CN111314278A - Safety detection method based on Ethernet IP industrial control protocol - Google Patents

Info

Publication number
CN111314278A
Authority
CN
China
Prior art keywords
establishing
ethernet
module
industrial control
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911152920.4A
Other languages
Chinese (zh)
Inventor
陈虎
唐开达
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Juming Network Technology Co ltd
Original Assignee
Nanjing Juming Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2019-11-22
Filing date: 2019-11-22
Publication date: 2020-06-19
Application filed by Nanjing Juming Network Technology Co ltd
Priority to CN201911152920.4A
Publication of CN111314278A
Legal status: Pending

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/22 Parsing or analysis of headers
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/26 Special purpose or proprietary protocols or architectures

Abstract

The invention relates to a safety detection method based on an Ethernet IP industrial control protocol, which comprises the following steps: step 1: establishing a network data packet capturing module; step 2: establishing a data analysis module; step 3: establishing a data learning module; step 4: establishing a behavior validity judging module; step 5: establishing a behavior abnormity response module. According to the technical scheme, the related commands and function calls are analyzed in depth according to the protocol characteristics of the Ethernet IP, and the analysis result can be processed directly by visualization tools, so that a user can intuitively see what circulates in the industrial control network.

Description

Safety detection method based on Ethernet IP industrial control protocol
Technical Field
The invention relates to a detection method, in particular to a safety detection method based on an Ethernet IP industrial control protocol, and belongs to the technical field of general network safety detection.
Background
With the arrival of the Industry 4.0 era, transmitting industrial control commands and industrial data over general-purpose network technology, in particular Ethernet, is becoming more and more widespread in industrial production, and the related industrial devices support such transmission; because of the needs of industrial automation, industrial enterprises (energy, electric power, etc.) also rely heavily on general-purpose network technology for remote control, which brings the following problems:
1. generally speaking, industrial control protocols are transmitted in plaintext with little or no encryption, so they are easy to forge, and an attacker can generally send packets in a man-in-the-middle manner to disrupt a running system;
2. although most industrial control protocols are now public, mainstream security equipment generally does not support them, so it cannot tell when an industrial control protocol is being attacked, let alone respond to the threat;
3. deep decoding and understanding of industrial control protocols, especially complex ones such as Ethernet IP, is lacking, so most products are powerless when a threat occurs or needs to be traced, cannot provide strong support for enterprise users, and security protection is out of the question.
Obviously, it is necessary to provide methods for effectively monitoring or auditing the security problems of industrial networks, and several security events in past years also show the importance of this; typical industrial control network security events include:
■ In August 2006, when Unit 3 of the Browns Ferry nuclear power station in Alabama in the United States came under network attack, the reactor recirculation pump and the condensate demineralizer controller stopped working, forcing Unit 3 to shut down;
■ In 2013, according to a report in China's PLA Daily, the United States used the Stuxnet worm to attack Iran's uranium enrichment equipment, delaying Iran's nuclear power station;
■ In 2016, on the 24th, malicious programs were found in the computer system of the Gundremmingen nuclear power plant in Germany during routine safety checks.
In addition, according to a well-known report, the three countries whose systems are attacked most worldwide are Vietnam, Algeria and Morocco, with attack rates of 71%, 67.1% and 65.4% respectively; China's industrial control systems rank fifth, with an attack rate of 57.1%.
Disclosure of Invention
The invention provides a security detection method based on the Ethernet IP industrial control protocol, which mainly performs security processing on the commands and functions of the Ethernet IP protocol, thereby fully supporting industrial enterprise users' requirements for security monitoring and threat blocking of the Ethernet IP industrial control protocol. The main idea is to learn from the related industrial control data to build a probability suffix tree; if a behavior sequence deviates from the tree by more than a certain threshold, it is regarded as abnormal, and an alarm or block is issued.
In order to achieve the above object, a technical solution of the present invention is a security detection method based on an Ethernet IP industrial control protocol, which is characterized in that the detection method includes the following steps:
step 1: establishing a network data packet capturing module;
step 2: establishing a data analysis module;
step 3: establishing a data learning module;
step 4: establishing a behavior validity judging module;
step 5: establishing a behavior abnormity response module.
As an improvement of the present invention, step 1, establishing a network data packet capturing module, acquires network traffic from the network card and decodes the link layer, network layer and transport layer; it also decodes the related application layer, which comprises the control commands, function codes and data of the industrial control network protocol Ethernet IP.
As an improvement of the present invention, step 2, establishing a data analysis module, analyzes the commands of the Ethernet IP protocol and, on the basis of the command analysis, the related function codes.
As an improvement of the present invention, step 3, establishing a data learning module, builds a learning model on the data of the analysis results; the learning content mainly comprises the client's request commands, related function codes and some additional parameters. A probability suffix tree model is built, whose depth is generally controlled by a parameter and does not need to be very deep, the maximum depth being 2-3 layers; models are built for common sequences of operations.
As an improvement of the present invention, step 4, establishing a behavior validity judging module, judges the operation sequence of the operation data: an operation sequence is judged abnormal if its probability of occurrence is lower than a threshold; the related credibility is evaluated, and the judging process is presented to the user graphically to ask whether to accept it, so as to improve the model accuracy.
As an improvement of the present invention, step 5, establishing a behavior abnormality response module, provides response actions such as alarm, mail and blocking for abnormal behaviors.
Compared with the prior art, the method has the following advantages: 1) according to the protocol characteristics of the Ethernet IP, the related commands and function calls are analyzed in depth, and the analysis result can be processed directly by visualization tools, so that a user can see intuitively what circulates in the industrial control network; 2) the processing of the related function parameters is integrated into the protocol analysis, so the whole process goes deeper, the result is more credible, and user-defined parts can also be handled; 3) a probability suffix tree is used to learn the PLC control commands sent by the client, and a response is triggered once an abnormal part is found; compared with a Markov transition matrix, the probability suffix tree saves memory and avoids the spatial sparsity that a Markov transition matrix suffers from.
Drawings
FIG. 1 is a schematic diagram of a probability suffix tree (PST);
fig. 2 is a schematic diagram of the overall implementation process.
Detailed description of the embodiments:
for the purposes of promoting an understanding and appreciation of the invention, the present embodiments are described in detail below with reference to the accompanying drawings.
The relative terms in this scheme explain:
industrial control protocol: in general, a network protocol used specifically for industrial control; industrial control network protocols include operations aimed at a Programmable Logic Controller (PLC), such as sending commands, transmitting data and the like. Currently, common industrial control protocols are transported over Ethernet and include, for example, Modbus, S7Comm, Ethernet IP/CIP, IEC and OPC (UA), among which Ethernet IP/CIP is the most complex;
programmable logic controller: according to the IEC (International Electrotechnical Commission) definition, a programmable controller is an electronic system performing digital arithmetic operations, designed specifically for application in an industrial environment; it uses a programmable memory to store its program and executes user-oriented instructions such as logic operations, sequence control, timing, counting and arithmetic operations, and controls various types of machinery or production processes through digital or analog inputs/outputs;
SCADA: a SCADA (Supervisory Control And Data Acquisition) system, i.e. a data acquisition and supervisory control system. A SCADA system is a computer-based DCS and electric power automation monitoring system; it has a wide field of application and can be used for data acquisition, supervisory control and process control in electric power, metallurgy, petroleum, chemical industry, gas, railways and other fields;
probability suffix tree: the probability suffix tree, also called PST, represents the transition proportions between different events in the form of a tree; it is similar to Markov transition probabilities, but uses far less space than a Markov transition matrix in the sparse case.
Example 1: referring to fig. 1 and 2, a security detection method based on an Ethernet IP industrial control protocol includes the following steps. Step 1: establishing a network data packet capturing module, which mainly targets Ethernet. The module first decodes the data link layer of a generic Ethernet frame; the decoding is compatible with the VLAN format to suit the general requirements of industrial control networks. It then decodes layer 3 (the network layer) and extracts the IP addresses, and then the transport layer of the packet, from which the source and destination ports are obtained; the usual communication port of the Ethernet IP protocol is 44818. Once the transport-layer information has been parsed, the application-layer data is obtained, which is the main content of the industrial control protocol. In the Ethernet IP protocol one connection may carry multiple requests and responses, and requests and responses are matched by a sequence number that is unique within one session, so the module must be able to pair requests with responses and to handle long connections: a network session must not be closed after packets have been received for a certain time but must be processed continuously. Correspondingly, a session picked up mid-stream (i.e. one whose normal three-way handshake packets were not captured) must also be processed rather than directly discarded, to avoid losing data; this differs from a general intrusion detection system. When processing such long network sessions (long connections), in order to achieve a real-time effect the module stores session information at regular intervals; the stored content mainly includes the number of packets and bytes received and sent so far and the real-time command and function analysis results;
Step 2: establishing a data analysis module, whose main work is to analyze the related commands and functions according to the protocol specification. Precise identification of the Ethernet IP protocol also depends on the commands and services unique to the protocol: a flow is regarded as Ethernet IP once at least some of these commands/services have been seen in its requests. Since the Ethernet IP protocol is designed in an object-oriented way, a so-called object comprises an object class, an object instance and a service (the service can be understood as a method in object-oriented design), and most of the content of the Ethernet IP protocol is built around these. Objects of the Ethernet IP protocol are encoded in one byte and include a number of common classes, for example Message Router (0x02), Port (0xF4), File (0x37), Connection Manager (0x06) and other types of object. The more common services include: ListServices, ListInterfaces, RegisterSession, the Send RR Data command, etc.; services also include obtaining a single object attribute, obtaining multiple object attributes and the like. Each command is generally bidirectional, that is, there is both a request packet and a response packet, and the object referred to in the get-single/multiple-attribute services above is a built-in object such as a file or a port; these service request packets are all carried by the Send RR Data command. Particularly worth detailed analysis is the Connection Manager object, which carries request and response information and may contain some user-defined services; in particular the multiple service request is the most important because it is the main analysis object. It is analyzed in detail in the parsing module: the embedded service type (e.g. 0x52, 0x53, etc.), the request path and its ASCII name, the request data content, the backplane number of the request and the PLC address are completely parsed and stored in the persistent medium in a fixed format, whose basic form is as follows:
data packet sequence number, direction (request or response), time of occurrence, command, object, service, embedded service type, request path name, request data content, backplane number, PLC address;
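As an added illustration of steps 1 and 2 (example code, not the patent's own), the following Python decodes the EtherNet/IP encapsulation header, the Common Packet Format items of a SendRRData/SendUnitData command and the CIP service and request path inside them, and identifies the protocol by its message structure rather than by port 44818 alone. The packet bytes are constructed here; the command, class and service codes are the public EtherNet/IP and CIP values, and the record layout is this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ENCAP_COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
                  0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
                  0x006F: "SendRRData", 0x0070: "SendUnitData"}
CIP_CLASSES = {0x01: "Identity", 0x02: "Message Router", 0x06: "Connection Manager",
               0x37: "File", 0xF4: "Port"}
CIP_SERVICES = {0x01: "Get_Attributes_All", 0x0A: "Multiple_Service_Packet",
                0x0E: "Get_Attribute_Single", 0x10: "Set_Attribute_Single"}
LOGICAL_TYPES = {0x00: "class", 0x04: "instance", 0x08: "member",
                 0x0C: "connection point", 0x10: "attribute"}


@dataclass
class EnipRecord:
    command: str
    session_handle: int
    status: int
    direction: str = "request"
    service: Optional[str] = None
    path: Optional[str] = None        # decoded request path, e.g. "class 0x01 (Identity) / instance 0x01"
    request_data: bytes = b""


def is_enip_candidate(data: bytes) -> bool:
    """Identify by message structure rather than by port 44818 alone: known command, length that fits."""
    if len(data) < 24:
        return False
    cmd, length = struct.unpack_from("<HH", data, 0)
    return cmd in ENCAP_COMMANDS and len(data) >= 24 + length


def parse_request_path(path: bytes) -> str:
    """Decode logical (class/instance/attribute) and ANSI symbolic (tag name) segments of a CIP EPATH."""
    parts, i = [], 0
    while i < len(path):
        seg = path[i]
        if seg == 0x91:                                   # ANSI extended symbol segment
            n = path[i + 1]
            parts.append("tag %r" % path[i + 2:i + 2 + n].decode("ascii", "replace"))
            i += 2 + n + (n % 2)                          # odd-length names carry a pad byte
        elif seg & 0xE0 == 0x20:                          # logical segment
            kind = LOGICAL_TYPES.get(seg & 0x1C, "logical type %d" % ((seg >> 2) & 7))
            fmt = seg & 0x03                              # 0: 8-bit, 1: 16-bit, 2: 32-bit value
            if fmt == 0:
                value, i = path[i + 1], i + 2
            elif fmt == 1:
                value, i = struct.unpack_from("<H", path, i + 2)[0], i + 4   # pad byte precedes value
            elif fmt == 2:
                value, i = struct.unpack_from("<I", path, i + 2)[0], i + 6
            else:
                raise ValueError("reserved logical format in segment 0x%02x" % seg)
            label = CIP_CLASSES.get(value) if kind == "class" else None
            parts.append("%s 0x%02x" % (kind, value) + (" (%s)" % label if label else ""))
        else:
            raise ValueError("unsupported path segment 0x%02x" % seg)
    return " / ".join(parts)


def parse_enip(data: bytes) -> EnipRecord:
    """Decode the 24-byte encapsulation header and, for SendRRData/SendUnitData, the CIP message inside."""
    if not is_enip_candidate(data):
        raise ValueError("not a well-formed EtherNet/IP message")
    cmd, length, session, status, _ctx, _opts = struct.unpack_from("<HHII8sI", data, 0)
    rec = EnipRecord(ENCAP_COMMANDS[cmd], session, status)
    body = data[24:24 + length]
    if cmd in (0x006F, 0x0070):                   # interface handle, timeout, then the CPF item list
        _iface, _timeout, item_count = struct.unpack_from("<IHH", body, 0)
        off = 8
        for _ in range(item_count):
            type_id, item_len = struct.unpack_from("<HH", body, off)
            item = body[off + 4:off + 4 + item_len]
            off += 4 + item_len
            if type_id not in (0x00B1, 0x00B2):       # only connected/unconnected data items carry CIP
                continue
            cip = item[2:] if type_id == 0x00B1 else item   # connected items start with a sequence count
            svc = cip[0]
            rec.service = CIP_SERVICES.get(svc & 0x7F, "service 0x%02x" % (svc & 0x7F))
            if svc & 0x80:                            # reply: bit 7 set and no request path follows
                rec.direction = "response"
                continue
            words = cip[1]                            # request path size in 16-bit words
            rec.path = parse_request_path(cip[2:2 + 2 * words])
            rec.request_data = cip[2 + 2 * words:]
    return rec


def build_sample_get_attribute(session: int, cls: int, inst: int, attr: int) -> bytes:
    """Constructed sample: Get_Attribute_Single carried in a SendRRData with a null address item."""
    cip = bytes([0x0E, 0x03, 0x20, cls, 0x24, inst, 0x30, attr])
    cpf = (struct.pack("<IHH", 0, 0, 2) + struct.pack("<HH", 0x0000, 0)
           + struct.pack("<HH", 0x00B2, len(cip)) + cip)
    return struct.pack("<HHII8sI", 0x006F, len(cpf), session, 0, bytes(8), 0) + cpf
```

Running `parse_enip(build_sample_get_attribute(0x11223344, 0x01, 1, 7))` yields the command, session handle, service and decoded path that the step-2 record format stores; a tag read whose path uses the 0x91 symbolic segment comes out as `tag 'Name'`.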
Step 3: establishing the data learning module. Its input comes from the previous step. The module mainly takes an unsupervised approach, so learning has to be carried out online, unlike the supervised approach. The learning method mainly adopts the probability suffix tree proposed above, and the main steps are:
■ group by the source and destination IP addresses parsed in step 1 and read in the analysis data output by step 2 (these data should be learned over a period of time in the actual field or in a simulation environment);
■ learn the analysis data according to a preset window size and sliding mode; the sliding mode is either overlapping or non-overlapping: overlapping means the sliding step is smaller than the window size, otherwise the step equals the window size (a step larger than the window is not considered); the window is generally 8 or 10, and its content is the requests sent by the client;
■ learning consists of counting the corresponding values of the packets, where counting follows the configured number of transition steps (e.g. command a -> command b); this should not be set too large, generally 2 or 3. The approach therefore resembles building a Markov transition probability matrix, but the present invention uses a probability suffix tree instead; fig. 1 is a schematic diagram (a 3-step transition is used, but the third step is not drawn for lack of space):
In the example of fig. 1, suppose the system has learned 5 different values for one group, denoted a-e. The vector under each node is the transition probability vector; for example, the vector (0.5,0.25,0.25,0,0) under node a means that the probability of a transition from a to a, b, c, d or e is 50%, 25%, 25%, 0% and 0% respectively;
Step 4: establishing the behavior legality judging module, which analyzes the actual request sequence against the probability suffix tree model learned in advance (the model may need to be examined and accepted by service personnel as the legitimate model the system will use). An illegal request is judged to exist when more than 50% of the sequences in a window (this value can also be configured) are abnormal; for example, with a window of 10 and a PST depth of 3, each window contains 8 call subsequences, so 5 or more (inclusive) subsequences in the window that never or rarely occur (an unusual-event threshold can be set here, for example below 20%) provide the basis for the subsequent abnormal behavior response;
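As an added illustration of steps 3 and 4 (example code, not the patent's own), the following Python groups step-2 records by (source, destination) flow, learns one probability suffix tree of depth 3 per flow from the client's requests with a non-overlapping window of 10, and then judges a window as abnormal when 5 or more of its 8 call subsequences have a transition probability below 20%. The traffic records, service names and IP addresses are constructed for this example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

Flow = Tuple[str, str]   # (source IP, destination IP): the grouping key taken from step 1


class ProbabilitySuffixTree:
    """Transition counts keyed by the last 1 .. depth-1 requests; the longest learned suffix is used."""

    def __init__(self, depth: int = 3) -> None:
        self.depth = depth
        self.counts: Dict[Tuple[str, ...], Counter] = defaultdict(Counter)

    def learn(self, sequence: Sequence[str], window: int = 10, step: int = 10) -> None:
        """Count transitions inside each window; step < window is the overlapping sliding mode."""
        if step > window:
            raise ValueError("a step larger than the window would skip requests")
        for start in range(0, max(1, len(sequence) - window + 1), step):
            chunk = sequence[start:start + window]
            for i in range(1, len(chunk)):
                for k in range(1, min(self.depth, i + 1)):       # contexts of length 1 .. depth-1
                    self.counts[tuple(chunk[i - k:i])][chunk[i]] += 1

    def prob(self, context: Sequence[str], nxt: str) -> float:
        """P(nxt | context) from the longest learned suffix of context; 0.0 if none was ever seen."""
        ctx = tuple(context)
        for k in range(min(len(ctx), self.depth - 1), 0, -1):
            seen = self.counts.get(ctx[-k:])
            if seen:
                return seen[nxt] / sum(seen.values())
        return 0.0


def group_requests(records: List[Tuple[str, str, str, str]]) -> Dict[Flow, List[str]]:
    """Group step-2 records (src, dst, direction, service) per flow, keeping only client requests."""
    flows: Dict[Flow, List[str]] = defaultdict(list)
    for src, dst, direction, service in records:
        if direction == "request":
            flows[(src, dst)].append(service)
    return dict(flows)


def judge_window(pst: ProbabilitySuffixTree, window_seq: Sequence[str],
                 rare: float = 0.2) -> Tuple[int, bool]:
    """Count the length-depth call subsequences whose last transition is rarer than `rare`;
    the window is abnormal when more than half of its subsequences are rare (5 of 8 here)."""
    d = pst.depth
    subseqs = [window_seq[i:i + d] for i in range(len(window_seq) - d + 1)]
    rare_count = sum(1 for s in subseqs if pst.prob(s[:-1], s[-1]) < rare)
    return rare_count, 2 * rare_count > len(subseqs)


# Constructed learning traffic: one client polling one PLC in a fixed 4-request cycle.
NORMAL_CYCLE = ["Get_Attribute_Single", "ReadTag", "ReadTag", "WriteTag"]
TRAINING_RECORDS = [("10.0.0.5", "10.0.0.20", "request", "RegisterSession")] + [
    ("10.0.0.5", "10.0.0.20", "request", svc) for svc in NORMAL_CYCLE * 25]
# Two constructed windows of 10 requests to judge: the usual cycle, and an unfamiliar sequence.
NORMAL_WINDOW = NORMAL_CYCLE * 2 + NORMAL_CYCLE[:2]
ANOMALOUS_WINDOW = (NORMAL_CYCLE + ["Set_Attribute_Single", "WriteTagFrag", "WriteTagFrag", "Reset"]
                    + NORMAL_CYCLE[:2])


def build_model(records=TRAINING_RECORDS, depth: int = 3) -> Dict[Flow, ProbabilitySuffixTree]:
    """One PST per (src, dst) flow, learned from the grouped request sequences."""
    models: Dict[Flow, ProbabilitySuffixTree] = {}
    for flow, seq in group_requests(records).items():
        pst = ProbabilitySuffixTree(depth)
        pst.learn(seq, window=10, step=10)
        models[flow] = pst
    return models


if __name__ == "__main__":
    model = build_model()[("10.0.0.5", "10.0.0.20")]
    for name, win in (("normal", NORMAL_WINDOW), ("anomalous", ANOMALOUS_WINDOW)):
        rare_count, abnormal = judge_window(model, win)
        print("%s window: %d rare subsequences, abnormal=%s" % (name, rare_count, abnormal))
```

In the anomalous window the first two and the last subsequence still match learned contexts, so exactly 5 of the 8 subsequences are rare and the window crosses the 50% line; the judgement is what step 5 would act on, after the user review the patent describes.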
Step 5: establishing the abnormal behavior response module; the response modes include alarm, mail, blocking and the like. Because the packet capturing mode proposed here is a bypass (out-of-band) tap, a bypass blocking method can be used: when abnormal behavior is found, a TCP RST packet is built from the layer 3 and layer 4 information of the request and used to block it. Blocking must be used with caution, otherwise normal operation is affected and even a major accident may be caused.
In this scheme, a relatively complex but efficient application identification method is used, so that the Ethernet IP protocol is not identified by port alone, which improves accuracy. The Ethernet IP protocol generally interacts over long connections; the method handles these in a special way to improve the accuracy and reliability of detection and avoids the shortcoming of common intrusion detection systems (which reassemble only part of the packets of a session and discard the rest). The Ethernet IP industrial control protocol is parsed in fine detail, down to the related call parameters, including the user-defined parts (mainly the embedded services and their request paths). A behavior baseline is established for the Ethernet IP protocol, and the baseline is checked against actual data using the probability suffix tree (PST) method; these checks are unsupervised and therefore do not require pre-training of the model. A manual intervention step is introduced into the check results to avoid the risk caused by deviations in those results, and this part mainly provides visualization means. Finally, because the protocol is generally carried over TCP, serious deviations are blocked by the bypass method, mainly by sending RST packets.
It should be noted that the above-mentioned embodiments are not intended to limit the scope of the present invention, and all equivalent modifications and substitutions based on the above-mentioned technical solutions are within the scope of the present invention as defined in the claims.

Claims (6)

1. A safety detection method based on an Ethernet IP industrial control protocol is characterized by comprising the following steps:
step 1: establishing a network data packet capturing module;
step 2: establishing a data analysis module;
step 3: establishing a data learning module;
step 4: establishing a behavior validity judging module;
step 5: establishing a behavior abnormity response module.
2. The Ethernet IP industrial control protocol-based security detection method according to claim 1, wherein the step 1: establishing a network data packet capturing module, and acquiring network flow from a network card to decode a link layer, a network layer and a transmission layer; and decoding a related application layer, wherein the application layer comprises related control commands, function codes and data of an industrial control network protocol Ethernet IP.
3. The Ethernet IP industrial control protocol-based security detection method according to claim 2, wherein the step 2: establishing a data analysis module: and analyzing the command of the related Ethernet IP protocol, and analyzing the related function code on the basis of the command analysis.
4. The Ethernet IP industrial control protocol-based security detection method according to claim 3, wherein the step 3: establishing a data learning module: establishing a learning model aiming at the data of the analysis result, wherein the learning content mainly comprises a request command of a client, a related function code and some additional parameters; establishing a probability suffix tree model, wherein the depth of a suffix tree is controlled by parameters, and the suffix tree model comprises 2-3 layers; models were built for common sequences of operations.
5. The Ethernet IP industrial control protocol-based security detection method according to claim 4, wherein the step 4: and establishing a behavior validity judging module, judging the operation sequence of the operation data, judging the operation sequence to be abnormal if the occurrence probability is lower than a threshold value, evaluating the related credibility, and providing a judging process for a user in a graphical method to prompt the user whether to receive in order to improve the model accuracy.
6. The Ethernet IP industrial control protocol-based security detection method according to claim 4, wherein the step 5: and establishing a behavior abnormal response module, and providing response actions such as warning, mail, blocking and the like for abnormal behaviors.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911152920.4A CN111314278A (en) 2019-11-22 2019-11-22 Safety detection method based on Ethernet IP industrial control protocol

Publications (1)

Publication Number Publication Date
CN111314278A true CN111314278A (en) 2020-06-19

Family

ID=71150480

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911152920.4A Pending CN111314278A (en) 2019-11-22 2019-11-22 Safety detection method based on Ethernet IP industrial control protocol

Country Status (1)

Country Link
CN (1) CN111314278A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9516053B1 (en) * 2015-08-31 2016-12-06 Splunk Inc. Network security threat detection by user/user-entity behavioral analysis
CN108234430A (en) * 2016-12-22 2018-06-29 China Aerospace Systems Engineering Co., Ltd. An abnormal traffic monitoring method for distributed control systems
CN109167796A (en) * 2018-09-30 2019-01-08 Zhejiang University A deep packet inspection platform based on industrial SCADA systems

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Yang An et al., "Anomaly detection algorithm for industrial control systems based on the fusion of information flow and state flow" (基于信息流和状态流融合的工控系统异常检测算法), Journal of Computer Research and Development (计算机研究与发展) *
Wang Yusheng, "Research on intrusion detection and analysis methods for Modbus_TCP industrial control networks" (基于Modbus_TCP工业控制网络入侵检测分析方法研究), China Master's Theses Full-text Database, Information Science and Technology (中国优秀硕士学位论文全文数据库 信息科技辑) *
Zheng Qi et al., "Research on the application of probabilistic suffix trees in intrusion detection" (概率后缀树在入侵检测中的应用研究), Computer Engineering and Applications (计算机工程与应用) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115604040A (en) * 2022-12-16 2023-01-13 State Grid Jiangsu Electric Power Co., Ltd. Information and Communication Branch (CN) Abnormal access behavior identification method based on IP access sequence
CN115604040B (en) * 2022-12-16 2023-03-10 State Grid Jiangsu Electric Power Co., Ltd. Information and Communication Branch Abnormal access behavior identification method based on IP access sequence

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200619