CN113534731B - Download data security analysis system and method based on industrial control - Google Patents

Abstract

The invention discloses a download data safety analysis system and method based on industrial control, which comprises a download process control monitoring module, a download process flow processing module, a download program model construction module and a central processing module; the downloading flow control monitoring module monitors the flow in the PLC operation control process by setting monitoring points and detecting, so as to analyze whether the flow in the control process is abnormal or not; the downloading flow processing module decomposes and analyzes the difference between the obtained monitoring point flow and the flow detected in the PLC operation control process according to the time dimension, and judges whether the flow difference contains abnormal flow; the downloading program model building module simulates a program corresponding to the detected flow difference in a model so as to analyze whether the equipment is abnormally operated; compared with the method that the program is directly put into the digital twin for simulation, the method reduces steps and complex comparison results during digital twin analysis and improves the precision of the analysis process.

Description

Download data security analysis system and method based on industrial control

Technical Field

The invention relates to the technical field of industrial control, in particular to a downloading data security analysis system and method based on industrial control.

Background

The industrial control system, the technology of the traditional control field is undergoing a revolution, and the industrial control system comprises three control systems at present, specifically PLC, DCS and FCS control system technologies; the PLC control technology is an electronic system for digital operation and is specially designed for industrial control environment, is mainly controlled by the sequence of industrial control, and is a very novel technology;

the downloading behavior of the industrial controller refers to that the collected data logs are specially modeled and monitored in real time; in the PLC control system, the downloading instruction is specifically to copy a program into equipment, and the program enters the interior of the PLC through downloading of the program, so that the equipment parts are machined; when the program runs, log data can monitor the flow consumed during downloading, and whether a plug-in program corresponding to abnormal flow runs in the program is judged, so that the abnormal execution step of the equipment is caused; because the flow rate is often present in a manner similar to the flow rate of the running program of the equipment in the log monitoring, the log data is difficult to detect the corresponding program; therefore, abnormal flow needs to be split and compared, and then simulation is carried out through digital twinning, so that the accuracy of identifying an abnormal program is improved, and the influence on equipment is reduced;

therefore, a system and a method for analyzing the safety of downloaded data based on industrial control are needed to solve the above problems.

Disclosure of Invention

The invention aims to provide a download data security analysis system and method based on industrial control, so as to solve the problems in the background technology.

In order to solve the technical problems, the invention provides the following technical scheme: a download data security analysis system based on industrial control comprises a download process control monitoring module, a download process flow processing module, a download program model building module and a central processing module;

the downloading flow control monitoring module monitors the flow in the PLC operation control process by setting monitoring points and detecting, so as to analyze whether the flow in the control process is abnormal or not;

the downloading flow processing module is used for decomposing and analyzing the difference between the obtained monitoring point flow and the flow detected in the PLC operation control process according to the time dimension and judging whether the flow difference contains abnormal flow or not;

the downloading program model building module simulates a program corresponding to the detected flow difference in a model and analyzes whether the equipment is abnormally operated;

the central processing module is used for processing the connection relation between the modules;

the output ends of the downloading flow control monitoring module, the downloading flow processing module and the downloading program model building module are connected with the input end of the central processing module.

Furthermore, the downloading process control monitoring module comprises a data storage unit, a probe monitoring unit, an active monitoring point setting unit and a data comparison unit;

the data storage unit acquires a program for running operation on the PLC and records the operation and operation of the equipment at different moments;

the detection needle monitoring unit is used for acquiring and analyzing the flow monitored by the detection needle, wherein the flow refers to the flow corresponding to different moments in the downloading step;

the active monitoring point setting unit is used for acquiring and analyzing the flow monitored by the active monitoring point, wherein the flow refers to the flow monitored by the probe and the flow consumed by the probe during monitoring;

the data comparison unit analyzes whether the difference between the flow monitored in the active monitoring point setting unit and the flow in the probe monitoring unit is equal to the flow consumed by the probe during monitoring;

the output end of the data comparison unit is connected with the input end of the data storage unit, the input end of the probe monitoring unit and the input end of the active monitoring point setting unit.

Furthermore, the downloading flow processing module comprises a data decomposition unit, a data analysis unit and a data extraction simulation unit;

the data decomposition unit is used for decomposing the flow difference according to the same time dimension when detecting that the comparison result of the data comparison unit is not equal to the electric quantity consumed by the probe in the monitoring process, obtaining the decomposed flow and storing the flow in the data storage unit;

the data analysis unit is used for analyzing the flow decomposed according to different time periods and the flow in the downloading process and judging whether the flow in the downloading process has the flow with high similarity to the flow after decomposition;

and the data extraction simulation unit extracts the program corresponding to the high flow similarity and operates in the model.

Further, the downloading program model building module comprises a downloading instruction dimension starting unit, a downloading instruction dimension ending unit, an operation step positioning unit, an equipment operation abnormity recording unit, an equipment operation influence judging unit and a data marking processing unit;

the downloading instruction dimension starting unit is used for recording the time of starting operation of the program extracted from the downloading flow processing module in the model;

the downloading instruction dimension ending unit is used for recording the time of ending the operation of the extracted program in the downloading flow processing module in the model;

the operation step positioning unit is used for acquiring each step of the equipment in the operation running process, positioning the steps and establishing a digital twin model;

the device operation abnormity recording unit is used for comparing operation steps of the device in different time periods in the digital twin model with actual operation steps and analyzing whether the operation steps are abnormal or not;

the equipment operation influence judging unit is used for judging the influence degree of the accuracy of the equipment operation step on the subsequent step and giving an early warning prompt when the abnormality of the operation step is detected;

the data marking processing unit is used for acquiring the abnormal programs and marking and recording the abnormal programs;

the input ends of the downloading instruction dimension starting unit, the downloading instruction dimension ending unit, the operation step positioning unit, the equipment operation abnormity recording unit and the equipment operation influence judging unit are connected with the output end of the data marking processing unit.

The PLC downloading process specifically comprises: program input, program compilation, program execution, and device execution.

A download data security analysis method based on industrial control specifically comprises the following steps:

step 1: monitoring the corresponding flow in the running process of the downloading instruction by using a probe;

step 2: setting monitoring points to monitor the consumed flow of the probe and the flow of the probe during monitoring;

and step 3: judging whether the absolute value of the flow difference between the step two and the step one is equal to the flow consumed by the probe; when the absolute value of the flow difference is detected to be equal to the flow consumed by the probe, the current flow is expressed as normal consumption flow; when the absolute value of the flow difference is not equal to the flow consumed by the probe, the current flow is represented as abnormal flow, and the step four is skipped;

and 4, step 4: decomposing the flow in the first step and the flow in the second step according to the flow corresponding to the same time period, and analyzing whether the flow is the same or not; when the flow after decomposition is detected to be different, changing the time length to decompose the flow; when the decomposed flows are detected to be the same, jumping to the fifth step;

and 5: acquiring equipment data, establishing a digital twin model, and respectively operating a program corresponding to the decomposed flow on the model and equipment corresponding to the PLC;

step 6: running the program corresponding to the decomposed flow on the digital twin model and the equipment respectively, and analyzing the consistency of the execution steps; when the execution steps are consistent, deleting the repeated program; and when the execution steps are detected to be inconsistent, recording and marking the program corresponding to the abnormal flow.

Further, in step 6, the consistency of the execution steps is analyzed, specifically as follows:

step 601: acquiring the starting time of the downloading execution process, and recording the starting time as t_oAcquiring the end time of the downloading execution process, and recording as t_j；

Step 602: acquiring coordinates (x, y, z) and (a, b, c) when the equipment and the model operate, wherein the coordinates (x, y, z) and (a, b, c) respectively refer to comparing steps when the equipment and the model operate based on the length, the width and the height of an operation platform;

step 603: and when the equipment operation step is consistent with the model operation step, deleting the repeated program, and when the equipment operation step is detected to be inconsistent with the model operation step, analyzing the Euclidean distance between the coordinates to judge the accuracy and the influence degree on the later-stage coordinates.

