CN109600258A - Industrial protocol message recording device and method

Publication number
CN109600258A
Authority
CN
China
Prior art keywords
message
industrial protocol
protocol message
accounting
recorded
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811504723.XA
Other languages
Chinese (zh)
Other versions
CN109600258B (en)
Inventor
陈亚宁
牛治绿
王红强
周壮
焦颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Master Technology (beijing) Co Ltd
Original Assignee
Master Technology (beijing) Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The present invention discloses an industrial protocol message recording method and device applied to an industrial control network system. The device includes: a message pre-recording module for acquiring industrial protocol messages from a communication interface of the industrial control network system and recording them; a message parsing module for parsing an industrial protocol message to determine whether it meets a message recording trigger condition; a message recording module for storing at least the currently recorded industrial protocol messages when the industrial protocol message is determined to meet the message recording trigger condition; and a first jump module for jumping to the message pre-recording module when the industrial protocol message is determined not to meet the message recording trigger condition. The beneficial effect of the embodiments of the present invention is that analyzing industrial protocol messages and comparing them against the message recording trigger condition makes it possible to identify a security or fault hazard that currently exists, so that the relevant industrial protocol messages can be recorded in time and the integrity of the recorded industrial protocol messages is ensured.

Description

Industrial protocol message recording device and method
Technical field
The present invention relates to the technical field of industrial control, and in particular to an industrial protocol message recording device and method.
Background
An industrial control system contains a large number of smart devices (for example PLCs, HMIs and operator workstations). These smart devices communicate with one another using industrial communication protocols (for example Modbus and S7) to achieve automated operation.
When an industrial control system malfunctions or suffers a problem such as a network attack, the communication messages transmitted in the system need to be recorded and analyzed in order to locate and resolve the problem. If messages are recorded only after the problem occurs, the time lag means that not all of the messages exchanged while the problem developed can be captured, which hinders full tracing and reconstruction of how the problem occurred. If messages are recorded continuously, the message volume is huge: saving them not only occupies a large amount of storage space, but also makes it impossible to find the relevant messages quickly when analyzing the problem. For example, calculated for network traffic of 100Mb/s, recording 1 hour of messages needs 750MB of storage space, and recording one day of messages needs about 18GB. Analyzing and locating a problem within such a mass of messages is very difficult and does not help solve the problem quickly.
Because effective means of message recording are lacking, when an industrial control system malfunctions or suffers a problem such as a network attack, the problem cannot be located and resolved quickly, which affects the safe and stable operation of the industrial control system.
Summary of the invention
The embodiments of the present invention provide an industrial protocol message recording device and method that solve at least one of the above technical problems.
In a first aspect, an embodiment of the present invention provides an industrial protocol message recording device applied to an industrial control network system. The device includes:
A message pre-recording module, for acquiring industrial protocol messages from a communication interface of the industrial control network system and recording them;
A message parsing module, for parsing the industrial protocol message to determine whether it meets a message recording trigger condition, the message recording trigger condition including at least an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
A message recording module, for storing at least the currently recorded industrial protocol messages when the industrial protocol message is determined to meet the message recording trigger condition;
A first jump module, for jumping to the message pre-recording module when the industrial protocol message is determined not to meet the message recording trigger condition.
In a second aspect, an embodiment of the present invention provides an industrial protocol message recording method applied to an industrial control network system. The method includes:
S10, acquiring industrial protocol messages from a communication interface of the industrial control network system and recording them;
S20, parsing the industrial protocol message to determine whether it meets a message recording trigger condition, the message recording trigger condition including at least an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
S30, if so, storing at least the currently recorded industrial protocol messages;
S40, if not, returning to step S10.
In a third aspect, an embodiment of the present invention provides a storage medium storing one or more programs that include executable instructions. The instructions can be read and executed by an electronic device (including but not limited to a computer, a server or a network device) to carry out any of the above industrial protocol message recording methods of the present invention.
In a fourth aspect, an electronic device is provided, comprising at least one processor and a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that it can carry out any of the above industrial protocol message recording methods of the present invention.
In a fifth aspect, an embodiment of the present invention also provides a computer program product comprising a computer program stored on a storage medium. The computer program includes program instructions which, when executed by a computer, cause the computer to carry out any of the above industrial protocol message recording methods.
The beneficial effect of the embodiments of the present invention is that analyzing industrial protocol messages and comparing them against a preset message recording trigger condition, which includes an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value, makes it possible to identify a security or fault hazard that currently exists, so that the relevant industrial protocol messages can be recorded in time and the integrity of the recorded industrial protocol messages is ensured. This provides complete and reliable recorded data for problems such as malfunctions of the industrial control system or network attacks it has suffered.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a functional block diagram of an embodiment of the industrial protocol message recording device of the present invention;
Fig. 2 is a functional block diagram of another embodiment of the industrial protocol message recording device of the present invention;
Fig. 3 is a flow chart of an embodiment of the industrial protocol message recording method of the present invention;
Fig. 4 is a flow chart of another embodiment of the industrial protocol message recording method of the present invention;
Fig. 5 is a functional block diagram of the message collection rules of the industrial protocol message recording device;
Fig. 6 is a flow chart of an embodiment of the message collector in the present invention;
Fig. 7 is a work flow diagram of an embodiment of the message pre-recording module in the present invention;
Fig. 8 is a work flow diagram of an embodiment of the message analysis module in the present invention;
Fig. 9 is a work flow diagram of an embodiment of the message recording module in the present invention;
Fig. 10 is a flow chart of an embodiment of the message record management module in the present invention;
Fig. 11 is a flow chart of message record database information query, file acquisition and deletion in the present invention;
Fig. 12 is a structural diagram of an embodiment of the electronic device of the present invention.
Detailed description of embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
It should be noted that, where there is no conflict, the embodiments of the present application and the features in them can be combined with one another.
The present invention can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform specific tasks or implement specific abstract data types. The present invention can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in both local and remote computer storage media, including storage devices.
In the present invention, terms such as "module", "device" and "system" refer to computer-related entities, such as hardware, a combination of hardware and software, software, or software in execution. In detail, an element can be, but is not limited to, a process running on a processor, a processor, an object, an executable element, a thread of execution, a program and/or a computer. An application or script running on a server, or the server itself, can also be an element. One or more elements can reside within a process and/or thread of execution, and an element can be localized on one computer and/or distributed between two or more computers, and can be run from various computer-readable media. Elements can also communicate by way of local and/or remote processes according to a signal having one or more data packets, for example a signal from data interacting with another element in a local system or distributed system, and/or interacting with other systems by way of the signal across a network such as the Internet.
Finally, it should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include" and "comprise" cover not only the elements listed but also other elements not explicitly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the phrase "including ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The invention proposes a condition-triggered industrial protocol message recording device and method. Message recording can be carried out for the entire industrial control system or for specific important smart devices. A series of trigger conditions can be set, and the messages of the relevant devices are recorded only when a trigger condition is met. To obtain complete messages, the device always caches the messages of a preset duration in memory; when message recording is triggered, these are merged with the messages that follow and recorded together. The recorded messages are compressed and stored as a file, called a message record file. A message recording event database is also established: for each triggered recording, the event information and the path of the corresponding message record file are stored in the database, and indexes are built on information such as recording time, trigger condition and relevant device, so that the corresponding message record file can be located quickly during problem analysis.
As shown in Fig. 1, an embodiment of the present invention provides an industrial protocol message recording device 100 applied to an industrial control network system. The industrial protocol message recording device 100 includes:
A message pre-recording module 110, for acquiring industrial protocol messages from a communication interface of the industrial control network system and recording them;
A message parsing module 120, for parsing the industrial protocol message to determine whether it meets a message recording trigger condition, the message recording trigger condition including an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
A message recording module 130, for storing at least the currently recorded industrial protocol messages when the industrial protocol message is determined to meet the message recording trigger condition;
A first jump module 140, for jumping to the message pre-recording module when the industrial protocol message is determined not to meet the message recording trigger condition.
By analyzing industrial protocol messages and comparing them against a preset message recording trigger condition, which includes an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value, the embodiment of the present invention can identify a security or fault hazard that currently exists, so that the relevant industrial protocol messages can be recorded in time and the integrity of the recorded industrial protocol messages is ensured. This provides complete and reliable recorded data for problems such as malfunctions of the industrial control system or network attacks it has suffered.
As shown in Fig. 2, in some embodiments the industrial protocol message recording device 100 of the present invention further includes:
A duration determination module 120', for judging whether the duration of the currently recorded industrial protocol messages exceeds a set threshold;
A message deletion module 130', for deleting the earliest-recorded part of the currently recorded industrial protocol messages when their duration is determined to exceed the set threshold;
Illustratively, with a set threshold of 10s, the message pre-recording module 110 starts recording industrial protocol messages from the 1st second; when a full 10 seconds of industrial protocol messages have been recorded, the part recorded earliest is deleted (for example the industrial protocol messages recorded in the 1st second, or those recorded in the 2nd or 3rd second; the present invention does not limit this).
A second jump module 140', for jumping to the message pre-recording module when the duration of the currently recorded industrial protocol messages is determined not to exceed the set threshold.
In the embodiment of the present invention, judging in real time whether the duration of the currently recorded industrial protocol messages has exceeded the set threshold ensures that the storage file formed from the recorded and cached industrial protocol messages does not become too large. Specifically, in implementing the present invention the inventors found that any malfunction or network attack in an industrial control system lasts for a certain duration, so the relevant industrial protocol messages do not need to be recorded over a long period; it is enough to record messages of a predetermined duration (the predetermined duration does not exceed the set threshold, and the set threshold can be determined from the historically observed average duration of malfunctions and network attacks). This ensures the integrity of the recorded messages while keeping the cost of storing message data as small as possible. It also reduces the volume of data to be queried and retrieved later, which improves the efficiency of locating problems.
In some embodiments, storing at least the currently recorded industrial protocol messages includes: storing the currently recorded industrial protocol messages and the industrial protocol messages acquired from the communication interface within a preset time starting from the current point in time.
Illustratively, the preset time can be 10s. Combined with the set threshold of 10s in the preceding embodiment, the industrial protocol messages stored in this embodiment are the 10s of messages recorded before the current point in time plus the 10s of messages that continue to be recorded after it, 20s of industrial protocol messages in total. In this embodiment of the present invention, the currently recorded industrial protocol messages are saved and subsequent industrial protocol messages continue to be acquired through the corresponding communication interface, which ensures the integrity of the industrial protocol messages finally recorded.
As shown in Fig. 3, an embodiment of the present invention provides an industrial protocol message recording method applied to an industrial control network system. The method includes:
S10, acquiring industrial protocol messages from a communication interface of the industrial control network system and recording them;
S20, parsing the industrial protocol message to determine whether it meets a message recording trigger condition, the message recording trigger condition including an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
S30, if so, storing at least the currently recorded industrial protocol messages;
S40, if not, returning to step S10.
By analyzing industrial protocol messages and comparing them against a preset message recording trigger condition, which includes an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value, the embodiment of the present invention can identify a security or fault hazard that currently exists, so that the relevant industrial protocol messages can be recorded in time and the integrity of the recorded industrial protocol messages is ensured. This provides complete and reliable recorded data for problems such as malfunctions of the industrial control system or network attacks it has suffered.
As shown in Fig. 4, in some embodiments the industrial protocol message recording method of the present invention further includes:
S20', judging whether the duration of the currently recorded industrial protocol messages exceeds a set threshold;
S30', if so, deleting the earliest-recorded part of the currently recorded industrial protocol messages;
S40', if not, returning to step S10.
In some embodiments, storing at least the currently recorded industrial protocol messages includes: storing the currently recorded industrial protocol messages and the industrial protocol messages acquired from the communication interface within a preset time starting from the current point in time.
In some embodiments, after storing at least the currently recorded industrial protocol messages, the method further includes: generating message recording event information from the content of the currently recorded industrial protocol messages, the message recording event information including: the message record file name and/or path information and/or recording time and/or trigger condition and/or device information.
It should be noted that, for simplicity of description, each of the above method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the order of actions described, because according to the present invention some steps can be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention. In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of other embodiments.
The industrial protocol message recording method of the above embodiments can be executed by the industrial protocol message recording device of the embodiments of the present invention, and correspondingly achieves the technical effects achieved by that device, which are not repeated here. In the embodiments of the present invention, the relevant functional modules can be implemented by a hardware processor.
In some embodiments, the industrial protocol message recording device 100 of the present invention further includes a message acquisition module, which consists of a message collection rule editor and a message collector. The message collection rule editor configures the identification information of the messages to be acquired into the message collector as message collection rules.
Fig. 5 is a functional block diagram of the message collection rules of the industrial protocol message recording device. The device contains several network interfaces, serial ports and other communication interfaces, and a different message collection rule list is configured for each communication interface. The message collection rules 0-n in a list are in a logical "or" relationship: a message matches successfully as long as it matches any one rule in the message collection rule list. The message identification information that needs to be extracted differs between network protocols. For Ethernet protocols, the message identification information includes: source device MAC address, source device IP address, source device port, destination device MAC address, destination device IP address, destination device port, transport protocol, etc. For serial port protocols, the message identification information includes: source device address identifier, destination device address identifier, etc.
A message collection rule may contain one or more of the above message identifiers. When a message collection rule is configured with several message identifiers, the identifiers are in a logical "and" relationship: the rule matches successfully only when all the message identifiers configured in it match.
Table 1: Ethernet communication collection rule configuration example
Rule 1 in the Table 1 Ethernet communication collection rule configuration example indicates acquiring messages whose source device MAC address is 68:F7:29:CE:3E:DF and whose IP address is 192.168.0.98. Rule 2 indicates acquiring messages whose source device port is 1102 and whose destination device port is 502. If a communication interface contains both rule 1 and rule 2, a message is acquired as long as it satisfies either collection rule.
Fig. 6 is a flow chart of an embodiment of the message collector in the present invention. It specifically includes:
The message collector collects messages from a communication interface in the industrial control system network;
It checks whether the message collection rule list of the communication interface is empty;
If the list is empty, all messages acquired from the industrial control system are forwarded to the message pre-recording module and the message analysis module;
If the message collection rule list of the communication interface is not empty, the message identification information is extracted;
The identification information is matched against each rule in the message collection rule list. If any rule matches, the message is forwarded to the message pre-recording module and the message analysis module; if no rule matches, the message is discarded.
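The collector logic of Fig. 6 with the two rules described for Table 1, as an added example that is not code from the patent: identification fields are parsed from a raw Ethernet II/IPv4 frame and matched with "or" across rules and "and" within a rule. The function names, the rule field names and the sample frames (including the destination MAC and IP addresses) are constructed for illustration.

```python
import socket
import struct

# The two collection rules described for Table 1 (field names are assumptions).
TABLE1_RULES = [
    {"src_mac": "68:F7:29:CE:3E:DF", "src_ip": "192.168.0.98"},
    {"src_port": 1102, "dst_port": 502},
]

def _mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def extract_ident(frame):
    """Return the identification fields of an Ethernet II / IPv4 / TCP or UDP
    frame, or None if the frame is something else (VLAN-tagged, ARP, truncated)."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    protocol = {6: "tcp", 17: "udp"}.get(ip[9])
    if ihl < 20 or protocol is None or len(ip) < ihl + 4:
        return None
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {
        "src_mac": _mac(src), "src_ip": socket.inet_ntoa(ip[12:16]), "src_port": src_port,
        "dst_mac": _mac(dst), "dst_ip": socket.inet_ntoa(ip[16:20]), "dst_port": dst_port,
        "protocol": protocol,
    }

def should_collect(frame, rules):
    """Empty rule list: forward everything. Otherwise OR over rules, AND inside a rule."""
    if not rules:
        return True
    ident = extract_ident(frame)
    if ident is None:
        return False                              # no identifiers to match: discard
    return any(all(ident[k] == v for k, v in rule.items()) for rule in rules)

def build_frame(src_mac, src_ip, src_port, dst_port,
                dst_mac="02:00:00:00:00:01", dst_ip="192.168.0.10"):
    """Build a minimal TCP frame for the demo (constructed data, checksums left 0)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 1024, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    samples = {
        "rule 1 device": build_frame("68:F7:29:CE:3E:DF", "192.168.0.98", 40000, 102),
        "rule 2 ports": build_frame("02:00:00:00:00:02", "192.168.0.50", 1102, 502),
        "MAC only": build_frame("68:F7:29:CE:3E:DF", "192.168.0.99", 1102, 503),
    }
    for name, frame in samples.items():
        print(name, should_collect(frame, TABLE1_RULES))
```

The third sample shares the MAC address of rule 1 and the source port of rule 2 but completes neither rule, so it is discarded.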
Fig. 7 is a work flow diagram of an embodiment of the message pre-recording module in the present invention. It specifically includes:
Cache the communication messages in memory;
Check whether the cached messages exceed the cache duration. The message pre-recording module caches messages of a preset duration in the memory of the industrial protocol message recording device; when a new communication message is received, the new message is cached in memory;
If the cached messages exceed the cache duration, delete the earliest-cached part of the currently cached messages and end; otherwise continue checking whether the cached messages exceed the cache duration.
In some embodiments, the message analysis module consists of a trigger condition rule editor and a message analyzer.
The trigger condition rule editor defines trigger condition rules mainly from features such as the industrial protocol function code, point address and point value, and stores them in the trigger condition rule list for use by the message analyzer. The rules in the trigger condition rule list are in a logical "or" relationship: as long as any rule is met, message recording is triggered and the corresponding message recording event is generated. The features within a trigger condition rule are in a logical "and" relationship: the message content must satisfy all the conditions in the trigger condition rule.
Table 2 is trigger condition Sample Rules
Serial number ID Feature 1 Feature 2 Feature N
1 Function code=reading holding register
2 Function code=write holding register Dot address=0 Value < 1000
The configuration of Modbus agreement trigger condition rule is described in table 2.1st rule, expression are when message function When code is reads holding register message, message accounting is just triggered, and generate message accounting event.Message is worked as in 2nd rule, expression Function code is to write holding register, and writing dot address is 0, and when being worth less than 1000, triggers message accounting, and generate message accounting thing Part.
Table 3, event information example
As shown in Fig. 8, a workflow diagram of an embodiment of the message analysis module in the present invention, comprising:
Obtain a message;
Judge whether the trigger condition rule list is empty;
If so, perform no message analysis and end;
If not, analyze the message content and traverse the trigger condition rule list, specifically:
Obtain each trigger condition rule in turn;
Judge whether the message matches all features in the rule;
If not, judge whether all rules in the trigger condition rule list have been traversed;
If so, end;
If not, obtain the next trigger condition rule and repeat the above steps;
If all features match, generate event information and forward the event to the message recording module.
In some embodiments, the message analyzer checks whether the trigger condition rule list is empty; if it is empty, no message analysis is performed. When the list is not empty, the analyzer analyzes the message content and traverses each rule in the list; if the message meets a trigger condition rule, it creates message recording event information from the message content and sends the event information to the message recording module.
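The trigger-rule evaluation described above (OR across rules, AND across the features of one rule), as an added Python example that is not code from the patent. It goes beyond Table 2 by also handling multi-register writes (function code 0x10) and malformed frames; the Modbus/TCP request parsing, the rule data layout, the `in` operator and the event fields are assumptions.

```python
import operator
import struct

# Comparison operators a rule feature may use ("in" is an addition for this example).
OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
       "in": lambda got, allowed: got in allowed}
READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE = 0x03, 0x06, 0x10


def parse_modbus_request(frame):
    """Return (function_code, [(address, value), ...]) or None if malformed.

    Assumes client-to-server Modbus/TCP requests; value is None for reads.
    """
    if len(frame) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # length covers unit id + PDU
        return None
    fc, data = frame[7], frame[8:]
    if fc in (READ_HOLDING, WRITE_SINGLE):
        if len(data) != 4:
            return None
        addr, arg = struct.unpack(">HH", data)
        if fc == WRITE_SINGLE:
            return fc, [(addr, arg)]
        if not 1 <= arg <= 125:  # register count allowed in a read request
            return None
        return fc, [(addr + i, None) for i in range(arg)]
    if fc == WRITE_MULTIPLE:
        if len(data) < 5:
            return None
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if not 1 <= qty <= 123 or nbytes != 2 * qty or len(data) != 5 + nbytes:
            return None
        values = struct.unpack(f">{qty}H", data[5:])
        return fc, [(start + i, v) for i, v in enumerate(values)]
    return fc, []  # other function codes: only function-code features can match


def rule_matches(rule, fc, points):
    """AND across features; address/value features must all hold on the same point."""
    feats = rule["features"]
    if not all(OPS[op](fc, want) for n, op, want in feats if n == "function_code"):
        return False
    per_point = [f for f in feats if f[0] != "function_code"]
    if not per_point:
        return True
    candidates = ({"address": a, "value": v} for a, v in points)
    return any(all(p[n] is not None and OPS[op](p[n], want) for n, op, want in per_point)
               for p in candidates)


def analyze(frame, rules):
    """Return event info for the first matching rule (OR across rules), else None."""
    if not rules:  # empty rule list: no analysis is performed
        return None
    parsed = parse_modbus_request(frame)
    if parsed is None:
        return None
    fc, points = parsed
    for rule in rules:
        if rule_matches(rule, fc, points):
            return {"rule_id": rule["id"], "function_code": fc, "points": points}
    return None


def build_frame(pdu, tid=1, unit=1):
    """Wrap a PDU in an MBAP header; used only to build the constructed samples."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Table 2 as data; rule 2 is widened here to cover both register-write function codes.
RULES = [
    {"id": 1, "features": [("function_code", "=", READ_HOLDING)]},
    {"id": 2, "features": [("function_code", "in", (WRITE_SINGLE, WRITE_MULTIPLE)),
                           ("address", "=", 0), ("value", "<", 1000)]},
]
# Constructed sample frames.
READ_REQ = build_frame(struct.pack(">BHH", READ_HOLDING, 0, 10))
WRITE_LOW = build_frame(struct.pack(">BHH", WRITE_SINGLE, 0, 500))
WRITE_HIGH = build_frame(struct.pack(">BHH", WRITE_SINGLE, 0, 1500))
MULTI_SPLIT = build_frame(struct.pack(">BHHBHH", WRITE_MULTIPLE, 0, 2, 4, 1500, 20))
MULTI_OK = build_frame(struct.pack(">BHHBHH", WRITE_MULTIPLE, 0, 2, 4, 20, 1500))
```

`MULTI_SPLIT` writes 1500 to address 0 and 20 to address 1, so no single point satisfies both the address and the value feature and rule 2 does not fire.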
As shown in Fig. 9, a workflow diagram of an embodiment of the message recording module in the present invention. Specifically, it includes:
Obtain the message and extract the time at which the event occurred: the message recording module extracts the event time from the message recording event information generated by the message analysis module;
Extract history messages of a certain duration from the message pre-recording module;
At the same time, record the real-time messages after the event occurs;
After message recording of the preset duration is complete, merge the history messages and the real-time messages, and generate the message recording file after compression;
Name the message recording file according to a predetermined naming rule and store it in the file system. After the message recording file is generated, the message recording module sends the file name, path information and event information to the message recording management module.
Table 4: Message recording content example
Message record ID | File name | Path | Event ID
7 | eth1-1-Modbus-543216331.tar.gz | /record/dev1 | 1
8 | eth1-2-Modbus-543216333.tar.gz | /record/dev1 | 5
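The pre-recording cache of Fig. 7 and the history/real-time merge of Fig. 9, as an added Python example that is not the patent's own code. The framing of messages inside the archive and the file name pattern (modeled on the names in Table 4) are assumptions, and timestamps are passed in explicitly so the constructed run is deterministic.

```python
import io
import struct
import tarfile
from collections import deque


class PreRecordBuffer:
    """Fig. 7: keep only messages no older than `window` seconds."""

    def __init__(self, window):
        self.window = window
        self._buf = deque()  # (timestamp, raw bytes), oldest first

    def add(self, ts, raw):
        self._buf.append((ts, raw))
        # Delete the earliest-cached messages once they exceed the cache duration.
        while self._buf and ts - self._buf[0][0] > self.window:
            self._buf.popleft()

    def snapshot(self):
        return list(self._buf)


def pack_messages(messages):
    """Assumed framing: 8-byte timestamp, 4-byte length, then the raw message."""
    return b"".join(struct.pack(">dI", ts, len(raw)) + raw for ts, raw in messages)


def read_record(tar_gz):
    """Inverse of Recorder.finish(): returns the merged [(timestamp, raw), ...]."""
    with tarfile.open(fileobj=io.BytesIO(tar_gz), mode="r:gz") as tar:
        blob = tar.extractfile("messages.bin").read()
    out, pos = [], 0
    while pos < len(blob):
        ts, size = struct.unpack_from(">dI", blob, pos)
        out.append((ts, blob[pos + 12:pos + 12 + size]))
        pos += 12 + size
    return out


class Recorder:
    """Fig. 9: on a trigger, merge pre-trigger history with post-trigger traffic."""

    def __init__(self, prebuf, post_window, iface="eth1", proto="Modbus"):
        self.prebuf, self.post_window = prebuf, post_window
        self.iface, self.proto = iface, proto
        self._active = None  # recording in progress, if any
        self._seq = 0

    def on_message(self, ts, raw, event_id=None):
        """Feed every captured message; returns a finished recording or None."""
        done = None
        if self._active and ts - self._active["t0"] > self.post_window:
            done = self.finish()
        if self._active:
            # Triggers that arrive during a recording are simply captured in it.
            self._active["live"].append((ts, raw))
        elif event_id is not None:
            # Snapshot history before the triggering message enters the buffer,
            # so it is stored once, as the first real-time message.
            self._active = {"t0": ts, "event_id": event_id,
                            "history": self.prebuf.snapshot(), "live": [(ts, raw)]}
        self.prebuf.add(ts, raw)
        return done

    def finish(self):
        """Merge, compress and name the recording; returns (name, bytes, event_id)."""
        if self._active is None:
            return None
        rec, self._active = self._active, None
        self._seq += 1
        payload = pack_messages(rec["history"] + rec["live"])
        out = io.BytesIO()
        with tarfile.open(fileobj=out, mode="w:gz") as tar:
            info = tarfile.TarInfo("messages.bin")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        # Hypothetical naming rule modeled on the pattern of the names in Table 4.
        name = f"{self.iface}-{self._seq}-{self.proto}-{int(rec['t0'])}.tar.gz"
        return name, out.getvalue(), rec["event_id"]


def demo_recording():
    """Constructed traffic: one message per second for 13 s, trigger at t=8."""
    rec = Recorder(PreRecordBuffer(window=5), post_window=3)
    feed = (rec.on_message(float(t), bytes([t]), event_id=1 if t == 8 else None)
            for t in range(13))
    return [done for done in feed if done]
```

With a 5-second cache and a 3-second post-trigger window, the recording produced by `demo_recording()` holds the messages from t=2 through t=11: six from the cache and four captured from the trigger onward.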
As shown in Fig. 10, a flow chart of an embodiment of the message recording management module in the present invention. Specifically, it includes:
The message recording management module stores the message recording file name, path and message recording event information generated by the message recording module in a database;
Build indexes on information such as message recording time, trigger condition and related device;
Automatically check the available file system space: the message recording management module manages message recording files sustainably, checking whether the available file system space has reached the reserved threshold;
If it has, automatically delete history message recording files and the corresponding information in the message recording database, to guarantee the storage space the system needs to run.
As shown in Fig. 11, a flow chart of message recording database information query, file acquisition and deletion in the present invention. Specifically, it includes:
Receive the query conditions;
Search for the matching record file information and time information;
Judge whether to download the message record;
If so, return the message recording file and end;
If not, further judge whether to delete the message record;
If not, end;
If so, delete the message recording information and time information in the database;
Delete the message recording file in the file system and end.
Users can quickly retrieve message records and event information by message recording time, trigger condition and related device information, and acquisition and deletion of message recording files are supported.
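The management flow of Fig. 10 and the query/delete flow of Fig. 11, as an added Python example that is not the patent's own code. The SQLite schema, the class and method names, and the reading of "reaches the reserved threshold" as free space at or below a reserve are assumptions; free space is injectable so the constructed run does not depend on a real disk.

```python
import os
import shutil
import sqlite3
import tempfile


class RecordStore:
    """Index of recording files plus the free-space retention check of Fig. 10."""

    def __init__(self, root, min_free, free_bytes=None):
        self.root, self.min_free = root, min_free
        # Injectable so retention can be exercised without filling a real disk.
        self.free_bytes = free_bytes or (lambda: shutil.disk_usage(root).free)
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE record (id INTEGER PRIMARY KEY, file_name TEXT, path TEXT,"
            " event_id INTEGER, recorded_at REAL, trigger_rule TEXT, device TEXT)")
        for col in ("recorded_at", "trigger_rule", "device"):
            self.db.execute(f"CREATE INDEX idx_{col} ON record ({col})")

    def add(self, file_name, data, event_id, recorded_at, trigger_rule, device):
        """Store the file, index it, then run the retention check."""
        with open(os.path.join(self.root, file_name), "wb") as fh:
            fh.write(data)
        self.db.execute(
            "INSERT INTO record (file_name, path, event_id, recorded_at, trigger_rule,"
            " device) VALUES (?, ?, ?, ?, ?, ?)",
            (file_name, self.root, event_id, recorded_at, trigger_rule, device))
        return self.purge()

    def query(self, since=None, until=None, trigger_rule=None, device=None):
        """Search by time range, trigger condition and device; values are bound."""
        clauses, args = [], []
        for sql, val in (("recorded_at >= ?", since), ("recorded_at <= ?", until),
                         ("trigger_rule = ?", trigger_rule), ("device = ?", device)):
            if val is not None:
                clauses.append(sql)
                args.append(val)
        where = " WHERE " + " AND ".join(clauses) if clauses else ""
        return self.db.execute(
            "SELECT id, file_name, path, event_id FROM record" + where
            + " ORDER BY recorded_at", args).fetchall()

    def delete(self, record_id):
        """Fig. 11 order: remove the database row, then the file."""
        row = self.db.execute(
            "SELECT path, file_name FROM record WHERE id = ?", (record_id,)).fetchone()
        if row is None:
            return False
        self.db.execute("DELETE FROM record WHERE id = ?", (record_id,))
        try:
            os.remove(os.path.join(*row))
        except FileNotFoundError:
            pass
        return True

    def purge(self):
        """Delete the oldest recordings while free space is at or below the reserve."""
        removed = []
        while self.free_bytes() <= self.min_free:
            oldest = self.db.execute(
                "SELECT id FROM record ORDER BY recorded_at LIMIT 1").fetchone()
            if oldest is None:
                break
            self.delete(oldest[0])
            removed.append(oldest[0])
        return removed


def demo_store():
    """Constructed run: a simulated 1000-byte volume with a 400-byte reserve."""
    with tempfile.TemporaryDirectory() as root:
        def free():
            used = sum(os.path.getsize(os.path.join(root, f)) for f in os.listdir(root))
            return 1000 - used
        store = RecordStore(root, min_free=400, free_bytes=free)
        purged = []
        for i, dev in enumerate(("dev1", "dev1", "dev2"), start=1):
            purged += store.add(f"rec-{i}.tar.gz", b"\0" * 250, i, float(i), "rule-2", dev)
        kept = [r[1] for r in store.query()]
        dev2 = [r[1] for r in store.query(device="dev2", since=2.0)]
        return purged, kept, dev2, sorted(os.listdir(root))
```

In the constructed run the third 250-byte file drops free space to 250 bytes, so the oldest recording is removed from both the index and the directory.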
In some embodiments, an embodiment of the present invention provides a non-volatile computer-readable storage medium storing one or more programs that include executable instructions, which can be read and executed by an electronic device (including but not limited to a computer, server or network device) to perform any of the above industrial protocol message recording methods of the present invention.
In some embodiments, an embodiment of the present invention also provides a computer program product comprising a computer program stored on a non-volatile computer-readable storage medium; the computer program includes program instructions which, when executed by a computer, cause the computer to perform any of the above industrial protocol message recording methods.
In some embodiments, an embodiment of the present invention also provides an electronic device comprising: at least one processor, and a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the industrial protocol message recording method.
In some embodiments, an embodiment of the present invention also provides a storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, performs the industrial protocol message recording method.
Fig. 12 is a schematic diagram of the hardware structure of an electronic device for performing the industrial protocol message recording method provided by another embodiment of the present application. As shown in Fig. 12, the device includes:
One or more processors 1210 and a memory 1220; one processor 1210 is taken as an example in Fig. 12.
The device for performing the industrial protocol message recording method may further include an input device 1230 and an output device 1240.
The processor 1210, memory 1220, input device 1230 and output device 1240 may be connected by a bus or in other ways; connection by a bus is taken as an example in Fig. 12.
As a non-volatile computer-readable storage medium, the memory 1220 can be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions/modules corresponding to the industrial protocol message recording method in the embodiments of the present application. By running the non-volatile software programs, instructions and modules stored in the memory 1220, the processor 1210 executes the various functional applications and data processing of the server, that is, implements the industrial protocol message recording method of the above method embodiments.
The memory 1220 may include a program storage area and a data storage area, where the program storage area can store the operating system and the application programs required by at least one function, and the data storage area can store data created through use of the industrial protocol message recording device, and so on. In addition, the memory 1220 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some embodiments, the memory 1220 optionally includes memory located remotely from the processor 1210, and such remote memory can be connected to the industrial protocol message recording device through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 1230 can receive input numeric or character information and generate signals related to user settings and function control of the industrial protocol message recording device. The output device 1240 may include a display device such as a display screen.
The one or more modules are stored in the memory 1220 and, when executed by the one or more processors 1210, perform the industrial protocol message recording method of any of the above method embodiments.
The above product can perform the method provided by the embodiments of the present application, and has the functional modules and beneficial effects corresponding to performing the method. For technical details not described in detail in this embodiment, refer to the method provided by the embodiments of the present application.
The electronic device of the embodiments of the present application exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: these devices are characterized by mobile communication functions, with providing voice and data communication as their main goal. Such terminals include smartphones (e.g. iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. Such terminals include PDA, MID and UMPC devices, for example iPad.
(3) Servers: devices that provide computing services. A server is composed of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capacity, stability, reliability, security, scalability and manageability are higher.
(4) Other electronic devices with data interaction functions.
The device embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution in essence, or the part of it that contributes over the related art, can be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, server, network device or the like) to perform the methods described in the embodiments or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present application, not to limit them. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. An industrial protocol message recording device, applied to an industrial control network system, the device comprising:
a message pre-recording module, configured to collect industrial protocol messages from a communication interface of the industrial control network system and record them;
a message parsing module, configured to parse the industrial protocol message to determine whether the industrial protocol message meets a message recording trigger condition, the message recording trigger condition including at least an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
a message recording module, configured to store at least the currently recorded industrial protocol messages when it is determined that the industrial protocol message meets the message recording trigger condition;
a first jump module, configured to jump to the message pre-recording module when it is determined that the industrial protocol message does not meet the message recording trigger condition.
2. The device according to claim 1, further comprising:
a duration determination module, configured to judge whether the duration of the currently recorded industrial protocol messages exceeds a set threshold;
a message deletion module, configured to delete the earliest-recorded portion of the currently recorded industrial protocol messages when it is determined that the duration of the currently recorded industrial protocol messages exceeds the set threshold;
a second jump module, configured to jump to the message pre-recording module when it is determined that the duration of the currently recorded industrial protocol messages does not exceed the set threshold.
3. The device according to claim 1, wherein storing at least the currently recorded industrial protocol messages comprises: storing the currently recorded industrial protocol messages and the industrial protocol messages collected from the communication interface within a preset time starting from the current point in time.
4. The device according to claim 1, further comprising:
a message record management module, configured to, after at least the currently recorded industrial protocol messages are stored, generate message recording event information according to content information of the currently recorded industrial protocol messages, the message recording event information including: message recording file name and/or path information and/or recording time and/or trigger condition and/or device information.
5. An industrial protocol message recording method, applied to an industrial control network system, the method comprising:
S10, collecting industrial protocol messages from a communication interface of the industrial control network system and recording them;
S20, parsing the industrial protocol message to determine whether the industrial protocol message meets a message recording trigger condition, the message recording trigger condition including at least an abnormal industrial protocol function code and/or an abnormal point address and/or an abnormal point value;
S30, if so, storing at least the currently recorded industrial protocol messages;
S40, if not, returning to step S10.
6. The method according to claim 5, further comprising:
S20', judging whether the duration of the currently recorded industrial protocol messages exceeds a set threshold;
S30', if so, deleting the earliest-recorded portion of the currently recorded industrial protocol messages;
S40', if not, returning to step S10.
7. The method according to claim 5, wherein storing at least the currently recorded industrial protocol messages comprises: storing the currently recorded industrial protocol messages and the industrial protocol messages collected from the communication interface within a preset time starting from the current point in time.
8. The method according to claim 5, further comprising, after storing at least the currently recorded industrial protocol messages:
generating message recording event information according to content information of the currently recorded industrial protocol messages, the message recording event information including: message recording file name and/or path information and/or recording time and/or trigger condition and/or device information.
9. An electronic device, comprising: at least one processor, and a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the steps of the method of any one of claims 5-8.
10. A storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method of any one of claims 5-8.
CN201811504723.XA 2018-12-10 2018-12-10 Industrial protocol message recording device and method Active CN109600258B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811504723.XA CN109600258B (en) 2018-12-10 2018-12-10 Industrial protocol message recording device and method

Publications (2)

Publication Number Publication Date
CN109600258A true CN109600258A (en) 2019-04-09
CN109600258B CN109600258B (en) 2022-02-22

Family

ID=65962342

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811504723.XA Active CN109600258B (en) 2018-12-10 2018-12-10 Industrial protocol message recording device and method

Country Status (1)

Country Link
CN (1) CN109600258B (en)

Also Published As

Publication number Publication date
CN109600258B (en) 2022-02-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information
Inventor after: Niu Zhilv; Jiao Ying
Inventor before: Chen Yaning; Niu Zhilv; Wang Hongqiang; Zhou Zhuang; Jiao Ying
CP02 Change in the address of a patent holder
Address after: 100020 705, Unit 1, Building 1, Yard 1, Longyu Middle Street, Huilongguan Town, Changping District, Beijing
Patentee after: INSEC TECHNOLOGY (BEIJING) Co.,Ltd.
Address before: Room 315, unit 1, floor 3, No. 99, Yuexiu Road, Haidian District, Beijing 100096
Patentee before: INSEC TECHNOLOGY (BEIJING) Co.,Ltd.
CP02 Change in the address of a patent holder