CN111224856A - Multi-node cooperation and linkage method for industrial control mimicry security gateway - Google Patents
- Publication number: CN111224856A
- Application number: CN202010039019.2A
- Authority: CN (China)
- Prior art keywords: gateway, linkage, transformation, industrial control, gateways
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
Abstract
The invention provides a multi-node cooperation and linkage method for an industrial control mimicry security gateway. A secret feature set, a pseudo-random sequence generation function set and a secret transformation rule are agreed in advance among the gateway nodes; then, by means of tunnel technology, synchronization messages embedded in the protocol, cooperation among the gateway nodes and the application of the dynamically agreed pseudo-random sequence, the industrial control protocol as a whole presents random, dynamically changing characteristics.
Description
Technical Field
The invention belongs to the technical field of network security, relates to the field of mimicry gateways, and particularly relates to a multi-node cooperation and linkage method for an industrial control mimicry security gateway.
Background
The traditional industrial control security gateway serves as an important line of defence in a security assurance system and defends against hacker attacks through access control. However, as more and more vulnerabilities are discovered in operating systems themselves and in application systems, the security gateway itself becomes an attack target. How to overcome the static structure and the transient protective effect of existing industrial security gateways has become a difficult problem faced when deploying them.
Unlike traditional network defence means, mimicry defence changes the operating or execution environment of a network information system by dynamic, randomized and active means, breaks the predicament of passive defence in traditional network information security, converts passive defence of the "mend the fold after the sheep are lost" kind into active defence that is difficult to detect, and changes the current situation of "easy to attack, hard to guard".
Because availability is always the first priority of an industrial control system, and any equipment and components used in it must meet availability constraints on real-time behaviour, reliability and performance, the DHR model proposed by current mimicry mechanisms cannot simply be adopted. The functions of the industrial gateway and the particularity of industrial control networks must be analysed in depth, and a new industrial control mimicry security gateway architecture constructed, so that it not only meets the functional and performance requirements of an industrial control gateway but also has the heterogeneity, diversity, dynamic randomness and initiative required by mimicry defence.
Disclosure of Invention
The invention aims to provide a multi-node cooperation and linkage method for an industrial control mimicry security gateway, aiming at the defects of the prior art.
The purpose of the invention is realized by the following technical scheme: a multi-node cooperation and linkage method for an industrial control mimicry security gateway comprises the following steps:
(1) The industrial control site comprises a data management layer, a monitoring operation layer and a field bus layer. The industrial control mimicry security gateway is deployed at the boundary of each of these layers, and upper/lower level relations are defined among the gateways according to the flow direction of the engineering data; the gateways so related are called a group of linkage gateways. The upper/lower relation is specified as follows: the direction of data flow through the data management layer, the monitoring operation layer and the field bus layer is defined as the positive direction of the data flow; an upper gateway G_k is one from which the data flows in the positive direction to a lower gateway G_{k+1}, with no other gateway in between.
(2) The secret feature set S and the pseudo-random sequence function set F of each gateway in the group of linkage gateways of step (1) are agreed through an IPsec tunnel-mode connection, forming the secret transformation rule (S, F).
(3) When the upper gateway G_k needs a linkage change, it communicates with the lower gateway G_{k+1} through the IPsec tunnel mode according to the secret transformation rule (S, F) of step (2) and performs the linkage change; the lower gateway G_{k+1} decides according to the communication content whether to notify its forward linkage gateway G_{k+2} to perform linkage as well.
(3.1) If the current communication content requires the lower gateway to continue the linkage transformation, that is, the transformation range boundary has not been reached, G_{k+1} must notify its linkage gateway G_{k+2} to perform linkage according to the IPsec tunnel mode and the secret transformation rule (S, F). The transformation range boundary is determined by the communication content: if G_k requires n gateways, from G_{k+1} to G_{k+n}, to perform the linkage transformation, the transformation range boundary is G_{k+n}.
(3.2) If the current communication content does not require the downstream gateway to continue the linkage transformation, that is, the transformation range boundary has been reached, G_{k+1} does not notify its linkage gateway G_{k+2} to perform linkage, and forward communication stops.
(4) Step (3) is repeated until all gateways have completed linkage, and the linkage transformation result is transmitted back in the reverse direction to the central gateway through the IPsec tunnel mode.
Compared with the prior art, the invention has the following beneficial effects:
(1) Because the DHR model of the mimicry mechanism cannot be well adapted to industrial control networks, the particularity of the industrial control gateway is analysed in depth, a multi-gateway-node linkage method is adopted and a secret feature set is agreed, so that the heterogeneity, diversity and dynamic randomness required of the industrial control gateway can be satisfied;
(2) The invention uses IPsec tunnel mode to establish a gateway-to-gateway transmission tunnel, thereby ensuring the integrity and confidentiality of the data.
Drawings
FIG. 1 is an industrial control mimicry security gateway deployment diagram;
FIG. 2 is a flow chart of gateway collaborative linking;
FIG. 3 is a schematic diagram of IPSec tunnel mode.
Detailed Description
The invention provides a multi-node cooperation and linkage method for an industrial control mimicry security gateway. A secret feature set, a pseudo-random sequence generation function set and a secret transformation rule are agreed in advance among the gateway nodes; then, by means of tunnel technology, synchronization messages embedded in the protocol, cooperation among the gateway nodes and the application of the dynamically agreed pseudo-random sequence, the industrial control protocol as a whole presents random, dynamically changing characteristics.
Fig. 1 shows a multi-node cooperation and linkage method for an industrial control mimicry security gateway, which specifically includes the following steps:
(1) The industrial control mimicry gateway group shown in fig. 2 is deployed. An industrial control site comprises a data management layer, a monitoring operation layer and a field bus layer; the industrial control mimicry security gateway is deployed at the boundary of each of these layers, and a more targeted access control policy is applied according to the characteristics of each layer's engineering data streams. Upper/lower level relations are defined among the gateways according to the flow direction of the engineering data, and the gateways so related are called a group of linkage gateways. The upper/lower relation is specified as follows: the direction of data flow through the data management layer, the monitoring operation layer and the field bus layer is defined as the positive direction of the data flow; an upper gateway G_k is one from which the data flows in the positive direction to a lower gateway G_{k+1}, with no other gateway in between.
(2) The secret feature set S and the pseudo-random sequence function set F of each gateway in the group of linkage gateways of step (1) are agreed through an IPsec tunnel-mode connection, forming the secret transformation rule (S, F), which serves as the basis of the gateway transformation rule.
(3) When the upper gateway G_k needs a linkage change, it communicates with the lower gateway G_{k+1} through the IPsec tunnel mode according to the secret transformation rule (S, F) of step (2) and performs the linkage change; the lower gateway G_{k+1} decides according to the communication content whether to notify its forward linkage gateway G_{k+2} to perform linkage as well, so that the availability and real-time performance of the industrial control system are preserved.
(3.1) If the current communication content requires the lower gateway to continue the linkage transformation, that is, the transformation range boundary has not been reached, G_{k+1} must notify its linkage gateway G_{k+2} to perform linkage according to the IPsec tunnel mode and the secret transformation rule (S, F). The transformation range boundary is determined by the communication content: if G_k requires n gateways, from G_{k+1} to G_{k+n}, to perform the linkage transformation, the transformation range boundary is G_{k+n}.
(3.2) If the current communication content does not require the downstream gateway to continue the linkage transformation, that is, the transformation range boundary has been reached, G_{k+1} does not notify its linkage gateway G_{k+2} to perform linkage, and forward communication stops.
(4) Step (3) is repeated until all gateways are linked, and the linkage transformation result is transmitted back in the reverse direction to the central gateway through the IPsec tunnel mode. The central gateway checks the feedback: if the feedback fails, step (3) is executed again; if the feedback succeeds, the linkage transformation result is output.
Thus, according to an industrial control system attack chain model, the key nodes for blocking the attack chain and a "non-deterministic" technique for node operation are studied, while the "determinacy" of the industrial control gateway's processing result and processing performance is preserved.
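The four-step procedure above (agreeing the secret transformation rule (S, F), propagating the synchronization message forward from G_k through G_{k+1} to G_{k+n}, stopping at the transformation range boundary, and returning the result to the central gateway, which checks the feedback and repeats step (3) on failure) can be followed in a small simulation. This is an added example and not code from the patent: the shared key and the three protocol features standing in for the secret feature set S, the HMAC functions standing in for the pseudo-random sequence function set F, the value ranges, and the direct Python calls standing in for IPsec tunnel-mode messages between neighbouring gateways are all assumptions made for the example; the `drop_first` flag is a constructed fault used only to exercise the feedback check of step (4).

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Secret transformation rule (S, F), agreed in advance over the tunnel (step 2).
# S: secret feature set. Constructed for this example: a shared key plus the
# protocol features every gateway re-randomises in lockstep.
S = {
    "key": b"constructed-shared-secret-for-the-example",
    "features": ("listen_port", "function_code_mask", "poll_interval_ms"),
}
# Value range each feature is drawn from (constructed example ranges).
RANGES = {
    "listen_port": (10000, 60000),
    "function_code_mask": (1, 255),
    "poll_interval_ms": (100, 2000),
}

def _prf(digestmod: str) -> Callable[[bytes, bytes, bytes], int]:
    """Build one member of F: a keyed pseudo-random function of (seed, label)."""
    def prf(key: bytes, seed: bytes, label: bytes) -> int:
        return int.from_bytes(hmac.new(key, seed + b"|" + label, digestmod).digest(), "big")
    return prf

# F: pseudo-random sequence function set (assumed here to be HMAC instances).
F: Dict[str, Callable[[bytes, bytes, bytes], int]] = {
    "hmac-sha256": _prf("sha256"),
    "hmac-sha512": _prf("sha512"),
}

@dataclass(frozen=True)
class LinkageMessage:
    """Synchronisation message; in deployment it travels inside the IPsec tunnel."""
    seed: bytes      # per-round nonce chosen by the initiating gateway G_k
    func: str        # which member of F this round uses
    boundary: int    # index of G_{k+n}, the last gateway that must transform
    epoch: int       # round counter, so labels are never reused across rounds

def derive_state(index: int, msg: LinkageMessage) -> Dict[str, int]:
    """Apply (S, F) to obtain gateway G_index's new feature values for this round.
    Deterministic, so the central gateway can recompute what each node must report."""
    prf = F[msg.func]
    state = {}
    for feat in S["features"]:
        lo, hi = RANGES[feat]
        label = f"{feat}|{index}|{msg.epoch}".encode()
        state[feat] = lo + prf(S["key"], msg.seed, label) % (hi - lo + 1)
    return state

def digest(state: Dict[str, int]) -> str:
    """Compact feedback value reported upstream instead of the raw state."""
    items = ",".join(f"{k}={state[k]}" for k in S["features"])
    return hashlib.sha256(items.encode()).hexdigest()

@dataclass
class Gateway:
    index: int
    downstream: Optional["Gateway"] = None
    state: Dict[str, int] = field(default_factory=dict)
    drop_first: bool = False   # constructed fault: lose the first tunnel message

    def on_linkage(self, msg: LinkageMessage) -> Dict[int, str]:
        """Step (3): transform, then decide per (3.1)/(3.2) whether to notify G_{k+2}."""
        if self.drop_first:
            self.drop_first = False
            return {}              # message lost: no transformation, nothing reported
        self.state = derive_state(self.index, msg)
        results = {self.index: digest(self.state)}
        if self.index < msg.boundary and self.downstream is not None:
            # (3.1) boundary not reached: notify the next linkage gateway
            results.update(self.downstream.on_linkage(msg))
        # (3.2) boundary reached: forward communication stops; the collected
        # results travel back upstream (step 4)
        return results

def run_linkage(center: Gateway, n: int, seed: bytes, func: str = "hmac-sha256",
                epoch: int = 1, max_attempts: int = 3) -> Tuple[bool, int, Dict[int, str]]:
    """Step (4): G_k drives one round over G_{k+1}..G_{k+n}, checks the feedback and
    repeats step (3) when a gateway is missing or reports an unexpected digest."""
    boundary = center.index + n
    msg = LinkageMessage(seed=seed, func=func, boundary=boundary, epoch=epoch)
    expected = {i: digest(derive_state(i, msg)) for i in range(center.index + 1, boundary + 1)}
    results: Dict[int, str] = {}
    attempts = 0
    while attempts < max_attempts and center.downstream is not None:
        attempts += 1
        results = center.downstream.on_linkage(msg)
        if results == expected:
            return True, attempts, results
    return False, attempts, results

if __name__ == "__main__":
    g5 = Gateway(5); g4 = Gateway(4, g5); g3 = Gateway(3, g4, drop_first=True)
    g2 = Gateway(2, g3); g1 = Gateway(1, g2)      # G_1 is the central gateway
    ok, attempts, results = run_linkage(g1, n=3, seed=b"round-1-nonce")
    print(ok, attempts, sorted(results), g5.state)   # G_5 lies beyond the boundary
```

With n=3 the boundary is G_4, so G_5 never transforms; the dropped message at G_3 makes the first round's feedback incomplete, the central gateway repeats step (3), and the second round succeeds. Because every gateway derives its new values from the shared (S, F) and the round's nonce, the central gateway can verify the feedback without any node sending its raw state over the tunnel.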
Claims (1)
1. A multi-node cooperation and linkage method for an industrial control mimicry security gateway is characterized by comprising the following steps:
(1) The industrial control site comprises a data management layer, a monitoring operation layer and a field bus layer. The industrial control mimicry security gateway is deployed at the boundary of each of these layers, and upper/lower level relations are defined among the gateways according to the flow direction of the engineering data; the gateways so related are called a group of linkage gateways. The upper/lower relation is specified as follows: the direction of flow through the data management layer, the monitoring operation layer and the field bus layer is specified as the forward direction of the data flow; an upper gateway G_k is one from which the data flows in the forward direction to a lower gateway G_{k+1}, with no other gateway in between.
(2) The secret feature set S and the pseudo-random sequence function set F of each gateway in the group of linkage gateways of step (1) are agreed through an IPsec tunnel-mode connection, forming the secret transformation rule (S, F).
(3) When the upper gateway G_k needs a linkage change, it communicates with the lower gateway G_{k+1} through the IPsec tunnel mode according to the secret transformation rule (S, F) of step (2) and performs the linkage change; the lower gateway G_{k+1} decides according to the communication content whether to notify its forward linkage gateway G_{k+2} to perform linkage as well.
(3.1) If the current communication content requires the lower gateway to continue the linkage transformation, that is, the transformation range boundary has not been reached, G_{k+1} must notify its linkage gateway G_{k+2} to perform linkage according to the IPsec tunnel mode and the secret transformation rule (S, F). The transformation range boundary is determined by the communication content: if G_k requires n gateways, from G_{k+1} to G_{k+n}, to perform the linkage transformation, the transformation range boundary is G_{k+n}.
(3.2) If the current communication content does not require the downstream gateway to continue the linkage transformation, that is, the transformation range boundary has been reached, G_{k+1} does not notify its linkage gateway G_{k+2} to perform linkage, and forward communication stops.
(4) Step (3) is repeated until all gateways have completed linkage, and the linkage transformation result is transmitted back in the reverse direction to the central gateway through the IPsec tunnel mode.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010039019.2A CN111224856B (en) | 2020-01-14 | 2020-01-14 | Multi-node cooperation and linkage method for industrial control mimicry security gateway |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010039019.2A CN111224856B (en) | 2020-01-14 | 2020-01-14 | Multi-node cooperation and linkage method for industrial control mimicry security gateway |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111224856A true CN111224856A (en) | 2020-06-02 |
CN111224856B CN111224856B (en) | 2020-12-29 |
Family
ID=70828255
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010039019.2A Active CN111224856B (en) | 2020-01-14 | 2020-01-14 | Multi-node cooperation and linkage method for industrial control mimicry security gateway |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111224856B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080075068A1 (en) * | 2000-06-01 | 2008-03-27 | Tekelec | Methods and systems for providing converged network management functionality in a gateway routing node |
CN104994104A (en) * | 2015-07-06 | 2015-10-21 | 浙江大学 | Server fingerprint mimicry and sensitive information mimicry method based on WEB security gateway |
CN106254231A (en) * | 2016-08-18 | 2016-12-21 | 中京天裕科技(北京)有限公司 | A kind of industrial safety encryption gateway based on state and its implementation |
CN106990745A (en) * | 2017-06-06 | 2017-07-28 | 承德龙庆智能科技有限公司 | A kind of vehicle intelligent terminal and monitoring system based on Beidou navigation |
CN108234657A (en) * | 2018-01-04 | 2018-06-29 | 江苏十月中宸科技有限公司 | A kind of high performance information safe processing system based on Internet of Things |
CN209805847U (en) * | 2019-08-09 | 2019-12-17 | 烟台东方纵横科技股份有限公司 | Safety production data front-end processor |
Non-Patent Citations (1)
Title |
---|
Chen Shuangxi et al.: "Research on mimicry security gateway technology based on attack transfer", Journal on Communications (通信学报) * |
Also Published As
Publication number | Publication date |
---|---|
CN111224856B (en) | 2020-12-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||