In the step 4, the loss flow of the probe monitoring downloading instruction in the operation process is Q, the flow monitored by the monitoring point is P, the difference between the loss flow Q of the probe monitoring downloading instruction in the operation process and the flow monitored by the monitoring point is set as W, and the flow P monitored by the monitoring point and the flow difference W are decomposed into two sets according to the same time period, wherein the specific set is P ═ { P ═₁,p₂,p₃，...,p_nW ═ W₁,w₂,w₃,...w_nN is time n;

monitoring the flow in the consumed flow P and the flow difference W by traversing the monitoring points in the same time period, and analyzing the condition W met by the flows in different time periods_k-p_cWhen detecting that no similar flow exists in a single period of time, further combining the time points to judge the conditions met by the flow, and analyzing the conditions met by the flow in the combined time period

[w_i+w_i+1+...+w_i+m]-[p_v+p_v+1+...+p_v+m]When the flow rate meets the condition, simulating the operation in the equipment;

wherein, w_k、w_i、w_i+1And w_i+mThe flow difference time periods k, i +1 and i + m correspond to the flow consumed in the downloading process;

p_c、p_v、p_v+1and p_v+mIt means that the monitoring points monitor the consumed flow in time periods c, v +1 and v + m.

Similar flow rates are respectively operated in the model and the actual equipment, and the coordinate set of the program operated in different time periods of the digital twin model is obtained as F { (x)₁，y₁，z₁)、(x₂，y₂，z₂)、(x₃，y₃，z₃)...(x_n，y_n，z_n) Acquiring a coordinate set of the program in different time periods in the actual equipment, wherein the coordinate set is D { (a)₁,b₁,c₁)、(a₂,b₂,c₂)、

(a₃,b₃,c₃)...(a_n,b_n,c_n)}；

Intercepting two coordinates of equipment in the same time period in the operation step;

a distance of

When the first movement distance d of the equipment is detected_F,DWhen the error is smaller than the standard error, the error does not influence the later steps;

when the first movement distance d of the equipment is detected_F,DGreater than the standard error; analyzing the influence degree of the first equipment movement on the later movement steps as

Wherein a is_iRefers to the number of times, k, that the device shifts during movement_iThe influence coefficient when the equipment moves is referred to, u is the total number of steps moved when the equipment operates, and H is the influence degree;

and marking the exception of the program corresponding to the equipment with the influence degree greater than the standard influence degree.

Compared with the prior art, the invention has the following beneficial effects:

1. monitoring the flow in the PLC operation process by setting an active monitoring point and detecting, judging the difference between the flow of the monitoring point and the flow in the PLC operation control process by detecting, comparing and analyzing the difference between the flow and the flow in the PLC operation process by detecting, and analyzing whether the flow is abnormal or not; meanwhile, the abnormal flow and the flow monitored by the probe are decomposed and compared, so that the authenticity of the abnormal flow is analyzed, the complexity of later comparison is reduced, and the change of the abnormal flow to the equipment program is prevented;

2. intercepting a program corresponding to abnormal flow according to the set digital twin model, then respectively simulating the intercepted program on the digital twin model and actual PLC equipment, analyzing the accuracy of coordinates corresponding to each step and analyzing the influence degree of the last step on the later steps, thereby obtaining the result of whether the intercepted program is abnormal.

Drawings

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:

FIG. 1 is a schematic diagram illustrating steps of a download data security analysis system and method based on industrial control according to the present invention;

fig. 2 is a schematic diagram of module components of a download data security analysis system and method based on industrial control according to the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Referring to fig. 1-2, the present invention provides the following technical solutions:

a download data security analysis system based on industrial control comprises a download process control monitoring module, a download process flow processing module, a download program model building module and a central processing module;

the downloading flow control monitoring module monitors the flow in the PLC operation control process by setting monitoring points and detecting, so as to analyze whether the flow in the control process is abnormal or not;

the downloading flow processing module is used for decomposing and analyzing the difference between the obtained monitoring point flow and the flow detected in the PLC operation control process according to the time dimension and judging whether the flow difference contains abnormal flow or not;

the downloading program model building module simulates a program corresponding to the detected flow difference in a model and analyzes whether the equipment is abnormally operated;

the central processing module is used for processing the connection relation between the modules;

the output ends of the downloading flow control monitoring module, the downloading flow processing module and the downloading program model building module are connected with the input end of the central processing module.

Furthermore, the downloading process control monitoring module comprises a data storage unit, a probe monitoring unit, an active monitoring point setting unit and a data comparison unit;

the data storage unit acquires a program for running operation on the PLC and records the operation and operation of the equipment at different moments;

the detection needle monitoring unit is used for acquiring and analyzing the flow monitored by the detection needle, wherein the flow refers to the flow corresponding to different moments in the downloading step;

the active monitoring point setting unit is used for acquiring and analyzing the flow monitored by the active monitoring point, wherein the flow refers to the flow monitored by the probe and the flow consumed by the probe during monitoring;

the data comparison unit analyzes whether the difference between the flow monitored in the active monitoring point setting unit and the flow in the probe monitoring unit is equal to the flow consumed by the probe during monitoring;

the output end of the data comparison unit is connected with the input end of the data storage unit, the input end of the probe monitoring unit and the input end of the active monitoring point setting unit.

Furthermore, the downloading flow processing module comprises a data decomposition unit, a data analysis unit and a data extraction simulation unit;

the data decomposition unit is used for decomposing the flow difference according to the same time dimension when detecting that the comparison result of the data comparison unit is not equal to the electric quantity consumed by the probe in the monitoring process, obtaining the decomposed flow and storing the flow in the data storage unit;

the data analysis unit is used for analyzing the flow decomposed according to different time periods and the flow in the downloading process and judging whether the flow in the downloading process has the flow with high similarity to the flow after decomposition;

and the data extraction simulation unit extracts the program corresponding to the high flow similarity and operates in the model.

Further, the downloading program model building module comprises a downloading instruction dimension starting unit, a downloading instruction dimension ending unit, an operation step positioning unit, an equipment operation abnormity recording unit, an equipment operation influence judging unit and a data marking processing unit;

the downloading instruction dimension starting unit is used for recording the time of starting operation of the program extracted from the downloading flow processing module in the model;

the downloading instruction dimension ending unit is used for recording the time of ending the operation of the extracted program in the downloading flow processing module in the model;

the operation step positioning unit is used for acquiring each step of the equipment in the operation running process, positioning the steps and establishing a digital twin model;

the device operation abnormity recording unit is used for comparing operation steps of the device in different time periods in the digital twin model with actual operation steps and analyzing whether the operation steps are abnormal or not;

the equipment operation influence judging unit is used for judging the influence degree of the accuracy of the equipment operation step on the subsequent step and giving an early warning prompt when the abnormality of the operation step is detected;

the data marking processing unit is used for acquiring the abnormal programs and marking and recording the abnormal programs;

the input ends of the downloading instruction dimension starting unit, the downloading instruction dimension ending unit, the operation step positioning unit, the equipment operation abnormity recording unit and the equipment operation influence judging unit are connected with the output end of the data marking processing unit.

The PLC downloading process specifically comprises: program input, program compilation, program execution, and device execution.

A download data security analysis method based on industrial control specifically comprises the following steps:

step 1: monitoring the corresponding flow in the running process of the downloading instruction by using a probe;

step 2: setting monitoring points to monitor the consumed flow of the probe and the flow of the probe during monitoring;

and step 3: judging whether the absolute value of the flow difference between the step two and the step one is equal to the flow consumed by the probe; when the absolute value of the flow difference is detected to be equal to the flow consumed by the probe, the current flow is expressed as normal consumption flow; when the absolute value of the flow difference is not equal to the flow consumed by the probe, the current flow is represented as abnormal flow, and the step four is skipped;

and 4, step 4: decomposing the flow in the first step and the flow in the second step according to the flow corresponding to the same time period, and analyzing whether the flow is the same or not; when the flow after decomposition is detected to be different, changing the time length to decompose the flow; when the decomposed flows are detected to be the same, jumping to the fifth step;

and 5: acquiring equipment data, establishing a digital twin model, and respectively operating a program corresponding to the decomposed flow on the model and equipment corresponding to the PLC;

step 6: running the program corresponding to the decomposed flow on the digital twin model and the equipment respectively, and analyzing the consistency of the execution steps; when the execution steps are consistent, deleting the repeated program; and when the execution steps are detected to be inconsistent, recording and marking the program corresponding to the abnormal flow.

Further, in step 6, the consistency of the execution steps is analyzed, specifically as follows:

step 601: acquiring the starting time of the downloading execution process, and recording the starting time as t_oAcquiring the end time of the downloading execution process, and recording as t_j；

Step 602: acquiring coordinates (x, y, z) and (a, b, c) when the equipment and the model operate, wherein the coordinates (x, y, z) and (a, b, c) respectively refer to comparing steps when the equipment and the model operate based on the length, the width and the height of an operation platform;

step 603: and when the equipment operation step is consistent with the model operation step, deleting the repeated program, and when the equipment operation step is detected to be inconsistent with the model operation step, analyzing the Euclidean distance between the coordinates to judge the accuracy and the influence degree on the later-stage coordinates.

In the step 4, the loss flow of the probe needle in the process of monitoring the operation of the downloading instruction isQ, the flow monitored by the monitoring point is P, the difference between the flow Q consumed in the operation process of monitoring the downloading instruction by the probe and the flow monitored by the monitoring point is set as W, the flow P consumed in the monitoring of the monitoring point and the flow difference W are decomposed into two sets according to the same time period, and the specific set is P ═ { P ═ P-₁,p₂,p₃，...,p_nW ═ W₁,w₂,w₃,...w_nN is time n;

monitoring the flow in the consumed flow P and the flow difference W by traversing the monitoring points in the same time period, and analyzing the condition W met by the flows in different time periods_k-p_cWhen detecting that no similar flow exists in a single period of time, further combining the time points to judge the conditions met by the flow, and analyzing the conditions met by the flow in the combined time period

[w_i+w_i+1+...+w_i+m]-[p_v+p_v+1+...+p_v+m]When the flow rate meets the condition, simulating the operation in the equipment;

wherein, w_k、w_i、w_i+1And w_i+mThe flow difference time periods k, i +1 and i + m correspond to the flow consumed in the downloading process;

p_c、p_v、p_v+1and p_v+mThe method comprises the steps that monitoring consumed flow of monitoring points in time periods c, v +1 and v + m is conducted;

w set in the process_k-p_cWhen abnormal flow exists, the condition can not be met, namely the current abnormal flow is judged, a program corresponding to the abnormal flow needs to be monitored and analyzed, and the safety in the downloading process is ensured;

set [ w_i+w_i+1+...+w_i+m]-[p_v+p_v+1+...+p_v+m]The reason is that similar flow is not queried in a single point time, so the time period needs to be expanded until the flow at different time is found;

further, the above mentioned expanding time period refers to a continuous time period, but the same applies to the method of intercepting at different time points.

Similar flow rates are respectively operated in the model and the actual equipment, and the coordinate set of the program operated in different time periods of the digital twin model is obtained as F { (x)₁，y₁，z₁)、(x₂，y₂，z₂)、(x₃，y₃，z₃)...(x_n，y_n，z_n) Acquiring a coordinate set of the program in different time periods in the actual equipment, wherein the coordinate set is D { (a)₁,b₁,c₁)、(a₂,b₂,c₂)、

(a₃,b₃,c₃)...(a_n,b_n,c_n)}；

Intercepting two coordinates of equipment in the same time period in the operation step;

a distance of

When the first movement distance d of the equipment is detected_F,DWhen the error is smaller than the standard error, the error does not influence the later steps;

when the first movement distance d of the equipment is detected_F,DGreater than the standard error; analyzing the influence degree of the first equipment movement on the later movement steps as

Wherein a is_iRefers to the number of times, k, that the device shifts during movement_iThe influence coefficient when the equipment moves is referred to, u is the total number of steps moved when the equipment operates, and H is the influence degree;

carrying out exception marking on a program corresponding to the equipment with the influence degree greater than the standard influence degree;

arranged as described above

Between two coordinates under a three-dimensional modelThe distance can be analyzed through the distance between the coordinates to determine whether the error condition is met or not and the set influence degree

Wherein a is_iRefers to the number of times that the monitoring device is shifted during the moving process, and K_iThe analyzed influence coefficients are correlated, and when the equipment generates deviation in multiple steps, the corresponding influence coefficient is higher; the degree of influence can be located quickly by this formula, but it is not as simple as this algorithm if other algorithms are used.

Example 1: similar flow rates are respectively operated in the model and the actual equipment, and the coordinate set of the program operated in different time periods of the digital twin model is obtained as F { (x)₁，y₁，z₁)、(x₂，y₂，z₂) In the following description, the coordinate sets obtained when the program is operated at different time periods in the actual equipment are D { (a) } in the case of (50, 100, 50), (100, 120, 100) }₁,b₁,c₁)、

(a₂,b₂,c₂) { (45, 85, 50), (95, 110, 80) }; the difference value of the standard is 10, and the influence degree of the standard is 3, and two coordinates in the operation step of the equipment in the same time period are intercepted;

a distance of

Detecting that a large error occurs when the equipment moves for more than 5 times in the running process;

K₁＝0.1；k₂＝1；k₃＝1.2；k₄＝1.5；k₅＝2；

wherein the degree of influence is

21.7>3 was detected; the influence degree is higher than the standard influence degree, and the corresponding program needs to be marked.

It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.

Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. The utility model provides a download data safety analytic system based on industry control which characterized in that: the system comprises a downloading flow control monitoring module, a downloading flow processing module, a downloading program model building module and a central processing module;

the downloading flow control monitoring module monitors the flow in the PLC operation control process by setting monitoring points and detecting, so as to analyze whether the flow in the control process is abnormal or not;

the downloading flow processing module is used for decomposing and analyzing the difference between the obtained monitoring point flow and the flow detected in the PLC operation control process according to the time dimension and judging whether the flow difference contains abnormal flow or not;

the downloading program model building module simulates a program corresponding to the detected flow difference in a model and analyzes whether the equipment operation is abnormal or not;

the central processing module is used for processing the connection relation between the modules;

the output ends of the downloading flow control monitoring module, the downloading flow processing module and the downloading program model building module are connected with the input end of the central processing module;

the downloading process control monitoring module comprises a data storage unit, a probe monitoring unit, an active monitoring point setting unit and a data comparison unit;

the data storage unit acquires a program for running operation on the PLC and records the operation and operation of the equipment at different moments;

the detection needle monitoring unit is used for acquiring and analyzing the flow monitored by the detection needle, wherein the flow refers to the flow corresponding to different moments in the downloading step;

the active monitoring point setting unit is used for acquiring and analyzing the flow monitored by the active monitoring point, wherein the flow refers to the flow monitored by the probe and the flow consumed by the probe during monitoring;

the data comparison unit analyzes whether the difference between the flow monitored in the active monitoring point setting unit and the flow in the probe monitoring unit is equal to the flow consumed by the probe during monitoring;

the output end of the data comparison unit is connected with the input end of the data storage unit, the input end of the probe monitoring unit and the input end of the active monitoring point setting unit;

the downloading flow processing module comprises a data decomposition unit, a data analysis unit and a data extraction simulation unit;

the data decomposition unit is used for decomposing the flow difference according to the same time dimension when detecting that the comparison result of the data comparison unit is not equal to the electric quantity consumed by the probe in the monitoring process, obtaining the decomposed flow and storing the flow in the data storage unit;

the data analysis unit is used for analyzing the flow decomposed according to different time periods and the flow in the downloading process and judging whether the flow in the downloading process has the flow with high similarity to the decomposed flow;

and the data extraction simulation unit extracts the program corresponding to the high flow similarity and operates in the model.

2. The industrial control-based download data security analysis system according to claim 1, wherein: the downloading program model building module comprises a downloading instruction dimension starting unit, a downloading instruction dimension ending unit, an operation step positioning unit, an equipment operation abnormity recording unit, an equipment operation influence judging unit and a data marking processing unit;

the downloading instruction dimension starting unit is used for recording the time of starting operation of the program extracted from the downloading flow processing module in the model;

the downloading instruction dimension ending unit is used for recording the time of ending the operation of the extracted program in the downloading flow processing module in the model;

the operation step positioning unit is used for acquiring each step of the equipment in the operation running process, positioning the steps and establishing a digital twin model;

the device operation abnormity recording unit is used for comparing operation steps of the device in different time periods in the digital twin model with actual operation steps and analyzing whether the operation steps are abnormal or not;

the equipment operation influence judging unit is used for judging the influence degree of the accuracy of the equipment operation step on the subsequent step and giving an early warning prompt when the abnormality of the operation step is detected;

the data marking processing unit is used for acquiring the abnormal programs and marking and recording the abnormal programs;

the input ends of the downloading instruction dimension starting unit, the downloading instruction dimension ending unit, the operation step positioning unit, the equipment operation abnormity recording unit and the equipment operation influence judging unit are connected with the output end of the data marking processing unit.

3. The industrial control-based download data security analysis system according to claim 1, wherein: the PLC downloading process specifically comprises: program input, program compilation, program execution, and device execution.

4. A download data security analysis method based on industrial control is characterized in that: the method specifically comprises the following steps:

step 1: monitoring the corresponding flow in the running process of the downloading instruction by using a probe;

step 2: setting monitoring points to monitor the consumed flow of the probe and the flow of the probe during monitoring;

and step 3: judging whether the absolute value of the flow difference between the step 2 and the step 1 is equal to the flow consumed by the probe; when the absolute value of the flow difference is detected to be equal to the flow consumed by the probe, the current flow is expressed as normal consumption flow; when the absolute value of the flow difference is not equal to the flow consumed by the probe, the current flow is represented as abnormal flow, and the step 4 is skipped;

and 4, step 4: decomposing the flow in the step 1 and the step 2 according to the flow corresponding to the same time period, and analyzing whether the flow is the same or not; when the flow after decomposition is detected to be different, changing the time length to decompose the flow; when the decomposed flow is detected to be the same, jumping to the step 5;

and 5: acquiring equipment data, establishing a digital twin model, and respectively operating a program corresponding to the decomposed flow on the model and equipment corresponding to the PLC;

step 6: running the program corresponding to the decomposed flow on the digital twin model and the equipment respectively, and analyzing the consistency of the execution steps; when the execution steps are consistent, deleting the repeated program; when detecting that the execution steps are inconsistent, recording and marking a program corresponding to the abnormal flow;

in the step 4, the loss flow of the probe monitoring downloading instruction in the operation process is Q, the flow monitored by the monitoring point is P, the difference between the loss flow Q of the probe monitoring downloading instruction in the operation process and the flow monitored by the monitoring point is set as W, the flow P monitored by the monitoring point and the flow difference W are decomposed into two sets according to the same time period,a specific set is P ═ P₁,p₂,p₃，...,p_nW ═ W₁,w₂,w₃,...w_nN is time n;

monitoring the flow in the consumed flow P and the flow difference W by traversing the monitoring points in the same time period, and analyzing the condition W met by the flows in different time periods_k-p_cWhen detecting that no similar flow exists in a single period of time, further combining the time points to judge the conditions met by the flow, and analyzing the conditions met by the flow in the combined time period [ w [ w ] ]_i+w_i+1+...+w_i+m]-[p_v+p_v+1+...+p_v+m]When the flow rate meets the condition, simulating the operation in the equipment;

wherein, w_k、w_i、w_i+1And w_i+mThe flow difference time periods k, i +1 and i + m correspond to the flow consumed in the downloading process;

p_c、p_v、p_v+1and p_v+mIt means that the monitoring points monitor the consumed flow in time periods c, v +1 and v + m.

5. The industrial control-based download data security analysis method according to claim 4, wherein: in step 6, the consistency of the execution steps is analyzed as follows:

step 601: acquiring the starting time of the downloading execution process, and recording the starting time as t_oAcquiring the end time of the downloading execution process, and recording as t_j；

Step 602: acquiring coordinates (x, y, z) and (a, b, c) when the equipment and the model operate, wherein the coordinates (x, y, z) and (a, b, c) respectively refer to comparing steps when the equipment and the model operate based on the length, the width and the height of an operation platform;

step 603: and when the equipment operation step is consistent with the model operation step, deleting the repeated program, and when the equipment operation step is detected to be inconsistent with the model operation step, analyzing the Euclidean distance between the coordinates to judge the accuracy and the influence degree on the later-stage coordinates.

6. According to the claimsSolving 4 the industrial control-based download data security analysis method is characterized in that: similar flow rates are respectively operated in the model and the actual equipment, and the coordinate set of the program operated in different time periods of the digital twin model is obtained as F { (x)₁，y₁，z₁)、(x₂，y₂，z₂)、(x₃，y₃，z₃)...(x_n，y_n，z_n) Acquiring a coordinate set of the program in different time periods in the actual equipment, wherein the coordinate set is D { (a)₁,b₁,c₁)、(a₂,b₂,c₂)、(a₃,b₃,c₃)...(a_n,b_n,c_n)}；

Intercepting two coordinates of equipment in the same time period in the operation step;

a distance of

When the first movement distance d of the equipment is detected_F,DWhen the error is smaller than the standard error, the error does not influence the later steps;

when the first movement distance d of the equipment is detected_F,DGreater than the standard error; analyzing the influence degree of the first equipment movement on the later movement steps as

Wherein a is_iRefers to the number of times, k, that the device shifts during movement_iThe influence coefficient when the equipment moves is referred to, u is the total number of steps moved when the equipment operates, and H is the influence degree;

and marking the exception of the program corresponding to the equipment with the influence degree greater than the standard influence degree.

Images