CN109408246A - A kind of adaptive auditing method of industry control network - Google Patents


Info

Publication number
CN109408246A
CN109408246A
Authority
CN
China
Prior art keywords
packet
network
industry control
adaptive
data packet
Prior art date
Legal status
Pending
Application number
CN201811031865.9A
Other languages
Chinese (zh)
Inventor
傅涛
Current Assignee
Jiangsu's Software Polytron Technologies Inc
Original Assignee
Jiangsu's Software Polytron Technologies Inc
Priority date
2018-09-05
Filing date
2018-09-05
Publication date
2019-03-01
Application filed by Jiangsu's Software Polytron Technologies Inc
Priority to CN201811031865.9A
Publication of CN109408246A
Legal status: Pending

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/546 Message passing systems or structures, e.g. queues
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3024 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a central processing unit [CPU]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3037 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a memory, e.g. virtual memory, cache

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

In existing industrial control network auditing systems, packet capture, traffic analysis and auditing run together and are tightly coupled: packet capture is not coordinated with packet processing, so for networks of differing traffic rates capture and unpacking run out of step and memory or CPU usage becomes too high. For high-traffic systems the prior art also lacks coordination and self-diagnosis, so network congestion and packet loss readily occur. The present invention proposes an adaptive auditing method for industrial control networks that solves the problem that, for networks of differing traffic rates, the number of audit threads is fixed at initialisation and the packet-capture and packet-processing threads cannot be started adaptively in coordination with each other.

Description

A kind of adaptive auditing method of industry control network
Technical field
The invention relates to a network auditing method, and more particularly to an adaptive auditing method for industrial control networks.
Background technique
With the development of information technology and intelligent manufacturing, Industry 4.0 and Made in China 2025 place entirely new security requirements on industrial control. Industrial control environments are closed, their network structures are mixed, and their equipment is diverse and ageing.
In order to manage the operating practices of personnel in industrial control environments, monitor whether industrial control equipment is under external attack or intrusion, and promptly interrupt and intervene against destructive and intrusive behaviour, companies have in recent years been working on the key technologies of industrial control auditing, and corresponding products have emerged.
Current industrial control auditing systems generally rely on deep parsing of industrial control protocol specifications. The usual practice is: Step 1: obtain the communication messages of the industrial control environment; Step 2: build a repository of industrial control behaviour rules; Step 3: parse the messages according to the protocol specification and extract the key sensitive fields of each message; Step 4: match the key sensitive fields against the behaviour rule repository; Step 5: when a message matches the rule repository, record it or raise an alarm.
The drawbacks of the prior art are: Defect 1: in existing industrial control network auditing systems, packet capture, traffic analysis and auditing run together and are tightly coupled, and packet capture is not coordinated with packet processing, so for networks of differing traffic rates capture and unpacking run out of step and memory or CPU usage becomes too high. Defect 2: for high-traffic systems the prior art lacks coordination and self-diagnosis, so network congestion and packet loss readily occur.
Summary of the invention
The technical problem to be solved by the invention is that, for networks of differing traffic rates, the number of audit threads is fixed at initialisation and the packet-capture and packet-processing threads cannot be started adaptively in coordination with each other.
The technical solution adopted is as follows:
An adaptive auditing method for industrial control networks decouples packet capture and packet processing into two threads and establishes communication between them through a message queue; when many packets are captured, packet-processing threads are added adaptively. At the same time, to solve the problem of heavy traffic blocking system processing and crashing the machine, two self-diagnosis variables are added: system memory and CPU usage. System memory correlates strongly with the packet-capture process, while CPU usage correlates strongly with packet parsing and auditing. When the system hardware configuration cannot keep up with the traffic being processed, an alarm is raised and recorded so that memory or CPU can be added by manual intervention and the system kept running stably.
The invention has the following advantages:
The invention separates and decouples packet capture from unpacking and introduces two self-diagnosis variables, CPU utilisation and memory utilisation. In the capture stage it adapts the capture rate to memory; in the processing stage it adapts the processing rate to CPU usage. At the same time, through an internal closed loop, it coordinates and unifies the capture rate with the processing rate: on the one hand this makes the fullest use of hardware resources and lets the system adapt to different network traffic environments, and on the other hand, because inner and outer closed loops are realised, the system runs more steadily.
Brief description of the drawings:
Fig. 1 is the flow diagram of the invention.
Detailed description:
The invention is further elaborated with reference to the accompanying drawing:
The adaptive auditing method for industrial control networks first decouples packet capture from packet parsing; the two main modules communicate through a message queue. At the same time two self-diagnosis variables, system memory and CPU usage, are added: when system memory is too high the packet-capture rate is reduced, or a prompt to add memory is given; when CPU usage is too high the packet-processing rate is reduced. In this way memory and CPU reach a dynamic balance, and packet capture and packet analysis operate in coordination.
Network packet capture process: 1. Set the maximum memory utilisation and start the packet-capture threads. 2. Check memory utilisation: when memory usage is low, increase the number of capture threads; otherwise reduce the number of capture threads. 3. Send the captured packets to the packet-processing module and count the packets not yet parsed.
Packet processing and auditing process: 1. Set the CPU utilisation limit and start the packet-processing threads. 2. Check CPU utilisation: when utilisation is low, increase the number of processing threads; otherwise reduce it. 3. Release the memory occupied by processed packets.
Coordination of packet capture and packet processing: 1. Set the allowed number of remaining unprocessed packets, and take packets from memory for processing. 2. Count the unprocessed packets: when their number exceeds the set value, add processing threads; otherwise reduce processing threads. 3. Repeat the capture and processing procedures.
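The three procedures above (capture, processing, coordination) form one control loop. The following Python model is an added illustration and is not the patent's code: it implements the thread-count rules as pure functions, adds the self-diagnosis alarms for the case where throttling alone cannot keep up, and runs a discrete-time simulation of capture filling a queue and processing draining it. The thresholds (MEM_MAX, CPU_MAX, BACKLOG_MAX), the thread cap, and the cost model (memory per buffered packet, CPU per processing thread) are constructed values; the patent names the variables but gives no numbers.

```python
"""Closed-loop capture/processing coordinator modelled on the method above.
Added illustration, not the patent's code: thresholds, thread cap and the
resource-cost model are constructed values."""
from dataclasses import dataclass, field
from typing import List

MEM_MAX = 0.80       # memory utilisation above which capture is throttled (constructed)
CPU_MAX = 0.80       # CPU utilisation above which processing is throttled (constructed)
BACKLOG_MAX = 200    # unprocessed packets tolerated before processing scales up (constructed)
MAX_THREADS = 8      # hypothetical cap for either thread pool


def next_capture_threads(current: int, mem_util: float) -> int:
    """Capture process, step 2: one more capture thread while memory is below
    the limit, one fewer otherwise, never below a single thread."""
    if mem_util < MEM_MAX:
        return min(current + 1, MAX_THREADS)
    return max(current - 1, 1)


def next_process_threads(current: int, cpu_util: float, backlog: int) -> int:
    """Processing step 2 merged with the coordination step: CPU usage is the
    hard ceiling; below it, the unprocessed-packet count decides growth."""
    if cpu_util >= CPU_MAX:
        return max(current - 1, 1)
    if backlog > BACKLOG_MAX:
        return min(current + 1, MAX_THREADS)
    return max(current - 1, 1)


def diagnose(mem_util: float, cpu_util: float, backlog: int,
             capture_threads: int) -> List[str]:
    """Self-diagnosis: report the cases throttling alone cannot fix, so the
    operator can add memory or CPU as the description says."""
    alerts = []
    if mem_util >= MEM_MAX and capture_threads == 1:
        alerts.append("memory high at minimum capture rate: add memory")
    if cpu_util >= CPU_MAX and backlog > BACKLOG_MAX:
        alerts.append("CPU saturated with backlog above limit: add CPU")
    return alerts


@dataclass
class Tick:
    capture_threads: int
    process_threads: int
    backlog: int
    mem_util: float
    cpu_util: float
    alerts: List[str] = field(default_factory=list)


def simulate(ticks: int, offered_pps: int, capture_per_thread: int = 100,
             process_per_thread: int = 60, mem_per_packet: float = 0.001,
             cpu_per_thread: float = 0.15) -> List[Tick]:
    """Discrete-time model of the loop: capture fills the queue, processing
    drains it, then both pools are resized from the measured memory, CPU and
    backlog. Resource costs are a constructed model, not measurements."""
    c, p, backlog = 1, 1, 0
    trace = []
    for _ in range(ticks):
        captured = min(offered_pps, c * capture_per_thread)
        processed = min(backlog + captured, p * process_per_thread)
        backlog += captured - processed
        mem_util = min(1.0, backlog * mem_per_packet)   # buffered packets hold memory
        cpu_util = min(1.0, p * cpu_per_thread)         # parsing workers burn CPU
        alerts = diagnose(mem_util, cpu_util, backlog, c)
        trace.append(Tick(c, p, backlog, mem_util, cpu_util, alerts))
        c = next_capture_threads(c, mem_util)
        p = next_process_threads(p, cpu_util, backlog)
    return trace


if __name__ == "__main__":
    # Offered load above what the capped processing pool can parse: the loop
    # throttles capture as memory fills and raises the "add CPU" alarm.
    for t in simulate(12, offered_pps=500):
        print(f"cap={t.capture_threads} proc={t.process_threads} backlog={t.backlog:4d} "
              f"mem={t.mem_util:.2f} cpu={t.cpu_util:.2f} {t.alerts}")
```

With an offered load the processing pool can absorb (for example 150 packets per tick under these constructed costs) the backlog settles into a small cycle around BACKLOG_MAX and no alarm fires; at 500 packets per tick the processing pool hits the CPU ceiling, the backlog pushes memory over its limit, capture is throttled to one thread, and the "add CPU" alarm fires on alternate ticks, which is the hardware-insufficient case the description says should be recorded and raised to an operator.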

Claims (1)

1. An adaptive auditing method for industrial control networks, in which packet capture and packet processing are decoupled into two threads that communicate through a message queue, and packet-processing threads are added adaptively when many packets are captured; at the same time, to solve the problem of heavy traffic blocking system processing and crashing the machine, two self-diagnosis variables, system memory and CPU usage, are added, where system memory correlates strongly with the packet-capture process and CPU usage correlates strongly with packet parsing and auditing, and when the system hardware configuration cannot keep up with the traffic being processed an alarm is raised and recorded so that memory or CPU can be added by manual intervention and the system kept running stably.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811031865.9A CN109408246A (en) 2018-09-05 2018-09-05 A kind of adaptive auditing method of industry control network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811031865.9A CN109408246A (en) 2018-09-05 2018-09-05 A kind of adaptive auditing method of industry control network

Publications (1)

Publication Number Publication Date
CN109408246A true CN109408246A (en) 2019-03-01

Family

ID=65464537

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811031865.9A Pending CN109408246A (en) 2018-09-05 2018-09-05 A kind of adaptive auditing method of industry control network

Country Status (1)

Country Link
CN (1) CN109408246A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6836798B1 (en) * 2002-12-31 2004-12-28 Sprint Communications Company, L.P. Network model reconciliation using state analysis
CN101901167A (en) * 2010-07-22 2010-12-01 网御神州科技(北京)有限公司 Multi-network security auditing method and system under multi-CPU architecture
CN105357151A (en) * 2015-11-19 2016-02-24 成都科来软件有限公司 DPDK-based packet capture and mirror image flow forwarding method
CN106445667A (en) * 2016-09-27 2017-02-22 西安交大捷普网络科技有限公司 Method for improving auditing framework CPU load balancing
CN107465567A (en) * 2017-06-29 2017-12-12 西安交大捷普网络科技有限公司 A kind of data forwarding method of database fire wall

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112104628A (en) * 2020-09-04 2020-12-18 福州林科斯拉信息技术有限公司 Adaptive feature rule matching real-time malicious flow detection method
CN112104628B (en) * 2020-09-04 2022-07-26 南京林科斯拉信息技术有限公司 Adaptive feature rule matching real-time malicious flow detection method
CN112165410A (en) * 2020-09-16 2021-01-01 杭州迪普信息技术有限公司 Message capturing method and device

Similar Documents

Publication Publication Date Title
CN107196870B (en) DPDK-based traffic dynamic load balancing method
CN105429977B (en) Deep packet inspection device abnormal flow monitoring method based on comentropy measurement
CN110401624A (en) The detection method and system of source net G system mutual message exception
CN101599963B (en) Suspected network threat information screener and screening and processing method
CN103067218A (en) High speed network data package content analysis device
CN106357622A (en) Network anomaly flow detection and defense system based on SDN (software defined networking)
CN109408246A (en) A kind of adaptive auditing method of industry control network
CN103929334A (en) Network abnormity notification method and apparatus
CN107248960B (en) Internet of things data reporting control method based on transmission duration and forwarding node
EP2983327B1 (en) Counting control method for counter, and network chip
CN109462621A (en) Network safety protective method, device and electronic equipment
CN107948157A (en) A kind of message processing method and device
CN103179039A (en) Method for effectively filtering normal network data package
CN107547416A (en) A kind of processing method and processing device of protocol massages
CN107291868A (en) A kind of monitoring data processing unit and monitoring data processing method
CN110806921A (en) OVS (optical virtual system) abnormity alarm monitoring system and method
CN115190191B (en) Power grid industrial control system and control method based on protocol analysis
CN114531273A (en) Method for defending distributed denial of service attack of industrial network system
CN112737914A (en) Message processing method and device, network equipment and readable storage medium
CN115484047A (en) Method, device, equipment and storage medium for identifying flooding attack in cloud platform
CN103078760A (en) Online diagnosis method for abnormal network flow
CN111209112A (en) Exception handling method and device
JP2015226327A (en) Method and apparatus for flexible and efficient analytics in network switch
Wang et al. Abnormal traffic detection system in SDN based on deep learning hybrid models
CN111431752A (en) Safety detection method based on adaptive flow control

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information
Address after: 5 / F, building C, Runhe Software Park, 168 software Avenue, Yuhua District, Nanjing City, Jiangsu Province, 210012
Applicant after: Bozhi Safety Technology Co.,Ltd.
Address before: 5 / F, building C, Runhe Software Park, 168 software Avenue, Yuhua District, Nanjing City, Jiangsu Province, 210012
Applicant before: JIANGSU BOZHI SOFTWARE TECHNOLOGY Co.,Ltd.
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20190301