CN112911004A - Method and device for ensuring safe operation of Internet of things system and computing equipment - Google Patents
Method and device for ensuring safe operation of Internet of things system and computing equipment Download PDFInfo
- Publication number
- CN112911004A CN112911004A CN202110149994.3A CN202110149994A CN112911004A CN 112911004 A CN112911004 A CN 112911004A CN 202110149994 A CN202110149994 A CN 202110149994A CN 112911004 A CN112911004 A CN 112911004A
- Authority
- CN
- China
- Prior art keywords
- network
- abnormal
- equipment
- physical state
- operating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- G—PHYSICS
- G16—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
- G16Y—INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
- G16Y30/00—IoT infrastructure
- G16Y30/10—Security thereof
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/50—Testing arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a method, a device, computing equipment and a computer readable storage medium for ensuring the safe operation of an Internet of things system. The method comprises the following steps: monitoring the communication state of the network equipment to judge whether the network equipment is attacked or not; monitoring the physical state of the operating equipment to judge whether the physical state of the operating equipment is abnormal or not; and executing corresponding processing operation once judging that the network equipment is subjected to network attack behavior or the physical state of the operating equipment is abnormal.
Description
Technical Field
The present invention relates to the field of internet of things, and more particularly, to a method, an apparatus, a computing device, and a computer-readable storage medium for ensuring safe operation of an internet of things system.
Background
In the 7 th year 2010, a worm attack event of a 'seismic net' (Stuxnet) warns the world, and after that, the worm attack event is proved to be an attack mechanism based on highly complex malicious codes and a plurality of zero-day holes as attack weapons, and a uranium centrifuge is taken as an attack target, so that the centrifuge is damaged in batches due to overpressure, and uranium cannot meet the weapon requirement due to the change of the revolution of the centrifuge, and the attack is aimed at blocking the progress of Iran nuclear weapons.
In fact, in large equipment plants such as electric power, petroleum and power grids based on the industrial internet of things, the risk that core operation equipment is attacked by a network exists, and once the core operation equipment is subjected to the risk, the loss is difficult to estimate. Therefore, corresponding precautions are required. As shown in fig. 1, in an equipment plant, generally under the control of a PC, an upper computer communicates with a network (for example, through an exchange), a lower computer controls an operating device (for example, an oil device), network commands are transmitted to the operating device through the upper computer and the lower computer, and information such as operating parameters of the operating device is uploaded to the network through the lower computer and the upper computer.
Patent application publication No. CN109922073A discloses a network security monitoring apparatus, however, this patent only describes security monitoring of network-related devices in a power monitoring system. In another prior art, the DPI can monitor whether the message sent from the upper computer to the lower computer is an unauthorized message to warn whether the operating device is under network attack, however, the DPI is still monitoring the network layer, which still has a network attack hijacking message, and not only sends an erroneous operating instruction to the operating device, and the operating device continuously works in an abnormal state until overload reimbursement, but also sends an artifact of normal operation of the operating device to the monitored person, and hides the true phase.
Disclosure of Invention
In view of the above, a first aspect of the present invention provides a method for ensuring safe operation of an internet of things system, wherein the internet of things system includes a network device and an operating device controlled by the network device, the method comprising:
monitoring the communication state of the network equipment to judge whether the network equipment is attacked or not;
monitoring the physical state of the operating equipment to judge whether the physical state of the operating equipment is abnormal or not;
and executing corresponding processing operation once judging that the network equipment is subjected to network attack behavior or the physical state of the operating equipment is abnormal.
In an optional embodiment, the monitoring the communication status of the network device to determine whether the network device is attacked by a network attack includes:
acquiring a message between an upper computer and a lower computer in network equipment;
and analyzing the message characteristics of the message and judging whether the message is an unauthorized message.
In an alternative embodiment, the monitoring the physical state of the operating device to determine whether the physical state of the operating device is abnormal includes:
reading the operating parameters of the operating equipment monitored by the corresponding sensors in real time;
determining whether the physical state is abnormal based on a comparison of the operating parameter with:
a historical value of the operating parameter, wherein if the historical value is beyond a first range of the historical value, the operating parameter is judged to be abnormal;
the predicted value of the operation parameter is obtained by calculating or predicting other operation parameters which have mapping relation with the operation parameter as independent variables, wherein if the predicted value exceeds a second range of the predicted value, the operation parameter is judged to be abnormal;
and reading time sequence data values of the operation parameters at different times, wherein if the time sequence data values are not matched, the operation parameters are judged to be abnormal.
In an optional embodiment, once it is determined that the network device is under a network attack or the physical state of the operating device is abnormal, the executing performs corresponding processing operations, including:
if the network equipment is judged to be subjected to the network attack behavior, inquiring whether the network attack behavior exists in an attack behavior library;
if the network attack behavior exists in the attack behavior library, executing a corresponding coping strategy; if the network attack behavior does not exist in the attack behavior library, acquiring the physical state of the operating equipment;
if the physical state of the operating equipment is abnormal, sending first alarm information; and if the physical state of the operating equipment is normal, sending second alarm information.
In an optional embodiment, if the network attack behavior does not exist in the attack behavior library, the method further comprises storing the network attack behavior in the attack behavior library.
In an optional embodiment, once it is determined that the network device is under a network attack or the physical state of the operating device is abnormal, the executing performs corresponding processing operations, including:
if the physical state of the operating equipment is judged to be abnormal, inquiring whether the physical state is abnormal in a fault mode library;
if the physical state is abnormal in the failure mode library, executing a corresponding coping strategy; if the physical state is not abnormal in the fault mode library, acquiring whether the state of the network equipment is abnormal or not;
if the network equipment is subjected to network attack behavior, third alarm information is sent; and if the network equipment is not attacked by the network, sending fourth alarm information.
In an optional embodiment, if the physical state anomaly does not exist in the failure mode library, the method further comprises storing the physical state anomaly in the failure mode library.
A second aspect of the present invention provides an apparatus for ensuring safe operation of an internet of things system, wherein the internet of things system includes a network device and an operating device controlled by the network device, the apparatus comprising:
the first monitoring unit is used for monitoring the communication state of the network equipment so as to judge whether the network equipment is attacked by the network;
the second monitoring unit is used for monitoring the physical state of the operating equipment so as to judge whether the physical state of the operating equipment is abnormal or not;
and the execution unit is used for executing corresponding processing operation once judging that the network equipment is subjected to network attack behavior or the physical state of the operating equipment is abnormal.
In an optional embodiment, the first monitoring unit further comprises:
the message acquisition module is used for acquiring messages between an upper computer and a lower computer in the network equipment;
and the message analysis module is used for analyzing the message characteristics of the message and judging whether the message is an unauthorized message.
In an optional embodiment, the second monitoring unit further comprises:
the sensor parameter acquisition module is used for reading the operating parameters of the operating equipment monitored by the corresponding sensor in real time;
a comparison module for determining whether the physical state is abnormal based on a comparison of the operating parameter with:
a historical value of the operating parameter, wherein if the historical value is beyond a first range of the historical value, the operating parameter is judged to be abnormal;
the predicted value of the operation parameter is obtained by calculating or predicting other operation parameters which have mapping relation with the operation parameter as independent variables, wherein if the predicted value exceeds a second range of the predicted value, the operation parameter is judged to be abnormal;
and reading time sequence data values of the operation parameters at different times, wherein if the time sequence data values are not matched, the operation parameters are judged to be abnormal.
In an optional embodiment, the execution unit further comprises:
the first execution module is used for inquiring whether the network attack behavior exists in an attack behavior library or not if the network attack behavior of the network equipment is judged; if the network attack behavior exists in the attack behavior library, executing a corresponding coping strategy; if the network attack behavior does not exist in the attack behavior library, acquiring the physical state of the operating equipment; if the physical state of the operating equipment is abnormal, sending first alarm information; and if the physical state of the operating equipment is normal, sending second alarm information.
In an optional embodiment, the execution unit further comprises:
the second execution module is used for inquiring whether the physical state of the operating equipment is abnormal or not in a fault mode library if the physical state of the operating equipment is judged to be abnormal; if the physical state is abnormal in the failure mode library, executing a corresponding coping strategy; if the physical state is not abnormal in the fault mode library, acquiring whether the state of the network equipment is abnormal or not; if the network equipment is subjected to network attack behavior, third alarm information is sent; and if the network equipment is not attacked by the network, sending fourth alarm information.
A third aspect of the invention provides a computing device comprising a processor and a memory storing a program which, when executed, performs the method of the first aspect of the invention.
A fourth aspect of the present invention provides a computer readable storage medium storing a program which, when executed, performs the method of the first aspect of the present invention.
The invention has the following beneficial effects:
by the embodiment of the invention, the problem of safe operation of the Internet of things system (no matter a network part or an operating equipment part) can be processed in time, so that the safety is ensured. Through the cross validation of the network monitoring and the equipment operation monitoring of the preferred embodiment of the invention, whether the operation equipment is attacked by the network or not can be detected, and furthermore, whether the fault of the operation equipment comes from the network or the operation equipment itself can be distinguished, so that the corresponding treatment can be carried out in time.
Drawings
The following describes embodiments of the present invention in further detail with reference to the accompanying drawings;
fig. 1 shows a schematic diagram of an industrial internet of things system according to the prior art.
FIG. 2 illustrates a schematic diagram of an industrial Internet of things system, according to one embodiment of the invention.
Fig. 3 shows a flowchart of a method for ensuring the safe operation of an internet of things system according to one embodiment of the invention.
Fig. 4 shows a flowchart of a method for performing a corresponding operation in case of a communication abnormality or a physical state abnormality according to an embodiment of the present invention.
Fig. 5 is a schematic diagram illustrating an apparatus for ensuring safe operation of an internet of things system according to an embodiment of the present invention.
Fig. 6 shows a schematic structural diagram of a first monitoring unit according to an embodiment of the invention.
Fig. 7 shows a schematic structural diagram of a second monitoring unit according to an embodiment of the invention.
FIG. 8 shows a schematic diagram of an execution unit, according to one embodiment of the invention.
Fig. 9 illustrates a cross-validation diagram for ensuring safe operation of an internet of things system, according to one embodiment of the invention.
Fig. 10 shows a cross-validation scheme for ensuring safe operation of an internet of things system according to another embodiment of the invention.
Fig. 11 shows a schematic diagram of a computer device implementing the method of the invention.
Detailed Description
In order to more clearly illustrate the invention, the invention is further described below with reference to preferred embodiments and the accompanying drawings. Similar parts in the figures are denoted by the same reference numerals. It is to be understood by persons skilled in the art that the following detailed description is illustrative and not restrictive, and is not to be taken as limiting the scope of the invention.
First embodiment
In order to enable the system of internet of things to operate safely, the first embodiment of the present invention provides a method for ensuring the safe operation of the system of internet of things, wherein the system of internet of things includes network devices (an upper computer 220, a lower computer 230, etc.) communicating with the internet of things 210 under the control of the PC 200 and operating devices 240 controlled by the network devices as shown in fig. 2, and sensors 250 monitoring the physical states of the operating devices.
In one embodiment, the operating equipment is illustrated as a marine oil facility in the oil industry.
As shown in fig. 3, the method comprises the steps of:
s10, monitoring the communication state of the network device to judge whether the network device is attacked or not.
In a specific example, the oil transportation equipment includes, for example, a gathering oil transportation equipment, an oil storage equipment, and an oil filling equipment. The real-time communication data of the devices, the lower computer and the upper computer are packaged by using an MQTT (Message Queuing Telemetry Transport) Message.
In one specific example, S10 further includes:
s100, acquiring a message between an upper computer and a lower computer in the network equipment;
in the above example, MQTT messages between an upper computer and a lower computer in a network device are acquired.
S105, analyzing the message characteristics of the message, and judging whether the message is an unauthorized message.
In the above example, the existing industrial internet platform is used to realize the analysis of MQTT, obtain the monitoring of unauthorized behaviors and extract message features to realize the abnormal detection of message behavior rules. For example, if the characteristics of the message do not conform to the normal message behavior rule, the message is regarded as an unauthorized message.
And S20, monitoring the physical state of the operating equipment to judge whether the physical state of the operating equipment is abnormal or not.
In a specific example, step S20 further includes:
s200, reading the operation parameters of the operation equipment monitored by the corresponding sensors in real time;
various sensors can be adopted to monitor the physical states of the oil transportation equipment, the oil storage equipment and the oil filling equipment, such as the liquid level and the flow index of an oil outlet pipe and an oil inlet pipe.
S205, based on the comparison between the operating parameter and the following value, it is determined whether the physical state is abnormal.
In one particular example, historical data, such as for fluid level height, may be extracted for the operating equipment that needs to be monitored, an equipment health model may be constructed, sensor parameters obtained from the sensors may be compared to the health historical parameters in the equipment health model, and if within a threshold range of the health historical parameters (e.g., within ± 5%), the physical condition is judged to be normal, otherwise abnormal.
However, for some operating parameters of the operating equipment, such as the level height and flow rate described above, the level height may be a function of the flow rate, which may be mapped (or functional) with respect to each other. In this case, with a method of comparing the historical data, for example, the difference between the measured liquid level height and the historical data is within a predetermined range, according to the above example, it may not be determined as abnormal.
For this reason, in another specific example, the predicted value of the liquid level height may be calculated or predicted using a mechanism model, machine learning, deep learning, or the like, using the flow rate as an independent variable, so that if the measured liquid level height is out of a second range (e.g., within ± 5%) of the predicted value, it is determined to be abnormal.
However, as exemplified by the liquid level height and the flow rate, sometimes, under the condition that there is no oil in the pipeline nor oil out of the pipeline, the liquid level height should be unchanged at a certain section of the pipeline, and neither of the above two methods determines that there is an abnormality, but by comparing the liquid level height data values (i.e. time series data values) collected at different times, if there is no match, it is determined that there is an abnormality, and there is a possibility of pipeline blockage. In a preferred example, for more visual determination of matching, time series data patterns of liquid level heights collected at different time periods are graphically presented, and matching is determined by comparing the shape of the time series data at different times (e.g., 5 minutes apart).
S30, once judging the network device is attacked or the physical state of the operating device is abnormal, executing corresponding processing operation.
As shown in fig. 4, in one embodiment, step S30 includes:
s300, if the network equipment is judged to be subjected to the network attack behavior, inquiring whether the network attack behavior exists in an attack behavior library;
in one specific example, an attack behavior library is established in advance, and known network attack behaviors and countermeasure are stored in the attack behavior library. For the network attack behavior, the network attack behavior can be compared with the existing attack behavior in the attack behavior library to judge whether the network attack behavior is in the library.
S305, if the network attack behavior exists in the attack behavior library, executing a corresponding coping strategy;
if the attack behavior exists in the library after comparison, a corresponding coping strategy is executed, for example, data writing is prohibited.
In one particular example, in this case, the cyber attack behavior is resolved, and although the cyber attack behavior occurs, an alert may not be sent to the staff. Of course, it is obvious to those skilled in the art that an alarm of a specific identifier may be sent, for example, by sending a worker by mail, and the content is "there is a network attack behavior, but the network attack behavior is solved".
S310, if the network attack behavior does not exist in the attack behavior library, acquiring the physical state of the operating equipment;
if the attack behavior does not exist in the library after the comparison, the physical state obtained in step S20 is called.
In a specific example, while the physical state is obtained by invoking step S20, the method of the present invention further includes storing the network attack behavior in the attack behavior library for subsequent use.
S315, if the physical state of the operating equipment is abnormal, sending first alarm information;
in this case, if an abnormality occurs in the state of health of the apparatus, alarm information is sent to the worker. If the monitoring results of steps S10 and S20 are negative, it indicates that the physical state of the operating device is abnormally high and is caused by the attack. The alarm information has higher priority and is more noticeable to workers. The problems mentioned in the background are prevented by network and device cross-validation.
Of course, in this case, it is also possible that the operating device itself causes an anomaly regardless of the behavior of the network attack, but in any case, in this case, the staff should be notified for verification. Therefore, the first alert information may include corresponding prompt information, such as a mail notification: the device is highly likely to be under network attack.
And S320, if the physical state of the operating equipment is normal, sending second alarm information.
In this case, it means that the functioning device is normal, but there is a network attack. The second alarm information may include corresponding prompt information to be distinguished from the first alarm information in a prompt, so that a worker can know a possible reason only through the prompt information.
Those skilled in the art can understand that the alarm information may have various forms, for example, in an industrial production site, different types of alarm information may be distinguished by different lengths of sounds, or may be distinguished by different colors of alarms and the like by blinking, and the present invention is not limited thereto.
As also shown in fig. 3, in another embodiment, step S30 includes:
s350, if the physical state of the operating equipment is judged to be abnormal, inquiring whether the physical state is abnormal in a fault mode library;
in one specific example, a failure mode library is pre-established, in which known physical state anomalies and stress strategies are stored. For a detected physical condition anomaly, a comparison may be made with existing failure modes in the failure mode library to determine whether the detected physical condition anomaly is in the library. S355, if the physical state is abnormal in the failure mode library, executing a corresponding coping strategy;
if the detected physical state is judged to be abnormal in the library after comparison, for example, the temperature exceeds a threshold value, a coping strategy is executed, for example, shutdown is carried out.
In one particular example, in such a case, the physical problem of the operating equipment, although present, is automatically resolved, and in some cases, an alert may not be sent to the personnel. Of course, it is obvious to those skilled in the art that there are situations where it is necessary to send an alarm, for example, when the equipment is shut down, the operator is sent by mail, and the content is "the running equipment is out of order and has been shut down".
S360, if the physical state is not abnormal in the fault mode library, whether the network state of the network equipment is abnormal is obtained;
if the abnormality does not exist in the library after the comparison, the communication state obtained in step S10 is called.
In a specific example, while the communication status is obtained by invoking step S10, the method of the present invention further includes storing the physical status exception in the failure mode library for subsequent use.
S365, if the network equipment is attacked by the network, sending third alarm information;
in this case, if the network device is under network attack, alarm information is sent to the staff. If the monitoring results of steps S10 and S20 are negative, it indicates that the physical state of the operating device is abnormally high and is caused by the attack. The alarm information has higher priority and is more noticeable to workers. The problems mentioned in the background are prevented by network and device cross-validation. It will be understood by those skilled in the art that the priority is the same as the priority of the first alarm information, or the prompt information of the third alarm message is the same as the prompt information of the first alarm message.
Of course, in this case, it is also possible that the operating device itself causes an anomaly regardless of the behavior of the network attack, but in any case, in this case, the staff should be notified for verification. Therefore, the first alert information may include corresponding prompt information, such as a mail notification: the device is highly likely to be under network attack.
And S370, if the network equipment is not attacked by the network, sending fourth alarm information.
In this case, it means an abnormality due to the operating device itself, not caused by a network attack. The fourth alarm information may include corresponding prompt information to distinguish from the other alarm information in a prompt, so that a worker can know a possible reason only through the prompt information.
Those skilled in the art can understand that the alarm information may have various forms, for example, in an industrial production site, different types of alarm information may be distinguished by different lengths of sounds, or may be distinguished by different colors of alarms and the like by blinking, and the present invention is not limited thereto.
The method of the embodiment is different from the CN109922073A in the prior art in that the method not only aims at the network devices in the internet of things system, but also measures and monitors the physical state of the controlled object (i.e. the core operating device) in the system, and monitors the functional safety and the physical safety of the core operating device, as well as the safety of the network device. In a further embodiment, through cross validation of network monitoring and equipment operation monitoring, classification of different anomalies can be determined, different alarms are given, wherein functional and physical anomalies of core operation equipment caused by network attack events can be further prevented, namely, a network attack hijacking message in the background technology can be prevented, an erroneous operation instruction is sent to the operation equipment, a machine is enabled to work continuously in an abnormal state until overload reimbursement, meanwhile, a false image of normal operation of the machine is sent to a monitored person, and the problem of true phase is hidden.
Although the above embodiments take oil-air equipment as an example, it can be understood by those skilled in the art that the method of the present invention is applicable to network equipment and core operation equipment in an electric power system, and is also applicable to fuel oil storage and transportation pipelines and tanks, industrial robots and mechanical arms in a continuous manufacturing production line, manned or automatic driving vehicles (including rail transit trains and trackless road traffic vehicles), manned or unmanned aircraft, oil drilling rigs and artificially lifted oil production equipment, building HVAC heating and ventilation air conditioners, heating stations, etc., and is more generally applicable to a series of complete systems which have core operation equipment and are controlled to operate by an internet of things.
Second embodiment
A second embodiment of the present invention provides an apparatus 50 for ensuring safe operation of an internet of things system, wherein the internet of things system comprises a network device and an operating device controlled by the network device, as shown in fig. 5, comprising:
the first monitoring unit 500 is configured to monitor a communication state of the network device to determine whether the network device is attacked by a network attack.
A second monitoring unit 505, configured to monitor a physical state of the operating device to determine whether the physical state of the operating device is abnormal.
An executing unit 510, configured to execute a corresponding processing operation once it is determined that the network device is subjected to a network attack or a physical state of the operating device is abnormal.
As shown in fig. 6, in a specific example, the first monitoring unit 500 further includes:
the message acquisition module 5000 is used for acquiring messages between an upper computer and a lower computer in the network equipment;
in the above example of the oil and gas equipment, the real-time data of communication between the equipment and the lower computer and the upper computer is encapsulated by using MQTT (Message queue Telemetry Transport) messages.
In the above example, the message acquiring module 5000 acquires MQTT messages between the upper computer and the lower computer in the network device.
The message analyzing module 5005 is configured to analyze a message characteristic of the message and determine whether the message is an unauthorized message.
In the above example, the message parsing module 5005 is an existing industrial internet platform, and implements parsing of MQTT, monitoring of unauthorized behaviors, and extracting message features to implement anomaly detection of message behavior rules. For example, if the characteristics of the message do not conform to the normal message behavior rule, the message is regarded as an unauthorized message.
As shown in fig. 7, in a specific example, the second monitoring unit 505 further includes:
a sensor parameter acquisition module 5050 for reading the operating parameters of the operating device monitored by the corresponding sensor in real time.
The sensor parameter acquiring module 5050 may employ various sensors to monitor physical states of the collected oil transportation equipment, oil storage equipment, and refueling equipment, such as liquid level and flow rate indexes of the oil outlet pipe and the oil inlet pipe.
The comparison module 5055 is used to compare the signals,
for determining whether the physical state is abnormal based on a comparison of the operating parameter with:
a historical value of the operating parameter, wherein if the historical value is beyond a first range of the historical value, the operating parameter is judged to be abnormal;
the predicted value of the operation parameter is obtained by calculating or predicting other operation parameters which have mapping relation with the operation parameter as independent variables, wherein if the predicted value exceeds a second range of the predicted value, the operation parameter is judged to be abnormal;
and reading time sequence data values of the operation parameters at different times, wherein if the time sequence data values are not matched, the operation parameters are judged to be abnormal.
In one particular example, historical data, such as for fluid level height, may be extracted for the operating equipment that needs to be monitored, an equipment health model may be constructed, sensor parameters obtained from the sensors may be compared to the health historical parameters in the equipment health model, and if within a threshold range of the health historical parameters (e.g., within ± 5%), the physical condition is judged to be normal, otherwise abnormal.
However, for some operating parameters of the operating equipment, such as the level height and flow rate described above, the level height may be a function of the flow rate, which may be mapped (or functional) with respect to each other. In this case, with a method of comparing the historical data, for example, the difference between the measured liquid level height and the historical data is within a predetermined range, according to the above example, it may not be determined as abnormal.
For this reason, in another specific example, the predicted value of the liquid level height may be calculated or predicted using a mechanism model, machine learning, deep learning, or the like, using the flow rate as an independent variable, so that if the measured liquid level height is out of a second range (e.g., within ± 5%) of the predicted value, it is determined to be abnormal.
However, as exemplified by the liquid level height and the flow rate, sometimes, under the condition that there is no oil in the pipeline nor oil out of the pipeline, the liquid level height should be unchanged at a certain section of the pipeline, and neither of the above two methods determines that there is an abnormality, but by comparing the liquid level height data values (i.e. time series data values) collected at different times, if there is no match, it is determined that there is an abnormality, and there is a possibility of pipeline blockage. In a preferred example, for more visual determination of matching, time series data patterns of liquid level heights collected at different time periods are graphically presented, and matching is determined by comparing the shape of the time series data at different times (e.g., 5 minutes apart).
As shown in fig. 8, in a specific example, the execution unit 510 further includes:
the first execution module 5100 is configured to query whether a network attack behavior exists in an attack behavior library if it is determined that the network device is subjected to the network attack behavior; if the network attack behavior exists in the attack behavior library, executing a corresponding coping strategy; if the network attack behavior does not exist in the attack behavior library, acquiring the physical state of the operating equipment; if the physical state of the operating equipment is abnormal, sending first alarm information; and if the physical state of the operating equipment is normal, sending second alarm information.
The steps executed by the first execution module 5100 correspond to the steps S300-S320 in the first embodiment, and the description of the series of steps is fully applicable here and will not be repeated here.
In a specific example, the execution unit 510 further includes:
the second execution module 5105 is configured to, if it is determined that the physical state of the operating device is abnormal, query whether the physical state is abnormal in the failure mode library; if the physical state is abnormal in the failure mode library, executing a corresponding coping strategy; if the physical state is not abnormal in the fault mode library, acquiring the state of the network equipment; if the network equipment is subjected to network attack behavior, third alarm information is sent; and if the network equipment is not attacked by the network, sending fourth alarm information.
The steps executed by the second execution module 5105 correspond to the steps S350-S370 in the first embodiment, and the description of the series of steps is fully applicable here and will not be repeated here.
It should be noted that, in the example shown in fig. 9, the first execution module and the first monitoring unit constitute a network anomaly monitoring unit, and the second execution module and the second monitoring unit constitute a physical state monitoring unit, so that the network anomaly monitoring unit and the physical state monitoring unit directly communicate with each other for cross validation. In the example shown in fig. 10, the first monitoring unit is a network anomaly monitoring unit, the second monitoring unit is a physical state monitoring unit, and the execution unit exists independently from the first monitoring unit and the second monitoring unit, and the first monitoring unit and the second monitoring unit respectively send the monitored communication state and the monitored physical state to the execution unit, and the execution unit completes the execution operation.
The method of the embodiment is different from CN109922073A in the prior art in that not only network devices in the internet of things system, but also controlled objects (i.e. core operating devices) in the system are measured and monitored in physical state, the security monitoring of the network devices is used as one analysis unit, the monitoring of the function and physical state of the core operating devices is used as another analysis unit, and the function security and physical security of the core operating devices are monitored, and the security of the network devices is also monitored. In a further embodiment, the data and the analysis results of the two analysis units are jointly transmitted to the safety decision control unit. The analysis and monitoring result of the safety decision control unit not only monitors the functional safety and the physical safety of the core operation equipment, but also monitors the safety of the network equipment. Through the cross validation of network monitoring and equipment operation monitoring, the classification of different abnormalities can be determined, different alarms can be given, wherein the function and physical abnormality of the core operation equipment caused by network attack events can be prevented, namely, the network attack hijack message in the background technology can be prevented, an error operation instruction is sent to the operation equipment, the machine can work under an abnormal state continuously until overload reimbursement, and meanwhile, the false image of normal operation of the machine is given to a monitored person, and the true problem is hidden.
Although the above embodiments take oil-air equipment as an example, it can be understood by those skilled in the art that the device of the present invention is applicable to network equipment and core operation equipment in an electric power system, and is also applicable to fuel oil storage and transportation pipelines and tanks, industrial robots and mechanical arms on continuous manufacturing production lines, manned or automatic driving vehicles (including rail transit trains and trackless road traffic vehicles), manned or unmanned aircraft, oil drilling rigs and artificial lifting oil production equipment, building HVAC heating and ventilation air conditioners, heating stations, etc., and is more generally applicable to a series of complete systems which have core operation equipment and are controlled to operate by an internet of things.
Third embodiment
As shown in fig. 11, a computer device adapted to be used to implement the methods provided by the above-described embodiments includes a central processing module (CPU) that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage section into a Random Access Memory (RAM). In the RAM, various programs and data necessary for the operation of the computer system are also stored. The CPU, ROM, and RAM are connected thereto via a bus. An input/output (I/O) interface is also connected to the bus.
An input section including a keyboard, a mouse, and the like; an output section including a speaker and the like such as a Liquid Crystal Display (LCD); a storage section including a hard disk and the like; and a communication section including a network interface card such as a LAN card, a modem, or the like. The communication section performs communication processing via a network such as the internet. The drive is also connected to the I/O interface as needed. A removable medium such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive as necessary, so that a computer program read out therefrom is mounted into the storage section as necessary.
In particular, according to this embodiment, the method of the first embodiment of the present invention may be implemented as a computer software program. For example, the present embodiments include a computer program product comprising a computer program tangibly embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section, and/or installed from a removable medium.
The flowchart and schematic diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to the present embodiments. In this regard, each block in the flowchart or schematic diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the schematic and/or flowchart illustration, and combinations of blocks in the schematic and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The systems and units described in the present embodiment may be implemented by software or hardware. The described units may also be located in the processor.
Fourth embodiment
The embodiment also provides a nonvolatile computer storage medium, which may be the nonvolatile computer storage medium included in the above-mentioned apparatus in the above-mentioned embodiment, or may be a nonvolatile computer storage medium that exists separately and is not assembled in the terminal. The non-volatile computer storage medium stores one or more programs that, when executed by an apparatus, cause the apparatus to implement the method of the first embodiment.
It is to be noted that, in the description of the present invention, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion.
It should be understood that the above-mentioned embodiments of the present invention are only examples for clearly illustrating the present invention, and are not intended to limit the embodiments of the present invention, and it will be obvious to those skilled in the art that other variations and modifications can be made on the basis of the above description, and all embodiments cannot be exhaustive, and all obvious variations and modifications belonging to the technical scheme of the present invention are within the protection scope of the present invention.
Claims (14)
1. A method for ensuring safe operation of an internet of things system, wherein the internet of things system comprises a network device and an operating device controlled by the network device, the method comprising:
monitoring the communication state of the network equipment to judge whether the network equipment is attacked or not;
monitoring the physical state of the operating equipment to judge whether the physical state of the operating equipment is abnormal or not;
and executing corresponding processing operation once judging that the network equipment is subjected to network attack behavior or the physical state of the operating equipment is abnormal.
