CN108718322B - Industrial firewall and protection method thereof - Google Patents

Industrial firewall and protection method thereof

Info

Publication number
CN108718322B
Authority
CN
China
Prior art keywords
danger
execution information
module
data flow
data stream
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810633168.4A
Other languages
Chinese (zh)
Other versions
CN108718322A (en)
Inventor
赵西玉
李佐民
赵越峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wangteng Technology Co ltd
Original Assignee
Beijing Wangteng Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2018-06-20
Filing date
2018-06-20
Publication date
2018-10-30 (application CN108718322A); 2021-04-09 (granted patent CN108718322B)
Application filed by Beijing Wangteng Technology Co ltd
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0245 Filtering by information in the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses an industrial firewall comprising a data flow acquisition module, which acquires the data flow passing through the firewall; a data separation module, which separates the path information and the execution information contained in the acquired data flow; a path information analysis module, which analyzes the separated path information and judges its danger; an execution information analysis module, which analyzes the separated execution information and judges its danger; and a judging module, which judges the danger of the data flow from the analysis results of the path information analysis module and the execution information analysis module, blocks further transmission of the data flow if the danger is above a set threshold, and lets the data flow continue to be transmitted if the danger is at or below the set threshold. The invention remedies the defects of the prior art and improves the operating safety of the industrial network.

Description

Industrial firewall and protection method thereof
Technical Field
The invention relates to the technical field of industrial control system security defense, in particular to an industrial firewall and a protection method thereof.
Background
In an industrial network, process control systems such as SCADA, DCS and PLC are in operation. They are usually the core of the production system and are responsible for production control and monitoring. Once disturbed or destroyed, these process control systems affect industrial production to varying degrees, which can cause significant economic loss to enterprises, endanger the lives of personnel, and even cause serious social harm. Recent industrial network intrusion incidents have sounded the alarm, and ensuring the operating safety of process control systems has become urgent.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an industrial firewall and a protection method thereof, which remedy the defects of the prior art and improve the operating safety of an industrial network.
To solve this technical problem, the invention adopts the following technical scheme.
An industrial firewall comprising a first firewall component, which comprises:
the data flow acquisition module, which acquires the data flow passing through the firewall;
the data separation module, which separates the path information and the execution information contained in the acquired data flow;
the path information analysis module, which analyzes the separated path information and judges its danger;
the execution information analysis module, which analyzes the separated execution information and judges its danger;
and the judging module, which judges the danger of the data flow from the analysis results of the path information analysis module and the execution information analysis module, blocks further transmission of the data flow if the danger is above a set threshold, and lets the data flow continue to be transmitted if the danger is at or below the set threshold.
The protection method of the industrial firewall comprises the following steps:
A. the data flow acquisition module acquires the data flow passing through the firewall;
B. the data separation module separates the acquired data flow into path information and execution information;
C. the path information analysis module analyzes the separated path information and judges its danger;
D. the execution information analysis module analyzes the separated execution information and judges its danger;
E. the judging module judges the danger of the data flow from the analysis results of the path information analysis module and the execution information analysis module, blocks further transmission of the data flow if the danger is above a set threshold, and lets the data flow continue to be transmitted if the danger is at or below the set threshold.
Preferably, in step C, the theoretical values (the expected values for the path) of the sending address, register address, register type, receiving address, read-write attribute and read-write time on the data flow path are compared with the actual values; the danger is proportional to the square of the contrast deviation, which is calculated by
[formula for D: image in the original, not reproduced here]
where D is the contrast deviation;
k1 to k6 are weighting coefficients;
s and s' are the theoretical and actual values of the sending address;
rs and rs' are the theoretical and actual values of the register address;
rt and rt' are the theoretical and actual values of the register type;
a and a' are the theoretical and actual values of the receiving address;
wa and wa' are the theoretical and actual values of the read-write attribute;
wt and wt' are the theoretical and actual values of the read-write time.
Preferably, in step D, the danger of the execution information is proportional to the number of times it has been compiled.
Preferably, in step E, whichever of the path information and the execution information has the higher danger is selected as the determination target, and the danger of that target is compared with the set threshold.
Preferably, in step A, the rate at which the data flow acquisition module collects the data flow passing through the firewall is proportional to the proportion of the data flow in the previous collection period whose danger was judged to be above the set threshold.
The beneficial effect of the above technical scheme is that, by improving the structural configuration of the firewall so that the data flow is separated and processed in parts, abnormal data can be judged accurately and quickly, and the operating safety of the industrial network is improved.
Drawings
FIG. 1 is a system schematic of one embodiment of the present invention.
Detailed Description
Referring to fig. 1, one embodiment of the present invention includes,
the data flow acquisition module 1 is used for acquiring data flow passing through a firewall;
the data separation module 2 is used for separating path information and execution information contained in the acquired data stream;
the path information analysis module 3, which analyzes the separated path information and judges its danger;
the execution information analysis module 4, which analyzes the separated execution information and judges its danger;
and the judging module 5, which judges the danger of the data flow from the analysis results of the path information analysis module 3 and the execution information analysis module 4, blocks further transmission of the data flow if the danger is above a set threshold, and lets the data flow continue to be transmitted if the danger is at or below the set threshold.
The protection method of the industrial firewall comprises the following steps:
A. the data flow acquisition module 1 acquires data flow passing through a firewall;
B. the data separation module 2 separates the acquired data stream to separate out path information and execution information;
C. the path information analysis module 3 analyzes the separated path information and judges the danger of the separated path information;
D. the execution information analysis module 4 analyzes the separated execution information and judges its danger;
E. the judging module 5 judges the danger of the data flow from the analysis results of the path information analysis module 3 and the execution information analysis module 4, blocks further transmission of the data flow if the danger is above a set threshold, and lets the data flow continue to be transmitted if the danger is at or below the set threshold.
In step C, the theoretical values (the expected values for the path) of the sending address, register address, register type, receiving address, read-write attribute and read-write time on the data flow path are compared with the actual values; the danger is proportional to the square of the contrast deviation, which is calculated by
[formula for D: image in the original, not reproduced here]
where D is the contrast deviation;
k1 to k6 are weighting coefficients;
s and s' are the theoretical and actual values of the sending address;
rs and rs' are the theoretical and actual values of the register address;
rt and rt' are the theoretical and actual values of the register type;
a and a' are the theoretical and actual values of the receiving address;
wa and wa' are the theoretical and actual values of the read-write attribute;
wt and wt' are the theoretical and actual values of the read-write time.
In step D, the danger of the execution information is proportional to the number of times it has been compiled.
In step E, whichever of the path information and the execution information has the higher danger is selected as the determination target, and the danger of that target is compared with the set threshold. In addition, feature values are extracted from the path information and from the execution information of every data flow judged to be high-risk, forming two feature matrices; the set of mapping relations between the two matrices is stored in a judgment database. In subsequent judgments, the mapping relations between the path information and the execution information separated in step B are compared with those in the judgment database, and the data flow is directly judged high-risk if the similarity is above a set threshold.
In step A, the rate at which the data flow acquisition module 1 collects the data flow passing through the firewall is proportional to the proportion of the data flow in the previous collection period whose danger was judged to be above the set threshold.
The thresholds in this embodiment are set through a limited number of tests under the actual working conditions.
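The five-step flow of the embodiment above (acquire, separate, score the path information, score the execution information, judge the higher of the two against a threshold), together with the adaptive collection rate of step A, as an added worked example. This is illustrative code written for this page and is not the patentee's implementation. The frame layout, the baseline of theoretical values, the numeric weighting coefficients k1 to k6, the per-field deviation measure and the weighted-sum form of D are all assumptions: the patent's own formula for D appears only as an image and is not reproduced on the page, and the patent gives no numeric values. The feature-matrix judgment database of step E is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Weighting coefficients k1..k6 named in the claim; these numeric values are
# assumed for the example (the patent gives none).
K = (2.0, 1.0, 1.0, 2.0, 1.5, 0.5)

# Field names in the claim's order: s, rs, rt, a, wa, wt.
FIELDS = ("src", "reg_addr", "reg_type", "dst", "rw", "rw_time")
NUMERIC = {"rw_time"}  # only the time field is compared by magnitude (assumption)


@dataclass(frozen=True)
class PathInfo:
    """The six path-information fields compared in step C."""
    src: str        # s  - sending address
    reg_addr: int   # rs - register address
    reg_type: str   # rt - register type
    dst: str        # a  - receiving address
    rw: str         # wa - read/write attribute
    rw_time: float  # wt - read/write time, seconds into the polling cycle (assumed unit)


def separate(frame: dict) -> tuple[PathInfo, dict]:
    """Step B: split one acquired frame into path information and execution
    information. The frame layout is constructed for this example."""
    path = PathInfo(*(frame[f] for f in FIELDS))
    return path, frame.get("execution", {})


def _delta(field: str, theory, actual) -> float:
    """Per-field deviation in [0, 1]: relative difference for numeric fields,
    0/1 mismatch for categorical ones (assumed; the patent does not specify)."""
    if field in NUMERIC:
        return min(abs(theory - actual) / max(abs(theory), 1.0), 1.0)
    return 0.0 if theory == actual else 1.0


def contrast_deviation(theory: Optional[PathInfo], actual: PathInfo, k=K) -> float:
    """Step C: D = sum_i k_i * delta_i over the six fields. The weighted-sum
    form is an assumption; the patent's formula is only an image on the page."""
    if theory is None:  # sender absent from the baseline: every field deviates fully
        return float(sum(k))
    return sum(ki * _delta(f, getattr(theory, f), getattr(actual, f))
               for ki, f in zip(k, FIELDS))


def path_risk(theory: Optional[PathInfo], actual: PathInfo) -> float:
    """Risk proportional to the square of D (proportionality constant 1, assumed)."""
    return contrast_deviation(theory, actual) ** 2


def execution_risk(execution: dict, per_compile: float = 1.0) -> float:
    """Step D: risk proportional to the compile count of the execution
    information (per_compile is an assumed constant)."""
    return per_compile * execution.get("compile_count", 0)


def judge(frame: dict, baseline: dict, threshold: float) -> tuple[str, float]:
    """Step E, claim 2 variant: the higher of the two risks is the determination
    target; block if it exceeds the threshold, otherwise let the flow continue."""
    path, execution = separate(frame)
    risk = max(path_risk(baseline.get(path.src), path), execution_risk(execution))
    return ("block" if risk > threshold else "pass"), risk


def next_sampling_rate(prev_high_risk_fraction: float, gain: float = 1.0,
                       floor: float = 0.05) -> float:
    """Step A, claim 3: next period's collection rate is proportional to the
    share of high-risk flows in the previous period. The floor is an added
    caveat: strict proportionality stops sampling after one clean period."""
    return min(1.0, max(floor, gain * prev_high_risk_fraction))


# Constructed baseline ("theoretical values") for one HMI -> PLC polling path.
BASELINE = {
    "10.0.1.5": PathInfo("10.0.1.5", 40001, "holding", "10.0.1.20", "read", 120.0),
}

# Constructed frames: a routine poll, and a write to another register at the
# wrong time carrying execution information that has been recompiled four times.
NORMAL = {"src": "10.0.1.5", "reg_addr": 40001, "reg_type": "holding",
          "dst": "10.0.1.20", "rw": "read", "rw_time": 121.0, "execution": {}}
ROGUE = {"src": "10.0.1.5", "reg_addr": 40010, "reg_type": "holding",
         "dst": "10.0.1.20", "rw": "write", "rw_time": 3.0,
         "execution": {"compile_count": 4}}

if __name__ == "__main__":
    for name, frame in (("normal", NORMAL), ("rogue", ROGUE)):
        print(name, judge(frame, BASELINE, threshold=1.0))
    print("next rate:", next_sampling_rate(prev_high_risk_fraction=0.0))
```

Two design choices in this example are practitioner caveats rather than anything the patent states. The floor in next_sampling_rate exists because a collection rate strictly proportional to the previous period's high-risk share falls to zero after one clean period, which is exactly when an attacker who has learned the cycle would act. Register address and read-write attribute are compared by exact match because a firewall that rated addresses by arithmetic distance would score a write to an adjacent register as nearly harmless.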
The foregoing shows and describes the general principles, main features and advantages of the present invention. Those skilled in the art will understand that the invention is not limited to the embodiment described above, which is presented in the specification and drawings only to illustrate the principle of the invention; various changes and modifications may be made without departing from the spirit and scope of the invention, and these fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and their equivalents.

Claims (3)

1. A protection method of an industrial firewall comprises the following steps,
the data flow acquisition module (1) is used for acquiring data flow passing through a firewall;
the data separation module (2) is used for separating the path information and the execution information contained in the acquired data stream;
a path information analysis module (3) for analyzing the separated path information and judging the danger;
the execution information analysis module (4) is used for analyzing the separated execution information and judging the danger of the execution information;
the judging module (5) judges the danger of the data flow from the analysis results of the path information analysis module (3) and the execution information analysis module (4), blocks further transmission of the data flow if the danger is above a set threshold, and lets the data flow continue to be transmitted if the danger is at or below the set threshold;
the method is characterized by comprising the following steps:
A. the data flow acquisition module (1) acquires data flow passing through a firewall;
B. the data separation module (2) separates the collected data stream to separate out path information and execution information;
C. the path information analysis module (3) analyzes the separated path information and judges the danger of the separated path information;
the theoretical values of the sending address, register address, register type, receiving address, read-write attribute and read-write time on the data flow path are compared with the actual values; the danger is proportional to the square of the contrast deviation, which is calculated by
[formula for D: image in the original, not reproduced here]
where D is the contrast deviation, k1 to k6 are weighting coefficients, s and s' are the theoretical and actual values of the sending address, rs and rs' are the theoretical and actual values of the register address, rt and rt' are the theoretical and actual values of the register type, a and a' are the theoretical and actual values of the receiving address, wa and wa' are the theoretical and actual values of the read-write attribute, and wt and wt' are the theoretical and actual values of the read-write time;
D. the execution information analysis module (4) analyzes the separated execution information and judges its danger; the danger of the execution information is proportional to the number of times it has been compiled;
E. the judging module (5) judges the danger of the data flow from the analysis results of the path information analysis module (3) and the execution information analysis module (4), blocks further transmission of the data flow if the danger is above the set threshold, and lets the data flow continue to be transmitted if the danger is at or below the set threshold.
2. The protection method of the industrial firewall according to claim 1, wherein: in step E, whichever of the path information and the execution information has the higher danger is selected as the determination target, and the danger of that target is compared with the set threshold.
3. The protection method of the industrial firewall according to claim 1, wherein: in the step A, the data flow acquisition rate of the data flow passing through the firewall by the data flow acquisition module (1) is in direct proportion to the proportion of the data flow with the risk higher than the set threshold in the previous acquisition period.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810633168.4A CN108718322B (en) 2018-06-20 2018-06-20 Industrial firewall and protection method thereof

Publications (2)

Publication Number Publication Date
CN108718322A CN108718322A (en) 2018-10-30
CN108718322B true CN108718322B (en) 2021-04-09

Family

ID=63913149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810633168.4A Active CN108718322B (en) 2018-06-20 2018-06-20 Industrial firewall and protection method thereof

Country Status (1)

Country Link
CN (1) CN108718322B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184088A (en) * 2007-12-14 2008-05-21 浙江工业大学 Multi-point interlinked LAN firewall cooperating method
CN103067437A (en) * 2011-10-08 2013-04-24 美国博通公司 Ad hoc social networking
CN104378387A (en) * 2014-12-09 2015-02-25 浪潮电子信息产业股份有限公司 Virtual platform information security protection method
CN108009241A (en) * 2017-11-30 2018-05-08 昆山青石计算机有限公司 A kind of industrial Internet of Things safe polymeric correlating method based on PSO parameter optimizations
CN108092979A (en) * 2017-12-20 2018-05-29 国家电网公司 A kind of firewall policy processing method and processing device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170359306A1 (en) * 2016-06-10 2017-12-14 Sophos Limited Network security

Also Published As

Publication number Publication date
CN108718322A (en) 2018-10-30

Similar Documents

Publication Publication Date Title
CN106888205B (en) Non-invasive PLC anomaly detection method based on power consumption analysis
EP2860937B1 (en) Log analysis device, method, and program
US10261502B2 (en) Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model
Terai et al. Cyber-attack detection for industrial control system monitoring with support vector machine based on communication profile
CN107204975B (en) Industrial control system network attack detection technology based on scene fingerprints
US11270218B2 (en) Mapper component for a neuro-linguistic behavior recognition system
US11811788B2 (en) Method of threat detection in a computer network security system
EP3230891A1 (en) Perceptual associative memory for a neuro-linguistic behavior recognition system
CN111224973A (en) Network attack rapid detection system based on industrial cloud
CN111970229A (en) CAN bus data anomaly detection method aiming at multiple attack modes
CN117220920A (en) Firewall policy management method based on artificial intelligence
CN114338188A (en) Malicious software intelligent cloud detection system based on process behavior sequence fragmentation
CN108718322B (en) Industrial firewall and protection method thereof
CN117072460B (en) Centrifugal pump state monitoring method based on vibration data and expert experience
CN112153076A (en) Computer network safety intrusion detection system
CN112637118A (en) Flow analysis implementation method based on internal and external network drainage abnormity
CN108650235B (en) Intrusion detection device and detection method thereof
CN117648689B (en) Automatic response method for industrial control host safety event based on artificial intelligence
CN112949743B (en) Credibility judgment method and system for network operation and maintenance operation and electronic equipment
CN112910688B (en) OCSVM model-based communication behavior abnormal parallel detection method and system under HJ212 protocol
CN115333874B (en) Industrial terminal host monitoring method
CN111191241B (en) Situation awareness-based major activity guaranteeing method and device
CN115022097B (en) Public information safety monitoring method and system
CN118054939A (en) Vehicle-mounted network security threat detection method and system based on multi-feature fusion
CN106992992B (en) Trojan horse detection method based on communication behaviors

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant