CN110752951A - Industrial network flow monitoring and auditing method, device and system - Google Patents

Info

Publication number: CN110752951A
Application number: CN201911020510.4A
Authority: CN (China)
Prior art keywords: industrial, auditing, monitoring, network, industrial network
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 周玉刚, 范渊
Current assignee: DBAPPSecurity Co Ltd; Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by: Hangzhou Dbappsecurity Technology Co Ltd
Priority to: CN201911020510.4A
Publication of: CN110752951A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/06 Management of faults, events, alarms or notifications
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/101 Access control lists [ACL]
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention provides a method, device and system for monitoring and auditing industrial network traffic. It belongs to the technical field of industrial control, is applied to a terminal device, and comprises the following steps: collecting the mirrored traffic of an industrial switch; determining the industrial control protocol of the mirrored traffic based on the port of the industrial switch, and parsing the industrial control protocol according to the protocol specification corresponding to that protocol to obtain protocol analysis information; processing the mirrored traffic based on the protocol analysis information to obtain an asset file for the industrial switch; receiving the variable information exported by an industrial control system, and matching industrial behaviors in the asset file based on that variable information; and, based on a preset management policy, determining the variable information and the industrial behaviors as first processing data and sending the first processing data to an industrial network monitoring and auditing platform, so that the platform performs industrial network traffic monitoring and auditing. The resulting distributed industrial network traffic monitoring and auditing device is low in cost, convenient to deploy, stable and practical.

Description

Industrial network flow monitoring and auditing method, device and system
Technical Field
The invention relates to the technical field of industrial control, and in particular to a method, device and system for monitoring and auditing industrial network traffic.
Background
Any network attack, and even irregular operation by personnel, leaves a trace in network traffic. Industrial traffic monitoring and auditing equipment can quickly identify abnormal behavior in an industrial control network through deep analysis of the communication messages of the industrial control protocol, using techniques such as real-time dynamic analysis, data flow monitoring and network behavior auditing. It detects in real time network attacks against industrial protocols, illegal device access and the spread of malware such as worms and viruses, raises real-time alarms, records all network communication behavior in detail, and so provides a solid foundation for investigating security incidents in an industrial control system.
However, a large production enterprise has many workshops, a large number of industrial control systems, numerous and complex industrial production networks and a large volume of industrial data traffic. A traditional approach must deploy a very large number of monitoring and auditing devices at the distributed points, and needs additional equipment (such as a management platform) to share information and coordinate among those devices. This brings great implementation difficulty and a high security investment, and becomes an obstacle to the construction of industrial information security in enterprises.
Disclosure of Invention
The invention aims to provide a method, device and system for monitoring and auditing industrial network traffic that increase stability and practicability, reduce implementation difficulty and save equipment cost.
The invention provides an industrial network traffic monitoring and auditing method, applied to a terminal device, comprising the following steps: collecting the mirrored traffic of an industrial switch; determining the industrial control protocol of the mirrored traffic based on the port of the industrial switch, and parsing the industrial control protocol according to the protocol specification corresponding to that protocol to obtain protocol analysis information; processing the mirrored traffic based on the protocol analysis information to obtain an asset file for the industrial switch; receiving the variable information exported by an industrial control system, and matching industrial behaviors in the asset file based on the variable information; and determining the variable information and the industrial behaviors as first processing data based on a preset management policy, and sending the first processing data to an industrial network monitoring and auditing platform so that the platform performs industrial network traffic monitoring and auditing.
The invention also provides an industrial network traffic monitoring and auditing method, applied to an industrial network monitoring and auditing platform, comprising the following steps: receiving first processing data uploaded by a terminal device; analyzing and restoring the first processing data to obtain the original behavior; extracting features from the first processing data, and generating whitelist security policy rules corresponding to the current industrial control network environment based on those features; and monitoring and auditing the original behavior based on the whitelist security policy rules.
Further, monitoring and auditing the original behavior based on the whitelist security policy rules includes: judging whether the original behavior conforms to the whitelist security policy rules, determining any original behavior that does not conform to them as an alarm event, and generating alarm information; reviewing the alarm information and judging whether the alarm event is a false alarm; and, if the alarm event is determined not to be a false alarm, generating a network alarm distribution map based on the alarm event.
Further, after generating the network alarm distribution map, the method further includes: generating a risk report based on the network alarm distribution map and the threat degree of the alarm information.
The invention provides an industrial network traffic monitoring and auditing device, applied to a terminal device, comprising: an acquisition module, used to collect the mirrored traffic of the industrial switch; a determining and parsing module, used to determine the industrial control protocol of the mirrored traffic based on the port of the industrial switch and to parse the industrial control protocol according to its protocol specification to obtain protocol analysis information; a processing module, used to process the mirrored traffic based on the protocol analysis information to obtain the asset file of the industrial switch; a receiving and matching module, used to receive the variable information exported by an industrial control system and to match industrial behaviors in the asset file based on the variable information; and a determining and sending module, used to determine the variable information and the industrial behaviors as first processing data based on a preset management policy and to send the first processing data to an industrial network monitoring and auditing platform so that the platform performs industrial network traffic monitoring and auditing.
The invention provides an industrial network traffic monitoring and auditing device, applied to an industrial network monitoring and auditing platform, comprising: a receiving module, used to receive first processing data uploaded by the terminal device; an analysis and restoration module, used to analyze and restore the first processing data to obtain the original behavior; a generation module, used to extract features from the first processing data and to generate whitelist security policy rules corresponding to the current industrial control network environment based on those features; and a monitoring and auditing module, used to monitor and audit the original behavior based on the whitelist security policy rules.
The invention provides an industrial network traffic monitoring and auditing system comprising a terminal device and an industrial network monitoring and auditing platform; the terminal device is used to collect industrial network traffic and to perform preliminary processing on it to obtain first processing data; and the platform is used to analyze and restore the first processing data to obtain the original behavior of the industrial network traffic, and to monitor and audit that original behavior.
Further, the industrial network monitoring and auditing platform comprises at least one of the following: a distributed operating system, a distributed programming language, a distributed file system and a distributed database system.
The invention also provides an electronic device comprising a memory and a processor, where the memory stores a computer program that can run on the processor, and the processor implements the industrial network traffic monitoring and auditing method when executing the computer program.
The invention also provides a computer-readable medium carrying non-volatile program code executable by a processor, where the program code causes the processor to execute the industrial network traffic monitoring and auditing method.
The method, device and system for monitoring and auditing industrial network traffic provided by the invention are applied to a terminal device and comprise the following steps: collecting the mirrored traffic of an industrial switch; determining the industrial control protocol of the mirrored traffic based on the port of the industrial switch, and parsing the industrial control protocol according to its protocol specification to obtain protocol analysis information; processing the mirrored traffic based on the protocol analysis information to obtain an asset file for the industrial switch; receiving the variable information exported by an industrial control system, and matching industrial behaviors in the asset file based on the variable information; and, based on a preset management policy, determining the variable information and the industrial behaviors as first processing data and sending them to an industrial network monitoring and auditing platform, so that the platform performs industrial network traffic monitoring and auditing. The system is a distributed industrial network traffic monitoring and auditing device: following the idea of edge computing, a terminal device is deployed at each industrial network node to complete the preliminary work of traffic collection, restoration and preliminary analysis, and the results are then uploaded to a central monitoring and auditing platform for network behavior auditing and similar tasks.
The distributed industrial network traffic monitoring and auditing device increases stability and practicability, reduces implementation difficulty and saves equipment cost. It is suitable for large-scale industrial production control networks that are widely distributed and carry large data volumes, provides an industrial network behavior auditing service for industrial enterprises, and helps prevent industrial information security problems.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an industrial network traffic monitoring and auditing method according to an embodiment of the present invention;
Fig. 2 is a flowchart of another industrial network traffic monitoring and auditing method according to an embodiment of the present invention;
Fig. 3 is a flowchart of step S204 in Fig. 2;
Fig. 4 is a schematic structural diagram of an industrial network traffic monitoring and auditing apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another industrial network traffic monitoring and auditing apparatus according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an industrial network traffic monitoring and auditing system according to an embodiment of the present invention.
Reference numerals:
11 - acquisition module; 12 - determining and parsing module; 13 - processing module; 14 - receiving and matching module; 15 - determining and sending module; 16 - receiving module; 17 - analysis and restoration module; 18 - generation module; 19 - monitoring and auditing module.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
With the implementation of "two-way integration" (of informatization and industrialization) and the strong advance of policies such as "Industry 4.0", "Smart Manufacturing 2025" and the "Industrial Internet" in recent years, the informatization and industrialization of modern industrial production enterprises have become highly integrated. This means that industrial control systems are increasingly open and interconnected, and complete isolation of an industrial control system from the outside world is almost impossible.
In addition, the mobile devices and laptops used for maintenance break the isolation between the system and the outside world and open the door to network security risk. According to monitoring statistics, by November 2017 more than 100,000 industrial control systems and devices worldwide were exposed on the internet, and key manufacturing, communications, energy, water supply and municipal facilities were the five industries with the most security incidents.
Compounding this severe security situation, the rise of hacker conferences, white-hat communities and open-source communities has made attack methods for industrial control systems easier and easier to obtain: a large number of vulnerabilities in, and exploitation methods for, the software and hardware of industrial control systems can be obtained through public or semi-public channels, which greatly lowers the difficulty of attacking an industrial control network.
The existing industrial control monitoring and auditing method has one auditing device collect the mirrored traffic of the corresponding network node; when an enterprise has many industrial control systems and one auditing device cannot meet the operational requirement, either the hardware is upgraded or several auditing devices are deployed. The first option, upgrading the hardware, has the disadvantage of increased economic pressure: according to Grosch's law, the computing power of a device is proportional to the square of its price. The second option, deploying several auditing devices, requires an additional management platform to perform policy management, information sharing and linkage across the auditing devices.
Based on this, the embodiment of the invention adopts a "1 + N" mode: one industrial network monitoring and auditing platform and N terminal devices. The terminal devices perform preliminary operations such as data collection and restoration, while the industrial network monitoring and auditing platform implements functions such as deep analysis, traffic monitoring, behavior monitoring and device linkage.
For the convenience of understanding the embodiment, a detailed description is first given to an industrial network traffic monitoring and auditing method disclosed in the embodiment of the present invention.
Embodiment one:
Referring to Fig. 1, an embodiment of the present invention provides an industrial network traffic monitoring and auditing method, applied to a terminal device, which includes:
Step S101: collect the mirrored traffic of the industrial switch.
In this embodiment there may be one or more terminal devices, and each terminal device corresponds to one or more industrial switches whose traffic is to be collected.
Step S102: determine the industrial control protocol of the mirrored traffic based on the port of the industrial switch, and parse the industrial control protocol according to its protocol specification to obtain protocol analysis information.
In this embodiment, the mirrored traffic of different industrial switches may carry different industrial control protocols, each with its own protocol specification. The protocol analysis information includes, but is not limited to: instruction code, parameters, response code and primitive behavior.
Step S103: process the mirrored traffic based on the protocol analysis information to obtain the asset file of the industrial switch.
In this embodiment the asset file may be divided into two files: an asset information file and an inter-asset interaction relation file, where the inter-asset interaction relation refers to the communication relations between assets. The asset information file is an asset list; the assets comprise hosts, industrial control systems and network equipment, where hosts include industrial computers and servers, and industrial control systems include DCS (Distributed Control System), PLC (Programmable Logic Controller) and RTU (Remote Terminal Unit).
Step S104: receive the variable information exported by the industrial control system, and match industrial behaviors in the asset file based on the variable information.
In this embodiment, when a device changes, the industrial control system acquires the device's variable information and exports it, and the embodiment can match the corresponding industrial behavior based on that variable information.
Step S105: determine the variable information and the industrial behaviors as first processing data based on a preset management policy, and send the first processing data to the industrial network monitoring and auditing platform, so that the platform can perform industrial network traffic monitoring and auditing.
In this embodiment the preset management policy comprises a preset behavior rule; the terminal device can store the first processing data and send it to the industrial network monitoring and auditing platform, so that the platform can complete the industrial network traffic monitoring and auditing.
The embodiment of the invention provides an industrial network traffic monitoring and auditing method, applied to a terminal device, comprising the following steps: collecting the mirrored traffic of an industrial switch; determining the industrial control protocol of the mirrored traffic based on the port of the industrial switch, and parsing the industrial control protocol according to its protocol specification to obtain protocol analysis information; processing the mirrored traffic based on the protocol analysis information to obtain an asset file for the industrial switch; receiving the variable information exported by an industrial control system, and matching industrial behaviors in the asset file based on the variable information; and, based on a preset management policy, determining the variable information and the industrial behaviors as first processing data and sending them to an industrial network monitoring and auditing platform, so that the platform performs industrial network traffic monitoring and auditing. The industrial network traffic monitoring and auditing system of the invention is a distributed industrial network traffic monitoring and auditing device: following the idea of edge computing, a terminal device is deployed at each industrial network node to complete the preliminary work of traffic collection, restoration and preliminary analysis, and the results are uploaded to a central monitoring and auditing platform for network behavior auditing and similar tasks.
The distributed industrial network traffic monitoring and auditing device increases stability and practicability, reduces implementation difficulty and saves equipment cost. It is suitable for large-scale industrial production control networks that are widely distributed and carry large data volumes, provides an industrial network behavior auditing service for industrial enterprises, and helps prevent industrial information security problems.
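The terminal-side procedure of steps S101 to S105, as an added worked example that is not the patent's own code. It assumes a switch-port-to-protocol table, a handful of constructed Modbus/TCP frames mirrored from two switch ports, a constructed variable export from the control system, and a management policy that forwards only write behaviors; the Modbus/TCP framing (MBAP header plus function code) follows the public specification, everything else is illustrative.

```python
"""Terminal-side pipeline of steps S101-S105 (constructed example, not the patent's code)."""
import struct
from collections import defaultdict

# Assumption: the terminal knows which industrial control protocol runs behind each
# mirrored switch port (step S102 determines the protocol from the switch port).
PORT_PROTOCOL = {"ge1/0/1": "modbus_tcp", "ge1/0/2": "modbus_tcp", "ge1/0/3": "s7comm"}

# Public Modbus function codes (subset); a reply with bit 7 set is an exception response.
MODBUS_FUNCTIONS = {3: "read_holding_registers", 6: "write_single_register",
                    16: "write_multiple_registers"}

# Preset management policy (assumption): only write behaviours are uploaded.
REPORTABLE = {"write_single_register", "write_multiple_registers"}


def mbap(unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP ADU: MBAP header (tid, protocol id 0, length, unit id) + PDU."""
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu


# Constructed mirrored frames: (switch port, src ip, dst ip, dst tcp port, payload).
MIRRORED_TRAFFIC = [
    ("ge1/0/1", "10.0.1.10", "10.0.1.20", 502, mbap(1, bytes([3, 0, 0, 0, 10]))),        # read 10 registers
    ("ge1/0/1", "10.0.1.20", "10.0.1.10", 51000, mbap(1, bytes([3, 20]) + b"\x00" * 20)),  # normal reply
    ("ge1/0/2", "10.0.1.10", "10.0.1.21", 502, mbap(1, bytes([6, 0, 5, 0x01, 0xF4]))),    # write reg 5 := 500
    ("ge1/0/2", "10.0.1.21", "10.0.1.10", 51001, mbap(1, bytes([0x86, 0x02]))),           # exception reply 02
    ("ge1/0/3", "10.0.1.30", "10.0.1.31", 102, b"\x03\x00\x00\x16"),                      # S7 port, not parsed here
]

# Constructed variable information exported by the control system (input to step S104).
VARIABLE_INFO = [{"device": "10.0.1.21", "variable": "setpoint", "old": 400, "new": 500},
                 {"device": "10.0.1.20", "variable": "status", "old": "run", "new": "run"}]


def parse_modbus(payload: bytes, is_request: bool) -> dict:
    """Step S102: one Modbus/TCP ADU -> protocol analysis information
    (instruction code, parameters, response code, primitive behaviour)."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    code, data = payload[7], payload[8:]
    func = code & 0x7F
    info = {"unit": unit, "instruction": func, "behavior": MODBUS_FUNCTIONS.get(func, "unknown"),
            "params": {}, "response_code": None}
    if not is_request:
        # An exception response carries one exception-code byte after the function code.
        info["response_code"] = data[0] if (code & 0x80 and data) else 0
    elif func in (3, 6) and len(data) >= 4:
        addr, val = struct.unpack(">HH", data[:4])
        info["params"] = {"address": addr, ("count" if func == 3 else "value"): val}
    return info


def collect_and_parse(frames):
    """Steps S101-S102 over the mirrored frames; ports without a Modbus parser are skipped."""
    records = []
    for port, src, dst, dport, payload in frames:
        if PORT_PROTOCOL.get(port) != "modbus_tcp":
            continue
        is_request = dport == 502
        info = parse_modbus(payload, is_request)
        records.append({"src": src, "dst": dst, "protocol": "modbus_tcp", "request": is_request, **info})
    return records


def build_asset_file(records):
    """Step S103: asset information file plus inter-asset interaction file.
    Assumption: the side sending requests is a host, the side answering is a control system."""
    assets, relations = {}, defaultdict(set)
    for r in records:
        requester, responder = (r["src"], r["dst"]) if r["request"] else (r["dst"], r["src"])
        assets[requester] = "host"
        assets[responder] = "industrial control system"
        if r["request"]:
            relations[(r["src"], r["dst"], r["protocol"])].add(r["behavior"])
    return {"assets": assets, "relations": {k: sorted(v) for k, v in relations.items()}}


def match_behaviors(asset_file, variable_info):
    """Step S104: pair each exported variable change with the recorded behaviours aimed at that device."""
    return [{**var, "source": src, "protocol": proto, "behavior": b}
            for var in variable_info
            for (src, dst, proto), behaviors in asset_file["relations"].items() if dst == var["device"]
            for b in behaviors]


def first_processing_data(matches):
    """Step S105: apply the preset behaviour rule; the result is what the terminal uploads."""
    return [m for m in matches if m["behavior"] in REPORTABLE]


def run_terminal(frames, variable_info):
    asset_file = build_asset_file(collect_and_parse(frames))
    return first_processing_data(match_behaviors(asset_file, variable_info)), asset_file


if __name__ == "__main__":
    uploaded, assets = run_terminal(MIRRORED_TRAFFIC, VARIABLE_INFO)
    print(assets)
    print(uploaded)
```

The two asset files of step S103 fall out of the parsed records: the asset list from who requests and who answers, and the interaction file from the (source, destination, protocol) pairs with the behaviors seen on them. The setpoint change exported by the control system is matched to the write it corresponds to, while the unchanged status variable only matches a read and is dropped by the management policy before upload.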
Embodiment two:
Referring to Fig. 2, an embodiment of the present invention provides another industrial network traffic monitoring and auditing method, applied to an industrial network monitoring and auditing platform, which includes:
Step S201: receive first processing data uploaded by a terminal device;
Step S202: analyze and restore the first processing data to obtain the original behavior;
Step S203: extract features from the first processing data, and generate whitelist security policy rules corresponding to the current industrial control network environment based on those features;
In this embodiment the whitelist security policy rules include, but are not limited to: an IP-connection whitelist security policy rule and an instruction-behavior whitelist security policy rule. The embodiment can send the whitelist security policy rules to a client so that security staff can confirm them through a manual review interface.
Step S204: monitor and audit the original behavior based on the whitelist security policy rules.
Further, referring to Fig. 3, step S204 includes:
Step S301: judge whether the original behavior conforms to the whitelist security policy rules, determine any original behavior that does not conform to them as an alarm event, and generate alarm information;
In this embodiment the alarm information is generated and the original behavior is recorded, which facilitates incident tracing and forensic analysis.
Step S302: review the alarm information and judge whether the alarm event is a false alarm;
In this embodiment, if the alarm event is determined to be a false alarm, the alarm information of that event is corrected, its alarm state is changed, the event is marked, and the alarm information is processed further, for example by generating a report or notifying the responsible person.
Step S303: if the alarm event is determined not to be a false alarm, generate a network alarm distribution map based on the alarm event.
In this embodiment, the network alarm distribution map is built on a network topology map that uses the IPs of the industrial switch as nodes and the connection relations between the IPs as the model, with the source IP and destination IP from the alarm information associated onto that topology. The map allows the distribution of network alarm information to be grasped in real time.
The embodiment can also perform IP traffic statistics: taking IPs as nodes, the traffic between each pair of IPs is counted and an IP-based traffic statistics model is generated, so that the traffic proportions in the network are displayed clearly and visually, and the information interaction between all IP nodes in the industrial control network can be grasped.
Further, referring to Fig. 3, after step S303 the method further includes:
Step S304: generate a risk report based on the network alarm distribution map and the threat degree of the alarm information.
In this embodiment, policy suggestions can be given based on the alarm information and its frequency, and a risk report is periodically generated and exported based on the network alarm distribution map and the threat degree of the alarm information.
In this embodiment, the industrial network monitoring and auditing platform of this embodiment and the terminal device of embodiment one form a distributed industrial network traffic monitoring and auditing system. Following the idea of edge computing, the system deploys a terminal device at each industrial network node to complete the preliminary work of traffic collection, restoration and preliminary message analysis, and then uploads the results to the industrial network monitoring and auditing platform for network behavior auditing and similar tasks.
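The platform-side procedure of steps S201 to S204 and S301 to S304 (whitelist generation, auditing, false-alarm review, the alarm distribution map, IP traffic statistics and the risk report), as an added worked example that is not the patent's own code. It assumes the uploaded first processing data has already been restored to records of the form (source IP, destination IP, protocol, behavior), that the whitelist is learned from a constructed baseline window and confirmed by staff, and that the threat degrees per rule kind are arbitrary weights chosen for illustration.

```python
"""Platform-side pipeline of steps S201-S204 and S301-S304 (constructed example, not the patent's code)."""
from collections import Counter

# Constructed first processing data, already restored to original behaviours (steps S201-S202).
# BASELINE is the learning window the whitelist is derived from; LIVE is later uploaded traffic.
BASELINE = [
    {"src": "10.0.1.10", "dst": "10.0.1.20", "protocol": "modbus_tcp", "behavior": "read_holding_registers"},
    {"src": "10.0.1.10", "dst": "10.0.1.21", "protocol": "modbus_tcp", "behavior": "read_holding_registers"},
    {"src": "10.0.1.10", "dst": "10.0.1.21", "protocol": "modbus_tcp", "behavior": "write_single_register"},
]
LIVE = [
    {"src": "10.0.1.10", "dst": "10.0.1.20", "protocol": "modbus_tcp", "behavior": "read_holding_registers"},
    {"src": "10.0.1.10", "dst": "10.0.1.20", "protocol": "modbus_tcp", "behavior": "write_multiple_registers"},
    {"src": "10.0.1.99", "dst": "10.0.1.21", "protocol": "modbus_tcp", "behavior": "read_holding_registers"},
    {"src": "10.0.1.99", "dst": "10.0.1.21", "protocol": "modbus_tcp", "behavior": "write_single_register"},
    {"src": "10.0.1.10", "dst": "10.0.1.21", "protocol": "modbus_tcp", "behavior": "write_single_register"},
]

# Assumed threat degree per rule kind: an unknown peer weighs more than an unknown instruction.
THREAT_WEIGHT = {"ip_connection": 3, "instruction_behavior": 2}


def extract_features(record):
    """Step S203 feature extraction: the IP-connection feature and the instruction-behaviour feature."""
    conn = (record["src"], record["dst"])
    return conn, conn + (record["protocol"], record["behavior"])


def generate_whitelist(baseline):
    """Step S203: whitelist rules for the current environment, learned from the baseline window."""
    rules = {"ip_connection": set(), "instruction_behavior": set()}
    for r in baseline:
        conn, instr = extract_features(r)
        rules["ip_connection"].add(conn)
        rules["instruction_behavior"].add(instr)
    return rules


def audit(records, whitelist):
    """Step S301: each behaviour outside the whitelist becomes an alarm event; the original
    behaviour is kept inside the event so it can be traced and used as evidence later."""
    alarms = []
    for i, r in enumerate(records):
        conn, instr = extract_features(r)
        if conn not in whitelist["ip_connection"]:
            alarms.append({"id": i, "rule": "ip_connection", "state": "open", "behavior": r})
        elif instr not in whitelist["instruction_behavior"]:
            alarms.append({"id": i, "rule": "instruction_behavior", "state": "open", "behavior": r})
    return alarms


def review(alarms, false_alarm_ids):
    """Step S302: a reviewer marks false alarms; every other open event is confirmed."""
    for a in alarms:
        a["state"] = "false_alarm" if a["id"] in false_alarm_ids else "confirmed"
    return alarms


def alarm_distribution_map(alarms):
    """Step S303: confirmed alarms as (source ip, destination ip) edges on an IP-node graph."""
    edges = Counter((a["behavior"]["src"], a["behavior"]["dst"])
                    for a in alarms if a["state"] == "confirmed")
    return {"nodes": sorted({ip for edge in edges for ip in edge}), "edges": dict(edges)}


def ip_flow_statistics(records):
    """IP traffic statistics: share of all messages exchanged between each pair of IP nodes."""
    pairs = Counter((r["src"], r["dst"]) for r in records)
    total = sum(pairs.values())
    return {pair: n / total for pair, n in pairs.items()}


def risk_report(alarms, dist_map):
    """Step S304: risk score from the threat degree and frequency of confirmed alarms,
    plus a policy suggestion per alarmed edge of the distribution map."""
    by_rule = Counter(a["rule"] for a in alarms if a["state"] == "confirmed")
    score = sum(THREAT_WEIGHT[rule] * n for rule, n in by_rule.items())
    suggestions = [f"{n} confirmed alarm(s) {src} -> {dst}: verify the device before adding a whitelist rule"
                   for (src, dst), n in dist_map["edges"].items()]
    return {"confirmed": sum(by_rule.values()), "by_rule": dict(by_rule),
            "score": score, "suggestions": suggestions}


if __name__ == "__main__":
    whitelist = generate_whitelist(BASELINE)
    # id 1 is the new write instruction from the known host; staff confirm it as planned maintenance
    alarms = review(audit(LIVE, whitelist), false_alarm_ids={1})
    dist = alarm_distribution_map(alarms)
    print(dist)
    print(risk_report(alarms, dist))
    print(ip_flow_statistics(LIVE))
```

A record that violates both rules (an unknown source sending an unknown instruction) is raised once, under the more severe IP-connection rule, so the map and report do not double-count it. Reviewed false alarms keep their recorded original behavior but drop out of the distribution map and the risk score, which is what step S302 requires of the alarm state change.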
Example three:
referring to fig. 4, an embodiment of the present invention provides an industrial network traffic monitoring and auditing apparatus, where the apparatus is applied to a terminal device, and includes:
the acquisition module 11 is used for acquiring the mirror image flow of the industrial switch;
the determining and analyzing module 12 is used for determining an industrial control protocol of the mirror flow based on a port of the industrial switch, and analyzing the industrial control protocol according to a protocol specification corresponding to the industrial control protocol to obtain protocol analysis information;
the processing module 13 is used for processing the mirror image flow based on the protocol analysis information to obtain an asset file of the industrial switch;
the receiving matching module 14 is used for receiving variable information derived by the industrial control system and matching industrial behaviors in the asset file based on the variable information;
and the determining and sending module 15 is configured to determine the variable information and the industrial behavior as first processing data based on a preset management policy, and send the first processing data to the industrial network monitoring and auditing platform, so that the industrial network monitoring and auditing platform performs industrial network traffic monitoring and auditing.
The industrial network flow monitoring and auditing device provided by the embodiment of the invention is applied to terminal equipment and can complete primary work such as flow acquisition, restoration, primary analysis and the like.
Example four:
Referring to fig. 5, an embodiment of the present invention provides another industrial network traffic monitoring and auditing apparatus, applied to an industrial network monitoring and auditing platform, which includes:
a receiving module 16, configured to receive the first processing data uploaded by the terminal device;
an analysis and restoration module 17, used to analyze and restore the first processing data to obtain an original behavior;
a generating module 18, configured to extract features based on the first processing data, and to generate a whitelist security policy rule corresponding to the current industrial control network environment based on the features;
and a monitoring and auditing module 19, used to monitor and audit the original behaviors based on the whitelist security policy rules.
The industrial network traffic monitoring and auditing apparatus provided by this embodiment comprises the receiving module 16, the analysis and restoration module 17, the generating module 18 and the monitoring and auditing module 19, which carry out operations such as network behavior auditing, so that the stability and practicability of the distributed industrial network traffic monitoring and auditing apparatus can be increased.
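As an added example (not code from the patent or its applicant), a Python sketch of the platform-side procedure described for modules 16 to 19 and spelled out in claims 2 to 4: restoring the uploaded records into original behaviors, extracting features, generating whitelist rules from a learning window, flagging non-matching behaviors as alarm events, reviewing them for false alarms, and building the alarm distribution map and risk report. The record layout, the feature tuple, the false-alarm rule and the threat weights are constructed assumptions.

```python
# Added example (not from the patent): platform-side monitoring and auditing
# following modules 16 to 19 and claims 2 to 4. The record layout, the feature
# tuple behind the whitelist, the false-alarm review rule and the threat
# weights are assumptions made to make the procedure concrete.
from collections import Counter

# Constructed first processing data uploaded by terminal devices during a
# learning window: one record per observed industrial behaviour.
BASELINE = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "modbus", "function": 3, "tag": "PumpSpeed"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "modbus", "function": 6, "tag": "ValveOpen"},
    {"src": "10.0.0.6", "dst": "10.0.0.21", "proto": "s7comm", "function": 4, "tag": "TankLevel"},
]

# Constructed records from the monitoring phase; the second and third were not
# seen during learning (a new writing host, and a new function code).
LIVE = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "modbus", "function": 3, "tag": "PumpSpeed"},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "modbus", "function": 6, "tag": "ValveOpen"},
    {"src": "10.0.0.6", "dst": "10.0.0.21", "proto": "s7comm", "function": 5, "tag": "TankLevel"},
    {"src": "10.0.0.6", "dst": "10.0.0.21", "proto": "s7comm", "function": 4, "tag": "TankLevel"},
]

# Assumed threat degree per (protocol, function code): writes outrank reads;
# anything unlisted gets a middle value.
THREAT = {("modbus", 3): 1, ("modbus", 6): 3, ("s7comm", 4): 1, ("s7comm", 5): 3}

def restore_behavior(record):
    """Analyse and restore an uploaded record into the original behaviour:
    which host did what, over which protocol, to which asset and variable."""
    return (record["src"], record["dst"], record["proto"], record["function"], record["tag"])

def extract_features(record):
    """Feature used for whitelisting: who talks to whom, over which protocol, with which function."""
    return (record["src"], record["dst"], record["proto"], record["function"])

def generate_whitelist(baseline):
    """Generate the whitelist security policy rules for the current control-network environment."""
    return frozenset(extract_features(r) for r in baseline)

def audit(records, whitelist):
    """Behaviours whose features do not match the whitelist become alarm events."""
    return [{"behavior": restore_behavior(r),
             "threat": THREAT.get((r["proto"], r["function"]), 2)}
            for r in records if extract_features(r) not in whitelist]

def review_false_alarms(alarms, maintenance_hosts):
    """Check the alarm information: behaviour from an announced maintenance host is a false alarm."""
    return [a for a in alarms if a["behavior"][0] not in maintenance_hosts]

def alarm_distribution(alarms):
    """Network alarm distribution map: confirmed alarms per target asset."""
    return Counter(a["behavior"][1] for a in alarms)

def risk_report(alarms):
    """Risk report from the distribution map and the threat degree of the alarms."""
    score = sum(a["threat"] for a in alarms)
    level = "high" if score >= 3 else "low" if score > 0 else "none"
    return {"distribution": dict(alarm_distribution(alarms)), "threat_score": score, "level": level}
```

Because the whitelist is keyed on the full (source, destination, protocol, function) tuple, a known host issuing an unseen function code and an unknown host issuing a known one are both caught, which is the property a learned allow-list on control traffic needs.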
Example five:
Referring to fig. 6, an embodiment of the present invention provides an industrial network traffic monitoring and auditing system, including a terminal device and an industrial network monitoring and auditing platform. The terminal device is used to acquire industrial network traffic and to carry out preliminary processing on it to obtain first processing data; the industrial network monitoring and auditing platform is used to analyze and restore the first processing data to obtain the original behavior of the industrial network traffic, and to monitor and audit that original behavior.
In this embodiment, the industrial network traffic monitoring and auditing system can adopt a multi-processor architecture, is suitable for a large-scale industrial production control network with widely distributed sites and a large data volume, provides industrial network traffic monitoring and auditing services to industrial enterprises, ensures the security of industrial information, and protects the safety and stability of the enterprises' production and operation.
Further, the industrial network monitoring and auditing platform comprises at least one of the following: a distributed operating system, a distributed programming language, a distributed file system, and a distributed database system.
In this embodiment, the industrial network monitoring and auditing platform can be interconnected with all terminal devices through a communication network.
In this embodiment, the distributed industrial network traffic monitoring and auditing system supports distributed processing: one or more terminal devices share the computing, network and storage load of the industrial network monitoring and auditing platform, and functions such as traffic restoration, filtering of useless information and preliminary message analysis are completed using the computing power of multiple terminal devices. This resolves the throughput bottleneck of traditional centralized auditing and improves the reliability, availability and scalability of the industrial control system.
The embodiment of the invention solves the problem of the high deployment cost of traditional industrial monitoring and auditing equipment, and the 1+N mode has higher stability and practicability.
In another embodiment of the present invention, an electronic device is further provided, which includes a memory and a processor, where the memory stores a computer program executable on the processor, and the processor, when executing the computer program, implements the steps of the method of the above method embodiments.
In yet another embodiment of the invention, a computer-readable medium is also provided, having non-volatile program code executable by a processor, the program code causing the processor to perform the method of the method embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An industrial network traffic monitoring and auditing method, applied to a terminal device, comprising the following steps:
acquiring mirrored traffic of an industrial switch;
determining an industrial control protocol of the mirrored traffic based on a port of the industrial switch, and analyzing the industrial control protocol according to the protocol specification corresponding to the industrial control protocol to obtain protocol analysis information;
processing the mirrored traffic based on the protocol analysis information to obtain an asset file of the industrial switch;
receiving variable information exported by an industrial control system, and matching industrial behaviors in the asset file based on the variable information;
and determining the variable information and the industrial behaviors as first processing data based on a preset management policy, and sending the first processing data to an industrial network monitoring and auditing platform so that the industrial network monitoring and auditing platform carries out industrial network traffic monitoring and auditing.
2. An industrial network traffic monitoring and auditing method, applied to an industrial network monitoring and auditing platform, comprising the following steps:
receiving first processing data uploaded by a terminal device;
analyzing and restoring the first processing data to obtain an original behavior;
extracting features based on the first processing data, and generating a whitelist security policy rule corresponding to the current industrial control network environment based on the features;
and monitoring and auditing the original behavior based on the whitelist security policy rule.
3. The industrial network traffic monitoring and auditing method of claim 2, wherein monitoring and auditing the original behavior based on the whitelist security policy rule includes:
judging whether the original behavior conforms to the whitelist security policy rule, determining an original behavior that does not conform to the whitelist security policy rule as an alarm event, and generating alarm information;
checking the alarm information and judging whether the alarm event is a false alarm;
and if the alarm event is determined not to be a false alarm, generating a network alarm distribution map based on the alarm event.
4. The industrial network traffic monitoring and auditing method of claim 3, further comprising, after generating the network alarm distribution map:
generating a risk report based on the network alarm distribution map and the threat degree of the alarm information.
5. An industrial network traffic monitoring and auditing apparatus, characterized in that it is applied to a terminal device and includes:
an acquisition module, used to acquire mirrored traffic of an industrial switch;
a determining and analyzing module, used to determine the industrial control protocol of the mirrored traffic based on the port of the industrial switch and to analyze the industrial control protocol according to the protocol specification corresponding to the industrial control protocol to obtain protocol analysis information;
a processing module, used to process the mirrored traffic based on the protocol analysis information to obtain an asset file of the industrial switch;
a receiving and matching module, used to receive variable information exported by an industrial control system and to match the industrial behaviors in the asset file based on the variable information;
and a determining and sending module, used to determine the variable information and the industrial behaviors as first processing data based on a preset management policy, and to send the first processing data to an industrial network monitoring and auditing platform so that the industrial network monitoring and auditing platform carries out industrial network traffic monitoring and auditing.
6. An industrial network traffic monitoring and auditing apparatus, characterized in that it is applied to an industrial network monitoring and auditing platform and includes:
a receiving module, used to receive first processing data uploaded by a terminal device;
an analysis and restoration module, used to analyze and restore the first processing data to obtain an original behavior;
a generating module, used to extract features based on the first processing data and to generate a whitelist security policy rule corresponding to the current industrial control network environment based on the features;
and a monitoring and auditing module, used to monitor and audit the original behavior based on the whitelist security policy rule.
7. An industrial network traffic monitoring and auditing system, comprising: a terminal device and an industrial network monitoring and auditing platform;
the terminal device is used to acquire industrial network traffic and to carry out preliminary processing on the industrial network traffic to obtain first processing data;
and the industrial network monitoring and auditing platform is used to analyze and restore the first processing data to obtain an original behavior of the industrial network traffic, and to monitor and audit the original behavior.
8. The industrial network traffic monitoring and auditing system of claim 7, wherein the industrial network monitoring and auditing platform includes at least one of: a distributed operating system, a distributed programming language, a distributed file system, and a distributed database system.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method according to any one of claims 1 to 4 when executing the computer program.
10. A computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of any of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911020510.4A CN110752951A (en) 2019-10-24 2019-10-24 Industrial network flow monitoring and auditing method, device and system

Publications (1)

Publication Number Publication Date
CN110752951A true CN110752951A (en) 2020-02-04

Family

ID=69279841

Country Status (1)

Country Link
CN (1) CN110752951A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200204