2. The method of claim 1, wherein the monitoring the communication status of the network device to determine whether the network device is under network attack comprises:
acquiring a message between an upper computer and a lower computer in network equipment;
and analyzing the message characteristics of the message and judging whether the message is an unauthorized message.
3. The method of claim 1, wherein the monitoring the physical state of the operational equipment to determine whether the physical state of the operational equipment is abnormal comprises:
reading the operating parameters of the operating equipment monitored by the corresponding sensors in real time;
determining whether the physical state is abnormal based on a comparison of the operating parameter with:
a historical value of the operating parameter, wherein if the historical value is beyond a first range of the historical value, the operating parameter is judged to be abnormal;
the predicted value of the operation parameter is obtained by calculating or predicting other operation parameters which have mapping relation with the operation parameter as independent variables, wherein if the predicted value exceeds a second range of the predicted value, the operation parameter is judged to be abnormal;
and reading time sequence data values of the operation parameters at different times, wherein if the time sequence data values are not matched, the operation parameters are judged to be abnormal.
4. The method according to any one of claims 1 to 3, wherein, upon determining that the network device is under network attack or the physical state of the operating device is abnormal, executing corresponding processing operations, including:
if the network equipment is judged to be subjected to the network attack behavior, inquiring whether the network attack behavior exists in an attack behavior library;
if the network attack behavior exists in the attack behavior library, executing a corresponding coping strategy; if the network attack behavior does not exist in the attack behavior library, acquiring the physical state of the operating equipment;
if the physical state of the operating equipment is abnormal, sending first alarm information; and if the physical state of the operating equipment is normal, sending second alarm information.
5. The method of claim 4, wherein if the cyber attack is not present in the aggressor library, the method further comprises storing the cyber attack in the aggressor library.
6. The method according to any one of claims 1 to 3, wherein, upon determining that the network device is under network attack or the physical state of the operating device is abnormal, executing corresponding processing operations, including:
if the physical state of the operating equipment is judged to be abnormal, inquiring whether the physical state is abnormal in a fault mode library;
if the physical state is abnormal in the failure mode library, executing a corresponding coping strategy; if the physical state is not abnormal in the fault mode library, acquiring whether the state of the network equipment is abnormal or not;
if the network equipment is subjected to network attack behavior, third alarm information is sent; and if the network equipment is not attacked by the network, sending fourth alarm information.
7. The method of claim 6, wherein if the physical state anomaly does not exist in a failure mode library, the method further comprises storing the physical state anomaly in the failure mode library.
8. An apparatus for ensuring safe operation of an internet of things system, wherein the internet of things system comprises a network device and an operation device controlled by the network device, the apparatus comprising:
the first monitoring unit is used for monitoring the communication state of the network equipment so as to judge whether the network equipment is attacked by the network;
the second monitoring unit is used for monitoring the physical state of the operating equipment so as to judge whether the physical state of the operating equipment is abnormal or not;
and the execution unit is used for executing corresponding processing operation once judging that the network equipment is subjected to network attack behavior or the physical state of the operating equipment is abnormal.
9. The apparatus of claim 8, wherein the first monitoring unit further comprises:
the message acquisition module is used for acquiring messages between an upper computer and a lower computer in the network equipment;
and the message analysis module is used for analyzing the message characteristics of the message and judging whether the message is an unauthorized message.
10. The apparatus of claim 8, wherein the second monitoring unit further comprises:
the sensor parameter acquisition module is used for reading the operating parameters of the operating equipment monitored by the corresponding sensor in real time;
a comparison module for determining whether the physical state is abnormal based on a comparison of the operating parameter with:
a historical value of the operating parameter, wherein if the historical value is beyond a first range of the historical value, the operating parameter is judged to be abnormal;
the predicted value of the operation parameter is obtained by calculating or predicting other operation parameters which have mapping relation with the operation parameter as independent variables, wherein if the predicted value exceeds a second range of the predicted value, the operation parameter is judged to be abnormal;
and reading time sequence data values of the operation parameters at different times, wherein if the time sequence data values are not matched, the operation parameters are judged to be abnormal.
11. The apparatus according to any one of claims 8-10, wherein the execution unit further comprises:
the first execution module is used for inquiring whether the network attack behavior exists in an attack behavior library or not if the network attack behavior of the network equipment is judged; if the network attack behavior exists in the attack behavior library, executing a corresponding coping strategy; if the network attack behavior does not exist in the attack behavior library, acquiring the physical state of the operating equipment; if the physical state of the operating equipment is abnormal, sending first alarm information; and if the physical state of the operating equipment is normal, sending second alarm information.
12. The apparatus according to any one of claims 8-10, wherein the execution unit further comprises:
the second execution module is used for inquiring whether the physical state of the operating equipment is abnormal or not in a fault mode library if the physical state of the operating equipment is judged to be abnormal; if the physical state is abnormal in the failure mode library, executing a corresponding coping strategy; if the physical state is not abnormal in the fault mode library, acquiring whether the state of the network equipment is abnormal or not; if the network equipment is subjected to network attack behavior, third alarm information is sent; and if the network equipment is not attacked by the network, sending fourth alarm information.
13. A computing device comprising a processor and a memory storing a program, wherein the program when executed implements the method of any of claims 1-7.
