CN109981583A - A kind of industry control network method for situation assessment - Google Patents
Publication number: CN109981583A (application CN201910141568.8A)
Authority: CN (China)
Prior art keywords: data, data packet, situation assessment, plc, situation
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention discloses an industrial control network situation assessment method. The industrial control network equipment involved comprises a security gateway, a programmable logic controller (PLC), field sensor equipment, a safety management platform and an engineer station. The method comprises the following steps. S1: the engineer station configures and operates the industrial control system; the PLC of each region identifies the controlled devices connected to its I/O modules and matches them against a controlled-device information list, forming the periodic communication pattern of master station and slave stations. S2: the PLC feeds data back to the security gateway in real time; the packet deep-analysis system of the security gateway extracts data features, removes redundant attribute features and keeps only those related to the system's behaviour pattern, namely the data features based on the communication protocol, the status information of the PLC, the status information of the industrial control network system and the network traffic features. S3: the industrial control network situation evaluation model performs situation assessment on the system and produces an assessment result.
Description
Technical field
The present invention relates to the technical field of industrial control systems, and in particular to an industrial control network situation assessment method.
Background art
Because industrial control systems widely use general-purpose software, hardware and network facilities, and are integrated with enterprise management information systems, they have become increasingly open and exchange data with the corporate intranet and even with the Internet. The former relative isolation of industrial control systems in their physical environment and the proprietary nature of their software and hardware are therefore being broken: detailed information about an industrial control system can be obtained through the Internet or the corporate intranet. Together with the generally poor security awareness of the enterprises that operate such systems, this creates opportunities for hostile governments, terrorist organisations, industrial spies, malicious insiders and external intruders.
Industrial control systems have many types of communication protocol, missing or imperfect security authentication mechanisms and practitioners with weak security awareness, so compared with traditional network security they present more attack surfaces, such as protocol vulnerabilities, host-computer software vulnerabilities, industrial control equipment vulnerabilities and service vulnerabilities. The following deficiencies exist: 1) because ICS equipment vendors are numerous and there is no unified standard for system hardware, operating software, application software and protocol specifications, ICS configurations carry vulnerabilities of their own; 2) the widely used Modbus TCP protocol lacks authentication and authorisation mechanisms and transmits data in plaintext, so security protection can only be applied at a network security gateway to the data collected from the field device level, and traditional protection methods are mainly filtering techniques that match the packet format of the communication protocol; such rule-based configuration cannot intercept the many attacks that are constructed as packets conforming to the protocol specification; 3) register values of field-level devices are easily tampered with by an attacker while the packet format still conforms to the protocol specification, so the attack is hard to notice and leads enterprise managers to make wrong decisions.
The attack techniques against industrial control systems are therefore increasingly flexible and diverse, and have even developed into APT attacks that are more threatening and harder to defend against. Faced with ever-emerging unknown attack techniques, passive security defences such as traditional intrusion detection systems, industrial firewalls and whitelists cannot intercept every attack. Research hotspots in industrial control security protection are thus gradually shifting from passive defence technology to multi-level defence in depth based on active defence.
Summary of the invention
In view of this, the object of the present invention is to provide an industrial control network situation assessment method, which addresses the low accuracy of industrial control network systems in classifying and recognising unknown attacks and device anomalies, and their weak generalisation ability.
The present invention solves the above technical problem by the following technical means:
An industrial control network situation assessment method, in which the industrial control network equipment involved comprises a security gateway, a programmable logic controller (PLC), field sensor equipment, a safety management platform and an engineer station; the security gateway comprises a situation assessment subsystem and a packet deep-analysis system; and the method comprises:
the engineer station configures and operates the industrial control system, and the PLC of each region identifies the controlled devices connected to its I/O modules and matches them against a controlled-device information list, forming the periodic communication pattern of master and slave stations;
the PLC feeds data back to the security gateway in real time, and the packet deep-analysis system of the security gateway extracts the data features of that data to obtain a feature vector;
the situation assessment subsystem evaluates and counts the feature vector with a classifier, performs situation assessment, and raises an alarm to the safety management platform for abnormal results.
Further, the step in which the PLC feeds data back to the security gateway in real time and the packet deep-analysis system of the security gateway extracts the data features to obtain a feature vector comprises:
the packet deep-analysis system specifies, for the message format of the Modbus TCP protocol, the feature fields that should be present in a packet and the expected values of those fields, parses the message in depth field by field, and summarises the instruction and state features of the protocol;
a sliding time window over the master-slave communication is established, the important features are frequency-marked within periodic time windows, and packets are periodically collected and their features extracted to build the feature vector;
since, in an industrial control system based on the Modbus TCP protocol, the communication between master and slave stations at the field device level is periodic and the master performs periodic read and write operations on the slave devices, the following are obtained: control command interval, controller gain, controller cycle time increment, controller gain increment, slave station address, packet cyclic check code, data length, function code, command or response, and packet transfer direction; based on communication frequency, a feature vector X = (x1, x2, x3, ..., xn) is constructed from the periodic characteristic values of each kind.
Further, the control command interval is the time interval between successive identical instructions that the PLC issues to a controlled device; the controller gain, controller cycle time increment and controller gain increment are obtained from the feedback of the controller and represent the controller's status information; the slave station address, packet cyclic check code, data length, function code and command or response are obtained, through analysis of Modbus TCP protocol features and periodic regularities, as the characteristic frequency of each packet field; and the packet direction is the transfer direction of a packet exchanged between the PLC and a controlled device, derived from the packet's source and destination addresses.
Further, the step in which the situation assessment subsystem evaluates and counts the feature vector with a classifier, performs situation assessment and raises an alarm to the safety management platform for abnormal results comprises:
performing data preprocessing on the feature vector;
performing linear dimensionality reduction on the preprocessed feature vector by principal component analysis, extracting from the multi-dimensional features the information principal components that reflect the data attributes.
Further, the situation assessment subsystem comprises an improved multiclass SVM, whose construction steps comprise:
building an industrial control platform and constructing typical industrial control attacks;
constructing the initial situation values and the situation intervals of the typical attacks, while extracting feature vectors, preprocessing the feature vector data and pre-extracting and optimising support vectors;
constructing the multiclass SVM based on a binary tree;
optimising the multiclass SVM parameters;
completing the construction of the multiclass SVM.
Further, the typical attacks comprise command injection, response injection and denial of service (DoS).
Beneficial effects of the present invention:
1. By periodically revising the situation evaluation model, continually adding and learning from abnormal samples and retraining the model, the accuracy and generalisation ability of situation assessment are improved.
2. The situation evaluation model not only proposes a protocol-feature detection algorithm for the data transmission process of the control-layer network, but also takes controller status and network traffic conditions into account, so that the result reflects the overall state of the system more accurately.
3. By pre-extracting support vectors and training with loop iteration, the situation value of the system is obtained faster and more accurately, and the situation state of the system is judged from it.
4. A mapping table between typical attacks and situation values is drawn up from three classes of typical industrial control attacks, and the interval of each typical situation is set according to the table. The binary-tree multiclass support vector machine model built on this can directly judge the type of attack the system is subjected to, which helps reflect the security situation of the system more accurately.
Description of the drawings
Fig. 1 is a system structure diagram of the industrial control network situation assessment method of the present invention;
Fig. 2 is the Modbus TCP message structure diagram;
Fig. 3 is an example of a PLC control system;
Fig. 4 is the binary-tree multiclass SVM classification;
Fig. 5 is the situation awareness interval correspondence table;
Fig. 6 is the flow chart for constructing the multiclass SVM.
Specific embodiments
The present invention is described in detail below with reference to the drawings and specific embodiments.
The present invention targets the Modbus TCP protocol features in industrial control systems. A feature vector of system-state features such as communication behaviour frequency is constructed from the control command interval, controller gain, controller cycle time increment, controller gain increment, slave station address, packet cyclic check code, data length, function code, command or response and packet transfer direction, and an industrial control network situation evaluation model based on an improved multiclass support vector machine is established. A situation value correspondence table is built for the normal state and each typical attack state; the situation values in this table are fed into the support vector machine for training; the situation intervals of the normal state of the industrial control system and of each typical industrial control attack are then delimited; and the boundary between adjacent intervals serves as a root node of the binary tree, from which the binary-tree multiclass support vector machine model is established.
As shown in Fig. 1, the key industrial control network devices involved in the situation assessment method are the security gateway, the main control PLC, the controlled devices, the safety management platform and the engineer station, whose roles are as follows:
1. Security gateway: comprises the packet deep-analysis system and the situation assessment subsystem. The packet deep-analysis system performs deep parsing and feature extraction on Modbus TCP packets; the situation assessment subsystem detects and alarms on the data exchanged between the underlying network and the safety management platform. The Modbus TCP protocol features are shown in Fig. 2.
2. Main control PLC: in the ICS the PLC acts as the local controller under the supervisory control program. A PLC has user-programmable memory that stores instructions implementing specific functions such as I/O control, logic, timing, counting, three-mode proportional-integral-derivative (PID) control, communication, arithmetic, and data and file processing. The PLC can be accessed through the programming interface located at the engineer workstation, as shown in Fig. 3.
3. Controlled devices: include level gauges, pressure gauges, temperature and humidity sensors, actuators and so on. They collect physical quantities in the industrial process and upload the collected information through the PLC to the security gateway for situation assessment; at the same time they receive the PLC's control instructions and carry out the instructed actions so that the industrial process proceeds in an orderly way.
4. Safety management platform: responsible for configuring the security mechanisms of the security gateway and handling abnormal alarms.
5. Engineer station: the workstation used by the engineers of the industrial field control for configuring, programming and modifying the computer system.
This scheme mainly targets industrial control systems based on the Modbus TCP protocol. First, the engineer station configures and operates the system; the PLC of each region identifies the controlled devices connected to its I/O modules and matches them against the controlled-device information list, forming the periodic communication pattern of master and slave stations.
The PLC feeds data back to the security gateway in real time; the packet deep-analysis system of the gateway extracts the data features, removes redundant attribute features and keeps only the features related to the system's behaviour pattern, namely the data features based on the communication protocol, the status information of the programmable logic controller (PLC), the status information of the industrial control network system and the network traffic features.
Then the data analysis module of the situation assessment subsystem assesses the system situation and raises an alarm to the safety management platform for abnormal results.
The situation assessment subsystem measures and counts, with a classifier, the feature vectors extracted by the packet deep-analysis system.
The present invention mainly involves the following three modules: the packet deep-analysis system, the situation assessment subsystem and the safety management platform.
The packet deep-analysis system parses messages in depth field by field: for the Modbus application protocol header it covers the transaction identifier, protocol identifier, length and unit identifier, marks the periodic characteristics of the function code, summarises the instruction and state features of the protocol, and records the communication behaviour frequency according to the master-slave communication cycle.
The situation assessment subsystem analyses the data from the packet deep-analysis system in real time. For the Modbus TCP protocol it constructs the feature vector of control command interval, controller gain, controller cycle time increment, controller gain increment, slave station address, packet cyclic check code, data length, function code, command or response and packet transfer direction, and establishes the multiclass support vector machine situation evaluation model of the industrial control network. For typical industrial control attacks, a correspondence table of situation values for the normal state and the various attack states is established using the quantitative hierarchical threat evaluation model for network security, and the situation value interval and alarm threshold of each kind of attack are set; if the situation value assessed in real time exceeds the alarm threshold, the situation assessment subsystem immediately sends an alarm to the safety management platform.
The safety management platform is mainly responsible for managing and monitoring the operation of the whole network from the field device level to the process monitoring level.
The main method of situation assessment based on Modbus TCP protocol features in the ICS is as follows. Analysed at the level of message structure, a Modbus TCP message consists of two main parts, the Modbus application protocol header (MBAP, Modbus Application Protocol) and the protocol data unit (PDU, Protocol Data Unit). The MBAP header contains the transaction identifier (Transaction ID), protocol identifier (Protocol ID), length (Length) and unit identifier (Unit ID). Common function codes in Modbus TCP communication include read coils (01), read discrete inputs (02), write single coil (05), write multiple coils (15), read input registers (04) and write single register (06). Communication between master and slave stations under this protocol is highly periodic; combining this with controller status information and network traffic information, the feature vector of control command interval, controller gain, controller cycle time increment, controller gain increment, slave station address, packet cyclic check code, data length, function code, command or response and packet transfer direction is constructed.
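An added example, not code from the patent, of the packet-side part of this method: a parser for the MBAP header and function code described above, and a feature extractor that derives command/response, direction, data length and command interval per (unit id, function code) flow from a constructed capture. The packet record layout, port 502 as the slave side, and the sample traffic are assumptions of this example; a frame whose length field contradicts its size is reported rather than trusted.

```python
import struct
from collections import defaultdict

# Modbus TCP frame = MBAP header + PDU, the structure the page describes (Fig. 2):
#   Transaction ID (2) | Protocol ID (2, always 0) | Length (2) | Unit ID (1) | Function code (1) | data
MBAP_LEN = 7
MODBUS_PORT = 502  # the slave (server) listens here, so a packet sent to 502 is a command
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 4: "Read Input Registers",
                  5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils"}


def parse_modbus_tcp(payload):
    """Parse one Modbus TCP frame into its MBAP fields and PDU; raise ValueError if the
    frame contradicts the expected field values instead of trusting it."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol identifier %d is not Modbus" % pid)
    # Length counts unit id + function code + data, so a valid frame is exactly 6 + length bytes
    if len(payload) != 6 + length:
        raise ValueError("length field %d does not match frame size %d" % (length, len(payload)))
    fc = payload[MBAP_LEN]
    return {"transaction_id": tid, "protocol_id": pid, "length": length, "unit_id": uid,
            "function_code": fc & 0x7F, "exception": bool(fc & 0x80),
            "function_name": FUNCTION_NAMES.get(fc & 0x7F, "other"), "data": payload[MBAP_LEN + 1:]}


def build_frame(tid, uid, fc, data):
    """Encode a Modbus TCP frame; used here only to construct sample traffic."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), uid, fc) + data


def extract_features(packets):
    """Aggregate (timestamp, src_ip, dst_ip, dst_port, payload) records into one feature
    record per (unit id, function code) flow: command/response counts, data lengths and the
    interval between successive identical commands. Frames that fail parsing are reported
    as anomalies rather than dropped silently."""
    last_command = {}  # (unit_id, fc) -> timestamp of the previous command for that flow
    flows = defaultdict(lambda: {"commands": 0, "responses": 0, "intervals": [], "lengths": []})
    anomalies = []
    for ts, src, dst, dst_port, payload in packets:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as err:
            anomalies.append((ts, src, dst, str(err)))
            continue
        is_command = dst_port == MODBUS_PORT  # transfer direction from the addressing
        key = (frame["unit_id"], frame["function_code"])
        flow = flows[key]
        flow["lengths"].append(frame["length"])
        if is_command:
            flow["commands"] += 1
            if key in last_command:
                flow["intervals"].append(round(ts - last_command[key], 3))
            last_command[key] = ts
        else:
            flow["responses"] += 1
    return dict(flows), anomalies


def sample_capture():
    """Constructed traffic: a master polling unit 1's input registers once a second, one write
    command, and one frame whose length field claims 20 bytes while only 6 follow."""
    master, plc = "192.168.10.5", "192.168.10.20"
    pkts = []
    for i in range(3):
        pkts.append((float(i), master, plc, MODBUS_PORT, build_frame(i, 1, 4, b"\x00\x00\x00\x02")))
        pkts.append((i + 0.05, plc, master, 49152, build_frame(i, 1, 4, b"\x04\x00\x0a\x00\x14")))
    pkts.append((1.5, master, plc, MODBUS_PORT, build_frame(10, 1, 6, b"\x00\x10\x00\x01")))
    pkts.append((2.5, master, plc, MODBUS_PORT,
                 struct.pack(">HHHBB", 11, 0, 20, 1, 4) + b"\x00\x00\x00\x02"))
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    flows, anomalies = extract_features(sample_capture())
    for key, flow in sorted(flows.items()):
        print("unit %d fc %02d %s" % (key[0], key[1], flow))
    print("anomalies:", anomalies)
```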
Under normal ICS operation, training samples are obtained through the security gateway. First, data preprocessing, comprising data normalisation and dimensionality reduction, is performed.
In this scheme the vector features of the Modbus TCP protocol are normalised with the mapminmax algorithm, which maps the feature value range to [0,1]. The normalisation formula used is:
Value = (fmax - fmin) * (x - xmin) / (xmax - xmin) + fmin
where x and Value are the data before and after normalisation respectively, xmax and xmin are the maximum and minimum of the data before processing, and fmax and fmin are the maximum and minimum of the processed data. Mapping the raw data into a standard attribute range prevents features with large values from carrying too much weight in training and also makes numerical calculation more convenient.
In this scheme, linear dimensionality reduction is performed by principal component analysis, which extracts from the multi-dimensional features the information principal components that reflect the data attributes; these principal components reflect most of the high-dimensional information. The reduction process is as follows:
Step 1: let the number of original input samples be m, each sample having p feature attributes; compute the covariance matrix S of the sample matrix X and the mean vector of X;
Step 2: obtain by eigenvalue decomposition the p eigenvalues λ1, λ2, ..., λp of S and the corresponding eigenvectors E = (θ1, θ2, ..., θp), and sort the eigenvalues by magnitude;
Step 3: compute the contribution rate of the i-th principal component;
Step 4: determine the number of principal components from the cumulative contribution rate, which usually must reach 90% or more. The first n principal components then replace the original input variables, achieving dimensionality reduction.
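An added example (not the patent's code) that carries the preprocessing through on constructed feature rows: the mapminmax formula above, then PCA steps 1 to 4 with the covariance matrix, an eigendecomposition and the 90% cumulative contribution rule. The Jacobi rotation is a pure-Python stand-in for a library eigendecomposition, and the sample rows are constructed so that two linearly dependent protocol features and one constant feature collapse to a single component.

```python
import math


def mapminmax(column, fmin=0.0, fmax=1.0):
    """The page's normalisation, Value = (fmax-fmin)*(x-xmin)/(xmax-xmin)+fmin, applied to one
    feature column. A constant column would divide by zero; it is mapped to fmin instead."""
    xmin, xmax = min(column), max(column)
    if xmax == xmin:
        return [fmin for _ in column]
    return [(fmax - fmin) * (x - xmin) / (xmax - xmin) + fmin for x in column]


def normalise_samples(samples):
    """Normalise every feature column of an m x p list of sample rows."""
    columns = [mapminmax(list(col)) for col in zip(*samples)]
    return [list(row) for row in zip(*columns)]


def covariance_matrix(samples):
    """Step 1: mean vector and sample covariance matrix S of the m x p data."""
    m, p = len(samples), len(samples[0])
    mean = [sum(s[j] for s in samples) / m for j in range(p)]
    S = [[0.0] * p for _ in range(p)]
    for s in samples:
        d = [s[j] - mean[j] for j in range(p)]
        for i in range(p):
            for j in range(p):
                S[i][j] += d[i] * d[j] / (m - 1)
    return mean, S


def jacobi_eigen(S, tol=1e-12, max_sweeps=100):
    """Step 2: eigenvalues and eigenvectors of the symmetric matrix S by cyclic Jacobi
    rotations (a pure-Python stand-in for a library eigendecomposition). Returns
    (values, vectors) sorted by decreasing eigenvalue; vectors[k] belongs to values[k]."""
    n = len(S)
    A = [row[:] for row in S]
    V = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if A[p][q] == 0.0:
                    continue
                theta = 0.5 * math.atan2(2 * A[p][q], A[q][q] - A[p][p])
                c, s = math.cos(theta), math.sin(theta)
                for M in (A, V):  # rotate columns p and q (A <- A J, V <- V J)
                    for k in range(n):
                        kp, kq = M[k][p], M[k][q]
                        M[k][p], M[k][q] = c * kp - s * kq, s * kp + c * kq
                for k in range(n):  # rotate rows p and q (A <- J^T A)
                    pk, qk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * pk - s * qk, s * pk + c * qk
    order = sorted(range(n), key=lambda i: -A[i][i])
    return [A[i][i] for i in order], [[V[k][i] for k in range(n)] for i in order]


def pca_reduce(samples, target=0.90):
    """Steps 3-4: contribution rate of each principal component and the smallest n whose
    cumulative contribution reaches the target (90% on the page); returns n, the rates and
    the samples projected on the first n components."""
    mean, S = covariance_matrix(samples)
    values, vectors = jacobi_eigen(S)
    total = sum(values)
    rates = [v / total for v in values]
    cumulative, n = 0.0, 0
    while n < len(rates) and cumulative < target:
        cumulative += rates[n]
        n += 1
    reduced = [[sum((s[j] - mean[j]) * vectors[k][j] for j in range(len(mean))) for k in range(n)]
               for s in samples]
    return n, rates, reduced


def sample_feature_rows():
    """Constructed rows of (command interval in s, data length in bytes, unit id): the length
    is an exact multiple of the interval and the unit id never changes, so PCA should keep one
    component."""
    return [[1.0, 10.0, 6.0], [2.0, 20.0, 6.0], [3.0, 30.0, 6.0], [4.0, 40.0, 6.0], [5.0, 50.0, 6.0]]
```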
Next, the support vectors are pre-extracted and optimised. The pre-extraction process is as follows:
Suppose two elements x1 and x2 are given (belonging to two different samples); the distance between the two can be expressed as d(x1, x2), where x1 is an element of sample 1 and x2 an element of sample 2. In the linear case the distance between x1 and x2 is defined as follows:
In the nonlinear case the distance between the two samples x1 and x2 is defined as follows:
where φ(x) is the vector obtained by mapping a vector of the original space into the high-dimensional vector space, and K(x1, x2) = φ(x1)·φ(x2) is the kernel function. First, take the first element of x1 and traverse sample x2; there must be a minimum value min d(x1, x2), and the vector corresponding to that minimum is a boundary value of sample x2. Taking each element of x1 in turn and traversing the elements of x2 to obtain the minimum min d(x1, x2) yields the set of boundary vectors of the second-class sample relative to the first-class sample; the relative boundary vectors of the first-class sample are obtained in the same way. In this way we obtain a set of relative boundary vectors that contains the support vectors with considerable probability, and the number of relative boundary vectors is far smaller than the number of samples. This set is used as the initial working set B.
The loop iteration algorithm proceeds as follows:
a) use working set B as the training sample and obtain the optimal separating hyperplane;
b) test the training sample set A with the obtained optimal separating hyperplane, then compute the distance d between each sample in A and the separating hyperplane and the classification accuracy P. The samples in the test set whose distance d to the optimal hyperplane is less than Q (a threshold value between 1.05 and 2.0) are put into working set B, replacing the original working set B as the training sample for the next loop iteration;
c) while the classification accuracy P is less than 1, repeat from step a); when P equals 1, exit the loop and the iteration ends.
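An added example (not from the patent) of the pre-extraction step: the relative boundary vectors of two constructed classes are computed under the linear distance and under a kernel-induced distance, and assembled into the initial working set B that the loop iteration above would start from. The RBF kernel, the kernel-distance formula and the two sample clusters are assumptions of this example; the hyperplane training of steps a) to c) is not reproduced here.

```python
import math


def linear_distance(a, b):
    """Distance d(x1, x2) between two feature vectors in the linear case."""
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))


def rbf_kernel(gamma):
    """Radial basis kernel K(x1, x2) = exp(-gamma * ||x1 - x2||^2); gamma is the page's g."""
    def K(a, b):
        return math.exp(-gamma * sum((u - v) ** 2 for u, v in zip(a, b)))
    return K


def kernel_distance(K):
    """Distance between phi(x1) and phi(x2) in the space induced by K. Assumption: the page's
    nonlinear definition is the usual sqrt(K(x1,x1) - 2K(x1,x2) + K(x2,x2))."""
    def d(a, b):
        return math.sqrt(max(K(a, a) - 2.0 * K(a, b) + K(b, b), 0.0))
    return d


def relative_boundary(reference, target, dist):
    """Indices of the boundary vectors of `target` relative to `reference`: for each element of
    `reference`, the element of `target` at minimum distance is on the boundary of `target`."""
    boundary = set()
    for r in reference:
        boundary.add(min(range(len(target)), key=lambda i: dist(r, target[i])))
    return sorted(boundary)


def initial_working_set(sample1, sample2, dist):
    """Initial working set B: the relative boundary vectors of both classes as (x, label) pairs,
    class 1 labelled +1 and class 2 labelled -1. This is the set the loop iteration starts from."""
    b2 = relative_boundary(sample1, sample2, dist)   # boundary of sample 2 seen from sample 1
    b1 = relative_boundary(sample2, sample1, dist)   # boundary of sample 1 seen from sample 2
    return [(sample1[i], +1) for i in b1] + [(sample2[i], -1) for i in b2]


def sample_classes():
    """Constructed 2-D feature vectors (e.g. two principal components): class 1 is normal
    traffic, class 2 an attack state; the two clusters are separated along the first axis."""
    normal = [(0.0, 0.0), (0.0, 1.0), (1.0, 0.0), (1.0, 1.0), (0.5, 0.5)]
    attack = [(3.0, 0.0), (3.0, 1.0), (4.0, 0.0), (4.0, 1.0), (3.5, 0.5)]
    return normal, attack
```

Only the points facing the other class survive into B, which is what makes the working set much smaller than the full sample.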
Next, the initial situation values and the situation intervals of each typical attack are constructed by analysing the three classes of typical attack data of the industrial control system: command injection, response injection and denial of service (DoS). Based on the differences between attacks in potential risk, actual degree of damage to the system and impact on the network as a whole, the quantitative hierarchical threat evaluation model for network security is applied. This method is divided into three levels, the service level, the host level and the network level, following a bottom-up, local-to-whole principle: according to features such as the security threat an attack poses to a service, the normal access volume and importance of the service, the severity of the harm to the host, the importance of the host, the network bandwidth occupied and the system vulnerability information, each feature is assigned a weight, the security threat index of each layer is first calculated quantitatively, and the layers are then combined with their own weights by quantitative superposition. This finally determines the situation values of the normal network state and of the network state under each kind of attack, and establishes the situation value interval table of the normal state and the various attack states, as shown in Fig. 5.
Finally, the binary-tree multiclass support vector machine model is built and the support vector machine parameters are optimised. The binary-tree multiclass support vector machine model is constructed from the support vectors obtained in the above steps, their situation values and the situation intervals of each system state. First, the first class of data is treated as one class and all remaining data as the other class (assuming K classes in total), and SVM1 is trained; then, among the data remaining after the first classification, the second class is treated as one class and the remaining data as the other, and SVM2 is trained; and so on, until only two classes remain and SVM(K-1) is trained. In this way a binary tree model is obtained with support vector machines as its nodes. Under this model the feature vector is first judged by SVM1; if it is judged to belong to the first class the judgement ends, otherwise SVM2 continues the judgement, and so on, until the class of the feature vector is determined. In this scheme a sample of class 1 obtains its class after one classification, a sample of class 2 after two classifications, and all classes are obtained after K-1 classifications. To meet the real-time requirement of industrial control systems, the parameters of the support vector machine are optimised with a stepwise grid search. First, the search ranges of the optimal values of the penalty factor parameter and of g (the radial basis kernel function parameter) are set and searched with a step size of 5 to obtain a local optimum. On the basis of the locally optimal parameters, a fine search with step size 0.1 is then performed to obtain the final optimal parameters. Performing a large-scale parameter search first and then a small-scale one reduces the parameter optimisation time and better suits the high real-time requirement of industrial control systems.
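An added example, not the patent's implementation, of the binary-tree decision structure just described: K-1 nodes are trained one class against the rest of the not-yet-separated classes, and prediction walks the chain so that a class-k sample is resolved after k classifications. Each node uses a nearest-centroid rule as a stand-in for the page's SVM (an assumption, so the tree logic can run without a solver); the class order, the 2-D feature vectors and the clusters are constructed for the example.

```python
def centroid(points):
    return [sum(p[j] for p in points) / len(points) for j in range(len(points[0]))]


def sqdist(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b))


class CentroidNode:
    """Stand-in for one node's SVM: decides +1 (this class) or -1 (all remaining classes) by the
    nearer centroid. Assumption: the page trains a real SVM at each node; this rule keeps the
    example dependency-free while preserving the tree's decision structure."""
    def __init__(self, positives, negatives):
        self.c_pos, self.c_neg = centroid(positives), centroid(negatives)

    def predict(self, x):
        return 1 if sqdist(x, self.c_pos) <= sqdist(x, self.c_neg) else -1


class BinaryTreeMultiSVM:
    """K ordered classes; node k separates class k from the classes not yet separated, so K-1
    nodes are trained and a class-k sample is resolved after k classifications."""
    def __init__(self, classes, node_factory=CentroidNode):
        self.classes = list(classes)
        self.node_factory = node_factory
        self.nodes = []

    def fit(self, labelled):
        remaining = list(labelled)
        for cls in self.classes[:-1]:
            pos = [x for x, y in remaining if y == cls]
            neg = [x for x, y in remaining if y != cls]
            self.nodes.append(self.node_factory(pos, neg))
            remaining = [(x, y) for x, y in remaining if y != cls]  # drop the separated class
        return self

    def predict(self, x):
        """Walk the chain from SVM1; returns (class, number of nodes consulted)."""
        for depth, node in enumerate(self.nodes, start=1):
            if node.predict(x) == 1:
                return self.classes[depth - 1], depth
        return self.classes[-1], len(self.nodes)


SITUATION_CLASSES = ["normal", "command_injection", "response_injection", "dos"]


def sample_training_set():
    """Constructed 2-D feature vectors (for example two principal components) for the normal
    state and the three typical attacks named on the page, one small cluster per class."""
    centres = {"normal": (0.0, 0.0), "command_injection": (5.0, 0.0),
               "response_injection": (0.0, 5.0), "dos": (5.0, 5.0)}
    offsets = [(0.0, 0.0), (0.5, 0.0), (0.0, 0.5), (-0.5, 0.0), (0.0, -0.5)]
    return [((cx + dx, cy + dy), cls) for cls, (cx, cy) in centres.items() for dx, dy in offsets]


def build_model():
    """Train the K-1 = 3 nodes on the constructed set."""
    return BinaryTreeMultiSVM(SITUATION_CLASSES).fit(sample_training_set())
```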
The above embodiments are only used to illustrate the technical solution of the present invention and are not limiting. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent replacements of the technical solution of the present invention that do not depart from its purpose and scope are all covered by the scope of the claims of the present invention. Technologies, shapes and structural parts not described in detail in the present invention are well-known technology.
Claims (6)
1. An industrial control network situation assessment method, characterised in that the industrial control network equipment involved comprises a security gateway, a programmable logic controller (PLC), field sensor equipment, a safety management platform and an engineer station; the security gateway comprises a situation assessment subsystem and a packet deep-analysis system; and the method comprises:
the engineer station configures and operates the industrial control system, and the PLC of each region identifies the controlled devices connected to its I/O modules and matches them against a controlled-device information list, forming the periodic communication pattern of master and slave stations;
the PLC feeds data back to the security gateway in real time, and the packet deep-analysis system of the security gateway extracts the data features of that data to obtain a feature vector;
the situation assessment subsystem evaluates and counts the feature vector with a classifier, performs situation assessment, and raises an alarm to the safety management platform for abnormal results.
2. The industrial control network situation assessment method according to claim 1, characterised in that the step in which the PLC feeds data back to the security gateway in real time and the packet deep-analysis system of the security gateway extracts the data features to obtain a feature vector comprises:
the packet deep-analysis system specifies, for the message format of the Modbus TCP protocol, the feature fields that should be present in a packet and the expected values of those fields, parses the message in depth field by field, and summarises the instruction and state features of the protocol;
a sliding time window over the master-slave communication is established, the important features are frequency-marked within periodic time windows, and packets are periodically collected and their features extracted to build the feature vector;
since, in an industrial control system based on the Modbus TCP protocol, the communication between master and slave stations at the field device level is periodic and the master performs periodic read and write operations on the slave devices, the control command interval, controller gain, controller cycle time increment, controller gain increment, slave station address, packet cyclic check code, data length, function code, command or response and packet transfer direction are obtained, and a feature vector X = (x1, x2, x3, ..., xn) is constructed from the periodic characteristic values of each kind based on communication frequency.
3. The industrial control network situation assessment method according to claim 2, characterised in that: the control command interval is the time interval between identical instructions that the PLC issues to a controlled device; the controller gain, controller cycle time increment and controller gain increment are obtained from the controller's feedback and represent the controller's state information; the slave address, packet cyclic check code, data length, function code and command-or-response are the characteristic frequency of each packet field, obtained by analysing the Modbus TCP protocol features and their periodic pattern; the packet direction is the transfer direction of a packet during data exchange between the PLC and a controlled device, derived from the packet's source address and destination address.
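The feature extraction of claims 2 and 3, as an added worked example in Python (this is not the patent's code and not taken from the page): a deep parser for Modbus/TCP frames that checks the fixed-value fields the protocol format requires, and a sliding-window feature vector built from per-function-code frequencies, packet direction derived from source address, the interval between identical master instructions, data length and exception ratio. The master address 10.0.0.1, the slave and rogue addresses, and every frame and timestamp are constructed for the demonstration. One caveat a practitioner should keep in mind: a Modbus/TCP frame carries no cyclic check code of its own, the CRC belongs to the serial Modbus RTU frame and on TCP integrity is left to the transport, so that feature from claim 2 is only available where a gateway re-encapsulates serial traffic.

```python
"""Deep parsing of Modbus/TCP frames and sliding-window feature vectors in
the manner of claims 2 and 3. Added illustration, not the patent's code.
Assumptions: the master (engineer station) address is 10.0.0.1; all frames,
addresses and timestamps below are constructed."""
import struct
from collections import Counter
from typing import Dict, List, Tuple

MASTER_IP = "10.0.0.1"                 # assumed Modbus master address (constructed)
FC_KEYS = (1, 2, 3, 4, 5, 6, 15, 16)   # public function codes tracked per window

Packet = Tuple[float, str, str, bytes]  # (timestamp s, src ip, dst ip, frame)


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP frame: MBAP header (transaction id, protocol id 0,
    length = unit id + PDU bytes, unit id) followed by the PDU (fc, data)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame: bytes) -> Dict:
    """Deep parse of one frame; rejects frames whose fields do not carry the
    values the protocol format requires (claim 2's 'expected values')."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data_len": len(frame) - 8}


def window_features(packets: List[Packet], t_end: float, width: float) -> List[float]:
    """Feature vector X for the window (t_end - width, t_end]: one rate per
    function code in FC_KEYS (frames/s), total rate, fraction of frames sent by
    the master, mean interval between identical master instructions (fc, unit),
    mean data length, and exception-response ratio."""
    win = [(t, src, parse_frame(f)) for t, src, _dst, f in packets
           if t_end - width < t <= t_end]
    if not win:
        return [0.0] * (len(FC_KEYS) + 5)
    n = len(win)
    fc_counts = Counter(p["fc"] for _, _, p in win)
    # Direction comes from the addresses (claim 3): frames from the master are commands.
    commands = [(t, p) for t, src, p in win if src == MASTER_IP]
    last_seen: Dict[Tuple[int, int], float] = {}
    gaps: List[float] = []
    for t, p in commands:
        key = (p["fc"], p["unit"])
        if key in last_seen:
            gaps.append(t - last_seen[key])
        last_seen[key] = t
    x = [fc_counts[k] / width for k in FC_KEYS]
    x += [n / width,
          len(commands) / n,
          sum(gaps) / len(gaps) if gaps else 0.0,
          sum(p["data_len"] for _, _, p in win) / n,
          sum(1 for _, _, p in win if p["exception"]) / n]
    return x


def polling_traffic() -> List[Packet]:
    """Constructed baseline: the master reads 2 holding registers of unit 1
    once a second (FC 3); the slave answers 10 ms later."""
    pk: List[Packet] = []
    for i in range(1, 11):
        req = build_frame(i, 1, 3, struct.pack(">HH", 0, 2))
        rsp = build_frame(i, 1, 3, b"\x04" + struct.pack(">HH", 0x1234, 0x5678))
        pk.append((float(i), MASTER_IP, "10.0.0.20", req))
        pk.append((float(i) + 0.01, "10.0.0.20", MASTER_IP, rsp))
    return pk


def injected_traffic() -> List[Packet]:
    """Constructed command-injection burst: a rogue host writes one register
    of unit 1 (FC 16) fifty times at 10 Hz."""
    data = struct.pack(">HHB", 0, 1, 2) + b"\x00\x00"
    return [(20.0 + 0.1 * i, "10.0.0.66", "10.0.0.20", build_frame(i, 1, 16, data))
            for i in range(50)]


def baseline_vector() -> List[float]:
    return window_features(polling_traffic(), t_end=10.5, width=10.0)


def attack_vector() -> List[float]:
    return window_features(injected_traffic(), t_end=25.0, width=10.0)


if __name__ == "__main__":
    print("baseline X =", baseline_vector())
    print("attack   X =", attack_vector())
```

In the baseline window the vector shows 2 FC 3 frames per second, half of the frames from the master and a 1 s command interval; in the injected window FC 16 appears at 5 frames per second, none of it from the master, which is exactly the kind of shift the classifier of claim 1 is meant to pick up. Frames whose MBAP length or protocol id is wrong are rejected before they can reach the feature vector.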
4. The industrial control network situation assessment method according to claim 1, characterised in that the step in which the situation assessment subsystem evaluates and counts the feature vectors with a classifier, performs situation assessment, and raises an alarm to the security management platform for any abnormal result comprises:
preprocessing the feature vector;
applying principal component analysis to the preprocessed feature vector for linear dimensionality reduction, extracting from the multi-dimensional features the principal components that carry the information reflecting the data category.
5. The industrial control network situation assessment method according to claim 1, characterised in that the situation assessment subsystem comprises an improved multi-class SVM, whose construction comprises the steps of:
building an industrial control test platform and constructing typical industrial control attacks;
constructing the initial situation value and the situation intervals of the typical attacks, while extracting feature vectors, preprocessing the feature vector data, and pre-extracting and optimising the support vectors;
constructing a binary-tree-based multi-class SVM;
optimising the parameters of the multi-class SVM;
completing the construction of the multi-class SVM.
6. The industrial control network situation assessment method according to claim 5, characterised in that the typical attacks comprise: command injection, response injection and denial of service (DoS).
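The assessment pipeline of claims 4 and 5, with the three attack classes of claim 6 plus a normal class, as an added worked example in Python (not the patent's code; the patent does not disclose its preprocessing, its class ordering or its SVM solver, so those are choices made here): z-score preprocessing, PCA by power iteration with deflation that keeps components until 95% of the variance is explained, and a binary-tree multi-class SVM in which node k separates one class from all classes after it and prediction stops at the first node that fires. Each node is a linear SVM with squared hinge loss fitted by full-batch gradient descent, a stand-in for the kernel solver a deployment would use. The four-feature, four-class data set is constructed: two features place a class at a corner of the unit square and the other two are linear combinations of them, so PCA has something to remove; the class order is simply the sorted label set.

```python
"""Claims 4 and 5 end to end: z-score preprocessing, PCA by power iteration
with deflation, and a binary-tree multi-class SVM whose nodes are linear
L2-SVMs fitted by full-batch gradient descent. Added illustration, not the
patent's code; the four-class, four-feature data set is constructed."""
import math
import random
from typing import List, Sequence, Tuple

Vec = List[float]
CLASSES = ("normal", "command_injection", "response_injection", "dos")  # claim 6 + normal


def make_dataset(per_class: int = 5, seed: int = 7) -> Tuple[List[Vec], List[int]]:
    """Constructed samples: (x1, x2) put each class at a corner of the unit
    square; x3 = x1 + x2 and x4 = x1 - x2 are redundant, so PCA can drop them."""
    rnd = random.Random(seed)
    X, y = [], []
    for label, (cx, cy) in enumerate([(0, 0), (1, 0), (0, 1), (1, 1)]):
        for _ in range(per_class):
            x1, x2 = cx + rnd.uniform(-0.05, 0.05), cy + rnd.uniform(-0.05, 0.05)
            X.append([x1, x2, x1 + x2, x1 - x2])
            y.append(label)
    return X, y


def train_l2svm(X: List[Vec], y: Sequence[int], lam: float = 0.01, iters: int = 500) -> Vec:
    """Linear SVM with squared hinge loss on augmented inputs [x, 1] (bias folded
    into w). Step size 1/L with L an upper bound on the gradient's Lipschitz
    constant, so full-batch descent is stable without a line search."""
    A = [list(x) + [1.0] for x in X]
    n, d = len(A), len(A[0])
    eta = 1.0 / (lam + 2.0 * sum(sum(v * v for v in a) for a in A) / n)
    w = [0.0] * d
    for _ in range(iters):
        grad = [lam * wi for wi in w]
        for a, yi in zip(A, y):
            slack = 1.0 - yi * sum(wi * ai for wi, ai in zip(w, a))
            if slack > 0:                       # only margin violators contribute
                for j in range(d):
                    grad[j] -= 2.0 * slack * yi * a[j] / n
        w = [wi - eta * g for wi, g in zip(w, grad)]
    return w


class SituationModel:
    """Preprocess -> PCA -> binary-tree multi-class SVM. Node k separates class
    order[k] from every class after it; prediction stops at the first node that
    fires. The order is the sorted label set (assumption: the patent's
    'improved' ordering is not given on the page)."""

    def fit(self, X: List[Vec], labels: Sequence[int], keep: float = 0.95) -> "SituationModel":
        n, d = len(X), len(X[0])
        self.mean = [sum(r[j] for r in X) / n for j in range(d)]
        self.std = [math.sqrt(sum((r[j] - self.mean[j]) ** 2 for r in X) / n) or 1.0
                    for j in range(d)]
        Z = self._standardize(X)
        # PCA: power iteration on the covariance matrix, deflating after each
        # axis, until the kept eigenvalues explain `keep` of the total variance.
        C = [[sum(r[i] * r[j] for r in Z) / n for j in range(d)] for i in range(d)]
        total, explained, self.axes = sum(C[i][i] for i in range(d)), 0.0, []
        while explained < keep * total and len(self.axes) < d:
            v = [1.0 / math.sqrt(d)] * d
            for _ in range(300):
                w = [sum(C[i][j] * v[j] for j in range(d)) for i in range(d)]
                norm = math.sqrt(sum(t * t for t in w)) or 1.0
                v = [t / norm for t in w]
            lam = sum(v[i] * C[i][j] * v[j] for i in range(d) for j in range(d))
            self.axes.append(v)
            explained += lam
            C = [[C[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
        P = self._project(Z)
        self.order = sorted(set(labels))
        self.nodes = []
        for k, c in enumerate(self.order[:-1]):
            idx = [i for i, l in enumerate(labels) if l in self.order[k:]]
            self.nodes.append(train_l2svm([P[i] for i in idx],
                                          [1 if labels[i] == c else -1 for i in idx]))
        return self

    def _standardize(self, X: List[Vec]) -> List[Vec]:
        return [[(r[j] - self.mean[j]) / self.std[j] for j in range(len(r))] for r in X]

    def _project(self, Z: List[Vec]) -> List[Vec]:
        return [[sum(a[j] * r[j] for j in range(len(r))) for a in self.axes] for r in Z]

    def predict(self, X: List[Vec]) -> List[int]:
        out = []
        for p in self._project(self._standardize(X)):
            a = p + [1.0]
            label = self.order[-1]              # last class if no node fires
            for c, w in zip(self.order, self.nodes):
                if sum(wi * ai for wi, ai in zip(w, a)) > 0:
                    label = c
                    break
            out.append(label)
        return out

    def accuracy(self, X: List[Vec], labels: Sequence[int]) -> float:
        return sum(p == l for p, l in zip(self.predict(X), labels)) / len(labels)


if __name__ == "__main__":
    X, y = make_dataset()
    m = SituationModel().fit(X, y)
    print("components kept:", len(m.axes), "train accuracy:", m.accuracy(X, y))
    print([CLASSES[c] for c in m.predict([[0.02, 0.01, 0.03, 0.01], [0.98, 0.97, 1.95, 0.01]])])
```

Two design points matter in practice. The number of nodes is one less than the number of classes, so a four-class situation model needs three binary SVMs rather than the six of a one-versus-one scheme, and an error at a high node cannot be corrected lower down, which is why the ordering heuristic (which class to split off first) is the part the patent calls "improved". The standardisation statistics and the principal axes are fitted once on the training set and reused at prediction time; refitting them on live traffic would let an attacker shift the baseline.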
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910141568.8A CN109981583B (en) | 2019-02-26 | 2019-02-26 | Industrial control network situation assessment method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109981583A true CN109981583A (en) | 2019-07-05 |
CN109981583B CN109981583B (en) | 2021-09-24 |
Family
ID=67077358
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910141568.8A Active CN109981583B (en) | 2019-02-26 | 2019-02-26 | Industrial control network situation assessment method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109981583B (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111669375A (en) * | 2020-05-26 | 2020-09-15 | 武汉大学 | Online safety situation assessment method and system for power industrial control terminal |
CN111723377A (en) * | 2020-06-17 | 2020-09-29 | 中国电子信息产业集团有限公司第六研究所 | Platform vulnerability assessment method and device, electronic equipment and storage medium |
CN112230584A (en) * | 2020-10-28 | 2021-01-15 | 浙江中烟工业有限责任公司 | Safety monitoring visualization system and safety monitoring method applied to industrial control field |
CN112637143A (en) * | 2020-12-08 | 2021-04-09 | 浙江国利网安科技有限公司 | Safety control method and device and industrial control data acquisition gateway |
CN113114489A (en) * | 2021-03-29 | 2021-07-13 | 广州杰赛科技股份有限公司 | Network security situation assessment method, device, equipment and storage medium |
CN114741575A (en) * | 2022-02-25 | 2022-07-12 | 中国人民解放军63921部队 | Network power target behavior analysis method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102420723A (en) * | 2011-12-14 | 2012-04-18 | 南京邮电大学 | Anomaly detection method for various kinds of intrusion |
CN102722726A (en) * | 2012-06-05 | 2012-10-10 | 江苏省电力公司南京供电公司 | Multi-class support vector machine classification method based on dynamic binary tree |
CN102915447A (en) * | 2012-09-20 | 2013-02-06 | 西安科技大学 | Binary tree-based SVM (support vector machine) classification method |
US20150248556A1 (en) * | 2014-02-28 | 2015-09-03 | Government Of The United States, As Represented By The Secretary Of The Air Force | Firmware Disassembly System |
CN106502234A (en) * | 2016-10-17 | 2017-03-15 | 重庆邮电大学 | Industrial control system method for detecting abnormality based on double skeleton patterns |
- 2019-02-26 CN CN201910141568.8A patent/CN109981583B/en active Active
Non-Patent Citations (5)
Title |
---|
An Jinlong et al., "A new multi-class classification method for support vector machines", Information and Control (信息与控制) * |
Wang Huazhong et al., "Application of combined PCA and PSO-SVM methods in industrial control intrusion detection", Bulletin of Science and Technology (科技通报) * |
Zhu Qi et al., "SVM-based cooperative intrusion detection system in wireless sensor networks", Application Research of Computers (计算机应用研究) * |
Chen Xiuzhen et al., "A hierarchical quantitative assessment method for network security threat situation", Journal of Software (软件学报) * |
Chen Meixia et al., "Application of binary-tree multi-class SVM in network intrusion detection", Microcomputer Information (微计算机信息) * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111669375A (en) * | 2020-05-26 | 2020-09-15 | 武汉大学 | Online safety situation assessment method and system for power industrial control terminal |
CN111669375B (en) * | 2020-05-26 | 2021-03-16 | 武汉大学 | Online safety situation assessment method and system for power industrial control terminal |
CN111723377A (en) * | 2020-06-17 | 2020-09-29 | 中国电子信息产业集团有限公司第六研究所 | Platform vulnerability assessment method and device, electronic equipment and storage medium |
CN111723377B (en) * | 2020-06-17 | 2023-02-07 | 中国电子信息产业集团有限公司第六研究所 | Platform vulnerability assessment method and device, electronic equipment and storage medium |
CN112230584A (en) * | 2020-10-28 | 2021-01-15 | 浙江中烟工业有限责任公司 | Safety monitoring visualization system and safety monitoring method applied to industrial control field |
CN112637143A (en) * | 2020-12-08 | 2021-04-09 | 浙江国利网安科技有限公司 | Safety control method and device and industrial control data acquisition gateway |
CN113114489A (en) * | 2021-03-29 | 2021-07-13 | 广州杰赛科技股份有限公司 | Network security situation assessment method, device, equipment and storage medium |
CN113114489B (en) * | 2021-03-29 | 2022-06-17 | 广州杰赛科技股份有限公司 | Network security situation assessment method, device, equipment and storage medium |
CN114741575A (en) * | 2022-02-25 | 2022-07-12 | 中国人民解放军63921部队 | Network power target behavior analysis method and device |
Also Published As
Publication number | Publication date |
---|---|
CN109981583B (en) | 2021-09-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109981583A (en) | A kind of industry control network method for situation assessment | |
CN106502234B (en) | Industrial control system method for detecting abnormality based on double skeleton patterns | |
CA3132346C (en) | User abnormal behavior recognition method and device and computer readable storage medium | |
Wang et al. | An exhaustive research on the application of intrusion detection technology in computer network security in sensor networks | |
CN106789885A (en) | User's unusual checking analysis method under a kind of big data environment | |
Wei et al. | Strategic application of ai intelligent algorithm in network threat detection and defense | |
Sarwar et al. | Design of an advance intrusion detection system for IoT networks | |
Yi et al. | Network security risk assessment model based on fuzzy theory | |
Wu et al. | Factor-analysis based anomaly detection and clustering | |
Perez et al. | Forget the myth of the air gap: Machine learning for reliable intrusion detection in SCADA systems | |
Om et al. | Statistical techniques in anomaly intrusion detection system | |
Chen et al. | Multi-level adaptive coupled method for industrial control networks safety based on machine learning | |
Lambert II | Security analytics: Using deep learning to detect Cyber Attacks | |
Wassan et al. | A Smart Comparative Analysis for Secure Electronic Websites. | |
Harbola et al. | Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set | |
Diaba et al. | SCADA securing system using deep learning to prevent cyber infiltration | |
Meduri | Cybersecurity threats in banking: Unsupervised fraud detection analysis | |
Goyal et al. | A semantic machine learning approach for cyber security monitoring | |
Alalayah et al. | Optimal Deep Learning Based Intruder Identification in Industrial Internet of Things Environment. | |
Zhang et al. | An anomaly detection model for network intrusions using one-class SVM and scaling strategy | |
Saheed et al. | Autoencoder via DCNN and LSTM models for intrusion detection in industrial control systems of critical infrastructures | |
CN115758336A (en) | Asset identification method and device | |
Zhou et al. | IBBO-LSSVM-based network anomaly intrusion detection | |
Ding et al. | High efficient intrusion detection methodology with twin support vector machines | |
Muliukha et al. | Anomaly Detection Approach in Cyber Security for User and Entity Behavior Analytics System. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||