CN109164786B - Abnormal behavior detection method, device and equipment based on time-dependent baseline - Google Patents


Info

Publication number
CN109164786B
Authority
CN
China
Prior art keywords
data
baseline
real
time
expected
Legal status
Active
Application number
CN201810973981.6A
Other languages
Chinese (zh)
Other versions
CN109164786A (en)
Inventor
张振雄
范渊
张�浩
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN201810973981.6A
Publication of CN109164786A
Application granted
Publication of CN109164786B
Active legal-status (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults

Abstract

The application discloses an abnormal behavior detection method, device and equipment based on time-dependent baseline, which are applied to an industrial control network and comprise the following steps: acquiring real-time detection data in a current preset time period; comparing the real-time detection data with an expected network baseline to obtain a comparison result; judging whether the industrial control network is abnormal or not by using the comparison result; the expected network baseline is data obtained by predicting detection data in the current preset time period by using historical detection data in the historical preset time period. Therefore, whether the industrial control network is abnormal or not is judged by comparing the real-time detection data with the expected network baseline, the problems that the existing industrial control system cannot judge network abnormality and user behavior abnormality are solved, and the safety of the industrial control network is improved; in addition, the invention can accurately judge the abnormal behavior with the time rule by utilizing the expected network baseline based on the preset time period, thereby reducing the false alarm rate caused by time correlation.

Description

Abnormal behavior detection method, device and equipment based on time-dependent baseline
Technical Field
The invention relates to the technical field of industrial control networks, in particular to an abnormal behavior detection method, device and equipment based on a time-dependent baseline.
Background
In recent years, with the development of information technology, industrial control networks have become more exposed to exploitable vulnerabilities because of their openness, in addition to misoperation by employees. Since incidents such as Stuxnet, attacks on industrial control networks have grown more frequent: the normal operation of the industrial control system is disrupted and industrial information is stolen, so the information security of industrial control draws increasing attention. However, because there is no single detection indicator that can be relied upon entirely, detecting anomalies in an industrial control system has become more difficult.
In the prior art, detection in an industrial control system is usually aimed only at the pulse frequency and pulse size transmitted in the system; network anomalies, user behavior anomalies and the like cannot be judged, and this approach produces misjudgments because of data traffic peaks in different time periods. Therefore, how to address the security problem of the industrial control network and reduce the false alarm rate of abnormal behavior detection is an important concern for those skilled in the art.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method, an apparatus, and a device for detecting abnormal behavior based on a time-dependent baseline, which are used to solve the problem that the prior art cannot determine network abnormality and user behavior abnormality, and avoid misdetermination caused by a time-dependent data traffic peak. The specific scheme is as follows:
in a first aspect, the invention discloses an abnormal behavior detection method based on a time-dependent baseline, which is applied to an industrial control network and comprises the following steps:
acquiring real-time detection data in a current preset time period; the real-time detection data is data obtained after the industrial control network is detected;
comparing the real-time detection data with an expected network baseline to obtain a comparison result; the expected network baseline is obtained by predicting the detection data in the current preset time period by using historical detection data in the historical preset time period;
and judging whether the industrial control network is abnormal or not by using the comparison result.
Optionally, the acquiring real-time detection data in the current preset time period includes:
and acquiring real-time network traffic data, real-time user behavior data and real-time process control behavior data in the current preset time period.
Optionally, before comparing the real-time detection data with the expected network baseline, the method further includes:
acquiring the expected network baseline in a real-time data generation mode or a pre-generated data reading mode;
wherein the process of generating the expected network baseline comprises:
predicting the network traffic data in the current preset time period by using the historical network traffic data in the historical preset time period to obtain an expected network traffic baseline;
predicting the user behavior data in the current preset time period by using the historical user behavior data in the historical preset time period to obtain an expected user behavior baseline;
and predicting the process control behavior data in the current preset time period by using the historical process control behavior data in the historical preset time period to obtain an expected process control behavior baseline.
Optionally, the comparing the real-time detection data with the expected network baseline to obtain a comparison result includes:
comparing the real-time network traffic data to the expected network traffic baseline;
and if the real-time network traffic data conforms to the expected network traffic baseline, determining the comparison result as that the current data conforms to the prediction.
Optionally, the comparing the real-time network traffic data with the expected network traffic baseline further includes:
if the real-time network traffic data does not conform to the expected network traffic baseline, comparing the real-time user behavior data with the expected user behavior baseline;
and if the real-time user behavior data conforms to the expected user behavior baseline, determining the comparison result as that the current data conforms to the prediction.
Optionally, the comparing the real-time user behavior data with the expected user behavior baseline further includes:
if the real-time user behavior data does not conform to the expected user behavior baseline, comparing the real-time process control behavior data with the expected process control behavior baseline;
and if the real-time process control behavior data conforms to the expected process control behavior baseline, determining that the comparison result is that the current data conforms to the prediction.
Optionally, the comparing the real-time process control behavior data with the expected process control behavior baseline further includes:
and if the real-time process control behavior data does not conform to the expected process control behavior baseline, determining that the comparison result is that the current data does not conform to the prediction.
Optionally, the determining, by using the comparison result, whether the industrial control network is abnormal includes:
if the comparison result is that the current data does not conform to the prediction, judging that the industrial control network is abnormal, giving an alarm, and sending the data anomaly information to an administrator;
and if the comparison result is that the current data conforms to the prediction, judging that the industrial control network is normal, and recording the time and operation behavior of the relevant events.
In a second aspect, the present invention discloses an abnormal behavior detection apparatus based on a time-dependent baseline, which is applied to an industrial control network, and includes:
the data acquisition module is used for acquiring real-time detection data in a current preset time period; the real-time detection data is data obtained after the industrial control network is detected;
the data comparison module is used for comparing the real-time detection data with an expected network baseline to obtain a comparison result; the expected network baseline is obtained by predicting the detection data in the current preset time period by using historical detection data in the historical preset time period;
and the abnormity judgment module is used for judging whether the industrial control network is abnormal or not by utilizing the comparison result.
In a third aspect, the present invention discloses an abnormal behavior detection device based on a time-dependent baseline, which is applied to an industrial control network, and is characterized by comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the above disclosed abnormal behavior detection method.
In summary, the real-time detection data in the current preset time period is acquired; the real-time detection data is compared with an expected network baseline to obtain a comparison result; and the comparison result is used to judge whether the industrial control network is abnormal, where the real-time detection data is the data obtained by detecting the industrial control network and the expected network baseline is the data obtained by predicting the detection data in the current preset time period from the historical detection data in the historical preset time period. The method and device therefore judge whether the current industrial control network is abnormal by comparing real-time detection data with an expected network baseline, which solves the problem that existing industrial control systems cannot judge network anomalies and user behavior anomalies and improves the security of the industrial control network. Moreover, because the expected network baseline is predicted for the current preset time period from the historical detection data of the same historical preset time period, abnormal behavior that follows a time pattern can be judged accurately, and the misjudgment rate caused by time-correlated data traffic peaks is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a method for detecting abnormal behavior based on a time-dependent baseline according to the present disclosure;
FIG. 2 is a flowchart of a specific method for detecting abnormal behavior based on a time-dependent baseline according to the present disclosure;
FIG. 3 is a schematic structural diagram of an abnormal behavior detection apparatus based on a time-dependent baseline according to the present disclosure;
FIG. 4 is a schematic diagram of a hardware structure of an abnormal behavior detection device based on a time-dependent baseline according to the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, no detection mark which can be completely relied on exists in the detection of the industrial control system, so that the industrial control system cannot judge network abnormality and user behavior abnormality, and misjudgment can be generated due to the influence of data traffic peaks in different time periods. By the technical scheme disclosed by the invention, the detection of the network abnormal behavior in the industrial control system can be realized, the misjudgment rate is reduced, and the safety of the industrial control system is improved.
The embodiment of the invention discloses an abnormal behavior detection method based on a time-dependent baseline, which is applied to an industrial control network and is shown in figure 1, and the method comprises the following steps:
step S101: acquiring real-time detection data in a current preset time period; the real-time detection data is data obtained after the industrial control network is detected;
in this embodiment, the real-time detection data in the current preset time period is acquired, and the real-time network traffic data, the real-time user behavior data, and the real-time process control behavior data may be acquired by collecting data in the program log, the network monitor, and/or the application monitor. The preset time period is a time period required to be detected, and can be set according to actual service conditions, which does not influence the implementation of the invention.
It should be noted that the real-time network traffic data includes any one or any combination of the following: total number of source IP addresses, total number of destination IP addresses, total number of TCP/UDP ports, network capacity and traffic duration; the real-time user behavior data includes any one or any combination of the following: total number of active (surviving) users, total number of login/logout users and the login/logout operations executed by users; the real-time process control behavior data includes any one or any combination of the following: total number of function codes, total number of characters per function code segment and total number of configuration changes.
Specifically, the real-time network traffic data can be acquired by capturing packets with a network probe or by reading the traffic logs of network switches/routers; the real-time user behavior data can be acquired by collecting application logs, database logs and the records of the identity authentication process; the real-time process control behavior data can be obtained by identifying historical tags or by collecting data from an industrial control system protocol monitor/application monitor.
Step S102: comparing the real-time detection data with an expected network baseline to obtain a comparison result; the expected network baseline is obtained by predicting the detection data in the current preset time period by using historical detection data in the historical preset time period;
it should be noted that, before comparing the real-time detection data with the expected network baseline, the embodiment also obtains the expected network baseline in a manner of generating data in real time or reading pre-generated data.
In one embodiment, the expected network baseline is generated in real time by using historical detection data within the preset time period before each comparison between the real-time detection data and the expected network baseline. In another specific embodiment, the expected network baseline is generated by using historical detection data in the preset time period in advance, and the pre-generated expected network baseline data is directly acquired in the subsequent detection process, wherein the expected network baseline is only generated once and can be reused later, so that the working time is saved, and the detection efficiency is further improved.
In this embodiment, comparing the real-time detection data with an expected network baseline to obtain a comparison result specifically includes: comparing whether the real-time detection data is consistent with an expected network baseline or not, and if so, determining that the comparison result is that the current data is consistent with prediction; if not, determining that the comparison result is that the current data does not accord with the prediction.
It is understood that the expected network baseline based on the time-dependent baseline can be set based on different time rules for different service scenarios and system situations in the implementation process. For example, considering that the login times of the employee in the morning of monday are far greater than the login times of weekends, the working day can be used as a preset time period to obtain historical detection data corresponding to the working day, so as to obtain a working day expected network baseline; or taking the weekend as a preset time period, acquiring historical detection data corresponding to the weekend, and further obtaining an expected network baseline of the weekend. When the real-time detection data is acquired, firstly, judging whether the time period of the real-time detection data is weekend or working day; if the time period of the real-time detection data is weekend, comparing the real-time detection data with a corresponding weekend expected network baseline; if the time period of the real-time detection data is a working day, comparing the real-time detection data with the corresponding expected network baseline of the working day, and adopting the expected network baseline in the time period corresponding to the data with different time rules as a judgment standard, so that the phenomenon of false alarm can be effectively reduced, and the abnormal behavior with the time rules can be accurately judged.
Specifically, when comparing whether the real-time detection data conforms to the expected network baseline, the determination may be made according to a preset conforming range, which represents the tolerated degree of deviation of the real-time detection data from the expected network baseline. In practice, the preset conforming range can be set in advance, manually or by the system, according to the required detection precision: if high precision of abnormal behavior detection is required, the preset conforming range can be set small; if low precision is acceptable, it can be set large. It will be understood that where higher detection precision is required, the preset conforming range can be set smaller to further guarantee the precision of the detection result; it should not be set too large, and should remain within the allowable error range.
Step S103: and judging whether the industrial control network is abnormal or not by using the comparison result.
In this embodiment, if the comparison result indicates that the current data conforms to the prediction, it indicates that the current industrial control network is normal, and at this time, the time and the operation behavior of the current relevant event are recorded to generate a log; if the comparison result is that the current data are not in accordance with the prediction, the current industrial control network is abnormal, and at the moment, a warning is sent out and a log is generated.
Specifically, after the comparison result is judged that the current data is not in accordance with the prediction, a warning is given out and a log is generated, the information of the log can be correlated and compared with the information of the event in the system safety equipment, so that accurate data abnormal information is further obtained and sent to an administrator.
The embodiment of the invention discloses a specific abnormal behavior detection method, which comprises the following steps:
step S201: acquiring real-time detection data in a current preset time period; the real-time detection data is data obtained after the industrial control network is detected;
for details of the step S201, reference may be made to the foregoing embodiments, and details are not repeated herein.
Step S202: predicting the detection data in the current preset time period by using historical detection data in the historical preset time period to obtain an expected network baseline;
In this embodiment, the expected network baseline may be obtained from the historical detection data as follows: the historical detection data of the same preset time period in several different historical production periods is sampled and computed to obtain a preliminary baseline behavior; the detection data in the current preset time period is then predicted on the basis of actual conditions, the baseline behavior is adjusted accordingly, and the final expected network baseline is obtained. The actual conditions may include environmental changes, equipment parameters and other factors that can affect the baseline behavior.
Specifically, the embodiment samples and computes the historical network traffic data of the same preset time period in several different historical production periods to obtain a preliminary network traffic baseline behavior, predicts the network traffic data in the current preset time period on the basis of actual conditions, adjusts the network traffic baseline behavior, and obtains the final expected network traffic baseline.
In addition, in the embodiment of the present invention the expected user behavior baseline is obtained from the historical user behavior data in the historical preset time period, and the expected process control behavior baseline is obtained from the historical process control behavior data in the historical preset time period. Both processes are similar to obtaining the expected network traffic baseline from the historical network traffic data, so reference may be made to the step of generating the expected network traffic baseline, which is not described again here.
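The baseline generation of step S202 and the time-rule selection and preset conforming range described under step S102, worked through as an added Python example; this is illustration code written for this page, not code from the patent or its assignee. The metric names, the sample values, the weekday/weekend time rule, the relative-deviation form of the conforming range and the per-metric adjustment factors are all assumptions made here.

```python
"""Added example (not from the patent): build a time-dependent expected network baseline
from historical detection data of several production periods, select the baseline that
matches the current time period, and compare real-time data within a preset conforming range.
Metric names, sample values and the weekday/weekend rule are constructed for illustration."""
from datetime import datetime
from statistics import mean

# The five real-time network traffic quantities named in the description.
METRICS = ("src_ip_total", "dst_ip_total", "port_total", "network_capacity", "traffic_duration")


def time_rule(ts: datetime) -> str:
    """Preset time period a sample belongs to: a working day or the weekend (assumed rule)."""
    return "weekend" if ts.weekday() >= 5 else "workday"


def build_baselines(history, adjustment=None):
    """Sample the historical detection data of each time period across production periods,
    average every metric into a preliminary baseline behaviour, then scale it by optional
    per-metric adjustment factors (environment changes, equipment parameters) to obtain the
    final expected network baseline for that time period."""
    adjustment = adjustment or {}
    buckets = {}
    for ts, sample in history:
        per_metric = buckets.setdefault(time_rule(ts), {m: [] for m in METRICS})
        for m in METRICS:
            per_metric[m].append(sample[m])
    return {
        rule: {m: mean(vals) * adjustment.get(m, 1.0) for m, vals in per_metric.items()}
        for rule, per_metric in buckets.items()
    }


def conforms(actual, expected, tolerance):
    """Preset conforming range, expressed here as the allowed relative deviation from the baseline.
    A zero baseline tolerates only a zero reading, so a metric that is never seen in the
    historical period cannot pass by accident."""
    if expected == 0:
        return actual == 0
    return abs(actual - expected) / abs(expected) <= tolerance


def compare(sample, baselines, ts, tolerance):
    """Select the baseline of the sample's own time period and check every metric against it."""
    base = baselines[time_rule(ts)]
    return {m: conforms(sample[m], base[m], tolerance) for m in METRICS}


# Constructed history: two working days and two weekend days from earlier production periods.
HISTORY = [
    (datetime(2023, 1, 2, 9), dict(zip(METRICS, (120, 40, 30, 800, 3600)))),  # Monday
    (datetime(2023, 1, 3, 9), dict(zip(METRICS, (130, 44, 32, 840, 3600)))),  # Tuesday
    (datetime(2023, 1, 7, 9), dict(zip(METRICS, (20, 10, 8, 100, 600)))),     # Saturday
    (datetime(2023, 1, 8, 9), dict(zip(METRICS, (24, 12, 8, 120, 600)))),     # Sunday
]
# Constructed real-time sample: ordinary Monday-morning traffic.
MONDAY_SAMPLE = dict(zip(METRICS, (128, 41, 31, 830, 3600)))
MONDAY_TS = datetime(2023, 1, 9, 9)     # the sample's real time period (a working day)
SATURDAY_TS = datetime(2023, 1, 14, 9)  # a weekend timestamp, to show the wrong baseline in use


def evaluate(sample, ts, tolerance=0.1):
    """True when every metric conforms to the baseline of the sample's time period."""
    return all(compare(sample, build_baselines(HISTORY), ts, tolerance).values())


if __name__ == "__main__":
    bl = build_baselines(HISTORY)
    print("workday baseline:", bl["workday"])
    print("weekend baseline:", bl["weekend"])
    # The same reading judged against the matching and the mismatched time period.
    print("Monday sample vs workday baseline:", evaluate(MONDAY_SAMPLE, MONDAY_TS))
    print("Monday sample vs weekend baseline:", evaluate(MONDAY_SAMPLE, SATURDAY_TS))
```

Running the block shows the point the description makes about time rules: the Monday reading conforms to the working-day baseline at a 10 % conforming range, while the same reading judged against the weekend baseline deviates on every metric. A single baseline averaged over all days would sit between the two and raise exactly the time-correlated false alarms the patent sets out to avoid.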
Step S203: comparing the real-time detection data with an expected network baseline to obtain a comparison result;
step S204: and judging whether the industrial control network is abnormal or not by using the comparison result.
For the details of the steps S203 and S204, reference may be made to the foregoing embodiments, and details are not repeated here.
The embodiment of the invention discloses a specific abnormal behavior detection method, which comprises the following steps:
step S301: acquiring real-time network traffic data, real-time user behavior data and real-time process control behavior data in a current preset time period;
step S302: reading a pre-generated expected network traffic baseline, an expected user behavior baseline and an expected process control behavior baseline;
for the details of the steps S301 and S302, reference may be made to the foregoing embodiments, and details are not repeated here.
Step S303: comparing the real-time network traffic data to the expected network traffic baseline;
step S304: if the real-time network traffic data conforms to the expected network traffic baseline, determining a comparison result as that the current data conforms to prediction, and if the real-time network traffic data does not conform to the expected network traffic baseline, comparing the real-time user behavior data with the expected user behavior baseline;
if the real-time user behavior data conforms to the expected user behavior baseline, determining a comparison result as that the current data conforms to prediction, and if the real-time user behavior data does not conform to the expected user behavior baseline, comparing the real-time process control behavior data with the expected process control behavior baseline;
and if the real-time process control behavior data does not accord with the expected process control behavior baseline, determining that the comparison result is that the current data does not accord with the prediction.
Step S305: and judging whether the industrial control network is abnormal or not by using the comparison result.
As shown in fig. 2, in this embodiment the real-time detection data is not compared in full against every expected baseline at once; instead, the real-time network traffic data is compared with the expected network traffic baseline first, and it is then determined whether the real-time network traffic data conforms to that baseline. If the real-time network traffic data conforms to the expected network traffic baseline, no abnormal operation has occurred in the current industrial control network; the real-time user behavior data and the real-time process control behavior data are not examined further, the time and operation behavior of the current relevant event are recorded, the detection ends, and the next detection round begins.
If the real-time network traffic data does not conform to the expected network traffic baseline, this is taken as a sign of abnormal operation in the current industrial control network, and detection continues by comparing the real-time user behavior data with the expected user behavior baseline. If the real-time user behavior data conforms to the expected user behavior baseline, no abnormal operation has occurred in the current industrial control network; the time and operation behavior of the current relevant event are recorded, the detection ends, and the next detection round begins.
If the real-time user behavior data does not conform to the expected user behavior baseline, the data anomaly may be due to abnormal operation in the current industrial control network, and detection continues by comparing the real-time process control behavior data with the expected process control behavior baseline. If the real-time process control behavior data conforms to the expected process control behavior baseline, no abnormal operation has occurred in the current industrial control network; the time and operation behavior of the current relevant event are recorded, the detection ends, and the next detection round begins.
If the real-time process control behavior data does not conform to the expected process control behavior baseline, abnormal operation has occurred in the current industrial control network and the data is abnormal; a warning is issued and the data anomaly information is sent to the administrator.
The embodiment of the invention discloses a specific abnormal behavior detection method, which comprises the following steps:
step S401: acquiring historical network traffic data, historical user behavior data and historical process control behavior data of the same preset time period in different production periods;
step S402: predicting the detection data in the current preset time period by using the historical network traffic data, historical user behavior data and historical process control behavior data to obtain an expected network baseline;
step S402: comparing each item of data obtained by actual detection with the expected network baseline;
step S403: detecting whether the total number of IP addresses conforms to the expected network baseline stored in the database; if so, recording the time and operation of the event and continuing with the next detection; if not, on the assumption that the traffic is not the result of normal staff operation, locating the device with abnormal traffic from the acquired data and checking whether an unauthorized business operation has occurred in the network;
step S404: detecting whether the number of active users on the device conforms to the baseline stored in the database; if so, recording the time and operation of the event and continuing with the next detection; if not, checking the management log for the suspect user and judging whether that user passed through the system's authentication process and whether abnormal operations such as theft of an administrator account or illegitimate use by an attacker have occurred;
step S405: detecting a protocol monitor of the device, detecting whether the function codes in the device accord with a base line in a database, if so, recording the time and operation of an event, and continuing to detect the next time; if not, alarming abnormal behavior and sending data abnormality to an administrator;
step S406: and collecting logs in the safety equipment, carrying out comparison and association on events of the system safety equipment, and sending the generated abnormal data to an administrator.
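The procedure in steps S401 to S406 above, and the same cascaded comparison the processor carries out later in this description (traffic first, then user behavior, then process-control function codes, with an alarm only when all three deviate), as an added Python example. This is illustration code written for this page, not the patent's or DBAPPSecurity's implementation. The patent does not say how "accords with the baseline" is decided, so the tolerance of k standard deviations around the per-slot mean, the minimum tolerance, the metric names (`ip_count`, `active_users`, `function_codes`), the function names and the sample history are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Added illustration of the time-dependent baseline method; names, thresholds
# and sample data are constructed and are not taken from the patent.


@dataclass
class Observation:
    """Detection data for one preset time slot of the industrial control network."""
    ip_count: int             # distinct IP addresses seen (network traffic metric)
    active_users: int         # users active on the device (user behaviour metric)
    function_codes: Set[int]  # protocol function codes seen (process control behaviour)


@dataclass
class Baseline:
    """Expected values for one time slot, predicted from the same slot in past cycles."""
    ip_mean: float
    ip_tol: float
    user_mean: float
    user_tol: float
    allowed_codes: Set[int]


def build_baseline(history: List[Dict[str, Observation]], slot: str,
                   k: float = 2.0, min_tol: float = 1.0) -> Baseline:
    """Steps S401/S402: use the same preset time slot from every historical
    production cycle to predict what the current slot should look like.
    Tolerance is k standard deviations but never below min_tol (assumption:
    the patent does not define how 'accords with the baseline' is decided)."""
    samples = [cycle[slot] for cycle in history if slot in cycle]
    if not samples:
        raise ValueError(f"no historical data for slot {slot!r}")
    ips = [s.ip_count for s in samples]
    users = [s.active_users for s in samples]
    codes: Set[int] = set().union(*(s.function_codes for s in samples))
    return Baseline(mean(ips), max(k * pstdev(ips), min_tol),
                    mean(users), max(k * pstdev(users), min_tol), codes)


def within(value: float, center: float, tol: float) -> bool:
    return abs(value - center) <= tol


def compare(rt: Observation, bl: Baseline) -> Tuple[bool, List[str]]:
    """Steps S403-S405: compare traffic first; only if it deviates check user
    behaviour; only if that deviates too check the function codes.
    Returns (conforms_to_prediction, deviations seen along the way)."""
    notes: List[str] = []
    if within(rt.ip_count, bl.ip_mean, bl.ip_tol):
        return True, notes
    notes.append(f"ip_count {rt.ip_count} outside {bl.ip_mean:.1f}+/-{bl.ip_tol:.1f}")
    if within(rt.active_users, bl.user_mean, bl.user_tol):
        return True, notes
    notes.append(f"active_users {rt.active_users} outside {bl.user_mean:.1f}+/-{bl.user_tol:.1f}")
    unexpected = set(rt.function_codes) - bl.allowed_codes
    if not unexpected:
        return True, notes
    notes.append(f"unexpected function codes {sorted(unexpected)}")
    return False, notes


def detect(history: List[Dict[str, Observation]], slot: str, rt: Observation) -> Dict[str, object]:
    """Judge the network abnormal and raise an alarm when the comparison result
    does not match the prediction; otherwise record the event as normal.
    Deviations overridden by a later stage are kept in 'notes' so an analyst can
    still review them (a design choice added here, not stated in the patent)."""
    conforms, notes = compare(rt, build_baseline(history, slot))
    return {"slot": slot, "verdict": "normal" if conforms else "abnormal",
            "alarm": not conforms, "notes": notes}


# Constructed history: three production cycles, same 08:00 slot in each.
SAMPLE_HISTORY = [
    {"08:00": Observation(10, 3, {3, 16})},
    {"08:00": Observation(11, 3, {3, 16})},
    {"08:00": Observation(10, 4, {3})},
]

if __name__ == "__main__":
    # Traffic and user count both deviate and an unseen function code appears:
    # this is the only path that ends in an alarm.
    print(detect(SAMPLE_HISTORY, "08:00", Observation(25, 9, {3, 6})))
```

Note that, following the description, a traffic deviation alone does not produce an alarm: if the user behavior for the slot still matches its baseline the event is recorded as normal. The retained `notes` list is what lets an operator see that the earlier stage fired, which the patent's own flow would otherwise discard.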
In addition, an embodiment of the present invention further discloses an abnormal behavior detection apparatus based on a time-dependent baseline, which is applied to an industrial control network, and as shown in fig. 3, the apparatus includes:
a data obtaining module 100, configured to obtain real-time detection data in a current preset time period; the real-time detection data is data obtained after the industrial control network is detected;
the data comparison module 200 is configured to compare the real-time detection data with an expected network baseline to obtain a comparison result; the expected network baseline is obtained by predicting the detection data in the current preset time period by using historical detection data in the historical preset time period;
and an anomaly determination module 300, configured to determine whether the industrial control network is abnormal by using the comparison result.
The abnormal behavior detection apparatus of this embodiment is used to implement the foregoing abnormal behavior detection method, so that the specific implementation manner of the abnormal behavior detection apparatus may refer to the description of each partial embodiment of the foregoing abnormal behavior detection method, and is not described herein again.
In addition, the embodiment of the invention also discloses an industrial control system which comprises the abnormal behavior detection device.
In addition, the embodiment of the present invention further discloses an abnormal behavior detection device, which includes a processor 11 and a memory 12, wherein when the processor 11 executes a computer program stored in the memory 12, the following steps are implemented:
acquiring real-time detection data in a current preset time period; the real-time detection data is data obtained after the industrial control network is detected; comparing the real-time detection data with an expected network baseline to obtain a comparison result; the expected network baseline is obtained by predicting the detection data in the current preset time period by using historical detection data in the historical preset time period; and judging whether the industrial control network is abnormal or not by using the comparison result.
In this embodiment, when the processor 11 executes the computer program stored in the memory 12, the following steps may be specifically implemented: and acquiring real-time network flow data, real-time user behavior data and real-time process control behavior data in a current preset time period.
In this embodiment, when the processor 11 executes the computer program stored in the memory 12, the following steps may be specifically implemented: predicting the network traffic data in the current preset time period by using the historical network traffic data in the historical preset time period to obtain an expected network traffic baseline; predicting the user behavior data in the current preset time period by using the historical user behavior data in the historical preset time period to obtain an expected user behavior baseline; and predicting the process control behavior data in the current preset time period by using the historical process control behavior data in the historical preset time period to obtain an expected process control behavior baseline.
In this embodiment, when the processor 11 executes the computer program stored in the memory 12, the following steps may be specifically implemented: comparing the real-time network traffic data to the expected network traffic baseline; and if the real-time network traffic data conforms to the expected network traffic baseline, determining the comparison result as that the current data conforms to the prediction.
In this embodiment, when the processor 11 executes the computer program stored in the memory 12, the following steps may be specifically implemented: if the real-time network traffic data does not conform to the expected network traffic baseline, comparing the real-time user behavior data with the expected user behavior baseline; and if the real-time user behavior data conforms to the expected user behavior baseline, determining the comparison result as that the current data conforms to the prediction.
In this embodiment, when the processor 11 executes the computer program stored in the memory 12, the following steps may be specifically implemented: if the real-time user behavior data does not conform to the expected user behavior baseline, comparing the real-time process control behavior data with the expected process control behavior baseline; and if the real-time process control behavior data conforms to the expected process control behavior baseline, determining that the comparison result is that the current data conforms to the prediction.
In this embodiment, when the processor 11 executes the computer program stored in the memory 12, the following steps may be specifically implemented: and if the real-time process control behavior data does not conform to the expected process control behavior baseline, determining that the comparison result is that the current data does not conform to the prediction.
In this embodiment, when the processor 11 executes the computer program stored in the memory 12, the following steps may be specifically implemented: if the comparison result is that the current data does not conform to the prediction, judging that the industrial control network is abnormal, giving an alarm, and sending the data abnormality to an administrator; and if the comparison result is that the current data are in accordance with the prediction, judging that the industrial control network is normal, and recording the time and the operation behavior of the relevant events.
Further, referring to fig. 4, the abnormal behavior detection apparatus in this embodiment may further include:
the input interface 13 is configured to obtain a computer program imported from the outside, store the obtained computer program in the memory 12, and also be configured to obtain various instructions and parameters transmitted by an external terminal device, and transmit the instructions and parameters to the processor 11, so that the processor 11 performs corresponding processing by using the instructions and parameters. In this embodiment, the input interface 13 may specifically include, but is not limited to, a USB interface, a serial interface, a voice input interface, a fingerprint input interface, a hard disk reading interface, and the like.
And an output interface 14, configured to output various data generated by the processor 11 to a terminal device connected thereto, so that other terminal devices connected to the output interface 14 can acquire various data generated by the processor 11. In this embodiment, the output interface 14 may specifically include, but is not limited to, a USB interface, a serial interface, and the like.
The communication unit 15 is configured to establish a remote communication connection with an external server, acquire data sent by an external terminal, and send the data to the processor 11 for processing and analysis, and in addition, the processor 11 may also send various results obtained after processing to preset various data receiving terminals through the communication unit 15.
And a display unit 16 for displaying the data sent by the processor 11.
In addition, an embodiment of the present invention further discloses a computer-readable storage medium for storing a computer program, wherein when the computer program is executed by a processor, the steps of the abnormal behavior detection method disclosed in the foregoing embodiments are implemented.
For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The industrial control system and the abnormal behavior detection method, apparatus, device and medium based on a time-dependent baseline provided by the invention have been described in detail above. A specific example has been used in the text to explain the principle and implementation of the invention, and the description of the above example is intended only to help in understanding the method and the core idea of the invention. Meanwhile, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as a limitation of the present invention.

Claims (8)

1. An abnormal behavior detection method based on time-dependent baseline is applied to an industrial control network, and is characterized by comprising the following steps:
acquiring real-time detection data in a current preset time period; the real-time detection data is data obtained after the industrial control network is detected;
comparing the real-time detection data with an expected network baseline to obtain a comparison result; the expected network baseline is obtained by predicting the detection data in the current preset time period by using historical detection data in the historical preset time period;
judging whether the industrial control network is abnormal or not by using the comparison result;
the acquiring of the real-time detection data in the current preset time period includes:
acquiring real-time network flow data, real-time user behavior data and real-time process control behavior data in a current preset time period;
the comparing the real-time detection data with an expected network baseline to obtain a comparison result comprises:
reading a pre-generated expected network traffic baseline, an expected user behavior baseline and an expected process control behavior baseline;
comparing the real-time network traffic data to the expected network traffic baseline;
if the real-time network traffic data does not conform to the expected network traffic baseline, comparing the real-time user behavior data with the expected user behavior baseline;
and if the real-time user behavior data conforms to the expected user behavior baseline, determining the comparison result as that the current data conforms to the prediction.
2. The abnormal behavior detection method of claim 1, further comprising, prior to the comparing the real-time detection data to the expected network baseline:
acquiring the expected network baseline in a real-time data generation mode or a pre-generated data reading mode;
wherein the process of generating the expected network baseline comprises:
predicting the network traffic data in the current preset time period by using the historical network traffic data in the historical preset time period to obtain an expected network traffic baseline;
predicting the user behavior data in the current preset time period by using the historical user behavior data in the historical preset time period to obtain an expected user behavior baseline;
and predicting the process control behavior data in the current preset time period by using the historical process control behavior data in the historical preset time period to obtain an expected process control behavior baseline.
3. The abnormal behavior detection method according to claim 2, wherein the comparing the real-time detection data with the expected network baseline to obtain a comparison result comprises:
comparing the real-time network traffic data to the expected network traffic baseline;
and if the real-time network traffic data conforms to the expected network traffic baseline, determining the comparison result as that the current data conforms to the prediction.
4. The abnormal behavior detection method of claim 3, wherein the comparing real-time user behavior data to the expected user behavior baseline further comprises:
if the real-time user behavior data does not conform to the expected user behavior baseline, comparing the real-time process control behavior data with the expected process control behavior baseline;
and if the real-time process control behavior data conforms to the expected process control behavior baseline, determining that the comparison result is that the current data conforms to the prediction.
5. The abnormal behavior detection method of claim 4, wherein the comparing the real-time process control behavior data to the expected process control behavior baseline further comprises:
and if the real-time process control behavior data does not conform to the expected process control behavior baseline, determining that the comparison result is that the current data does not conform to the prediction.
6. The abnormal behavior detection method according to any one of claims 3 to 5, wherein the determining whether the industrial control network is abnormal using the comparison result comprises:
if the comparison result is that the current data does not conform to the prediction, judging that the industrial control network is abnormal, giving an alarm, and sending the data abnormality to an administrator;
and if the comparison result is that the current data are in accordance with the prediction, judging that the industrial control network is normal, and recording the time and the operation behavior of the relevant events.
7. An abnormal behavior detection device based on time-dependent baseline is applied to an industrial control network, and is characterized by comprising:
the data acquisition module is used for acquiring real-time detection data in a current preset time period; the real-time detection data is data obtained after the industrial control network is detected;
the data comparison module is used for comparing the real-time detection data with an expected network baseline to obtain a comparison result; the expected network baseline is obtained by predicting the detection data in the current preset time period by using historical detection data in the historical preset time period;
the abnormality judgment module is used for judging whether the industrial control network is abnormal or not by utilizing the comparison result;
the acquiring real-time detection data in the current preset time period includes:
acquiring real-time network flow data, real-time user behavior data and real-time process control behavior data in a current preset time period;
the comparing the real-time detection data with an expected network baseline to obtain a comparison result comprises:
reading a pre-generated expected network traffic baseline, an expected user behavior baseline and an expected process control behavior baseline;
comparing the real-time network traffic data to the expected network traffic baseline;
if the real-time network traffic data does not conform to the expected network traffic baseline, comparing the real-time user behavior data with the expected user behavior baseline;
and if the real-time user behavior data conforms to the expected user behavior baseline, determining the comparison result as that the current data conforms to the prediction.
8. An abnormal behavior detection device based on time-dependent baseline, applied to an industrial control network, is characterized by comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the abnormal behavior detection method of any one of claims 1 to 6.
CN201810973981.6A 2018-08-24 2018-08-24 Abnormal behavior detection method, device and equipment based on time-dependent baseline Active CN109164786B (en)

Publications (2)

Publication Number Publication Date
CN109164786A CN109164786A (en) 2019-01-08
CN109164786B true CN109164786B (en) 2020-05-29

Family

ID=64896751

Country Status (1)

Country Link
CN (1) CN109164786B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant