CN109408246A - An adaptive auditing method for industrial control networks - Google Patents
- Publication number: CN109408246A
- Application number: CN201811031865.9A
- Authority: CN (China)
- Prior art keywords: packet, network, industry control, adaptive, data packet
- Legal status: Pending (the legal status is an assumption by Google and is not a legal conclusion; Google has not performed a legal analysis)
Classifications
- G06F9/546: Message passing systems or structures, e.g. queues (under G06F9/54 Interprogram communication; G06F9/46 Multiprogramming arrangements; G06F9/06 Arrangements for program control using stored programs; G06F9/00 Arrangements for program control, e.g. control units; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
- G06F11/3024: Monitoring arrangements specially adapted to the computing system or component being monitored, where that component is a central processing unit [CPU] (under G06F11/3003; G06F11/30 Monitoring; G06F11/00 Error detection, error correction, monitoring; G06F; G06; G)
- G06F11/3037: Monitoring arrangements specially adapted to the computing system or component being monitored, where that component is a memory, e.g. virtual memory, cache (same parent classes as G06F11/3024)
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Quality & Reliability (AREA)
- Software Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
In existing industrial control network auditing systems, packet capture, traffic analysis and auditing run together and are tightly coupled. Packet capture and packet processing are not coordinated, so under different traffic rates capture and parsing fall out of step and memory or CPU usage becomes excessive. Second, for high-traffic systems the prior art lacks coordination and self-diagnosis, so network congestion and packet loss readily occur. The invention proposes an adaptive auditing method for industrial control networks that addresses the problem that, under different traffic rates, the number of audit threads is fixed at initialization and the capture threads and packet processing threads cannot be started adaptively and in coordination.
Description
Technical field
The invention relates to a network auditing method, and more particularly to an adaptive auditing method for industrial control networks.
Background
With the development of information technology and intelligent manufacturing, Industry 4.0 and Made in China 2025 place entirely new requirements on industrial control security, while industrial control environments remain closed, have mixed network structures, and run diverse and aging equipment. To govern the working practices of operators in industrial control environments, to monitor whether industrial control equipment is under external attack or intrusion, and to interrupt and intervene in destructive and intrusive behaviour in time, companies have in recent years pursued the key technologies of industrial control auditing, and corresponding products have emerged.
Current industrial control auditing systems generally rely on deep parsing of industrial control protocol specifications. The usual practice is: step 1, obtain the communication messages of the industrial control environment; step 2, build a library of industrial control behaviour rules; step 3, parse each message according to its protocol specification and extract the key sensitive fields; step 4, match those sensitive fields against the behaviour rule library; step 5, when a message matches the rule library, record it or raise an alarm.
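The five steps above, worked in Python as an added example (not the patent's own code). The patent names no specific protocol, so Modbus/TCP is assumed here; the hosts, register ranges and the rule library are constructed, and the rule library is modelled as a whitelist (also an assumption): a message that matches an allowed rule is recorded, an unlisted write raises an alarm, and an unlisted read is recorded with no matching rule.

```python
"""Rule-based ICS protocol audit: obtain message, rule library, parse per spec,
match sensitive fields, record or alarm. Modbus/TCP is the assumed protocol."""
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes handled by the parser (assumed protocol, not named by the patent).
FC_NAMES = {0x01: "read_coils", 0x03: "read_holding_registers",
            0x05: "write_single_coil", 0x06: "write_single_register",
            0x0F: "write_multiple_coils", 0x10: "write_multiple_registers"}
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusMsg:
    transaction_id: int
    unit_id: int
    function: int
    address: int            # first coil/register touched
    count: int              # number of coils/registers touched
    value: Optional[int]    # payload of a single write, else None


@dataclass
class Rule:
    """Step 2: one entry of the behaviour rule library (whitelist model, constructed)."""
    name: str
    src_hosts: frozenset
    functions: frozenset
    addr_lo: int
    addr_hi: int


RULES = [
    Rule("hmi_reads", frozenset({"10.0.0.20"}), frozenset({0x01, 0x03}), 0x0000, 0xFFFF),
    Rule("ews_setpoint_writes", frozenset({"10.0.0.10"}), frozenset({0x06, 0x10}), 0x0100, 0x01FF),
]


def parse_modbus_tcp(frame: bytes) -> ModbusMsg:
    """Step 3: parse the frame per the protocol spec and extract the sensitive fields.
    MBAP header: transaction id, protocol id (0), length, unit id; then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:            # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in (0x01, 0x03):                  # reads: start address, quantity
        addr, cnt = struct.unpack("!HH", pdu[1:5])
        val = None
    elif fc in (0x05, 0x06):                # single writes: address, value
        addr, val = struct.unpack("!HH", pdu[1:5])
        cnt = 1
    elif fc in (0x0F, 0x10):                # multiple writes: start, quantity, byte count, data
        addr, cnt, nbytes = struct.unpack("!HHB", pdu[1:6])
        if len(pdu) != 6 + nbytes:
            raise ValueError("byte count does not match payload")
        val = None
    else:
        raise ValueError(f"function 0x{fc:02x} not handled")
    return ModbusMsg(tid, uid, fc, addr, cnt, val)


def audit(src_ip: str, frame: bytes) -> dict:
    """Steps 4 and 5: match the extracted fields against the rule library, then
    record (allowed) or alarm (write not covered by any rule). Unlisted reads are recorded."""
    msg = parse_modbus_tcp(frame)
    last = msg.address + msg.count - 1
    for rule in RULES:
        if (src_ip in rule.src_hosts and msg.function in rule.functions
                and rule.addr_lo <= msg.address and last <= rule.addr_hi):
            return {"action": "record", "rule": rule.name, "src": src_ip,
                    "function": FC_NAMES[msg.function], "address": msg.address}
    action = "alarm" if msg.function in WRITE_FCS else "record"
    return {"action": action, "rule": None, "src": src_ip,
            "function": FC_NAMES[msg.function], "address": msg.address}


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Constructed test traffic: MBAP header + PDU (length = unit id byte + PDU)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames (not captured from a real network).
READ_OK = build_frame(1, 1, bytes([0x03]) + struct.pack("!HH", 0x0100, 10))
WRITE_OK = build_frame(2, 1, bytes([0x06]) + struct.pack("!HH", 0x0110, 1000))
WRITE_BAD_RANGE = build_frame(3, 1, bytes([0x10]) + struct.pack("!HHB", 0x01F0, 32, 64) + bytes(64))

if __name__ == "__main__":
    for src, frame in [("10.0.0.20", READ_OK), ("10.0.0.10", WRITE_OK),
                       ("10.0.0.99", WRITE_OK), ("10.0.0.10", WRITE_BAD_RANGE)]:
        print(audit(src, frame))
```

The range check uses the last register touched, not just the start address, so a multi-register write that begins inside an allowed window but spills past its end is still flagged; the length and byte-count checks reject malformed frames before any field is trusted.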
The drawbacks of the prior art are as follows. Defect 1: in existing industrial control network auditing systems, packet capture, traffic analysis and auditing run together and are tightly coupled; capture and processing are not coordinated, so under different traffic rates capture and parsing fall out of step and memory or CPU usage becomes excessive. Defect 2: for high-traffic systems, the prior art lacks coordination and self-diagnosis, so network congestion and packet loss readily occur.
Summary of the invention
The technical problem the invention solves is that, under different traffic rates, the number of audit threads is fixed at initialization, so capture threads and packet processing threads cannot be started adaptively and in coordination.
The technical solution adopted is as follows:
An adaptive auditing method for industrial control networks decouples packet capture and packet processing into two kinds of threads that communicate through a message queue, and adaptively adds packet processing threads when many packets are being captured. To prevent heavy traffic from blocking processing or crashing the system, two self-diagnosis variables are added: system memory usage and CPU usage. Memory usage correlates strongly with the capture process; CPU usage correlates strongly with packet parsing and auditing. When the hardware configuration cannot keep up with the traffic, the system raises an alarm and records it, so that memory or CPU can be added by an operator and the system keeps running stably.
Advantages:
The invention separates and decouples packet capture from parsing and introduces two self-diagnosis variables, CPU utilisation and memory utilisation. In the capture stage the capture rate adapts to memory usage; in the processing stage the processing speed adapts to CPU usage. At the same time an internal closed loop coordinates and unifies the capture rate and the processing speed. This makes the fullest use of hardware resources and lets the system adapt to different traffic environments, and because both inner and outer closed loops are realised, the system is more stable.
Description of the drawings:
Fig. 1 is the flow diagram of the invention.
Detailed description:
The invention is further elaborated with reference to the drawing. The adaptive auditing method first decouples packet capture from packet parsing; the two modules communicate through a message queue. Two self-diagnosis variables, system memory usage and CPU usage, are added: when memory usage is too high, the capture rate is reduced or the operator is prompted to add memory; when CPU usage is too high, the processing speed is reduced. Memory and CPU are thereby kept in dynamic balance, and packet capture and packet analysis operate in coordination.
Packet capture process: 1, set the maximum memory utilisation and start the packet capture threads; 2, check memory utilisation: when it is low, increase the number of capture threads, otherwise reduce it; 3, send the captured packets to the packet processing module and count the packets not yet parsed.
Packet processing and audit process: 1, set the maximum CPU utilisation and start the packet processing threads; 2, check CPU utilisation: when it is low, increase the number of processing threads, otherwise reduce it; 3, release the memory of processed packets.
Coordination of capture and processing: 1, set a threshold for the number of remaining unprocessed packets, and take packets from memory for processing; 2, count the unprocessed packets: when the count exceeds the threshold, add processing threads, otherwise reduce them; 3, repeat the capture and processing procedures.
Claims (1)
1. An adaptive auditing method for industrial control networks, comprising: decoupling packet capture and packet processing into two kinds of threads that communicate through a message queue, and adaptively adding packet processing threads when many packets are being captured; and, to prevent heavy traffic from blocking processing and crashing the system, adding two self-diagnosis variables, system memory usage and CPU usage, wherein memory usage correlates strongly with the capture process and CPU usage correlates strongly with packet parsing and auditing, and when the hardware configuration cannot keep up with the traffic an alarm is raised and recorded so that memory or CPU can be added by an operator and the system keeps running stably.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201811031865.9A (CN109408246A, en) | 2018-09-05 | 2018-09-05 | An adaptive auditing method for industrial control networks
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201811031865.9A (CN109408246A, en) | 2018-09-05 | 2018-09-05 | An adaptive auditing method for industrial control networks
Publications (1)
Publication Number | Publication Date
---|---
CN109408246A (en) | 2019-03-01
Family
ID=65464537
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN201811031865.9A (Pending, CN109408246A, en) | An adaptive auditing method for industrial control networks | 2018-09-05 | 2018-09-05
Country Status (1)
Country | Link
---|---
CN (1) | CN109408246A (en)
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6836798B1 (en) * | 2002-12-31 | 2004-12-28 | Sprint Communications Company, L.P. | Network model reconciliation using state analysis |
CN101901167A (en) * | 2010-07-22 | 2010-12-01 | 网御神州科技(北京)有限公司 | Multi-network security auditing method and system under multi-CPU architecture |
CN105357151A (en) * | 2015-11-19 | 2016-02-24 | 成都科来软件有限公司 | DPDK-based packet capture and mirror image flow forwarding method |
CN106445667A (en) * | 2016-09-27 | 2017-02-22 | 西安交大捷普网络科技有限公司 | Method for improving auditing framework CPU load balancing |
CN107465567A (en) * | 2017-06-29 | 2017-12-12 | 西安交大捷普网络科技有限公司 | A kind of data forwarding method of database fire wall |
Application events: 2018-09-05, CN201811031865.9A filed in CN (published as CN109408246A, en), status Pending.
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112104628A (en) * | 2020-09-04 | 2020-12-18 | 福州林科斯拉信息技术有限公司 | Adaptive feature rule matching real-time malicious flow detection method |
CN112104628B (en) * | 2020-09-04 | 2022-07-26 | 南京林科斯拉信息技术有限公司 | Adaptive feature rule matching real-time malicious flow detection method |
CN112165410A (en) * | 2020-09-16 | 2021-01-01 | 杭州迪普信息技术有限公司 | Message capturing method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107196870B (en) | DPDK-based traffic dynamic load balancing method | |
CN105429977B (en) | Deep packet inspection device abnormal flow monitoring method based on comentropy measurement | |
CN110401624A (en) | The detection method and system of source net G system mutual message exception | |
CN101599963B (en) | Suspected network threat information screener and screening and processing method | |
CN103067218A (en) | High speed network data package content analysis device | |
CN106357622A (en) | Network anomaly flow detection and defense system based on SDN (software defined networking) | |
CN109408246A (en) | A kind of adaptive auditing method of industry control network | |
CN103929334A (en) | Network abnormity notification method and apparatus | |
CN107248960B (en) | Internet of things data reporting control method based on transmission duration and forwarding node | |
EP2983327B1 (en) | Counting control method for counter, and network chip | |
CN109462621A (en) | Network safety protective method, device and electronic equipment | |
CN107948157A (en) | A kind of message processing method and device | |
CN103179039A (en) | Method for effectively filtering normal network data package | |
CN107547416A (en) | A kind of processing method and processing device of protocol massages | |
CN107291868A (en) | A kind of monitoring data processing unit and monitoring data processing method | |
CN110806921A (en) | OVS (optical virtual system) abnormity alarm monitoring system and method | |
CN115190191B (en) | Power grid industrial control system and control method based on protocol analysis | |
CN114531273A (en) | Method for defending distributed denial of service attack of industrial network system | |
CN112737914A (en) | Message processing method and device, network equipment and readable storage medium | |
CN115484047A (en) | Method, device, equipment and storage medium for identifying flooding attack in cloud platform | |
CN103078760A (en) | Online diagnosis method for abnormal network flow | |
CN111209112A (en) | Exception handling method and device | |
JP2015226327A (en) | Method and apparatus for flexible and efficient analytics in network switch | |
Wang et al. | Abnormal traffic detection system in SDN based on deep learning hybrid models | |
CN111431752A (en) | Safety detection method based on adaptive flow control |
Legal Events
Code | Title | Description
---|---|---
PB01 | Publication |
CB02 | Change of applicant information | Address after: 5/F, Building C, Runhe Software Park, 168 Software Avenue, Yuhua District, Nanjing City, Jiangsu Province, 210012. Applicant after: Bozhi Safety Technology Co.,Ltd. Address before: 5/F, Building C, Runhe Software Park, 168 Software Avenue, Yuhua District, Nanjing City, Jiangsu Province, 210012. Applicant before: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co.,Ltd.
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190301