CN113852623B - Virus industrial control behavior detection method and device - Google Patents

Info

Publication number: CN113852623B
Application number: CN202111111761.0A
Authority: CN (China)
Prior art keywords: industrial control, target, virtual host, program, message
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN113852623A (en)
Inventors: 杨帅, 崔行, 刘国志, 褚健, 薛金良
Current assignee: Zhejiang Guoli Network Security Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Zhejiang Guoli Network Security Technology Co ltd

Events
Application filed by Zhejiang Guoli Network Security Technology Co ltd
Priority to CN202111111761.0A
Publication of CN113852623A
Application granted
Publication of CN113852623B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                            • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
                • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
                    • H04L69/03 Protocol definition or specification
                    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/55 Detecting local intrusion or implementing counter-measures
                            • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention discloses a virus industrial control behavior detection method and device. A target virus program is sent to a virtual host through a monitoring program installed in the operating system of the virtual host, where the virtual host is communicatively connected to an industrial control system; the monitoring program instructs the target virus program to start running in the virtual host; while the target virus program runs, the network traffic data between the virtual host and the industrial control system is mirrored to obtain target traffic data; and industrial control behavior analysis is performed on the target traffic data to obtain the analyzed industrial control behavior information. By detecting the industrial control behavior of the target virus program in a created virtual running environment that is almost identical to the real running environment, the invention can detect that behavior without the target virus program damaging the real machine and the real operating system, and can effectively ensure detection accuracy.

Description

Virus industrial control behavior detection method and device
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for detecting virus industrial control behaviors.
Background
With the development of computer technology, the control technology of industrial control systems is continuously improving.
An industrial control system may be a business process control system for the automated operation, process control and monitoring of industrial infrastructure.
Currently, industrial control systems are at risk of computer virus infection. In the prior art, when a computer virus targeting an industrial control system is discovered, the industrial control actions the virus may produce need to be analyzed promptly to determine how it operates and how it affects the industrial control system. Once the industrial control behavior characteristics of the virus have been analyzed, the prior art can defend and repair the industrial control system according to those characteristics and design corresponding system protection tools to protect it.
However, the prior art cannot effectively analyze the industrial control behaviors of the computer viruses.
Disclosure of Invention
In view of the above problems, the present invention provides a method and an apparatus for detecting virus industrial control behaviors, which overcome or at least partially solve the above problems. The technical solution is as follows:
A method for detecting virus industrial control behaviors, comprising:
sending a target virus program to a virtual host through a monitoring program installed in the operating system of the virtual host, the virtual host being communicatively connected to an industrial control system;
instructing the target virus program, through the monitoring program, to start running in the virtual host;
while the target virus program is running, mirroring the network traffic data between the virtual host and the industrial control system to obtain target traffic data;
and performing industrial control behavior analysis on the target traffic data to obtain the analyzed industrial control behavior information.
Optionally, performing industrial control behavior analysis on the target traffic data to obtain the analyzed industrial control behavior information includes:
identifying the protocol type of at least one message in the target traffic data;
looking up, for each message, the message protocol library corresponding to its protocol type;
and parsing each message with the message protocol library found for its protocol type to obtain the analyzed industrial control behavior information.
Optionally, identifying the protocol type of at least one message in the target traffic data includes:
identifying the protocol type of each message based on the message port and the message header of each message in the target traffic data.
Optionally, performing industrial control behavior analysis on the target traffic data to obtain the analyzed industrial control behavior information includes:
sending the target traffic data to an industrial control behavior auditing system for industrial control behavior auditing;
and taking the industrial control behavior audit information output by the industrial control behavior auditing system as the analyzed industrial control behavior information.
Optionally, the method further comprises:
performing static analysis on the target virus program to determine whether it is an executable program, and if so, executing the step of sending the target virus program to the virtual host through the monitoring program installed in the operating system of the virtual host.
Optionally, the method further comprises:
obtaining, through the monitoring program, the operation behavior information of the target virus program in the virtual host while the target virus program is running.
A virus industrial control behavior detection device, comprising a first sending unit, an instruction unit, a mirroring unit and a first parsing unit, wherein:
the first sending unit is configured to send the target virus program to the virtual host through the monitoring program installed in the operating system of the virtual host, the virtual host being communicatively connected to the industrial control system;
the instruction unit is configured to instruct the target virus program, through the monitoring program, to start running in the virtual host;
the mirroring unit is configured to mirror the network traffic data between the virtual host and the industrial control system while the target virus program is running, to obtain target traffic data;
the first parsing unit is configured to perform industrial control behavior analysis on the target traffic data to obtain the analyzed industrial control behavior information.
Optionally, the first parsing unit includes an identifying unit, a searching unit and a second parsing unit, wherein:
the identifying unit is configured to identify the protocol type of at least one message in the target traffic data;
the searching unit is configured to look up, for each message, the message protocol library corresponding to its protocol type;
the second parsing unit is configured to parse each message with the message protocol library found for its protocol type, to obtain the analyzed industrial control behavior information.
Optionally, the identifying unit is configured to identify the protocol type of each message based on the message port and the message header of each message in the target traffic data.
Optionally, the first parsing unit includes a second sending unit and a determining unit, wherein:
the second sending unit is configured to send the target traffic data to an industrial control behavior auditing system for industrial control behavior auditing;
and the determining unit is configured to take the industrial control behavior audit information output by the industrial control behavior auditing system as the analyzed industrial control behavior information.
According to the virus industrial control behavior detection method and device, the target virus program is sent to the virtual host through the monitoring program installed in the operating system of the virtual host, where the virtual host is communicatively connected to the industrial control system; the monitoring program instructs the target virus program to start running in the virtual host; while the target virus program runs, the network traffic data between the virtual host and the industrial control system is mirrored to obtain target traffic data; and industrial control behavior analysis is performed on the target traffic data to obtain the analyzed industrial control behavior information. By detecting the industrial control behavior of the target virus program in a created virtual running environment that is almost identical to the real running environment, the invention can detect that behavior without the target virus program damaging the real machine and the real operating system, while effectively ensuring detection accuracy. Because the industrial control behavior characteristics of the target virus program need not be analyzed manually, the invention effectively reduces the consumption of manpower and improves the efficiency of detecting the industrial control behavior of the target virus program.
The foregoing is only an overview of the present invention; in order that its technical means may be understood more clearly, and that the above and other objects, features and advantages of the present invention may become more apparent, the detailed description that follows is given by way of example.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings required for the embodiments or the description of the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a first method for detecting virus industrial control behaviors according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the communication connections between a target electronic device, a virtual host and industrial control devices according to an embodiment of the present invention;
FIG. 3 is a flowchart of a second method for detecting virus industrial control behaviors according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a first virus industrial control behavior detection device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
As shown in fig. 1, this embodiment proposes a first method for detecting virus industrial control behaviors, which may include the following steps:
S101, a target virus program is sent to a virtual host through a monitoring program arranged in an operating system of the virtual host, and the virtual host is in communication connection with an industrial control system;
It should be noted that the present invention may be applied to a target electronic device. The device type of the target electronic device is not limited, for example, the target electronic device may be a cloud computing server, a desktop computer, a tablet computer, and the like.
The virtual host may be created in the target electronic device, or the target electronic device (acting as a cloud computing server) may create it on another electronic device, such as an on-site device used to control the industrial control system and display its operating indicators, using cloud computing platform virtualization technology; the present invention does not limit this.
Specifically, the virtual host may be communicatively connected to the target electronic device via the monitoring program.
Specifically, the virtual host may be an upper computer on which the control software of the industrial control system is installed, and the industrial control devices in the industrial control system may be lower computers. The industrial control devices may be embedded control devices of the industrial control system, such as programmable logic controllers (PLCs) and remote terminal units (RTUs). Optionally, the virtual host may be communicatively connected to an industrial control device in the industrial control system through a switch. Specifically, the virtual host may send manipulation instructions to the industrial control device over its communication link with the industrial control system.
The operating system in the virtual host may be a virtual operating system. The virtual operating system may be an operating system virtualized on the basis of a real operating system, with the same operating environment and functions as the real operating system. The virtual operating system may be isolated from the real operating system, so that activity in the virtual operating system neither affects nor alters the real operating system. Specifically, when a computer virus runs in the virtual operating system, it cannot attack the real operating system.
The target electronic device may communicate with the virtual host through the monitoring program installed in the virtual operating system.
The monitoring program may be an application installed in the virtual operating system of the virtual host that monitors the behavior of the target virus program while it runs.
Optionally, the monitoring program may receive instructions sent by the target electronic device and control the running state of the target virus program, for example by starting it.
The target virus program may be a computer virus whose industrial control actions are to be detected.
Optionally, to establish the communication link between the virtual host and the industrial control system, the present invention may first create a virtual host on another electronic device using cloud computing platform virtualization technology (the target electronic device then being a cloud computing server), then install the virtual operating system in the virtual host, and finally establish a network connection between the virtual host and the industrial control system.
Specifically, when installing the virtual operating system in the virtual host, the monitoring program may be implanted in advance in the corresponding real operating system; the real operating system with the monitoring program installed is then packaged into an image through cloud computing to obtain the virtual operating system, which is installed in the virtual host.
Specifically, the present invention may obtain the target virus program (for example, it may be input manually by a technician or transmitted by another electronic device) and then send it to the virtual host through the monitoring program.
Optionally, there may be multiple virtual hosts, each with a virtual operating system in which the monitoring program is embedded. In that case each virtual host is communicatively connected to the target electronic device through the monitoring program in its virtual operating system, and each virtual host is communicatively connected to the industrial control system.
To better illustrate the communication relationships among the target electronic device, the virtual host and the industrial control devices, the invention is described with reference to the network topology shown in fig. 2.
In fig. 2, the first, second, third and fourth engineer stations may be electronic devices used by on-site engineers to control and monitor the industrial control system. A virtual host may be created on each engineer station, and each may have installed a virtual operating system in which the monitoring program has been implanted. The target electronic device may be communicatively connected to the virtual host in each engineer station, and the virtual host in each engineer station may be communicatively connected to an industrial control device through a switch. Specifically, the virtual host in the first engineer station may be connected to the first industrial control device through the first switch, the virtual host in the second engineer station to the second industrial control device through the second switch, the virtual host in the third engineer station to the third industrial control device through the third switch, and the virtual host in the fourth engineer station to the fourth industrial control device through the fourth switch.
It can be understood that the invention detects the industrial control behavior characteristics of the target virus program by combining a virtualized environment with physical devices (the industrial control equipment), which makes the conditions under which the target virus program runs much closer to the real environment.
In the network topology, different industrial control devices may be connected to the same layer-3 switch and logically isolated from each other by VLANs. When the target electronic device is a cloud computing server, the virtual host can be created on the target electronic device itself; the port connecting the target electronic device to the switch is then configured in trunk mode, and the target electronic device connects the virtual host to the designated industrial control device by placing the virtual host's network in the same VLAN as that device.
S102, a target virus program is instructed to start running in a virtual host through a monitoring program;
Specifically, after the target virus program has been sent to the virtual host, the invention can control it, through the monitoring program, to start running in the virtual host.
It can be understood that the virtual host with the installed virtual operating system provides a sandbox-like virtual running environment that is almost identical to the real running environment. The invention starts the target virus program in that environment, monitors its behavior while it runs through the monitoring program, and analyzes its industrial control behavior information, so that this information is detected without the target virus program damaging the real machine or the real operating system and with detection accuracy effectively ensured.
S103, mirroring the network traffic data between the virtual host and the industrial control system while the target virus program runs, to obtain target traffic data;
The network traffic data may be the communication data between the virtual host and the industrial control system.
Specifically, the invention mirrors, that is, copies, the network traffic data between the virtual host and the industrial control system; the copied data is the target traffic data.
S104, performing industrial control behavior analysis on the target traffic data to obtain the analyzed industrial control behavior information.
The analyzed industrial control behavior information may include at least one item of operation behavior information describing an operation of the target virus program on the industrial control system. Each item may include the device identifier of the specific operation object (such as a particular industrial control device) and the specific operation type, such as variable read or write, point read or write, or configuration upload or download.
Optionally, step S104 may include:
identifying the protocol type of at least one message in the target traffic data;
looking up, for each message, the message protocol library corresponding to its protocol type;
and parsing each message with the message protocol library found for its protocol type to obtain the analyzed industrial control behavior information.
Specifically, the invention determines, at the protocol layer, the protocol type used by each message in the target traffic data, then finds the message protocol library corresponding to each protocol type among a plurality of pre-configured message protocol libraries, uses each found library to convert the messages of the corresponding protocol type into readable form, and determines from that readable form the operation behavior information of the target virus program carried by each message.
For example, for a first message and a second message in the target traffic data, the invention can identify a first protocol type used by the first message and a second protocol type used by the second message, then look up a first message protocol library corresponding to the first protocol type and a second message protocol library corresponding to the second protocol type among the pre-configured message protocol libraries. The first message protocol library converts the first message into first readable-form data, from which the operation behavior information carried by the first message is determined; the second message protocol library converts the second message into second readable-form data, from which the operation behavior information carried by the second message is determined.
The message protocol library may be an existing message protocol library or one configured by a technician according to the actual working conditions; the present invention does not limit this.
Optionally, identifying the protocol type of the at least one message in the target traffic data may include:
identifying the protocol type of each message based on the message port and the message header of each message in the target traffic data.
Specifically, the invention can determine the protocol type used by a message from the message's port and header.
Optionally, step S104 may include:
sending the target traffic data to an industrial control behavior auditing system for industrial control behavior auditing;
and taking the industrial control behavior audit information output by the industrial control behavior auditing system as the analyzed industrial control behavior information.
Specifically, after the target traffic data is obtained, it can be sent to the industrial control behavior auditing system, which parses each message in the target traffic data and outputs the analyzed industrial control behavior information.
The plurality of pre-configured message protocol libraries may be stored in the industrial control behavior auditing system.
Specifically, the industrial control behavior auditing system can determine the protocol type used by each message in the target traffic data, find the message protocol library corresponding to each protocol type among the pre-configured message protocol libraries, parse the messages of each protocol type with the corresponding library, and output the analyzed industrial control behavior information. For example, the auditing system may include a Modbus protocol library, with which it parses the Modbus messages in the target traffic data and determines, from each message, the object and type of the operation the target virus program is currently performing.
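The following Python is an added example written for this page, not code from the patent or its assignee: it carries the S104 parsing just described (identify each message's protocol by port and header, look up the matching protocol library, convert the message to readable form and extract operation object and type) through on constructed Modbus/TCP frames, using the public MBAP framing. The registry layout, the `Message`/`Behaviour` types and all addresses are assumptions.

```python
"""S104 worked example: protocol identification by port and header, protocol
library lookup, and extraction of readable operation info (object and type)."""
from dataclasses import dataclass
from typing import List, Optional, Set
import struct

MODBUS_TCP_PORT = 502

# Modbus function code -> (operation type, operation object class).
MODBUS_FUNCTIONS = {
    1: ("read", "coils"), 2: ("read", "discrete_inputs"),
    3: ("read", "holding_registers"), 4: ("read", "input_registers"),
    5: ("write", "single_coil"), 6: ("write", "single_register"),
    15: ("write", "multiple_coils"), 16: ("write", "multiple_registers"),
}


@dataclass(frozen=True)
class Message:
    """One mirrored TCP payload plus its addressing (assumed input format)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Behaviour:
    """Analysed industrial control behaviour: which device, which operation."""
    protocol: str
    target: str             # operation object: device address and unit id
    operation: str          # operation type, e.g. "write single_register"
    address: Optional[int]  # first register/coil address of a request
    count: Optional[int]    # number of registers/coils a request touches


def looks_like_modbus(msg: Message) -> bool:
    """Port-and-header identification: TCP port 502 plus an MBAP header whose
    protocol identifier is 0 and whose length field matches the bytes after it."""
    if MODBUS_TCP_PORT not in (msg.src_port, msg.dst_port) or len(msg.payload) < 8:
        return False
    _tid, proto_id, length = struct.unpack(">HHH", msg.payload[:6])
    return proto_id == 0 and length == len(msg.payload) - 6


def parse_modbus(msg: Message) -> Behaviour:
    """The 'Modbus protocol library': convert one frame into readable operation
    information. Replies (sent from port 502) are recorded but not decoded."""
    unit_id, fc, data = msg.payload[6], msg.payload[7], msg.payload[8:]
    if msg.src_port == MODBUS_TCP_PORT:
        return Behaviour("modbus", f"{msg.src_ip}/unit{unit_id}", f"response fc{fc}", None, None)
    target = f"{msg.dst_ip}/unit{unit_id}"
    if fc not in MODBUS_FUNCTIONS:
        return Behaviour("modbus", target, f"unknown function {fc}", None, None)
    action, obj = MODBUS_FUNCTIONS[fc]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    if fc in (5, 6):            # single-item writes carry a value, not a quantity
        count = 1
    elif len(data) >= 4:        # reads and multi-item writes carry a quantity
        count = struct.unpack(">H", data[2:4])[0]
    else:
        count = None
    return Behaviour("modbus", target, f"{action} {obj}", address, count)


# Pre-configured protocol libraries as (name, identifier, parser); other ICS
# protocols would be registered the same way.
PROTOCOL_LIBRARIES = [("modbus", looks_like_modbus, parse_modbus)]


def analyse(messages: List[Message]) -> List[Behaviour]:
    """Identify each message's protocol, look up its library and parse it."""
    results = []
    for msg in messages:
        for _name, identify, parse in PROTOCOL_LIBRARIES:
            if identify(msg):
                results.append(parse(msg))
                break
        else:   # no library matched: keep the message visible in the report
            results.append(Behaviour("unknown", f"{msg.dst_ip}:{msg.dst_port}", "unidentified", None, None))
    return results


def write_targets(behaviours: List[Behaviour]) -> Set[str]:
    """Devices the program wrote to: the first thing a defender reads in the report."""
    return {b.target for b in behaviours if b.operation.startswith("write")}


# Constructed sample traffic: virtual host 10.0.0.10 talking to a PLC at 10.0.0.20.
VHOST, PLC = "10.0.0.10", "10.0.0.20"
SAMPLE_TRAFFIC = [
    Message(VHOST, PLC, 49152, 502, bytes.fromhex("00010000000601030000000a")),  # read 10 regs at 0
    Message(PLC, VHOST, 502, 49152, bytes.fromhex("000100000017010314") + bytes(20)),  # reply
    Message(VHOST, PLC, 49152, 502, bytes.fromhex("000200000006010600101234")),  # write reg 16
    Message(VHOST, PLC, 49152, 502, bytes.fromhex("00030000000b0110006400020400010002")),  # regs 100-101
    Message(VHOST, "10.0.0.30", 49153, 80, b"GET / HTTP/1.1\r\n\r\n"),  # not an ICS protocol
]

if __name__ == "__main__":
    print(*analyse(SAMPLE_TRAFFIC), sep="\n")
    print("written:", write_targets(analyse(SAMPLE_TRAFFIC)))
```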
Optionally, after the analyzed industrial control behavior information is obtained, it is sent to a target database for storage, then filled into a preset PDF template to generate an industrial control behavior characteristic report for the target virus program, which is fed back to a technician or user.
It should be noted that analysis of computer viruses targeting industrial control systems is at present basically done by hand, which is inefficient: the time and labor cost of analyzing a single computer virus in this way are extremely high, so the consumption of manpower is large. Through the steps shown in fig. 1, the method controls the target virus program to run in a virtual running environment that is almost identical to the real running environment, mirrors the network traffic data between the virtual host and the industrial control system while the target virus program runs, and performs industrial control behavior analysis on the mirrored target traffic data to obtain the analyzed industrial control behavior information. From that information the invention can determine the industrial control behavior characteristics of the target virus program; identify abnormal messages, abnormal network behavior, illegal intrusion, abnormal traffic and the like; and determine the modifications and damage the target virus program may cause to the industrial control system. In this way the industrial control behavior of the target virus program is detected without the target virus program damaging a real machine or a real operating system, and with detection accuracy effectively ensured; at the same time, industrial network security risks are detected, prevention and discovery happen in advance, and complete audit records are provided for post-incident response and tracing.
Because the industrial control behavior characteristics of the target virus program need not be analyzed manually, the consumption of manpower is effectively reduced and the efficiency of detecting the industrial control behavior of the target virus program is improved.
According to the virus industrial control behavior detection method, the target virus program is sent to the virtual host through the monitoring program installed in the operating system of the virtual host, where the virtual host is communicatively connected to the industrial control system; the monitoring program instructs the target virus program to start running in the virtual host; while the target virus program runs, the network traffic data between the virtual host and the industrial control system is mirrored to obtain target traffic data; and industrial control behavior analysis is performed on the target traffic data to obtain the analyzed industrial control behavior information. By detecting the industrial control behavior of the target virus program in a created virtual running environment that is almost identical to the real running environment, the invention can detect that behavior without the target virus program damaging the real machine and the real operating system, while effectively ensuring detection accuracy. Because the industrial control behavior characteristics of the target virus program need not be analyzed manually, the invention effectively reduces the consumption of manpower and improves the efficiency of detecting the industrial control behavior of the target virus program.
Based on the steps shown in fig. 1, this embodiment proposes a second virus industrial control behavior detection method, which may further include the following step:
S201: during the running of the target virus program, obtain the operation behavior information of the target virus program in the virtual host through the monitoring program.
Specifically, while the target virus program runs, the monitoring program can monitor the process information of the target virus program in the virtual host, its calls to the virtual operating system API, the contents of the files it reads and writes, and the network traffic it generates, and return the monitored data to the target electronic device.
Optionally, the monitoring program may also record screenshots taken while the target virus program runs.
It can be understood that, from the monitoring data returned by the monitoring program, the method can detect the damage the target virus program may cause to the operating system, the virtual host and the physical machine, detect the damage it may cause to the industrial control system control software installed in the virtual host, and detect the process behavior, network behavior and file behavior of the target virus program, which further supports detection of its industrial control behavior characteristics and improves the detection effect. Because the monitoring program runs inside the guest, it can in principle be noticed or interfered with by the sample; the mirrored traffic is collected outside the virtual host and therefore remains available even in that case, which is why the two sources complement each other.
According to the virus industrial control behavior detection method, the damage the target virus program may cause to the operating system, the virtual host and the physical machine, and to the industrial control system control software installed in the virtual host, can be detected from the monitoring data returned by the monitoring program, so that detection of the industrial control behavior characteristics of the target virus program is further improved.
Based on the steps shown in fig. 1, and as shown in fig. 3, this embodiment proposes a third virus industrial control behavior detection method, which may further include the following step:
S301: perform static analysis on the target virus program to determine whether it is an executable program; if so, execute step S101; otherwise, do not execute step S101, avoiding unnecessary resource consumption.
Specifically, after the target virus program is obtained, static analysis can be performed on it in advance to determine whether it is an executable file.
Specifically, during static analysis the invention can determine whether the target virus program is an executable file from its file suffix and its file header. Optionally, if the target virus program is a file of type exe, msi, bat or the like, it is determined to be an executable file. The suffix alone is trivially forged, so the file header should be checked as well, for example the 'MZ' signature at the start of a Windows executable.
Optionally, if the target virus program is determined to be an executable file, step S101 is executed to begin detecting its industrial control behavior characteristics.
Optionally, if the target virus program is determined not to be an executable file, the method does not execute step S101: the target virus program is not sent to the virtual host to run, its industrial control behavior characteristics are not detected, and unnecessary resource consumption is avoided.
According to the virus industrial control behavior detection method, static analysis is performed on the target virus program; its industrial control behavior characteristics are detected only when it is determined to be an executable file, and detection is skipped when it is determined not to be executable, so that unnecessary consumption of resources is avoided.
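The following is an added example of the static pre-check in step S301, not code from the patent: it combines the suffix check with a header check so that a renamed executable is still caught and a renamed document is not sent to the virtual host. The signatures used are the standard ones (the 'MZ' DOS header with its e_lfanew pointer to 'PE\0\0', and the OLE2 compound-file header used by MSI); .bat files have no signature, so they are accepted on suffix plus plain-text content. All sample bytes and file names are constructed for the example.

```python
"""Added example for step S301: decide from the file suffix and the file
header whether a sample is executable before it is sent to the virtual host.
All sample bytes below are constructed for the example."""
import os
from typing import Dict, Optional

PE_MAGIC = b"MZ"                                   # DOS/PE executable
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")     # MSI is an OLE2 compound file
EXECUTABLE_SUFFIXES = {".exe", ".msi", ".bat"}     # the types named in the text


def is_pe(data: bytes) -> bool:
    """True if an 'MZ' header's e_lfanew field (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(PE_MAGIC):
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_header(data: bytes) -> Optional[str]:
    """Container type implied by the header alone, independent of the suffix."""
    if data.startswith(PE_MAGIC):
        return "exe" if is_pe(data) else "dos-exe"
    if data.startswith(OLE2_MAGIC):
        return "msi"
    return None


def looks_like_batch(data: bytes) -> bool:
    """A .bat file has no magic bytes, so require plain ASCII text without NULs."""
    return len(data) > 0 and b"\x00" not in data and data.isascii()


def classify_sample(filename: str, data: bytes) -> Dict[str, object]:
    """Combine suffix and header. The header wins, because the suffix is
    trivially forged: a renamed PE is still executable, a renamed PDF is not."""
    suffix = os.path.splitext(filename)[1].lower()
    header = sniff_header(data)
    if header is not None:
        executable = True
    elif suffix == ".bat":
        executable = looks_like_batch(data)
    else:
        executable = False
    suffix_claims_executable = suffix in EXECUTABLE_SUFFIXES
    return {
        "suffix": suffix,
        "header": header,
        "executable": executable,
        # worth recording in the report: the name lies about the content
        "suffix_mismatch": suffix_claims_executable != executable,
    }


def should_send_to_virtual_host(filename: str, data: bytes) -> bool:
    """Step S301 gate: only executable samples go on to step S101."""
    return bool(classify_sample(filename, data)["executable"])


def fake_pe_sample() -> bytes:
    """Constructed minimal PE header: MZ stub whose e_lfanew points to 'PE\\0\\0'."""
    stub = bytearray(0x40)
    stub[0:2] = PE_MAGIC
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    samples = {
        "update.exe": fake_pe_sample(),
        "setup.msi": OLE2_MAGIC + b"\x00" * 24,
        "run.bat": b"@echo off\r\ncopy payload.exe C:\\Windows\\Temp\\\r\n",
        "report.pdf": fake_pe_sample(),                # PE renamed to look harmless
        "tool.exe": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",  # document renamed to .exe
    }
    for name, data in samples.items():
        print(name, classify_sample(name, data))
```

The `suffix_mismatch` flag is the useful by-product: a sample whose name and header disagree is itself a characteristic worth carrying into the report, even before the sample is run.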
Corresponding to the steps shown in fig. 1, and as shown in fig. 4, this embodiment proposes a first virus industrial control behavior detection device, which may include: a first sending unit 101, an instruction unit 102, a mirroring unit 103 and a first parsing unit 104; wherein:
The first sending unit 101 is configured to send the target virus program to the virtual host through a monitoring program arranged in the operating system of the virtual host, the virtual host being communicatively connected to an industrial control system;
It should be noted that the present invention may be applied to a target electronic device, whose device type is not limited: for example, a cloud computing server, a desktop computer or a tablet computer.
The virtual host may be created in the target electronic device, or the target electronic device (in this case a cloud computing server) may create it on another electronic device, such as an on-site device that controls the industrial control system and displays its operating indicators, through cloud computing platform virtualization technology; the present invention is not limited in this respect.
Specifically, the virtual host is communicatively connected to the target electronic device via the monitoring program.
Specifically, the virtual host may be an upper computer (supervisory host) on which the control software of the industrial control system is installed, and the industrial control devices in the industrial control system may be lower computers, that is, embedded control devices such as a PLC or an RTU. Optionally, the virtual host may be communicatively connected to the industrial control devices through a switch. Specifically, the virtual host may send manipulation instructions to the industrial control devices over its communication link with the industrial control system.
The operating system in the virtual host may be a virtual operating system, that is, an operating system virtualized on the basis of a real operating system, with the same running environment and functions. The virtual operating system is isolated from the real operating system: activities inside it do not affect or alter the real operating system, so a computer virus running in the virtual operating system cannot attack the real operating system, provided that the isolation of the virtualization layer itself holds.
It should be noted that the target electronic device may communicate with the virtual host through the monitoring program installed in the virtual operating system.
The monitoring program may be an application installed in the virtual operating system of the virtual host for monitoring the behavior of the target virus program while it runs.
Optionally, the monitoring program may receive instructions sent by the target electronic device and control the running state of the target virus program, for example instruct it to start running.
The target virus program may be a computer virus whose industrial control behavior is to be detected.
Optionally, to establish the communication link between the virtual host and the industrial control system, the present invention may first create the virtual host on another electronic device using cloud computing platform virtualization technology (the target electronic device then being a cloud computing server), install the virtual operating system in the virtual host, and then establish the network connection between the virtual host and the industrial control system.
Specifically, when the virtual operating system is installed in the virtual host, the monitoring program can be pre-installed in the corresponding real operating system, the real operating system with the monitoring program installed is then packaged into an image through the cloud computing platform to obtain the virtual operating system, and the resulting virtual operating system is installed in the virtual host.
Specifically, the present invention obtains the target virus program (for example, entered manually by a technician or transmitted by another electronic device) and then sends it to the virtual host through the monitoring program.
Optionally, there may be multiple virtual hosts, each running a virtual operating system with the monitoring program installed. Each virtual host is then communicatively connected to the target electronic device through the monitoring program in its virtual operating system, and each is communicatively connected to the industrial control system.
It can be understood that the invention detects the industrial control behavior characteristics of the target virus program by combining a virtualized environment with physical devices (the industrial control equipment), which makes the run of the target virus program far more faithful to a real environment than a purely virtual sandbox.
It should be noted that, in the network topology, different industrial control devices may be connected to the same layer-3 switch and logically isolated from one another by VLANs. When the target electronic device is a cloud computing server, the virtual host can be created on the target electronic device; the port connecting the target electronic device to the switch is then configured in trunk mode, and the target electronic device connects the virtual host to a designated industrial control device by placing the virtual host's network in the same VLAN as that device.
The instruction unit 102 is configured to instruct, through the monitoring program, the target virus program to start running in the virtual host;
Specifically, after the target virus program has been sent to the virtual host, the invention controls it through the monitoring program to start running in the virtual host.
It can be understood that the virtual host with its installed virtual operating system provides a sandbox-like virtual running environment that is almost the same as the real one. The target virus program is started in that environment, the monitoring program monitors its behavior while it runs, and its industrial control behavior information is analyzed. Detection of the industrial control behavior information therefore takes place without exposing a real machine or real operating system to the target virus program, and detection accuracy is preserved.
The mirroring unit 103 is configured to mirror the network traffic data between the virtual host and the industrial control system during the running of the target virus program, so as to obtain target traffic data;
The network traffic data is the communication data between the virtual host and the industrial control system.
Specifically, mirroring the network traffic data between the virtual host and the industrial control system means copying it, for example with the port mirroring function of the switch to which both are connected; the copied data is the target traffic data.
The first parsing unit 104 is configured to perform industrial control behavior analysis on the target traffic data to obtain the analyzed industrial control behavior information.
The analyzed industrial control behavior information may include at least one item of operation behavior information describing an operation of the target virus program on the industrial control system. Each item may include the device identifier of the operated object (for example a particular industrial control device) and the specific operation type, such as variable read/write, point read/write, or configuration upload/download.
Optionally, the first parsing unit 104 includes an identification unit, a searching unit and a second parsing unit; wherein:
The identification unit is configured to identify the protocol type of at least one message in the target traffic data;
The searching unit is configured to look up the message protocol library corresponding to the protocol type of each message;
The second parsing unit is configured to parse the messages of each protocol type with the corresponding message protocol library found, so as to obtain the analyzed industrial control behavior information.
Specifically, the invention determines, at the message protocol layer, the protocol type used by each message in the target traffic data; looks up, among a plurality of pre-configured message protocol libraries, the library corresponding to each protocol type; uses each library found to convert the messages of that protocol type into readable form; and determines from the readable form the operation behavior information of the target virus program carried in each message.
It should be noted that a message protocol library may be an existing one or one written by a technician for the actual working conditions; the present invention is not limited in this respect.
Optionally, the identification unit is configured to identify the protocol type of each message based on the message port and message header of each message in the target traffic data.
Specifically, the protocol type used by a message can be determined from its port and its header. The port alone is not reliable when a device or a virus uses a non-standard port, so the header is checked as well.
Optionally, the first parsing unit 104 includes a second sending unit and a determining unit; wherein:
The second sending unit is configured to send the target traffic data to an industrial control behavior auditing system for industrial control behavior auditing;
The determining unit is configured to take the industrial control behavior audit information output by the industrial control behavior auditing system as the analyzed industrial control behavior information.
Specifically, after the target traffic data is obtained it can be sent to the industrial control behavior auditing system, which parses each message in the target traffic data and outputs the analyzed industrial control behavior information.
It should be noted that the plurality of pre-configured message protocol libraries may be stored in the industrial control behavior auditing system.
Specifically, the industrial control behavior auditing system determines the protocol type used by each message in the target traffic data, looks up the message protocol library corresponding to each protocol type among the pre-configured libraries, parses the messages of each protocol type with the library found, and outputs the analyzed industrial control behavior information.
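The following is an added example, not code from the patent or its auditing system, of the identify-lookup-parse pipeline described for the identification, searching and second parsing units above and for the auditing system in this paragraph. Protocol type is decided from port plus header, the matching library is looked up in a registry, and each request message becomes one item of operation behavior information (device identifier, operation type, operated object, address). Only a Modbus/TCP library is implemented; S7comm is identified by its TPKT header on port 102 but has no library configured, to show how an identified-but-unparsed message is reported rather than silently dropped. The addresses and all traffic are constructed for the example.

```python
"""Added example: identify each mirrored message's protocol from port and
header, look up the matching protocol library, and turn the message into
operation behavior information. Addresses and traffic below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MODBUS_PORT = 502
S7_PORT = 102  # ISO-TSAP; S7comm is carried over TPKT/COTP

# Modbus function code -> (operation type, operated object)
MODBUS_FUNCTIONS = {
    1: ("read", "coils"), 2: ("read", "discrete_inputs"),
    3: ("read", "holding_registers"), 4: ("read", "input_registers"),
    5: ("write", "coil"), 6: ("write", "holding_register"),
    15: ("write", "coils"), 16: ("write", "holding_registers"),
}


@dataclass
class Message:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def is_modbus(msg: Message) -> bool:
    """Port 502 plus an MBAP header: protocol id 0 and a length field that
    matches the payload (the port alone is not enough; check both)."""
    p = msg.payload
    if MODBUS_PORT not in (msg.sport, msg.dport) or len(p) < 8:
        return False
    return int.from_bytes(p[2:4], "big") == 0 and int.from_bytes(p[4:6], "big") == len(p) - 6


def is_s7comm(msg: Message) -> bool:
    """Port 102 plus a TPKT header: version 3, reserved 0, total length."""
    p = msg.payload
    return (S7_PORT in (msg.sport, msg.dport) and len(p) >= 4
            and p[0] == 3 and p[1] == 0 and int.from_bytes(p[2:4], "big") == len(p))


IDENTIFIERS = [("modbus", is_modbus), ("s7comm", is_s7comm)]


def identify_protocol(msg: Message) -> Optional[str]:
    for name, check in IDENTIFIERS:
        if check(msg):
            return name
    return None


def parse_modbus(msg: Message) -> Optional[dict]:
    """Modbus/TCP library: one request from the host becomes one operation record."""
    if msg.dport != MODBUS_PORT:
        return None  # a response from the device, not an operation by the host
    p = msg.payload
    unit, fc, pdu = p[6], p[7], p[8:]
    device = f"{msg.dst}/unit{unit}"  # device identifier: IP plus Modbus unit id
    if fc not in MODBUS_FUNCTIONS or len(pdu) < 4:
        return {"device": device, "protocol": "modbus", "operation": "unknown", "function": fc}
    op, obj = MODBUS_FUNCTIONS[fc]
    rec = {"device": device, "protocol": "modbus", "operation": op, "object": obj,
           "address": int.from_bytes(pdu[0:2], "big")}
    if fc in (1, 2, 3, 4):
        rec["quantity"] = int.from_bytes(pdu[2:4], "big")
    elif fc in (5, 6):
        rec["value"] = int.from_bytes(pdu[2:4], "big")
    else:  # 15 / 16: quantity, byte count, then packed data
        qty, count = int.from_bytes(pdu[2:4], "big"), pdu[4]
        data = pdu[5:5 + count]
        rec["quantity"] = qty
        if fc == 15:  # coil states are packed LSB first
            rec["values"] = [(data[i // 8] >> (i % 8)) & 1 for i in range(qty)]
        else:
            rec["values"] = [int.from_bytes(data[i:i + 2], "big") for i in range(0, count, 2)]
    return rec


# The pre-configured message protocol libraries, keyed by protocol type.
PROTOCOL_LIBRARIES: Dict[str, Callable[[Message], Optional[dict]]] = {"modbus": parse_modbus}


def analyze_traffic(messages: List[Message]) -> List[dict]:
    records = []
    for m in messages:
        proto = identify_protocol(m)
        if proto is None:
            records.append({"device": m.dst, "protocol": None, "operation": "unidentified"})
        elif proto not in PROTOCOL_LIBRARIES:
            records.append({"device": m.dst, "protocol": proto, "operation": "unparsed"})
        else:
            rec = PROTOCOL_LIBRARIES[proto](m)
            if rec is not None:
                records.append(rec)
    return records


def write_operations(records: List[dict]) -> List[dict]:
    """The records that can modify the process: the first thing to put in the report."""
    return [r for r in records if r["operation"] == "write"]


HOST, PLC = "10.0.1.20", "10.0.1.5"  # constructed: the virtual host and one PLC
SAMPLE_TRAFFIC = [
    Message(HOST, PLC, 49152, 502, bytes.fromhex("00010000000601030000000A")),         # read 10 holding regs @0
    Message(PLC, HOST, 502, 49152, bytes.fromhex("000100000017010314") + bytes(20)),    # the PLC's response
    Message(HOST, PLC, 49152, 502, bytes.fromhex("000200000006010600101234")),         # write reg 16 = 0x1234
    Message(HOST, PLC, 49152, 502, bytes.fromhex("000300000009010F0013000A02CD01")),   # write 10 coils @19
    Message(HOST, PLC, 49153, 102, bytes.fromhex("03000016") + bytes(18)),             # S7comm, no library
    Message(HOST, PLC, 49154, 80, b"GET / HTTP/1.1\r\n\r\n"),                          # not an ICS protocol
]

if __name__ == "__main__":
    for rec in analyze_traffic(SAMPLE_TRAFFIC):
        print(rec)
```

Responses are identified as Modbus but produce no record, since only the host's requests describe what the sample did to the device; the "unparsed" and "unidentified" records are kept deliberately so that traffic the libraries cannot explain still shows up in the report instead of vanishing.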
Optionally, after the analyzed industrial control behavior information is obtained, it is stored in a target database and then filled into a preset PDF template to generate an industrial control behavior characteristic report for the target virus program, which is returned to the technician or user.
The virus industrial control behavior detection device provided by this embodiment detects the industrial control behavior information of the target virus program in a created virtual running environment that is almost the same as the real one. The detection proceeds without exposing a real machine or real operating system to the target virus program, detection accuracy is preserved, no manual analysis of the industrial control behavior characteristics of the target virus program is needed, the consumption of human resources is reduced, and the detection efficiency for the industrial control behavior of the target virus program is improved.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (9)

1. The method for detecting the virus industrial control behaviors is characterized by comprising the following steps of:
The method comprises the steps that a target virus program is sent to a virtual host through a monitoring program arranged in an operating system of the virtual host, the virtual host is in communication connection with target electronic equipment through the monitoring program, the virtual host is in communication connection with an industrial control system, the virtual host is an upper computer provided with industrial control system control software, industrial control equipment in the industrial control system is a lower computer, and the virtual host is in communication connection with the industrial control equipment through a switch;
The target virus program is instructed to start running in the virtual host through the monitoring program;
in the running process of the target virus program, mirroring the network flow data between the virtual host and the industrial control system to obtain target flow data;
Performing industrial control behavior analysis on the target flow data to obtain analyzed industrial control behavior information, wherein the analyzed industrial control behavior information comprises at least one piece of operation behavior information of a target virus program on an industrial control system;
And in the running process of the target virus program, monitoring the process information of the target virus program running in a virtual host, the call of a virtual operating system API, file read-write content and generated network traffic through the monitoring program, obtaining the operation behavior information of the target virus program in the virtual host, and returning the monitored data to the target electronic equipment.
2. The method of claim 1, wherein the performing industrial control action analysis on the target flow data to obtain analyzed industrial control action information includes:
identifying a protocol type of at least one message in the target flow data;
Respectively searching a message protocol library corresponding to the protocol type of each message;
And respectively analyzing the messages of the corresponding protocol types by using the searched message protocol libraries to obtain the analyzed industrial control behavior information.
3. The method of claim 2, wherein the identifying the protocol type of the at least one message in the target traffic data comprises:
And identifying the protocol type of each message based on the message port and the message header of each message in the target flow data.
4. The method of claim 1, wherein the performing industrial control action analysis on the target flow data to obtain analyzed industrial control action information includes:
the target flow data is sent to an industrial control behavior auditing system for industrial control behavior auditing;
And determining the industrial control behavior audit information output by the industrial control behavior audit system as the analyzed industrial control behavior information.
5. The method according to claim 1, wherein the method further comprises:
And carrying out static analysis on the target virus program, determining whether the target virus program is an executable program, and if so, executing a step of sending the target virus program to the virtual host through a monitoring program arranged in an operating system of the virtual host.
6. A virus industrial control action detection device, characterized by comprising: the system comprises a first sending unit, an instruction unit, a mirror image unit and a first analysis unit; wherein:
The first sending unit is used for sending a target virus program to the virtual host through a monitoring program arranged in an operating system of the virtual host, the virtual host is in communication connection with target electronic equipment through the monitoring program, the virtual host is in communication connection with an industrial control system, the virtual host is an upper computer provided with industrial control system control software, industrial control equipment in the industrial control system is a lower computer, and the virtual host is in communication connection with the industrial control equipment through a switch;
The instruction unit is used for instructing the target virus program to start running in the virtual host through the monitoring program;
The mirror image unit is used for mirroring the network flow data between the virtual host and the industrial control system in the running process of the target virus program to obtain target flow data;
the first analysis unit is used for carrying out industrial control behavior analysis on the target flow data to obtain analyzed industrial control behavior information;
And in the running process of the target virus program, monitoring the process information of the target virus program running in a virtual host, the call of a virtual operating system API, file read-write content and generated network traffic through the monitoring program, obtaining the operation behavior information of the target virus program in the virtual host, and returning the monitored data to the target electronic equipment.
7. The apparatus of claim 6, wherein the first parsing unit comprises: the device comprises an identification unit, a searching unit and a second analyzing unit; wherein:
The identifying unit is used for identifying the protocol type of at least one message in the target flow data;
the searching unit is used for searching the message protocol library corresponding to the protocol type of each message respectively;
The second analyzing unit is configured to analyze the messages of the corresponding protocol types by using the found message protocol libraries respectively, so as to obtain analyzed industrial control behavior information.
8. The apparatus of claim 7, wherein the identifying unit is configured to identify a protocol type of each message based on a message port and a message header of each message in the target traffic data.
9. The apparatus of claim 6, wherein the first parsing unit comprises: a second transmitting unit and a determining unit, wherein:
the second sending unit is used for sending the target flow data to an industrial control behavior auditing system to audit the industrial control behavior;
and the determining unit is used for determining the industrial control behavior audit information output by the industrial control behavior audit system as the analyzed industrial control behavior information.
CN202111111761.0A 2021-09-18 2021-09-18 Virus industrial control behavior detection method and device Active CN113852623B (en)
Publications (2)

Publication Number Publication Date
CN113852623A CN113852623A (en) 2021-12-28
CN113852623B true CN113852623B (en) 2024-05-14

Family

ID=78979131

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108762888A (en) * 2018-05-17 2018-11-06 湖南文盾信息技术有限公司 A kind of virus detection system examined oneself based on virtual machine and method
CN110752951A (en) * 2019-10-24 2020-02-04 杭州安恒信息技术股份有限公司 Industrial network flow monitoring and auditing method, device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8307443B2 (en) * 2007-09-28 2012-11-06 Microsoft Corporation Securing anti-virus software with virtualization

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant