CN113671909A - Safety monitoring system and method for steel industrial control equipment - Google Patents


Publication number
CN113671909A
Authority
CN
China
Prior art keywords
information
module
time
state
log
Prior art date
Legal status
Pending
Application number
CN202110741867.2A
Other languages
Chinese (zh)
Inventor
许斌
马昭微
邝昌云
戴骥
马优敏
李泊含
王化
Current Assignee
Yunnan Kungang Electronic Information Technology Co ltd
Original Assignee
Yunnan Kungang Electronic Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Yunnan Kungang Electronic Information Technology Co ltd
Priority to CN202110741867.2A
Publication of CN113671909A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
    • G05B19/41865 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by job scheduling, process planning, material flow
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/32 Operator till task planning
    • G05B2219/32247 Real time scheduler
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention is a safety monitoring system and method for steel industrial control equipment. The system comprises a collector and a processor; the collector collects data for the processor to store and analyse. The processor comprises a log data deduplication module, a time correction module, a running time analysis module and a health degree analysis module. By combining these means, the invention provides a safety monitoring tool for real-time aggregation and analysis of data from industrial control equipment in the steel industry. It conforms to the enterprise's existing security policy, reveals security trends and the overall security situation across the industrial enterprise, collects and analyses security events from multiple event sources and security logs with context information, improves management efficiency and security supervision in steel enterprises, moves the line of security assurance forward, and stops accidents before they happen.

Description

Safety monitoring system and method for steel industrial control equipment
Technical Field
The invention relates to the field of information security, in particular to a safety monitoring system and method for steel industrial control equipment.
Background
Industrial equipment and systems are the cornerstone of production in iron and steel manufacturing enterprises. As new-generation information technologies such as cloud computing, big data, artificial intelligence and the Internet of Things converge with manufacturing technology, industrial equipment and systems are moving from closed to open, from stand-alone to interconnected and from automated to intelligent. While this gives industrial enterprises enormous momentum for development, it also introduces many potential safety hazards. The security threats faced by industrial equipment and systems are a worldwide problem: high-risk vulnerabilities and backdoors in industrial equipment, industrial network viruses, advanced persistent threats and the risks introduced by wireless technology pose great challenges to their protection. The method described here uses a remote collection device, an industrial control network probe and a host collection agent to acquire the asset, security, state, alarm and fault information of engineer stations, operator stations, history stations, control equipment, switching equipment, industrial control security evaluation devices, industrial control threat sensing systems, industrial control firewalls, industrial isolation devices and other protection and evaluation equipment. The acquired information is normalised into a unified form and analysed with big-data and AI modelling techniques to support equipment monitoring, interconnection monitoring and alarm monitoring, while KPI monitoring yields trend monitoring of a security index, a health index and a protection index.
Disclosure of Invention
Industrial control equipment is the cornerstone of production in iron and steel enterprises and is critical to their safe production. The problem to be solved is how to collect the asset, security, state, alarm and fault information of industrial control equipment, analyse and process the collected information, and give a real-time, intuitive grasp of the health condition and alarm information of the enterprise's industrial control equipment, so as to achieve safety monitoring.
The invention provides a safety monitoring system and a method for steel industrial control equipment, which mainly comprise data acquisition, data processing and data visualization.
The technical scheme of the invention is as follows:
a safety monitoring system for steel industrial control equipment comprises a collector and a processor; the collector collects data for the processor to store and analyze;
the processor comprises a log data deduplication module, a time correction module, a running time analysis module and a health degree analysis module;
the log data deduplication module compares the timestamp and digest of each currently acquired log in turn until it matches the last collected log, or finds a log newer than the last collected log;
the time correction module calculates the real occurrence time of the log:
PT2=PT1+delta1=PT1+PLCT2-PLCT1;
PLCT1 is the current time of PLC collected by the PLC probe at PT1 moment; PLCT2 is the current time of PLC collected by the PLC probe at PT2 moment;
the running time analysis module judges, within each heartbeat time window, whether the heartbeat is normal: the equipment is online when its heartbeat arrives within the specified range of the time window, offline when the heartbeat exceeds the specified range of the time window, and out of management when no probe carries a heartbeat for it at all;
the health degree analysis module calculates the asset health assessment score as follows:
[equation image BDA0003141657930000021, not reproduced on this page]
wherein Wi is the frequency of the alarm item in the evaluation period, and Ci is the weight score of the alarm item;
[equation image BDA0003141657930000022, not reproduced on this page]
wherein Ai represents the frequency of the asset's alarm item, Ci the corresponding weight score of the item, Ui whether the score of the item is counted, and n% a model experience value; the experience value is set to a reasonable value from analysis of historical alarm information and is iteratively optimised during alarm monitoring.
Furthermore, the collector comprises an industrial control network probe, an industrial control equipment information collection module and an industrial control host information collection module;
the industrial control network probe extracts important information in the network flow to form log data and reports the log data; the industrial control equipment information acquisition module acquires field control equipment information;
the industrial control host information acquisition module acquires industrial control host data information including data of a field engineer station, an operator station and a server.
The system further comprises a data visualization module, which comprises an equipment monitoring module, an interconnection monitoring module and an alarm monitoring module;
the equipment monitoring module displays the health score and the state information of the industrial control equipment in a large-screen mode according to the results calculated by the health degree analysis module and the online state model;
the interconnection monitoring module acquires network interconnection relations among the assets, wherein the network interconnection relations include access relations, connection frequency and threat information; the relation among the assets is classified into a compliance permission white list, a grey list unknown access, a threat access and a black list forbidden access; and the alarm monitoring is used for displaying the abnormal information of the system.
Further, the time correction module re-synchronises at intervals and calculates the clock frequency deviation ratio:
M=(PLCT4-PLCT1)/(PT4-PT1);
PLCT4 is the current time of PLC collected by the PLC probe at PT4 moment;
delta1=PLCT2-PLCT1;
the occurrence time of a log that occurs after PT4 is calculated as:
PTN=PT4+delta1/M;
and recalculating M when the next time deviation synchronization point occurs, and ensuring that the next acquired event occurrence time is as close to the real time as possible.
Further, the processor also comprises an online state analysis module, which judges whether the equipment is online, offline or out of management from the equipment heartbeat carried by the probe;
the log information collected by the probe includes the state information of the equipment, online or offline;
when a device is managed by only one probe, its state is the state carried by that probe; when a device is monitored by no probe, it is out of management, i.e. in the state of not being managed by any probe; when several probes manage one device, its state is determined by the high/low online-state protection period model, as follows: each probe carries heartbeat information for the device and reports one of three states of the same device, online, offline or out of management; listed from first to last these states have decreasing priority for state transitions, and from last to first increasing priority.
The invention also relates to a safety monitoring method of the steel industrial control equipment, which comprises the following processes:
deduplicating log data: comparing the timestamp and digest of each currently acquired log in turn until it matches the last collected log, or finding a log newer than the last collected log;
calculating the time of occurrence of the real log:
PT2=PT1+delta1=PT1+PLCT2-PLCT1;
PLCT1 is the current time of PLC collected by the PLC probe at PT1 moment; PLCT2 is the current time of PLC collected by the PLC probe at PT2 moment;
analysing the running time: judging, within each heartbeat time window, whether the heartbeat is normal; the equipment is online when its heartbeat arrives within the specified range of the time window, offline when the heartbeat exceeds the specified range of the time window, and out of management when no probe carries a heartbeat for it at all;
analysing the health degree: calculating the asset health assessment score as follows:
[equation image BDA0003141657930000041, not reproduced on this page]
wherein Wi is the frequency of the alarm item in the evaluation period, and Ci is the weight score of the alarm item;
[equation image BDA0003141657930000042, not reproduced on this page]
wherein Ai represents the frequency of the asset's alarm item, Ci the corresponding weight score of the item, Ui whether the score of the item is counted, and n% a model experience value; the experience value is set to a reasonable value from analysis of historical alarm information and is iteratively optimised during alarm monitoring.
Further, extracting important information in the network flow to form log data and reporting the log data; the acquisition module acquires information of the field control equipment;
the acquisition module acquires data information of the industrial control host, including data of a field engineer station, an operator station and a server.
Further, the method also comprises:
displaying the health score and the state information of the industrial control equipment in a large-screen mode according to the results calculated by the health degree analysis module and the online state model;
acquiring network interconnection relations among assets, including access relations, connection frequency and threat information; the relationships among the assets are classified into compliance permission white list, grey list unknown access, threat access and black list forbidding access.
Further, correction is performed at intervals, and a clock frequency deviation ratio is calculated:
M=(PLCT4-PLCT1)/(PT4-PT1);
PLCT4 is the current time of PLC collected by the PLC probe at PT4 moment;
delta1=PLCT2-PLCT1;
the occurrence time of a log that occurs after PT4 is calculated as:
PTN=PT4+delta1/M;
and recalculating M when the next time deviation synchronization point occurs, and ensuring that the next acquired event occurrence time is as close to the real time as possible.
Further, the equipment heartbeat carried by the probe is used to judge whether the equipment is online, offline or out of management; the collected log information includes the state information of the equipment, online or offline.
Compared with the prior art, the invention has the following beneficial effects:
the invention combines a plurality of means, and the safety monitoring tool for the real-time data aggregation and analysis of industrial control equipment in the steel industry conforms to the existing safety strategy of the industrial enterprise, can find the safety trend and situation in the whole industrial enterprise, collects and analyzes safety events from a plurality of events and safety logs with context information, has an important function for improving the management efficiency and the safety supervision of the steel enterprise, can realize the forward movement of a gateway of safety guarantee, and prevents the occurrence of accidents in the bud.
Drawings
FIG. 1 is a block diagram of the architecture of the system of the present invention;
FIG. 2 is a diagram of a log data deduplication model of the present invention;
FIG. 3 is a diagram of a timing model according to the present invention;
FIG. 4 is a diagram of a runtime analysis model of the present invention;
FIG. 5 is a model diagram of a health analysis of the present invention;
FIG. 6 is a diagram of an online state analysis model according to the present invention.
Detailed Description
The technical solutions in the embodiments will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the examples without making any creative effort, shall fall within the protection scope of the present invention.
Unless otherwise defined, technical or scientific terms used in the embodiments of the present application should have the ordinary meaning as understood by those having ordinary skill in the art. The use of "first," "second," and similar terms in the present embodiments does not denote any order, quantity, or importance, but rather the terms are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. "mounted," "connected," and "coupled" are to be construed broadly and may, for example, be fixedly coupled, detachably coupled, or integrally coupled; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. "Upper," "lower," "left," "right," "lateral," "vertical," and the like are used solely in relation to the orientation of the components in the figures, and these directional terms are relative terms that are used for descriptive and clarity purposes and that can vary accordingly depending on the orientation in which the components in the figures are placed.
As shown in fig. 1, the safety monitoring system for steel industrial control equipment of the embodiment includes a collector, a processor and a visualization module.
The visualization module 300 dynamically displays the dynamic information of the industrial control equipment across the whole plant area, including the protection information log and the alarm log. It comprises the following:
Equipment monitoring: the industrial control equipment is safety-assessed item by item and given a final score, with reference to the protection guideline evaluation engine; the data come from the information uploaded by the workshop-level monitoring terminal.
Interconnection monitoring: the networking relations between the monitored logical areas are presented and can be decided upon, based on statistical information, as black-listed (prohibited) or white-listed (permitted) access.
Alarm monitoring: the alarm conditions of the various plants are summarised into a trend distribution graph, so that group managers can follow how the safety state of each plant changes.
TABLE 1
[Table 1: image not reproduced on this page]
The data acquisition module 100 collects network traffic, control equipment information, host information and other information from the field industrial equipment; the data center 200 stores, computes and models the collected information; the data visualization module 300 then presents monitoring, alarm and other information to the user in forms such as reports, large screens and mobile apps.
The data acquisition module 100 provides the basic capability of the workshop-level monitoring terminal. It collects information from industrial control hosts, network devices, controllers, security equipment and other devices in the industrial control system through the industrial control network probe 110, the industrial control equipment information acquisition module 120 and the industrial control host information acquisition module 130; the information collected for each device type is shown in Table 1.
The collector as a data collection module 100 collects asset information, safety information, state information, alarm information and fault information of protection evaluation equipment such as an engineer station, an operator station, a history station, control equipment, exchange equipment, an industrial control safety evaluation device, an industrial control threat sensing system, an industrial control firewall, an industrial isolation device and the like through an industrial control network probe, an industrial control equipment information collection module and an industrial control host information collection module. Mainly comprises three types of acquisition devices: the industrial control network probe, the industrial control equipment information acquisition module and the industrial control host information acquisition module.
The industrial control network probe 110 collects industrial network data in the steel industry control system. It supports capturing and parsing industrial protocol traffic such as S7 and Modbus, including their signatures and function codes, parses HTTP traffic, and supports protocols such as MySQL, SSH, Telnet, HTTP, RDP, EtherNet/IP, DNP3 and FTP. Mirrored bypass network traffic is fed into the network probe, which extracts the important information from the traffic to form log data and reports it.
The industrial control network probe 110 loads the probe configuration and the dangerous-instruction rules at initialisation, then loads the black/white-list rules synchronised from the platform, and on success enters the loop of capturing network packets and processing them. At the TCP layer, a newly established connection creates a connection-tracking entry and the subsequent data exchange of the session is tracked. Each session is also checked against the black/white-list rules, and a log is provided to the data platform. For supported application-layer protocols the operation command is parsed, and abnormal operation commands together with their context are reported to the data center module 200.
The industrial control equipment information acquisition module 120 collects information from field control equipment and supports PLC or DCS equipment of no fewer than five brands, such as Siemens, Omron, Schneider, Honeywell and others; it is deployed on dedicated hardware and acquires data from PLC/DCS and other control equipment over the network.
The industrial control host information acquisition module 130 collects data from field engineer stations, operator stations, servers and the like, supporting collection of system state information, log information and so on from industrial servers, engineer stations and operator stations; collectable operating systems include Windows 2000, XP, 7 and 10 and Windows Server 2003 and 2008. The industrial control host acquisition software is installed on the host PC and collects information such as the production running state, faults, user operation behaviour, system configuration, vulnerabilities and patches, network connections, network services, network communication and security protection state of the host operating system.
The data center 200 stores and computes the data uploaded by the data acquisition module 100. The data storage module 210 is implemented on a distributed Hadoop big data platform; it supports offline and real-time storage of structured, semi-structured and unstructured data, keeps the data safe through a multi-replica mechanism, and stores it efficiently and at low cost through compression. The Hadoop big data platform is a mature commercial platform and is not part of the description or protection scope of the invention. The data modeling module 220 obtains the required safety monitoring data through modelling and calculation, and comprises the log data deduplication module, the time correction module, the running time analysis module, the health degree analysis module and the online state analysis module.
The data visualization module 300 is configured to generate corresponding reports, large screens, mobile APPs and the like from result data obtained after calculation processing of each model of the data center module 200 through a visualization tool, so that a user can intuitively and conveniently master safety state information of the industrial equipment. Mainly comprises an equipment monitoring module 310, an interconnection monitoring module 320 and an alarm monitoring module 330.
The equipment monitoring module 310 displays the health score and the state information of the industrial control equipment in a large screen mode according to the results calculated by the health degree analysis module and the online state analysis model.
The interconnection monitoring module 320 derives the network interconnection relations between assets, including the access relation (direction), connection frequency and threat information, from the data processed by the log data deduplication module and the running time module. The relations between assets are classified as compliant permitted access (white list), unknown access (grey list), threat access and prohibited access (black list). On the interconnection monitoring board, green indicates access permitted by the specification, grey indicates that no threat has been found in the access, yellow indicates that a dangerous instruction operation (program download, register write and the like) has occurred, and red indicates that a prohibited access has occurred. In the embodiment, interconnection frequency is represented by line thickness, and the direction between requester and responder by an arrowed line.
The alarm monitoring module 330 displays the abnormal information of the system. The data processed by the log data deduplication module, the running time analysis module and the time correction module are aggregated, with time taken into account so that the most recently triggered alarms are sorted first; an alarm disappears only after it has been confirmed. Each alarm log is linked to the summary and detail of the audit log that triggered it. Configurable alarm rules and the summary of alarm information from all areas produce alarm lists and trend distribution graphs.
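The classification and board colouring described above, as an added worked example in Python (not code from the patent or the assignee's product): it classifies constructed probe flow records into the four relation classes, aggregates connection frequency and direction per requester/responder pair, and assigns the board colour. The IP addresses, protocol and operation names, and the white and black lists are constructed for the example; which operations count as dangerous instructions is an assumption based on the page's own examples (program download, register write).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class FlowLog:
    """One probe log record: requester, responder, protocol and the parsed operation."""
    src: str
    dst: str
    proto: str
    op: str


# Constructed policy (illustrative addresses): engineer and operator stations may talk
# to the PLC (white list); an office host is explicitly prohibited (black list).
WHITE_LIST = {("10.1.0.10", "10.1.0.50"), ("10.1.0.11", "10.1.0.50")}
BLACK_LIST = {("10.1.0.200", "10.1.0.50")}

# Assumption: the operations the page calls dangerous instructions (program download,
# register write). The operation names are this example's own, not a vendor's.
DANGEROUS_OPS = {
    ("s7comm", "download_block"),
    ("modbus", "write_single_register"),
    ("modbus", "write_multiple_registers"),
}

# Relation classes in order of severity, and the colour the board shows for each.
RANK = {"greylist": 0, "whitelist": 1, "threat": 2, "blacklist": 3}
COLOR = {"whitelist": "green", "greylist": "grey", "threat": "yellow", "blacklist": "red"}


def classify(flow: FlowLog) -> str:
    """Relation class of a single flow record."""
    pair = (flow.src, flow.dst)
    if pair in BLACK_LIST:
        return "blacklist"        # prohibited access: red regardless of the operation
    if (flow.proto, flow.op) in DANGEROUS_OPS:
        return "threat"           # dangerous instruction, even from a white-listed pair
    if pair in WHITE_LIST:
        return "whitelist"        # compliant, permitted access
    return "greylist"             # unknown access, no threat found yet


def build_board(flows: Iterable[FlowLog]) -> Dict[Tuple[str, str], dict]:
    """Per directed pair: connection count (line thickness) and worst class seen (colour)."""
    board: Dict[Tuple[str, str], dict] = {}
    for flow in flows:
        edge = board.setdefault((flow.src, flow.dst), {"count": 0, "class": "greylist"})
        edge["count"] += 1
        cls = classify(flow)
        if RANK[cls] > RANK[edge["class"]]:
            edge["class"] = cls
    for edge in board.values():
        edge["color"] = COLOR[edge["class"]]
    return board


# Constructed sample of probe records (not real traffic).
SAMPLE_FLOWS = [
    FlowLog("10.1.0.10", "10.1.0.50", "s7comm", "read_var"),
    FlowLog("10.1.0.10", "10.1.0.50", "s7comm", "read_var"),
    FlowLog("10.1.0.10", "10.1.0.50", "s7comm", "read_var"),
    FlowLog("10.1.0.10", "10.1.0.50", "s7comm", "download_block"),          # program download from the engineer station
    FlowLog("10.1.0.77", "10.1.0.50", "modbus", "read_holding_registers"),  # unknown host, read only
    FlowLog("10.1.0.200", "10.1.0.50", "modbus", "write_single_register"),  # prohibited host writing a register
]

if __name__ == "__main__":
    for (src, dst), edge in build_board(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {edge['count']} connections, {edge['class']} ({edge['color']})")
```

The edge keeps the worst class it has ever seen, so one program download from an otherwise compliant engineer station turns that line yellow for the rest of the period; whether that should decay after confirmation is a policy choice the page leaves to the alarm workflow.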
As shown in fig. 2, the log deduplication module proceeds as follows:
Because of practical constraints, PLC log collection in many scenarios cannot tell whether a log currently acquired has already been collected in the past. The last collected log, i.e. log e2 at PT2 (PLCT2) in the example figure, is therefore retained against the event queue reported by the collection target. The collector compares the timestamp and digest of each newly acquired log in turn until it matches the last collected log (PLCTn = PLCT2 and en = e2), or finds a log with PLCTn > PLCT2, i.e. one newer than the last collected log.
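The deduplication rule above, as an added worked example in Python (not part of the patent or the assignee's software): the collector keeps the PLC timestamp and digest of the last accepted log and walks each newly reported queue until it matches that log or meets a newer one. The log texts and timestamps are constructed, and using SHA-256 of the log text as the digest is this example's assumption.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PlcLog:
    """A log entry as reported by the PLC: its own clock value and the raw text."""
    plc_time: int   # PLC clock at which the log was generated (seconds, PLC's own clock)
    text: str

    def digest(self) -> str:
        # The "abstract" of the log: a hash of its content (assumption: SHA-256 of the text)
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


class LogDeduplicator:
    """Drops history that the PLC re-reports on every collection.

    The collector keeps the last accepted log (timestamp + digest) and skips the new
    batch, in order, until it either matches that log or meets a log whose PLC timestamp
    is newer; everything from that point on is treated as new."""

    def __init__(self) -> None:
        self.last: Optional[PlcLog] = None

    def accept(self, batch: Iterable[PlcLog]) -> List[PlcLog]:
        batch = list(batch)
        start = 0
        if self.last is not None:
            start = len(batch)  # until proven otherwise the whole batch is old history
            last_digest = self.last.digest()
            for i, log in enumerate(batch):
                if log.plc_time == self.last.plc_time and log.digest() == last_digest:
                    start = i + 1  # matched the last collected log: the remainder is new
                    break
                if log.plc_time > self.last.plc_time:
                    start = i      # newer than anything collected: the last log rolled out of the queue
                    break
        fresh = batch[start:]
        if fresh:
            self.last = fresh[-1]
        return fresh


# Constructed batches (not real PLC output): the queue is re-reported with overlap,
# then rolls over so that the last accepted log is no longer present.
BATCH_1 = [PlcLog(100, "DB1 write ok"), PlcLog(105, "fault F12 cleared"), PlcLog(110, "mode RUN")]
BATCH_2 = [PlcLog(105, "fault F12 cleared"), PlcLog(110, "mode RUN"), PlcLog(115, "fault F20 raised")]
BATCH_3 = [PlcLog(120, "fault F20 cleared"), PlcLog(125, "mode STOP")]


def run_demo() -> List[List[str]]:
    """Accepted log texts per collection; the fourth collection re-reports BATCH_3 unchanged."""
    dedup = LogDeduplicator()
    return [[log.text for log in dedup.accept(batch)] for batch in (BATCH_1, BATCH_2, BATCH_3, BATCH_3)]


if __name__ == "__main__":
    for i, accepted in enumerate(run_demo(), 1):
        print(f"collection {i}: accepted {accepted}")
```

Two consequences of the rule worth knowing before relying on it: a genuinely new log that carries the same PLC timestamp as the last accepted one, but arrives in a queue from which that log has already rolled out, is dropped (it is neither a match nor newer); and a PLC clock that is reset backwards makes every subsequent log look old. Both are reasons the page pairs deduplication with the time correction below.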
As shown in fig. 3, the timing module proceeds as follows:
Industrial assets tend to run for long periods, for years without configuration updates or maintenance, and their system time often differs significantly from the current time. The collected logs, however, need a reliable time reference, so the occurrence time carried in the data collected from the terminal, and in fault logs in particular, must be corrected and synchronised against the data platform. The same problem exists in other collection processes, but those collection targets are conventional IT assets whose relative time error is comparatively small.
In general a running PLC cannot be time-synchronised, or the conditions for setting its clock are not available. The collector collects logs periodically and with lag, frequent short-period collection is usually not possible, and a long interval is generally chosen for safety reasons. The time at which the collector receives a log therefore cannot be used as the occurrence time of the event, and the occurrence time of event e in data center/probe time can only be determined by derivation.
As shown in fig. 3, PLCT1 is the alignment time of the target PLC, i.e. it is aligned relative to PT1 of the data center/probe; these are relative coordinates, on the assumption that the PLC probe read the PLC's then-current time PLCT1 at time PT1. When a log generated by the PLC is collected, the time it carries is PLCT2. In the general case delta1 = PLCT2 - PLCT1 can be calculated, and the real occurrence time of the log is PT2 = PT1 + delta1 = PT1 + PLCT2 - PLCT1.
In practice this is not necessarily so ideal, because the clock of the PLC terminal may not run as expected or at exactly the same frequency, and may even deviate considerably, so that the real interval is delta2 = PT3 - PT1. Therefore the probe sets a time synchronisation calculation point at intervals and corrects by calculating the clock frequency deviation ratio:
M=(PLCT4-PLCT1)/(PT4-PT1)
and the occurrence time of a log that occurs after PT4 should be calculated as:
PTN=PT4+delta1/M
and recalculating M when the next time deviation synchronization point occurs, thereby ensuring that the next acquired event occurrence time is as close as possible to the real time.
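The two-stage correction above (offset model first, then the frequency deviation ratio M), as an added worked example in Python rather than code from the patent. It assumes that delta in PTN = PT4 + delta/M is the PLC-clock interval measured from the latest synchronisation point, since the page does not restate delta1's base point after PT4, and it uses constructed clock values: a PLC whose clock is 500 s behind the data center and runs 1% slow.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SyncPoint:
    pt: float    # data center / probe time at which the PLC clock was read
    plct: float  # PLC clock value read at that same instant


class PlcClockCorrector:
    """Maps PLC clock values onto data center time.

    Until the first re-synchronisation the offset model of the page is used:
        PT = PT1 + (PLCT - PLCT1)
    At a synchronisation point (PT4, PLCT4) the frequency deviation ratio is computed,
        M = (PLCT4 - PLCT1) / (PT4 - PT1)
    and later logs are mapped with
        PT = PT4 + delta / M
    Assumption: delta is the PLC-clock interval since the latest synchronisation point
    (PLCT - PLCT4); the page writes delta1 without restating its base point."""

    def __init__(self, pt1: float, plct1: float) -> None:
        self.first = SyncPoint(pt1, plct1)
        self.latest = self.first
        self.m = 1.0  # PLC seconds per real second; 1.0 until measured

    def resync(self, pt: float, plct: float) -> float:
        """Record a new synchronisation point and recompute M against the first one."""
        if pt <= self.first.pt:
            raise ValueError("synchronisation point must be later than the first")
        m = (plct - self.first.plct) / (pt - self.first.pt)
        if m <= 0:
            raise ValueError("PLC clock went backwards; was it reset?")
        self.m = m
        self.latest = SyncPoint(pt, plct)
        return m

    def offset_only(self, plct: float) -> float:
        """The plain PT2 = PT1 + PLCT2 - PLCT1 estimate, ignoring the clock rate."""
        return self.first.pt + (plct - self.first.plct)

    def real_time(self, plct: float) -> float:
        """Rate-corrected occurrence time of a log stamped plct by the PLC."""
        delta = plct - self.latest.plct
        return self.latest.pt + delta / self.m


def demo() -> Tuple[float, float, float, float]:
    """Constructed numbers: the PLC clock is 500 s behind and runs 1% slow."""
    c = PlcClockCorrector(pt1=1000.0, plct1=500.0)
    before = c.real_time(700.0)            # offset model only, no rate known yet: 1200.0
    m = c.resync(pt=2000.0, plct=1490.0)   # 990 PLC-seconds elapsed in 1000 real seconds: M = 0.99
    corrected = c.real_time(1589.0)        # 2000 + 99 / 0.99 = 2100.0
    naive = c.offset_only(1589.0)          # 2089.0, 11 s early: drift accumulated since PT1
    return before, m, corrected, naive


if __name__ == "__main__":
    print(demo())
```

The check that M is positive matters in practice: a PLC whose clock was reset or replaced between two synchronisation points would otherwise produce a negative or absurd ratio and silently shift every later alarm; treating it as a new PLCT1 baseline is the safer response.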
As shown in fig. 4, the runtime analysis module proceeds as follows:
The running time of a PLC is difficult to estimate accurately, because there is no channel for acquiring it directly, or the existing channel cannot be used in a real environment.
As shown in fig. 4, whether a normal heartbeat occurs in the heartbeat time window, and whether a log exists in the observation window, is used as the criterion. Missing time windows are accumulated until the configured offline time-window threshold is reached; the device is then regarded as having lost contact and failed, and the accumulated running time is reset.
The equipment running time evaluation method comprises the following steps:
If the heartbeat monitoring of the equipment is normal in the time window, the running time of the equipment is its previous running time T1, the disconnection time is 0, and T1 keeps increasing as before. If the heartbeat is judged missing (offline or out of management) in consecutive time windows, then for the first two consecutive missing windows the running time T1 is held unchanged (it stops increasing) and the disconnection time is 1 or 2 windows respectively. If the equipment is still unreachable in the 3rd consecutive window, the running time is reset to 0 and the disconnection time becomes 1 window, i.e. the number of consecutive missing windows minus 2; for example, if the equipment is still unreachable in the 6th consecutive window, the running time is 0 and the disconnection time is 4 windows. If the equipment resumes operation in the 4th consecutive window, i.e. the heartbeat is normal again, the running time is 1 window, the disconnection time is reset to 0, and the running time then increases as before.
As shown in fig. 5, the health degree analysis module specifically performs the following:
The health degree analysis module evaluates the health state of assets; the health degree is classified as healthy, overloaded or lost contact. The healthy state is self-explanatory and means the asset is operating well. The overloaded state means the asset is overloaded and continued operation is a potential threat to the system. Lost contact means the asset has been unreachable and no information about it can be obtained. The health model provided by this method combines evaluation items from several dimensions, has been validated in practice and has practical reference value; the assessed asset health is close to the state actually perceived on site.
[Health score formula: image not reproduced in the text; its symbols are defined below.]
where Wi is the number of times alarm item i occurs in the evaluation period (see Table 2) and Ci is the weight score of alarm item i (common: 0.5, important: 1, dangerous: 1.5, urgent: 2.5);
[Health threshold formula: image not reproduced in the text; its symbols are defined below.]
where Ai is the frequency of alarm item i for the asset, Ci is the corresponding weight score of the item (common: 0.5, important: 1, dangerous: 1.5, urgent: 2.5), Ui indicates whether the item's score is counted (1 or 0, i.e. counted or not), and n% is a model empirical value (see Table 3); the empirical value is derived by analyzing historical alarm information to obtain a reasonable value and is iteratively optimized during alarm monitoring.
The process is as follows:
The state alarm logs generated for the asset during the evaluation period are collected and merged by alarm type, and the health score is evaluated with the formula above. The asset is first checked for the offline state: if it is offline, it is judged to have lost contact; otherwise the score is compared with the health threshold for that class of asset, and the asset is judged overloaded if the score exceeds the threshold and healthy otherwise.
The alarm items and their weights are configurable and maintained through alarm rules; the configurable alarm rules are listed in Table 2.
Table 2 Alarm rule configuration table
[Table 2 is an image not reproduced in the text.]
Table 3 Asset health threshold model empirical values

Asset class          Model empirical value n (%)
Production system    15
Security device      15
Industrial host      10
Network device       15
PLC                  10
Others               30
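The evaluation process described for fig. 5 as an added example that is not part of the patent. The two formula images are not reproduced on the page, so the combination of the symbols is an assumption here: the score is taken as the sum of Wi times Ci over the merged alarm items, and the class threshold as n% of the sum of Ai times Ci times Ui, with Ai the item's historical alarm frequency per period. The weights Ci and the Table 3 values are the page's; the alarm item names, the historical frequencies and the period's alarm logs are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Ci: weight score per alarm level, as given in the description.
LEVEL_WEIGHT = {"common": 0.5, "important": 1.0, "dangerous": 1.5, "urgent": 2.5}

# Table 3: model empirical value n (%) per asset class.
ASSET_CLASS_N_PERCENT = {
    "production system": 15, "security device": 15, "industrial host": 10,
    "network device": 15, "plc": 10, "others": 30,
}


@dataclass(frozen=True)
class AlarmRule:
    """One configurable alarm rule (Table 2 is not reproduced; names are constructed)."""
    item: str
    level: str            # common / important / dangerous / urgent
    counted: bool = True  # Ui: 1 if the item enters the threshold calculation, else 0


@dataclass(frozen=True)
class AlarmLog:
    asset: str
    item: str


def merge_alarm_types(logs: Iterable[AlarmLog], asset: str) -> Counter:
    """Wi: occurrences of each alarm item for one asset in the evaluation period."""
    return Counter(log.item for log in logs if log.asset == asset)


def health_score(wi: Counter, rules: Dict[str, AlarmRule]) -> float:
    """Assumed form sum_i Wi * Ci (the page's formula image is not reproduced)."""
    return sum(n * LEVEL_WEIGHT[rules[item].level] for item, n in wi.items() if item in rules)


def health_threshold(asset_class: str, historical_ai: Dict[str, float],
                     rules: Dict[str, AlarmRule]) -> float:
    """Assumed form n% * sum_i Ai * Ci * Ui, with Ai the historical alarm
    frequency of the item per period and n% the Table 3 value for the class."""
    n = ASSET_CLASS_N_PERCENT[asset_class.lower()]
    total = sum(historical_ai.get(item, 0.0) * LEVEL_WEIGHT[rule.level] * (1 if rule.counted else 0)
                for item, rule in rules.items())
    return n * total / 100


def health_state(asset: str, asset_class: str, offline: bool, logs: Iterable[AlarmLog],
                 rules: Dict[str, AlarmRule], historical_ai: Dict[str, float]) -> Tuple[str, float, float]:
    """Merge alarms, score, then decide lost contact / overload / healthy.

    Returns (state, score, threshold).
    """
    score = health_score(merge_alarm_types(logs, asset), rules)
    threshold = health_threshold(asset_class, historical_ai, rules)
    if offline:
        return "lost contact", score, threshold
    if score > threshold:
        return "overload", score, threshold
    return "healthy", score, threshold


# Constructed rules and historical frequencies for a PLC (threshold = 10% of 45 = 4.5).
RULES = {r.item: r for r in (
    AlarmRule("cpu_high", "common"),
    AlarmRule("unauthorized_write", "dangerous"),
    AlarmRule("config_change", "urgent"),
    AlarmRule("link_flap", "important", counted=False),  # Ui = 0: excluded from threshold
)}
HISTORICAL_AI = {"cpu_high": 40, "unauthorized_write": 10, "config_change": 4, "link_flap": 30}


def demo(extra_config_changes: int = 0, offline: bool = False) -> Tuple[str, float, float]:
    """Constructed period logs for one PLC: two cpu_high, one unauthorized_write,
    plus the given number of config_change alarms."""
    logs = [AlarmLog("plc-07", "cpu_high")] * 2 + [AlarmLog("plc-07", "unauthorized_write")]
    logs += [AlarmLog("plc-07", "config_change")] * extra_config_changes
    return health_state("plc-07", "PLC", offline, logs, RULES, HISTORICAL_AI)


if __name__ == "__main__":
    print(demo())      # healthy: 2.5 against threshold 4.5
    print(demo(2))     # overload: 7.5 against threshold 4.5
```

Keeping the threshold relative to the asset's own alarm history, as the n% factor implies, means a noisy asset class (Others, 30 %) tolerates more before being called overloaded than a PLC (10 %); the offline check runs before the score comparison so a silent asset is reported as lost contact rather than as healthy with a score of zero.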
As shown in fig. 6, the online status analysis module proceeds as follows:
There are two common implementation models for monitoring the online status of a system: periodic scanning or probing, and updating the device state from the received logs. Both have shortcomings in an industrial environment. Periodic scanning or probing consumes network bandwidth for a period of time, and given the fragile protocol stacks and limited processing capacity of industrial terminals, even a simple ICMP or SYN probe can cause a terminal to fail and lead to an accident. Updating device state from log analysis is an analysis of M x N scale, which is inefficient and drags down overall performance. A scheme in which the probes directly carry the asset state leads to inconsistent, disordered states when one asset is managed by several probes, which in turn causes some anomaly-analysis models to misjudge.
In this embodiment the probe carries the device heartbeat, and an asset is in one of three states: online, offline, or off-line, the last meaning that the device is not managed by any probe.
Listed in that order, the states have decreasing priority (online highest, off-line lowest), and in reverse order increasing priority. This ensures that, within a given protection period, whichever probe manages the asset evaluates a state closer to the facts.
The log information collected by a probe includes the state information of the device (online/offline). When a device is managed by only one probe, its state is the state carried by that probe. When a device is monitored by no probe, it is off-line, i.e. not managed by any probe. When several probes manage one device, its state is determined by the high/low online-state protection period model, as follows. The device heartbeat is carried by the probes, and each probe reflects the same three states of the device: online, offline and off-line, with priority decreasing in that order. For example, in time window A probe B reports asset m online and probe C reports it offline; regardless of the order in which the reports arrive, the model considers online superior to offline, takes online as the current state of the device, and enters the online-state protection period. If no further information about asset m arrives and the online-state protection period expires, the current state is lowered one step at a time, entering the protection period of the new state each time, until a higher-priority state for the asset is reported again.
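The protection period model above as an added example that is not part of the patent. The state order online > offline > off-line is the page's; the protection period lengths per state are constructed, since the page says each state has one but gives no values; probe names, the asset name m and the per-window reports follow the page's worked example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Priority order from the description: online > offline > off-line (no probe manages the asset).
STATES = ["online", "offline", "off-line"]
PRIORITY = {s: i for i, s in enumerate(STATES)}  # lower index = higher priority

# Protection period per state in time windows: constructed values, the page
# gives none. A state is held for this many further windows without information.
PROTECTION = {"online": 3, "offline": 2, "off-line": 0}


@dataclass(frozen=True)
class Report:
    probe: str
    asset: str
    state: str  # online / offline, as carried in the probe's heartbeat log


@dataclass
class AssetStatus:
    state: str = "off-line"
    remaining: int = 0  # windows left in the current protection period


class OnlineStatusModel:
    """High/low online-state protection period model for assets seen by several probes."""

    def __init__(self) -> None:
        self.assets: Dict[str, AssetStatus] = {}

    def apply_window(self, reports: Iterable[Report]) -> Dict[str, str]:
        """Consume one time window of probe reports and return asset -> state."""
        by_asset: Dict[str, List[Report]] = defaultdict(list)
        for r in reports:
            if r.state not in ("online", "offline"):
                raise ValueError(f"probe {r.probe} carried unknown state {r.state!r}")
            by_asset[r.asset].append(r)
        for asset in by_asset:
            self.assets.setdefault(asset, AssetStatus())
        for asset, status in self.assets.items():
            self._step(status, by_asset.get(asset, []))
        return {asset: status.state for asset, status in self.assets.items()}

    @staticmethod
    def _step(st: AssetStatus, reports: List[Report]) -> None:
        if reports:
            # Several probes, any order: the highest-priority reported state wins.
            best = min(reports, key=lambda r: PRIORITY[r.state]).state
            if PRIORITY[best] <= PRIORITY[st.state] or st.remaining == 0:
                # Equal/higher priority, or protection expired: adopt it and
                # (re)enter that state's protection period.
                st.state, st.remaining = best, PROTECTION[best]
            else:
                # Lower-priority report while protected: ignored, one window elapses.
                st.remaining -= 1
        elif st.remaining > 0:
            st.remaining -= 1  # no information: the protection period runs down
        else:
            # Protection expired with no information: lower the state one step
            # and enter the protection period of the new state.
            lower = STATES[min(PRIORITY[st.state] + 1, len(STATES) - 1)]
            st.state, st.remaining = lower, PROTECTION[lower]


def evaluate(asset: str, windows: List[List[Report]]) -> List[str]:
    """State of one asset after each window of reports."""
    model = OnlineStatusModel()
    return [model.apply_window(w).get(asset, "off-line") for w in windows]


if __name__ == "__main__":
    window_a = [Report("B", "m", "online"), Report("C", "m", "offline")]
    silence = [[] for _ in range(8)]
    print(evaluate("m", [window_a] + silence + [[Report("C", "m", "online")]]))
```

With these period lengths the asset stays online for four windows after the conflicting reports, is lowered to offline for three, and only then becomes off-line; a single offline report from one probe during the online protection period cannot flip the state, which is the inconsistency the page attributes to letting each probe carry the state directly.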
It should be noted that the division of the modules of the above apparatus is only a logical division, and the actual implementation may be wholly or partially integrated into one physical entity, or may be physically separated. And these modules can be realized in the form of software called by processing element; or may be implemented entirely in hardware; and part of the modules can be realized in the form of calling software by the processing element, and part of the modules can be realized in the form of hardware.
The processing element described herein may be an integrated circuit having signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in the form of software.
For example, the above modules may be one or more integrated circuits configured to implement the above methods, such as one or more application-specific integrated circuits (ASICs), one or more digital signal processors (DSPs), or one or more field-programmable gate arrays (FPGAs). For another example, when some of the above modules are implemented in the form of program code scheduled by a processing element, the processing element may be a general-purpose processor such as a central processing unit (CPU) or another processor that can call program code. As another example, these modules may be integrated together and implemented as a system-on-a-chip (SoC).
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product, which includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in the embodiments of the application to occur, in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a readable storage medium or transmitted from one readable storage medium to another; for example, they may be transmitted from one website, computer, server or data center to another by wired (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g. infrared, radio, microwave) means.
The readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g. floppy disk, hard disk, magnetic tape), an optical medium (e.g. DVD), or a semiconductor medium (e.g. solid-state disk (SSD)).
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Optionally, an embodiment of the present application further provides a storage medium storing instructions which, when run on a computer, cause the computer to execute the method of the embodiment described above.
Optionally, an embodiment of the present application further provides a chip for executing the instruction, where the chip is configured to execute the method in the foregoing illustrated embodiment.
The embodiments of the present application also provide a program product, where the program product includes a computer program, where the computer program is stored in a storage medium, and at least one processor can read the computer program from the storage medium, and when the at least one processor executes the computer program, the at least one processor can implement the method of the above-mentioned embodiments. It is to be understood that the various numerical references referred to in the embodiments of the present application are merely for descriptive convenience and are not intended to limit the scope of the embodiments of the present application.
It should be understood that, in the embodiment of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiment of the present application.

Claims (10)

1. A safety monitoring system for steel industrial control equipment, characterized in that it comprises a collector and a processor; the collector collects data for the processor to store and analyze;
the processor comprises a log data duplicate removal module, a timing module, a running time analysis module and a health degree analysis module;
the log data deduplication module compares the timestamp and digest of the currently acquired log, in sequence, until the last acquired log is matched or an updated version of the last acquired log is found;
the time correcting module calculates the time of the real log:
PT2=PT1+delta1=PT1+PLCT2-PLCT1;
PLCT1 is the current time of PLC collected by the PLC probe at PT1 moment; PLCT2 is the current time of PLC collected by the PLC probe at PT2 moment;
the running time analysis module judges whether the heartbeat is normal within the heartbeat time window: a heartbeat value within the range specified for the time window means online, and a heartbeat value beyond the range specified for the time window means offline;
the health degree analysis module calculates the asset health assessment score according to the following steps:
[Health score formula: image not reproduced in the text.]
wherein, Wi is the frequency of the alarm item in the evaluation period, and Ci is the weight score of the alarm item;
[Health threshold formula: image not reproduced in the text.]
where Ai is the frequency of the alarm item for the asset, Ci the corresponding weight score of the item, Ui whether the score of the item is counted, and n% a model empirical value, which is derived by analyzing historical alarm information to obtain a reasonable value and is iteratively optimized during alarm monitoring.
2. The safety monitoring system for steel industrial control equipment according to claim 1, characterized in that:
the collector comprises an industrial control network probe, an industrial control equipment information acquisition module and an industrial control host information acquisition module;
the industrial control network probe extracts important information in the network flow to form log data and reports the log data; the industrial control equipment information acquisition module acquires field control equipment information;
the industrial control host information acquisition module acquires industrial control host data information including data of a field engineer station, an operator station and a server.
3. The safety monitoring system for steel industrial control equipment according to claim 1, characterized in that: the system also comprises a data visualization module, a data storage module and a data processing module, wherein the data visualization module comprises an equipment monitoring module, an interconnection monitoring module and an alarm monitoring module;
the equipment monitoring module displays the health score and the state information of the industrial control equipment in a large-screen mode according to the results calculated by the health degree analysis module and the online state model;
the interconnection monitoring module acquires the network interconnection relations among assets, including access relations, connection frequency and threat information; the relations among assets are classified as white-list permitted compliant access, grey-list unknown access, threat access and black-list forbidden access; and the alarm monitoring module displays abnormal information of the system.
4. The safety monitoring system for steel industrial control equipment according to claim 1, characterized in that: the time correcting module corrects at intervals and calculates the clock frequency deviation ratio:
M=(PLCT4-PLCT1)/(PT4-PT1);
PLCT4 is the current time of PLC collected by the PLC probe at PT4 moment;
delta1=PLCT2-PLCT1;
the occurrence time of a log acquired after PT4 is calculated as:
PTN=PT4+delta1/M;
and recalculating M when the next time deviation synchronization point occurs, and ensuring that the next acquired event occurrence time is as close to the real time as possible.
5. The safety monitoring system for steel industrial control equipment according to claim 1, characterized in that: the processor further comprises an online state analysis module which judges whether the equipment is online, offline or off-line by means of the equipment heartbeat carried by the probe;
the log information collected by the probe includes the state information of the equipment, online or offline;
when one device is managed by only one probe, its state is the state carried by that probe; when a device is monitored by no probe, it is off-line, i.e. not managed by any probe; when several probes manage one device, its state is determined by the high/low online-state protection period model, as follows: the heartbeat information of the device is carried by the probes, each probe reflects the same three states of the device, online, offline and off-line, and in that order the state priority decreases, while in reverse order it increases.
6. A safety monitoring method for steel industrial control equipment, characterized in that it comprises the following steps:
deduplicating the log data by comparing the timestamp and digest of the currently acquired log, in sequence, until the last acquired log is matched or an updated version of the last acquired log is found;
calculating the time of occurrence of the real log:
PT2=PT1+delta1=PT1+PLCT2-PLCT1;
PLCT1 is the current time of PLC collected by the PLC probe at PT1 moment; PLCT2 is the current time of PLC collected by the PLC probe at PT2 moment;
analyzing the running time by judging whether the heartbeat is normal within the heartbeat time window: a heartbeat value within the range specified for the time window means online, and a heartbeat value beyond the range specified for the time window means offline;
analyzing the health degree by calculating an asset health assessment score as follows:
[Health score formula: image not reproduced in the text.]
wherein, Wi is the frequency of the alarm item in the evaluation period, and Ci is the weight score of the alarm item;
[Health threshold formula: image not reproduced in the text.]
where Ai is the frequency of the alarm item for the asset, Ci the corresponding weight score of the item, Ui whether the score of the item is counted, and n% a model empirical value, which is derived by analyzing historical alarm information to obtain a reasonable value and is iteratively optimized during alarm monitoring.
7. The method of claim 6, wherein: important information is extracted from the network traffic to form log data, which is reported; information of the field control equipment is acquired;
and data information of the industrial control host is acquired, including data of the field engineer station, the operator station and the server.
8. The method of claim 6, wherein: further comprising:
displaying the health score and the state information of the industrial control equipment in a large-screen mode according to the results calculated by the health degree analysis module and the online state model;
acquiring network interconnection relations among assets, including access relations, connection frequency and threat information; the relationships among the assets are classified into compliance permission white list, grey list unknown access, threat access and black list forbidding access.
9. The method of claim 6, wherein: correcting at intervals, and calculating a clock frequency deviation ratio:
M=(PLCT4-PLCT1)/(PT4-PT1);
PLCT4 is the current time of PLC collected by the PLC probe at PT4 moment;
delta1=PLCT2-PLCT1;
the time at which the log occurred after PT4 was calculated as:
PTN=PT4+delta1/M;
and recalculating M when the next time deviation synchronization point occurs, and ensuring that the next acquired event occurrence time is as close to the real time as possible.
10. The method of claim 1, wherein: the equipment heartbeat carried by the probe is used to judge whether the equipment is online, offline or off-line; the collected log information includes the state information of the equipment, online or offline.
CN202110741867.2A 2021-06-30 2021-06-30 Safety monitoring system and method for steel industrial control equipment Pending CN113671909A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110741867.2A CN113671909A (en) 2021-06-30 2021-06-30 Safety monitoring system and method for steel industrial control equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110741867.2A CN113671909A (en) 2021-06-30 2021-06-30 Safety monitoring system and method for steel industrial control equipment

Publications (1)

Publication Number Publication Date
CN113671909A true CN113671909A (en) 2021-11-19

Family

ID=78538540

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110741867.2A Pending CN113671909A (en) 2021-06-30 2021-06-30 Safety monitoring system and method for steel industrial control equipment

Country Status (1)

Country Link
CN (1) CN113671909A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107169617A (en) * 2016-03-07 2017-09-15 中国电力科学研究院 A kind of controller switching equipment state evaluation system
CN107451402A (en) * 2017-07-13 2017-12-08 北京交通大学 A kind of equipment health degree appraisal procedure and device based on alarm data analysis
CN109150869A (en) * 2018-08-14 2019-01-04 南瑞集团有限公司 A kind of exchanger information acquisition analysis system and method
CN109818985A (en) * 2019-04-11 2019-05-28 江苏亨通工控安全研究院有限公司 A kind of industrial control system loophole trend analysis and method for early warning and system
CN109962891A (en) * 2017-12-25 2019-07-02 中国移动通信集团安徽有限公司 Monitor method, apparatus, equipment and the computer storage medium of cloud security
CN110456725A (en) * 2019-07-04 2019-11-15 烽台科技(北京)有限公司 A kind of monitoring method of PLC device, device and intelligent terminal
CN111176202A (en) * 2019-12-31 2020-05-19 成都烽创科技有限公司 Safety management method, device, terminal equipment and medium for industrial control network
US20200274782A1 (en) * 2019-02-25 2020-08-27 Zscaler, Inc. Systems and methods for alerting administrators of a monitored digital user experience
CN112507027A (en) * 2020-12-16 2021-03-16 平安科技(深圳)有限公司 Incremental data synchronization method, device, equipment and medium based on Kafka
CN112597138A (en) * 2020-12-10 2021-04-02 浙江岩华文化科技有限公司 Data deduplication method and device, computer equipment and computer-readable storage medium

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710416A (en) * 2022-02-23 2022-07-05 沈阳化工大学 Real-time data acquisition method based on process flow and network flow
CN114710416B (en) * 2022-02-23 2023-11-03 沈阳化工大学 Network flow real-time data acquisition method based on process flow
CN114879622A (en) * 2022-07-12 2022-08-09 珠海市鸿瑞信息技术股份有限公司 Industrial control log auditing system and method based on multi-source data
CN116414097A (en) * 2023-05-15 2023-07-11 广东思创智联科技股份有限公司 Alarm management method and system based on industrial equipment data
CN116414097B (en) * 2023-05-15 2023-09-29 广东思创智联科技股份有限公司 Alarm management method and system based on industrial equipment data
CN116743503A (en) * 2023-08-11 2023-09-12 浙江国利网安科技有限公司 Health evaluation method based on industrial control asset
CN116743503B (en) * 2023-08-11 2023-11-07 浙江国利网安科技有限公司 Health evaluation method based on industrial control asset
CN117236705A (en) * 2023-11-16 2023-12-15 中钢集团武汉安全环保研究院有限公司 Safety monitoring and alarming method and device for steel production process parameters
CN117236705B (en) * 2023-11-16 2024-02-06 中钢集团武汉安全环保研究院有限公司 Safety monitoring and alarming method and device for steel production process parameters

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination