CN109459995B - State monitoring system and monitoring method for multiple industrial Ethernet protocols - Google Patents


Info

Publication number
CN109459995B
CN109459995B
Authority
CN
China
Prior art keywords
configuration information
information
message
protocol
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811544041.1A
Other languages
Chinese (zh)
Other versions
CN109459995A (en)
Inventor
王进
韩丹涛
赵艳领
何跃鹰
摆亮
刘丹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Instrumentation Technology And Economy Institute P R China
National Computer Network and Information Security Management Center
Original Assignee
Instrumentation Technology And Economy Institute P R China
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Instrumentation Technology And Economy Institute P R China and National Computer Network and Information Security Management Center
Priority to CN201811544041.1A
Publication of CN109459995A
Application granted
Publication of CN109459995B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
    • G05B19/4185 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by the network communication
    • G05B19/4186 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by the network communication by protocol, e.g. MAP, TOP
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Manufacturing & Machinery (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Small-Scale Networks (AREA)

Abstract

The embodiment of the invention provides a state monitoring system and a state monitoring method for multiple industrial Ethernet protocols. The system comprises an industrial Ethernet security policy configuration module, an industrial Ethernet protocol identification processing module and an industrial Ethernet alarm generation module. The industrial Ethernet security policy configuration module stores security policy configuration information; the industrial Ethernet protocol identification processing module parses the message and processes the configuration information in the message according to the security policy configuration information stored in the industrial Ethernet security policy configuration module; and the industrial Ethernet alarm generation module raises an alarm for any message that does not conform to the security policy configuration information, based on the processing result of the industrial Ethernet protocol identification processing module. The embodiment of the invention can monitor the operating state of devices using various industrial Ethernet protocols and improve the security of an industrial control system.

Description

State monitoring system and monitoring method for multiple industrial Ethernet protocols
Technical Field
The invention relates to the technical field of industrial automation, in particular to a state monitoring system and a state monitoring method for multiple industrial Ethernet protocols.
Background
Communication among industrial control system field devices is gradually moving from closed fieldbus forms to open industrial Ethernet forms, and at the same time high efficiency and standards-based integration of industrial control systems are becoming important development directions. Industrial control systems typically employ industrial communication protocol standards for network communication.
Existing industrial communication protocol standards include: Modbus TCP (an industrial communication protocol standard promulgated by the company MODICON); Profinet (an automation bus standard based on industrial Ethernet technology, introduced by the PROFIBUS international organization); OPC UA (OPC Unified Architecture); and the like. Among them, Modbus TCP and Profinet are increasingly widely used as typical industrial Ethernet standards, and OPC UA, an integrated standard architecture proposed by the OPC Foundation, will also play an increasingly important role in industrial control networks.
However, as more and more industrial control system products adopt common communication protocols, common hardware and common software, and can be connected to public networks such as the Internet through several communication modes, the threats that come with this, such as viruses and trojans, are spreading to industrial control systems. If the communication state of an industrial control system cannot be effectively monitored, its security will be affected.
Disclosure of Invention
The embodiment of the invention aims to provide a state monitoring system and a state monitoring method for multiple industrial Ethernet protocols, so as to improve the security of an industrial control system. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides a state monitoring system for multiple industrial Ethernet protocols, where the system comprises an industrial Ethernet security policy configuration module, an industrial Ethernet protocol identification processing module and an industrial Ethernet alarm generation module;
the industrial Ethernet security policy configuration module is used for storing security policy configuration information; the security policy configuration information includes: configuration information related to device physical information, configuration information related to device correlation, and process-related configuration information; the configuration information related to device physical information includes: the device name, the device Media Access Control (MAC) address, the device Internet Protocol (IP) address and the device port number; the configuration information related to device correlation includes: MAC address whitelist information, IP address to MAC address binding information, and network load information, where the network load information includes: access-count-per-second limit information and network bandwidth information; the process-related configuration information includes: upper limit information for the device's key data, lower limit information for the device's key data, and information on the mutual relationships among data;
the industrial Ethernet protocol identification processing module is used for parsing the acquired message according to the industrial Ethernet protocol, and for processing the configuration information obtained by parsing the message according to the security policy configuration information stored in the industrial Ethernet security policy configuration module;
and the industrial Ethernet alarm generation module is used for raising an alarm for a message that does not conform to the security policy configuration information, based on the processing result of the industrial Ethernet protocol identification processing module.
Optionally, the industrial Ethernet protocol identification processing module includes: a device correlation identification processing sub-module, a Modbus TCP protocol identification processing sub-module, a Profinet protocol identification processing sub-module, an OPC UA protocol identification processing sub-module and an additional network protocol identification processing sub-module;
the device correlation identification processing sub-module is used for loading the configuration information related to device physical information based on the physical information of the device that sent the message, and for processing the device correlation information obtained by parsing the message;
the Modbus TCP protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by parsing a Modbus TCP protocol message conforms to the process-related configuration information in the security policy configuration information;
the Profinet protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by parsing a Profinet protocol message conforms to the process-related configuration information in the security policy configuration information;
the OPC UA protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by parsing an OPC UA protocol message conforms to the process-related configuration information in the security policy configuration information;
the additional network protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by parsing a message of an additional network protocol conforms to the process-related configuration information in the security policy configuration information; an additional network protocol is a network protocol other than the Modbus TCP protocol, the Profinet protocol and the OPC UA protocol.
Optionally, the device correlation identification processing sub-module is specifically configured to identify the device that sent the message according to the configuration information related to device physical information in the security policy configuration information.
Optionally, the industrial Ethernet alarm generation module includes: an alarm information generation sub-module, a remote alarm sub-module and an alarm report generation sub-module;
the alarm information generation sub-module is used for generating the alarm time, the name of the alarming device, the alarm level, the alarm content and alarm suggestion information;
the remote alarm sub-module is used for sending alarm information over a User Datagram Protocol (UDP) network channel;
the alarm report generation sub-module is used for generating a report file in Portable Document Format (PDF).
Optionally, the device correlation identification processing sub-module is specifically configured to judge whether the physical information of the sending device obtained by parsing the message conforms to the configuration information related to device physical information stored in the industrial Ethernet security policy configuration module.
In a second aspect, an embodiment of the present invention provides a state monitoring method for multiple industrial Ethernet protocols, where the method includes:
pre-storing security policy configuration information; the security policy configuration information includes: configuration information related to device physical information, configuration information related to device correlation, and process-related configuration information; the configuration information related to device physical information includes: the device name, the device Media Access Control (MAC) address, the device Internet Protocol (IP) address and the device port number; the configuration information related to device correlation includes: MAC address whitelist information, IP address to MAC address binding information, and network load information, where the network load information includes: access-count-per-second limit information and network bandwidth information; the process-related configuration information includes: upper limit information for the device's key data, lower limit information for the device's key data, and information on the mutual relationships among data;
parsing the acquired message according to the industrial Ethernet protocol, and processing the configuration information obtained by parsing the message according to the pre-stored security policy configuration information;
and raising an alarm for a message that does not conform to the security policy configuration information, based on the result of processing the configuration information in the message.
Optionally, parsing the acquired message according to the industrial Ethernet protocol and processing the configuration information obtained by parsing the message according to the pre-stored security policy configuration information includes:
judging whether the physical information of the sending device obtained by parsing the message conforms to the pre-stored configuration information related to device physical information;
judging whether the process relationship configuration information obtained by parsing a Modbus TCP protocol message conforms to the process-related configuration information in the security policy configuration information;
judging whether the process relationship configuration information obtained by parsing a Profinet protocol message conforms to the process-related configuration information in the security policy configuration information;
judging whether the process relationship configuration information obtained by parsing an OPC UA protocol message conforms to the process-related configuration information in the security policy configuration information;
judging whether the process relationship configuration information obtained by parsing a message of an additional network protocol conforms to the process-related configuration information in the security policy configuration information, where an additional network protocol is a network protocol other than the Modbus TCP protocol, the Profinet protocol and the OPC UA protocol.
Optionally, loading the configuration information related to device physical information based on the physical information of the device that sent the message, and processing the device correlation information obtained by parsing the message, includes: identifying the device that sent the message according to the configuration information related to device physical information in the security policy configuration information.
Optionally, raising an alarm for a message that does not conform to the security policy configuration information, based on the result of processing the configuration information in the message, includes:
generating the alarm time, the name of the alarming device, the alarm level, the alarm content and alarm suggestion information;
sending the alarm information over a User Datagram Protocol (UDP) network channel;
and generating a report file in Portable Document Format (PDF).
The state monitoring system and the monitoring method for multiple industrial Ethernet protocols provided by the embodiment of the invention can analyze the acquired messages based on the industrial Ethernet protocols, process the configuration information in the analyzed messages according to the security policy configuration information stored in the industrial Ethernet security policy configuration module, and alarm the messages which do not conform to the security policy configuration information. Of course, it is not necessary for any product or method of practicing the invention to achieve all of the above-described advantages at the same time.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a state monitoring system for multiple industrial Ethernet protocols according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an industrial Ethernet security policy configuration module according to an embodiment of the present invention;
Fig. 3 is a diagram illustrating a switch connected to devices based on different industrial Ethernet protocols according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an industrial Ethernet protocol identification processing module according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an industrial Ethernet alarm generation module according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart of a state monitoring method for multiple industrial Ethernet protocols according to an embodiment of the present invention;
Fig. 7 is a flowchart illustrating step S202 according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a status monitoring system 100 oriented to multiple industrial ethernet protocols, which includes:
an industrial ethernet security policy configuration module 101, an industrial ethernet protocol identification processing module 102, and an industrial ethernet alarm generation module 103.
The industrial Ethernet security policy configuration module 101 is configured to store security policy configuration information. As shown in Fig. 2, the industrial Ethernet security policy configuration module 101 may include: a device physical information related configuration information sub-module 1011, a device correlation related configuration information sub-module 1012, and a process related configuration information sub-module 1013. That is, the security policy configuration information may contain: configuration information related to device physical information, configuration information related to device correlation, and process-related configuration information.
The configuration information related to device physical information may refer to configuration information about the physical attributes of an industrial device, for example: the device name, the device's MAC (Media Access Control) address, the device's IP (Internet Protocol) address, the device's port number, and the like. It should be noted that a technician may configure the physical information of the industrial device and store the configuration information in the industrial Ethernet security policy configuration module.
The configuration information related to device correlation may refer to configuration information used when the industrial devices communicate with one another, for example: MAC address whitelist information, IP address to MAC address binding information, network load information, and the like; the network load information includes: access-count-per-second limit information and network bandwidth information. It should be noted that a technician may configure the relationships between the devices and store the configuration information in the industrial Ethernet security policy configuration module.
The process-related configuration information may refer to process parameter information used by the industrial equipment during operation, for example: upper limit information for the device's key data, lower limit information for the device's key data, information on the correlation between data, and the like. Key data here may refer to process parameters that play a critical role in the operation of the equipment, such as the operating voltage; the inter-data correlation information may refer to a relationship between two or more data items, for example the difference between a first datum and a second datum, or a logical relationship between them. It should be noted that the first and second data may be data obtained by parsing the message, and that a technician may configure the process parameters of the device and store the configuration information in the industrial Ethernet security policy configuration module.
The industrial Ethernet protocol identification processing module is used for analyzing the acquired message based on the industrial Ethernet protocol and processing the configuration information in the analyzed message according to the security policy configuration information stored in the industrial Ethernet security policy configuration module.
In the embodiment of the present invention, as shown in Fig. 3, each port of the switch may be connected to devices based on different industrial Ethernet protocols, for example an engineer station, a Modbus master station, a Modbus slave station, a Profinet controller, a Profinet device, an OPC UA server, an OPC UA client, or other devices based on different industrial Ethernet protocols. The industrial Ethernet protocol identification processing module can acquire the message data generated by these devices through the mirror port of the switch. It should be noted that obtaining message data from the mirror port of a switch is prior art and is not described again here.
As a specific implementation manner of the embodiment of the present invention, as shown in fig. 4, the industrial ethernet protocol identification processing module 102 may specifically include:
a device interrelation recognition processing sub-module 1021, a Modbus TCP protocol recognition processing sub-module 1022, a Profinet protocol recognition processing sub-module 1023, an OPC UA protocol recognition processing sub-module 1024, and an additional network protocol recognition processing sub-module 1025.
The device correlation identification processing sub-module is used for loading the configuration information related to device physical information based on the physical information of the device that sent the message, and for processing the device correlation information obtained by parsing the message.
A packet sent by a device usually carries physical information about that device, for example its name, its MAC address, and the like. The industrial Ethernet security policy configuration module may pre-store the configuration information related to device physical information for that device; therefore, after the device correlation identification processing sub-module obtains the message, it may determine whether the device physical information obtained by parsing the message matches the pre-stored configuration information related to the device's physical information, and output the determination result.
The Modbus TCP protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by parsing a Modbus TCP protocol message conforms to the process-related configuration information in the security policy configuration information.
In the embodiment of the present invention, the industrial Ethernet security policy configuration module may store in advance the configuration information related to device correlation for the device, so that after the Modbus TCP protocol identification processing sub-module obtains the process relationship configuration information by parsing the Modbus TCP protocol message, the configuration information related to device physical information may be loaded based on the physical information of the device that sent the message, and the device correlation information obtained by parsing the message is processed to output the processing result.
The Profinet protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by parsing a Profinet protocol message conforms to the process-related configuration information in the security policy configuration information.
Similarly, after the Profinet protocol identification processing sub-module parses the Profinet protocol message to obtain the process relationship configuration information, it can judge whether that information is consistent with the device correlation configuration information pre-stored for the device, and output the judgment result.
The OPC UA protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by parsing an OPC UA protocol message conforms to the process-related configuration information in the security policy configuration information.
Similarly, after the OPC UA protocol identification processing sub-module parses the process relationship configuration information from the OPC UA protocol message, it may determine whether that information matches the device correlation configuration information pre-stored for the device, and output the determination result.
The additional network protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by parsing a message of an additional network protocol conforms to the process-related configuration information in the security policy configuration information.
Similarly, after the additional network protocol identification processing sub-module parses the additional network protocol message to obtain the process relationship configuration information, it can judge whether that information is consistent with the device correlation configuration information pre-stored for the device, and output the judgment result. An additional network protocol may refer to a network protocol other than the Modbus TCP protocol, the Profinet protocol and the OPC UA protocol, for example the POWERLINK industrial communication protocol, which runs over standard Ethernet.
Therefore, the state monitoring system is universal: security monitoring can be achieved for the current mainstream industrial Ethernet protocols, the system configuration is simple and clear, the implementation is straightforward, and security protection can be provided for the industrial control system network.
As an optional implementation of the embodiment of the present invention, the device correlation identification processing sub-module may identify the device that sent the packet according to the configuration information related to device physical information in the security policy configuration information. Specifically, the device correlation identification processing sub-module may determine whether the physical information of the sending device obtained by parsing the message matches the configuration information related to device physical information stored in the industrial Ethernet security policy configuration module, and output the determination result, thereby identifying whether the sender of the message is an unauthorized device.
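The checks assigned above to the device correlation and Modbus TCP protocol identification processing sub-modules, as an added Python example that is not the patent's own code. It applies a constructed security policy to mirrored frames: it parses the MBAP header and write-register PDUs, checks the MAC whitelist, the IP-to-MAC binding and the access-count-per-second limit, compares written values with the key-data upper and lower limits, and emits alarm records carrying the five fields the alarm information generation sub-module produces. The device names, MAC and IP addresses, register limits and frames are sample values constructed for this example, and `POLICY`, `Frame`, `Monitor` and the helper function names are assumptions, not identifiers from the patent.

```python
# Added example (not the patent's own code): device correlation and Modbus TCP
# process checks applied to mirrored frames. All names, addresses, limits and
# frames below are constructed sample data; Monitor/Frame are assumed names.
import struct
from collections import namedtuple

POLICY = {  # security policy configuration information (constructed sample)
    # device physical information: name, MAC address, IP address, port number
    "devices": {
        "PLC-1": {"mac": "00:11:22:33:44:55", "ip": "192.0.2.10", "port": 502},
        "EWS-1": {"mac": "00:11:22:33:44:66", "ip": "192.0.2.20", "port": 502},
    },
    # device correlation: MAC whitelist, IP-to-MAC binding, network load limit
    "mac_whitelist": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
    "ip_mac_binding": {"192.0.2.10": "00:11:22:33:44:55",
                       "192.0.2.20": "00:11:22:33:44:66"},
    "max_access_per_second": 5,
    # process information: lower/upper limits of key data (holding register 0)
    "key_data": {0: {"lower": 100, "upper": 400}},
}

# one mirrored frame reduced to what the checks need; ts is capture time (s)
Frame = namedtuple("Frame", "src_mac src_ip dst_port payload ts")


def parse_modbus_tcp(payload):
    """Parse the 7-byte MBAP header and collect register writes from function
    code 6 (write single register) or 16 (write multiple); None if malformed."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        return None
    fc, data, writes = payload[7], payload[8:], {}
    if fc == 6 and len(data) == 4:
        addr, val = struct.unpack(">HH", data)
        writes[addr] = val
    elif fc == 16 and len(data) >= 5:
        addr, qty, bc = struct.unpack(">HHB", data[:5])
        if bc != 2 * qty or len(data) != 5 + bc:
            return None
        for i in range(qty):
            writes[addr + i] = struct.unpack(">H", data[5 + 2 * i:7 + 2 * i])[0]
    return {"transaction_id": tid, "unit_id": uid, "function_code": fc, "writes": writes}


def build_write_single(tid, unit, addr, val):
    """Construct a function-code-6 frame (sample input for the demo)."""
    pdu = struct.pack(">BHH", 6, addr, val)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class Monitor:
    """Applies the policy to each frame; returns alarm records carrying the
    five fields the alarm information generation sub-module produces."""
    def __init__(self, policy):
        self.policy = policy
        self.mac_to_name = {d["mac"]: n for n, d in policy["devices"].items()}
        self.access_log = {}  # src_mac -> capture times within the last second

    def check(self, frame):
        alarms, name = [], self.mac_to_name.get(frame.src_mac, "unknown")

        def alarm(level, content, suggestion):
            alarms.append({"time": frame.ts, "device": name, "level": level,
                           "content": content, "suggestion": suggestion})

        # device physical information and device correlation checks
        if frame.src_mac not in self.policy["mac_whitelist"]:
            alarm("high", f"MAC {frame.src_mac} not in whitelist", "verify the device or isolate its switch port")
        bound = self.policy["ip_mac_binding"].get(frame.src_ip)
        if bound is not None and bound != frame.src_mac:
            alarm("high", f"IP {frame.src_ip} bound to {bound}, sent by {frame.src_mac}", "check for address spoofing")
        # network load: accesses per second from this source MAC
        recent = [t for t in self.access_log.get(frame.src_mac, []) if frame.ts - t < 1.0] + [frame.ts]
        self.access_log[frame.src_mac] = recent
        if len(recent) > self.policy["max_access_per_second"]:
            alarm("medium", f"{len(recent)} accesses in one second", "check for a misconfigured or flooding station")
        # process-related checks on the parsed Modbus TCP PDU
        parsed = parse_modbus_tcp(frame.payload)
        if parsed is None:
            alarm("medium", "malformed Modbus TCP frame", "capture and inspect the sender's traffic")
            return alarms
        for addr, val in parsed["writes"].items():
            lim = self.policy["key_data"].get(addr)
            if lim is not None and not lim["lower"] <= val <= lim["upper"]:
                alarm("high", f"register {addr} written with {val}, limits [{lim['lower']}, {lim['upper']}]",
                      "confirm the setpoint with the process engineer")
        return alarms


def run_demo():
    """Feed constructed frames through the monitor; returns alarms per scenario."""
    mon, ews = Monitor(POLICY), ("00:11:22:33:44:66", "192.0.2.20", 502)
    good = Frame(*ews, build_write_single(1, 1, 0, 250), 1000.0)
    rogue = Frame("aa:bb:cc:dd:ee:ff", "192.0.2.20", 502, build_write_single(2, 1, 0, 900), 1000.1)
    short = Frame(*ews, b"\x00\x03\x00\x00", 1000.2)
    burst = [Frame(*ews, build_write_single(10 + i, 1, 0, 300), 1000.3 + i * 0.01) for i in range(5)]
    return {"good": mon.check(good), "rogue": mon.check(rogue),
            "short": mon.check(short), "burst": [mon.check(f) for f in burst]}
```

In `run_demo()` the rogue frame (unlisted MAC, claiming the engineer station's IP, writing a setpoint of 900 to a register limited to 100..400) produces three alarms in one pass, and only the last two frames of the burst trip the per-second limit, which is the behaviour a report would group by device. The policy checks themselves are protocol-independent; Profinet or OPC UA would need their own parser in place of `parse_modbus_tcp`.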
As an optional implementation of the embodiment of the present invention, as shown in Fig. 5, the industrial Ethernet alarm generation module 103 includes:
an alarm information generation sub-module 1031, a remote alarm sub-module 1032, and an alarm report generation sub-module 1033.
The alarm information generation sub-module is used for generating the alarm time, the name of the alarming device, the alarm level, the alarm content and alarm suggestion information.
In the embodiment of the invention, the industrial Ethernet alarm generation module can generate various kinds of alarm information so that operation and maintenance personnel can find problems in time.
The remote alarm sub-module is used for sending alarm information over a User Datagram Protocol (UDP) network channel.
The remote alarm sub-module can send alarm information to a remote server, for example over a UDP network channel, so that operation and maintenance personnel at a remote location can find problems in time.
The alarm report generation sub-module is used for generating a report file for operation and maintenance personnel to archive; the format of the report file is Portable Document Format (PDF). Of course, implementations of this feature other than those shown in the examples given also fall within the scope of the embodiments of the invention.
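The remote alarm sub-module's UDP channel, as an added Python example that is not the patent's own code: one alarm record with the five fields named above is serialized, sent over UDP, and received by a loopback socket in the same process so the exchange runs offline. The JSON wire format, the field validation, the two-second receive timeout and the sample alarm record are assumptions of this example; the PDF report is not shown.

```python
# Added example (not the patent's own code): remote alarm delivery over UDP
# with a loopback receiver. JSON encoding and the sample record are assumptions.
import json
import socket

ALARM_FIELDS = ("time", "device", "level", "content", "suggestion")


def encode_alarm(alarm):
    """Serialize one alarm record as a single JSON datagram. A record missing
    any of the five fields is rejected so a half-filled alarm never leaves."""
    missing = [k for k in ALARM_FIELDS if k not in alarm]
    if missing:
        raise ValueError(f"alarm record is missing fields: {missing}")
    return json.dumps({k: alarm[k] for k in ALARM_FIELDS}, sort_keys=True).encode("utf-8")


def decode_alarm(datagram):
    """Parse a datagram produced by encode_alarm; ValueError on anything else."""
    record = json.loads(datagram.decode("utf-8"))
    if not isinstance(record, dict) or set(record) != set(ALARM_FIELDS):
        raise ValueError("datagram is not an alarm record")
    return record


def send_alarm(alarm, host, port):
    """Fire-and-forget send of one alarm over UDP; returns the bytes written."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(encode_alarm(alarm), (host, port))


def loopback_demo():
    """Bind a receiver on 127.0.0.1, send a constructed alarm, return what arrived."""
    sample = {"time": 1000.1, "device": "unknown", "level": "high",
              "content": "MAC aa:bb:cc:dd:ee:ff not in whitelist",
              "suggestion": "verify the device or isolate its switch port"}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver:
        receiver.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        receiver.settimeout(2.0)         # never block forever if the datagram is lost
        port = receiver.getsockname()[1]
        send_alarm(sample, "127.0.0.1", port)
        datagram, _ = receiver.recvfrom(65535)
    return decode_alarm(datagram)
```

UDP gives neither delivery confirmation nor sender authentication, so a receiving server should accept alarm datagrams only from the monitoring host's address on a management network, and the monitor should also keep a local copy of every alarm so that a dropped datagram does not become a lost alarm.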
As can be seen from the above description, the state monitoring system according to the embodiment of the present invention can deeply parse and monitor data of mainstream industrial Ethernet protocols such as Modbus TCP, Profinet and OPC UA, identify illegal access by unauthorized devices, network states and abnormal messages according to a security policy, monitor key devices in real time, and alarm on abnormalities, which is of great significance for current industrial network security.
The state monitoring system and the monitoring method provided by the embodiment of the invention can monitor key data in the industrial system and promptly detect illegal device access, thereby effectively protecting the normal operation of key equipment and improving the security of an industrial control system.
As shown in fig. 6, an embodiment of the present invention further provides a state monitoring method for multiple industrial ethernet protocols, which can be applied to the state monitoring system in the embodiment shown in fig. 1, and includes the following processes:
S201, storing the security policy configuration information in advance.
The security policy configuration information may include: configuration information related to the device physical information, configuration information related to the device correlation, and process related configuration information. The configuration information related to the device physical information includes: the device name, the device Media Access Control (MAC) address, the device Internet Protocol (IP) address and the device port number. The device correlation configuration information includes: MAC address white list information, IP address and MAC address binding information, and network load information, where the network load information includes: access-times-per-second limit information and network bandwidth information. The process related configuration information includes: the upper limit information of the key data of the device, the lower limit information of the key data of the device and the interrelation information among the data. The security policy configuration information may be stored in an industrial Ethernet security policy configuration module, which may be a storage device such as a hard disk, a flash disk, or the like.
S202, analyzing the acquired message based on the industrial Ethernet protocol, and processing the configuration information in the analyzed message according to the pre-stored security policy configuration information.
The industrial Ethernet protocol identification processing module can analyze the acquired message based on the industrial Ethernet protocol and process the configuration information in the analyzed message according to the security policy configuration information pre-stored in the industrial Ethernet security policy configuration module.
S203, based on the processing result of the configuration information in the message, alarming on the message that does not conform to the security policy configuration information.
The industrial Ethernet alarm generating module can alarm the message which does not conform to the security policy configuration information based on the processing result of the industrial Ethernet protocol identification processing module.
As another optional implementation manner of the embodiment of the present invention, as shown in fig. 7, the step S202 specifically includes:
S2021, determining whether the physical information of the sending device obtained by parsing the message matches the configuration information related to the device physical information stored in the industrial Ethernet security policy configuration module.
The device correlation identification processing sub-module may load the configuration information related to the device physical information based on the physical information of the message sending device, and process the device correlation information in the parsed message.
S2022, if they do not match, an alarm is given.
If they match:
S2023, judging whether the process relationship configuration information parsed from the Modbus TCP protocol message conforms to the process related configuration information in the security policy configuration information.
The Modbus TCP protocol identification processing sub-module can judge whether the process relationship configuration information parsed from the Modbus TCP protocol message conforms to the process related configuration information pre-stored in the industrial Ethernet security policy configuration module.
S2024, if they do not match, an alarm is given.
S2025, judging whether the process relationship configuration information parsed from the Profinet protocol message conforms to the process related configuration information in the security policy configuration information.
The Profinet protocol identification processing sub-module can judge whether the process relationship configuration information parsed from the Profinet protocol message conforms to the process related configuration information pre-stored in the industrial Ethernet security policy configuration module.
S2026, if they do not match, an alarm is given.
S2027, judging whether the process relationship configuration information parsed from the OPC UA protocol message conforms to the process related configuration information in the security policy configuration information.
The OPC UA protocol identification processing sub-module can judge whether the process relationship configuration information parsed from the OPC UA protocol message conforms to the process related configuration information pre-stored in the industrial Ethernet security policy configuration module.
S2028, if they do not match, an alarm is given.
S2029, judging whether the process relationship configuration information parsed from the message of the additional network protocol conforms to the process related configuration information in the security policy configuration information.
S20210, if they do not match, an alarm is given.
The additional network protocol identification processing sub-module can judge whether the process relationship configuration information parsed from the message of the additional network protocol conforms to the process related configuration information pre-stored in the industrial Ethernet security policy configuration module.
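The following is an added example, not code from the patent or its applicants, that walks through steps S201 to S203 above for one message: the security policy of S201 is held as a constructed sample policy, step S2021 applies the device physical information and device correlation checks (MAC whitelist, IP/MAC binding, access-per-second limit), step S2023 applies the key data limits and the interrelation rule to the process values, and the alarm record carries the five fields the alarm information generation sub-module produces (time, device name, level, content, suggestion) with a JSON encoding for the UDP channel of the remote alarm sub-module. It assumes that the Modbus TCP message being inspected is a write-multiple-registers request (function code 16) and that the process values are the holding registers written; the device names, addresses, limits, alarm levels and suggestion strings are all assumptions made for the example.

```python
import json
import struct
import time
from collections import defaultdict

WRITE_MULTIPLE = 0x10  # Modbus function code 16: write multiple holding registers

# S201: security policy configuration information stored in advance. Devices, addresses
# and limits are a constructed sample for this example, not a real plant.
POLICY = {
    "devices": {  # device physical information: name -> MAC, IP, port
        "PLC-01": {"mac": "00:1a:2b:3c:4d:01", "ip": "192.168.10.11", "port": 502},
        "HMI-01": {"mac": "00:1a:2b:3c:4d:02", "ip": "192.168.10.20", "port": 502},
    },
    "mac_whitelist": {"00:1a:2b:3c:4d:01"},  # device correlation information
    "ip_mac_binding": {"192.168.10.11": "00:1a:2b:3c:4d:01"},
    "max_access_per_second": 50,  # network load limit
    "process": {  # key data (lower, upper) per register; max allowed value of reg1 - reg0
        "PLC-01": {"limits": {0: (0, 1000), 1: (0, 1000)}, "max_diff": {(1, 0): 100}},
    },
}

def build_write_request(start, values, unit=1, tid=1):
    """Construct a Modbus TCP write-multiple-registers request (MBAP header + PDU)."""
    pdu = struct.pack(">BHHB", WRITE_MULTIPLE, start, len(values), 2 * len(values))
    pdu += struct.pack(f">{len(values)}H", *values)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(payload):
    """Parse a write-multiple-registers request into {address: value}; raise if malformed."""
    if len(payload) < 13:
        raise ValueError("message too short")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP protocol id or length")
    if payload[7] != WRITE_MULTIPLE:
        raise ValueError(f"unsupported function code 0x{payload[7]:02x}")
    start, qty, nbytes = struct.unpack(">HHB", payload[8:13])
    if nbytes != 2 * qty or len(payload) != 13 + nbytes:
        raise ValueError("byte count does not match quantity")
    values = struct.unpack(f">{qty}H", payload[13:])
    return {"unit": unit, "registers": {start + i: v for i, v in enumerate(values)}}

class Monitor:
    """Policy engine for S202/S203; `clock` is injectable to keep the rate check deterministic."""

    def __init__(self, policy, clock=time.time):
        self.policy, self.clock = policy, clock
        self.hits = defaultdict(int)  # (mac, whole second) -> messages seen

    def alarm(self, device, level, content, suggestion):
        """Alarm information: time, device name, level, content and suggestion."""
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.clock()))
        return {"time": stamp, "device": device, "level": level, "content": content, "suggestion": suggestion}

    def check_device(self, mac, ip, port):
        """S2021: physical information and device correlation checks -> (name, alarm)."""
        p = self.policy
        name = next((n for n, d in p["devices"].items() if d["mac"] == mac), None)
        if name is None or (p["devices"][name]["ip"], p["devices"][name]["port"]) != (ip, port):
            return None, self.alarm(mac, "high", f"unknown device {mac}/{ip}:{port}", "verify device, update policy")
        if mac not in p["mac_whitelist"]:
            return None, self.alarm(name, "high", "MAC not in whitelist", "block and investigate")
        if p["ip_mac_binding"].get(ip) != mac:
            return None, self.alarm(name, "high", f"IP/MAC binding violated for {ip}", "check for spoofing")
        self.hits[(mac, int(self.clock()))] += 1
        if self.hits[(mac, int(self.clock()))] > p["max_access_per_second"]:
            return None, self.alarm(name, "medium", "access rate limit exceeded", "check device load")
        return name, None

    def check_process(self, name, registers):
        """S2023: key data upper/lower limits and the interrelation between data items."""
        rules = self.policy["process"].get(name, {})
        for addr, val in registers.items():
            lo, hi = rules.get("limits", {}).get(addr, (None, None))
            if lo is not None and not lo <= val <= hi:
                return self.alarm(name, "medium", f"register {addr}={val} outside [{lo}, {hi}]", "inspect process")
        for (a, b), max_diff in rules.get("max_diff", {}).items():
            if a in registers and b in registers and registers[a] - registers[b] > max_diff:
                return self.alarm(name, "medium", f"interrelation violated: reg{a}-reg{b} > {max_diff}", "inspect process")
        return None

    def inspect(self, mac, ip, port, payload):
        """S202 + S203 for one message: an alarm dict, or None when the message conforms."""
        name, alarm = self.check_device(mac, ip, port)
        if alarm:
            return alarm
        try:
            msg = parse_modbus_tcp(payload)
        except ValueError as err:
            return self.alarm(name, "medium", f"malformed Modbus TCP message: {err}", "check sender")
        return self.check_process(name, msg["registers"])

def encode_alarm_datagram(alarm):
    """Remote alarm payload: one JSON document per UDP datagram (send it with socket.sendto)."""
    return json.dumps(alarm, sort_keys=True).encode("utf-8")
```

The device checks run before the protocol parser so that a message from an unknown or spoofed station is reported as a device alarm rather than as a process alarm, matching the order of S2021 and S2023; a message that fails to parse is also reported, since a malformed frame from an authorized station is itself an abnormal message. The Profinet, OPC UA and additional-protocol branches (S2025 to S2029) would reuse `check_process` with their own parsers in place of `parse_modbus_tcp`.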
As another optional implementation manner of the embodiment of the present invention, step S2021 may specifically include: identifying the sending device of the message according to the configuration information related to the device physical information in the security policy configuration information, through the device correlation identification processing sub-module. The device correlation identification processing sub-module may be configured to identify the sending device of the message.
As another optional implementation manner of the embodiment of the present invention, the alarm time, the alarm device name, the alarm level, the alarm content and the alarm suggestion information may also be generated by the alarm information generation sub-module; the alarm information may be sent through the remote alarm sub-module; and the report file may be generated through the report generation sub-module.
The state monitoring method for multiple industrial Ethernet protocols, provided by the embodiment of the invention, can analyze the acquired message based on the industrial Ethernet protocol, process the configuration information in the analyzed message according to the security policy configuration information stored in the industrial Ethernet security policy configuration module, and can alarm the message which does not conform to the security policy configuration information.
An embodiment of the present invention further provides an electronic device, as shown in fig. 8, including a processor 301, a communication interface 302, a memory 303 and a communication bus 304, where the processor 301, the communication interface 302 and the memory 303 communicate with each other through the communication bus 304;
the memory 303 is used for storing a computer program;
the processor 301, when executing the program stored in the memory 303, implements the following steps:
pre-storing security policy configuration information;
analyzing the acquired message based on the industrial Ethernet protocol, and processing the configuration information in the analyzed message according to the pre-stored security policy configuration information;
alarming on the message that does not conform to the security policy configuration information based on the processing result of the configuration information in the message.
The electronic equipment provided by the embodiment of the invention can analyze the acquired message based on the industrial Ethernet protocol, process the configuration information in the analyzed message according to the security policy configuration information stored in the industrial Ethernet security policy configuration module, and can give an alarm to the message which does not conform to the security policy configuration information.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM) or a non-volatile memory, such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
An embodiment of the present invention further provides a computer-readable storage medium, in which a computer program is stored, and is configured to execute the following steps:
pre-storing security policy configuration information;
analyzing the acquired message based on the industrial Ethernet protocol, and processing the configuration information in the analyzed message according to the pre-stored security policy configuration information;
alarming on the message that does not conform to the security policy configuration information based on the processing result of the configuration information in the message.
The computer-readable storage medium provided by the embodiment of the invention can analyze the acquired message based on the industrial Ethernet protocol, process the configuration information in the analyzed message according to the security policy configuration information stored in the industrial Ethernet security policy configuration module, and alarm the message which does not conform to the security policy configuration information.
For the method/electronic device/storage medium embodiment, since it is substantially similar to the system embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (8)

1. A state monitoring system for multiple industrial Ethernet protocols, the system comprising: an industrial Ethernet security policy configuration module, an industrial Ethernet protocol identification processing module and an industrial Ethernet alarm generation module;
the industrial Ethernet security policy configuration module is used for storing security policy configuration information; the security policy configuration information includes: configuration information related to device physical information, configuration information related to device correlation, and process related configuration information; the configuration information related to the device physical information includes: the device name, the device Media Access Control (MAC) address, the device Internet Protocol (IP) address and the device port number; the device correlation configuration information includes: MAC address white list information, IP address and MAC address binding information and network load information; wherein the network load information includes: access-times-per-second limit information and network bandwidth information; the process related configuration information includes: upper limit information of key data of the device, lower limit information of the key data of the device and interrelation information among the data, wherein the key data refers to process parameters playing a key role in the operation of the device, and the interrelation information among the data includes: a difference value between two data items, or a logical relationship between two data items;
the industrial Ethernet protocol identification processing module is used for analyzing the acquired message based on the industrial Ethernet protocol and processing the configuration information in the message obtained by analysis according to the security policy configuration information stored in the industrial Ethernet security policy configuration module;
the industrial Ethernet alarm generation module is used for alarming on the message that does not conform to the security policy configuration information based on the processing result of the industrial Ethernet protocol identification processing module;
wherein the industrial Ethernet protocol identification processing module comprises: a device correlation identification processing sub-module, a Modbus TCP protocol identification processing sub-module, a Profinet protocol identification processing sub-module, an OPC UA protocol identification processing sub-module and an additional network protocol identification processing sub-module;
the device correlation identification processing sub-module is used for loading the configuration information related to the device physical information based on the physical information of the message sending device and processing the device correlation information in the message obtained by analysis;
the Modbus TCP protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by analyzing a Modbus TCP protocol message conforms to the process related configuration information in the security policy configuration information;
the Profinet protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by analyzing a Profinet protocol message conforms to the process related configuration information in the security policy configuration information;
the OPC UA protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by analyzing an OPC UA protocol message conforms to the process related configuration information in the security policy configuration information;
the additional network protocol identification processing sub-module is used for judging whether the process relationship configuration information obtained by analyzing a message of the additional network protocol conforms to the process related configuration information in the security policy configuration information; the additional network protocol is: a network protocol other than the Modbus TCP protocol, the Profinet protocol and the OPC UA protocol.
2. The system according to claim 1, wherein the device correlation identification processing sub-module is specifically configured to:
identify the sending device of the message according to the configuration information related to the device physical information in the security policy configuration information.
3. The system of claim 1, wherein the industrial ethernet alarm generation module comprises: the alarm information generation sub-module, the remote alarm sub-module and the alarm report generation sub-module;
the alarm information generation submodule is used for generating alarm time, an alarm device name, an alarm level, alarm content and alarm suggestion information;
the remote alarm submodule is used for sending alarm information through a User Datagram Protocol (UDP) network channel;
the report generation sub-module is used for generating a report file, and the format of the report file is the Portable Document Format (PDF).
4. The system according to claim 1, wherein the device correlation identification processing sub-module is specifically configured to:
judge whether the physical information of the sending device obtained by analyzing the message conforms to the configuration information related to the device physical information stored in the industrial Ethernet security policy configuration module.
5. A state monitoring method for multiple industrial Ethernet protocols, the method comprising:
pre-storing security policy configuration information; the security policy configuration information includes: configuration information related to device physical information, configuration information related to device correlation, and process related configuration information; the configuration information related to the device physical information includes: the device name, the device Media Access Control (MAC) address, the device Internet Protocol (IP) address and the device port number; the device correlation configuration information includes: MAC address white list information, IP address and MAC address binding information and network load information; wherein the network load information includes: access-times-per-second limit information and network bandwidth information; the process related configuration information includes: upper limit information of key data of the device, lower limit information of the key data of the device and interrelation information among the data, wherein the key data refers to process parameters playing a key role in the operation of the device, and the interrelation information among the data includes: a difference value between two data items, or a logical relationship between two data items;
analyzing the acquired message based on the industrial Ethernet protocol, and processing the configuration information in the message obtained by analysis according to the pre-stored security policy configuration information;
based on the processing result of the configuration information in the message, alarming on the message that does not conform to the security policy configuration information;
the analyzing the acquired message based on the industrial ethernet protocol and processing the configuration information in the message acquired by analyzing according to the pre-stored security policy configuration information includes:
loading relevant configuration information of the physical information of the message sending equipment based on the physical information of the message sending equipment, and processing the equipment correlation information in the message obtained by analysis;
judging whether the process relationship configuration information obtained by analyzing the Modbus TCP protocol message conforms to the process related configuration information in the security policy configuration information;
judging whether the process relationship configuration information obtained by analyzing the Profinet protocol message conforms to the process related configuration information in the security policy configuration information;
judging whether the process relationship configuration information obtained by analyzing the OPC UA protocol message conforms to the process related configuration information in the security policy configuration information;
judging whether the process relationship configuration information obtained by analyzing the message of the additional network protocol conforms to the process related configuration information in the security policy configuration information; the additional network protocol is: a network protocol other than the Modbus TCP protocol, the Profinet protocol and the OPC UA protocol.
6. The method according to claim 5, wherein the loading the configuration information related to the device physical information based on the physical information of the message sending device and the processing the device correlation information in the message obtained by the analysis comprises:
identifying the sending device of the message according to the configuration information related to the device physical information in the security policy configuration information.
7. The method according to claim 5, wherein the alarming the message that does not conform to the security policy configuration information based on the processing result of the configuration information in the message comprises:
generating alarm time, alarm equipment name, alarm level, alarm content and alarm suggestion information;
sending alarm information through a User Datagram Protocol (UDP) network channel;
generating a report file, wherein the format of the report file is the Portable Document Format (PDF).
8. The method according to claim 5, wherein the loading the configuration information related to the device physical information based on the physical information of the message sending device and the processing the device correlation information in the message obtained by the analysis comprises:
judging whether the physical information of the sending device obtained by analyzing the message conforms to the pre-stored configuration information related to the device physical information.
CN201811544041.1A 2018-12-17 2018-12-17 State monitoring system and monitoring method for multiple industrial Ethernet protocols Active CN109459995B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811544041.1A CN109459995B (en) 2018-12-17 2018-12-17 State monitoring system and monitoring method for multiple industrial Ethernet protocols

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811544041.1A CN109459995B (en) 2018-12-17 2018-12-17 State monitoring system and monitoring method for multiple industrial Ethernet protocols

Publications (2)

Publication Number Publication Date
CN109459995A CN109459995A (en) 2019-03-12
CN109459995B true CN109459995B (en) 2020-11-13

Family

ID=65613560

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811544041.1A Active CN109459995B (en) 2018-12-17 2018-12-17 State monitoring system and monitoring method for multiple industrial Ethernet protocols

Country Status (1)

Country Link
CN (1) CN109459995B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110262420A (en) * 2019-06-18 2019-09-20 国家计算机网络与信息安全管理中心 A kind of distributed industrial control network security detection system
CN110597226A (en) * 2019-09-17 2019-12-20 中车青岛四方机车车辆股份有限公司 Abnormity early warning method and device for vehicle-mounted Ethernet
CN114153182B (en) * 2020-08-18 2024-03-12 中国航天系统工程有限公司 Industrial terminal safety protection system and method with self-adaptive process
CN112311808B (en) * 2020-11-11 2023-03-21 上海电器科学研究所(集团)有限公司 Method for automatically mapping Modbus protocol data to OPCUA address space

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7421515B2 (en) * 2002-01-17 2008-09-02 Hewlett-Packard Development Company, L.P. Method and system for communications network
CN103997427A (en) * 2014-03-03 2014-08-20 浙江大学 Communication network detection and anti-attack protection method and device, communication equipment and communication system
CN104579818A (en) * 2014-12-01 2015-04-29 国家电网公司 Detection method of network anomaly message of intelligent substation
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list
CN108418794B (en) * 2018-01-29 2022-09-02 全球能源互联网研究院有限公司 Method and system for preventing ARP attack by intelligent substation communication network

Also Published As

Publication number Publication date
CN109459995A (en) 2019-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant