CN112367322B - Power station industrial control system abnormal flow identification method based on bubbling sequencing method (Google Patents)

Info

Publication number: CN112367322B (application CN202011249001.1A)
Authority: CN (China)
Prior art keywords: flow, real time, serial number, industrial control
Legal status: Active (the status is an assumption and not a legal conclusion)
Application number: CN202011249001.1A
Other languages: Chinese (zh)
Other versions: CN112367322A (en)
Inventors: 刘超飞, 毕玉冰, 崔逸群, 朱博迪, 王文庆, 董夏昕
Current assignee: Xian Thermal Power Research Institute Co Ltd
Original assignee: Xian Thermal Power Research Institute Co Ltd
Priority date: 2020-11-10
Filing date: 2020-11-10
Publication date: 2021-02-12 (CN112367322A), 2022-09-30 (CN112367322B)

Events:
2020-11-10: Application filed by Xian Thermal Power Research Institute Co Ltd; priority to CN202011249001.1A
2021-02-12: Publication of CN112367322A
2022-09-30: Application granted; publication of CN112367322B
Current legal status: Active

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425  Traffic logging, e.g. anomaly detection
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 7/00  Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F 7/06  Arrangements for sorting, selecting, merging, or comparing data on individual record carriers
    • G06F 7/08  Sorting, i.e. grouping record carriers in numerical or other ordered sequence according to the classification of at least some of the information they carry
    • H04L 41/00  Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06  Management of faults, events, alarms or notifications
    • H04L 41/0631  Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • Y  GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04  INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S  SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00  Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20  Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

A method for identifying abnormal traffic in a power station industrial control system based on bubble sort comprises the following steps: 1) monitoring points are created in a real-time database according to the number of nodes in the power station industrial control system; the monitoring points hold the traffic lengths received and sent by each node and the corresponding sort sequence numbers; 2) network traffic is captured from the system through port mirroring, then classified, counted and stored as traffic length per second; 3) the real-time received and sent traffic lengths of the nodes are sorted as two queues by bubble sort and the resulting sequence numbers are stored; 4) the traffic length and sequence number data of each node are updated in time and accumulated to obtain the hourly cumulative traffic, hourly cumulative sequence numbers are obtained by bubble sort, and an alarm is raised for any node whose real-time sequence number changes, whose hourly cumulative sequence number changes, or whose real-time sequence number deviates from its hourly cumulative sequence number by more than a threshold. The invention can identify in real time the abnormal traffic generated by network attacks of known and unknown types without affecting system operation.

Description

Power station industrial control system abnormal flow identification method based on bubbling sequencing method
Technical Field
The invention relates to the technical field of industrial control security monitoring, in particular to a method for identifying abnormal traffic in a power station industrial control system based on bubble sort.
Background
Against network attacks by hackers, monitoring and analysing network traffic so as to identify and discover abnormal traffic is the first step of security protection. Current traffic monitoring models fall into two types: detection systems based on a feature (signature) library and detection systems based on behavioural deviation. Feature-library systems are used mainly to identify known types of network attack. The invention is a detection system based on behavioural deviation, which can identify both known and unknown network attacks.
A power station industrial control system monitors and controls the production and transmission of electric power. The main type of power station in China is the coal-fired power station; during operation, safety factors such as thermal stress must be considered, so the unit is required to run as steadily as possible at its target load, and even while load is being raised or lowered sufficient buffering is prepared so that the transition is smooth. As a result, the traffic exchanged between the nodes of a power station industrial control system changes smoothly and steadily during daily operation. If the traffic received or sent by some network node shows a large sudden change or a continuous change, a network attack may be taking place in the system. The invention uses bubble sort to rank the byte lengths of the traffic packets received and sent by each network node, and identifies abnormal traffic from changes in the resulting sequence numbers.
Disclosure of Invention
To solve the problems of the prior art, the invention aims to provide a method for identifying abnormal traffic in a power station industrial control system based on bubble sort, which monitors in real time the abnormal traffic generated by network attacks in the system and identifies and alarms on it, without constructing a network attack feature library and without affecting the operation of the industrial control system.
In order to achieve the purpose, the invention adopts the following technical scheme:
a method for identifying abnormal traffic in a power station industrial control system based on bubble sort comprises the following steps:
1) monitoring points are created in a real-time database according to the number of nodes of the power station industrial control system; each node has four points: the byte length of its received traffic packets (received traffic length), the sort sequence number of its received traffic length (received traffic sequence number), the byte length of its sent traffic packets (sent traffic length) and the sort sequence number of its sent traffic length (sent traffic sequence number), so the number of monitoring points created is the number of nodes in the industrial control system multiplied by 4;
2) a packet capture tool is deployed and the network traffic of the industrial control system is obtained through port mirroring; packet byte lengths are classified and counted per second by source IP and destination IP, the node-to-IP mapping is consulted, the traffic length received and sent by each node is computed in real time, and the result is stored in the real-time database;
3) the real-time received traffic lengths of all nodes are read from the real-time database to form a queue, the queue is sorted by bubble sort to obtain the sequence number of each node's received traffic length, the sequence numbers are stored in the real-time database, and the sent traffic length queue is processed in the same way;
4) the received and sent traffic lengths of each node and the corresponding sequence numbers are updated every second and compared with those of the previous second; any node whose sequence number change exceeds the threshold raises a real-time alarm;
5) the received traffic lengths of all nodes are accumulated over the latest hour to obtain the current-hour cumulative received traffic length; the queue of current-hour cumulative received traffic lengths is sorted by bubble sort to obtain the current-hour cumulative received traffic sequence number; the previous hour's cumulative received traffic length is processed in the same way to obtain the previous-hour sequence number; and the cumulative sent traffic is processed in the same way to obtain two further groups of sequence numbers;
6) the current-hour cumulative received traffic sequence number is compared with the previous-hour sequence number, and a node whose change exceeds the threshold raises an alarm; a node whose real-time received traffic sequence number deviates from its current-hour cumulative received traffic sequence number by more than the threshold also raises an alarm; the hourly cumulative sent traffic is processed in the same way.
The method is also suitable for identifying abnormal traffic among several industrial control systems, with each industrial control system treated as a node; a system can be further subdivided by the communication protocol types used inside it before sorting and alarm processing; the real-time statistics interval may be changed to 3-5 seconds, and the cumulative interval to half an hour or two hours.
Unlike traditional network attack traffic detection methods, the method does not need to construct a feature library; it can identify abnormal traffic generated by known and unknown network attacks at the same time, and realises real-time monitoring and alarming.
Preferably, the alarms for the real-time received traffic sequence number, the real-time sent traffic sequence number, the hourly cumulative received traffic sequence number and the hourly cumulative sent traffic sequence number are marked in 4 different colours, and nodes with the largest sequence number change or meeting two alarms at once are marked by flashing.
The invention has the following beneficial technical effects: network traffic is obtained through port mirroring, so the operation of the industrial control system is not affected; no feature library of known attack patterns needs to be constructed; network attack traffic of both known and unknown types can be identified; and both short, concentrated attack traffic and long, dispersed attack traffic can be identified.
Drawings
FIG. 1 is a flow chart of the identification method of the present invention.
Detailed Description
The present invention is described in further detail below with reference to the attached drawings.
As shown in FIG. 1, the method of the invention for identifying abnormal traffic in a power station industrial control system based on bubble sort comprises the following steps:
1) Monitoring points are created in a real-time database according to the number of nodes of the power station industrial control system; each node has a received traffic packet byte length, a received traffic packet byte length sort sequence number, a sent traffic packet byte length and a sent traffic packet byte length sort sequence number. For an industrial control system with k nodes, the node set is {N_1, ..., N_i, ..., N_k} and k × 4 measuring points are created; the four monitoring points of each node are N#_IN_BL_RT, N#_IN_BL_ON_RT, N#_OUT_BL_RT and N#_OUT_BL_ON_RT, where # stands for the node number.
2) The network traffic of the industrial control system is obtained through port mirroring: a full-traffic packet capture tool is deployed at the mirror (observation) port of the switches and routers, and traffic byte lengths are classified and counted per second by source IP and destination IP. One node may own several IPs, so the node-to-IP mapping is consulted and the byte length of traffic received and sent by each node in real time is computed and stored in the real-time database. For traffic whose source IP and destination IP are both inside the system, the receiving node's and the sending node's counts are both increased; when the destination IP is outside the system only the sent traffic of the source node is counted, and when the source IP is outside the system only the received traffic of the destination node is counted.
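The per-second aggregation of step 2) in working form, written as an added example (not code from the patent): a node may own several IPs, internal-to-internal packets count for both ends, and packets with one end outside the system count only for the inside end. The IP addresses, the node-to-IP mapping and the capture records are constructed; a real deployment would feed them from the capture tool at the mirror port.

```python
"""Step 2): turn mirrored packet records into per-node received/sent byte lengths.

Added example, not the patent's own code. NODE_IPS, the IP addresses and the
PACKETS records below are constructed sample data.
"""
from collections import defaultdict

# Node number -> set of IPs the node owns (a node may have several IPs). Constructed.
NODE_IPS = {
    1: {"10.10.1.10", "10.10.1.11"},
    2: {"10.10.1.20"},
    3: {"10.10.1.30"},
}
IP_TO_NODE = {ip: node for node, ips in NODE_IPS.items() for ip in ips}

# Constructed capture records: (epoch second, source IP, destination IP, frame bytes)
PACKETS = [
    (1000, "10.10.1.10", "10.10.1.20", 120),    # node 1 -> node 2 (both inside)
    (1000, "10.10.1.11", "10.10.1.20", 80),     # node 1 (second IP) -> node 2
    (1000, "10.10.1.20", "10.10.1.30", 200),    # node 2 -> node 3
    (1000, "192.0.2.5", "10.10.1.30", 1500),    # outside -> node 3: received only
    (1000, "10.10.1.30", "192.0.2.5", 60),      # node 3 -> outside: sent only
    (1001, "10.10.1.30", "10.10.1.10", 500),    # node 3 -> node 1, next second
    (1001, "198.51.100.9", "203.0.113.7", 999), # outside -> outside: ignored
]


def aggregate_per_second(packets, ip_to_node):
    """Return {second: {node: {"in": bytes, "out": bytes}}} for every node.

    Internal-to-internal packets are counted for both the sending node (out)
    and the receiving node (in); a packet from outside counts only as
    received by the internal destination; a packet to outside counts only as
    sent by the internal source; packets with neither end inside are dropped.
    """
    per_second = defaultdict(lambda: defaultdict(lambda: {"in": 0, "out": 0}))
    for second, src, dst, length in packets:
        src_node = ip_to_node.get(src)   # None when the IP is outside the system
        dst_node = ip_to_node.get(dst)
        if src_node is not None:
            per_second[second][src_node]["out"] += length
        if dst_node is not None:
            per_second[second][dst_node]["in"] += length
    # Emit a row for every node each second so the sort queue always has k rows.
    nodes = set(ip_to_node.values())
    return {
        second: {n: dict(counts.get(n, {"in": 0, "out": 0})) for n in nodes}
        for second, counts in per_second.items()
    }


def queues_for_second(counts):
    """Split one second's {node: {"in", "out"}} into the two queues of step 3)."""
    return ({n: c["in"] for n, c in counts.items()},
            {n: c["out"] for n, c in counts.items()})


if __name__ == "__main__":
    for second, counts in sorted(aggregate_per_second(PACKETS, IP_TO_NODE).items()):
        print(second, queues_for_second(counts))
```

The two dictionaries returned by queues_for_second are exactly the "received traffic length" and "sent traffic length" queues that step 3) sorts; nodes that saw no packets in a second still appear with length 0, so the sequence numbers stay comparable from second to second.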
3) The real-time received traffic lengths of the k nodes are read from the real-time database to form a queue, a two-dimensional array of k rows and 2 columns: the k rows stand for the k nodes, and the 2 columns are the received traffic length column and the node number column, as in the table below, where IL_k denotes the real-time received traffic length of the k-th node.
Received traffic length | Node number
IL_1 | 1
IL_2 | 2
... | ...
IL_k | k
The queue is sorted by bubble sort so that the larger length rises to the top row. In each of the algorithm's k−1 passes a single comparison works as follows: if IL_{i+1} > IL_i, then IL_{i+1} and IL_i exchange positions, and the node numbers in rows i+1 and i exchange at the same time, where 1 ≤ i ≤ k−1. After at most k(k−1)/2 comparisons the bubble sort ends. The row number found for each node label is the sequence number of that node's received traffic length after sorting, which gives the sequence number data {A_1, A_2, ..., A_k} corresponding to the received traffic lengths of the nodes.
For node N_i the sequence number of its received traffic length is A_i; A_i is stored, with the timestamp of the corresponding received traffic length, in node N_i's received traffic length sequence number measuring point. The queue of real-time sent traffic lengths of all nodes is processed in the same way to obtain the sequence number data {B_1, B_2, ..., B_k} corresponding to the sent traffic lengths;
4) The received and sent traffic lengths of the k nodes and the corresponding sequence numbers are updated every second. For node N_i, let A_i be the real-time received traffic length sequence number, B_i the real-time sent traffic length sequence number, A'_i the received traffic length sequence number at the previous moment and B'_i the sent traffic length sequence number at the previous moment. If either of the following conditions holds:
|A_i − A'_i| > α: the real-time received traffic sequence number change exceeds the threshold;
|B_i − B'_i| > α: the real-time sent traffic sequence number change exceeds the threshold;
a real-time alarm is raised for node N_i. Here α is the change threshold, chosen according to the actual number of network nodes; generally one half of the number of nodes is selected.
5) The received traffic lengths of the k nodes are accumulated over the latest hour to obtain the current-hour cumulative received traffic length; the queue formed by the current-hour cumulative received traffic lengths of the k nodes is sorted by bubble sort (see step 3) to obtain the current-hour cumulative received traffic length sequence numbers {C_1, C_2, ..., C_k}; the current-hour cumulative sent traffic is processed in the same way to obtain the current-hour cumulative sent traffic length sequence numbers {D_1, D_2, ..., D_k}.
For node N_i, let C_i be the current-hour cumulative received traffic length sequence number, D_i the current-hour cumulative sent traffic length sequence number, C'_i the previous-hour cumulative received traffic length sequence number and D'_i the previous-hour cumulative sent traffic length sequence number. If any of the following conditions holds:
|C_i − C'_i| > α: the change of the current-hour cumulative received traffic sequence number exceeds the threshold;
|D_i − D'_i| > α: the change of the current-hour cumulative sent traffic sequence number exceeds the threshold;
|A_i − C_i| > α: the deviation between the real-time received traffic length sequence number and the current-hour cumulative received traffic length sequence number exceeds the threshold;
|B_i − D_i| > α: the deviation between the real-time sent traffic length sequence number and the current-hour cumulative sent traffic length sequence number exceeds the threshold;
a real-time alarm is raised for node N_i.
6) For the nodes N_i meeting the conditions of steps 4) and 5), the real-time alarms are distinguished by different colours; if a sequence number change or deviation reaches k−1, or a node meets several alarm conditions at once, it is highlighted by flashing.
The embodiments of the invention are given only to help illustrate the invention and do not elaborate every detail of the technical solution; those skilled in the art may substitute or modify some technical parameters without departing from the spirit and scope of the technical solution of the embodiments of the invention.
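Steps 3) to 6) of the Detailed Description (and the matching steps 3) to 6) of the Disclosure) carried through in code, as an added example that is not the patent's own implementation: a bubble sort that moves the node number with its length so that a node's sequence number is the row it ends in, the six |difference| > α tests, and the colour/flash policy of claim 4. All traffic lengths are constructed sample values; the alarm names, the colour assignment (in particular putting the real-time-versus-hourly deviation alarms under the hourly colours) and the default α = k/2 are assumptions taken from the description's wording.

```python
"""Rank-based traffic anomaly alarms, steps 3) to 6) of the description.

Added example, not the patent's own code. All lengths below are constructed;
alarm names, colours and the flashing rule are assumptions matching the text.
"""
from dataclasses import dataclass


def bubble_sort_ranks(lengths_by_node):
    """Rank every node by traffic length with bubble sort (1 = largest).

    Builds the k-row, 2-column queue of step 3): column 0 is the length,
    column 1 the node number. A larger length bubbles towards the top row and
    its node number moves with it; a node's sequence number is the row it
    ends up in. Returns {node: rank}.
    """
    queue = [[length, node] for node, length in sorted(lengths_by_node.items())]
    k = len(queue)
    for _ in range(k - 1):                       # at most k-1 passes
        swapped = False
        for i in range(k - 1):                   # one pass: k-1 comparisons
            if queue[i + 1][0] > queue[i][0]:    # IL_{i+1} > IL_i: swap both columns
                queue[i], queue[i + 1] = queue[i + 1], queue[i]
                swapped = True
        if not swapped:                          # already ordered: stop early
            break
    return {node: row for row, (_length, node) in enumerate(queue, start=1)}


@dataclass
class NodeRanks:
    """The four sequence-number measuring points of one node (A_i, B_i, C_i, D_i)."""
    rt_in: int     # A_i: real-time received rank
    rt_out: int    # B_i: real-time sent rank
    hour_in: int   # C_i: current-hour cumulative received rank
    hour_out: int  # D_i: current-hour cumulative sent rank


# Four colours as in claim 4; mapping the deviation alarms to the hourly colours is an assumption.
ALARM_COLOUR = {
    "RT_IN_CHANGE": "red", "RT_OUT_CHANGE": "orange",
    "HOUR_IN_CHANGE": "blue", "HOUR_OUT_CHANGE": "purple",
    "RT_VS_HOUR_IN": "blue", "RT_VS_HOUR_OUT": "purple",
}


def evaluate_node(cur, prev, k, alpha):
    """Apply the six |rank difference| > alpha tests of steps 4) and 5).

    Returns (alarm_names, flashing). A node flashes when it meets more than one
    alarm, or when a change reaches k-1, the largest rank change possible.
    """
    tests = [
        ("RT_IN_CHANGE", cur.rt_in - prev.rt_in),        # |A_i - A'_i|
        ("RT_OUT_CHANGE", cur.rt_out - prev.rt_out),     # |B_i - B'_i|
        ("HOUR_IN_CHANGE", cur.hour_in - prev.hour_in),  # |C_i - C'_i|
        ("HOUR_OUT_CHANGE", cur.hour_out - prev.hour_out),  # |D_i - D'_i|
        ("RT_VS_HOUR_IN", cur.rt_in - cur.hour_in),      # |A_i - C_i|
        ("RT_VS_HOUR_OUT", cur.rt_out - cur.hour_out),   # |B_i - D_i|
    ]
    alarms = [name for name, diff in tests if abs(diff) > alpha]
    max_change = max(abs(diff) for _, diff in tests)
    flashing = bool(alarms) and (len(alarms) > 1 or max_change == k - 1)
    return alarms, flashing


def rank_and_alarm(rt_in, rt_out, hour_in, hour_out, prev=None, alpha=None):
    """One monitoring cycle: sort the four queues, then test every node.

    rt_in/rt_out: {node: bytes} for the latest second; hour_in/hour_out:
    {node: bytes} accumulated over the current hour; prev: {node: NodeRanks}
    from the previous cycle (None on the first cycle). alpha defaults to half
    the node count. Returns ({node: NodeRanks}, {node: (alarms, flashing)}).
    """
    k = len(rt_in)
    alpha = k // 2 if alpha is None else alpha
    a, b = bubble_sort_ranks(rt_in), bubble_sort_ranks(rt_out)
    c, d = bubble_sort_ranks(hour_in), bubble_sort_ranks(hour_out)
    current = {n: NodeRanks(a[n], b[n], c[n], d[n]) for n in rt_in}
    prev = current if prev is None else prev
    report = {n: evaluate_node(current[n], prev[n], k, alpha) for n in rt_in}
    return current, report


# Constructed sample: six nodes; node 3 is suddenly flooded on its receive side.
PREV_RT_IN = {1: 900, 2: 800, 3: 100, 4: 700, 5: 600, 6: 500}
CUR_RT_IN = {1: 900, 2: 800, 3: 5000, 4: 700, 5: 600, 6: 500}
RT_OUT = {1: 300, 2: 400, 3: 200, 4: 350, 5: 250, 6: 150}          # unchanged
PREV_HOUR_IN = {1: 3_000_000, 2: 2_800_000, 3: 400_000, 4: 2_500_000, 5: 2_200_000, 6: 1_900_000}
CUR_HOUR_IN = {1: 3_100_000, 2: 2_900_000, 3: 450_000, 4: 2_600_000, 5: 2_300_000, 6: 2_000_000}
HOUR_OUT = {1: 1_000_000, 2: 1_200_000, 3: 600_000, 4: 1_100_000, 5: 800_000, 6: 500_000}


def demo():
    """Two cycles: a quiet second to seed the previous ranks, then the flooded one."""
    prev, _ = rank_and_alarm(PREV_RT_IN, RT_OUT, PREV_HOUR_IN, HOUR_OUT)
    _, report = rank_and_alarm(CUR_RT_IN, RT_OUT, CUR_HOUR_IN, HOUR_OUT, prev)
    return report


if __name__ == "__main__":
    for node, (alarms, flashing) in sorted(demo().items()):
        colours = [ALARM_COLOUR[a] for a in alarms]
        print(f"node {node}: alarms={alarms} colours={colours} flashing={flashing}")
```

In the sample, node 3 jumps from rank 6 to rank 1 on real-time received traffic while its hourly cumulative rank is still 6, so both the real-time change test and the real-time-versus-hourly deviation test fire and the node flashes; every other node moves by one rank at most and stays below α = 3. Because α is compared against rank differences rather than byte counts, the same code works unchanged for a system whose absolute traffic volumes are much larger or smaller.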

Claims (4)

1. A method for identifying abnormal traffic in a power station industrial control system based on bubble sort, characterised by comprising the following steps:
1) monitoring points are created in a real-time database according to the number of nodes of the power station industrial control system; each node corresponds to a received traffic packet byte length, a received traffic packet byte length sort sequence number, a sent traffic packet byte length and a sent traffic packet byte length sort sequence number, and the number of monitoring points created is the number of nodes in the industrial control system multiplied by 4;
2) a packet capture tool is deployed and the network traffic of the industrial control system is obtained through port mirroring; packet byte lengths are classified and counted per second by source IP and destination IP, the node-to-IP mapping is consulted, the traffic length received and sent by each node is computed in real time, and the result is stored in the real-time database;
3) the real-time received traffic lengths of all nodes are read from the real-time database to form a queue, the queue is sorted by bubble sort to obtain the sequence number of each node's received traffic length, the sequence numbers are stored in the real-time database, and the sent traffic length queue is processed in the same way;
4) the received and sent traffic lengths of each node and the corresponding sequence numbers are updated every second and compared with those of the previous second; any node whose sequence number change exceeds the threshold raises a real-time alarm;
5) the received traffic lengths of all nodes are accumulated over the latest hour to obtain the current-hour cumulative received traffic length; the queue of current-hour cumulative received traffic lengths is sorted by bubble sort to obtain the current-hour cumulative received traffic sequence number; the previous hour's cumulative received traffic length is processed in the same way to obtain the previous-hour sequence number; and the cumulative sent traffic is processed in the same way to obtain two further groups of sequence numbers;
6) the current-hour cumulative received traffic sequence number is compared with the previous-hour sequence number, and a node whose change exceeds the threshold raises an alarm; a node whose real-time received traffic sequence number deviates from its current-hour cumulative received traffic sequence number by more than the threshold also raises an alarm; the hourly cumulative sent traffic is processed in the same way.
2. The method for identifying abnormal traffic in a power station industrial control system based on bubble sort according to claim 1, characterised in that: the method is suitable for identifying abnormal traffic among several industrial control systems, with each industrial control system treated as a node; a system can be further subdivided by the communication protocol types used inside it before sorting and alarm processing; the real-time statistics interval can be changed to 3-5 seconds and the cumulative interval to half an hour or two hours.
3. The method for identifying abnormal traffic in a power station industrial control system based on bubble sort according to claim 1, characterised in that: unlike traditional network attack traffic detection methods, the method does not need to build a feature library; it can identify abnormal traffic generated by known and unknown network attacks at the same time, and realises real-time monitoring and alarming.
4. The method for identifying abnormal traffic in a power station industrial control system based on bubble sort according to claim 1, characterised in that: the alarms for the real-time received traffic sequence number, the real-time sent traffic sequence number, the hourly cumulative received traffic sequence number and the hourly cumulative sent traffic sequence number are marked in 4 different colours, and nodes with the largest sequence number change or meeting two alarms at once are marked by flashing.

Priority Applications (1)

Application number | Priority date | Filing date | Title
CN202011249001.1A (CN112367322B, en) | 2020-11-10 | 2020-11-10 | Power station industrial control system abnormal flow identification method based on bubbling sequencing method


Publications (2)

Publication number | Publication date
CN112367322A (en) | 2021-02-12
CN112367322B (en) | 2022-09-30

Family ID: 74509546

Country status: CN, CN112367322B (en)

Families Citing this family (1)

(* cited by examiner, † cited by third party)
Publication number | Priority date | Publication date | Assignee | Title
CN113542268B * | 2021-07-14 | 2023-07-28 | 中能融合智慧科技有限公司 | Method for obtaining single industrial control protocol flow based on network link

Citations (5)

(* cited by examiner, † cited by third party)
Publication number | Priority date | Publication date | Assignee | Title
US7823202B1 * | 2007-03-21 | 2010-10-26 | Narus, Inc. | Method for detecting internet border gateway protocol prefix hijacking attacks
CN102271068A * | 2011-09-06 | 2011-12-07 | 电子科技大学 | Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
CN105306436A * | 2015-09-16 | 2016-02-03 | 广东睿江科技有限公司 | Abnormal traffic detection method
CN106657025A * | 2016-11-29 | 2017-05-10 | 神州网云(北京)信息技术有限公司 | Network attack behavior detection method and device
CN110677386A * | 2019-08-29 | 2020-01-10 | 北京孚耐尔科技有限公司 | Abnormal flow monitoring and predicting method and device based on big data



Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant