CN110753049B - Safety situation sensing system based on industrial control network flow - Google Patents


Info

Publication number: CN110753049B
Authority: CN (China)
Prior art keywords: data, module, flow, industrial control, algorithm
Legal status: Active
Application number: CN201910998682.2A
Other languages: Chinese (zh)
Other versions: CN110753049A (en)
Inventors: 赵曦滨, 崔浩, 高跃
Current assignee: Tsinghua University
Original assignee: Tsinghua University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a security situation awareness system based on industrial control network traffic, comprising: an industrial control network traffic collection module (10), a network traffic proxy forwarding module (20), a traffic data storage module (30), an anomaly detection module (40), a configuration management module (50), a security situation visualization module (60) and a modeling and algorithm updating module (70). The system improves the efficiency and accuracy of anomaly detection on industrial control network traffic, and improves the usability and extensibility of the system.

Description

Safety situation sensing system based on industrial control network flow
Technical Field
The invention relates to industrial network security situation awareness technology, in particular to a security situation awareness system based on industrial control network traffic.
Background
Industrial control networks carry diverse data in huge volumes. Communication traffic from industrial devices, upper computers (supervisory hosts), controllers and the like flows through the network and forms a large amount of redundant data, in which the key traffic is hard to mine, and system performance suffers greatly. Most data obtained from an industrial control network is normal and only a small amount is anomalous, so the data is severely imbalanced, and existing machine learning or deep learning anomaly detection techniques are difficult to apply to industrial networks.
In the prior art, modeling is usually performed on the existing network traffic; however, the correlations within industrial control network traffic data are complex, and the ability to analyse correlations among anomalous data is insufficient. In addition, industrial control network protocols are numerous and the meaning of a protocol field's data varies, which affects detection reliability. Specifically, traditional traffic-based security situation awareness systems have the following problems:
(1) low performance: ultra-large-scale industrial control network traffic data is difficult to forward, store and query, so system throughput and performance are very low;
(2) inaccuracy: the reliability of the detection results fluctuates, unknown anomalous data is hard to handle, and unknown anomalies reduce the accuracy of the detection results;
(3) difficult updating: the industrial control environment evolves continuously, but an existing awareness system cannot self-update its anomaly detection from its own detection results, and user-defined configuration items are insufficient.
Disclosure of Invention
The invention aims to provide a design for a security situation awareness system based on industrial control network traffic that improves situation awareness performance and anomaly detection accuracy, and improves the configurability and self-updating capability of the system.
To achieve the above object, the technical solution of the present invention provides a security situation awareness system based on industrial control network traffic, characterized in that the security situation awareness system includes: an industrial control network traffic collection module, a network traffic proxy forwarding module, a traffic data storage module, an anomaly detection module, a configuration management module, a security situation visualization module and a modeling and algorithm updating module;
the industrial control network traffic collection module collects, parses and sends the data to be processed on the upper computer, where the data to be processed is extracted from the industrial control network traffic data and comprises packet information, packet protocol information and parsed protocol field information;
the network traffic proxy forwarding module receives the parsed traffic data, filters out protocol data that is not needed, aggregates the traffic data over short time intervals, and sends the aggregated traffic data to the traffic data storage module and the anomaly detection module, which reduces redundant data and relieves the load on the storage module;
the traffic data storage module stores the aggregated industrial control network traffic data and builds a distributed storage cluster by data sharding, so that the industrial control network data is persisted and backed up;
the anomaly detection module performs anomaly detection on data features using algorithms from different categories, reports anomaly results to an alarm interface, and feeds the computed results back to the traffic data storage module for persistence;
the configuration management module defines the anomaly detection algorithms and alarm rules to be used, where an anomaly detection algorithm requires configuration of the data source features, the algorithm used and the algorithm parameter rules;
the security situation visualization module reads data from the traffic data storage module, comprehensively displays the existing traffic data together with the computed results fed back by the anomaly detection module, and visualizes the current security situation of the industrial control network;
the modeling and algorithm updating module builds a high-order model from the collected normal and anomalous industrial control network traffic data, and the parameters used by the anomaly detection algorithms are updated by training this high-order model, improving the recognition accuracy of the anomaly detection module.
Further, the industrial control network traffic collection module further comprises a protocol parsing unit and a data sending unit;
the protocol parsing unit extracts and identifies the protocol used by the traffic data, parses the different protocol fields in the industrial network, and arranges all field information and packet information of the traffic into a uniform standard data format;
the data sending unit collects and arranges the parsed standard traffic data, and periodically packages and sends the processed data to the network traffic proxy forwarding module.
Further, the network traffic proxy forwarding module caches the parsed protocol data in a buffer pool and preprocesses it, that is, aggregates the large amount of repeated data that arrives within a short time, so that the storage module is not subjected to high write pressure;
the network traffic proxy forwarding module may also run an asynchronous thread that forwards the aggregated data to the traffic data storage module.
Further, the traffic data storage module has the following characteristics:
network traffic data blocks are stored in shards, each shard holds a fixed size of traffic data, and each shard is backed up and stored on different servers; at the same time, an inverted index is built for newly added traffic data, supporting fast field-based retrieval and full-text field retrieval of the industrial control network traffic data.
Further, the anomaly detection module can perform anomaly detection using four configurable algorithm categories: density-based, clustering-based, adjacency-based and statistics-based anomaly detection methods.
Further, the configuration management module comprises a data configuration unit and an algorithm configuration unit, where:
the data configuration unit configures the data items that each anomaly detection task needs to acquire, the data items comprising data sources, data types, data time windows and the data feature fields used;
the algorithm configuration unit configures the algorithms used for each anomaly detection, comprising the algorithm categories, the specific algorithm used within each category, the parameters of the algorithms and the vote threshold by which the algorithms decide that data is anomalous.
Furthermore, the security situation visualization module can comprehensively display the stored traffic data, present the stored industrial control network traffic data in a user-defined chart console, and visually monitor the industrial control network traffic; it also comprehensively displays the detection results of the anomaly detection module and, by combining them with the existing traffic data display and locating the detected anomalous data, establishes a visual relation between the detection results and the traffic data.
Further, the modeling and algorithm updating module specifically comprises a complex modeling unit and a parameter updating unit, where: the complex modeling unit builds a high-order complex model from the existing sets of normal and anomalous traffic data, and checks the applicability of the model using the existing traffic data and the anomaly detection algorithms; the parameter updating unit uses the built high-order complex model to asynchronously update the specific parameters of the various algorithms of the anomaly detection module, and the normal operation of the anomaly detection module is not affected during the update.
The beneficial effects of the invention are:
(1) high performance: the network traffic proxy forwarding module buffers and consolidates the original traffic data, reducing the write pressure of traffic data and lightening the storage and indexing load on the storage module. The storage module improves data availability and retrieval speed by using distributed modules and data indexes, which improves security situation awareness performance;
(2) high accuracy: anomaly detection is performed by several anomaly detection algorithms deciding jointly, covering four categories of methods: density-based, clustering-based, adjacency-based and statistics-based anomaly detection. By setting the vote threshold, the differing requirements of avoiding missed anomalies or avoiding a large number of false alarms can both be met;
(3) self-updating: the detection models used by the anomaly detection algorithms are provided by the modeling and algorithm updating module and include a constructed hypergraph model, a statistical model, a deep model and the like. The models and parameters keep evolving as more data is acquired and provide higher detection accuracy, and the evolved models are pushed to the anomaly detection module by the algorithm updating module, so the whole system is continuously updated and evolves.
Drawings
The advantages of the above and/or additional aspects of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a schematic block diagram of a security situation awareness system based on industrial control network traffic according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the data storage module storing data by sharding according to an embodiment of the invention;
FIG. 3 is a schematic flow chart of a method for determining anomalous data based on industrial control network traffic according to an embodiment of the present invention;
FIG. 4 is a schematic flow diagram of an anomaly detection model updating method according to one embodiment of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments of the present invention and features of the embodiments may be combined with each other without conflict.
As shown in fig. 1, the present embodiment provides a security situation awareness system based on industrial control network traffic, including: an industrial control network traffic collection module 10, a network traffic proxy forwarding module 20, a traffic data storage module 30, an anomaly detection module 40, a configuration management module 50, a security situation visualization module 60 and a modeling and algorithm updating module 70, where:
the industrial control network traffic collection module 10 collects, parses and sends the data to be processed on the upper computer;
specifically, as shown in fig. 2, a packet capture tool is used on an upper computer of the industrial network to obtain the industrial control network traffic data, and the industrial control network traffic collection module 10 is deployed there. The industrial control network traffic collection module 10 specifically comprises a protocol parsing unit 11 and a data sending unit 12;
the protocol parsing unit 11 extracts and identifies the protocol used by the traffic data, parses the different protocol fields in the industrial network, and collates all field information and packet information of the traffic into a uniform standard data format;
the data sending unit 12 collects and arranges the parsed standard traffic data, and periodically packages and sends the processed data to the network traffic proxy forwarding module.
During operation, the industrial control network traffic collection module 10 first identifies the protocol used in the captured traffic data, parses the different protocol fields in the industrial network traffic data, arranges all field information and packet information of the traffic into a uniform JSON format, and stores it in the collection module's buffer pool. The module then reads the traffic data buffer pool using asynchronous multithreading and sends the traffic data to the network traffic proxy forwarding module 20 over HTTP requests.
The network traffic proxy forwarding module 20 receives the parsed traffic data and filters out the unneeded protocol data;
the network traffic proxy forwarding module 20 buffers the received parsed traffic data in a buffer queue and preprocesses it. The preprocessing has two aspects: first, it checks whether the protocol is one required by situation awareness, and if the protocol is not related to any situation awareness detection item the traffic data is discarded directly; second, a large amount of similar data within a short time is merged into a small amount of data by means such as average-value aggregation, reducing the data volume for subsequent processing. The proxy forwarding module also runs an asynchronous thread that forwards the aggregated data to the traffic data storage module 30. If the real-time requirement on anomaly detection is high, the data can optionally be forwarded to the anomaly detection module 40 as well.
The traffic data storage module 30 stores the aggregated industrial control network traffic data and builds a distributed storage cluster by data sharding.
The traffic data storage module 30 stores network traffic data blocks in shards, where each shard holds a fixed size of traffic data and each shard has a backup copy stored on a different server;
it also builds an inverted index for newly added traffic data, supporting fast field-based retrieval and full-text field retrieval of the industrial control network traffic data.
As shown in fig. 2, after receiving traffic data the module performs the following steps:
step 1: receive the request;
the storage module exposes a RESTful API; when a request from the traffic proxy forwarding module arrives, the main storage module first identifies the content of the request, for example adding a piece of data, and then computes from the request data the shard number under which the data is to be stored;
step 2: forward to the primary shard;
after computing the primary shard number, the request is forwarded to storage module 3, because primary shard 1, where the data is to be stored, currently resides on storage module 3;
step 3: forward to the backup shards;
storage module 3 first executes the storage request and, once the store has succeeded, forwards the request in parallel to storage module 1 and storage module 2, because they hold the backup copies of primary shard 1. After the request has been executed successfully, storage module 3 reports the execution result to the main storage module.
The anomaly detection module 40 performs anomaly detection on specified features of specified data using algorithms from different categories, reports anomaly results to an alarm interface, and feeds the computed results back to the traffic data storage module 30 for persistence;
after a scheduled detection task is triggered, the anomaly detection module 40 reads data from storage module 2, performs anomaly detection with four configurable algorithms, and selects the range of anomalous data by voting across the algorithms against a configurable vote threshold.
The four configurable algorithm categories are the density-based, clustering-based, adjacency-based and statistics-based anomaly detection methods, implemented by the following units:
the density anomaly detection unit 41 implements a series of density-based anomaly detection methods, such as comparing the reciprocal of the average distance to the K nearest neighbours;
the clustering anomaly detection unit 42 builds a model of normal data and detects whether an anomalous point distorts or breaks that model;
the adjacency anomaly detection unit 43 measures the distance between each data point and the other data points, and traffic data far from most other data points is judged anomalous;
the statistical anomaly detection unit 44 estimates the range of anomalous points using a series of statistical methods, including probability distribution models.
The configuration management module 50 defines the anomaly detection algorithms and alarm rules to be used, where an anomaly detection algorithm requires configuration of the data source features, the algorithm used and the algorithm parameter rules;
as shown in fig. 3, the configuration management module 50 includes a data configuration unit 51 and an algorithm configuration unit 52, where:
the data configuration unit 51 configures the data items that each anomaly detection task needs to acquire, including the data source, data type, data time window, the data feature fields used, and so on; after receiving the configuration items, the anomaly detection module fetches data from the distributed cluster according to the data configuration, performs feature extraction on the data items, and then sends them to the different algorithm detection units according to the algorithm configuration.
The algorithm configuration unit 52 configures the algorithms used for each anomaly detection, including the algorithm categories, the specific algorithm used within each category, the parameters of the algorithms themselves, and the vote threshold for deciding that data is anomalous.
The four categories of anomaly detection methods are the density-based, clustering-based, adjacency-based and statistics-based methods: the density anomaly detection unit implements density-based methods such as comparing the reciprocal of the average distance to the K nearest neighbours; the clustering anomaly detection unit builds a model of normal data and detects whether an anomalous point distorts or breaks it; the adjacency anomaly detection unit measures the distance between each data point and the others and judges traffic data far from most data points to be anomalous; the statistical anomaly detection unit estimates the range of anomalous points with statistical methods including probability distribution models.
After the algorithm detection is complete, the anomaly detection module integrates the results of the algorithms, generates a detection report from each algorithm's result and feeds it back to the storage cluster. If the anomaly result exceeds the defined threshold, an additional anomaly report is generated describing the source of the possible anomalous values and the presumed reason for the anomaly.
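The joint decision described above, as an added Python example that is not the patent's code: one simple detector per category (density via inverse mean K-nearest-neighbour distance, clustering via distortion of a centroid model, adjacency via the fraction of distant points, statistics via a per-feature Gaussian z-score) run over constructed per-window traffic features and combined by a configurable vote threshold. The sample rows, the feature choice and every per-detector cutoff are assumptions; the point of the block is how the vote threshold trades missed anomalies against false alarms.

```python
"""Added example, not the patent's code: the four detector categories the
patent names (density, clustering, adjacency, statistics) run over
constructed traffic-window features and combined by a configurable vote
threshold. Every per-detector cutoff is an assumed value."""
import math
import statistics

# Constructed sample: (packets, bytes) per 10-second window on one PLC link.
# Rows 10 and 14 are injected outliers; row 15 is a mild deviation.
WINDOWS = [
    (100, 6400), (102, 6520), (98, 6300), (101, 6450), (99, 6350),
    (103, 6600), (100, 6420), (97, 6250), (101, 6480), (100, 6400),
    (350, 29000),                                  # write burst
    (102, 6500), (99, 6380), (100, 6410),
    (20, 90000),                                   # few, very large frames
    (130, 8500),                                   # mild deviation
]


def min_max_scale(rows):
    """Scale each feature to [0, 1] so the byte count does not dominate distances."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [tuple((v - lo[j]) / span[j] for j, v in enumerate(r)) for r in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def density_detector(pts, k=3, ratio=0.1):
    """Density: inverse of the mean distance to the K nearest neighbours;
    flag points whose density falls below `ratio` times the median density."""
    dens = []
    for i, p in enumerate(pts):
        nearest = sorted(dist(p, q) for j, q in enumerate(pts) if j != i)[:k]
        mean_d = sum(nearest) / k
        dens.append(1.0 / mean_d if mean_d > 0 else math.inf)
    cutoff = ratio * statistics.median(dens)
    return {i for i, d in enumerate(dens) if d < cutoff}


def cluster_detector(pts, factor=3.0):
    """Clustering: the normal model is the centroid of all windows; a point
    whose removal shifts the centroid far more than usual distorts the model."""
    n, dim = len(pts), len(pts[0])
    centroid = [sum(p[j] for p in pts) / n for j in range(dim)]
    shifts = []
    for p in pts:
        without_p = [(centroid[j] * n - p[j]) / (n - 1) for j in range(dim)]
        shifts.append(dist(centroid, without_p))
    cutoff = factor * statistics.median(shifts)
    return {i for i, s in enumerate(shifts) if s > cutoff}


def proximity_detector(pts, radius=0.5, frac=0.8):
    """Adjacency: flag a point when at least `frac` of the other points lie
    farther than `radius` from it."""
    flagged = set()
    for i, p in enumerate(pts):
        far = sum(1 for j, q in enumerate(pts) if j != i and dist(p, q) > radius)
        if far / (len(pts) - 1) >= frac:
            flagged.add(i)
    return flagged


def statistical_detector(rows, z_max=3.0):
    """Statistics: fit a Gaussian per raw feature and flag any |z| above z_max."""
    params = [(statistics.mean(c), statistics.stdev(c)) for c in zip(*rows)]
    flagged = set()
    for i, r in enumerate(rows):
        for v, (mu, sd) in zip(r, params):
            if sd > 0 and abs(v - mu) / sd > z_max:
                flagged.add(i)
    return flagged


def detect(rows, vote_threshold=2):
    """Run all four detectors and return (flagged rows, votes per row).
    A low threshold favours catching every anomaly; a high one favours
    fewer false alarms, which is the trade-off the vote threshold exposes."""
    pts = min_max_scale(rows)
    votes = {}
    for flagged in (density_detector(pts), cluster_detector(pts),
                    proximity_detector(pts), statistical_detector(rows)):
        for i in flagged:
            votes[i] = votes.get(i, 0) + 1
    return {i for i, v in votes.items() if v >= vote_threshold}, votes


if __name__ == "__main__":
    anomalies, votes = detect(WINDOWS, vote_threshold=2)
    for i in sorted(anomalies):
        print(f"window {i}: {WINDOWS[i]} votes={votes[i]}")
```

With these constructed rows the mild deviation in row 15 gets a single vote, so it is reported at threshold 1 and suppressed at threshold 2 or above.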
In addition, the modeling and algorithm updating module can update the parameters and models used by the anomaly detection units on a schedule and asynchronously, so that the detection accuracy of the system improves as more traffic data and feedback results are collected.
The security situation visualization module 60 reads data from the traffic data storage module, comprehensively displays the existing traffic data and the computed results fed back by the anomaly detection module 40, and visualizes the current security situation of the industrial control network;
it comprehensively displays the stored traffic data, presents the stored industrial control network traffic data in a user-defined chart console, and visually monitors the industrial control network traffic;
it comprehensively displays the detection results of the anomaly detection module 40 and establishes a visual relation between the detection results and the traffic data by combining them with the existing traffic data display and locating the detected anomalous data.
The modeling and algorithm updating module 70 builds high-order models, including a hypergraph model, a statistical model, a deep model and the like, from the collected normal and anomalous industrial control network traffic data, and updates the parameters used by the various anomaly detection algorithms by training these models, so as to improve the recognition accuracy of the anomaly detection module 40.
Specifically, as shown in fig. 4, the modeling and algorithm updating module 70 includes a complex modeling unit 71 and a parameter updating unit 72;
the complex modeling unit 71 builds a high-order complex model from the existing sets of normal and anomalous traffic data, and checks the applicability of the model using the existing traffic data and the anomaly detection algorithms;
the parameter updating unit 72 uses the built high-order complex model to asynchronously update the specific parameters of the algorithms of the anomaly detection module 40, and the update does not affect the normal operation of the anomaly detection module 40.
The modeling and algorithm updating module 70 reads the collected historical traffic data and the fed-back detection results from the distributed storage cluster, trains through the complex modeling unit, and passes the training result to the parameter updating unit. The parameter updating unit synchronizes the current updated model to the anomaly detection module on a schedule, and a multithreaded asynchronous update ensures that the normal detection process is not affected.
Although the present invention has been disclosed in detail with reference to the accompanying drawings, it is to be understood that such description is merely illustrative and not restrictive of the application of the present invention. The scope of the invention is defined by the appended claims and may include various modifications, adaptations and equivalents of the invention without departing from its scope and spirit.

Claims (5)

1. A security situation awareness system based on industrial control network traffic, characterized in that the security situation awareness system comprises: an industrial control network traffic collection module (10), a network traffic proxy forwarding module (20), a traffic data storage module (30), an anomaly detection module (40), a configuration management module (50), a security situation visualization module (60) and a modeling and algorithm updating module (70);
the industrial control network traffic collection module (10) collects, parses and sends the data to be processed on the upper computer, where the data to be processed is extracted from the industrial control network traffic data and comprises packet information, packet protocol information and parsed protocol field information;
the network traffic proxy forwarding module (20) receives the parsed traffic data, filters out unneeded protocol data, aggregates the traffic data over short time intervals and sends the aggregated traffic data to the traffic data storage module (30) and the anomaly detection module (40), so that redundant data is reduced and the load on the storage module is relieved;
the network traffic proxy forwarding module (20) caches the parsed protocol data in a buffer pool and preprocesses it, namely aggregates the large amount of repeated data arriving within a short time, so that the storage module is not subjected to high write pressure;
the network traffic proxy forwarding module (20) can also run an asynchronous thread that forwards the aggregated data to the traffic data storage module (30);
the traffic data storage module (30) stores the aggregated industrial control network traffic data and builds a distributed storage cluster by data sharding, so that the industrial control network data is persisted and backed up;
the anomaly detection module (40) performs anomaly detection on data features using algorithms from different categories, reports anomaly results to an alarm interface and feeds the computed results back to the traffic data storage module (30) for persistence, where the algorithms from different categories comprise at least: density-based anomaly detection methods, clustering-based anomaly detection methods, adjacency-based anomaly detection methods and statistics-based anomaly detection methods;
the configuration management module (50) defines the anomaly detection algorithms and alarm rules to be used, where an anomaly detection algorithm requires configuration of the data source features, the algorithm used and the algorithm parameter rules; the configuration management module (50) comprises a data configuration unit (51) and an algorithm configuration unit (52), where:
the data configuration unit (51) configures the data items that each anomaly detection task needs to acquire, the data items comprising data sources, data types, data time windows and the data feature fields used;
the algorithm configuration unit (52) configures the algorithms used by each anomaly detection, comprising the algorithm categories, the specific algorithm used under each category, the parameters of the algorithms and the vote threshold by which the algorithms decide that data is anomalous;
the security situation visualization module (60) reads data from the traffic data storage module, comprehensively displays the existing traffic data and the computed results fed back by the anomaly detection module (40), and visualizes the current security situation of the industrial control network;
the modeling and algorithm updating module (70) builds a high-order model from the collected normal and anomalous industrial control network traffic data, and the high-order model is trained to update the parameters used by the anomaly detection algorithms, so that the recognition accuracy of the anomaly detection module (40) is improved.
2. The industrial control network traffic-based security situation awareness system according to claim 1, wherein the industrial control network traffic collection module (10) further comprises a protocol parsing unit (11) and a data sending unit (12);
the protocol parsing unit (11) is used to identify the protocol carried by the traffic data, parse the fields of the different protocols present in the industrial network, and collate all field information together with the message information of the traffic into a uniform standard data format;
the data sending unit (12) collects and arranges the parsed standard traffic data, and periodically packages and sends the processed data to the network traffic proxy forwarding module (20).
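As an added example of what the protocol parsing unit (11) and the data sending unit (12) of claim 2 do, the code below parses captured Modbus/TCP frames into one uniform record and groups the records into numbered batches. This is example code for this page, not the patent's implementation; Modbus/TCP is assumed as the industrial protocol, and the port registry, the record layout, the batch size and the captured flows are constructed for the illustration.

```python
"""Protocol parsing unit (11) and data sending unit (12) in miniature.

Example code for this page, not the patent's implementation. Modbus/TCP is
assumed as the industrial protocol; the port registry, the uniform record
layout, the batch size and the captured flows are constructed for this example.
"""
import struct

MODBUS_FUNCTIONS = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}


class ParseError(ValueError):
    pass


def parse_modbus_tcp(payload, is_request=True):
    """Parse an MBAP header plus PDU into named fields.

    The MBAP length field is checked against the bytes actually present rather
    than trusted: a frame whose declared length disagrees with the capture is
    recorded as a parse error instead of being silently accepted.
    """
    if len(payload) < 8:
        raise ParseError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:7])
    if pid != 0:
        raise ParseError("MBAP protocol id %d is not Modbus" % pid)
    if length != len(payload) - 6:
        raise ParseError("MBAP length %d disagrees with %d payload bytes"
                         % (length, len(payload) - 6))
    func, data = payload[7], payload[8:]
    fields = {"transaction_id": tid, "unit_id": uid,
              "function_code": func & 0x7F, "exception": bool(func & 0x80)}
    fields["function_name"] = MODBUS_FUNCTIONS.get(fields["function_code"], "unknown")
    if fields["exception"] and len(data) == 1:
        fields["exception_code"] = data[0]
    elif is_request and fields["function_code"] in (1, 2, 3, 4, 5, 6) and len(data) == 4:
        # read requests carry address+quantity, single writes address+value
        key = "quantity" if fields["function_code"] <= 4 else "value"
        fields["address"], fields[key] = struct.unpack("!HH", data)
    elif is_request and fields["function_code"] in (15, 16) and len(data) >= 5:
        fields["address"], fields["quantity"], fields["byte_count"] = struct.unpack("!HHB", data[:5])
    else:
        fields["raw_data"] = data.hex()  # responses and unknown shapes kept verbatim
    return fields


# Assumed registry: well-known server port -> (protocol name, parser).
PROTOCOL_PARSERS = {502: ("modbus_tcp", parse_modbus_tcp)}


def normalize(flow):
    """Uniform standard record: transport metadata, protocol name, parsed fields
    and any parse error, so downstream modules never touch raw bytes. The
    request/response direction is taken from which side uses the server port."""
    record = {"ts": flow["ts"], "src": flow["src"], "dst": flow["dst"],
              "src_port": flow["src_port"], "dst_port": flow["dst_port"],
              "length": len(flow["payload"]), "protocol": "unknown",
              "fields": {}, "parse_error": None}
    for port in (flow["dst_port"], flow["src_port"]):
        if port in PROTOCOL_PARSERS:
            name, parser = PROTOCOL_PARSERS[port]
            record["protocol"] = name
            try:
                record["fields"] = parser(flow["payload"], is_request=(port == flow["dst_port"]))
            except ParseError as err:
                record["parse_error"] = str(err)
            break
    return record


def package(records, batch_size=2):
    """Data sending unit (12): group normalized records into numbered batches
    for the proxy forwarding module (20)."""
    return [{"seq": n, "count": len(records[i:i + batch_size]), "records": records[i:i + batch_size]}
            for n, i in enumerate(range(0, len(records), batch_size))]


# Constructed captures (MBAP header, unit id, function code, data).
SAMPLE_FLOWS = [
    {"ts": 1, "src": "10.0.0.5", "dst": "10.0.0.20", "src_port": 49152, "dst_port": 502,
     "payload": bytes.fromhex("0001 0000 0006 01 03 0000 000A")},  # read 10 holding registers at 0
    {"ts": 2, "src": "10.0.0.5", "dst": "10.0.0.20", "src_port": 49152, "dst_port": 502,
     "payload": bytes.fromhex("0002 0000 0006 01 06 0010 1234")},  # write 0x1234 to register 16
    {"ts": 3, "src": "10.0.0.20", "dst": "10.0.0.5", "src_port": 502, "dst_port": 49152,
     "payload": bytes.fromhex("0001 0000 0003 01 83 02")},         # exception: illegal data address
    {"ts": 4, "src": "10.0.0.9", "dst": "10.0.0.20", "src_port": 40000, "dst_port": 502,
     "payload": bytes.fromhex("0003 0000 0006 01 03 0000")},       # truncated frame, length field lies
]

if __name__ == "__main__":
    for batch in package([normalize(f) for f in SAMPLE_FLOWS]):
        print(batch)
```

The fourth flow is the case worth keeping: a frame whose MBAP length does not match what was captured is preserved as a record with a parse error rather than dropped, so the anomaly detection module can still see that a host on the control segment is sending malformed Modbus.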
3. The industrial control network traffic-based security situation awareness system according to claim 1, wherein the traffic data storage module (30) has the following features:
network traffic data blocks are stored in shards, each shard holding a fixed amount of traffic data and each shard being replicated to different servers; at the same time, an inverted index is built for newly added traffic data, supporting fast field-based retrieval and full-text retrieval of the industrial control network traffic data.
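The storage layout of claim 3 (fixed-size shards replicated across servers, plus an inverted index for field and full-text lookups) is shown below as an added in-memory stand-in. It is example code for this page, not the patent's implementation; the shard size, replica count, server names and sample records are assumptions.

```python
"""Traffic data storage module (30) in miniature: fixed-size shards, each shard
replicated to several servers, and an inverted index for field and full-text
retrieval.

Example code for this page, not the patent's implementation; an in-memory
stand-in for a storage cluster. Shard size, replica count, the server names
and the sample records are assumptions.
"""
import re
from collections import defaultdict

TOKEN = re.compile(r"[a-z0-9.]+")  # keeps "10.0.0.9" whole, splits "write_single"


class ShardedTrafficStore:
    def __init__(self, shard_size=3, replicas=2, servers=("srv-a", "srv-b", "srv-c")):
        if replicas > len(servers):
            raise ValueError("cannot place more replicas than servers")
        self.shard_size, self.replicas, self.servers = shard_size, replicas, servers
        self.docs = {}                          # doc_id -> record
        self.placement = {}                     # shard index -> servers holding a copy
        self.field_index = defaultdict(set)     # (field, value) -> {doc_id}
        self.text_index = defaultdict(set)      # token -> {doc_id}

    def add(self, record):
        """Append a record; sequential ids mean shard = doc_id // shard_size."""
        doc_id = len(self.docs)
        shard = doc_id // self.shard_size
        if shard not in self.placement:
            # New fixed-size shard: pick `replicas` distinct servers round-robin.
            self.placement[shard] = [self.servers[(shard + k) % len(self.servers)]
                                     for k in range(self.replicas)]
        self.docs[doc_id] = record
        # Inverted index: exact (field, value) pairs plus tokens for full text.
        for field, value in record.items():
            self.field_index[(field, str(value))].add(doc_id)
            for tok in TOKEN.findall(str(value).lower()):
                self.text_index[tok].add(doc_id)
        return doc_id

    def find_by_field(self, field, value):
        return sorted(self.field_index.get((field, str(value)), ()))

    def search_text(self, query):
        """Every query token must occur somewhere in the record."""
        toks = TOKEN.findall(query.lower())
        if not toks:
            return []
        postings = [self.text_index.get(t, set()) for t in toks]
        return sorted(set.intersection(*postings))

    def servers_for(self, doc_id):
        return list(self.placement[doc_id // self.shard_size])

    def read(self, doc_id, down=()):
        """Serve a record if any replica of its shard is on a live server."""
        alive = [s for s in self.servers_for(doc_id) if s not in set(down)]
        if not alive:
            raise RuntimeError("all replicas of shard %d unavailable" % (doc_id // self.shard_size))
        return self.docs[doc_id]


SAMPLE_RECORDS = [  # constructed normalized flows
    {"ts": 0, "src": "10.0.0.5", "func": 3, "msg": "read_holding_registers from 10.0.0.5"},
    {"ts": 1, "src": "10.0.0.5", "func": 3, "msg": "read_holding_registers from 10.0.0.5"},
    {"ts": 2, "src": "10.0.0.5", "func": 4, "msg": "read_input_registers from 10.0.0.5"},
    {"ts": 3, "src": "10.0.0.9", "func": 16, "msg": "write_multiple_registers from 10.0.0.9"},
    {"ts": 4, "src": "10.0.0.5", "func": 3, "msg": "read_holding_registers from 10.0.0.5"},
    {"ts": 5, "src": "10.0.0.9", "func": 6, "msg": "write_single_register from 10.0.0.9"},
    {"ts": 6, "src": "10.0.0.5", "func": 3, "msg": "read_holding_registers from 10.0.0.5"},
]


def build_store(records=SAMPLE_RECORDS):
    store = ShardedTrafficStore()
    for r in records:
        store.add(r)
    return store


if __name__ == "__main__":
    s = build_store()
    print(s.find_by_field("src", "10.0.0.9"), s.search_text("write 10.0.0.9"), s.servers_for(6))
```

Seven records fill three shards of three; with two replicas per shard the loss of any single server still leaves every record readable, and both lookups (exact field value, all-terms full text) are served from the index without scanning the shards.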
4. The industrial control network traffic-based security situation awareness system according to claim 1, wherein the security situation visualization module (60) is capable of displaying the stored traffic data comprehensively, presenting the stored industrial control network traffic data in user-defined chart dashboards so that the industrial control network traffic itself can be monitored visually; and of displaying the detection results of the anomaly detection module (40) comprehensively, establishing a visual relationship between the detection results and the traffic data by combining them with the existing traffic data display and locating the detected anomalous data.
5. The industrial control network traffic-based security situation awareness system according to claim 1, wherein the modeling and algorithm updating module (70) further comprises a complex modeling unit (71) and a parameter updating unit (72), wherein:
the complex modeling unit (71) builds a high-order complex model from the existing normal traffic data and anomalous traffic data sets, and checks the applicability of the model using the existing traffic data and the anomaly detection algorithms; the parameter updating unit (72) uses the established high-order complex model to asynchronously update the specific parameters of the various algorithms of the anomaly detection module (40), the updating process not interfering with the normal operation of the anomaly detection module (40).
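The asynchronous update of claim 5 is illustrated below as an added example: training runs on a worker thread and the finished parameter set is handed to the running detector in one atomic swap, so detection never blocks on training and never observes a half-written parameter set. This is example code for this page, not the patent's implementation. The "model" is a deliberately simple stand-in for the patent's high-order model (it selects the packet-count cut-off with the best balanced accuracy on labelled data); the parameter names, the scoring rule and the training data are assumptions.

```python
"""Parameter updating unit (72): retrain in the background and hand the new
parameters to the running detector atomically.

Example code for this page, not the patent's implementation. The "model" is a
deliberately simple stand-in for the patent's high-order model: it selects the
pkts cut-off that best separates labelled normal from anomalous traffic. The
parameter names, the scoring rule and the training data are assumptions.
"""
import threading
import time


class ParameterStore:
    """One reference to an immutable parameter dict. Readers take a snapshot
    per call; the writer replaces the whole dict under a lock, so a detector
    mid-call keeps the old set and its next call sees the new one."""

    def __init__(self, params):
        self._params = dict(params)
        self._lock = threading.Lock()
        self.version = 0

    def snapshot(self):
        return self._params

    def swap(self, params):
        with self._lock:
            self._params = dict(params)
            self.version += 1


def detect(record, params):
    """The anomaly detector keeps running on whatever snapshot it was given."""
    return record["pkts"] > params["pkts_threshold"]


def fit_threshold(normal, anomalous):
    """Pick the cut-off with the best balanced accuracy on labelled windows."""
    best = None
    for cut in sorted({r["pkts"] for r in normal + anomalous}):
        tpr = sum(r["pkts"] > cut for r in anomalous) / len(anomalous)
        tnr = sum(r["pkts"] <= cut for r in normal) / len(normal)
        score = (tpr + tnr) / 2
        if best is None or score > best[0]:
            best = (score, cut)
    return {"pkts_threshold": best[1], "balanced_accuracy": best[0]}


def update_asynchronously(store, normal, anomalous, train_delay=0.05):
    """Train on a worker thread and swap when done; returns the thread so the
    caller can join it. Detection meanwhile uses the previous parameters."""
    def worker():
        time.sleep(train_delay)  # stands in for an expensive fit
        store.swap(fit_threshold(normal, anomalous))
    t = threading.Thread(target=worker, daemon=True)
    t.start()
    return t


# Constructed labelled windows drawn from the traffic store.
NORMAL = [{"pkts": p} for p in (10, 11, 12, 13, 12, 11, 14)]
ANOMALOUS = [{"pkts": p} for p in (480, 300, 90, 60)]

if __name__ == "__main__":
    store = ParameterStore({"pkts_threshold": 1000})  # initial, far too permissive
    print("before:", detect({"pkts": 480}, store.snapshot()))
    update_asynchronously(store, NORMAL, ANOMALOUS).join()
    print("after:", detect({"pkts": 480}, store.snapshot()), store.snapshot())
```

The design point is that the detector reads one reference and never mutates it: parameters are replaced as a whole rather than edited in place, which is what makes the update safe to run while detection continues.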
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910998682.2A CN110753049B (en) 2019-10-21 2019-10-21 Safety situation sensing system based on industrial control network flow

Publications (2)

Publication Number Publication Date
CN110753049A 2020-02-04
CN110753049B 2021-04-13

Family

ID=69278994

Country Status (1)

Country Link
CN (1) CN110753049B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113872958B (en) * 2021-09-24 2023-07-28 中能融合智慧科技有限公司 Intelligent network identification tool based on industrial control security situation awareness
CN115208703B (en) * 2022-09-16 2022-12-13 北京安帝科技有限公司 Industrial control equipment intrusion detection method and system of fragment parallelization mechanism
CN117240603B (en) * 2023-11-10 2024-02-06 紫光恒越技术有限公司 Data transmission method, system, device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107222491A (en) * 2017-06-22 2017-09-29 北京工业大学 A kind of inbreak detection rule creation method based on industrial control network mutation attacks
CN109547409A (en) * 2018-10-19 2019-03-29 中国电力科学研究院有限公司 A kind of method and system for being parsed to industrial network transport protocol
CN109818971A (en) * 2019-03-12 2019-05-28 清华大学 A kind of network data method for detecting abnormality and system based on High order correletion excavation
CN109861988A (en) * 2019-01-07 2019-06-07 浙江大学 A kind of industrial control system intrusion detection method based on integrated study

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716204B (en) * 2013-12-20 2017-02-08 中国科学院信息工程研究所 Abnormal intrusion detection ensemble learning method and apparatus based on Wiener process
CN105704103B (en) * 2014-11-26 2017-05-10 中国科学院沈阳自动化研究所 Modbus TCP communication behavior abnormity detection method based on OCSVM double-contour model
CN104767692B (en) * 2015-04-15 2018-05-29 中国电力科学研究院 A kind of net flow assorted method
CN104994056B (en) * 2015-05-11 2018-01-19 中国电力科学研究院 The dynamic updating method of flow identification model in a kind of Power Information Network
US9699205B2 (en) * 2015-08-31 2017-07-04 Splunk Inc. Network security system
CN108322445A (en) * 2018-01-02 2018-07-24 华东电力试验研究院有限公司 A kind of network inbreak detection method based on transfer learning and integrated study
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system
CN109840415A (en) * 2018-12-29 2019-06-04 江苏博智软件科技股份有限公司 A kind of industry control network Security Situation Awareness Systems
CN110324316B (en) * 2019-05-31 2022-04-22 河南九域恩湃电力技术有限公司 Industrial control abnormal behavior detection method based on multiple machine learning algorithms

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant