CN110365717A - Industrial intrusion detection method and system based on HART-IP protocol - Google Patents
- Publication number
- CN110365717A CN201910800364.0A
- Authority
- CN
- China
- Prior art keywords
- hart
- target word
- target instruction
- instruction target
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention provides an industrial intrusion detection method and system based on the HART-IP protocol, applied to an industrial control system. The method includes: obtaining HART-IP protocol traffic data in the industrial control system; parsing the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol; obtaining normal working information of the industrial control system; and judging, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data. The invention alleviates the prior-art technical problem that detecting compliant attacks (attacks made with protocol-compliant instructions) in industrial control protection systems is inefficient.
Description
Technical field
The present invention relates to the technical field of industrial control system security, and in particular to an industrial intrusion detection method and system based on the HART-IP protocol.
Background art
In industrial networks, a common attack method is to send non-compliant protocol fields, which puts industrial control devices such as PLCs into an abnormal operating state and causes plant shutdown or equipment damage. In the new industrial era, however, attacks on industrial control systems no longer send non-compliant protocol fields or instructions to push a device into its exception-handling stage. Instead, they send normal protocol fields or instructions that put the device into a condition that does not suit the current industrial system. For example, a device's temperature is adjusted so that it fluctuates, or a conveyor belt's speed is increased, leaving the industrial control system in a paralyzed working state.
Traditional industrial control protection systems all monitor protocol compliance and lack effective means of detecting compliant attacks. Emerging industrial control intrusion monitoring systems can, for some protocols, parse the industrial control protocol in depth and define value ranges for fields, and use these ranges to handle attacks made with compliant instructions (for example, when the temperature is raised beyond the configured value, an alarm is triggered). These prior-art monitoring systems nevertheless have the following technical problem: they require technical staff to consult with the plant about its environment, learn the value ranges, and then write the corresponding rules. This is time-consuming and laborious and requires coordination with plant personnel, which makes the intrusion detection process inefficient.
Summary of the invention
In view of this, the purpose of the present invention is to provide an industrial intrusion detection method and system based on the HART-IP protocol, to alleviate the prior-art technical problem that detecting compliant attacks in industrial control protection systems is inefficient.
In a first aspect, an embodiment of the invention provides an industrial intrusion detection method based on the HART-IP protocol, applied to an industrial control system, comprising: obtaining the HART-IP protocol traffic data in the industrial control system; parsing the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol, where the target instruction information includes a target instruction type and a target instruction parameter; obtaining the normal working information of the industrial control system, where the normal working information includes multiple normal instruction types and multiple normal instruction parameter ranges, and each normal instruction type corresponds to one normal instruction parameter range; and judging, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
Further, judging whether the HART-IP protocol traffic data is abnormal data based on the target instruction information and the normal working information also includes: if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, judging that the HART-IP protocol traffic data is abnormal data; if the target instruction type is found among the multiple normal instruction types and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, judging that the HART-IP protocol traffic data is normal data.
Further, after judging whether the HART-IP protocol traffic data is abnormal data based on the target instruction information and the normal working information, the method also includes: if the HART-IP protocol traffic data is judged to be normal data, storing the HART-IP protocol traffic data in a storage device.
Further, after judging whether the HART-IP protocol traffic data is abnormal data based on the target instruction information and the normal working information, the method also includes: if the HART-IP protocol traffic data is judged to be abnormal data, issuing an alarm signal.
Further, after parsing the HART-IP protocol traffic data to obtain the target instruction information based on the HART-IP protocol, the method also includes: judging whether the instruction information complies with the protocol instruction rules of the industrial control system; and, if the instruction information does not comply with the protocol instruction rules of the industrial control system, judging that the HART-IP protocol traffic data is abnormal data.
In a second aspect, an embodiment of the invention also provides an industrial intrusion detection system based on the HART-IP protocol, applied to an industrial control system, comprising: an acquisition module, a parsing module, an obtaining module and a judgment module. The acquisition module is configured to obtain the HART-IP protocol traffic data in the industrial control system. The parsing module is configured to parse the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol, where the target instruction information includes a target instruction type and a target instruction parameter. The obtaining module is configured to obtain the normal working information of the industrial control system, where the normal working information includes multiple normal instruction types and multiple normal instruction parameter ranges, and each normal instruction type corresponds to one normal instruction parameter range. The judgment module is configured to judge, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
Further, the judgment module is also configured to: if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, judge that the HART-IP protocol traffic data is abnormal data; if the target instruction type is found among the multiple normal instruction types and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, judge that the HART-IP protocol traffic data is normal data.
Further, the industrial intrusion detection system also includes an alarm module, configured to issue an alarm signal if the HART-IP protocol traffic data is judged to be abnormal data.
In a third aspect, an embodiment of the invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor implements the steps of the method of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the invention also provides a computer-readable medium carrying non-volatile program code executable by a processor, where the program code causes the processor to execute the method of the first aspect.
The present invention provides an industrial intrusion detection method and system based on the HART-IP protocol, applied to an industrial control system. It obtains the HART-IP protocol traffic data in the industrial control system, parses that data to obtain target instruction information based on the HART-IP protocol, obtains the normal working information of the industrial control system, and finally judges, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data. This alleviates the prior-art technical problem that detecting compliant attacks in industrial control protection systems is inefficient.
Brief description of the drawings
To describe the specific embodiments of the invention or the prior-art technical solutions more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an industrial intrusion detection method based on the HART-IP protocol provided by an embodiment of the invention;
Fig. 2 is a flow chart of another industrial intrusion detection method based on the HART-IP protocol provided by an embodiment of the invention;
Fig. 3 is a flow chart of data acquisition provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of an industrial intrusion detection system based on the HART-IP protocol provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of another industrial intrusion detection system based on the HART-IP protocol provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of an audit and monitoring platform provided by an embodiment of the invention.
Detailed description of the embodiments
The technical solutions of the invention are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
Embodiment one:
The arrival of "Industry 4.0" and the "Made in China 2025" action plan have accelerated the integration of industrialization and informatization in China and improved production efficiency. They have also exposed to the Internet more and more industrial control devices that originally worked in closed environments, directly subjecting them to attacks and threats from the Internet. Compared with traditional information security, the consequences of industrial control system security problems are often more serious, even catastrophic, such as large-scale production stoppages, casualties, and damage to equipment and the environment.
Existing industrial protection systems mainly have the following problems:
(1) Industrial system protection is based entirely on monitoring protocol compliance. Attacks of that kind are relatively outdated; existing attacks are all based on instruction operations that leave the industrial control system unable to work normally or damage its environment;
(2) Existing handling of compliant attacks on industrial systems relies on technical staff defining normal ranges for specific protocol fields, which is time-consuming and laborious. Most plant technicians do not know the normal parameters of the fields, so omissions or setting deviations may occur and intrusions cannot be identified correctly;
(3) Existing industrial protection systems have no method or system for parsing the HART-IP protocol, which leads to important industrial control system data being missed.
Therefore, a new industrial protection system needs to recognize the plant environment intelligently and identify attacks made with abnormal instructions. In view of this, an embodiment of the invention provides an industrial intrusion detection method based on the HART-IP protocol.
Fig. 1 is a flow chart of an industrial intrusion detection method based on the HART-IP protocol provided according to an embodiment of the invention, applied to an industrial control system. As shown in Fig. 1, the method includes the following steps:
Step S102: obtain the HART-IP protocol traffic data in the industrial control system.
Step S104: parse the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol. The target instruction information includes a target instruction type and a target instruction parameter.
For example, after deep parsing of the HART-IP protocol traffic data, the target instruction information obtained is a parameter-setting instruction for a target device in the industrial control system, together with the specific parameter being set.
Step S106: obtain the normal working information of the industrial control system. The normal working information includes multiple normal instruction types and multiple normal instruction parameter ranges, where each normal instruction type corresponds to one normal instruction parameter range.
Optionally, the normal working information of the industrial control system is obtained over a period of time. For example, the working information of the industrial control system during one week of normal operation is obtained, where the working information includes the instruction types received during that week (the normal instruction types) and the fluctuation range of the instruction parameter for each instruction type during that week (the multiple normal instruction parameter ranges).
Step S108: judge, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
Specifically, if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, the HART-IP protocol traffic data is judged to be abnormal data.
For example, if the target instruction type is not found among the multiple normal instruction types, the HART-IP protocol traffic data is judged to be abnormal data. Likewise, if the target instruction type is found among the multiple normal instruction types but the target instruction parameter for that type is outside the normal instruction parameter range, the HART-IP protocol traffic data is judged to be abnormal data.
Specifically, the HART-IP protocol traffic data is judged to be normal data only when both conditions hold at once: the target instruction type is found among the multiple normal instruction types, and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter.
The present invention provides an industrial intrusion detection method based on the HART-IP protocol. It obtains the HART-IP protocol traffic data in the industrial control system, parses that data to obtain target instruction information based on the HART-IP protocol, obtains the normal working information of the industrial control system, and finally judges, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data. This alleviates the prior-art technical problem that detecting compliant attacks in industrial control protection systems is inefficient.
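The learn-then-judge logic of steps S106 to S112, together with the optional protocol-compliance check, as an added example that is not part of the patent text. It assumes the parsing step has already produced records; the `Instruction` fields, the per-device keying by IP address, the verdict names and all sample values are constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Instruction:
    """One parsed instruction (hypothetical output of the parsing step S104)."""
    device_ip: str            # device the instruction is addressed to
    command: int              # target instruction type
    parameter: float          # target instruction parameter
    well_formed: bool = True  # result of the protocol-compliance check


Key = Tuple[str, int]  # (device IP, instruction type)


class Baseline:
    """Normal working information: one parameter range per instruction type."""

    def __init__(self) -> None:
        self.ranges: Dict[Key, Tuple[float, float]] = {}

    def learn(self, records: Iterable[Instruction]) -> None:
        """S106: widen each range to cover what was seen in normal operation."""
        for r in records:
            # Malformed frames and NaN/inf values must never shape the baseline.
            if not r.well_formed or not math.isfinite(r.parameter):
                continue
            key = (r.device_ip, r.command)
            lo, hi = self.ranges.get(key, (r.parameter, r.parameter))
            self.ranges[key] = (min(lo, r.parameter), max(hi, r.parameter))

    def classify(self, ins: Instruction) -> str:
        """S108: return 'normal' or the reason the traffic is abnormal."""
        if not ins.well_formed:
            return "malformed"               # non-compliant instruction
        rng = self.ranges.get((ins.device_ip, ins.command))
        if rng is None:
            return "unknown_instruction"     # type never seen for this device
        lo, hi = rng
        if not (lo <= ins.parameter <= hi):  # NaN fails this test as well
            return "parameter_out_of_range"
        return "normal"


def build_baseline(records: Iterable[Instruction]) -> Baseline:
    baseline = Baseline()
    baseline.learn(records)
    return baseline


def monitor(baseline: Baseline, traffic: Iterable[Instruction]):
    """S110/S112: keep normal traffic, raise an alert for everything else."""
    stored: List[Instruction] = []
    alerts: List[Tuple[Instruction, str]] = []
    for ins in traffic:
        verdict = baseline.classify(ins)
        if verdict == "normal":
            stored.append(ins)
        else:
            alerts.append((ins, verdict))
    return stored, alerts


# Constructed learning window (stands in for one week of normal operation).
LEARNING = [
    Instruction("10.0.0.5", 35, 80.0),
    Instruction("10.0.0.5", 35, 95.0),
    Instruction("10.0.0.5", 35, 88.5),
    Instruction("10.0.0.5", 35, float("nan")),  # ignored while learning
    Instruction("10.0.0.6", 35, 20.0),
    Instruction("10.0.0.6", 35, 25.0),
]

# Constructed live traffic; every frame here may be protocol-compliant.
LIVE = [
    Instruction("10.0.0.5", 35, 90.0),                     # inside learned range
    Instruction("10.0.0.5", 35, 140.0),                    # value raised too far
    Instruction("10.0.0.5", 52, 1.0),                      # type never seen
    Instruction("10.0.0.6", 35, 90.0),                     # fine for .5, not .6
    Instruction("10.0.0.5", 35, 85.0, well_formed=False),  # fails compliance
    Instruction("10.0.0.5", 35, float("nan")),             # not a usable value
]

if __name__ == "__main__":
    stored, alerts = monitor(build_baseline(LEARNING), LIVE)
    print(f"stored {len(stored)} normal record(s)")
    for ins, verdict in alerts:
        print(f"ALERT {verdict}: {ins}")
```

Keying the ranges by device as well as by instruction type is a generalization of the text, which pairs each instruction type with one range; it lets a value that is normal for one device still raise an alert on another.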
Optionally, after the target instruction information is obtained in step S104, the embodiment of the invention also includes a process for detecting non-compliant attacks in the industrial control protection system, with the following steps:
Judge whether the instruction information complies with the protocol instruction rules of the industrial control system;
If the instruction information does not comply with the protocol instruction rules of the industrial control system, judge that the HART-IP protocol traffic data is abnormal data and issue an alarm signal.
Optionally, after step S108, the method provided by the embodiment of the invention also includes:
Step S110: if the HART-IP protocol traffic data is judged to be normal data, store the HART-IP protocol traffic data in a storage device.
Step S112: if the HART-IP protocol traffic data is judged to be abnormal data, issue an alarm signal.
Optionally, Fig. 2 shows another industrial intrusion detection method based on the HART-IP protocol provided according to an embodiment of the invention. As shown in Fig. 2, the method includes:
Step S21: obtain the HART-IP protocol traffic captured by the monitoring and audit system in the industrial control system.
Step S22: parse the HART-IP protocol traffic in the industrial system to obtain the instruction based on the HART-IP protocol.
Step S23: judge whether the instruction is compliant; if so, execute step S24; if not, execute step S26.
Step S24: judge whether the instruction suits the current industrial control environment; if so, execute step S25; if not, execute step S26.
Step S25: obtain the working state of the devices in the current industrial system and judge whether the device working state in the industrial system is normal; if so, execute step S26; if not, execute step S27.
Step S26: issue alarm information and end the detection process directly.
Step S27: judge that the current system traffic is normal, record all protocol data information to the database, and end the detection process.
Optionally, before the detection steps shown in Fig. 2 are carried out, the method also includes a data acquisition process. Its flow chart is shown in Fig. 3, and it includes the following steps:
Step S31: collect the HART-IP protocol traffic data in the industrial system.
Step S32: parse the HART-IP protocol traffic in the industrial system to obtain data such as the device IP, MAC address and instructions.
Step S33: store data such as the device IP, MAC address and instructions in the database.
Step S34: the data acquisition phase ends.
As the above description shows, the industrial intrusion detection method based on the HART-IP protocol provided by the embodiment of the invention mainly provides protection against intrusions into industrial control systems that use the HART-IP protocol. It covers two aspects: non-compliant attacks on the HART-IP protocol; and attacks that comply with the HART-IP protocol but are not normal operating behaviour for the industrial control system.
For non-compliant attacks, the judgment and the alarm are made at the instruction-parsing layer to achieve protection.
For attacks that are compliant but are not operating behaviour of the industrial control system: when an instruction is observed being issued, the instruction code and the IP information of the deployment (the target instruction information) are matched against the instruction information previously collected in the MySQL database (the normal working information). If the instruction operation is found not to suit the current industrial control system, alarm information is issued (for example, a device's temperature is deliberately raised, its rotation speed is increased, or important process equipment is stopped). To avoid gaps in monitoring when industrial control system equipment has been compromised and behaves abnormally as a result, the method also, when collecting device information, compares it with the assets' common-parameter device information in MySQL to judge whether the asset has suffered an intrusion.
Embodiment two:
Fig. 4 is a schematic diagram of an industrial intrusion detection system based on the HART-IP protocol provided according to an embodiment of the invention, applied to an industrial control system. As shown in Fig. 4, the system includes: acquisition module 10, parsing module 20, obtaining module 30 and judgment module 40.
Specifically, acquisition module 10 is configured to obtain the HART-IP protocol traffic data in the industrial control system.
Parsing module 20 is configured to parse the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol. The target instruction information includes a target instruction type and a target instruction parameter.
Obtaining module 30 is configured to obtain the normal working information of the industrial control system. The normal working information includes multiple normal instruction types and multiple normal instruction parameter ranges, and each normal instruction type corresponds to one normal instruction parameter range.
Judgment module 40 is configured to judge, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
Specifically, if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, the HART-IP protocol traffic data is judged to be abnormal data.
Specifically, if the target instruction type is found among the multiple normal instruction types and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, the HART-IP protocol traffic data is judged to be normal data.
The embodiment of the invention provides an industrial intrusion detection system based on the HART-IP protocol. Acquisition module 10 obtains the HART-IP protocol traffic data in the industrial control system; parsing module 20 parses that data to obtain target instruction information based on the HART-IP protocol; obtaining module 30 obtains the normal working information of the industrial control system; and judgment module 40 judges, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data. This alleviates the prior-art technical problem that detecting compliant attacks in industrial control protection systems is inefficient.
Optionally, Fig. 5 shows another industrial intrusion detection system based on the HART-IP protocol provided according to an embodiment of the invention. As shown in Fig. 5, the system also includes alarm module 50, configured to issue an alarm signal if the HART-IP protocol traffic data is judged to be abnormal data.
Optionally, as shown in Fig. 5, the system also includes storage module 60, configured to store the HART-IP protocol traffic data in a storage device if the HART-IP protocol traffic data is judged to be normal data.
Embodiment three:
Fig. 6 is a schematic diagram of an audit and monitoring platform provided according to an embodiment of the invention. The audit and monitoring platform hosts the industrial intrusion detection system based on the HART-IP protocol provided in embodiment two above. As shown in Fig. 6, the audit and monitoring platform is connected to the industrial control system. Specifically, it is deployed out of band (in bypass) and is connected through a switch to the control network of the industrial control system.
Specifically, one audit and monitoring platform is deployed in bypass at each industrial switch position in the industrial system's control network, and each audit and monitoring platform receives, through the switch's mirror port, a copy of all network traffic passing through that switch. Because each audit and monitoring platform is deployed in bypass and the audit probe only receives network traffic, the audit and monitoring platform provided by the embodiment of the invention does not send any interfering messages into the industrial system's control network and therefore has no effect on the industrial production process.
Optionally, the audit and monitoring platform provided by the embodiment of the invention mainly targets traffic based on the HART-IP protocol, but can also support traffic monitoring for industrial protocols such as Modbus, IEC-104 and Profinet.
An embodiment of the invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor implements the steps of the method in embodiment one above when executing the computer program.
An embodiment of the invention also provides a computer-readable medium carrying non-volatile program code executable by a processor, where the program code causes the processor to execute the method in embodiment one above.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features replaced with equivalents; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention.
Claims (10)
1. An industrial intrusion detection method based on the HART-IP protocol, characterized in that it is applied to an industrial control system and comprises:
obtaining the HART-IP protocol traffic data in the industrial control system;
parsing the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol, the target instruction information including a target instruction type and a target instruction parameter;
obtaining the normal working information of the industrial control system, the normal working information including multiple normal instruction types and multiple normal instruction parameter ranges, wherein each normal instruction type corresponds to one normal instruction parameter range;
judging, based on the target instruction information and the normal working information, whether the HART-IP protocol traffic data is abnormal data.
2. The method according to claim 1, characterized in that judging whether the HART-IP protocol traffic data is abnormal data based on the target instruction information and the normal working information comprises:
if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, judging that the HART-IP protocol traffic data is abnormal data;
if the target instruction type is found among the multiple normal instruction types and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, judging that the HART-IP protocol traffic data is normal data.
3. according to the method described in claim 2, it is characterized in that, being based on the target instruction target word information and the normal work
Information judges whether the HART-IP protocol traffic data belong to after abnormal data, the method also includes:
If judging, the HART-IP protocol traffic data belong to normal data, and the HART-IP protocol traffic data are stored in
Storage device.
4. according to the method described in claim 2, it is characterized in that, being based on the target instruction target word information and the normal work
Information judges whether the HART-IP protocol traffic data belong to after abnormal data, the method also includes:
If judging, the HART-IP protocol traffic data belong to abnormal data, issue alarm signal.
5. the method according to claim 1, wherein being parsed to the HART-IP protocol traffic data
Operation, after obtaining the target instruction target word information based on HART-IP agreement, further includes:
Judge whether described instruction information meets the protocol instructions regulation of the industrial control system;
If judging, described instruction information does not meet the protocol instructions regulation of the industrial control system, judges the HART-
IP agreement data on flows belongs to abnormal data.
6. An industrial intrusion detection system based on the HART-IP protocol, characterized in that it is applied to an industrial control system and comprises an acquisition module, a parsing module, an obtaining module and a judgment module, wherein:
the acquisition module is configured to obtain HART-IP protocol traffic data in the industrial control system;
the parsing module is configured to parse the HART-IP protocol traffic data to obtain target instruction information based on the HART-IP protocol, the target instruction information comprising a target instruction type and a target instruction parameter;
the obtaining module is configured to obtain normal work information of the industrial control system, the normal work information comprising multiple normal instruction types and multiple normal instruction parameter ranges, wherein each normal instruction type corresponds to one normal instruction parameter range;
the judgment module is configured to judge, based on the target instruction information and the normal work information, whether the HART-IP protocol traffic data is abnormal data.
7. The industrial intrusion detection system according to claim 6, characterized in that the judgment module is further configured to:
if the target instruction type is not found among the multiple normal instruction types, or the target instruction parameter is not within the normal instruction parameter range corresponding to the target instruction parameter, judge that the HART-IP protocol traffic data is abnormal data;
if the target instruction type is found among the multiple normal instruction types, and the target instruction parameter is within the normal instruction parameter range corresponding to the target instruction parameter, judge that the HART-IP protocol traffic data is normal data.
8. The industrial intrusion detection system according to claim 7, characterized in that the industrial intrusion detection system further comprises an alarm module configured to issue an alarm signal if the HART-IP protocol traffic data is judged to be abnormal data.
9. An electronic device, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 5.
10. A computer-readable medium having non-volatile program code executable by a processor, characterized in that the program code causes the processor to execute the method according to any one of claims 1 to 5.
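The decision logic of claims 1, 2 and 5, as an added Python example that is not part of the patent. It assumes HART-IP version 1 framing (8-byte header, then a long-frame HART PDU ending in an XOR checksum), handles only command (token-passing) messages, and assumes a parameter layout of one unit byte followed by a big-endian float; `BASELINE`, `build_frame`, `parse` and `classify` are hypothetical names and all values are constructed.

```python
import struct
from functools import reduce

# Constructed "normal work information": command number -> allowed (low, high)
# range of its parameter, or None when the command carries no parameter.
BASELINE = {0: None, 1: None, 35: (0.0, 250.0)}

def build_frame(command, data=b"", seq=1):
    """Build a constructed HART-IP request in the assumed layout (demo input)."""
    pdu = bytes([0x82]) + bytes(5) + bytes([command, len(data)]) + data
    pdu += bytes([reduce(lambda a, b: a ^ b, pdu)])   # XOR checksum byte
    return struct.pack(">BBBBHH", 1, 0, 3, 0, seq, 8 + len(pdu)) + pdu

def parse(frame):
    """Return (command, data); raise ValueError when the frame is malformed."""
    if len(frame) < 8:
        raise ValueError("short header")
    version, _mtype, msg_id, _status, _seq, total = struct.unpack(">BBBBHH", frame[:8])
    if version != 1 or total != len(frame):
        raise ValueError("bad header")
    if msg_id != 3:                       # only command PDUs are handled here
        raise ValueError("not a command PDU")
    pdu = frame[8:]
    if len(pdu) < 9 or pdu[0] != 0x82:    # long-frame request delimiter
        raise ValueError("unsupported delimiter")
    command, count = pdu[6], pdu[7]
    if len(pdu) != 9 + count:
        raise ValueError("byte count mismatch")
    if reduce(lambda a, b: a ^ b, pdu) != 0:
        raise ValueError("bad checksum")
    return command, pdu[8:8 + count]

def classify(frame):
    """Conformance check (claim 5), then baseline lookup (claim 2)."""
    try:
        command, data = parse(frame)
    except ValueError as exc:
        return "abnormal", f"malformed: {exc}"
    if command not in BASELINE:
        return "abnormal", f"command {command} not in baseline"
    limits = BASELINE[command]
    if limits is not None:
        if len(data) < 5:
            return "abnormal", "parameter missing"
        value = struct.unpack(">f", data[1:5])[0]     # assumed parameter layout
        if not limits[0] <= value <= limits[1]:       # a NaN value fails this too
            return "abnormal", f"parameter {value} outside {limits}"
    return "normal", "matches baseline"
```

Per claims 3 and 4, a caller would store frames classified as `normal` and raise an alarm for `abnormal` ones.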
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910800364.0A CN110365717A (en) | 2019-08-27 | 2019-08-27 | Industrial intrusion detection method and system based on HART-IP agreement |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110365717A (en) | 2019-10-22 |
Family
ID=68225422
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910800364.0A Pending CN110365717A (en) | 2019-08-27 | 2019-08-27 | Industrial intrusion detection method and system based on HART-IP agreement |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110365717A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120326844A1 (en) * | 2006-10-31 | 2012-12-27 | Blaignan Vincent B | Radio-frequency identification (rfid) tag event occurrence detection, reporting, and monitoring, and related rfid readers, systems, and methods |
CN106998326A (en) * | 2017-03-22 | 2017-08-01 | 北京匡恩网络科技有限责任公司 | Industrial control network behavior monitoring method, device and system |
CN109743187A (en) * | 2018-11-23 | 2019-05-10 | 北京奇安信科技有限公司 | Industry control network method for detecting abnormality and device |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112468488A (en) * | 2020-11-25 | 2021-03-09 | 杭州安恒信息技术股份有限公司 | Industrial anomaly monitoring method and device, computer equipment and readable storage medium |
CN112468488B (en) * | 2020-11-25 | 2023-05-23 | 杭州安恒信息技术股份有限公司 | Industrial anomaly monitoring method, industrial anomaly monitoring device, computer equipment and readable storage medium |
CN114584527B (en) * | 2022-03-16 | 2024-04-09 | 杭州和利时自动化有限公司 | HART communication method, device, equipment and readable storage medium |
CN116112380A (en) * | 2023-02-13 | 2023-05-12 | 山东云天安全技术有限公司 | Industrial control safety control system based on abnormal flow |
CN116112380B (en) * | 2023-02-13 | 2024-02-02 | 山东云天安全技术有限公司 | Industrial control safety control system based on abnormal flow |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112799358B (en) | Industrial control safety defense system | |
CN107204975B (en) | Industrial control system network attack detection technology based on scene fingerprints | |
CN110365717A (en) | Industrial intrusion detection method and system based on HART-IP agreement | |
CN109922085B (en) | Safety protection system and method based on CIP (common interface protocol) in PLC (programmable logic controller) | |
CN108055282A (en) | Industry control abnormal behaviour analysis method and system based on self study white list | |
CN110324323B (en) | New energy plant station network-related end real-time interaction process anomaly detection method and system | |
CN113055375B (en) | Power station industrial control system physical network oriented attack process visualization method | |
Settanni et al. | Protecting cyber physical production systems using anomaly detection to enable self-adaptation | |
CN104052730A (en) | Intelligent Cyberphysical Intrusion Detection And Prevention Systems And Methods For Industrial Control Systems | |
CN112612669A (en) | Infrastructure monitoring and early warning method and system based on situation awareness | |
CN111935189B (en) | Industrial control terminal strategy control system and industrial control terminal strategy control method | |
CN114143064B (en) | Multi-source network security alarm event tracing and automatic disposal method and device | |
CN111181971A (en) | System for automatically detecting industrial network attack | |
CN112149120A (en) | Transparent transmission type double-channel electric power Internet of things safety detection system | |
Li et al. | Using data mining methods to detect simulated intrusions on a modbus network | |
CN111786986B (en) | Numerical control system network intrusion prevention system and method | |
CN107368054A (en) | Performance analysis management system and factory management system | |
CN115941317A (en) | Network security comprehensive analysis and situation awareness platform | |
CN114125083B (en) | Industrial network distributed data acquisition method and device, electronic equipment and medium | |
CN117240594B (en) | Multi-dimensional network security operation and maintenance protection management system and method | |
CN114172921A (en) | Log auditing method and device for scheduling recording system | |
CN115618353B (en) | Industrial production safety identification system and method | |
CN113132370A (en) | Universal integrated safety pipe center system | |
CN112804190B (en) | Security event detection method and system based on boundary firewall flow | |
CN115550034A (en) | Service flow monitoring method and device for distribution network power monitoring system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20191022 |