CN113656220A - PLC data baseline recovery method and device and computer storage medium - Google Patents


Publication number
CN113656220A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110903575.4A
Other languages
Chinese (zh)
Inventor
胡涛
范渊
吴卓群
王欣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/07: Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14: Error detection or correction of the data by redundancy in operation
    • G06F11/1402: Saving, restoring, recovering or retrying
    • G06F11/1471: Saving, restoring, recovering or retrying involving logging of persistent data for recovery
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The application relates to a PLC data baseline restoration method, a device and a computer storage medium, wherein the method comprises the following steps: capturing a configuration download mirror image message group sent from configuration software to a corresponding PLC, and extracting the configuration download message labels in the mirror image message group; generating a PLC downloading rule according to the configuration download message labels; acquiring a baseline message corresponding to the baseline project that currently needs to be maintained, and generating a baseline file according to the baseline message and the PLC downloading rule; when a current message downloaded in an unauthorized time period is detected, matching the current message with the baseline file; and if the matching is successful, reading the baseline file and downloading the data baseline according to the PLC downloading rule. The baseline file is generated by capturing the message data in the mirror image message group. When an illegal tampering download in an abnormal time period is identified, the baseline file is read by the PLC and mirror image recovery is performed according to the PLC downloading rule, so the method is not limited by the brand or type of the PLC and maintenance efficiency is improved.

Description

PLC data baseline recovery method and device and computer storage medium
Technical Field
The present application relates to the field of industrial control and information security technologies, and in particular, to a PLC data baseline restoration method, apparatus, and computer storage medium.
Background
Industrial control is an important part of national industrial systems and infrastructure. In recent years industrial control systems have gradually moved from closed to interconnected, and related security incidents have become frequent, particularly attacks on industrial control equipment. The PLC (programmable logic controller) is an important basic control device for realizing industrial control.
Timely discovery of the security risk of attacks against PLCs in the current network environment is of great significance for maintaining national strategic security and the stability of social production.
However, there are numerous PLC brands on the market, and the configuration software and the download rules for each code block in the PLC differ between them. When a PLC is attacked and needs to be maintained, time and effort must be spent on research, analysis and integration work. Because brands are not compatible with one another, the brand has to be identified from the messages before functional operations can be performed with the corresponding processing logic, so PLC maintenance is limited by brand type and maintenance efficiency is low.
Disclosure of Invention
The embodiment of the application provides a PLC data baseline recovery method and device and a computer storage medium, which are used for solving the technical problems that in the prior art, PLC maintenance is limited by brand types and maintenance efficiency is low.
In order to achieve the above object, in one aspect, an embodiment of the present invention provides a PLC data baseline restoration method, including the following steps:
capturing a configuration download mirror image message group sent from configuration software to a corresponding PLC, and extracting a configuration download message label in the mirror image message group;
generating a PLC downloading rule according to the message label downloaded by the configuration;
acquiring a baseline message corresponding to a baseline project which needs to be maintained currently, and generating a baseline file according to the baseline message and the PLC downloading rule;
when a current message downloaded in an unauthorized time period is detected, matching the current message with the baseline file;
and if the matching is successful, reading the baseline file, and downloading the data baseline according to the PLC downloading rule.
According to the PLC data baseline recovery method provided by the invention, a configuration download mirror image message group sent from configuration software to a corresponding PLC is captured in real time, and the configuration download message labels in the mirror image message group are extracted. A PLC downloading rule is generated according to the configuration download message labels. A baseline message corresponding to the baseline project that currently needs to be maintained is then obtained, and a baseline file is generated according to the baseline message and the PLC downloading rule and stored. When a current message downloaded in an unauthorized time period is detected, the current message is matched with the baseline file; if the matching is successful, the baseline file is read and the data baseline is recovered according to the PLC downloading rule obtained by self-learning. The baseline file is thus generated by capturing the message data in the mirror image message group and continuously learning. When an illegal tampering download in an abnormal time period is identified, the PLC reads the baseline file and mirror image recovery is performed according to the learned PLC downloading rule, so the method is not limited by the brand or type of the PLC and maintenance efficiency is improved.
As a further preferred embodiment of the present invention, the step of generating a PLC download rule according to the message tag downloaded by the configuration includes:
acquiring message labels corresponding to all functional modules in the PLC, determining download functional labels and overall download labels included in the message labels, and generating the PLC download rules.
As a further preferable aspect of the present invention, the step of generating a baseline file according to the baseline packet and the PLC download rule includes:
and acquiring a start message, an authentication message, a download message and a close message in the baseline message, and storing to generate the baseline file.
As a further preferred embodiment of the present invention, the step of matching the current packet with the baseline file includes:
judging whether the message label in the current message is in accordance with the message label corresponding to each functional module in the PLC;
and if so, judging that the current message is abnormally downloaded.
As a further preferred embodiment of the present invention, before the step of extracting the message label of the configuration download in the mirror message group, the method further includes:
extracting the authentication message in the mirror image message group;
the step of downloading the data base line according to the PLC downloading rule comprises the following steps:
detecting whether the current message has an authentication message or not;
if not, skipping the verification process of the authentication message;
and reading the baseline file and sending the baseline file to the PLC data baseline according to the downloading function label in the PLC downloading rule and the integral downloading label.
On the other hand, an embodiment of the present invention further provides a PLC data baseline restoration apparatus, including: the message capturing module is used for capturing a configuration download mirror image message group sent from the configuration software to the corresponding PLC and extracting a configuration download message label in the mirror image message group;
the first generation module is used for generating a PLC downloading rule according to the message label downloaded by the configuration;
the second generation module is used for acquiring a baseline message corresponding to the baseline project which needs to be maintained at present and generating a baseline file according to the baseline message and the PLC downloading rule;
the matching module is used for matching the current message with the baseline file when the current message downloaded in an unauthorized time period is detected;
and the recovery downloading module is used for reading the baseline file and downloading the data baseline according to the PLC downloading rule if the matching is successful.
According to the PLC data baseline restoration device provided by the invention, a configuration download mirror image message group sent from configuration software to a corresponding PLC is captured through a message capturing module, and a configuration download message label in the mirror image message group is extracted; then, a first generation module generates a PLC downloading rule according to the message label downloaded by the configuration; a second generation module acquires a baseline message corresponding to a baseline project which needs to be maintained at present, generates a baseline file according to the baseline message and the PLC downloading rule and stores the baseline file; when the matching module detects a current message downloaded in an unauthorized time period, matching the current message with the baseline file; and if the matching is successful, the recovery downloading module reads the baseline file and downloads the data baseline according to the PLC downloading rule.
As a further preferable aspect of the present invention, the first generating module specifically includes:
the first obtaining unit is used for obtaining message labels corresponding to all functional modules in the PLC, determining download functional labels and overall download labels included in the message labels, and generating the PLC download rules;
the second generation module specifically includes:
and the second acquisition unit is used for acquiring a start message, an authentication message, a download message and a close message in the baseline message, storing and generating the baseline file.
As a further preferable scheme of the present invention, the matching module specifically includes:
the judging unit is used for judging whether the message label in the current message is in accordance with the message label corresponding to each functional module in the PLC;
and the judging unit is used for judging that the current message is abnormally downloaded if the message label in the current message is in accordance with the message label corresponding to each functional module in the PLC.
As a further preferred embodiment of the present invention, the download resuming module specifically includes:
a third obtaining unit, configured to extract an authentication packet in the mirror packet group;
the detection unit is used for detecting whether the current message has an authentication message or not;
a skipping unit, configured to skip a verification process for the authentication packet if the authentication packet does not exist in the current packet;
and the downloading unit reads the baseline file and sends the baseline file to the PLC data baseline according to the downloading function label and the integral downloading label in the PLC downloading rule.
The invention also provides a computer storage medium comprising a memory, a processor and a computer program stored on the memory and executable on the processor, which when executed by the processor implements the method described above. According to the computer storage medium provided by the invention, by adopting the technical scheme, the base line file is generated by capturing the message data in the mirror image message group and continuously learning, when illegal tampering downloading in an abnormal time period is identified, the PLC reads the base line file, and mirror image recovery is carried out according to the PLC downloading rule obtained by learning, so that the computer storage medium is not limited by brand type limitation of the PLC, and the maintenance efficiency is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a PLC data baseline restoration method according to a first embodiment of the present invention;
fig. 2 is a flowchart illustrating a baseline file generation phase of a PLC data baseline restoration method according to a first embodiment of the present invention;
fig. 3 is a flowchart of a detection phase of a PLC data baseline restoration method according to a first embodiment of the present invention;
fig. 4 is a flowchart of a download recovery phase of a PLC data baseline recovery method according to a first embodiment of the present invention;
fig. 5 is a block diagram illustrating a PLC data baseline restoration apparatus according to a second embodiment of the present invention;
fig. 6 is a schematic diagram of a hardware configuration of a PLC data baseline restoration apparatus according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The embodiment of the invention aims to provide a PLC data baseline recovery method applied to the protection of industrial control and information security. Specifically, the prior art achieves this in two ways. The first is to recover the PLC through the programming software supplied by the manufacturer; however, this software cannot monitor, and because it is divided by brand and series there are many varieties and integration capability is poor. The second is to obtain the manufacturer's protocol and perform polling monitoring and code block acquisition; this achieves both monitoring and downloading, but it increases the communication cost on the PLC side, and judging the safety of code blocks by polling is more or less prone to gaps.
In order to solve the technical problems of the existing PLC data baseline recovery methods, the embodiment of the invention provides a method for PLC security detection and mirror image recovery. It can be applied to PLCs of various brands and types that communicate through a network card, identifies illegal tampering downloads in abnormal time periods in real time, improves the tampering identification rate, performs mirror image recovery according to field requirements when an abnormality is identified, increases the safety of code blocks and improves the security level of the industrial network.
Specifically, the PLC data baseline restoration method according to the embodiment of the present invention includes: capturing a configuration download mirror image message group sent from configuration software to a corresponding PLC, and extracting a configuration download message label in the mirror image message group; generating a PLC downloading rule according to the message label downloaded by the configuration; acquiring a baseline message corresponding to a baseline project which needs to be maintained currently, and generating a baseline file according to the baseline message and the PLC downloading rule; when a current message downloaded in an unauthorized time period is detected, matching the current message with the baseline file; and if the matching is successful, reading the baseline file, and downloading the data baseline according to the PLC downloading rule. The method and the device have the advantages that the base line file is generated by capturing the message data in the mirror image message group and continuously learning, when illegal tampering downloading in an abnormal time period is identified, the base line file is read by the PLC, mirror image recovery is carried out according to the downloading rule of the PLC obtained through learning, brand type limitation of the PLC is avoided, and maintenance efficiency is improved.
Example one
Fig. 1 is a flowchart of the PLC data baseline restoration method according to the first embodiment of the present invention. The method includes the following steps:
step S101, self-learning to generate a baseline file;
specifically, the step S101 includes the following steps:
step S1011, capturing a configuration download mirror image message group sent from configuration software to a corresponding PLC, and extracting a configuration download message label in the mirror image message group;
step S1012, generating a PLC downloading rule according to the message label downloaded by the configuration;
step S1013, a baseline message corresponding to a baseline project which needs to be maintained at present is obtained, and a baseline file is generated according to the baseline message and the PLC downloading rule;
Please refer to fig. 2, which is a flowchart of the baseline file generation stage of the method. In step S101, the baseline file is a "snapshot" of each artifact version in the project store over a particular period of time. It provides a formal standard on which subsequent work is based and which can be altered only after authorization. After an initial baseline is established, each change to it is recorded as a difference until the next baseline is established.
The PLC is a digital logic controller with a microprocessor, used for automatic control, which can load control instructions into its internal memory at any time for storage and execution. The programmable controller is assembled modularly from an internal CPU, instruction and data memory, input/output units, a power module, digital/analog units and the like.
Specifically, in this step, the genuine installation package of the PLC configuration (editing) software is obtained over the internet from the PLC brand's official source or the manufacturer's agent. After the download is authorized, it is checked whether its upload/download state is normal, and if so, it is put into use.
In the learning stage, a fairly simple function block project is edited first, for example one whose code function block contains only one input and one output (the code is PLC code that can be verified and downloaded through the editing software). The mirror image messages sent from the configuration software to the target PLC are received through a network card and stored, and the message tags in the mirror image messages are extracted; the message tags include a start message tag and an end message tag. If an authentication message exists in the download process, the authentication message is also stored.
In this way the system keeps learning by itself. In practical application, a separate function block project is edited for each of the different function blocks in the PLC. In this embodiment, the TCPDump command is used to capture the mirror image messages of these function block project downloads; the download function tag and the overall download tag of each function block are parsed and stored, and the PLC downloading rules for the different function block types are obtained from the message tags. When the PLC baseline project needs to be recovered, mirror image recovery is performed according to the PLC downloading rules, so the method is not limited by brand, and the time and effort spent on research, analysis and integration work are saved.
To help those skilled in the art better understand the technical solution of the present invention, it should be noted that TCPDump can capture the data packets transmitted on a network in full for analysis. It supports filtering by network layer, protocol, host, network or port, and provides logical operators such as and, or and not to help discard useless information. It is highly extensible and is a very useful tool for network maintenance and for intruders. TCPDump is included in the FreeBSD base system; because it needs to set the network interface to promiscuous mode, an ordinary user cannot run it, but a user with root privileges can run it directly to obtain information from the network.
After the specific PLC downloading rules have been summarized, the baseline project that currently needs to be maintained is downloaded and its mirror image messages are captured. The start message, authentication message, download message and close message of the baseline project are parsed according to the PLC downloading rules and stored to generate the baseline file, which is kept in a memory. Subsequent baseline files are based on this standard, and the standard can be changed only after authorization.
Step S102, when detecting a current message downloaded in an unauthorized time period, matching the current message with the baseline file;
Please refer to fig. 3, which is a flowchart of the detection stage of the method. Specifically, in this embodiment, TCPDump captures the mirror image messages sent in the direction of the PLC. When a start-download message is received, the rule matching process begins. During matching, if an authentication process exists, it is checked whether the verification content of the authentication process matches; if no authentication exists, the authentication check is skipped.
After authentication, the message labels in the mirror image message are extracted, and the download function labels and the overall download label among them are compared with the message labels of all the function blocks in the corresponding PLC. Rule matching ends when the close-download message is received. It should be noted that, in this embodiment, the start message and the close message are also part of rule matching. It is determined whether the mirror image message downloaded in the unauthorized time period matches the baseline message of each function block in the PLC; if the matching is successful, the current message is considered an abnormal download.
And step S103, if the matching is successful, reading the baseline file, and downloading the data baseline according to the PLC downloading rule.
Please refer to fig. 4, which is a flowchart of the download recovery stage of the method. Specifically, when a download recovery request for the baseline project to be maintained is received, it is first determined whether a baseline message already exists. After the start-download command is sent, if an authentication flow exists, it is carried out; in general the authentication content needs to be checked and parsed before it is sent, and the check procedure of the authentication process is handled in the parsing stage. If no authentication exists, the check is skipped. Once authenticated, the baseline file is sent to the PLC according to each download function label, the overall download label and the payload in the PLC downloading rule. A code block is then set for issuing and the PLC's response to the setting is obtained; if the response indicates success, the next packet is sent. After the complete code block has been sent, a close-download message is sent and the download recovery is finished.
In summary, the invention receives, through the network card, the mirror flow data sent from the configuration software to the target PLC and stores it as the baseline file. The authentication message is parsed first and stored separately; the messages after authentication are parsed to generate the PLC downloading rule, which is passed to the mirror image flow monitoring program. When a message conforming to the downloading rule is detected, the monitoring file informs the PLC; if the PLC needs to be recovered, the baseline file is read and authentication and data baseline downloading are performed according to the PLC downloading rule.
According to the PLC data baseline restoration method, the message data in the mirror image message group is captured and continuously learned to generate the baseline file, when illegal tampering downloading in an abnormal time period is identified, the PLC reads the baseline file, and mirror image restoration is performed according to the PLC downloading rule obtained through learning, so that the PLC data baseline restoration method is not limited by brand type limitation of the PLC, and the maintenance efficiency is improved.
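The learning and detection stages (steps S101 and S102) sketched in Python, as an added example that is not part of the patent text: messages are classified by tag, a baseline file is built from a capture of the baseline project, and complete download sessions that start outside the authorized window are reported as the trigger for step S103. The tag bytes, payloads, time window and all function names are constructed for illustration; real tags are vendor-specific and would come from a learning capture.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class DownloadRule:
    """PLC downloading rule (S1012): one message tag per download phase."""
    start: bytes
    download: bytes
    close: bytes
    auth: Optional[bytes] = None  # None: this PLC has no authentication exchange

    def classify(self, payload: bytes) -> Optional[str]:
        for phase in ("start", "auth", "download", "close"):
            tag = getattr(self, phase)
            if tag is not None and payload.startswith(tag):
                return phase
        return None  # traffic that is not part of a configuration download


def build_baseline(rule, capture):
    """S1013: split a capture of the baseline project into the four message kinds."""
    baseline = {"start": [], "auth": [], "download": [], "close": []}
    for _ts, payload in capture:
        phase = rule.classify(payload)
        if phase is not None:
            baseline[phase].append(payload)
    return baseline


def find_download_sessions(rule, capture):
    """S102: matching begins at a start message and ends at a close message."""
    sessions, phases, started = [], None, None
    for ts, payload in capture:
        phase = rule.classify(payload)
        if phase == "start":
            phases, started = ["start"], ts
        elif phases is not None and phase in ("auth", "download"):
            phases.append(phase)
        elif phases is not None and phase == "close":
            phases.append("close")
            sessions.append({"started": started, "closed": ts, "phases": phases})
            phases = None
    return sessions


def matches_rule(rule, session):
    """Authentication is checked only when the rule has an authentication tag."""
    if rule.auth is not None and "auth" not in session["phases"]:
        return False
    return "download" in session["phases"]


def in_authorized_window(ts, windows):
    return any(begin <= ts.time() <= end for begin, end in windows)


def abnormal_downloads(rule, capture, windows):
    """Sessions that match the rule but started in an unauthorized time period."""
    return [s for s in find_download_sessions(rule, capture)
            if matches_rule(rule, s)
            and not in_authorized_window(s["started"], windows)]


# --- Constructed sample data (not any vendor's real protocol) ---
RULE = DownloadRule(start=b"\x01ST", auth=b"\x02AU",
                    download=b"\x03DL", close=b"\x04CL")
WINDOWS = [(time(9, 0), time(17, 0))]  # authorized maintenance hours


def _download(at, code):
    """Constructed capture of one download of `code` beginning at `at`."""
    msgs = [b"\x01ST", b"\x02AUtoken",
            b"\x03DL" + code[:4], b"\x03DL" + code[4:], b"\x04CL"]
    return [(at.replace(second=i), m) for i, m in enumerate(msgs)]


BASELINE_CAPTURE = _download(datetime(2021, 8, 5, 10, 0), b"BLK-good")
LIVE_CAPTURE = (
    [(datetime(2021, 8, 6, 1, 59), b"\x10READ")]            # unrelated traffic
    + _download(datetime(2021, 8, 6, 2, 13), b"BLK-edit")   # outside the window
    + _download(datetime(2021, 8, 6, 11, 30), b"BLK-good")  # authorized download
)

if __name__ == "__main__":
    baseline = build_baseline(RULE, BASELINE_CAPTURE)
    print({phase: len(msgs) for phase, msgs in baseline.items()})
    for hit in abnormal_downloads(RULE, LIVE_CAPTURE, WINDOWS):
        print("abnormal download:", hit["started"], "->", hit["closed"])
```
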
Example two
The present invention also provides a PLC data baseline restoration apparatus, as shown in fig. 5, the apparatus including:
the message capturing module 10 is configured to capture a configuration download mirror message group sent from configuration software to a corresponding PLC, and extract a message tag of configuration download in the mirror message group;
the first generating module 21 is configured to generate a PLC downloading rule according to the configuration downloaded packet tag;
the second generating module 31 is configured to obtain a baseline message corresponding to a baseline project that needs to be maintained currently, and generate a baseline file according to the baseline message and the PLC download rule;
the matching module 40 is configured to match the current packet with the baseline file when the current packet downloaded in the unauthorized time period is detected;
and the recovery downloading module 50 is used for reading the baseline file and downloading the data baseline according to the PLC downloading rule if the matching is successful.
Specifically, the first generating module 21 further includes the following units:
a first obtaining unit 22, configured to obtain a message label corresponding to each function module in the PLC, determine a download function label and an overall download label included in the message label, and generate the PLC download rule;
the second generating module 31 specifically includes:
the second obtaining unit 32 is configured to obtain a start message, an authentication message, a download message, and a close message in the baseline message, and store and generate the baseline file.
Specifically, the matching module 40 further includes the following units:
a judging unit 41, configured to judge whether a packet tag in the current packet matches a packet tag corresponding to each functional module in the PLC;
and a determining unit 42, configured to determine that the current packet is abnormally downloaded if the packet tag in the current packet matches the packet tag corresponding to each functional module in the PLC.
Specifically, the recovery downloading module 50 further includes the following units:
a third obtaining unit 51, configured to extract an authentication packet in the mirror packet group;
a detecting unit 52, configured to detect whether an authentication packet exists in the current packet;
a skipping unit 53, configured to skip a verification process for the authentication packet if the authentication packet does not exist in the current packet;
and the downloading unit 54 reads the baseline file and sends the baseline file to the PLC data baseline according to the downloading function tag and the entire downloading tag in the PLC downloading rule.
In the PLC data baseline restoration device, the message capturing module captures the configuration download mirror message group sent from the configuration software to the corresponding PLC and extracts the configuration download message tags in the mirror message group; the first generating module then generates a PLC download rule according to the configuration download message tags; the second generating module acquires a baseline message corresponding to the baseline project that currently needs to be maintained, and generates and stores a baseline file according to the baseline message and the PLC download rule; when the matching module detects a current message downloaded in an unauthorized time period, it matches the current message with the baseline file; and if the matching is successful, the recovery downloading module reads the baseline file and downloads the data baseline according to the PLC download rule.
Example three
The invention also provides a computer storage medium comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method described above when executing the program.
According to the computer storage medium of this technical solution, the baseline file is generated by capturing the message data in the mirror message group and learning from it continuously; when an illegal tampering download in an abnormal time period is identified, the PLC reads the baseline file and performs mirror recovery according to the learned PLC download rule, so the limitation of PLC brand and type is avoided and maintenance efficiency is improved.
In addition, the PLC data baseline restoration method according to the embodiment of the present application described in conjunction with fig. 1 may be implemented by a PLC data baseline restoration apparatus. Fig. 6 is a schematic hardware configuration diagram of a PLC data baseline restoration apparatus according to an embodiment of the present application.
The PLC data baseline restoration apparatus may include a processor 81 and a memory 82 having stored thereon computer program instructions.
Specifically, the processor 81 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present application.
Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may include a Hard Disk Drive (HDD), a floppy disk drive, a Solid State Drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is a non-volatile memory. In particular embodiments, memory 82 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically Alterable ROM (EAROM), or flash memory, or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode Dynamic Random-Access Memory (FPMDRAM), an Extended Data Output Dynamic Random-Access Memory (EDODRAM), a Synchronous Dynamic Random-Access Memory (SDRAM), and the like.
The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.
The processor 81 reads and executes computer program instructions stored in the memory 82 to implement any one of the PLC data baseline restoration methods in the above embodiments.
In some of these embodiments, the PLC data baseline restoration device may further include a communication interface 83 and a bus 80. As shown in fig. 6, the processor 81, the memory 82, and the communication interface 83 are connected via the bus 80 to complete communication therebetween.
The communication interface 83 is used for implementing communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication interface 83 may also carry out data communication with other components, such as external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.
Bus 80 includes hardware, software, or both to couple the components of the PLC data baseline restoration device to each other. Bus 80 includes, but is not limited to, at least one of the following: a data bus, an address bus, a control bus, an expansion bus, and a local bus. By way of example, and not limitation, bus 80 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), or other suitable bus, or a combination of two or more of these. Bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The PLC data baseline restoration apparatus may execute the PLC data baseline restoration method in the embodiment of the present application based on the acquired instruction, thereby implementing the PLC data baseline restoration method described with reference to fig. 1.
In addition, in combination with the PLC data baseline restoration method in the foregoing embodiment, the embodiment of the present application may provide a computer storage medium for its implementation. The computer storage medium has computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement any of the PLC data baseline restoration methods of the embodiments described above.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several implementations of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A PLC data baseline restoration method is characterized by comprising the following steps:
capturing a configuration download mirror image message group sent from configuration software to a corresponding PLC, and extracting a configuration download message label in the mirror image message group;
generating a PLC downloading rule according to the message label downloaded by the configuration;
acquiring a baseline message corresponding to a baseline project which needs to be maintained currently, and generating a baseline file according to the baseline message and the PLC downloading rule;
when a current message downloaded in an unauthorized time period is detected, matching the current message with the baseline file;
and if the matching is successful, reading the baseline file, and downloading the data baseline according to the PLC downloading rule.
2. The PLC data baseline restoration method of claim 1, wherein the step of generating PLC download rules according to the configuration downloaded message tags comprises:
acquiring message labels corresponding to all functional modules in the PLC, determining download functional labels and overall download labels included in the message labels, and generating the PLC download rules.
3. The PLC data baseline restoration method of claim 1,
the step of generating a baseline file according to the baseline message and the PLC downloading rule comprises:
and acquiring a start message, an authentication message, a download message and a close message in the baseline message, and storing to generate the baseline file.
4. The PLC data baseline restoration method of claim 2, wherein the step of matching the current packet with the baseline file comprises:
judging whether the message label in the current message is in accordance with the message label corresponding to each functional module in the PLC;
and if so, judging that the current message is abnormally downloaded.
5. The PLC data baseline restoration method of claim 2, wherein before the step of extracting the configuration downloaded message tags from the mirrored message group, the method further comprises:
extracting the authentication message in the mirror image message group;
the step of downloading the data baseline according to the PLC downloading rule comprises the following steps:
detecting whether the current message has an authentication message or not;
if not, skipping the verification process of the authentication message;
and reading the baseline file and sending the baseline file to the PLC data baseline according to the downloading function label in the PLC downloading rule and the integral downloading label.
6. A PLC data baseline restoration apparatus, comprising:
the message capturing module is used for capturing a configuration download mirror image message group sent from the configuration software to the corresponding PLC and extracting a configuration download message label in the mirror image message group;
the first generation module is used for generating a PLC downloading rule according to the message label downloaded by the configuration;
the second generation module is used for acquiring a baseline message corresponding to the baseline project which needs to be maintained at present and generating a baseline file according to the baseline message and the PLC downloading rule;
the matching module is used for matching the current message with the baseline file when the current message downloaded in an unauthorized time period is detected;
and the recovery downloading module is used for reading the baseline file and downloading the data baseline according to the PLC downloading rule if the matching is successful.
7. The PLC data baseline restoration device of claim 6, wherein the first generation module specifically comprises:
the first obtaining unit is used for obtaining message labels corresponding to all functional modules in the PLC, determining download functional labels and overall download labels included in the message labels, and generating the PLC download rules;
the second generation module specifically includes:
and the second acquisition unit is used for acquiring a start message, an authentication message, a download message and a close message in the baseline message, storing and generating the baseline file.
8. The PLC data baseline restoration device of claim 6, wherein the matching module specifically comprises:
the judging unit is used for judging whether the message label in the current message is in accordance with the message label corresponding to each functional module in the PLC;
and the judging unit is used for judging that the current message is abnormally downloaded if the message label in the current message is in accordance with the message label corresponding to each functional module in the PLC.
9. The PLC data baseline restoration device according to claim 7, wherein the restoration downloading module specifically includes:
a third obtaining unit, configured to extract an authentication packet in the mirror packet group;
the detection unit is used for detecting whether the current message has an authentication message or not;
a skipping unit, configured to skip a verification process for the authentication packet if the authentication packet does not exist in the current packet;
and the downloading unit reads the baseline file and sends the baseline file to the PLC data baseline according to the downloading function label and the integral downloading label in the PLC downloading rule.
10. A computer storage medium comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when executing the program.
CN202110903575.4A 2021-08-06 2021-08-06 PLC data baseline recovery method and device and computer storage medium Pending CN113656220A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110903575.4A CN113656220A (en) 2021-08-06 2021-08-06 PLC data baseline recovery method and device and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110903575.4A CN113656220A (en) 2021-08-06 2021-08-06 PLC data baseline recovery method and device and computer storage medium

Publications (1)

Publication Number Publication Date
CN113656220A true CN113656220A (en) 2021-11-16

Family

ID=78478599

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110903575.4A Pending CN113656220A (en) 2021-08-06 2021-08-06 PLC data baseline recovery method and device and computer storage medium

Country Status (1)

Country Link
CN (1) CN113656220A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114647233A (en) * 2022-05-18 2022-06-21 浙江国利网安科技有限公司 PLC operation configuration monitoring method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination