CN110958231A - Industrial control safety event monitoring platform and method based on Internet - Google Patents


Info

Publication number
CN110958231A
Authority
CN
China
Prior art keywords
industrial control
flow
internet
protocol
rule
Prior art date
2019-11-21
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911152394.1A
Other languages
Chinese (zh)
Inventor
傅涛
邓勇
郑轶
王力
王路路
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bozhi Safety Technology Co Ltd
Original Assignee
Bozhi Safety Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2019-11-21
Filing date
2019-11-21
Publication date
2020-04-03
2019-11-21 Application filed by Bozhi Safety Technology Co Ltd
2019-11-21 Priority to CN201911152394.1A
2020-04-03 Publication of CN110958231A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

An internet-based industrial control security event monitoring platform and method comprise a DPI traffic filtering subsystem and an industrial control traffic monitoring and auditing subsystem; the latter comprises a data receiving and processing module, a traffic monitoring and analysis module, an industrial control security event identification module and a log storage module. The DPI traffic filtering subsystem applies traffic diversion rules so that only the industrial control protocol traffic of interest is diverted into the industrial control traffic monitoring and auditing subsystem. In combination with the other structures and methods described, this overcomes the defects of prior-art active detection systems for internet industrial control security events: they generate extra non-industrial-control traffic toward internet-connected industrial control systems, which can cause those systems to malfunction; they cannot identify industrial control assets and security events; and they cannot be used directly at an industrial internet egress.

Description

Industrial control safety event monitoring platform and method based on Internet
Technical Field
The invention relates to the technical field of network communication for computer security equipment, in particular to an internet-based industrial control security event monitoring platform and method, and specifically to a method for identifying industrial control assets and industrial control security events through passive monitoring and analysis.
Background
The essence and core of the industrial internet is that equipment, production lines, factories, suppliers, products and customers are tightly connected and converged through an industrial internet platform. It helps manufacturing extend its industrial chain and form interconnection across equipment, systems, factories and regions, improving efficiency and promoting the intelligent transformation of the whole manufacturing and service system. It also promotes the integrated development of manufacturing, the convergence of manufacturing with the service industry, and the efficient sharing of key resources of the industrial economy. China's digitalization of national infrastructure, with the industrial internet as its characteristic and target, keeps accelerating, and more and more industrial control devices are connected to the internet. Once such devices are discovered and exploited by hackers the consequences can be immeasurable, so the security of national industrial infrastructure becomes ever more prominent. The following problems may result.
Internet industrial control security event monitoring in the prior art has the following defects:
1) Most products currently on the market use active detection technology to discover industrial control systems and analyze their security risks. Active detection generates extra non-industrial-control traffic toward the internet-connected industrial control system, which can cause that system to malfunction.
2) Traditional internet traffic detection systems cannot identify industrial control assets and security events.
3) Traditional industrial control security monitoring systems do not account for high traffic volumes, so they cannot be used directly at the egress of an industrial internet.
Disclosure of Invention
To solve these problems, the invention provides an internet-based industrial control security event monitoring platform and method, which effectively overcome the defects of prior-art active detection systems for internet industrial control security events: they generate extra non-industrial-control traffic toward internet-connected industrial control systems, which can cause those systems to malfunction; they cannot identify industrial control assets and security events; and they cannot be used directly at an industrial internet egress.
To overcome these defects, the invention provides an internet-based industrial control security event monitoring platform and method, as follows:
an internet-based industrial control security event monitoring platform comprises a DPI traffic filtering subsystem and an industrial control traffic monitoring and auditing subsystem, wherein the industrial control traffic monitoring and auditing subsystem comprises a data receiving and processing module, a traffic monitoring and analysis module, an industrial control security event identification module and a log storage module.
The DPI traffic filtering subsystem applies traffic diversion rules so that only the corresponding industrial control protocol traffic is diverted and sent into the industrial control traffic monitoring and auditing subsystem.
The data receiving and processing module obtains traffic from the DPI traffic filtering subsystem and analyzes the data flows; after initial IP fragment reassembly and packet statistics on the raw stream, the stream is sent to the detection engine for analysis;
the data receiving and processing module creates a stream object keyed on the packet 5-tuple and counts and records log fields for the subsequent packets of the flow, the counted content comprising the number of packets and bytes sent and received;
the recorded log fields include: source/destination IP, source/destination MAC, source/destination port, flow byte count, flow packet count, protocol packet type and underlying protocol type.
The traffic monitoring, analysis and processing module uses a modular design and is divided by function into a decoder and a preprocessor.
The decoder performs layer 2, layer 3 and layer 4 protocol decoding of the packet, checks and verifies the packet headers, and sets header pointers for the subsequent modules.
The preprocessor parses the industrial control and application protocols and identifies their interaction processes according to the characteristics of each protocol.
The industrial control security event identification module identifies industrial control assets and security events by fingerprint matching, using an industrial control security event rule parsing library on the key packets handled by the detection plug-ins; it comprises a detection engine, a rule parser, detection plug-ins and a rule base.
The detection engine calls detection plug-ins to inspect packets according to the rules;
the rule parser converts rule characteristics into the internal data structures used by the detection engine;
a detection plug-in provides the function that compares whether a packet matches the rule characteristics;
the rule base comprises a built-in rule base supplied with the system and a user-defined rule base, wherein the built-in rule base comprises a protocol identification rule base, a malicious code identification rule base, a malicious domain name and domain name hijacking rule base and an industrial control network attack base.
The log storage module records all monitored and analyzed industrial control assets, industrial control security events and other useful information into the database for convenient subsequent searching and retrieval.
The method of the internet-based industrial control security event monitoring platform comprises the following steps:
step 1: at the internet access point, mirror the traffic to the DPI traffic filtering subsystem;
step 2: using preset industrial control protocol traffic rules, filter out the traffic related to industrial control protocols according to the specified rules and send the filtered traffic to the traffic monitoring and analysis module;
step 3: the traffic monitoring and analysis module receives the traffic, identifies the industrial control protocol it belongs to, passes it to the parsing plug-in for that protocol for deep protocol analysis, and identifies the attributes of the corresponding industrial control asset using an industrial control device fingerprint library;
step 4: correlate the industrial control asset attributes with an industrial control vulnerability library and analyze potential device risks; extract key data from the industrial control protocol traffic and compare it against the industrial control security event rule base to detect whether an industrial control security event with attack behaviour exists;
step 5: store the analyzed industrial control security events and other important information in the log storage submodule.
The invention has the following beneficial effects:
The invention mainly uses traffic filtering and passive traffic monitoring and auditing, combined with an asset identification library and an industrial control security event identification library, to identify industrial control assets and security events.
(1) Industrial control assets are discovered by traffic capture and diversion, and security events involving them are analyzed, so the service impact of the non-industrial-control traffic that active packet sending would introduce to the industrial control equipment is avoided.
(2) The method not only identifies industrial control assets on the internet but also analyzes industrial control security events against a built-in industrial control security threat event library to find real threats.
(3) DPI traffic filtering equipment is introduced to filter out non-industrial-control traffic, so that only industrial-control-related traffic enters the monitoring equipment for asset identification and security event analysis, improving the analysis efficiency of the monitoring equipment.
Drawings
Fig. 1 is a structural diagram of the internet-based industrial control security event monitoring platform according to the present invention.
Fig. 2 is a flow chart of the method of the internet-based industrial control security event monitoring platform.
Detailed Description
The invention will be further described with reference to the following figures and examples.
As shown in Figs. 1-2, the internet-based industrial control security event monitoring platform comprises a DPI traffic filtering subsystem and an industrial control traffic monitoring and auditing subsystem; the latter comprises core modules such as a data receiving and processing module, a traffic monitoring and analysis module, an industrial control security event identification module and a log storage module. The DPI traffic filtering subsystem, acting as a DPI diversion subsystem, applies traffic diversion rules so that only the industrial control protocol traffic of configured interest is diverted into the industrial control traffic monitoring and auditing subsystem.
The data receiving and processing module obtains traffic from the DPI traffic filtering subsystem (the DPI diversion subsystem) and analyzes the data flows: it performs initial IP fragment reassembly and packet statistics on the raw stream and then hands the stream to the detection engine for analysis. It creates a stream object keyed on the packet 5-tuple and counts and records log fields for the subsequent packets of the flow; the counted content includes the number of packets and bytes sent and received. The recorded log fields include source/destination IP, source/destination MAC, source/destination port, flow byte count, flow packet count, protocol packet type, underlying protocol type, etc.
The traffic monitoring, analysis and processing module uses a modular design and is divided by function into a decoder and a preprocessor.
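The stream-object bookkeeping described for the data receiving and processing module (in the summary above and again in this paragraph) can be illustrated with a small flow table. The following Python is an added example written for this page, not code from the patent or its assignee; the Packet fields, MAC/IP addresses and packet sizes are constructed, and the rule that the first packet seen fixes the transmit direction is an assumption the patent does not state:

```python
# Flow accounting keyed on the packet 5-tuple (constructed example, not the patent's code).
from dataclasses import dataclass
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # src_ip, dst_ip, src_port, dst_port, transport


@dataclass
class Packet:
    """One decoded packet as handed over by the DPI stage (fields constructed for this example)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    transport: str   # underlying protocol type, e.g. "tcp" or "udp"
    app_proto: str   # protocol identified by the preprocessor, e.g. "modbus"
    length: int      # bytes on the wire


@dataclass
class Flow:
    """Stream object: the first packet seen fixes the forward (transmit) direction (assumption)."""
    key: FiveTuple
    src_mac: str
    dst_mac: str
    transport: str
    app_proto: str
    tx_packets: int = 0
    rx_packets: int = 0
    tx_bytes: int = 0
    rx_bytes: int = 0

    def log_record(self) -> dict:
        """The log fields the patent lists for each flow."""
        src_ip, dst_ip, src_port, dst_port, _ = self.key
        return {
            "src_ip": src_ip, "dst_ip": dst_ip,
            "src_mac": self.src_mac, "dst_mac": self.dst_mac,
            "src_port": src_port, "dst_port": dst_port,
            "flow_bytes": self.tx_bytes + self.rx_bytes,
            "flow_packets": self.tx_packets + self.rx_packets,
            "protocol": self.app_proto,
            "base_protocol": self.transport,
        }


class FlowTable:
    """Maps both directions of a conversation onto one Flow object."""

    def __init__(self) -> None:
        self.flows: Dict[FiveTuple, Flow] = {}

    def add(self, p: Packet) -> Flow:
        fwd = (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.transport)
        rev = (p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.transport)
        if fwd in self.flows:                 # same direction as the first packet
            f = self.flows[fwd]
            f.tx_packets += 1
            f.tx_bytes += p.length
        elif rev in self.flows:               # reply direction
            f = self.flows[rev]
            f.rx_packets += 1
            f.rx_bytes += p.length
        else:                                 # new stream object
            f = Flow(fwd, p.src_mac, p.dst_mac, p.transport, p.app_proto,
                     tx_packets=1, tx_bytes=p.length)
            self.flows[fwd] = f
        return f


def build_flow_logs(packets: List[Packet]) -> List[dict]:
    """Run all packets through the table and return one log record per flow."""
    table = FlowTable()
    for p in packets:
        table.add(p)
    return [f.log_record() for f in table.flows.values()]


# Constructed sample: a Modbus/TCP exchange (three requests, two replies) and one HTTP request.
ENG = ("02:00:00:00:00:05", "10.0.0.5")       # engineering station (constructed)
PLC = ("02:00:00:00:00:0a", "192.0.2.10")     # controller (constructed)
GW_MAC = "02:00:00:00:00:01"                  # internet gateway (constructed)
SAMPLE_PACKETS = [
    Packet(ENG[0], PLC[0], ENG[1], PLC[1], 50000, 502, "tcp", "modbus", 66),
    Packet(PLC[0], ENG[0], PLC[1], ENG[1], 502, 50000, "tcp", "modbus", 66),
    Packet(ENG[0], PLC[0], ENG[1], PLC[1], 50000, 502, "tcp", "modbus", 78),
    Packet(PLC[0], ENG[0], PLC[1], ENG[1], 502, 50000, "tcp", "modbus", 77),
    Packet(ENG[0], PLC[0], ENG[1], PLC[1], 50000, 502, "tcp", "modbus", 66),
    Packet(ENG[0], GW_MAC, ENG[1], "198.51.100.20", 50001, 80, "tcp", "http", 120),
]

if __name__ == "__main__":
    for rec in build_flow_logs(SAMPLE_PACKETS):
        print(rec)
```

Both directions of the Modbus conversation collapse into one record with five packets and 353 bytes, while the HTTP request becomes a separate flow; in the patent's design the DPI stage would already have removed that second flow before it reached this module.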
The decoder performs layer 2, layer 3 and layer 4 protocol decoding of the packet, checks and verifies the packet headers, and sets header pointers for the subsequent modules. The layer 2 protocols the decoder handles include Ethernet, VLAN, MPLS and PPPoE; the layer 3 protocols include IPv4 and ARP; the layer 4 protocols include TCP, UDP and ICMP. The preprocessor parses industrial control and application protocols and identifies their interaction processes according to the characteristics of each protocol, using a different parsing plug-in for each supported protocol. Supported industrial control protocols include, but are not limited to: Modbus/TCP, OPC, DDE, BACnet/IP, IEC 102/103/104, S7/TCP, Profibusnet, IEC 61850, FINS, DNP3.0/IP, etc.
The industrial control security event identification module mainly uses an industrial control security event rule parsing library and fingerprint matching on the key packets handled by the detection plug-ins to identify industrial control assets and security events; it comprises a detection engine, a rule parser, detection plug-ins and a rule base. The detection engine is the core module and calls detection plug-ins to inspect packets according to the rules. In practice the detection engine works in two steps: the first step is pattern matching of the packet content against the simple characteristics of all rules.
The second step is a full comparison of the suspicious packets against the detailed rule characteristics, calling the various detection plug-ins or performing more expensive regular expression searches. If a packet is found to have the characteristics defined by a rule, it is marked and handed to the subsequent module for processing; otherwise nothing is done. The rule parser converts rule characteristics into the internal data structure used by the detection engine; in both the protocol identification rule base and the industrial control network attack identification rule base, rule characteristics are defined in a description language. When the system starts, the rule base is loaded and the rules are parsed one by one into a large rule base data structure. This structure is categorized by protocol and carries several indexes so that the detection engine can process faster. When the rule base is updated, the data structure must be reloaded and regenerated. A detection plug-in provides the function that compares whether a packet matches the rule characteristics; the whole detection process is, in practice, the calling of detection plug-ins one after another. Each protocol has its own detection plug-in, which is meaningful only when invoked for the protocol it is responsible for. The rule base comprises a built-in rule base supplied with the system and a user-defined rule base; the built-in rule base comprises a protocol identification rule base, a malicious code identification rule base, a malicious domain name and domain name hijacking rule base, an industrial control network attack base, etc.
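The two-step detection described in this and the previous paragraph, together with a rule parser that loads a description-language rule base into a protocol-indexed structure at start-up, is shown below in Python. This is an added example, not the patent's rule language or engine; the `key=value;` rule syntax, the rule ids, the `modbus_fc_is_write_coils` plug-in and the sample messages are all constructed for illustration. Only the MBAP header layout (protocol id 0, length field, unit id, function code) comes from the public Modbus/TCP specification:

```python
# Two-step rule matching over a protocol-indexed rule base (constructed example, not the patent's code).
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    rule_id: str
    proto: str                              # protocol whose detection plug-in may evaluate this rule
    feature: bytes                          # simple characteristic used in the cheap first step
    regex: Optional["re.Pattern[bytes]"]    # detailed second-step check (regular expression), if any
    plugin: Optional[str]                   # detailed second-step check (plug-in name), if any
    desc: str


# Constructed rule description language: one rule per line, ';'-separated key=value pairs.
RULE_TEXT = r"""
id=R-MB-WRITE-COILS;proto=modbus;feature=hex:0f;plugin=modbus_fc_is_write_coils;desc=Modbus write multiple coils
id=R-HTTP-TRAVERSAL;proto=http;feature=GET ;regex=\.\./;desc=Directory traversal in HTTP request line
"""


def load_rules(text: str) -> Dict[str, List[Rule]]:
    """Parse the rule base at start-up into a structure indexed by protocol."""
    index: Dict[str, List[Rule]] = {}
    for line in text.strip().splitlines():
        kv = dict(item.split("=", 1) for item in line.split(";"))
        feat = kv["feature"]
        feature = bytes.fromhex(feat[4:]) if feat.startswith("hex:") else feat.encode()
        rule = Rule(kv["id"], kv["proto"], feature,
                    re.compile(kv["regex"].encode()) if "regex" in kv else None,
                    kv.get("plugin"), kv.get("desc", ""))
        index.setdefault(rule.proto, []).append(rule)
    return index


# Detection plug-ins: each one is only meaningful for the protocol it is responsible for.
def modbus_fc_is_write_coils(msg: bytes) -> bool:
    """Valid MBAP header (protocol id 0, length consistent with the frame) and function code 0x0F."""
    if len(msg) < 8 or msg[2:4] != b"\x00\x00":
        return False
    if int.from_bytes(msg[4:6], "big") != len(msg) - 6:
        return False
    return msg[7] == 0x0F


PLUGINS: Dict[str, Callable[[bytes], bool]] = {"modbus_fc_is_write_coils": modbus_fc_is_write_coils}


def detect(msg: bytes, proto: str, index: Dict[str, List[Rule]]) -> List[str]:
    """Return the ids of rules whose detailed check confirms the message."""
    hits = []
    for rule in index.get(proto, []):                                  # protocol index
        if rule.feature not in msg:                                    # step one: cheap pattern match
            continue
        if rule.regex is not None and not rule.regex.search(msg):      # step two: regular expression
            continue
        if rule.plugin is not None and not PLUGINS[rule.plugin](msg):  # step two: detection plug-in
            continue
        hits.append(rule.rule_id)
    return hits


RULES = load_rules(RULE_TEXT)   # regenerated whenever the rule base is updated

# Constructed sample messages. The second Modbus frame contains the byte 0x0f inside a register
# address, so it passes step one but is rejected by the plug-in in step two.
MB_WRITE_COILS = bytes.fromhex("0001 0000 0008 01 0f 0000 0008 01 ff")
MB_READ_REGS = bytes.fromhex("0002 0000 0006 01 03 000f 0001")
HTTP_TRAVERSAL = b"GET /files/../../config HTTP/1.1\r\nHost: plc-web\r\n\r\n"
HTTP_NORMAL = b"GET /index.html HTTP/1.1\r\nHost: plc-web\r\n\r\n"

if __name__ == "__main__":
    for name, msg, proto in [("write coils", MB_WRITE_COILS, "modbus"),
                             ("read registers", MB_READ_REGS, "modbus"),
                             ("http traversal", HTTP_TRAVERSAL, "http"),
                             ("http normal", HTTP_NORMAL, "http")]:
        print(name, "->", detect(msg, proto, RULES))
```

The cheap first step is deliberately over-inclusive (a single byte in the Modbus rule), which is why the plug-in must re-validate the frame structure and the function-code position before a rule is reported; the read-registers frame shows that false positive being discarded.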
The log storage module records all monitored and analyzed industrial control assets, industrial control security events and other useful information into the database for convenient subsequent searching and retrieval. In addition, the protocol identification rule base contains characteristic fingerprints of protocols such as HTTP, SSH, FTP, Modbus, IEC 61850 and DNP3, and identifies the protocol used in the current network traffic; the malicious code identification rule base contains fingerprint characteristics of viruses, trojans and malicious programs and identifies them; the malicious domain name library contains websites carrying malicious links, which typically exploit vulnerabilities in application software or browsers to implant trojans, virus programs and the like and lure users into visiting; the industrial control network attack library contains fingerprints of attack characteristics aimed at industrial systems and environments, such as port scanning fingerprints, controller start/stop control fingerprints, denial of service attack fingerprints and buffer overflow attack fingerprints.
The method of the internet-based industrial control security event monitoring platform solves the problems of traditional technology: the extra traffic that active scanning introduces to industrial control equipment, and the inability to identify industrial control assets of the industrial internet and analyze their security events. The platform mainly comprises a DPI traffic filtering subsystem and an industrial control traffic monitoring and auditing subsystem, the latter comprising a traffic monitoring and analysis module, an industrial control security event identification module, a log storage module and other core modules. The method mainly comprises the following steps:
step 1: at the main internet access point, mirror the traffic to the DPI traffic filtering subsystem serving as the DPI diversion subsystem;
step 2: using preset industrial control protocol traffic rules, filter out the traffic related to industrial control protocols according to the specified rules and send the filtered traffic to the traffic monitoring and analysis module;
step 3: the traffic monitoring and analysis module receives the traffic, identifies the industrial control protocol it belongs to, passes it to the parsing plug-in for that protocol for deep protocol analysis, and identifies the attributes of the corresponding industrial control asset using an industrial control device fingerprint library;
step 4: correlate the industrial control asset attributes with an industrial control vulnerability library and analyze potential device risks; extract key data from the industrial control protocol traffic and compare it against the industrial control security event rule base to detect whether industrial control security events with attack behaviour, such as virus or trojan attacks and industrial control network attacks, exist;
step 5: store the analyzed industrial control security events and other important information, such as potential industrial control device risks, in the log storage submodule.
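Steps 1 to 5 as listed here (and in the summary earlier) can be followed end to end for a single Modbus/TCP conversation. The Python below is an added example, not the patent's implementation: the port-based diversion rules, the fingerprint library, the vulnerability library with its PLACEHOLDER entry, the engineering-station allowlist, the rule id and the mirrored packets are all constructed. Only the MBAP header layout and the Read Device Identification response format (function code 0x2B, MEI type 0x0E) are taken from the public Modbus specification:

```python
# Steps 1-5 for one Modbus/TCP conversation: mirror -> DPI diversion -> protocol parsing and asset
# fingerprinting -> risk correlation and event rules -> log storage. Constructed example, not the
# patent's code; every library below is a placeholder.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Pkt:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


# Step 2: diversion rules (constructed) - transport port -> industrial protocol name.
DIVERT_RULES = {502: "modbus", 20000: "dnp3"}

# Step 3/4 libraries (constructed placeholders, not real fingerprints or vulnerabilities).
FINGERPRINT_LIBRARY = {"ExampleVendor": {"device_class": "PLC"}}
VULN_LIBRARY = {("ExampleVendor", "Model-X"): ["PLACEHOLDER-VULN-ID-1"]}
ENGINEERING_STATIONS = {"10.0.0.5"}           # hosts expected to issue write requests (constructed)
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}


def dpi_divert(mirrored: List[Pkt]) -> List[Tuple[str, Pkt]]:
    """Keep only packets matching a diversion rule; everything else never reaches the analyzer."""
    out = []
    for p in mirrored:
        proto = DIVERT_RULES.get(p.dst_port) or DIVERT_RULES.get(p.src_port)
        if proto:
            out.append((proto, p))
    return out


def parse_modbus(payload: bytes) -> Optional[dict]:
    """Modbus/TCP parsing plug-in: MBAP header check, then unit id, function code and PDU."""
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None
    if int.from_bytes(payload[4:6], "big") != len(payload) - 6:
        return None
    return {"unit": payload[6], "fc": payload[7], "pdu": payload[8:]}


def device_identity(pdu: bytes) -> Optional[Dict[str, str]]:
    """Vendor/product from a Read Device Identification response (FC 0x2B, MEI 0x0E) PDU."""
    if len(pdu) < 6 or pdu[0] != 0x0E:
        return None
    objs, pos = {}, 6                          # objects follow: id, length, value
    for _ in range(pdu[5]):
        if pos + 2 > len(pdu):
            return None
        oid, ln = pdu[pos], pdu[pos + 1]
        objs[oid] = pdu[pos + 2:pos + 2 + ln].decode("ascii", "replace")
        pos += 2 + ln
    return {"vendor": objs.get(0, ""), "product": objs.get(1, "")}


def run_pipeline(mirrored: List[Pkt]) -> List[dict]:
    """Steps 2-5; returns the records the log storage submodule would persist."""
    log: List[dict] = []
    for proto, p in dpi_divert(mirrored):                 # step 2
        if proto != "modbus":
            continue                                       # other parsing plug-ins omitted here
        m = parse_modbus(p.payload)                        # step 3
        if m is None:
            continue
        if p.src_port == 502 and m["fc"] == 0x2B:          # device's identification reply
            ident = device_identity(m["pdu"])
            if ident:
                asset = {"ip": p.src_ip, "unit": m["unit"], **ident,
                         **FINGERPRINT_LIBRARY.get(ident["vendor"], {})}
                risks = VULN_LIBRARY.get((ident["vendor"], ident["product"]), [])  # step 4a
                log.append({"type": "asset", **asset, "potential_risks": risks})   # step 5
        elif (p.dst_port == 502 and m["fc"] in WRITE_FUNCTION_CODES
              and p.src_ip not in ENGINEERING_STATIONS):                           # step 4b
            log.append({"type": "event", "rule": "R-MB-UNAUTH-WRITE",
                        "src": p.src_ip, "dst": p.dst_ip, "fc": m["fc"]})
    return log


def _mbap(body: bytes, tid: int) -> bytes:
    """Wrap a unit id + PDU in an MBAP header (transaction id, protocol id 0, length)."""
    return tid.to_bytes(2, "big") + b"\x00\x00" + len(body).to_bytes(2, "big") + body


def _devid_response(vendor: str, product: str) -> bytes:
    objs = bytes([0, len(vendor)]) + vendor.encode() + bytes([1, len(product)]) + product.encode()
    return _mbap(bytes([1, 0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 2]) + objs, 1)


# Constructed mirrored traffic as seen at the internet egress (step 1).
MIRRORED = [
    Pkt("10.0.0.5", "198.51.100.20", 50001, 80, b"GET / HTTP/1.1\r\n\r\n"),           # dropped by DPI
    Pkt("10.0.0.5", "192.0.2.10", 50000, 502, _mbap(bytes.fromhex("01 2b 0e 01 00"), 1)),
    Pkt("192.0.2.10", "10.0.0.5", 502, 50000, _devid_response("ExampleVendor", "Model-X")),
    Pkt("10.0.0.5", "192.0.2.10", 50000, 502, _mbap(bytes.fromhex("01 05 0001 ff00"), 2)),    # allowed
    Pkt("203.0.113.7", "192.0.2.10", 40000, 502, _mbap(bytes.fromhex("01 05 0001 ff00"), 3)),  # event
]

if __name__ == "__main__":
    for rec in run_pipeline(MIRRORED):
        print(rec)
```

Nothing in this pipeline sends a packet: the asset record comes entirely from a reply the device already made to its own engineering station, which is the passive-identification point the patent makes against active scanning.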
The method has the following advantages:
1. Passive detection and analysis is used to identify industrial control security events, so no extra traffic is introduced to the industrial control equipment.
2. The DPI traffic filtering subsystem is introduced; it can filter out 90% of the non-industrial-control internet traffic, which indirectly improves the detection performance of the industrial control detection and analysis subsystem.
3. The industrial control fingerprint library, the malicious code library and the user-defined industrial control security event library are richly populated, so industrial control equipment and security events on the internet can be accurately identified and analyzed.
The present invention solves the following problems:
1) Passive monitoring and analysis is used, avoiding the extra traffic that actively sending industrial control identification messages introduces to industrial control equipment.
2) A DPI filtering device is added in front of the industrial control traffic monitoring and auditing system, so only industrial control traffic is introduced for asset analysis and security event identification.
The present invention has been described in an illustrative manner by the embodiments, and it should be understood by those skilled in the art that the present disclosure is not limited to the embodiments described above, but is capable of various changes, modifications and substitutions without departing from the scope of the present invention.

Claims (9)

1. An internet-based industrial control security event monitoring platform, characterized in that it comprises a DPI traffic filtering subsystem and an industrial control traffic monitoring and auditing subsystem, wherein the industrial control traffic monitoring and auditing subsystem comprises a data receiving and processing module, a traffic monitoring and analysis module, an industrial control security event identification module and a log storage module.
2. The internet-based industrial control security event monitoring platform according to claim 1, wherein the DPI traffic filtering subsystem is configured to apply a traffic diversion rule, divert only the corresponding industrial control protocol traffic, and send the diverted traffic to the industrial control traffic monitoring and auditing subsystem.
3. The internet-based industrial control security event monitoring platform according to claim 1, wherein the data receiving and processing module is configured to obtain traffic from the DPI traffic filtering subsystem and analyze the data flows; after initial IP fragment reassembly and packet statistics on the raw stream, the stream is sent to the detection engine for analysis;
the data receiving and processing module creates a stream object keyed on the packet 5-tuple and counts and records log fields for the subsequent packets of the flow, the counted content comprising the number of packets and bytes sent and received;
the recorded log fields include: source/destination IP, source/destination MAC, source/destination port, flow byte count, flow packet count, protocol packet type and underlying protocol type.
4. The internet-based industrial safety event monitoring platform according to claim 1, wherein the traffic monitoring analysis processing module adopts a modular design method and is divided into a decoder and a preprocessor according to functions.
5. The internet-based industrial safety event monitoring platform according to claim 4, wherein the decoder is used for protocol decoding of the second layer, the third layer and the fourth layer of the data message, message header check and verification of the data message, and message header pointer setting for subsequent modules;
the preprocessor is used for analyzing the industrial control protocol and the application protocol and identifying the interactive process of the industrial control protocol and the application protocol according to the characteristics of the industrial control protocol and the application protocol.
6. The internet-based industrial control security event monitoring platform according to claim 1, wherein the industrial control security event identification module identifies industrial control assets and security events by fingerprint matching, using an industrial control security event rule parsing library on the key packets handled by the detection plug-ins, and comprises a detection engine, a rule parser, detection plug-ins and a rule base.
7. The internet-based industrial control security event monitoring platform according to claim 6, wherein the detection engine calls detection plug-ins to inspect packets according to the rules;
the rule parser converts rule characteristics into internal data structures used by the detection engine;
a detection plug-in provides the function that compares whether a packet matches the rule characteristics;
the rule base comprises a built-in rule base supplied with the system and a user-defined rule base, wherein the built-in rule base comprises a protocol identification rule base, a malicious code identification rule base, a malicious domain name and domain name hijacking rule base and an industrial control network attack base.
8. The internet-based industrial control security event monitoring platform as claimed in claim 1, wherein the log storage module is configured to record all the monitored and analyzed industrial control assets, industrial control security events and other useful information into the database for facilitating subsequent searching and retrieval.
9. A method of the internet-based industrial control security event monitoring platform, characterized in that it comprises the following steps:
step 1: at the internet access point, mirror the traffic to the DPI traffic filtering subsystem;
step 2: using preset industrial control protocol traffic rules, filter out the traffic related to industrial control protocols according to the specified rules and send the filtered traffic to the traffic monitoring and analysis module;
step 3: the traffic monitoring and analysis module receives the traffic, identifies the industrial control protocol it belongs to, passes it to the parsing plug-in for that protocol for deep protocol analysis, and identifies the attributes of the corresponding industrial control asset using an industrial control device fingerprint library;
step 4: correlate the industrial control asset attributes with an industrial control vulnerability library and analyze potential device risks; extract key data from the industrial control protocol traffic and compare it against the industrial control security event rule base to detect whether an industrial control security event with attack behaviour exists;
step 5: store the analyzed industrial control security events and other important information in the log storage submodule.
CN201911152394.1A 2019-11-21 2019-11-21 Industrial control safety event monitoring platform and method based on Internet Pending CN110958231A (en)


Publications (1)

Publication Number Publication Date
CN110958231A true CN110958231A (en) 2020-04-03

Family

ID=69978071


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111506022A (en) * 2019-01-30 2020-08-07 中国石油天然气集团有限公司 Industrial control system and safety auditing method in industrial control system
CN111586058A (en) * 2020-05-09 2020-08-25 成都安恒信息技术有限公司 Mixed protocol agent system and method for operation and maintenance audit system
CN114422341A (en) * 2022-01-14 2022-04-29 杭州立思辰安科科技有限公司 Industrial control asset identification method and system based on fingerprint characteristics

Citations (9)

Publication number Priority date Publication date Assignee Title
US20170126745A1 (en) * 2015-11-04 2017-05-04 Monico Monitoring, Inc. Industrial Network Security Translator
CN106911529A (en) * 2015-12-22 2017-06-30 国网青海省电力公司 Power network industry control safety detecting system based on protocol analysis
CN107612733A (en) * 2017-09-19 2018-01-19 杭州安恒信息技术有限公司 A kind of network audit and monitoring method and its system based on industrial control system
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system
CN109639733A (en) * 2019-01-24 2019-04-16 南方电网科学研究院有限责任公司 Safety detection and monitoring system suitable for industrial control system
CN110008713A (en) * 2019-05-06 2019-07-12 杭州齐安科技有限公司 A kind of novel industry control system vulnerability detection method and system
CN110113335A (en) * 2019-05-06 2019-08-09 杭州齐安科技有限公司 A kind of industrial control equipment fingerprint method for normalizing
CN110430187A (en) * 2019-08-01 2019-11-08 英赛克科技(北京)有限公司 Communication message method for auditing safely in industrial control system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
李明维: "Industrial control security threats based on protocol analysis", 《自动化系统.技术及应用》 *
毛华阳: "A preliminary study of industrial internet security based on big data", 《电信技术》 *
程冬梅: "A distributed industrial control intrusion detection system based on rule matching", 《NETINFO SECURITY 技术研究》 *

Similar Documents

Publication Publication Date Title
US20190034631A1 (en) System and method for malware detection
CN110149350B (en) Network attack event analysis method and device associated with alarm log
US7260846B2 (en) Intrusion detection system
CN110958231A (en) Industrial control safety event monitoring platform and method based on Internet
CN101924757B (en) Method and system for reviewing Botnet
KR101010302B1 (en) Security management system and method of irc and http botnet
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
US20060212942A1 (en) Semantically-aware network intrusion signature generator
US20150341389A1 (en) Log analyzing device, information processing method, and program
JP2014057307A (en) Detection of infected network devices via analysis of non-responsive outgoing network traffic
CN111277578A (en) Encrypted flow analysis feature extraction method, system, storage medium and security device
CN103795709A (en) Network security detection method and system
EP3297248B1 (en) System and method for generating rules for attack detection feedback system
KR102033169B1 (en) intelligence type security log analysis method
Erlacher et al. On high-speed flow-based intrusion detection using snort-compatible signatures
US20030084330A1 (en) Node, method and computer readable medium for optimizing performance of signature rule matching in a network
Radoglou-Grammatikis et al. Implementation and detection of modbus cyberattacks
CN109150869A (en) A kind of exchanger information acquisition analysis system and method
US20180020014A1 (en) Malicious communication pattern extraction device, malicious communication pattern extraction system, malicious communication pattern extraction method, and malicious communication pattern extraction program
Kaushik et al. Network forensic system for ICMP attacks
CN112437070A (en) Operation-based spanning tree state machine integrity verification calculation method and system
Kheir et al. Peerviewer: Behavioral tracking and classification of P2P malware
Lu et al. Integrating traffics with network device logs for anomaly detection
CN112104628B (en) Adaptive feature rule matching real-time malicious flow detection method
CN112910842A (en) Network attack event evidence obtaining method and device based on flow reduction

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination