CN110365717A - Industrial intrusion detection method and system based on the HART-IP protocol - Google Patents

Publication number
CN110365717A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910800364.0A
Other languages
Chinese (zh)
Inventor
张彦
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The present invention provides an industrial intrusion detection method and system based on the HART-IP protocol, applied to an industrial control system. The method includes: acquiring HART-IP protocol traffic data in the industrial control system; parsing the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol; obtaining normal working information of the industrial control system; and judging, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data. The present invention alleviates the technical problem in the prior art that the monitoring process for protocol-compliant attacks in industrial control protection systems is inefficient.

Description

Industrial intrusion detection method and system based on the HART-IP protocol
Technical field
The present invention relates to the field of industrial control system security technology, and in particular to an industrial intrusion detection method and system based on the HART-IP protocol.
Background
In industrial networks, a common attack method is to send non-compliant protocol fields, which puts industrial control devices such as PLCs into an abnormal operating state and causes a plant shutdown or equipment damage, thereby achieving the purpose of the attack. In the new industrial era, however, attacks on industrial control systems no longer send non-compliant protocol fields or instructions to push a device into an exception-handling state. Instead, they send normal protocol fields or instructions that put the device into a condition that does not fit the current industrial system. For example, the temperature of a device is adjusted so that it fluctuates, or the conveyor belt speed is increased, leaving the industrial control system in a paralyzed working state.
Traditional industrial control protection systems all monitor protocol compliance and lack effective means of detecting protocol-compliant attacks. Some emerging industrial control intrusion monitoring systems can, for some protocols, parse the industrial control protocol in depth and define value ranges for its fields, and use these to cope with attacks that use compliant instructions (for example, when the temperature is raised, an alarm is triggered because the temperature value exceeds the configured setting). However, these prior-art monitoring systems have the following technical problem: the monitoring requires technicians to communicate with the plant, understand the value ranges in the context of the plant environment, and then write the corresponding rules. This is time-consuming and labor-intensive and requires coordination with plant personnel, which leads to the technical problem of an inefficient intrusion detection process.
Summary of the invention
In view of this, the purpose of the present invention is to provide an industrial intrusion detection method and system based on the HART-IP protocol, so as to alleviate the technical problem in the prior art that the detection process for protocol-compliant attacks in industrial control protection systems is inefficient.
In a first aspect, an embodiment of the present invention provides an industrial intrusion detection method based on the HART-IP protocol, applied to an industrial control system, including: acquiring HART-IP protocol traffic data in the industrial control system; parsing the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol, the target instruction information including a target instruction type and a target instruction parameter; obtaining normal working information of the industrial control system, the normal working information including multiple normal instruction types and multiple normal instruction parameter ranges, where each normal instruction type corresponds to one normal instruction parameter range; and judging, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
Further, judging whether the HART-IP protocol traffic data is abnormal data based on the target instruction information and the normal working information further includes: if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, judging that the HART-IP protocol traffic data is abnormal data; if the target instruction type is found among the multiple normal instruction types and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, judging that the HART-IP protocol traffic data is normal data.
Further, after judging whether the HART-IP protocol traffic data is abnormal data based on the target instruction information and the normal working information, the method further includes: if the HART-IP protocol traffic data is judged to be normal data, storing the HART-IP protocol traffic data in a storage device.
Further, after judging whether the HART-IP protocol traffic data is abnormal data based on the target instruction information and the normal working information, the method further includes: if the HART-IP protocol traffic data is judged to be abnormal data, issuing an alarm signal.
Further, after parsing the HART-IP protocol traffic data to obtain the target instruction information based on the HART-IP protocol, the method further includes: judging whether the instruction information conforms to the protocol instruction specification of the industrial control system; and if the instruction information does not conform to the protocol instruction specification of the industrial control system, judging that the HART-IP protocol traffic data is abnormal data.
In a second aspect, an embodiment of the present invention further provides an industrial intrusion monitoring system based on the HART-IP protocol, applied to an industrial control system, including an acquisition module, a parsing module, an obtaining module and a judgment module, where: the acquisition module is configured to acquire HART-IP protocol traffic data in the industrial control system; the parsing module is configured to parse the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol, the target instruction information including a target instruction type and a target instruction parameter; the obtaining module is configured to obtain normal working information of the industrial control system, the normal working information including multiple normal instruction types and multiple normal instruction parameter ranges, where each normal instruction type corresponds to one normal instruction parameter range; and the judgment module is configured to judge, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
Further, the judgment module is also configured to: if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, judge that the HART-IP protocol traffic data is abnormal data; if the target instruction type is found among the multiple normal instruction types and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, judge that the HART-IP protocol traffic data is normal data.
Further, the industrial intrusion monitoring system also includes an alarm module, configured to issue an alarm signal if the HART-IP protocol traffic data is judged to be abnormal data.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable medium having non-volatile program code executable by a processor, where the program code causes the processor to execute the method of the first aspect.
The present invention provides an industrial intrusion detection method and system based on the HART-IP protocol, applied to an industrial control system. HART-IP protocol traffic data in the industrial control system is acquired and parsed to obtain target instruction information based on the HART-IP protocol; the normal working information of the industrial control system is obtained at the same time; finally, whether the HART-IP protocol traffic data is abnormal data is judged based on the target instruction information and the normal working information. This alleviates the technical problem in the prior art that the monitoring process for protocol-compliant attacks in industrial control protection systems is inefficient.
Brief description of the drawings
In order to explain the specific embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an industrial intrusion detection method based on the HART-IP protocol provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another industrial intrusion detection method based on the HART-IP protocol provided by an embodiment of the present invention;
Fig. 3 is a flowchart of data collection provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of an industrial intrusion detection system based on the HART-IP protocol provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of another industrial intrusion detection system based on the HART-IP protocol provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of an audit and monitoring platform provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment 1:
The arrival of "Industry 4.0" and the proposal of the "Made in China 2025" action plan have accelerated the integration of industrialization and informatization in China and improved social production efficiency. At the same time, more and more industrial control devices that originally worked in closed environments have been exposed to the Internet and are directly subject to attacks and threats from it. Compared with traditional information security, the consequences of industrial control system security problems are often more serious, even catastrophic, such as large-scale production stoppages, casualties, and damage to equipment and the environment.
Existing industrial protection systems mainly have the following problems:
(1) Industrial system protection is based entirely on monitoring protocol compliance. The attacks this addresses are comparatively outdated; current attacks are based on instruction operations, which can leave the industrial control system unable to work normally and damage its environment;
(2) Against protocol-compliant attacks on industrial systems, existing protection relies on technicians defining the normal range of specific protocol fields, which is time-consuming and laborious. Most plant technicians do not know the normal parameters of these fields, so there may be omissions or setting deviations, and intrusion attacks cannot be identified correctly;
(3) Existing industrial protection systems do not yet include a method or system for parsing the HART-IP protocol, which causes important industrial control system data to be missed.
Therefore, a new industrial protection system needs to identify the plant environment intelligently and to identify attacks that use abnormal instructions intelligently. In view of this, an embodiment of the present invention provides an industrial intrusion detection method based on the HART-IP protocol.
Fig. 1 is a flowchart of an industrial intrusion detection method based on the HART-IP protocol provided according to an embodiment of the present invention, applied to an industrial control system. As shown in Fig. 1, the method specifically includes the following steps:
Step S102: acquire the HART-IP protocol traffic data in the industrial control system.
Step S104: parse the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol; the target instruction information includes a target instruction type and a target instruction parameter.
For example, deep parsing is performed on the HART-IP protocol traffic data, and the resulting target instruction information is a parameter-setting instruction for a target device in the industrial control system, together with the specific parameter being set.
Step S106: obtain the normal working information of the industrial control system; the normal working information includes multiple normal instruction types and multiple normal instruction parameter ranges, where each normal instruction type corresponds to one normal instruction parameter range.
Optionally, the normal working information of the industrial control system over a period of time is obtained. For example, the working information of the industrial control system under normal operation during one week is obtained, where the working information includes the instruction types received during that week (i.e. the normal instruction types) and the fluctuation range of the instruction parameter corresponding to each instruction type during that week (i.e. the multiple normal instruction parameter ranges).
Step S108: judge, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
Specifically, if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, the HART-IP protocol traffic data is judged to be abnormal data.
For example, if the target instruction type is not found among the multiple normal instruction types, the HART-IP protocol traffic data is judged to be abnormal data; or, if the target instruction type is found among the multiple normal instruction types but the target instruction parameter corresponding to the target instruction type exceeds the normal instruction parameter range, the HART-IP protocol traffic data is judged to be abnormal data.
Specifically, the HART-IP protocol traffic data is judged to be normal data only when both conditions hold at the same time: the target instruction type is found among the multiple normal instruction types, and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter.
The present invention provides an industrial intrusion detection method based on the HART-IP protocol. HART-IP protocol traffic data in the industrial control system is acquired and parsed to obtain target instruction information based on the HART-IP protocol; the normal working information of the industrial control system is obtained at the same time; finally, whether the HART-IP protocol traffic data is abnormal data is judged based on the target instruction information and the normal working information. This alleviates the technical problem in the prior art that the monitoring process for protocol-compliant attacks in industrial control protection systems is inefficient.
Optionally, after the target instruction information is obtained in step S104, the embodiment of the present invention also includes a monitoring process for non-compliant attacks in the industrial control protection system, which specifically includes the following steps:
judging whether the instruction information conforms to the protocol instruction specification of the industrial control system;
if the instruction information does not conform to the protocol instruction specification of the industrial control system, judging that the HART-IP protocol traffic data is abnormal data and issuing an alarm signal at the same time.
Optionally, after step S108, the method provided by the embodiment of the present invention further includes:
Step S110: if the HART-IP protocol traffic data is judged to be normal data, store the HART-IP protocol traffic data in a storage device.
Step S112: if the HART-IP protocol traffic data is judged to be abnormal data, issue an alarm signal.
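Steps S102 to S112, including the optional compliance check, as an added Python example that is not code from the patent. It works on already-parsed records rather than on the HART-IP wire format; the record layout, the keying of the baseline by device and instruction type, the compliance rules, and all command numbers and addresses are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

NORMAL = "normal"
NON_COMPLIANT = "alarm: instruction violates protocol rules"
UNKNOWN_TYPE = "alarm: instruction type not in baseline"
OUT_OF_RANGE = "alarm: parameter outside normal range"


@dataclass(frozen=True)
class Instruction:
    """One parsed instruction (assumed record layout, not the HART-IP wire format)."""
    device_ip: str                 # device the instruction is addressed to
    command: int                   # target instruction type
    value: Optional[float] = None  # target instruction parameter, if it carries one


def is_compliant(ins: Instruction) -> bool:
    """Stand-in compliance check; real rules come from the protocol specification."""
    if not 0 <= ins.command <= 0xFFFF:
        return False
    return ins.value is None or math.isfinite(ins.value)


@dataclass
class Baseline:
    """Normal working information: one parameter range per (device, instruction type)."""
    ranges: Dict[Tuple[str, int], Optional[Tuple[float, float]]] = field(default_factory=dict)

    def learn(self, records: Iterable[Instruction]) -> None:
        """Build the ranges from traffic captured during normal operation (S106)."""
        for ins in records:
            if not is_compliant(ins):
                continue  # malformed records (e.g. NaN) must not widen the baseline
            key = (ins.device_ip, ins.command)
            old = self.ranges.get(key)
            if ins.value is None:
                self.ranges.setdefault(key, None)   # type seen, no parameter
            elif old is None:
                self.ranges[key] = (ins.value, ins.value)
            else:
                self.ranges[key] = (min(old[0], ins.value), max(old[1], ins.value))

    def judge(self, ins: Instruction) -> str:
        """Classify one target instruction: compliance check, then S108."""
        if not is_compliant(ins):
            return NON_COMPLIANT
        key = (ins.device_ip, ins.command)
        if key not in self.ranges:
            return UNKNOWN_TYPE
        if ins.value is None:
            return NORMAL
        rng = self.ranges[key]
        if rng is None or not rng[0] <= ins.value <= rng[1]:
            return OUT_OF_RANGE
        return NORMAL


def monitor(baseline: Baseline, traffic: Iterable[Instruction]):
    """Store normal records (S110) and collect alarms for abnormal ones (S112)."""
    stored: List[Instruction] = []
    alarms: List[Tuple[Instruction, str]] = []
    for ins in traffic:
        verdict = baseline.judge(ins)
        if verdict == NORMAL:
            stored.append(ins)
        else:
            alarms.append((ins, verdict))
    return stored, alarms


# Constructed sample data: command 140 stands for a setpoint write, 3 for a read.
NORMAL_WEEK = [
    Instruction("192.0.2.10", 140, 58.0),
    Instruction("192.0.2.10", 140, 61.5),
    Instruction("192.0.2.10", 140, 60.2),
    Instruction("192.0.2.10", 3),
]
LIVE_TRAFFIC = [
    Instruction("192.0.2.10", 140, 60.0),          # inside the learned range
    Instruction("192.0.2.10", 140, 95.0),          # compliant, but far too high
    Instruction("192.0.2.10", 141, 1.0),           # type never seen for this device
    Instruction("192.0.2.11", 140, 60.0),          # device never seen in the baseline
    Instruction("192.0.2.10", 140, float("nan")),  # fails the compliance check
    Instruction("192.0.2.10", 3),                  # known type without a parameter
]


def demo():
    baseline = Baseline()
    baseline.learn(NORMAL_WEEK)
    return monitor(baseline, LIVE_TRAFFIC)


if __name__ == "__main__":
    stored, alarms = demo()
    for ins, verdict in alarms:
        print(ins, "->", verdict)
```

A min/max baseline accepts anything that was observed while it was being learned, so the learning window has to be traffic that is known to be clean.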
Optionally, Fig. 2 shows another industrial intrusion detection method based on the HART-IP protocol provided according to an embodiment of the present invention. As shown in Fig. 2, the method includes:
Step S21: obtain the HART-IP protocol traffic entering the industrial control system for monitoring and audit.
Step S22: parse the HART-IP protocol traffic in the industrial system to obtain the instruction based on the HART-IP protocol.
Step S23: judge whether the instruction is compliant; if so, execute step S24; if not, execute step S26.
Step S24: further judge whether the instruction fits the current industrial control environment; if so, execute step S25; if not, execute step S26.
Step S25: obtain the working state of the devices in the current industrial system and judge whether the working state of the devices in the industrial system is normal; if so, execute step S26; if not, execute step S27.
Step S26: issue alarm information and end the detection process directly.
Step S27: judge that the current system traffic is normal, record all protocol data information in the database, and end the detection process.
Optionally, before the monitoring method steps shown in Fig. 2 are carried out, the method further includes a data collection process. Its flowchart is shown in Fig. 3, and the collection process includes the following steps:
Step S31: collect the HART-IP protocol traffic data in the industrial system.
Step S32: parse the HART-IP protocol traffic in the industrial system to obtain data such as the device's IP address, MAC address and instructions.
Step S33: store the data such as the device's IP address, MAC address and instructions in the database.
Step S34: the data collection phase ends.
As can be seen from the above description, the industrial intrusion detection method based on the HART-IP protocol provided by the embodiment of the present invention applies protective measures against intrusions into industrial control systems that use the HART-IP protocol, and specifically covers two aspects: non-compliant attacks on the HART-IP protocol; and attacks that comply with the HART-IP protocol but are not normal operating behavior of the industrial control system.
For non-compliant attacks, the judgment and the alarm are made at the instruction parsing layer, which achieves the purpose of protection.
For attacks that are compliant but are not operating behavior of the industrial control system: when an instruction is observed being issued, the instruction code and the IP information of the deployment (i.e. the target instruction information) are matched against the instruction information previously collected in the MySQL database (i.e. the normal working information). If the instruction operation is found not to be suitable for the current industrial control system, alarm information is issued (for example, the device temperature is deliberately raised, the rotation speed is increased, or important process equipment is stopped). To avoid gaps in monitoring, in case an industrial control device is attacked and behaves abnormally as a result, the method also, when collecting device information, combines it with the common asset parameter and device information in MySQL to judge whether the asset has been subjected to an intrusion attack.
Embodiment 2:
Fig. 4 is a schematic diagram of an industrial intrusion monitoring system based on the HART-IP protocol provided according to an embodiment of the present invention, applied to an industrial control system. Specifically, as shown in Fig. 4, the system includes: an acquisition module 10, a parsing module 20, an obtaining module 30 and a judgment module 40.
Specifically, the acquisition module 10 is configured to acquire the HART-IP protocol traffic data in the industrial control system.
The parsing module 20 is configured to parse the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol; the target instruction information includes a target instruction type and a target instruction parameter.
The obtaining module 30 is configured to obtain the normal working information of the industrial control system. The normal working information includes multiple normal instruction types and multiple normal instruction parameter ranges, and each normal instruction type corresponds to one normal instruction parameter range.
The judgment module 40 is configured to judge, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
Specifically, if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, the HART-IP protocol traffic data is judged to be abnormal data.
Specifically, if the target instruction type is found among the multiple normal instruction types and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, the HART-IP protocol traffic data is judged to be normal data.
The embodiment of the present invention provides an industrial intrusion monitoring system based on the HART-IP protocol. The acquisition module 10 acquires the HART-IP protocol traffic data in the industrial control system; the parsing module 20 parses the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol; the obtaining module 30 obtains the normal working information of the industrial control system; finally, the judgment module 40 judges, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data. This alleviates the technical problem in the prior art that the monitoring process for protocol-compliant attacks in industrial control protection systems is inefficient.
Optionally, Fig. 5 shows another industrial intrusion detection system based on the HART-IP protocol provided according to an embodiment of the present invention. As shown in Fig. 5, the system further includes an alarm module 50, configured to issue an alarm signal if the HART-IP protocol traffic data is judged to be abnormal data.
Optionally, as shown in Fig. 5, the system further includes a storage module 60, configured to store the HART-IP protocol traffic data in a storage device if the HART-IP protocol traffic data is judged to be normal data.
Embodiment 3:
Fig. 6 is a schematic diagram of an audit and monitoring platform provided according to an embodiment of the present invention. The industrial intrusion monitoring system based on the HART-IP protocol provided in Embodiment 2 above is installed on the audit and monitoring platform. As shown in Fig. 6, the audit and monitoring platform is connected to the industrial control system. Specifically, the audit and monitoring platform is deployed in bypass mode on the industrial control system and is connected to the control network in the industrial control system through a switch.
Specifically, one audit and monitoring platform is deployed in bypass mode at each industrial switch in the industrial system control network, and each audit and monitoring platform receives, through the switch's mirror port, a copy of all network traffic passing through that switch. Because each audit and monitoring platform is deployed in bypass mode and the audit probe only receives network traffic, the audit and monitoring platform provided by the embodiment of the present invention does not generate any interfering messages on the industrial system control network and therefore has no effect on the industrial production process.
Optionally, the audit and monitoring platform provided by the embodiment of the present invention mainly targets traffic based on the HART-IP protocol, but it can also support traffic monitoring for industrial protocols such as Modbus, IEC-104 and Profinet.
An embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method in Embodiment 1 above when executing the computer program.
An embodiment of the present invention further provides a computer-readable medium having non-volatile program code executable by a processor, where the program code causes the processor to execute the method in Embodiment 1 above.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be equivalently replaced; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An industrial intrusion detection method based on the HART-IP protocol, characterized in that it is applied to an industrial control system and comprises:
Obtaining HART-IP protocol traffic data in the industrial control system;
Parsing the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol, the target instruction information comprising a target instruction type and a target instruction parameter;
Obtaining normal operation information of the industrial control system, the normal operation information comprising a plurality of normal instruction types and a plurality of normal instruction parameter ranges, wherein each normal instruction type corresponds to one normal instruction parameter range;
Judging, based on the target instruction information and the normal operation information, whether the HART-IP protocol traffic data is abnormal data.
2. The method according to claim 1, characterized in that judging, based on the target instruction information and the normal operation information, whether the HART-IP protocol traffic data is abnormal data comprises:
If the target instruction type is not found among the plurality of normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, judging that the HART-IP protocol traffic data is abnormal data;
If the target instruction type is found among the plurality of normal instruction types, and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, judging that the HART-IP protocol traffic data is normal data.
3. The method according to claim 2, characterized in that, after judging, based on the target instruction information and the normal operation information, whether the HART-IP protocol traffic data is abnormal data, the method further comprises:
If the HART-IP protocol traffic data is judged to be normal data, storing the HART-IP protocol traffic data in a storage device.
4. The method according to claim 2, characterized in that, after judging, based on the target instruction information and the normal operation information, whether the HART-IP protocol traffic data is abnormal data, the method further comprises:
If the HART-IP protocol traffic data is judged to be abnormal data, issuing an alarm signal.
5. The method according to claim 1, characterized in that, after parsing the HART-IP protocol traffic data to obtain the target instruction information based on the HART-IP protocol, the method further comprises:
Judging whether the instruction information conforms to the protocol instruction rules of the industrial control system;
If the instruction information is judged not to conform to the protocol instruction rules of the industrial control system, judging that the HART-IP protocol traffic data is abnormal data.
6. An industrial intrusion detection system based on the HART-IP protocol, characterized in that it is applied to an industrial control system and comprises an acquisition module, a parsing module, an obtaining module and a judgment module, wherein:
The acquisition module is configured to obtain HART-IP protocol traffic data in the industrial control system;
The parsing module is configured to parse the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol, the target instruction information comprising a target instruction type and a target instruction parameter;
The obtaining module is configured to obtain normal operation information of the industrial control system, the normal operation information comprising a plurality of normal instruction types and a plurality of normal instruction parameter ranges, wherein each normal instruction type corresponds to one normal instruction parameter range;
The judgment module is configured to judge, based on the target instruction information and the normal operation information, whether the HART-IP protocol traffic data is abnormal data.
7. The industrial intrusion detection system according to claim 6, characterized in that the judgment module is further configured to:
If the target instruction type is not found among the plurality of normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, judge that the HART-IP protocol traffic data is abnormal data;
If the target instruction type is found among the plurality of normal instruction types, and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, judge that the HART-IP protocol traffic data is normal data.
8. The industrial intrusion detection system according to claim 7, characterized in that the industrial intrusion detection system further comprises an alarm module configured to issue an alarm signal if the HART-IP protocol traffic data is judged to be abnormal data.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 5.
10. A computer-readable medium having non-volatile program code executable by a processor, characterized in that the program code causes the processor to execute the method according to any one of claims 1 to 5.
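The decision flow of claims 1, 2 and 5, sketched as an added example that is not code from the patent. The HART-IP header and long-frame layout used by the parser, the command numbers, and the baseline ranges are assumptions of this example (constructed values); the claims do not specify them.

```python
import struct
from functools import reduce

# Constructed baseline: command -> None (no parameter check) or (data format, low, high)
NORMAL = {
    1: None,                      # read primary variable (assumed numbering)
    3: None,                      # read dynamic variables (assumed numbering)
    35: (">xff", 0.0, 150.0),     # write range values: units byte, upper, lower
}

def xor(data: bytes) -> int:
    return reduce(lambda a, b: a ^ b, data, 0)

def parse_hart_ip(pkt: bytes):
    """Return (command, data) of a token-passing request; ValueError if malformed."""
    if len(pkt) < 8:
        raise ValueError("short header")
    version, msg_type, msg_id, _status, _seq, length = struct.unpack(">BBBBHH", pkt[:8])
    if (version, msg_type, msg_id) != (1, 0, 3) or length != len(pkt):
        raise ValueError("unexpected header")
    frame = pkt[8:]
    # Assumed layout: 0x82 delimiter, 5-byte address, command, byte count, data, checksum
    if len(frame) < 9 or frame[0] != 0x82 or len(frame) != 9 + frame[7]:
        raise ValueError("malformed frame")
    if xor(frame[:-1]) != frame[-1]:
        raise ValueError("bad checksum")
    return frame[6], frame[8:-1]

def classify(pkt: bytes) -> str:
    try:
        command, data = parse_hart_ip(pkt)
    except ValueError:
        return "abnormal"                      # fails the protocol rules (claim 5)
    if command not in NORMAL:
        return "abnormal"                      # instruction type not in the baseline
    if NORMAL[command] is None:
        return "normal"
    fmt, low, high = NORMAL[command]
    try:
        values = struct.unpack(fmt, data)
    except struct.error:
        return "abnormal"                      # parameter bytes have the wrong size
    return "normal" if all(low <= v <= high for v in values) else "abnormal"

def build(command: int, data: bytes = b"") -> bytes:
    """Build a constructed sample request; the address bytes are placeholders."""
    frame = bytes([0x82, 0, 0, 0, 0, 1, command, len(data)]) + data
    frame += bytes([xor(frame)])
    return struct.pack(">BBBBHH", 1, 0, 3, 0, 1, 8 + len(frame)) + frame
```

A NaN parameter fails both range comparisons, so it is classified as abnormal rather than slipping past the range check.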
CN201910800364.0A 2019-08-27 2019-08-27 Industrial intrusion detection method and system based on HART-IP agreement Pending CN110365717A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910800364.0A CN110365717A (en) 2019-08-27 2019-08-27 Industrial intrusion detection method and system based on HART-IP agreement

Publications (1)

Publication Number Publication Date
CN110365717A true CN110365717A (en) 2019-10-22

Family

ID=68225422

Country Status (1)

Country Link
CN (1) CN110365717A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191022