CN109840077A - An industrial control security audit system based on protocol deep analysis, and its application - Google Patents
- Publication number: CN109840077A (application number CN201910029343.3A)
- Authority: CN (China)
- Prior art keywords: layer, control, protocol, industry control, depth analysis
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Computer And Data Communications (AREA)
Abstract
The present invention relates to an industrial control security audit system based on protocol deep analysis, and to its application. The system comprises a front-end presentation layer for performing direct control operations on the industrial control system, and a back-end processing layer for auditing and controlling O&M operation commands; the front-end presentation layer and the back-end processing layer are connected through middle-end communication. In operation, the front-end presentation layer initiates a data-synchronization message and connects to the back-end processing layer through the middle-end communication; the back-end processing layer receives and parses the message, writes a log record according to the result, closes the connection with the service, and notifies the front-end presentation layer of the protocol communication result. The invention has flexible adaptability and good scalability. Through functions such as deep parsing of power-industry-specific protocols, business behaviour control and defence against specific attacks, it discovers and blocks in real time the security risks present in power industrial control systems, ensures that enterprise production and service applications remain controllable, manageable and under control in the industrial control network environment, and forms effective security protection for the industrial control system.
Description
Technical field
The present invention relates to the technical field of industrial control system security protection, and in particular to an industrial control security audit system based on protocol deep analysis, and its application.
Background technique
In recent years, with the gradual popularization and application of Industrial Ethernet, industrial control system products have increasingly used general-purpose protocols, general-purpose hardware and general-purpose software, and have been connected in various ways, directly or indirectly, to public networks such as the Internet, so that the security threats of traditional IT information networks have gradually penetrated into production control networks. To improve the security protection capability of the power industry and strengthen the security protection of electric power monitoring systems, the National Development and Reform Commission issued Order No. 14, the "Electric Power Monitoring System Security Protection Regulations", in 2014, and in 2015 the National Energy Administration issued the "Notice on Issuing the Overall Plan for Security Protection of Electric Power Monitoring Systems and Related Security Protection Schemes and Assessment Specifications" (Guoneng Anquan [2015] No. 36, referred to as Document No. 36). These further clarify security management responsibilities, improve the security protection scheme for electric power monitoring systems, require that security protection measures be implemented conscientiously, actively promote security assessment and protection of electric power monitoring systems and information systems based on security-level assessment, and require that on-site assessments and evaluations be completed on time in accordance with the documents.
Modern information technology is bringing new opportunities for innovation to control technology. While its deep integration with modern control technology brings enterprises new business models, it has also carried the information security problems of information networks into modern industrial control systems. From the well-known Stuxnet ("shake net") virus event of 2010, the Duqu virus of 2011, the Flame virus of 2012 and the attack-induced power outage of the Ukrainian power grid in 2015, to the hacking tools that can be seen everywhere on today's Internet, what is shown everywhere is the "situation" of industrial control systems under attack, which fully demonstrates how real and urgent the information security problem of industrial control systems is. Accordingly, the "Industrial Internet" represented by the United States and "Industry 4.0" represented by Germany both treat information security as a top priority. Yet in the process of making industrial control more intelligent, information security assurance work has progressed slowly, which is reflected in the following aspects:
Information security blank: while production efficiency is improved by means of informatization, no information security protection measures are considered, and some industrial control systems even remain in "intimate contact" with the Internet.
Information security superficial: to meet production linkage, some enterprises interconnect originally mutually independent industrial control systems, or connect the production control network to the enterprise management network; to meet information security needs they do add information security protection measures, but what is used is the ordinary firewall of information systems.
Information security ossified: individual enterprises recognize the importance of industrial control system information security and actively add security protection measures, such as industrial firewalls and industrial control network monitoring systems, during the transformation of their industrial control systems; but because industrial control systems require highly reliable production operation, users do not adjust the corresponding information security policies during security operation and maintenance as external technology develops, so that information security problems still occur from time to time in actual operation.
Attack tools emerge one after another: amid the integration of industrialization and informatization, information security assurance is not in place, while attack techniques against industrial control systems show a rapidly changing development trend; attack tools against industrial control systems are customized by hackers and distributed on the Internet, so that the cost of intrusion keeps falling.
Attack range expands rapidly: in the early days, attacking industrial control systems deployed in critical infrastructure required strong attack capability; but since the information security problems of industrial control systems became public, many hackers have begun using attack tools readily available on the Internet to attack industries or enterprises that basically have no information security protection capability, which, although it has not led to serious malignant events, has caused serious economic consequences.
Summary of the invention
For this purpose, the present invention provides an industrial control security audit system based on protocol deep analysis which, by using reverse-analysis techniques for proprietary industrial control protocols and trusted operation management techniques, meets the needs for business processing, security audit and intrusion detection in the power industrial control network environment.
To achieve the above objectives, the present invention adopts the following technical scheme:
An industrial control security audit system based on protocol deep analysis, comprising: a front-end presentation layer for performing direct control operations on the industrial control system, and a back-end processing layer for auditing and controlling O&M operation commands, the front-end presentation layer and the back-end processing layer being connected through middle-end communication; in operation, the front-end presentation layer initiates a data-synchronization message and connects to the back-end processing layer through the middle-end communication, the back-end processing layer receives and parses the message, writes a log record according to the result, closes the connection with the service, and notifies the front-end presentation layer of the protocol communication result.
The front-end presentation layer is a B/S system developed in the JAVA language, which users access through the WEB.
The front-end presentation layer includes:
Display layer: page effects are rendered with JSP/HTML together with jQuery;
Control layer: uses the SpringMVC framework, together with SHIRO as the permission control component;
Service layer: provides the main business-logic services for the system in the front-end presentation layer; in terms of technology selection it uses Spring as the container management framework, uses Log4j for log management and output, and provides infrastructure services and operation interfaces such as reports, security and permissions;
Cache layer: the cache framework selected is EhCache, a widely used open-source Java distributed cache;
Data layer: the data persistence engine selected is MyBatis.
The back-end processing layer includes:
General protocols: provide users with O&M functions based on the Telnet, SSH, RDP and RemoteApp protocols;
Industrial control protocols: maintain and issue rules for protocols such as Modbus, OPC, Siemens S7, IEC104, Profinet and DNP3, and perform whitelist and control-rule maintenance and issuance for each type of protocol.
The general protocols are protocols with an audit function.
The industrial control protocols further include an alarm processing module for processing the execution-result feedback after a rule is issued and the alarm information generated after a rule is triggered.
The application of the above industrial control security audit system based on protocol deep analysis in an industrial control network environment.
The technical solution of the present invention has the following beneficial effects:
A. The industrial control security audit system based on protocol deep analysis of the present invention has flexible adaptability and good scalability. To strengthen the security audit and management of industrial control systems in the industrial network environment, it uses functions such as deep parsing of power-industry-specific protocols, power-industry-specific business behaviour control and defence against specific attacks to discover and block, in real time, security risks present in power industrial control systems such as malicious command attacks, unauthorized critical operations, Trojan propagation and non-compliant O&M by vendor maintenance personnel. It meets the urgent current need of enterprises for network content analysis and monitoring equipment, ensures that enterprise production and service applications remain controllable, manageable and under control in the industrial control network environment, and forms effective security protection for power industrial control systems.
B. The industrial control security audit system based on protocol deep analysis of the present invention can be applied directly in heavily industrialized sectors such as petroleum, water conservancy and tobacco, and products such as industrial firewalls and industrial trusted gateways can be derived from it. In the on-site maintenance of industrial control system equipment such as PLCs, DCS, industrial switches, HMIs, operator stations, engineer stations, historical databases and real-time databases, it helps users prevent malicious code from spreading into the industrial control system through O&M, prevents leakage of production process formulation data, prevents production accidents caused by improper or non-compliant operation, improves the granularity of monitoring and audit, strengthens the ability to identify risks and give early warning, promotes effective implementation of the industrial control security management system, and improves security management performance.
Detailed description of the invention
In order to explain the specific embodiments of the present invention more clearly, the drawings needed in the specific embodiments are briefly described below. Obviously, the drawings in the following description are some embodiments of the present invention; for those of ordinary skill in the art, other drawings can also be obtained from these drawings without creative effort.
Fig. 1 is a schematic diagram of the industrial control security audit system of the present invention;
Fig. 2 is a flow diagram of the middle-end communication of the present invention;
Fig. 3 is a flow chart of industrial-control protocol control-rule issuance in the present invention;
Fig. 4 is a process-flow diagram of the alarm processing module in the present invention.
Description of symbols:
1- front-end presentation layer, 11- display layer, 12- control layer, 13- service layer, 14- cache layer, 15- data layer; 2- middle-end communication; 3- back-end processing layer, 31- general protocols, 32- industrial control protocols.
Specific embodiment
The technical solution of the present invention is described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the protection scope of the present invention.
As shown in Fig. 1, the present invention provides an industrial control security audit system based on protocol deep analysis, comprising: a front-end presentation layer 1 for performing direct control operations on the industrial control system, and a back-end processing layer 3 for auditing and controlling O&M operation commands; the front-end presentation layer 1 and the back-end processing layer 3 are connected through middle-end communication 2. In operation, the middle-end communication 2 first has the back-end processing layer 3 start a TCP service and wait to receive a communication request; the front-end presentation layer 1 then initiates a data-synchronization message and connects to the back-end processing layer 3 through the middle-end communication 2; the back-end processing layer 3 receives and parses the message, writes a log record according to the result, closes the connection with the service, and notifies the front-end presentation layer 1 of the protocol communication result.
The front-end presentation layer 1 is a B/S system developed in the JAVA language, which users access through the WEB. The front-end presentation layer 1 mainly includes several parts: a display layer 11, a control layer 12, a service layer 13, a cache layer 14 and a data layer 15.
(1) Display layer 11: the display layer 11 renders page effects mainly with JSP/HTML together with jQuery. jQuery provides a rich set of controls and effects and comes with a variety of preset styles for the user to choose from, avoiding a monotonous look. The foreground display effect can also be configured by the user through the visual interface of jQuery UI, which is very convenient and effectively improves the visualization effect.
(2) Control layer 12: the control layer 12 mainly uses the SpringMVC framework, together with SHIRO as the permission control component.
Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography and session management. Used as a filter, Shiro can also effectively control unauthorized access; combined with effective filtering controls, it can also prevent XSS cross-site attacks and SQL injection.
(3) Service layer 13: the service layer 13 provides the main business-logic services for the whole system in the front-end presentation; in terms of technology selection it uses Spring as the container management framework, uses Log4j for log management and output, and provides infrastructure services and operation interfaces such as reports, security and permissions.
(4) Cache layer 14: the framework selected for the cache layer 14 is EhCache. Ehcache is a widely used open-source Java distributed cache. It is mainly aimed at general-purpose caching, Java EE and lightweight containers. Its features include memory and disk storage, cache loaders, cache extensions, cache exception handlers, a gzip caching servlet filter, and support for REST and SOAP APIs.
(5) Data layer 15: the data layer 15 mainly refers to the data persistence engine, for which MyBatis is selected. MyBatis mainly does two things: 1. establishes the connection with the database according to the JDBC specification; 2. converts between Java objects and the relational database through Annotation/XML plus JAVA reflection. Its advantages: it is efficient, supports dynamic and complex SQL construction, supports integration with Spring and AOP transactions, provides lightweight Mapper encapsulation of result sets, and supports caching.
Middle-end communication 2: the business server is developed in Java, and the TCP/IP protocol is selected as the communication technology. The communication process is shown in Fig. 2. During the middle-end communication 2, the system first starts a TCP service in the back-end processing layer 3 and waits to receive a communication request. When the system's condition for initiating data synchronization is met, the front-end presentation layer 1 first creates a TCP client and makes the initial connection to the service. After the connection is created, it generates the message in the format required by the message protocol, records a transmission log, and sends the message content to the server. After the server side receives the message, it parses the message and checks its format; if parsing fails or the format is wrong it notifies the client of the exception information, otherwise it notifies the client that the request was processed successfully. After the client receives the server-side feedback, it writes a log record according to the success/failure result, closes the connection with the service, and notifies the front-end presentation layer 1 of the protocol communication result.
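The Fig. 2 exchange as an added, runnable illustration. This is not the patent's code (its business server is written in Java); it is a small Python model of the same steps: the back end starts a TCP service and waits, the front end connects as a TCP client, sends a message, the server parses and format-checks it and answers either success or the exception information, both sides log, and the client closes the connection and returns the result that the front-end presentation layer would be notified with. The framing (4-byte big-endian length prefix followed by a JSON object) and the required field names `msg_type`, `seq` and `payload` are assumptions; the patent only says the message follows "the format required by the message protocol".

```python
"""Added model of the middle-end communication flow (Fig. 2). Not code from the
patent; framing and field names are assumptions made for this example."""
import json
import socket
import struct
import threading

# Assumed message format: 4-byte big-endian length, then a JSON object that
# must carry these fields.
REQUIRED_FIELDS = {"msg_type", "seq", "payload"}
MAX_BODY = 64 * 1024  # refuse oversized frames before allocating for them

log_lines = []  # stands in for the transmission/result logs on both sides


def encode_message(obj):
    """Client-side: build a frame in the assumed message format."""
    body = json.dumps(obj).encode("utf-8")
    return struct.pack("!I", len(body)) + body


def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before frame was complete")
        buf += chunk
    return buf


def read_frame(conn):
    (length,) = struct.unpack("!I", recv_exact(conn, 4))
    if length > MAX_BODY:
        raise ValueError("frame length %d exceeds limit" % length)
    return recv_exact(conn, length)


def parse_and_check(raw):
    """Server-side parse and format check: returns the message or raises."""
    msg = json.loads(raw.decode("utf-8"))  # JSONDecodeError is a ValueError
    if not isinstance(msg, dict):
        raise ValueError("message body is not an object")
    missing = REQUIRED_FIELDS - msg.keys()
    if missing:
        raise ValueError("missing fields: %s" % sorted(missing))
    if not isinstance(msg["seq"], int):
        raise ValueError("seq must be an integer")
    return msg


def serve_one(listener):
    """Back-end side: accept one request, parse it, log, reply."""
    conn, _ = listener.accept()
    with conn:
        try:
            msg = parse_and_check(read_frame(conn))
            log_lines.append("server: ok seq=%d type=%s" % (msg["seq"], msg["msg_type"]))
            reply = {"status": "ok", "seq": msg["seq"]}
        except (ValueError, ConnectionError) as exc:
            # parse failure or bad format: notify the client of the exception
            log_lines.append("server: reject (%s)" % exc)
            reply = {"status": "error", "detail": str(exc)}
        conn.sendall(encode_message(reply))


def run_exchange(frame):
    """Front-end side: start the back-end TCP service, connect, send the
    already-encoded frame, log the result, close, and return the reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    listener.listen(1)
    listener.settimeout(5)
    server = threading.Thread(target=serve_one, args=(listener,))
    server.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as client:
            log_lines.append("client: sent %d bytes" % len(frame))
            client.sendall(frame)
            reply = json.loads(read_frame(client).decode("utf-8"))
            log_lines.append("client: result=%s" % reply["status"])
    finally:
        server.join()
        listener.close()
    return reply  # what the front-end presentation layer is notified with
```

The length prefix and the size limit matter for the audit use case: the server must know where one message ends before it parses, and it should reject an absurd length before allocating, so that a malformed or hostile client cannot exhaust its memory. Every outcome, success or rejection, leaves a log line on both sides, which is what makes the exchange auditable.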
The back-end processing layer 3 can be divided into two main classes by the type of protocol processed: general protocols 31 and industrial control protocols 32.
The general protocols 31 part provides users with O&M functions based on the Telnet, SSH, RDP and RemoteApp protocols, and the system also provides corresponding audit functions for the O&M process and behaviour. Its design principle is that an operation control system receives and forwards the O&M operations and, while receiving and forwarding, audits and controls the O&M operation commands and controls the system's O&M operation permissions according to management requirements.
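The receive-and-forward control point described for the general protocols 31, as an added example that is not the patent's code. A session carries the operator's identity, role, protocol and target; each command is classified, checked against a role permission table and a small set of always-block patterns, and either forwarded or blocked, with an audit record written in both cases. The role names, the permission table, the command classes and the sample session are constructed for this example; a real deployment would load them from the management configuration the patent refers to.

```python
"""Added illustration of O&M command audit and control at a forwarding point.
Not the patent's code; roles, permission table and sample session are
constructed."""
import re
import shlex
from dataclasses import dataclass, field

# Constructed permission table: command classes each O&M role may run.
ROLE_PERMISSIONS = {
    "viewer":   {"read"},
    "operator": {"read", "service"},
    "vendor":   {"read", "service", "transfer"},
    "admin":    {"read", "service", "transfer", "privileged"},
}

# Constructed classification of commands by their first token.
COMMAND_CLASSES = {
    "ls": "read", "cat": "read", "tail": "read", "ps": "read", "df": "read",
    "systemctl": "service", "service": "service",
    "scp": "transfer", "sftp": "transfer", "curl": "transfer", "wget": "transfer",
    "rm": "privileged", "dd": "privileged", "useradd": "privileged",
    "passwd": "privileged", "chmod": "privileged", "reboot": "privileged",
}

# Constructed patterns blocked for every role, e.g. wiping the root filesystem.
DENY_PATTERNS = [re.compile(r"\brm\s+-rf\s+/(\s|$)"),
                 re.compile(r"\bdd\b.*\bof=/dev/sd")]


@dataclass
class Session:
    user: str
    role: str
    protocol: str          # "ssh", "telnet", "rdp" or "remoteapp"
    target: str
    audit_log: list = field(default_factory=list)


def classify(command):
    """Command class of the first token (path stripped), or 'unknown'."""
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes: treat as unknown
        return "unknown"
    if not tokens:
        return "unknown"
    return COMMAND_CLASSES.get(tokens[0].rsplit("/", 1)[-1], "unknown")


def audit_command(session, command):
    """Decide forward/block for one command and append an audit record.
    Unknown command classes are blocked, so the control behaves as a
    whitelist rather than a deny list. Returns the decision."""
    cls = classify(command)
    if any(p.search(command) for p in DENY_PATTERNS):
        decision, reason = "block", "matches deny pattern"
    elif cls == "unknown":
        decision, reason = "block", "command not in permitted classes"
    elif cls in ROLE_PERMISSIONS.get(session.role, set()):
        decision, reason = "forward", "permitted for role"
    else:
        decision, reason = "block", "class %r not permitted for role %r" % (cls, session.role)
    session.audit_log.append({
        "user": session.user, "role": session.role, "protocol": session.protocol,
        "target": session.target, "command": command, "class": cls,
        "decision": decision, "reason": reason,
    })
    return decision


def replay(session, commands):
    """Run a constructed O&M session through the control point; returns the
    decisions in order (the real system forwards only where 'forward')."""
    return [audit_command(session, c) for c in commands]
```

Only the first token is classified here, which is enough to show the audit record structure but not to catch commands hidden behind shells, pipes or interpreters; a production control point would also have to look at arguments and at what an interactive shell actually executes.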
The industrial control protocols 32 mainly involve maintaining and issuing rules for protocols such as Modbus, OPC, Siemens S7, IEC104, Profinet and DNP3. The main function is whitelist and control-rule maintenance and issuance for each type of protocol. Because the rules and interfaces of the various industrial control protocols are relatively independent, each processing module is also designed to be independent of the others; the modules run in parallel and do not affect each other. This makes later protocol extension easy: whenever a processing module for a new protocol needs to be added, it is only necessary to add the new module and make small adjustments to the configuration information.
The whitelist or control-rule issuance process is shown in Fig. 3. The back-end processing layer first waits for the front-end presentation layer to send the trigger condition; when the message is received, it retrieves the current newest control rules or whitelist information, assembles the final query result into a message according to the corresponding interface specification, and sends the message; once the message has been sent, the whole issuance process ends.
This part also has one more important module, the alarm processing module, which mainly processes the execution-result feedback after a rule is issued and the alarm information generated after a rule is triggered. The process flow is shown in Fig. 4. When an issued rule is triggered, corresponding alarm information is generated; the module is mainly responsible for receiving, parsing, classifying and storing the alarm information so that it can be presented on the front end or used for other subsequent processing (such as SMS or e-mail notification).
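One added example that covers the industrial control protocols 32 description, the rule issuance process of Fig. 3 and the alarm processing module of Fig. 4 together; it is not the patent's code. Each protocol is an independent module found through a registry, so adding a protocol means adding one function and one registry entry; a whitelist check either allows a parsed message or produces an alarm; the alarm module receives alarms as JSON text, parses, classifies and stores them, and the execution-result feedback after a rule issue goes through the same module; and `issue_rules` assembles the newest rule set into a message when the front-end trigger arrives. The rule schema, the parsed-message field names, the severity classes and the sample rules are constructed assumptions, and only Modbus and IEC104 modules are written out (the Modbus function codes and IEC104 type identifiers used in the sample rules are the standard ones).

```python
"""Added illustration of per-protocol whitelist modules, rule issuance (Fig. 3)
and the alarm processing module (Fig. 4). Not the patent's code; rule schema,
message fields and sample rules are constructed."""
import json
import time

# Rule store: newest whitelist per protocol (constructed content).
RULES = {
    "modbus": {"version": 3, "allow": [
        {"unit": 1, "functions": [3, 4], "registers": [0, 199]},    # reads
        {"unit": 1, "functions": [6, 16], "registers": [100, 119]},  # setpoint writes
    ]},
    "iec104": {"version": 2, "allow": [
        {"asdu": 1, "type_ids": [36, 13, 100]},  # M_ME_TF_1, M_ME_NC_1, C_IC_NA_1
    ]},
}


# Independent protocol modules; the registry is the only shared configuration.
def modbus_check(msg, rules):
    """None if the parsed Modbus request is whitelisted, else a reason."""
    for r in rules["allow"]:
        lo, hi = r["registers"]
        if (msg["unit"] == r["unit"] and msg["function"] in r["functions"]
                and lo <= msg["address"] <= hi):
            return None
    return "modbus fc=%d unit=%d addr=%d not whitelisted" % (
        msg["function"], msg["unit"], msg["address"])


def iec104_check(msg, rules):
    """None if the parsed IEC104 ASDU is whitelisted, else a reason."""
    for r in rules["allow"]:
        if msg["asdu"] == r["asdu"] and msg["type_id"] in r["type_ids"]:
            return None
    return "iec104 asdu=%d type_id=%d not whitelisted" % (msg["asdu"], msg["type_id"])


PROTOCOL_MODULES = {"modbus": modbus_check, "iec104": iec104_check}

# Alarm processing module (Fig. 4): receive, parse, classify, store.
ALARM_STORE = []
SEVERITY = {"write_function": "high", "unknown_protocol": "high",
            "not_whitelisted": "medium", "rule_issue": "info"}
MODBUS_WRITE_FUNCTIONS = (5, 6, 15, 16)


def classify_alarm(alarm):
    """A blocked write attempt is ranked above a blocked read."""
    if alarm["kind"] == "not_whitelisted" and alarm.get("function") in MODBUS_WRITE_FUNCTIONS:
        return "write_function"
    return alarm["kind"]


def process_alarm(raw_json):
    """Receive alarm as JSON text, parse, classify, store; returns the record
    (what the front end would display or forward by SMS/e-mail)."""
    alarm = json.loads(raw_json)
    category = classify_alarm(alarm)
    record = dict(alarm, category=category, severity=SEVERITY[category],
                  stored_at=time.time())
    ALARM_STORE.append(record)
    return record


def evaluate(protocol, msg):
    """Whitelist evaluation of one parsed message: 'allow' or 'block'; a block
    raises an alarm through the alarm module. Unknown protocols are blocked."""
    check = PROTOCOL_MODULES.get(protocol)
    if check is None:
        alarm = {"kind": "unknown_protocol", "protocol": protocol}
    else:
        reason = check(msg, RULES[protocol])
        if reason is None:
            return "allow"
        alarm = {"kind": "not_whitelisted", "protocol": protocol,
                 "reason": reason, "function": msg.get("function")}
    process_alarm(json.dumps(alarm))
    return "block"


def issue_rules(trigger):
    """Rule issuance (Fig. 3): on the front end's trigger message, retrieve the
    newest rules and assemble the issue message (constructed interface)."""
    proto = trigger["protocol"]
    if proto not in RULES:
        raise KeyError("no rule set for protocol %r" % proto)
    return {"interface": "rule_issue", "protocol": proto,
            "version": RULES[proto]["version"], "rules": RULES[proto]["allow"]}


def record_issue_feedback(feedback):
    """Execution-result feedback after an issue is stored via the same module."""
    return process_alarm(json.dumps({"kind": "rule_issue", **feedback}))
```

The registry is what gives the independence the text describes: `evaluate` never branches on a protocol name, so a new protocol module cannot change how the existing ones behave, and a protocol with no module is blocked rather than silently passed.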
The industrial control security audit system based on protocol deep analysis of the present invention has flexible adaptability and good scalability. To strengthen the security audit and management of industrial control systems in the industrial network environment, it uses functions such as deep parsing of power-industry-specific protocols, power-industry-specific business behaviour control and defence against specific attacks to discover and block, in real time, security risks present in power industrial control systems such as malicious command attacks, unauthorized critical operations, Trojan propagation and non-compliant O&M by vendor maintenance personnel. It meets the urgent current need of enterprises for network content analysis and monitoring equipment, ensures that enterprise production and service applications remain controllable, manageable and under control in the industrial control network environment, and forms effective security protection for power industrial control systems.
In addition, the present invention can also be applied directly in heavily industrialized sectors such as petroleum, water conservancy and tobacco, and products such as industrial firewalls and industrial trusted gateways can be derived from it. In the on-site maintenance of industrial control system equipment such as PLCs, DCS, industrial switches, HMIs, operator stations, engineer stations, historical databases and real-time databases, it helps users prevent malicious code from spreading into the industrial control system through O&M, prevents leakage of production process formulation data, prevents production accidents caused by improper or non-compliant operation, improves the granularity of monitoring and audit, strengthens the ability to identify risks and give early warning, promotes effective implementation of the industrial control security management system, and improves security management performance.
Obviously, the above embodiments are merely examples given for clarity of description and do not limit the embodiments. For those of ordinary skill in the art, other changes or modifications of various forms can be made on the basis of the above description. It is neither necessary nor possible to exhaust all the embodiments, and the obvious changes or modifications derived therefrom are still within the protection scope of the present invention.
Claims (7)
1. An industrial control security audit system based on protocol deep analysis, characterized by comprising: a front-end presentation layer (1) for performing direct control operations on the industrial control system, and a back-end processing layer (3) for auditing and controlling O&M operation commands, the front-end presentation layer (1) and the back-end processing layer (3) being connected through middle-end communication (2); in operation, the front-end presentation layer (1) initiates a data-synchronization message and connects to the back-end processing layer (3) through the middle-end communication (2), the back-end processing layer (3) receives and parses the message, writes a log record according to the result, closes the connection with the service, and notifies the front-end presentation layer (1) of the protocol communication result.
2. The industrial control security audit system based on protocol deep analysis according to claim 1, characterized in that the front-end presentation layer (1) is a B/S system developed in the JAVA language, which users access through the WEB.
3. The industrial control security audit system based on protocol deep analysis according to claim 2, characterized in that the front-end presentation layer (1) includes:
Display layer (11): page effects are rendered with JSP/HTML together with jQuery;
Control layer (12): uses the SpringMVC framework, together with SHIRO as the permission control component;
Service layer (13): provides the main business-logic services for the system in the front-end presentation layer (1); in terms of technology selection it uses Spring as the container management framework, uses Log4j for log management and output, and provides infrastructure services and operation interfaces such as reports, security and permissions;
Cache layer (14): the cache framework selected is EhCache, a widely used open-source Java distributed cache;
Data layer (15): the data persistence engine selected is MyBatis.
4. The industrial control security audit system based on protocol deep analysis according to claim 1, characterized in that the back-end processing layer (3) includes:
General protocols (31): provide users with O&M functions based on the Telnet, SSH, RDP and RemoteApp protocols;
Industrial control protocols (32): maintain and issue rules for protocols such as Modbus, OPC, Siemens S7, IEC104, Profinet and DNP3, and perform whitelist and control-rule maintenance and issuance for each type of protocol.
5. The industrial control security audit system based on protocol deep analysis according to claim 4, characterized in that the general protocols (31) are protocols with an audit function.
6. The industrial control security audit system based on protocol deep analysis according to claim 4, characterized in that the industrial control protocols (32) further include an alarm processing module for processing the execution-result feedback after a rule is issued and the alarm information generated after a rule is triggered.
7. Application of the industrial control security audit system based on protocol deep analysis according to any one of claims 1 to 6 in an industrial control network environment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910029343.3A CN109840077A (en) | 2019-01-13 | 2019-01-13 | An industrial control security audit system based on protocol deep analysis, and its application |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109840077A true CN109840077A (en) | 2019-06-04 |
Family ID=66883814
Events
- 2019-01-13 CN CN201910029343.3A patent/CN109840077A/en active Pending
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112799358A (en) * | 2020-12-30 | 2021-05-14 | 上海磐御网络科技有限公司 | Industrial control safety defense system |
CN112799358B (en) * | 2020-12-30 | 2022-11-25 | 上海磐御网络科技有限公司 | Industrial control safety defense system |
CN113311809A (en) * | 2021-05-28 | 2021-08-27 | 苗叶 | Industrial control system-based safe operation and maintenance instruction blocking device and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 20190604 |