CN113852623A - Virus industrial control behavior detection method and device - Google Patents

Info

Publication number
CN113852623A
Authority
CN
China
Prior art keywords
industrial control
target
control behavior
virtual host
program
Legal status
Granted
Application number
CN202111111761.0A
Other languages
Chinese (zh)
Other versions
CN113852623B (en)
Inventor
杨帅
崔行
刘国志
褚健
薛金良
Current Assignee
Zhejiang Guoli Network Security Technology Co ltd
Original Assignee
Zhejiang Guoli Network Security Technology Co ltd

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 … for detecting or protecting against malicious traffic
            • H04L63/1408 … by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/554 … involving event detection and direct action
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
            • H04L67/10 Protocols in which an application is distributed across nodes in the network
                • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        • H04L69/03 Protocol definition or specification
        • H04L69/22 Parsing or analysis of headers

Abstract

The invention discloses a virus industrial control behavior detection method and device. A target virus program is sent to a virtual host through a monitoring program installed in the operating system of the virtual host, the virtual host being in communication connection with an industrial control system; the monitoring program instructs the target virus program to start running in the virtual host; while the target virus program runs, the network traffic data between the virtual host and the industrial control system is mirrored to obtain target traffic data; and industrial control behavior analysis is performed on the target traffic data to obtain analyzed industrial control behavior information. By detecting the industrial control behavior of the target virus program in a created virtual running environment that is almost identical to the real running environment, the invention can detect the industrial control behavior information of the target virus program while preventing the target virus program from damaging a real machine and a real operating system, and can effectively ensure detection accuracy.

Description

Virus industrial control behavior detection method and device
Technical Field
The invention relates to the technical field of computers, in particular to a virus industrial control behavior detection method and device.
Background
With the development of computer technology, the control technology of industrial control systems is continuously improved.
The industrial control system may be a business process management and control system for automating operations, process control, and monitoring of industrial infrastructure.
Currently, industrial control systems are at risk of computer virus infection. It should be noted that, in the prior art, when a computer virus targeting an industrial control system is found, the industrial control behavior that the computer virus may generate needs to be analyzed in time to determine the influence of the computer virus on the operation and production of the industrial control system. After the industrial control behavior characteristics of the computer virus have been analyzed, the prior art can defend and repair the industrial control system accordingly and design a corresponding system protection tool to protect the industrial control system.
However, the prior art cannot effectively analyze the industrial control behavior of the computer virus.
Disclosure of Invention
In view of the above problems, the present invention provides a method and an apparatus for detecting industrial control behavior of a virus, which overcome the above problems or at least partially solve the above problems, and the technical solution is as follows:
a virus industrial control behavior detection method comprises the following steps:
sending a target virus program to a virtual host through a monitoring program arranged in an operating system of the virtual host, wherein the virtual host is in communication connection with an industrial control system;
instructing, by the monitoring program, the target virus program to start running in the virtual host;
in the running process of the target virus program, mirroring is carried out on network flow data between the virtual host and the industrial control system, and target flow data are obtained;
and carrying out industrial control behavior analysis on the target flow data to obtain analyzed industrial control behavior information.
Optionally, the analyzing the industrial control behavior of the target traffic data to obtain analyzed industrial control behavior information includes:
identifying the protocol type of at least one message in the target flow data;
respectively searching a message protocol library corresponding to the protocol type of each message;
and analyzing the messages of the corresponding protocol types by respectively using the searched message protocol libraries to obtain the analyzed industrial control behavior information.
Optionally, the identifying a protocol type of at least one packet in the target traffic data includes:
and identifying the protocol type of each message based on the message port and the message header of each message in the target flow data.
Optionally, the analyzing the industrial control behavior of the target traffic data to obtain analyzed industrial control behavior information includes:
sending the target flow data to an industrial control behavior auditing system for industrial control behavior auditing;
and determining the industrial control behavior audit information output by the industrial control behavior audit system as the analyzed industrial control behavior information.
Optionally, the method further includes:
and performing static analysis on the target virus program to determine whether the target virus program is an executable program, and if so, executing the step of sending the target virus program to the virtual host through the monitoring program arranged in the operating system of the virtual host.
Optionally, the method further includes:
and in the running process of the target virus program, obtaining the operation behavior information of the target virus program in the virtual host through the monitoring program.
A virus industrial control behavior detection device comprises: the system comprises a first sending unit, an instruction unit, a mirror image unit and a first analysis unit; wherein:
the first sending unit is used for sending a target virus program to a virtual host through a monitoring program arranged in an operating system of the virtual host, and the virtual host is in communication connection with an industrial control system;
the instruction unit is used for instructing the target virus program to start running in the virtual host through the monitoring program;
the mirroring unit is used for mirroring the network traffic data between the virtual host and the industrial control system in the running process of the target virus program to obtain target traffic data;
and the first analysis unit is used for carrying out industrial control behavior analysis on the target flow data to obtain analyzed industrial control behavior information.
Optionally, the first analysis unit includes: an identification unit, a search unit and a second analysis unit; wherein:
the identification unit is used for identifying the protocol type of at least one message in the target flow data;
the searching unit is used for respectively searching a message protocol library corresponding to the protocol type of each message;
and the second analysis unit is used for analyzing the messages of the corresponding protocol types by respectively using the searched message protocol libraries to obtain the analyzed industrial control behavior information.
Optionally, the identification unit is configured to identify the protocol type of each message based on the message port and the message header of each message in the target traffic data.
Optionally, the first analysis unit includes: a second sending unit and a determining unit, wherein:
the second sending unit is used for sending the target flow data to an industrial control behavior auditing system for industrial control behavior auditing;
and the determining unit is used for determining the industrial control behavior audit information output by the industrial control behavior audit system as the analyzed industrial control behavior information.
According to the method and the device for detecting the industrial control behavior of viruses, the target virus program can be sent to the virtual host through the monitoring program arranged in the operating system of the virtual host, the virtual host being in communication connection with the industrial control system; the monitoring program instructs the target virus program to start running in the virtual host; while the target virus program runs, the network traffic data between the virtual host and the industrial control system is mirrored to obtain target traffic data; and the target traffic data is analyzed to obtain the analyzed industrial control behavior information. By detecting the industrial control behavior of the target virus program in a created virtual operating environment that is almost identical to the real operating environment, the invention can detect the industrial control behavior information of the target virus program while preventing the target virus program from damaging a real machine and a real operating system, can effectively ensure detection accuracy, and does not require manual analysis of the industrial control behavior characteristics of the target virus program, which effectively reduces the consumption of human resources and improves the detection efficiency.
The foregoing description is only an overview of the technical solutions of the present invention, and the following detailed description of the present invention is provided to enable the technical means of the present invention to be more clearly understood, and to enable the above and other objects, features, and advantages of the present invention to be more clearly understood.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed in the description of the embodiments or the prior art will be briefly introduced below. It is obvious that the drawings in the following description are only embodiments of the present application, and those skilled in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flowchart illustrating a first method for detecting industrial control virus behaviors, provided by an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating communication connections of a target electronic device, a virtual host and an industrial control device according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a second method for detecting industrial control behaviors of viruses according to an embodiment of the present invention;
fig. 4 shows a schematic structural diagram of a first virus industrial control behavior detection device provided in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
As shown in fig. 1, this embodiment proposes a first virus industrial control behavior detection method, which may include the following steps:
S101, sending a target virus program to a virtual host through a monitoring program arranged in an operating system of the virtual host, wherein the virtual host is in communication connection with an industrial control system;
it should be noted that the present invention can be applied to a target electronic device. The device type of the target electronic device is not limited in the present invention, for example, the target electronic device may be a cloud computing server, a desktop computer, a tablet computer, and the like.
The virtual host may be a virtual host created in the target electronic device, or a virtual host created by the target electronic device on other electronic devices (for example, an electronic device used for controlling the industrial control system and displaying related operation indexes of the industrial control system on site) through a cloud computing platform virtualization technology (at this time, the target electronic device may be a cloud computing server), which is not limited in the present invention.
Specifically, the virtual host may be in communication connection with the target electronic device through the monitoring program.
Specifically, the virtual host may be an upper computer on which the control software of the industrial control system is installed, and the industrial control device in the industrial control system may be a lower computer. The industrial control device may be an embedded control device in the industrial control system, such as a Programmable Logic Controller (PLC) or a Remote Terminal Unit (RTU). Optionally, the virtual host may be in communication connection with the industrial control device in the industrial control system through a switch. Specifically, the virtual host may send control instructions to the industrial control device through its communication link with the industrial control system.
The operating system in the virtual host may be a virtual operating system. It should be noted that the virtual operating system may be an operating system that is virtualized on the basis of a real operating system, and the virtual operating system and the real operating system may have the same running environment and running function. It will be appreciated that the virtual operating system may be isolated from the real operating system, and that activities in the virtual operating system do not affect and alter the real operating system. Specifically, when a computer virus runs in a virtual operating system, the computer virus cannot infringe a real operating system.
It should be noted that the target electronic device may communicate with the virtual host through the monitoring program installed in the virtual operating system.
The monitoring program may be an application program installed in a virtual operating system of the virtual host and used for monitoring behavior activities of a target virus program in a running process.
Optionally, the monitoring program may receive an instruction sent by the target electronic device, and control an operation state of the target virus program, for example, control the target virus program to start operating.
The target virus program can be a computer virus to be subjected to industrial control behavior detection.
Optionally, in the process of establishing the communication link between the virtual host and the industrial control system, a cloud computing platform virtualization technology (at this time, the target electronic device may be a cloud computing server) may be used in advance to create the virtual host on the other electronic devices, and then the virtual operating system is installed in the virtual host, and a network connection is established between the virtual host and the industrial control system.
Specifically, when installing the virtual operating system in the virtual host, the monitoring program may be implanted in the corresponding real operating system in advance; the real operating system with the monitoring program installed is then packaged into an image through the cloud computing platform to obtain the virtual operating system, and the obtained virtual operating system is installed in the virtual host.
Specifically, the present invention may first obtain the target virus program (for example, the target virus program may be manually input by a technician or may be obtained by transmission from other electronic devices), and then send the target virus program to the virtual host through the monitoring program.
Optionally, there may be multiple virtual hosts, and each virtual host may be installed with a virtual operating system in which the monitoring program is embedded. In this case, each virtual host can be in communication connection with the target electronic device through the monitoring program in its virtual operating system, and each virtual host can be in communication connection with the industrial control system separately.
In order to better explain the communication connection relationship among the target electronic device, the virtual host and the industrial control device, the invention provides and explains the communication connection relationship with a network topology diagram shown in fig. 2.
In fig. 2, the first engineer station, the second engineer station, the third engineer station, and the fourth engineer station may all be electronic devices on site for an engineer to control and monitor a process of the industrial control system, a virtual host may be created on each engineer station, and a virtual operating system in which a monitoring program is implanted may be installed on each engineer station. The target electronic device can be respectively in communication connection with the virtual hosts in the engineer stations, and the virtual hosts in the engineer stations can be respectively in communication connection with the industrial control device through the switch. Specifically, the virtual host in the first engineer station can be in communication connection with the first industrial control equipment through the first switch, the virtual host in the second engineer station can be in communication connection with the second industrial control equipment through the second switch, the virtual host in the third engineer station can be in communication connection with the third industrial control equipment through the third switch, and the virtual host in the fourth engineer station can be in communication connection with the fourth industrial control equipment through the fourth switch.
It can be understood that the invention detects the industrial control behavior characteristics of the target virus program in a combined virtual-and-physical mode, pairing a virtualized environment with physical devices (the industrial control equipment), which effectively increases how faithfully the behavior of the target virus program in the real environment is reproduced.
It should be noted that, in a network topology, different industrial control devices may be connected to the same layer-3 switch and logically isolated by VLAN technology. When the target electronic device is a cloud computing server, a virtual host can be created on the target electronic device; in this case the connection between the target electronic device and the switch port can be in trunk mode, and the target electronic device can establish the communication connection between the virtual host and the designated industrial control device by setting the VLAN of the virtual host's network to match that of the designated industrial control device.
S102, instructing a target virus program to start running in a virtual host through a monitoring program;
specifically, the method and the device can control the target virus program to start and run in the virtual host through the monitoring program after the target virus program is sent to the virtual host.
It can be understood that, by using a virtual host installed with a virtual operating system, the invention can provide a sandbox-like virtual running environment that is almost identical to the real running environment, control the target virus program to start running in that environment, monitor the behavior of the target virus program during its run through the monitoring program, and analyze its industrial control behavior information. In this way the industrial control behavior information of the target virus program can be detected while the target virus program is prevented from damaging a real machine and the real operating system, and detection accuracy can be effectively guaranteed.
S103, in the running process of the target virus program, mirroring network flow data between the virtual host and the industrial control system to obtain target flow data;
the network traffic data can be communication data between the virtual host and the industrial control system.
Specifically, the network traffic data between the virtual host and the industrial control system can be mirrored, that is, the network traffic data between the virtual host and the industrial control system is copied, and the copied data can be the target traffic data.
And S104, carrying out industrial control behavior analysis on the target flow data to obtain analyzed industrial control behavior information.
The analyzed industrial control behavior information may include at least one piece of operation behavior information performed by the target virus program on the industrial control system. Each piece of operation behavior information may include an equipment identifier of a specific operation object (such as a certain industrial control equipment) and a specific operation type, such as variable read-write, point read-write, configuration upload and download, and other operations.
Optionally, step S104 may include:
identifying a protocol type of at least one message in the target flow data;
respectively searching a message protocol library corresponding to the protocol type of each message;
and analyzing the messages of the corresponding protocol types by respectively using the searched message protocol libraries to obtain the analyzed industrial control behavior information.
Specifically, the present invention may determine, in advance, a protocol type used by each packet in the target traffic data from a packet protocol layer, then respectively find out, in a plurality of pre-configured packet protocol libraries, a packet protocol library corresponding to each protocol type, respectively convert, using each found packet protocol library, a packet of the corresponding protocol type into readable form data, and respectively determine, from each readable form data, operation behavior information of a target virus program carried in each packet.
For example, for a first packet and a second packet in the target traffic data, the present invention may first identify a first protocol type used by the first packet and a second protocol type used by the second packet, then search a first packet protocol library corresponding to the first protocol type and search a second packet protocol library corresponding to the second protocol type in a plurality of pre-configured packet protocol libraries; then, the invention can use the found first message protocol library to convert the first message using the first protocol type into the first readable form data, determine the operation behavior information of the target virus program carried by the first message from the first readable form data, can use the found second message protocol library to convert the second message using the second protocol type into the second readable form data, and determine the operation behavior information of the target virus program carried by the second message from the second readable form data.
It should be noted that the message protocol library may be an existing message protocol library, or may be a message protocol library set by a technician according to an actual working condition, which is not limited in the present invention.
Optionally, the identifying a protocol type of at least one packet in the target traffic data may include:
and identifying the protocol type of each message based on the message port and the message header of each message in the target flow data.
Specifically, the present invention can determine the protocol type used by a packet through the packet port and the packet header of the packet.
Optionally, step S104 may include:
sending the target flow data to an industrial control behavior auditing system for industrial control behavior auditing;
and determining the industrial control behavior audit information output by the industrial control behavior audit system as analyzed industrial control behavior information.
Specifically, after the target flow data is obtained, the target flow data is sent to the industrial control behavior auditing system, and the industrial control behavior auditing system analyzes each message in the target flow data and outputs analyzed industrial control behavior information.
It should be noted that a plurality of preconfigured message protocol libraries may be stored in the industrial control behavior auditing system.
Specifically, the industrial control behavior auditing system can determine the protocol type used by each message in the target flow data, find the message protocol library corresponding to each protocol type among the plurality of pre-configured message protocol libraries, analyze the messages of each protocol type with the corresponding library, and output the analyzed industrial control behavior information. For example, the industrial control behavior auditing system may include a Modbus protocol library, with which it analyzes the Modbus protocol messages in the target traffic data and determines, from each Modbus message, the operation object and operation type of the current operation of the target virus program.
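The protocol identification by port and header, the lookup of a per-protocol message protocol library, and the conversion of each message into readable operation behavior records described above, worked through for the Modbus example, as an added illustration that is not code from the patent. Packet records, addresses and ports are constructed, and Modbus/TCP request frames are the only protocol library implemented.

```python
# Added example, not from the patent: the S104 chain "identify protocol ->
# look up protocol library -> readable form -> operation behaviour record",
# implemented for Modbus/TCP. All packets and addresses below are constructed.
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


MODBUS_PORT = 502

# Function code -> operation type, in the description's vocabulary
# (variable/point read-write).
MODBUS_OPERATIONS = {
    1: "read coils", 2: "read discrete inputs",
    3: "read holding registers", 4: "read input registers",
    5: "write single coil", 6: "write single register",
    15: "write multiple coils", 16: "write multiple registers",
}
MODBUS_WRITES = {5, 6, 15, 16}


def has_mbap_header(payload: bytes) -> bool:
    """Header check: MBAP protocol id must be 0 and its length field must
    equal the number of bytes that follow it (unit id + PDU)."""
    if len(payload) < 8:
        return False
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    return proto_id == 0 and length == len(payload) - 6


def identify_protocol(pkt: Packet) -> str:
    """Port hint first, header validation second, as the description says."""
    if MODBUS_PORT in (pkt.src_port, pkt.dst_port) and has_mbap_header(pkt.payload):
        return "modbus"
    return "unknown"


def parse_modbus(pkt: Packet) -> Optional[dict]:
    """Modbus 'protocol library': one request frame -> one operation record
    (operation object + operation type). Responses are not operations by the
    analysed program, so they yield None."""
    if pkt.dst_port != MODBUS_PORT:
        return None
    _tid, _pid, _len, unit = struct.unpack(">HHHB", pkt.payload[:7])
    fc = pkt.payload[7]
    record = {
        "device": f"{pkt.dst_ip} unit {unit}",          # operation object
        "operation": MODBUS_OPERATIONS.get(fc, f"function {fc}"),
        "write": fc in MODBUS_WRITES,
    }
    if fc in (1, 2, 3, 4, 5, 6) and len(pkt.payload) >= 12:
        addr, arg = struct.unpack(">HH", pkt.payload[8:12])
        record["address"] = addr
        record["quantity" if fc <= 4 else "value"] = arg
    elif fc in (15, 16) and len(pkt.payload) >= 12:
        record["address"], record["quantity"] = struct.unpack(">HH", pkt.payload[8:12])
    return record


# Pre-configured protocol libraries, keyed by identified protocol type.
PROTOCOL_LIBRARIES: Dict[str, Callable[[Packet], Optional[dict]]] = {
    "modbus": parse_modbus,
}


def analyze_traffic(packets: List[Packet]) -> List[dict]:
    """Identify each message, find its library, parse it, collect records."""
    records = []
    for pkt in packets:
        library = PROTOCOL_LIBRARIES.get(identify_protocol(pkt))
        if library is None:
            continue  # no library for this protocol type: left unparsed
        record = library(pkt)
        if record is not None:
            records.append(record)
    return records


def summarize(records: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-device read/write counts, the basis of a behaviour report."""
    summary: Dict[str, Dict[str, int]] = {}
    for r in records:
        counts = summary.setdefault(r["device"], {"reads": 0, "writes": 0})
        counts["writes" if r["write"] else "reads"] += 1
    return summary


# Constructed mirrored traffic (hypothetical hosts: 10.0.0.10 is the virtual
# host, 10.0.0.5 a PLC, 10.0.0.7 an unrelated web host).
SAMPLE_PACKETS = [
    # read holding registers 0..9 from unit 1
    Packet("10.0.0.10", "10.0.0.5", 40001, 502,
           bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # PLC response to the read: valid MBAP, but not an operation
    Packet("10.0.0.5", "10.0.0.10", 502, 40001,
           bytes.fromhex("0001 0000 0017 01 03 14" + "00" * 20)),
    # write single register 0x0010 := 0xFFFF on unit 1
    Packet("10.0.0.10", "10.0.0.5", 40002, 502,
           bytes.fromhex("0002 0000 0006 01 06 0010 ffff")),
    # non-Modbus traffic: no library configured, skipped
    Packet("10.0.0.10", "10.0.0.7", 40003, 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    found = analyze_traffic(SAMPLE_PACKETS)
    for rec in found:
        print(rec)
    print(summarize(found))
```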
Optionally, after the analyzed industrial control behavior information is obtained, the analyzed industrial control behavior information is sent to a target database for storage, and then the analyzed industrial control behavior information is filled into a preset PDF template to generate a corresponding industrial control behavior characteristic report of the target virus program and feed the report back to a technician or a user.
It should be noted that the analysis currently performed on computer viruses of industrial control systems basically depends on manual analysis: the efficiency is low, the time and labor cost of analyzing a single computer virus is extremely high, and the consumption of human resources is large. In the invention, through the steps shown in fig. 1, the target virus program is controlled to run in a created virtual running environment that is almost identical to the real running environment; while the target virus program runs, the network traffic data between the virtual host and the industrial control system is mirrored, and industrial control behavior analysis is performed on the mirrored target traffic data to obtain the analyzed industrial control behavior information. From the analyzed industrial control behavior information, the invention can determine the industrial control behavior characteristics of the target virus program, identify abnormal messages, abnormal network behavior, illegal intrusion, abnormal traffic and the like, and determine the modifications and damage the target virus program may cause to the industrial control system. The detection of the industrial control behavior information of the target virus program is thus achieved while preventing the target virus program from damaging a real machine and a real operating system, detection accuracy is effectively ensured, and advance prevention and in-situ discovery of industrial network security risks become possible, with holographic audit records provided for after-the-fact response and tracing.
The characteristics of the industrial control behaviors of the target virus program do not need to be analyzed manually, so that the consumption of human resources can be effectively reduced, and the detection efficiency of the industrial control behaviors of the target virus program is improved.
According to the virus industrial control behavior detection method provided by the embodiment, a target virus program can be sent to a virtual host through a monitoring program arranged in an operating system of the virtual host, the virtual host is in communication connection with the industrial control system, the target virus program is instructed to start running in the virtual host through the monitoring program, network flow data between the virtual host and the industrial control system is mirrored in the running process of the target virus program, target flow data is obtained, industrial control behavior analysis is performed on the target flow data, and analyzed industrial control behavior information is obtained. The invention detects the industrial control behavior information of the target virus program by utilizing the created virtual operating environment which is almost the same as the real operating environment, can realize the detection of the industrial control behavior information of the target virus program under the condition of avoiding the damage of the target virus program to a real machine and a real operating system, can effectively ensure the detection accuracy while realizing the detection of the industrial control behavior information, does not need to manually analyze the industrial control behavior characteristics of the target virus program, can effectively reduce the consumption of human resources and improve the detection efficiency of the industrial control behavior of the target virus program.
Based on the steps shown in fig. 1, this embodiment proposes a second method for detecting virus industrial control behavior, and the method may further include the following steps:
S201, in the running process of the target virus program, obtaining the operation behavior information of the target virus program in the virtual host through the monitoring program.
Specifically, the monitoring program may monitor process information of the target virus program running in the virtual host, call of the virtual operating system API, file read-write content, generated network traffic, and the like, in the running process of the target virus program. And, the monitoring program may return the monitored data to the target electronic device.
Optionally, the monitoring program may further record a screenshot generated in the running process of the target virus program.
It can be understood that the invention can detect the damage to the operating system, the virtual host and the physical machine possibly caused by the target virus program from the monitoring data returned by the monitoring program, detect the damage to the industrial control system control software installed in the virtual host possibly caused by the target virus program, and can realize the detection of the process behavior, the network behavior and the file behavior of the target virus program, thereby further realizing the detection of the industrial control behavior characteristics of the target virus program and improving the detection effect.
The virus industrial control behavior detection method provided by this embodiment can detect the damage to the operating system, the virtual host and the physical machine, which may be caused by the target virus program, from the monitoring data returned by the monitoring program, and detect the damage to the industrial control system control software installed in the virtual host, which may be caused by the target virus program, so that the detection of the industrial control behavior characteristics of the target virus program can be further realized, and the detection effect is improved.
Based on the steps shown in fig. 1 and based on fig. 3, the present embodiment provides a third method for detecting an industrial control behavior of a virus, where the method may further include the following steps:
S301, performing static analysis on the target virus program and determining whether the target virus program is an executable program; if so, executing step S101; otherwise, step S101 is not executed, so as to avoid unnecessary resource consumption.
Specifically, after the target virus program is obtained, the static analysis of the target virus program is performed to determine whether the target virus program is an executable file.
Specifically, in the process of performing static analysis on the target virus program, whether the target virus program is an executable file can be determined from the file suffix and the file header of the target virus program. For example, if the target virus program is an exe, msi, bat or similar file, the present invention may determine that the target virus program is an executable file.
Optionally, in the present invention, if it is determined that the target virus program is an executable file, step S101 may be executed to start detecting the industrial control behavior characteristic of the target virus program.
Optionally, if it is determined that the target virus program is a non-executable file, step S101 may be prohibited from being executed, that is, the target virus program is not sent to the virtual host to run and its industrial control behavior characteristics are not detected, so as to avoid the consumption of unnecessary resources.
The virus industrial control behavior detection method provided by this embodiment may perform static analysis on the target virus program, detect the industrial control behavior characteristic of the target virus program when the target virus program is determined to be an executable file, and prohibit the industrial control behavior characteristic of the target virus program from being detected when the target virus program is determined to be a non-executable file, thereby avoiding the consumption of unnecessary resources.
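The triage gate of step S301, as an added example that is not the patent's own code: the decision is taken from the file suffix and the file header together, so that a file whose suffix claims to be an executable but whose header says otherwise (a renamed PDF, for instance) is not sent to the virtual host. The suffix set is the page's three examples (exe, msi, bat), the header checks (DOS/PE signatures, the OLE compound-document magic used by MSI, plain text for batch files) and all sample inputs are constructed assumptions.

```python
"""Static triage: decide from suffix and header whether a sample is an
executable worth sending to the virtual host (step S301).
Added illustration, not the patent's own code; samples are constructed."""
import os
from typing import List, Tuple

EXECUTABLE_SUFFIXES = {".exe", ".msi", ".bat"}   # the page's examples; extend as needed
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound document, used by MSI


def is_executable(name: str, data: bytes) -> Tuple[bool, str]:
    """Return (decision, reason). Suffix and header must both agree."""
    suffix = os.path.splitext(name)[1].lower()
    if suffix not in EXECUTABLE_SUFFIXES:
        return False, f"suffix {suffix or '(none)'} not in executable set"
    if suffix == ".exe":
        if data[:2] != b"MZ" or len(data) < 0x40:
            return False, "no DOS (MZ) header"
        pe_off = int.from_bytes(data[0x3C:0x40], "little")  # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False, "no PE signature at e_lfanew"
        return True, "PE image"
    if suffix == ".msi":
        if data[:8] != OLE_MAGIC:
            return False, "no OLE compound-document header"
        return True, "MSI (OLE compound document)"
    if suffix == ".bat":
        # batch files carry no magic number; require non-empty text without NUL bytes
        if b"\0" in data or not data.strip():
            return False, "not a text batch script"
        return True, "batch script"
    return False, "unhandled suffix"


def build_pe_stub() -> bytes:
    """Smallest byte layout that passes the PE checks (constructed, not runnable)."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew points at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def triage(samples: List[Tuple[str, bytes]]) -> List[str]:
    """Names of the samples that should proceed to step S101."""
    return [name for name, data in samples if is_executable(name, data)[0]]


# Constructed samples: name, first bytes of the file
SAMPLES = [
    ("sample.exe", build_pe_stub()),
    ("invoice.exe", b"%PDF-1.4 ..."),          # renamed PDF: suffix says exe, header says no
    ("setup.msi", OLE_MAGIC + bytes(24)),
    ("run.bat", b"@echo off\r\necho hi\r\n"),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, is_executable(name, data))
```

Only samples that pass both checks are handed to the first sending unit; the reason string is kept so that a rejected sample can be logged alongside the decision.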
Corresponding to the steps shown in fig. 1, as shown in fig. 4, the present embodiment provides a first virus industrial control behavior detection apparatus, which may include: a first sending unit 101, an instruction unit 102, a mirroring unit 103 and a first parsing unit 104; wherein:
the first sending unit 101 is configured to send a target virus program to a virtual host through a monitoring program arranged in an operating system of the virtual host, and the virtual host is in communication connection with the industrial control system;
it should be noted that the present invention can be applied to a target electronic device. The device type of the target electronic device is not limited in the present invention, for example, the target electronic device may be a cloud computing server, a desktop computer, a tablet computer, and the like.
The virtual host may be a virtual host created in the target electronic device, or a virtual host created by the target electronic device on other electronic devices (for example, an electronic device used for controlling the industrial control system and displaying related operation indexes of the industrial control system on site) through a cloud computing platform virtualization technology (at this time, the target electronic device may be a cloud computing server), which is not limited in the present invention.
Specifically, the virtual host may be in communication connection with the target electronic device through the monitoring program.
Specifically, the virtual host may be an upper computer (supervisory host) on which the control software of the industrial control system is installed, and the industrial control device in the industrial control system may be a lower computer (field controller). The industrial control equipment can be embedded control equipment in the industrial control system, such as a PLC or an RTU. Optionally, the virtual host may be communicatively connected with the industrial control device in the industrial control system through a switch. Specifically, the virtual host may send control instructions to the industrial control device through its communication link with the industrial control system.
The operating system in the virtual host may be a virtual operating system. It should be noted that the virtual operating system may be an operating system that is virtualized on the basis of a real operating system, and the virtual operating system and the real operating system may have the same running environment and running functions. It will be appreciated that the virtual operating system may be isolated from the real operating system, so that activities in the virtual operating system do not affect or alter the real operating system. Specifically, when a computer virus runs in the virtual operating system, it cannot harm the real operating system.
It should be noted that the target electronic device may communicate with the virtual host through a monitor installed in the virtual operating system.
The monitoring program may be an application program installed in a virtual operating system of the virtual host and used for monitoring behavior activities of a target virus program in a running process.
Optionally, the monitoring program may receive an instruction sent by the target electronic device, and control an operation state of the target virus program, for example, control the target virus program to start operating.
The target virus program can be a computer virus to be subjected to industrial control behavior detection.
Optionally, in the process of establishing the communication link between the virtual host and the industrial control system, a cloud computing platform virtualization technology (at this time, the target electronic device may be a cloud computing server) may be used in advance to create the virtual host on the other electronic devices, and then the virtual operating system is installed in the virtual host, and a network connection is established between the virtual host and the industrial control system.
Specifically, in the process of installing the virtual operating system in the virtual host, the monitoring program may be implanted in the corresponding real operating system in advance, and then the real operating system with the monitoring program installed therein may be packaged into a mirror image through cloud computing to obtain the virtual operating system, and then the obtained virtual operating system is installed in the virtual host.
Specifically, the present invention may first obtain the target virus program (for example, the target virus program may be manually input by a technician or may be obtained by transmission from other electronic devices), and then send the target virus program to the virtual host through the monitoring program.
Optionally, the number of the virtual hosts may be multiple, and each virtual host may be installed with a virtual operating system in which a monitor program is embedded. At this time, each virtual host can be in communication connection with the target electronic device through the monitoring program in the virtual operating system; each virtual host can be respectively connected with the industrial control system in a communication mode.
It can be understood that the invention adopts a virtual-real combination of a virtualization environment and physical entity devices (industrial control equipment) to detect the industrial control behavior characteristics of the target virus program, which effectively improves the fidelity with which the behavior of the target virus program in a real environment is reproduced.
It should be noted that, in a network topology, different industrial control devices may be connected to the same Layer 3 switch and logically isolated from one another by VLAN technology. When the target electronic device is a cloud computing server, a virtual host can be created on the target electronic device; in this case the connection between the target electronic device and the switch port can be in trunk mode, and the target electronic device can establish a communication connection between the virtual host and a designated industrial control device by setting the VLAN of the virtual host's network to match that of the designated industrial control device.
The instruction unit 102 is configured to instruct, through the monitoring program, a target virus program to start running in the virtual host;
Specifically, after the target virus program has been sent to the virtual host, the present invention can control the target virus program to start running in the virtual host through the monitoring program.
It can be understood that, the invention can provide a virtual running environment similar to a sandbox and almost identical to a real running environment by using a virtual host installed with a virtual operating system, control a target virus program to start running in the virtual running environment, monitor behavior activities of the target virus program in the running process by a monitoring program, analyze industrial control behavior information of the target virus program, can realize detection of the industrial control behavior information of the target virus program under the condition of avoiding the target virus program from damaging a real machine and the real operating system, and can effectively guarantee detection accuracy while realizing detection of the industrial control behavior information.
The mirroring unit 103 is configured to mirror network traffic data between the virtual host and the industrial control system in the running process of the target virus program, so as to obtain target traffic data;
the network traffic data can be communication data between the virtual host and the industrial control system.
Specifically, the network traffic data between the virtual host and the industrial control system can be mirrored, that is, the network traffic data between the virtual host and the industrial control system is copied, and the copied data can be the target traffic data.
And the first analysis unit 104 is configured to perform industrial control behavior analysis on the target traffic data to obtain analyzed industrial control behavior information.
The analyzed industrial control behavior information may include at least one piece of operation behavior information performed by the target virus program on the industrial control system. Each piece of operation behavior information may include an equipment identifier of a specific operation object (such as a certain industrial control equipment) and a specific operation type, such as variable read-write, point read-write, configuration upload and download, and other operations.
Optionally, the first parsing unit 104 includes: the device comprises an identification unit, a search unit and a second analysis unit; wherein:
the identification unit is used for identifying the protocol type of at least one message in the target flow data;
the searching unit is used for respectively searching a message protocol library corresponding to the protocol type of each message;
and the second analysis unit is used for analyzing the messages of the corresponding protocol types by respectively using the searched message protocol libraries to obtain the analyzed industrial control behavior information.
Specifically, the present invention may determine, in advance, a protocol type used by each packet in the target traffic data from a packet protocol layer, then respectively find out, in a plurality of pre-configured packet protocol libraries, a packet protocol library corresponding to each protocol type, respectively convert, using each found packet protocol library, a packet of the corresponding protocol type into readable form data, and respectively determine, from each readable form data, operation behavior information of a target virus program carried in each packet.
It should be noted that the message protocol library may be an existing message protocol library, or may be a message protocol library set by a technician according to an actual working condition, which is not limited in the present invention.
Optionally, the first identifying unit is configured to identify a protocol type of each packet based on a packet port and a packet header of each packet in the target traffic data.
Specifically, the present invention can determine the protocol type used by a packet through the packet port and the packet header of the packet.
Optionally, the first parsing unit 104 includes: a second transmitting unit and a determining unit, wherein:
the second sending unit is used for sending the target flow data to the industrial control behavior auditing system for industrial control behavior auditing;
and the determining unit is used for determining the industrial control behavior audit information output by the industrial control behavior audit system as the analyzed industrial control behavior information.
Specifically, after the target flow data is obtained, the target flow data is sent to the industrial control behavior auditing system, and the industrial control behavior auditing system analyzes each message in the target flow data and outputs analyzed industrial control behavior information.
It should be noted that a plurality of preconfigured message protocol libraries may be stored in the industrial control behavior auditing system.
Specifically, the industrial control behavior auditing system can determine the protocol type used by each message in the target flow data, then respectively find out the message protocol libraries corresponding to each protocol type from a plurality of message protocol libraries configured in advance, respectively analyze the messages of the corresponding protocol types by using the found message protocol libraries, and output the analyzed industrial control behavior information.
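The parsing pipeline described for the first parsing unit (identify the protocol type of each message from its port and header, look up the matching message protocol library, convert the message into readable operation behavior information) and repeated for the auditing-system variant above, as an added example that is not the patent's or any auditing product's code. Only one protocol library is provided, for Modbus/TCP, whose MBAP header and function codes are public; an ISO-on-TCP (S7comm carrier) branch shows the header check but has no library, so such messages are reported as unparsed. Packet contents, addresses and the mapping of function codes onto the patent's operation types (variable read/write, point read/write) are constructed assumptions.

```python
"""Identify the protocol of each mirrored message and parse it with the
matching protocol library into industrial control behaviour records.
Added illustration, not the patent's own code; sample packets are constructed."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Packet:
    src: str        # sender (the virtual host)
    dst: str        # receiver (the PLC)
    dst_port: int
    payload: bytes  # TCP payload as copied from the mirror port


@dataclass
class Behavior:
    device: str            # equipment identifier of the operation object
    protocol: str
    operation: str         # operation type in the patent's vocabulary
    detail: str
    modifies_device: bool  # True when the operation changes PLC state


# Modbus function code -> (name, operation type)
MODBUS_FUNCTIONS = {
    1: ("read coils", "point read"), 2: ("read discrete inputs", "point read"),
    3: ("read holding registers", "variable read"), 4: ("read input registers", "variable read"),
    5: ("write single coil", "point write"), 6: ("write single register", "variable write"),
    15: ("write multiple coils", "point write"), 16: ("write multiple registers", "variable write"),
}


def identify_protocol(pkt: Packet) -> str:
    """Protocol type from destination port plus a header sanity check (claim 3)."""
    p = pkt.payload
    if pkt.dst_port == 502 and len(p) >= 8:
        _tid, proto_id, length, _unit = struct.unpack(">HHHB", p[:7])
        # MBAP header: protocol id is 0 and length counts unit id + PDU
        if proto_id == 0 and length == len(p) - 6:
            return "modbus_tcp"
    if pkt.dst_port == 102 and len(p) >= 4 and p[0] == 3 and p[1] == 0:
        return "iso_tcp"  # TPKT version 3 header, the carrier for S7comm
    return "unknown"


def parse_modbus(pkt: Packet) -> Behavior:
    """Modbus/TCP protocol library: turn one request into a behaviour record."""
    p = pkt.payload
    unit, fc = p[6], p[7]
    name, op = MODBUS_FUNCTIONS.get(fc, (f"function 0x{fc:02x}", "other"))
    detail = name
    if fc in (1, 2, 3, 4, 15, 16) and len(p) >= 12:
        addr, qty = struct.unpack(">HH", p[8:12])
        detail = f"{name} addr={addr} count={qty}"
    elif fc in (5, 6) and len(p) >= 12:
        addr, value = struct.unpack(">HH", p[8:12])
        detail = f"{name} addr={addr} value=0x{value:04x}"
    return Behavior(f"{pkt.dst}/unit{unit}", "modbus_tcp", op, detail,
                    modifies_device=op.endswith("write"))


# The message protocol libraries: protocol type -> parser
PROTOCOL_LIBRARIES: Dict[str, Callable[[Packet], Behavior]] = {"modbus_tcp": parse_modbus}


def analyze_traffic(packets: List[Packet]) -> List[Behavior]:
    """Claim 2: identify the protocol, look up its library, parse the message."""
    records = []
    for pkt in packets:
        proto = identify_protocol(pkt)
        parser = PROTOCOL_LIBRARIES.get(proto)
        if parser is None:
            records.append(Behavior(pkt.dst, proto, "unparsed",
                                    f"no protocol library for {proto}", False))
        else:
            records.append(parser(pkt))
    return records


def summarize(records: List[Behavior]) -> Dict[str, object]:
    """Operation-type counts and the devices the program wrote to."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.operation] = counts.get(r.operation, 0) + 1
    written = sorted({r.device for r in records if r.modifies_device})
    return {"operations": counts, "devices_modified": written}


PLC, HOST = "192.0.2.10", "192.0.2.50"   # constructed addresses
SAMPLE_PACKETS = [
    Packet(HOST, PLC, 502, bytes.fromhex("00010000000601030000000a")),          # read 10 holding regs
    Packet(HOST, PLC, 502, bytes.fromhex("000200000006010600101234")),          # write reg 16 = 0x1234
    Packet(HOST, PLC, 502, bytes.fromhex("00030000000b0110002000020400010002")),  # write regs 32..33
    Packet(HOST, "192.0.2.20", 80, b"GET / HTTP/1.1\r\n\r\n"),                  # not ICS traffic
    Packet(HOST, PLC, 502, b"hello world"),                                     # port 502, bad header
    Packet(HOST, PLC, 102, bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")),  # COTP CR
]

if __name__ == "__main__":
    for rec in analyze_traffic(SAMPLE_PACKETS):
        print(rec)
    print(summarize(analyze_traffic(SAMPLE_PACKETS)))
```

The header check is what keeps a port-number guess honest: a message on port 502 that does not carry a valid MBAP header is left as unknown rather than fed to the Modbus library, and a protocol that is recognised but has no library is recorded as unparsed so the gap is visible in the report instead of silently dropped. The summary's devices_modified list is the part of the output that answers the page's question of what the program may change on the industrial control system.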
Optionally, after the analyzed industrial control behavior information is obtained, the analyzed industrial control behavior information is sent to a target database for storage, and then the analyzed industrial control behavior information is filled into a preset PDF template to generate a corresponding industrial control behavior characteristic report of the target virus program and feed the report back to a technician or a user.
The virus industrial control behavior detection device provided by the embodiment detects industrial control behavior information of a target virus program by utilizing a created virtual operating environment which is almost the same as a real operating environment, can realize detection of the industrial control behavior information of the target virus program under the condition of avoiding the target virus program from damaging a real machine and a real operating system, can effectively guarantee detection accuracy while realizing detection of the industrial control behavior information, does not need to manually analyze the industrial control behavior characteristics of the target virus program, can effectively reduce human resource consumption, and improves the detection efficiency of the industrial control behavior of the target virus program.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A virus industrial control behavior detection method is characterized by comprising the following steps:
sending a target virus program to a virtual host through a monitoring program arranged in an operating system of the virtual host, wherein the virtual host is in communication connection with an industrial control system;
instructing, by the monitor, the target virus program to start running in the virtual host;
in the running process of the target virus program, mirroring is carried out on network flow data between the virtual host and the industrial control system, and target flow data are obtained;
and carrying out industrial control behavior analysis on the target flow data to obtain analyzed industrial control behavior information.
2. The method according to claim 1, wherein the analyzing the industrial control behavior of the target traffic data to obtain analyzed industrial control behavior information includes:
identifying the protocol type of at least one message in the target flow data;
respectively searching a message protocol library corresponding to the protocol type of each message;
and analyzing the messages of the corresponding protocol types by respectively using the searched message protocol libraries to obtain the analyzed industrial control behavior information.
3. The method of claim 2, wherein the identifying a protocol type of at least one packet in the target traffic data comprises:
and identifying the protocol type of each message based on the message port and the message header of each message in the target flow data.
4. The method according to claim 1, wherein the analyzing the industrial control behavior of the target traffic data to obtain analyzed industrial control behavior information includes:
sending the target flow data to an industrial control behavior auditing system for industrial control behavior auditing;
and determining the industrial control behavior audit information output by the industrial control behavior audit system as the analyzed industrial control behavior information.
5. The method of claim 1, further comprising:
and performing static analysis on the target virus program, determining whether the target virus program is an executable program, and if so, executing a monitoring program arranged in an operating system of the virtual host to send the target virus program to the virtual host.
6. The method of claim 1, further comprising:
and in the running process of the target virus program, obtaining the operation behavior information of the target virus program in the virtual host through the monitoring program.
7. A virus industrial control behavior detection apparatus, characterized by comprising: a first sending unit, an instruction unit, a mirroring unit and a first parsing unit; wherein:
the first sending unit is used for sending a target virus program to a virtual host through a monitoring program arranged in an operating system of the virtual host, and the virtual host is in communication connection with an industrial control system;
the instruction unit is used for instructing the target virus program to start running in the virtual host through the monitoring program;
the mirroring unit is used for mirroring the network traffic data between the virtual host and the industrial control system in the running process of the target virus program to obtain target traffic data;
and the first analysis unit is used for carrying out industrial control behavior analysis on the target flow data to obtain analyzed industrial control behavior information.
8. The apparatus of claim 7, wherein the first parsing unit comprises: the device comprises an identification unit, a search unit and a second analysis unit; wherein:
the identification unit is used for identifying the protocol type of at least one message in the target flow data;
the searching unit is used for respectively searching a message protocol library corresponding to the protocol type of each message;
and the second analysis unit is used for analyzing the messages of the corresponding protocol types by respectively using the searched message protocol libraries to obtain the analyzed industrial control behavior information.
9. The apparatus according to claim 8, wherein the first identifying unit is configured to identify a protocol type of each packet based on a packet port and a packet header of each packet in the target traffic data.
10. The apparatus of claim 7, wherein the first parsing unit comprises: a second transmitting unit and a determining unit, wherein:
the second sending unit is used for sending the target flow data to an industrial control behavior auditing system for industrial control behavior auditing;
and the determining unit is used for determining the industrial control behavior audit information output by the industrial control behavior audit system as the analyzed industrial control behavior information.
CN202111111761.0A 2021-09-18 2021-09-18 Virus industrial control behavior detection method and device Active CN113852623B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111111761.0A CN113852623B (en) 2021-09-18 2021-09-18 Virus industrial control behavior detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111111761.0A CN113852623B (en) 2021-09-18 2021-09-18 Virus industrial control behavior detection method and device

Publications (2)

Publication Number Publication Date
CN113852623A true CN113852623A (en) 2021-12-28
CN113852623B CN113852623B (en) 2024-05-14

Family

ID=78979131

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111111761.0A Active CN113852623B (en) 2021-09-18 2021-09-18 Virus industrial control behavior detection method and device

Country Status (1)

Country Link
CN (1) CN113852623B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115292694A (en) * 2022-08-01 2022-11-04 中国电信股份有限公司 Computer network security server virtualization processing method and related equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090089879A1 (en) * 2007-09-28 2009-04-02 Microsoft Corporation Securing anti-virus software with virtualization
CN108762888A (en) * 2018-05-17 2018-11-06 湖南文盾信息技术有限公司 A kind of virus detection system examined oneself based on virtual machine and method
CN110752951A (en) * 2019-10-24 2020-02-04 杭州安恒信息技术股份有限公司 Industrial network flow monitoring and auditing method, device and system

Also Published As

Publication number Publication date
CN113852623B (en) 2024-05-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant