CN110351237A - Honey jar method and device for numerically-controlled machine tool - Google Patents
- Publication number: CN110351237A (application number CN201910435072.1A)
- Authority: CN (China)
- Prior art keywords: request, numerically, machine tool, controlled machine, honey jar
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Abstract
Embodiments of the present invention provide a honeypot ("honey jar" in the title) method and device for a numerically-controlled (CNC) machine tool. The method includes: obtaining a request initiated by a request source to the CNC machine tool and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol it uses; and if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability, not responding to the request. By simulating the responses of a real CNC machine tool to requests, the honeypot method and device can effectively lure an attacker into unauthorized access, mislead the attacker, protect the CNC machine tool in a targeted way according to the attacker's behaviour, and improve the reliability of security protection.
Description
Technical field
The present invention relates to the field of computer technology, and more particularly to a honeypot method and device for a numerically-controlled (CNC) machine tool.
Background technique
In recent years, with the continuous advance of intelligent manufacturing, industrial manufacturing and the Internet have merged deeply; the network security problems behind intelligent manufacturing keep coming to the fore, and the demand for security keeps growing.
CNC machine tools play a very important role in industrial control systems and are among the key industrial control devices for production automation. At present, however, most enterprises use CNC systems (the operating system installed on the CNC machine tool) made by domestic and foreign manufacturers such as Fanuc, Siemens, Mitsubishi and Heidenhain. To users these CNC systems are black boxes: users know nothing about whether they contain a security back door or pose a security threat. It is therefore necessary to protect CNC machine tools.
At present, security protection techniques for CNC machine tools remain at the level of business management. They mainly include establishing a firewall in the machine tool area to supervise inbound and outbound traffic, and protecting the numerical control network along four dimensions: structural security, behavioural security, ontological security and genetic security. Because such business-management-level methods protect by detecting attacks, their false-alarm rate is very high, and they cannot protect the CNC machine tool itself, so the reliability of the protection is poor.
Summary of the invention
Embodiments of the present invention provide a honeypot method and device for a CNC machine tool, to solve, or at least partly alleviate, the poor reliability with which the prior art protects CNC machine tools.
In a first aspect, an embodiment of the present invention provides a honeypot method for a CNC machine tool, comprising:
obtaining a request initiated by a request source to the CNC machine tool, and judging whether the request is a probe request;
if the request is not a probe request, parsing the request and determining the industrial control protocol that the request uses;
if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability, not responding to the request.
Preferably, after judging whether the request is a probe request, the method further includes: if the request is a probe request, obtaining the probe type of the request and returning a response generated according to the probe type.
Preferably, after determining the industrial control protocol that the request uses, the method further includes: if, according to the industrial control protocol, the request is judged not to trigger any previously discovered vulnerability, obtaining the service requested by the request on the basis of the industrial control protocol, and returning the execution result of that service as the response to the request.
Preferably, after parsing the request, the method further includes: if the industrial control protocol used by the request cannot be determined, performing data capture on the request.
Preferably, after determining the industrial control protocol that the request uses, the method further includes: if, according to the industrial control protocol, the request is judged to trigger at least one of the previously discovered vulnerabilities, performing data capture on the request.
Preferably, after judging whether the request is a probe request, the method further includes: performing data capture on the request.
Preferably, after obtaining the request initiated to the CNC machine tool, the method further includes: logging the request.
In a second aspect, an embodiment of the present invention provides a honeypot device for a CNC machine tool, comprising:
a fingerprint simulation module, for obtaining a request initiated by a request source to the CNC machine tool and judging whether the request is a probe request;
a protocol interaction module, for parsing the request and determining the industrial control protocol it uses if the request is not a probe request;
a vulnerability deployment module, for not responding to the request if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, it implements the steps of the honeypot method for a CNC machine tool provided by any possible implementation of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the steps of the honeypot method for a CNC machine tool provided by any possible implementation of the first aspect.
By simulating the responses of a real CNC machine tool to requests, the honeypot method and device provided by embodiments of the present invention can effectively lure an attacker into unauthorized access, mislead the attacker, protect the CNC machine tool in a targeted way according to the attacker's behaviour, and improve the reliability of security protection.
Detailed description of the invention
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the honeypot method for a CNC machine tool provided by an embodiment of the present invention;
Fig. 2 is a structural diagram of the honeypot device for a CNC machine tool provided by an embodiment of the present invention;
Fig. 3 is a diagram of the physical structure of the electronic device provided by an embodiment of the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
To overcome the above problem of the prior art, embodiments of the present invention provide a honeypot method and device for a CNC machine tool. The inventive concept is to implement the honeypot method by means of a purpose-built honeypot device for the CNC machine tool; the device can effectively lure an attacker into unauthorized access and mislead the attacker, thereby protecting the real CNC machine tool.
Fig. 1 is a flow diagram of the honeypot method for a CNC machine tool provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises: step S101, obtaining a request initiated to the CNC machine tool and judging whether the request is a probe request.
It should be noted that the executing subject of the honeypot method provided by embodiments of the present invention is the honeypot device built in advance.
A CNC machine tool provides a TCP (Transmission Control Protocol) connection service to the outside through a specific port, over which functions such as NC (Numerical Control) data transfer and remote control are performed. The specific port depends on the CNC system of the machine tool. For example, the CNC system of a Fanuc machine tool provides the TCP connection service through port 8193.
The honeypot device provides services to the outside through at least one pre-selected port. The services provided may include at least one of: searching, deleting, reading and importing NC programs; reading and writing PMC (Programmable Machine Controller, the built-in PLC control technology of the CNC machine tool) parameters; and obtaining the coordinates of each axis, the running time, the number of parts machined, and device information.
The honeypot device acts as a decoy that lures the attacker into attacking the CNC machine tool. After the attacker launches an attack, monitoring and analysis reveal how the attacker attacks the CNC machine tool and keep defenders informed of the latest attacks and vulnerabilities launched against CNC machine tools, so that the CNC machine tool itself can be protected in a targeted way; the reliability of the protection is therefore higher.
The honeypot device regards the initiator of every request as an attacker.
The attacker initiates a request to the CNC machine tool. A request is a data packet. The request triggers the CNC machine tool to execute a certain service of its CNC system; the machine tool generates a response message according to the result of that service and returns it to the initiator of the request. The attacker may be a terminal such as a personal computer, or a mobile terminal such as a smartphone or tablet computer.
The honeypot device can obtain the requests initiated by the attacker by listening on each of the pre-selected ports described above.
By parsing the request and replying with the corresponding response message, the honeypot device emulates the basic functions of a CNC machine tool and thereby achieves the purpose of luring the attacker.
A real attacker may send requests by installing network scanning and sniffing tools such as Nmap (Network Mapper).
The attacker's requests can be divided into three types: probe requests, normal handshake requests and industrial control protocol requests. Normal requests include normal handshake requests and industrial control protocol requests.
TCP header and payload analysis is performed on the request sent by the attacker to judge whether the request is a probe request or a normal request.
If it is not a probe request but a normal request, step S102 below is executed.
Step S102: if the request is not a probe request, parse the request and determine the industrial control protocol that the request uses.
It should be noted that the CNC systems of different vendors differ, and accordingly the industrial control protocols used by different CNC systems also differ.
For example, Fanuc CNC machine tools use the FOCAS1/2 protocol, and the Fanuc Mate 0i-D CNC machine tool uses the FOCAS2 protocol.
When an attacker accesses the honeypot device, the honeypot device can establish a session with the request source (the initiator of the request) according to that request source.
The honeypot device can maintain a session queue to manage the sessions with each attacker. When an attacker accesses the honeypot device, the device establishes a session with that attacker and inserts it into the session queue; when the session ends, the device removes it from the session queue.
The honeypot device may include a protocol dispatcher.
The protocol dispatcher matches the application-layer data of the request against a fixed field (for example, a fixed field defined as a type field) to distinguish between the different industrial control protocols, and can thereby determine the industrial control protocol that the request uses.
It will be understood that the basic protocol formats of the various industrial control protocols, each consisting of its fields, are preset in the honeypot system. The various industrial control protocols and their basic protocol formats can be obtained in advance by reverse engineering.
Step S103: if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability, do not respond to the request.
Here, a vulnerability is a vulnerability in the CNC system that uses the industrial control protocol.
It should be noted that, for each industrial control protocol, at least one vulnerability in the CNC system using that protocol can be obtained in advance, and the vulnerabilities of each CNC system are deployed in the honeypot device. The honeypot device can simulate each of these vulnerabilities so as to deceive the attacker more convincingly.
For example, three denial-of-service vulnerabilities (0-day vulnerabilities) were discovered in advance in the Fanuc Mate 0i-D CNC machine tool, numbered CNVD-2019-07658, CNVD-2019-07659 and CNVD-2019-07660 respectively.
It is judged whether the request triggers any one of the at least one previously discovered vulnerability in the CNC system, that CNC system being the one that uses the industrial control protocol used by the request.
When, after scanning and probing, the attacker launches tentative attacks by sending disguised normal requests, and the attack targets one of the vulnerabilities above, that vulnerability is triggered.
On a real CNC machine tool, triggering the vulnerability crashes the machine tool, which stops working. The honeypot device, by contrast, does not stop working, but it returns no result at all: it sends no response message to the attacker and stops providing the TCP connection service to the outside (simulating the CNC system on the machine tool having been switched into a non-responding denial-of-service state), thereby simulating a crashed CNC machine tool.
Since the real CNC machine tool's response to such a request is to stop working, and a machine tool that has stopped working returns no response message, the honeypot device's response to the request is to return no result to the attacker.
Further, after it is judged that the request triggers at least one previously discovered vulnerability, the honeypot device can resume providing the TCP connection service to the outside once a preset duration has elapsed.
The preset duration can be set close to the time a CNC machine tool takes to restart, for example 5 minutes, so that the attacker is even more convinced that the honeypot device is a real CNC machine tool.
Embodiments of the present invention place no restriction on the specific value of the preset duration.
It should be noted that the honeypot device concludes every request it obtains with a response. Not responding is itself a kind of response; apart from no response, all other responses take the form of a response message.
It should be noted that the sessions between the honeypot device and the attackers are independent of one another.
By having the honeypot device simulate a real CNC machine tool's responses to requests, embodiments of the present invention can effectively lure an attacker into unauthorized access, mislead the attacker, protect the CNC machine tool in a targeted way according to the attacker's behaviour, and improve the reliability of security protection.
On the basis of the embodiments above, after judging whether the request is a probe request, the method further includes: if the request is a probe request, obtaining the probe type of the request and returning a response generated according to the probe type.
Specifically, during the information-gathering step the attacker may probe and scan the target (the CNC machine tool). The probe type includes at least one of: sequence number probing, Internet Control Message Protocol request probing, transmission control protocol congestion probing, detailed transmission control protocol probing, and User Datagram Protocol probing.
Sequence number probing is denoted sequence generation (SEQ/OPS/WIN/T1).
Internet Control Message Protocol (ICMP) request probing is denoted ICMP echo (IE).
Transmission Control Protocol (TCP) congestion probing is denoted TCP explicit congestion notification (ECN).
Detailed transmission control protocol probing is denoted TCP (T2-T7).
User Datagram Protocol probing is denoted UDP (U1).
If the request sent by the attacker is judged to be a probe request, the protocol to which the request belongs (such as IP, ICMP, TCP or UDP) is distinguished and the probe type of the request is determined from that protocol; the request is then passed to a different execution unit according to its probe type to generate the response message. Once this is done, the generated response message is returned to the attacker, achieving fingerprint simulation and deceiving the attacker.
The implementation of fingerprint simulation by the honeypot device is illustrated below, taking as an example an attacker using the Nmap tool to fingerprint-scan the OS (operating system) of a FANUC Mate 0i-D CNC machine tool.
First, by dissecting the principle of Nmap's operating-system fingerprinting, it was determined that deception should mainly target the 5 classes of probe request it sends (the probe types being sequence number probing, Internet Control Message Protocol request probing, transmission control protocol congestion probing, detailed transmission control protocol probing, and User Datagram Protocol probing).
After determining these 5 classes of probe request, a FANUC Mate 0i-D machine tool was scanned with Nmap in an experimental environment, and the 5 classes of probe request sent by Nmap and the response data given by the machine tool were captured.
Since the CNC systems of CNC machine tools are mostly Linux-based, the netfilter subsystem of Linux can be used. Netfilter provides 5 hook points; the one used here is the Local_In point, the point before the packet is handed to the protocol stack (specifically hook 2), where the packet is intercepted and handled first. In the interval after the network card receives the data and before the protocol stack processes it, the request is diverted to QUEUE (one of the iptables rule targets, the others being DROP and ACCEPT; QUEUE hands the packet to user space, so all requests are delivered to user space), where it is processed by a callback function. gevent is used for automatic switching so that the requests from different request sources placed in the queue can be handled.
In the callback function, the following two modes of handling are used:
If the judgement of whether the request is a probe request is yes, the fingerprint response is simulated according to the response data the machine tool was observed to give to the 5 classes of probe request, i.e. the values of the IP-layer and TCP-layer fields are modified in the way the real machine tool responds.
If the judgement of whether the request is a probe request is no, the request is released back to the protocol stack for processing, and the response is then given by the service in the industrial control protocol, generating the response result.
Through the above process, a hacker cannot distinguish the honeypot device from a real CNC machine tool from the standpoint of the system fingerprint, and the honeypot device is prevented from being identified by Shodan and Nmap as not being a real CNC machine tool.
By simulating the response data for each probe type, embodiments of the present invention prevent the attacker from recognising the honeypot device from the system fingerprint, so that the attacker can be lured into unauthorized access and misled more effectively; the CNC machine tool can be protected in a targeted way according to the attacker's behaviour, and the reliability of security protection can be improved.
On the basis of the embodiments above, after determining the industrial control protocol that the request uses, the method further includes: if, according to the industrial control protocol, the request is judged not to trigger any previously discovered vulnerability, obtaining the service requested by the request on the basis of the industrial control protocol, and returning the execution result of that service as the response to the request.
It will be understood that not all of the requests sent by the attacker are necessarily attacks; the attacker may also send normal requests to feel out the target.
Specifically, after judging whether the request triggers any one of the at least one previously discovered vulnerability in the CNC system that uses the request's industrial control protocol, if the judgement is that the request triggers none of them, the service requested by the request is determined on the basis of the industrial control protocol that the request uses, and the execution result of that service is simulated as the response data corresponding to the request.
Determining the service requested by the request and simulating its execution result on the basis of the industrial control protocol is achieved specifically by means of the basic protocol format of that industrial control protocol, obtained in advance by reverse engineering.
It will be understood that the basic protocol formats of the various industrial control protocols, obtained in advance by reverse engineering, are preset in the honeypot device.
The services covered by the industrial control protocol mainly include connecting, searching, deleting and reading NC programs, obtaining axis information, obtaining PMC parameter information, and so on.
The execution result is a response message; after the response message is generated, it is returned to the attacker.
By simulating the result of a normal request and returning the corresponding response data, embodiments of the present invention can cope more effectively with the attacker's probing, making the honeypot device harder for the attacker to identify, so that the attacker can be lured into unauthorized access and misled more effectively; the CNC machine tool can be protected in a targeted way according to the attacker's behaviour, and the reliability of security protection can be improved.
On the basis of the embodiments above, after parsing the request, the method further includes: if the industrial control protocol used by the request cannot be determined, performing data capture on the request.
Specifically, the industrial control protocol used by the request cannot be determined when the result of parsing the request matches none of the preset basic protocol formats of the industrial control protocols; the request is then treated as an abnormal data packet.
After an abnormal data packet is found, the attack data of the request can be captured by the data capture module included in the honeypot device.
Data capture is an important step of the honeypot method; its purpose is to enable data analysis. Raw data capture and filtering can be implemented with Tcpdump to complete the data capture.
It will be understood that in embodiments of the present invention the captured attack data, for the part of the function that could not be parsed, is stored in the local database of the honeypot device.
The captured attack data can be analysed; from the analysis results one learns how the attacker attacks the CNC machine tool and what the latest attacks and vulnerabilities launched against CNC machine tools are, so that the CNC machine tool itself can be protected in a targeted way and the reliability of the protection is higher.
By capturing data for abnormal data packets, embodiments of the present invention make it possible to analyse the captured data, so that the CNC machine tool itself can be protected in a more targeted way and the reliability of the protection is higher.
On the basis of the embodiments above, after determining the industrial control protocol that the request uses, the method further includes: if, according to the industrial control protocol, the request is judged to trigger at least one previously discovered vulnerability, performing data capture on the request.
Specifically, if the request triggers any vulnerability, deployed in advance in the honeypot device, of the CNC system that uses the request's industrial control protocol, the attack data of the request can be captured by the data capture module included in the honeypot device.
It will be understood that in embodiments of the present invention the captured attack data, for the part of the function that could not be parsed, is stored in the local database of the honeypot device.
The captured attack data can be analysed; from the analysis results one learns how the attacker attacks the CNC machine tool and what the latest attacks and vulnerabilities launched against CNC machine tools are, so that the CNC machine tool itself can be protected in a targeted way and the reliability of the protection is higher.
By capturing data for requests that trigger vulnerabilities, embodiments of the present invention make it possible to analyse the captured data, so that the CNC machine tool itself can be protected in a more targeted way and the reliability of the protection is higher.
On the basis of the embodiments above, after judging whether the request is a probe request, the method further includes: performing data capture on the request.
Specifically, if the request is judged to be a probe request, the attack data of the request can be captured by the data capture module included in the honeypot device.
It will be understood that in embodiments of the present invention the captured attack data, for the part of the function that could not be parsed, is stored in the local database of the honeypot device.
The captured attack data can be analysed; from the analysis results one learns how the attacker attacks the CNC machine tool and what the latest attacks and vulnerabilities launched against CNC machine tools are, so that the CNC machine tool itself can be protected in a targeted way and the reliability of the protection is higher.
By capturing data for probe requests, embodiments of the present invention make it possible to analyse the captured data, so that the CNC machine tool itself can be protected in a more targeted way and the reliability of the protection is higher.
Based on the embodiments described above, after the request initiated to the numerically controlled machine tool is obtained, the method further includes logging the request.
Specifically, to ease the analysis of requests, after a request is obtained the logger module of the honeypot device records a log for it, generating the corresponding log entry at each processing step of the request.
While the honeypot device serves the function the attacker requested, it stores the request data separately in the form of a log and of a data packet: the log is processed and displayed by the analysis module, and the data packet is left for research staff to analyse afterwards.
Logging is done so that requests can be analysed and displayed more conveniently.
A log record can be a tuple of timestamp, grade (int), request category (int) and details (request source, request message and returned message). For efficiency, the log module of the honeypot device can extract only the application-layer data as the request and returned message information.
For example, the log format is as follows:
{
  Timestamp: ...,
  Message grade: 0/1/2 (the values correspond to Normal/Medium/Serious),
  Request category: 0-32 (corresponding to the 32 function classes),
  Details:
    Source: (ip, port),
    request_data: 'a0a0a0a0..',
    response_data: 'a0a0a0a0..'
}
One log file and one pcap packet file can be generated per preset time period (for example, daily) and named by date. The log is handed to the ELK log analysis and display module for analysis and display, while the pcap file is left to researchers, who further extract attack signatures from it, replay them in experiments, verify whether they belong to an undiscovered vulnerability, and report it in time.
The pcap file is the attack data captured for the requests obtained during that time period.
The three open-source tools Elasticsearch (E), Logstash (L) and Kibana (K) can be used to build a complete solution for log collection, analysis and display; the log analysis and display module of the honeypot device uses it to display and analyse the logs. Because it is built on these three tools, the log analysis and display module is also called the ELK log analysis and display module.
It should be noted that after the traffic of the attacker's unauthorized access has been screened and classified, requests of greater threat can additionally be marked with an alarm flag; when logging, an alarm is raised according to that flag so that measures can be taken in time to stop the attacker from doing further damage.
Because the embodiment of the present invention logs requests, the logs can be analysed and displayed, the requests are better understood, and the numerically controlled machine tool itself can be protected in a more targeted way, with higher reliability.
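As an added illustration (not the patent's own code), the following Python builds log records in the format given above, flags the serious ones for alarm, and groups them into the daily, date-named log files the page describes. The JSON Lines encoding, the file extensions, the alarm rule and the sample records are assumptions.

```python
"""Log records and daily rotation for the honeypot logger described above.

Added example, not code from the patent. The record layout follows the page
(timestamp, grade 0/1/2, request category 0-32, details with source and
hex-encoded request/response data); JSON Lines encoding, file naming,
the alarm rule and the sample records are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

GRADES = {0: "Normal", 1: "Medium", 2: "Serious"}
SERIOUS = 2


def make_log_record(ts: datetime, grade: int, category: int,
                    source: tuple, request: bytes, response: bytes) -> dict:
    """Build one record and validate the grade and category ranges from the page.

    Only application-layer bytes are logged, hex-encoded as in the page's example.
    """
    if grade not in GRADES:
        raise ValueError(f"grade must be 0/1/2, got {grade}")
    if not 0 <= category <= 32:
        raise ValueError(f"request category must be in 0-32, got {category}")
    return {
        "timestamp": ts.isoformat(),
        "grade": grade,
        "category": category,
        "details": {
            "source": list(source),          # (ip, port)
            "request_data": request.hex(),
            "response_data": response.hex(),
        },
    }


def needs_alarm(record: dict) -> bool:
    """Alarm flag for high-threat requests; assumed rule: grade Serious."""
    return record["grade"] == SERIOUS


def daily_file_names(ts: datetime) -> tuple:
    """One log file and one pcap file per day, both named by date (assumed extensions)."""
    day = ts.strftime("%Y-%m-%d")
    return f"{day}.log", f"{day}.pcap"


def rotate_daily(records: list) -> dict:
    """Group records into per-day JSON Lines payloads keyed by log file name."""
    files = defaultdict(list)
    for rec in records:
        day = datetime.fromisoformat(rec["timestamp"])
        log_name, _pcap_name = daily_file_names(day)
        files[log_name].append(json.dumps(rec, sort_keys=True))
    return {name: "\n".join(lines) + "\n" for name, lines in files.items()}


# Constructed sample records: two requests on one day, one on the next.
SAMPLE_RECORDS = [
    make_log_record(datetime(2021, 1, 5, 8, 0, tzinfo=timezone.utc), 0, 3,
                    ("198.51.100.7", 40001), b"\x01\x03\xaa", b"\x01\x03\x00\xaa"),
    make_log_record(datetime(2021, 1, 5, 8, 5, tzinfo=timezone.utc), 2, 31,
                    ("198.51.100.7", 40002), b"\x01\x7f\x00", b""),
    make_log_record(datetime(2021, 1, 6, 9, 0, tzinfo=timezone.utc), 1, 0,
                    ("203.0.113.9", 51000), b"", b""),
]

if __name__ == "__main__":
    for name, body in rotate_daily(SAMPLE_RECORDS).items():
        print(name, body, sep="\n")
    print("alarms:", [r["timestamp"] for r in SAMPLE_RECORDS if needs_alarm(r)])
```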
Fig. 2 is a schematic structural diagram of the honeypot device for a numerically controlled machine tool provided by an embodiment of the present invention. Based on the embodiments described above, as shown in Fig. 2, the device includes a fingerprint simulation module 201, a protocol interaction module 202 and a vulnerability deployment module 203, where:
the fingerprint simulation module 201 obtains the request that a request source initiates to the numerically controlled machine tool and judges whether the request is a probe request;
the protocol interaction module 202 parses the request if it is not a probe request and determines the industrial control protocol the request uses;
the vulnerability deployment module 203 does not respond to the request if, judged according to the industrial control protocol, the request triggers at least one pre-discovered vulnerability.
Specifically, the fingerprint simulation module 201 obtains the attacker's request by listening on each of the pre-selected ports described above, analyses the TCP header and payload of the request, and judges whether it is a probe request or a normal request.
The protocol interaction module 202 matches the application-layer data of the request against a fixed field (for example, a fixed field defined as a type field) to tell the different industrial control protocols apart, and thereby determines the industrial control protocol the request uses.
The vulnerability deployment module 203 judges, according to that industrial control protocol, whether the request triggers any of the at least one pre-discovered vulnerability of numerical control systems that use the protocol. If the attack is one of those vulnerabilities and would trigger it, the vulnerability deployment module 203 returns no result to the attacker: it sends no response message and stops providing the TCP service on that connection, simulating a crash of the numerically controlled machine tool.
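The following Python is an added example, not code from the patent, that runs one request through the three modules in the order described: probe check, protocol identification by a fixed type field, then the vulnerability check that withholds any reply and drops the TCP service. The one-byte type field, the probe heuristic, the placeholder vulnerability table, the canned probe replies and the response format are constructed assumptions.

```python
"""Request-handling pipeline of the honeypot device described above.

Added example, not code from the patent. The one-byte type field, the
probe heuristic, the canned probe replies and the table of
'pre-discovered vulnerabilities' are constructed placeholders standing
in for whatever a real deployment would use.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: the fixed 'type field' is byte 0 of the application-layer data
# and selects the industrial control protocol.
PROTOCOL_BY_TYPE_FIELD = {0x01: "proto-A", 0x02: "proto-B"}

# Constructed placeholder for the vulnerability deployment module's table of
# pre-discovered vulnerabilities, keyed by (protocol, function code).
DEPLOYED_VULNS = {("proto-A", 0x7F), ("proto-B", 0x10)}

# Constructed: canned fingerprint replies per probe type (claim 2: answer a
# probe request according to its probe type).
PROBE_REPLIES = {"empty": b"", "banner-grab": b"CNC controller (placeholder banner)\r\n"}


@dataclass
class Decision:
    kind: str              # "probe", "unknown-protocol", "vuln-triggered" or "service"
    protocol: Optional[str]
    respond: bool          # False: send nothing and drop the TCP service (simulated crash)
    response: bytes
    capture: bool          # True: hand the raw request to the data capture module


def classify_probe(payload: bytes) -> Optional[str]:
    """Fingerprint simulation module: probe type, or None for a normal request.

    Assumed heuristic: an empty payload or a pure-ASCII text payload is a
    scanner probe; anything else is treated as a protocol request.
    """
    if not payload:
        return "empty"
    if all(32 <= b < 127 or b in (0x0D, 0x0A) for b in payload):
        return "banner-grab"
    return None


def parse_protocol(payload: bytes) -> Optional[tuple]:
    """Protocol interaction module: (protocol, function code, data) or None."""
    if len(payload) < 2:
        return None
    protocol = PROTOCOL_BY_TYPE_FIELD.get(payload[0])
    if protocol is None:
        return None
    return protocol, payload[1], payload[2:]


def handle_request(payload: bytes) -> Decision:
    """Run one request through the three modules in the order the patent gives."""
    probe = classify_probe(payload)
    if probe is not None:
        # Probe: reply with a simulated fingerprint and capture the request (claim 6).
        return Decision("probe", None, True, PROBE_REPLIES[probe], capture=True)
    parsed = parse_protocol(payload)
    if parsed is None:
        # Protocol not determined: capture only (claim 4); no reply is an assumption here.
        return Decision("unknown-protocol", None, False, b"", capture=True)
    protocol, function_code, data = parsed
    if (protocol, function_code) in DEPLOYED_VULNS:
        # Vulnerability triggered: no reply, connection dropped, data captured (claim 5).
        return Decision("vuln-triggered", protocol, False, b"", capture=True)
    # Normal service: return a simulated execution result (claim 3). Constructed
    # format: type field, function code, status 0x00, echoed data.
    return Decision("service", protocol, True,
                    bytes([payload[0], function_code, 0x00]) + data, capture=False)
```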
The honeypot device for a numerically controlled machine tool provided by the embodiment of the present invention is used to execute the honeypot method for a numerically controlled machine tool provided by the embodiments above; the specific methods and procedures by which its modules realize their functions are described in detail in those method embodiments and are not repeated here.
The honeypot device is used for the honeypot method of the foregoing embodiments; therefore, the descriptions and definitions in the method embodiments can be used to understand each execution module in this embodiment.
By having the honeypot device simulate a real numerically controlled machine tool's response to a request, the embodiment of the present invention can effectively induce the attacker's unauthorized access and confuse the attacker, can protect the numerically controlled machine tool in a targeted way according to the attacker's attack, and can improve the reliability of security protection.
Fig. 3 is a structural block diagram of an electronic device provided by an embodiment of the present invention. Based on the embodiments above, as shown in Fig. 3, the electronic device may include a processor 301, a memory 302 and a bus 303, where the processor 301 and the memory 302 communicate with each other through the bus 303. The processor 301 calls computer program instructions stored in the memory 302 and runnable on the processor 301 to execute the honeypot method for a numerically controlled machine tool provided by the method embodiments above, for example: obtaining the request that a request source initiates to the numerically controlled machine tool and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol it uses; and if, judged according to the industrial control protocol, the request triggers at least one pre-discovered vulnerability, not responding to the request.
Another embodiment of the present invention discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium. The computer program comprises program instructions which, when executed by a computer, enable the computer to execute the honeypot method for a numerically controlled machine tool provided by the method embodiments above, for example: obtaining the request that a request source initiates to the numerically controlled machine tool and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol it uses; and if, judged according to the industrial control protocol, the request triggers at least one pre-discovered vulnerability, not responding to the request.
In addition, the logical instructions in the memory 302 may be realized as software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can in essence be embodied as a software product stored in a storage medium and including several instructions that cause a computer device (a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments. The storage medium includes media capable of storing program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk.
Another embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions which cause a computer to execute the honeypot method for a numerically controlled machine tool provided by the method embodiments above, for example: obtaining the request that a request source initiates to the numerically controlled machine tool and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol it uses; and if, judged according to the industrial control protocol, the request triggers at least one pre-discovered vulnerability, not responding to the request.
The device embodiments described above are merely exemplary. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the embodiment, which those of ordinary skill in the art can understand and implement without creative effort.
From the description of the embodiments above, those skilled in the art will clearly understand that each embodiment can be realized by software together with a necessary general-purpose hardware platform, and of course also by hardware. On this understanding, the technical solution above, or the part of it that contributes to the prior art, can in essence be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, including several instructions that cause a computer device (a personal computer, a server, a network device or the like) to execute the method of each embodiment or of certain parts of the embodiments.
Finally, it should be noted that the embodiments above merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in those embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A honeypot method for a numerically controlled machine tool, characterized by comprising:
obtaining a request that a request source initiates to the numerically controlled machine tool, and judging whether the request is a probe request;
if the request is not a probe request, parsing the request and determining the industrial control protocol the request uses;
if, judged according to the industrial control protocol, the request triggers at least one pre-discovered vulnerability, not responding to the request.
2. The honeypot method for a numerically controlled machine tool according to claim 1, characterized in that, after judging whether the request is a probe request, the method further comprises:
if the request is a probe request, obtaining the probe type of the request and generating a response according to the probe type.
3. The honeypot method for a numerically controlled machine tool according to claim 1, characterized in that, after determining the industrial control protocol the request uses, the method further comprises:
if, judged according to the industrial control protocol, the request does not trigger any pre-discovered vulnerability, obtaining the service requested by the request based on the industrial control protocol and returning the execution result of the service as the response to the request.
4. The honeypot method for a numerically controlled machine tool according to claim 1, characterized in that, after parsing the request, the method further comprises:
if the industrial control protocol the request uses cannot be determined, capturing data for the request.
5. The honeypot method for a numerically controlled machine tool according to claim 1, characterized in that, after determining the industrial control protocol the request uses, the method further comprises:
if, judged according to the industrial control protocol, the request triggers at least one of the pre-discovered vulnerabilities, capturing data for the request.
6. The honeypot method for a numerically controlled machine tool according to claim 1, characterized in that, after judging whether the request is a probe request, the method further comprises:
capturing data for the request.
7. The honeypot method for a numerically controlled machine tool according to any one of claims 1 to 6, characterized in that, after obtaining the request initiated to the numerically controlled machine tool, the method further comprises:
logging the request.
8. A honeypot device for a numerically controlled machine tool, characterized by comprising:
a fingerprint simulation module, for obtaining a request that a request source initiates to the numerically controlled machine tool and judging whether the request is a probe request;
a protocol interaction module, for parsing the request if it is not a probe request and determining the industrial control protocol the request uses;
a vulnerability deployment module, for not responding to the request if, judged according to the industrial control protocol, the request triggers at least one pre-discovered vulnerability.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, realizes the steps of the honeypot method for a numerically controlled machine tool according to any one of claims 1 to 7.
10. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, realizes the steps of the honeypot method for a numerically controlled machine tool according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201910435072.1A CN110351237B (en) | 2019-05-23 | 2019-05-23 | Honeypot method and device for numerical control machine tool
Publications (2)
Publication Number | Publication Date
---|---
CN110351237A (en) | 2019-10-18
CN110351237B (en) | 2020-07-10
Family ID: 68174302
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication | 
 | SE01 | Entry into force of request for substantive examination | 
 | GR01 | Patent grant | 