CN108718322B - Industrial firewall and protection method thereof - Google Patents
- Publication number
- CN108718322B (application CN201810633168.4A)
- Authority
- CN
- China
- Prior art keywords
- danger
- execution information
- module
- data flow
- data stream
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses an industrial firewall comprising a data flow acquisition module, which acquires the data flow passing through the firewall; a data separation module, which separates the path information and the execution information contained in the acquired data flow; a path information analysis module, which analyzes the separated path information and assesses its risk; an execution information analysis module, which analyzes the separated execution information and assesses its risk; and a judging module, which determines the risk of the data flow from the results of the two analysis modules, blocks further transmission of the data flow if the risk is above a set threshold, and lets the data flow continue if the risk is at or below the threshold. The invention remedies defects of the prior art and improves the operational security of industrial networks.
Description
Technical Field
The invention relates to the technical field of industrial control system security defense, in particular to an industrial firewall and a protection method thereof.
Background
An industrial network runs process control systems such as SCADA, DCS and PLCs. These are usually the core of the production system and are responsible for production control and monitoring. Once disturbed or damaged, they affect industrial production to varying degrees, which can cause large economic losses to enterprises, endanger the lives of personnel and even cause serious social harm. Recent industrial network intrusion incidents are a wake-up call, and ensuring the safe operation of process control systems is urgent.
Disclosure of Invention
The technical problem solved by the invention is to provide an industrial firewall and a protection method for it that remedy the defects of the prior art and improve the operational security of an industrial network.
To solve this problem, the invention adopts the following technical scheme.
An industrial firewall comprising a first firewall component, which comprises:
a data flow acquisition module for acquiring the data flow passing through the firewall;
a data separation module for separating the path information and the execution information contained in the acquired data flow;
a path information analysis module for analyzing the separated path information and assessing its risk;
an execution information analysis module for analyzing the separated execution information and assessing its risk;
and a judging module, which determines the risk of the data flow from the analysis results of the path information analysis module and the execution information analysis module, blocks further transmission of the data flow if the risk is above a set threshold, and lets the data flow continue if the risk is at or below the threshold.
The protection method of the industrial firewall comprises the following steps:
A. the data flow acquisition module acquires the data flow passing through the firewall;
B. the data separation module separates the acquired data flow into path information and execution information;
C. the path information analysis module analyzes the separated path information and assesses its risk;
D. the execution information analysis module analyzes the separated execution information and assesses its risk;
E. the judging module determines the risk of the data flow from the analysis results of the path information analysis module and the execution information analysis module, blocks further transmission of the data flow if the risk is above a set threshold, and lets the data flow continue if the risk is at or below the threshold.
Preferably, in step C, the theoretical values of the sending address, register address, register type, receiving address, read-write attribute and read-write time of the data flow path are compared with the actual values; the risk is proportional to the square of the contrast deviation, which is calculated by the weighted formula given in the patent (not reproduced here),
where D is the contrast deviation, k1 to k6 are the weighting coefficients, s and s' are the theoretical and actual values of the sending address, rs and rs' the theoretical and actual values of the register address, rt and rt' the theoretical and actual values of the register type, a and a' the theoretical and actual values of the receiving address, wa and wa' the theoretical and actual values of the read-write attribute, and wt and wt' the theoretical and actual values of the read-write time.
Preferably, in step D, the risk of the execution information is proportional to the number of times it has been compiled.
Preferably, in step E, whichever of the path information and the execution information carries the higher risk is selected as the determination target, and its risk is compared with the set threshold.
Preferably, in step A, the rate at which the data flow acquisition module samples the data flow passing through the firewall is proportional to the proportion of the data flow in the previous acquisition period whose risk was judged to be above the set threshold.
The beneficial effect of the above technical scheme is that, by changing the structural configuration of the firewall so that the data flow is separated and processed in two parts, abnormal data can be identified accurately and quickly, improving the operational security of the industrial network.
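The five-step method above, with the preferred refinements of steps A, C, D and E, as an added example in Python. This is not code from the patent: the page names the six path fields and the coefficients k1 to k6 but does not reproduce the formula for the contrast deviation D, so the weighted per-field mismatch used here is an assumption, as are the field names, the "theoretical" baseline, the sampling floor and the three constructed sample flows.

```python
from dataclasses import dataclass

# Six path-information fields named in the patent: sending address (s), register
# address (rs), register type (rt), receiving address (a), read-write attribute (wa)
# and read-write time (wt). One weight k1..k6 per field, as in the patent.
PATH_FIELDS = ("s", "rs", "rt", "a", "wa", "wt")


@dataclass
class Flow:
    """One acquired data flow after step B: its path information (actual values)
    and the only execution-information feature the page defines, the compile count."""
    path: dict
    compile_count: int


def contrast_deviation(theoretical, actual, weights):
    """Assumed form of D: sum over the six fields of k_i times a per-field mismatch.
    Categorical fields mismatch as 0 or 1; the timing field wt uses the relative
    absolute difference so a small clock drift is a small deviation."""
    d = 0.0
    for k, field in zip(weights, PATH_FIELDS):
        t, x = theoretical[field], actual[field]
        if field == "wt":
            mismatch = abs(t - x) / max(abs(t), 1)
        else:
            mismatch = 0.0 if t == x else 1.0
        d += k * mismatch
    return d


def path_risk(theoretical, actual, weights):
    """Step C: risk is proportional to the square of the contrast deviation."""
    return contrast_deviation(theoretical, actual, weights) ** 2


def execution_risk(compile_count, per_compile=1.0):
    """Step D: risk is proportional to the number of times the payload was compiled."""
    return per_compile * compile_count


def judge(flow, baseline, weights, threshold):
    """Step E: the higher of the two risks is the determination target; block the
    flow if it exceeds the threshold, otherwise let it continue."""
    rp = path_risk(baseline, flow.path, weights)
    rx = execution_risk(flow.compile_count)
    verdict = "block" if max(rp, rx) > threshold else "pass"
    return verdict, rp, rx


def sampling_rate(previous_verdicts, floor=0.1):
    """Step A refinement: the acquisition rate for the next period is proportional
    to the share of flows blocked in the previous period. The floor keeps the
    firewall sampling after a quiet period (an assumption; the page gives no minimum)."""
    if not previous_verdicts:
        return floor
    blocked = sum(1 for v in previous_verdicts if v == "block")
    return max(floor, blocked / len(previous_verdicts))


# Constructed sample data: the engineering baseline ("theoretical" values) for one
# HMI-to-PLC register poll, and three observed flows.
BASELINE = {"s": "10.0.0.5", "rs": 40001, "rt": "holding", "a": "10.0.0.20",
            "wa": "read", "wt": 1000}
WEIGHTS = (1.0, 1.0, 1.0, 1.0, 2.0, 1.0)   # k1..k6; the write/read attribute weighted higher
THRESHOLD = 1.0

SAMPLE_FLOWS = [
    Flow({**BASELINE, "wt": 1050}, 0),                        # normal poll, 5% timing drift
    Flow({**BASELINE, "s": "10.0.0.99", "wa": "write"}, 0),   # unknown host writing the register
    Flow(dict(BASELINE), 3),                                  # correct path, payload recompiled 3x
]


def run(flows=SAMPLE_FLOWS):
    """Judge every flow and return the (verdict, path risk, execution risk) triples
    plus the sampling rate for the next acquisition period."""
    results = [judge(f, BASELINE, WEIGHTS, THRESHOLD) for f in flows]
    return results, sampling_rate([r[0] for r in results])


if __name__ == "__main__":
    results, rate = run()
    for flow, (verdict, rp, rx) in zip(SAMPLE_FLOWS, results):
        print(f"{verdict:5s} path_risk={rp:.4f} exec_risk={rx:.1f} "
              f"{flow.path['s']} -> {flow.path['a']} {flow.path['wa']}")
    print(f"next sampling rate: {rate:.2f}")
```

The page does not say where the theoretical values come from; in practice they are an engineering whitelist or a baseline learned during commissioning, and the weights decide how much a single deviating field (here an unexpected write) can dominate D. Because risk grows with D squared, two moderate deviations score far higher than one, which is the behaviour the text describes but also means the weights and threshold must be tuned together.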
Drawings
FIG. 1 is a system schematic of one embodiment of the present invention.
Detailed Description
Referring to FIG. 1, one embodiment of the present invention comprises:
a data flow acquisition module 1 for acquiring the data flow passing through the firewall;
a data separation module 2 for separating the path information and the execution information contained in the acquired data flow;
a path information analysis module 3 for analyzing the separated path information and assessing its risk;
an execution information analysis module 4 for analyzing the separated execution information and assessing its risk;
and a judging module 5, which determines the risk of the data flow from the analysis results of the path information analysis module 3 and the execution information analysis module 4, blocks further transmission of the data flow if the risk is above a set threshold, and lets the data flow continue if the risk is at or below the threshold.
The protection method of the industrial firewall comprises the following steps:
A. the data flow acquisition module 1 acquires the data flow passing through the firewall;
B. the data separation module 2 separates the acquired data flow into path information and execution information;
C. the path information analysis module 3 analyzes the separated path information and assesses its risk;
D. the execution information analysis module 4 analyzes the separated execution information and assesses its risk;
E. the judging module 5 determines the risk of the data flow from the analysis results of the path information analysis module 3 and the execution information analysis module 4, blocks further transmission of the data flow if the risk is above a set threshold, and lets the data flow continue if the risk is at or below the threshold.
In step C, the theoretical values of the sending address, register address, register type, receiving address, read-write attribute and read-write time of the data flow path are compared with the actual values; the risk is proportional to the square of the contrast deviation, which is calculated by the weighted formula given in the patent (not reproduced here),
where D is the contrast deviation, k1 to k6 are the weighting coefficients, s and s' are the theoretical and actual values of the sending address, rs and rs' the theoretical and actual values of the register address, rt and rt' the theoretical and actual values of the register type, a and a' the theoretical and actual values of the receiving address, wa and wa' the theoretical and actual values of the read-write attribute, and wt and wt' the theoretical and actual values of the read-write time.
In step D, the risk of the execution information is proportional to the number of times it has been compiled.
In step E, whichever of the path information and the execution information carries the higher risk is selected as the determination target, and its risk is compared with the set threshold. In addition, feature values are extracted from the path information and from the execution information of each data flow judged to be high-risk, forming two feature matrices; a set of mapping relations between the two matrices is built and stored in a judgment database. In later judgments, the mapping relation between the path information and the execution information separated in step B is compared with the stored set, and if the similarity exceeds a set threshold the data flow is judged high-risk directly.
In step A, the rate at which the data flow acquisition module 1 samples the data flow passing through the firewall is proportional to the proportion of the data flow in the previous acquisition period whose risk was judged to be above the set threshold.
The thresholds in this embodiment are set by limited testing under actual working conditions.
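The judgment-database short-cut described for step E, as an added example in Python; it is not code from the patent. The page says only that feature values are taken from the path information and the execution information of flows already judged high-risk, that mapping relations between the two are stored, and that a later flow is judged high-risk directly when its similarity to the stored set exceeds a threshold. The feature keys, the representation of a mapping as a (path features, execution features) pair, the Hamming-style similarity and the sample records are all assumptions.

```python
# Feature keys are assumptions; the page does not list them.
PATH_KEYS = ("s", "rs", "rt", "a", "wa")                     # sending addr, register addr,
EXEC_KEYS = ("function", "compile_count", "size_bucket")     # register type, receiving addr, r/w


def path_features(path):
    return tuple(path[k] for k in PATH_KEYS)


def exec_features(execution):
    return tuple(execution[k] for k in EXEC_KEYS)


def similarity(x, y):
    """Fraction of feature positions that agree; 1.0 means identical.
    A Hamming-style score is used for transparency (assumption)."""
    return sum(1 for p, q in zip(x, y) if p == q) / len(x)


class JudgmentDatabase:
    """Holds the mapping relation set: one (path features, execution features)
    pair per data flow that the scoring step already judged high-risk."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.mappings = []

    def learn(self, path, execution):
        pair = (path_features(path), exec_features(execution))
        if pair not in self.mappings:
            self.mappings.append(pair)

    def best_match(self, path, execution):
        """Highest similarity of the incoming pair to any stored pair. Both halves
        must resemble the stored pair, so the two scores are averaged."""
        pf, ef = path_features(path), exec_features(execution)
        best = 0.0
        for stored_path, stored_exec in self.mappings:
            best = max(best, (similarity(pf, stored_path) + similarity(ef, stored_exec)) / 2)
        return best

    def is_known_high_risk(self, path, execution):
        """Short-cut judgment: the flow is high-risk without re-running the
        per-field scoring when it resembles a stored mapping closely enough."""
        return self.best_match(path, execution) >= self.threshold


# Constructed records. HIGH_RISK is a flow the scoring step already blocked: an
# unknown host writing a large, recompiled payload to holding register 40001.
HIGH_RISK = {
    "path": {"s": "10.0.0.99", "rs": 40001, "rt": "holding", "a": "10.0.0.20", "wa": "write"},
    "exec": {"function": "write_multiple", "compile_count": 3, "size_bucket": "large"},
}
# The same attacker one register over: differs from HIGH_RISK in rs only.
QUERY_VARIANT = {"path": {**HIGH_RISK["path"], "rs": 40002}, "exec": dict(HIGH_RISK["exec"])}
# The HMI's normal read poll of the same register.
QUERY_BENIGN = {
    "path": {"s": "10.0.0.5", "rs": 40001, "rt": "holding", "a": "10.0.0.20", "wa": "read"},
    "exec": {"function": "read_holding", "compile_count": 0, "size_bucket": "small"},
}


def build_demo_db(threshold=0.85):
    """Database seeded with the one constructed high-risk mapping."""
    db = JudgmentDatabase(threshold)
    db.learn(HIGH_RISK["path"], HIGH_RISK["exec"])
    return db


if __name__ == "__main__":
    db = build_demo_db()
    for name, q in (("variant", QUERY_VARIANT), ("benign", QUERY_BENIGN)):
        score = db.best_match(q["path"], q["exec"])
        print(f"{name}: similarity={score:.2f} known_high_risk={db.is_known_high_risk(q['path'], q['exec'])}")
```

Two properties worth checking in any real implementation of this step: the short-cut can only raise a verdict to high-risk, never lower one, so a poisoned database produces false positives rather than bypasses; and a position-wise similarity over raw addresses means the same attack replayed from a different source address scores lower than a register-number change, which is why the execution half of the pair is averaged in rather than relying on path features alone.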
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (3)
1. A protection method of an industrial firewall, the firewall comprising:
a data flow acquisition module (1) for acquiring the data flow passing through the firewall;
a data separation module (2) for separating the path information and the execution information contained in the acquired data flow;
a path information analysis module (3) for analyzing the separated path information and assessing its risk;
an execution information analysis module (4) for analyzing the separated execution information and assessing its risk;
a judging module (5), which determines the risk of the data flow from the analysis results of the path information analysis module (3) and the execution information analysis module (4), blocks further transmission of the data flow if the risk is above a set threshold, and lets the data flow continue if the risk is at or below the threshold;
the method being characterized by the following steps:
A. the data flow acquisition module (1) acquires the data flow passing through the firewall;
B. the data separation module (2) separates the acquired data flow into path information and execution information;
C. the path information analysis module (3) analyzes the separated path information and assesses its risk;
the theoretical values of the sending address, register address, register type, receiving address, read-write attribute and read-write time of the data flow path are compared with the actual values; the risk is proportional to the square of the contrast deviation, which is calculated by the weighted formula given in the patent (not reproduced here),
where D is the contrast deviation, k1 to k6 are the weighting coefficients, s and s' are the theoretical and actual values of the sending address, rs and rs' the theoretical and actual values of the register address, rt and rt' the theoretical and actual values of the register type, a and a' the theoretical and actual values of the receiving address, wa and wa' the theoretical and actual values of the read-write attribute, and wt and wt' the theoretical and actual values of the read-write time;
D. the execution information analysis module (4) analyzes the separated execution information and assesses its risk; the risk of the execution information is proportional to the number of times it has been compiled;
E. the judging module (5) determines the risk of the data flow from the analysis results of the path information analysis module (3) and the execution information analysis module (4), blocks further transmission of the data flow if the risk is above a set threshold, and lets the data flow continue if the risk is at or below the threshold.
2. The protection method of the industrial firewall according to claim 1, wherein: in step E, whichever of the path information and the execution information carries the higher risk is selected as the determination target, and its risk is compared with the set threshold.
3. The protection method of the industrial firewall according to claim 1, wherein: in step A, the rate at which the data flow acquisition module (1) samples the data flow passing through the firewall is proportional to the proportion of the data flow in the previous acquisition period whose risk was judged to be above the set threshold.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810633168.4A CN108718322B (en) | 2018-06-20 | 2018-06-20 | Industrial firewall and protection method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810633168.4A CN108718322B (en) | 2018-06-20 | 2018-06-20 | Industrial firewall and protection method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108718322A CN108718322A (en) | 2018-10-30 |
CN108718322B true CN108718322B (en) | 2021-04-09 |
Family
ID=63913149
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810633168.4A Active CN108718322B (en) | 2018-06-20 | 2018-06-20 | Industrial firewall and protection method thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108718322B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101184088A (en) * | 2007-12-14 | 2008-05-21 | 浙江工业大学 | Multi-point interlinked LAN firewall cooperating method |
CN103067437A (en) * | 2011-10-08 | 2013-04-24 | 美国博通公司 | Ad hoc social networking |
CN104378387A (en) * | 2014-12-09 | 2015-02-25 | 浪潮电子信息产业股份有限公司 | Virtual platform information security protection method |
CN108009241A (en) * | 2017-11-30 | 2018-05-08 | 昆山青石计算机有限公司 | A kind of industrial Internet of Things safe polymeric correlating method based on PSO parameter optimizations |
CN108092979A (en) * | 2017-12-20 | 2018-05-29 | 国家电网公司 | A kind of firewall policy processing method and processing device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170359306A1 (en) * | 2016-06-10 | 2017-12-14 | Sophos Limited | Network security |
Events
- 2018-06-20: application CN201810633168.4A filed in China; published and granted as CN108718322B (status: Active)
Also Published As
Publication number | Publication date |
---|---|
CN108718322A (en) | 2018-10-30 |
Similar Documents
Publication | Title |
---|---|
CN106888205B (en) | Non-invasive PLC anomaly detection method based on power consumption analysis |
EP2860937B1 (en) | Log analysis device, method, and program |
US10261502B2 (en) | Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model |
Terai et al. | Cyber-attack detection for industrial control system monitoring with support vector machine based on communication profile |
CN107204975B (en) | Industrial control system network attack detection technology based on scene fingerprints |
US11270218B2 (en) | Mapper component for a neuro-linguistic behavior recognition system |
US11811788B2 (en) | Method of threat detection in a computer network security system |
EP3230891A1 (en) | Perceptual associative memory for a neuro-linguistic behavior recognition system |
CN111224973A (en) | Network attack rapid detection system based on industrial cloud |
CN111970229A (en) | CAN bus data anomaly detection method aiming at multiple attack modes |
CN117220920A (en) | Firewall policy management method based on artificial intelligence |
CN114338188A (en) | Malicious software intelligent cloud detection system based on process behavior sequence fragmentation |
CN108718322B (en) | Industrial firewall and protection method thereof |
CN117072460B (en) | Centrifugal pump state monitoring method based on vibration data and expert experience |
CN112153076A (en) | Computer network safety intrusion detection system |
CN112637118A (en) | Flow analysis implementation method based on internal and external network drainage abnormity |
CN108650235B (en) | Intrusion detection device and detection method thereof |
CN117648689B (en) | Automatic response method for industrial control host safety event based on artificial intelligence |
CN112949743B (en) | Credibility judgment method and system for network operation and maintenance operation and electronic equipment |
CN112910688B (en) | OCSVM model-based communication behavior abnormal parallel detection method and system under HJ212 protocol |
CN115333874B (en) | Industrial terminal host monitoring method |
CN111191241B (en) | Situation awareness-based major activity guaranteeing method and device |
CN115022097B (en) | Public information safety monitoring method and system |
CN118054939A (en) | Vehicle-mounted network security threat detection method and system based on multi-feature fusion |
CN106992992B (en) | Trojan horse detection method based on communication behaviors |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |