CN111404920B - Anomaly detection method applied to industrial control environment - Google Patents


Info

Publication number
CN111404920B
Authority
CN
China
Prior art keywords
communication
data packet
received
communication connection
abnormal information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010170200.7A
Other languages
Chinese (zh)
Other versions
CN111404920A (en)
Inventor
谢东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sichuan Yingdesaike Technology Co ltd
Original Assignee
Sichuan Yingdesaike Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sichuan Yingdesaike Technology Co ltd
Priority to CN202010170200.7A
Publication of CN111404920A
Application granted
Publication of CN111404920B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)

Abstract

The invention discloses an anomaly detection method applied to an industrial control environment, which comprises the following steps: step 1, establishing an environment baseline by autonomous learning based on the production field network environment; the environment baseline comprises a production field device set, a communication connection set, a communication protocol set, a connection data packet set and a communication content set; step 2, monitoring each communication connection, using the established environment baseline to judge whether the communication devices of the two communicating parties, the communication connection, the communication protocol, the transmitted and received data packets and the contents of the transmitted and received data packets are normal, and issuing abnormal information when an abnormality is detected; step 3, judging whether the received abnormal information is correct abnormal information, and if it is false-alarm abnormal information, marking it as a false alarm and feeding it back to the system for environment baseline calibration. By establishing an environment baseline, the invention performs multi-feature fusion anomaly detection and can detect abnormal communication behavior in the industrial environment.

Description

Anomaly detection method applied to industrial control environment
Technical Field
The invention relates to the technical field of industrial network security, in particular to an anomaly detection method applied to an industrial control environment.
Background
Communication in a power system in an industrial environment is relatively stable. Abnormal communication is sporadic and, when it occurs, mostly corresponds to operation and maintenance activity or to a malicious attack, so the potential threat of such sporadic behavior is huge. With the gradual construction of the ubiquitous power internet of things, the power system is moving towards a new era of the interconnection of everything, the operating environment is gradually shifting from relative independence to power interconnection, and the potential threats it faces are increasing sharply. Most traditional anomaly detection methods are based on industry experience or on a single feature, so the abnormal behaviors they cover are narrow and the methods lack universality.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the above-described problems, an anomaly detection method applied to an industrial control environment is provided.
The technical scheme adopted by the invention is as follows:
An anomaly detection method applied to an industrial control environment, comprising:
step 1, establishing an environment baseline by autonomous learning based on the production field network environment, wherein the environment baseline comprises a production field device set DEV, a communication connection set CONN, a communication protocol set PROTOCOL, a connection data packet set CONNDATA and a communication content set EMBEDDING;
step 2, monitoring each communication connection, using the established environment baseline to judge whether the communication devices of the two communicating parties, the communication connection, the communication protocol, the transmitted and received data packets and the contents of the transmitted and received data packets are normal, and issuing abnormal information when an abnormality is detected;
step 3, judging whether the received abnormal information is correct abnormal information, and if it is false-alarm abnormal information, marking it as a false alarm and feeding it back to the system for environment baseline calibration.
Specifically, the method in step 1 is to capture data packets in the production field network environment and establish the environment baseline by autonomous learning as follows:
(1) constructing the production field device set DEV, using the IP and MAC of each communication device as its unique identifier;
(2) constructing the communication connection set CONN, using the communication server IP, the communication client IP and the service port as the communication connection id;
(3) constructing the communication protocol set PROTOCOL from the communication protocols;
(4) taking the communication connection id as the key and the set of all data packet lengths appearing under that communication connection as the value, constructing a set of <key, value> pairs as the connection data packet set CONNDATA;
(5) taking the communication connection id and the data packet length as the key and the list of word vector matrices corresponding to the text content of the data packets as the value, constructing a set of <key, value> pairs as the communication content set EMBEDDING.
Specifically, the method for determining whether the communication device is normal in step 2 includes:
(1) parsing the IP and MAC of the communication server, and judging whether the parsed IP and MAC of the communication server exist in the production field device set DEV;
(2) parsing the IP and MAC of the communication client, and judging whether the parsed IP and MAC of the communication client exist in the production field device set DEV;
(3) if the parsed IP and MAC of the communication server and the parsed IP and MAC of the communication client both exist in DEV, the communication device is judged to be normal; otherwise, abnormal information is issued.
Specifically, the method for determining whether the communication connection is normal in step 2 includes: parsing the IP of the communication server, the IP of the communication client and the service port, constructing the communication connection id, judging whether the communication connection id exists in the communication connection set CONN, and if not, issuing abnormal information.
Specifically, the method for determining whether the communication protocol is normal in step 2 includes: detecting whether the communication protocol used by the two communicating parties exists in the communication protocol set PROTOCOL, and if not, issuing abnormal information.
Specifically, the method for determining whether the transmitted and received data packets are normal in step 2 includes:
(1) parsing the IP of the communication server, the IP of the communication client and the service port, and constructing the communication connection id; using the communication connection id to obtain the corresponding data packet length set DATASET from the connection data packet set CONNDATA;
(2) obtaining the length of the data packet transmitted and received on the communication connection, detecting whether that length exists in the data packet length set DATASET, and if not, issuing abnormal information.
Specifically, the method for determining whether the contents of the transmitted and received data packets are normal in step 2 is as follows:
(1) parsing the IP of the communication server, the IP of the communication client and the service port, and constructing the communication connection id;
(2) obtaining the length of the data packet transmitted and received on the communication connection;
(3) using the constructed communication connection id and the obtained data packet length to obtain the corresponding word vector matrix list VECTORS from the communication content set EMBEDDING;
(4) converting the text content of the transmitted and received data packet into a word vector matrix VECTOR_CONCURRENT, judging whether the word vector matrix list VECTORS contains the word vector matrix VECTOR_CONCURRENT, and if not, issuing abnormal information.
Specifically, the method for calibrating the environment baseline in step 3 includes:
(1) if the received false-alarm information is that the communication device was judged to be an illegally accessed device, the IP and MAC of the communication device are stored, as its unique identifier, in the production field device set DEV;
(2) if the received false-alarm information is that the communication connection was judged to be an illegal connection, the communication connection id is stored in the communication connection set CONN;
(3) if the received false-alarm information is that the transmitted and received data packet was judged to be an illegal communication packet, the packet length of the data packet is added to the corresponding data packet length set DATASET in the connection data packet set CONNDATA;
(4) if the received false-alarm information is that the contents of the transmitted and received data packet were judged to be illegal data communication, the word vector matrix VECTOR_CONCURRENT corresponding to the data packet is added to the corresponding word vector matrix list VECTORS in the communication content set EMBEDDING.
In summary, due to the adoption of the technical scheme, the invention has the beneficial effects that:
1. The invention establishes an environment baseline to perform multi-feature fusion anomaly detection, and can detect abnormal communication behavior in the industrial control environment of power transformation plants and stations.
2. The invention is based on the deep anomaly detection of the protocol content, so that the detection is more ready.
3. The invention realizes the maintenance of the environmental baseline in an autonomous learning mode through the automatic baseline calibration.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a flow diagram of an anomaly detection method applied in an industrial control environment in accordance with the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the detailed description and specific examples, while indicating embodiments of the invention, are given by way of illustration only, not by way of limitation, i.e., the embodiments described are intended as a selection of the best mode contemplated for carrying out the invention, not as a full mode. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
The system is a panoramic perception intelligent analysis system, and is a system which organically combines behavioristics, an immune network, artificial intelligence and an electric power monitoring system and realizes multidimensional monitoring, intelligent analysis and panoramic display.
As shown in FIG. 1, an anomaly detection method applied to an industrial control environment includes:
step 1, establishing an environment baseline by autonomous learning based on the production field network environment; the environment baseline comprises a production field device set DEV, a communication connection set CONN, a communication protocol set PROTOCOL, a connection data packet set CONNDATA and a communication content set EMBEDDING;
step 2, monitoring each communication connection, using the established environment baseline to judge whether the communication devices of the two communicating parties (namely, a communication client and a communication server), the communication connection, the communication protocol, the transmitted and received data packets and the contents of the transmitted and received data packets are normal, and issuing abnormal information when an abnormality is detected;
step 3, judging whether the received abnormal information is correct abnormal information (this can be judged manually and is generally done by an on-duty manager), and if the received abnormal information is false-alarm abnormal information, marking it as a false alarm and feeding it back to the system for environment baseline calibration.
The features and properties of the present invention are described in further detail below with reference to examples.
1. Establishing an environmental baseline
The method of step 1 is to capture data packets in the production field network environment and establish the environment baseline by autonomous learning as follows:
(1) constructing the production field device set DEV, using the IP and MAC of each communication device as its unique identifier;
(2) constructing the communication connection set CONN, using the communication server IP, the communication client IP and the service port as the communication connection id;
(3) constructing the communication protocol set PROTOCOL from the communication protocols;
(4) taking the communication connection id as the key and the set of all data packet lengths appearing under that communication connection as the value, constructing a set of <key, value> pairs as the connection data packet set CONNDATA;
(5) taking the communication connection id and the data packet length as the key and the list of word vector matrices corresponding to the text content of the data packets as the value, constructing a set of <key, value> pairs as the communication content set EMBEDDING.
In the embodiment of the present invention, the data packets captured in the production field network environment are raw communication packets captured with Wireshark.
2. Monitoring each communication connection
In the embodiment of the invention, each communication connection is monitored by monitoring equipment in the system; the data of each communication connection in the industrial field is captured, converted and then pushed to the message middleware. The real-time stream processing engine Flink pulls the data from the message middleware and groups and windows it by site, monitoring equipment and connection number. When a window is triggered, the anomaly detection interface (which includes the established environment baseline) is invoked to check whether the data within the window, namely the communication devices, communication connections, communication protocols, transmitted and received data packets and the contents of the transmitted and received data packets, is abnormal. The specific steps are as follows:
2.1, the method for judging whether the communication device is normal is as follows:
(1) parsing the IP and MAC of the communication server, and judging whether the parsed IP and MAC of the communication server exist in the production field device set DEV;
(2) parsing the IP and MAC of the communication client, and judging whether the parsed IP and MAC of the communication client exist in the production field device set DEV;
(3) if the parsed IP and MAC of the communication server and the parsed IP and MAC of the communication client both exist in DEV, the communication device is judged to be normal; otherwise, abnormal information is issued.
2.2, the method for judging whether the communication connection is normal is as follows: parsing the IP of the communication server, the IP of the communication client and the service port, constructing the communication connection id, judging whether the communication connection id exists in the communication connection set CONN, and if not, issuing abnormal information. To make it easy to distinguish the communication client from the communication server when a communication connection is established, in the embodiment of the present invention the service port refers to the port of the communication server.
2.3, the method for judging whether the communication protocol is normal is as follows: detecting whether the communication protocol used by the two communicating parties exists in the communication protocol set PROTOCOL, and if not, issuing abnormal information.
2.4, the method for judging whether the transmitted and received data packets are normal is as follows:
(1) parsing the IP of the communication server, the IP of the communication client and the service port, and constructing the communication connection id; using the communication connection id to obtain the corresponding data packet length set DATASET from the connection data packet set CONNDATA;
(2) obtaining the length of the data packet transmitted and received on the communication connection, detecting whether that length exists in the data packet length set DATASET, and if not, issuing abnormal information.
2.5, the method for judging whether the contents of the transmitted and received data packets are normal is as follows:
(1) parsing the IP of the communication server, the IP of the communication client and the service port, and constructing the communication connection id;
(2) obtaining the length of the data packet transmitted and received on the communication connection;
(3) using the constructed communication connection id and the obtained data packet length to obtain the corresponding word vector matrix list VECTORS from the communication content set EMBEDDING;
(4) converting the text content of the transmitted and received data packet into a word vector matrix VECTOR_CONCURRENT, judging whether the word vector matrix list VECTORS contains the word vector matrix VECTOR_CONCURRENT, and if not, issuing abnormal information.
3. Environmental baseline calibration
The method for calibrating the environment baseline in step 3 is as follows:
(1) if the received false-alarm information is that the communication device was judged to be an illegally accessed device, the IP and MAC of the communication device are stored, as its unique identifier, in the production field device set DEV;
(2) if the received false-alarm information is that the communication connection was judged to be an illegal connection, the communication connection id is stored in the communication connection set CONN;
(3) if the received false-alarm information is that the transmitted and received data packet was judged to be an illegal communication packet, the packet length of the data packet is added to the corresponding data packet length set DATASET in the connection data packet set CONNDATA;
(4) if the received false-alarm information is that the contents of the transmitted and received data packet were judged to be illegal data communication, the word vector matrix VECTOR_CONCURRENT corresponding to the data packet is added to the corresponding word vector matrix list VECTORS in the communication content set EMBEDDING.
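The three steps described above (baseline learning, the five per-packet checks, and false-alarm calibration) are shown here as an added Python example; it is not code from the patent. The `embed` function is an assumed stand-in for the word vector matrix, which the description does not specify, and the addresses, port, protocol name and payloads are constructed sample data.

```python
import zlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    server_ip: str
    server_mac: str
    client_ip: str
    client_mac: str
    service_port: int  # port of the communication server
    protocol: str
    payload: str       # text content of the data packet

    @property
    def conn_id(self):
        return (self.server_ip, self.client_ip, self.service_port)

    @property
    def length(self):
        return len(self.payload.encode())


def embed(text):
    """Assumed stand-in for the word vector matrix: one row per token."""
    return tuple((zlib.crc32(tok.encode()), len(tok)) for tok in text.split())


class Baseline:
    def __init__(self):
        self.DEV = set()                    # {(ip, mac)}
        self.CONN = set()                   # {conn_id}
        self.PROTOCOL = set()               # {protocol name}
        self.CONNDATA = defaultdict(set)    # conn_id -> {packet lengths}
        self.EMBEDDING = defaultdict(list)  # (conn_id, length) -> [matrices]

    def learn(self, pkt):
        """Step 1: fold one captured packet into the five baseline sets."""
        self.DEV.update({(pkt.server_ip, pkt.server_mac), (pkt.client_ip, pkt.client_mac)})
        self.CONN.add(pkt.conn_id)
        self.PROTOCOL.add(pkt.protocol)
        self.CONNDATA[pkt.conn_id].add(pkt.length)
        vectors = self.EMBEDDING[(pkt.conn_id, pkt.length)]
        if embed(pkt.payload) not in vectors:
            vectors.append(embed(pkt.payload))

    def detect(self, pkt):
        """Step 2: return a (kind, value) alert for every check that fails."""
        alerts = []
        for ident in ((pkt.server_ip, pkt.server_mac), (pkt.client_ip, pkt.client_mac)):
            if ident not in self.DEV:
                alerts.append(("device", ident))
        if pkt.conn_id not in self.CONN:
            alerts.append(("connection", pkt.conn_id))
        if pkt.protocol not in self.PROTOCOL:
            alerts.append(("protocol", pkt.protocol))
        if pkt.length not in self.CONNDATA.get(pkt.conn_id, ()):
            alerts.append(("length", (pkt.conn_id, pkt.length)))
        key = (pkt.conn_id, pkt.length)
        if embed(pkt.payload) not in self.EMBEDDING.get(key, ()):
            alerts.append(("content", (key, embed(pkt.payload))))
        return alerts

    def calibrate(self, alert):
        """Step 3: an operator marked `alert` a false alarm; widen the baseline."""
        kind, value = alert
        if kind == "device":
            self.DEV.add(value)
        elif kind == "connection":
            self.CONN.add(value)
        elif kind == "length":
            self.CONNDATA[value[0]].add(value[1])
        elif kind == "content":
            self.EMBEDDING[value[0]].append(value[1])
        else:
            return False  # the description gives no calibration rule for protocol
        return True


# Constructed sample traffic; the protocol name and port are hypothetical.
SRV = ("192.0.2.10", "02:00:00:00:00:10")
HMI = ("192.0.2.20", "02:00:00:00:00:20")
TRAINING = [Packet(*SRV, *HMI, 9000, "demo-text", text) for text in
            ("READ MEASURED 1001", "READ MEASURED 1002", "SET BREAKER 7 OPEN")]


def demo():
    base = Baseline()
    for pkt in TRAINING:
        base.learn(pkt)
    known = base.detect(TRAINING[0])
    rogue = base.detect(Packet(*SRV, "192.0.2.66", "02:00:00:00:00:66",
                               9000, "demo-text", "SET BREAKER 7 OPEN"))
    novel = Packet(*SRV, *HMI, 9000, "demo-text", "READ MEASURED 1003")
    before = base.detect(novel)
    for alert in before:
        base.calibrate(alert)  # operator feedback: false alarm
    return known, [k for k, _ in rogue], [k for k, _ in before], base.detect(novel)
```

An unknown client trips the device, connection, length and content checks at once, because the last three are keyed on the connection id; a new payload on a known connection trips only the content check until it is calibrated in.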
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (7)

1. An anomaly detection method applied to an industrial control environment, comprising:
step 1, establishing an environment baseline by adopting an autonomous learning mode based on a production field network environment; the environment baseline comprises a production field device set DEV, a communication connection set CONN, a communication protocol set PROTOCOL, a connection data packet set CONNDATA and a communication content set EMBEDDING;
step 2, monitoring each communication connection, judging whether the communication devices, the communication connections, the communication protocols, the data packets to be sent and received and the contents of the data packets to be sent and received of the two communication parties are normal or not by utilizing the established environment baseline, and sending out abnormal information when monitoring abnormality;
step 3, judging whether the received abnormal information is correct abnormal information, if the received abnormal information is false-alarm abnormal information, marking the abnormal information as false alarm and feeding back the abnormal information to a system for environment baseline calibration;
the method of step 1 is to capture the data packets in the network environment of the production site, and adopts the mode of autonomous learning, and establishes the environment baseline by the following method:
(1) constructing a production field device set DEV using the IP and MAC of the communication device as unique identifiers;
(2) establishing a communication connection set CONN by taking a communication server IP, a communication client IP and a service port as communication connection ids;
(3) constructing a communication protocol set PROTOCOL by using the communication protocols;
(4) taking the communication connection id as a key, and taking all data packet length sets appearing under the communication connection as values to construct a <key, value> set as a connection data packet set CONNDATA;
(5) taking the communication connection id and the length of the data packet as keys, and taking a word vector matrix list corresponding to the text content of the data packet as a value to construct a <key, value> set as a communication content set EMBEDDING.
2. The abnormality detection method applied to an industrial control environment according to claim 1, wherein the method of determining whether the communication device is normal in step 2 is:
(1) analyzing the IP and MAC of the communication server, and judging whether the analyzed IP and MAC of the communication server exist in a production field device set DEV or not;
(2) analyzing the IP and MAC of the communication client, and judging whether the analyzed IP and MAC of the communication client exist in a production field device set DEV or not;
(3) if the analyzed IP and MAC of the communication server and the analyzed IP and MAC of the communication client exist in the DEV, the communication device is judged to be normal, and if not, abnormal information is sent out.
3. The abnormality detection method applied to an industrial control environment according to claim 1, wherein the method of determining whether the communication connection is normal in step 2 is: analyzing the IP of the communication server, the IP of the communication client and the service port, constructing a communication connection id, judging whether the communication connection id exists in a communication connection set CONN, and if not, sending abnormal information.
4. The abnormality detection method applied to the industrial control environment according to claim 1, wherein the method of determining whether the communication protocol is normal in step 2 is: detecting whether the communication protocols adopted by the two communication parties exist in the communication protocol set PROTOCOL, and if not, sending abnormal information.
5. The abnormality detection method applied to an industrial control environment according to claim 1, wherein the method of determining whether the transmitted and received data packet is normal in step 2 is:
(1) analyzing the IP of the communication server, the IP of the communication client and the service port, and constructing a communication connection id; acquiring a data packet length set DATASET corresponding to the communication connection id from a connection data packet set CONNDATA according to the communication connection id;
(2) acquiring the length of the data packet sent and received in the communication connection, detecting whether the length of the data packet exists in a data packet length set DATASET, and if not, sending abnormal information.
6. The anomaly detection method applied to the industrial control environment according to claim 1, wherein the method for judging whether the contents of the transmitted and received data packets are normal in step 2 is as follows:
(1) analyzing the IP of the communication server, the IP of the communication client and the service port, and constructing a communication connection id;
(2) acquiring the length of a data packet sent and received in the communication connection;
(3) acquiring a corresponding word vector matrix list VECTORS from a communication content set EMBEDDING according to the constructed communication connection id and the acquired data packet length;
(4) converting the text content of the transmitted and received data packet into a word vector matrix VECTOR_CONCURRENT, judging whether the word vector matrix list VECTORS contains the word vector matrix VECTOR_CONCURRENT or not, and if not, sending abnormal information.
7. The anomaly detection method applied to the industrial control environment according to claim 1, wherein the method for calibrating the environmental baseline in step 3 is as follows:
(1) if the received false alarm information is that the communication device is judged to be illegal access equipment, the IP and the MAC of the communication device are used as unique identifiers and are stored into a production field device set DEV;
(2) if the received false alarm information is that the communication connection is judged to be illegal, storing the communication connection id into a communication connection set CONN;
(3) if the received false alarm information is that the sent and received data packet is judged to be an illegal communication packet, adding the packet length of the data packet to a corresponding data packet length set DATASET in a connection data packet set CONNDATA;
(4) if the received false alarm information is that the contents of the data packet sent and received are judged to be illegal data communication, adding a word vector matrix VECTOR_CONCURRENT corresponding to the data packet into a word vector matrix list VECTORS corresponding to a communication content set EMBEDDING.
CN202010170200.7A 2020-03-12 2020-03-12 Anomaly detection method applied to industrial control environment Active CN111404920B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010170200.7A CN111404920B (en) 2020-03-12 2020-03-12 Anomaly detection method applied to industrial control environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010170200.7A CN111404920B (en) 2020-03-12 2020-03-12 Anomaly detection method applied to industrial control environment

Publications (2)

Publication Number Publication Date
CN111404920A CN111404920A (en) 2020-07-10
CN111404920B true CN111404920B (en) 2022-05-27

Family

ID=71430711

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010170200.7A Active CN111404920B (en) 2020-03-12 2020-03-12 Anomaly detection method applied to industrial control environment

Country Status (1)

Country Link
CN (1) CN111404920B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106921676A (en) * 2017-04-20 2017-07-04 电子科技大学 A kind of intrusion detection method based on OPCClassic
CN110324316A (en) * 2019-05-31 2019-10-11 河南恩湃高科集团有限公司 A kind of industry control anomaly detection method based on a variety of machine learning algorithms

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
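Research on Intrusion Detection Technology for Industrial Control Systems; 刘灿成; China Excellent Master's Theses Full-text Database, Information Science and Technology; 20180215; main text, chapters 2-5 *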

Also Published As

Publication number Publication date
CN111404920A (en) 2020-07-10

Similar Documents

Publication Publication Date Title
US11399288B2 (en) Method for HTTP-based access point fingerprint and classification using machine learning
US8065722B2 (en) Semantically-aware network intrusion signature generator
CN113364752B (en) Flow abnormity detection method, detection equipment and computer readable storage medium
CN106921676B (en) Intrusion detection method based on OPCClasic
WO2019200944A1 (en) Physical intrusion attack detection method for industrial control system based on serial communication bus signal analysis
CN105323247A (en) Intrusion detection system for mobile terminal
CN114050979B (en) Industrial control protocol safety test system and device
CN109347880A (en) A kind of safety protecting method, apparatus and system
KR20190017208A (en) Apparatus for serial port based cyber security vulnerability assessment and method for the same
CN114448830B (en) Equipment detection system and method
CN110266680B (en) Industrial communication anomaly detection method based on dual similarity measurement
CN114611576B (en) Accurate identification method for terminal equipment in power grid
CN112783602A (en) Sensitive data discovery and detection method and system
CN105721514A (en) User device, cloud server and shared link identification method thereof
CN112699378A (en) Industrial control equipment vulnerability detection system and method
Berthier et al. On the practicality of detecting anomalies with encrypted traffic in AMI
CN109474540B (en) Method and device for identifying OPC (optical proximity correction) flow
CN111404920B (en) Anomaly detection method applied to industrial control environment
US20210152587A1 (en) Method and system to detect abnormal message transactions on a network
CN117375957A (en) Industrial control flow analysis system and equipment
EP3985920A1 (en) Network traffic analysis
CN111212022A (en) OPC data transmission system and method capable of penetrating firewall
CN116668259A (en) Method and apparatus for detecting anomalies in infrastructure in a network
CN109379356A (en) The method and device of automatic capture cpu attack message
CN114579961A (en) Sensitive data identification method based on multi-industry detection rules and related device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 1101, 11 / F, unit 2, building 1, No. 777, north section of Yizhou Avenue, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu 610041

Applicant after: SICHUAN YINGDESAIKE TECHNOLOGY Co.,Ltd.

Address before: No.1, 3 / F, building 1, No.366, Hupan Road north section, Tianfu New District, Chengdu, Sichuan 610041

Applicant before: SICHUAN YINGDESAIKE TECHNOLOGY Co.,Ltd.

GR01 Patent grant