CN110868425A - Industrial control information safety monitoring system adopting black and white list for analysis - Google Patents


Info

Publication number
CN110868425A
Authority
CN
China
Prior art keywords
white list
alarm
communication
protocol
rule
Legal status
Pending
Application number
CN201911178231.0A
Other languages
Chinese (zh)
Inventor
宋迟
吴冲
张毅
仵大奎
吴国雄
刘江柳
李绪国
Current Assignee
SHANGHAI SANLING SAFEGUARD INFORMATION SAFETY CO Ltd
Original Assignee
SHANGHAI SANLING SAFEGUARD INFORMATION SAFETY CO Ltd
Priority date
2019-11-27
Filing date
2019-11-27
Publication date
2020-03-06


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 for controlling access to devices or network resources > H04L63/101 Access control lists [ACL]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention relates to the field of information security of industrial control systems, in particular to an industrial control information security monitoring system that uses a black-and-white list for analysis. The system comprises the following steps: (1) initial sample library acquisition, (2) blacklist rule formation and alarm generation, (3) whitelist rule formation and alarm generation, (4) intelligent generation of a communication whitelist, (5) protocol rule formation and alarm generation, and (6) visual alarm and report display.

Description

Industrial control information safety monitoring system adopting black and white list for analysis
Technical Field
The invention relates to the field of information security of industrial control systems, in particular to an industrial control information security monitoring system adopting a black and white list for analysis.
Background
Over the past decades, control networks composed of DCS, PLC, SCADA and other control systems have become increasingly open. As information technology has spread through enterprises, industrial control networks have largely adopted general-purpose TCP/IP and OPC protocol technology, and the ICS network has become ever more tightly connected to the enterprise management network. Traditional industrial control systems, however, were built on special-purpose hardware, software and communication protocols, and the security of interconnected communication was essentially not considered in their design.
General industrial system security protection uses a single blacklist or whitelist mechanism; the two mechanisms are not combined into one defense system, and a large amount of manual operation is required, wasting time and labour. In a protection system that uses a blacklist alone, the blacklist is limited by its rules and cannot monitor or judge newly appearing attack behaviour; in addition, a blacklist mechanism produces many false alarms, which makes it hard for the user to judge whether an attack is genuine.
In a protection system that uses a whitelist alone, the whitelist mechanism cannot give the specific details of an attack, so potential security hazards in the network cannot be investigated and eliminated in a targeted manner.
The field of industrial control information security urgently lacks an effective security theory and method that integrates the various technologies of traditional information security, can be adapted to industrial control systems, and as far as possible introduces no new problems through increased system complexity.
Therefore, it is imperative to develop an industrial control information safety monitoring system that adopts a black and white list for analysis, monitors in real time the anomalies encountered in the industrial production environment, and generates alarms from an information flow that combines the black and white lists.
Disclosure of Invention
The invention aims to provide an industrial control information safety monitoring system that adopts a black and white list for analysis. It extends the related research on industrial control protocols, starts from the analysis of the black and white lists, and establishes a complete industrial control network monitoring system. This provides a data acquisition and analysis method for analyzing information flow and instruction flow in industrial control, reduces false alarms and manual operation, effectively improves the alarm accuracy of the system, and provides a basis and a verification tool for formulating an industrial control information security strategy; it is a solution that closely matches the requirements of traditional information security development and of the industrial control field for information security.
In order to achieve this purpose, the invention provides the following technical scheme:
The industrial control information safety monitoring system adopting the black and white list for analysis comprises the following steps:
S1, collecting an initial sample library: the monitoring device collects all data packets on the field monitoring network and analyzes them to obtain seven-tuple information; a whitelist rule and an asset list can then be set according to the sample library;
S2, blacklist rule formation and alarm generation: the system contains a built-in intrusion detection rule base; when the monitoring device analyzes a data packet and its characteristics match a rule, an intrusion detection alarm is generated, and the user can view the detailed information of each rule, including behaviour, description and handling suggestions;
S3, whitelist rule formation and alarm generation: the assets in the sample library are converted into an asset whitelist, which is the list of legal assets; any asset not on the whitelist is an illegal asset and, whatever its communication behaviour, an alarm of type "unknown equipment" is raised immediately. Once the asset whitelist is configured, the communication behaviours in the sample library can be converted into a communication whitelist, which adds the legal communication behaviours to the whitelist rules; any communication not on the communication whitelist is an illegal communication behaviour. The communication whitelist rules can also be analyzed and generated automatically in an intelligent learning mode combined with the blacklist rules; when a communication behaviour occurs outside the range of the whitelist rules, an alarm of type "unknown communication behaviour" is raised;
S4, intelligent generation of a communication whitelist: through long-term learning the system grasps the dynamics of data change in the network, in particular the changes and patterns of communication between each asset and other equipment, and forms a high-accuracy communication whitelist rule on the basis of eliminating the detection results of the blacklist, thereby reducing the false alarm rate of the system and improving detection accuracy;
S5, protocol rule formation and alarm generation: the protocol rules follow the same principle as the whitelist rules; after the asset whitelist and communication whitelist rules are configured, the product performs industrial protocol analysis on the communication behaviour of the whitelisted assets to obtain a protocol whitelist. Where no rule is configured, alarms are raised automatically on instruction changes, configuration changes and load changes; threshold alarms are raised only once the correct range has been configured;
S6, visual alarm and report display: all devices monitored on site are managed, a network topology graph is generated semi-automatically from the field devices and network conditions, and when an alarm is found the affected device flashes a red mark so that the alarming device can be located clearly; a report display function analyzes, classifies and counts the alarm logs and traffic logs and finally presents them in graphical form.
The blacklist rule formation in S2 refers to a network intrusion detection system based on pattern matching. Pattern matching, which corresponds to state analysis, means that the system predefines intrusion detection feature codes and matches each actual data packet against them to determine whether the packet contains intrusion behaviour; detectable intrusion behaviours include viruses, trojans, denial of service attacks, WEB attacks, DNS attacks, ARP attacks, port scanning, buffer overflow attacks, FTP attacks, ICMP attacks, and the like.
The sample library in S1 is a database built by collecting the original data in the network through the system and analyzing it layer by layer; it stores the seven-tuple of each data frame: source MAC, destination MAC, source IP, destination IP, source port, destination port and protocol type.
The asset whitelist in S3 displays asset names, asset IPs, asset types and descriptions, and supports modifying, adding and deleting entries. After data acquisition it mainly converts the legal destination IPs and source IPs into legal assets according to customer requirements; when an asset outside the legal assets generates data communication behaviour, alarm information is produced.
The communication whitelist in S3 displays source IP, source port, destination IP, destination port, protocol type and application protocol type, and supports adding, modifying and deleting entries. After data acquisition it transfers the legitimate source IP, source port, destination IP and destination port into legitimate communication entries, and generates an alarm for any communication that is not among these service communications.
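The S1 to S4 pipeline in miniature, as an added example that is not the patent's own code: a seven-tuple sample library is learned into an asset whitelist and a communication whitelist, flows that hit a blacklist rule are excluded from the learned whitelist (the intelligent-generation step), and live flows are then classified into the alarm types the description names. All hosts, MACs, payloads and rule signatures are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


# S1: the seven-tuple the sample library stores for each captured frame.
@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str            # transport protocol type, e.g. "TCP"
    payload: bytes = b""  # kept so S2 feature codes can be matched on content


# S2: a blacklist rule is a feature code plus the behaviour, description and
# handling suggestion the user can inspect when it fires.
@dataclass(frozen=True)
class BlacklistRule:
    name: str
    behaviour: str
    suggestion: str
    match: Callable[[Flow], bool]


def _is_modbus_diagnostic(f: Flow) -> bool:
    # Modbus/TCP: byte 7 of the payload is the function code; 0x08 is Diagnostics.
    return f.proto == "TCP" and f.dst_port == 502 and len(f.payload) >= 8 and f.payload[7] == 0x08


# Constructed signatures standing in for the built-in intrusion detection rule base.
BLACKLIST: List[BlacklistRule] = [
    BlacklistRule("web-traversal", "WEB attack: directory traversal in HTTP request",
                  "check the requesting host and the web server logs",
                  lambda f: f.dst_port == 80 and b"../" in f.payload),
    BlacklistRule("modbus-diagnostic", "Modbus diagnostics function sent to a PLC",
                  "confirm whether maintenance is in progress", _is_modbus_diagnostic),
]

# The description stores the source port in the communication whitelist; a
# deployment would usually wildcard ephemeral source ports, but it is kept here as written.
CommKey = Tuple[str, int, str, int, str]   # src_ip, src_port, dst_ip, dst_port, proto


def comm_key(f: Flow) -> CommKey:
    return (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto)


def blacklist_hits(f: Flow, rules: List[BlacklistRule]) -> List[BlacklistRule]:
    return [r for r in rules if r.match(f)]


def learn_whitelists(sample: List[Flow], rules: List[BlacklistRule]) -> Tuple[Set[str], Set[CommKey]]:
    """S3/S4: build the asset and communication whitelists from the sample library,
    dropping every flow the blacklist flags so that a host seen attacking during
    the learning window is not whitelisted alongside legitimate traffic."""
    assets: Set[str] = set()
    comms: Set[CommKey] = set()
    for f in sample:
        if blacklist_hits(f, rules):
            continue
        assets.update((f.src_ip, f.dst_ip))
        comms.add(comm_key(f))
    return assets, comms


@dataclass(frozen=True)
class Alarm:
    kind: str      # "unknown equipment" | "unknown communication behaviour" | "intrusion detection"
    detail: str


def classify(f: Flow, assets: Set[str], comms: Set[CommKey], rules: List[BlacklistRule]) -> List[Alarm]:
    """Apply both mechanisms to one live flow. A blacklist hit is reported even when
    the flow lies inside the whitelist, which is the complementarity the description relies on."""
    alarms = [Alarm("intrusion detection", "%s: %s (%s)" % (r.name, r.behaviour, r.suggestion))
              for r in blacklist_hits(f, rules)]
    if f.src_ip not in assets or f.dst_ip not in assets:
        alarms.append(Alarm("unknown equipment", "%s -> %s involves an asset outside the whitelist" % (f.src_ip, f.dst_ip)))
    elif comm_key(f) not in comms:
        alarms.append(Alarm("unknown communication behaviour", "%r not in communication whitelist" % (comm_key(f),)))
    return alarms


# Constructed sample library: an HMI polling a PLC over Modbus/TCP, an engineering
# station talking S7, and one host whose only traffic trips a blacklist rule.
HMI, ENG, PLC, ROGUE = "192.168.10.5", "192.168.10.6", "192.168.10.20", "192.168.10.77"
SAMPLE_LIBRARY = [
    Flow("00:11:22:00:00:05", "00:11:22:00:00:20", HMI, PLC, 49152, 502, "TCP", bytes.fromhex("000100000006010300000002")),
    Flow("00:11:22:00:00:06", "00:11:22:00:00:20", ENG, PLC, 49153, 102, "TCP"),
    Flow("00:11:22:00:00:77", "00:11:22:00:00:20", ROGUE, PLC, 40000, 80, "TCP", b"GET /../config HTTP/1.0\r\n"),
]


def demo() -> dict:
    """Learn from the sample library, then classify four constructed live flows."""
    assets, comms = learn_whitelists(SAMPLE_LIBRARY, BLACKLIST)
    live = {
        "hmi_poll": Flow("00:11:22:00:00:05", "00:11:22:00:00:20", HMI, PLC, 49152, 502, "TCP", bytes.fromhex("000200000006010300000002")),
        "hmi_s7":   Flow("00:11:22:00:00:05", "00:11:22:00:00:20", HMI, PLC, 49152, 102, "TCP"),
        "rogue":    Flow("00:11:22:00:00:77", "00:11:22:00:00:20", ROGUE, PLC, 40001, 502, "TCP"),
        "hmi_diag": Flow("00:11:22:00:00:05", "00:11:22:00:00:20", HMI, PLC, 49152, 502, "TCP", bytes.fromhex("000300000006010800000000")),
    }
    return {name: [a.kind for a in classify(f, assets, comms, BLACKLIST)] for name, f in live.items()}


if __name__ == "__main__":
    for name, kinds in demo().items():
        print(name, kinds or "no alarm")
```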
The protocol whitelist in S5 displays the Modbus, OPC, S7, IEC 103, IEC 104, CIP and FINS protocols, and can be configured with a control parameter whitelist and a threshold parameter configuration. The S7 and Modbus protocols have upload and download rules and a communication state monitoring function; after the industrial control protocol is configured, the analyzed data packets raise alarms according to that configuration.
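An S5-style protocol whitelist for Modbus/TCP, as an added example that is not the patent's own code: a request is parsed from its MBAP header and PDU, then checked against an allowed function-code set, an allowed write-register set (the control parameter whitelist) and per-register value ranges (the threshold configuration). Mapping the description's instruction, configuration and load changes onto function code, register address and written value is this example's interpretation, and the frames and limits are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int] = None    # first register touched, when decoded
    values: Tuple[int, ...] = ()     # register values carried by a write


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus function code and, for the functions this
    example understands, the address/value fields. Malformed frames raise ValueError
    rather than being silently treated as valid traffic."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError("MBAP protocol identifier must be 0")
    if length != len(frame) - 6:              # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[8:]
    req = ModbusRequest(tid, unit, fc)
    if fc in (0x03, 0x04, 0x06):              # read holding/input regs, write single reg
        if len(pdu) != 4:
            raise ValueError("PDU for function 0x%02x must carry 4 data bytes" % fc)
        req.address, word = struct.unpack(">HH", pdu)
        if fc == 0x06:
            req.values = (word,)
    elif fc == 0x10:                          # write multiple registers
        if len(pdu) < 5:
            raise ValueError("truncated write-multiple PDU")
        req.address, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        if nbytes != 2 * qty or len(pdu) != 5 + nbytes:
            raise ValueError("byte count does not match register quantity")
        req.values = struct.unpack(">%dH" % qty, pdu[5:])
    return req


@dataclass
class ProtocolWhitelist:
    functions: Set[int]                       # permitted function codes ("instruction")
    registers: Set[int]                       # registers that may be written ("control parameter")
    thresholds: Dict[int, Tuple[int, int]]    # register -> (min, max) permitted value ("threshold")


def check_request(req: ModbusRequest, wl: ProtocolWhitelist) -> List[str]:
    """Return the alarms one request raises against the whitelist (empty list = pass)."""
    alarms: List[str] = []
    if req.function not in wl.functions:
        alarms.append("instruction change: function 0x%02x not permitted" % req.function)
    for offset, value in enumerate(req.values):       # only decoded writes carry values
        reg = req.address + offset
        if reg not in wl.registers:
            alarms.append("configuration change: write to register %d not permitted" % reg)
            continue
        lo, hi = wl.thresholds.get(reg, (0x0000, 0xFFFF))
        if not lo <= value <= hi:
            alarms.append("load change: register %d value %d outside [%d, %d]" % (reg, value, lo, hi))
    return alarms


# Constructed whitelist: reads (0x03) and writes (0x06, 0x10) to registers 40 and 41
# are allowed; register 40 is a setpoint bounded to 500..1000, register 41 to 0..800.
WHITELIST = ProtocolWhitelist(functions={0x03, 0x06, 0x10}, registers={40, 41},
                              thresholds={40: (500, 1000), 41: (0, 800)})

# Constructed request frames: transaction id, protocol id 0, length, unit 1, function, data.
FRAMES: Dict[str, bytes] = {
    "read_ok":      struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 40, 2),
    "write_ok":     struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x06, 40, 750),
    "write_high":   struct.pack(">HHHBBHH", 3, 0, 6, 1, 0x06, 40, 1500),
    "write_badreg": struct.pack(">HHHBBHH", 4, 0, 6, 1, 0x06, 99, 1),
    "diagnostic":   struct.pack(">HHHBBHH", 5, 0, 6, 1, 0x08, 0x0000, 0x1234),
    "write_multi":  struct.pack(">HHHBBHHB", 6, 0, 11, 1, 0x10, 40, 2, 4) + struct.pack(">HH", 600, 900),
}


def audit(frames: Dict[str, bytes], wl: ProtocolWhitelist) -> Dict[str, List[str]]:
    """Parse and check every frame, keyed by its label."""
    return {name: check_request(parse_modbus_tcp(raw), wl) for name, raw in frames.items()}


if __name__ == "__main__":
    for name, alarms in audit(FRAMES, WHITELIST).items():
        print(name, alarms or "pass")
```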
Compared with the prior art, the invention has the following beneficial effects:
1. The blacklist and whitelist mechanisms are applied in the system at the same time. The blacklist mechanism extracts attack characteristics from network data as blacklist rules and detects by matching them, but it cannot detect new types of attack. The whitelist mechanism takes network communication behaviours as a rule list: communication in the list is regarded as normal, behaviour not in the list is uniformly regarded as illegal, and the mechanism lacks any matching of characteristic values. Used together, even an attack carried inside whitelisted communication can be discovered by the blacklist mechanism, which strengthens the system's fine-grained analysis of attack behaviour; the administrator can rely on it more, and because the whitelist is configured down to specific equipment assets, the investigation range is narrowed when alarm behaviour is found, alarms can be judged accurately, and alarm accuracy improves. When a novel attack that the blacklist cannot cover occurs, the whitelist mechanism regards only communication within its trusted rule range as legal, so the novel attack is discovered by the whitelist mechanism and an alarm is raised. Combining the two reflects the fine attack granularity of the blacklist together with the accuracy and strictness of the whitelist; the mechanisms are complementary, and overall performance and efficiency improve.
2. Intelligent generation of the communication whitelist. Intelligent generation reduces the complexity and errors of manual operation and formulates the whitelist rules more accurately. Through long-term learning the system grasps the dynamics of data change in the network, in particular the changes and patterns of communication between each asset and other equipment, and forms a high-accuracy communication whitelist rule on the basis of eliminating the detection results of the blacklist, thereby reducing the false alarm rate of the system and improving detection accuracy.
3. Visual display. The topology map restores the position of each asset in the network system; when an alarm occurs the specific asset can be located quickly, its position in the network is clear at a glance, and an accurate reference is provided for the next safety precaution. Reports can be generated for a month or for a customized period; a report summarizes and counts the alarms and threats generated by the monitoring system, analyzes the large volume of data, counts the threat behaviours and forms pie charts and histograms, so that the security problems in the network can be grasped quickly as a whole.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The industrial control information safety monitoring system adopting the black and white list for analysis comprises steps S1 to S6 and the sample library, blacklist, asset white list and communication white list features described above in the Disclosure of Invention, together with the following:
Intelligent learning of the communication whitelist: through intelligent learning of the data in the network, a preselected communication whitelist is generated automatically, the communication behaviours that appear in the blacklist are eliminated from it, and finally the intelligent communication whitelist rule is generated.
Topology management: legal assets can be added, deleted and modified and bound to their network interface cards, so that asset information is reflected visually; when an asset raises an alarm it is rendered according to the alarm level, and asset element packages (network cards, dispatching stations, monitoring engines, servers, routers, gateways and the like) can be added, modified and deleted. This solves the problems that alarms lack visualization and are difficult to locate.
Report statistics: according to a start date and an end date, statistics are produced for the alarm count, alarm type distribution, alarm level proportion, asset count, asset classification, asset health value, asset alarm ranking, network communication type, communication health value, total traffic trend graph, abnormal traffic trend graph, intrusion behaviour classification, intrusion behaviour health value, protocol alarm analysis and detailed protocol alarm statistics, and a PDF (Portable Document Format) export function is provided for producing the report.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (6)

1. An industrial control information safety monitoring system that adopts a black and white list for analysis, characterized in that the industrial control information safety monitoring system comprises the following steps:
S1, collecting an initial sample library: the monitoring device collects all data packets on the field monitoring network and analyzes them to obtain seven-tuple information; a whitelist rule and an asset list can then be set according to the sample library;
S2, blacklist rule formation and alarm generation: the system contains a built-in intrusion detection rule base; when the monitoring device analyzes a data packet and its characteristics match a rule, an intrusion detection alarm is generated, and the user can view the detailed information of each rule, including behaviour, description and handling suggestions;
S3, whitelist rule formation and alarm generation: the assets in the sample library are converted into an asset whitelist, which is the list of legal assets; any asset not on the whitelist is an illegal asset and, whatever its communication behaviour, an alarm of type "unknown equipment" is raised immediately. Once the asset whitelist is configured, the communication behaviours in the sample library can be converted into a communication whitelist, which adds the legal communication behaviours to the whitelist rules; any communication not on the communication whitelist is an illegal communication behaviour. The communication whitelist rules can also be analyzed and generated automatically in an intelligent learning mode combined with the blacklist rules; when a communication behaviour occurs outside the range of the whitelist rules, an alarm of type "unknown communication behaviour" is raised;
S4, intelligent generation of a communication whitelist: through long-term learning the system grasps the dynamics of data change in the network, in particular the changes and patterns of communication between each asset and other equipment, and forms a high-accuracy communication whitelist rule on the basis of eliminating the detection results of the blacklist, thereby reducing the false alarm rate of the system and improving detection accuracy;
S5, protocol rule formation and alarm generation: the protocol rules follow the same principle as the whitelist rules; after the asset whitelist and communication whitelist rules are configured, the product performs industrial protocol analysis on the communication behaviour of the whitelisted assets to obtain a protocol whitelist. Where no rule is configured, alarms are raised automatically on instruction changes, configuration changes and load changes; threshold alarms are raised only once the correct range has been configured;
S6, visual alarm and report display: all devices monitored on site are managed, a network topology graph is generated semi-automatically from the field devices and network conditions, and when an alarm is found the affected device flashes a red mark so that the alarming device can be located clearly; a report display function analyzes, classifies and counts the alarm logs and traffic logs and finally presents them in graphical form.
2. The industrial control information safety monitoring system adopting the black and white list for analysis as claimed in claim 1, wherein the blacklist rule formation in S2 refers to a network intrusion detection system based on pattern matching. Pattern matching, which corresponds to state analysis, means that the system predefines intrusion detection feature codes and matches each actual data packet against them to determine whether the packet contains intrusion behaviour; detectable intrusion behaviours include viruses, trojans, denial of service attacks, WEB attacks, DNS attacks, ARP attacks, port scanning, buffer overflow attacks, FTP attacks, ICMP attacks, and the like.
3. The industrial control information safety monitoring system adopting the black and white list for analysis as claimed in claim 1, wherein the sample library in S1 is a database built by collecting the original data in the network through the system and analyzing it layer by layer; it stores the seven-tuple of each data frame: source MAC, destination MAC, source IP, destination IP, source port, destination port and protocol type.
4. The industrial control information safety monitoring system adopting the black and white list for analysis as claimed in claim 1, wherein the asset whitelist in S3 displays asset names, asset IPs, asset types and descriptions, and supports modifying, adding and deleting entries; after data acquisition it mainly converts the legal destination IPs and source IPs into legal assets according to customer requirements, and when an asset outside the legal assets generates data communication behaviour, alarm information is produced.
5. The industrial control information safety monitoring system adopting the black and white list for analysis as claimed in claim 1, wherein the communication whitelist in S3 displays source IP, source port, destination IP, destination port, protocol type and application protocol type, and supports adding, modifying and deleting entries; after data acquisition it transfers the legitimate source IP, source port, destination IP and destination port into legitimate communication entries, and generates an alarm for any communication that is not among these service communications.
6. The industrial control information safety monitoring system adopting the black and white list for analysis as claimed in claim 1, wherein the protocol whitelist in S5 displays the Modbus, OPC, S7, IEC 103, IEC 104, CIP and FINS protocols, and can be configured with a control parameter whitelist and a threshold parameter configuration; the S7 and Modbus protocols have upload and download rules and a communication state monitoring function, and after the industrial control protocol is configured, the analyzed data packets raise alarms according to that configuration.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911178231.0A | 2019-11-27 | 2019-11-27 | Industrial control information safety monitoring system adopting black and white list for analysis

Publications (1)

Publication Number | Publication Date
CN110868425A (en) | 2020-03-06

Family ID: 69656224
Country Status: CN (1), CN110868425A (en), Pending

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104917776A (en) * 2015-06-23 2015-09-16 北京威努特技术有限公司 Industrial control network safety protection equipment and industrial control network safety protection method
CN105208018A (en) * 2015-09-09 2015-12-30 上海三零卫士信息安全有限公司 Industrial control network information security monitoring method based on funnel type white list
CN106506486A (en) * 2016-11-03 2017-03-15 上海三零卫士信息安全有限公司 A kind of intelligent industrial-control network information security monitoring method based on white list matrix
US20190036926A1 (en) * 2017-07-26 2019-01-31 Bank Of America Corporation Network Device Location Information Validation For Access Control and Information Security
CN107483444A (en) * 2017-08-22 2017-12-15 北京邮电大学 A kind of intelligent grid information transmission security protector and safety protecting method
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list
CN108933658A (en) * 2018-08-13 2018-12-04 杭州安恒信息技术股份有限公司 White list base establishing method and device based on industrial control equipment fingerprint
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Cheng Dongmei et al.: "Design and Implementation of a Distributed Industrial Control Intrusion Detection System Based on Rule Matching" (基于规则匹配的分布式工控入侵检测系统设计与实现), Netinfo Security (信息网络安全) *

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112019523A (en) * 2020-08-07 2020-12-01 贵州黔源电力股份有限公司 Network auditing method and device for industrial control system
CN112258054A (en) * 2020-10-26 2021-01-22 福建奇点时空数字科技有限公司 Network asset compliance analysis method based on flow perception
CN112383514A (en) * 2020-10-28 2021-02-19 北京珞安科技有限责任公司 Industrial control abnormal behavior analysis method and system based on self-learning white list
CN112383514B (en) * 2020-10-28 2023-02-24 北京珞安科技有限责任公司 Industrial control abnormal behavior analysis method and system based on self-learning white list
CN112468488A (en) * 2020-11-25 2021-03-09 杭州安恒信息技术股份有限公司 Industrial anomaly monitoring method and device, computer equipment and readable storage medium
CN112468488B (en) * 2020-11-25 2023-05-23 杭州安恒信息技术股份有限公司 Industrial anomaly monitoring method, industrial anomaly monitoring device, computer equipment and readable storage medium
CN112491915A (en) * 2020-12-03 2021-03-12 杭州迪普科技股份有限公司 Protocol white list configuration method and device
CN112468512A (en) * 2020-12-13 2021-03-09 北京哈工信息产业股份有限公司 Enterprise safety protection system and method based on white list mechanism
CN112468512B (en) * 2020-12-13 2021-07-13 北京哈工信息产业股份有限公司 Enterprise safety protection system and method based on white list mechanism
CN112751839A (en) * 2020-12-25 2021-05-04 江苏省未来网络创新研究院 Anti-virus gateway processing acceleration strategy based on user traffic characteristics
CN112995192B (en) * 2021-03-16 2022-11-15 深圳融安网络科技有限公司 White list generation method, system, device and storage medium
CN112995192A (en) * 2021-03-16 2021-06-18 深圳融安网络科技有限公司 White list generation method, system, device and storage medium
CN113315771A (en) * 2021-05-28 2021-08-27 苗叶 Safety event warning device and method based on industrial control system
CN113315777B (en) * 2021-06-03 2021-12-07 珠海市鸿瑞信息技术股份有限公司 Intelligent operation and maintenance monitoring system based on power protocol operation
CN113315777A (en) * 2021-06-03 2021-08-27 珠海市鸿瑞信息技术股份有限公司 Intelligent operation and maintenance monitoring system based on power protocol operation
CN113472580A (en) * 2021-07-01 2021-10-01 交通运输信息安全中心有限公司 Alarm system and alarm method based on dynamic loading mechanism
CN113472580B (en) * 2021-07-01 2023-04-07 交通运输信息安全中心有限公司 Alarm system and alarm method based on dynamic loading mechanism
CN114553537A (en) * 2022-02-22 2022-05-27 上海帝焚思信息科技有限公司 Abnormal flow monitoring method and system for industrial Internet
CN114745197A (en) * 2022-04-28 2022-07-12 东方电气中能工控网络安全技术(成都)有限责任公司 Method and system for monitoring industrial control network intrusion in real time
CN114839938A (en) * 2022-04-28 2022-08-02 东方电气中能工控网络安全技术(成都)有限责任公司 DCS industrial control network security audit analysis system and method
CN114839938B (en) * 2022-04-28 2022-12-09 东方电气中能工控网络安全技术(成都)有限责任公司 DCS industrial control network security audit analysis system and method
CN115271053A (en) * 2022-06-07 2022-11-01 四川大学 AI processor operator overflow optimization method and system under CANN computing architecture
CN115529162A (en) * 2022-08-26 2022-12-27 中国科学院信息工程研究所 Method and system for protecting abnormal behaviors of industrial control flow

Legal Events

Code Title Description
PB01 Publication (application publication date: 20200306)
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication