CN111431752A - Safety detection method based on adaptive flow control - Google Patents
- Publication number: CN111431752A (application CN202010250979.3A)
- Authority: CN (China)
- Prior art keywords: flow, task, adaptive, detection, scheduling
- Prior art date
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
All under H04L (electricity; electric communication technique; transmission of digital information, e.g. telegraphic communication):
- H04L41/147: Network analysis or design for predicting network behaviour (H04L41/00, arrangements for maintenance, administration or management of data switching networks; H04L41/14, network analysis or design)
- H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
- H04L43/0876: Network utilisation, e.g. volume of load or congestion level (H04L43/00, arrangements for monitoring or testing data switching networks; H04L43/08, monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters)
- H04L43/16: Threshold monitoring
- H04L47/50: Queue scheduling (H04L47/00, traffic control in data switching networks)
Abstract
The invention relates to the field of industrial control security, and in particular to a security detection method based on adaptive traffic control. Current active fingerprinting tools mostly scan in multitask mode and throttle the probe traffic they introduce only by capping the number of processes or threads; since nothing but the process or thread count is limited, the control granularity is coarse and the throttling has no foresight. The method comprises adaptive scheduling, traffic prediction and real-time network traffic monitoring, where traffic prediction comprises four steps: data cleaning, feature selection, model building and model training. Device fingerprinting built on this method does not interfere with the service traffic of the industrial control system, produces no traffic peaks and keeps the traffic rate stable.
Description
Technical Field
The invention relates to the field of industrial control security, and in particular to a security detection method based on adaptive traffic control.
Background
In industrial control security, device fingerprinting is a technique for describing the devices or software running in a network by means of the information they expose. A device fingerprint contains the hardware, the operating system, the running software with its version numbers, and the configuration parameters used to identify the device.
Device fingerprinting is divided into active and passive methods. Active fingerprinting requires the detection system to send various industrial protocol messages into the target network in order to obtain information, and the traffic introduced by active scanning can make the network busy and overload the scanned systems; passive fingerprinting introduces as little network interference as possible, but its fingerprints are less accurate.
Current active fingerprinting tools mostly scan in multitask mode and, to avoid affecting the normal service of the scanned industrial control network, limit the probe packets they introduce by capping the number of processes or threads. Capping the process or thread count alone gives coarse control and has no foresight: it cannot prevent the probe traffic from bursting during detection and harming the service of the industrial control system under test. The Modbus and DNP3 protocols are a case in point: both are fingerprinted by polling their function codes, which can produce a burst of probe traffic within a short period; and the introduced traffic rate grows with the number of devices being probed.
Disclosure of Invention
1. Purpose:
A device fingerprinting method with adaptive traffic control driven by traffic prediction, so that fingerprinting does not interfere with the service traffic of the industrial control system, produces no traffic peaks and keeps the traffic rate stable.
2. Technical scheme:
When a detection task is about to be scheduled, a predicted traffic value for the new task is obtained from the prediction server according to the task's industrial protocol type and the number of network hosts, the real-time traffic at the egress of the detection system's network port is read, and the two values decide whether the task is scheduled now. The core function is adaptive scheduling; traffic prediction and real-time monitoring of the network port egress traffic are auxiliary functions:
1) Traffic prediction predicts how much traffic the task to be scheduled will newly introduce into the scanned network.
2) Real-time monitoring measures the egress traffic of the network port in real time and supplies it to the adaptive scheduling function.
3) Adaptive scheduling schedules the scanning tasks; the scheduling algorithm is based on the current measured egress traffic and the predicted traffic of the new task.
A security detection method based on adaptive traffic control comprises adaptive scheduling, traffic prediction and real-time network traffic monitoring. Adaptive scheduling specifically comprises:
(1) When device fingerprinting starts, an initial task queue is created; each task in the queue consists of the industrial protocol type to probe, the target device IP and the port number. A threshold R is set for the egress traffic of the network port, and a hysteresis value Y (the "return difference") is derived from R and experience. The current egress traffic, measured in real time, is denoted C, and the traffic predicted to be introduced by a new detection task is denoted N.
Y is set manually to 90% of R or 80% of R. Keeping Y below R creates a band between Y and R in which no new task is started, so traffic that has climbed towards R must fall back below Y before scheduling resumes, which prevents the scheduler from oscillating around the threshold.
(2) If the measured egress traffic C is below Y, proceed to the next step; otherwise suspend the scheduling of new tasks, leave the task in the queue, wait 1 second and return to the start of the scheduling loop.
(3) If C is below Y, take a new task from the queue and obtain the traffic N it would introduce from the prediction service interface.
(4) If C + N exceeds the egress threshold R, the task is not processed: it is inserted back into the queue and the next task is taken for prediction.
(5) If C + N is below R, check whether an idle thread exists; if so, schedule the new task on it directly; if not, and the work queue has not reached its maximum, create a thread to execute the new task. The text does not say what happens when no thread is idle and the work queue is already at its maximum, nor how the case C + N = R is treated.
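The scheduling loop above, as an added example in Python that is not the patent's own code: the traffic monitor and the prediction service are simulated in-process, the per-protocol traffic estimates and the `max_workers` limit are assumed values, and the two points the text leaves open are handled explicitly and flagged as assumptions in the comments: a task whose predicted traffic fits under R but for which no thread is available goes back to the queue, and a dispatched task's predicted traffic is added to C immediately so that one pass cannot overshoot R.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Optional


@dataclass(frozen=True)
class ProbeTask:
    """One entry of the initial task queue: protocol type, target IP, port."""
    protocol: str
    ip: str
    port: int


# Assumed per-task traffic estimates in bytes/s, standing in for the prediction
# service interface (the text predicts N from the task type and host count).
ASSUMED_PREDICTION = {"modbus": 150_000, "dnp3": 250_000, "s7comm": 80_000}


def predict_new_traffic(task: ProbeTask) -> int:
    return ASSUMED_PREDICTION[task.protocol]


class AdaptiveScheduler:
    def __init__(self, threshold_r: int, hysteresis_ratio: float = 0.9,
                 max_workers: int = 4,
                 predict: Callable[[ProbeTask], int] = predict_new_traffic):
        self.R = threshold_r                          # egress traffic threshold R
        self.Y = int(hysteresis_ratio * threshold_r)  # hysteresis value Y = 90% R or 80% R
        self.max_workers = max_workers                # assumed work-queue maximum
        self.predict = predict
        self.queue: Deque[ProbeTask] = deque()        # step (1): the task queue
        self.idle_threads = 0                         # threads that finished a task
        self.created_threads = 0                      # threads created so far
        self.running: List[ProbeTask] = []

    def submit(self, *tasks: ProbeTask) -> None:
        self.queue.extend(tasks)

    def _acquire_thread(self) -> bool:
        """Step (5): reuse an idle thread, else create one below the maximum."""
        if self.idle_threads > 0:
            self.idle_threads -= 1
            return True
        if self.created_threads < self.max_workers:
            self.created_threads += 1
            return True
        return False

    def tick(self, current_c: int) -> Optional[List[ProbeTask]]:
        """One pass of the scheduling loop for a measured egress traffic C.

        Returns None when scheduling is suspended (C >= Y, step 2: the caller
        waits 1 s and calls tick() again), otherwise the tasks dispatched.
        """
        if current_c >= self.Y:
            return None
        c = current_c
        dispatched: List[ProbeTask] = []
        for _ in range(len(self.queue)):            # step (3): walk the queue once
            task = self.queue.popleft()
            n = self.predict(task)
            if c + n > self.R:                      # step (4): would exceed R (C + N == R is allowed here)
                self.queue.append(task)
                continue
            if not self._acquire_thread():          # assumption: no thread available -> requeue
                self.queue.append(task)
                continue
            self.running.append(task)
            dispatched.append(task)
            c += n   # assumption: count the new task's traffic against R at once
        return dispatched

    def complete(self, task: ProbeTask) -> None:
        """Called when a probe finishes; its thread becomes idle for reuse."""
        self.running.remove(task)
        self.idle_threads += 1
```

A caller runs `tick()` once per second against the monitor's latest reading; a `None` result is the "wait 1 second and retry" branch, while a dispatched list is the set of probes started in that pass.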
Traffic prediction specifically comprises four steps: step one, data cleaning; step two, feature selection; step three, model building; step four, model training.
Step one, data cleaning: the prediction server continuously collects test data and stores it in a database, and the data is cleaned by removing records with collection or storage anomalies, such as null values.
Step two, feature selection: the type of the detection task and the number of detected devices are used as features.
Step three, model building: a model is obtained from the database, trained on the large volume of collected historical data, and exposed as a prediction service to the adaptive scheduling module.
Step four, model training: the model is stored and written to the database, and the database outputs training data back to step one for cleaning, closing the training loop.
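The four prediction steps, as an added example in Python that is not the patent's own code: the historical records are constructed, the model is an assumed per-protocol least-squares line of introduced traffic against device count (the text does not say which model family is used), and `observe()` plays the closed loop in which a measured result is written back to the history and the model is retrained.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Record = Tuple[Optional[str], Optional[int], Optional[int]]

# Constructed history as the prediction server would store it:
# (detection task type, number of detected devices, measured introduced traffic
# in bytes/s). The None values and the negative byte count stand for collection
# or storage anomalies that step one must remove.
HISTORY: List[Record] = [
    ("modbus", 10, 120_000), ("modbus", 20, 220_000), ("modbus", 40, 420_000),
    ("modbus", None, 300_000), ("modbus", 30, None),
    ("dnp3", 5, 100_000), ("dnp3", 10, 200_000), ("dnp3", 20, 400_000),
    ("dnp3", 15, -1),
]


def clean(records: List[Record]) -> List[Tuple[str, int, int]]:
    """Step one: drop records with null fields or impossible values."""
    kept = []
    for proto, hosts, traffic in records:
        if proto is None or hosts is None or traffic is None:
            continue
        if hosts <= 0 or traffic <= 0:
            continue
        kept.append((proto, hosts, traffic))
    return kept


def select_features(records: List[Tuple[str, int, int]]) -> Dict[str, List[Tuple[int, int]]]:
    """Step two: features are (task type, device count), traffic is the label.
    Records are grouped by task type so each protocol gets its own line."""
    groups: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for proto, hosts, traffic in records:
        groups[proto].append((hosts, traffic))
    return groups


def fit_line(points: List[Tuple[int, int]]) -> Tuple[float, float]:
    """Ordinary least squares for traffic = slope * hosts + intercept."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx if sxx else 0.0   # only one distinct host count: flat line
    return slope, mean_y - slope * mean_x


class TrafficPredictor:
    """Prediction service: steps three and four on top of the cleaned history."""

    def __init__(self, records: List[Record]):
        self.history: List[Record] = list(records)
        self.model: Dict[str, Tuple[float, float]] = {}
        self.train()

    def train(self) -> None:
        """Step three: build one model per task type from the cleaned history."""
        self.model = {proto: fit_line(pts)
                      for proto, pts in select_features(clean(self.history)).items()}

    def predict(self, proto: str, hosts: int) -> Optional[float]:
        """Traffic N a new task of this type against `hosts` devices will introduce.
        Returns None when no history exists for the protocol; the scheduler
        must then hold the task rather than assume zero traffic."""
        if proto not in self.model:
            return None
        slope, intercept = self.model[proto]
        return max(0.0, slope * hosts + intercept)

    def observe(self, proto: str, hosts: int, traffic: int) -> None:
        """Step four (closed loop): store the measured result and retrain."""
        self.history.append((proto, hosts, traffic))
        self.train()
```

The grouping by task type matters: a single regression over all protocols would let Modbus history shape DNP3 predictions, and a protocol with no history returns `None` instead of a silently optimistic estimate.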
Real-time network traffic monitoring specifically comprises: obtaining the real-time traffic from the network traffic monitoring module for use in scheduling, and writing it to the database.
3. Effect:
Device fingerprinting based on this method does not interfere with the service traffic of the industrial control system, produces no traffic peaks and keeps the traffic rate stable.
An industrial security detection system based on this method was deployed on a laboratory network; in practice the network traffic stayed stable and no device stopped responding while the network devices were being probed.
Drawings
FIG. 1: module relationship diagram
FIG. 2: adaptive scheduling diagram
FIG. 3: schematic diagram of the traffic prediction service
FIG. 4: partial schematic diagram of the probe task scheduling flow in an embodiment of the invention
Detailed Description
Referring to the module relationship diagram of fig. 1, the whole system comprises an adaptive scheduling module, a traffic prediction service and a real-time monitoring module for the network port egress traffic. The core module is the adaptive scheduler, which obtains a traffic prediction through an interface to the prediction service and a real-time traffic value from the monitoring module, and uses both for scheduling. The detection method specifically comprises the following steps:
1) Building the traffic prediction service, shown in the schematic of fig. 3: the prediction server continuously collects test data and stores it in a database; the data is cleaned (records with collection or storage anomalies, such as null values, are removed); a prediction model is built with the detection task type and the number of detected devices as features; the model is trained on the collected historical data and provides a prediction service to the adaptive scheduling module.
2) The adaptive scheduling flow, shown in the adaptive scheduling diagram of fig. 2 and the device fingerprinting task scheduling flow of fig. 4: when device fingerprinting starts, an initial task queue is created in which each task holds the industrial protocol type to probe, the IP of the target device and the port number. A threshold R is set for the egress traffic of the network port (the solid line in fig. 2) and a hysteresis value Y is derived from R and experience (the dashed line in fig. 2); Y is set to 90% R or 80% R, and this choice affects scheduling efficiency, since a lower Y keeps new tasks paused longer once traffic has approached R. If the current measured traffic C is below Y, scheduling proceeds; otherwise no new task is scheduled, the task stays in the queue, and after a 1 second wait the loop returns to its starting point. When C is below Y, a new task is taken from the queue and the traffic N it will introduce is obtained from the prediction service interface. If C + N exceeds R, the task is not processed but reinserted into the queue, and the next task is taken for prediction. If C + N is below R, the scheduler checks for an idle thread: if one exists, the new task is scheduled on it directly; if none exists and the work queue has not reached its maximum, a thread is created to execute the new task.
Claims (8)
1. A safety detection method based on adaptive flow control, characterized in that it comprises adaptive scheduling, traffic prediction and real-time network traffic monitoring, wherein the adaptive scheduling specifically comprises:
(1) when device fingerprinting starts, creating an initial task queue in which each task comprises the industrial protocol type to probe, the target device IP and the port number; setting a threshold R for the egress traffic of the network port; deriving a hysteresis value Y from the threshold R and experience; measuring the current egress traffic of the network port in real time as C; and predicting the traffic introduced by a new detection task as N;
(2) if the measured egress traffic C of the network port is below the hysteresis value Y, proceeding to the next step; otherwise suspending the scheduling of new tasks, leaving the task in the task queue, waiting 1 second and returning to the start of scheduling;
(3) if the measured egress traffic C of the network port is below the hysteresis value Y, taking a new task from the task queue and predicting the traffic N introduced by the new detection task through the prediction service interface;
(4) if the sum of the measured egress traffic C and the predicted traffic N of the new detection task exceeds the set egress threshold R of the network port, not processing the task, inserting it back into the task queue and selecting the next task for prediction;
(5) if the sum of the measured egress traffic C and the predicted traffic N of the new detection task is below the set egress threshold R of the network port, checking whether an idle thread exists; if so, scheduling the new task directly; if not, and the work queue has not reached its maximum, creating a thread to execute the new task.
2. The security detection method based on adaptive flow control according to claim 1, characterized in that the traffic prediction specifically comprises: step one, data cleaning; step two, feature selection; step three, model building; step four, model training.
3. The security detection method based on adaptive flow control according to claim 2, characterized in that step one, data cleaning, comprises: the prediction server continuously collects test data and stores it in a database, and the data is cleaned by removing records with collection or storage anomalies, such as null values.
4. The security detection method based on adaptive flow control according to claim 2, characterized in that step two, feature selection, comprises: using the type of the detection task and the number of detected devices as features.
5. The security detection method based on adaptive flow control according to claim 2, characterized in that step three, model building, comprises: obtaining a model from the database, training it on the collected historical data, and providing a prediction service to the adaptive scheduling module.
6. The security detection method based on adaptive flow control according to claim 2, characterized in that step four, model training, comprises: storing the model and writing it to the database, the database outputting training data to step one for data cleaning, so as to form a closed training loop.
7. The security detection method based on adaptive flow control according to claim 1, characterized in that the real-time network traffic monitoring specifically comprises: obtaining the real-time traffic from the network traffic monitoring module for scheduling, and writing the real-time traffic to the database.
8. The security detection method based on adaptive flow control according to claim 1, characterized in that the hysteresis value Y is set manually to 90% of the threshold R or 80% of the threshold R.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010250979.3A CN111431752B (en) | 2020-04-01 | 2020-04-01 | Safety detection method based on adaptive flow control |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111431752A (en) | 2020-07-17 |
CN111431752B (en) | 2023-04-07 |
Family
ID=71550761
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010250979.3A Active CN111431752B (en) | 2020-04-01 | 2020-04-01 | Safety detection method based on adaptive flow control |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111431752B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112367290A (en) * | 2020-09-11 | 2021-02-12 | Zhejiang University (浙江大学) | Endogenous safe WAF construction method |
CN116112399A (en) * | 2022-12-23 | 2023-05-12 | China Nuclear Power Operation Technology Corporation (中核武汉核电运行技术股份有限公司) | Industrial control network flow analysis system |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008104100A1 (en) * | 2007-02-28 | 2008-09-04 | Zte Corporation | An apparatus and a method for realizing flow control based on rate restrict for mstp device |
CN101695050A (en) * | 2009-10-19 | 2010-04-14 | Inspur Electronic Information Industry Co., Ltd. (浪潮电子信息产业股份有限公司) | Dynamic load balancing method based on self-adapting prediction of network flow |
CN102025640A (en) * | 2010-12-24 | 2011-04-20 | Beijing Star-Net Ruijie Networks Co., Ltd. (北京星网锐捷网络技术有限公司) | Flow control method, device and network device |
US20130010597A1 (en) * | 2010-04-29 | 2013-01-10 | Thomson Licensing Llc | Coexistence of multiple wireless networks |
CN104753863A (en) * | 2013-12-26 | 2015-07-01 | China Mobile Communications Group (中国移动通信集团公司) | DDoS (Distributed Denial of Service) attack prevention method, device and system |
CN105471759A (en) * | 2016-01-11 | 2016-04-06 | Beijing Baidu Netcom Science and Technology Co., Ltd. (北京百度网讯科技有限公司) | Network traffic scheduling method and apparatus for data centers |
WO2018036094A1 (en) * | 2016-08-25 | 2018-03-01 | Huawei Technologies Co., Ltd. (华为技术有限公司) | Data processing method and physical machine |
Non-Patent Citations (1)
Title |
---|
计国君 (Ji Guojun): "信息流量预测模型及其研究" (Information traffic prediction model and its research), 《厦门大学学报(自然科学版)》 (Journal of Xiamen University, Natural Science Edition) * |
Also Published As
Publication number | Publication date |
---|---|
CN111431752B (en) | 2023-04-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||