CN110798484B - Industrial control protocol characteristic attack filtering and analyzing system - Google Patents


Info

Publication number: CN110798484B
Application number: CN201911103368.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN110798484A (en)
Inventor: 刘智勇
Original and current assignee: Zhuhai Hongrui Information Technology Co Ltd
Legal status: Active (status as listed by Google Patents, which states that it has not performed a legal analysis)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms


Abstract

The invention discloses an industrial control protocol characteristic attack filtering and analyzing system, which comprises an industrial control network, an attack monitoring end, a data induction unit, a data fusion unit, a reaction monitoring unit, a processor, a display unit, a database, an opinion generating unit and an input unit, the attack monitoring end being connected to the industrial control network. The attack monitoring end picks up the attacks suffered and classifies them according to the existing technical rules; the data induction unit then processes the related data to obtain the key influencing factors, namely the same-frequency attacked types, the high-risk signals and the common signals; the reaction monitoring unit then picks up the influence caused by each attack and its related data, which are combined with the data summarized by the data induction unit for comprehensive analysis to obtain the accommodation time, the inertial virus type and the sum of the harm values; different warnings are issued according to these results to remind the user of the specific attacked condition and of the stability of the current industrial control network.

Description

Industrial control protocol characteristic attack filtering and analyzing system
Technical Field
The invention belongs to the field of filtering analysis, relates to a characteristic attack analysis and filtering technology, and particularly relates to an industrial control protocol characteristic attack filtering and analyzing system.
Background
The patent with publication number CN106599997A discloses a zero-dynamics industrial control attack detection and identification system comprising an industrial control modeling module, an attack detection module and an attack identification module: the industrial control modeling module constructs an industrial control system structure model framework for the petrochemical and power industries; the attack detection module extracts the corresponding attack state observations and characteristics and comprises a centralized attack detection filter model and a distributed attack detection filter model; the attack identification module constructs a centralized attack identification filter and identifies the corresponding attack set. That invention also relates to a zero-dynamics industrial control attack detection and identification method, and provides a safety model and an attack detection and identification filter for an industrial control system, used to detect and identify the security threats to the industrial control system, in particular the various attacks suffered during operation, so that intelligent analysis, safety evaluation and accurate localization of safety events in industrial control system information are realized, together with detection of abnormal behaviour of the industrial control system.
However, that patent only identifies the characteristics of an attack and classifies its type; it does not summarize and analyze the attack types or assess the security degree of the current industrial control network. To solve this technical drawback, the following solution is provided.
Disclosure of Invention
The invention aims to provide an industrial control protocol characteristic attack filtering and analyzing system.
The purpose of the invention can be realized by the following technical scheme:
The industrial control protocol characteristic attack filtering and analyzing system comprises an industrial control network, an attack monitoring end, a data induction unit, a data fusion unit, a reaction monitoring unit, a processor, a display unit, a database, an opinion generating unit and an input unit;
the attack monitoring end monitors the industrial control network and automatically acquires the attacked information of the industrial control network, where the attacked information comprises an attacked type and an attacked time; the attacked type is the type of virus involved in the attack, and the virus types are classified into five categories according to the existing virus classification method, namely worm virus, Trojan horse virus, system virus, script virus and other types; these types are marked as Bi, i = 1...5, in that order; the attack monitoring end transmits the attacked information to the data induction unit, and the data induction unit performs attack analysis on the attacked information in the following steps:
Step one: acquire the attacked type and the attacked time from the attacked information;
Step two: mark each attacked type as Bij, i = 1...5, j = 1...n, where Bij denotes the j-th attack, of virus type i; mark the corresponding attacked time as Tj, j = 1...n, so that Bij and Tj correspond one to one;
Step three: acquire the latest attacked time Tn and summarize the attacked types Bij according to the attacked time Tn, the summarizing method being as follows:
S1: obtain the corresponding Tn-1 by replacing n with n-1, and obtain the time interval value G1 between Tn and Tn-1;
S2: obtain Tn-1;
S3: take n-1 as n and repeat step S1 to obtain the time interval value G2 between Tn-1 and Tn-2;
S4: repeat step S3 until all time interval values Gi, i = 1...n-1, are obtained;
S5: acquire Gi;
S6: let i = 1 and acquire the corresponding G1;
S7: let i = i + 1 and acquire the corresponding G2;
S8: average the selected Gi and denote the average as P; here P is the average of G1 and G2;
S9: obtain the associated value Qg of the selected Gi according to the formula
Figure GDA0003221611630000031
when Qg is less than or equal to X1, G2 is associated with G1, and the corresponding attacked times Tn, Tn-1 and Tn-2 are classified as a same-frequency attack;
S10: let i = i + 1 to obtain the corresponding G3, and judge whether the Tn-3 corresponding to G3 satisfies the condition of steps S8-S9, i.e. whether Tn-3 belongs to the same-frequency attack; specifically, G3 is added into the formulas of S8-S9 for the calculation;
S11: acquire the attacked types corresponding to the attacked times of all same-frequency attacks and mark them as the same-frequency attacked types Hij, i = 1...5, j = 1...m; acquire the interval between the earliest and the latest attacked time among the same-frequency attacks and mark it as the accommodation time; acquire the total number of attacked types within the accommodation time and mark it as the accommodation number;
S12: mark the attacked type suffering the most attacks within the accommodation time as the current hot attack type;
S13: calculate the accommodation level according to the formula accommodation level = accommodation number / accommodation time; when the accommodation level is greater than X2, a high-risk time interval has arrived and a high-risk signal is generated; otherwise, a common signal is generated;
the data induction unit transmits the accommodation time, the same-frequency attacked types Hij, the high-risk signals and the common signals to the data fusion unit;
the reaction monitoring unit monitors the troubling time of each attacked type, where the troubling time is the time from the occurrence of an abnormality after an attack until the abnormality is restored; the reaction monitoring unit marks the troubling time of the same-frequency attacked type Hij as the same-frequency troubling time Kij and transmits Kij to the data fusion unit; the data fusion unit performs fusion processing on the same-frequency troubling time Kij and the same-frequency attacked type Hij to obtain the inertial virus type and the sum of the harm values;
the data fusion unit transmits the accommodation time, the inertial virus type and the sum of the harm values to the processor;
the processor further transmits the inertial virus type to the display unit when it receives the inertial virus type from the data fusion unit, and the display unit displays in real time the current virus type, the inertial virus type and the high-frequency virus, so that the user can pay attention to protection against that type.
Further, the fusion processing comprises the following specific steps:
S100: calibrate the difference score Cij of Hij according to the same-frequency troubling time Kij, specifically:
when Kij = 0, mark the corresponding difference score Cij as 1;
when 0 < Kij ≤ X3, mark the corresponding difference score Cij as 1.5;
when Kij > X3, mark the corresponding difference score Cij as 2.5;
S200: assign the value 1 to each counted same-frequency attacked type Hij;
S300: according to the formula
Figure GDA0003221611630000041
calculate the harm values Vi corresponding to the five virus types, i = 1...5;
S400: sum the Vi to obtain the sum of the harm values;
S500: mark the virus type with the minimum Vi value as the inertial virus type.
Further, the processor transmits the sum of the harm values to the opinion generating unit, and the opinion generating unit performs opinion analysis on the sum of the harm values in the following steps:
SS1: obtain the sum of the harm values;
SS2: when the sum of the harm values is less than or equal to X4, automatically generate a common harm value signal;
SS3: when X4 < sum of the harm values < X5, automatically generate a medium harm value signal;
SS4: when the sum of the harm values is greater than or equal to X5, automatically generate a high harm value signal;
when the opinion generating unit produces the common harm value signal it returns that signal to the processor, and the processor, on receiving it, automatically drives the display unit to display 'accommodation time + general harm degree'.
Further, when the opinion generating unit produces the medium harm value signal it returns that signal to the processor, and the processor, on receiving it, automatically drives the display unit to display 'accommodation time + higher harm degree, please pay attention'.
Further, when the opinion generating unit produces the high harm value signal it returns that signal to the processor, and the processor, on receiving it, automatically drives the display unit to display 'accommodation time + extremely high harm degree, please react immediately'.
Further, when the data fusion unit receives the high-risk signal from the data induction unit it transmits that signal to the processor, and the processor, on receiving it, drives the display unit to display 'virus attacks are currently frequent, please note'.
Further, when the data fusion unit receives the common signal from the data induction unit it transmits that signal to the processor, and the processor, on receiving it, drives the display unit to display 'a virus attack currently exists, please note'.
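The data induction, fusion and opinion steps described above, worked through as an added Python example (this is not code from the patent or its assignee). The patent's formulas for the associated value Qg (step S9) and the harm value Vi (step S300) are images that are not reproduced on this page, so the example substitutes two assumed forms, both marked in the code: Qg is taken as the relative deviation of the newest interval from the mean P of the selected intervals, and Vi as the sum of the difference scores Cij over the same-frequency hits of type i, with Hij = 1 as in S200. The thresholds X1 to X5, the sample hit list, the tie-break for the inertial type and the handling of a group that cannot be extended beyond Tn-1 are also constructed for the example.

```python
"""Worked example of the CN110798484B pipeline (added here; not the patent's code).

ASSUMED forms (the patent's Qg and Vi formulas are images not on the page):
  Qg = |G_new - P| / P   with P the mean of the selected intervals plus G_new
  Vi = sum_j Hij * Cij   with Hij = 1 for every same-frequency hit of type i
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence

VIRUS_TYPES = {1: "worm", 2: "Trojan horse", 3: "system", 4: "script", 5: "other"}


@dataclass(frozen=True)
class Hit:
    type_id: int           # i in Bij, 1..5
    time: float            # attacked time Tj, seconds since an arbitrary epoch
    troubling_time: float  # Kij: seconds from anomaly to restoration, 0 if none


def same_frequency_group(hits: Sequence[Hit], x1: float) -> List[Hit]:
    """Steps S1-S10: walk back from the latest hit Tn through the intervals
    G1 = Tn - Tn-1, G2 = Tn-1 - Tn-2, ... and keep extending the group while
    the associated value Qg of the newest interval stays <= X1."""
    ordered = sorted(hits, key=lambda h: h.time)
    if len(ordered) < 3:              # S9 needs Tn, Tn-1 and Tn-2
        return list(ordered)
    gaps = [ordered[k + 1].time - ordered[k].time for k in range(len(ordered) - 1)]
    gaps.reverse()                    # gaps[0] is G1, gaps[1] is G2, ...
    selected = [gaps[0]]
    for g in gaps[1:]:
        p = (sum(selected) + g) / (len(selected) + 1)   # S8: mean of selected Gi
        qg = abs(g - p) / p if p > 0 else 0.0           # S9 (assumed form)
        if qg > x1:
            break
        selected.append(g)
    # k selected intervals span the newest k+1 hits; if G2 already fails,
    # the group is just Tn and Tn-1 (assumption: the patent does not say).
    return ordered[-(len(selected) + 1):]


def induction(hits: Sequence[Hit], x1: float, x2: float):
    """Steps S11-S13: accommodation time and number, hot type, and the
    high-risk / common signal."""
    if not hits:
        raise ValueError("no attacked information to analyze")
    group = same_frequency_group(hits, x1)
    accommodation_time = group[-1].time - group[0].time
    accommodation_number = len(group)
    hot_type = Counter(h.type_id for h in group).most_common(1)[0][0]
    # hits at one instant give a zero accommodation time; treat the level as
    # unbounded instead of dividing by zero
    level = accommodation_number / accommodation_time if accommodation_time > 0 else float("inf")
    signal = "high-risk" if level > x2 else "common"
    return group, accommodation_time, accommodation_number, hot_type, signal


def difference_score(kij: float, x3: float) -> float:
    """S100 calibration table from the patent."""
    if kij == 0:
        return 1.0
    return 1.5 if kij <= x3 else 2.5


def fusion(group: Sequence[Hit], x3: float):
    """S200-S500: harm value Vi per type (assumed form), their sum, and the
    inertial virus type (smallest Vi; ties broken by the lowest i)."""
    v: Dict[int, float] = {i: 0.0 for i in VIRUS_TYPES}
    for h in group:
        v[h.type_id] += 1.0 * difference_score(h.troubling_time, x3)  # Hij = 1
    harm_sum = sum(v.values())
    inertial_type = min(VIRUS_TYPES, key=lambda i: (v[i], i))
    return v, harm_sum, inertial_type


def opinion(harm_sum: float, x4: float, x5: float) -> str:
    """SS1-SS4: grade the sum of the harm values."""
    if harm_sum <= x4:
        return "common harm value"
    if harm_sum < x5:
        return "medium harm value"
    return "high harm value"


DISPLAY_TEXT = {  # wording of the display messages given in the patent
    "common harm value": "general harm degree",
    "medium harm value": "higher harm degree, please pay attention",
    "high harm value": "extremely high harm degree, please react immediately",
}


def analyze(hits: Sequence[Hit], x1, x2, x3, x4, x5) -> Dict[str, object]:
    """Whole pipeline; returns what the display unit would show."""
    group, acc_time, acc_num, hot, signal = induction(hits, x1, x2)
    v, harm_sum, inertial = fusion(group, x3)
    grade = opinion(harm_sum, x4, x5)
    return {
        "accommodation_time": acc_time, "accommodation_number": acc_num,
        "hot_type": VIRUS_TYPES[hot], "signal": signal,
        "harm_values": v, "harm_sum": harm_sum,
        "inertial_type": VIRUS_TYPES[inertial], "grade": grade,
        "display": f"accommodation time {acc_time:g}s + {DISPLAY_TEXT[grade]}",
    }


# Constructed sample: one isolated old system-virus hit, then five hits about
# 100 s apart (the same-frequency group). Thresholds X1..X5 are constructed too.
SAMPLE_HITS = [
    Hit(3, 0.0, 50.0),
    Hit(1, 3000.0, 0.0), Hit(1, 3100.0, 30.0), Hit(2, 3210.0, 600.0),
    Hit(1, 3300.0, 0.0), Hit(4, 3400.0, 120.0),
]
THRESHOLDS = dict(x1=0.2, x2=0.01, x3=300.0, x4=5.0, x5=10.0)

if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HITS, **THRESHOLDS).items():
        print(f"{key}: {val}")
```

With the constructed sample the intervals walked back from Tn are 100, 90, 110, 100 and 3000 seconds; the first four stay within X1 = 0.2 of their mean and the 3000 s gap does not, so the isolated early hit is left out and the group spans 400 s with five hits, giving an accommodation level above X2 and a high-risk signal. The type with the smallest Vi is reported as the inertial type even when it received no hits at all, because the patent computes Vi for all five types; a deployment would want to decide whether an absent type should count.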
The invention has the following beneficial effects:
the attack monitoring end picks up the attacks suffered and classifies them according to the existing technical rules; the attacks are associated according to related factors, and the attacks within a period of time are grouped into same-frequency attacks; the data induction unit then processes the related data to obtain the key influencing factors, namely the same-frequency attacked types, the high-risk signals and the common signals; the reaction monitoring unit then picks up the influence caused by each attack and its related data, which are combined with the data summarized by the data induction unit for comprehensive analysis to obtain the accommodation time, the inertial virus type and the sum of the harm values; different warnings are issued according to these results to remind the user of the specific attacked condition and of the stability of the current industrial control network; the invention is simple, effective and easy to use.
Drawings
To facilitate understanding by those skilled in the art, the present invention is further described with reference to the accompanying drawing.
FIG. 1 is a system block diagram of the industrial control protocol characteristic attack filtering and analyzing system according to the present invention.
Detailed Description
As shown in FIG. 1, the industrial control protocol characteristic attack filtering and analyzing system comprises an industrial control network, an attack monitoring end, a data induction unit, a data fusion unit, a reaction monitoring unit, a processor, a display unit, a database, an opinion generating unit and an input unit;
the attack monitoring end monitors the industrial control network and automatically acquires the attacked information of the industrial control network, where the attacked information comprises an attacked type and an attacked time; the attacked type is the type of virus involved in the attack, and the virus types are classified into five categories according to the existing virus classification method, namely worm virus, Trojan horse virus, system virus, script virus and other types; these types are marked as Bi, i = 1...5, in that order; the attack monitoring end transmits the attacked information to the data induction unit, and the data induction unit performs attack analysis on the attacked information in the following steps:
Step one: acquire the attacked type and the attacked time from the attacked information;
Step two: mark each attacked type as Bij, i = 1...5, j = 1...n, where Bij denotes the j-th attack, of virus type i; mark the corresponding attacked time as Tj, j = 1...n, so that Bij and Tj correspond one to one;
Step three: acquire the latest attacked time Tn and summarize the attacked types Bij according to the attacked time Tn, the summarizing method being as follows:
S1: obtain the corresponding Tn-1 by replacing n with n-1, and obtain the time interval value G1 between Tn and Tn-1;
S2: obtain Tn-1;
S3: take n-1 as n and repeat step S1 to obtain the time interval value G2 between Tn-1 and Tn-2;
S4: repeat step S3 until all time interval values Gi, i = 1...n-1, are obtained;
S5: acquire Gi;
S6: let i = 1 and acquire the corresponding G1;
S7: let i = i + 1 and acquire the corresponding G2;
S8: average the selected Gi and denote the average as P; here P is the average of G1 and G2;
S9: obtain the associated value Qg of the selected Gi according to the formula
Figure GDA0003221611630000071
when Qg is less than or equal to X1, G2 is associated with G1, and the corresponding attacked times Tn, Tn-1 and Tn-2 are classified as a same-frequency attack;
S10: let i = i + 1 to obtain the corresponding G3, and judge whether the Tn-3 corresponding to G3 satisfies the condition of steps S8-S9, i.e. whether Tn-3 belongs to the same-frequency attack; specifically, G3 is added into the formulas of S8-S9 for the calculation;
S11: acquire the attacked types corresponding to the attacked times of all same-frequency attacks and mark them as the same-frequency attacked types Hij, i = 1...5, j = 1...m; acquire the interval between the earliest and the latest attacked time among the same-frequency attacks and mark it as the accommodation time; acquire the total number of attacked types within the accommodation time and mark it as the accommodation number;
S12: mark the attacked type suffering the most attacks within the accommodation time as the current hot attack type;
S13: calculate the accommodation level according to the formula accommodation level = accommodation number / accommodation time; when the accommodation level is greater than X2, a high-risk time interval has arrived and a high-risk signal is generated; otherwise, a common signal is generated;
the data induction unit transmits the accommodation time, the same-frequency attacked types Hij, the high-risk signals and the common signals to the data fusion unit;
the reaction monitoring unit monitors the troubling time of each attacked type, where the troubling time is the time from the occurrence of an abnormality after an attack until the abnormality is restored; the reaction monitoring unit marks the troubling time of the same-frequency attacked type Hij as the same-frequency troubling time Kij and transmits Kij to the data fusion unit; the data fusion unit performs fusion processing on the same-frequency troubling time Kij and the same-frequency attacked type Hij in the following steps:
S100: calibrate the difference score Cij of Hij according to the same-frequency troubling time Kij, specifically:
when Kij = 0, mark the corresponding difference score Cij as 1;
when 0 < Kij ≤ X3, mark the corresponding difference score Cij as 1.5;
when Kij > X3, mark the corresponding difference score Cij as 2.5;
S200: assign the value 1 to each counted same-frequency attacked type Hij;
S300: according to the formula
Figure GDA0003221611630000081
calculate the harm values Vi corresponding to the five virus types, i = 1...5;
S400: sum the Vi to obtain the sum of the harm values;
S500: mark the virus type with the minimum Vi value as the inertial virus type;
the data fusion unit transmits the accommodation time, the inertial virus type and the sum of the harm values to the processor; the processor transmits the sum of the harm values to the opinion generating unit, and the opinion generating unit performs opinion analysis on the sum of the harm values in the following steps:
SS1: obtain the sum of the harm values;
SS2: when the sum of the harm values is less than or equal to X4, automatically generate a common harm value signal;
SS3: when X4 < sum of the harm values < X5, automatically generate a medium harm value signal;
SS4: when the sum of the harm values is greater than or equal to X5, automatically generate a high harm value signal;
when the opinion generating unit produces the common harm value signal it returns that signal to the processor, and the processor, on receiving it, automatically drives the display unit to display 'accommodation time + general harm degree';
when the processor receives the medium harm value signal returned by the opinion generating unit, it automatically drives the display unit to display 'accommodation time + higher harm degree, please pay attention';
when the opinion generating unit produces the high harm value signal it returns that signal to the processor, and the processor, on receiving it, automatically drives the display unit to display 'accommodation time + extremely high harm degree, please react immediately';
the processor further transmits the inertial virus type to the display unit when it receives the inertial virus type from the data fusion unit, and the display unit displays in real time the current virus type, the inertial virus type and the high-frequency virus, so that the user can pay attention to protection against that type.
When the data fusion unit receives the high-risk signal from the data induction unit it transmits that signal to the processor, and the processor, on receiving it, drives the display unit to display 'virus attacks are currently frequent, please note';
when the data fusion unit receives the common signal from the data induction unit it transmits that signal to the processor, and the processor, on receiving it, drives the display unit to display 'a virus attack currently exists, please note'.
When the industrial control protocol characteristic attack filtering and analyzing system operates, the attack monitoring end first picks up the attacks suffered and classifies them according to the existing technical rules; the attacks are associated according to related factors, and the attacks within a period of time are grouped into same-frequency attacks; the data induction unit then processes the related data to obtain the key influencing factors, namely the same-frequency attacked types, the high-risk signals and the common signals; the reaction monitoring unit then picks up the influence caused by each attack and its related data, which are combined with the data summarized by the data induction unit for comprehensive analysis to obtain the accommodation time, the inertial virus type and the sum of the harm values; different warnings are issued according to these results to remind the user of the specific attacked condition and of the stability of the current industrial control network; the invention is simple, effective and easy to use.
The foregoing is merely exemplary and illustrative of the present invention and various modifications, additions and substitutions may be made by those skilled in the art to the specific embodiments described without departing from the scope of the invention as defined in the following claims.

Claims (6)

1. An industrial control protocol characteristic attack filtering and analyzing system, characterized by comprising an industrial control network, an attack monitoring end, a data induction unit, a data fusion unit, a reaction monitoring unit, a processor, a display unit, a database, an opinion generating unit and an input unit;
the attack monitoring end monitors the industrial control network and automatically acquires the attacked information of the industrial control network, where the attacked information comprises an attacked type and an attacked time; the attacked type is the type of virus involved in the attack, and the virus types are classified into five categories according to the existing virus classification method, namely worm virus, Trojan horse virus, system virus, script virus and other types; these types are marked as Bi, i = 1...5, in that order; the attack monitoring end transmits the attacked information to the data induction unit, and the data induction unit performs attack analysis on the attacked information in the following steps:
Step one: acquire the attacked type and the attacked time from the attacked information;
Step two: mark each attacked type as Bij, i = 1...5, j = 1...n, where Bij denotes the j-th attack, of virus type i; mark the corresponding attacked time as Tj, j = 1...n, so that Bij and Tj correspond one to one;
Step three: acquire the latest attacked time Tn and summarize the attacked types Bij according to the attacked time Tn, the summarizing method being as follows:
S1: obtain the corresponding Tn-1 by replacing n with n-1, and obtain the time interval value G1 between Tn and Tn-1;
S2: obtain Tn-1;
S3: take n-1 as n and repeat step S1 to obtain the time interval value G2 between Tn-1 and Tn-2;
S4: repeat step S3 until all time interval values Gi, i = 1...n-1, are obtained;
S5: acquire Gi;
S6: let i = 1 and acquire the corresponding G1;
S7: let i = i + 1 and acquire the corresponding G2;
S8: average the selected Gi and denote the average as P; here P is the average of G1 and G2;
S9: obtain the associated value Qg of the selected Gi according to the formula
Figure FDA0003221611620000021
when Qg is less than or equal to X1, G2 is associated with G1, and the corresponding attacked times Tn, Tn-1 and Tn-2 are classified as a same-frequency attack;
S10: let i = i + 1 to obtain the corresponding G3, and judge whether the Tn-3 corresponding to G3 satisfies the condition of steps S8-S9, i.e. whether Tn-3 belongs to the same-frequency attack; specifically, G3 is added into the formulas of S8-S9 for the calculation;
S11: acquire the attacked types corresponding to the attacked times of all same-frequency attacks and mark them as the same-frequency attacked types Hij, i = 1...5, j = 1...m; acquire the interval between the earliest and the latest attacked time among the same-frequency attacks and mark it as the accommodation time; acquire the total number of attacked types within the accommodation time and mark it as the accommodation number;
S12: mark the attacked type suffering the most attacks within the accommodation time as the current hot attack type;
S13: calculate the accommodation level according to the formula accommodation level = accommodation number / accommodation time; when the accommodation level is greater than X2, a high-risk time interval has arrived and a high-risk signal is generated; otherwise, a common signal is generated;
the data induction unit transmits the accommodation time, the same-frequency attacked types Hij, the high-risk signals and the common signals to the data fusion unit;
the reaction monitoring unit monitors the troubling time of each attacked type, where the troubling time is the time from the occurrence of an abnormality after an attack until the abnormality is restored; the reaction monitoring unit marks the troubling time of the same-frequency attacked type Hij as the same-frequency troubling time Kij and transmits Kij to the data fusion unit; the data fusion unit performs fusion processing on the same-frequency troubling time Kij and the same-frequency attacked type Hij to obtain the inertial virus type and the sum of the harm values, the fusion processing comprising the following steps:
S100: calibrate the difference score Cij of Hij according to the same-frequency troubling time Kij, specifically:
when Kij = 0, mark the corresponding difference score Cij as 1;
when 0 < Kij ≤ X3, mark the corresponding difference score Cij as 1.5;
when Kij > X3, mark the corresponding difference score Cij as 2.5;
S200: assign the value 1 to each counted same-frequency attacked type Hij;
S300: according to the formula
Figure FDA0003221611620000031
Calculating to obtain harmful values Vi, i corresponding to the five types of viruses=1...5;
S400: summing the Vi to obtain the sum of harm values;
S500: marking the virus type whose Vi is the minimum as the inertial virus type;
the data fusion unit is used for transmitting the accommodation time, the inertial virus type and the sum of harm values to the processor;
the processor is further used for transmitting the inertial virus type to the display unit upon receiving it from the data fusion unit, and the display unit receives the inertial virus type transmitted by the processor and displays the current virus type, the inertial virus type and the high-frequency virus in real time, so that the user can focus protection on that type.
2. The system of claim 1, wherein the processor is configured to transmit the sum of harm values to an opinion generation unit; the opinion generation unit is used for performing opinion analysis on the sum of harm values, the analysis comprising the following steps:
SS1: obtaining the sum of harm values;
SS2: when the sum of harm values is less than or equal to X4, automatically generating a common harm value signal;
SS3: when X4 < sum of harm values < X5, automatically generating a medium harm value signal;
SS4: when the sum of harm values is greater than or equal to X5, automatically generating a high harm value signal;
when the opinion generation unit produces the common harm value signal, it returns the signal to the processor, and the processor, upon receiving the common harm value signal returned by the opinion generation unit, automatically drives the display unit to display "accommodation time + common harm degree".
3. The system of claim 2, wherein when the opinion generation unit produces the medium harm value signal, it returns the signal to the processor, and the processor, upon receiving the medium harm value signal returned by the opinion generation unit, automatically drives the display unit to display "accommodation time + harm degree is relatively high, please pay attention".
4. The system of claim 2, wherein when the opinion generation unit produces the high harm value signal, it returns the signal to the processor, and the processor, upon receiving the high harm value signal returned by the opinion generation unit, automatically drives the display unit to display "accommodation time + harm degree is extremely high, please react immediately".
5. The industrial control protocol characteristic attack filtering and analyzing system of claim 1, wherein the data fusion unit, upon receiving the high-risk signal transmitted by the data summarization unit, transmits the high-risk signal to the processor, and the processor is configured to drive the display unit to display "frequent attack of current virus, please note" upon receiving the high-risk signal transmitted by the data fusion unit.
6. The industrial control protocol characteristic attack filtering and analyzing system of claim 1, wherein the data fusion unit, upon receiving the common signal transmitted by the data summarization unit, transmits the common signal to the processor, and the processor is configured to drive the display unit to display "virus attack exists currently, please note" upon receiving the common signal transmitted by the data fusion unit.
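The scoring pipeline of claims 1 to 6 (receiving level in S13, difference-score banding in S100, per-type harm values and the inertial type in S200 to S500, harm-sum classification in SS1 to SS4, and the display messages of claims 2 to 6), re-expressed as an added Python example. This is editorial code, not the patent's implementation. The threshold values X2 to X5, the constructed attack events and the per-type aggregation used for S300 are assumptions: the claims name the thresholds without giving values, and the S300 formula survives on the page only as an image, so the aggregation is an injectable stand-in and the reader should substitute the patent's own formula.

```python
"""Claims 1-6 of CN110798484B as runnable code (editorial example, not the patent's own).

Assumed, because the page does not give them: the values of X2..X5, the sample
events, and the Vi aggregation (the S300 formula is only an image on the page).
"""
from dataclasses import dataclass
from typing import Optional

# Thresholds X2..X5 are named but not valued in the claims; these values are assumed.
X2 = 0.5    # receiving level (attacks per second) above which the interval is high-risk
X3 = 30.0   # upper edge of the middle disturbance-time band, in seconds
X4 = 6.0    # sum of harm values at or below which the harm degree is "common"
X5 = 10.0   # sum of harm values at or above which the harm degree is "high"
VIRUS_TYPES = range(1, 6)  # the claims score exactly five attack types, i = 1..5


@dataclass(frozen=True)
class AttackEvent:
    ts: float                              # when the attack was received
    vtype: int                             # attack/virus type i in 1..5
    anomaly_start: Optional[float] = None  # None: the attack caused no anomaly
    anomaly_end: Optional[float] = None    # when the anomaly was restored

    def disturbance_time(self) -> float:
        """Kij: time from anomaly onset to restoration; 0 when nothing went wrong."""
        if self.anomaly_start is None or self.anomaly_end is None:
            return 0.0
        if self.anomaly_end < self.anomaly_start:
            raise ValueError("anomaly restored before it started")
        return self.anomaly_end - self.anomaly_start


def receiving_level(events, start, end, x2=X2):
    """S13: receiving level = receiving number / receiving time over [start, end)."""
    if end <= start:
        raise ValueError("window must have positive length")
    level = sum(1 for e in events if start <= e.ts < end) / (end - start)
    return level, ("high-risk" if level > x2 else "common")


def difference_score(kij, x3=X3):
    """S100: band the disturbance time Kij into the difference score Cij."""
    if kij < 0:
        raise ValueError("disturbance time cannot be negative")
    if kij == 0:
        return 1.0
    return 1.5 if kij <= x3 else 2.5


def assumed_harm_formula(pairs):
    """Stand-in for S300 (the patent's formula is not reproduced on the page):
    Vi = sum over j of Hij * Cij. Replace with the real formula when known."""
    return sum(h * c for h, c in pairs)


def fuse(events, harm_formula=assumed_harm_formula):
    """S100-S500: per-type harm values Vi, their sum, and the inertial (minimum-Vi) type."""
    per_type = {i: [] for i in VIRUS_TYPES}
    for e in events:
        if e.vtype not in per_type:
            raise ValueError(f"unknown virus type {e.vtype}")
        hij = 1                                       # S200: each counted attack has Hij = 1
        cij = difference_score(e.disturbance_time())  # S100
        per_type[e.vtype].append((hij, cij))
    harm = {i: harm_formula(per_type[i]) for i in VIRUS_TYPES}  # S300 (assumed aggregation)
    total = sum(harm.values())                                  # S400
    inertial = min(VIRUS_TYPES, key=lambda i: harm[i])          # S500 (ties: lowest index)
    return harm, total, inertial


def harm_signal(total, x4=X4, x5=X5):
    """SS2-SS4: classify the sum of harm values."""
    if total <= x4:
        return "common"
    return "medium" if total < x5 else "high"


def display_lines(accommodation_time, interval_signal, signal):
    """Messages the processor drives to the display unit (claims 2-6)."""
    interval_msg = {"high-risk": "frequent attack of current virus, please note",   # claim 5
                    "common": "virus attack exists currently, please note"}[interval_signal]  # claim 6
    harm_msg = {"common": "common harm degree",                                    # claim 2
                "medium": "harm degree is relatively high, please pay attention",  # claim 3
                "high": "harm degree is extremely high, please react immediately"}[signal]  # claim 4
    return [interval_msg, f"{accommodation_time} + {harm_msg}"]


def analyze(events, window, accommodation_time):
    """Run the whole pipeline for one receiving window; accommodation_time is taken as given."""
    level, interval_signal = receiving_level(events, *window)
    harm, total, inertial = fuse(events)
    signal = harm_signal(total)
    return {"receiving_level": level, "interval_signal": interval_signal,
            "harm_values": harm, "harm_sum": total, "inertial_type": inertial,
            "harm_signal": signal,
            "display": display_lines(accommodation_time, interval_signal, signal)}


# Constructed sample: eight attacks received in a ten-second window (not real traffic).
SAMPLE_EVENTS = [
    AttackEvent(1.0, 1), AttackEvent(2.0, 1), AttackEvent(3.0, 1),     # type 1: no anomaly, Kij = 0
    AttackEvent(2.5, 2, 12.0, 22.0), AttackEvent(3.5, 2, 13.0, 58.0),  # type 2: Kij = 10 s and 45 s
    AttackEvent(4.0, 3, 5.0, 10.0),                                    # type 3: Kij = 5 s
    AttackEvent(6.0, 4),                                               # type 4: no anomaly
    AttackEvent(8.0, 5, 9.0, 69.0),                                    # type 5: Kij = 60 s
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS, (0.0, 10.0), "12:00-12:10").items():
        print(f"{key}: {value}")
```

With the assumed thresholds, the sample window yields a receiving level of 0.8 attacks per second (high-risk), harm values {1: 3.0, 2: 4.0, 3: 1.5, 4: 1.0, 5: 2.5}, a sum of 12.0 (high harm value signal) and type 4 as the inertial type; the band edges in S100 and SS2 to SS4 are inclusive exactly as the claims state them, which is worth checking against any reimplementation.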
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911103368.XA CN110798484B (en) 2019-11-13 2019-11-13 Industrial control protocol characteristic attack filtering and analyzing system

Publications (2)

Publication Number Publication Date
CN110798484A CN110798484A (en) 2020-02-14
CN110798484B true CN110798484B (en) 2021-10-01

Family

ID=69444233

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911103368.XA Active CN110798484B (en) 2019-11-13 2019-11-13 Industrial control protocol characteristic attack filtering and analyzing system

Country Status (1)

Country Link
CN (1) CN110798484B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115102738B (en) * 2022-06-15 2023-02-10 珠海市鸿瑞信息技术股份有限公司 Equipment base station health situation perception system and method based on network attack trend

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532949A (en) * 2013-10-14 2014-01-22 刘胜利 Self-adaptive trojan communication behavior detection method on basis of dynamic feedback
CN108055228A (en) * 2017-10-09 2018-05-18 全球能源互联网研究院有限公司 A kind of intelligent grid intruding detection system and method
CN108520187A (en) * 2018-04-20 2018-09-11 西安交通大学 Industrial control system physics Network Intrusion detection method based on the analysis of serial communication bus signal
CN110032869A (en) * 2019-04-19 2019-07-19 湖南科技学院 A kind of cloud computing protection early warning system based on big data

Similar Documents

Publication Publication Date Title
WO2019136955A1 (en) Network anomaly detection method, apparatus and device based on portrait technology, and medium
CN111680906B (en) Industrial control system safety detection and early warning oriented system construction method and device
EP3691189B1 (en) Method, apparatus and computer program for predicting fault of optical module
CN110716476B (en) Industrial control system network security situation perception system based on artificial intelligence
CN111193728B (en) Network security evaluation method, device, equipment and storage medium
CN110430226B (en) Network attack detection method and device, computer equipment and storage medium
CN110798484B (en) Industrial control protocol characteristic attack filtering and analyzing system
CN106790062B (en) Anomaly detection method and system based on reverse DNS query attribute aggregation
CN109784668B (en) Sample feature dimension reduction processing method for detecting abnormal behaviors of power monitoring system
EP3534232B1 (en) A safety monitoring method and apparatus for an industrial control system
CN111131247B (en) Vehicle-mounted internal network intrusion detection system
CN109802973A (en) Method and apparatus for detection flows
CN111786986B (en) Numerical control system network intrusion prevention system and method
CN114628016A (en) Laparoscope surgical instrument operation fault prediction system based on big data
CN116127456A (en) Virus intrusion detection system and method based on network security situation awareness
CN113676498B (en) Prediction machine management system for accessing third-party information based on distributed network technology
CN103366119B (en) The monitoring method and device of virus trend anomaly
CN111654405B (en) Method, device, equipment and storage medium for fault node of communication link
CN116319014A (en) Cloud-based multi-service abnormal behavior detection method and device
CN115694846B (en) Security detection system and method based on industrial protocol
CN114866350B (en) SDN data plane low-rate attack detection method and system
CN115774159A (en) Fault detection system for power unit of high-voltage frequency converter
CN109474593A (en) A method of identifying periodic C&C call-back behavior
CN109803301B (en) Offline identification management system for wireless network
KR102037192B1 (en) Device and method for continuous signal traffic detection of network traffic through hierarchical structure learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant