CN113259396A - S7comm protocol anomaly detection method and device - Google Patents

Publication number
CN113259396A
Authority
CN
China
Prior art keywords
time period
s7comm
operation command
data
command data
Legal status
Pending
Application number
CN202110760845.0A
Other languages
Chinese (zh)
Inventor
宋贤飞
姜双林
周磊
饶志波
Current Assignee
Beijing Andi Technology Co Ltd
Original Assignee
Beijing Andi Technology Co Ltd
Application filed by Beijing Andi Technology Co Ltd
Priority to CN202110760845.0A
Publication of CN113259396A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention provides an anomaly detection method and device for the S7comm protocol. The method comprises the following steps: collecting S7comm traffic data of a PLC device in a first time period; extracting the operation command data from the S7comm traffic data; establishing an abnormal-instruction detection model from the operation command data; and performing anomaly detection on the S7comm traffic data of the PLC device in a second time period, later than the first, by means of the abnormal-instruction detection model. This solves the technical problem that conventional protocol analysis cannot accurately detect anomalies in S7comm network traffic.

Description

S7comm protocol anomaly detection method and device
Technical Field
The invention relates to industrial network security, in particular to an S7comm protocol anomaly detection method and device.
Background
Industrial network security is becoming ever more important: a number of large-scale attacks on industrial networks have already caused heavy losses to industrial production, and how to protect industrial networks, and industrial equipment in particular, from external threats is an increasingly important question both in China and abroad. Protocol analysis is one of the main means of defending an industrial network against attack. It refers to analysing network traffic to discover attack behaviour, and its usual method is to parse the IP addresses, ports, payload and other contents of each network packet and to match those contents against known analysis rules, raising an alarm on a hit.
S7comm is a proprietary Siemens protocol used by the Siemens S7-300/400 series of programmable logic controllers (PLCs). It is used for PLC programming, for exchanging data between PLCs, for accessing PLC data from SCADA (supervisory control and data acquisition) systems and for diagnostics. S7comm PDUs travel as the payload of COTP packets, which are themselves carried by TPKT over TCP port 102 (ISO-on-TCP, RFC 1006); the protocol's commands include start, stop, read variable, write variable, upload, download and others.
It should be noted that, because S7comm is purely a device-management protocol and its packets carry no user information, conventional protocol analysis of the kind described above, matching addresses, ports and payload contents against known rules, cannot accurately detect anomalies in S7comm network traffic.
Disclosure of Invention
The invention provides an S7comm protocol anomaly detection method and device in order to solve the technical problem that conventional protocol analysis cannot accurately detect anomalies in S7comm network traffic.
According to a first aspect of the present invention, there is provided an anomaly detection method for the S7comm protocol, the method comprising: collecting S7comm traffic data of a PLC device in a first time period; extracting the operation command data from the S7comm traffic data; establishing an abnormal-instruction detection model from the operation command data; and performing anomaly detection on the S7comm traffic data of the PLC device in a second time period by means of the abnormal-instruction detection model, wherein the second time period is later than the first time period.
Further, before collecting the S7comm traffic data of the PLC device in the first time period, the method includes: collecting running state data of the PLC device in the first time period; and judging, from the running state data, that the PLC device operated normally in the first time period.
Further, the first time period is M days, M being greater than or equal to 1, and establishing the abnormal-instruction detection model from the operation command data includes: dividing each day into N intervals according to a preset time interval, N being greater than or equal to 1; determining, for each of the N intervals, the M pieces of operation command data that occurred in that interval on the M days (one piece per day); generating a two-dimensional array from the M pieces of operation command data corresponding to each interval; and processing the two-dimensional array of each interval with an isolation forest algorithm to generate the abnormal-instruction detection model for each of the unit intervals.
Further, performing anomaly detection on the S7comm traffic data of the PLC device in the second time period by means of the abnormal-instruction detection model includes: determining the operation command data of the L-th interval of the second time period; and inputting the operation command data of the L-th interval of the second time period into the abnormal-instruction detection model to generate an anomaly detection result.
Further, after extracting the operation command data from the S7comm traffic data, the method further includes: receiving standard working parameters from a user, and correcting the operation command data in the S7comm traffic data according to the standard working parameters.
According to another aspect of the present invention, there is provided an anomaly detection device for the S7comm protocol, the device including: a first acquisition unit for collecting S7comm traffic data of a PLC device in a first time period; an extracting unit for extracting the operation command data from the S7comm traffic data; an establishing unit for establishing an abnormal-instruction detection model from the operation command data; and a detection unit for performing anomaly detection on the S7comm traffic data of the PLC device in a second time period by means of the abnormal-instruction detection model, wherein the second time period is later than the first time period.
Further, the device further comprises: a second acquisition unit for collecting running state data of the PLC device in the first time period; and a judging unit for judging, from the running state data, that the PLC device operated normally in the first time period.
Further, the first time period is M days, M being greater than or equal to 1, and the establishing unit includes: a dividing module for dividing each day into N intervals according to a preset time interval, N being greater than or equal to 1; a first determining module for determining, for each of the N intervals, the M pieces of operation command data that occurred in that interval on the M days; a first generating module for generating a two-dimensional array from the M pieces of operation command data corresponding to each interval; and a second generating module for processing the two-dimensional array of each interval with an isolation forest algorithm to generate the abnormal-instruction detection model for each of the unit intervals.
Further, the detection unit includes: a second determining module for determining the operation command data of the L-th interval of the second time period; and a detection module for inputting the operation command data of the L-th interval of the second time period into the abnormal-instruction detection model and generating an anomaly detection result.
Further, the device further comprises: a correcting unit for receiving standard working parameters from a user and correcting the operation command data in the S7comm traffic data according to the standard working parameters.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention, and other drawings can be obtained from them by those skilled in the art without creative effort.
Fig. 1 illustrates an abnormality detection method of the S7comm protocol according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of an abnormality detection device of the S7comm protocol according to the second embodiment of the present invention.
Detailed Description
In order to make the above and other features and advantages of the present invention more apparent, the present invention is further described below with reference to the accompanying drawings. It is understood that the specific embodiments described herein are for purposes of illustration only and are not intended to be limiting.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the specific details need not be employed to practice the present invention. In other instances, well-known steps or operations are not described in detail to avoid obscuring the invention.
Example one
As shown in fig. 1, the present embodiment provides an abnormality detection method for an S7comm protocol, the method including:
and step S11, collecting S7comm flow data of the PLC equipment in the first time period.
Specifically, the scheme can adopt a dedicated server to collect S7comm flow data of the PLC equipment in the first time period, the first time period can be a preset period, the preset period can be M days, M is more than or equal to 1, and the scheme can control the server to collect the S7comm flow data of the PLC equipment in running for M days continuously. In the first time zone, the PLC device is S7comm flow data generated during normal operation in the industrial environment.
It should be noted here that, in the present solution, the S7comm flow data of the PLC device in the first time period may be collected in real time, or the S7comm flow data of the PLC device may be obtained by analyzing the work log afterwards.
And step S13, extracting the operation command data in the S7comm flow data.
Specifically, in the present solution, after the S7comm flow data generated by normal operation of the PLC device in the first time period is collected, the S7comm flow data may be extracted to obtain the operation command data in the S7comm flow data, and examples of values and meanings of the operation command data may be as shown in table 1 below:
Table 1: (the table is an image on the original page and is not reproduced here)
It should be noted that, in the present embodiment, after the operation command data has been extracted, the extracted content may be formatted into a table of time versus key operation, as shown in Table 2 below:
Table 2: (the table is an image on the original page and is not reproduced here)
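The extraction of step S13, together with the framing described in the Background (S7comm carried inside COTP inside TPKT), as an added worked example. This is illustration code written for this page, not code from the patent or from Beijing Andi Technology. It assumes the standard ISO-on-TCP framing on TCP port 102 and the documented S7comm function codes; the sample frames, their timestamps and the helper names build_frame, parse_frame and command_log are constructed for the example.

```python
"""Pull the S7comm 'operation command' (function code) out of ISO-on-TCP frames.
Added example; the frames are constructed here, not taken from the patent or a capture."""
import struct

# First parameter byte of a Job or Ack-Data PDU. Values follow the S7comm function
# codes as decoded by Wireshark's s7comm dissector.
S7_FUNCTIONS = {
    0x00: "CPU Services", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request Download", 0x1B: "Download Block", 0x1C: "Download Ended",
    0x1D: "Start Upload", 0x1E: "Upload", 0x1F: "End Upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup Communication",
}
ROSCTR = {1: "Job", 2: "Ack", 3: "Ack-Data", 7: "Userdata"}


def build_frame(rosctr, pdu_ref, parameter=b"", data=b"", error=b"") -> bytes:
    """TPKT + COTP DT + S7comm header, as it travels on TCP port 102."""
    s7 = struct.pack(">BBHHHH", 0x32, rosctr, 0, pdu_ref, len(parameter), len(data))
    s7 += error + parameter + data          # Ack-Data inserts 2 error bytes before the parameter
    cotp_dt = b"\x02\xf0\x80"               # length 2, PDU type DT, TPDU number 0 with EOT bit
    return struct.pack(">BBH", 3, 0, 4 + len(cotp_dt) + len(s7)) + cotp_dt + s7


def parse_frame(frame: bytes) -> dict:
    """Return ROSCTR, PDU reference and function name; raise ValueError on anything malformed."""
    if len(frame) < 7 or frame[0] != 3:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length disagrees with frame length (truncated or coalesced)")
    cotp_len, cotp_type = frame[4], frame[5]
    if cotp_type != 0xF0:
        raise ValueError("COTP PDU is not DT; connection setup frames carry no S7comm")
    s7 = frame[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("no S7comm header behind COTP")
    rosctr, pdu_ref, plen, dlen = struct.unpack(">xBxxHHH", s7[:10])
    hdr_len = 12 if rosctr == 3 else 10     # only Ack-Data carries error class + error code
    if len(s7) != hdr_len + plen + dlen:
        raise ValueError("parameter/data lengths disagree with PDU size")
    parameter = s7[hdr_len:hdr_len + plen]
    result = {"rosctr": ROSCTR.get(rosctr, f"unknown({rosctr})"), "pdu_ref": pdu_ref, "function": None}
    if rosctr == 3:
        result["error"] = (s7[10], s7[11])
    if rosctr in (1, 3) and plen:
        result["function"] = S7_FUNCTIONS.get(parameter[0], f"unknown(0x{parameter[0]:02x})")
    elif rosctr == 7:
        result["function"] = "Userdata"     # function group/subfunction sit deeper; not decoded here
    return result


def command_log(records):
    """Table-2 style rows (time, operation) from (time, frame) pairs. Only client Jobs count
    as operations, and frames that do not parse are skipped rather than aborting the run."""
    rows = []
    for when, frame in records:
        try:
            parsed = parse_frame(frame)
        except ValueError:
            continue
        if parsed["rosctr"] == "Job" and parsed["function"]:
            rows.append((when, parsed["function"]))
    return rows


def demo_command_log():
    """Constructed traffic: a COTP connection request, a Write Var exchange and a PLC Stop job."""
    write_item = bytes([0x12, 0x0A, 0x10, 0x02, 0x00, 0x01, 0x00, 0x01, 0x84, 0x00, 0x00, 0x00])
    write_data = b"\x00\x04\x00\x08\xff"   # reserved, transport size, 8 bits, value 0xFF
    cotp_cr = bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")  # COTP CR, no S7comm
    records = [
        ("08:59:58", cotp_cr),
        ("09:00:05", build_frame(1, 1, b"\x05\x01" + write_item, write_data)),
        ("09:00:05", build_frame(3, 1, b"\x05\x01", b"\xff", error=b"\x00\x00")),
        ("09:12:40", build_frame(1, 2, b"\x29" + b"\x00" * 5 + b"\x09" + b"P_PROGRAM")),
    ]
    return command_log(records)


if __name__ == "__main__":
    for when, op in demo_command_log():
        print(when, op)
```

The checks a practitioner wants are built in: the TPKT length must equal the frame length (a coalesced or truncated TCP segment otherwise yields garbage), only COTP DT PDUs carry S7comm, only Ack-Data PDUs have the two error bytes before the parameter, and only Job PDUs from the client count as operations, so the PLC's responses are not double-counted. Userdata PDUs (ROSCTR 7, used for diagnostics, clock and block-list queries) are tagged but their function group is not decoded.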
and step S15, establishing an abnormal instruction detection model according to the operation command data.
Specifically, in this embodiment, an abnormal instruction detection model may be established according to the operation command data of the first time period extracted in the step S14, and preferably, the operation command data may adopt an iforest (isolation forest) algorithm, that is, an isolated forest algorithm is adopted to train and obtain the abnormal instruction detection model, where the abnormal instruction model includes association relationships between different time points and the operation command data.
And step S17, carrying out abnormity detection on the S7comm flow data of the PLC equipment in a second time period through the abnormity instruction detection model, wherein the second time period is later than the first time period.
Specifically, in this solution, the S7comm flow data of the PLC device in the second time period may be collected, it should be noted that whether the S7comm flow data generated by the PLC device in the second time period is abnormal is unknown, and the abnormal instruction detection model established in step S15 is adopted to perform abnormal detection on the S7comm flow data in the second time period, and since the abnormal instruction detection model is trained according to the S7comm flow data generated in the first time period (i.e., the stage in which the PLC device is operating normally) and the time, it may be accurately detected whether the S7comm flow data of the PLC device in the second time period is abnormal. Therefore, the technical problem that a conventional protocol analysis means cannot accurately predict the abnormal network traffic of the S7Comm protocol is solved, and it needs to be explained that in order to solve the problem that the conventional protocol analysis detection method cannot effectively act on the S7Comm protocol, the invention adopts a machine learning technology to perform abnormal detection on an S7Comm protocol command, monitors the running state of the PLC equipment, forms an abnormal detection basis based on the learning of the monitoring data of the original equipment, monitors the running state of the PLC equipment in the future, and can timely discover abnormal stop running of the equipment caused by external attack, misoperation and machine failure.
It should be further noted that, the invention is triggered from the device monitoring perspective, performs machine learning modeling on the operating state of the PLC device, records the relationship between time and operation of the device in the normal operating state, and can detect the abnormal operating state of the PLC device in real time, which is caused by external attack, illegal operation, and device abnormality, and this detection mode cannot be completed by the existing protocol analysis device.
Optionally, before the S7comm traffic data of the PLC device in the first time period is collected in step S11, the method provided in this embodiment may include:
Step S09: collect running state data of the PLC device in the first time period.
Step S10: judge, from the running state data, that the PLC device operated normally in the first time period.
Specifically, the scheme collects running state data of the PLC device during the first time period, such as the memory usage of the PLC device and its data processing speed, and uses this running state data to judge whether the PLC operated normally during the first time period. Only when the PLC device is judged to have operated normally in the first time period does the scheme begin to collect the S7comm traffic data generated by the PLC device in that period.
Optionally, the first time period is M days, M being greater than or equal to 1, and establishing the abnormal-instruction detection model from the operation command data in step S15 may include:
Step S151: divide each day into N intervals according to a preset time interval, N being greater than or equal to 1.
Specifically, N may be 48. To put the data into a form suitable for machine learning modelling, the scheme normalises it by dividing the 24 hours of each day into 48 sections, X1 to X48, with 30 minutes as the unit section.
Step S152: determine the M pieces of operation command data that occurred in each of the N intervals on the M days.
Specifically, for each interval the scheme determines the M pieces of operation command data (one per day) that occurred in that interval over the M days; for example, for interval X1, 00:00 to 00:30, it determines the operation command data that occurred between 00:00 and 00:30 on each of the M days.
Step S153: generate a two-dimensional array from the M pieces of operation command data corresponding to each interval.
Specifically, the scheme records all operation instructions (operation command data) generated in each unit interval and, after data normalisation, forms a two-dimensional array with one row per day and one column per command. For interval X1 (00:00 to 00:30) the resulting data is shown in Table 3:
TABLE 3
          Start Upload   Upload   Write Var   ......   PLC Stop
Day 1     1              0        1           0        0
Day 2     1              0        1           0        1
.......   1              1        1           0        1
Day M     1              0        0           0        1
Step S154: process the two-dimensional array of each interval with an isolation forest algorithm to generate the abnormal-instruction detection model for each of the unit intervals.
Specifically, once data normalisation is complete, the iForest machine learning algorithm is applied to the array of each interval separately, yielding an abnormal-instruction detection model for every interval.
Optionally, performing anomaly detection on the S7comm traffic data of the PLC device in the second time period by means of the abnormal-instruction detection model in step S17 includes:
Step S171: determine the operation command data of the L-th interval of the second time period.
Step S172: input the operation command data of the L-th interval of the second time period into the abnormal-instruction detection model and generate an anomaly detection result.
Specifically, after the S7comm traffic data of the second time period has been collected, the operation command data of its L-th interval is determined and input into the abnormal-instruction detection model of that interval; this is how the detection model is applied to real-time monitoring of S7comm. For example, if 09:00-09:30 was production time throughout the normal (first) time period, the model has learned that the PLC is in the running state during that interval; if a PLC Stop command suddenly appears in that interval on some day of the second time period (for example 09:00-09:30), an equipment anomaly alarm can be triggered.
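Steps S151 to S154 and S171 to S172 carried through as one added example: 48 half-hour intervals, a binary presence row per day for one interval (the layout of Table 3), an isolation forest per interval, and the scoring of a later day. This is illustration code written for this page, not the patent's implementation; the isolation forest is a compact standard-library re-implementation of Liu, Ting and Zhou's algorithm rather than scikit-learn, and the command vocabulary, the 14 training days and the names IntervalModel, detect and demo_model are assumptions made for the example. It also adds a check the patent text does not mention: a command never seen in an interval during training occupies a column that is constant there, and an isolation forest never splits on a constant column, so the forest alone scores a PLC Stop at 09:00 exactly like a normal day; detect therefore also reports never-seen commands.

```python
"""Per-interval anomaly model over S7comm command presence, following the shape of
steps S151-S154 and S171-S172 (48 half-hour intervals, one 2-D array per interval,
one isolation forest per interval). Added example in pure standard-library Python;
the forest is a compact re-implementation, not the patent's or scikit-learn's code."""
import math
import random

# Column order of the presence vector. Constructed for the example; the page does
# not reproduce the patent's Table 1 command list.
COMMANDS = ["Read Var", "Write Var", "Start Upload", "Upload", "End Upload", "PLC Stop"]
INTERVAL_MINUTES = 30                       # N = 48 intervals per day (step S151)


def interval_index(hh_mm: str) -> int:
    """'HH:MM' -> 0-based interval number; X1 (00:00-00:30) is 0, X19 (09:00-09:30) is 18."""
    h, m = map(int, hh_mm.split(":"))
    return (h * 60 + m) // INTERVAL_MINUTES


def presence_vector(commands_seen) -> list:
    """One row of the interval's 2-D array: 1 if the command occurred in the interval that day."""
    seen = set(commands_seen)
    return [1 if c in seen else 0 for c in COMMANDS]


def _c(n: int) -> float:
    """Expected path length of an unsuccessful BST search; normalises the scores."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def _grow(rows, depth, limit, rng):
    """Isolation tree: random feature, random split between that feature's min and max."""
    splittable = [j for j in range(len(COMMANDS)) if len({r[j] for r in rows}) > 1]
    if depth >= limit or len(rows) <= 1 or not splittable:
        return ("leaf", len(rows))          # a column constant in this node can never split it
    j = rng.choice(splittable)
    lo, hi = min(r[j] for r in rows), max(r[j] for r in rows)
    split = lo + (hi - lo) * rng.random()   # in [lo, hi): both children stay non-empty
    left = [r for r in rows if r[j] <= split]
    right = [r for r in rows if r[j] > split]
    return ("node", j, split, _grow(left, depth + 1, limit, rng), _grow(right, depth + 1, limit, rng))


def _path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, j, split, left, right = tree
    return _path_length(left if x[j] <= split else right, x, depth + 1)


class IntervalModel:
    """Isolation forest for one unit interval, trained on M presence vectors (M >= 2)."""

    def __init__(self, rows, n_trees=100, seed=0):
        assert len(rows) >= 2, "need at least two training days"
        rng = random.Random(seed)
        self.psi = min(256, len(rows))      # sub-sample size from the iForest paper
        limit = math.ceil(math.log2(self.psi))
        self.trees = [_grow(rng.sample(rows, self.psi), 0, limit, rng) for _ in range(n_trees)]
        # Commands ever observed in training for this interval, for the never-seen check below.
        self.seen = {COMMANDS[j] for r in rows for j in range(len(COMMANDS)) if r[j]}

    def score(self, x) -> float:
        """iForest anomaly score in (0, 1]; close to 1 means isolated in very few splits."""
        avg = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / _c(self.psi))


def detect(model: IntervalModel, commands_seen, threshold=0.6) -> dict:
    """Step S172 for one interval of the second period, plus an explicit never-seen-command
    check: a column that was constant during training (PLC Stop never issued at 09:00) is
    never split on, so the forest alone scores such a day exactly like a normal one."""
    score = model.score(presence_vector(commands_seen))
    unseen = sorted(set(commands_seen) - model.seen)
    return {"score": round(score, 3), "forest_alert": score >= threshold,
            "unseen_commands": unseen, "alert": score >= threshold or bool(unseen)}


def demo_model() -> IntervalModel:
    """Interval X19 (09:00-09:30) over 14 constructed training days: 12 days of plain data
    exchange and 2 days where an engineer also uploaded the program. Invented rows."""
    quiet = presence_vector(["Read Var", "Write Var"])
    upload_day = presence_vector(["Read Var", "Write Var", "Start Upload", "Upload", "End Upload"])
    return IntervalModel([quiet] * 12 + [upload_day] * 2, n_trees=100, seed=7)


if __name__ == "__main__":
    model = demo_model()
    for day in (["Read Var", "Write Var"],
                ["Read Var", "Write Var", "Start Upload", "Upload", "End Upload"],
                ["Read Var", "Write Var", "PLC Stop"]):
        print(day[-1], detect(model, day))
```

Running the block prints the three cases: the plain production day scores about 0.45, the rarely seen upload sequence about 0.83 (two of fourteen training days, so it is isolated in a single split), and the PLC Stop day the same 0.45 as a normal day, but with PLC Stop listed as never seen. The 0.6 threshold is a tuning parameter; in practice it is set from the distribution of scores the model assigns to its own training days.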
Optionally, after the operation command data has been extracted from the S7comm traffic data in step S13, the method further includes: receiving standard working parameters from a user, and correcting the operation command data in the S7comm traffic data according to the standard working parameters.
Specifically, in this alternative it is not necessary to judge from running state data whether the PLC device was normal before collecting its S7comm traffic data for the first time period; instead, as an optional embodiment, the scheme receives the user's standard working parameters and uses them to correct the operation command data in the S7comm traffic data. The corrected operation command data is then used as the sample data for modelling.
In summary, the scheme achieves the following: it can parse the S7comm protocol and extract the key operation instructions; it can build an anomaly monitoring model for the S7comm protocol; it can detect anomalies in S7comm operation instructions at a given point in time; the anomaly detection model can be applied to real-time anomaly detection; and it can monitor the running state of the device and discover in real time abnormal operation of the PLC caused by external attack, illegal operation or device fault.
Example two
As shown in fig. 2, the present embodiment provides an anomaly detection device for the S7comm protocol, which may be used to carry out the method of embodiment one and may be deployed in a server. The device may include: a first acquisition unit 20 for collecting S7comm traffic data of a PLC device in a first time period; an extracting unit 22 for extracting the operation command data from the S7comm traffic data; an establishing unit 24 for establishing an abnormal-instruction detection model from the operation command data; and a detection unit 26 for performing anomaly detection on the S7comm traffic data of the PLC device in a second time period by means of the abnormal-instruction detection model, wherein the second time period is later than the first time period.
Specifically, the acquisition unit in a dedicated server may collect the S7comm traffic data of the PLC device in the first time period. The first time period may be a preset period of M days, M being greater than or equal to 1, and the server may collect the S7comm traffic of the running PLC device for M consecutive days, either in real time or afterwards from the working logs. The S7comm traffic data of the first time period is traffic generated while the PLC device operates normally in its industrial environment.
After the S7comm traffic data generated by the PLC device during normal operation in the first time period has been collected, it is parsed to extract the operation command data. Preferably, the abnormal-instruction detection model is established from the extracted operation command data of the first time period using the iForest (isolation forest) algorithm, i.e. an isolation forest is trained to obtain the model, which encodes the association between points in time and the operation commands observed at them. The device then collects the S7comm traffic data of the PLC device in the second time period, for which it is not known whether the traffic is abnormal, and applies the established abnormal-instruction detection model to it. Because the model was trained on the S7comm traffic generated in the first time period (the normal operation stage of the PLC device) together with the time of each command, it can accurately detect whether the S7comm traffic of the PLC device in the second time period is abnormal.
The second embodiment therefore provides a device that solves the technical problem that conventional protocol analysis cannot accurately detect anomalies in S7comm network traffic. To overcome the inability of conventional protocol analysis to act effectively on the S7comm protocol, the invention applies machine learning to the anomaly detection of S7comm commands: it monitors the running state of the PLC device, learns a baseline for anomaly detection from the monitoring data of the original device, monitors the running state of the PLC device in the future, and can promptly discover abnormal stoppages of the device caused by external attack, misoperation or machine failure.
It should be further noted that the second embodiment likewise starts from the perspective of device monitoring: it builds a machine learning model of the running state of the PLC device, records the relationship between time and the operations of the device in its normal running state, and can detect in real time an abnormal running state of the PLC device caused by external attack, illegal operation or device fault.
Optionally, the device further comprises: a second acquisition unit for collecting running state data of the PLC device in the first time period; and a judging unit for judging, from the running state data, that the PLC device operated normally in the first time period.
Optionally, the first time period is M days, M being greater than or equal to 1, and the establishing unit includes: a dividing module for dividing each day into N intervals according to a preset time interval, N being greater than or equal to 1; a first determining module for determining, for each of the N intervals, the M pieces of operation command data that occurred in that interval on the M days; a first generating module for generating a two-dimensional array from the M pieces of operation command data corresponding to each interval; and a second generating module for processing the two-dimensional array of each interval with an isolation forest algorithm to generate the abnormal-instruction detection model for each of the unit intervals.
Optionally, the detection unit includes: a second determining module for determining the operation command data of the L-th interval of the second time period; and a detection module for inputting the operation command data of the L-th interval of the second time period into the abnormal-instruction detection model and generating an anomaly detection result.
Optionally, the device further comprises: a correcting unit for receiving standard working parameters from a user and correcting the operation command data in the S7comm traffic data according to the standard working parameters.
It will be understood that the specific features, operations and details described herein above with respect to the method of the present invention may be similarly applied to the apparatus and system of the present invention, or vice versa. In addition, each step of the method of the present invention described above may be performed by a respective component or unit of the device or system of the present invention.
It should be understood that the various modules/units of the apparatus of the present invention may be implemented in whole or in part by software, hardware, firmware, or a combination thereof. The modules/units may be embedded in the processor of the computer device in the form of hardware or firmware or independent from the processor, or may be stored in the memory of the computer device in the form of software for being called by the processor to execute the operations of the modules/units. Each of the modules/units may be implemented as a separate component or module, or two or more modules/units may be implemented as a single component or module.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored thereon computer instructions executable by the processor which, when executed by the processor, instruct the processor to perform the steps of the method of the invention. The computer device may broadly be a server, a terminal, or any other electronic device having the necessary computing and/or processing capabilities. In one embodiment, the computer device may include a processor, memory, a network interface and a communication interface connected by a system bus. The processor of the computer device may be used to provide the necessary computing, processing and/or control capabilities. The memory of the computer device may include a non-volatile storage medium and internal memory. An operating system, a computer program and the like may be stored in or on the non-volatile storage medium. The internal memory may provide an environment in which the operating system and the computer programs in the non-volatile storage medium run. The network interface and the communication interface of the computer device may be used to connect to and communicate with external devices over a network. When executed by the processor, the computer program performs the steps of the method of the invention.
The invention may be implemented as a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, causes the steps of the method of the invention to be performed. In one embodiment, the computer program is distributed across a plurality of computer devices or processors coupled by a network such that the computer program is stored, accessed, and executed by one or more computer devices or processors in a distributed fashion. A single method step/operation, or two or more method steps/operations, may be performed by a single computer device or processor or by two or more computer devices or processors. One or more method steps/operations may be performed by one or more computer devices or processors, and one or more other method steps/operations may be performed by one or more other computer devices or processors. One or more computer devices or processors may perform a single method step/operation, or perform two or more method steps/operations.
It will be appreciated by those of ordinary skill in the art that the method steps of the present invention may be directed to associated hardware, such as a computer device or processor, for performing the steps of the present invention by a computer program, which may be stored in a non-transitory computer readable storage medium, which when executed causes the steps of the present invention to be performed. Any reference herein to memory, storage, databases, or other media may include non-volatile and/or volatile memory, as appropriate. Examples of non-volatile memory include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, magnetic tape, floppy disk, magneto-optical data storage device, hard disk, solid state disk, and the like. Examples of volatile memory include random access memory (RAM), external cache memory, and the like.
The respective technical features described above may be arbitrarily combined. Although not all possible combinations of features are described, any combination of features should be considered to be covered by the present specification as long as there is no contradiction between such combinations.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An anomaly detection method for the S7comm protocol, the method comprising:
collecting S7comm traffic data of a PLC device in a first time period;
extracting operation command data from the S7comm traffic data;
establishing an anomalous-instruction detection model from the operation command data; and
performing anomaly detection on S7comm traffic data of the PLC device in a second time period by means of the anomalous-instruction detection model, wherein the second time period is later than the first time period.
2. The method of claim 1, wherein, before collecting the S7comm traffic data of the PLC device in the first time period, the method comprises:
collecting running-state data of the PLC device in the first time period; and
determining, based on the running-state data, that the PLC device operated normally in the first time period.
3. The method of claim 1, wherein the first time period is M days, M being greater than or equal to 1, and wherein establishing the anomalous-instruction detection model from the operation command data comprises:
dividing each day into N intervals according to a preset time interval, where N is greater than or equal to 1;
determining the M pieces of operation command data occurring in each of the N intervals over the M days;
generating a two-dimensional array from the M pieces of operation command data corresponding to each interval; and
processing the two-dimensional array corresponding to each interval with an isolation forest algorithm to generate the anomalous-instruction detection model for a plurality of unit intervals.
4. The method of claim 3, wherein performing anomaly detection on the S7comm traffic data of the PLC device in the second time period by means of the anomalous-instruction detection model comprises:
determining the operation command data of the L-th interval of the second time period; and
inputting the operation command data of the L-th interval of the second time period into the anomalous-instruction detection model to generate an anomaly detection result.
5. The method of claim 1, wherein, after extracting the operation command data from the S7comm traffic data, the method further comprises:
receiving standard working parameters from a user, and correcting the operation command data in the S7comm traffic data according to the standard working parameters.
6. An anomaly detection apparatus for the S7comm protocol, the apparatus comprising:
a first acquisition unit, configured to collect S7comm traffic data of a PLC device in a first time period;
an extraction unit, configured to extract operation command data from the S7comm traffic data;
an establishing unit, configured to establish an anomalous-instruction detection model from the operation command data; and
a detection unit, configured to perform anomaly detection on S7comm traffic data of the PLC device in a second time period by means of the anomalous-instruction detection model, wherein the second time period is later than the first time period.
7. The apparatus of claim 6, further comprising:
a second acquisition unit, configured to collect running-state data of the PLC device in the first time period; and
a judging unit, configured to determine, based on the running-state data, that the PLC device operated normally in the first time period.
8. The apparatus of claim 6, wherein the first time period is M days, M being greater than or equal to 1, and wherein the establishing unit comprises:
a dividing module, configured to divide each day into N intervals according to a preset time interval, where N is greater than or equal to 1;
a first determining module, configured to determine the M pieces of operation command data occurring in each of the N intervals over the M days;
a first generating module, configured to generate a two-dimensional array from the M pieces of operation command data corresponding to each interval; and
a second generating module, configured to process the two-dimensional array corresponding to each interval with an isolation forest algorithm to generate the anomalous-instruction detection model for a plurality of unit intervals.
9. The apparatus of claim 8, wherein the detection unit comprises:
a second determining module, configured to determine the operation command data of the L-th interval of the second time period; and
a detection module, configured to input the operation command data of the L-th interval of the second time period into the anomalous-instruction detection model and generate an anomaly detection result.
10. The apparatus of claim 6, further comprising:
a correction unit, configured to receive standard working parameters from a user and to correct the operation command data in the S7comm traffic data according to the standard working parameters.
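The claims describe the pipeline (extract operation commands from S7comm traffic, build one per-interval isolation forest from an M-day two-dimensional array, score the L-th interval of a later day) but give no concrete data layout. The following is an added example written for this page; it is not code from the patent or from the applicant. Its assumptions: the S7comm PDU is handed over with the TPKT/COTP wrappers already stripped, the function codes are the ones named by Wireshark's s7comm dissector, the per-interval feature vector is simply a count of each command type, the isolation forest is implemented inline (a library such as scikit-learn would do the same job), the baseline traffic and the two test intervals are constructed, and the "novel command" guard in `detect` is this example's own addition rather than a step of the claims.

```python
import math
import random
from collections import Counter

# S7comm function codes at the start of a Job PDU's parameter block (subset, Wireshark names).
FUNCTION_NAMES = {0x04: "read_var", 0x05: "write_var", 0x1A: "request_download",
                  0x28: "plc_control", 0x29: "plc_stop", 0xF0: "setup_communication"}
FEATURES = sorted(FUNCTION_NAMES.values())  # one count per command type

def extract_command(s7_pdu):
    """Operation command of one S7comm PDU (claim 1, step 2). Assumes TPKT/COTP
    are already stripped; only Job PDUs (ROSCTR 0x01) carry requests."""
    if (len(s7_pdu) < 11 or s7_pdu[0] != 0x32 or s7_pdu[1] != 0x01
            or int.from_bytes(s7_pdu[6:8], "big") < 1):   # empty parameter block
        return None
    return FUNCTION_NAMES.get(s7_pdu[10], "func_0x%02x" % s7_pdu[10])

def job_pdu(func):  # constructed minimal Job PDU: 10-byte header, parameter length 1
    return bytes([0x32, 0x01, 0, 0, 0, 1, 0, 1, 0, 0, func])

def count_vector(commands):  # one row of an interval's two-dimensional array
    counts = Counter(commands)
    return [counts.get(name, 0) for name in FEATURES]

def _c(n):
    """Average unsuccessful-search path length in a BST of n nodes (Liu et al.)."""
    if n <= 2:
        return float(max(n - 1, 0))
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _grow(rows, rng, depth, limit):
    """One isolation tree: random feature, random split inside its range."""
    if depth >= limit or len(rows) <= 1:
        return ("leaf", len(rows))
    dims = [j for j in range(len(rows[0]))
            if min(r[j] for r in rows) < max(r[j] for r in rows)]
    if not dims:  # all remaining features are constant: nothing to split on
        return ("leaf", len(rows))
    j = rng.choice(dims)
    split = rng.uniform(min(r[j] for r in rows), max(r[j] for r in rows))
    return ("node", j, split,
            _grow([r for r in rows if r[j] < split], rng, depth + 1, limit),
            _grow([r for r in rows if r[j] >= split], rng, depth + 1, limit))

def _path(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, j, split, left, right = tree
    return _path(left if x[j] < split else right, x, depth + 1)

class IsolationForest:
    """Minimal isolation forest; a score near 1 means 'isolated quickly'."""
    def __init__(self, n_trees=100, seed=0):
        self.n_trees, self.rng, self.trees, self.n = n_trees, random.Random(seed), [], 0
    def fit(self, rows):
        self.n = len(rows)
        limit = math.ceil(math.log2(max(self.n, 2)))
        self.trees = [_grow(rows, self.rng, 0, limit) for _ in range(self.n_trees)]
        return self
    def score(self, x):
        avg = sum(_path(t, x) for t in self.trees) / self.n_trees
        return 2.0 ** (-avg / (_c(self.n) or 1.0))

def build_models(day_intervals, n_trees=100, seed=0):
    """day_intervals[m][i]: commands on day m in interval i. Per interval, fit a forest
    on the M-row array (claim 3) and remember the command types ever seen (added guard)."""
    models = []
    for i in range(len(day_intervals[0])):
        rows = [count_vector(day[i]) for day in day_intervals]  # M x K array
        seen = {cmd for day in day_intervals for cmd in day[i]}
        models.append((IsolationForest(n_trees, seed + i).fit(rows), seen))
    return models

def detect(models, interval, commands, threshold=0.5):
    """Score the L-th interval of a later day with that interval's model (claim 4)."""
    forest, seen = models[interval]
    score = forest.score(count_vector(commands))
    novel = sorted(set(commands) - seen)  # a never-varying feature is never split on
    return {"score": round(score, 3), "novel_commands": novel,
            "anomalous": score > threshold or bool(novel)}

def constructed_baseline(days=30, intervals=4, seed=7):
    """Constructed normal traffic: reads, writes, a few session setups, rare control."""
    rng = random.Random(seed)
    return [[["read_var"] * rng.randint(105, 135) + ["write_var"] * rng.randint(22, 38)
             + ["setup_communication"] * rng.randint(1, 3)
             + ["plc_control"] * (1 if rng.random() < 0.2 else 0)
             for _ in range(intervals)] for _ in range(days)]

def run_demo(interval=2):
    """Two constructed later-day intervals: a burst with a download and a stop, and a quiet one."""
    models = build_models(constructed_baseline())
    burst = ([job_pdu(0x04)] * 400 + [job_pdu(0x05)] * 200 + [job_pdu(0xF0)] * 8
             + [job_pdu(0x28)] * 4 + [job_pdu(0x1A)] * 3 + [job_pdu(0x29)])
    quiet = [job_pdu(0x04)] * 120 + [job_pdu(0x05)] * 30 + [job_pdu(0xF0)] * 2
    commands = lambda pdus: [c for c in map(extract_command, pdus) if c]
    return detect(models, interval, commands(burst)), detect(models, interval, commands(quiet))
```

Two practical points follow from the design. First, an isolation tree only splits on features that vary in the training rows, so a command type that never appeared during the M baseline days (here `plc_stop` and `request_download`) does not move the forest score at all; the `novel_commands` guard exists for exactly that case and is worth keeping alongside the model. Second, the 0.5 cutoff is the textbook value (path length equal to the average for the sample size); in production the threshold should be calibrated on held-out normal days, and the claim 2 check that the PLC ran normally during the baseline matters because any abnormal day in the training array is learned as normal.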

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110760845.0A CN113259396A (en) 2021-07-06 2021-07-06 S7comm protocol anomaly detection method and device

Publications (1)

Publication Number Publication Date
CN113259396A true CN113259396A (en) 2021-08-13

Family

ID=77190779

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110760845.0A Pending CN113259396A (en) 2021-07-06 2021-07-06 S7comm protocol anomaly detection method and device

Country Status (1)

Country Link
CN (1) CN113259396A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767640A (en) * 2015-03-25 2015-07-08 亚信科技(南京)有限公司 Early-warning method and system
US20180292792A1 (en) * 2017-04-07 2018-10-11 Fanuc Corporation Controller
CN109743339A (en) * 2019-03-22 2019-05-10 中国南方电网有限责任公司 The network security monitoring method and device of electric power plant stand, computer equipment
CN110456765A (en) * 2019-07-29 2019-11-15 北京威努特技术有限公司 Temporal model generation method, device and its detection method of industry control instruction, device
CN113055375A (en) * 2021-03-10 2021-06-29 华能国际电力股份有限公司 Power station industrial control system physical network oriented attack process visualization method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114189395A (en) * 2022-02-15 2022-03-15 北京安帝科技有限公司 Method and device for acquiring risk detection packet of PLC (programmable logic controller) attack stop
CN114189395B (en) * 2022-02-15 2022-06-28 北京安帝科技有限公司 Method and device for acquiring risk detection packet of PLC (programmable logic controller) attack stop

Similar Documents

Publication Publication Date Title
CN111881452B (en) Safety test system for industrial control equipment and working method thereof
WO2018217191A1 (en) Collection of plc indicators of compromise and forensic data
Awad et al. Tools, techniques, and methodologies: A survey of digital forensics for scada systems
CN110336808B (en) Attack tracing method and system for power industrial control network
CN109005162B (en) Industrial control system security audit method and device
CN111885210A (en) Cloud computing network monitoring system based on end user environment
CN111049827A (en) Network system safety protection method, device and related equipment
CN112612680A (en) Message warning method, system, computer equipment and storage medium
CN113114690A (en) Threat event identification method, device, equipment and storage medium
CN113259396A (en) S7comm protocol anomaly detection method and device
CN109743339B (en) Network security monitoring method and device for power plant station and computer equipment
CN117290803B (en) Energy storage inverter remote fault diagnosis method, system and medium
CN113645215A (en) Method, device, equipment and storage medium for detecting abnormal network traffic data
CN112565232B (en) Log analysis method and system based on template and flow state
CN111885064B (en) Security event analysis method and device based on multi-source data, electronic device and storage medium
CN115865630B (en) Network equipment fault diagnosis method and system based on deep learning
CN116723136A (en) Network data detection method applying FCM clustering algorithm
CN115618353A (en) Identification system and method for industrial production safety
CN116032581A (en) Network equipment security management method and electronic equipment
CN113010375B (en) Equipment alarm method and related equipment
CN114137894A (en) VPN-based PLC remote diagnosis system and technology
CN112416896A (en) Data abnormity warning method and device, storage medium and electronic device
Meng et al. SePanner: Analyzing Semantics of Controller Variables in Industrial Control Systems based on Network Traffic
CN117852893A (en) Engineering security risk detection method and system based on artificial intelligence technology
WO2024007615A1 (en) Model training method and apparatus, and related device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210813