CN109714371B - Industrial control network safety detection system - Google Patents


Info

Publication number: CN109714371B
Authority: CN (China)
Prior art keywords: security, module, equipment, scanning, program
Legal status: Active
Application number: CN201910186014.XA
Other languages: Chinese (zh)
Other versions: CN109714371A
Inventors: 李明轩, 陈涛, 杨慧婷, 钟劲松, 郭庆瑞, 王旭, 郭学让
Current assignee: Electric Power Research Institute of State Grid Xinjiang Electric Power Co Ltd
Original assignee: Electric Power Research Institute of State Grid Xinjiang Electric Power Co Ltd

Abstract

The embodiment of the invention provides an industrial control network security detection system, belonging to the technical field of network security. The system comprises a first device provided with a secure communication module and a scanning module, the secure communication module being connected with a second device and a third device through a communication network; the second device is provided with a security management module, which sends a remote security management service request to the first device; and the third device is provided with a matching module, which matches a second security component to the first device based on the environment information of the first device. The first device receives and installs the second security component distributed by the third device and performs security management on itself based on that component. Through the processing scheme of the application, the security of the device is improved.

Description

Industrial control network safety detection system
Technical Field
The invention relates to the technical field of network security, in particular to an industrial control network security detection system.
Background
With the popularity of the Internet and the rapid evolution of web technologies, the challenges of network security are becoming more and more severe. As online information and services become more widely available and web-based attacks and disruptions grow in number, security risks have reached an unprecedented level. Web applications are almost forgotten because most security work is concentrated on the network itself, perhaps because applications in the past were usually stand-alone programs running on a single computer, which were secure as long as that computer was secure. Today the situation is quite different: web applications run across a variety of machines, including the client, the web server, the database server and the application server. Moreover, because they are generally available to everyone, these applications have become a back door for many attack activities.
A software security vulnerability mainly refers to a defect introduced while the software is being written that leaves the whole computer software system exposed to security threats, or the sum of the factors that can affect the operation of the whole system. Because computer software is created by people, vulnerabilities are largely the result of considerations the software builder overlooked while creating it. Common software vulnerabilities include: exceptions in the operation or use of the software; vulnerabilities in protocols; and abnormal operating behaviour of the software after the computer has been infected by a virus.
In practical applications, users have increasingly high requirements for the security of computer devices. Therefore, a new security processing scheme for computing devices is needed.
Disclosure of Invention
In view of this, an embodiment of the present invention provides an industrial control network security detection system, which at least partially solves the problems in the prior art.
The embodiment of the invention provides an industrial control network security detection system, comprising:
a first device, a second device and a third device, wherein the first device is provided with a secure communication module and a scanning module, and the secure communication module is connected with the second device and the third device through a communication network;
the second device is provided with a security management module, and the security management module sends a remote security management service request to the first device;
the scanning module executes an initialization scanning operation from the security management module on the first device based on the remote security management service request, and installs a first security detection component after the initialization scanning is completed, wherein the first security detection component is used for extracting environment information of the first device;
the secure communication module sends the environment information of the first device to the third device, which is in communication connection with the first device; a customized security apparatus related to security management and a matching module are arranged on the third device, and the matching module matches a second security component to the first device based on the environment information;
the first device receives and installs a second security component distributed by the third device, the second security component being a set of one or more customized security modules selected by the third device from the customized security apparatus based on the environment information of the first device, and performs security management on the first device based on the second security component after the second security component is successfully installed.
According to a specific implementation manner of the embodiment of the present invention, the second device further includes:
a rule module, which issues a security scanning rule to the scanning module before the scanning module executes the initialization scan on the first device;
and a security sample database, which performs data matching on the file features extracted by the scanning module on the first device and distributes a first security detection component to the first device based on the result of the data matching.
According to a specific implementation manner of the embodiment of the present invention, the first device further includes:
a security verification module, which performs security verification on the remote security management service request of the second device;
and a registration module, which starts the registration of the first device with the second device after the security verification is passed, sets the first device to an isolated state, and sets the first device from the isolated state to a scanning state after a registration success message from the second device is received.
According to a specific implementation manner of the embodiment of the present invention, the scanning module is further configured to:
receive a vulnerability scanning request from the second device;
install a first security detection component on the first device in response to the vulnerability scanning request;
request the first security detection component to perform a vulnerability scan of the first device;
and send the result of the vulnerability scan to the second device through the secure communication module.
According to a specific implementation manner of the embodiment of the present invention, the secure communication module is further configured to:
receive the first security detection component from the second device after a scan result indicating that no security vulnerability exists in the first device has been sent to the second device.
According to a specific implementation manner of the embodiment of the present invention, the security verification module is further configured to:
receive, after the first security detection component has been received from the second device, an authentication key sent by the second device to the first device.
According to a specific implementation manner of the embodiment of the present invention, the second security component is further configured to:
acquire the network environment in which the first device is located, and perform a security evaluation of the network environment to obtain a first evaluation value.
According to a specific implementation manner of the embodiment of the present invention, the second security component is further configured to:
when the first evaluation value is larger than a first threshold value, acquire a program to be tested in the first device, trigger the start of the program to be tested, and evaluate the start process of the program to be tested to obtain a second evaluation value, wherein the second evaluation value comprises a characteristic value of the program to be tested and a start parameter of the program to be tested.
According to a specific implementation manner of the embodiment of the present invention, the second security component is further configured to:
search the security sample database of the second device for matching data corresponding to the second evaluation value, and when the matching data exists, perform vulnerability detection in the first device based on the second evaluation value.
According to a specific implementation manner of the embodiment of the present invention, the security verification module is further configured to:
acquire a communication log of the first device and the second device;
determine a security key between the first device and the second device based on the communication log;
and receive a security authentication request sent by the security management module of the second device based on the security key.
The industrial control network security detection system comprises a first device provided with a secure communication module and a scanning module, the secure communication module being connected with a second device and a third device through a communication network; the second device is provided with a security management module, which sends a remote security management service request to the first device; the scanning module executes an initialization scanning operation from the security management module on the first device based on the remote security management service request, and installs a first security detection component after the initialization scanning is completed, the first security detection component being used for extracting environment information of the first device; the secure communication module sends the environment information of the first device to the third device, on which a customized security apparatus related to security management and a matching module are arranged, and the matching module matches a second security component to the first device based on the environment information; the first device receives and installs the second security component distributed by the third device, the second security component being a set of one or more customized security modules selected by the third device from the customized security apparatus based on the environment information of the first device, and performs security management on the first device based on the second security component after it is successfully installed. Through the scheme of the application, the security of the device is improved.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a security device management system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a security device management flow according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating another security device management flow according to an embodiment of the present invention;
Fig. 4 is a schematic diagram illustrating another security device management flow according to an embodiment of the present invention;
Fig. 5 is a schematic diagram illustrating another security device management flow according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
The embodiments of the present disclosure are described below with specific examples, and other advantages and effects of the present disclosure will be readily apparent to those skilled in the art from the disclosure in the specification. It is to be understood that the described embodiments are merely illustrative of some, and not restrictive, of the embodiments of the disclosure. The disclosure may be embodied or carried out in various other specific embodiments, and various modifications and changes may be made in the details within the description without departing from the spirit of the disclosure. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present disclosure, and the drawings only show the components related to the present disclosure rather than the number, shape and size of the components in actual implementation, and the type, amount and ratio of the components in actual implementation may be changed arbitrarily, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided to facilitate a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
The embodiment of the disclosure provides an industrial control network security detection system. The industrial control network security detection system provided by the embodiment may be executed by a computing device, where the computing device may be implemented as software, or implemented as a combination of software and hardware, and the computing device may be integrally disposed in a server, a terminal device, or the like.
Referring to Fig. 1, an industrial control network security detection system provided in an embodiment of the present invention includes a first device, a second device and a third device. The first device is provided with a secure communication module and a scanning module, and the secure communication module is connected with the second device and the third device through a communication network. The second device is provided with a security management module that sends a remote security management service request to the first device. The third device is provided with a matching module and a customized security apparatus. The matching module selects one or more customized security modules from the customized security apparatus based on the request of the first device to form a second security component, and sends the second security component to the first device.
The scanning module executes an initialization scanning operation from the security management module on a first device based on the remote security management service request, and installs a first security detection component after the initialization scanning is completed, wherein the first security detection component is used for extracting environment information of the first device.
The first device is a hardware device that needs security management; as an example, it may be a computer, a mobile phone or another computing device. An operating system (e.g., Windows, Linux, iOS or Android) may run on the first device, and the program to be tested is an application program running in that operating system.
The second device is in communication connection with the first device, and a security management module is installed in the second device; based on the security management module, the second device can perform security management on the devices connected to it. Specifically, after acquiring the information of the first device, the second device may send a remote security management service request to the first device in a wired or wireless manner, and then perform security management on the first device by receiving the first device's response to the request.
The first device, upon receiving a remote security management service request from the second device, is able to parse the remote security management service request. For example, the first device can perform data verification on the remote security management service request, and after the second device is resolved as a trusted device through the remote security management service request, perform further communication connection with the second device.
The remote security management service request comprises an initialization scanning operation request aiming at the first device, and when the first device determines that the second device is a trusted device, the initialization scanning operation from the security management module can be executed. By initializing the scanning operation, the environmental information on the first device can be preliminarily scanned, and the characteristic information related to the device safety on the first device can be extracted.
After the initialization scanning is completed, the first device sends a scanned result to the second device, a security management module in the second device analyzes the scanned result after receiving the scanned result sent by the first device, and when the analyzed result shows that the security environment of the first device needs to be further managed, a first security detection component is installed to the first device through a network and used for further extracting environment information of the first device. The first security detection component may have security software of a specific function.
The security communication module sends the environment information of the first device to a third device in communication connection with the first device, a customized security device related to security management and a matching module are arranged on the third device, and the matching module matches a second security component with the first device based on the environment information.
After the first security detection component obtains information scanning and collection authority on the first device, the environment information of the first device can be sent to a third device designated by the security management module in the second device. The third device is in communication connection with the first device, and a plurality of customized security modules related to security management are arranged on it, each with a different security detection function. For example, a customized security module may detect a specific network virus, or detect whether a vulnerability exists in a specific application program. The customized modules may exist in the form of software.
The second device is communicatively coupled to a third device, and a security management module on the second device is capable of maintaining and updating one or more customized security modules on the third device.
Receiving and installing, on a first device, a second security component distributed from the third device, the second security component being a set of one or more customized security modules selected by the third device from the customized security apparatuses based on environmental information of the first device, performing security management on the first device based on the second security component after successful installation of the second security component.
After the first device sends the request to the third device and the third device verifies it, the third device sends the second security component to the first device. According to the content of the environment information on the first device, the third device selects one or more customized security modules from the set of customized security modules to form a new software combination; different environment information on the first device yields a different software combination in the second security component, and because different customized security modules have different functions, the software set best suited to security management of the first device, namely the second security component, can be configured by combining software. The second security component can perform targeted security management on the first device, which improves the efficiency of security management.
As an optional implementation manner, referring to fig. 1, the second device may further include a rule module and a security sample database, where the rule module issues a security scanning rule to the scanning module before the scanning module performs initialization scanning on the first device, and the scanning module of the first device may perform security scanning on the environment of the first device according to the security scanning rule.
The security sample database performs data matching on the file features extracted by the scanning module on the first device, and distributes a first security detection component to the first device based on the result of the data matching. As one example, the first security detection component may be stored in the security sample database.
In order to ensure the safety of the first device, according to a specific implementation manner of the embodiment of the present invention, the first device further includes: a security verification module and a registration module. The security verification module is used for performing security verification on the remote security management service request of the second device so as to confirm whether the second device belongs to a trusted device. After the security verification module confirms that the second device is a trusted device, the registration module is used for starting the registration of the first device to the second device after the security verification is passed, setting the first device to be in an isolated state, and setting the first device to be in a scanning state from the isolated state after receiving a registration success message of the second device. By setting the first device to different states, the second device can acquire the security state of the first device in real time and perform security management on the first device based on the security state of the first device.
As an optional implementation, the scanning module is further configured to receive a vulnerability scanning request from the second device, install a first security detection component on the first device in response to the request, request the first security detection component to perform a vulnerability scan of the first device, and send the result of the vulnerability scan to the second device through the secure communication module.
Specifically, after a scan result indicating that no security vulnerability exists in the first device has been sent to the second device, the secure communication module receives the first security detection component from the second device.
To further secure communications between the first device and the second device, the security verification module is further configured to: after the first security detection component is received from the second device, the authentication key sent by the second device to the first device is received, and the security of communication between the first device and the second device is improved through the authentication key.
The second security component is used for performing security management on the first device. As one security management mode, the second security component acquires the network environment in which the first device is located, performs a security evaluation of the network environment, and obtains a first evaluation value. When the first evaluation value is larger than a first threshold value, it acquires a program to be tested in the first device, triggers the start of the program to be tested, and evaluates the start process of the program to be tested to obtain a second evaluation value, wherein the second evaluation value comprises a characteristic value of the program to be tested and a start parameter of the program to be tested.
The second evaluation value can be uploaded to a second device, whether matching data corresponding to the second evaluation value exists or not is searched in a security sample database of the second device, and when the matching data exists, vulnerability detection is carried out in the first device based on the second evaluation value.
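The two-stage evaluation just described, as an added example written for this page (not the patent's or the assignee's implementation): a first evaluation value scores the network environment, a second evaluation value is only computed when that score exceeds the first threshold, and the second value's characteristic value (here a SHA-256 of the program) is looked up in a sample database before any vulnerability detection runs. The scoring weights, the threshold of 40, the environment fields, the program bytes and the sample database contents are all constructed assumptions; the patent gives none of these values.

```python
import hashlib

# Assumed threshold for the first evaluation value; the patent names a "first
# threshold" but gives no value.
FIRST_THRESHOLD = 40


def evaluate_network(env: dict) -> int:
    """First evaluation value: a risk score for the network environment the
    first device sits in (weights are constructed for this example)."""
    score = 10 * len(env.get("open_ports", []))
    if env.get("internet_reachable", False):
        score += 30
    if not env.get("segmented", True):
        score += 20
    return score


def evaluate_start(program: bytes, start_params: list) -> dict:
    """Second evaluation value: the program's characteristic value (here its
    SHA-256) together with the parameters it was started with."""
    return {"feature": hashlib.sha256(program).hexdigest(),
            "start_params": tuple(start_params)}


# Constructed security sample database of the second device: characteristic
# value -> matching data naming a known weakness and the start flag exposing it.
PROGRAM_UNDER_TEST = b"constructed-hmi-runtime-v1"
SAMPLE_DB = {
    hashlib.sha256(PROGRAM_UNDER_TEST).hexdigest(): {
        "vuln": "unauthenticated register writes enabled by start flag",
        "risky_flag": "--allow-anon-write",
    },
}


def detect(env: dict, program: bytes, start_params: list) -> dict:
    """Run the second security component's evaluation chain and report."""
    first_value = evaluate_network(env)
    result = {"first_value": first_value, "program_checked": False,
              "finding": None}
    if first_value <= FIRST_THRESHOLD:
        # Environment judged low risk: the program is not started or evaluated.
        return result
    result["program_checked"] = True
    second_value = evaluate_start(program, start_params)
    matched = SAMPLE_DB.get(second_value["feature"])
    if matched is None:
        return result  # no matching data in the sample database
    # Matching data exists: vulnerability detection driven by the second value.
    if matched["risky_flag"] in second_value["start_params"]:
        result["finding"] = matched["vuln"]
    return result


def demo() -> tuple:
    """Constructed inputs: a risky and a low-risk network environment."""
    risky_env = {"open_ports": [502, 3389], "internet_reachable": True,
                 "segmented": False}
    safe_env = {"open_ports": [502], "internet_reachable": False,
                "segmented": True}
    return (detect(risky_env, PROGRAM_UNDER_TEST, ["--allow-anon-write"]),
            detect(safe_env, PROGRAM_UNDER_TEST, ["--allow-anon-write"]))
```

The point of the gate on the first value is that the program under test is only started, and its start parameters only collected, on hosts whose network exposure justifies it; a host scoring below the threshold is left untouched even when the same program is present.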
The security verification module may further obtain a communication log of the first device and the second device, determine a security key between the first device and the second device based on the communication log, and receive a security authentication request sent by a security management module of the second device based on the security key.
Specifically, in the process of communicating between the first device and the second device, a log file of the communication between the first device and the second device may be stored in the first device, where the communication log includes details of the communication between the first device and the second device, such as whether the communication is performed in an encrypted manner, a security key used for encrypted communication, and the like. For security, the first device and the second device may communicate with each other through an agreed security key, where the agreed security key may be sent by the second device to the first device in a distributed manner, or the first device may determine a common security key through a negotiation with the second device. As one approach, a security key used by the first device to communicate with the second device last time may be adopted as the current security key. After the first device and the second device complete the current communication, the security key between the first device and the second device may be updated.
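The log-derived key described above, as an added example written for this page (not the patent's or the assignee's code): the first device adopts the key recorded for its most recent encrypted session with the second device, uses it to check the security management module's authentication request, and after the session derives a fresh key and records it. The log field names, the HMAC-based check, and the derivation of the next key from the previous key and the session transcript are assumptions; the patent only says the key is "updated" after communication.

```python
import hashlib
import hmac
import json
from typing import Optional

PEER = "second-device"

# Constructed communication log kept on the first device. The patent says the
# log records whether a session was encrypted and which key it used; the
# field names are assumptions made for this example.
COMM_LOG = [
    {"session": 1, "peer": PEER, "encrypted": False, "key": None},
    {"session": 2, "peer": PEER, "encrypted": True,
     "key": hashlib.sha256(b"constructed-session-2-key").hexdigest()},
    {"session": 3, "peer": "other-host", "encrypted": True,
     "key": hashlib.sha256(b"constructed-unrelated-key").hexdigest()},
]


def current_key(log: list, peer: str) -> Optional[bytes]:
    """Adopt the key used in the most recent encrypted session with the peer."""
    for entry in reversed(log):
        if entry["peer"] == peer and entry["encrypted"] and entry["key"]:
            return bytes.fromhex(entry["key"])
    return None


def make_tag(key: bytes, request: dict) -> str:
    """Bind a request to a key (HMAC-SHA256 over a canonical JSON form)."""
    body = json.dumps(request, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_auth_request(log: list, peer: str, request: dict, tag: str) -> bool:
    """Security verification module: accept the manager's authentication
    request only if it carries a valid tag under the log-determined key."""
    key = current_key(log, peer)
    if key is None:
        return False
    return hmac.compare_digest(make_tag(key, request), tag)


def rotate_key(log: list, peer: str, transcript: bytes) -> bytes:
    """Assumed update rule after a completed session: derive the next key from
    the previous key and the session transcript, then record it in the log."""
    prev = current_key(log, peer)
    if prev is None:
        raise ValueError("no prior encrypted session with peer")
    next_key = hmac.new(prev, b"next-key|" + transcript, hashlib.sha256).digest()
    log.append({"session": len(log) + 1, "peer": peer, "encrypted": True,
                "key": next_key.hex()})
    return next_key
```

Because the log here holds the raw key, it is effectively the device's key store and needs the same protection (access control, integrity) as one; a tag made under the old key stops verifying as soon as the key has been rotated, which is the property the update step is meant to give.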
As an embodiment, referring to fig. 2, performing security management on the first device may include steps S101-S104:
S101, a remote security management service request initiated by the security management module in the second device is obtained at the first device, the second device being in communication connection with the first device.
S102, based on the remote security management service request, executing an initialization scanning operation from the security management module on a first device, and installing a first security detection component after the initialization scanning is completed, wherein the first security detection component is used for extracting environment information of the first device.
S103, using the first security detection component to send the environment information of the first device to a third device that is communicatively connected to the first device, where a plurality of customized security modules related to security management are provided on the third device.
Once the first security detection component has obtained the information scanning and collection permissions on the first device, the environment information of the first device can be sent to a third device designated by the security management module in the second device. The third device is communicatively connected to the first device and provides a plurality of customized security modules related to security management, each with a different security detection function. For example, a customized security module may detect a specific network virus, or may detect whether a vulnerability exists in a specific application program. The customized modules may exist in the form of software.
The second device is communicatively connected to the third device, and the security management module on the second device is able to maintain and update one or more of the customized security modules on the third device.
S104, receiving and installing on the first device a second security component distributed by the third device, where the second security component is a set of one or more customized security modules selected by the third device from the plurality of customized security modules based on the environment information of the first device; after the second security component is successfully installed, security management is performed on the first device based on the second security component.
After the first device sends its request to the third device and the third device verifies that request, the third device sends the second security component to the first device. According to the content of the environment information on the first device, the third device selects one or more customized security modules from the set of customized security modules to form a new software combination; different environment information on the first device results in a different software combination in the second security component. Because different customized security modules have different functions, the software set best suited to the security management of the first device, namely the second security component, can be assembled by combining modules. The second security component can then perform targeted security management on the first device, which improves the efficiency of security management.
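The following Python example, added for this page and not taken from the patent, shows one way the third device could select customized security modules from the environment information of the first device and assemble them into a second security component, and how the first device could check the delivered modules before installing them. The module catalog, the environment fields (`os`, `apps`, `device_id`) and the per-module SHA-256 manifest are assumptions of the example, not something the patent specifies.

```python
"""Added example: third-device module selection and first-device integrity check.
Illustrative code for this page, not the patent's implementation."""
import hashlib
import json

# Constructed catalog of customized security modules on the third device.
# Each entry states the environment conditions under which the module applies
# and a stand-in byte string for its software payload.
MODULE_CATALOG = [
    {"name": "win_worm_scanner", "function": "virus",
     "requires": {"os": {"windows"}}, "payload": b"scan-smb-worm-v3"},
    {"name": "linux_rootkit_check", "function": "virus",
     "requires": {"os": {"linux"}}, "payload": b"check-lkm-v1"},
    {"name": "modbus_app_vuln_check", "function": "app_vuln",
     "requires": {"apps": {"modbus-server"}}, "payload": b"modbus-fuzz-v2"},
    {"name": "opcua_app_vuln_check", "function": "app_vuln",
     "requires": {"apps": {"opcua-server"}}, "payload": b"opcua-fuzz-v1"},
    {"name": "generic_port_audit", "function": "baseline",
     "requires": {}, "payload": b"port-audit-v5"},
]


def module_applies(module, env):
    """A module applies when every required field of the environment info overlaps
    with the module's accepted values; an empty requirement matches every device."""
    for field, accepted in module["requires"].items():
        actual = env.get(field, set())
        if isinstance(actual, str):
            actual = {actual}
        if not accepted & set(actual):
            return False
    return True


def select_modules(env):
    """Select the customized security modules that fit the first device's environment."""
    return [m for m in MODULE_CATALOG if module_applies(m, env)]


def build_second_security_component(env):
    """Assemble the selected modules into a second security component. The manifest
    carries a SHA-256 digest per module so the first device can check integrity
    before installing (the digest field is an assumption of this example)."""
    modules = select_modules(env)
    manifest = {
        "target": env["device_id"],
        "modules": [
            {"name": m["name"], "function": m["function"],
             "sha256": hashlib.sha256(m["payload"]).hexdigest()}
            for m in modules
        ],
    }
    payloads = {m["name"]: m["payload"] for m in modules}
    return manifest, payloads


def verify_and_install(manifest, payloads):
    """First-device side: install only modules whose payload matches the manifest digest.
    Returns the names installed; a missing or tampered payload is skipped."""
    installed = []
    for entry in manifest["modules"]:
        data = payloads.get(entry["name"])
        if data is not None and hashlib.sha256(data).hexdigest() == entry["sha256"]:
            installed.append(entry["name"])
    return installed


if __name__ == "__main__":
    # Constructed environment information reported by the first security detection component.
    env = {"device_id": "hmi-01", "os": "windows", "apps": {"modbus-server", "browser"}}
    manifest, payloads = build_second_security_component(env)
    print(json.dumps(manifest, indent=2))
    payloads["win_worm_scanner"] = b"tampered"      # simulate a corrupted download
    print("installed:", verify_and_install(manifest, payloads))
```

Matching on environment attributes keeps the composed component small, and the digest check means a module altered in transit between the third device and the first device is not installed even though it is listed in the manifest.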
In the process of executing step S101, referring to fig. 3, a specific implementation method according to an embodiment of the present invention may include the following steps:
S201, performing security verification on the remote security management service request of the second device.
After receiving the remote security management service request of the second device, the first device needs to perform security verification on the request. Specifically, it may check whether the request contains a preset management instruction; when the preset management instruction is present, it may determine that the request comes from a legitimate source.
S202, after the security verification is passed, the first device starts to register with the second device and sets itself to an isolated state.
After the security verification is completed, the first device may register with the second device; specifically, the identification information and other identity information of the first device may be registered together in the security management module on the second device. During registration, in order to block communication requests from other devices to the first device, the first device sets itself to an isolated state.
S203, after receiving the registration success message from the second device, changing the state of the first device from the isolated state to a scanning state.
After the first device has registered with the second device, the next security scanning operation may be performed; for this purpose, the state of the first device is switched from the isolated state to the scanning state.
In the process of executing step S102, as an alternative embodiment, referring to fig. 4, the step of executing the initialization scanning operation from the security management module on the first device may include the following steps:
S301, receiving a vulnerability scanning request from the second device.
After the second device completes the initial security scan of the first device, it may further perform targeted vulnerability scanning on the first device; for this purpose, the security management module of the second device sends a vulnerability scanning request to the first device, which receives it.
S302, in response to the vulnerability scanning request, installing a first security detection component on the first device.
The second device stores a first security detection component for detecting the environment of a device; the second device issues the first security detection component to the first device, and the first device installs it after receiving it.
S303, requesting the first security detection component to perform vulnerability scanning on the first device.
After the first security detection component is installed, the first device may start it and request it to perform vulnerability scanning on the first device. The first security detection component is used for extracting the environment information of the first device.
S304, sending the result of the vulnerability scanning to the second device.
As some optional embodiments, the first security detection component may be installed on multiple occasions; in one application scenario, the first security detection component may be received from the second device after a scan result indicating that no security vulnerability exists on the first device has been sent to the second device.
To ensure the security of the data exchange, after the first security detection component is received from the second device, the authentication key on the first device may be updated from the second device. The first device and the second device then communicate in encrypted form using the authentication key.
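The following Python example, added for this page and not part of the patent, walks a first device through steps S201 to S203 and S301 to S304 above as a small state machine: it checks the preset management instruction, authenticates every message from the second device, refuses other hosts while isolated, moves to the scanning state on registration success, checks the integrity of the delivered first security detection component, and rotates its authentication key afterwards so that the scan result goes back under the new key. The message format, the instruction value `RSMS-INIT`, the HMAC-SHA256 authenticator and the key-derivation step (new key = HMAC(old key, nonce)) are all assumptions of the example; the patent leaves these mechanisms open, and a preset instruction alone is only a source check, which is why the example pairs it with a keyed authenticator.

```python
"""Added example: first-device handler for S201-S203 and S301-S304 with key rotation.
Illustrative code for this page, not the patent's implementation."""
import hashlib
import hmac
import json

PRESET_INSTRUCTION = "RSMS-INIT"          # assumed preset management instruction


def canonical(msg):
    """Serialize a message deterministically, leaving out the tag itself."""
    body = {k: v for k, v in msg.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(msg, key):
    msg = dict(msg)
    msg["tag"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verified(msg, key):
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("tag", ""))


class FirstDevice:
    def __init__(self, device_id, manager_id, auth_key):
        self.device_id = device_id
        self.manager_id = manager_id       # the trusted second device
        self.key = auth_key
        self.state = "idle"
        self.installed = None
        self.outbox = []                   # messages sent back to the second device

    def handle(self, msg):
        """Process one inbound message; returns the new state or raises on a policy violation."""
        # S202: while isolated, only the registering second device is heard at all.
        if self.state == "isolated" and msg.get("from") != self.manager_id:
            raise PermissionError("isolated: request from %s dropped" % msg.get("from"))
        if msg.get("from") != self.manager_id or not verified(msg, self.key):
            raise PermissionError("unauthenticated request")

        kind = msg["type"]
        if kind == "service_request":                         # S201
            if msg.get("instruction") != PRESET_INSTRUCTION:
                raise PermissionError("no preset management instruction")
            self.state = "isolated"                           # S202
            self.outbox.append(sign({"from": self.device_id, "type": "register",
                                     "device_id": self.device_id}, self.key))
        elif kind == "register_ok":                           # S203
            if self.state != "isolated":
                raise PermissionError("registration reply outside isolated state")
            self.state = "scanning"
        elif kind == "vuln_scan_request":                     # S301/S302
            if self.state != "scanning":
                raise PermissionError("scan request outside scanning state")
            component = msg["component"]
            if hashlib.sha256(component.encode()).hexdigest() != msg["component_sha256"]:
                raise ValueError("component integrity check failed")
            self.installed = component
            # Key update after the component arrives (mechanism assumed by this example).
            self.key = hmac.new(self.key, msg["key_nonce"].encode(), hashlib.sha256).digest()
            # S303/S304: the component's scan result is returned under the new key.
            self.outbox.append(sign({"from": self.device_id, "type": "scan_result",
                                     "findings": []}, self.key))
        else:
            raise ValueError("unknown message type %s" % kind)
        return self.state


def run_session():
    """Drive one complete session with constructed messages; returns (state trace, result_ok)."""
    key = b"initial-shared-key"
    dev = FirstDevice("hmi-01", "mgr", key)
    trace = [dev.handle(sign({"from": "mgr", "type": "service_request",
                              "instruction": PRESET_INSTRUCTION}, key))]
    try:                                   # another host tries to talk during isolation
        dev.handle(sign({"from": "eng-ws", "type": "service_request",
                         "instruction": PRESET_INSTRUCTION}, key))
    except PermissionError:
        trace.append("dropped")
    trace.append(dev.handle(sign({"from": "mgr", "type": "register_ok"}, key)))
    component = "first-security-detection-component-v1"
    trace.append(dev.handle(sign({"from": "mgr", "type": "vuln_scan_request",
                                  "component": component,
                                  "component_sha256": hashlib.sha256(component.encode()).hexdigest(),
                                  "key_nonce": "n-2019-03"}, key)))
    new_key = hmac.new(key, b"n-2019-03", hashlib.sha256).digest()
    result_ok = verified(dev.outbox[-1], new_key) and not verified(dev.outbox[-1], key)
    return trace, result_ok


if __name__ == "__main__":
    print(run_session())
```

The example only authenticates messages; confidentiality of the channel, which the page also calls for, would be added with an authenticated cipher such as AES-GCM keyed from the same rotated key.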
In addition to the embodiment disclosed in step S104, referring to fig. 5, performing security management on the first device based on the second security component may further include:
S401, acquiring the network environment in which a program to be tested on the first device is located, and performing security evaluation on the network environment to obtain a first evaluation value.
The first device is the hardware operating environment of the program to be tested; for example, it may be a computer, a mobile phone, or another computing device. An operating system (e.g., Windows, Linux, iOS, or Android) may run on the first device, and the program to be tested is an application program running in that operating system.
Before vulnerability detection is carried out on the program to be tested, a security evaluation of its network environment is required; evaluating the security of the network environment ensures that the current environment of the first device meets the conditions for vulnerability detection.
Specifically, the network structure in the current network environment may be obtained and extracted into a first network model, which refines the information contained in the current network structure. To evaluate the first network model, a network evaluation model may be set in advance based on an information security criterion. The first network model is analyzed on the basis of the preset network evaluation model to obtain a second network model containing a plurality of evaluation elements. For example, the evaluation elements may include network area boundaries, protection levels, and so on. The evaluation elements may be chosen according to actual needs, and their specific content is not limited here.
Different weights can be set for different evaluation elements according to different needs, so a weighted evaluation model can be stored on a fourth device (for example, a server). When the network structure in the current network environment is evaluated, the weighted evaluation model at the current moment is obtained from the fourth device, and the second network model is weighted using it to obtain a first processing result.
In addition, before the network topology information is acquired, traffic data packets within a preset time period on the first device may be acquired and parsed to obtain a first parsing result. The first parsing result may include the traffic data within the packets that relate to network security. Behavior characteristic analysis is then performed on the traffic data packets based on the first parsing result to obtain a first analysis result, which includes, for example, whether the traffic contains network threat information. Based on the first analysis result, availability detection is performed on the communication links of the first device to obtain a second processing result.
After the first and second processing results are obtained, they may be normalized, for example mapped to values between 0 and 1. The first evaluation value is then obtained from the first processing result and the second processing result.
S402, when the first evaluation value is greater than a first threshold value, triggering the start of the program to be tested and evaluating the start process of the program to be tested to obtain a second evaluation value, where the second evaluation value includes a characteristic value of the program to be tested and a start parameter of the program to be tested.
Depending on the operating system of the first device, the program to be tested may be various types of software; for example, it may be an application program under Windows or under Android. When the first evaluation value is detected to be greater than the preset first threshold value, the current operating system environment can be regarded as a relatively safe evaluation environment, and vulnerability detection of the program to be tested can begin.
In one approach, the start of the program to be tested may be triggered by calling it. While the program to be tested is starting, its input request may be obtained, and based on the input request the parameter values of the test program corresponding to the program to be tested may be determined; these parameter values may include the program type of the program to be tested, the start input request, and so on.
A second evaluation value is generated based on the parameter values of the test program, and the vulnerability detection mode of the program to be tested is determined through the second evaluation value.
S403, searching a security sample database of the second device for matching data corresponding to the second evaluation value, and when matching data exists, performing vulnerability detection on the first device based on the second evaluation value.
After the second evaluation value is obtained, a vulnerability detection scheme corresponding to it must be determined. A second device communicatively connected to the first device is provided specifically for this purpose; the second device may be a server located in the cloud, and the latest vulnerability detection schemes for software to be tested are stored in a matching database on the second device. The second device can be communicatively connected to the first device and also to other devices that need vulnerability detection, so that a uniform vulnerability detection scheme is provided to more devices.
When matching data exists in the matching database, vulnerability detection can be performed directly on the first device. Specifically, after the second evaluation value is obtained, the corresponding vulnerability testing program is called to execute the test operation on the program to be tested according to the second evaluation value. As an example, the software to be tested may be checked for bugs by fuzz testing. For example, when the program to be tested is a Windows-based application, a corresponding first test parameter may be configured for that type of application so that the test program performs vulnerability detection according to the configured first test parameter; when the program to be tested is an Android-based application, a second test parameter corresponding to the test program is automatically configured based on that type, so that the test program performs fuzz testing on the command-line program according to the configured second test parameter. Thus the embodiment of the invention can configure the test parameters of the test program according to the different types of programs to be tested, so that the test program uses different test parameters to fuzz different types of programs, which improves the efficiency of bug handling.
During testing, the program to be tested may generate a log file related to vulnerability detection, so an exception log related to the test operation can be obtained from the log file, and an overflow vulnerability of the program to be tested can be determined according to the exception log.
In addition, the buffer corresponding to the exception can be located, and the address of the vulnerable instruction in the program to be tested can be determined based on that buffer.
When no matching data exists, vulnerability detection is performed by a third device communicatively connected to the first device. In this case, a file parsing engine on the third device parses the file of the program to be tested to generate a second parsing result, which contains the source code and binary file information of the program to be tested.
From the second parsing result the characteristics of the program to be tested can be extracted; the second parsing result is then matched using preset vulnerability pattern matching rules, and a vulnerability of the program to be tested (the first vulnerability) is determined based on the matching similarity.
Because the first vulnerability is obtained by similarity matching, whether the match is accurate must be verified. Specifically, the vulnerability position and vulnerability type of the first vulnerability are looked up, malformed test data corresponding to that position and type is constructed and injected into the program to be tested, and whether the first vulnerability is a real vulnerability of the program to be tested is judged from the program's response to the malformed test data.
According to a specific implementation manner of the embodiment of the present invention, performing security evaluation on the network environment to obtain a first evaluation value may include the following steps:
S2201, acquiring the network structure in the network environment, and extracting the network structure into a first network model.
Network topology generation, which is the front-end input of network simulation, is an important part of network simulation and an important factor in determining its authenticity and reliability. The network structure of the first device may also differ according to the network environment. The network topology can be generated by simulation from a network model using the Brite or Inet topology generator, and the network conditions and protocol performance in the network structure of the first device can be studied through the generated topology data.
After the network structure is extracted, it may be represented by any one of a stochastic model, a hierarchical model, or a power-law model.
S2202, analyzing the first network model based on a preset network evaluation model to obtain a second network model including a plurality of evaluation elements.
To evaluate the first network model, a network evaluation model may be set in advance based on an information security criterion. The first network model is analyzed on the basis of the preset network evaluation model to obtain a second network model containing a plurality of evaluation elements. For example, the evaluation elements may include network area boundaries, protection levels, and so on. The evaluation elements may be chosen according to actual needs, and their specific content is not limited here.
S2203, acquiring the weighted evaluation model of the current time from the fourth device, and performing weighted processing on the second network model based on the weighted evaluation model to obtain a first processing result.
Different weights can be set for different evaluation elements according to different needs, so a weighted evaluation model can be stored on a fourth device (for example, a server). When the network structure in the current network environment is evaluated, the weighted evaluation model at the current moment is obtained from the fourth device, and the second network model is weighted using it to obtain a first processing result.
In addition to the security evaluation of the network structure, according to a specific implementation manner of the embodiment of the present invention, performing security evaluation on the network environment to obtain a first evaluation value may further include:
S3301, obtaining traffic data packets on the first device within a preset time period, and parsing the traffic data packets to obtain a first parsing result.
Packet capture at the network bottom layer can be realized in various ways, for example by exploiting the broadcast nature of Ethernet, or by configuring a monitoring port on a router.
Since the captured traffic packets contain much data irrelevant to vulnerability analysis, the packets need to be parsed and the data relevant to vulnerability detection selected to form the first parsing result.
S3302, performing behavior feature analysis on the traffic data packets based on the first parsing result to obtain a first analysis result.
The content of the first parsing result is inspected and abnormal-behavior traffic is extracted from it. Abnormal traffic detection uses behavior characteristic analysis to detect malicious code such as industrial Trojans and viruses in the simulation platform, and records threat information including attack time, attack source IP, attack destination IP, application layer protocol, network layer protocol and so on, finally forming the first analysis result.
S3303, performing availability detection on the communication links of the first device based on the first analysis result to obtain a second processing result.
A target node matching the first analysis result is selected according to that result, a communication connection is established between the first device and the preset target node, the communication availability between the first device and the target node is tested, and the second processing result is obtained from the availability information.
S3304, obtaining the first evaluation value based on the first processing result and the second processing result.
After the first and second processing results are obtained, they may be normalized, for example mapped to values between 0 and 1. The first evaluation value is then obtained from the first processing result and the second processing result.
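The following Python example, added for this page and not part of the patent, carries the evaluation of S401 (restated above as S2201 to S2203 and S3301 to S3304) through on constructed data: a three-zone network structure as the first network model, evaluation elements derived from it as the second network model, a weighted evaluation model standing in for the one fetched from the fourth device, constructed traffic records analyzed for Modbus write requests from outside the control zones as the threat information, an availability check of the control-zone hosts, and the normalized combination into the first evaluation value. The element definitions, the weights, the Modbus rule (function codes 5, 6, 15, 16 are writes) and the equal weighting of the two processing results are assumptions of the example.

```python
"""Added example: first evaluation value from a constructed network structure and
constructed traffic records. Illustrative code for this page, not the patent's."""

# First network model (S2201): zones of the first device's network with their
# protection level (assumed scale 1..4) and the links between zones, each marked
# with whether a protective boundary device sits on it.
NETWORK = {
    "zones": {"control": {"level": 4, "hosts": {"10.1.1.5", "10.1.1.6"}},
              "supervisory": {"level": 3, "hosts": {"10.1.2.7"}},
              "office": {"level": 1, "hosts": {"10.1.9.20"}}},
    "links": [("control", "supervisory", True), ("supervisory", "office", False)],
}

# Weighted evaluation model as it would be fetched from the fourth device (S2203).
WEIGHTED_MODEL = {"boundary_protection": 0.5, "min_protection_level": 0.3, "zone_count": 0.2}


def evaluation_elements(net):
    """S2202: the second network model, a dict of evaluation elements each in [0, 1]."""
    links = net["links"]
    protected = sum(1 for _, _, guarded in links if guarded)
    levels = [z["level"] for z in net["zones"].values()]
    return {
        "boundary_protection": protected / len(links) if links else 1.0,
        "min_protection_level": (min(levels) - 1) / 3,       # level 1 -> 0.0, level 4 -> 1.0
        "zone_count": min(len(net["zones"]), 5) / 5,          # more segmentation scores higher, capped
    }


def first_processing_result(elements, weights):
    """S2203: weighted sum of the evaluation elements, normalized by the total weight."""
    total = sum(weights.values())
    return sum(elements[name] * w for name, w in weights.items()) / total


# Constructed traffic records captured on the first device within the preset period (S3301).
TRAFFIC = [
    {"t": "08:00:01", "src": "10.1.2.7",  "dst": "10.1.1.5", "l4": "tcp", "app": "modbus", "fc": 3},
    {"t": "08:00:02", "src": "10.1.9.20", "dst": "10.1.1.5", "l4": "tcp", "app": "modbus", "fc": 16},
    {"t": "08:00:02", "src": "10.1.9.20", "dst": "10.1.1.6", "l4": "tcp", "app": "modbus", "fc": 4},
    {"t": "08:00:03", "src": "10.1.9.20", "dst": "10.1.2.7", "l4": "tcp", "app": "http",   "fc": None},
]
MODBUS_WRITE_FC = {5, 6, 15, 16}


def parse_traffic(records):
    """S3301: first parsing result, keeping only records that carry an industrial protocol."""
    return [r for r in records if r["app"] == "modbus"]


def zone_of(ip, net):
    for name, z in net["zones"].items():
        if ip in z["hosts"]:
            return name
    return None


def behavior_analysis(parsed, net):
    """S3302: first analysis result. Rule: a Modbus write issued from outside the
    control or supervisory zones is recorded as threat information."""
    threats = []
    for r in parsed:
        if r["fc"] in MODBUS_WRITE_FC and zone_of(r["src"], net) not in ("control", "supervisory"):
            threats.append({"time": r["t"], "src": r["src"], "dst": r["dst"],
                            "app_proto": r["app"], "net_proto": r["l4"]})
    return threats


def link_availability(threats, net, reachable):
    """S3303: second processing result. Target nodes are the control-zone hosts; a host
    named as attack destination counts as unavailable, the rest are probed via `reachable`."""
    targets = net["zones"]["control"]["hosts"]
    attacked = {t["dst"] for t in threats}
    available = [h for h in targets if h not in attacked and reachable(h)]
    return len(available) / len(targets)


def clamp(x):
    return max(0.0, min(1.0, x))


def first_evaluation_value(net, traffic, weights, reachable):
    """S3304: combine both processing results after normalization; equal weighting assumed."""
    r1 = first_processing_result(evaluation_elements(net), weights)
    r2 = link_availability(behavior_analysis(parse_traffic(traffic), net), net, reachable)
    return round((clamp(r1) + clamp(r2)) / 2, 4)


if __name__ == "__main__":
    print(first_evaluation_value(NETWORK, TRAFFIC, WEIGHTED_MODEL, lambda host: True))
```

With the constructed data the unguarded office-to-supervisory link and the level-1 office zone pull the first processing result down to 0.37, and the Modbus write from the office host against one control-zone PLC halves the availability result, so the first evaluation value is 0.435; whether that passes depends on the first threshold value chosen for S402.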
According to a specific implementation manner of the embodiment of the present invention, triggering the start of the program to be tested and evaluating the start process of the program to be tested to obtain a second evaluation value includes:
S4401, acquiring the input request of the program to be tested while the program to be tested is starting.
The input request of the program to be tested consists of the input items required when the program to be tested starts; by obtaining the input request, the specific requirements of the program to be tested are learned.
S4402, determining the parameter values of the test program corresponding to the program to be tested based on the input request.
The test program is bug detection software matched to the program to be tested; its parameter values need to be configured before testing, and through the parameter values the test program can perform type-specific detection.
S4403, generating a second evaluation value based on the parameter values of the test program.
A second evaluation value is generated based on the parameter values of the test program, and the vulnerability detection mode of the program to be tested is determined through the second evaluation value.
After the second evaluation value is acquired, the test is configured according to it and the test program is called to execute the test operation on the program to be tested. During testing, an exception log related to the test operation can be obtained, and the overflow vulnerability of the program to be tested can be determined according to that log.
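The following Python example, added for this page and not part of the patent, ties together S4401 to S4403 and the two detection paths of S403 (described above after S402): it derives the second evaluation value from the program's input request, looks it up in a constructed security sample database, and then either fuzzes the program with type-specific test parameters and reads the overflow out of the exception log, or, when no matching data exists, applies preset vulnerability pattern rules to the parsed source and confirms each candidate first vulnerability by injecting malformed input. The program to be tested is a constructed stand-in that imitates a fixed 64-byte buffer; the database contents, the test parameters, the pattern rules and the log line format are assumptions of the example.

```python
"""Added example: second evaluation value, database lookup, and the fuzz versus
pattern-match detection paths. Illustrative code for this page, not the patent's."""
import re


class BufferedProgram:
    """Constructed program to be tested: copies its start input into a fixed buffer
    and raises an error that imitates an overflow when the input is longer."""
    SOURCE = "char buf[64];\nstrcpy(buf, argv[1]);\nprintf(\"%s\", buf);\n"

    def __init__(self, program_type, buffer_size=64):
        self.program_type = program_type
        self.buffer_size = buffer_size

    def start(self, data):
        if len(data) > self.buffer_size:
            raise OverflowError("write of %d bytes into buf[%d]" % (len(data), self.buffer_size))
        return len(data)

    def input_request(self):
        return {"program_type": self.program_type, "start_input": "argv[1]"}


def second_evaluation_value(program):
    """S4401-S4403: the evaluation value is the test-program parameter set derived from
    the program's input request (program type plus start input request)."""
    req = program.input_request()
    return (req["program_type"], req["start_input"])


# Constructed security sample database on the second device: evaluation value -> test parameters.
SAMPLE_DB = {
    ("windows", "argv[1]"): {"lengths": [16, 64, 65, 256, 4096], "filler": b"A"},
    ("android", "intent"):  {"lengths": [16, 1024, 65536], "filler": b"\xff"},
}


def fuzz(program, params):
    """Fuzz the program with inputs of the configured lengths; returns the exception log."""
    log = []
    for n in params["lengths"]:
        try:
            program.start(params["filler"] * n)
        except Exception as exc:                    # the program's own log would record this
            log.append("EXC len=%d %s: %s" % (n, type(exc).__name__, exc))
    return log


def overflow_from_log(log):
    """S403: read the overflow out of the exception log; returns (smallest triggering
    length, buffer size) or None when no overflow was logged."""
    hits = [re.search(r"len=(\d+) OverflowError: .*buf\[(\d+)\]", line) for line in log]
    hits = [(int(m.group(1)), int(m.group(2))) for m in hits if m]
    return min(hits) if hits else None


# Preset vulnerability pattern rules on the third device: rule name -> tokens expected in the source.
PATTERN_RULES = {
    "unbounded_copy": ["strcpy(", "char ", "["],
    "format_string": ["printf(", "argv"],
}


def static_match(source, rules, min_similarity=0.99):
    """Pattern matching over the second parsing result; similarity is the share of rule
    tokens present. Returns candidate first vulnerabilities with their line position."""
    found = []
    for name, tokens in rules.items():
        sim = sum(1 for t in tokens if t in source) / len(tokens)
        if sim >= min_similarity:
            line = next(i + 1 for i, l in enumerate(source.splitlines()) if tokens[0] in l)
            found.append({"rule": name, "line": line, "similarity": sim})
    return found


def confirm_with_malformed_input(program, finding):
    """Inject malformed data matching the vulnerability type; only a real overflow raises."""
    length = program.buffer_size * 4 if finding["rule"] == "unbounded_copy" else 8
    try:
        program.start(b"%" * length)
        return False
    except OverflowError:
        return True


def detect(program, sample_db=SAMPLE_DB, rules=PATTERN_RULES):
    """Dispatch between the two paths of S403 based on the second evaluation value."""
    value = second_evaluation_value(program)
    if value in sample_db:
        return {"path": "fuzz", "overflow": overflow_from_log(fuzz(program, sample_db[value]))}
    candidates = static_match(program.SOURCE, rules)
    return {"path": "static", "confirmed": [c["rule"] for c in candidates
                                            if confirm_with_malformed_input(program, c)]}


if __name__ == "__main__":
    print(detect(BufferedProgram("windows")))   # fuzz path: overflow at 65 bytes into buf[64]
    print(detect(BufferedProgram("linux")))     # static path: only the copy rule is confirmed
```

On the static path both rules match the constructed source with full similarity, but only the unbounded-copy candidate survives the malformed-input check; that is the verification step the description requires for a first vulnerability found by similarity matching.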
As an example, the first device, the second device, and the third device may be the electronic device shown in fig. 6, and reference is made to fig. 6, which shows a schematic structural diagram of an electronic device 60 suitable for implementing an embodiment of the present disclosure. The electronic devices in the embodiments of the present disclosure may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., car navigation terminals), and the like, and fixed terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, the electronic device 60 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage means 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 60 are also stored. The processing device 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Generally, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 608 including, for example, tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 60 to communicate with other devices wirelessly or by wire to exchange data. While the figures illustrate an electronic device 60 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 609, or may be installed from the storage means 608, or may be installed from the ROM 602. The computer program, when executed by the processing device 601, performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquiring at least two internet protocol addresses; sending a node evaluation request comprising the at least two internet protocol addresses to node evaluation equipment, wherein the node evaluation equipment selects the internet protocol addresses from the at least two internet protocol addresses and returns the internet protocol addresses; receiving an internet protocol address returned by the node evaluation equipment; wherein the obtained internet protocol address indicates an edge node in the content distribution network.
Alternatively, the computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: receiving a node evaluation request comprising at least two internet protocol addresses; selecting an internet protocol address from the at least two internet protocol addresses; returning the selected internet protocol address; wherein the received internet protocol address indicates an edge node in the content distribution network.
Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. Where the name of a unit does not in some cases constitute a limitation of the unit itself, for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. An industrial control network security detection system, comprising:
a first device provided with a security communication module and a scanning module, the security communication module being connected to a second device and a third device through a communication network;
the second device being provided with a security management module, which sends a remote security management service request to the first device;
the scanning module executing, on the first device and based on the remote security management service request, an initialization scan originating from the security management module, and, after the initialization scan is completed and a scan result indicating that no security vulnerability exists on the first device has been sent to the second device, receiving a first security detection component from the second device, so that the first security detection component is installed on the first device and used to extract environment information of the first device;
the security communication module sending the environment information of the first device to the third device, which is communicatively connected to the first device and provided with a customized security apparatus for security management and a matching module, the matching module matching a second security component to the first device based on the environment information;
the first device receiving and installing the second security component distributed by the third device, the second security component being a set of one or more customized security modules selected by the third device from the customized security apparatus based on the environment information of the first device, and security management being performed on the first device based on the second security component after it has been installed successfully.
2. The system of claim 1, wherein the second device further comprises:
a rule module that issues a security scanning rule to the scanning module before the scanning module performs the initialization scan on the first device;
and a security sample database used to match the file characteristics extracted by the scanning module on the first device and to distribute the first security detection component to the first device based on the result of that matching.
3. The system of claim 1, wherein the first device further comprises:
a security verification module for performing security verification of the remote security management service request sent by the second device;
and a registration module for starting registration of the first device with the second device after the security verification passes, setting the first device to an isolated state, and switching the first device from the isolated state to a scanning state after a registration success message from the second device is received.
4. The system of claim 3, wherein the security verification module is further configured to:
after the first security detection component is received from the second device, receive an authentication key sent by the second device to the first device.
5. The system of claim 1, wherein the second security component is further configured to:
obtain the network environment in which the first device is located and perform a security evaluation of that network environment to obtain a first evaluation value.
6. The system of claim 5, wherein the second security component is further configured to:
in the case that the first evaluation value is greater than a first threshold, obtain a program to be tested on the first device, trigger the start of the program to be tested, and evaluate its start process to obtain a second evaluation value, the second evaluation value comprising a characteristic value of the program to be tested and a start parameter of the program to be tested.
7. The system of claim 6, wherein the second security component is further configured to:
search the security sample database of the second device for matching data corresponding to the second evaluation value and, when matching data exists, perform vulnerability detection on the first device based on the second evaluation value.
8. The system of claim 3, wherein the security verification module is further configured to:
obtain a communication log between the first device and the second device;
determine a security key between the first device and the second device based on the communication log;
and receive a security authentication request sent by the security management module of the second device based on the security key.
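Claims 1 through 8 together describe one procedure: the second device's request is verified, the first device registers while held in an isolated state, an initialization scan runs under issued rules, environment information is sent to the third device for matching, and the installed second security component evaluates the network, gates a program-start evaluation on a threshold, and looks the result up in the sample database. The Python simulation below is an added example, not code from the patent or its assignee. It assumes mechanisms the claims leave open: HMAC-SHA256 for request verification, SHA-256 over the communication log as the security key of claim 8, SHA-256 of the program image as the characteristic value of claim 6, and the count of exposed services as the first evaluation value of claim 5. All device data, module names, sample records and the registration table are constructed for illustration.

```python
"""Added illustration of the registration, scanning, matching and evaluation
flow of claims 1-8. Keys, rules, module names, sample records and the device
are constructed for the example; none of it is the patent's implementation."""
import hashlib
import hmac
import json

ISOLATED, SCANNING, MANAGED = "isolated", "scanning", "managed"


def derive_security_key(comm_log):
    """Claim 8: key determined from the first/second device communication log.
    Assumption: SHA-256 over the ordered log entries."""
    h = hashlib.sha256()
    for entry in comm_log:
        h.update(entry.encode())
    return h.digest()


def sign_request(key, request):
    """Assumed authentication of the remote security management service request
    (claim 3): HMAC-SHA256 over the canonical JSON encoding of the request."""
    msg = json.dumps(request, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(key, request, tag):
    return hmac.compare_digest(sign_request(key, request), tag)


def characteristic_value(program_image):
    """Claim 6 characteristic value of the program under test (assumed SHA-256)."""
    return hashlib.sha256(program_image).hexdigest()


# Constructed security sample database of the second device (claims 2 and 7),
# keyed by characteristic value, listing start parameters it treats as unsafe.
SAMPLE_DB = {
    characteristic_value(b"hmi-runtime-v1"): {
        "name": "hmi-runtime",
        "unsafe_start_params": {"--no-auth", "--debug-port"},
    }
}
# Constructed customized security modules of the third device (claim 1),
# keyed by attributes of the first device's environment information.
CUSTOM_MODULES = {
    "linux": "linux-process-integrity",
    "windows": "windows-service-integrity",
    "modbus": "modbus-traffic-monitor",
    "s7comm": "s7comm-traffic-monitor",
}
# Constructed registration table of the second device (claim 3).
KNOWN_DEVICES = {"hmi-01"}


def match_security_component(env):
    """Third-device matching module: the set of customized modules that fit
    the environment information (claim 1)."""
    keys = [env["os"], *env["protocols"]]
    return sorted(CUSTOM_MODULES[k] for k in keys if k in CUSTOM_MODULES)


def evaluate_network(env):
    """Claim 5 first evaluation value. Assumption: number of exposed services."""
    return len(env["exposed_services"])


def run_workflow(device, request, tag, threshold, sample_db=SAMPLE_DB):
    """Drive one first device through claims 1-8 and return a trace dict."""
    key = derive_security_key(device["comm_log"])
    trace = {"verified": False, "state": ISOLATED, "modules": [], "findings": set()}
    # Claim 3: verify the request; the device stays isolated until the second
    # device answers registration with a success message.
    if not verify_request(key, request, tag):
        return trace
    trace["verified"] = True
    if device["id"] not in KNOWN_DEVICES:
        return trace
    trace["state"] = SCANNING
    # Claims 1-2: initialization scan under the issued rule (here: hash the
    # program image); the constructed scan reports no vulnerability.
    trace["scan"] = {"program_hash": characteristic_value(device["program_image"])}
    # Claim 1: environment information goes to the third device, which matches
    # and distributes the second security component; management then starts.
    trace["modules"] = match_security_component(device["env"])
    trace["state"] = MANAGED
    # Claims 5-7: network evaluation, threshold-gated start evaluation, lookup.
    first_eval = evaluate_network(device["env"])
    trace["first_eval"] = first_eval
    if first_eval > threshold:
        second_eval = {
            "characteristic": characteristic_value(device["program_image"]),
            "start_params": set(device["start_params"]),
        }
        trace["second_eval"] = second_eval
        record = sample_db.get(second_eval["characteristic"])
        if record is not None:
            trace["findings"] = second_eval["start_params"] & record["unsafe_start_params"]
    return trace


# Constructed first device: a Linux HMI host speaking Modbus.
DEVICE = {
    "id": "hmi-01",
    "comm_log": ["2019-03-12T08:00:00 hello", "2019-03-12T08:00:01 ack"],
    "program_image": b"hmi-runtime-v1",
    "start_params": ["--no-auth", "--config=/etc/hmi.cfg"],
    "env": {"os": "linux", "protocols": ["modbus"],
            "exposed_services": ["502/tcp", "22/tcp", "80/tcp"]},
}
REQUEST = {"action": "remote-security-management", "from": "second-device"}

if __name__ == "__main__":
    tag = sign_request(derive_security_key(DEVICE["comm_log"]), REQUEST)
    print(run_workflow(DEVICE, REQUEST, tag, threshold=2))
```

The trace makes the two gates in the claims visible: a request with a bad tag never leaves the isolated state, and a first evaluation value at or below the threshold ends the run after module matching without ever starting the program under test.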
CN201910186014.XA 2019-03-12 2019-03-12 Industrial control network safety detection system Active CN109714371B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910186014.XA CN109714371B (en) 2019-03-12 2019-03-12 Industrial control network safety detection system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910186014.XA CN109714371B (en) 2019-03-12 2019-03-12 Industrial control network safety detection system

Publications (2)

Publication Number Publication Date
CN109714371A CN109714371A (en) 2019-05-03
CN109714371B true CN109714371B (en) 2021-07-09

Family

ID=66265779

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910186014.XA Active CN109714371B (en) 2019-03-12 2019-03-12 Industrial control network safety detection system

Country Status (1)

Country Link
CN (1) CN109714371B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115065552B (en) * 2022-07-27 2023-01-10 北京六方云信息技术有限公司 Industrial communication protection method, device, terminal equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040119A (en) * 2018-09-11 2018-12-18 腾讯科技(深圳)有限公司 A kind of leak detection method and device of intelligent building network
CN109218336A (en) * 2018-11-16 2019-01-15 北京知道创宇信息技术有限公司 Loophole defence method and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104268476B (en) * 2014-09-30 2017-06-23 北京奇虎科技有限公司 A kind of method for running application program
US10445506B2 (en) * 2016-03-30 2019-10-15 Airwatch Llc Detecting vulnerabilities in managed client devices
CN106230837A (en) * 2016-08-04 2016-12-14 湖南傻蛋科技有限公司 A kind of WEB vulnerability scanning method supporting Dynamic expansion and scanning device
CN107273751B (en) * 2017-06-21 2020-06-02 北京计算机技术及应用研究所 Multi-mode matching-based security vulnerability online discovery method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040119A (en) * 2018-09-11 2018-12-18 腾讯科技(深圳)有限公司 A kind of leak detection method and device of intelligent building network
CN109218336A (en) * 2018-11-16 2019-01-15 北京知道创宇信息技术有限公司 Loophole defence method and system

Also Published As

Publication number Publication date
CN109714371A (en) 2019-05-03

Similar Documents

Publication Publication Date Title
JP5802848B2 (en) Computer-implemented method, non-temporary computer-readable medium and computer system for identifying Trojanized applications (apps) for mobile environments
KR101558715B1 (en) System and Method for Server-Coupled Malware Prevention
US8875296B2 (en) Methods and systems for providing a framework to test the security of computing system over a network
US8806644B1 (en) Using expectation measures to identify relevant application analysis results
EP2759956A1 (en) System for testing computer application
CN104683409A (en) Method for sharing applications between terminals and terminal
EP2769324A1 (en) System and method for whitelisting applications in a mobile network environment
CN109818972B (en) Information security management method and device for industrial control system and electronic equipment
WO2013059138A1 (en) System and method for whitelisting applications in a mobile network environment
US9747449B2 (en) Method and device for preventing application in an operating system from being uninstalled
US11170105B2 (en) Verifying updates based on update behavior-based profiles
CN102867143A (en) Quick filtering method for malicious application programs
CN110708335A (en) Access authentication method and device and terminal equipment
CN106713315B (en) Login method and device of plug-in application program
US20220253297A1 (en) Automated deployment of changes to applications on a cloud computing platform
CN104579830A (en) Service monitoring method and device
Yankson et al. Security assessment for Zenbo robot using Drozer and mobSF frameworks
CN109491908B (en) Page detection method and device, electronic equipment and storage medium
CN109688096B (en) IP address identification method, device, equipment and computer readable storage medium
KR20160090566A (en) Apparatus and method for detecting APK malware filter using valid market data
CN109714371B (en) Industrial control network safety detection system
CN109933990B (en) Multi-mode matching-based security vulnerability discovery method and device and electronic equipment
CN113239397A (en) Information access method, device, computer equipment and medium
CN112953896A (en) Playback method and device of log message
KR20160031590A (en) Malicious app categorization apparatus and malicious app categorization method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant