CN110995733A - Intrusion detection system in industrial control field based on remote measuring technology - Google Patents


Publication number: CN110995733A
Authority: CN (China)
Legal status: Granted
Application number: CN201911276194.7A
Other languages: Chinese (zh)
Other versions: CN110995733B (en)
Inventors: 袁键, 陈夏裕, 徐乐晨, 施靖萱, 章明飞, 孙杨
Current assignee: Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Original assignee: Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Abstract

The invention relates to an intrusion detection system for the industrial control field based on telemetry technology, and belongs to the technical field of industrial control security. The system comprises a data packet capturing module, a security management module, an analysis and processing module and a graphical interface module. The data packet capturing module, the analysis and processing module, the information pushing module and the graphical interface module are mutually independent. The data packet capturing module is connected with the industrial control system and the analysis module, the analysis module is connected with the processing module, and the processing module is connected with the graphical interface module. The security management module is located inside the intrusion detection system and is independent of the other modules. The invention captures and parses the data packets transmitted during communication of the industrial control system in real time, and analyzes the parsed data to judge the current state of the industrial control system. Different prompt messages are sent to technicians according to the judgment. The system responds to intrusions into the industrial control system in a timely manner, accurately identifies various attacks on the industrial control system, and has high real-time performance and accuracy. Meanwhile, the detection system and the industrial control system are separated from each other, so that technicians can learn the condition of the industrial control system remotely, which greatly saves manpower and material resources.

Description

Intrusion detection system in industrial control field based on remote measuring technology
Technical Field
The invention relates to an intrusion detection system based on a remote measuring technology in the industrial control field, and belongs to the technical field of industrial control safety.
Background
An industrial control system is a control system applied in the industrial field. It performs accurate regulation, control and scheduling of the industrial production process by means of computer technology, and plays a vital role in industries such as mining, metallurgy and hydropower. With the development of internet technology, combining industrial control systems with internet technology has become a research hot spot.
The existing framework of the industrial control system did not take security into consideration at the beginning of its design, and many potential security hazards are exposed in the process of combining it with internet technology. For example, the operating system used in an industrial control system is rarely updated or patched, which brings great convenience to an intruder; moreover, the communication protocols used by industrial control systems (such as Modbus) were not designed with security in mind, and some even use plaintext transmission. All these factors mean that the industrial control system cannot be further integrated with internet technology unless the existing industrial control system is updated and upgraded. Applying intrusion detection technology to the industrial control system allows active defense against probing and attack actions aimed at the industrial control system, so that the security of the industrial control system is guaranteed.
However, the existing intrusion detection technology applied to industrial control systems still has some defects: data packets of the internal and external networks cannot be accurately classified, and because the internal and external networks cannot be distinguished under different security conditions, system resources are wasted; in addition, the detection accuracy of existing intrusion detection systems depends on the construction of a model, and once a novel attack is encountered the system cannot respond effectively.
The emerging network telemetry technology integrates data related to the network state by capturing data packets on a network link in real time, and can monitor the state of network equipment in real time and accurately. Combining this technology with intrusion detection technology can greatly make up for the deficiencies of existing intrusion detection systems.
Disclosure of Invention
In view of this, the present invention provides an intrusion detection system in the industrial control field based on telemetry technology. The system uses telemetry technology to capture and parse the data packets transmitted during communication of the industrial control system in real time, classifies each data packet as intranet communication or extranet communication using a built-in classification algorithm, and then processes the classified data packets accordingly, thereby judging the current state of the industrial control system (normal or under attack). The built-in classification algorithm model takes little time to build, can be rapidly deployed in an industrial control system and does not occupy excessive resources; the accuracy of the classification algorithm is high, and the false alarm rate is low; meanwhile, the system supports remote control, so that technicians can learn the current state of the industrial control system in real time, giving high real-time performance.
The system comprises: the system comprises a data packet capturing module, a safety management module, an analysis and processing module and a graphical interface module. The data packet capturing module, the analyzing and processing module, the information pushing module and the graphical interface module are mutually independent. The data packet capturing module is connected with the industrial control system and the analyzing module, the analyzing module is connected with the processing module, and the processing module is connected with the graphical interface module. The safety management module is positioned in the intrusion detection system and is independent of the modules.
The data packet capturing module comprises an external network interface unit, a filtering unit, a storage unit, a data packet information pushing unit and an internal network interface unit. The external network interface unit is responsible for establishing connection with an industrial control system so as to receive data packets; the filtering unit can set specific rules to filter the captured data packets; the data packet information pushing unit is responsible for completely transmitting the captured data packet to the analysis module; the intranet interface unit is responsible for establishing connection with the analysis module.
The external network interface unit comprises connection establishment and connection disconnection. The connection establishment uses a TCP protocol to establish safe and reliable connection with a network of an industrial control system; the disconnection is responsible for safely disconnecting the network connection with the industrial control system after the information transmission is completed, and immediately informing the industrial control system to disconnect the connection of the two parties when the unsafe transmission environment is detected.
The filtering unit is responsible for filtering the captured data packets according to a set rule, discarding the data packets which do not accord with the rule, and enabling the data packets which accord with the rule to smoothly pass through the unit.
The storage unit comprises a receiving process and an encrypted storage process. The receiving process is responsible for receiving the data packets transmitted from the filtering unit, and the encryption storage process is responsible for encrypting the received data packets and storing the encrypted data packets in a local hard disk.
The security management module comprises an encryption algorithm generating unit, a threat identifying unit and a response unit. The encryption algorithm generating unit is responsible for providing encryption algorithms for connection among the units and data storage inside the units; the threat identification unit is responsible for identifying attacks aiming at intrusion detection and generating different information according to an identification result; the response unit is responsible for making different responses according to the information generated by the threat identification unit.
The encryption algorithm generating unit comprises encryption algorithm generation and key storage. The encryption algorithm generation is responsible for receiving the encrypted-storage requirement sent by the storage unit and the internal-communication encryption requirement provided by the information sending module, and for generating a corresponding encryption algorithm for each; the key storage is responsible for storing the generated keys of the encryption algorithms, so that keys are not lost.
The threat identification unit comprises unauthorized access identification and malicious operation identification. The unauthorized access identification is responsible for determining whether access to the intrusion detection system is authorized; the malicious operation identification is responsible for identifying the operation of a worker to judge whether malicious operation exists.
The analysis module comprises a protocol identification unit and an analysis unit. The module is responsible for identifying which communication protocol the received data packet uses and then parsing the packet accordingly.
The protocol identification unit is responsible for identifying the protocol used by the received data packet and preparing for analyzing the data packet later.
The analysis unit is responsible for parsing the data packet. Parsing yields the source IP address, the destination IP address, the source MAC address, the destination MAC address, the type of communication protocol used, the transmission delay and similar fields.
The analysis and processing module comprises a classification unit and an analysis processing unit. The module is responsible for receiving and analyzing the data packets parsed by the analysis unit so as to judge the current state of the industrial control system.
The classification unit is responsible for judging whether a received data packet is used for internal communication or external communication of the industrial control system. The following method is used for the determination.
First, training is carried out: n data packets used for internal communication of the industrial control system are captured, the time delay of each of the n packets is recorded, and the values of all these delays form a set I.
Then n data packets used by the industrial control system for communication with the outside are captured, the time delay of each of these n packets is recorded, and their values form a set O.
The packet is then classified using a built-in classification algorithm.
The formula of the algorithm is:
[Formula image: BDA0002315614690000031]
Here, max_i represents the i-th largest value in set I, and min_i represents the i-th smallest value in set O. If n is set too large, the formula includes past network states in the calculation, and if those states can no longer occur, the accuracy of the calculated threshold is reduced; if n is set too small, the sample size is small and the accuracy of the threshold is also reduced.
The calculated value K is taken as the threshold: if the time delay of a subsequently received data packet is below K, the packet is judged to be used for internal communication of the industrial control system; otherwise it is judged to be used for external communication.
The analysis processing unit is responsible for processing the classified data packets.
The system determines whether the interior of the industrial control system is abnormal by clustering and analyzing the IP addresses, MAC addresses and time delays of the internal communication packets with a Logistic algorithm.
The system judges whether the connection between the industrial control system and the external network is abnormal by clustering and analyzing the MAC addresses and time delays of the external communication packets with a REP-Tree algorithm.
To illustrate the workflow of the analysis processing module in more detail, consider the following example. Suppose the analysis processing module has been trained and has calculated the value of K, and a data packet is captured. The time delay of the packet is compared with K: if the delay is greater than K, the packet is marked as external communication; if it is less than K, the packet is marked as internal communication. A packet marked as external communication is next classified by the REP-Tree algorithm to judge whether the packet is abnormal, from which it can further be judged whether the connection between the industrial control system and the external network is abnormal; a packet marked as internal communication is classified by the Logistic algorithm to judge whether the packet is abnormal, from which it can further be judged whether the interior of the industrial control system is abnormal.
The graphical interface module is composed of a display unit and an alarm unit. The module is responsible for receiving and displaying in real time the system state information output by the analysis unit. An alarm is raised if the system is subjected to an attack.
The display unit can display the whole framework of the industrial control system, simultaneously display the states of all parts of the industrial control system in real time, and can prompt the parts with problems.
The alarm unit consists of two LED display lamps and an alarm bell. When the system is in a normal state, the green light is on; if the system is attacked, the red light is on, and meanwhile, an alarm is sounded to remind technicians to perform corresponding processing.
The invention has the following advantages: it captures and parses the data packets generated in the industrial control system in real time, and analyzes the parsed data to judge the current state of the industrial control system. Different prompt messages are sent to technicians according to the judgment. The system responds to intrusions into the industrial control system in a timely manner, accurately identifies various attacks on the industrial control system, and has high real-time performance and accuracy. Meanwhile, the detection system and the industrial control system are separated from each other, so that technicians can learn the condition of the industrial control system remotely, which greatly saves manpower and material resources.
Drawings
Fig. 1 is an overall framework diagram of the intrusion detection system in the industrial control field based on telemetry technology.
Fig. 2 is a diagram of the data packet parsing performed by the analysis module of the intrusion detection system in the industrial control field based on telemetry technology.
Fig. 3 is a flowchart of the operation of the analysis and processing module of the intrusion detection system in the industrial control field based on telemetry technology.
Fig. 4 is an overall workflow diagram of the intrusion detection system in the industrial control field based on telemetry technology.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the present invention will be described clearly and completely with reference to the accompanying drawings, and it is obvious that the described embodiments are a part of the embodiments of the present invention, but not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, the intrusion detection system in the industrial control field based on the telemetry disclosed in the present invention includes: the system comprises a data packet capturing module, a safety management module, an analysis and processing module and a graphical interface module. The data packet capturing module, the analyzing and processing module, the information pushing module and the graphical interface module are mutually independent. The data packet capturing module is connected with the industrial control system and the analyzing module, the analyzing module is connected with the processing module, and the processing module is connected with the graphical interface module. The safety management module is positioned in the intrusion detection system and is independent of the modules.
As shown in fig. 2, the parsing module includes a protocol identification unit and a parsing unit. The module is responsible for identifying which communication protocol the received data packet uses and then parsing the packet accordingly.
The protocol identification unit is responsible for identifying the protocol used by the received data packet and preparing for analyzing the data packet later. The module can identify protocols such as Modbus, S7, SNMP, HTTP, Telnet, SMB, SMTP, HTTPS, SSH, FTP and TCP.
The parsing unit is responsible for parsing the data packet. Parsing yields the source IP address, the destination IP address, the source MAC address, the destination MAC address, the type of communication protocol used, the transmission delay and similar fields.
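As an added illustration of what the parsing unit extracts (not code from the patent), the following Python parses constructed Ethernet/IPv4/TCP frames, reads off the MAC and IP addresses, identifies the application protocol by well-known port (an assumption; the patent does not say how its protocol identification unit recognises each protocol), and measures transmission delay as the time between a packet and the previous packet in the reverse direction of the same flow (also an assumption). The sample capture, the HMI and PLC addresses and the `DelayTracker` name are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed port table covering the protocols the patent says the unit identifies.
WELL_KNOWN_PORTS = {
    502: "Modbus", 102: "S7", 161: "SNMP", 80: "HTTP", 23: "Telnet",
    445: "SMB", 25: "SMTP", 443: "HTTPS", 22: "SSH", 21: "FTP",
}


@dataclass
class ParsedPacket:
    ts: float        # capture timestamp, seconds
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str    # identified application protocol, or "TCP" when unknown


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_packet(frame: bytes, ts: float) -> Optional[ParsedPacket]:
    """Parse an Ethernet II frame carrying IPv4/TCP; return None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType IPv4
        return None
    dst_mac, src_mac, ip = frame[0:6], frame[6:12], frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 20:           # IP protocol number 6 = TCP
        return None
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    proto = WELL_KNOWN_PORTS.get(dst_port) or WELL_KNOWN_PORTS.get(src_port) or "TCP"
    return ParsedPacket(ts, _mac(src_mac), _mac(dst_mac), _ip(ip[12:16]), _ip(ip[16:20]),
                        src_port, dst_port, proto)


class DelayTracker:
    """Transmission delay (assumed metric): time since the most recent packet
    travelling the opposite way in the same TCP flow, e.g. request to reply."""

    def __init__(self) -> None:
        self._last_seen: Dict[Tuple[str, int, str, int], float] = {}

    def observe(self, p: ParsedPacket) -> Optional[float]:
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        delay = p.ts - self._last_seen[rev] if rev in self._last_seen else None
        self._last_seen[fwd] = p.ts
        return delay


def analyse(capture: List[Tuple[float, bytes]]) -> List[Tuple[ParsedPacket, Optional[float]]]:
    """Parse a (timestamp, frame) capture and attach a delay to every TCP packet."""
    tracker, out = DelayTracker(), []
    for ts, frame in capture:
        p = parse_packet(frame, ts)
        if p is not None:
            out.append((p, tracker.observe(p)))
    return out


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (test input, checksums left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return eth + ip + tcp


# Constructed sample capture: an HMI polls a PLC over Modbus/TCP inside the plant
# network, then fetches a web page from a host outside it (addresses made up).
HMI, PLC, GW = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:ff"
SAMPLE_CAPTURE = [
    (0.000, build_frame(HMI, PLC, "192.168.10.5", "192.168.10.20", 50000, 502,
                        bytes.fromhex("000100000006010300000001"))),      # read one register
    (0.012, build_frame(PLC, HMI, "192.168.10.20", "192.168.10.5", 502, 50000)),
    (1.000, build_frame(HMI, GW, "192.168.10.5", "203.0.113.8", 50001, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1.085, build_frame(GW, HMI, "203.0.113.8", "192.168.10.5", 80, 50001)),
]

if __name__ == "__main__":
    for pkt, delay in analyse(SAMPLE_CAPTURE):
        shown = "-" if delay is None else f"{delay * 1000:.1f} ms"
        print(f"{pkt.protocol:7s} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} delay={shown}")
```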
As shown in fig. 3, the analysis and processing module includes a classification unit and an analysis processing unit. The module is responsible for receiving and analyzing the data packets parsed by the parsing unit so as to judge the current state of the industrial control system.
The classification unit is responsible for judging whether a received data packet is used for internal communication or external communication of the industrial control system. The following method is used for the determination.
First, training is carried out: n data packets used for internal communication of the industrial control system are captured, the time delay of each of the n packets is recorded, and the values of all these delays form a set I.
Then n data packets used by the industrial control system for communication with the outside are captured, the time delay of each of these n packets is recorded, and their values form a set O.
The packet is then classified using a built-in K classification algorithm.
The formula of the algorithm is:
[Formula image: BDA0002315614690000061]
Here, max_i represents the i-th largest value in set I, and min_i represents the i-th smallest value in set O. If n is too large, the formula includes past network states in the calculation, and since those states can no longer occur, the accuracy of the calculated threshold is reduced; if n is too small, the sample size is small and the accuracy of the threshold is also reduced.
The calculated value K is taken as the threshold: if the time delay of a subsequently received data packet is below K, the packet is judged to be used for internal communication of the industrial control system; otherwise it is judged to be used for external communication.
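As an added illustration of the classification unit (not the patent's own code), the following Python keeps the most recent n internal and n external delays as the sets I and O, derives a threshold K from the largest delays in I and the smallest delays in O, and classifies later packets by the rule above; it also shows the n caveat, since stale samples left in the window make I and O overlap. Because the patent's formula for K survives here only as an image, the threshold used is an assumed stand-in (the midpoint between the mean of the m largest values of I and the mean of the m smallest values of O, with m a parameter introduced here), and all delay values are constructed.

```python
from collections import deque
from statistics import mean
from typing import Deque, Dict, Iterable, Tuple


class DelayClassifier:
    def __init__(self, n: int, m: int = 3) -> None:
        self.n = n                                # training window: newest n delays kept per set
        self.m = m                                # number of extreme values averaged (assumed)
        self.I: Deque[float] = deque(maxlen=n)    # delays of internal packets, ms
        self.O: Deque[float] = deque(maxlen=n)    # delays of external packets, ms

    def train_internal(self, delay_ms: float) -> None:
        self.I.append(delay_ms)                   # the oldest sample is dropped once n are stored

    def train_external(self, delay_ms: float) -> None:
        self.O.append(delay_ms)

    def separable(self) -> bool:
        """True when every internal delay is below every external delay, i.e. a
        single threshold can split the training data without error."""
        return bool(self.I) and bool(self.O) and max(self.I) < min(self.O)

    def threshold(self) -> float:
        """Assumed stand-in for K: midpoint between mean(max_1..max_m of I)
        and mean(min_1..min_m of O)."""
        if len(self.I) < self.m or len(self.O) < self.m:
            raise ValueError(f"need at least {self.m} samples in both I and O")
        top_i = sorted(self.I, reverse=True)[: self.m]     # max_1 .. max_m of I
        bottom_o = sorted(self.O)[: self.m]                # min_1 .. min_m of O
        return (mean(top_i) + mean(bottom_o)) / 2

    def classify(self, delay_ms: float) -> str:
        """Patent rule: delay below K means internal communication, otherwise external."""
        return "internal" if delay_ms < self.threshold() else "external"


def train(n: int, internal: Iterable[float], external: Iterable[float], m: int = 3) -> DelayClassifier:
    clf = DelayClassifier(n, m)
    for d in internal:
        clf.train_internal(d)
    for d in external:
        clf.train_external(d)
    return clf


def evaluate(clf: DelayClassifier, labelled: Iterable[Tuple[float, str]]) -> Tuple[int, int]:
    """Return (errors, false alarms). A false alarm is an internal packet classified
    as external, which sends it to the external-connection analysis needlessly."""
    errors = false_alarms = 0
    for delay_ms, label in labelled:
        if clf.classify(delay_ms) != label:
            errors += 1
            if label == "internal":
                false_alarms += 1
    return errors, false_alarms


# Constructed training delays (ms): internal traffic sits well below external traffic.
INTERNAL_DELAYS = [0.4, 0.6, 0.5, 0.7, 0.55]
EXTERNAL_DELAYS = [15.0, 12.0, 18.0, 14.0, 20.0]
# Constructed history for the n caveat: an older link configuration once produced
# internal delays above today's external delays, and those samples came first.
STALE_INTERNAL = [25.0, 30.0] + INTERNAL_DELAYS


def demo() -> Dict[str, object]:
    good = train(5, INTERNAL_DELAYS, EXTERNAL_DELAYS)
    stale = train(7, STALE_INTERNAL, EXTERNAL_DELAYS)      # n too large: stale samples stay in I
    windowed = train(5, STALE_INTERNAL, EXTERNAL_DELAYS)   # n sized to the current state
    return {
        "K": good.threshold(),
        "separable": good.separable(),
        "stale_separable": stale.separable(),
        "windowed_separable": windowed.separable(),
        "eval": evaluate(good, [(0.9, "internal"), (11.0, "external"), (8.0, "internal")]),
    }


if __name__ == "__main__":
    print(demo())
```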
The analysis processing unit is responsible for processing the classified data packets.
The system determines whether the interior of the industrial control system is abnormal by clustering and analyzing the IP addresses, MAC addresses and time delays of the internal communication packets with a Logistic algorithm.
The system judges whether the connection between the industrial control system and the external network is abnormal by clustering and analyzing the MAC addresses and time delays of the external communication packets with a REP-Tree algorithm.
As shown in fig. 4, the data packet capturing module includes an external network interface unit, a filtering unit, a storage unit, a data packet information pushing unit, and an internal network interface unit. The external network interface unit is responsible for establishing connection with an industrial control system so as to receive data packets; the filtering unit can set specific rules to filter the captured data packets; the data packet information pushing unit is responsible for completely transmitting the captured data packet to the analysis module; the intranet interface unit is responsible for establishing connection with the analysis module.
The external network interface unit comprises connection establishment and connection disconnection. The connection establishment uses a TCP protocol to establish safe and reliable connection with a network of an industrial control system; the disconnection is responsible for safely disconnecting the network connection with the industrial control system after the information transmission is completed, and immediately informing the industrial control system to disconnect the connection of the two parties when the unsafe transmission environment is detected.
The filtering unit is responsible for filtering the captured data packets according to a set rule, discarding the data packets which do not accord with the rule, and enabling the data packets which accord with the rule to smoothly pass through the unit.
The storage unit comprises a receiving process and an encrypted storage process. The receiving process is responsible for receiving the data packets transmitted from the filtering unit, and the encryption storage process is responsible for encrypting the received data packets and storing the encrypted data packets in a local hard disk.
The security management module comprises an encryption algorithm generating unit, a threat identifying unit and a response unit. The encryption algorithm generating unit is responsible for providing encryption algorithms for connection among the units and data storage inside the units; the threat identification unit is responsible for identifying attacks aiming at intrusion detection and generating different information according to an identification result; the response unit is responsible for making different responses according to the information generated by the threat identification unit.
The encryption algorithm generating unit comprises encryption algorithm generation and key storage. The encryption algorithm generation is responsible for receiving the encrypted-storage requirement sent by the storage unit and the internal-communication encryption requirement provided by the information sending module, and for generating a corresponding encryption algorithm for each; the key storage is responsible for storing the generated keys of the encryption algorithms, so that keys are not lost.
The threat identification unit comprises unauthorized access identification and malicious operation identification. The unauthorized access identification is responsible for determining whether access to the intrusion detection system is authorized; the malicious operation identification is responsible for identifying the operation of a worker to judge whether malicious operation exists.
The graphical interface module is composed of a display unit and an alarm unit. The module is responsible for receiving and displaying in real time the system state information output by the analysis unit. An alarm is raised if the system is subjected to an attack.
The display unit can display the whole framework of the industrial control system, simultaneously display the states of all parts of the industrial control system in real time, and can prompt the parts with problems.
The alarm unit consists of two LED display lamps and an alarm bell. When the system is in a normal state, the green light is on; if the system is attacked, the red light is on, and meanwhile, an alarm is sounded to remind technicians to perform corresponding processing.
The embodiments of the present invention have been described in detail, and the principles and embodiments of the present invention are explained in detail herein using specific embodiments, which are merely used to help understand the principles of the present invention; meanwhile, for a person skilled in the art, the embodiment of the present invention may be changed in the specific implementation manner and the application scope, and in summary, the content of the present description should not be construed as limiting the present invention.

Claims (12)

1. An intrusion detection system in the industrial control field based on telemetry technology, characterized by comprising a data packet capturing module, a security management module, an analysis and processing module and a graphical interface module. The data packet capturing module, the analysis and processing module, the information pushing module and the graphical interface module are mutually independent. The data packet capturing module is connected with the industrial control system and the analysis module, the analysis module is connected with the processing module, and the processing module is connected with the graphical interface module. The security management module is located inside the intrusion detection system and is independent of the other modules.
2. The system of claim 1, wherein the packet capture module comprises an extranet interface unit, a filtering unit, a storage unit, a packet information pushing unit, and an intranet interface unit. The external network interface unit is responsible for establishing connection with an industrial control system so as to receive data packets; the filtering unit can set specific rules to filter the captured data packets; the data packet information pushing unit is responsible for completely transmitting the captured data packet to the analysis module; the intranet interface unit is responsible for establishing connection with the analysis module.
3. The system of claim 2, wherein the extranet interface unit comprises connection establishment and connection disconnection. The connection establishment uses a TCP protocol to establish safe and reliable connection with a network of an industrial control system; the disconnection is responsible for safely disconnecting the network connection with the industrial control system after the information transmission is completed, and immediately informing the industrial control system to disconnect the connection of the two parties when the unsafe transmission environment is detected.
4. The system of claim 2, wherein the filtering unit is configured to filter the captured packets according to a predetermined rule, discard packets that do not meet the predetermined rule, and allow packets that do meet the predetermined rule to pass through the filtering unit. The storage unit comprises a receiving process and an encrypted storage process. The receiving process is responsible for receiving the data packets transmitted from the filtering unit, and the encryption storage process is responsible for encrypting the received data packets and storing the encrypted data packets in a local hard disk.
5. The system of claim 1, wherein the security management module comprises an encryption algorithm generation unit, a threat identification unit, and a response unit. The encryption algorithm generating unit is responsible for providing encryption algorithms for connection among the units and data storage inside the units; the threat identification unit is responsible for identifying attacks aiming at intrusion detection and generating different information according to an identification result; the response unit is responsible for making different responses according to the information generated by the threat identification unit.
6. The system of claim 5, wherein the encryption algorithm generating unit comprises encryption algorithm generation and key storage. The encryption algorithm generation is responsible for receiving the encrypted-storage requirement sent by the storage unit and the internal-communication encryption requirement provided by the information sending module, and for generating a corresponding encryption algorithm for each; the key storage is responsible for storing the generated keys of the encryption algorithms, so that keys are not lost. The threat identification unit comprises unauthorized access identification and malicious operation identification. The unauthorized access identification is responsible for determining whether access to the intrusion detection system is authorized; the malicious operation identification is responsible for identifying the operations of a worker to judge whether malicious operation exists.
7. The system of claim 1, wherein the parsing module comprises a protocol recognition unit and a parsing unit. The parsing module is responsible for identifying which communication protocol a received data packet uses and then parsing the data packet accordingly.
8. The system of claim 7, wherein the protocol recognition unit is responsible for recognizing the protocol used by the received data packet in preparation for parsing it. The unit can identify protocols such as Modbus, S7, SNMP, HTTP, Telnet, SMB, SMTP, HTTPS, SSH, FTP and TCP. The parsing unit is responsible for parsing the data packet. The source IP address, destination IP address, source MAC address, destination MAC address, type of communication protocol used, transmission delay and so on can be obtained by parsing.
9. The system of claim 1, wherein the analysis and processing module comprises a classification unit and an analysis processing unit. The module is responsible for receiving the data packets parsed by the parsing unit and analyzing them in order to judge the current state of the industrial control system.
10. The system of claim 9, wherein the classification unit is responsible for determining whether a received data packet belongs to internal communication of the industrial control system or to communication with the outside. The determination uses the following method.
First, training is carried out: n data packets used for internal communication of the industrial control system are captured, the time delay of each of the n packets is recorded, and the set of these delay values is taken as set I.
Then n data packets used by the industrial control system for communication with the outside are captured, the time delay of each of the n packets is recorded, and the set of these delay values is taken as set O.
Packets are then classified using the built-in classification algorithm.
The formula of the algorithm is
Figure FDA0002315614680000031
where max_i represents the i-th largest value in set I and min_i represents the i-th smallest value in set O. If n is set too large, the formula includes past network states in the calculation range, states that will no longer occur, which reduces the accuracy of the calculated threshold; if n is set too small, the sample size is small and the accuracy of the threshold is likewise reduced.
The calculated value K is taken as the threshold: if the time delay of a subsequently received data packet is lower than K, the packet is used for internal communication of the industrial control system; otherwise, it is used for communication with the outside.
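The delay-threshold classifier of claim 10, as an added example that is not part of the patent. The patent's formula for K survives on this page only as an image, so the combination rule used here (the mean over i of the midpoint between max_i of I and min_i of O) is an assumption, as are the sample delays, which are constructed; keeping only the newest n samples shows how the window size n controls how far back the "past network state" reaches.

```python
from statistics import mean

# Constructed sample data (not from the patent), delays in milliseconds.
# Set I: internal ICS traffic. The first four samples come from an earlier
# congested period that no longer reflects the network; the rest are current.
INTERNAL_DELAYS = [14.0, 15.5, 13.8, 16.2, 1.2, 0.9, 1.5, 1.1, 1.3, 0.8, 1.4, 1.0]
# Set O: traffic between the ICS and the outside network.
EXTERNAL_DELAYS = [18.0, 25.5, 21.2, 30.1, 19.8, 24.4, 27.0, 22.3, 20.6, 23.9, 26.1, 28.4]


def threshold_k(internal, external, n):
    """Compute the threshold K from the newest n samples of each set.

    Assumed combination rule (the patent's formula is only an image): average,
    over i = 1..n, the midpoint between the i-th largest internal delay
    (max_i of I) and the i-th smallest external delay (min_i of O).
    """
    if n < 1 or n > min(len(internal), len(external)):
        raise ValueError("n must lie between 1 and the smaller sample size")
    max_i = sorted(internal[-n:], reverse=True)  # max_1 >= max_2 >= ... >= max_n
    min_i = sorted(external[-n:])                # min_1 <= min_2 <= ... <= min_n
    return mean((max_i[i] + min_i[i]) / 2 for i in range(n))


def classify(delay, k):
    """Delay below K means internal communication, otherwise external."""
    return "internal" if delay < k else "external"


def window_effect(delay, small_n, large_n):
    """Classify one delay under two window sizes to expose the n trade-off."""
    return {n: classify(delay, threshold_k(INTERNAL_DELAYS, EXTERNAL_DELAYS, n))
            for n in (small_n, large_n)}


if __name__ == "__main__":
    for n in (8, 12):
        k = threshold_k(INTERNAL_DELAYS, EXTERNAL_DELAYS, n)
        print(f"n={n:2d}  K={k:.3f} ms")
    # A 13.5 ms external packet (constructed) sits near the boundary: the
    # 8-sample window calls it external, while the 12-sample window, polluted
    # by the old congested period, raises K enough to mislabel it as internal.
    print(window_effect(13.5, 8, 12))
```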
The analysis processing unit is responsible for processing the classified data packets.
The system determines whether the interior of the industrial control system is abnormal by cluster analysis of the IP address, MAC address and time delay in the internal communication data packets using a Logistic algorithm.
The system determines whether the connection between the industrial control system and the external network is abnormal by cluster analysis of the MAC address and time delay in the external communication data packets using a REP-Tree algorithm.
11. The system of claim 1, wherein the graphical interface module comprises a display unit and an alarm unit. The module is responsible for receiving and displaying in real time the system state information output by the analysis unit, and for raising an alarm if the system is under attack.
12. The system of claim 11, wherein the display unit is capable of displaying the entire structure of the industrial control system, displaying the status of each part of the industrial control system in real time, and highlighting the parts that have problems.
CN201911276194.7A 2019-12-12 2019-12-12 Intrusion detection system in industrial control field based on remote measuring technology Active CN110995733B (en)


Publications (2)

Publication Number Publication Date
CN110995733A true CN110995733A (en) 2020-04-10
CN110995733B CN110995733B (en) 2022-10-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant