CN107733905A - A method for detecting abnormal device traffic in an industrial control network


Publication number
CN107733905A
Authority
CN
China
Legal status
Pending
Application number
CN201711001338.9A
Other languages
Chinese (zh)
Inventor
冯全宝
韩延鹏
乔金峰
张明远
Current Assignee
Beijing Wei Nu Trick Co Ltd
Original Assignee
Beijing Wei Nu Trick Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Abstract

The invention discloses a method for detecting abnormal device traffic in an industrial control network, comprising the following steps: 1. connect the intelligent monitoring terminal to the management platform; 2. set the deployment mode of the intelligent monitoring terminal; 3. enable learning mode to assist in establishing a security baseline; 4. switch to operation mode and start abnormal traffic monitoring; 5. collect traffic in real time and monitor for abnormal traffic according to the abnormal traffic algorithm; 6. generate abnormal traffic alarms and record logs; 7. restart monitoring. The beneficial effects of the invention are: an advanced self-learning algorithm establishes the most basic traffic trend model for each device in the industrial control network, on which round-the-clock real-time monitoring is based; once abnormal traffic is triggered, a real-time alert is given in the form of sound and light, and a corresponding abnormal traffic log is generated for later history queries. This provides strong technical support for the safe, stable and reliable operation of the user's industrial network.

Description

A method for detecting abnormal device traffic in an industrial control network
Technical field
The present invention relates to a method for detecting abnormal device traffic in an industrial control network, and belongs to the field of automatic control technology.
Background
At present, with the development of information technology, industrial control production and control networks that were once physically isolated have had to break that isolation, and are even connected directly to enterprise management networks and the Internet, so industrial control networks that were once stable, controllable and reliable face increasing risk. The industrial control security incidents of recent years also show that industrial control networks are being attacked more and more often, and that the damage caused by attacks keeps growing. Real-time servers and history servers that used to run stably and serve only the clients on the industrial control LAN received requests that were controllable and measurable. Workstations that used to request data only from servers on the industrial control LAN sent requests that were likewise controllable and measurable. The instructions and data received by the controllers in the control layer were also controllable and measurable. Under today's convergence of the two networks, however, it is worth asking whether this controllable, measurable traffic is still normal. One existing technical solution is suitable only for detecting abnormal network traffic in intelligent substations. It also requires a switch capable of mirroring traffic: the mirrored traffic is captured to obtain the original packet information, simple statistics on these original packets determine whether the traffic is abnormal, and when an anomaly occurs the abnormal condition is sent to a remote dispatching system and the packets are stored.
Patent application publication No. CN106611348A discloses a method and device for detecting abnormal traffic. The method includes: extracting, from the monitoring data of an advertisement, the visitor data of visitors accessing the advertisement; extracting first visitor data from the multiple visitor data, where the first visitor data are the visitor data whose time information falls within a first preset time, and there are multiple first visitor data; determining whether the time difference between any two first visitor data with the same first visitor identifier is within a second preset time; if the time difference between any two adjacent first visitor data with the same first visitor identifier is within the second preset time, extracting second visitor data from the first visitor data and determining that the second visitor is the visitor causing the traffic anomaly. This solves the technical problem in the prior art of advertisers' interests being harmed by cheating on visitor traffic.
Patent application publication No. CN106357622A discloses a network abnormal traffic detection and defense system based on software-defined networking. Software-defined networks differ greatly from traditional networks in how abnormal traffic is detected, so traditional detection methods no longer apply; by separating the network control plane from the data plane, software-defined networking offers a new way to develop new network applications and handle network security problems. That invention uses the centralized control of the software-defined network architecture to monitor traffic in real time at the source of an attack, and forms a multi-layer defense from source-IP anti-spoofing, access-layer anomaly detection and link traffic anomaly detection, filtering abnormal traffic step by step to detect and defend against network DDoS attacks at the source.
In summary, the prior art has the following shortcomings:
1. It applies only to one kind of industrial control network, the intelligent substation.
2. It requires a switch capable of mirroring traffic; without one, abnormal traffic detection cannot be performed.
3. It judges abnormality only from the perspective of a single network session, and does not judge from the perspective of the device as a whole whether traffic is abnormal.
4. The criterion for distinguishing anomalies is difficult to determine and is not suited to industrial production environments.
Summary of the invention
The object of the invention is to provide a method for detecting abnormal device traffic in an industrial control network that overcomes the above technical problems. The stability, reliability and controllability of an industrial control network are made up of many indicators; among them, the number of requests each device sends, the number of requests it receives and the services it provides are all measurable and controllable. The method uses a device that can be deployed either in bypass mode or in line in the industrial control network to collect and monitor the network's traffic in real time. At the same time, an intelligent learning engine learns the network's normal traffic to form a security baseline, each device in the network is monitored in real time against that baseline, and abnormal traffic raises a real-time alarm and is recorded in the alarm log. The method addresses how to comprehensively collect the traffic each device in each industrial control system sends and receives, how to establish a security baseline, how to judge whether traffic is abnormal, and how to handle traffic once it is judged abnormal.
The method of the invention specifically includes the following steps:
Step 1. Connect the intelligent monitoring terminal to the management platform:
The intelligent monitoring terminal collects on-site traffic, and the management platform manages the monitoring terminals.
Step 2. Set the deployment mode of the intelligent monitoring terminal:
The intelligent monitoring terminal can either be deployed in bypass mode on a switch that supports mirroring, or be connected in line at a specified location in the network to collect data; the deployment mode is selected according to the actual conditions of the industrial network.
Step 3. Enable learning mode to assist in establishing the network traffic monitoring baseline:
Enabling self-learning mode establishes the network traffic monitoring baseline: an intelligent learning engine learns from the collected on-site traffic and assists in generating the traffic operation baseline. It is only necessary to switch the intelligent monitoring terminal to learning mode.
Step 4. Switch to operation mode and start abnormal traffic monitoring:
After the network traffic monitoring baseline has been formed in step 3, the management platform switches the intelligent monitoring terminal to working operation mode, and traffic collection and abnormal traffic discrimination formally begin.
Step 5. Collect traffic in real time and monitor for abnormal traffic according to the abnormal traffic algorithm:
According to the network traffic monitoring baseline, abnormal traffic is judged for each device across several dimensions, including outbound traffic, inbound traffic, overall traffic and accessed ports; once an operation that is not in the security baseline occurs, the next step is carried out.
Step 6. Generate abnormal traffic alarms and record logs:
When abnormal traffic occurs, the corresponding device on the monitoring page changes to the alarm state and an alarm log is generated for later queries. If a device on the monitoring page currently has no abnormal traffic but had an anomaly in the past whose abnormal log has not yet been handled, a corresponding prompt appears on the monitoring page.
Step 7. Restart monitoring:
After one monitoring period, the corresponding normal traffic and abnormal traffic are reset, and monitoring of the next period begins.
The beneficial effects of the invention are: by analyzing the actual traffic of industrial control networks across many industries, typical traffic models are abstracted; an advanced self-learning algorithm establishes the most basic traffic trend model for each device in the industrial control network, on which round-the-clock real-time monitoring is based; once abnormal traffic is triggered, a real-time alert is given in the form of sound and light and a corresponding abnormal traffic log is generated for later history queries, providing strong technical support for the safe, stable and reliable operation of the user's industrial network.
Brief description of the drawings
Fig. 1 is a schematic diagram of the traffic calculation formula under normal circumstances;
Fig. 2 is a schematic diagram of the traffic calculation formula when a session is re-established after aging in a different period;
Fig. 3 is a schematic diagram of the traffic calculation formula when a session is re-established after aging in the same period;
Fig. 4 is a schematic diagram of the graphical display when a device's traffic is abnormal within the period;
Fig. 5 is a schematic diagram of the graphical display when a device's traffic is normal within the period;
Fig. 6 is a schematic diagram of the graphical display when a device's traffic is normal within the period but an abnormal traffic alarm remains unhandled.
Embodiments
Embodiments of the invention are described in detail below with reference to Figs. 1-6. The method of the invention specifically includes the following steps:
Step 1. Connect the intelligent monitoring terminal to the management platform:
The intelligent monitoring terminal collects on-site traffic, and the management platform manages the monitoring terminals.
Step 2. Set the deployment mode of the intelligent monitoring terminal:
The switches at many industrial sites do not support mirror mode, or the industrial switches themselves do not support mirror mode. The intelligent monitoring terminal in this method can either be deployed in bypass mode on a switch that supports mirroring, or be connected in line at a specified location in the network to collect data; the deployment mode is selected according to the actual conditions of the industrial network.
Step 3. Enable learning mode to assist in establishing the network traffic monitoring baseline:
Enabling self-learning mode assists in establishing the network traffic monitoring baseline: an intelligent learning engine learns from the collected on-site traffic and assists in generating the traffic operation baseline. It is only necessary to switch the intelligent monitoring terminal to learning mode.
Step 4. Switch to operation mode and start abnormal traffic monitoring:
After the network traffic monitoring baseline has been formed in step 3, the management platform switches the intelligent monitoring terminal to working operation mode, and traffic collection and abnormal traffic discrimination formally begin.
Step 5. Collect traffic in real time and monitor for abnormal traffic according to the abnormal traffic algorithm:
According to the traffic baseline, abnormal traffic is judged for each device across several dimensions, including outbound traffic, inbound traffic, overall traffic and accessed ports; once an operation that is not in the security baseline occurs, the next step is carried out.
Step 6. Generate abnormal traffic alarms and record logs:
When abnormal traffic occurs, the corresponding device on the monitoring page changes to the alarm state and an alarm log is generated for later queries. If a device on the monitoring page currently has no abnormal traffic but had an anomaly in the past whose abnormal log has not yet been handled, a corresponding prompt appears on the monitoring page.
Step 7. Restart monitoring:
After one monitoring period, the corresponding normal traffic and abnormal traffic are reset, and monitoring of the next period begins.
An industrial control network is logically divided into the enterprise management layer, the process monitoring layer, the field control layer and the field device layer. The overall monitoring supports distributed deployment with centralized management: in this embodiment, multiple intelligent monitoring terminals are deployed in a distributed manner on the mirror ports of the industrial switches and are centrally managed by the management platform. The intelligent monitoring terminal supports bypass deployment and can also be connected in line in the industrial control network; whichever deployment mode is used, it does not affect on-site production.
In the station-level industrial Ethernet, an intelligent monitoring terminal is deployed in bypass mode at an industrial switch that supports mirroring, and through the switch's mirror port it receives a copy of all network traffic passing through the switch. Because the deployment is out of band and the terminal only receives network traffic and never sends any interfering packets into the industrial control network, the production process is not affected in any way.
Where the switch between the field device layer and the control layer does not support mirroring, the intelligent monitoring terminal is deployed in line; because it does not intercept any packets, on-site production is not affected either.
The intelligent learning engine assists in establishing the network traffic monitoring baseline. The learning engine generates the traffic model from the following elements:
A. business type;
B. monitored object;
C. monitoring time;
D. upstream traffic;
E. downstream traffic;
F. special peaks;
G. special troughs.
Among the above elements, the basic traffic data set used differs according to the business type, and the monitored objects are all devices in the industrial network that can send or receive data, including: supervisory hosts, interface machines, engineer stations, operator stations, real-time data servers, historical data servers, and each RTU and PLC.
The algorithm for reasonably judging whether traffic is abnormal:
Embodiment 1:
As shown in Fig. 1:
When monitoring starts, the latest traffic value of the previous period (5 minutes) has been found in the database;
within monitoring period 1 (T0~T1), everything received is a traffic update.
Process description: At time T0, the database is queried (by 5-tuple + start time) for the latest traffic value Qc of the previous period (T-1~T0). This value is used as the initial value, and the traffic value subsequently received in period 1 minus the initial value is taken as the traffic of that period.
In summary: traffic of monitoring period 1 (T0~T1) = Q1 - Qc.
Embodiment 2:
As shown in Fig. 2:
When monitoring starts, the latest traffic value of the previous period (5 minutes) cannot be found in the database;
within monitoring period 1 (T0~T1), everything received is a traffic update.
Process description: Starting from T0, at time Tm the database is queried (by 5-tuple + start time) for the traffic value Qc nearest to T0 (the moment of that value is not within the previous period). To keep the traffic of the period T0~Tm accurate, it is calculated with the following formula:
Δ = (Qm - Qc) / (Tm - Tc) * (Tm - T0).
Traffic of the period Tm~T1 = new value - Qm.
The new value is the traffic value received again within Tm~T1.
In summary: traffic of monitoring period 1 (T0~T1) = Δ + Q1 - Qm.
Embodiment 3:
As shown in Fig. 3:
Within monitoring period 1 (T0~T1), the same five-tuple has both an aged flow and a newly established flow. For the traffic of the monitoring sub-period T0~Td, determine whether the latest traffic value of the previous period (5 minutes) was found in the database and handle it according to case 1 or case 2 accordingly, finally obtaining the traffic Δ of the period (T0~Td).
Process description: Starting from T0, at time Ts2, if the traffic type is judged to be 1, then Qs2 represents a newly established flow, so the traffic of period 1 (T0~T1) = Δ + Q1.
Device outbound traffic:
All upstream bytes in the session information found with the device as source IP + all downstream bytes in the session information found with the device as destination IP.
Device inbound traffic:
All downstream bytes in the session information found with the device as source IP + all upstream bytes in the session information found with the device as destination IP.
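The three embodiments and the device outbound/inbound sums above, worked through as an added Python example (not part of the patent). It assumes each stored value Q is a cumulative byte counter for one session, that Tc is the time at which Qc was stored, that a flow with no stored value before T0 is newly established, and that "upstream" means source to destination; the Reading and Session types, function names and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Sequence

PERIOD = 300  # monitoring period in seconds (the description uses 5 minutes)


@dataclass(frozen=True)
class Reading:
    t: float  # time at which the counter value was stored
    q: int    # cumulative bytes of the session at time t (assumed meaning of Q)


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    up_bytes: int    # assumed: bytes sent source -> destination in the period
    down_bytes: int  # assumed: bytes sent destination -> source in the period


def flow_traffic(t0: float, readings: Sequence[Reading]) -> float:
    """Bytes one continuous flow contributed to the period [t0, t0 + PERIOD)."""
    before = [r for r in readings if r.t < t0]
    inside = sorted((r for r in readings if t0 <= r.t < t0 + PERIOD),
                    key=lambda r: r.t)
    if not inside:
        return 0.0
    first, last = inside[0], inside[-1]  # (Tm, Qm) and the latest value Q1
    if not before:
        # Newly established flow (assumption: no stored value before T0):
        # its counter started inside the period, so the traffic is Q1.
        return float(last.q)
    c = max(before, key=lambda r: r.t)   # (Tc, Qc): nearest value before T0
    if c.t >= t0 - PERIOD:
        # Embodiment 1: Qc belongs to the previous period -> Q1 - Qc.
        return float(last.q - c.q)
    # Embodiment 2: Qc is older than one period. Attribute the growth between
    # Tc and Tm to T0..Tm pro rata, then add what arrived after Tm.
    delta = (first.q - c.q) / (first.t - c.t) * (first.t - t0)
    return delta + (last.q - first.q)


def period_traffic(t0: float, flows: Sequence[Sequence[Reading]]) -> float:
    """Embodiment 3: one 5-tuple may carry an aged flow plus a new one."""
    return sum(flow_traffic(t0, f) for f in flows)


def device_outflow(device: str, sessions: Sequence[Session]) -> int:
    return (sum(s.up_bytes for s in sessions if s.src_ip == device)
            + sum(s.down_bytes for s in sessions if s.dst_ip == device))


def device_inflow(device: str, sessions: Sequence[Session]) -> int:
    return (sum(s.down_bytes for s in sessions if s.src_ip == device)
            + sum(s.up_bytes for s in sessions if s.dst_ip == device))


# Constructed sample data; T0 = 1000 s, so period 1 is [1000, 1300).
T0 = 1000
CASE1 = [[Reading(900, 5000), Reading(1100, 5600), Reading(1290, 6200)]]
CASE2 = [[Reading(400, 2000), Reading(1100, 2700), Reading(1250, 3000)]]
CASE3 = [[Reading(900, 5000), Reading(1050, 5300)], [Reading(1200, 800)]]
SESSIONS = [Session("10.0.0.5", "10.0.0.9", 1000, 4000),
            Session("10.0.0.7", "10.0.0.5", 200, 50)]

if __name__ == "__main__":
    for name, case in (("case 1", CASE1), ("case 2", CASE2), ("case 3", CASE3)):
        print(name, period_traffic(T0, case))
    print("out", device_outflow("10.0.0.5", SESSIONS),
          "in", device_inflow("10.0.0.5", SESSIONS))
```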
How abnormal traffic is presented once it appears:
(1) When a device's traffic in the current monitoring period is abnormal, it is flagged on the monitoring screen as shown in Fig. 4 and keeps flashing;
(2) when a device's traffic in the current monitoring period is normal and all abnormal traffic logs related to the device have been handled, it is shown as in Fig. 5;
(3) when a device's traffic in the current monitoring period is normal but some abnormal traffic logs related to the device remain unhandled, it is shown on the monitoring screen as in Fig. 6.
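Steps 3 to 7 and the three display states, as an added Python example that is not part of the patent. The patent does not specify the form of the baseline, so a per-device learned peak for each dimension with 20% headroom plus a learned port set is assumed; the class names, the device name PLC-1 and all traffic figures are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Set


class Display(Enum):
    ALARM = "Fig. 4: abnormal in the current period"
    NORMAL = "Fig. 5: normal, all alarm logs handled"
    UNHANDLED = "Fig. 6: normal, unhandled alarm log remains"


@dataclass
class Baseline:  # assumed form: learned peak per dimension plus learned ports
    out_peak: int = 0
    in_peak: int = 0
    total_peak: int = 0
    ports: Set[int] = field(default_factory=set)


@dataclass
class Alarm:
    period: int
    device: str
    reasons: List[str]
    handled: bool = False


class Monitor:
    def __init__(self, tolerance: float = 0.2) -> None:
        self.learning = True        # step 3: terminal starts in learning mode
        self.tolerance = tolerance  # assumed headroom above the learned peaks
        self.baselines: Dict[str, Baseline] = {}
        self.log: List[Alarm] = []
        self.abnormal_now: Set[str] = set()

    def start_operation(self) -> None:
        self.learning = False       # step 4: switch to operation mode

    def observe(self, period: int, device: str, out_b: int, in_b: int,
                ports: Iterable[int]) -> List[str]:
        """Step 5: check one device's totals for one period; return reasons."""
        seen = set(ports)
        if self.learning:
            b = self.baselines.setdefault(device, Baseline())
            b.out_peak = max(b.out_peak, out_b)
            b.in_peak = max(b.in_peak, in_b)
            b.total_peak = max(b.total_peak, out_b + in_b)
            b.ports |= seen
            return []
        b = self.baselines.get(device)
        if b is None:
            reasons = ["device not in baseline"]
        else:
            dims = [("outbound", out_b, b.out_peak), ("inbound", in_b, b.in_peak),
                    ("total", out_b + in_b, b.total_peak)]
            reasons = [f"{n} {v} exceeds baseline peak {p}"
                       for n, v, p in dims if v > p * (1 + self.tolerance)]
            extra = sorted(seen - b.ports)
            if extra:
                reasons.append(f"ports not in baseline: {extra}")
        if reasons:                 # step 6: alarm state plus alarm log entry
            self.abnormal_now.add(device)
            self.log.append(Alarm(period, device, reasons))
        return reasons

    def next_period(self) -> None:
        self.abnormal_now.clear()   # step 7: reset and start the next period

    def acknowledge(self, device: str) -> None:
        for alarm in self.log:
            if alarm.device == device:
                alarm.handled = True

    def display(self, device: str) -> Display:
        if device in self.abnormal_now:
            return Display.ALARM
        if any(a.device == device and not a.handled for a in self.log):
            return Display.UNHANDLED
        return Display.NORMAL


def run_demo() -> List[Display]:
    """Constructed traffic for a hypothetical device 'PLC-1'."""
    m, dev, states = Monitor(), "PLC-1", []
    m.observe(1, dev, 1200, 900, {502})
    m.observe(2, dev, 1500, 1000, {502, 102})
    m.start_operation()
    m.observe(3, dev, 1400, 950, {502})
    states.append(m.display(dev))            # within baseline
    m.next_period()
    m.observe(4, dev, 9000, 950, {502, 23})  # volume spike and unseen port
    states.append(m.display(dev))
    m.next_period()
    m.observe(5, dev, 1300, 900, {502})
    states.append(m.display(dev))            # normal again, alarm unhandled
    m.acknowledge(dev)
    states.append(m.display(dev))
    return states
```

Calling run_demo() returns the display state after each of the four checkpoints, which correspond in order to Fig. 5, Fig. 4, Fig. 6 and Fig. 5.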
The foregoing is only a specific embodiment of the invention, but the scope of protection of the invention is not limited to it; any change or replacement that a person skilled in the art could readily conceive within the scope disclosed by the invention shall fall within the scope of protection claimed.

Claims (4)

1. A method for detecting abnormal device traffic in an industrial control network, characterized in that it comprises the following steps:
Step 1. Connect the intelligent monitoring terminal to the management platform;
The intelligent monitoring terminal collects on-site traffic, and the management platform manages the monitoring terminals;
Step 2. Set the deployment mode of the intelligent monitoring terminal;
The intelligent monitoring terminal can either be deployed in bypass mode on a switch that supports mirroring, or be connected in line at a specified location in the network to collect data;
Step 3. Enable learning mode to assist in establishing the network traffic monitoring baseline;
Enabling self-learning mode establishes the network traffic monitoring baseline: an intelligent learning engine learns from the collected on-site traffic and assists in generating the traffic operation baseline;
Step 4. Switch to operation mode and start abnormal traffic monitoring;
After the network traffic monitoring baseline has been formed in step 3, the management platform switches the intelligent monitoring terminal to working operation mode, and traffic collection and abnormal traffic discrimination formally begin;
Step 5. Collect traffic in real time and monitor for abnormal traffic according to the abnormal traffic algorithm;
Step 6. Generate abnormal traffic alarms and record logs;
When abnormal traffic occurs, the corresponding device on the monitoring page changes to the alarm state and an alarm log is generated for later queries; if a device on the monitoring page currently has no abnormal traffic but had an anomaly in the past whose abnormal log has not yet been handled, a corresponding prompt appears on the monitoring page;
Step 7. Restart monitoring;
After one monitoring period, the corresponding normal traffic and abnormal traffic are reset, and monitoring of the next period begins.
2. The method for detecting abnormal device traffic in an industrial control network according to claim 1, characterized in that, in step 2, the deployment mode of the intelligent monitoring terminal is selected according to the actual conditions of the industrial network.
3. The method for detecting abnormal device traffic in an industrial control network according to claim 1, characterized in that, in step 3, the intelligent monitoring terminal is switched to learning mode.
4. The method for detecting abnormal device traffic in an industrial control network according to claim 1, characterized in that, in step 5, according to the network traffic monitoring baseline, abnormal traffic is judged for each device across several dimensions, including outbound traffic, inbound traffic, overall traffic and accessed ports; once an operation that is not in the security baseline occurs, the next step is carried out.
Application CN201711001338.9A; priority date 2017-10-24; filing date 2017-10-24; title: A method for detecting abnormal device traffic in an industrial control network; status: Pending; publication: CN107733905A (en)

Publications (1)

Publication Number Publication Date
CN107733905A true CN107733905A (en) 2018-02-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180223