CN110113332A - Method and device for detecting whether an industrial control protocol is abnormal - Google Patents
- Publication number
- CN110113332A CN201910362413.7A
- Authority
- CN
- China
- Prior art keywords
- industrial control
- control protocol
- preset
- absence
- abnormal
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Maintenance And Management Of Digital Transmission (AREA)
Abstract
Embodiments of the present invention provide a method and device for detecting whether an industrial control protocol is abnormal. The method comprises: obtaining communication messages of the industrial control protocol, the communication messages being multiple communication messages that have the same message length and reach a preset quantity; performing multiple sequence alignment on all the communication messages and, according to the multiple sequence alignment result, obtaining the target fields whose sequence content is variable; determining the classification type corresponding to each target field, performing semantic inference on each class of target field separately, comparing the semantic inference result of each class with preset anomaly detection rules, and determining from the comparison whether the industrial control protocol is abnormal. The classification types are divided based on message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to preset classification types. The device executes the above method. The method and device provided by the embodiments of the present invention can comprehensively detect whether an industrial control protocol is abnormal.
Description
Technical field
The present invention relates to the technical field of industrial control network security, and in particular to a method and device for detecting whether an industrial control protocol is abnormal.
Background
With the development of industrial control technology, industrial control networks are prone to high-risk security risks, so identifying these risks is particularly important.
In the prior art, high-risk security risks are generally identified with respect to either the industrial control environment or the industrial control protocol. Identification for the industrial control environment is usually implemented on the basis of the application scenario of a particular industrial control industry; for example, there are high-risk security risk identification methods for the petrochemical industry. Because such a method is closely tied to the petrochemical application scenario, it cannot be applied to the application scenarios of other industrial control industries and therefore has considerable limitations. Identification for the industrial control protocol extracts industrial control behavior features to generate detection rules, for example, that a Modbus request message must have a response message. However, this detection method cannot comprehensively and accurately detect potential industrial control network security risks.
Therefore, how to avoid the above drawbacks and accurately, efficiently and comprehensively detect whether an industrial control protocol is abnormal, and thereby determine whether an industrial control network security risk exists, has become a problem that needs to be solved.
Summary of the invention
In view of the problems in the prior art, embodiments of the present invention provide a method and device for detecting whether an industrial control protocol is abnormal.
An embodiment of the present invention provides a method for detecting whether an industrial control protocol is abnormal, comprising:
Obtaining communication messages of the industrial control protocol, the communication messages being multiple communication messages that have the same message length and reach a preset quantity;
Performing multiple sequence alignment on all the communication messages and, according to the multiple sequence alignment result, obtaining the target fields whose sequence content is variable;
Determining the classification type corresponding to each target field, performing semantic inference on each class of target field separately, comparing the semantic inference result of each class with preset anomaly detection rules, and determining from the comparison whether the industrial control protocol is abnormal; wherein the classification types are divided based on message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to preset classification types.
An embodiment of the present invention provides a device for detecting whether an industrial control protocol is abnormal, comprising:
An acquiring unit, configured to obtain communication messages of the industrial control protocol, the communication messages being multiple communication messages that have the same message length and reach a preset quantity;
A comparison unit, configured to perform multiple sequence alignment on all the communication messages and, according to the multiple sequence alignment result, obtain the target fields whose sequence content is variable;
A detection unit, configured to determine the classification type corresponding to each target field, perform semantic inference on each class of target field separately, compare the semantic inference result of each class with preset anomaly detection rules, and determine from the comparison whether the industrial control protocol is abnormal; wherein the classification types are divided based on message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to preset classification types.
An embodiment of the present invention provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein
The processor implements the following method steps when executing the program:
Obtaining communication messages of the industrial control protocol, the communication messages being multiple communication messages that have the same message length and reach a preset quantity;
Performing multiple sequence alignment on all the communication messages and, according to the multiple sequence alignment result, obtaining the target fields whose sequence content is variable;
Determining the classification type corresponding to each target field, performing semantic inference on each class of target field separately, comparing the semantic inference result of each class with preset anomaly detection rules, and determining from the comparison whether the industrial control protocol is abnormal; wherein the classification types are divided based on message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to preset classification types.
An embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program implementing the following method steps when executed by a processor:
Obtaining communication messages of the industrial control protocol, the communication messages being multiple communication messages that have the same message length and reach a preset quantity;
Performing multiple sequence alignment on all the communication messages and, according to the multiple sequence alignment result, obtaining the target fields whose sequence content is variable;
Determining the classification type corresponding to each target field, performing semantic inference on each class of target field separately, comparing the semantic inference result of each class with preset anomaly detection rules, and determining from the comparison whether the industrial control protocol is abnormal; wherein the classification types are divided based on message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to preset classification types.
The method and device for detecting whether an industrial control protocol is abnormal provided by the embodiments of the present invention perform multiple sequence alignment on all the communication messages to obtain the target fields whose sequence content is variable, classify all the target fields based on message format, and then compare the semantic inference result for each class of target field with the preset anomaly detection rules. In this way they can accurately, efficiently and comprehensively detect whether the industrial control protocol is abnormal and thereby determine whether an industrial control network security risk exists.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an embodiment of the method of the present invention for detecting whether an industrial control protocol is abnormal;
Fig. 2 is a schematic diagram of the message segments obtained using the MSA algorithm;
Fig. 3 is a schematic structural diagram of an embodiment of the device of the present invention for detecting whether an industrial control protocol is abnormal;
Fig. 4 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flowchart of an embodiment of the method of the present invention for detecting whether an industrial control protocol is abnormal. As shown in Fig. 1, the method provided by this embodiment comprises the following steps:
S101: Obtain communication messages of the industrial control protocol; the communication messages are multiple communication messages that have the same message length and reach a preset quantity.
Specifically, the device obtains communication messages of the industrial control protocol; the communication messages are multiple communication messages that have the same message length and reach a preset quantity. The communication messages within a preset period may be obtained; the preset period can be set as required by the actual situation and may optionally be 1 day. The communication messages may include request messages and the response messages to those request messages. This step can be implemented as follows:
First, the industrial control network traffic is grouped according to the services provided by the different industrial control devices. Second, within each group of industrial control network traffic, taking request messages as an example, the request messages with the same message length are grouped further. Finally, when a group of messages reaches the preset quantity, those messages are taken as the above multiple communication messages.
S102: Perform multiple sequence alignment on all the communication messages and, according to the multiple sequence alignment result, obtain the target fields whose sequence content is variable.
Specifically, the device performs multiple sequence alignment on all the communication messages and, according to the multiple sequence alignment result, obtains the target fields whose sequence content is variable. The multiple sequence alignment (MSA) algorithm may be used to align all the communication messages. Fig. 2 is a schematic diagram of the message segments obtained using the MSA algorithm; as shown in Fig. 2, multiple sequence alignment is performed on multiple messages of the same message length. Specifically, the MSA algorithm divides the original messages P_i (1 ≤ i ≤ m) into alternating identical segments (byte sequences whose content is the same in the different messages P_i) and different segments (byte sequences whose content differs in the different messages P_i), and every P_i contains the same number of segments, namely n segments.
Referring to Table 1, each sequence in Table 1 corresponds to the content of a message segment in Fig. 2; for example, 8c corresponds to S_{1,2} in Fig. 2. The target fields whose sequence content is variable are the fields in the second, fourth and sixth columns of Table 1.
Table 1
0300001f02f0803201000028 | 8c | 000e00000401120a100200 | 04 | 0000 | 83 | 000000 |
0300001f02f0803201000028 | 8d | 000e00000401120a100200 | 01 | 0000 | 81 | 000000 |
0300001f02f0803201000028 | 8e | 000e00000401120a100200 | 01 | 0000 | 82 | 000000 |
0300001f02f0803201000028 | 8f | 000e00000401120a100200 | 04 | 0000 | 83 | 000000 |
S103: Determine the classification type corresponding to each target field, perform semantic inference on each class of target field separately, compare the semantic inference result of each class with preset anomaly detection rules, and determine from the comparison whether the industrial control protocol is abnormal; the classification types are divided based on message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to preset classification types.
Specifically, the device determines the classification type corresponding to each target field, performs semantic inference on each class of target field separately, compares the semantic inference result of each class with the preset anomaly detection rules, and determines from the comparison whether the industrial control protocol is abnormal; the classification types are divided based on message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to preset classification types. Semantic inference here is semantic reasoning as described in Baidu Baike; the specific semantic reasoning method may be a heuristic inference method and is not specifically limited. The classification types may include a function code field, a counter field, a session negotiation field, a numeric field within a fixed value range, and so on. Referring to Table 1, the second column corresponds to a counter field, and the fourth and sixth columns each correspond to a numeric field within a fixed value range.
Function code field: for example, the different operations that programming software or configuration software performs on a controller (such as a PLC), that is, the codes corresponding to operations such as write variable, read variable, upload, download, start, stop, diagnose and force. The corresponding preset semantic constraint relationship is that the byte values of the byte at the designated position differ and each byte value is a preset value, the preset values being the byte values corresponding to write variable, read variable, upload, download, start, stop, diagnose and force. A semantic inference result that satisfies the preset semantic constraint relationship may likewise be that the byte values of the designated-position byte differ and each is a preset value. A semantic inference result that does not satisfy it may be that the designated-position byte always has the same byte value, or that it includes values other than the above 8 byte values. That is, if there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the function code field, it can be directly determined that the industrial control protocol is abnormal.
Counter field: for example, in the S7COMM protocol, the programming/configuration tool (client) sends the PLC (server) multiple messages whose data frame length is 87. The data increments (in these data frames it is 01 00, 02 00, 03 00, 04 00, 05 00, ...), so it is a counter field; referring to the example above, 8c~8f may also be a counter field. The corresponding preset semantic constraint relationship is that the byte values of the designated-position byte increase successively. A semantic inference result that satisfies the preset semantic constraint relationship may likewise be that the byte values of the designated-position byte increase. A semantic inference result that does not satisfy it may be that the byte values of the designated-position byte decrease, or that the value jumps. That is, if there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the counter field, it can be directly determined that the industrial control protocol is abnormal.
Session negotiation field: if the field at a given position is different in every different TCP connection but remains unchanged within one fixed TCP connection, the field can be inferred to be a session negotiation field, whose purpose is to distinguish different TCP connections. The corresponding preset semantic constraint relationship is that, across different TCP connections, the byte value of the designated-position byte is different each time, and within a fixed TCP connection the byte value of the designated-position byte remains unchanged each time. A semantic inference result that satisfies the preset semantic constraint relationship may likewise be the above. A semantic inference result that does not satisfy it may be that, across different TCP connections, byte values of the designated-position byte are numerically the same, or that, within a fixed TCP connection, byte values of the designated-position byte are numerically different. That is, if there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the session negotiation field, it can be directly determined that the industrial control protocol is abnormal.
Numeric field within a fixed value range: referring to the example above, as specified by the protocol, the Length and Area fields are both numeric fields within a fixed value range, that is, the value of Length and the value of Area both lie within a fixed value range. The corresponding preset semantic constraint relationship is that the byte value of the designated-position byte lies within the fixed value range. A semantic inference result that satisfies the preset semantic constraint relationship may likewise be the above. A semantic inference result that does not satisfy it may be that the byte value of the designated-position byte is not within the fixed value range. That is, if there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the numeric field within a fixed value range, it can be directly determined that the industrial control protocol is abnormal.
It should be understood that if, for the preset semantic constraint relationships corresponding to the function code field, the counter field, the session negotiation field and the numeric field within a fixed value range, no semantic inference result is detected that fails to satisfy any of them, it can be determined that the industrial control protocol is not abnormal. After that determination, the result may be further confirmed manually.
The preset anomaly detection rules may be the whitelist rules commonly used in the industrial control field. The form of the rules may follow, but is not limited to, the rules of anomaly detection engines such as snort, bro and suricata. Feedback verification may also be performed on newly added message sequences, and the preset anomaly detection rules updated according to the feedback verification result. Before the preset anomaly detection rules are updated, manual confirmation may additionally be carried out to further improve detection accuracy.
When the industrial control protocol is detected to be abnormal, alarm information may also be generated.
The method for detecting whether an industrial control protocol is abnormal provided by this embodiment performs multiple sequence alignment on all the communication messages to obtain the target fields whose sequence content is variable, classifies all the target fields based on message format, and then compares the semantic inference result for each class of target field with the preset anomaly detection rules. In this way it can accurately, efficiently and comprehensively detect whether the industrial control protocol is abnormal and thereby determine whether an industrial control network security risk exists.
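Steps S101 to S103 applied to the Table 1 messages, as an added example that is not part of the patent text: it learns a counter rule and fixed-value-range rules from the variable segments and then checks a second batch against them. Because the messages already share one length, alignment is simplified here to a byte-position comparison rather than a general MSA algorithm; the function names, the heuristic that separates counters from fixed-range fields, the counter wrap-around handling and the SUSPECT batch are assumptions of this example.

```python
"""Learn field constraints from equal-length ICS messages and check a new batch."""

# Table 1 from the page; bytes.fromhex() ignores the spaces between segments.
BASELINE = [bytes.fromhex(row) for row in (
    "0300001f02f0803201000028 8c 000e00000401120a100200 04 0000 83 000000",
    "0300001f02f0803201000028 8d 000e00000401120a100200 01 0000 81 000000",
    "0300001f02f0803201000028 8e 000e00000401120a100200 01 0000 82 000000",
    "0300001f02f0803201000028 8f 000e00000401120a100200 04 0000 83 000000",
)]

# Constructed batch (not from the page): the counter jumps 0x91 -> 0x93, then
# falls back to 0x92, and the fourth segment carries 0x07, unseen in Table 1.
SUSPECT = [bytes.fromhex(row) for row in (
    "0300001f02f0803201000028 90 000e00000401120a100200 04 0000 83 000000",
    "0300001f02f0803201000028 91 000e00000401120a100200 01 0000 81 000000",
    "0300001f02f0803201000028 93 000e00000401120a100200 07 0000 82 000000",
    "0300001f02f0803201000028 92 000e00000401120a100200 01 0000 83 000000",
)]


def split_segments(msgs):
    """S102 (simplified): alternating (start, end, is_variable) byte segments."""
    if not msgs:
        raise ValueError("no messages")
    length = len(msgs[0])
    if any(len(m) != length for m in msgs):
        raise ValueError("messages must share one length (step S101)")
    varies = [len({m[i] for m in msgs}) > 1 for i in range(length)]
    segments, start = [], 0
    for i in range(1, length + 1):
        if i == length or varies[i] != varies[start]:
            segments.append((start, i, varies[start]))
            start = i
    return segments


def learn_profile(msgs):
    """S103, inference half: classify each variable segment heuristically."""
    fields = {}
    for start, end, variable in split_segments(msgs):
        if not variable:
            continue
        modulus = 256 ** (end - start)
        # Big-endian interpretation is an assumption; Table 1 fields are 1 byte.
        values = [int.from_bytes(m[start:end], "big") for m in msgs]
        steps = [(b - a) % modulus for a, b in zip(values, values[1:])]
        if all(step == 1 for step in steps):
            fields[(start, end)] = ("counter", frozenset())
        else:
            fields[(start, end)] = ("fixed_range", frozenset(values))
    return {"length": len(msgs[0]), "fields": fields}


def check_batch(profile, msgs):
    """S103, comparison half: return (msg index, offset, field type, reason)."""
    findings, usable = [], []
    for idx, m in enumerate(msgs):
        if len(m) != profile["length"]:
            findings.append((idx, None, "length", "unexpected message length"))
        else:
            usable.append((idx, m))
    for (start, end), (kind, allowed) in sorted(profile["fields"].items()):
        modulus = 256 ** (end - start)
        values = [(idx, int.from_bytes(m[start:end], "big")) for idx, m in usable]
        if kind == "counter":
            for (_, a), (idx, b) in zip(values, values[1:]):
                if (b - a) % modulus != 1:  # modulus tolerates 0xff -> 0x00
                    reason = "decrease" if b < a else "repeat" if b == a else "jump"
                    findings.append((idx, start, kind, reason))
        else:
            findings.extend((idx, start, kind, "value outside learned set")
                            for idx, v in values if v not in allowed)
    return findings


if __name__ == "__main__":
    profile = learn_profile(BASELINE)
    for finding in check_batch(profile, SUSPECT):
        print(finding)
```

A set learned from four messages is only as complete as the capture, which is why the page has rule updates confirmed manually before they take effect.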
On the basis of the above embodiment, the classification types include a function code field, and the corresponding preset semantic constraint relationship is that the byte values of the designated-position byte differ and each byte value is a preset value. Correspondingly, comparing the semantic inference result of each class with the preset anomaly detection rules and determining from the comparison whether the industrial control protocol is abnormal comprises:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the function code field, directly determining that the industrial control protocol is abnormal.
Specifically, if the device determines that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the function code field, it can directly determine that the industrial control protocol is abnormal. See the description above; the details are not repeated.
With the preset semantic constraint relationship corresponding to the function code field, the method provided by this embodiment can further accurately, efficiently and comprehensively detect whether the industrial control protocol is abnormal and thereby determine whether an industrial control network security risk exists.
On the basis of the above embodiment, the classification types include a counter field, and the corresponding preset semantic constraint relationship is that the byte values of the designated-position byte increase successively. Correspondingly, comparing the semantic inference result of each class with the preset anomaly detection rules and determining from the comparison whether the industrial control protocol is abnormal comprises:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the counter field, directly determining that the industrial control protocol is abnormal.
Specifically, if the device determines that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the counter field, it can directly determine that the industrial control protocol is abnormal. See the description above; the details are not repeated.
With the preset semantic constraint relationship corresponding to the counter field, the method provided by this embodiment can further accurately, efficiently and comprehensively detect whether the industrial control protocol is abnormal and thereby determine whether an industrial control network security risk exists.
On the basis of the above embodiment, the classification types include a session negotiation field, and the corresponding preset semantic constraint relationship is that, across different TCP connections, the byte value of the designated-position byte is different each time, and within a fixed TCP connection the byte value of the designated-position byte remains unchanged each time. Correspondingly, comparing the semantic inference result of each class with the preset anomaly detection rules and determining from the comparison whether the industrial control protocol is abnormal comprises:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the session negotiation field, directly determining that the industrial control protocol is abnormal.
Specifically, if the device determines that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the session negotiation field, it can directly determine that the industrial control protocol is abnormal. See the description above; the details are not repeated.
With the preset semantic constraint relationship corresponding to the session negotiation field, the method provided by this embodiment can further accurately, efficiently and comprehensively detect whether the industrial control protocol is abnormal and thereby determine whether an industrial control network security risk exists.
On the basis of the above embodiment, the classification types include a numeric field within a fixed value range, and the corresponding preset semantic constraint relationship is that the byte value of the designated-position byte lies within the fixed value range. Correspondingly, comparing the semantic inference result of each class with the preset anomaly detection rules and determining from the comparison whether the industrial control protocol is abnormal comprises:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the numeric field within a fixed value range, directly determining that the industrial control protocol is abnormal.
Specifically, if the device determines that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the numeric field within a fixed value range, it can directly determine that the industrial control protocol is abnormal. See the description above; the details are not repeated.
With the preset semantic constraint relationship corresponding to the numeric field within a fixed value range, the method provided by this embodiment can further accurately, efficiently and comprehensively detect whether the industrial control protocol is abnormal and thereby determine whether an industrial control network security risk exists.
On the basis of the above embodiment, the preset anomaly detection rules further include preset sequence anomaly features. Correspondingly, the method further comprises:
Identifying the sequence features of all the communication messages, and if at least one sequence feature is detected to correspond to the preset sequence anomaly features, determining that the industrial control protocol is abnormal.
Specifically, the device identifies the sequence features of all the communication messages, and if it detects that at least one sequence feature corresponds to the preset sequence anomaly features, it determines that the industrial control protocol is abnormal. The preset sequence anomaly features may include an abnormal sequence length, an abnormal sending period interval of the communication message containing the sequence, and so on, and are not specifically limited.
With the preset sequence anomaly features, the method provided by this embodiment can further accurately, efficiently and comprehensively detect whether the industrial control protocol is abnormal and thereby determine whether an industrial control network security risk exists.
On the basis of the above embodiment, performing multiple sequence alignment on all the communication messages comprises:
Performing multiple sequence alignment on all the communication messages using the multiple sequence alignment (MSA) algorithm.
Specifically, the device performs multiple sequence alignment on all the communication messages using the multiple sequence alignment (MSA) algorithm. See the description above; the details are not repeated.
By using the MSA algorithm to perform multiple sequence alignment on all the communication messages, the method provided by this embodiment further ensures that the technical solution can be implemented efficiently.
Fig. 3 is a schematic structural diagram of an embodiment of the device of the present invention for detecting whether an industrial control protocol is abnormal. As shown in Fig. 3, an embodiment of the present invention provides a device for detecting whether an industrial control protocol is abnormal, including an acquiring unit 301, a comparison unit 302 and a detection unit 303, wherein:
The acquiring unit 301 is used to obtain communication messages of the industrial control protocol; the communication messages are multiple communication messages that have the same message length and reach a preset quantity. The comparison unit 302 is used to perform multiple sequence alignment on all communication messages and, according to the multiple sequence alignment result, obtain the target fields whose sequence content is variable. The detection unit 303 is used to determine the classification type corresponding to each target field, perform semantic inference on each class of target field separately, compare each class's semantic inference result with the preset anomaly detection rules, and determine from the comparison of the semantic inference results whether the industrial control protocol is abnormal; wherein the classification types are divided based on the message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to the preset classification types.
Specifically, the acquiring unit 301 is used to obtain communication messages of the industrial control protocol; the communication messages are multiple communication messages that have the same message length and reach a preset quantity. The comparison unit 302 is used to perform multiple sequence alignment on all communication messages and, according to the multiple sequence alignment result, obtain the target fields whose sequence content is variable. The detection unit 303 is used to determine the classification type corresponding to each target field, perform semantic inference on each class of target field separately, compare each class's semantic inference result with the preset anomaly detection rules, and determine from the comparison of the semantic inference results whether the industrial control protocol is abnormal; wherein the classification types are divided based on the message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to the preset classification types.
The device for detecting whether an industrial control protocol is abnormal provided by this embodiment of the present invention performs multiple sequence alignment on all communication messages to obtain the target fields whose sequence content is variable, classifies all target fields based on the message format, and then compares the semantic inference result for each class of target field with the preset anomaly detection rules, so that it can accurately, efficiently and comprehensively detect whether the industrial control protocol is abnormal, and thus determine whether an industrial control network security risk exists.
On the basis of the above embodiments, the classification types include a function code field, whose corresponding preset semantic constraint relationship is that the byte values of the byte at the designated position differ and each byte value is a preset value; correspondingly, the detection unit 303 is specifically used for:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the function code field, directly determining that the industrial control protocol is abnormal.
Specifically, the detection unit 303 is specifically used for: if it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the function code field, directly determining that the industrial control protocol is abnormal.
The device for detecting whether an industrial control protocol is abnormal provided by this embodiment of the present invention uses the preset semantic constraint relationship corresponding to the function code field to detect, more accurately, efficiently and comprehensively, whether the industrial control protocol is abnormal, and thus to determine whether an industrial control network security risk exists.
On the basis of the above embodiments, the classification types further include a counter field, whose corresponding preset semantic constraint relationship is that the byte values of the byte at the designated position increase successively; correspondingly, the detection unit 303 is specifically used for:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the counter field, directly determining that the industrial control protocol is abnormal.
Specifically, the detection unit 303 is specifically used for: if it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the counter field, directly determining that the industrial control protocol is abnormal.
The device for detecting whether an industrial control protocol is abnormal provided by this embodiment of the present invention uses the preset semantic constraint relationship corresponding to the counter field to detect, more accurately, efficiently and comprehensively, whether the industrial control protocol is abnormal, and thus to determine whether an industrial control network security risk exists.
On the basis of the above embodiments, the classification types further include a session negotiation field, whose corresponding preset semantic constraint relationship is that, across different TCP connections, the byte value of the byte at the designated position is different each time, and, within a fixed TCP connection, the byte value of the byte at the designated position remains unchanged each time; correspondingly, the detection unit 303 is specifically used for:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the session negotiation field, directly determining that the industrial control protocol is abnormal.
Specifically, the detection unit 303 is specifically used for: if it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the session negotiation field, directly determining that the industrial control protocol is abnormal.
The device for detecting whether an industrial control protocol is abnormal provided by this embodiment of the present invention uses the preset semantic constraint relationship corresponding to the session negotiation field to detect, more accurately, efficiently and comprehensively, whether the industrial control protocol is abnormal, and thus to determine whether an industrial control network security risk exists.
On the basis of the above embodiments, the classification types further include a numeric field within a fixed numeric range, whose corresponding preset semantic constraint relationship is that the byte value of the byte at the designated position lies within the fixed numeric range; correspondingly, the detection unit 303 is specifically used for:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the numeric field within the fixed numeric range, directly determining that the industrial control protocol is abnormal.
Specifically, the detection unit 303 is specifically used for: if it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the numeric field within the fixed numeric range, directly determining that the industrial control protocol is abnormal.
The device for detecting whether an industrial control protocol is abnormal provided by this embodiment of the present invention uses the preset semantic constraint relationship corresponding to the numeric field within the fixed numeric range to detect, more accurately, efficiently and comprehensively, whether the industrial control protocol is abnormal, and thus to determine whether an industrial control network security risk exists.
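The four field-level constraints described above (function code, counter, session negotiation, fixed-range numeric) can be checked in code as follows. This is an added example, not code from the patent: the 8-byte message layout, the rule table and both captures are constructed assumptions, and a column-wise comparison of equal-length messages stands in for the MSA step.

```python
from collections import defaultdict


def _msg(session, func, counter, value):
    # Assumed 8-byte layout (constructed for illustration, not from the patent):
    # 0-1 magic, 2 session token, 3 function code, 4 counter, 5 setpoint, 6-7 padding
    return bytes([0xAA, 0x55, session, func, counter, value, 0x00, 0x00])


# Classification by message format: offset -> (field type, parameter). Assumed values.
RULES = {
    2: ("session", None),
    3: ("function_code", {0x03, 0x10}),   # preset function codes
    4: ("counter", None),
    5: ("range", (0, 100)),               # fixed numeric range
}

# Constructed captures: (TCP connection id, message), in capture order.
BASELINE = [
    ("conn-1", _msg(0x11, 0x03, 1, 40)),
    ("conn-1", _msg(0x11, 0x10, 2, 42)),
    ("conn-1", _msg(0x11, 0x03, 3, 41)),
    ("conn-2", _msg(0x7C, 0x03, 1, 39)),
    ("conn-2", _msg(0x7C, 0x10, 2, 40)),
]
SUSPECT = [
    ("conn-3", _msg(0x21, 0x03, 1, 40)),
    ("conn-3", _msg(0x21, 0x5A, 2, 41)),   # function code outside the preset set
    ("conn-3", _msg(0x21, 0x03, 4, 40)),   # counter jumps from 2 to 4
    ("conn-4", _msg(0x21, 0x03, 1, 200)),  # token reused from conn-3, value out of range
    ("conn-4", _msg(0x3F, 0x03, 2, 40)),   # token changes inside conn-4
]


def variable_offsets(capture):
    """Offsets whose byte varies across the equal-length messages (the target fields)."""
    lengths = {len(msg) for _, msg in capture}
    if len(lengths) != 1:
        raise ValueError("all messages must have the same length")
    return [i for i in range(lengths.pop())
            if len({msg[i] for _, msg in capture}) > 1]


def check_field(capture, offset, kind, param):
    """Return findings as (field type, offset, connection, detail) tuples."""
    groups = defaultdict(list)            # connection -> byte values in capture order
    for conn, msg in capture:
        groups[conn].append(msg[offset])
    findings = []
    if kind == "function_code":
        for conn, values in groups.items():
            findings += [(kind, offset, conn, f"0x{v:02x} is not a preset function code")
                         for v in values if v not in param]
    elif kind == "counter":
        # Assumption: the counter is per connection and wraps at 256.
        for conn, values in groups.items():
            findings += [(kind, offset, conn, f"{prev} followed by {cur}")
                         for prev, cur in zip(values, values[1:])
                         if cur != (prev + 1) % 256]
    elif kind == "session":
        owners = defaultdict(set)         # token -> connections that used it
        for conn, values in groups.items():
            if len(set(values)) > 1:
                findings.append((kind, offset, conn, "token changed inside one TCP connection"))
            for v in set(values):
                owners[v].add(conn)
        for v, conns in owners.items():
            if len(conns) > 1:
                findings.append((kind, offset, ",".join(sorted(conns)),
                                 f"token 0x{v:02x} shared across TCP connections"))
    elif kind == "range":
        lo, hi = param
        for conn, values in groups.items():
            findings += [(kind, offset, conn, f"{v} outside [{lo}, {hi}]")
                         for v in values if not lo <= v <= hi]
    else:
        raise ValueError(f"unknown field type: {kind}")
    return findings


def detect(capture, rules):
    """Check every variable field that has a rule; any finding marks the protocol abnormal."""
    findings = []
    for offset in variable_offsets(capture):
        if offset in rules:
            kind, param = rules[offset]
            findings.extend(check_field(capture, offset, kind, param))
    return findings


if __name__ == "__main__":
    for name, capture in (("baseline", BASELINE), ("suspect", SUSPECT)):
        result = detect(capture, RULES)
        print(name, "abnormal" if result else "normal")
        for finding in result:
            print("  ", finding)
```
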
On the basis of the above embodiments, the preset anomaly detection rules further include preset sequence anomaly features; correspondingly, the device is also used for:
Identifying the sequence features of all communication messages, and, if at least one sequence feature is detected to correspond to a preset sequence anomaly feature, determining that the industrial control protocol is abnormal.
Specifically, the device is also used for: identifying the sequence features of all communication messages, and, if at least one sequence feature is detected to correspond to a preset sequence anomaly feature, determining that the industrial control protocol is abnormal.
The device for detecting whether an industrial control protocol is abnormal provided by this embodiment of the present invention uses the preset sequence anomaly features to detect, more accurately, efficiently and comprehensively, whether the industrial control protocol is abnormal, and thus to determine whether an industrial control network security risk exists.
On the basis of the above embodiments, the comparison unit 302 is specifically used for:
Performing multiple sequence alignment on all communication messages using a multiple sequence alignment (MSA) algorithm.
Specifically, the comparison unit 302 is specifically used for: performing multiple sequence alignment on all communication messages using the MSA algorithm.
The device for detecting whether an industrial control protocol is abnormal provided by this embodiment of the present invention performs multiple sequence alignment on all communication messages using the MSA algorithm, which further ensures that the technical solution can be implemented efficiently.
The device for detecting whether an industrial control protocol is abnormal provided by this embodiment of the present invention can be used to execute the processing flows of the method embodiments above; its functions are not described again here, and reference may be made to the detailed description of the method embodiments above.
Fig. 4 is a schematic diagram of the physical structure of the electronic device provided by an embodiment of the present invention. As shown in Fig. 4, the electronic device includes: a processor 401, a memory 402 and a bus 403;
Wherein the processor 401 and the memory 402 communicate with each other through the bus 403;
The processor 401 is used to call the program instructions in the memory 402 to execute the methods provided by the method embodiments above, for example including: obtaining communication messages of the industrial control protocol, the communication messages being multiple communication messages that have the same message length and reach a preset quantity; performing multiple sequence alignment on all communication messages and, according to the multiple sequence alignment result, obtaining the target fields whose sequence content is variable; determining the classification type corresponding to each target field, performing semantic inference on each class of target field separately, comparing each class's semantic inference result with the preset anomaly detection rules, and determining from the comparison of the semantic inference results whether the industrial control protocol is abnormal; wherein the classification types are divided based on the message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to the preset classification types.
This embodiment discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions; when the program instructions are executed by a computer, the computer is able to execute the methods provided by the method embodiments above, for example including: obtaining communication messages of the industrial control protocol, the communication messages being multiple communication messages that have the same message length and reach a preset quantity; performing multiple sequence alignment on all communication messages and, according to the multiple sequence alignment result, obtaining the target fields whose sequence content is variable; determining the classification type corresponding to each target field, performing semantic inference on each class of target field separately, comparing each class's semantic inference result with the preset anomaly detection rules, and determining from the comparison of the semantic inference results whether the industrial control protocol is abnormal; wherein the classification types are divided based on the message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to the preset classification types.
This embodiment provides a non-transitory computer-readable storage medium. The non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause the computer to execute the methods provided by the method embodiments above, for example including: obtaining communication messages of the industrial control protocol, the communication messages being multiple communication messages that have the same message length and reach a preset quantity; performing multiple sequence alignment on all communication messages and, according to the multiple sequence alignment result, obtaining the target fields whose sequence content is variable; determining the classification type corresponding to each target field, performing semantic inference on each class of target field separately, comparing each class's semantic inference result with the preset anomaly detection rules, and determining from the comparison of the semantic inference results whether the industrial control protocol is abnormal; wherein the classification types are divided based on the message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to the preset classification types.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above can be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes various media that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solution, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (16)
1. A method for detecting whether an industrial control protocol is abnormal, characterized by comprising:
Obtaining communication messages of the industrial control protocol; the communication messages are multiple communication messages that have the same message length and reach a preset quantity;
Performing multiple sequence alignment on all communication messages and, according to the multiple sequence alignment result, obtaining the target fields whose sequence content is variable;
Determining the classification type corresponding to each target field, performing semantic inference on each class of target field separately, comparing each class's semantic inference result with preset anomaly detection rules, and determining from the comparison of the semantic inference results whether the industrial control protocol is abnormal; wherein the classification types are divided based on the message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to the preset classification types.
2. The method for detecting whether an industrial control protocol is abnormal according to claim 1, characterized in that the classification types include a function code field, whose corresponding preset semantic constraint relationship is that the byte values of the byte at the designated position differ and each byte value is a preset value; correspondingly, comparing each class's semantic inference result with the preset anomaly detection rules and determining from the comparison of the semantic inference results whether the industrial control protocol is abnormal comprises:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the function code field, directly determining that the industrial control protocol is abnormal.
3. The method for detecting whether an industrial control protocol is abnormal according to claim 2, characterized in that the classification types further include a counter field, whose corresponding preset semantic constraint relationship is that the byte values of the byte at the designated position increase successively; correspondingly, comparing each class's semantic inference result with the preset anomaly detection rules and determining from the comparison of the semantic inference results whether the industrial control protocol is abnormal comprises:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the counter field, directly determining that the industrial control protocol is abnormal.
4. The method for detecting whether an industrial control protocol is abnormal according to claim 3, characterized in that the classification types further include a session negotiation field, whose corresponding preset semantic constraint relationship is that, across different TCP connections, the byte value of the byte at the designated position is different each time, and, within a fixed TCP connection, the byte value of the byte at the designated position remains unchanged each time; correspondingly, comparing each class's semantic inference result with the preset anomaly detection rules and determining from the comparison of the semantic inference results whether the industrial control protocol is abnormal comprises:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the session negotiation field, directly determining that the industrial control protocol is abnormal.
5. The method for detecting whether an industrial control protocol is abnormal according to claim 4, characterized in that the classification types further include a numeric field within a fixed numeric range, whose corresponding preset semantic constraint relationship is that the byte value of the byte at the designated position lies within the fixed numeric range; correspondingly, comparing each class's semantic inference result with the preset anomaly detection rules and determining from the comparison of the semantic inference results whether the industrial control protocol is abnormal comprises:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the numeric field within the fixed numeric range, directly determining that the industrial control protocol is abnormal.
6. The method for detecting whether an industrial control protocol is abnormal according to any one of claims 1 to 5, characterized in that the preset anomaly detection rules further include preset sequence anomaly features; correspondingly, the method further comprises:
Identifying the sequence features of all communication messages, and, if at least one sequence feature is detected to correspond to a preset sequence anomaly feature, determining that the industrial control protocol is abnormal.
7. The method for detecting whether an industrial control protocol is abnormal according to any one of claims 1 to 5, characterized in that performing multiple sequence alignment on all communication messages comprises:
Performing multiple sequence alignment on all communication messages using a multiple sequence alignment (MSA) algorithm.
8. A device for detecting whether an industrial control protocol is abnormal, characterized by comprising:
An acquiring unit, used to obtain communication messages of the industrial control protocol; the communication messages are multiple communication messages that have the same message length and reach a preset quantity;
A comparison unit, used to perform multiple sequence alignment on all communication messages and, according to the multiple sequence alignment result, obtain the target fields whose sequence content is variable;
A detection unit, used to determine the classification type corresponding to each target field, perform semantic inference on each class of target field separately, compare each class's semantic inference result with preset anomaly detection rules, and determine from the comparison of the semantic inference results whether the industrial control protocol is abnormal; wherein the classification types are divided based on the message format, and the preset anomaly detection rules include preset semantic constraint relationships corresponding to the preset classification types.
9. The device for detecting whether an industrial control protocol is abnormal according to claim 8, characterized in that the classification types include a function code field, whose corresponding preset semantic constraint relationship is that the byte values of the byte at the designated position differ and each byte value is a preset value; correspondingly, the detection unit is specifically used for:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the function code field, directly determining that the industrial control protocol is abnormal.
10. The device for detecting whether an industrial control protocol is abnormal according to claim 9, characterized in that the classification types further include a counter field, whose corresponding preset semantic constraint relationship is that the byte values of the byte at the designated position increase successively; correspondingly, the detection unit is specifically used for:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the counter field, directly determining that the industrial control protocol is abnormal.
11. The device for detecting whether an industrial control protocol is abnormal according to claim 10, characterized in that the classification types further include a session negotiation field, whose corresponding preset semantic constraint relationship is that, across different TCP connections, the byte value of the byte at the designated position is different each time, and, within a fixed TCP connection, the byte value of the byte at the designated position remains unchanged each time; correspondingly, the detection unit is specifically used for:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the session negotiation field, directly determining that the industrial control protocol is abnormal.
12. The device for detecting whether an industrial control protocol is abnormal according to claim 11, characterized in that the classification types further include a numeric field within a fixed numeric range, whose corresponding preset semantic constraint relationship is that the byte value of the byte at the designated position lies within the fixed numeric range; correspondingly, the detection unit is specifically used for:
If it is determined that there is a semantic inference result that does not satisfy the preset semantic constraint relationship corresponding to the numeric field within the fixed numeric range, directly determining that the industrial control protocol is abnormal.
13. The device for detecting whether an industrial control protocol is abnormal according to any one of claims 8 to 12, characterized in that the preset anomaly detection rules further include preset sequence anomaly features; correspondingly, the device is also used for:
Identifying the sequence features of all communication messages, and, if at least one sequence feature is detected to correspond to a preset sequence anomaly feature, determining that the industrial control protocol is abnormal.
14. The device for detecting whether an industrial control protocol is abnormal according to any one of claims 8 to 12, characterized in that the comparison unit is specifically used for:
Performing multiple sequence alignment on all communication messages using a multiple sequence alignment (MSA) algorithm.
15. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 7.
16. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910362413.7A CN110113332A (en) | 2019-04-30 | 2019-04-30 | A kind of detection industry control agreement whether there is the method and device of exception |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110113332A true CN110113332A (en) | 2019-08-09 |
Family
ID=67487937
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910362413.7A Pending CN110113332A (en) | 2019-04-30 | 2019-04-30 | A kind of detection industry control agreement whether there is the method and device of exception |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110113332A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110891068A (en) * | 2019-12-18 | 2020-03-17 | 北京网太科技发展有限公司 | Routing protocol anomaly detection method and device based on correlation analysis |
CN110912927A (en) * | 2019-12-09 | 2020-03-24 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting control message in industrial control system |
CN111478966A (en) * | 2020-04-07 | 2020-07-31 | 全球能源互联网研究院有限公司 | Internet of things protocol analysis method and device, computer equipment and storage medium |
CN111585832A (en) * | 2020-04-01 | 2020-08-25 | 浙江树人学院(浙江树人大学) | Industrial control protocol reverse analysis method based on semantic pre-mining |
CN112039196A (en) * | 2020-04-22 | 2020-12-04 | 广东电网有限责任公司 | Power monitoring system private protocol analysis method based on protocol reverse engineering |
CN112468516A (en) * | 2020-12-17 | 2021-03-09 | 全球能源互联网研究院有限公司 | Security defense method and device, electronic equipment and storage medium |
CN115361308A (en) * | 2022-08-19 | 2022-11-18 | 一汽解放汽车有限公司 | Industrial control network data risk determination method, device, equipment and storage medium |
CN116595529A (en) * | 2023-07-18 | 2023-08-15 | 山东溯源安全科技有限公司 | Information security detection method, electronic equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102891852A (en) * | 2012-10-11 | 2013-01-23 | 中国人民解放军理工大学 | Message analysis-based protocol format automatic inferring method |
CN107665191A (en) * | 2017-10-19 | 2018-02-06 | 中国人民解放军陆军工程大学 | Private protocol message format inference method based on extended prefix tree |
CN108337266A (en) * | 2018-03-07 | 2018-07-27 | 中国科学院信息工程研究所 | A kind of efficient protocol client vulnerability mining method and system |
US10050987B1 (en) * | 2017-03-28 | 2018-08-14 | Symantec Corporation | Real-time anomaly detection in a network using state transitions |
CN109040081A (en) * | 2018-08-10 | 2018-12-18 | 哈尔滨工业大学(威海) | A kind of protocol fields conversed analysis system and method based on BWT |
CN110401624A (en) * | 2018-04-25 | 2019-11-01 | 全球能源互联网研究院有限公司 | The detection method and system of source net G system mutual message exception |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102891852A (en) * | 2012-10-11 | 2013-01-23 | 中国人民解放军理工大学 | Message analysis-based protocol format automatic inferring method |
US10050987B1 (en) * | 2017-03-28 | 2018-08-14 | Symantec Corporation | Real-time anomaly detection in a network using state transitions |
CN107665191A (en) * | 2017-10-19 | 2018-02-06 | 中国人民解放军陆军工程大学 | Private protocol message format inference method based on extended prefix tree |
CN108337266A (en) * | 2018-03-07 | 2018-07-27 | 中国科学院信息工程研究所 | A kind of efficient protocol client vulnerability mining method and system |
CN110401624A (en) * | 2018-04-25 | 2019-11-01 | 全球能源互联网研究院有限公司 | The detection method and system of source net G system mutual message exception |
CN109040081A (en) * | 2018-08-10 | 2018-12-18 | 哈尔滨工业大学(威海) | A kind of protocol fields conversed analysis system and method based on BWT |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110912927A (en) * | 2019-12-09 | 2020-03-24 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting control message in industrial control system |
CN110891068A (en) * | 2019-12-18 | 2020-03-17 | 北京网太科技发展有限公司 | Routing protocol anomaly detection method and device based on correlation analysis |
CN111585832A (en) * | 2020-04-01 | 2020-08-25 | 浙江树人学院(浙江树人大学) | Industrial control protocol reverse analysis method based on semantic pre-mining |
CN111478966A (en) * | 2020-04-07 | 2020-07-31 | 全球能源互联网研究院有限公司 | Internet of things protocol analysis method and device, computer equipment and storage medium |
CN112039196A (en) * | 2020-04-22 | 2020-12-04 | 广东电网有限责任公司 | Power monitoring system private protocol analysis method based on protocol reverse engineering |
CN112468516A (en) * | 2020-12-17 | 2021-03-09 | 全球能源互联网研究院有限公司 | Security defense method and device, electronic equipment and storage medium |
CN115361308A (en) * | 2022-08-19 | 2022-11-18 | 一汽解放汽车有限公司 | Industrial control network data risk determination method, device, equipment and storage medium |
CN116595529A (en) * | 2023-07-18 | 2023-08-15 | 山东溯源安全科技有限公司 | Information security detection method, electronic equipment and storage medium |
CN116595529B (en) * | 2023-07-18 | 2023-09-19 | 山东溯源安全科技有限公司 | Information security detection method, electronic equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110113332A (en) | A kind of detection industry control agreement whether there is the method and device of exception | |
CN110191094A (en) | Monitoring method and device, storage medium, the terminal of abnormal data | |
US20170075746A1 (en) | Information processing device and monitoring method | |
US20150293755A1 (en) | System and automated method for configuring a predictive model and deploying it on a target platform | |
EP3428828B1 (en) | System and method for locating and correcting vulnerabilites in a target computer system | |
US11687658B2 (en) | Software code vulnerability remediation | |
CN106326119A (en) | Method and device for generating test case | |
CN111813635A (en) | Monitoring method, system and device for intelligent contracts of block chains | |
CN108153643A (en) | Daily record monitoring system and method | |
EP3896543A1 (en) | Device for evaluating a classification made for a measured data point | |
CN111768287A (en) | Period identification method, period identification device, server and readable storage medium | |
US20140245440A1 (en) | Software Inspection System | |
US20240192668A1 (en) | Defect profiling and tracking system for process-manufacturing enterprise | |
WO2015055373A2 (en) | Case-based reasoning | |
CN111884858A (en) | Equipment asset information verification method, device, system and medium | |
EP4221081A1 (en) | Detecting behavioral change of iot devices using novelty detection based behavior traffic modeling | |
Stratulat | E-Cyclist: Implementation of an efficient validation of FOLID cyclic induction reasoning | |
US20220229430A1 (en) | System and method for cause and effect analysis of anomaly detection applications | |
CN116644028A (en) | Log archiving method, device, equipment and medium | |
CN114722025A (en) | Data prediction method, device and equipment based on prediction model and storage medium | |
CN112994931A (en) | Rule matching method and equipment | |
EP4354244A1 (en) | Anomaly detection for industrial assets | |
US20150112912A1 (en) | Case-based reasoning | |
CN110347713A (en) | Business monitoring rule, business monitoring index generate method and device | |
CN105608374B (en) | The detection method and device of virtual machine escape |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190809 |