CN111193727A - Operation monitoring system and operation monitoring method - Google Patents


Info

Publication number: CN111193727A
Authority: CN (China)
Prior art keywords: industrial equipment, vulnerability, submodule, industrial, information
Legal status: Pending
Application number: CN201911336250.1A
Other languages: Chinese (zh)
Inventor: 雷承霖
Current assignee: Chengdu Fengchuang Technology Co Ltd
Original assignee: Chengdu Fengchuang Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/048 Monitoring; Safety


Abstract

The application belongs to the technical field of industrial control and discloses an operation monitoring system and an operation monitoring method. The system comprises: an acquisition module, used for acquiring the IP information of the industrial equipment and, according to that IP information, scanning for and determining the industrial equipment currently in a running state; a determining module, used for sending a communication protocol data packet to the industrial equipment currently in a running state and for receiving and analyzing the running information fed back by the industrial equipment in response to that packet; and a monitoring module, used for searching a preset vulnerability database according to the fed-back operation information and determining the operation vulnerabilities of the industrial equipment. Through the method and the device, the potential operation vulnerabilities of the industrial equipment can be found quickly and accurately, so that the safe operation of all industrial equipment in a running state across the whole industrial control system is monitored, and the security of the whole industrial control system is improved.

Description

Operation monitoring system and operation monitoring method
Technical Field
The application belongs to the technical field of industrial control, and particularly relates to an operation monitoring system and an operation monitoring method.
Background
With the convergence and development of industrial networks, industrial control systems are gradually moving from physically isolated, closed deployments to open, interconnected ones. As a result, conventional cyber attack behaviour is gradually penetrating industrial control networks: the sources of security threats to industrial control systems are broader, and their security situation is more severe. In addition, because the industrial communication protocols used by industrial control systems are relatively simple, and industrial operating systems and industrial software lack strong security measures, the vulnerabilities of an industrial control system are easily exploited by malicious actors. Furthermore, an industrial control system is often deployed with numerous devices spread over a wide geographic area, and many industrial devices are connected directly to the internet, so the industrial control system carries great potential security hazards.
Moreover, in the related art there is no method for quickly and accurately finding the potential operation vulnerabilities of each industrial device, so the security of the whole industrial control system cannot be ensured at all.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present application and therefore may include information that does not constitute prior art known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the embodiment of the present application provides an operation monitoring system and an operation monitoring method, so as to solve the technical problem that the potential operation vulnerabilities of each industrial device cannot be found out quickly and accurately in the prior art.
In a first aspect of the present application, there is provided an operation monitoring system, comprising: the device comprises an acquisition module, a determination module and a monitoring module;
the acquisition module comprises an IP list acquisition submodule and an IP scanning submodule, wherein the IP list acquisition submodule is used for acquiring IP information of the industrial equipment, and the IP scanning submodule is used for scanning and determining the industrial equipment in the current running state according to the IP information of the industrial equipment;
the determining module comprises a sending submodule and a receiving submodule, wherein the sending submodule is used for sending a communication protocol data packet to the industrial equipment in the current running state, and the receiving submodule is used for receiving and analyzing the running information fed back by the industrial equipment in response to the communication protocol data packet;
the monitoring module comprises a searching submodule for searching a preset vulnerability database according to the feedback operation information and determining the operation vulnerability of the industrial equipment.
In some embodiments of the present application, the determining module further comprises: the system comprises at least 2 plug-in sub-modules corresponding to different communication protocol types and a configuration sub-module corresponding to the plug-in sub-modules, wherein the plug-in sub-modules are used for sending data packets corresponding to communication protocol formats to the industrial equipment according to the corresponding communication protocol types, and the configuration sub-module is used for setting the communication protocol types, the scanning rates and the scanning periods corresponding to the plug-in sub-modules.
In some embodiments of the present application, the operation monitoring system further comprises: a display module, used for distinguishing and displaying the operation vulnerabilities of the industrial equipment according to a preset mode.
In some embodiments of the present application, the operation monitoring system further comprises: and the risk management module comprises a safety index calculation submodule, and the safety index calculation submodule is used for calculating the safety index of the industrial equipment according to the risk level of the operation vulnerability of the industrial equipment and the preset weight of each operation vulnerability risk level.
In some embodiments of the present application, the risk management module further comprises: and the vulnerability repairing submodule is used for determining a vulnerability repairing scheme of the industrial equipment according to the operation vulnerability type of the industrial equipment and the security index of the industrial equipment.
In some embodiments of the present application, the operation monitoring system further comprises: a data transmission module, used for uploading the operation information of the industrial equipment, its operation vulnerabilities and the repair schemes corresponding to those vulnerabilities to a specified platform.
In some embodiments of the present application, the operation monitoring system further comprises: the management module comprises a historical information management submodule, a user information management submodule and a system management submodule, wherein the historical information management submodule is used for managing historical operation information of the industrial equipment and carrying out risk marking on the industrial equipment, the user information management submodule is used for carrying out information management on a user using the operation monitoring system, and the system management submodule is used for carrying out use authority distribution on the user using the operation monitoring system.
In a second aspect of the present application, there is provided an operation monitoring method, the method including:
acquiring IP information of industrial equipment;
scanning and determining the industrial equipment in the current running state according to the IP information of the industrial equipment;
sending a communication protocol data packet to the industrial equipment in the current running state;
receiving and analyzing the operation information fed back by the industrial equipment in response to the communication protocol data packet;
and searching a preset vulnerability database according to the feedback operation information, and determining the operation vulnerability of the industrial equipment.
In some embodiments of the present application, the sending the communication protocol data packet to the industrial device in the operating state includes:
and predetermining the communication protocol type of the industrial equipment, and sending a data packet in a corresponding communication protocol format to the industrial equipment.
In some embodiments of the present application, the method further comprises:
calculating to obtain a security index of the industrial equipment according to the risk level of the operation vulnerability of the industrial equipment and the preset weight of each operation vulnerability risk level;
and determining a vulnerability repair scheme of the industrial equipment according to the operation vulnerability type of the industrial equipment and the security index of the industrial equipment.
Compared with the prior art, the embodiment of the application has the following advantages: first, the IP information of all industrial equipment in the operation monitoring system is acquired; the industrial equipment in a running state is then determined by scanning according to that IP information; a communication protocol data packet is then sent to the industrial equipment in a running state; the operation information fed back by the industrial equipment in response to the packet is received and analyzed; and finally a preset vulnerability database is searched according to the fed-back operation information to determine the operation vulnerabilities of the industrial equipment. In this way, automatic and effective monitoring of all industrial equipment in a running state is achieved. With this technical scheme, the potential operation vulnerabilities of the industrial equipment can be found quickly and accurately, so that the safe operation of all industrial equipment in a running state across the whole industrial control system is monitored, and the security of the whole industrial control system is improved.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic diagram of the system architecture in which an operation monitoring system and an operation monitoring method according to an embodiment of the present application are applied;
Fig. 2 is a schematic diagram illustrating the structural relationship of the modules of an operation monitoring system according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of an operation monitoring method in one embodiment of the present application;
Fig. 4 is a schematic flow chart of another operation monitoring method in one embodiment of the present application;
Fig. 5 is a schematic block diagram of a monitoring server in an embodiment of the present application.
Detailed Description
In order to make the objects, features and advantages of the present invention more apparent and understandable, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the embodiments described below are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon", "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted contextually to mean "upon determining", "in response to determining", "upon detecting [described condition or event]" or "in response to detecting [described condition or event]".
In addition, in the description of the present application, the terms "first," "second," "third," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
Fig. 1 is a schematic diagram of the system architecture in which an operation monitoring system and an operation monitoring method provided in an embodiment of the present application are applied. The system architecture comprises a monitoring server 1, at least 2 industrial devices 2 and a general monitoring platform 3. The monitoring server 1 may be an operation monitoring apparatus preset by a user; the general monitoring platform 3 is a general platform for monitoring the monitoring servers 1. The general monitoring platform 3 is connected with the monitoring servers 1 through a network unit 6, and the monitoring servers 1 are in turn connected with the industrial equipment 2 through the network unit 6. The network unit 6 may comprise various connection types, such as wired communication links, wireless communication links, and so on. The general monitoring platform 3 may issue the latest potential operation vulnerabilities to the monitoring server 1, so that the monitoring server 1 adds them to the vulnerability database stored in the general monitoring platform.
Fig. 2 is a schematic diagram illustrating a structural relationship between modules of an operation monitoring system according to an embodiment of the present application, where the operation monitoring system may be executed by the monitoring server 1 in fig. 1, and the operation monitoring system at least includes: an acquisition module 210, a determination module 220, and a monitoring module 230;
the obtaining module 210 includes an IP list obtaining submodule and an IP scanning submodule, where the IP list obtaining submodule is configured to obtain IP information of an industrial device, and the IP scanning submodule is configured to scan and determine an industrial device currently in a running state according to the IP information of the industrial device.
It can be understood that the IP list obtaining sub-module is configured to obtain the IP information of the industrial device; specifically, the IP information may be obtained from a channel such as the general monitoring platform 3. The IP information includes the IP address, port identification, etc.
The IP scanning submodule is used for scanning for and determining the industrial equipment currently in a running state according to the IP information of the industrial equipment. Specifically, the IP scanning sub-module may perform batch IP scanning according to the IP information of the industrial device, where the scanning manner includes, but is not limited to, Ping, TCP connect and the like, so as to detect the industrial devices currently in a running state. For example, whether an industrial device is in a running state can be detected by sending it a request packet such as an ICMP echo, an ICMP timestamp, a TCP connect or a SYN, and checking whether the device receives the request packet and sends back a response packet.
In an embodiment of the present application, the IP information may be divided into different IP ranges according to the geographic areas of the industrial equipment, forming an IP address library that the IP scanning sub-module can conveniently consult. Of course, the IP information may also be imported by the user from a customized IP list library or predetermined in other ways.
The determining module 220 includes a sending submodule and a receiving submodule, where the sending submodule is configured to send a communication protocol data packet to the industrial device currently in the operating state, and the receiving submodule is configured to receive and analyze operation information fed back by the industrial device in response to the communication protocol data packet.
It is understood that after determining the industrial device in the operating state, the sending submodule in the determination module may send a communication protocol data packet to the industrial device.
It can be understood that the receiving sub-module is configured to receive and parse the operation information fed back by the industrial equipment in response to the communication protocol data packet. For example, the communication protocol data packet includes a request to access a certain port service on the industrial device; when the industrial device receives the packet, it searches a pre-stored port access authority table, and if it finds that the packet has the authority to access the port, it returns a corresponding response data packet to the monitoring server as its response information. The receiving submodule can parse the response data packet to obtain the operation information of the industrial equipment. The operation information may include one or more of the following: an industrial device type identification, the industrial device model, an industrial device manufacturer identification, an identification of the software version used by the industrial device, an industrial device ownership identification, longitude and latitude information, and the like. Conversely, if the industrial device searches the pre-stored port access authority table and finds that the packet does not have the authority to access the port, or the corresponding port is in an abnormal state such as service suspension, no response data packet is returned to the monitoring server.
In one embodiment of the present application, the determining module further comprises: at least 2 plug-in sub-modules corresponding to different communication protocol types and a configuration sub-module corresponding to the plug-in sub-modules, wherein the plug-in sub-modules are used for sending data packets in the corresponding communication protocol format to the industrial equipment according to the corresponding communication protocol type, and the configuration sub-module is used for setting the communication protocol type, the scanning rate and the scanning period corresponding to each plug-in sub-module.
It is to be understood that although every industrial device is connected to the monitoring server via a network, not all industrial devices use the same communication protocol. It is therefore necessary to determine in advance a communication protocol suitable for each industrial device. Specifically, a plug-in sub-module may be used to send a data packet in the format specified by the corresponding communication protocol to the industrial device according to that protocol type, so the determining module can send packets of the appropriate protocol to industrial devices using different protocols through a plurality of plug-in sub-modules of different protocol types. The plug-in sub-modules can include industrial communication protocol plug-ins such as an OPC UA plug-in sub-module, a Modbus plug-in sub-module and an IEC 61850 plug-in sub-module.
It can be understood that the configuration submodule is configured to set the communication protocol type, the scanning rate and the scanning period corresponding to each plug-in submodule. Presetting the communication protocol type of a plug-in sub-module makes it convenient to send, accurately, a data packet that a specific type of industrial equipment can receive and respond to. Presetting the scanning rate of a plug-in sub-module avoids packet loss caused by scanning the industrial equipment too fast. Presetting the scanning period of a plug-in sub-module lets the scanning task run at a preset rhythm, which guarantees the timeliness of the acquired data packets.
In an embodiment of the application, the ports of each industrial device may be ranked according to parameters such as the historical total number of accesses and the average daily number of accesses per port, so as to obtain a port access sequence table.
This has the advantage that probe packets can be sent to the ports of the industrial device in the order given by the port access sequence table, thereby shortening the total probe time for the device.
The monitoring module 230 includes a searching sub-module, configured to search a pre-configured vulnerability database according to the fed back operation information, and determine the operation vulnerability of the industrial device.
The searching submodule is used for searching a preset vulnerability database according to the fed-back operation information to determine the operation vulnerabilities of the industrial equipment. Specifically, the monitoring module may determine the potential operation vulnerabilities that the industrial device may have at the current time from the fed-back operation information and the preconfigured vulnerability database. For example, the software version identifier used by the industrial equipment is combined with the vulnerability list information held for each software version in the preconfigured vulnerability database to work out the potential operation vulnerabilities of the industrial equipment at the current moment.
The operation vulnerability of the industrial equipment comprises but is not limited to the following information: vulnerability names, vulnerability types, vulnerability influence ranges and the like of the industrial equipment.
In one embodiment of the present application, the operation monitoring system further includes: and the risk management module comprises a safety index calculation submodule, and the safety index calculation submodule is used for calculating the safety index of the industrial equipment according to the risk level of the operation vulnerability of the industrial equipment and the preset weight of each operation vulnerability risk level.
It is understood that the category of the operation vulnerability can be classified into different levels according to the risk, such as a level a, a level B, a level C, and a level D. Meanwhile, different weighted values can be preset for each risk level according to the hazard degree of each risk level. For example, a weight of 0.1 is assigned to level a risk, a weight of 0.2 is assigned to level B risk, a weight of 0.3 is assigned to level C risk, and a weight of 0.4 is assigned to level D risk. Thereafter, a safety index for the industrial equipment may be calculated based on the risk levels and the weights corresponding to the respective risk levels.
In another embodiment of the present application, the risk management module may generate a potential security risk prompt list and/or a potential security risk statistical report according to the monitoring result, thereby implementing risk quantification.
In one embodiment of the present application, the risk management module further comprises: and the vulnerability repairing submodule is used for determining a vulnerability repairing scheme of the industrial equipment according to the operation vulnerability type of the industrial equipment and the security index of the industrial equipment.
The vulnerability repairing sub-module is used for determining the vulnerability repairing scheme of the industrial equipment according to the operation vulnerability category of the industrial equipment and the security index of the industrial equipment. For example, when the operation vulnerability category of the industrial equipment is an injection vulnerability and the security index of the industrial equipment is greater than 0.5 and less than 0.8, the corresponding vulnerability repairing scheme is: filter the parameters to ensure that the input information is legal. For another example, when the operation vulnerability category of the industrial device is a business logic vulnerability and the security index of the industrial device is greater than 0.5 and less than 0.8, the corresponding vulnerability repairing scheme is: verify the business process at least twice, so that logic errors are prevented. For another example, when the operation vulnerability category of the industrial device is a system vulnerability, the corresponding vulnerability repairing scheme, whatever the security index of the industrial device, is: upgrade the patch.
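The monitoring-module lookup, the weighted security index and the repair-scheme selection described in the three paragraphs above, run end to end over constructed data. This is an added example, not code from the patent or its assignee; it assumes a "key=value;" text record as the parsed response format and, since the description gives no aggregation rule, takes the security index to be the sum of the weights of the vulnerabilities found, capped at 1.0 (higher means more exposed). Vulnerability names and version identifiers are placeholders.

```python
# Added example (not the patent's code): monitoring-module lookup, weighted
# security index and repair-scheme selection over constructed data.
# Assumptions (the description gives neither): the response is a
# "key=value;key=value" text record, and the index is the sum of the weights
# of the vulnerabilities found, capped at 1.0 (higher = more exposed).
from dataclasses import dataclass

# Weights per risk level, as given in the description (A=0.1 ... D=0.4).
RISK_WEIGHTS = {"A": 0.1, "B": 0.2, "C": 0.3, "D": 0.4}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    category: str                 # "injection", "business_logic" or "system"
    level: str                    # risk level A, B, C or D
    affected_versions: frozenset  # software version identifiers it applies to


# Constructed vulnerability database; the description searches "vulnerability
# list information of each software version", so entries carry the versions
# they affect. Names and versions are placeholders, not real advisories.
VULN_DB = [
    Vulnerability("EXAMPLE-INJ-1", "injection", "D", frozenset({"fw-2.1"})),
    Vulnerability("EXAMPLE-LOGIC-1", "business_logic", "B", frozenset({"fw-2.1"})),
    Vulnerability("EXAMPLE-SYS-1", "system", "A", frozenset({"fw-1.0", "fw-1.1"})),
]

# Fields the description lists as operation information.
KNOWN_FIELDS = {"device_type", "model", "manufacturer", "software_version",
                "owner", "latitude", "longitude"}


def parse_operation_info(response: str) -> dict:
    """Parse a constructed 'key=value;key=value' response into operation info.

    Unknown keys are ignored and a malformed item (no '=') is skipped rather
    than raising, so one bad field cannot stop the lookup for a whole device.
    """
    info = {}
    for item in response.strip().strip(";").split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if key in KNOWN_FIELDS and value:
            info[key] = value
    return info


def find_vulnerabilities(info: dict, db: list) -> list:
    """Search the database by the fed-back software version identifier."""
    version = info.get("software_version")
    if version is None:  # nothing to match on: report nothing, not everything
        return []
    return [v for v in db if version in v.affected_versions]


def security_index(vulns: list) -> float:
    """Sum of the preset weights of the found vulnerabilities, capped at 1.0.

    The aggregation rule is an assumption of this example.
    """
    total = sum(RISK_WEIGHTS[v.level] for v in vulns)
    return round(min(total, 1.0), 2)


def repair_scheme(vuln: Vulnerability, index: float) -> str:
    """Pick the repair scheme using the rules the description gives as examples."""
    if vuln.category == "system":
        # Patching applies whatever the index is.
        return "upgrade the patch"
    if 0.5 < index < 0.8:
        if vuln.category == "injection":
            return "filter parameters to ensure the input is legal"
        if vuln.category == "business_logic":
            return "verify the business process at least twice to prevent logic errors"
    # The description defines no scheme for other combinations.
    return "no scheme defined"


def monitor_device(response: str, db: list = VULN_DB) -> dict:
    """Full monitoring-module pass for one device: parse, look up, score, plan."""
    info = parse_operation_info(response)
    vulns = find_vulnerabilities(info, db)
    index = security_index(vulns)
    return {
        "info": info,
        "vulnerabilities": [v.name for v in vulns],
        "security_index": index,
        "repair_schemes": {v.name: repair_scheme(v, index) for v in vulns},
    }


if __name__ == "__main__":
    # Constructed response record standing in for a parsed protocol reply.
    sample = "device_type=PLC;model=X-100;manufacturer=ExampleCo;software_version=fw-2.1;"
    print(monitor_device(sample))
```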
In one embodiment of the present application, the operation monitoring system further includes: a display module, used for distinguishing and displaying the operation vulnerabilities of the industrial equipment according to a preset mode.
The display module is used for distinguishing and displaying the operation vulnerabilities of the industrial equipment according to a preset mode. Specifically, the display module may highlight information such as the operation state, the operation vulnerabilities and the corresponding repair schemes of the industrial equipment on a preset area map. Of course, different colours, colour depths and the like can be used to distinguish vulnerability risks of different levels, so that monitoring personnel can intuitively see how vulnerability risk is distributed across the whole industrial system.
In one embodiment of the present application, the operation monitoring system further includes: a data transmission module, used for uploading the operation information of the industrial equipment, its operation vulnerabilities and the repair schemes corresponding to those vulnerabilities to a specified platform.
It is to be understood that the data transmission module uploads the operation information, the operation vulnerabilities and the corresponding repair schemes of the industrial equipment to a specified platform, for example a national-level platform, a provincial-level platform, and so on.
This has the advantage that the specified platform can conveniently perform big-data analysis on the monitoring results of the monitoring servers, and can sort out the data on the vulnerabilities that are currently widespread and those of higher risk across the monitoring servers.
In one embodiment of the present application, the operation monitoring system further includes a management module, which comprises a historical information management submodule, a user information management submodule and a system management submodule. The historical information management submodule is used for managing historical operation information of the industrial equipment and risk-marking the industrial equipment; the user information management submodule is used for managing information about users of the operation monitoring system; and the system management submodule is used for assigning use permissions to users of the operation monitoring system.
It can be understood that the user information management sub-module manages information about users of the operation monitoring system, for example, viewing of user login logs. The system management submodule assigns use permissions to users of the operation monitoring system, for example, the range of operation logs a user is permitted to view. The operation log may be a record of operation behaviors such as risk calibration and risk confirmation performed on the industrial equipment.
Fig. 3 is a flowchart of an operation monitoring method provided in an embodiment of the present application. The operation monitoring method includes the following steps:
step S310, IP information of industrial equipment is obtained;
step S320, according to the IP information of the industrial equipment, scanning and determining the industrial equipment which is in the running state currently;
step S330, sending a communication protocol data packet to the industrial equipment in the current running state;
step S340, receiving and analyzing the operation information fed back by the industrial equipment responding to the communication protocol data packet;
step S350, searching a preset vulnerability database according to the fed-back operation information, and determining the operation vulnerability of the industrial equipment.
The above steps will be described in detail below.
In step S310, IP information of the industrial device is acquired.
It can be understood that the IP list obtaining sub-module in the obtaining module 210 can be used to obtain the IP information of the industrial device, where the IP information includes an IP address, a port identifier, and the like.
In step S320, according to the IP information of the industrial device, the industrial device currently in the operating state is scanned and determined.
It can be understood that the IP scanning sub-module in the obtaining module 210 may be used to scan for and determine the industrial devices currently in the operating state according to the IP information of the industrial devices. Specifically, the IP scanning sub-module may perform batch IP scanning according to the IP information of the industrial devices, where the scanning manner includes, but is not limited to, Ping, TCP Connect, and the like, so as to detect the industrial devices currently in a running state. For example, whether an industrial device is in an operating state can be detected by sending a request packet such as an ICMP echo, ICMP timestamp, TCP Connect or SYN request to the industrial device and analyzing whether the industrial device receives the request packet and sends a response packet.
In step S330, a communication protocol data packet is sent to the currently running industrial device.
It can be understood that, after the industrial device in the operating state is determined, the sending submodule in the determination module may be used to send the communication protocol data packet to the industrial device currently in the operating state.
In step S340, the operation information fed back by the industrial equipment in response to the communication protocol data packet is received and parsed.
It is to be understood that the receiving sub-module in the determination module can be used to receive and parse the operation information fed back by the industrial equipment in response to the communication protocol data packet. The operation information may include one or more of the following: an industrial device type identifier, an industrial device model, an industrial device manufacturer identifier, a software version identifier used by the industrial device, an industrial device attribution identifier, longitude and latitude information, and the like.
In step S350, a pre-configured vulnerability database is searched according to the feedback operation information, and the operation vulnerability of the industrial device is determined.
It can be understood that the searching submodule in the monitoring module may be used to search a preconfigured vulnerability database according to the fed-back operation information, so as to determine the operation vulnerability of the industrial equipment. The operation vulnerability of the industrial equipment includes, but is not limited to, the following information: the vulnerability name, vulnerability type, vulnerability impact range and the like of the industrial equipment.
In an embodiment of the present application, sending the communication protocol data packet to the industrial device in the operating state includes: predetermining the communication protocol type of the industrial equipment, and sending a data packet in the corresponding communication protocol format to the industrial equipment.
It is to be understood that although each industrial device and the monitoring server are connected via a network, the communication protocols employed by the industrial devices are not the same. Therefore, it is necessary to determine in advance a communication protocol suitable for each industrial device. Specifically, a configuration submodule in the determination module may be used to configure a plurality of plug-in submodules of different communication protocol types according to the different communication protocols of the industrial devices, and the plug-in submodules may be used to send data packets of the corresponding communication protocols to the industrial devices.
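An added example, not part of the patent, showing how steps S330 to S350 fit together in Python: a plug-in registry keyed by communication protocol type, a parser for a constructed "KEY=value;" device reply carrying the operation information fields of step S340, and the lookup of that fingerprint in a small constructed vulnerability database. The reply format, the vendor, model and version strings, the documentation IP addresses and the "fixed_in" matching rule are all assumptions.

```python
"""Added example (not the patent's own code) for steps S330 to S350: dispatch a
device's reply to the plug-in for its protocol, parse the fed-back operation
information, and look it up in a preconfigured vulnerability database.
Message format, field names and database entries are all constructed here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class OperationInfo:
    """Operation information listed in step S340 (constructed field names)."""
    device_type: str
    model: str
    manufacturer: str
    software_version: str
    attribution: str = ""
    latitude: Optional[float] = None
    longitude: Optional[float] = None

@dataclass
class VulnEntry:
    """One record of the vulnerability database; fixed_in is an assumed field
    naming the first software version that is no longer affected."""
    manufacturer: str
    model: str
    fixed_in: str
    name: str
    vuln_type: str
    impact_range: str

def parse_version(text: str) -> Tuple[int, ...]:
    """'v1.10.2' -> (1, 10, 2); non-numeric parts count as 0 so that an odd
    vendor string never crashes the monitor (assumed policy)."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def parse_kv_reply(payload: bytes) -> OperationInfo:
    """Hypothetical plug-in parser for a 'KEY=value;' reply (constructed format).
    Unknown keys are ignored; a missing mandatory key raises so that a malformed
    reply is never silently turned into a wrong fingerprint."""
    fields: Dict[str, str] = {}
    for chunk in payload.decode("ascii", errors="replace").split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    try:
        return OperationInfo(
            device_type=fields["type"], model=fields["model"],
            manufacturer=fields["vendor"], software_version=fields["fw"],
            attribution=fields.get("owner", ""),
            latitude=float(fields["lat"]) if "lat" in fields else None,
            longitude=float(fields["lon"]) if "lon" in fields else None)
    except KeyError as missing:
        raise ValueError(f"reply lacks mandatory field {missing}") from None

# Plug-in registry kept by the configuration submodule: protocol type ->
# (probe packet to send, parser for the reply). Placeholder values, not real
# industrial protocol frames.
PROTOCOL_PLUGINS: Dict[str, Tuple[bytes, Callable[[bytes], OperationInfo]]] = {
    "kv-text": (b"IDENT?\n", parse_kv_reply),
}

def fingerprint(protocol: str, reply: bytes) -> OperationInfo:
    """Hand the reply to the plug-in configured for the device's protocol."""
    if protocol not in PROTOCOL_PLUGINS:
        raise ValueError(f"no plug-in configured for protocol {protocol!r}")
    return PROTOCOL_PLUGINS[protocol][1](reply)

def lookup_vulnerabilities(info: OperationInfo, db: List[VulnEntry]) -> List[VulnEntry]:
    """Step S350: same vendor and model, and the reported software version is
    older than the version in which the entry was fixed."""
    version = parse_version(info.software_version)
    return [e for e in db
            if e.manufacturer.lower() == info.manufacturer.lower()
            and e.model.lower() == info.model.lower()
            and version < parse_version(e.fixed_in)]

# Constructed sample database and device replies (IPs are documentation addresses).
SAMPLE_DB = [
    VulnEntry("ExampleVendor", "PLC-100", "1.3.0", "EXAMPLE-0001 unpatched service",
              "system", "PLC-100 software before 1.3.0"),
    VulnEntry("ExampleVendor", "PLC-100", "2.0.0", "EXAMPLE-0002 parameter injection",
              "injection", "PLC-100 software before 2.0.0"),
]
SAMPLE_REPLIES = {
    "192.0.2.5": b"TYPE=PLC;VENDOR=ExampleVendor;MODEL=PLC-100;FW=1.2.4;OWNER=plant-a",
    "192.0.2.6": b"TYPE=PLC;VENDOR=ExampleVendor;MODEL=PLC-100;FW=1.4.0;LAT=30.6;LON=104.1",
}

def scan_report(replies: Dict[str, bytes], db: List[VulnEntry]) -> Dict[str, List[str]]:
    """Map each device IP to the names of the operation vulnerabilities found."""
    return {ip: [e.name for e in lookup_vulnerabilities(fingerprint("kv-text", r), db)]
            for ip, r in replies.items()}
```

Running `scan_report(SAMPLE_REPLIES, SAMPLE_DB)` reports both entries for the device on software 1.2.4 and only the injection entry for the device on 1.4.0.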
As shown in fig. 4, in one embodiment of the present application, the method comprises the steps of:
step S410, calculating the security index of the industrial equipment according to the risk level of the operation vulnerability of the industrial equipment and the preset weight of each operation vulnerability risk level.
It is understood that the operation vulnerability categories can be classified into different levels according to risk, such as level A, level B, level C and level D. Meanwhile, a different weight value can be preset for each risk level according to its degree of hazard. For example, a weight of 0.1 is assigned to level A risk, 0.2 to level B risk, 0.3 to level C risk, and 0.4 to level D risk. Thereafter, a security index for the industrial equipment may be calculated from the risk levels and the weights corresponding to the respective risk levels.
Step S420, determining a vulnerability repair scheme of the industrial equipment according to the operation vulnerability type of the industrial equipment and the security index of the industrial equipment.
The vulnerability repair sub-module in the risk management module may be used for this step; the correspondence between the vulnerability category, the security index and the repair scheme is as described above for that sub-module: an injection vulnerability with a security index greater than 0.5 and less than 0.8 is handled by filtering the parameters to ensure the legality of the input information; a business logic vulnerability with a security index greater than 0.5 and less than 0.8 is handled by verifying the business process at least twice to prevent logic errors; and a system vulnerability is handled by upgrading the patch, no matter how large the security index is.
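An added example, not from the patent, that works steps S410 and S420 through in Python with the weights and the three repair rules given above; the index formula (the sum of the weights of the vulnerabilities found, capped at 1.0) is an assumption, since the description does not specify one, and combinations the description leaves undefined return no scheme rather than a guessed one.

```python
"""Added example (not the patent's own code) for steps S410 and S420: compute
the security index from the risk levels of the vulnerabilities found on a
device and pick the repair scheme from the category and the index.
The patent gives the weights and the example rules; the index formula (sum of
the weights of the found vulnerabilities, capped at 1.0) is an assumption."""
from typing import Dict, List, Optional, Tuple

# Preset weights per risk level, as given in the description.
LEVEL_WEIGHTS: Dict[str, float] = {"A": 0.1, "B": 0.2, "C": 0.3, "D": 0.4}


def security_index(risk_levels: List[str]) -> float:
    """Assumed formula: each vulnerability found contributes the weight of its
    risk level; the sum is capped at 1.0. An unknown level is an error rather
    than silently counting as 0."""
    total = 0.0
    for level in risk_levels:
        if level not in LEVEL_WEIGHTS:
            raise ValueError(f"unknown risk level {level!r}")
        total += LEVEL_WEIGHTS[level]
    return round(min(total, 1.0), 6)


# Repair rules from the description: (category, lower bound, upper bound, scheme).
# Bounds are exclusive ("greater than 0.5 and less than 0.8"); None means no bound.
REPAIR_RULES: List[Tuple[str, Optional[float], Optional[float], str]] = [
    ("injection", 0.5, 0.8,
     "filter parameters to ensure the legality of input information"),
    ("business_logic", 0.5, 0.8,
     "verify the business process at least twice to prevent logic errors"),
    ("system", None, None, "upgrade the patch"),
]


def repair_scheme(category: str, index: float) -> Optional[str]:
    """Step S420: first matching rule wins; None when the description defines
    no scheme for this category/index combination (e.g. injection at 0.3)."""
    for rule_cat, low, high, scheme in REPAIR_RULES:
        if rule_cat != category:
            continue
        if low is not None and not index > low:
            continue
        if high is not None and not index < high:
            continue
        return scheme
    return None


def assess_device(vulns: List[Tuple[str, str]]) -> Tuple[float, List[Tuple[str, Optional[str]]]]:
    """vulns: (category, risk level) for each operation vulnerability found on
    one device. Returns the device's security index and the scheme chosen for
    each vulnerability at that index."""
    index = security_index([level for _cat, level in vulns])
    return index, [(cat, repair_scheme(cat, index)) for cat, _level in vulns]


if __name__ == "__main__":
    # Constructed sample: one device with a level-B injection flaw and a level-D system flaw.
    idx, plans = assess_device([("injection", "B"), ("system", "D")])
    print(f"security index = {idx}")
    for cat, plan in plans:
        print(f"  {cat}: {plan or 'no scheme defined'}")
```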
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses, modules and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Fig. 5 shows a schematic block diagram of a monitoring server provided in an embodiment of the present application, and for convenience of explanation, only the portions related to the embodiment of the present application are shown.
As shown in fig. 5, the monitoring server 5 of this embodiment includes: a processor 50, a memory 51 and a computer program 52 stored in said memory 51 and executable on said processor 50. The processor 50 executes the computer program 52 to implement the steps in the above-mentioned operation monitoring method embodiments, such as the steps S310 to S350 shown in fig. 3. Alternatively, the processor 50, when executing the computer program 52, implements the functions of the modules/units in the above device embodiments, such as the functions of the modules 210 to 230 shown in fig. 2.
Illustratively, the computer program 52 may be partitioned into one or more modules/units, which are stored in the memory 51 and executed by the processor 50 to accomplish the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program 52 in the monitoring server 5.
The monitoring server 5 may be an industrial device with a PLC control unit. It will be appreciated by those skilled in the art that fig. 5 is merely an example of the monitoring server 5, and does not constitute a limitation of the monitoring server 5, and may include more or less components than those shown, or combine some components, or different components, for example, the monitoring server 5 may further include input and output devices, network access devices, buses, etc.
The processor 50 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 51 may be an internal storage unit of the monitoring server 5, such as a hard disk or a memory of the monitoring server 5. The memory 51 may also be an external storage device of the monitoring server 5, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), and the like, which are provided on the monitoring server 5. Further, the memory 51 may also include both an internal storage unit and an external storage device of the monitoring server 5. The memory 51 is used for storing the computer programs and other programs and data required by the monitoring server 5. The memory 51 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other ways. For example, the above-described embodiments of the apparatus/terminal device are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium. Based on such understanding, all or part of the flow in the method of the embodiments described above can be realized by a computer program, which can be stored in a computer-readable storage medium and can realize the steps of the embodiments of the methods described above when the computer program is executed by a processor. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. An operation monitoring system, characterized in that it comprises at least: an acquisition module, a determination module and a monitoring module;
the acquisition module comprises an IP list acquisition submodule and an IP scanning submodule, wherein the IP list acquisition submodule is used for acquiring IP information of the industrial equipment, and the IP scanning submodule is used for scanning and determining the industrial equipment in the current running state according to the IP information of the industrial equipment;
the determining module comprises a sending submodule and a receiving submodule, wherein the sending submodule is used for sending a communication protocol data packet to the industrial equipment in the current running state, and the receiving submodule is used for receiving and analyzing the running information fed back by the industrial equipment in response to the communication protocol data packet;
the monitoring module comprises a searching submodule, which is used for searching a preset vulnerability database according to the fed-back operation information and determining the operation vulnerability of the industrial equipment.
2. The operation monitoring system of claim 1, wherein the determination module further comprises: at least 2 plug-in sub-modules corresponding to different communication protocol types and a configuration sub-module corresponding to the plug-in sub-modules, wherein the plug-in sub-modules are used for sending data packets in the corresponding communication protocol format to the industrial equipment according to their communication protocol type, and the configuration sub-module is used for setting the communication protocol type, scanning rate and scanning period corresponding to each plug-in sub-module.
3. The operation monitoring system according to claim 1 or 2, characterized by further comprising: a display module, which is used for distinguishing and displaying the operation vulnerabilities of the industrial equipment according to a preset mode.
4. The operation monitoring system according to claim 1 or 2, characterized by further comprising: a risk management module, which comprises a security index calculation submodule, the security index calculation submodule being used for calculating the security index of the industrial equipment according to the risk level of the operation vulnerability of the industrial equipment and the preset weight of each operation vulnerability risk level.
5. The operation monitoring system of claim 4, wherein the risk management module further comprises: a vulnerability repair submodule, which is used for determining a vulnerability repair scheme of the industrial equipment according to the operation vulnerability type of the industrial equipment and the security index of the industrial equipment.
6. The operation monitoring system according to claim 1, further comprising: a data transmission module, which is used for uploading the operation information, the operation vulnerabilities and the repair schemes corresponding to the operation vulnerabilities of the industrial equipment to a specified platform.
7. The operation monitoring system according to claim 1, further comprising: the management module comprises a historical information management submodule, a user information management submodule and a system management submodule, wherein the historical information management submodule is used for managing historical operation information of the industrial equipment and carrying out risk marking on the industrial equipment, the user information management submodule is used for carrying out information management on a user using the operation monitoring system, and the system management submodule is used for carrying out use authority distribution on the user using the operation monitoring system.
8. An operation monitoring method, characterized in that the method comprises:
acquiring IP information of industrial equipment;
scanning and determining the industrial equipment in the current running state according to the IP information of the industrial equipment;
sending a communication protocol data packet to the industrial equipment in the current running state;
receiving and analyzing the operation information fed back by the industrial equipment in response to the communication protocol data packet;
searching a preset vulnerability database according to the fed-back operation information, and determining the operation vulnerability of the industrial equipment.
9. The operation monitoring method according to claim 8, wherein sending the communication protocol data packet to the industrial device in the operating state comprises:
predetermining the communication protocol type of the industrial equipment, and sending a data packet in the corresponding communication protocol format to the industrial equipment.
10. The operation monitoring method according to claim 8, characterized in that the method further comprises:
calculating the security index of the industrial equipment according to the risk level of the operation vulnerability of the industrial equipment and the preset weight of each operation vulnerability risk level; and
determining a vulnerability repair scheme of the industrial equipment according to the operation vulnerability type of the industrial equipment and the security index of the industrial equipment.
CN201911336250.1A 2019-12-23 2019-12-23 Operation monitoring system and operation monitoring method Pending CN111193727A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911336250.1A CN111193727A (en) 2019-12-23 2019-12-23 Operation monitoring system and operation monitoring method

Publications (1)

Publication Number Publication Date
CN111193727A true CN111193727A (en) 2020-05-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200522