CN109768952B - Industrial control network abnormal behavior detection method based on credible model - Google Patents

Industrial control network abnormal behavior detection method based on credible model

Info

Publication number
CN109768952B
CN109768952B
Authority
CN
China
Prior art keywords
data packet
model
industrial control
credible
time
Prior art date
Legal status
Expired - Fee Related
Application number
CN201811264739.8A
Other languages
Chinese (zh)
Other versions
CN109768952A (en)
Inventor
刘嘉勇
郑荣锋
刘亮
周安民
Current Assignee
Sichuan University
Original Assignee
Sichuan University
Priority date
Filing date
Publication date

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network traffic detection for industrial control systems, and provides an industrial control network abnormal behavior detection method based on a credible (trusted) model. After a thorough analysis of industrial control network traffic, a detection model is built with a timed-automaton-based algorithm. The analysis shows that packets carried by an industrial control protocol have a fixed control channel, a fixed packet length, a fixed packet state machine, and a transmission pattern that follows a definite time rule. During detection, an alarm is raised whenever a packet arrives on an unknown channel, is of an unknown packet type, or violates the time constraint. Unlike traditional signature-based and whitelist-based detection, the method introduces a time-dimension feature vector and can therefore detect higher-level attack behaviors. The invention provides a new approach to detecting abnormal behavior in industrial control systems.

Description

Industrial control network abnormal behavior detection method based on credible model
Technical Field
The invention relates to the technical field of network traffic detection for industrial control systems. A credible model is learned from normal historical traffic data; in particular, a credible model constrained by a timed automaton is introduced, so that higher-level attacks against an industrial control network can be discovered.
Background
Industrial control systems are widely used in sectors vital to the national economy and public welfare (power systems, rail transit, petroleum and petrochemical plants, and so on), and their security can no longer be ignored. In recent years industrial control security has been raised to the level of national security, and large industrial enterprises have begun routine inspections of their control and information systems to eliminate potential hazards as early as possible. Current inspection means fall into two types. The first is questionnaire-style inspection, in which the industrial control system is checked item by item against an industrial control system information security protection guide. The second is contact inspection, in which a detection device is connected to the industrial control network to check for system anomalies. Contact inspection is further divided into active and passive inspection: active inspection probes every component of the industrial control system for vulnerabilities to find its weak points; passive inspection, once the device is attached to the industrial control network, sends no probe packets of its own and only receives the packets exchanged within the system to check for abnormal behavior. Active inspection emits a large number of probe packets, which may delay the response of industrial control components to normal services and disrupt production, so passive inspection is the most practicable mode at present. There are three methods for the passive inspection of industrial control network packets.
The first is signature-based detection, which finds abnormal behavior by matching signatures but cannot detect advanced attacks aimed at an industrial control system.
The second is whitelist-based detection, which is widely adopted in the industry today but cannot cope with higher-level attacks: because of the particular nature of an industrial control system, the production process can be damaged merely by disturbing the order or timing of control instructions (sequence attacks and time-sequence attacks), and such attacks cannot be detected by a whitelist.
The third is anomaly-based detection, which mostly exploits the periodic transmission of industrial control traffic and treats behavior that disturbs the periodicity as abnormal. Current methods, however, mostly build the anomaly detection model on the packet sequence alone and rarely combine it with the state of the time dimension, so they cannot respond to attacks based on time characteristics, for example a gate-closing command being changed into a gate-opening command.
Therefore, as attacks on industrial control systems become more advanced and professional, a new method is urgently needed that overcomes the shortcomings of traditional detection methods and effectively detects higher-level attack behaviors.
Disclosure of Invention
The invention discloses an industrial control network abnormal behavior detection method based on a credible model, proposed in the course of network intrusion detection research on industrial control systems to address the technical problems described above. It aims to overcome the inability of existing detection methods to detect high-level attack behaviors by exploiting the characteristics of industrial control network traffic in depth. The credible model rests on the observation that, in a normal industrial production environment, the industrial control network control channel is fixed, the packet length is fixed, the packet state machine is fixed, and the transmitted packets follow a definite time rule; it is built into a detection model consisting of a credible channel set, a credible length set and a credible timed state machine. Unlike existing methods, the credible model represents trusted network behavior on the basis of a deep analysis of industrial control traffic, and any behavior the credible model does not recognize is treated as abnormal. The technique is a passive detection method: detection is performed on bypass-mirrored traffic, so normal operation of the industrial control system is not affected, and because the method is grounded in the characteristics of industrial control traffic it can detect higher-level attack behaviors.
To achieve this aim, the invention provides an industrial control network abnormal behavior detection method based on a credible model which, from a deep analysis of industrial control network traffic, builds the credible model of the normal production mode along several dimensions (control channel, packet message and time) and thereby discovers abnormal behavior deviating from the model. The design framework comprises the following layers: a packet acquisition layer, which passively collects the traffic of the control channels in the industrial control network and divides it into channels according to the quadruple information; a feature extraction layer, which extracts the state-machine and time-dimension features needed for modeling; a credible model building layer, which trains a detection model consisting of a credible channel set, a credible length set and a credible timed automaton from sample data and stores the model in xml syntax; and a credible behavior detection layer, which reads in the established credible model, judges the credibility of packets transmitted in real time, and saves untrusted communication behavior as alarms.
Drawings
The objects, implementations, advantages and features of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
FIG. 1 is an architectural diagram of the detection method of the present invention.
FIG. 2 is a flow chart of the packet acquisition layer of the detection method.
FIG. 3 is a flow chart of the feature extraction layer of the detection method.
FIG. 4 is a flow chart of the trusted model modeling layer of the detection method.
FIG. 5 is an example of packet content and time interval information in the detection method.
FIG. 6 is an example of the constituent elements of the modeling file of the detection method.
FIG. 7 is a flow chart of detection based on the trusted model.
Detailed Description
The detection method of the invention can detect various network attacks aimed at an industrial control system, both general and advanced, including denial-of-service attacks, command injection attacks, sequence attacks and time-sequence attacks. The invention is further described below with reference to the accompanying drawings. The invention provides only a network attack detection method for industrial control systems: on the basis of a deep analysis of industrial control network traffic characteristics, it establishes an abnormal behavior detection method based on a credible model so as to identify, efficiently and accurately, network attack behaviors that damage industrial production.
FIG. 1 is an architectural diagram illustrating the method of the present invention
As shown in FIG. 1, each layer is a processing unit, and when one layer has finished processing, its output is passed to the next layer. The figure is divided into two phases. The first is the training phase: sample data captured in a normal industrial production environment passes through the feature extraction layer, the resulting feature stream is handed to the modeling layer, and training of the credible model is completed. The second is the detection phase: the bottom layer is the real-time packet acquisition layer, which divides packets into channels according to the quadruple information and delivers them to the next layer; the feature extraction layer extracts the features that characterize the packet state machine and the time dimension and passes them to the detection layer; the credible behavior detection layer first reads in the trained credible model, then judges the credibility of the packets transmitted in real time and stores abnormal alarms in a database. Each layer is described in detail below.
FIG. 2 is a flow chart depicting a data packet acquisition layer
As shown in FIG. 2, the packet acquisition layer divides packets into channels according to their quadruples and filters out the packets carrying control instructions by destination port. For an industrial control device using the Siemens S7 protocol, for example, the stream whose destination port is TCP 102 carries the control instructions. The packet acquisition layer therefore screens and arranges the raw network packets into control-instruction packets belonging to distinct channels.
FIG. 3 is a flow chart depicting a feature extraction layer
As shown in FIG. 3, the feature extraction layer must parse each industrial control protocol separately; this method mainly extracts features from packets using the Siemens S7 protocol. First, since the packet length on each channel is fixed in industrial control traffic, packets can be classified by length. Each class is then analyzed to see whether it contains a function code: if so, the function code value, the length, the feature string and the timestamp are returned; if not, only the length is returned. Finally, the returned data together with the channel quadruple {srcIP, srcPort, dstIP, dstPort} is passed to the next layer.
FIG. 4 is a flow chart depicting a modeling layer of a trust model
As shown in FIG. 4, the modeling layer of the trusted model contains the core algorithm for building the trusted model. This layer relies on the characteristics of industrial control network traffic, namely a fixed channel, a fixed packet length and a fixed packet state machine that satisfies a definite time constraint; the packet state machine and the time constraint can be modeled by a timed automaton algorithm. The model that can be established therefore consists of a trusted channel set, a trusted length set and a trusted timed automaton. The trusted channel set and the trusted packet length set are built from the features passed down by the previous layer; the packets containing control instructions are read in to build the trusted timed automaton set; finally, the model is written to a file described in xml syntax and stored.
A timed automaton adds a time constraint mechanism to the classical finite state machine. According to the characteristics of industrial control system network traffic, the set of packet messages can be regarded as a finite set of locations $S$, with the initial packet as $s_0$; the intervals between packet arrivals form a finite set of clocks $X$; and the time constraint function $\Phi(X)$ can be expressed in terms of the packet arrival interval. The following description takes an application scenario, a simulated power generation process using the Siemens S7 communication protocol, as an example of how to construct a model with the timed automaton algorithm. The exchanged data is shown in FIG. 5, an example of the application-layer packet content (in hexadecimal) together with the time interval since the last packet of the same type.
FIG. 5 is a diagram of exemplary packet content and time interval information
As shown in FIG. 5, the field contents at byte offsets 1-4 and 7-28 are unchanged; the changing parts are at byte offsets 5-6 and 29-30. The content at offsets 5-6 increases monotonically as packets arrive and shows no periodic pattern; the content at offsets 29-30 changes periodically from 0x0258 to 0x0320, then to 0x00c8, then to 0x0190 and back to 0x0258, and analysis shows that all collected packets follow this order, so it can be used as the state feature of the packet. Meanwhile, the time interval between packets of the same type, for example between the packets with sequence numbers 1 and 5, is about 3 seconds, and analysis shows that this interval is maintained at about 3 seconds throughout, so it can be used to set the time constraint. According to the timed automaton algorithm, the modeling process then has the following steps:
1. The contents of the field at offsets 29-30 are used as input symbols; the input alphabet is $\Sigma = \{\sigma_1, \sigma_2, \sigma_3, \sigma_4\} = \{\mathtt{0x0258}, \mathtt{0x0320}, \mathtt{0x00c8}, \mathtt{0x0190}\}$. The sequence of industrial control network packet messages can be represented as the timed word
$(v_1, \tau_1)(v_2, \tau_2)(v_3, \tau_3)(v_4, \tau_4)(v_5, \tau_5)\cdots$, with $v_i \in \Sigma$ and $v_1 v_2 v_3 v_4 v_5 \cdots = \sigma_1 \sigma_2 \sigma_3 \sigma_4 \sigma_1 \cdots$
2. $v_i$ and $\tau_i$ can be read from the time intervals in FIG. 5. The interval between packets carrying the same input symbol is relatively fixed, about 3 seconds; the measured minimum interval ($\min$) is 3.02 s and the maximum ($\max$) is 3.21 s. During detection, the lower bound of the clock constraint is set below the training minimum and the upper bound above the training maximum. The clock constraint is therefore computed as:
[formula (1): clock constraint bounds; present only as an image in the original]
(1)
In formula (1), $\min$ denotes the minimum of the training-phase interval, $\max$ the maximum, $\bar{x}$ the mean, and $\alpha$ the tolerance: $\alpha_1$ is the tolerance by which detection may fall below the training minimum and $\alpha_2$ the tolerance by which it may exceed the training maximum; $\alpha_2$ is the larger of the two because a packet is more likely to be delayed in transit than to arrive early. Taking, for example, the empirical values $\alpha_1 = 0.02$ and $\alpha_2 = 0.05$, the experimental data give the acceptable time constraint interval (2.947, 3.361).
3. All elements required for a detection model based on the timed automaton algorithm are now available, and the model consists of:
1) the input alphabet $\sigma_i \in \Sigma = \{\sigma_1, \sigma_2, \sigma_3, \sigma_4\} = \{\mathtt{0x0258}, \mathtt{0x0320}, \mathtt{0x00c8}, \mathtt{0x0190}\}$;
2) the state transitions of the model, $\sigma_1 \to \sigma_2 \to \sigma_3 \to \sigma_4 \to \sigma_1$, i.e. the transition set $\{(\sigma_1,\sigma_2), (\sigma_2,\sigma_3), (\sigma_3,\sigma_4), (\sigma_4,\sigma_1)\}$;
3) the clock constraint of the model, $\tau_i - \tau_{i-4} \in (2.947, 3.361)$, $i \ge 4$.
If, in the feature stream delivered by the previous layer, the feature word is not in the input alphabet, or the pair it forms with the preceding packet is not in the transition set, or the time interval since the previous packet with the same feature word does not satisfy the clock constraint, an alarm is generated.
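The modeling steps above and the alarm rule that closes them, together with the acquisition, length and channel checks of the detection flow, as an added worked example in Python; this is not code from the patent, and several details are assumptions: packets are plain dicts, every control packet is assumed to carry a function code so the state word is read straight from payload bytes 28..30 (0-based, the page's 29th-30th byte offsets), the sample traffic and its jitter are constructed, and the clock bounds widen the training min/max by a relative tolerance because the page's formula (1) is not reproduced here. The example trains on a constructed normal stream and then raises alarms for a sequence attack (state words reordered), a time-sequence attack (a 2 s delay injected into the stream) and an unknown channel.

```python
"""Trusted-model training and detection over one S7-style control channel.
Added example, not the patent's code. Assumptions: a packet is a dict with
ts/src/sport/dst/dport/payload; every control packet carries a function code,
so the state word is read straight from payload bytes 28..30 (0-based, the
page's 29th-30th byte offsets); clock bounds widen the training min/max by a
relative tolerance rather than using the page's formula (1)."""
from collections import defaultdict
from dataclasses import dataclass, field

S7_PORT = 102                      # S7 control traffic: ISO-TSAP over TCP/102
STATE_WORD = slice(28, 30)         # assumed position of the periodic state word
CYCLE = [0x0258, 0x0320, 0x00C8, 0x0190]  # state words observed in FIG. 5
JITTER = [0.00, 0.01, 0.03, -0.02, 0.02, 0.00, -0.01]  # constructed jitter (s)


@dataclass
class TimeAuto:
    words: set = field(default_factory=set)        # trusted state words
    transitions: set = field(default_factory=set)  # trusted (prev, cur) pairs
    time_range: tuple = (0.0, float("inf"))        # open bounds on tau_i - tau_{i-4}


def channel_of(p):  # quadruple identifying a control channel
    return (p["src"], p["sport"], p["dst"], p["dport"])


def control_packets(pkts):
    """Acquisition layer: keep packets sent to the S7 port, in arrival order."""
    return sorted((p for p in pkts if p["dport"] == S7_PORT), key=lambda p: p["ts"])


def state_word(payload):
    return int.from_bytes(payload[STATE_WORD], "big")


def clock_bounds(intervals, alpha1=0.02, alpha2=0.05):
    """Assumed bound form: widen [min, max] by relative tolerances."""
    return (min(intervals) * (1 - alpha1), max(intervals) * (1 + alpha2))


def train(pkts):
    """Learn {channel: {"lengths": set, "ta": TimeAuto}} from normal traffic."""
    by_chan = defaultdict(list)
    for p in control_packets(pkts):
        by_chan[channel_of(p)].append(p)
    model = {}
    for ch, plist in by_chan.items():
        ta, prev, last_seen, intervals = TimeAuto(), None, {}, []
        for p in plist:
            w = state_word(p["payload"])
            ta.words.add(w)
            if prev is not None:
                ta.transitions.add((prev, w))
            if w in last_seen:                      # same word seen before
                intervals.append(p["ts"] - last_seen[w])
            last_seen[w], prev = p["ts"], w
        if intervals:
            ta.time_range = clock_bounds(intervals)
        model[ch] = {"lengths": {len(p["payload"]) for p in plist}, "ta": ta}
    return model


def detect(model, pkts):
    """Return (ts, reason, detail) alarms, checking in the page's order:
    channel, length, state word, transition, clock constraint."""
    alarms, prev, last_seen = [], {}, {}
    for p in control_packets(pkts):
        ch = channel_of(p)
        if ch not in model:
            alarms.append((p["ts"], "untrusted channel", ch))
            continue
        if len(p["payload"]) not in model[ch]["lengths"]:
            alarms.append((p["ts"], "untrusted length", len(p["payload"])))
            continue
        ta, w = model[ch]["ta"], state_word(p["payload"])
        lo, hi = ta.time_range
        gap = p["ts"] - last_seen[(ch, w)] if (ch, w) in last_seen else None
        if w not in ta.words:
            alarms.append((p["ts"], "untrusted state word", hex(w)))
        elif ch in prev and (prev[ch], w) not in ta.transitions:
            alarms.append((p["ts"], "untrusted transition", (hex(prev[ch]), hex(w))))
        elif gap is not None and not lo < gap < hi:
            alarms.append((p["ts"], "clock constraint", round(gap, 3)))
        prev[ch], last_seen[(ch, w)] = w, p["ts"]
    return alarms


def make_stream(n, src="192.168.10.5", order=CYCLE, delay_from=None):
    """Constructed HMI->PLC stream: 30-byte packets every 0.76 s plus jitter,
    so each state word recurs about every 3.04 s; delay_from shifts the tail
    by 2 s to stage a time-sequence attack."""
    pkts = []
    for i in range(n):
        ts = i * 0.76 + JITTER[i % len(JITTER)]
        if delay_from is not None and i >= delay_from:
            ts += 2.0
        payload = (b"\x03\x00\x00\x1e" + i.to_bytes(2, "big") + bytes(22)
                   + order[i % len(order)].to_bytes(2, "big"))
        pkts.append({"ts": ts, "src": src, "sport": 50000,
                     "dst": "192.168.10.20", "dport": S7_PORT, "payload": payload})
    return pkts


if __name__ == "__main__":
    model = train(make_stream(40))
    print("normal:", detect(model, make_stream(40)))
    print("time attack:", detect(model, make_stream(16, delay_from=8)))
```

Note that the whitelist part of the model (channel and length sets) would accept the reordered stream without complaint; only the transition set catches the sequence attack, and only the clock constraint catches the delayed packets, which is the point the page makes against whitelist-only detection.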
In the modeling stage, after obtaining the modeling parameters, the model can be saved in a file according to the xml syntax, as shown in fig. 6, which is a saved training model.
FIG. 6 is a diagram of the constituent elements of a description modeling file
As shown in FIG. 6, the modeling file is composed as follows. Under the model root node, a model for each channel is described under a channel tag; under each channel there is a set of packet lengths, given by length tags, and a timed automaton model, given by the TimeAuto tag; under the TimeAuto tag there is the set of state words (words tag), the set of state transitions (state tag) and the time constraint (time_range tag). The elements shown in the figure make up the trusted model description file of the method.
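A serializer and parser for a model file in the tag layout just described (model, channel, length, TimeAuto, words/word, state, time_range), as an added example that is not the patent's own file format or code. The page names the tags but not their attributes, so the attribute names used here (srcIP, srcPort, dstIP, dstPort, from, to, min, max) are assumptions; the sample model is constructed from the values of the worked example on the page.

```python
"""Save and load a trusted-model file laid out as the page describes
(model > channel > length, TimeAuto > words/word, state, time_range).
Added example, not the patent's code: attribute names are assumptions,
since the page names the tags but not their attributes."""
import xml.etree.ElementTree as ET

# Constructed model for one HMI->PLC channel, using the page's worked values.
SAMPLE_MODEL = {
    ("192.168.10.5", 50000, "192.168.10.20", 102): {
        "lengths": {30},
        "words": {0x0258, 0x0320, 0x00C8, 0x0190},
        "transitions": {(0x0258, 0x0320), (0x0320, 0x00C8),
                        (0x00C8, 0x0190), (0x0190, 0x0258)},
        "time_range": (2.947, 3.361),
    }
}


def model_to_xml(channels):
    """Write {quadruple: {lengths, words, transitions, time_range}} as xml text."""
    root = ET.Element("model")
    for (src, sport, dst, dport), m in channels.items():
        ch = ET.SubElement(root, "channel", srcIP=src, srcPort=str(sport),
                           dstIP=dst, dstPort=str(dport))
        for n in sorted(m["lengths"]):
            ET.SubElement(ch, "length").text = str(n)
        ta = ET.SubElement(ch, "TimeAuto")
        words = ET.SubElement(ta, "words")
        for w in sorted(m["words"]):
            ET.SubElement(words, "word").text = f"0x{w:04x}"
        for a, b in sorted(m["transitions"]):      # one state tag per transition
            ET.SubElement(ta, "state", {"from": f"0x{a:04x}", "to": f"0x{b:04x}"})
        lo, hi = m["time_range"]
        ET.SubElement(ta, "time_range", min=f"{lo:.3f}", max=f"{hi:.3f}")
    return ET.tostring(root, encoding="unicode")


def model_from_xml(text):
    """Inverse of model_to_xml. The file is written locally by the training
    stage, so it is treated as trusted input and parsed with plain ElementTree."""
    channels = {}
    for ch in ET.fromstring(text).iter("channel"):
        key = (ch.get("srcIP"), int(ch.get("srcPort")),
               ch.get("dstIP"), int(ch.get("dstPort")))
        ta = ch.find("TimeAuto")
        rng = ta.find("time_range")
        channels[key] = {
            "lengths": {int(e.text) for e in ch.iter("length")},
            "words": {int(e.text, 16) for e in ta.iter("word")},
            "transitions": {(int(s.get("from"), 16), int(s.get("to"), 16))
                            for s in ta.iter("state")},
            "time_range": (float(rng.get("min")), float(rng.get("max"))),
        }
    return channels


if __name__ == "__main__":
    text = model_to_xml(SAMPLE_MODEL)
    print(text)
    assert model_from_xml(text) == SAMPLE_MODEL
```

Because the detector trusts whatever this file says, anyone who can edit it can whitelist a channel, a length or a transition; the file needs the same integrity protection (restricted write access, or a signature checked at load time) as the detector binary itself.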
FIG. 7 is a flowchart illustrating a detection process based on a confidence model
FIG. 7 is a flowchart of detection based on the trusted model. During detection the xml model file is read in and parsed, and the packets arriving in real time are then checked. First the channel is judged: if it is not a credible channel in the model, an alarm is generated. If it is, the packet length is checked against the credible lengths of the model, and an alarm is generated if it is not among them. If it is, the packet's location state is checked against the timed state machine model; if it does not conform an alarm is generated, and if it does the next packet is examined and the steps repeat.
As described above, the present invention detects behavior that damages industrial production in an industrial control system by establishing a credible model, with the following advantages: 1. strong detection specificity, since the characteristics of industrial control traffic are captured along multiple dimensions from a deep analysis of the network traffic and the detection model is built from them; 2. a credible-behavior approach, in which the trusted behavior of the normal production mode is described semantically in all respects and the model is stored as an xml file; 3. unlike traditional detection methods, the introduction of time-dimension features and modeling with a timed automaton algorithm allow higher-level attack behaviors to be detected.
Although the preferred embodiments of the present invention have been described for illustrative purposes, those skilled in the art will appreciate that various modifications, additions and substitutions are possible, without departing from the scope and spirit of the invention as disclosed in the accompanying claims.

Claims (11)

1. A method for detecting abnormal behaviors of an industrial control network based on a credible model is characterized by comprising the following steps:
A. under a normal industrial production mode, capturing industrial control network data in a mirror image mode, and analyzing the flow characteristics of the industrial control network; carrying out simulation attack on the industrial control network, capturing attack flow, and comparing the difference between normal flow and attack flow;
B. screening flow data carrying control instructions from the HMI to the PLC direction on a data acquisition layer, and dividing the flow data into different channels according to a quadruple form;
C. extracting various features required by modeling in data in a feature extraction layer;
D. establishing a trusted channel set, a trusted data packet length set and a trusted time automaton model set in a trusted model establishing layer, and storing the established models into xml files;
E. identifying abnormal behaviors in a credible behavior detection layer according to a credible model;
the credible channel set refers to all industrial control system control channel sets which are divided according to quadruples and appear in the training process;
the credible length set refers to a data packet length set appearing in each channel;
the trusted time automaton model is established with a timed automaton algorithm and comprises: a packet state set, a packet state transition set, and a time constraint on the occurrence of packets with the same state feature.
2. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 1, wherein the step A further comprises the following steps:
a1, building an industrial control production simulation environment, and acquiring network flow data in a normal industrial production process in a bypass mirror image mode;
a2, simulating an attack to destroy an industrial control process, comprising: denial of service attack, command injection attack, sequence attack and time sequence attack, and collecting network data traffic carrying the attack;
a3, analyzing the characteristics of the industrial control flow, comparing the difference between the normal flow and the attack flow, and summarizing the flow characteristics capable of describing the credible behaviors.
3. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 1, wherein the step B further comprises the following steps:
b1, screening out the network flow of the control command according to the destination port;
b2, dividing into different communication channels according to different quadruple information, including { srcIP, srcPort, dstIP, dstPort };
b3, filtering other network data traffic which does not adopt the industrial control protocol.
4. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 1, wherein the step C further comprises the following steps:
c1, extracting characteristics for the data packet of each channel, and extracting corresponding characteristics according to whether the data packet contains a function code;
and C2, transmitting the data packet characteristics to the next layer according to the channel in the form of the characteristic stream, and ensuring that the sequence order of the data packets is not changed in the process.
5. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 4, wherein in the step C1, the characteristics are described in detail as follows:
if the data packet does not contain a function code, only the packet length is extracted; if it contains a function code, the extracted features comprise the function code value, the packet length, the packet timestamp and the packet status word, where the packet status word is a field whose value reflects the periodic occurrence of the packet.
6. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 4, wherein in step C2, the detail description of the transfer feature flow is as follows:
if the data packet does not contain the function code, only transmitting the quadruple information of the data packet and the length of the data packet to the next layer; if the data packet contains a function code, the transfer characteristic is as follows: characteristics of quad information, function code value, packet length, packet timestamp, and packet status of the packet.
7. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 1, wherein the step D further comprises the following steps:
d1, receiving the feature stream transmitted in the previous step, and establishing a trusted channel set and a trusted length set;
d2, establishing a credible time automaton model according to the characteristic flow;
d3, forming a model file according to the obtained model parameters in the xml syntax format, and delivering the model file to the lower layer to be read and used by the detection module.
8. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 7, wherein the establishing of the time automaton model in the step D2 specifically means:
in each channel, regarding data packets with the same length as data packets of the same type, judging whether the data packets of the same type contain a function code, if so, establishing a time automaton model to obtain a data packet state feature word set, a data packet state transition set and a time constraint condition for the data packets with the same state feature; if not, then no establishment is needed.
9. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 7, wherein the xml model file in the step D3 specifically means:
the method comprises the steps that a model root node in an xml file can contain a plurality of channel sub-nodes, and the channel sub-nodes are identified by data packet IP layer quadruple information { srCIP, srCIPT, dstIP and dstPort }; the channel subnode comprises a data packet length set, length label analysis and a time automatic machine subnode, wherein the time automatic label analysis is carried out and the value of the function is used for marking; under the TimeAuto node, the state characteristics of the data packet are included, the keyword label is used for analyzing, and for _ offset and after _ offset are used for representing the offset range of the data packet field to be extracted; under the keyword tag, a state feature word set is contained, and word tag analysis is carried out; under the TimeAuto node, also include the state transfer node, analyze and mark with the value length of the data packet length with the translation label; under the translation node, a state transition state label is included, two characteristic words are used for representing the sequence of the appearance of the data packet, and a time constraint time _ range label is included for representing the allowed range of the appearance time interval of the data packet with the same characteristic word as the current data packet.
10. The industrial control network abnormal behavior detection method based on the credible model as claimed in claim 1, wherein the step E further comprises the following steps:
e1, reading in an xml model file, and after the analysis is completed, starting to capture a data packet and detecting the data packet;
e2, extracting the characteristics of the data packet, and judging whether the quadruple of the data packet belongs to a credible channel set, if so, judging whether the length of the data packet is in the credible length set under the channel, and if so, judging whether the data packet conforms to the time automaton model; if not, an alarm is generated.
11. The method for detecting the abnormal behavior of the industrial control network based on the trusted model as claimed in claim 9, wherein the step E2 of determining whether the time automaton model is satisfied specifically includes:
the state-machine features of the packet are extracted, comprising the function code value, the feature word and the timestamp of the packet; if the packet contains no function code value, detection proceeds to the next packet; otherwise it is judged whether the packet's state feature word is in the state feature word set, and if not an alarm is raised; if so, it is judged whether the pair formed by this packet and the previous packet is in the packet state transition set, and if not an alarm is raised; if so, it is judged whether the interval since the previous packet with the same state feature word satisfies the time constraint, and if not an alarm is raised; if it does, detection proceeds to the next packet.
CN201811264739.8A 2018-10-29 2018-10-29 Industrial control network abnormal behavior detection method based on credible model Expired - Fee Related CN109768952B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811264739.8A CN109768952B (en) 2018-10-29 2018-10-29 Industrial control network abnormal behavior detection method based on credible model

Publications (2)

Publication Number Publication Date
CN109768952A CN109768952A (en) 2019-05-17
CN109768952B true CN109768952B (en) 2021-05-18

Family

ID=66449539

Country Status (1)

Country Link
CN (1) CN109768952B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110390357A (en) * 2019-07-17 2019-10-29 国网浙江省电力有限公司电力科学研究院 A kind of DTU safety monitoring method based on side channel
CN110442837B (en) * 2019-07-29 2023-04-07 北京威努特技术有限公司 Generation method and device of complex periodic model and detection method and device thereof
US11165794B2 (en) * 2019-09-30 2021-11-02 Infineon Technologies Ag Alert system for controller area networks
CN111722539B (en) * 2020-06-03 2021-05-28 西安交通大学 Digital twin manufacturing unit behavior modeling method based on time automaton
CN112305986B (en) * 2020-10-23 2021-08-17 广州大学 PLC protection system, method and medium based on verification separation
CN112153081A (en) * 2020-11-24 2020-12-29 浙江齐安信息科技有限公司 Method for detecting abnormal state of industrial network
CN113067819A (en) * 2021-03-18 2021-07-02 哈尔滨工业大学 Distributed asynchronous parallel detection algorithm for multi-path attack of MPTCP (Multi-path Transmission control protocol)
CN114237180B (en) * 2021-12-17 2023-10-13 内蒙古工业大学 Industrial control system attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210518