CN113285917A - Method, equipment and architecture for protecting endogenous security boundary of industrial network - Google Patents

Method, equipment and architecture for protecting endogenous security boundary of industrial network

Info

Publication number
CN113285917A
Authority
CN
China
Prior art keywords
filtering
examination
data
heterogeneous
mimicry
Prior art date
Legal status
Pending
Application number
CN202110373816.9A
Other languages
Chinese (zh)
Inventor
余飞
魏强
耿洋洋
王允超
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202110373816.9A
Publication of CN113285917A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method, a device and a system for protecting the endogenous security boundary of an industrial network. The method comprises: monitoring and collecting the data traffic of the production management network through a network card, caching the traffic and distributing it to a plurality of heterogeneous filtering examination executors; using each filtering examination executor to filter and examine the addresses, protocols, industrial control protocols and control parameters in the traffic and to output an examination result; and performing mimicry arbitration on the examination results output by the heterogeneous filtering examination executors, deciding on the basis of the arbitration result whether to forward the traffic to the field control network, and screening out abnormal executors so as to dynamically schedule the executors performing filtering examination online and offline. Aimed at the security threats faced by industrial network boundary protection equipment, the invention combines mimicry defense technology to separate out the filtering examination function, and mitigates the uncertain threat posed by unknown vulnerabilities or backdoors in the boundary protection equipment through heterogeneous, redundant filtering examination executors.

Description

Method, equipment and architecture for protecting endogenous security boundary of industrial network
Technical Field
The invention belongs to the technical field of industrial network boundary protection, and in particular relates to a method, equipment and a system for protecting the endogenous security boundary of an industrial network.
Background
Industrial control systems are generally protected by boundary protection measures; under the trend toward digitalization, intelligence and networking, boundary protection equipment such as gateways and firewalls is exposed directly at the connection boundary. Industrial network boundary protection is an important line of defense for the industrial control system: it provides access control and traffic filtering for the connections between the zones of the industrial control network, and realizes both isolation and information exchange between networks of different security levels. However, vulnerabilities introduced during development cannot be avoided, backdoors reserved for strategic purposes are often hard to detect, and because boundary protection equipment is deployed statically, at large scale and for long periods in industrial control systems, the security of those systems is threatened. The self-security of conventional industrial network boundary protection equipment depends on accurate threat signatures, so it can only handle known risks and cannot handle unknown threats. The static nature of deployment, the similarity of protection logic and the uniformity of equipment leave the equipment permanently passive in network attack and defense. Some protective equipment for critical infrastructure may have unknown vulnerabilities or have backdoors implanted. Because industrial deployments are large, long-lived and rarely changed, the defensive gain from simple transformation methods can only diminish over time and cannot converge quickly.
Industrial network boundary protection technology mainly realizes end-to-end access control, protocol/command/control-parameter examination, detection of abnormal network behavior, protection against malicious host scanning, DoS protection, protection against man-in-the-middle deception and so on, and audits security events through protection logs and management logs. The general workflow can be simplified to an input-process-output (IPO) model, in which the filtering examination processing link is defined as a function executor. Vulnerabilities or backdoors in function executors may be scanned for, identified and exploited by attackers to launch network attacks along the attack chain described above. The boundary protection device sits at the network boundary, and its several network cards each monitor a different network. Any packet on either subnet may reach the boundary protection device and be passed through the operating system's protocol stack to the filtering examiner. The device is therefore attack-reachable from any machine on the networks on both sides (including upper computers, controllers and so on), and the attack surface is concentrated in the operating system's packet receive, transmit and forward paths and in the filtering examination program's processing of packets.
Because of the inherent static nature of the conventional architecture and configuration methods, existing boundary protection technology mainly focuses on strengthening static countermeasure capability. The main deficiency of industrial network boundary protection equipment is that it relies on accurate prior knowledge when defending against attack; the equipment remains in a fixed state for a long time after deployment, so an attacker can try attacks repeatedly, and once a flaw is found (for example, a forged but seemingly legitimate malicious payload escaping examination because of a defect in the filtering examination logic) it can be exploited continuously and effectively. The main threat is the possibility of implanted vulnerabilities or backdoors triggered by specific payloads, such as leaking industrial control information to the outside or delivering illegal control instructions into the internal network. The static nature of the equipment means that vulnerabilities or backdoors can be triggered effectively for a long time, the singularity of deployment means there is no point of comparison and problems are hard to perceive in time, and the similarity of equipment means that when one line of defense is breached the whole defense is breached.
Disclosure of Invention
Aimed at the security threats faced by industrial network boundary protection equipment, the filtering examination function is separated out by combining mimicry defense technology, and the uncertain threat posed by unknown vulnerabilities or backdoors in the boundary protection equipment is mitigated through heterogeneous, redundant filtering examination executors.
According to the design scheme provided by the invention, the method for protecting the endogenous security boundary of an industrial network comprises the following steps:
monitoring and collecting the data traffic of the production management network through a network card, caching the traffic and distributing it to a plurality of heterogeneous filtering examination executors;
using each filtering examination executor to filter and examine the addresses, protocols, industrial control protocols and control parameters in the traffic, and outputting an examination result;
and performing mimicry arbitration on the examination results output by the heterogeneous filtering examination executors, deciding on the basis of the arbitration result whether to forward the traffic to the field control network, and screening out abnormal executors so as to dynamically schedule the executors performing filtering examination online and offline.
In the method for protecting the endogenous security boundary of the industrial network, the plurality of heterogeneous filtering examination executors are isolated from one another and each independently performs filtering examination on the traffic it receives.
Further, when a filtering examination executor examines the traffic, the traffic is first preprocessed with a hash algorithm, and then the source and destination IP addresses, port numbers, MAC addresses, generic protocol parsing, industrial control protocol identification and control parameters in the traffic are checked.
Further, the filtering examination also comprises: for traffic that passes examination, choosing according to the current network condition whether to reconstruct the packet, so as to realize data transmission with the field control network.
Further, packet reconstruction comprises: modifying the negotiated MTU in the TCP handshake packets of the traffic, recalculating the checksum and padding the data.
Further, the examination results output by the filtering examination executors are first normalized to obtain examination result data in a consistent format; mimicry arbitration is then performed on the normalized result data by majority decision or by dynamic weighting, the final voting result determines whether the data is forwarded to the field control network, and abnormal executors are screened out.
Further, a plurality of functionally equivalent heterogeneous filtering examination executors are built from physical machines of different versions and different operating systems and placed in a heterogeneous executor pool; a plurality of heterogeneous filtering examination executors are dynamically selected from the pool for online filtering examination of traffic, and abnormal executors are taken offline, cleaned and returned to the heterogeneous executor pool.
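The distribute-examine-arbitrate-schedule loop described in the steps above, as an added Python simulation that is not part of the patent: several functionally equivalent filtering examination executors each return a normalized (action, reason) verdict for the same packet, the verdicts are arbitrated by majority decision or by dynamic weight, and an executor whose verdict disagrees with the arbitration result is taken offline for cleaning and replaced from a spare pool. The whitelist policy, the packet fields, the executor names and the "defective" executor (which simply omits the control-parameter range check, standing in for an unknown defect) are all constructed assumptions for illustration.

```python
"""Added example: mimicry (DHR) arbitration over heterogeneous filtering executors."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: str
    proto: str        # generic protocol, e.g. "tcp"
    func_code: int    # industrial-control function code in the payload
    param: int        # control parameter (e.g. a setpoint) to range-check

# Constructed whitelist shared by every executor (assumption, not from the patent).
POLICY = {
    "src": {"10.0.0.5": "aa:bb:cc:00:00:05"},   # source IP -> bound MAC
    "dst": {("192.168.1.10", 502)},              # allowed (IP, port)
    "proto": {"tcp"},
    "func": {3, 6, 16},
    "param_range": (0, 1000),
}

Verdict = Tuple[str, str]   # (action "forward"/"drop", reason)

def reference_check(pkt: Packet) -> Verdict:
    """Normalized verdict; a dropped packet is still reported, with its reason."""
    if pkt.src_ip not in POLICY["src"]:
        return "drop", "src-ip"
    if POLICY["src"][pkt.src_ip] != pkt.src_mac:
        return "drop", "mac-mismatch"
    if (pkt.dst_ip, pkt.dst_port) not in POLICY["dst"]:
        return "drop", "dst"
    if pkt.proto not in POLICY["proto"]:
        return "drop", "proto"
    if pkt.func_code not in POLICY["func"]:
        return "drop", "func-code"
    lo, hi = POLICY["param_range"]
    if not lo <= pkt.param <= hi:
        return "drop", "param-range"
    return "forward", "ok"

def defective_check(pkt: Packet) -> Verdict:
    """Constructed stand-in for an executor with an unknown defect: its
    control-parameter range check is missing; everything else is identical."""
    action, reason = reference_check(pkt)
    return ("forward", "ok") if reason == "param-range" else (action, reason)

@dataclass
class Executor:
    name: str
    check: Callable[[Packet], Verdict]
    weight: float = 1.0

class MimicryGateway:
    def __init__(self, online, spare, mode="majority"):
        self.online = list(online)  # executors currently examining traffic
        self.spare = list(spare)    # heterogeneous executor pool
        self.mode = mode            # "majority" or "weighted"
        self.audit = []             # per-packet verdicts kept for later analysis

    def arbitrate(self, verdicts) -> str:
        tally = Counter()
        for ex, (action, _) in verdicts:
            tally[action] += ex.weight if self.mode == "weighted" else 1
        best = max(tally.values())
        winners = [a for a, v in tally.items() if v == best]
        return winners[0] if len(winners) == 1 else "drop"   # tie: fail closed

    def schedule(self, anomalous):
        """Negative feedback: take the disagreeing executor offline for cleaning
        and re-initialization, and bring a spare online to keep redundancy."""
        for ex in anomalous:
            self.online.remove(ex)
            replacement = self.spare.pop(0) if self.spare else None
            ex.weight = 1.0                   # reset after offline cleaning
            self.spare.append(ex)
            if replacement is not None:
                self.online.append(replacement)

    def process(self, pkt: Packet):
        verdicts = [(ex, ex.check(pkt)) for ex in self.online]
        final = self.arbitrate(verdicts)
        anomalous = [ex for ex, (action, _) in verdicts if action != final]
        for ex, (action, _) in verdicts:      # dynamic weight update
            ex.weight = ex.weight * 0.5 if action != final else min(ex.weight + 0.1, 2.0)
        self.audit.append((pkt, [(ex.name, v) for ex, v in verdicts]))
        self.schedule(anomalous)
        return final, [ex.name for ex in anomalous]

def build_gateway(mode="majority") -> MimicryGateway:
    online = [Executor("A", reference_check), Executor("B", reference_check),
              Executor("C", defective_check), Executor("D", reference_check)]
    return MimicryGateway(online, [Executor("E", reference_check)], mode)

def demo():
    gw = build_gateway()
    ok = Packet("10.0.0.5", "192.168.1.10", 502, "aa:bb:cc:00:00:05", "tcp", 6, 500)
    bad = Packet("10.0.0.5", "192.168.1.10", 502, "aa:bb:cc:00:00:05", "tcp", 6, 5000)
    return gw.process(ok), gw.process(bad), [ex.name for ex in gw.online]

if __name__ == "__main__":
    print(demo())
```

The point to notice is in `reference_check`: an executor that would normally discard the packet silently still emits a verdict, which is what lets the voter detect the one executor that wrongly forwards the out-of-range setpoint. Ties are resolved by dropping, so a degraded online set never lets a packet through on a split vote.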
Further, the invention also provides an endogenous security boundary protection system for an industrial network, comprising a data collection module, a filtering examination module and a mimicry arbitration module, wherein:
the data collection module is used to monitor and collect the data traffic of the production management network through the network card, cache the traffic and distribute it to a plurality of heterogeneous filtering examination executors;
the filtering examination module is used to filter and examine the addresses, protocols, industrial control protocols and control parameters in the traffic by means of the filtering examination executors, and to output examination results;
and the mimicry arbitration module is used to perform mimicry arbitration on the examination results output by the heterogeneous filtering examination executors, to decide on the basis of the arbitration result whether to forward the traffic to the field control network, and to screen out abnormal executors so as to dynamically schedule the executors performing filtering examination online and offline.
Further, the invention provides an endogenous security boundary protection architecture for an industrial network, comprising a mimicry plug-in layer disposed between the operating system and the upper-layer application, the mimicry plug-in layer comprising a proxy plug-in unit, a mimicry voting unit, a dynamic scheduling unit and a perception decision unit, wherein:
the proxy plug-in unit serves as the first gateway through which traffic enters and leaves; it distributes received external packets to the plurality of heterogeneous filtering examination executors, feeds the executors' outputs back to the mimicry voting unit, and outputs the traffic approved by the mimicry voting unit;
the mimicry voting unit performs mimicry arbitration by comparing the output results of the plurality of heterogeneous filtering examination executors, and feeds the arbitration result back to the proxy plug-in unit and the perception decision unit;
the dynamic scheduling unit dynamically manages the executors performing online filtering examination in the heterogeneous executor pool according to a preset executor scheduling strategy;
and the perception decision unit performs environment perception by collecting abnormal state information during operation, identifies abnormal executors according to the arbitration result, and feeds the abnormal executor data back to the dynamic scheduling unit through a negative feedback mechanism.
Further, in the endogenous security boundary protection architecture of the industrial network, the dynamic scheduling unit comprises a controller connected to the proxy plug-in unit and the mimicry voting unit, and a scheduler connected to the controller; the controller selects the corresponding executor scheduling strategy according to the feedback data and performs dynamic scheduling operations on the online filtering examination executors through the scheduler, the executor scheduling strategies comprising at least a life-cycle-based re-initialization strategy and an offline cleaning strategy for abnormal executors.
The invention has the beneficial effects that:
The invention solves the problem of the self-security of network boundary protection equipment deployed at large scale and for long periods in industrial scenarios; it turns the static, similar and single characteristics of conventional boundary protection technology from passive to active, provides dynamism through scheduling without changing the original function, improves the accuracy of packet filtering examination through heterogeneous, redundant filtering examination executors, mitigates the uncertain threat posed by unknown vulnerabilities or backdoors in the boundary protection equipment, and has good application prospects.
Description of the drawings:
FIG. 1 is a schematic flow chart of an embodiment of the method for protecting the endogenous security boundary of an industrial network;
FIG. 2 is a schematic flow chart of data processing based on the DHR architecture in the embodiment;
FIG. 3 is a schematic diagram of an embodiment of the endogenous security boundary protection architecture for an industrial network;
FIG. 4 is a schematic diagram of the workflow of the endogenous security boundary protection architecture of an industrial network according to an embodiment.
The specific embodiments are as follows:
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions.
An embodiment of the invention provides a method for protecting the endogenous security boundary of an industrial network, shown in FIG. 1, which comprises the following:
S101, monitoring and collecting the data traffic of the production management network through a network card, caching the traffic and distributing it to a plurality of heterogeneous filtering examination executors;
S102, filtering and examining the addresses, protocols, industrial control protocols and control parameters in the traffic by means of the filtering examination executors, and outputting examination results;
S103, performing mimicry arbitration on the examination results output by the heterogeneous filtering examination executors, deciding on the basis of the arbitration result whether to forward the traffic to the field control network, and screening out abnormal executors so as to dynamically schedule the executors performing filtering examination online and offline.
Aimed at the security threats faced by industrial network boundary protection equipment, mimicry defense technology is combined, the filtering examination function is separated out, and the functional structure model of the boundary protection equipment is combined with the dynamic heterogeneous redundancy (DHR) architecture of mimicry defense. This solves the problem of the self-security of network boundary protection equipment deployed at large scale and for long periods in industrial scenarios, provides access control and traffic filtering for the connections between the zones of the industrial control network, and realizes isolation and information exchange between networks of different security levels.
As an embodiment of the method for protecting the endogenous security boundary of the industrial network, the plurality of heterogeneous filtering examination executors are isolated from one another and each independently performs filtering examination on the traffic it receives. Further, when a filtering examination executor examines the traffic, the traffic is first preprocessed with a hash algorithm, and then the source and destination IP addresses, port numbers, MAC addresses, generic protocol parsing, industrial control protocol identification and control parameters in the traffic are checked. Further, the filtering examination also comprises: for traffic that passes examination, choosing according to the current network condition whether to reconstruct the packet, so as to realize data transmission with the field control network. Further, packet reconstruction comprises: modifying the negotiated MTU in the TCP handshake packets of the traffic, recalculating the checksum and padding the data. Further, the examination results output by the filtering examination executors are first normalized to obtain examination result data in a consistent format; mimicry arbitration is then performed on the normalized result data by majority decision or by dynamic weighting, the final voting result determines whether the data is forwarded to the field control network, and abnormal executors are screened out.
Further, a plurality of functionally equivalent heterogeneous filtering examination executors are built from physical machines of different versions and different operating systems and placed in a heterogeneous executor pool; a plurality of heterogeneous filtering examination executors are dynamically selected from the pool for online filtering examination of traffic, and abnormal executors are taken offline, cleaned and returned to the heterogeneous executor pool.
Referring to FIG. 2, traffic received from the production management network is first passed through the input/output module of the mimicry plug-in to the executors in the runtime executor pool: after basic preprocessing it is distributed by the replication and distribution unit. Each filtering examination executor analyzes the packet content according to its own security rules and returns its result to the voting unit of the mimicry plug-in, which compares the executors' return values. The final result is obtained by majority decision or dynamic weighting, and the output proxy unit chooses according to the final voting result whether to forward the packet to the field control network F.
Further, based on the foregoing method, an embodiment of the invention also provides an endogenous security boundary protection system for an industrial network, comprising a data collection module, a filtering examination module and a mimicry arbitration module, wherein:
the data collection module is used to monitor and collect the data traffic of the production management network through the network card, cache the traffic and distribute it to a plurality of heterogeneous filtering examination executors;
the filtering examination module is used to filter and examine the addresses, protocols, industrial control protocols and control parameters in the traffic by means of the filtering examination executors, and to output examination results;
and the mimicry arbitration module is used to perform mimicry arbitration on the examination results output by the heterogeneous filtering examination executors, to decide on the basis of the arbitration result whether to forward the traffic to the field control network, and to screen out abnormal executors so as to dynamically schedule the executors performing filtering examination online and offline.
Further, based on the foregoing method, an embodiment of the invention also provides an endogenous security boundary protection architecture for an industrial network, comprising a mimicry plug-in layer disposed between the operating system and the upper-layer application, the mimicry plug-in layer comprising a proxy plug-in unit, a mimicry voting unit, a dynamic scheduling unit and a perception decision unit, wherein:
the proxy plug-in unit serves as the first gateway through which traffic enters and leaves; it distributes received external packets to the plurality of heterogeneous filtering examination executors, feeds the executors' outputs back to the mimicry voting unit, and outputs the traffic approved by the mimicry voting unit;
the mimicry voting unit performs mimicry arbitration by comparing the output results of the plurality of heterogeneous filtering examination executors, and feeds the arbitration result back to the proxy plug-in unit and the perception decision unit;
the dynamic scheduling unit dynamically manages the executors performing online filtering examination in the heterogeneous executor pool according to a preset executor scheduling strategy;
and the perception decision unit performs environment perception by collecting abnormal state information during operation, identifies abnormal executors according to the arbitration result, and feeds the abnormal executor data back to the dynamic scheduling unit through a negative feedback mechanism.
Referring to FIG. 3, two layers are built on top of the operating system of the industrial network boundary protection device. The physical machine runs Ubuntu 20.04 as its operating system and VMware workbench Pro as its virtualization software, and Ubuntu 16.04, Ubuntu 20.04, CentOS 7 and Manjaro 18.04 are used as the executor operating systems virtualized on the x86 physical machine. The upper-layer boundary protection application programs are written in C, C++, Python and other languages and also differ in their filtering examination logic. The input/output module, the mimicry arbitration module and the other components of the mimicry plug-in set are likewise realized with virtualization technology and run on the Ubuntu 20.04 operating system. In this way an endogenous security boundary protection device for an industrial network with four functionally equivalent heterogeneous executors is constructed. On the basis of the DHR architecture, heterogeneous redundant filtering examination executors are introduced in the filtering examination link; an input proxy is introduced to distribute packets, mimicry arbitration is introduced to decide the output result, the arbitration result is fed back to the dynamic scheduling module through a negative feedback controller to realize dynamic scheduling of the executors and their cleaning and recovery, and an output proxy is introduced to complete the final output.
The mimicry plug-in comprises an input distribution and output unit, a mimicry voting unit, a dynamic scheduling unit and a perception decision unit. The input/output unit is responsible for direct communication with the networks at both ends: it receives and forwards through the network cards the packets that need to be ferried to the other side, and maintains a buffer queue to mitigate DoS attacks. The mimicry voting unit receives only the outputs of the executors; because each executor runs independently and at a different processing speed, the voting unit must establish an isolated communication channel to each executor, create a cache for each channel, and report each voting result to the decision control unit. The perception decision unit records and analyzes the voting results of the mimicry voter and triggers the corresponding decision action according to the configured strategy. The dynamic scheduler changes, cleans and restores the executor pool by changing the flow of data distribution and issuing online/offline instructions.
The industrial network boundary protection device, in which each heterogeneous filtering examination executor may connect two different subnets, is generally divided in its processing logic into two modules, S1 and S2. The S1 module is connected to the production management network M and the S2 module to the field control network F. A packet received from the production management network M first undergoes filtering examination in S1, which includes but is not limited to the source and destination IP addresses, port numbers, MAC addresses, generic protocol parsing, industrial control protocol identification and control parameter examination. If the examination is passed, the packet is cleaned and sent to the S2 module for processing; S2 chooses according to the current network conditions whether to reconstruct the packet, for example by modifying the negotiated MTU of the TCP handshake packet, and forwards the packet to the field control network F after recalculating the checksum and padding.
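The packet reconstruction step performed by S2 (and listed earlier under packet reconstruction), as an added Python example that is not part of the patent: the segment size negotiated in a TCP handshake is carried in the MSS option of the SYN segment, so clamping it to what the field-side link can carry means rewriting that option and recomputing the TCP checksum over the pseudo-header and segment. The IPv4/TCP SYN below is constructed inline (addresses, ports and the `clamp_mss` function name are assumptions); the parser walks the option list defensively so a malformed zero-length option cannot loop forever, and only SYN segments are touched, since MSS is meaningless elsewhere.

```python
"""Added example: clamp the TCP MSS option of a SYN and recompute the checksum."""
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def ipv4_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def tcp_pseudo_header(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[12:20] + b"\x00\x06" + struct.pack("!H", len(pkt) - ihl)

def fix_tcp_checksum(pkt: bytes) -> bytes:
    """Recompute the TCP checksum of an IPv4 packet (IP header is left as is)."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = bytearray(pkt[ihl:])
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", checksum(tcp_pseudo_header(pkt) + bytes(seg)))
    return pkt[:ihl] + bytes(seg)

def verify_tcp_checksum(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(tcp_pseudo_header(pkt) + pkt[ihl:]) == 0xFFFF

def build_syn(src_ip, dst_ip, sport, dport, mss) -> bytes:
    """Constructed IPv4 + TCP SYN carrying a single MSS option (kind 2, len 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, doff << 4, 0x02, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipv4_to_bytes(src_ip), ipv4_to_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return fix_tcp_checksum(ip + tcp)

def tcp_options(pkt: bytes):
    """Yield (offset_in_packet, kind, length); stops on EOL or a malformed length."""
    ihl = (pkt[0] & 0x0F) * 4
    end = ihl + (pkt[ihl + 12] >> 4) * 4
    i = ihl + 20
    while i < end:
        kind = pkt[i]
        if kind == 0:                 # end of option list
            return
        if kind == 1:                 # NOP
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2:
            return                    # truncated or zero-length option
        length = pkt[i + 1]
        yield i, kind, length
        i += length

def get_mss(pkt: bytes):
    for off, kind, length in tcp_options(pkt):
        if kind == 2 and length == 4:
            return struct.unpack("!H", pkt[off + 2:off + 4])[0]
    return None

def clamp_mss(pkt: bytes, max_mss: int):
    """Return (packet, changed). Non-TCP and non-SYN packets are returned untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or not (pkt[ihl + 13] & 0x02):
        return pkt, False
    for off, kind, length in tcp_options(pkt):
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if mss > max_mss:
                new = pkt[:off + 2] + struct.pack("!H", max_mss) + pkt[off + 4:]
                return fix_tcp_checksum(new), True
    return pkt, False

if __name__ == "__main__":
    syn = build_syn("10.0.0.5", "192.168.1.10", 40000, 502, 1460)
    out, changed = clamp_mss(syn, 1400)
    print(get_mss(syn), get_mss(out), changed, verify_tcp_checksum(out))
```

Because only the TCP payload area changes and the total length stays the same, the IP header checksum does not need to be recomputed here; a reconstruction that also pads or truncates the segment would have to update the IP total length and its checksum as well.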
In order to match the mechanism of the mimicry voting, the processing logic of the conventional industrial network boundary protection device needs to be properly modified, so that the result of the filtering examination is transmitted to the mimicry voter in a normalized manner, rather than just selecting forwarding or discarding. The emphasis of the modification is on the processing of packets that do not meet the security rules, since the default case is to choose to discard, which results in no input from the mimicry voter and no voting. When the modified filtering examination executive body processes the data packets which do not accord with the safety rules, the reformed filtering examination executive body also reports necessary information to the voter and provides the basis for judgment. For the filtering examination executive body constructed by the virtual machine, the data can be flexibly checked, the structural logic sequence of the check can be adjusted, and only the unified input and output interface and the consistent report information format are required to be kept with other executive bodies.
As an embodiment of the invention, the endogenous security boundary protection architecture further includes a controller connected to the agent plug-in unit and the mimicry voting unit, and a scheduler connected to the controller. The controller selects an executive scheduling strategy according to the feedback data and, through the scheduler, dynamically schedules the online filtering examination executives. The scheduling strategies include at least a lifecycle-based re-initialization strategy and an offline cleaning strategy for abnormal executives.
In this embodiment, referring to Fig. 4, the input agent performs basic DoS protection up front and buffers the packets captured from the network card before distributing them to the selected heterogeneous executives; each executive filters and examines the packets it receives and outputs an examination result; the several outputs are arbitrated by the mimicry voter, after which the output agent discards or emits the packet; and the arbitration result is fed back to the scheduling control component through a negative feedback mechanism, giving it awareness of each executive's operating state so that it can schedule the executives according to the configured strategy. The input/output agent unit is the entry point for packets into the system, and its role is mainly as follows:
1) Moving the DoS attack surface forward. As the first gateway a packet must pass, the input agent plug-in moves the DoS attack surface away from the executives. On the one hand, malicious DoS traffic can be blocked there, reducing both the threat to and the performance overhead of the internal functional executives; on the other hand, statistical analysis at this point provides early warning.
2) Distributing packets. The input agent distributes each received external packet to several heterogeneous functional executives for processing. The channels between the input/output agent and the individual executives are isolated from one another, so no communication path exists between executives and each executive's processing remains independent.
3) Normalizing the output. The mimicry arbitration unit arbitrates over the passing packets, and the output agent performs any necessary processing on the packet that passes before emitting it.
The mimicry arbitration unit takes the output vectors of the several heterogeneous executives as input, arbitrates by comparing their contents, detects abnormal internal functional executives and, where necessary, triggers the corresponding handling through the negative feedback mechanism. Packets received by an industrial network boundary guard can be long and should in principle not be modified during filtering examination, so packet information is preprocessed with a hash function (MD5 is given here as an example) and the arbiter compares digests rather than full packets, reducing the overhead of arbitrating the output of each executive. Since the digest stands in for the packet during arbitration, a collision-resistant function such as SHA-256 is the safer choice in a new implementation; MD5 is no longer collision-resistant.
The dynamic scheduling unit manages the heterogeneous executive pool and, according to the scheduling strategy specified by the decision unit, brings executives online, takes them offline for cleaning, re-initializes them and so on. Dynamic scheduling can be realized by controlling the start and termination of the filtering examination executives and of their communication channels with the input/output unit. The heterogeneous executive pool is a set of functionally equivalent heterogeneous executives, which in this patent means the set of filtering examination executives of the industrial network boundary guard device. Their diversity gives the device strong intrusion tolerance, and because they are isolated and cannot communicate with one another, the independence of their operation is reinforced.
The perception and decision control unit defines the preprocessing mechanism of the input/output agent, the packet distribution method, the arbitration algorithm, the scheduling strategy and so on. It collects abnormality and state information from many points during system operation in order to sense the system environment, screens out abnormal executives on the basis of the mimicry arbitration result, and realizes active defence through the negative feedback mechanism. On this basis the scheme addresses the self-security problem of boundary protection equipment deployed for long periods in industrial settings: the static, homogeneous and single-point character of conventional boundary protection becomes an active one; scheduling provides dynamism without changing the original function; heterogeneous, redundant filtering examination executives improve correctness; the uncertain threat posed by unknown vulnerabilities or backdoors in the boundary protection equipment is mitigated; and the security of the industrial control system is improved.
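The arbitration and negative-feedback loop described above (the mimicry voter comparing executive outputs, the perception and decision unit screening abnormal executives, and the scheduler taking them offline for cleaning and re-initialization), as an added example rather than the patent's code. It assumes that each executive emits a normalized report consisting of a packet digest, a verdict and a reason code (the block defines that report shape itself so it runs on its own); the executive names, the spare pool, the weight decay and the thresholds are constructed. With equal weights the vote is plain majority voting; the weights implement the dynamic-weight variant named in claim 6.

```python
"""Mimicry arbitration with negative-feedback scheduling of executives.

Added illustration, not the patent's code. Every heterogeneous filtering
examination executive is assumed to emit a normalized report (packet
digest, verdict, reason code); executive names, the spare pool and the
weight thresholds are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Report:
    executor: str
    digest: str    # hash of the reviewed packet
    verdict: str   # "forward" | "drop"
    reason: str    # stable reason code


@dataclass
class Executor:
    name: str
    weight: float = 1.0     # dynamic weight, adjusted by feedback
    state: str = "online"   # online | cleaning | ready
    disagreements: int = 0


@dataclass
class Arbiter:
    online: dict = field(default_factory=dict)  # name -> Executor reviewing traffic
    pool: list = field(default_factory=list)    # reinitialised spares, ready to go online
    min_weight: float = 0.4
    max_disagreements: int = 2

    def vote(self, reports):
        """Weighted mimicry vote over (digest, verdict, reason) tuples.

        With equal weights this is majority voting. A differing digest counts
        as dissent exactly like a differing verdict: the executive either
        reviewed a different packet or misreported it. Without a weighted
        majority the guard fails closed and drops the packet, since nothing
        authoritative says it is safe to forward to the field network.
        """
        tallies = defaultdict(float)
        for r in reports:
            ex = self.online.get(r.executor)
            if ex is None:          # stale report from an executive already offline
                continue
            tallies[(r.digest, r.verdict, r.reason)] += ex.weight
        if not tallies:
            return "drop", []
        total = sum(tallies.values())
        winner, score = max(tallies.items(), key=lambda kv: kv[1])
        if score * 2 <= total:
            return "drop", []       # no consensus: blame cannot be attributed
        dissenters = [r.executor for r in reports
                      if r.executor in self.online
                      and (r.digest, r.verdict, r.reason) != winner]
        return winner[1], dissenters

    def feedback(self, dissenters):
        """Negative feedback: demote dissenters, let agreeing executives recover,
        and hand persistent dissenters to the scheduler. Returns names replaced."""
        replaced = []
        for name, ex in list(self.online.items()):
            if name in dissenters:
                ex.weight *= 0.5
                ex.disagreements += 1
                if ex.weight < self.min_weight or ex.disagreements >= self.max_disagreements:
                    replaced.append(self.replace(name))
            else:
                ex.weight = min(1.0, ex.weight + 0.1)
        return replaced

    def replace(self, name):
        """Offline-cleaning strategy: take the executive offline, bring a spare
        online, and return the cleaned executive to the pool reinitialised."""
        bad = self.online.pop(name)
        bad.state = "cleaning"
        if self.pool:
            spare = self.pool.pop(0)
            spare.state = "online"
            self.online[spare.name] = spare
        self.pool.append(Executor(bad.name, state="ready"))  # fresh weight and counters
        return bad.name

    def process(self, reports):
        decision, dissenters = self.vote(reports)
        return decision, dissenters, self.feedback(dissenters)


def demo():
    """Three online executives and one spare; exec-C keeps passing a packet
    that A and B reject and is scheduled offline after its second dissent."""
    arb = Arbiter(online={n: Executor(n) for n in ("exec-A", "exec-B", "exec-C")},
                  pool=[Executor("exec-D", state="ready")])
    digest = "ab" * 32   # constructed: all three reviewed the same packet
    reports = [Report("exec-A", digest, "drop", "VALUE_OUT_OF_RANGE"),
               Report("exec-B", digest, "drop", "VALUE_OUT_OF_RANGE"),
               Report("exec-C", digest, "forward", "OK")]
    first = arb.process(reports)
    second = arb.process(reports)
    return first, second, sorted(arb.online), [e.name for e in arb.pool]


if __name__ == "__main__":
    print(demo())
```

The fail-closed rule on missing consensus is a design choice for a guard in front of a field control network: a packet no majority vouches for is not forwarded. The lifecycle re-initialization strategy from the text can reuse `replace()` on a timer, rotating healthy executives through cleaning so that a dormant backdoor does not get to stay online indefinitely.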
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing system, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the system, the embodiment of the invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the system embodiment, and for the sake of brief description, reference may be made to the corresponding content in the system embodiment for the part where the device embodiment is not mentioned.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing system embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative; for example, the division into units is only one logical division, and other divisions are possible when actually implemented, for example a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be electrical, mechanical or of other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the system according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present invention, used to illustrate the technical solutions of the present invention and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can modify, or easily conceive of changes to, the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features, within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An endogenous security boundary protection method for an industrial network, characterized by comprising the following steps:
monitoring and collecting production management network data traffic through a network card, caching the data traffic and distributing it to a plurality of heterogeneous filtering examination executives;
using the filtering examination executives to filter and examine the addresses, protocols, industrial control protocols and control parameters in the data traffic, and outputting examination results;
and performing mimicry arbitration on the examination results output by the heterogeneous filtering examination executives, determining on the basis of the mimicry arbitration result whether to forward the data traffic to the field control network, and screening out abnormal executives so as to dynamically schedule the online and offline status of the executives that perform filtering examination on the data traffic.
2. The endogenous security boundary protection method of an industrial network according to claim 1, characterized in that the plurality of heterogeneous filtering examination executives are isolated from one another and independently perform filtering examination of the data traffic they receive.
3. The method according to claim 1, wherein, in filtering and examining the data traffic, a filtering examination executive first preprocesses the data traffic with a hash algorithm and then checks the source and destination IP addresses, port numbers, MAC addresses, generic protocol parsing, industrial control protocol identification and control parameters in the data traffic.
4. The endogenous security boundary protection method of the industrial network according to claim 1 or 3, wherein the filtering examination further comprises: for data traffic that passes the examination, selecting according to current network conditions whether to reconstruct the data packet, so as to realize data transmission to the field control network.
5. The method according to claim 4, wherein the packet reconstruction comprises: modifying the MTU negotiated in the TCP handshake packets of the data traffic, recalculating the checksum and padding the data.
6. The method for protecting the endogenous security boundary of the industrial network according to claim 4, wherein the examination results output by the filtering examination executives are first normalized to obtain examination result data of consistent format; mimicry arbitration is then performed on the normalized examination result data by majority voting or dynamic weighting, the final voting result determines whether the data is forwarded to the field control network, and abnormal executives are screened out.
7. The endogenous security boundary protection method of the industrial network according to claim 1, characterized in that a plurality of functionally equivalent heterogeneous filtering examination executives are built from physical machines of different versions and different operating systems and placed in a heterogeneous executive pool; a plurality of heterogeneous filtering examination executives are dynamically selected from the heterogeneous executive pool for online filtering examination of the data traffic, and abnormal executives that are taken offline are cleaned so that the heterogeneous executive pool is restored to its defensive state.
8. An endogenous security boundary guard of an industrial network, comprising a data collection module, a filtering examination module and a mimicry arbitration module, wherein
the data collection module is used to monitor and collect the production management network data traffic through the network card, cache the data traffic and distribute it to a plurality of heterogeneous filtering examination executives;
the filtering examination module is used to filter and examine, by means of the filtering examination executives, the addresses, protocols, industrial control protocols and control parameters in the data traffic and to output examination results;
and the mimicry arbitration module is used to perform mimicry arbitration on the examination results output by the heterogeneous filtering examination executives, to determine on the basis of the mimicry arbitration result whether to forward the data traffic to the field control network, and to screen out abnormal executives so as to dynamically schedule the online and offline status of the executives that perform filtering examination on the data traffic.
9. An endogenous security boundary guard architecture for an industrial network, comprising a mimicry plug-in layer disposed between the operating system and the upper-layer application, the mimicry plug-in layer comprising an agent plug-in unit, a mimicry voting unit, a dynamic scheduling unit and a perception decision unit, wherein
the agent plug-in unit serves as the first gateway for data traffic entering and leaving, distributes the received external data packets to a plurality of heterogeneous filtering examination executives, feeds the outputs of the heterogeneous filtering examination executives to the mimicry voting unit, and outputs the data traffic approved by the mimicry voting unit;
the mimicry voting unit performs mimicry arbitration by comparing the output results of the plurality of heterogeneous filtering examination executives, and feeds the arbitration result back to the agent plug-in unit and the perception decision unit;
the dynamic scheduling unit dynamically manages the executives performing online filtering examination in the heterogeneous executive pool according to a preset executive scheduling strategy;
and the perception decision unit performs environment perception by collecting abnormal state information during operation, identifies abnormal executives according to the arbitration result, and feeds the data on abnormal executives back to the dynamic scheduling unit through a negative feedback mechanism.
10. The endogenous security boundary guard architecture of an industrial network according to claim 9, characterized in that the dynamic scheduling unit comprises a controller connected to the agent plug-in unit and the mimicry voting unit, and a scheduler connected to the controller; the controller selects an executive scheduling strategy according to the feedback data and, through the scheduler, dynamically schedules the online filtering examination executives, wherein the executive scheduling strategies include at least a lifecycle-based re-initialization strategy and an offline cleaning strategy for abnormal executives.
CN202110373816.9A 2021-04-07 2021-04-07 Method, equipment and architecture for protecting endogenous security boundary of industrial network Pending CN113285917A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110373816.9A CN113285917A (en) 2021-04-07 2021-04-07 Method, equipment and architecture for protecting endogenous security boundary of industrial network

Publications (1)

Publication Number Publication Date
CN113285917A (en) 2021-08-20

Family

ID=77276402

Country Status (1)

Country Link
CN (1) CN113285917A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170201548A1 (en) * 2016-01-08 2017-07-13 Secureworks Holding Corporation Systems and Methods for Security Configuration
CN109587168A (en) * 2018-12-29 2019-04-05 河南信大网御科技有限公司 Network function dispositions method based on mimicry defence in software defined network
CN111181926A (en) * 2019-12-13 2020-05-19 中国人民解放军战略支援部队信息工程大学 Security device based on mimicry defense idea and operation method thereof
CN111478970A (en) * 2020-04-13 2020-07-31 国网福建省电力有限公司 Power grid Web application mimicry defense system
CN111628979A (en) * 2020-05-21 2020-09-04 河南信大网御科技有限公司 Protocol-state-free ring mimicry architecture, defense method and readable storage medium
CN112019557A (en) * 2020-09-02 2020-12-01 北京天融信网络安全技术有限公司 Data processing method and device
CN112242923A (en) * 2020-09-15 2021-01-19 中国人民解放军战略支援部队信息工程大学 System and method for realizing unified data management network function based on mimicry defense

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
He Yi et al., "Research on Mimic Defense Systems for the Internet of Vehicles" (车联网拟态防御系统研究), Journal of Information Security Research (信息安全研究) *
Hu Hongchao, Chen Fucai, Wang Zhenpeng, "Discussion of Several Issues and Performance Evaluation of the Mimic Defense DHR Model" (拟态防御DHR模型若干问题探讨和性能评估), Journal of Cyber Security (信息安全学报) *
Ma Weiju, "Cyberspace Security Enters the Era of Dynamic Defense" (网络空间安全进入动态防御时代), Modern Military (现代军事) *
Ma Hailong et al., "A Router Mimic Defense Architecture Based on a Dynamic Heterogeneous Redundancy Mechanism" (基于动态异构冗余机制的路由器拟态防御体系结构), Journal of Cyber Security (信息安全学报) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363051B (en) * 2021-12-31 2023-07-21 河南信大网御科技有限公司 Mimicry switch and mimicry system internal one-way communication method
CN114363051A (en) * 2021-12-31 2022-04-15 河南信大网御科技有限公司 Mimic switch and mimic system internal one-way communication method
CN114363048A (en) * 2021-12-31 2022-04-15 河南信大网御科技有限公司 Mimicry unknown threat discovery system
CN114915450A (en) * 2022-04-06 2022-08-16 中国人民解放军战略支援部队信息工程大学 Stream type mimicry judging device and method
CN114915450B (en) * 2022-04-06 2023-06-02 中国人民解放军战略支援部队信息工程大学 Stream mimicry judging device and method
CN115225311A (en) * 2022-05-20 2022-10-21 中国人民解放军战略支援部队信息工程大学 Mimic bracket ciphertext proxy method and system based on openSSL transformation
CN115225311B (en) * 2022-05-20 2023-07-21 中国人民解放军战略支援部队信息工程大学 Pseudo bracket ciphertext proxy method and system based on openSSL transformation
CN115720182A (en) * 2022-11-18 2023-02-28 国网江苏省电力有限公司信息通信分公司 Mimicry transformation method, device and system of Ethernet gateway
CN116455654A (en) * 2023-04-26 2023-07-18 之江奇安科技有限公司 Security reinforcement method and device for business information system based on endophytic security
CN116455654B (en) * 2023-04-26 2024-05-28 之江奇安科技有限公司 Security reinforcement method, device and equipment for business information system based on endophytic security and readable storage medium
CN116880905A (en) * 2023-09-08 2023-10-13 之江实验室 Data storage method and device, storage medium and electronic equipment
CN116880905B (en) * 2023-09-08 2024-01-09 之江实验室 Data storage method and device, storage medium and electronic equipment
CN117221014A (en) * 2023-11-08 2023-12-12 之江实验室 Network node operating system configuration data endogenous safety protection method
CN117221014B (en) * 2023-11-08 2024-01-26 之江实验室 Network node operating system configuration data endogenous safety protection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210820