CN111541721B - Attack monitoring method and system applied to industrial control environment - Google Patents


Info

Publication number: CN111541721B
Application number: CN202010435025.XA
Authority: CN (China)
Prior art keywords: response, address, host, information, request
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN111541721A (en)
Inventor: 王恒光
Current assignee: Sichuan Yingdesaike Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Sichuan Yingdesaike Technology Co ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 ... for detecting or protecting against malicious traffic
        • H04L63/1408 ... by monitoring network traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L61/00 Network arrangements, protocols or services for addressing or naming
        • H04L61/09 Mapping addresses
        • H04L61/10 Mapping addresses of different types
        • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        • H04L69/22 Parsing or analysis of headers

Abstract

The invention discloses an attack monitoring method and system applied to an industrial control environment. ARP requests and responses are recorded in a double-queue mode, so that a normal ARP request corresponds to exactly one ARP response. When an ARP attack occurs, one ARP request corresponds to several ARP responses; the knowledge base built during the learning period is then used to authenticate them, so the genuine ARP response can be identified, the precision and accuracy of attack detection are improved, and ARP scanning is no longer misjudged as an ARP attack. In addition, the request and response queues reveal ARP response packet attacks promptly and expose the attacking host immediately, and because request and response information is recorded in queues, the method helps in understanding the whole attack process and constructing the attack deception chain, which makes it well suited to industrial control environments.

Description

Attack monitoring method and system applied to industrial control environment
Technical Field
The invention relates to the technical field of network security, in particular to an attack monitoring method and system applied to an industrial control environment.
Background
With the continuous development of industrial and Internet of Things technologies, network technologies play an important role in the field of industrial control: industrial production is enabled through them, and production efficiency can be improved. However, applying network technology in an industrial control environment brings potential safety hazards to control, which pose a huge economic threat to normal industrial production. A security detection method for industrial control is therefore urgently needed to protect the stable operation of the industrial control environment.
Existing network security detection mainly addresses Internet security and rarely targets the industrial control environment. Traditional information security technology cannot be applied directly to an industrial control system: the information security of an industrial control system emphasizes availability in its requirements and real-time performance in the system, whereas traditional information security pursues confidentiality, integrity and availability and emphasizes system availability only after balancing those three goals. The unique network topology and the unique potential safety hazards of the industrial control environment also mean that a security detection method aimed at that environment is needed to protect its normal operation efficiently, that is, to detect a host that poses a security threat promptly and accurately and to prevent the industrial control environment from being maliciously tampered with or controlled.
Disclosure of Invention
The invention aims to provide an attack monitoring method and system applied to an industrial control environment, which can improve the precision and accuracy of attack detection.
In order to solve the technical problem, the invention adopts a technical scheme: an attack monitoring method applied to an industrial control environment is provided, comprising the following steps:
S1: collecting network messages in an industrial control network;
S2: parsing the IP protocol network packets in the network messages and extracting host request information and the corresponding host response information from them, where the host request information comprises a source IP address and a source MAC address, and the host response information comprises a destination IP address and a destination MAC address;
S3: judging whether the occurrence time of the IP protocol network packet falls within a preset learning period; if so, recording the host request information and the corresponding host response information into a knowledge base; if not, parsing the ARP protocol network packets in the network messages, extracting the operation code of each ARP protocol network packet, and then constructing, according to that operation code, a double-queue mode consisting of a request queue formed by request information and a response queue formed by response information;
S4: periodically traversing the response information in the response queue and searching whether each piece of response information has corresponding request information in the request queue; if so, constructing a HASH table that takes the corresponding request information as its key and the response information as its List value; if no corresponding request information exists, adding the response information to a suspicious host response information table;
S5: traversing the HASH table and judging whether ARP attack behavior exists according to the counted number of response messages corresponding to each piece of request information and a preset threshold value.
Preferably, the method further comprises step S6: traversing the suspicious host response information table, extracting the source IP address and source MAC address of each piece of response information, and generating ARP attack warning information from the source IP address and source MAC address.
Preferably, in step S3, the step of constructing the double-queue mode of a request queue formed by request information and a response queue formed by response information according to the operation code of the ARP protocol network packet specifically includes: if the operation code is P1, extracting the source IP address, source MAC address and destination IP address from the ARP protocol network packet and adding them to the request queue as request information; if the operation code is P2, extracting the source IP address, source MAC address, destination IP address and destination MAC address from the ARP protocol network packet and adding them to the response queue as response information.
Preferably, the method further comprises the following steps: when the request information is added into the request queue, recording the adding time of the request information; and when the response information is added into the response queue, recording the adding time of the response information.
Preferably, in step S5, the step of judging whether ARP attack behavior exists according to the counted number of response messages corresponding to each piece of request information and a preset threshold specifically includes: if the number of response messages is greater than 1, extracting the destination IP address and destination MAC address of each response message as the host response information to be checked, comparing it with the host response information in the knowledge base, and, if no identical host response information exists in the knowledge base, adding the corresponding response message to the suspicious host response information table; if the number of response messages is 1, judging that no ARP attack behavior exists.
In order to solve the technical problem, the invention adopts another technical scheme: an attack monitoring system comprising a message collection module, a message parsing module, a knowledge base construction module, a double-queue construction module, a separation detection module and an attack determination module. The message collection module collects network messages in an industrial control network. The message parsing module parses the IP protocol network packets in the network messages and extracts host request information and the corresponding host response information from them, where the host request information comprises a source IP address and a source MAC address, and the host response information comprises a destination IP address and a destination MAC address. The knowledge base construction module records the host request information and the corresponding host response information into a knowledge base when the occurrence time of the IP protocol network packet falls within a preset learning period. When the occurrence time is not within the learning period, the ARP protocol network packets in the network messages are parsed, the operation code of each ARP protocol network packet is extracted, and a double-queue mode consisting of a request queue formed by request information and a response queue formed by response information is constructed according to that operation code. The separation detection module periodically traverses the response information in the response queue and searches whether each piece of response information has corresponding request information in the request queue; if so, it constructs a HASH table that takes the corresponding request information as its key and the response information as its List value, and if no corresponding request information exists, it adds the response information to a suspicious host response information table. The attack determination module traverses the HASH table and judges whether ARP attack behavior exists according to the counted number of response messages corresponding to each piece of request information and a preset threshold value.
Preferably, the attack monitoring system further includes an attack warning module, where the attack warning module is configured to traverse the suspicious host response information table, extract a source IP address and a source MAC address of each piece of response information, and generate ARP attack warning information according to the source IP address and the source MAC address.
Preferably, the double-queue construction module is specifically configured to: when the operation code is P1, extract the source IP address, source MAC address and destination IP address from the ARP protocol network packet and add them to the request queue as request information; when the operation code is P2, extract the source IP address, source MAC address, destination IP address and destination MAC address from the ARP protocol network packet and add them to the response queue as response information.
Preferably, the double-queue building module is further configured to record the joining time of the request information when the request information is joined in the request queue, and record the joining time of the response information when the response information is joined in the response queue.
Preferably, the attack determination module is specifically configured to: when the number of response messages is greater than 1, extract the destination IP address and destination MAC address of each response message as the host response information to be checked, compare it with the host response information in the knowledge base, and, if no identical host response information exists in the knowledge base, add the corresponding response message to the suspicious host response information table; when the number of response messages is 1, judge that no ARP attack behavior exists.
Different from the prior art, the invention has the beneficial effects that: the normal ARP request and response are in one-to-one correspondence through the process of recording the ARP request and the response in a double-queue mode. However, when the ARP attack occurs, one ARP request corresponds to a plurality of ARP responses, and the knowledge base established in the learning period is further utilized for authentication, so that the real ARP response can be effectively identified, the attack detection precision and accuracy can be improved, and the phenomenon of misjudgment of the ARP attack in the ARP scanning environment is solved. In addition, through a request and response queue mode, ARP response packet attack can be discovered in time, an ARP attack host is discovered immediately, and a queue mode is adopted to record request or response information, so that the method is very helpful for understanding the whole attack process and constructing an attack deception chain, and is very suitable for being applied to an industrial control environment.
Drawings
FIG. 1 is a schematic flow chart of an attack monitoring method applied to an industrial control environment according to an embodiment of the present invention;
FIG. 2 is a detailed flowchart of step S3 of the attack monitoring method shown in FIG. 1;
FIG. 3 is a detailed flowchart of step S5 of the attack monitoring method shown in FIG. 1;
FIG. 4 is a schematic topology diagram of an attack monitoring system applied to an industrial control environment according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Referring to fig. 1, the attack monitoring method applied to the industrial control environment according to the embodiment of the present invention includes the following steps:
S1: collecting network messages in the industrial control network.
The network message can be collected from a mirror port of the switch. All hosts in the industrial control network are connected to the switch by an industrial ethernet protocol.
S2: and analyzing an IP protocol network packet in the network message, and extracting host request information and host response information corresponding to the host request information from the IP protocol network packet, wherein the host request information comprises a source IP address and a source MAC address, and the host response information comprises a destination IP address and a destination MAC address.
In the present embodiment, the destination IP address in the host response information is an IP address other than the broadcast IP address or the multicast IP address, and the destination MAC address is a MAC address other than the broadcast MAC address or the multicast MAC address.
S3: judging whether the occurrence time of the IP protocol network packet falls within a preset learning period; if so, recording the host request information and the corresponding host response information into a knowledge base; if not, parsing the ARP protocol network packets in the network messages, extracting the operation code of each ARP protocol network packet, and then constructing, according to that operation code, a double-queue mode consisting of a request queue formed by request information and a response queue formed by response information.
The length of the learning period is set by the system administrator and can be chosen to suit the actual industrial control environment. To make querying the host request information and host response information in the knowledge base easier, this embodiment also stores an information digest in the knowledge base, formed by splicing the character strings of the source IP address and source MAC address with the character strings of the destination IP address and destination MAC address. String splicing is used mainly because, in an actual industrial control environment, the spliced string is usually shorter than a digest computed with a HASH function, so it is comparatively faster to compare.
S4: periodically traversing the response information in the response queue, searching whether each piece of response information has corresponding request information in the request queue, if so, constructing a HASH table, taking the corresponding request information as a key value of the HASH table, and taking the response information as a List value of the HASH table; and if the corresponding request information does not exist, adding the corresponding response information into the response information table of the suspicious host.
The traversal period of the response queue may be set according to actual needs, for example, 5 seconds, that is, when the traversal of the last piece of information of the response queue is finished, 5 seconds are waited, and then the traversal is started from the first piece of information of the response queue. If one piece of response information can find the corresponding request information in the request queue, the ARP response to which the piece of response information belongs has real and normal ARP request behavior. If a piece of response information can not find the corresponding request information in the request queue, the ARP response to which the piece of response information belongs is suspicious.
S5: traversing the HASH table, and judging whether ARP attack behaviors exist according to the number of response messages corresponding to each piece of statistical request information and a preset threshold value.
Specifically, referring to FIG. 2, in step S3 the step of constructing the double-queue mode of a request queue formed by request information and a response queue formed by response information according to the operation code of the ARP protocol network packet specifically includes: if the operation code is P1, extracting the source IP address, source MAC address and destination IP address from the ARP protocol network packet and adding them to the request queue as request information; if the operation code is P2, extracting the source IP address, source MAC address, destination IP address and destination MAC address from the ARP protocol network packet and adding them to the response queue as response information.
The request queue and the response queue may take the form of linked lists. The content of an ARP protocol network packet includes an operation code: when it is P1, the packet is an ARP request packet; when it is P2, the packet is an ARP response packet. P1 is, for example, 0 and P2 is, for example, 1. In the request queue the data structure of each piece of information is (source IP address, source MAC address, destination IP address), and in the response queue it is (source IP address, source MAC address, destination IP address, destination MAC address). In this embodiment the double-queue construction module 40 further records the adding time of each piece of request information when it is added to the request queue, and the adding time of each piece of response information when it is added to the response queue. With the join time included, the data structure of each piece of information in the request queue becomes (source IP address, source MAC address, destination IP address, join time), and in the response queue (source IP address, source MAC address, destination IP address, destination MAC address, join time).
Referring to FIG. 3, in step S5 the step of judging whether ARP attack behavior exists according to the counted number of response messages corresponding to each piece of request information and a preset threshold specifically includes: if the number of response messages is greater than 1, extracting the destination IP address and destination MAC address of each response message as the host response information to be checked, comparing it with the host response information in the knowledge base, and, if no identical host response information exists in the knowledge base, adding the corresponding response message to the suspicious host response information table; if the number of response messages is 1, judging that no ARP attack behavior exists.
Because the interaction among the hosts in an industrial control network is stable and uniform, a request with exactly one response is generally regarded as normal ARP request behavior and no ARP attack is judged to exist, whereas one piece of request information corresponding to several pieces of response information is judged to indicate ARP attack behavior. To pick the suspicious response out of those several responses, the destination IP address and destination MAC address of each response are extracted and compared with the host response information in the knowledge base: a response whose host response information exists in the knowledge base is the genuine response and is judged not to be an ARP attack, while the remaining responses are ARP attack response packets and are added to the suspicious host response information table.
In this embodiment, the attack monitoring method further includes the steps of:
S6: traversing the suspicious host response information table, extracting the source IP address and source MAC address of each piece of response information, and generating ARP attack warning information from the source IP address and source MAC address.
The ARP attack alarm information can position an ARP attack host and guide workers to respond in time.
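The following Python model of steps S1 to S6 is an added example, not code from the patent, run over a constructed packet sample. It assumes the standard ARP opcodes 1 (request) and 2 (reply) in place of P1/P2, that a response "corresponds" to a request when it answers the request's target IP back to the requester's IP and MAC and was queued no earlier than the request, and that the knowledge-base comparison uses the full spliced four-address digest the description stores, so the replying host's own IP/MAC pairing is part of what is checked.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ARP_REQUEST = 1                     # standard ARP opcodes (RFC 826); the page calls them P1 / P2
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class IpPacket:                     # IP traffic observed during the learning period (S2/S3)
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str
    ts: float

@dataclass(frozen=True)
class ArpPacket:                    # ARP traffic observed after the learning period (S3)
    opcode: int
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str
    ts: float

def digest(src_ip: str, src_mac: str, dst_ip: str, dst_mac: str) -> str:
    """Knowledge-base entry as the page describes it: the four address strings spliced."""
    return f"{src_ip}|{src_mac}|{dst_ip}|{dst_mac}"

def is_unicast(ip: str, mac: str) -> bool:
    """The knowledge base keeps only unicast destinations (no broadcast or multicast)."""
    if mac == BROADCAST_MAC or int(mac.split(":")[0], 16) & 1:   # group bit set => multicast
        return False
    first_octet = int(ip.split(".")[0])
    return ip != "255.255.255.255" and not 224 <= first_octet <= 239

Request = Tuple[str, str, str, float]             # (src_ip, src_mac, dst_ip, join_time)
Response = Tuple[str, str, str, str, float]       # (src_ip, src_mac, dst_ip, dst_mac, join_time)

class ArpMonitor:
    def __init__(self, learning_period: float, threshold: int = 1) -> None:
        self.learning_period = learning_period    # set by the administrator
        self.threshold = threshold                # responses per request tolerated as normal
        self.knowledge_base: set = set()
        self.request_queue: List[Request] = []
        self.response_queue: List[Response] = []
        self.suspicious: List[Response] = []      # suspicious host response information table

    def observe_ip(self, pkt: IpPacket) -> None:
        """S2/S3: inside the learning period, record host request/response pairs."""
        if pkt.ts < self.learning_period and is_unicast(pkt.dst_ip, pkt.dst_mac):
            self.knowledge_base.add(digest(pkt.src_ip, pkt.src_mac, pkt.dst_ip, pkt.dst_mac))

    def observe_arp(self, pkt: ArpPacket) -> None:
        """S3: after the learning period, split ARP packets by opcode into the two queues."""
        if pkt.ts < self.learning_period:
            return
        if pkt.opcode == ARP_REQUEST:
            self.request_queue.append((pkt.src_ip, pkt.src_mac, pkt.dst_ip, pkt.ts))
        elif pkt.opcode == ARP_REPLY:
            self.response_queue.append((pkt.src_ip, pkt.src_mac, pkt.dst_ip, pkt.dst_mac, pkt.ts))

    def _match_request(self, resp: Response) -> Optional[Request]:
        """Assumed matching rule: the reply answers the request's target IP back to the
        requester's IP and MAC and was queued no earlier than the request."""
        r_src_ip, _, r_dst_ip, r_dst_mac, r_ts = resp
        for req in self.request_queue:
            q_src_ip, q_src_mac, q_dst_ip, q_ts = req
            if (q_dst_ip, q_src_ip, q_src_mac) == (r_src_ip, r_dst_ip, r_dst_mac) and q_ts <= r_ts:
                return req
        return None

    def detect(self) -> List[Tuple[str, str]]:
        """S4-S6: one traversal of the response queue; returns alerts as (src_ip, src_mac)."""
        table: Dict[Request, List[Response]] = defaultdict(list)   # HASH table: request -> replies
        for resp in self.response_queue:
            req = self._match_request(resp)
            if req is None:
                self.suspicious.append(resp)      # reply with no request behind it
            else:
                table[req].append(resp)
        for responses in table.values():
            if len(responses) <= self.threshold:
                continue                          # one request, one reply: normal
            for resp in responses:
                if digest(*resp[:4]) not in self.knowledge_base:
                    self.suspicious.append(resp)  # pairing never seen while learning
        # S6: the alert names the host that sent the suspicious reply
        return sorted({(r[0], r[1]) for r in self.suspicious})

def demo() -> List[Tuple[str, str]]:
    """Constructed sample: controller 10.0.0.1 and PLC 10.0.0.2 learn each other; later a
    third MAC answers the controller's ARP request while claiming the PLC's IP."""
    mon = ArpMonitor(learning_period=100.0)
    mon.observe_ip(IpPacket("10.0.0.2", "00:00:00:00:00:02", "10.0.0.1", "00:00:00:00:00:01", 10.0))
    mon.observe_ip(IpPacket("10.0.0.1", "00:00:00:00:00:01", "10.0.0.2", "00:00:00:00:00:02", 11.0))
    mon.observe_arp(ArpPacket(ARP_REQUEST, "10.0.0.1", "00:00:00:00:00:01", "10.0.0.2", BROADCAST_MAC, 150.0))
    mon.observe_arp(ArpPacket(ARP_REPLY, "10.0.0.2", "00:00:00:00:00:02", "10.0.0.1", "00:00:00:00:00:01", 150.1))
    mon.observe_arp(ArpPacket(ARP_REPLY, "10.0.0.2", "00:00:00:00:00:aa", "10.0.0.1", "00:00:00:00:00:01", 150.2))
    return mon.detect()   # [("10.0.0.2", "00:00:00:00:00:aa")]
```

The genuine reply matches a digest learned from IP traffic and is cleared, while the extra reply with an unlearned MAC lands in the suspicious table; a reply with no request behind it at all is flagged without consulting the knowledge base.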
In this way, the attack monitoring method applied to the industrial control environment according to this embodiment monitors attacks on the industrial control environment more accurately and in several dimensions, can run in that environment over a long period, further assesses suspicious attack behavior by comparison with the knowledge base built during the learning period, and raises an alarm promptly, thereby improving the precision and accuracy of attack detection.
Referring to fig. 4, an attack monitoring system 100 applied to an industrial control environment according to an embodiment of the present invention includes a packet collection module 10, a packet parsing module 20, a knowledge base construction module 30, a double queue construction module 40, a separation detection module 50, and an attack determination module 60. Attack monitoring system 100 is connected to switch 200, and industrial control host 300 and industrial controlled host 400 are both connected to switch 200 via an industrial ethernet protocol.
The message collection module 10 is used for collecting network messages in the industrial control network. Wherein the network packet may be collected from a mirror port of the switch 200.
The message parsing module 20 is configured to parse an IP protocol network packet in the network message, and extract host request information and host response information corresponding to the host request information from the IP protocol network packet, where the host request information includes a source IP address and a source MAC address, and the host response information includes a destination IP address and a destination MAC address. In the present embodiment, the destination IP address in the host response information is an IP address other than the broadcast IP address or the multicast IP address, and the destination MAC address is a MAC address other than the broadcast MAC address or the multicast MAC address.
The knowledge base construction module 30 records the host request information and the corresponding host response information into the knowledge base when the occurrence time of the IP protocol network packet falls within a preset learning period. The length of the learning period is set by the system administrator and can be chosen to suit the actual industrial control environment. To make querying the host request information and host response information in the knowledge base easier, in this embodiment the knowledge base construction module 30 also stores an information digest, formed by splicing the character strings of the source IP address and source MAC address with the character strings of the destination IP address and destination MAC address. String splicing is used mainly because, in an actual industrial control environment, the spliced string is usually shorter than a digest computed with a HASH function, so it is comparatively faster to compare.
The double-queue building module 40 is configured to, when the occurrence time of the IP protocol network packet is not within the learning period, analyze the ARP protocol network packet in the network packet, extract an operation code of the ARP protocol network packet, and then build a double-queue mode of a request queue formed by request information and a response queue formed by response information according to the operation code of the ARP protocol network packet.
The separation detection module 50 is further configured to periodically traverse the response information in the response queue, find whether each piece of response information has corresponding request information in the request queue, if yes, construct a HASH table, use the corresponding request information as a key value of the HASH table, use the response information as a List value of the HASH table, and if no corresponding request information exists, add the corresponding response information to the suspicious host response information table. The traversal period of the response queue may be set according to actual needs, for example, 5 seconds, that is, when the traversal of the last piece of information of the response queue is finished, 5 seconds are waited, and then the traversal is started from the first piece of information of the response queue. If one piece of response information can find the corresponding request information in the request queue, the ARP response to which the piece of response information belongs has real and normal ARP request behavior. If a piece of response information can not find the corresponding request information in the request queue, the ARP response to which the piece of response information belongs is suspicious.
The attack determination module 60 is configured to traverse the HASH table, and determine whether an ARP attack behavior exists according to the counted number of response information corresponding to each piece of request information and a preset threshold.
In particular, the double-queue construction module 40 is specifically configured to: when the operation code is P1, extract the source IP address, source MAC address and destination IP address from the ARP protocol network packet and add them to the request queue as request information; when the operation code is P2, extract the source IP address, source MAC address, destination IP address and destination MAC address from the ARP protocol network packet and add them to the response queue as response information. The request queue and the response queue may take the form of linked lists. The content of an ARP protocol network packet includes an operation code: when it is P1, the packet is an ARP request packet; when it is P2, the packet is an ARP response packet. P1 is, for example, 0 and P2 is, for example, 1. In the request queue the data structure of each piece of information is (source IP address, source MAC address, destination IP address), and in the response queue it is (source IP address, source MAC address, destination IP address, destination MAC address). In this embodiment the module further records the adding time of each piece of request information when it is added to the request queue, and the adding time of each piece of response information when it is added to the response queue.
With the join time included, the data structure of each piece of information in the request queue becomes (source IP address, source MAC address, destination IP address, join time), and in the response queue (source IP address, source MAC address, destination IP address, destination MAC address, join time).
The attack determination module 60 is specifically configured to, when the number of response messages is greater than 1, extract the destination IP address and the destination MAC address of each response message as the response message of the host to be checked, compare it with the host response messages in the knowledge base, and, if no host response message identical to the response message of the host to be checked exists in the knowledge base, add the corresponding response message to the suspicious host response message table; and, when the number of response messages is 1, determine that no ARP attack behavior exists. Since the interaction between the industrial control host 300 and the industrial controlled host 400 in the industrial control network is stable and single-purpose, a request message with exactly one response message is generally regarded as normal ARP request behavior and it is determined that no ARP attack behavior exists, whereas a request message that corresponds to multiple response messages is determined to indicate ARP attack behavior. To pick out the suspicious response information among those multiple response messages, the destination IP address and the destination MAC address of each response message are extracted and compared with the host response information in the knowledge base: a response message whose pair also exists in the knowledge base is real response information and no ARP attack behavior is determined for it, while the remaining response messages are ARP attack response packets and are added to the suspicious host response information table.
In this embodiment, the attack monitoring system further includes an attack warning module 70, where the attack warning module 70 is configured to traverse the suspicious host response information table, extract a source IP address and a source MAC address of each piece of response information, and generate ARP attack warning information according to the source IP address and the source MAC address. The ARP attack warning information can position an ARP attack host and guide workers to respond in time.
In this way, the attack monitoring system applied to the industrial control environment can monitor attacks on the industrial control environment more accurately and in a multi-dimensional manner, can operate in the industrial control environment over a long period, further judges suspicious attack behavior by comparing it with the knowledge base constructed during the learning period, and raises an alarm in time, so that the precision and accuracy of attack detection are improved.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes performed by the present specification and drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An attack monitoring method applied to an industrial control environment is characterized by comprising the following steps:
s1: collecting network messages in an industrial control network;
s2: analyzing an IP protocol network packet in the network message, and extracting host request information and host response information corresponding to the host request information from the IP protocol network packet, wherein the host request information comprises a source IP address and a source MAC address, and the host response information comprises a destination IP address and a destination MAC address;
s3: judging whether the occurrence time of the IP protocol network packet is in a preset learning period, and if so, recording the host request information and the corresponding host response information into a knowledge base; if the network packet is not in the learning period, analyzing an ARP protocol network packet in the network packet, extracting an operation code of the ARP protocol network packet, and then constructing a double-queue mode of a request queue formed by request information and a response queue formed by response information according to the operation code of the ARP protocol network packet;
s4: periodically traversing the response information in the response queue, searching whether each piece of response information has corresponding request information in the request queue, if so, constructing a HASH table, taking the corresponding request information as a key value of the HASH table, and taking the response information as a List value of the HASH table; if the corresponding request information does not exist, adding the corresponding response information into a suspicious host response information table;
s5: traversing the HASH table, and judging whether ARP attack behavior exists according to the counted number of response messages corresponding to each piece of request information and a preset threshold value.
2. The attack monitoring method according to claim 1, further comprising step S6: and traversing the suspicious host response information table, extracting the source IP address and the source MAC address of each piece of response information, and generating ARP attack warning information according to the source IP address and the source MAC address.
3. The attack monitoring method according to claim 1, wherein in the step S3, the step of constructing a dual queue mode of a request queue formed by request information and a response queue formed by response information according to the operation code of the ARP protocol network packet specifically includes: if the operation code is P1, extracting the source IP address, the source MAC address and the destination IP address from the ARP protocol network packet, and adding the source IP address, the source MAC address and the destination IP address into a request queue as request information; and if the operation code is P2, extracting the source IP address, the source MAC address, the destination IP address and the destination MAC address from the ARP protocol network packet, and adding the source IP address, the source MAC address, the destination IP address and the destination MAC address into a response queue as response information.
4. The attack monitoring method according to claim 3, further comprising: when the request information is added into the request queue, recording the adding time of the request information; and when the response information is added into the response queue, recording the adding time of the response information.
5. The attack monitoring method according to claim 1, wherein in the step S5, the step of determining whether there is ARP attack behavior according to the number of response messages corresponding to each piece of request information and a preset threshold is specifically: if the number of the response messages is more than 1, extracting the destination IP address and the destination MAC address in each piece of response message as the response message of the host to be checked, comparing the response message of the host to be checked with the host response messages in the knowledge base, and, if no host response message identical to the response message of the host to be checked exists in the knowledge base, adding the corresponding response message into a suspicious host response message table; and if the number of the response messages is 1, judging that no ARP attack behavior exists.
6. An attack monitoring system applied to an industrial control environment is characterized by comprising a message acquisition module, a message analysis module, a knowledge base construction module, a double-queue construction module, a separation detection module and an attack judgment module;
the message acquisition module is used for acquiring network messages in an industrial control network;
the message analysis module is used for analyzing an IP protocol network packet in the network message, and extracting host request information and host response information corresponding to the host request information from the IP protocol network packet, wherein the host request information comprises a source IP address and a source MAC address, and the host response information comprises a destination IP address and a destination MAC address;
the knowledge base construction module is used for recording the host request information and the corresponding host response information into a knowledge base when the occurrence time of the IP protocol network packet is within a preset learning period;
the double-queue construction module is used for analyzing the ARP protocol network packet in the network packet when the occurrence time of the IP protocol network packet is not in the learning period, extracting the operation code of the ARP protocol network packet, and then constructing a double-queue mode of a request queue formed by request information and a response queue formed by response information according to the operation code of the ARP protocol network packet;
the separation detection module is further configured to periodically traverse response information in the response queue, find whether each piece of response information has corresponding request information in the request queue, if yes, construct a HASH table, use the corresponding request information as a key value of the HASH table, use the response information as a List value of the HASH table, and if no corresponding request information exists, add corresponding response information into a suspicious host response information table;
the attack judging module is used for traversing the HASH table and judging whether ARP attack behavior exists according to the counted number of response messages corresponding to each piece of request information and a preset threshold value.
7. The attack monitoring system according to claim 6, further comprising an attack warning module, wherein the attack warning module is configured to traverse the suspicious host response information table, extract a source IP address and a source MAC address of each piece of response information therefrom, and generate ARP attack warning information according to the source IP address and the source MAC address.
8. The attack monitoring system according to claim 6, wherein the dual queue building module is specifically configured to, when the operation code is P1, extract the source IP address, the source MAC address and the destination IP address from the ARP protocol network packet and add the source IP address, the source MAC address and the destination IP address into a request queue as request information; and, when the operation code is P2, extract the source IP address, the source MAC address, the destination IP address and the destination MAC address from the ARP protocol network packet and add the source IP address, the source MAC address, the destination IP address and the destination MAC address into a response queue as response information.
9. The attack monitoring system according to claim 8, wherein the dual queue building module is further configured to record a joining time of the request message when the request message is joined in the request queue, and record a joining time of the response message when the response message is joined in the response queue.
10. The attack monitoring system according to claim 6, wherein the attack determination module is specifically configured to, when the number of the response messages is greater than 1, extract a destination IP address and a destination MAC address in each piece of response message as response messages of the host to be checked, compare the response messages of the host to be checked with the response messages of the host in the knowledge base, and add corresponding response messages to the suspicious host response message table if the host response messages identical to the response messages of the host to be checked do not exist in the knowledge base; and when the number of the response messages is 1, judging that the ARP attack behavior does not exist.
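The learning period, double-queue separation and knowledge-base judgement described in the embodiment above and in claims 1 to 6, as an added Python example that is not part of the patent. Assumptions: P1/P2 are taken as the RFC 826 opcodes 1 and 2 (the patent's own example uses 0 and 1), a reply is matched to a request when it travels the same IP pair in reverse, timestamps are plain numbers, and all addresses are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed opcode values (RFC 826); the patent leaves P1/P2 configurable.
P1_REQUEST, P2_REPLY = 1, 2


@dataclass
class ArpMonitor:
    learning_end: float                                  # end of the preset learning period (assumed timestamp)
    knowledge_base: set = field(default_factory=set)     # host response info (dst IP, dst MAC) seen in IP traffic
    request_queue: list = field(default_factory=list)    # (src_ip, src_mac, dst_ip, join_time)
    response_queue: list = field(default_factory=list)   # (src_ip, src_mac, dst_ip, dst_mac, join_time)
    suspicious: list = field(default_factory=list)       # suspicious host response information table

    def observe_ip(self, src_ip, src_mac, dst_ip, dst_mac, t):
        """S2/S3: inside the learning period, record the host response information."""
        if t <= self.learning_end:
            self.knowledge_base.add((dst_ip, dst_mac))

    def observe_arp(self, opcode, src_ip, src_mac, dst_ip, dst_mac, t):
        """S3: outside the learning period, sort ARP packets into the double queue by opcode."""
        if t <= self.learning_end:
            return
        if opcode == P1_REQUEST:
            self.request_queue.append((src_ip, src_mac, dst_ip, t))
        elif opcode == P2_REPLY:
            self.response_queue.append((src_ip, src_mac, dst_ip, dst_mac, t))

    def _matching_request(self, resp):
        # Assumed rule: reply src_ip == request dst_ip and reply dst_ip == request src_ip.
        for req in self.request_queue:
            if req[2] == resp[0] and req[0] == resp[2]:
                return req
        return None

    def separate(self):
        """S4: HASH table keyed by request info, valued by its replies; orphan replies are suspicious."""
        table = defaultdict(list)
        for resp in self.response_queue:
            req = self._matching_request(resp)
            if req is None:
                self.suspicious.append(resp)
            else:
                table[req].append(resp)
        return table

    def judge(self, table):
        """S5: >1 replies per request is an attack; replies whose (dst IP, dst MAC) is unknown are suspicious."""
        attack = False
        for replies in table.values():
            if len(replies) > 1:
                attack = True
                self.suspicious.extend(r for r in replies if (r[2], r[3]) not in self.knowledge_base)
        return attack

    def alerts(self):
        """S6: ARP attack warning information, one (source IP, source MAC) per suspicious reply."""
        return sorted({(r[0], r[1]) for r in self.suspicious})


def run_demo():
    """Constructed traffic: learning until t=100, then one request answered twice plus an orphan reply."""
    m = ArpMonitor(learning_end=100)
    m.observe_ip("10.0.0.2", "00:11:22:33:44:02", "10.0.0.1", "00:11:22:33:44:01", 11)
    m.observe_arp(P1_REQUEST, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.2", None, 200)
    m.observe_arp(P2_REPLY, "10.0.0.2", "00:11:22:33:44:02", "10.0.0.1", "00:11:22:33:44:01", 201)
    m.observe_arp(P2_REPLY, "10.0.0.2", "00:11:22:33:44:99", "10.0.0.1", "ff:ff:ff:ff:ff:ff", 202)  # pair unseen in learning
    m.observe_arp(P2_REPLY, "10.0.0.3", "00:11:22:33:44:03", "10.0.0.1", "00:11:22:33:44:01", 203)  # answers no request
    attack = m.judge(m.separate())
    return attack, m.alerts()
```

`run_demo()` returns `True` together with the two (source IP, source MAC) alerts: the second reply to the single request and the reply that answered no request.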

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010435025.XA CN111541721B (en) 2020-05-21 2020-05-21 Attack monitoring method and system applied to industrial control environment

Publications (2)

Publication Number Publication Date
CN111541721A CN111541721A (en) 2020-08-14
CN111541721B true CN111541721B (en) 2022-05-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 1101, 11 / F, unit 2, building 1, No. 777, north section of Yizhou Avenue, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu 610041

Applicant after: SICHUAN YINGDESAIKE TECHNOLOGY Co.,Ltd.

Address before: No.1, 3 / F, building 1, No.366, Hupan Road north section, Tianfu New District, Chengdu, Sichuan 610041

Applicant before: SICHUAN YINGDESAIKE TECHNOLOGY Co.,Ltd.

GR01 Patent grant