14. A computer-readable storage medium storing a program, characterized in that the program, when executed, implements the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110149994.3A CN112911004B (en) | 2021-02-03 | 2021-02-03 | Method and device for ensuring safe operation of Internet of things system and computing equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110149994.3A CN112911004B (en) | 2021-02-03 | 2021-02-03 | Method and device for ensuring safe operation of Internet of things system and computing equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112911004A true CN112911004A (en) | 2021-06-04 |
| CN112911004B CN112911004B (en) | 2022-09-27 |
Family
ID=76121877
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110149994.3A Active CN112911004B (en) | 2021-02-03 | 2021-02-03 | Method and device for ensuring safe operation of Internet of things system and computing equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112911004B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107613017A (en) * | 2017-10-13 | 2018-01-19 | 天津科技大学 | Dangerous matter sources monitoring system and its implementation based on Internet of Things |
| CN108063753A (en) * | 2017-11-10 | 2018-05-22 | 全球能源互联网研究院有限公司 | A kind of information safety monitoring method and system |
| CN108206760A (en) * | 2016-12-16 | 2018-06-26 | 南京联成科技发展股份有限公司 | A kind of safe O&M framework of industrial control system |
| CN108737410A (en) * | 2018-05-14 | 2018-11-02 | 辽宁大学 | A kind of feature based is associated limited to know industrial communication protocol anomaly detection method |
| CN111683055A (en) * | 2020-05-14 | 2020-09-18 | 北京邮电大学 | Industrial honey pot control method and device |
| CN111818009A (en) * | 2020-05-25 | 2020-10-23 | 国网思极网安科技(北京)有限公司 | Protection method and device for message based on MQTT protocol |
| CN112104604A (en) * | 2020-08-07 | 2020-12-18 | 国电南瑞科技股份有限公司 | System and method for realizing safety access service based on electric power internet of things management platform |
-
2021
- 2021-02-03 CN CN202110149994.3A patent/CN112911004B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108206760A (en) * | 2016-12-16 | 2018-06-26 | 南京联成科技发展股份有限公司 | A kind of safe O&M framework of industrial control system |
| CN107613017A (en) * | 2017-10-13 | 2018-01-19 | 天津科技大学 | Dangerous matter sources monitoring system and its implementation based on Internet of Things |
| CN108063753A (en) * | 2017-11-10 | 2018-05-22 | 全球能源互联网研究院有限公司 | A kind of information safety monitoring method and system |
| CN108737410A (en) * | 2018-05-14 | 2018-11-02 | 辽宁大学 | A kind of feature based is associated limited to know industrial communication protocol anomaly detection method |
| CN111683055A (en) * | 2020-05-14 | 2020-09-18 | 北京邮电大学 | Industrial honey pot control method and device |
| CN111818009A (en) * | 2020-05-25 | 2020-10-23 | 国网思极网安科技(北京)有限公司 | Protection method and device for message based on MQTT protocol |
| CN112104604A (en) * | 2020-08-07 | 2020-12-18 | 国电南瑞科技股份有限公司 | System and method for realizing safety access service based on electric power internet of things management platform |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112911004B (en) | 2022-09-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| AU2006201477B2 (en) | Methods and systems for diagnosing machinery | |
| IL259608A (en) | System and method for detecting a cyber-attack at scada/ics managed plants | |
| US9261862B2 (en) | Automation management system and method | |
| CN1969240A (en) | Process equipment validation | |
| EP4062030B1 (en) | Well annulus pressure monitoring | |
| CN116105802B (en) | Underground facility safety monitoring and early warning method based on Internet of things | |
| US9188021B2 (en) | Steam turbine blade vibration monitor backpressure limiting system and method | |
| CN112668873B (en) | Mine safety situation analysis and prediction early warning method | |
| EP3916505A2 (en) | Identification of facility state and operating mode in a particular event context | |
| KR101915236B1 (en) | Integrated security management systme for smart-factory | |
| CN107431717A (en) | Apparatus and method for the automatic disposal of network security risk event | |
| CN116823175A (en) | Intelligent operation and maintenance method and system for petrochemical production informatization system | |
| CN115047848A (en) | Industrial control system anomaly detection method based on PID neural network | |
| CN112911004B (en) | Method and device for ensuring safe operation of Internet of things system and computing equipment | |
| CN116562739A (en) | Liquid chemical engineering wharf operation flow planning and dynamic monitoring system | |
| CN113204867A (en) | Intelligent scheduling method for transient process of pipe network | |
| CN111381567B (en) | Safety detection system and method for industrial control system | |
| CN116483054A (en) | Industrial robot running state monitoring and early warning system and method | |
| CN113673600B (en) | Industrial signal abnormality early warning method, system, storage medium and computing device | |
| CN103955182A (en) | Safe operation monitoring and instructing method | |
| CN113651060A (en) | Online detection system for operation state of stacker | |
| CN116700197B (en) | Industrial control monitoring, analyzing and early warning system and analyzing and early warning processing method | |
| US20220229423A1 (en) | System and method for operating an automated machine, automated machine, and computer-program product | |
| CN117291582B (en) | Industrial production interconnection monitoring system based on data analysis | |
| Ahn et al. | An Unsafe Acts Autodetection Process in Nuclear Power Plant Operations |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |