CN110868408A - Industrial control equipment safety detection method and system based on industrial protocol analysis - Google Patents


Info

Publication number
CN110868408A
Authority
CN
China
Prior art keywords
industrial control
industrial
network data
control network
characteristic information
Prior art date
Legal status
Pending
Application number
CN201911079311.0A
Other languages
Chinese (zh)
Inventor
王二柱
付立明
彭卓
Current Assignee
Guangzhou Anga Interconnection Technology Co Ltd
Original Assignee
Guangzhou Anga Interconnection Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Guangzhou Anga Interconnection Technology Co Ltd
Priority to CN201911079311.0A
Publication of CN110868408A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/26 Special purpose or proprietary protocols or architectures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a safety detection method and a system of industrial control equipment based on industrial protocol analysis, wherein the safety detection method of the industrial control equipment comprises the following steps: writing the monitored first characteristic information of the industrial control network data into a corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes, wherein the protocol ID configuration file corresponds to the industrial protocol analysis classes; determining the industrial protocol analysis class to which each industrial control network data monitored subsequently belongs according to the protocol ID configuration file written in the first characteristic information; judging whether the industrial control network data comprises safety threat characteristic information or not according to the industrial protocol analysis class; and if the industrial control network data comprises the safety threat characteristic information, carrying out safety early warning on the industrial control network data. The technical scheme of the invention can solve the problems of low reaction speed and inaccurate identification of the safety detection of the industrial control equipment in the prior art.

Description

Industrial control equipment safety detection method and system based on industrial protocol analysis
Technical Field
The invention relates to the technical field of industrial control, in particular to a safety detection method and a safety detection system for industrial control equipment based on industrial protocol analysis.
Background
The industrial control network is a network for realizing interconnection and intercommunication among industrial equipment in an industrial control system, and can access a large amount of industrial equipment to the internet so as to perform real-time presentation of production state and issue related tasks, further tightly connect the industrial equipment, industrial production lines, employees, factories, warehouses, suppliers, products and customers, and share various element resources of the whole process of industrial production.
Industrial control networks require various network protocols to achieve interconnection and interworking of various industrial devices. However, as the development of industrial control systems is more and more rapid, protocols in industrial control networks are more and more diversified; the diversification of protocols inevitably causes the increase of information data volume and information interaction modes in the industrial control network. Therefore, in order to ensure the safety of the industrial control system, how to quickly detect the safety condition of the equipment in the industrial control network becomes more and more important.
Industrial control network security technology is in a development stage, technology applications of all aspects of the industrial control network security technology are not mature enough, a mature application scheme is not provided for security detection of industrial equipment, and especially for analysis of industrial control protocols, the existing mainstream industrial control protocol analysis technology is deficient to a certain extent. Moreover, with the continuous complication of industrial control systems and the appearance of a large number of new protocols, the industrial protocol analysis technologies have the problems of low accuracy, slow analysis speed and the like, and further have the problems of slow reaction speed, inaccurate identification and the like when the safety condition of industrial control equipment is detected.
Disclosure of Invention
The invention provides a safety detection method and a safety detection system for industrial control equipment based on industrial protocol analysis, and aims to solve the problems of low reaction speed and inaccurate identification in the safety detection of the industrial control equipment in the prior art.
In order to achieve the above object, according to a first aspect of the present invention, the present invention provides a method for detecting safety of an industrial control device based on industrial protocol analysis, including:
writing the monitored first characteristic information of the industrial control network data into a corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes, wherein the protocol ID configuration file corresponds to the industrial protocol analysis classes;
determining the industrial protocol analysis class to which each industrial control network data monitored subsequently belongs according to the protocol ID configuration file written in the first characteristic information;
judging whether the industrial control network data comprises safety threat characteristic information or not according to the industrial protocol analysis class;
and if the industrial control network data comprises the safety threat characteristic information, carrying out safety early warning on the industrial control network data.
Preferably, in the method for detecting safety of industrial control equipment, the step of writing the monitored first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes includes:
loading a plurality of preset industrial protocol analysis classes, wherein the industrial protocol analysis classes comprise second characteristic information;
monitoring industrial control network data, and extracting second characteristic information in the industrial control network data;
matching second characteristic information in the industrial control network with second characteristic information in the industrial protocol analysis class;
and writing the first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to the matching result of the second characteristic information.
Preferably, in the method for detecting safety of industrial control equipment, the step of writing the first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to the matching result of the second characteristic information includes: and if the second characteristic information of the industrial control network data is not matched with the second characteristic information in any industrial protocol analysis class, writing the first characteristic information of the industrial control network data into the non-protocol ID configuration file.
Preferably, in the safety detection method for industrial control equipment, the step of determining the industrial protocol analysis class to which each piece of subsequently monitored industrial control network data belongs according to the protocol ID configuration file written with the first feature information includes:
loading a protocol ID configuration file written with the first characteristic information;
matching each subsequently monitored industrial control network data with a protocol ID configuration file by using the first characteristic information;
and determining the industrial protocol analysis class to which each industrial control network data belongs according to the matching relation between each industrial control network data and the protocol ID configuration file and the corresponding relation between the protocol ID configuration file and the industrial protocol analysis class.
Preferably, in the method for detecting the safety of the industrial control device, the step of determining whether the industrial control network data includes the safety threat characteristic information according to the industrial protocol analysis class includes:
extracting a function code of industrial control network data;
matching the function code of the industrial control network data with the function code of the protocol analysis class to which the industrial control network data belongs;
and searching and judging safety threat characteristic information contained in the industrial control network data according to the matching result of the function codes.
According to a second aspect provided by the technical solution of the present invention, the present invention further provides an industrial control device security detection system based on industrial protocol analysis, including:
the characteristic writing module is used for writing the monitored first characteristic information of the industrial control network data into a corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes, wherein the protocol ID configuration file corresponds to the industrial protocol analysis classes;
the category determining module is used for determining the industrial protocol analysis category to which each piece of industrial control network data monitored subsequently belongs according to the protocol ID configuration file written in the first characteristic information by the characteristic writing module;
the information judgment module is used for judging whether the industrial control network data comprises safety threat characteristic information or not according to the industrial protocol analysis class determined by the class determination module;
and the safety early warning module is used for carrying out safety early warning on the industrial control network data if the information judgment module judges that the industrial control network data comprises the safety threat characteristic information.
Preferably, in the safety detection system for industrial control equipment, the feature writing module includes:
the category loading submodule is used for loading a plurality of preset industrial protocol analysis categories, wherein the industrial protocol analysis categories comprise second characteristic information;
the characteristic extraction submodule is used for monitoring the industrial control network data and extracting second characteristic information in the industrial control network data;
the characteristic matching submodule is used for matching second characteristic information in the industrial control network with second characteristic information in the industrial protocol analysis class;
and the file writing sub-module is used for writing the first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to the matching result of the second characteristic information.
Preferably, in the safety detection system for industrial control equipment, the file writing sub-module is further configured to write the first feature information of the industrial control network data into the non-protocol ID configuration file if the feature matching sub-module determines that the second feature information of the industrial control network data does not match the second feature information in any industrial protocol analysis class.
Preferably, in the safety detection system for industrial control equipment, the category determining module includes:
the file loading submodule is used for loading the protocol ID configuration file written with the first characteristic information;
the data matching submodule is used for matching each subsequently monitored industrial control network data with the protocol ID configuration file by using the first characteristic information;
and the type determining submodule is used for determining the industrial protocol analysis class to which each industrial control network data belongs according to the matching relation between each industrial control network data and the protocol ID configuration file and the corresponding relation between the protocol ID configuration file and the industrial protocol analysis class.
Preferably, in the safety detection system for industrial control equipment, the information determination module includes:
the function code extraction submodule is used for extracting the function code of the industrial control network data;
the function code matching submodule is used for matching the function code of the industrial control network data and the function code of the protocol analysis class to which the industrial control network data belongs;
the threat characteristic information searching submodule is used for searching the safety threat characteristic information contained in the industrial control network data according to the matching result of the function codes;
and the threat characteristic information judgment submodule is used for judging the safety threat characteristic information contained in the industrial control network data according to the matching result of the function codes.
According to the industrial control equipment safety detection scheme based on industrial protocol analysis, a plurality of industrial protocol analysis classes are preset, then a thread for monitoring industrial control network data is started, and first characteristic information is obtained; the first characteristic information is written into the corresponding protocol ID configuration file according to the plurality of industrial protocol analysis classes, so that the protocol ID configuration file corresponding to each industrial protocol analysis class holds the first characteristic information. The industrial protocol analysis class to which each subsequently monitored industrial control network data belongs is then determined according to the first characteristic information contained in the protocol ID configuration file. Through that industrial protocol analysis class, whether the industrial control network data comprises safety threat characteristic information can be judged, so that safety early warning is carried out on the industrial control network data. Because the protocol ID configuration file is established once and then used to classify industrial control network data directly, the analysis speed is accelerated. The scheme thereby addresses the slow reaction speed and insufficiently accurate identification of industrial control equipment safety detection in the prior art.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the structures shown in the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a first method for detecting safety of industrial control equipment according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a method for writing feature information according to the embodiment shown in FIG. 1;
FIG. 3 is a schematic flow chart diagram illustrating a method for determining an industrial protocol analysis class according to the embodiment of FIG. 1;
FIG. 4 is a schematic flow chart illustrating a method for determining security threat characteristic information according to the embodiment shown in FIG. 1;
FIG. 5 is a schematic flow chart of a second method for detecting safety of industrial control equipment according to an embodiment of the present invention;
FIG. 6 is a schematic flow chart of a third method for detecting safety of industrial control equipment according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a first safety detection system for industrial control equipment according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a feature writing module provided in the embodiment shown in FIG. 7;
FIG. 9 is a block diagram of a category determination module provided in the embodiment shown in FIG. 7;
FIG. 10 is a schematic structural diagram of an information determining module according to the embodiment shown in FIG. 7.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1, FIG. 1 is a schematic flow chart of an industrial control device security detection method based on industrial protocol analysis according to an embodiment of the present invention. As shown in FIG. 1, the safety detection method for industrial control equipment includes the following steps:
S110: writing the monitored first characteristic information of the industrial control network data into a corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes, wherein the protocol ID configuration file corresponds to the industrial protocol analysis classes.
Firstly, a plurality of industrial protocol analysis classes are required to be preset, then all the industrial protocol analysis classes are loaded, and a thread for monitoring industrial control network data is started. And after the thread is started, extracting the monitored characteristic information of the industrial control network data, matching the characteristic information with the characteristic information in the industrial protocol analysis class, and writing the first characteristic information of the industrial control network data into a corresponding protocol ID configuration file after the matching is successful. The first characteristic information comprises a port number, an IP address and the like of industrial control network data.
Specifically, as shown in FIG. 2, the step of writing the monitored first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to the preset multiple industrial protocol analysis classes includes:
S111: loading a plurality of preset industrial protocol analysis classes, wherein the industrial protocol analysis classes comprise second characteristic information, and the second characteristic information comprises port numbers and protocol names.
S112: and monitoring the industrial control network data, and extracting second characteristic information in the industrial control network data.
S113: and matching the second characteristic information in the industrial control network with the second characteristic information in the industrial protocol analysis class.
S114: and writing the first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to the matching result of the second characteristic information.
In step S114, if the second characteristic information of the industrial control network data does not match the second characteristic information in any industrial protocol analysis class, the first characteristic information of the industrial control network data is written into the non-protocol ID configuration file.
Specifically, a plurality of industrial protocol analysis classes are preset, then all of them are loaded by the main program and a thread for monitoring industrial control network data is started. After the thread is started, a wincap thread monitors the industrial control network data packets in the industrial control network to collect industrial control network data, and another thread is asynchronously notified to call the corresponding data analysis function, which analyzes the second characteristic information of the industrial control network data; the second characteristic information comprises the port number, the protocol name and the like of the industrial control network data. Through the probe network port, the port number of each industrial control network data stream is matched with the default port numbers in the existing industrial protocol analysis classes. For example: if the port number of the industrial control network data is 102 and the default port number of the Siemens S7 industrial protocol is 102, the industrial control network data is matched with Siemens S7. If the industrial control network data matches the default port number of an industrial protocol analysis class, the protocol name of the industrial control network data is matched with the protocol name of that class in the next step; when both the default port number and the protocol name match, the first characteristic information of the industrial control network data (comprising the IP address and the port number) is written into the corresponding protocol ID configuration file.
If the industrial control network data matches the default port number of an industrial protocol analysis class but its protocol name does not match that class, the industrial control network data is matched directly against the protocol name of the next protocol analysis class, and so on until the matching succeeds. After matching succeeds, the first characteristic information of the industrial control network data, such as the IP address and the port number, is tagged with the corresponding label and written into the corresponding protocol ID configuration file. Finally, the whole process stops when an external end trigger is received; until then, the thread asynchronously notifies the analysis of the next piece of data.
In summary, by writing the first characteristic information of the industrial control network data into the corresponding protocol ID configuration file, the protocol ID configuration file has the first characteristic information, and the protocol ID configuration file corresponds to the industrial protocol analysis class, and the first characteristic information of the industrial control network data is correspondingly extracted according to the industrial protocol analysis class, so that the industrial protocol analysis class corresponding to the subsequent industrial control network data can be quickly and accurately determined by the first characteristic information in the protocol ID configuration file.
In addition, after step S110, as shown in FIG. 1, the method further includes:
S120: determining the industrial protocol analysis class to which each industrial control network data monitored subsequently belongs according to the protocol ID configuration file written in the first characteristic information.
Because the first characteristic information has been written into the protocol ID configuration file, and each subsequently monitored industrial control network data also carries first characteristic information, the protocol ID configuration file corresponding to each industrial control network data can be determined by matching the first characteristic information. Since the protocol ID configuration file corresponds to an industrial protocol analysis class, the industrial protocol analysis class to which each subsequently monitored industrial control network data belongs follows from that correspondence.
Specifically, as shown in FIG. 3, step S120 (determining the industrial protocol analysis class to which each subsequently monitored industrial control network data belongs according to the protocol ID configuration file written with the first characteristic information) comprises:
S121: loading the protocol ID configuration file written with the first characteristic information. When the protocol ID configuration file is loaded, the corresponding information such as the port numbers and IP addresses is loaded with it.
S122: and matching each subsequently monitored industrial control network data with the protocol ID configuration file by using the first characteristic information.
Because the protocol ID configuration file is written with the first characteristic information, industrial control network data can be matched with the protocol ID configuration file according to the first characteristic information, and further the industrial protocol analysis class corresponding to each industrial control network data is determined according to the corresponding relation between the protocol ID configuration file and the industrial protocol analysis class.
S123: and determining the industrial protocol analysis class to which each industrial control network data belongs according to the matching relation between each industrial control network data and the protocol ID configuration file and the corresponding relation between the protocol ID configuration file and the industrial protocol analysis class.
Specifically, on the basis of the established protocol ID configuration file, the related program can quickly identify the industrial control network data stream in the industrial control network and determine the safety condition of the industrial control device. After all the industrial protocol analysis classes are loaded, a thread for monitoring industrial control network data is started; another thread asynchronously notifies the data analysis function to analyze the first characteristic information of the industrial control network data, wherein the first characteristic information comprises the IP address and the port number.
The probe network port matches the IP address and the port number of the industrial control network data against the IP address and the port number in the protocol ID configuration file, respectively. This establishes the correspondence between the industrial control network data and the protocol ID configuration file; the industrial protocol analysis class to which the industrial control network data belongs is then determined from the correspondence between the protocol ID configuration file and the industrial protocol analysis class, and the corresponding feature extraction is carried out through that industrial protocol analysis class. In this way, industrial control network data and industrial protocol analysis classes can be matched accurately.
S130: and judging whether the industrial control network data comprises safety threat characteristic information or not according to the industrial protocol analysis class.
Specifically, as shown in FIG. 4, step S130 (judging whether the industrial control network data comprises safety threat characteristic information according to the industrial protocol analysis class) comprises:
S131: extracting the function code of the industrial control network data.
S132: and matching the function code of the industrial control network data with the function code of the protocol analysis class to which the industrial control network data belongs.
S133: and searching and judging safety threat characteristic information contained in the industrial control network data according to the matching result of the function codes.
After the first characteristic information of the industrial control network data has been successfully matched with the protocol ID configuration file of an industrial protocol analysis class, the corresponding characteristic extraction is carried out on the industrial control network data through the industrial protocol analysis tool in that class. Specifically, the function codes of the industrial control network data are matched with the function codes of the protocol analysis class, and the function and content of each function code in the industrial control network data are then compared; through the function and the content, it is judged whether the industrial control network data has characteristics that affect the safe production of the equipment, such as writing data, restarting the equipment, modifying the parameters of the equipment and the like.
By matching the function codes, whether the industrial control network data contain safety threat characteristic information or not can be quickly searched and judged.
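As an added example, not code from the patent, the following Python carries steps S131 to S133 through for one concrete industrial protocol, Modbus/TCP: the function code is extracted from the byte after the MBAP header, matched against the protocol class's function-code table, and the frame is flagged when the code writes data (the write coil/register codes), restarts or silences the device (Diagnostics sub-functions 0x0001 and 0x0004), or does not appear in the table at all. The function-code names follow the public Modbus numbering; which codes count as "affecting safe production", the names `parse_modbus_tcp` and `judge_threat`, and the sample frames are this example's own assumptions and constructions.

```python
"""Function-code extraction and matching for Modbus/TCP (steps S131-S133).

Added example, not code from the patent.  Function-code names are the
public Modbus application-protocol numbering; the choice of which codes
"affect safe production" is this example's assumption, and the frames
below are constructed, not captured."""
import struct

# Public Modbus function codes (subset) - the protocol class's table.
MODBUS_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x08: "Diagnostics",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
# Assumed threat table: codes that write data into the device.
WRITE_CODES = frozenset({0x05, 0x06, 0x0F, 0x10, 0x17})
# Diagnostics (0x08) sub-functions that restart or silence the device.
DIAG_RESTART_COMMS = 0x0001
DIAG_FORCE_LISTEN_ONLY = 0x0004


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code that follows it.

    Raises ValueError when the frame is not well-formed Modbus/TCP, so a
    caller can tell 'not this protocol' from 'benign request'."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("MBAP protocol identifier must be 0")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match the frame length")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": payload[7], "data": payload[8:]}


def judge_threat(payload: bytes) -> dict:
    """S131: extract the function code; S132: match it against the class's
    table; S133: decide whether the frame carries safety-threat
    characteristic information, and record why."""
    frame = parse_modbus_tcp(payload)
    fc = frame["function_code"]
    verdict = {"function_code": fc, "name": MODBUS_FUNCTIONS.get(fc),
               "unit_id": frame["unit_id"], "threat": False,
               "reason": "read-only operation"}
    if verdict["name"] is None:
        # Outside the class's table: unknown or vendor-specific code.
        verdict.update(threat=True, reason="function code not in the Modbus table")
    elif fc in WRITE_CODES:
        verdict.update(threat=True, reason="writes coils/registers (modifies device data)")
    elif fc == 0x08 and len(frame["data"]) >= 2:
        sub = struct.unpack("!H", frame["data"][:2])[0]
        if sub in (DIAG_RESTART_COMMS, DIAG_FORCE_LISTEN_ONLY):
            verdict.update(threat=True,
                           reason=f"diagnostics sub-function 0x{sub:04X} restarts or silences the device")
    return verdict


# Constructed request frames: MBAP (tid, proto 0, length, unit) + PDU.
SAMPLE_FRAMES = {
    "read_holding":   bytes.fromhex("00010000000601030000000A"),           # FC 03, 10 regs from 0
    "write_single":   bytes.fromhex("000200000006010600101234"),           # FC 06, reg 0x0010 := 0x1234
    "diag_restart":   bytes.fromhex("000300000006010800010000"),           # FC 08, sub-function 0x0001
    "write_multiple": bytes.fromhex("00040000000B0110000000020400010002"), # FC 10, 2 regs from 0
    "unknown_fc":     bytes.fromhex("0005000000020141"),                   # FC 0x41, not in the table
}


def run_demo() -> dict:
    """Return {frame name: verdict} for every constructed frame."""
    return {name: judge_threat(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, v in run_demo().items():
        flag = "THREAT" if v["threat"] else "ok    "
        print(f"{flag} {name:15s} FC 0x{v['function_code']:02X} {v['name']}: {v['reason']}")
```

The verdict only says that the operation changes device state; whether it is also unauthorized depends on who sent it. In practice the alarm would be combined with the (IP, port) identity recorded in the protocol ID configuration file, so that a write from an unknown source is weighted higher than the same write from a known engineering workstation.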
S140: and if the industrial control network data comprises the safety threat characteristic information, carrying out safety early warning on the industrial control network data.
Specifically, the industrial control network data, the related security threat characteristic information and the alarm data can be sent to a monitoring cloud platform, while the thread is asynchronously notified to parse the next item of industrial control network data. When an item of industrial control network data has no related security threat characteristic information, the thread is likewise asynchronously notified to parse the next item and match it with the protocol ID configuration file, until all the industrial control network data has been analyzed.
According to the technical scheme provided by the embodiment of the application, a plurality of industrial protocol analysis classes are preset; a thread for monitoring industrial control network data is then started and first characteristic information is obtained. The first characteristic information is written into the corresponding protocol ID configuration file according to the plurality of industrial protocol analysis classes, so that the protocol ID configuration file corresponding to each industrial protocol analysis class holds that first characteristic information. The industrial protocol analysis class to which each subsequently monitored item of industrial control network data belongs is then determined from the first characteristic information contained in the protocol ID configuration file, and through that class it is judged whether the data includes security threat characteristic information, so that a security early warning can be raised. Because the protocol ID configuration file is established once and then used to analyze industrial control network data directly, analysis is faster. The scheme therefore addresses the problems in the prior art that industrial control equipment security detection reacts slowly and identifies threats inaccurately.
In addition, referring to fig. 5, fig. 5 is a schematic flow chart of an industrial control device security detection method based on industrial protocol analysis according to an embodiment of the present invention. As shown in fig. 5, the method comprises the steps of:
S501: All the configured industrial protocol analysis classes are loaded.
S502: A thread for monitoring industrial control network data is started.
S503: Industrial control network data is acquired through WinPcap.
S504: The data-parsing function is started by asynchronous notification.
S505: The parsing function parses the IP address and port number of the industrial control network data.
S506: The port number of the industrial control network data is matched against the default port number of each protocol.
S507: Whether the port number matched is judged; if so, step S508 is executed; if not, step S510.
S508: The IP address and port number are written into the corresponding protocol ID configuration file.
S509: The state is recorded.
S510: Feature matching against the next protocol analysis class is attempted.
S511: Whether the features matched is judged; if so, step S512 is executed; if not, step S513.
S512: The IP address and port number are written into the corresponding protocol ID configuration file.
S513: Whether all protocol analysis classes have been tried is judged; if so, step S514 is executed; if not, step S510.
S514: Feature matching against the next protocol is performed.
S515: Whether the features matched is judged; if so, the process ends; if not, step S505 is executed again.
By the industrial control equipment security detection method shown in fig. 5, an industrial control protocol configuration file including an IP address and a port number can be established.
After the industrial control protocol configuration file containing the IP address and the port number is established, it is further required to detect whether the industrial control network data contains security threat feature information or not by using the industrial control protocol configuration file.
Referring to fig. 6 in particular, the safety detection method for industrial control equipment shown in fig. 6 includes the following steps:
S601: The protocol ID configuration file containing IP addresses and port numbers is loaded.
S602: All industrial protocol analysis classes are loaded.
S603: WinPcap is started to acquire industrial control network data.
S604: The data-parsing function is notified asynchronously.
S605: The asynchronous parsing function parses the IP address and port number of the industrial control network data.
S606: The IP address and port number are compared with the protocol port numbers and IP addresses in the protocol ID configuration file.
S607: Whether the match succeeded is judged; if so, step S608 is executed; if not, the process returns to step S604.
S608: Feature extraction is performed.
S609: Whether there is security threat characteristic information affecting the safe production of the equipment is judged; if so, step S610 is executed; if not, the process returns to step S604.
S610: Alarm data is sent to the cloud platform.
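The two flows of fig. 5 and fig. 6 end to end, as an added Python example that is not the patent's code: the learning phase builds the protocol ID configuration file from the destination IP address and port of each packet, first by default-port match, then by each class's second characteristic check, with endpoints that match no class going to the non-protocol ID configuration file (claim 3); the detection phase loads that file, classifies each packet by (IP, port), runs the class's feature extraction and returns the alarm data that S610 would send. The two protocol classes (Modbus/TCP on port 502, S7comm on port 102), their second characteristic checks, the JSON layout of the configuration file, the threat code sets and all packets are this example's own assumptions and constructions; the capture step of S503/S603 is replaced by an inline packet list.

```python
"""Protocol ID configuration file: learning (fig. 5) and detection (fig. 6).
Added example, not the patent's code.  Class names, default ports, second
characteristic checks, the JSON layout, threat code sets and the packets
are all assumed or constructed here."""
import json
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Packet:                      # constructed stand-in for a captured request
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class ProtocolClass:
    """One industrial protocol analysis class.  First characteristic information
    is the (IP, port) pair; second characteristic information is a check on the
    payload, used when the port is not the protocol's default (assumed layout)."""
    name: str
    default_port: int
    looks_like: Callable[[bytes], bool]
    extract: Callable[[bytes], dict]
    threat_codes: frozenset


# Modbus/TCP: MBAP protocol identifier 0 and a length field that covers the rest
# of the frame; the function code is the byte after the 7-byte MBAP header.
def modbus_looks_like(p: bytes) -> bool:
    return len(p) >= 8 and p[2:4] == b"\x00\x00" and int.from_bytes(p[4:6], "big") == len(p) - 6

def modbus_extract(p: bytes) -> dict:
    return {"unit_id": p[6], "function_code": p[7]} if len(p) >= 8 else {}

# S7comm over ISO-on-TCP: TPKT version 3 and S7 protocol id 0x32 after the 3-byte
# COTP data header; for a Job PDU the parameter's function byte follows the
# 10-byte S7 header, i.e. sits at offset 17.
def s7_looks_like(p: bytes) -> bool:
    return len(p) >= 8 and p[0] == 0x03 and p[1] == 0x00 and p[7] == 0x32

def s7_extract(p: bytes) -> dict:
    return {"rosctr": p[8], "function_code": p[17]} if len(p) >= 18 else {}


CLASSES = [  # assumed classes; the threat sets hold state-changing operations only
    ProtocolClass("Modbus/TCP", 502, modbus_looks_like, modbus_extract,
                  frozenset({0x05, 0x06, 0x0F, 0x10})),   # write coil(s)/register(s)
    ProtocolClass("S7comm", 102, s7_looks_like, s7_extract,
                  frozenset({0x05, 0x28, 0x29})),         # write var, PLC control, PLC stop
]


def learn_protocol_ids(packets, classes) -> tuple:
    """Fig. 5: build the protocol ID configuration file.  A default-port match
    (S506/S507) is recorded at once (S508); otherwise each class's second
    characteristic check is tried in turn (S510-S513); endpoints matching no
    class go to the non-protocol ID configuration file (claim 3)."""
    config = {c.name: [] for c in classes}
    non_protocol = []
    for pkt in packets:
        entry = {"ip": pkt.dst_ip, "port": pkt.dst_port}
        cls = next((c for c in classes if c.default_port == pkt.dst_port), None)
        if cls is None:
            cls = next((c for c in classes if c.looks_like(pkt.payload)), None)
        bucket = non_protocol if cls is None else config[cls.name]
        if entry not in bucket:
            bucket.append(entry)
    return config, non_protocol


def detect(packets, config_json: str, classes) -> list:
    """Fig. 6: load the configuration file (S601), classify each packet by its
    (IP, port) (S605-S607), run the class's feature extraction (S608), judge
    the threat (S609) and return the alarm data that S610 would send."""
    by_name = {c.name: c for c in classes}
    index = {(e["ip"], e["port"]): name
             for name, entries in json.loads(config_json).items() for e in entries}
    alarms = []
    for pkt in packets:
        name = index.get((pkt.dst_ip, pkt.dst_port))
        if name is None:
            continue                                   # S607 fails: next packet
        cls = by_name[name]
        features = cls.extract(pkt.payload)
        if features.get("function_code") in cls.threat_codes:
            alarms.append({"protocol": name, "src": pkt.src_ip,
                           "dst": f"{pkt.dst_ip}:{pkt.dst_port}", **features})
    return alarms


PACKETS = [  # constructed traffic, not a capture
    Packet("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("000100000006010300000008")),   # Modbus FC 03 read
    Packet("10.0.0.5", "10.0.0.21", 5020, bytes.fromhex("000200000006010600101234")),  # Modbus FC 06 write, non-default port
    Packet("10.0.0.7", "10.0.0.30", 102, bytes.fromhex(                                # S7comm Job, PLC stop (0x29)
        "0300002102f08032010000000100100000" + "29000000000009505f50524f4752414d")),
    Packet("10.0.0.9", "10.0.0.40", 8080, b"GET / HTTP/1.1\r\n\r\n"),                   # no industrial protocol
]


def run_demo() -> tuple:
    """Learn the configuration, round-trip it through JSON, then detect."""
    config, non_protocol = learn_protocol_ids(PACKETS, CLASSES)
    return config, non_protocol, detect(PACKETS, json.dumps(config), CLASSES)
```

A default-port match alone trusts a field the sender chooses, which is why the fallback feature check matters: the Modbus write to port 5020 in the sample is classified only because its MBAP header, not its port, identifies it. The same check can also be applied to default-port hits before the entry is written, so that unrelated traffic on port 502 does not populate the Modbus file.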
In addition, based on the same concept of the embodiment of the method, the embodiment of the invention also provides an industrial control equipment safety detection system based on industrial protocol analysis, which is used for realizing the method of the invention.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an industrial control device security detection system based on industrial protocol analysis according to an embodiment of the present invention, and as shown in fig. 7, the industrial control device security detection system includes:
a feature writing module 701, configured to write the monitored first feature information of the industrial control network data into a corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes, where the protocol ID configuration file corresponds to the industrial protocol analysis classes;
a category determining module 702, configured to determine, according to the protocol ID configuration file written in the first feature information by the feature writing module, an industrial protocol analysis class to which each piece of subsequently monitored industrial control network data belongs;
the information judgment module 703 is configured to judge whether the industrial control network data includes security threat feature information according to the industrial protocol analysis class determined by the class determination module;
and the safety early warning module 704 is used for carrying out safety early warning on the industrial control network data if the information judgment module judges that the industrial control network data comprises safety threat characteristic information.
According to the industrial control equipment safety detection system provided by the embodiment of the application, a plurality of industrial protocol analysis classes are preset; a thread for monitoring industrial control network data is then started and first characteristic information is obtained. The first characteristic information is written into the corresponding protocol ID configuration file according to the plurality of industrial protocol analysis classes, so that the protocol ID configuration file corresponding to each industrial protocol analysis class holds that first characteristic information. The industrial protocol analysis class to which each subsequently monitored item of industrial control network data belongs is then determined from the first characteristic information contained in the protocol ID configuration file, and through that class it is judged whether the data includes security threat characteristic information, so that a security early warning can be raised. Because the protocol ID configuration file is established once and then used to analyze industrial control network data directly, analysis is faster. The system therefore addresses the problems in the prior art that industrial control equipment security detection reacts slowly and identifies threats inaccurately.
The feature writing module 701 includes:
the category loading submodule 7011 is configured to load a plurality of preset industrial protocol analysis categories, where the industrial protocol analysis categories include second feature information;
the feature extraction sub-module 7012 is configured to monitor industrial control network data and extract second feature information in the industrial control network data;
the characteristic matching submodule 7013 is configured to match second characteristic information in the industrial control network with second characteristic information in the industrial protocol analysis class;
and the file writing sub-module 7014 is configured to write the first feature information of the industrial control network data into the corresponding protocol ID configuration file according to the matching result of the second feature information.
In addition, the file writing sub-module 7014 is further configured to write the first feature information of the industrial control network data into the non-protocol ID configuration file if the feature matching sub-module determines that the second feature information of the industrial control network data does not match the second feature information in any of the industrial protocol analysis classes.
In addition, in the safety detection system of the industrial control equipment in fig. 7, the category determination module 702 includes:
the file loading sub-module 7021 is configured to load the protocol ID configuration file into which the first feature information has been written.
And the data matching sub-module 7022 is configured to match each subsequently monitored industrial control network data with the protocol ID configuration file, using the first feature information.
And the type determining submodule 7023 is configured to determine an industrial protocol analysis class to which each industrial control network data belongs according to a matching relationship between each industrial control network data and the protocol ID configuration file and a corresponding relationship between the protocol ID configuration file and the industrial protocol analysis class.
As shown in fig. 10, in the safety detection system for industrial control equipment shown in fig. 7, the information determination module 703 includes:
the function code extraction submodule 7031 is used for extracting the function code of the industrial control network data;
the function code matching submodule 7032 is configured to match a function code of the industrial control network data with a function code of a protocol analysis class to which the industrial control network data belongs;
the threat characteristic information searching submodule 7033 is configured to search, according to the matching result of the function code, security threat characteristic information included in the industrial control network data;
and the threat characteristic information judging submodule 7034 is configured to judge, according to the matching result of the function code, security threat characteristic information included in the industrial control network data.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. An industrial control equipment safety detection method based on industrial protocol analysis is characterized by comprising the following steps:
writing monitored first characteristic information of industrial control network data into a corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes, wherein the protocol ID configuration file corresponds to the industrial protocol analysis classes;
determining the industrial protocol analysis class to which each industrial control network data monitored subsequently belongs according to the protocol ID configuration file written with the first characteristic information;
judging whether the industrial control network data comprises safety threat characteristic information or not according to the industrial protocol analysis class;
and if the industrial control network data is judged to comprise the safety threat characteristic information, carrying out safety early warning on the industrial control network data.
2. The industrial control equipment safety detection method according to claim 1, wherein the step of writing the monitored first characteristic information of the industrial control network data into a corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes comprises:
loading the preset plurality of industrial protocol analysis classes, wherein the industrial protocol analysis classes comprise second characteristic information;
monitoring the industrial control network data, and extracting second characteristic information in the industrial control network data;
matching second characteristic information in the industrial control network with second characteristic information in the industrial protocol analysis class;
and writing the first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to the matching result of the second characteristic information.
3. The industrial control equipment safety detection method according to claim 2, wherein the step of writing the first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to the matching result of the second characteristic information includes:
and if the second characteristic information of the industrial control network data is not matched with the second characteristic information in any industrial protocol analysis class, writing the first characteristic information of the industrial control network data into a non-protocol ID configuration file.
4. The industrial control equipment safety detection method according to claim 2, wherein the step of determining the industrial protocol analysis class to which each piece of subsequently monitored industrial control network data belongs according to the protocol ID configuration file written with the first feature information includes:
loading the protocol ID configuration file written with the first characteristic information;
matching each subsequently monitored industrial control network data with the protocol ID configuration file by using the first characteristic information;
and determining the industrial protocol analysis class to which each industrial control network data belongs according to the matching relation between each industrial control network data and the protocol ID configuration file and the corresponding relation between the protocol ID configuration file and the industrial protocol analysis class.
5. The industrial control equipment safety detection method according to claim 1, wherein the step of judging whether industrial control network data includes safety threat characteristic information according to the industrial protocol analysis class comprises:
extracting a function code of the industrial control network data;
matching the function code of the industrial control network data with the function code of the protocol analysis class to which the industrial control network data belongs;
and searching and judging safety threat characteristic information contained in the industrial control network data according to the matching result of the function codes.
6. An industrial control equipment safety detection system based on industrial protocol analysis, characterized by comprising:
the characteristic writing module is used for writing the monitored first characteristic information of the industrial control network data into a corresponding protocol ID configuration file according to a plurality of preset industrial protocol analysis classes, wherein the protocol ID configuration file corresponds to the industrial protocol analysis classes;
the category determining module is used for determining the industrial protocol analysis class to which each industrial control network data monitored subsequently belongs according to the protocol ID configuration file written with the first characteristic information by the characteristic writing module;
the information judgment module is used for judging whether the industrial control network data comprises safety threat characteristic information or not according to the industrial protocol analysis class determined by the class determination module;
and the safety early warning module is used for carrying out safety early warning on the industrial control network data if the information judgment module judges that the industrial control network data comprises the safety threat characteristic information.
7. The industrial control equipment safety detection system according to claim 6, wherein the feature writing module comprises:
the category loading submodule is used for loading the preset plurality of industrial protocol analysis categories, wherein the industrial protocol analysis categories comprise second characteristic information;
the characteristic extraction submodule is used for monitoring the industrial control network data and extracting second characteristic information in the industrial control network data;
the characteristic matching sub-module is used for matching second characteristic information in the industrial control network with second characteristic information in the industrial protocol analysis class;
and the file writing sub-module is used for writing the first characteristic information of the industrial control network data into the corresponding protocol ID configuration file according to the matching result of the second characteristic information.
8. The industrial control equipment safety detection system of claim 7, wherein the file writing submodule is further configured to:
and if the characteristic matching sub-module judges that the second characteristic information of the industrial control network data is not matched with the second characteristic information in any industrial protocol analysis class, writing the first characteristic information of the industrial control network data into a non-protocol ID configuration file.
9. The industrial control equipment safety detection system according to claim 7, wherein the category determination module comprises:
the file loading submodule is used for loading the protocol ID configuration file written with the first characteristic information;
the data matching sub-module is used for matching each subsequently monitored industrial control network data with the protocol ID configuration file by using the first characteristic information;
and the type determining submodule is used for determining the industrial protocol analysis class to which each industrial control network data belongs according to the matching relation between each industrial control network data and the protocol ID configuration file and the corresponding relation between the protocol ID configuration file and the industrial protocol analysis class.
10. The industrial control equipment safety detection system according to claim 6, wherein the information judgment module comprises:
the function code extraction submodule is used for extracting the function code of the industrial control network data;
the function code matching submodule is used for matching the function code of the industrial control network data with the function code of the protocol analysis class to which the industrial control network data belongs;
the threat characteristic information searching submodule is used for searching the safety threat characteristic information contained in the industrial control network data according to the matching result of the function codes;
and the threat characteristic information judgment submodule is used for judging the safety threat characteristic information contained in the industrial control network data according to the matching result of the function codes.
CN201911079311.0A 2019-11-07 2019-11-07 Industrial control equipment safety detection method and system based on industrial protocol analysis Pending CN110868408A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911079311.0A CN110868408A (en) 2019-11-07 2019-11-07 Industrial control equipment safety detection method and system based on industrial protocol analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911079311.0A CN110868408A (en) 2019-11-07 2019-11-07 Industrial control equipment safety detection method and system based on industrial protocol analysis

Publications (1)

Publication Number Publication Date
CN110868408A true CN110868408A (en) 2020-03-06

Family

ID=69654324

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911079311.0A Pending CN110868408A (en) 2019-11-07 2019-11-07 Industrial control equipment safety detection method and system based on industrial protocol analysis

Country Status (1)

Country Link
CN (1) CN110868408A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546625A (en) * 2011-12-31 2012-07-04 深圳市永达电子股份有限公司 Semi-supervised clustering integrated protocol identification system
CN108737417A (en) * 2018-05-16 2018-11-02 南京大学 A kind of vulnerability checking method towards industrial control system
CN109922087A (en) * 2019-04-23 2019-06-21 广东技术师范大学 Analytic method, device, system and the computer storage medium of industry control agreement
CN110011968A (en) * 2019-02-28 2019-07-12 郑州轨道交通信息技术研究院 A kind of tactful access control method based on industry control agreement general framework
CN110351238A (en) * 2019-05-23 2019-10-18 中国科学院信息工程研究所 Industry control honey pot system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112272184A (en) * 2020-10-29 2021-01-26 杭州迪普科技股份有限公司 Industrial flow detection method, device, equipment and medium
CN112272184B (en) * 2020-10-29 2022-07-01 杭州迪普科技股份有限公司 Industrial flow detection method, device, equipment and medium
CN113364746A (en) * 2021-05-24 2021-09-07 湖南华菱涟源钢铁有限公司 Equipment identification method, device, equipment and computer storage medium
CN115065552A (en) * 2022-07-27 2022-09-16 北京六方云信息技术有限公司 Industrial communication protection method, device, terminal equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200306