CN110351237A - Honey jar method and device for numerically-controlled machine tool - Google Patents


Info

Publication number: CN110351237A
Authority: CN (China)
Legal status: Granted
Application number: CN201910435072.1A
Other languages: Chinese (zh)
Other versions: CN110351237B (en)
Inventors: 孙利民, 栾世杰, 吕世超, 游建舟, 石志强, 李红
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1433 Vulnerability analysis
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

An embodiment of the present invention provides a honeypot method and device for a CNC (numerically-controlled) machine tool. The method comprises: obtaining a request initiated by a request source to the CNC machine tool and judging whether the request is a probe request; if the request is not a probe request, parsing the request to determine the industrial control protocol it uses; and if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability, not responding to the request. By simulating the responses of a real CNC machine tool to requests, the honeypot method and device provided in the embodiments can effectively lure an attacker's unauthorized access, confuse the attacker, protect the CNC machine tool in a targeted way according to the attacker's behaviour, and improve the reliability of the security protection.

Description

Honeypot method and device for a CNC machine tool
Technical field
The present invention relates to the field of computer technology, and in particular to a honeypot method and device for a CNC machine tool.
Background technique
In recent years, with the continuous advance of intelligent manufacturing, industrial manufacturing and the internet have merged deeply; the network security problems behind intelligent manufacturing have become ever more prominent, and the demand for security keeps growing.
CNC machine tools play a very important role in industrial control systems and are among the key industrial control devices for production automation. At present, however, most enterprises use CNC systems (the operating system installed on the CNC machine tool) made by domestic and foreign manufacturers such as FANUC (Fa Nake), Siemens, Mitsubishi and Heidenhain. To the user these CNC systems are black boxes: whether they contain a security backdoor or a security threat, the user knows nothing. Security protection of CNC machine tools is therefore necessary.
At present, security protection techniques for CNC machine tools remain at the level of service management. They mainly include establishing a firewall in the CNC machine tool area to supervise inbound and outbound traffic, and methods that protect the CNC network along four dimensions: structural security, behavioural security, ontological security and genetic security. However, protection methods at the service management level work by detecting attacks; their false-alarm rate is very high, and they cannot protect the CNC machine tool itself, so the reliability of the protection is poor.
Summary of the invention
The embodiments of the present invention provide a honeypot method and device for a CNC machine tool, to solve or at least partly alleviate the defect that the prior art protects CNC machine tools with poor reliability.
In a first aspect, an embodiment of the present invention provides a honeypot method for a CNC machine tool, comprising:
obtaining a request initiated by a request source to the CNC machine tool, and judging whether the request is a probe request;
if the request is not a probe request, parsing the request and determining the industrial control protocol the request uses;
if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability, not responding to the request.
Preferably, after judging whether the request is a probe request, the method further includes:
if the request is a probe request, obtaining the probe type of the request and returning a response generated according to the probe type.
Preferably, after determining the industrial control protocol the request uses, the method further includes:
if, according to the industrial control protocol, the request is judged not to trigger any previously discovered vulnerability, obtaining the service requested by the request on the basis of the industrial control protocol, and returning the execution result of the service as the response to the request.
Preferably, after parsing the request, the method further includes:
if the industrial control protocol the request uses cannot be determined, performing data capture for the request.
Preferably, after determining the industrial control protocol the request uses, the method further includes:
if, according to the industrial control protocol, the request is judged to trigger at least one of the previously discovered vulnerabilities, performing data capture for the request.
Preferably, after judging whether the request is a probe request, the method further includes:
performing data capture for the request.
Preferably, after obtaining the request initiated to the CNC machine tool, the method further includes:
logging the request.
In a second aspect, an embodiment of the present invention provides a honeypot device for a CNC machine tool, comprising:
a fingerprint simulation module, for obtaining the request initiated by a request source to the CNC machine tool and judging whether the request is a probe request;
a protocol interaction module, for parsing the request and determining the industrial control protocol the request uses if the request is not a probe request;
a vulnerability deployment module, for not responding to the request if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, the processor implementing, when executing the program, the steps of the honeypot method for a CNC machine tool provided by any of the possible implementations of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, the program implementing, when executed by a processor, the steps of the honeypot method for a CNC machine tool provided by any of the possible implementations of the first aspect.
By simulating the responses of a real CNC machine tool to requests, the honeypot method and device provided in the embodiments can effectively lure an attacker's unauthorized access, confuse the attacker, protect the CNC machine tool in a targeted way according to the attacker's behaviour, and improve the reliability of the security protection.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the honeypot method for a CNC machine tool provided in an embodiment of the present invention;
Fig. 2 is a structural diagram of the honeypot device for a CNC machine tool provided in an embodiment of the present invention;
Fig. 3 is a diagram of the physical structure of the electronic device provided in an embodiment of the present invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
To overcome the above problem of the prior art, the embodiments of the present invention provide a honeypot method and device for a CNC machine tool. The inventive concept is to implement the honeypot method with a purpose-built honeypot device for the CNC machine tool; the device can effectively lure an attacker's unauthorized access and confuse the attacker, and thereby protect the real CNC machine tool.
Fig. 1 is a flow diagram of the honeypot method for a CNC machine tool provided in an embodiment of the present invention. As shown in Fig. 1, the method comprises step S101: obtaining a request initiated to the CNC machine tool, and judging whether the request is a probe request.
It should be noted that the executing subject of the honeypot method provided in the embodiments is the honeypot device built in advance.
A CNC machine tool provides a TCP (Transmission Control Protocol) connection service externally through a specific port, over which it performs NC (Numerical Control) data transfer, remote control and similar functions. The specific port depends on the CNC system of the machine tool. For example, the CNC system of a FANUC machine tool provides its TCP connection service on port 8193.
The honeypot device provides its services externally through at least one port selected in advance. The services offered may include at least one of: searching, deleting, reading and importing NC programs; reading and writing PMC (Programmable Machine Controller, the built-in PLC control technology of the CNC machine tool) parameters; and obtaining the coordinates of each axis, the running time, the machining count and device information.
The honeypot device acts as a decoy that lures the attacker into attacking the "CNC machine tool". After the attacker has attacked, monitoring and analysis reveal how attackers attack CNC machine tools and keep track of the newest attacks and vulnerabilities aimed at them, so that the CNC machine tool itself can be protected in a targeted way, with higher reliability.
The honeypot device regards the initiator of every request as an attacker.
The attacker initiates a request to the CNC machine tool. A request is a data packet. It is meant to trigger a service of the CNC system on the machine tool; the machine tool generates a response message from the result of that service and returns it to the initiator of the request. The attacker may be a terminal such as a personal computer, or a mobile terminal such as a smartphone or tablet computer.
The honeypot device obtains the requests initiated by the attacker by listening on each of the previously selected ports.
By parsing the request and replying with the corresponding response message, the honeypot device emulates the basic functions of the CNC machine tool and so achieves the purpose of luring the attack.
A real attacker may send requests by installing network scanning and sniffing tools such as Nmap (Network Mapper).
The attacker's requests fall into three types: probe requests, normal handshake requests and industrial control protocol requests. Normal requests comprise normal handshake requests and industrial control protocol requests.
The TCP header and payload of the request sent by the attacker are analysed to judge whether the request is a probe request or a normal request.
If it is not a probe request but a normal request, step S102 below is executed.
Step S102: if the request is not a probe request, the request is parsed to determine the industrial control protocol it uses.
It should be noted that the CNC systems of different vendors differ, and accordingly so do the industrial control protocols the CNC systems use.
For example, FANUC CNC machine tools use the FOCAS1/2 protocol, and the FANUC Mate 0i-D CNC machine tool uses the FOCAS2 protocol.
When an attacker accesses the honeypot device, the device establishes a session with the request source (the initiator of the request) according to the request.
The honeypot device may maintain a session queue to manage the sessions with the individual attackers. When an attacker accesses the honeypot device, the device establishes a session with that attacker and inserts it into the session queue; when the session ends, the device removes it from the session queue.
The honeypot device may include a protocol dispatcher.
The protocol dispatcher matches the application-layer data of the request against a fixed field (for example, a fixed field defined as a type field) to distinguish the different industrial control protocols, and thereby determines the industrial control protocol the request uses.
It will be understood that the basic protocol formats of the various industrial control protocols, each consisting of its fields, are preset in the honeypot system. The various industrial control protocols and their basic protocol formats may be obtained in advance by reverse engineering.
Step S103: if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability, the request is not responded to.
Here a vulnerability is a vulnerability in the CNC system that uses the industrial control protocol.
It should be noted that for each industrial control protocol, at least one vulnerability of the CNC system using that protocol can be obtained in advance, and the vulnerabilities of each CNC system are deployed in the honeypot device. The honeypot device can simulate each of these vulnerabilities and so deceive the attacker better.
For example, three denial-of-service vulnerabilities (0-day vulnerabilities) were discovered in advance in the FANUC Mate 0i-D CNC machine tool, numbered CNVD-2019-07658, CNVD-2019-07659 and CNVD-2019-07660 respectively.
It is judged whether the request triggers any of the at least one previously discovered vulnerabilities of the CNC system, where the CNC system is the one that uses the industrial control protocol of the request.
When the attacker, after probing and scanning, makes a tentative attack by sending a disguised normal request, the vulnerability is triggered if the attack hits one of the above vulnerabilities.
For a real CNC machine tool, triggering the vulnerability crashes the machine tool and it stops working. The honeypot device does not stop working, but it returns no result: it sends no response message to the attacker and stops providing the TCP connection service externally (simulating the CNC system on the machine tool switching into a non-responsive denial-of-service state), thereby simulating the crash of the CNC machine tool.
Since the real CNC machine tool's response to the request is to stop working, and a machine that has stopped working returns no response message, the honeypot device's response to the request is likewise to return no result to the attacker.
Further, after the request has been judged to trigger at least one previously discovered vulnerability, the honeypot device may resume providing the TCP connection service externally once a preset duration has elapsed.
The preset duration may be set close to the time a CNC machine tool takes to restart, for example 5 minutes, so that the attacker is more firmly convinced that the honeypot device is a real CNC machine tool.
The embodiments place no restriction on the specific value of the preset duration.
It should be noted that the honeypot device treats every received request as handled once it has responded. No response is itself a form of response; apart from no response, every other form of response is a response message.
It should be noted that each session between the honeypot device and an attacker is independent of the others.
By having the honeypot device simulate the responses of a real CNC machine tool to requests, the embodiments can effectively lure an attacker's unauthorized access, confuse the attacker, protect the CNC machine tool in a targeted way according to the attacker's behaviour, and improve the reliability of the security protection.
Based on the above embodiments, after judging whether the request is a probe request, the method further includes: if the request is a probe request, obtaining the probe type of the request and returning a response generated according to the probe type.
Specifically, during the information-gathering phase the attacker may probe and scan the target (the CNC machine tool). The probe type includes at least one of sequence number probing, Internet Control Message Protocol request probing, Transmission Control Protocol congestion probing, detailed Transmission Control Protocol probing and User Datagram Protocol probing.
Sequence number probing is denoted sequence generation (SEQ/OPS/WIN/T1).
Internet Control Message Protocol (ICMP) request probing is denoted ICMP echo (IE).
Transmission Control Protocol (TCP) congestion probing is denoted TCP explicit congestion notification (ECN).
Detailed Transmission Control Protocol probing is denoted TCP (T2-T7).
User Datagram Protocol probing is denoted UDP (U1).
If the request sent by the attacker is judged to be a probe request, the protocol the request belongs to (IP, ICMP, TCP or UDP) is distinguished, the probe type of the request is determined from that protocol, and the request is passed to a different execution unit according to its probe type to generate the response message. After this process is complete, the generated response message is returned to the attacker, realising fingerprint simulation and deceiving the attacker.
The process by which the honeypot device performs fingerprint simulation is illustrated below with an attacker who uses the Nmap tool to scan and probe the OS (operating system) fingerprint of a FANUC Mate 0i-D CNC machine tool.
First, by dissecting how Nmap detects an operating system fingerprint, it was determined that the deception needs to address mainly the five classes of probe requests it sends (the probe types sequence number probing, Internet Control Message Protocol request probing, Transmission Control Protocol congestion probing, detailed Transmission Control Protocol probing and User Datagram Protocol probing).
After determining these five classes of probe requests, a FANUC Mate 0i-D machine tool was scanned with Nmap in an experimental environment, and the five classes of probe requests sent by Nmap and the response data given by the machine tool were captured.
Since the CNC systems of CNC machine tools are mostly Linux-based, the netfilter subsystem of Linux can be used. netfilter provides five hook points; the one used here is the point before the protocol stack hands packets to the Local_In point, specifically the second hook, where the packets are intercepted and processed first. In the process between the network card receiving the data and the protocol stack processing it, the request is diverted to QUEUE (one of the iptables rule targets, the others being DROP and ACCEPT; QUEUE passes the packet to user space, so all requests are diverted to user space), where it is handled in user space by a callback function. gevent is used for automatic switching, so that the requests from different request sources placed in the queue can be handled.
In the callback function, the following two cases are handled:
If the judgement of whether the request is a probe request is yes, the fingerprint response is simulated from the response data that the machine tool was found to give to the five classes of probe requests, that is, the values of the fields of the IP layer and the TCP layer are modified in the way the real machine tool responds.
If the judgement of whether the request is a probe request is no, the request is released back to the protocol stack, where the service in the industrial control protocol responds to it and generates the response result.
Through the above process, a hacker cannot distinguish the honeypot device from a real CNC machine tool from the standpoint of the system fingerprint, and the honeypot device cannot be identified by Shodan or Nmap as not being a real CNC machine tool.
By simulating the response data for each probe type, the embodiments prevent the attacker from recognising the honeypot device by its system fingerprint, so that the attacker's unauthorized access is lured more effectively, the attacker is confused, the CNC machine tool can be protected in a targeted way according to the attacker's behaviour, and the reliability of the security protection is improved.
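The callback logic described above, as an added example that is not the patent's code: it parses a raw IPv4 packet handed to user space by an NFQUEUE-style hook, sorts it into the five Nmap probe classes listed (SEQ, IE, ECN, T2-T7, U1) and looks up the reply fields to impose on the IP and TCP layers. The fingerprint table, the port numbers and the packet builders are assumptions; the real values would come from capturing the machine tool's answers as the description says.

```python
"""Packet-level fingerprint emulation of a CNC honeypot (added example, not the patent's code).
It sorts a raw IPv4 packet into the Nmap OS-detection probe classes named in the description
(SEQ, IE, ECN, T2-T7, U1) and returns the reply fields recorded for that class. Assumed: packets
arrive as bytes from an NFQUEUE-style hook; the reply table is constructed, not measured on a
FANUC controller; SEQ probes are told apart from ordinary handshakes by their window size only."""
import struct

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
SEQ_PROBE_WINDOWS = {1, 63, 4, 16, 512}  # window sizes Nmap uses for its six SEQ probes

# Reply fields per probe class, as learned by scanning the real machine in the lab;
# the values here are constructed placeholders (None: the real machine stays silent).
MACHINE_FINGERPRINT = {
    "SEQ": {"ttl": 64, "df": True, "window": 5840, "flags": SYN | ACK},
    "IE":  {"ttl": 64, "df": False, "icmp_type": 0, "icmp_code": 0},
    "ECN": {"ttl": 64, "df": True, "window": 5792, "flags": SYN | ACK | ECE},
    "T2":  None,
    "T3":  {"ttl": 64, "df": True, "window": 0, "flags": RST | ACK},
    "T4":  {"ttl": 64, "df": True, "window": 0, "flags": RST},
    "T5":  {"ttl": 64, "df": True, "window": 0, "flags": RST | ACK},
    "T6":  {"ttl": 64, "df": True, "window": 0, "flags": RST},
    "T7":  {"ttl": 64, "df": True, "window": 0, "flags": RST | ACK},
    "U1":  {"ttl": 64, "df": False, "icmp_type": 3, "icmp_code": 3},
}


def parse_ipv4(pkt):
    """Return (protocol number, layer-4 bytes) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]


def classify_probe(pkt, open_ports):
    """Name the Nmap probe a packet belongs to, or None for ordinary traffic
    (which the callback releases back to the protocol stack)."""
    proto, l4 = parse_ipv4(pkt)
    if proto == IP_PROTO_ICMP:
        return "IE" if l4[0] == 8 else None  # ICMP echo request
    if proto == IP_PROTO_UDP:
        dport = struct.unpack("!H", l4[2:4])[0]
        return "U1" if dport not in open_ports else None  # UDP datagram to a closed port
    if proto != IP_PROTO_TCP or len(l4) < 20:
        return None
    dport, flags, window = struct.unpack("!H", l4[2:4])[0], l4[13], struct.unpack("!H", l4[14:16])[0]
    is_open = dport in open_ports
    if flags == SYN | ECE | CWR:
        return "ECN"
    if flags == SYN:
        if not is_open:
            return "T5"
        return "SEQ" if window in SEQ_PROBE_WINDOWS else None  # otherwise a plain handshake
    if flags == 0:
        return "T2"
    if flags == SYN | FIN | URG | PSH:
        return "T3"
    if flags == ACK:
        return "T4" if is_open else "T6"
    if flags == FIN | PSH | URG:
        return "T7"
    return None


def plan_reply(pkt, open_ports):
    """Return (probe class, reply fields) for a probe, or None if the packet is not a probe."""
    cls = classify_probe(pkt, open_ports)
    if cls is None:
        return None
    fields = MACHINE_FINGERPRINT[cls]
    return cls, (dict(fields) if fields is not None else None)


# Builders for constructed test packets (checksums left zero; a user-space hook
# would recompute them before a reply leaves the host).
def make_ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return hdr + payload


def make_tcp(dport, flags, window=65535):
    return make_ipv4(IP_PROTO_TCP, struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, window, 0, 0))


def make_udp(dport, data=b"C" * 300):
    return make_ipv4(IP_PROTO_UDP, struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data)


def make_icmp_echo():
    return make_ipv4(IP_PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
```

A packet for which `classify_probe` returns None is ordinary traffic and is released back to the protocol stack, as in the second case of the callback.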
Based on the above embodiments, after determining the industrial control protocol used by the request, the method further includes: if, according to the industrial control protocol, the request is judged not to trigger any previously discovered vulnerability, obtaining the service requested by the request on the basis of the industrial control protocol and returning the execution result of the service as the response to the request.
It will be understood that not every request sent by an attacker is an attack; the attacker may also send normal requests to sound out the target.
Specifically, after judging whether the request triggers any of the at least one previously discovered vulnerabilities of the CNC system that uses the request's industrial control protocol, if the result is that the request does not trigger any previously discovered vulnerability, the service requested by the request is determined from the industrial control protocol the request uses, and the execution result of the service is simulated as the response data for the request.
Determining the requested service from the industrial control protocol the request uses and simulating the execution result of the service is done by means of the basic protocol format of that industrial control protocol, obtained in advance by reverse engineering.
It will be understood that the basic protocol formats of the various industrial control protocols, obtained in advance by reverse engineering, are preset in the honeypot device.
The services included in the industrial control protocol mainly comprise connection; searching, deleting and reading NC programs; obtaining axis information; and obtaining PMC parameter information.
The execution result is a response message; after the response message is generated, it is returned to the attacker.
By simulating the result of normal requests and returning the corresponding response data, the embodiments cope more effectively with the attacker's probing, making the honeypot device harder to identify, so that the attacker's unauthorized access is lured more effectively, the attacker is confused, the CNC machine tool can be protected in a targeted way according to the attacker's behaviour, and the reliability of the security protection is improved.
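Steps S101 to S103 together with the normal-request path just described, as an added example that is not the patent's code: a minimal application-layer pipeline that tells probes from normal requests by their TCP flags, dispatches on a fixed type field, answers known services, goes silent for a preset duration when a request hits a deployed vulnerability, and captures and logs along the way. The toy protocol, its opcodes, the vulnerability ids, the source addresses and the log levels are assumptions.

```python
"""Application-layer request pipeline of a CNC honeypot (added example, not the patent's code).
Assumed, not from the patent: a toy protocol framed as type(1) | opcode(1) | length(2, BE) | data,
constructed protocol/opcode ids, and DOWN_SECONDS standing in for the 5-minute example."""
import time

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (1 << i for i in range(8))
DOWN_SECONDS = 300.0  # silence window after a vulnerability is triggered
LEVEL_INFO, LEVEL_WARN, LEVEL_ALERT = 1, 2, 3                           # log levels (int, constructed)
CAT_PROBE, CAT_NORMAL, CAT_VULN, CAT_UNKNOWN, CAT_DOWN = 1, 2, 3, 4, 5  # request categories (int)

# Fixed type field -> industrial protocol (constructed ids, not real FOCAS values)
PROTOCOL_BY_TYPE_FIELD = {0xA1: "PROTO_A", 0xB2: "PROTO_B"}
# (protocol, opcode) -> simulated execution result of the real machine (constructed)
SERVICES = {
    ("PROTO_A", 0x01): b"CONNECT_OK",
    ("PROTO_A", 0x02): b"NC:O1000;O1001",     # NC program search
    ("PROTO_A", 0x03): b"AXIS:X=12.5,Y=3.0",  # axis coordinates
    ("PROTO_B", 0x10): b"PMC:R0=1",           # PMC parameter read
}
# (protocol, opcode) -> previously discovered DoS vulnerability (constructed ids)
KNOWN_VULNS = {("PROTO_A", 0x7F): "DOS-1", ("PROTO_B", 0x7E): "DOS-2"}


def build_request(type_field, opcode, data=b""):
    """Frame a request in the assumed toy protocol."""
    return bytes([type_field, opcode]) + len(data).to_bytes(2, "big") + data


def is_probe(tcp_flags, payload):
    """Step S101: scanner probes carry no application data and use flag combinations
    a normal client never sends (no flags, URG/ECE/CWR, SYN+FIN, ...)."""
    if payload:
        return False
    handshake_or_teardown = {TCP_SYN, TCP_ACK, TCP_ACK | TCP_PSH, TCP_FIN | TCP_ACK, TCP_RST, TCP_RST | TCP_ACK}
    return tcp_flags not in handshake_or_teardown


def identify_protocol(payload):
    """Step S102: the protocol dispatcher matches the fixed type field against the preset
    protocol formats; None means no known format matched (abnormal packet)."""
    if len(payload) < 4:
        return None
    proto = PROTOCOL_BY_TYPE_FIELD.get(payload[0])
    declared = int.from_bytes(payload[2:4], "big")
    return proto if proto is not None and declared == len(payload) - 4 else None


class CncHoneypot:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.down_until = 0.0   # simulated crash: no response until this time
        self.sessions = {}      # session queue: request source -> per-source state
        self.captured = []      # data capture: (source, flags, payload)
        self.log = []           # (timestamp, level, category, detail)

    def _log(self, level, category, source, request, response):
        detail = {"source": source, "request": request, "response": response}
        self.log.append((self.clock(), level, category, detail))

    def handle(self, source, tcp_flags, payload):
        """Process one request; returns the reply bytes, or None for no response."""
        self.sessions.setdefault(source, {"requests": 0})["requests"] += 1
        if self.clock() < self.down_until:  # the real tool would be down: no reply, no TCP service
            self._log(LEVEL_INFO, CAT_DOWN, source, payload, None)
            return None
        if is_probe(tcp_flags, payload):  # fingerprint reply is produced at packet level, not here
            self.captured.append((source, tcp_flags, payload))
            self._log(LEVEL_WARN, CAT_PROBE, source, payload, None)
            return None
        proto = identify_protocol(payload)
        if proto is None:  # no preset protocol format matched: abnormal packet, capture only
            self.captured.append((source, tcp_flags, payload))
            self._log(LEVEL_WARN, CAT_UNKNOWN, source, payload, None)
            return None
        key = (proto, payload[1])
        if key in KNOWN_VULNS:  # step S103: emulate the crash of the real controller, recover later
            self.captured.append((source, tcp_flags, payload))
            self.down_until = self.clock() + DOWN_SECONDS
            self._log(LEVEL_ALERT, CAT_VULN, source, payload, None)
            return None
        reply = SERVICES.get(key, b"ERR:UNKNOWN_SERVICE")
        self._log(LEVEL_INFO, CAT_NORMAL, source, payload, reply)
        return reply


def demo():
    """Drive the pipeline with a fake clock; returns the honeypot and the replies it gave."""
    now = [1000.0]
    hp = CncHoneypot(clock=lambda: now[0])
    data = TCP_ACK | TCP_PSH
    replies = [
        hp.handle("10.0.0.5", data, build_request(0xA1, 0x02)),             # normal: NC search
        hp.handle("10.0.0.5", data, build_request(0xA1, 0x7F, b"\0" * 8)),  # triggers DOS-1
        hp.handle("10.0.0.6", data, build_request(0xA1, 0x01)),             # tool "down": silence
    ]
    now[0] += DOWN_SECONDS + 1
    replies.append(hp.handle("10.0.0.6", data, build_request(0xA1, 0x01)))   # recovered
    replies.append(hp.handle("10.0.0.7", TCP_FIN | TCP_PSH | TCP_URG, b""))  # probe
    replies.append(hp.handle("10.0.0.8", data, b"\xff\xff\x00\x00"))         # unknown protocol
    return hp, replies
```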
Based on the above embodiments, after parsing the request, the method further includes: if the industrial control protocol used by the request cannot be determined, performing data capture for the request.
Specifically, the industrial control protocol not being determined means that the result of parsing the request matches none of the preset basic protocol formats of the industrial control protocols; the request is then treated as an abnormal data packet.
After an abnormal data packet is found, the attack data of the request can be captured by the data capture module included in the honeypot device.
Data capture is an important step of the honeypot method, and its purpose is data analysis. Raw data capture and filtering can be done with Tcpdump to complete the data capture.
It will be understood that, for the parts whose parsing fails, the embodiment of the present invention stores the captured attack data in the local database of the honeypot device.
The captured attack data can be analysed to learn from the results how attackers attack CNC machine tools and what the newest attacks and vulnerabilities aimed at CNC machine tools are, so that the CNC machine tool itself can be protected in a targeted way, with higher reliability.
By capturing data for abnormal data packets, the embodiments can analyse the captured data and so protect the CNC machine tool itself in a more targeted way, with higher reliability.
Based on the above embodiments, after determining the industrial control protocol used by the request, the method further includes: if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability, performing data capture for the request.
Specifically, if the request triggers any vulnerability of the CNC system using the request's industrial control protocol that was deployed in the honeypot device in advance, the attack data of the request can be captured by the data capture module included in the honeypot device.
It will be understood that, for the parts whose parsing fails, the embodiment of the present invention stores the captured attack data in the local database of the honeypot device.
The captured attack data can be analysed to learn from the results how attackers attack CNC machine tools and what the newest attacks and vulnerabilities aimed at CNC machine tools are, so that the CNC machine tool itself can be protected in a targeted way, with higher reliability.
By capturing data for requests that trigger a vulnerability, the embodiments can analyse the captured data and so protect the CNC machine tool itself in a more targeted way, with higher reliability.
Based on the above embodiments, after judging whether the request is a probe request, the method further includes: performing data capture for the request.
Specifically, if the request is judged to be a probe request, the attack data of the request can be captured by the data capture module included in the honeypot device.
It will be understood that, for the parts whose parsing fails, the embodiment of the present invention stores the captured attack data in the local database of the honeypot device.
The captured attack data can be analysed to learn from the results how attackers attack CNC machine tools and what the newest attacks and vulnerabilities aimed at CNC machine tools are, so that the CNC machine tool itself can be protected in a targeted way, with higher reliability.
By capturing data for probe requests, the embodiments can analyse the captured data and so protect the CNC machine tool itself in a more targeted way, with higher reliability.
Based on the embodiments above, after the request initiated towards the numerically-controlled machine tool has been obtained, the method further includes: logging the request.
Specifically, to ease the analysis of the request, after the request is obtained the logging module included in the honeypot device generates a log entry for each processing step of the request and records it.
While the honeypot device answers the attacker's request with the corresponding function, it stores the request data both as a log entry and as a raw data packet: the log is processed and displayed by the analysis module, while the data packets are left to research personnel for post-event analysis.
Logging is done so that the data can be analysed and displayed more conveniently.
A log entry can be a tuple of timestamp, level (an int), request category (an int) and details (including the request source, the request message and the returned message). For efficiency, the logging module included in the honeypot device can extract only the application-layer data as the request and response message information.
For example, the log format is as follows:
{
    timestamp:
    level: 0/1/2 (corresponding to Normal/Medium/Serious respectively)
    category: 0-32 (one value per function class, 32 classes in total)
    details: {
        source: (ip, port),
        request_data: 'a0a0a0a0..',
        response_data: 'a0a0a0a0..'
    }
}
One log file and one pcap data packet file can be generated per preset time period (for example, one per day) and named by date. The logs are handed to the ELK log analysis and display module for analysis and display, while the pcap files are left to researchers, who extract attack signatures from them, run replay experiments, verify whether the traffic belongs to a not-yet-discovered vulnerability, and report it in time.
A pcap data packet file is the attack data captured for the requests obtained within that time period.
Elasticsearch (E), Logstash (L) and Kibana (K), three open-source tools, can be combined into one solution for log collection, analysis and display; the log analysis and display module included in the honeypot device uses it to display and analyse the logs. Because it is built on Elasticsearch, Logstash and Kibana, this module can also be called the ELK log analysis and display module.
It should be noted that after the unauthorized access traffic initiated by the attacker has been screened and classified, requests of higher threat can also be marked for alarm; when such a request is logged, an alarm is raised according to that mark, so that measures can be taken in time to stop the attacker from doing further damage.
In this embodiment of the invention, the requests are logged, and the logs can be analysed and displayed, giving a better grasp of the requests, so that more targeted security protection can be applied to the numerically-controlled machine tool itself and the protection is more reliable.
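The data-capture embodiments and the logging description above can be shown end to end in one piece of code: a log entry in the sketched format (timestamp, level, category, details with hex-encoded application-layer data and an alarm mark), a per-day log file plus a per-day pcap file named by date, and the reader a researcher would use to pull the captured requests back out for replay. This is an added example, not the patent's own code; the file layout, the level and category values, the choice of pcap link type and the sample requests are all constructed assumptions.

```python
"""Added example, not the patent's own code: per-request log entries in the format
sketched above, daily <date>.log and <date>.pcap files, and a pcap reader for replay.
File layout, level/category values and the sample requests are constructed assumptions."""
import datetime
import json
import struct
import tempfile
from pathlib import Path

LEVELS = {"Normal": 0, "Medium": 1, "Serious": 2}
PCAP_MAGIC = 0xA1B2C3D4      # classic microsecond-resolution pcap, little-endian
LINKTYPE_USER0 = 147         # the honeypot only holds application-layer bytes, no Ethernet/IP framing


def make_record(ts, level, category, source, request, response, alarm=None):
    """Build one log entry: timestamp, level (int), request category (int), details.
    Only application-layer data are kept, hex-encoded. Requests of level Serious are
    marked for alarm unless the caller decides otherwise (assumed policy)."""
    return {
        "timestamp": ts,
        "level": LEVELS[level],
        "category": category,
        "alarm": (level == "Serious") if alarm is None else alarm,
        "details": {
            "source": [source[0], source[1]],
            "request_data": request.hex(),
            "response_data": response.hex(),
        },
    }


def day_name(ts):
    """Date used to name the day's log and pcap files (UTC, so rotation is unambiguous)."""
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d")


class DailyCapture:
    """One <date>.log (JSON lines) and one <date>.pcap per UTC day."""

    def __init__(self, directory):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)

    def write(self, record, raw_request):
        day = day_name(record["timestamp"])
        with (self.dir / f"{day}.log").open("a", encoding="utf-8") as f:
            f.write(json.dumps(record) + "\n")
        pcap = self.dir / f"{day}.pcap"
        fresh = not pcap.exists()
        with pcap.open("ab") as f:
            if fresh:   # global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype
                f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0))
            sec = int(record["timestamp"])
            usec = int(round((record["timestamp"] - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(raw_request), len(raw_request)))
            f.write(raw_request)


def read_pcap(path):
    """Return [(timestamp, bytes), ...] from a file written by DailyCapture."""
    data = Path(path).read_bytes()
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_USER0:
        raise ValueError("not a capture written by this honeypot")
    packets, off = [], 24
    while off < len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        packets.append((sec + usec / 1_000_000, data[off:off + incl]))
        off += incl
    return packets


def run_demo(directory=None):
    """Write three constructed requests (two on 2019-05-23 UTC, one on 2019-05-24) and read them back."""
    cap = DailyCapture(directory or tempfile.mkdtemp())
    base = 1558569600.0   # 2019-05-23 00:00:00 UTC
    samples = [   # (timestamp, level, category, source, request bytes, response bytes); all constructed
        (base + 10 * 3600, "Normal", 3, ("192.0.2.10", 50231), b"\x01\x00\x00\x04\x03ABCD", b"\x01\x00\x00\x01\x03"),
        (base + 11 * 3600, "Serious", 7, ("192.0.2.10", 50240), b"\x01\x00\xff\xff\x07", b""),
        (base + 86400 + 5, "Medium", 0, ("198.51.100.7", 4444), b"", b"CNC-CTRL ready\r\n"),
    ]
    for ts, lvl, cat, src, req, resp in samples:
        cap.write(make_record(ts, lvl, cat, src, req, resp), req)
    day1 = [json.loads(line) for line in (cap.dir / "2019-05-23.log").read_text().splitlines()]
    return {
        "files": sorted(p.name for p in cap.dir.iterdir()),
        "day1_entries": len(day1),
        "day1_alarms": sum(r["alarm"] for r in day1),
        "day1_packets": read_pcap(cap.dir / "2019-05-23.pcap"),
        "day2_packets": read_pcap(cap.dir / "2019-05-24.pcap"),
    }
```

The JSON-lines log is what Logstash would ship into Elasticsearch; the pcap keeps the raw request bytes with their timestamps so a researcher can replay them against a test controller. Link type 147 (USER0) is used because the honeypot sits above the socket and never sees link or IP headers; a deployment that captures from a raw socket or a mirror port would use the link type that matches the frames it actually records.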
Fig. 2 is a structural diagram of the honeypot device for a numerically-controlled machine tool provided by an embodiment of the invention. Based on the embodiments above, as shown in Fig. 2, the device includes a fingerprint simulation module 201, a protocol interaction module 202 and a vulnerability deployment module 203, where:
the fingerprint simulation module 201 obtains the request initiated by the request source towards the numerically-controlled machine tool and judges whether the request is a probe request;
the protocol interaction module 202, if the request is not a probe request, parses the request and determines the industrial control protocol it uses;
the vulnerability deployment module 203, if according to the industrial control protocol the request is judged to trigger at least one pre-discovered vulnerability, does not respond to the request.
Specifically, the fingerprint simulation module 201 obtains the attacker's request by listening on each of the pre-selected ports described above, analyses the TCP header and payload of the request, and judges whether it is a probe request or a normal request.
The protocol interaction module 202 matches the application-layer data of the request against a fixed field (for example, a fixed field defined as a type field) to distinguish the different industrial control protocols, and thereby determines which industrial control protocol the request uses.
The vulnerability deployment module 203 judges, according to the industrial control protocol, whether the request triggers any of the at least one pre-discovered vulnerability of the numerical control system that uses this protocol. If the attack is aimed at one of those vulnerabilities, the vulnerability is triggered: the module returns no result to the attacker, sends no response message, and stops offering the TCP service for connections, so as to simulate a crash (downtime) of the numerically-controlled machine tool.
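The three modules above, and the method steps of claims 1 to 4 that they carry out, form one decision pipeline per request: probe or not, which protocol, does it hit a deployed vulnerability, and what (if anything) to send back. The following is an added example of that pipeline, not the patent's own code: the probe heuristics, the two-byte type field that names a protocol, the protocol limits and the trigger condition standing in for a "pre-discovered vulnerability" are constructed placeholders, not real CNC protocol details and not real vulnerabilities.

```python
"""Added example, not the patent's own code: a minimal dispatch pipeline wiring
together the fingerprint, protocol interaction and vulnerability deployment modules.
Probe heuristics, the two-byte 'type field', the protocol limits and the trigger
condition are constructed placeholders, not real protocols or vulnerabilities."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10          # TCP flag bits the fingerprint module inspects


class Action(Enum):
    PROBE_REPLY = "answer the probe with a synthetic fingerprint response"
    SERVE = "execute the emulated function and return its result"
    SILENT_DROP = "return nothing and stop serving TCP (simulated crash)"
    CAPTURE_ONLY = "unparseable request: capture the raw bytes for later analysis"


@dataclass
class Decision:
    action: Action
    protocol: Optional[str]      # industrial control protocol, once identified
    probe_type: Optional[str]    # set only for probe requests
    reply: Optional[bytes]       # bytes sent back; None means no response at all


# Assumed fixed field: the first two payload bytes identify the protocol.
TYPE_FIELD = {b"\x01\x00": "proto_a", b"\x02\x00": "proto_b"}
# Assumed per-protocol limits: (largest legal body length, highest legal function code).
LIMITS = {"proto_a": (1024, 31), "proto_b": (256, 15)}
# Canned answers the fingerprint module returns per probe type (constructed banners).
PROBE_BANNERS = {
    "syn_scan": b"",                       # the SYN/ACK itself is the answer
    "banner_grab": b"CNC-CTRL ready\r\n",
    "http_probe": b"HTTP/1.0 404 Not Found\r\n\r\n",
}


class Honeypot:
    def __init__(self) -> None:
        self.accepting = True   # cleared once a vulnerability trigger 'crashes' the tool

    @staticmethod
    def probe_type(tcp_flags: int, payload: bytes) -> Optional[str]:
        """Fingerprint module: classify from TCP header bits and payload shape (assumed rules)."""
        if tcp_flags & TCP_SYN and not tcp_flags & TCP_ACK:
            return "syn_scan"                       # bare SYN: port scan
        if not payload:
            return "banner_grab"                    # connected, sent nothing, waits for a banner
        if payload.startswith((b"GET ", b"HEAD ", b"OPTIONS ")):
            return "http_probe"                     # generic web-scanner probe on a non-web port
        return None

    @staticmethod
    def identify_protocol(payload: bytes) -> Optional[str]:
        """Protocol interaction module: match the fixed type field."""
        return TYPE_FIELD.get(payload[:2])

    @staticmethod
    def triggers_known_vuln(protocol: str, payload: bytes) -> bool:
        """Vulnerability deployment module. Placeholder trigger: the declared body length
        (bytes 2-3, big-endian) or the function code (byte 4) exceeds the assumed limit.
        A real deployment would match the pre-discovered vulnerabilities of the emulated system."""
        declared_len = struct.unpack(">H", payload[2:4])[0]
        func = payload[4]
        max_len, max_func = LIMITS[protocol]
        return declared_len > max_len or func > max_func

    def handle(self, tcp_flags: int, payload: bytes) -> Decision:
        if not self.accepting:                      # 'crashed': keep refusing, like a dead tool
            return Decision(Action.SILENT_DROP, None, None, None)
        kind = self.probe_type(tcp_flags, payload)
        if kind is not None:
            return Decision(Action.PROBE_REPLY, None, kind, PROBE_BANNERS[kind])
        proto = self.identify_protocol(payload)
        if proto is None or len(payload) < 5:       # unknown protocol or truncated frame
            return Decision(Action.CAPTURE_ONLY, proto, None, None)
        if self.triggers_known_vuln(proto, payload):
            self.accepting = False                  # stop offering the TCP service
            return Decision(Action.SILENT_DROP, proto, None, None)
        # Normal request: the emulated function's result, here a constructed
        # acknowledgement echoing the type field and the function code.
        reply = payload[:2] + b"\x00\x01" + bytes([payload[4]])
        return Decision(Action.SERVE, proto, None, reply)
```

In a real listener the socket loop maps each Decision to I/O: PROBE_REPLY and SERVE write the reply bytes, CAPTURE_ONLY writes the raw payload to the capture store and closes, and SILENT_DROP closes the connection without writing anything and leaves the listening socket closed, which is what makes the honeypot look like a controller that has just gone down rather than a service that politely rejected a bad frame.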
The honeypot device for a numerically-controlled machine tool provided by this embodiment of the invention is used to carry out the honeypot method for a numerically-controlled machine tool provided by the embodiments above; the specific methods and flows by which each module of the device realises its function are described in detail in the method embodiments above and are not repeated here.
The honeypot device for a numerically-controlled machine tool is used for the honeypot method of the foregoing embodiments; therefore the descriptions and definitions given in those method embodiments can be used to understand each execution module in this embodiment of the invention.
In this embodiment of the invention, the honeypot device simulates the response of a real numerically-controlled machine tool to a request. This can effectively lure the attacker's unauthorized access and confuse the attacker; targeted protection of the numerically-controlled machine tool can then be carried out according to the attacker's attack, which improves the reliability of security protection.
Fig. 3 is a structural block diagram of an electronic device provided by an embodiment of the invention. Based on the embodiments above, as shown in Fig. 3, the electronic device may include a processor 301, a memory 302 and a bus 303; the processor 301 and the memory 302 communicate with each other through the bus 303; the processor 301 calls the computer program instructions stored in the memory 302 and runnable on the processor 301 to carry out the honeypot method for a numerically-controlled machine tool provided by the method embodiments above, for example: obtaining a request initiated by a request source towards the numerically-controlled machine tool and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol it uses; and if, according to the industrial control protocol, the request is judged to trigger at least one pre-discovered vulnerability, not responding to the request.
Another embodiment of the invention discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions which, when executed by a computer, enable the computer to carry out the honeypot method for a numerically-controlled machine tool provided by the method embodiments above, for example: obtaining a request initiated by a request source towards the numerically-controlled machine tool and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol it uses; and if, according to the industrial control protocol, the request is judged to trigger at least one pre-discovered vulnerability, not responding to the request.
In addition, the logic instructions in the memory 302 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the invention, or the part of it that contributes over the prior art, may be embodied as a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the invention. The storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
Another embodiment of the invention provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to carry out the honeypot method for a numerically-controlled machine tool provided by the method embodiments above, for example: obtaining a request initiated by a request source towards the numerically-controlled machine tool and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol it uses; and if, according to the industrial control protocol, the request is judged to trigger at least one pre-discovered vulnerability, not responding to the request.
The device embodiments described above are merely illustrative. The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the description of the embodiments above, those skilled in the art will clearly understand that each embodiment can be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware. On this understanding, the technical solution above, or the part of it that contributes over the prior art, may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods of the embodiments or of certain parts of the embodiments.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solution outside the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. A honeypot method for a numerically-controlled machine tool, characterized in that it comprises:
obtaining a request initiated by a request source towards the numerically-controlled machine tool, and judging whether the request is a probe request;
if the request is not a probe request, parsing the request and determining the industrial control protocol used by the request;
if, according to the industrial control protocol, the request is judged to trigger at least one pre-discovered vulnerability, not responding to the request.
2. The honeypot method for a numerically-controlled machine tool according to claim 1, characterized in that after judging whether the request is a probe request, the method further comprises:
if the request is a probe request, obtaining the probe type of the request and generating a return response according to the probe type.
3. The honeypot method for a numerically-controlled machine tool according to claim 1, characterized in that after determining the industrial control protocol used by the request, the method further comprises:
if, according to the industrial control protocol, the request is judged not to trigger any pre-discovered vulnerability, obtaining the service requested by the request on the basis of the industrial control protocol, and returning the execution result of the service as the response to the request.
4. The honeypot method for a numerically-controlled machine tool according to claim 1, characterized in that after parsing the request, the method further comprises:
if the industrial control protocol used by the request cannot be determined, capturing data for the request.
5. The honeypot method for a numerically-controlled machine tool according to claim 1, characterized in that after determining the industrial control protocol used by the request, the method further comprises:
if, according to the industrial control protocol, the request is judged to trigger the at least one pre-discovered vulnerability, capturing data for the request.
6. The honeypot method for a numerically-controlled machine tool according to claim 1, characterized in that after judging whether the request is a probe request, the method further comprises:
capturing data for the request.
7. The honeypot method for a numerically-controlled machine tool according to any one of claims 1 to 6, characterized in that after obtaining the request initiated towards the numerically-controlled machine tool, the method further comprises:
logging the request.
8. A honeypot device for a numerically-controlled machine tool, characterized in that it comprises:
a fingerprint simulation module, configured to obtain a request initiated by a request source towards the numerically-controlled machine tool and to judge whether the request is a probe request;
a protocol interaction module, configured to parse the request if the request is not a probe request and to determine the industrial control protocol used by the request;
a vulnerability deployment module, configured not to respond to the request if, according to the industrial control protocol, the request is judged to trigger at least one pre-discovered vulnerability.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that when the processor executes the program it implements the steps of the honeypot method for a numerically-controlled machine tool according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that when the computer program is executed by a processor it implements the steps of the honeypot method for a numerically-controlled machine tool according to any one of claims 1 to 7.
CN201910435072.1A 2019-05-23 2019-05-23 Honeypot method and device for numerical control machine tool Active CN110351237B (en)

Publications (2)

Publication Number Publication Date
CN110351237A true CN110351237A (en) 2019-10-18
CN110351237B CN110351237B (en) 2020-07-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant