CN111431906A - Method, device, system, equipment and storage medium for generating security data set - Google Patents

Info

Publication number: CN111431906A
Application number: CN202010226677.2A
Authority: CN (China)
Prior art keywords: industrial control; control system; attack; data; data set
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Other languages: Chinese (zh)
Inventors: 陶耀东, 徐伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Beijing Shuangpai Zhian Technology Co ltd
Original Assignee: Beijing Shuangpai Zhian Technology Co ltd
Events: application filed by Beijing Shuangpai Zhian Technology Co ltd; priority to CN202010226677.2A; publication of CN111431906A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The invention belongs to the technical field of industrial control, and particularly relates to a method, a device, a system, equipment and a storage medium for generating a security data set. The method for generating the security data set comprises the following steps: sending a preset system attack program to a preset industrial control system to attack the industrial control system; acquiring system data change information of the industrial control system while it is attacked; and integrating the system data change information into a security data set and outputting the security data set. According to the method for generating the security data set provided by the embodiment of the invention, the industrial control system is attacked and its system data change information is collected, so that the industrial control system can be tested and evaluated; at the same time, the system data change information can be formed into a security data set corresponding to the industrial control system, which provides a more complete security data set for further research on the industrial control system.

Description

Method, device, system, equipment and storage medium for generating security data set
Technical Field
The invention belongs to the technical field of industrial control, and particularly relates to a method, a device, a system, equipment and a storage medium for generating a security data set.
Background
With the advance of automation and informatization, industrial control systems are connected ever more tightly to traditional information systems and to the Internet, so the original isolation of the industrial control system is gradually broken and its network and information security problems grow.
Because an industrial control system differs greatly from a traditional information system, with different security requirements, different network architectures, and different software, hardware devices and communication protocols, the security solutions of traditional information systems have difficulty solving the security problems of industrial control systems well.
Therefore, the security data creation methods generally used in the prior art cannot be well adapted to industrial control systems, and a technology capable of forming security data for an industrial control system is lacking.
Disclosure of Invention
The embodiment of the invention aims to provide a security data set generation method that can form an effective security data set for an industrial control system.
The embodiment of the invention is realized in such a way that a method for generating a security data set comprises the following steps:
sending a preset system attack program to a preset industrial control system to attack the industrial control system;
acquiring system data change information of the industrial control system while the industrial control system is attacked, wherein the system data change information comprises at least one of system parameter change information, network flow record information and attacked record information of the industrial control system during the attack process;
and integrating the system data change information into a security data set and outputting the security data set.
It is another object of an embodiment of the present invention to provide a security data set generating apparatus, including:
an attack launching unit, used for sending a preset system attack program to a preset industrial control system to attack the industrial control system;
a data collection unit, used for acquiring system data change information of the industrial control system while the industrial control system is attacked, wherein the system data change information comprises at least one of system parameter change information, network flow record information and attacked record information of the industrial control system during the attack process;
and a data aggregation unit, used for aggregating the system data change information into a security data set and outputting the security data set.
It is another object of an embodiment of the present invention to provide a security data set generation system, including:
an industrial control system; and
the security data set generating apparatus, used for initiating an attack on the industrial control system, collecting data, and generating the security data set of the industrial control system.
It is a further object of embodiments of the present invention to provide a computer device comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, causes the processor to perform the steps of the security data set generation method.
It is a further object of embodiments of the present invention to provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to perform the steps of the security data set generation method.
According to the method for generating the security data set provided by the embodiment of the invention, the industrial control system is attacked and its system data change information is collected, so that the industrial control system can be tested and evaluated; at the same time, the system data change information can be formed into a security data set corresponding to the industrial control system, which provides a more complete security data set for further research on the industrial control system.
Drawings
FIG. 1 is a diagram of the application environment of a security data set generation method provided by an embodiment of the present invention;
FIG. 2 is a flow diagram of a method for generating a security data set provided by an embodiment of the present invention;
FIG. 3 is a flowchart of acquiring system parameter change information according to an embodiment of the present invention;
FIG. 4 is a flowchart of process flow attack program generation provided by an embodiment of the present invention;
FIG. 5 is a flowchart of acquiring network traffic record information according to an embodiment of the present invention;
FIG. 6 is a block diagram of a security data set generating apparatus according to an embodiment of the present invention;
FIG. 7 is a block diagram of the attack preparation module of a security data set generating apparatus according to an embodiment of the present invention;
FIG. 8 is a block diagram of a security data set generation system provided by an embodiment of the present invention;
FIG. 9 is a block diagram showing the internal configuration of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It will be understood that, as used herein, the terms "first," "second," and the like may be used herein to describe various elements, but these elements are not limited by these terms unless otherwise specified. These terms are only used to distinguish one element from another. For example, a first xx script may be referred to as a second xx script, and similarly, a second xx script may be referred to as a first xx script, without departing from the scope of the present application.
FIG. 1 is a diagram of the application environment of a security data set generating method according to an embodiment of the present invention. As shown in FIG. 1, the application environment includes a terminal 110, a computer device 120, and an industrial control system 130.
The terminal 110 may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like.
The computer device 120 may be an independent physical server or terminal, a server cluster formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud servers, cloud databases, cloud storage and a CDN.
Industrial control system 130 is a generic term for the control systems used in manufacturing across a wide variety of industrial application environments. At present, monitoring and data acquisition systems, distributed control systems, process control systems and the like are common, and more specifically, each industry has its own industrial control systems; further description is omitted, since a person skilled in the art can make simple adaptive adjustments according to the actual industrial control system.
In the embodiment of the present invention, the terminal 110, the computer device 120 and the industrial control system 130 may communicate with one another. The security data set generating method may run on the terminal 110 or the computer device 120: the computer device 120 initiates an attack on the industrial control system 130 and collects its system data change information, so that the industrial control system 130 can be tested and evaluated, and the system data change information can be formed into a security data set corresponding to the industrial control system 130, providing a more complete security data set for further research on the industrial control system 130.
Example one
As shown in FIG. 2, in one embodiment, a method for generating a security data set is provided, and the embodiment is mainly illustrated by applying the method to the computer device 120 in FIG. 1. A method for generating a security data set specifically comprises the following steps:
step S202, sending a preset system attack program to a preset industrial control system to attack the industrial control system;
step S204, acquiring system data change information of the industrial control system when the industrial control system is attacked, wherein the system data change information at least comprises one of system parameter change information, network flow record information and attacked record information of the industrial control system in the attacking process;
and step S206, integrating the system data change information into a security data set and outputting the security data set.
In the embodiment of the present invention, the preset system attack program includes at least one of a process flow attack program and a system network protocol attack program, or a combination of the two.
In the embodiment of the present invention, the system parameter change information of the industrial control system during the attack process refers to how the system parameters set for process control in the industrial control system change when the system is attacked; the system parameters may specifically be the values of the individual sensors or actuators in the process.
Specifically, in the embodiment of the present invention, as shown in FIG. 3, when the system data change information is system parameter change information, step S204 may include the following steps:
step S302, acquiring initial system parameter data of the industrial control system before the attack;
step S304, acquiring process system parameter data of the industrial control system after the system attack program has executed each step of its preset attack steps;
and step S306, comparing the initial system parameter data with the process system parameter data to obtain the system parameter change information of the industrial control system while it is attacked.
The system parameters faithfully reflect the operating state of the physical process of the industrial control system, and the configuration software commonly used in industrial control systems can also periodically acquire and record the system parameters by polling. From the point of view of the security data set, acquiring and recording the changes of the system parameters and using them as part of the data set makes every slight change of the physical process checkable, so the influence of an attack can be analysed better; in addition, covert attacks on the physical process can be discovered by data mining of the process parameter records. For example, consider two attack methods, attack A and attack B: attack A interrupts the process, while attack B changes process parameters but the process continues to run. A conventional security data set cannot effectively record these two different kinds of data, and it is difficult to evaluate the damage caused by attack B.
In the embodiment of the present invention, as shown in FIG. 4, in order to test the industrial control system and collect security data in a targeted manner, the method further includes, before step S202:
step S402, acquiring a process flow control program arranged in the industrial control system;
step S404, extracting process flow key parameters according to the process flow control program;
step S406, generating a process flow attack program aimed at the process flow key parameters, wherein the process flow attack program is used for modifying the process flow key parameters.
The process flow control program described in the embodiment of the present invention refers to a program that controls the various process parameters, steps and the like involved in a process flow of the industrial control system; it may specifically be the control program of individual devices, the overall process control program of a production line, and so on. Further process flow control programs to be analysed may be added in the field according to the actual industrial control system, which is not described in detail herein.
Specifically, by attacking the process flow control program of the industrial control system and collecting data such as system parameter changes during the attack, comprehensive data on the influence of the attack on the industrial control system can be effectively formed, making it convenient to form a more complete security data set.
In the embodiment of the present invention, the network traffic record information of the industrial control system during the attack process refers to the traffic records of the network architecture of the industrial control system itself. Specifically, various network protocols may be used in the industrial control system, and attacks on the system are usually carried out over the system's own network protocols.
As described above, in the embodiment of the present invention the preset system attack program may also include a system network protocol attack program. The embodiment mainly uses existing, public or general system network protocol attack programs; these attacks are basically based on the industrial control system network and are implemented by monitoring, tampering with and forging the data packets of the industrial control system. Table 1 below lists the classification of attack methods for an industrial control system using the Modbus protocol given in the embodiment of the present invention, which can be divided into 5 broad categories and 27 attack methods. Those skilled in the art will understand that this is only an illustrative example and not a strict limitation on the industrial control systems to which the embodiment of the present invention is directed.
Table 1: attack method classification for a Modbus-protocol industrial control system (the table appears in the original only as an image and is not reproduced here).
Specifically, in this embodiment of the present invention, as shown in FIG. 5, when the system data change information is network traffic record information, step S204 may include the following steps:
step S502, obtaining system network flow data of the industrial control system;
step S504, extracting the flow log information in the system network flow data, and using the flow log information as the network flow record information.
In this embodiment, the flow log is structured data formed by extracting certain key data and key information from the network flow data; the flow log can completely store the interaction information during the attack, and by extracting the network flow log information from the system's network flow data, data analysis can be performed from multiple angles and multiple aspects, so that the attack can be better discovered.
In one embodiment, the attacked record information specifically includes one or more of attack type, attack start time, attack end time, attack start position and attack path. By recording the attack and bringing the recorded information into the security data set, the security data set helps in quickly understanding the various attributes of the attack and makes it convenient to quickly analyse the attack and the influence it caused on the basis of the security data set.
According to the method for generating the security data set provided by the embodiment of the invention, the industrial control system is attacked, the system parameter change information, network flow record information and attacked record information of the industrial control system while it is attacked are collected, and these three kinds of data are integrated to form the security data set, so that the industrial control system can be tested and evaluated and, at the same time, a more complete security data set is provided for further research on the industrial control system.
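To make the collection and aggregation steps of Example one concrete (steps S302-S306 for the parameter comparison, steps S502-S504 for the flow-log extraction, the attacked record, and their aggregation in step S206), the following Python example is added here; it is not code from the patent or its assignee. The raw traffic line format, the parameter names, the host addresses and all sample values are constructed assumptions, and the data set layout is likewise assumed, since the patent fixes no schema.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json
import re


@dataclass
class AttackRecord:
    """Attacked record information: the attributes the text lists for one attack run."""
    attack_type: str
    start_time: datetime
    end_time: datetime
    start_position: str   # host the attack was launched from (constructed value)
    attack_path: list     # hops traversed inside the test bed (constructed value)


def diff_parameters(initial: dict, step_snapshots: list) -> list:
    """Steps S302-S306: compare the pre-attack snapshot with the snapshot taken after
    each attack step. A parameter is recorded whenever its value differs from the
    initial one: a vanished reading (interrupted process, 'attack A') and a quietly
    shifted value ('attack B') both show up."""
    changes = []
    for step, snapshot in enumerate(step_snapshots, start=1):
        for name in sorted(set(initial) | set(snapshot)):
            before, after = initial.get(name), snapshot.get(name)
            if before != after:
                changes.append({"step": step, "parameter": name,
                                "before": before, "after": after})
    return changes


# Assumed raw traffic record format (constructed for this example):
#   "<iso-time> <src-ip>:<port> -> <dst-ip>:<port> <proto> key=value ..."
_FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\S+)(?P<kv>(?: \w+=\S+)*)$")


def extract_flow_log(raw_records: list) -> list:
    """Steps S502-S504: turn raw traffic lines into structured flow-log entries.
    Lines that do not match the format are kept as 'unparsed' rather than dropped,
    so the data set still shows that something happened at that point."""
    entries = []
    for line in raw_records:
        m = _FLOW_RE.match(line.strip())
        if not m:
            entries.append({"unparsed": line})
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        entries.append({"time": m.group("ts"), "src": m.group("src"),
                        "dst": m.group("dst"), "proto": m.group("proto"), **fields})
    return entries


def flows_during(entries: list, rec: AttackRecord) -> list:
    """Select the parsed entries whose timestamp lies inside the attack window, so
    the traffic can be read together with the attacked record."""
    selected = []
    for e in entries:
        if "time" in e:
            t = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            if rec.start_time <= t <= rec.end_time:
                selected.append(e)
    return selected


def build_security_dataset(system_id: str, initial: dict, snapshots: list,
                           raw_traffic: list, rec: AttackRecord) -> dict:
    """Step S206: aggregate the three kinds of change information into one record
    (the layout is an assumption; the patent does not fix a schema)."""
    flow_log = extract_flow_log(raw_traffic)
    return {
        "industrial_control_system": system_id,
        "attacked_record": {**asdict(rec), "start_time": rec.start_time.isoformat(),
                            "end_time": rec.end_time.isoformat()},
        "system_parameter_changes": diff_parameters(initial, snapshots),
        "network_flow_records": flow_log,
        "flows_during_attack": flows_during(flow_log, rec),
    }


# Constructed sample data for a hypothetical test-bed PLC; not real captures.
SAMPLE_INITIAL = {"tank_level": 62.0, "pump_state": 1, "setpoint": 65.0}
SAMPLE_SNAPSHOTS = [
    {"tank_level": 62.0, "pump_state": 1, "setpoint": 95.0},  # step 1: setpoint altered
    {"tank_level": 71.5, "pump_state": 1, "setpoint": 95.0},  # step 2: level drifting
]
SAMPLE_TRAFFIC = [
    "2020-03-26T10:00:00Z 192.0.2.10:50233 -> 192.0.2.20:502 modbus fc=3 addr=40001",
    "2020-03-26T10:00:05Z 192.0.2.10:50233 -> 192.0.2.20:502 modbus fc=6 addr=40001 value=950",
    "sensor probe restarted (free-text line, not a flow record)",
    "2020-03-26T10:01:00Z 192.0.2.20:502 -> 192.0.2.10:50233 modbus fc=6 addr=40001 value=950",
]
SAMPLE_ATTACK = AttackRecord(
    attack_type="process flow attack (setpoint modification)",
    start_time=datetime(2020, 3, 26, 10, 0, 3, tzinfo=timezone.utc),
    end_time=datetime(2020, 3, 26, 10, 0, 30, tzinfo=timezone.utc),
    start_position="192.0.2.10", attack_path=["192.0.2.10", "192.0.2.20"])

if __name__ == "__main__":
    dataset = build_security_dataset("testbed-plc-1", SAMPLE_INITIAL, SAMPLE_SNAPSHOTS,
                                     SAMPLE_TRAFFIC, SAMPLE_ATTACK)
    print(json.dumps(dataset, indent=2))
```

Running the block prints one aggregated record in which the only flow inside the attack window is the write that changed the setpoint, alongside the per-step parameter differences it produced.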
Example two
As shown in fig. 6, in an embodiment, a security data set generating apparatus is provided, which may be integrated in the computer device 120, and specifically may include:
the attack launching unit 610 is used for sending a preset system attack program to a preset industrial control system to attack the industrial control system;
the data collecting unit 620 is configured to obtain system data change information of the industrial control system when the industrial control system is attacked, where the system data change information at least includes one of system parameter change information, network traffic record information, and attacked record information of the industrial control system in an attacking process;
and a data aggregation unit 630, configured to aggregate the system data change information into a security data set and output the security data set.
In the embodiment of the present invention, the preset system attack program includes at least one of a process flow attack program and a system network protocol attack program, or a combination of the two.
In the embodiment of the present invention, the system parameter change information of the industrial control system during the attack process refers to how the system parameters set for process control in the industrial control system change when the system is attacked; the system parameters may specifically be the values of the individual sensors or actuators in the process.
Specifically, when the system data change information is system parameter change information, the data collection unit 620 may be specifically configured to perform the following steps:
acquiring initial system parameter data of the industrial control system before attack;
acquiring process system parameter data of the industrial control system after the system attack program executes each step according to the preset attack steps of the system attack program;
and comparing the initial system parameter data with the process system parameter data to obtain system parameter change information of the industrial control system when the industrial control system is attacked.
The system parameters faithfully reflect the operating state of the physical process of the industrial control system, and the configuration software commonly used in industrial control systems can also periodically acquire and record the system parameters by polling. From the perspective of a security test set, acquiring and recording the changes of the system parameters and using them as part of a data set makes every slight change of the physical process checkable, so the influence of an attack can be analysed better; in addition, covert attacks on the physical process can be discovered by data mining of the process parameter records. For example, consider two attack methods, attack A and attack B: attack A interrupts the process, while attack B changes process parameters but the process continues to run. A conventional security data set cannot effectively record these two different kinds of data, and it is difficult to evaluate the damage caused by attack B.
In one embodiment, as shown in fig. 7, the security data set generating apparatus further includes an attack preparation module 710, and the attack preparation module 710 specifically includes the following units:
a program acquisition unit 711 configured to acquire a process flow control program set inside the industrial control system;
a parameter extraction unit 712 for extracting process flow key parameters according to the process flow control program;
a program generating unit 713, configured to generate a process flow attack program for the process flow key parameters, where the process flow attack program is used to modify the process flow key parameters.
The process flow control program described in the embodiment of the present invention refers to a program that controls the various process parameters, steps and the like involved in a process flow of the industrial control system; it may specifically be the control program of individual devices, the overall process control program of a production line, and so on. Further process flow control programs to be analysed may be added in the field according to the actual industrial control system, which is not described in detail herein.
Specifically, by attacking the process flow control program of the industrial control system and collecting data such as system parameter changes during the attack, comprehensive data on the influence of the attack on the industrial control system can be effectively formed, making it convenient to form a more complete security data set.
In the embodiment of the present invention, the network traffic record information of the industrial control system during the attack process refers to the traffic records of the network architecture of the industrial control system itself. Specifically, various network protocols may be used in the industrial control system, and attacks on the system are usually carried out over the system's own network protocols.
As described above, in the embodiment of the present invention the preset system attack program may also include a system network protocol attack program. The embodiment mainly uses existing, public or general system network protocol attack programs; these attacks are basically based on the industrial control system network and are implemented by monitoring, tampering with and forging the data packets of the industrial control system.
In an embodiment, when the system data change information is network traffic record information, the data collection unit 620 may be specifically configured to perform the following steps:
acquiring system network flow data of an industrial control system;
and extracting the flow log information in the system network flow data, and taking the flow log information as network flow record information.
In this embodiment, the flow log is structured data formed by extracting certain key data and key information from the network flow data; the flow log can completely store the interaction information during the attack, and by extracting the network flow log information from the system's network flow data, data analysis can be performed from multiple angles and multiple aspects, so that the attack can be better discovered.
In one embodiment, the attacked record information specifically includes one or more of attack type, attack start time, attack end time, attack start position and attack path. By recording the attack and bringing the recorded information into the security data set, the security data set helps in quickly understanding the various attributes of the attack and makes it convenient to quickly analyse the attack and the influence it caused on the basis of the security data set.
According to the security data set generating device provided by the embodiment of the invention, the industrial control system is attacked, the system parameter change information, network flow record information and attacked record information of the industrial control system while it is attacked are collected, and these three kinds of data are integrated to form the security data set, so that the industrial control system can be tested and evaluated and, at the same time, a more complete security data set is provided for further research on the industrial control system.
Example three
As shown in fig. 8, in one embodiment, a secure data set generation system is provided, which may specifically include:
an industrial control system 100; and
the security data set generating apparatus 200 of the foregoing embodiment, which is used for initiating an attack on the industrial control system 100, collecting data, and generating the security data set of the industrial control system 100.
In the present embodiment, the industrial control system 100 is a generic term for the control systems of manufacturing processes in various industrial application environments. At present, monitoring and data acquisition systems, distributed control systems, process control systems and the like are common, and more specifically, each industry has its own industrial control systems; further description is omitted, since a person skilled in the art can make simple adaptive adjustments according to the actual industrial control system.
In particular, data exchange between the industrial control system 100 and the security data set generating apparatus 200 may be performed over a network or through a data port via a physical interface, which is not described in further detail.
The security data set generation system provided by the embodiment of the invention can attack the industrial control system in a targeted manner, collect the system parameter change information, network flow record information and attacked record information of the industrial control system while it is attacked, and integrate these three kinds of data to form the security data set, so that the industrial control system can be tested and evaluated and, at the same time, a more complete security data set is provided for further research on the industrial control system.
Example four
In one embodiment, a computer device is proposed, the computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
sending a preset system attack program to a preset industrial control system to attack the industrial control system;
acquiring system data change information of the industrial control system when the industrial control system is attacked, wherein the system data change information at least comprises one of system parameter change information, network flow record information and attacked record information of the industrial control system in the attacking process;
and integrating the system data change information into a security data set and outputting the security data set.
FIG. 9 is a diagram illustrating the internal structure of a computer device in one embodiment. The computer device may be an independent physical server or terminal, a server cluster formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud servers, cloud databases, cloud storage and CDN; it is not limited to these, and a smart phone, tablet computer, notebook computer, desktop computer, smart speaker, smart watch or the like may also be used. As shown in fig. 9, the computer device includes a processor, a memory, a network interface, an input device and a display screen connected by a system bus. The memory includes a non-volatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system and may also store a computer program that, when executed by the processor, causes the processor to implement the security data set generation method. The internal memory may also store a computer program that, when executed by the processor, causes the processor to perform the security data set generation method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, a key, a track ball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse.
Those skilled in the art will appreciate that the architecture shown in fig. 9 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, combine certain components, or have a different arrangement of components.
Example five
In one embodiment, a computer readable storage medium is provided, having a computer program stored thereon, which, when executed by a processor, causes the processor to perform the steps of:
sending a preset system attack program to a preset industrial control system to attack the industrial control system;
acquiring system data change information of the industrial control system when the industrial control system is attacked, wherein the system data change information at least comprises one of system parameter change information, network flow record information and attacked record information of the industrial control system in the attacking process;
and integrating the system data change information into a security data set and outputting the security data set.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in the sequence indicated by the arrows, they are not necessarily performed in that sequence. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described and may be performed in other orders. Moreover, at least some of the steps in the various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages need not be performed sequentially; they may be performed in turn or alternately with other steps, or with at least some of the sub-steps or stages of other steps.
It will be understood by those of ordinary skill in the art that all or a portion of the processes of the methods of the embodiments described above may be implemented by computer programs instructing associated hardware, which programs may be stored in a non-volatile computer-readable storage medium, which programs, when executed, may include the processes of the embodiments of the methods described above, wherein any reference to memory, storage, database or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples show only some embodiments of the present invention, and although their description is specific and detailed, this should not be construed as limiting the scope of the present invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention. The protection scope of the present patent shall therefore be subject to the appended claims.

Claims (10)

1. A method for security data set generation, comprising:
sending a preset system attack program to a preset industrial control system to attack the industrial control system;
acquiring system data change information of the industrial control system when the industrial control system is attacked, wherein the system data change information at least comprises one of system parameter change information, network flow record information and attacked record information of the industrial control system in an attacking process;
and integrating the system data change information into a security data set and outputting the security data set.
2. The method according to claim 1, wherein when the system data change information is system parameter change information, the obtaining of the system data change information of the industrial control system when the industrial control system is attacked specifically includes:
acquiring initial system parameter data of the industrial control system before attack;
according to the preset attack steps of the system attack program, acquiring process system parameter data of the industrial control system after the system attack program executes each step;
and comparing the initial system parameter data with the process system parameter data to obtain system parameter change information of the industrial control system when the industrial control system is attacked.
3. The method according to claim 1, wherein when the system data change information is network traffic record information, the obtaining of the system data change information of the industrial control system when the industrial control system is attacked specifically includes:
acquiring system network flow data of the industrial control system;
and extracting the flow log information in the system network flow data, and taking the flow log information as network flow record information.
4. The method of claim 1, wherein the system attack program comprises at least one or a combination of a process flow attack program and a system network protocol attack program.
5. The method according to claim 4, wherein before sending the preset system attack program to the preset industrial control system and attacking the industrial control system, the method further comprises:
acquiring a process flow control program arranged in the industrial control system;
extracting process flow key parameters according to the process flow control program;
and generating a process flow attack program aimed at the process flow key parameters, wherein the process flow attack program is used for modifying the process flow key parameters.
6. The method according to claim 1, wherein the attacked recording information specifically includes one or more of attack type, attack start time, attack end time, attack start position and attack path.
7. A secure data set generating apparatus, comprising:
an attack launching unit, used for sending a preset system attack program to a preset industrial control system to attack the industrial control system;
a data collection unit, used for acquiring system data change information of the industrial control system when the industrial control system is attacked, wherein the system data change information comprises at least one of system parameter change information, network flow record information and attacked record information of the industrial control system in the attacking process; and
a data aggregation unit, used for integrating the system data change information into a security data set and outputting the security data set.
8. A secure data set generation system, comprising:
an industrial control system; and the security data set generating device of claim 7, the security data set generating device being configured to initiate an attack and data collection on the industrial control system to generate the security data set for the industrial control system.
9. A computer device comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, causes the processor to carry out the steps of the security data set generation method of any one of claims 1 to 6.
10. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, causes the processor to carry out the steps of the security data set generation method of any one of claims 1 to 6.
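As an added example, not code from the patent or its applicant, the following Python assembles a security data set in the three-part shape of claims 1 to 3 and 6 and of the steps in Examples four and five: per-step parameter differences against the pre-attack snapshot, flow records reduced to log fields and labelled by the recorded attack window, and the attacked record itself. All function names, parameter tags, addresses and sample values are constructed; the attack is represented only by two constructed parameter snapshots.

```python
# Added example, not code from the patent: assembles a security data set in
# the three-part shape the claims describe (parameter changes, flow records,
# attacked record). All names, parameter tags, addresses and values are constructed.
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

@dataclass
class AttackRecord:
    """Attacked record information with the fields listed in claim 6."""
    attack_type: str
    start_time: float
    end_time: float
    start_position: str
    path: List[str]

def diff_parameters(initial: Dict[str, float], step: Dict[str, float]) -> Dict[str, dict]:
    """Claim 2: compare the pre-attack parameters with a per-step snapshot."""
    changed = {}
    for key in sorted(set(initial) | set(step)):  # keys added or removed count too
        before, after = initial.get(key), step.get(key)
        if before != after:
            changed[key] = {"before": before, "after": after}
    return changed

def extract_flow_logs(raw_traffic: List[dict], record: AttackRecord) -> List[dict]:
    """Claim 3: reduce raw traffic to log fields; label each by the attack window."""
    logs = []
    for pkt in raw_traffic:
        in_window = record.start_time <= pkt["ts"] <= record.end_time
        logs.append({"ts": pkt["ts"], "src": pkt["src"], "dst": pkt["dst"],
                     "proto": pkt["proto"], "label": "attack" if in_window else "normal"})
    return logs

def build_security_data_set(initial: Dict[str, float], step_snapshots: List[Tuple[str, Dict[str, float]]],
                            raw_traffic: List[dict], record: AttackRecord) -> dict:
    """Claim 1: integrate the three kinds of change information into one data set."""
    if record.end_time < record.start_time:
        raise ValueError("attack end time precedes start time")
    steps = [{"step": i, "name": name, "parameter_changes": diff_parameters(initial, snap)}
             for i, (name, snap) in enumerate(step_snapshots, 1)]
    return {"attack_record": asdict(record), "parameter_changes": steps,
            "network_flow_records": extract_flow_logs(raw_traffic, record)}

# Constructed sample: the pre-attack snapshot, a snapshot after each of two attack
# steps (only the second changes a setpoint), three flow records and the record.
INITIAL = {"pump1.setpoint": 3.5, "pump1.state": 1.0, "valve2.open_pct": 40.0}
STEPS = [("connect", dict(INITIAL)),
         ("write_setpoint", {**INITIAL, "pump1.setpoint": 9.0})]
TRAFFIC = [{"ts": 90.0, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "modbus"},
           {"ts": 105.0, "src": "10.0.0.99", "dst": "10.0.0.20", "proto": "modbus"},
           {"ts": 130.0, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "modbus"}]
RECORD = AttackRecord("process_flow", 100.0, 120.0, "10.0.0.99", ["10.0.0.99", "10.0.0.20"])

def example_data_set() -> dict:
    return build_security_data_set(INITIAL, STEPS, TRAFFIC, RECORD)
```

Only the flow record whose timestamp falls inside the recorded attack window is labelled "attack", and only the second step produces a parameter change entry.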
CN202010226677.2A 2020-03-27 2020-03-27 Method, device, system, equipment and storage medium for generating security data set Pending CN111431906A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010226677.2A CN111431906A (en) 2020-03-27 2020-03-27 Method, device, system, equipment and storage medium for generating security data set

Publications (1)

Publication Number Publication Date
CN111431906A true CN111431906A (en) 2020-07-17

Family

ID=71548980

Country Status (1)

Country Link
CN (1) CN111431906A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401843A (en) * 2013-07-11 2013-11-20 广州中长康达信息技术有限公司 Method and system for simulating and detecting cloud security
CN104331072A (en) * 2014-10-28 2015-02-04 冶金自动化研究设计院 Information security risk assessment method oriented to typical metallurgy process control system
CN108494810A (en) * 2018-06-11 2018-09-04 中国人民解放军战略支援部队信息工程大学 Network security situation prediction method, apparatus and system towards attack
US20190271975A1 (en) * 2018-03-01 2019-09-05 Siemens Aktiengesellschaft Safety monitoring method and apparatus for an industrial control system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200717