CN111695115A - Industrial control system network attack tracing method based on communication delay and security evaluation - Google Patents

Info

Publication number: CN111695115A
Authority: CN (China)
Prior art keywords: attack, nodes, network, node, information
Legal status: Granted
Application number: CN202010451084.6A
Other languages: Chinese (zh)
Other versions: CN111695115B (en)
Inventors: 王宇, 李俊娥, 黄桂容
Current Assignee: Wuhan University WHU
Original Assignee: Wuhan University WHU

Events
Application CN202010451084.6A filed by Wuhan University WHU
Publication of CN111695115A
Application granted; publication of CN111695115B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses an industrial control system network attack tracing method based on communication delay and security evaluation, which comprises the following steps: S1, determining a potential attack source address list L; S2, sending network state feedback requests to all nodes in L, judging a node to be the attack source if its network connection is disconnected or no feedback is received after the preset number of requests, otherwise going to S3; S3, sending a system running state information feedback request to all nodes in L; S4, performing security evaluation on the system running state information and taking the node with the lowest security degree as the attack source; S5, sending a system supervision log information feedback request to all nodes in L; S6, performing security evaluation on the system supervision log information and taking the node with the lowest security degree as the attack source; S7, outputting the list of switch or router information for the devices directly connected to the nodes in L, for checking for illegal external terminals. The method covers potential attack sources comprehensively and locates the attack source accurately.

Description

Industrial control system network attack tracing method based on communication delay and security evaluation
Technical Field
The invention belongs to the technical field of intelligent power grid safety, and particularly relates to an industrial control system network attack tracing method based on communication delay and safety evaluation.
Background
Network attack tracing helps a power industrial control system adopt an appropriate defence strategy, block the attack at its source and escape the threat of the attack as far as possible. At present there is little research on tracing network attacks against power industrial control systems on the basis of communication delay and security evaluation. Because the real-time control services in a power industrial control system have strict real-time requirements, and some of their communication protocols have no TCP/IP layer, network attack tracing methods designed for conventional information networks cannot be applied.
Disclosure of Invention
The invention aims to provide an industrial control system network attack tracing method based on communication delay and security evaluation, so as to solve the problem of how to effectively trace a network attack on a power industrial control system and determine its source.
The technical scheme adopted by the invention to solve this problem is as follows:
A communication delay and security evaluation based industrial control system network attack tracing method comprises the following steps:
S1, determining all potential attack sources and building a potential attack source address list L from them, wherein the potential attack sources comprise the attack message, all messages with the same delay characteristics as the attack message, and the terminals directly connected to the transmission device that captured the attack message;
S2, sending network state feedback requests to all nodes in L; if a node's network connection is disconnected, or no feedback is received from it after the preset number of requests, judging that node to be the attack source, otherwise going to S3;
S3, sending a system running state information feedback request to all nodes in L;
S4, performing security evaluation on the system running state information to obtain a primary security degree list; if a node with a security degree lower than a first preset threshold exists, taking the node with the lowest security degree as the attack source, otherwise going to S5;
S5, sending a system supervision log information feedback request to all nodes in L;
S6, performing security evaluation on the system supervision log information to obtain a secondary security degree list; if a terminal node with a security degree lower than a second preset threshold exists, taking the node with the lowest security degree as the attack source, otherwise going to S7;
S7, outputting the list of switch or router information for the devices directly connected to the nodes in L, for checking for illegal external terminals.
Further, step S1 includes:
S1.1, initializing the potential attack source address list L: when the attack message is a non-Ethernet frame, going to S1.3; when the attack message is an Ethernet frame without an IP header, adding the source MAC address of the attack message to L; when the message is an Ethernet frame with an IP header, adding the device MAC address corresponding to the source IP address to L;
S1.2, acquiring the MAC addresses of all non-transmission devices directly connected to the capture point and adding them to L;
S1.3, obtaining the time label of the attack message and calculating its delay information; if there is no time label, going to S1.5;
S1.4, acquiring, according to the delay information, the MAC addresses of all nodes with the same delay characteristic as a second attack source address list; if the second attack source address list is not empty, adding it to L and ending S1; if it is empty, going to S1.5;
S1.5, updating L to the list of MAC addresses of all terminals in the same network as the attack capture point.
Further, the system running state information includes any one or more of: CPU utilization, memory utilization, swap partition utilization, disk utilization and process count.
Further, the system supervision log information comprises file addition, deletion and modification records and/or detailed process information.
The invention has the following beneficial effects:
Messages with the same delay characteristics as the attack message, and the terminals directly connected to the transmission device that captured the attack message, are treated as potential attack sources, so that potential attack sources are covered comprehensively and none is missed. The attack source is then traced layer by layer, using network connection state feedback, system running state information feedback and system supervision log information feedback, so that it can be located accurately.
Drawings
The invention will be further described with reference to the accompanying drawings and embodiments, in which:
Fig. 1 is a flowchart of an industrial control system network attack tracing method based on communication delay and security evaluation according to an embodiment of the present invention;
Fig. 2 is an application scenario diagram of the industrial control system network attack tracing method based on communication delay and security evaluation provided by the embodiment of the present invention;
Fig. 3 is a flowchart of an industrial control system network attack tracing method based on communication delay and security evaluation according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
Fig. 1 is a flowchart of an industrial control system network attack tracing method based on communication delay and security evaluation according to an embodiment of the present invention, and as shown in fig. 1, an industrial control system network attack tracing method based on communication delay and security evaluation according to an embodiment of the present invention includes the following steps:
S1, determining all potential attack sources and building a potential attack source address list L from them, wherein the potential attack sources comprise the attack message, all messages with the same delay characteristics as the attack message, and the terminals directly connected to the transmission device that captured the attack message.
Fig. 2 is an application scenario diagram of the industrial control system network attack tracing method based on communication delay and security evaluation according to the embodiment of the present invention; as shown in Fig. 2, it depicts a network attack scenario that a power grid embedded terminal may suffer. First, an attacker implants malicious code on the device of operation and maintenance personnel. Then, when the operation and maintenance worker connects that device to the station control layer network of a substation for maintenance, the device is used as a springboard and a vulnerability in a power grid embedded terminal (a measurement and control terminal) is exploited to implant malicious code into that terminal. The malicious code can tamper with the data field of GOOSE control messages transmitted on the network, so as to open and close the circuit breakers controlled by other terminals in the same VLAN as that terminal. Finally, by continuously tampering with the control messages, the malicious program opens and closes several circuit breakers many times simultaneously, causing continuous damage to the power grid.
An intrusion detection system (IDS) is a network security device that monitors network traffic in real time and raises an alert or takes active countermeasures when suspicious traffic is found. After the IDS detects the attack message, it provides the network attack related information used to determine the potential attack sources. In this embodiment a dedicated server may be provided, or an existing server used, as the network attack tracing host that executes the method. Because the attack packet has delay characteristics, this embodiment also treats packets with the same delay characteristics as potential attack sources. Whether the delay characteristic is the same is decided by a preset interval, for example (0, 0.2 ms); delays falling in the same interval count as the same characteristic. The terminals directly connected to the transmission device that captured the attack message are considered as well, and the final attack source address list L is determined, for example, from the source and destination MAC addresses of the potential attack sources.
S2, sending network state feedback requests to all nodes in L; if a node's network connection is disconnected, or no feedback is received from it after the preset number of requests, judging that node to be the attack source, otherwise going to S3.
All suspicious nodes in list L are notified to feed back their current network connection state to the network attack tracing host. If the tracing host does not receive the network connection state of a suspicious node within time t_MAX, it sends the notification command to that node again; if nothing is received after the preset number of attempts (for example three), the position of that suspicious node is judged to be the attack source position. In this case the attacking device is an illegal terminal; according to the preset network topology graph, the MAC address and port number of the transmission device the node is attached to are output as the attack source position, and network attack tracing ends. If a suspicious node's connection to the network containing the attack capture point provided by the IDS is disconnected, the position of that node is likewise judged to be the attack source position; the attacking device is an illegal terminal, the MAC address and port number of the transmission device it is attached to are output as the attack source position, and tracing ends. If the tracing host receives the network connection state of all suspicious nodes and all of them are normal, go to S3.
S3, sending a system running state information feedback request to all nodes in L.
All suspicious nodes in list L are notified to feed back their system running state information to the network attack tracing host.
As an alternative embodiment, the system running state information includes any one or more of: CPU utilization, memory utilization, swap partition utilization, disk utilization and process count.
For example, the system running state information includes all of: CPU utilization, memory utilization, swap partition utilization, disk utilization and process count.
S4, performing security evaluation on the system running state information to obtain a primary security degree list; if nodes with a security degree lower than the first preset threshold exist, taking the node with the lowest security degree as the attack source, otherwise going to S5.
The network attack tracing host performs a primary security evaluation on the system running state information of all suspicious nodes. The evaluation is implemented with an existing method, and a support vector machine can be chosen as the evaluation algorithm, yielding the primary security degree list L_x1. It is then judged whether a node whose primary security degree is lower than the threshold X_1 (the first preset threshold) exists; X_1 defaults to 0.3. If so, the node with the lowest security degree is the attack source; in this case the attacking device is a legal terminal, the MAC address of the node is output, and according to the preset network topology graph the MAC address and port number of the transmission device the node is attached to are output as the attack source position; network attack tracing ends. If not, go to S5.
S5, sending a system supervision log information feedback request to all nodes in L.
All suspicious nodes in list L are notified to feed back their current system supervision log information to the network attack tracing host.
As an optional embodiment, the system supervision log information comprises file addition, deletion and modification records and/or detailed process information. For example, it includes both: addition, deletion and modification records of important files, and detailed process information.
S6, performing security evaluation on the system supervision log information to obtain a secondary security degree list L_x2; if a terminal node with a security degree lower than the second preset threshold exists, taking the node with the lowest security degree as the attack source, otherwise going to S7.
The network attack tracing host performs a secondary security evaluation on the supervision log information of all suspicious nodes; a support vector machine can be chosen as the evaluation algorithm, yielding the secondary security degree list L_x2. It is then judged whether a node whose secondary security degree is lower than the threshold X_2 exists; X_2 defaults to 0.5. If so, the node with the lowest security degree is the attack source; in this case the attacking device is a legal terminal, the MAC address of the node is output, and according to the preset network topology graph the MAC address and port number of the transmission device the node is attached to are output as the attack source position; network attack tracing ends. If not, go to S7, and the attacking device is an illegal terminal.
S7, outputting the list of switch or router information for the devices directly connected to the nodes in L, for checking for illegal external terminals.
Based on the potential attack source address list L and the preset network topology graph, the list L_DTE of switch or router information for the nodes in L is output, and an administrator is notified to check whether illegal external terminals are present on those switches or routers; network attack tracing ends.
According to the industrial control system network attack tracing method based on communication delay and security evaluation provided by the embodiment of the invention, the message with the same delay characteristic as the attack message and the terminal directly connected with the transmission equipment for capturing the attack message are used as potential attack sources, so that the comprehensive coverage of the potential attack sources is realized, and omission is avoided. According to the network connection state feedback, the system operation state information feedback and the system supervision log information feedback, the attack source is traced layer by layer, and the attack source can be accurately positioned.
Based on the foregoing embodiment, as an alternative embodiment, fig. 3 is a flowchart of a network attack tracing method of an industrial control system based on communication delay and security evaluation according to another embodiment of the present invention, as shown in fig. 3, which is basically the same as the foregoing embodiment except for step S1, and the step S1 includes:
S1.1, initializing the potential attack source address list L: when the attack message is a non-Ethernet frame, going to S1.3; when the attack message is an Ethernet frame without an IP header, adding the source MAC address of the attack message to L; when the message is an Ethernet frame with an IP header, adding the device MAC address corresponding to the source IP address to L.
The potential attack source address list is initialized as L = {MAC_source}. If the attack message is a non-Ethernet frame, MAC_source is set to empty and the method goes to S1.3. If the message is an Ethernet frame without an IP header, it is checked whether the source MAC address of the attack message is a broadcast MAC; if so, MAC_source is set to empty, otherwise MAC_source is the source MAC address of the attack message. If the message is an Ethernet frame with an IP header, the source IP address in the IP header is read; if it is a broadcast address, MAC_source is set to empty, otherwise the device MAC address corresponding to that IP is looked up in the preset network topology graph and taken as MAC_source.
S1.2, acquiring the MAC addresses of all non-transmission devices directly connected to the capture point and adding them to L.
Using the MAC address MAC_capture of the attack capture point provided by the intrusion detection system, the MAC addresses of all non-transmission devices directly connected to the transmission device MAC_capture are obtained from the preset network topology graph, and all of them are added to the possible attack source list L. A transmission device is a device that performs message forwarding on the communication network; a non-transmission device is a device that communicates over the network, that is, data terminal equipment.
S1.3, acquiring the time label of the attack message and calculating its delay information; if there is no time label, going to S1.4.
The UTC time label t_UTC carried in the attack message is read; if, judging by the message length, the attack message has no time label field, go to S1.5. Otherwise, with t_current the capture time of the message provided by the IDS, and both t_UTC and t_current at millisecond precision, the delay information is calculated as t_delay = t_current - t_UTC.
S1.4, acquiring, according to the delay information, the MAC addresses of all nodes with the same delay characteristic as a second attack source address list; if the second attack source address list is not empty, adding it to L and ending S1; if it is empty, going to S1.5.
The message length, MAC_capture, t_UTC and t_delay are input into a communication delay model, which returns the list L_delay of MAC addresses of all nodes matching the delay characteristic. The communication delay model can be built in advance from the mapping between communication delay ranges (delay characteristics) and node MAC addresses. In a power industrial control system without faults, the communication delay of a given device is relatively stable at the same time of day (because most services are periodic), so the nodes whose messages share the delay characteristic of the attack message can be obtained from the attack message's delay and treated as potential attack nodes; their MAC addresses form the second attack source address list. To allow for error in the delay value, the invention maps delay ranges rather than exact delay values to the different MAC addresses, which improves robustness. If L_delay is not empty, all MAC addresses in L_delay are added to L, i.e. L = L ∪ L_delay, S1 ends and the method goes to S2; otherwise it goes to S1.5.
S1.5, updating L to the list of MAC addresses of all terminals in the same network as the attack capture point.
L is updated to the list of MAC addresses of all terminals located in the same network as the attack capture point provided by the IDS, according to the preset network topology graph. Because some networks of the power industrial control system are physically isolated, terminals in different physically isolated networks cannot communicate. Two terminals that can communicate with each other without physical isolation are considered to be in the same network.
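The S1 procedure above (S1.1 to S1.5), as an added worked example in Python; it is not code from the patent. The frame classification, the source-IP lookup, the delay calculation t_delay = t_current - t_UTC at millisecond precision, the delay-range lookup and the S1.5 fallback follow the steps as described. The Topology class, the DelayModel mapping, the is_broadcast_ip check and every MAC address, IP address and timestamp are constructed stand-ins for the "preset network topology graph" and the "communication delay model", neither of which the patent specifies.

```python
# Stage S1 of the tracing method: building the potential attack source list L.
# Added example, not code from the patent. Topology and delay model are
# constructed stand-ins; all MACs, IPs and timestamps are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class AttackMessage:
    is_ethernet: bool               # False: non-Ethernet frame (S1.1 skips to S1.3)
    src_mac: Optional[str] = None   # source MAC of the Ethernet frame
    src_ip: Optional[str] = None    # None when the frame carries no IP header
    t_utc_ms: Optional[int] = None  # UTC time label in the message (ms); None if absent
    t_current_ms: int = 0           # capture time supplied by the IDS (ms)


@dataclass
class Topology:
    """Constructed stand-in for the preset network topology graph."""
    ip_to_mac: Dict[str, str]          # source IP -> device MAC
    links: Dict[str, List[str]]        # transmission device MAC -> attached terminals
    network_of: Dict[str, str]         # device MAC -> physically isolated network id
    terminals: Dict[str, List[str]]    # network id -> terminal MACs in that network

    def terminals_in_network_of(self, mac: str) -> List[str]:
        return list(self.terminals.get(self.network_of.get(mac, ""), []))


# Constructed delay model: (capture point MAC, low ms, high ms) -> MACs whose
# messages seen at that capture point fall in the delay range [low, high).
# The patent also feeds the frame length and t_UTC into its model; this
# stand-in keys only on capture point and delay range.
DelayModel = Dict[Tuple[str, int, int], List[str]]


def is_broadcast_ip(ip: str) -> bool:
    # Simplified check: limited broadcast or a .255 host part (assumption).
    return ip == "255.255.255.255" or ip.endswith(".255")


def delay_ms(msg: AttackMessage) -> Optional[int]:
    """S1.3: t_delay = t_current - t_UTC at millisecond precision; None if no label."""
    if msg.t_utc_ms is None:
        return None
    return msg.t_current_ms - msg.t_utc_ms


def delay_lookup(model: DelayModel, capture_mac: str, t_delay: int) -> List[str]:
    """S1.4: nodes whose traffic shows the same delay characteristic (a range,
    not an exact value, which is what gives the method its tolerance)."""
    for (cap, lo, hi), macs in model.items():
        if cap == capture_mac and lo <= t_delay < hi:
            return list(macs)
    return []


def _add(L: List[str], macs) -> None:
    for m in macs:
        if m and m not in L:          # skip empty MAC_source and duplicates
            L.append(m)


def build_candidate_list(msg: AttackMessage, capture_mac: str,
                         topo: Topology, model: DelayModel) -> List[str]:
    L: List[str] = []                                       # S1.1: initialise L
    if msg.is_ethernet:
        if msg.src_ip is None:                              # Ethernet, no IP header
            if msg.src_mac != BROADCAST_MAC:
                _add(L, [msg.src_mac])
        elif not is_broadcast_ip(msg.src_ip):               # Ethernet with IP header
            _add(L, [topo.ip_to_mac.get(msg.src_ip)])
        # S1.2: non-transmission devices hanging directly off the capture point
        _add(L, topo.links.get(capture_mac, []))
    t_delay = delay_ms(msg)                                 # S1.3
    if t_delay is not None:
        l_delay = delay_lookup(model, capture_mac, t_delay) # S1.4
        if l_delay:
            _add(L, l_delay)
            return L                                        # S1 ends; S2 follows
    return topo.terminals_in_network_of(capture_mac)        # S1.5 fallback


# Constructed sample topology and delay model.
TOPO = Topology(
    ip_to_mac={"10.0.0.24": "MAC24"},
    links={"MAC18": ["MAC24", "MAC26"]},
    network_of={m: "bay-vlan" for m in ["MAC18", "MAC24", "MAC26", "MAC28", "MAC30"]},
    terminals={"bay-vlan": ["MAC24", "MAC26", "MAC28", "MAC30"]},
)
MODEL: DelayModel = {("MAC18", 0, 1): ["MAC24", "MAC26", "MAC28"]}


def trace_s1_labelled_frame() -> List[str]:
    # Ethernet frame with IP header; label and capture time fall in the same
    # millisecond, like the 0.1225 ms delay the description rounds to 0 ms.
    msg = AttackMessage(True, "MAC24", "10.0.0.24",
                        t_utc_ms=1_590_000_000_000, t_current_ms=1_590_000_000_000)
    return build_candidate_list(msg, "MAC18", TOPO, MODEL)   # ['MAC24', 'MAC26', 'MAC28']


def trace_s1_unlabelled_frame() -> List[str]:
    # Non-Ethernet frame without time label: S1.1 -> S1.3 -> S1.5 fallback.
    return build_candidate_list(AttackMessage(False), "MAC18", TOPO, MODEL)
```

The fallback in S1.5 replaces L rather than extending it, as the description states; the union in S1.4 is deliberately deduplicated so a terminal found both by its IP and by the delay model appears once.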
Based on the above embodiments, the following is illustrated by a specific example:
Network attack related information is obtained from the intrusion detection system: the attack message P_G3, the MAC address MAC_1 of the capture point of the attack message, and the message capture time UTC_cap1;
the communication delay of the attack message is calculated to be 0.1225 ms; since in practice the delay precision is only milliseconds, the delay is recorded as 0 ms;
a list of all possible attack sources is obtained with the statistics-based communication delay model: L_attack = {MAC_24, MAC_26, MAC_28, MAC_30, MAC_32, MAC_34, MAC_35, MAC_36, MAC_37, MAC_38};
the current network connection state of all terminals in L_attack is obtained; the network connection state of all terminals is normal;
the system running state information of all terminals in L_attack is obtained, comprising CPU utilization, memory utilization, swap partition utilization, disk utilization and process count;
primary security evaluation is performed on the system running state information of all terminals in L_attack to obtain the primary security degree list L_x1 = {0.7881, 0.7683, 0.8233, 0.7374, 0.8411, 0.0055, 0.7833, 0.4543, 0.7946, 0.6914}; it is judged that a terminal whose primary security degree is lower than the threshold X_1 exists (X_1 takes the default value 0.3), so the terminal with the lowest security degree is taken as the attack source; the attacking device is a legal terminal, its MAC address MAC_34 is output, and according to the preset network topology graph the MAC address MAC_18 of the transmission device the terminal is attached to and the port number 2 are output as the network coordinates of the attack source; network attack tracing ends.
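The layered S2 to S7 procedure described in the embodiment, replayed on the figures of this worked example as an added Python example (not the patent's own code). The thresholds X_1 = 0.3 and X_2 = 0.5, the retry limit of three requests, the candidate list L_attack, the primary security degree list L_x1 and the verdict (MAC_34, attached to transmission device MAC_18 port 2) come from the description. The poll callback, the evaluators (the description's support vector machine is replaced by stand-ins returning fixed scores), the secondary-stage scores and the switch/port assignments of the other nine terminals are constructed assumptions.

```python
# Stages S2 to S7 of the layered tracing, replayed on the worked example.
# Added example, not the patent's own code. Evaluators are stand-ins returning
# fixed scores (L_x1 as quoted; secondary scores constructed). Switch/port
# assignments other than MAC34 -> MAC18 port 2 are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

X1_DEFAULT = 0.3     # first preset threshold (running-state stage)
X2_DEFAULT = 0.5     # second preset threshold (supervision-log stage)
MAX_REQUESTS = 3     # "preset times" before a silent node is judged the source

Location = Tuple[str, int]                   # (transmission device MAC, port number)
Poll = Callable[[str], Optional[bool]]       # True: normal, False: link down, None: no reply in t_MAX
Evaluator = Callable[[List[str]], Dict[str, float]]


@dataclass
class TraceResult:
    stage: str                            # stage that produced the verdict
    legal_terminal: Optional[bool]        # True: registered node, False: rogue device
    node_mac: Optional[str] = None        # attacking node, when it is a legal terminal
    location: Optional[Location] = None   # switch MAC and port of the attack source
    check_list: List[str] = field(default_factory=list)  # S7: devices for the admin to inspect


def stage_s2(L: List[str], poll: Poll, topo: Dict[str, Location]) -> Optional[TraceResult]:
    """S2: a node silent for MAX_REQUESTS requests, or reporting its connection
    down, is an illegal terminal located at its switch port."""
    for mac in L:
        reply = None
        for _ in range(MAX_REQUESTS):
            reply = poll(mac)
            if reply is not None:
                break
        if not reply:                     # None (silent) or False (disconnected)
            return TraceResult("S2", False, None, topo[mac])
    return None


def lowest_below(scores: Dict[str, float], threshold: float) -> Optional[str]:
    """Node with the lowest security degree, if that degree is below the threshold."""
    mac, score = min(scores.items(), key=lambda kv: kv[1])
    return mac if score < threshold else None


def trace(L: List[str], poll: Poll, primary: Evaluator, secondary: Evaluator,
          topo: Dict[str, Location], x1: float = X1_DEFAULT,
          x2: float = X2_DEFAULT) -> TraceResult:
    hit = stage_s2(L, poll, topo)
    if hit:
        return hit
    mac = lowest_below(primary(L), x1)           # S3/S4: running-state information
    if mac:
        return TraceResult("S4", True, mac, topo[mac])
    mac = lowest_below(secondary(L), x2)         # S5/S6: supervision-log information
    if mac:
        return TraceResult("S6", True, mac, topo[mac])
    # S7: no legal terminal scores low enough, so the attacker is taken to be a
    # rogue device; list the switches/routers the candidates hang off.
    return TraceResult("S7", False, check_list=sorted({topo[m][0] for m in L}))


# Worked-example data: candidate list and L_x1 as quoted in the description.
L_ATTACK = ["MAC24", "MAC26", "MAC28", "MAC30", "MAC32",
            "MAC34", "MAC35", "MAC36", "MAC37", "MAC38"]
LX1 = [0.7881, 0.7683, 0.8233, 0.7374, 0.8411,
       0.0055, 0.7833, 0.4543, 0.7946, 0.6914]
# Constructed topology; only MAC34 -> (MAC18, port 2) is given by the description.
TOPO: Dict[str, Location] = {
    "MAC24": ("MAC18", 1), "MAC34": ("MAC18", 2), "MAC26": ("MAC18", 3),
    "MAC28": ("MAC18", 4), "MAC30": ("MAC18", 5), "MAC32": ("MAC19", 1),
    "MAC35": ("MAC19", 2), "MAC36": ("MAC19", 3), "MAC37": ("MAC19", 4),
    "MAC38": ("MAC19", 5),
}


def primary_eval(L: List[str]) -> Dict[str, float]:
    return dict(zip(L, LX1))


def secondary_eval(L: List[str]) -> Dict[str, float]:
    return {m: 0.9 for m in L}   # constructed: all above X2, not reached in the example


def run_worked_example() -> TraceResult:
    # All nodes answer the network-state request, so the verdict comes from S4.
    return trace(L_ATTACK, lambda mac: True, primary_eval, secondary_eval, TOPO)


if __name__ == "__main__":
    r = run_worked_example()
    print(r.stage, r.node_mac, r.location)   # S4 MAC34 ('MAC18', 2)
```

Note that 0.4543 (MAC36) lies below X_2 but above X_1, so it does not trigger at S4; it would only be reported if the secondary evaluation also placed it lowest and below 0.5, which shows why the two stages use different thresholds.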
The invention has been described with reference to a few embodiments. However, other embodiments of the invention than the one disclosed above are equally possible within the scope of the invention, as would be apparent to a person skilled in the art from the appended patent claims.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (4)

1. A network attack tracing method for an industrial control system based on communication delay and security evaluation, characterized by comprising the following steps:
S1, determining all potential attack sources and building a potential attack source address list L from them, where the potential attack sources comprise the sender of the attack message, the senders of all messages with the same time delay characteristics as the attack message, and the terminals directly connected to the transmission device that captured the attack message;
S2, sending network state feedback requests to all nodes in L; a node whose network connection is disconnected, or that returns no feedback after a preset number of requests, is judged to be an attack source; otherwise, going to S3;
S3, sending a system running state information feedback request to all nodes in L;
S4, performing security evaluation on the system running state information to obtain a primary security degree list; if any node has a security degree lower than a first preset threshold, taking the node with the lowest security degree as the attack source, otherwise going to S5;
S5, sending a system supervision log information feedback request to all nodes in L;
S6, performing security evaluation on the system supervision log information to obtain a secondary security degree list; if any terminal node has a security degree lower than a second preset threshold, taking the node with the lowest security degree as the attack source, otherwise going to S7;
and S7, outputting the list of switches or routers directly connected to the nodes in L, so that they can be checked for illegal external terminals.
2. The industrial control system network attack tracing method based on communication delay and security evaluation as claimed in claim 1, wherein step S1 comprises:
S1.1, initializing the potential attack source address list L; when the attack message is not an Ethernet frame, going to S1.3; when the attack message is an Ethernet frame without an IP header, adding the source MAC address of the attack message to L; when the attack message is an Ethernet frame with an IP header, adding the MAC address of the device corresponding to the source IP address to L;
S1.2, acquiring the MAC addresses of all non-transmission devices directly connected to the capture point and adding them to L;
S1.3, obtaining the time label of the attack message and calculating its time delay information; if there is no time label, going to S1.5;
S1.4, acquiring, from the time delay information, the MAC addresses of all nodes with the same time delay characteristic as a second attack source address list; if the second attack source address list is not empty, adding it to L and ending S1; if it is empty, going to S1.5;
S1.5, replacing L with the list of the MAC addresses of all terminals in the same network as the attack capture point.
3. The industrial control system network attack tracing method based on communication delay and security evaluation as claimed in claim 1, wherein the system running state information comprises any one or more of: CPU utilization, memory utilization, swap partition utilization, disk utilization and process count.
4. The industrial control system network attack tracing method based on communication delay and security evaluation as claimed in claim 1, wherein the system supervision log information comprises file addition, deletion and modification records and/or detailed process information.
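The claims fix the order of the steps and the inputs of each stage, but not the data model, the delay-matching rule, the security-degree formulas or the thresholds. The following is an added worked example (not the patent's own code) that runs claims 1 to 4 end to end over a constructed sample network: `Packet`, `Node`, the two scoring functions, the tolerance and threshold constants, and the MAC/IP values are all assumptions made for illustration.

```python
"""Worked run of the tracing procedure in claims 1-4 over constructed data.
Added example, not the patent's code: scoring formulas, thresholds and the
node model are assumptions, since the claims name only the inputs."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Packet:
    """Captured attack message; fields the frame does not carry are None."""
    is_ethernet: bool
    src_mac: Optional[str]
    src_ip: Optional[str]            # None when there is no IP header
    time_label: Optional[float]      # sender timestamp, None if the protocol has none
    capture_time: float              # when the transmission device captured it

@dataclass
class Node:
    mac: str
    network: str                     # L2 domain the node belongs to
    uplink: str                      # MAC of the switch/router it is directly connected to
    is_transmission_device: bool = False
    reachable: bool = True           # answers network-state feedback requests (S2)
    cpu: float = 0.1                 # running-state metrics of claim 3, as fractions
    mem: float = 0.1
    swap: float = 0.0
    disk: float = 0.2
    procs: int = 40
    file_changes: int = 0            # supervision-log counters of claim 4
    suspicious_procs: int = 0
    delay: Optional[float] = None    # known one-way delay to the capture point

# Assumed tunables; the patent only calls them "preset".
MAX_REQUESTS = 3
DELAY_TOLERANCE = 0.002
THRESHOLD_1 = 0.5
THRESHOLD_2 = 0.5
PROC_CEILING = 200

def primary_security(n: Node) -> float:
    """Assumed score: 1 minus the mean utilisation over the claim-3 metrics."""
    return 1.0 - (n.cpu + n.mem + n.swap + n.disk + min(n.procs / PROC_CEILING, 1.0)) / 5

def secondary_security(n: Node) -> float:
    """Assumed score from the claim-4 log counters; suspicious processes weigh more."""
    return max(0.0, 1.0 - (n.file_changes + 5 * n.suspicious_procs) / 50)

def build_candidate_list(pkt: Packet, nodes: dict, arp: dict, capture_point: Node) -> list:
    """Claim 2, S1.1-S1.5: MAC addresses of the potential attack sources."""
    L = []                                                       # S1.1
    if pkt.is_ethernet:
        if pkt.src_ip is None:
            L.append(pkt.src_mac)                                # no IP header: frame source MAC
        elif pkt.src_ip in arp:
            L.append(arp[pkt.src_ip])                            # device MAC behind the source IP
        for n in nodes.values():                                 # S1.2
            if n.uplink == capture_point.mac and not n.is_transmission_device and n.mac not in L:
                L.append(n.mac)
    if pkt.time_label is not None:                               # S1.3
        delay = pkt.capture_time - pkt.time_label
        second = [n.mac for n in nodes.values()                  # S1.4
                  if n.delay is not None and abs(n.delay - delay) <= DELAY_TOLERANCE]
        if second:
            L.extend(m for m in second if m not in L)
            return L                                             # S1 ends here
    return [n.mac for n in nodes.values()                        # S1.5
            if n.network == capture_point.network and not n.is_transmission_device]

def trace(pkt: Packet, nodes: dict, arp: dict, capture_point: Node,
          probe: Callable[[Node], bool] = lambda n: n.reachable) -> tuple:
    """Claim 1, S1-S7. Returns (stage, result): attack-source MACs after S2, S4
    or S6, or the switch/router MACs to inspect after S7."""
    L = build_candidate_list(pkt, nodes, arp, capture_point)      # S1
    silent = [m for m in L if m not in nodes                      # S2: unknown or mute nodes
              or not any(probe(nodes[m]) for _ in range(MAX_REQUESTS))]
    if silent:
        return ("S2", silent)
    primary = {m: primary_security(nodes[m]) for m in L}          # S3/S4
    low = [m for m, s in primary.items() if s < THRESHOLD_1]
    if low:
        return ("S4", [min(low, key=primary.get)])
    secondary = {m: secondary_security(nodes[m]) for m in L      # S5/S6, terminals only
                 if not nodes[m].is_transmission_device}
    low = [m for m, s in secondary.items() if s < THRESHOLD_2]
    if low:
        return ("S6", [min(low, key=secondary.get)])
    return ("S7", sorted({nodes[m].uplink for m in L}))           # S7

# Constructed sample network: the capture-point switch SW1 with two terminals
# behind it, and a third terminal behind SW2 in the same L2 domain.
SW1, SW2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
HMI, PLC, ENG = "00:aa:00:00:00:10", "00:aa:00:00:00:11", "00:aa:00:00:00:12"
SAMPLE_NODES = {n.mac: n for n in [
    Node(SW1, "ics-a", "rt1", is_transmission_device=True),
    Node(SW2, "ics-a", "rt1", is_transmission_device=True),
    Node(HMI, "ics-a", SW1, delay=0.010),
    Node(PLC, "ics-a", SW1, delay=0.010, cpu=0.95, mem=0.9, swap=0.6, procs=300),
    Node(ENG, "ics-a", SW2, delay=0.030, file_changes=40, suspicious_procs=3),
]}
SAMPLE_ARP = {"10.0.0.20": HMI}          # the attack message carried the HMI's IP
SAMPLE_PACKET = Packet(True, HMI, "10.0.0.20", time_label=100.000, capture_time=100.010)

def run_demo() -> tuple:
    """Traces the constructed attack message; the PLC's running state gives it away."""
    return trace(SAMPLE_PACKET, SAMPLE_NODES, SAMPLE_ARP, SAMPLE_NODES[SW1])
```

In the sample run the spoofed source IP points at the HMI, but S1.2 and S1.4 pull the PLC on the same switch into L as well, and S4 picks it out by its resource exhaustion. Two caveats follow from the structure of the claims rather than from this code: S1.5 widens L to every terminal in the L2 domain whenever the message carries no usable time label, so the later stages then probe hosts that had nothing to do with the message; and S2 declares any silent node an attack source, which a powered-off or network-isolated device would also satisfy, so an S2 verdict deserves confirmation from the S3 to S6 evidence before anything is disconnected.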
CN202010451084.6A 2020-05-25 2020-05-25 Industrial control system network attack tracing method based on communication time delay and security evaluation Active CN111695115B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010451084.6A CN111695115B (en) 2020-05-25 2020-05-25 Industrial control system network attack tracing method based on communication time delay and security evaluation

Publications (2)

Publication Number Publication Date
CN111695115A true CN111695115A (en) 2020-09-22
CN111695115B CN111695115B (en) 2023-05-05

Family

ID=72478142

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010451084.6A Active CN111695115B (en) 2020-05-25 2020-05-25 Industrial control system network attack tracing method based on communication time delay and security evaluation

Country Status (1)

Country Link
CN (1) CN111695115B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112738089A (en) * 2020-12-29 2021-04-30 中国建设银行股份有限公司 Method and device for automatically backtracking source ip under complex network environment
CN114866298A (en) * 2022-04-21 2022-08-05 武汉大学 Power engineering control system network attack tracing method combining packet marking and packet log

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070192863A1 (en) * 2005-07-01 2007-08-16 Harsh Kapoor Systems and methods for processing data flows
US20090319659A1 (en) * 2006-12-28 2009-12-24 Hiroshi Terasaki Source detection device for detecting a source of sending a virus and/or a dns attack linked to an application, method thereof, and program thereof
CN108282497A (en) * 2018-04-28 2018-07-13 电子科技大学 DDoS attack detection method for SDN control planes
CN110113328A (en) * 2019-04-28 2019-08-09 武汉理工大学 Blockchain-based DDoS defense method for software-defined opportunistic networks

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
何金栋 et al.: "Research and verification of network attack types against embedded terminals in smart substations" *
姜建国; 王继志; 孔斌; 胡波; 刘吉强: "A survey of network attack source tracing techniques" *
王启林; 李小鹏; 郁滨; 黄一才: "A defense scheme against Bluetooth Low Energy flooding attacks based on connection authentication" *
田红成; 毕军; 王虹: "An incrementally deployable IP traceback method based on sampled flows" *

Also Published As

Publication number Publication date
CN111695115B (en) 2023-05-05

Similar Documents

Publication Publication Date Title
Igbe et al. Deterministic dendritic cell algorithm application to smart grid cyber-attack detection
CN112468518B (en) Access data processing method and device, storage medium and computer equipment
CN103309307B (en) A kind of intelligent electrical appliance control controlled based on object accesses
CN110266650B (en) Identification method of Conpot industrial control honeypot
CN111695115B (en) Industrial control system network attack tracing method based on communication time delay and security evaluation
CN108053126A Risk assessment method for electric power CPS under DoS attacks
CN110213233A (en) Defend the emulation platform and method for building up of power grid distributed denial of service attack
CN108833430B (en) Topology protection method of software defined network
CN108810008B (en) Transmission control protocol flow filtering method, device, server and storage medium
CN106470187A DoS attack prevention methods, devices and systems
Tebekaemi et al. Secure overlay communication and control model for decentralized autonomous control of smart micro-grids
Darwish et al. Vulnerability Assessment and Experimentation of Smart Grid DNP3.
Wang et al. Credibility-based countermeasure against slow HTTP DoS attacks by using SDN
Sun et al. Research on distributed feeder automation communication based on XMPP and GOOSE
CN114115068A (en) Heterogeneous redundancy defense strategy issuing method of endogenous security switch
CN108418794B (en) Method and system for preventing ARP attack by intelligent substation communication network
Pfrang et al. On the Detection of Replay Attacks in Industrial Automation Networks Operated with Profinet IO.
Gu et al. Im-ofdp: An improved openflow-based topology discovery protocol for software defined network
CN105099799A (en) Botnet detection method and controller
CN110121866A (en) Detection and suppression loop
CN109195160B (en) Tamper-proof storage system of network equipment resource detection information and control method thereof
CN110995586A (en) BGP message processing method and device, electronic equipment and storage medium
CN113556327B (en) Block chain-based false flow rule injection attack detection and prevention system and method
Cebe et al. A bandwidth-efficient secure authentication module for smart grid DNP3 protocol
CN110971565A (en) Source network load system vulnerability evaluation method and system based on malicious attack modeling

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant