CN113904819A - Safety system applied to industrial control network - Google Patents


Info

Publication number: CN113904819A
Application number: CN202111135595.8A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 蒋明, 吴皓谨, 岑明灿
Original Assignee: Guangxi Normal University
Current Assignee: Guangxi Normal University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Priority date: 2021-09-27 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2021-09-27
Publication date: 2022-01-07
Prior art keywords: industrial control, control network, industrial, module, data

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
    • G06F18/2135 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods based on approximation criteria, e.g. principal component analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G06F18/232 Non-hierarchical techniques
    • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention relates to a safety system applied to an industrial control network, which comprises three security modules: a protocol security module, an intrusion detection module and an active defense module. The protocol security module uses an SSL-based authentication scheme to encrypt and authenticate the communication protocol of the industrial control network, protecting the integrity and confidentiality of messages. The intrusion detection module uses a deep learning method: the data is preprocessed and a deep learning detection model is then constructed, so that abnormal data in the industrial control network can be detected effectively. The active defense module deploys industrial honeypots to lure attackers into attacking them, records the attack information and takes corresponding defense measures. By deploying the corresponding security modules in the industrial control network, the method of the invention can effectively improve the security of the industrial control network.

Description

Safety system applied to industrial control network
Technical Field
The invention belongs to the technical field of industrial control safety, and particularly relates to a safety system applied to an industrial control network.
Background
Industrial control systems, which consist of software and hardware systems that monitor and control physical devices, are commonly used in critical infrastructure related to national security, such as the water, electricity, oil and gas industries. With the continuing development of science and technology, the convergence of the industrial control network and the IT network has greatly advanced industrial systems, and industrial control networks are moving from automation toward intelligence.
The security problems of the industrial control network include: product vulnerabilities, since industrial control network equipment has a large number of vulnerabilities but is difficult to update because the equipment usually runs for many years; the vulnerability of communication protocols, which were designed with a focus on practicality and timeliness and with little regard for security; and the convergence of the two kinds of network, which also exposes the industrial control network to the threats faced by traditional IT networks.
The security problems of the industrial control network are becoming more and more serious, and related protective measures need to be taken to protect the industrial control network effectively. On the technical side, the main security technologies of the industrial control network include the following:
1. Intrusion detection technology inspects information such as network behavior, traffic data and logs, and identifies and handles malicious attacks on a computing system;
2. Encryption technology, built on the principles of cryptography, uses an encryption algorithm and a key to encrypt communication data so that the information cannot be understood directly, protecting information security;
3. Digital authentication, in which a third-party authority issues a digital certificate used for digital-signature authentication of both communicating parties, ensures the credibility of the communicators' identities and the non-repudiation of information on the network.
Because the industrial control network environment is complex and changeable, traditional firewall technology and antivirus software are not enough to protect the industrial control network, so the safety system applied to the industrial control network is invented to solve the various security problems of the industrial control network.
Disclosure of Invention
The purpose of the invention is: in view of the above shortcomings, to provide a safety system applied to an industrial control network.
To achieve this purpose, the invention provides the following technical scheme:
a security system for use in an industrial control network, comprising: a protocol security module, an intrusion detection module and an active defense module;
the active defense module simulates basic industrial control equipment by deploying M industrial honeypots; during an attack, the industrial honeypots record the attacker's attack information and their own state information in the form of logs, and the logs are transmitted to the intrusion detection module for identification; the attack information comprises the attack time, attack behavior, IP, port and data packet form of the attacker;
the protocol security module performs security authentication and encryption on the Modbus communication protocol of the real industrial control network, and transmits the traffic data to the intrusion detection module for detection;
and the intrusion detection module performs anomaly detection on the industrial control network traffic data through a deep learning detection model and identifies the logs recorded by the industrial honeypots.
Further, the interaction between the industrial honeypot and the external industrial control network is as follows:
the industrial honeypot is in data communication with each industrial control network device and is used to acquire real-time data related to the industrial control network; when the industrial honeypot collects an attacker's attack information, corresponding defense measures can be taken, and the attack information is recorded.
Further, the specific deployment structure of the industrial honeypot is as follows:
using open source tools, the industrial honeypots CryPLH and/or Gaspot are deployed on the external firewall of the industrial control system, and the low-interaction honeypot Conpot is deployed on the industrial control network.
The industrial honeypots deployed on the firewall outside the industrial control system provide early warning and are used to discover advanced threats; the low-interaction honeypot deployed on the industrial control network attracts attackers.
Further, the protocol security module comprises a PLC and an HMI; the Modbus communication protocol between the PLC and the HMI is encrypted and authenticated using SSL authentication.
Further, the intrusion detection module comprises a processor; the processor detects and identifies the traffic data received from the protocol security module and the logs recorded by the active defense module.
Further, the detection and identification method of the intrusion detection module is as follows:
acquiring an original data set in the industrial control network; the original data set comprises traffic data of the real industrial control network and log data recorded by the industrial honeypots;
preprocessing the original data set of the industrial control network; the preprocessing comprises standardizing the original data set and then reducing its dimension with the PCA algorithm;
constructing a CNN-based deep learning detection model, and training and testing it with a training data set and a test data set to obtain an intrusion detection model;
detecting and classifying the preprocessed original data set with the intrusion detection model; the detection classification result comprises a known attack class, an unknown attack class and a normal data class;
and performing cluster analysis on the detection classification result with the K-means algorithm, and then training on the analysis result.
Further, the preprocessing also comprises expanding the small-sample data in the original data set with a synthetic minority oversampling algorithm.
The invention has the following beneficial effects:
the SSL-based authentication scheme ensures the credibility of the communicating equipment and makes the Modbus protocol more secure; the industrial honeypots record the intrusion behavior of attackers so that corresponding defense measures can be taken; and the intrusion detection model is trained on real industrial control data, which makes it better at identifying anomalies in the industrial control network.
Drawings
FIG. 1 is a system architecture diagram of a security system for an industrial control network in accordance with the present invention;
FIG. 2 is a schematic diagram of a protocol security module of a security system applied to an industrial control network according to the present invention;
FIG. 3 is an encrypted Modbus format in a protocol security module of a security system for industrial control networks according to the present invention;
FIG. 4 is a schematic diagram of an active defense module of a security system applied to an industrial control network according to the present invention;
FIG. 5 is a schematic diagram of an intrusion detection module of a security system applied to an industrial control network according to the present invention.
Detailed Description
Referring to FIG. 1, a security system applied to an industrial control network includes: a protocol security module, an intrusion detection module and an active defense module;
the active defense module is provided with M industrial honeypots; the M industrial honeypots are built to imitate basic industrial control equipment such as a PLC (programmable logic controller); the industrial honeypots record the attacker's attack information and their own state information in the form of logs and transmit the recorded logs to the intrusion detection module for identification; the recorded data comprises the attacker's behavior, time, IP, port and data packet form, and the state information of the industrial honeypot;
the protocol security module performs security authentication and encryption on the Modbus communication protocol of the industrial control network; the traffic data is output to the intrusion detection module as a PCAP file for detection;
and the intrusion detection module performs anomaly detection and identification on the traffic data of the industrial control network and the log data recorded by the active defense module through a CNN-based deep learning detection model and the K-means algorithm.
As shown in FIG. 2, in the protocol security module the HMI serves as the Modbus client and the PLC serves as the Modbus server, and security authentication and encryption of the Modbus communication protocol of the real industrial control network are implemented with an SSL-based authentication scheme, specifically as follows:
the HMI initiates a communication request to the PLC and sends the HMI random number to the PLC;
after receiving the request, the PLC generates a PLC random number using its verification client, and sends the certificate and the PLC public key back to the HMI as the response;
the verification server of the HMI verifies whether the signature in the certificate is valid, then generates a PMS, encrypts the PMS with the PLC public key and sends it back to the PLC;
the verification client and the verification server use the same algorithm to generate a master key MS from the HMI random number, the PLC random number and the PMS; slicing the master key MS yields the MAC key and encryption key for messages sent by the HMI to the PLC, and the MAC key and encryption key for messages sent by the PLC to the HMI;
the master key MS is generated from the random number PMS, the function F for generating the MS, the PLC random number NP and the HMI random number NH; the master key MS is expressed as follows:
MS=F(PMS+NP+NH)
all messages sent between the HMI and the PLC are integrity-verified with the MAC key and encrypted with the encryption key; the format of the encrypted message is shown in FIG. 3. The verification server and the verification client can verify the MAC key in each message, and if the MAC keys are not consistent, communication can be interrupted;
and the traffic data of the industrial control network is output to the intrusion detection module as a PCAP file for detection and identification.
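The key slicing and per-message MAC check described above can be sketched as follows; this is an added example, not code from the patent. The page does not specify F, key sizes or a cipher, so HMAC-SHA256 for F and for the key expansion, 32-byte keys and the sequence number in the MAC input (added here so a replayed frame fails) are all assumptions, and encryption with the two encryption keys is left out.

```python
import hashlib
import hmac
import os
import struct

KEY_LEN = 32   # bytes per sliced key (assumed; the page gives no key sizes)
TAG_LEN = 32   # HMAC-SHA256 tag length


def derive_ms(pms: bytes, np_: bytes, nh: bytes) -> bytes:
    """MS = F(PMS + NP + NH); F is assumed to be HMAC-SHA256 keyed with PMS."""
    return hmac.new(pms, b"master secret" + np_ + nh, hashlib.sha256).digest()


def slice_keys(ms: bytes) -> dict:
    """Expand MS into a key block and slice it into the four directional keys."""
    block = b""
    counter = 0
    while len(block) < 4 * KEY_LEN:
        counter += 1
        block += hmac.new(ms, b"key expansion" + bytes([counter]),
                          hashlib.sha256).digest()
    names = ("hmi_to_plc_mac", "hmi_to_plc_enc",
             "plc_to_hmi_mac", "plc_to_hmi_enc")
    return {name: block[i * KEY_LEN:(i + 1) * KEY_LEN]
            for i, name in enumerate(names)}


def _tag(mac_key: bytes, seq: int, frame: bytes) -> bytes:
    # The sequence number is not on the page; it is added so replays are rejected.
    return hmac.new(mac_key, struct.pack(">Q", seq) + frame,
                    hashlib.sha256).digest()


def protect(mac_key: bytes, seq: int, frame: bytes) -> bytes:
    """Append the MAC to a Modbus frame (encryption step omitted)."""
    return frame + _tag(mac_key, seq, frame)


def verify(mac_key: bytes, seq: int, message: bytes) -> bytes:
    """Return the frame if the MAC matches; raise so the caller drops the link."""
    if len(message) < TAG_LEN:
        raise ValueError("message shorter than MAC tag")
    frame, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, seq, frame)):
        raise ValueError("MAC mismatch: interrupt communication")
    return frame


# Constructed sample: Modbus/TCP "write single register" (unit 1, register 1, value 3).
SAMPLE_FRAME = bytes.fromhex("000100000006010600010003")


def run_exchange() -> dict:
    """Both sides derive keys from the same handshake values, then pass one frame."""
    nh, np_, pms = os.urandom(32), os.urandom(32), os.urandom(48)
    hmi_keys = slice_keys(derive_ms(pms, np_, nh))   # computed on the HMI
    plc_keys = slice_keys(derive_ms(pms, np_, nh))   # computed on the PLC
    wire = protect(hmi_keys["hmi_to_plc_mac"], 0, SAMPLE_FRAME)
    results = {
        "keys_match": hmi_keys == plc_keys,
        "accepted": verify(plc_keys["hmi_to_plc_mac"], 0, wire) == SAMPLE_FRAME,
    }
    tampered = bytearray(wire)
    tampered[11] ^= 0x04                 # register value changed in transit
    for name, msg, seq in (("tamper_rejected", bytes(tampered), 0),
                           ("replay_rejected", wire, 1)):
        try:
            verify(plc_keys["hmi_to_plc_mac"], seq, msg)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(run_exchange())
```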
Referring to FIG. 4, in the security system applied to an industrial control network, the active defense module uses existing open source tools to deploy several different kinds of industrial honeypots on the firewall and on the industrial control network, where they imitate basic industrial equipment such as a PLC; the industrial honeypots include Conpot, CryPLH, Gaspot and the like. The industrial honeypots CryPLH and Gaspot are deployed on the firewall outside the industrial control system, where they provide early warning and can be used to discover advanced threats; the low-interaction honeypot Conpot is deployed on the industrial control network to attract attackers. When an attacker attacks the industrial control network, the industrial honeypot lures the attacker into attacking the PLC or other basic industrial control equipment that it simulates; the industrial honeypots exchange information through simulated industrial control protocols, collect the attacker's attack information on the industrial control network in real time, and record, in the form of logs, the attacker's attack information and the honeypot's own state information while it is under attack. The attack information comprises important data such as the attack time, IP, port and data packet form. The industrial honeypot outputs the logs to the intrusion detection module as a PCAP file for detection and identification.
As shown in FIG. 5, the intrusion detection module includes a processor, which is configured to perform anomaly detection on industrial control network traffic data and to identify malicious attacks recorded by the industrial honeypots, with the following specific steps:
acquiring an original data set in the industrial control network; the original data set comprises traffic data of the industrial control network and log data of the industrial honeypots;
preprocessing the data in the original data set of the industrial control network to generate a balanced data set; the preprocessing is as follows:
first, the traffic data of the industrial control network and the log data of the industrial honeypots are formatted; the data formatting is as follows:
the PCAP file is loaded first, and the Scapy tool is then used to process the traffic data of the industrial control network and the log data of the industrial honeypots; the processed data comprises two kinds of information: layer information in the data packet and payload information in the data packet;
then the formatted original data set of the industrial control network is standardized, after which PCA dimension reduction is applied; standardization ensures that the features are located near 0; the standardization of the original data set is as follows:
the standardized data z is obtained from the standard deviation σ, the mean μ and the original value x, as follows:
Figure RE-GDA0003375991570000081
PCA dimension reduction is applied to the standardized data z, specifically as follows:
assuming that the standardized data are m items of n-dimensional data, they are arranged into a matrix Z with m rows and n columns;
the mean of each feature (i.e., each row) of the matrix Z is computed, and the mean is subtracted from the original data in the matrix Z to obtain new, centered data;
the feature covariance matrix C is computed from the matrix Z, its transpose Z^T and the number m of data items; the covariance matrix formula is as follows:
Figure RE-GDA0003375991570000082
the eigenvalues and corresponding eigenvectors are obtained from the covariance matrix;
the eigenvectors are arranged in descending order of their corresponding eigenvalues, and the first g rows are selected to form a matrix P;
the dimension-reduced data sample Y is calculated from the standardized matrix Z and the matrix P; the dimension-reduced data sample Y is expressed as follows:
Y=PZ
because the traffic data of the industrial control network involves a multi-class classification problem (many different types of attack are faced), the distribution of sample data is often unbalanced and overfitting easily occurs during classification, so the small-sample data in the data needs to be suitably expanded;
finally, the small-sample data in the dimension-reduced data sample Y is expanded with a synthetic minority oversampling algorithm to obtain the expanded small-sample data Y_N; the specific steps are as follows:
N samples b_N are selected from the i nearest-neighbor samples found, where N = 1, 2, ...; n is the up-sampling rate;
linear interpolation is performed between the sample data a and the samples b_N to obtain new sample data Y_N;
the expanded small-sample data Y_N is obtained from a random number rand(0,1) between 0 and 1, the samples b_N and each sample data a of the minority class A; the expanded small-sample data Y_N is expressed as follows:
Y_N = a + rand(0,1)·(b_N - a)
the expanded small-sample data Y_N and the dimension-reduced data sample Y are added together to generate a balanced data set;
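The preprocessing chain described above (standardization, PCA, then oversampling of the minority class) is worked through below on constructed feature rows; this is an added example, not code from the patent. The two formulas that survive on the page only as figure references are assumed to be the usual z = (x - μ)/σ and C = (1/m)·Z^T·Z with samples stored as rows, and power iteration with deflation stands in for a library eigen-solver.

```python
import math
import random


def standardize(rows):
    """Column-wise z = (x - mu) / sigma; a constant column (sigma = 0) maps to 0."""
    cols = list(zip(*rows))
    mus = [sum(c) / len(c) for c in cols]
    sigmas = [math.sqrt(sum((x - mu) ** 2 for x in c) / len(c)) or 1.0
              for c, mu in zip(cols, mus)]
    return [[(x - mu) / s for x, mu, s in zip(r, mus, sigmas)] for r in rows]


def covariance(z):
    """C = (1/m) Z^T Z for m standardized samples stored as rows (assumed form)."""
    m, n = len(z), len(z[0])
    return [[sum(r[i] * r[j] for r in z) / m for j in range(n)] for i in range(n)]


def top_components(c, g, iters=300, seed=0):
    """Leading g (eigenvalue, eigenvector) pairs, largest eigenvalue first."""
    n = len(c)
    c = [row[:] for row in c]
    rng = random.Random(seed)
    pairs = []
    for _ in range(g):
        v = [rng.uniform(0.5, 1.0) for _ in range(n)]
        norm = math.sqrt(sum(x * x for x in v))
        v = [x / norm for x in v]
        for _ in range(iters):
            w = [sum(c[i][j] * v[j] for j in range(n)) for i in range(n)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-12:          # nothing left to extract
                break
            v = [x / norm for x in w]
        lam = sum(v[i] * c[i][j] * v[j] for i in range(n) for j in range(n))
        pairs.append((lam, v))
        # Deflation: remove the component just found before the next pass.
        c = [[c[i][j] - lam * v[i] * v[j] for j in range(n)] for i in range(n)]
    return pairs


def project(z, pairs):
    """Y = P Z in the page's notation; here each sample row is mapped by P."""
    return [[sum(p * x for p, x in zip(vec, row)) for _, vec in pairs]
            for row in z]


def oversample(minority, k, n, rng):
    """Y_N = a + rand(0,1) * (b_N - a), b_N drawn from a's k nearest neighbours."""
    synthetic = []
    for idx, a in enumerate(minority):
        others = [b for j, b in enumerate(minority) if j != idx]
        neighbours = sorted(others, key=lambda b: math.dist(a, b))[:k]
        for _ in range(n if neighbours else 0):
            b = rng.choice(neighbours)
            t = rng.random()
            synthetic.append([ai + t * (bi - ai) for ai, bi in zip(a, b)])
    return synthetic


# Constructed rows: [packet length, function code, inter-arrival ms, register].
NORMAL = [[66, 3, 100, 10], [66, 3, 101, 11], [66, 3, 99, 10], [66, 3, 100, 12],
          [66, 3, 102, 11], [66, 3, 98, 10], [66, 3, 100, 11], [66, 3, 101, 10]]
ATTACK = [[72, 16, 5, 200], [74, 16, 4, 210], [72, 16, 6, 205]]


def build_balanced(g=2, k=2, n=2, seed=7):
    """Run the whole chain and return the balanced data set with its labels."""
    z = standardize(NORMAL + ATTACK)
    pairs = top_components(covariance(z), g)
    y = project(z, pairs)
    minority = y[len(NORMAL):]
    synthetic = oversample(minority, k, n, random.Random(seed))
    labels = (["normal"] * len(NORMAL)
              + ["attack"] * (len(ATTACK) + len(synthetic)))
    return {"z": z, "eigenvalues": [lam for lam, _ in pairs],
            "minority": minority, "synthetic": synthetic,
            "samples": y + synthetic, "labels": labels}


if __name__ == "__main__":
    out = build_balanced()
    print(out["eigenvalues"], len(out["samples"]))
```

Because every synthetic point is an interpolation between two real minority samples, oversampling should be applied to the training split only, never to the data used to measure detection performance.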
constructing a CNN-based deep learning detection model, and training and testing it with a training data set and a test data set to obtain an intrusion detection model;
in the CNN stage, the input data takes the form of two-dimensional matrices, each comprising m samples and n features, where m is the number of industrial control data packets collected per second and n is the number of extracted data features;
the CNN-based deep learning detection model is constructed as follows:
the first convolution layer follows the input layer, with a convolution kernel size of 11 × 11;
in the convolution layer, the input features are convolved with the convolution kernels, a bias is added to the output of the convolution, and the result is passed to an activation function to generate the input features of the next layer;
local regularization is then performed by a ReLU function, whose formula is as follows:
relu(v)=max(v,0)
the first pooling layer follows and performs a 2 × 2 max pooling operation;
in the pooling layer, the resolution of the input is reduced by pooling elements of the previous layer over their local temporal neighborhood;
a second convolution layer follows, with a convolution kernel size of 5 × 5;
a ReLU function follows to perform local regularization;
the second pooling layer follows and performs a 2 × 2 max pooling operation;
finally, three fully connected layers are used, and a Dropout layer is added to each fully connected layer to prevent overfitting;
the last layer of the model outputs through a softmax function to obtain the final detection classification result;
the balanced data set is input to the intrusion detection model for detection; when the intrusion detection model meets an unknown attack class, the output neurons in the classification stage have lower output values;
all detection classification results whose output value is lower than a threshold R are marked as the unknown attack class, where 0 < R < 1 and the value of R needs to be set according to experimental results;
the unknown attack class is clustered with the K-means algorithm; the clustering is as follows:
first, k initial cluster centers are selected, the Euclidean distance from each data item to the k cluster centers is calculated, and each item is assigned to the nearest cluster according to the nearest-neighbor principle;
then iterative computation and reassignment are repeated by this method to obtain the final clustering result; the final clustering result comprises a normal cluster class and an abnormal cluster class; the normal cluster class is marked as the normal data class, and the abnormal cluster class is marked as a new attack class;
and the new attack class is fed to the deep learning model for training, improving the detection performance of the intrusion detection module.
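The threshold R and the K-means step described above are illustrated below on constructed softmax outputs; this is an added example, not code from the patent. The class names, the value R = 0.6, the farthest-point initialisation and the rule that a cluster counts as normal only when its centre lies within `normal_radius` of confidently normal traffic are assumptions, since the page does not say how the normal cluster is told apart from the abnormal one.

```python
import math

CLASSES = ("normal", "attack_a", "attack_b")   # assumed names of the known classes


def label_with_threshold(probs, r):
    """Known class if the top softmax output reaches R, otherwise 'unknown'."""
    top = max(range(len(probs)), key=probs.__getitem__)
    return CLASSES[top] if probs[top] >= r else "unknown"


def centroid(points):
    return [sum(col) / len(points) for col in zip(*points)]


def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm with Euclidean distance and farthest-point initialisation."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points,
                           key=lambda p: min(math.dist(p, c) for c in centers)))
    assign = []
    for _ in range(max_iter):
        assign = [min(range(k), key=lambda j: math.dist(p, centers[j]))
                  for p in points]
        new_centers = []
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            new_centers.append(centroid(members) if members else centers[j])
        if new_centers == centers:       # assignments have stopped changing
            break
        centers = new_centers
    return centers, assign


def resolve_unknown(samples, r, k=2, normal_radius=1.0):
    """samples: list of (feature_vector, softmax_output); returns one label each."""
    labels = [label_with_threshold(p, r) for _, p in samples]
    unknown = [i for i, lab in enumerate(labels) if lab == "unknown"]
    normal_ref = [samples[i][0] for i, lab in enumerate(labels) if lab == "normal"]
    if len(unknown) < k or not normal_ref:
        return labels                    # too little data to cluster
    centers, assign = kmeans([samples[i][0] for i in unknown], k)
    ref = centroid(normal_ref)
    # Assumed rule: a cluster is normal only if it sits close to known-normal
    # traffic, so a batch made up entirely of attacks is not split in half.
    is_normal = [math.dist(c, ref) <= normal_radius for c in centers]
    for i, a in zip(unknown, assign):
        labels[i] = "normal" if is_normal[a] else "new_attack"
    return labels


# Constructed samples: (2-D feature vector, softmax output over CLASSES).
SAMPLES = [
    ([0.10, 0.20], [0.97, 0.02, 0.01]),
    ([0.20, 0.10], [0.95, 0.03, 0.02]),
    ([5.00, 5.10], [0.03, 0.94, 0.03]),
    ([0.30, 0.30], [0.45, 0.30, 0.25]),
    ([0.15, 0.25], [0.40, 0.35, 0.25]),
    ([9.00, -4.00], [0.35, 0.33, 0.32]),
    ([9.20, -3.80], [0.34, 0.36, 0.30]),
    ([8.90, -4.10], [0.38, 0.31, 0.31]),
]

if __name__ == "__main__":
    for (features, _), label in zip(SAMPLES, resolve_unknown(SAMPLES, r=0.6)):
        print(features, label)
```

Samples labelled `new_attack` are the ones that would be fed back for retraining; reviewing them before they enter the training set keeps mislabelled traffic from degrading the model.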
While the invention has been described in terms of its preferred embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims (7)

1. A security system for use in an industrial control network, comprising: a protocol security module, an intrusion detection module and an active defense module;
the active defense module simulates basic industrial control equipment by deploying M industrial honeypots; the industrial honeypots record the attacker's attack information and their own state information in the form of logs, and transmit the logs to the intrusion detection module for identification; the attack information comprises the attack time, attack behavior, IP, port and data packet form of the attacker;
the protocol security module performs security authentication and encryption on the Modbus communication protocol of the real industrial control network, and transmits the traffic data to the intrusion detection module for detection;
and the intrusion detection module performs anomaly detection on the real industrial control network traffic data through a deep learning detection model and identifies the logs recorded by the industrial honeypots.
2. The safety system applied to the industrial control network as claimed in claim 1, wherein the industrial honeypot interacts with the real industrial control network as follows:
the industrial honeypot is in data communication with the equipment of each industrial control network and is used to acquire real-time data related to equipment communication in the real industrial control network.
3. The safety system applied to the industrial control network as claimed in claim 1, wherein the specific deployment structure of the industrial honeypot is as follows:
the industrial honeypots CryPLH and/or Gaspot are deployed on the external firewall of the industrial control system, and the low-interaction honeypot Conpot is deployed on the industrial control network.
4. The safety system applied to the industrial control network as claimed in claim 1, wherein the protocol security module comprises a PLC and an HMI; the Modbus communication protocol between the PLC and the HMI is encrypted and authenticated using SSL authentication.
5. The safety system applied to the industrial control network as claimed in claim 1, wherein the intrusion detection module comprises a processor; the processor detects and identifies the traffic data received from the protocol security module and the logs recorded by the active defense module.
6. The safety system applied to the industrial control network as claimed in claim 1, wherein the detection and identification method of the intrusion detection module is as follows:
acquiring an original data set in the industrial control network; the original data set comprises traffic data of the real industrial control network and log data recorded by the industrial honeypots;
preprocessing the original data set of the industrial control network; the preprocessing comprises standardizing the original data set and then reducing its dimension with the PCA algorithm;
constructing a CNN-based deep learning detection model, and training and testing it with a training data set and a test data set to obtain an intrusion detection model;
detecting and classifying the preprocessed original data set with the intrusion detection model; the detection classification result comprises a known attack class, an unknown attack class and a normal data class;
and performing cluster analysis on the detection classification result with the K-means algorithm, and training on the analysis result.
7. The safety system applied to the industrial control network as claimed in claim 1, wherein the preprocessing further comprises expanding the small-sample data in the original data set with a synthetic minority oversampling algorithm.
CN202111135595.8A 2021-09-27 2021-09-27 Safety system applied to industrial control network Pending CN113904819A (en)

Publications (1)

Publication Number Publication Date
CN113904819A true CN113904819A (en) 2022-01-07

Family

ID=79029573

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111135595.8A Pending CN113904819A (en) 2021-09-27 2021-09-27 Safety system applied to industrial control network

Country Status (1)

Country Link
CN (1) CN113904819A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114448738A (en) * 2022-04-11 2022-05-06 北京网藤科技有限公司 Attack vector generation method and system for industrial control network
CN114760126A (en) * 2022-04-08 2022-07-15 沈阳化工大学 Industrial control network flow real-time intrusion detection method
CN115277244A (en) * 2022-08-05 2022-11-01 四川启睿克科技有限公司 Industrial Internet intrusion detection system and method

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107317852A (en) * 2017-06-20 2017-11-03 普奥云信息科技(北京)有限公司 Smart machine, communication system and the method extended based on MODBUS
CN108900467A (en) * 2018-05-31 2018-11-27 华东师范大学 A method of perception is built and threatened to the automation honey jar based on Docker
CN109104438A (en) * 2018-10-22 2018-12-28 杭州安恒信息技术股份有限公司 Botnet method for early warning and device in a kind of narrowband Internet of Things
US20190294995A1 (en) * 2018-03-21 2019-09-26 Telefonica, S.A. Method and system for training and validating machine learning in network environments
CN110619049A (en) * 2019-09-25 2019-12-27 北京工业大学 Message anomaly detection method based on deep learning
CN111125702A (en) * 2019-12-25 2020-05-08 成都知道创宇信息技术有限公司 Virus identification method and device
CN111683055A (en) * 2020-05-14 2020-09-18 北京邮电大学 Industrial honey pot control method and device
CN111818052A (en) * 2020-07-09 2020-10-23 国网山西省电力公司信息通信分公司 CNN-LSTM-based industrial control protocol homologous attack detection method
CN112054996A (en) * 2020-08-05 2020-12-08 杭州木链物联网科技有限公司 Attack data acquisition method and device for honeypot system
KR20210084204A (en) * 2019-12-27 2021-07-07 주식회사 와이햇에이아이 Malware Crawling Method and System
CN113132388A (en) * 2021-04-21 2021-07-16 广东电网有限责任公司 Data security interaction method and system
CN113132391A (en) * 2021-04-20 2021-07-16 辽宁谛听信息科技有限公司 Malicious behavior identification method for industrial control honeypot
CN113132417A (en) * 2021-06-16 2021-07-16 国能信控互联技术有限公司 Multi-protocol conversion encryption industrial intelligent gateway and operation method thereof

Patent Citations (13)

Publication number Priority date Publication date Assignee Title
CN107317852A (en) * 2017-06-20 2017-11-03 普奥云信息科技(北京)有限公司 Smart machine, communication system and the method extended based on MODBUS
US20190294995A1 (en) * 2018-03-21 2019-09-26 Telefonica, S.A. Method and system for training and validating machine learning in network environments
CN108900467A (en) * 2018-05-31 2018-11-27 华东师范大学 A method of perception is built and threatened to the automation honey jar based on Docker
CN109104438A (en) * 2018-10-22 2018-12-28 杭州安恒信息技术股份有限公司 Botnet method for early warning and device in a kind of narrowband Internet of Things
CN110619049A (en) * 2019-09-25 2019-12-27 北京工业大学 Message anomaly detection method based on deep learning
CN111125702A (en) * 2019-12-25 2020-05-08 成都知道创宇信息技术有限公司 Virus identification method and device
KR20210084204A (en) * 2019-12-27 2021-07-07 주식회사 와이햇에이아이 Malware Crawling Method and System
CN111683055A (en) * 2020-05-14 2020-09-18 北京邮电大学 Industrial honey pot control method and device
CN111818052A (en) * 2020-07-09 2020-10-23 国网山西省电力公司信息通信分公司 CNN-LSTM-based industrial control protocol homologous attack detection method
CN112054996A (en) * 2020-08-05 2020-12-08 杭州木链物联网科技有限公司 Attack data acquisition method and device for honeypot system
CN113132391A (en) * 2021-04-20 2021-07-16 辽宁谛听信息科技有限公司 Malicious behavior identification method for industrial control honeypot
CN113132388A (en) * 2021-04-21 2021-07-16 广东电网有限责任公司 Data security interaction method and system
CN113132417A (en) * 2021-06-16 2021-07-16 国能信控互联技术有限公司 Multi-protocol conversion encryption industrial intelligent gateway and operation method thereof

Non-Patent Citations (1)

Title
WEIXIN_38744153: "GasPot", 《CSDN》 *

Cited By (5)

Publication number Priority date Publication date Assignee Title
CN114760126A (en) * 2022-04-08 2022-07-15 沈阳化工大学 Industrial control network flow real-time intrusion detection method
CN114760126B (en) * 2022-04-08 2023-09-19 沈阳化工大学 Industrial control network flow real-time intrusion detection method
CN114448738A (en) * 2022-04-11 2022-05-06 北京网藤科技有限公司 Attack vector generation method and system for industrial control network
CN115277244A (en) * 2022-08-05 2022-11-01 四川启睿克科技有限公司 Industrial Internet intrusion detection system and method
CN115277244B (en) * 2022-08-05 2023-07-25 四川启睿克科技有限公司 Intrusion detection system and method for industrial Internet

Similar Documents

Publication Publication Date Title
Bahşi et al. Dimensionality reduction for machine learning based iot botnet detection
Yang et al. MTH-IDS: A multitiered hybrid intrusion detection system for internet of vehicles
Anthi et al. A supervised intrusion detection system for smart home IoT devices
Rabbani et al. A hybrid machine learning approach for malicious behaviour detection and recognition in cloud computing
CN113904819A (en) Safety system applied to industrial control network
Siddharthan et al. Senmqtt-set: An intelligent intrusion detection in iot-mqtt networks using ensemble multi cascade features
CN111492635A (en) Malicious software host network flow analysis system and method
CN103577835B (en) The method using the multidimensional characteristic vectors detection hidden channel of IP ID
Sudharsan et al. Edge2guard: Botnet attacks detecting offline models for resource-constrained iot devices
Sherasiya et al. Intrusion detection system for internet of things
Mubarak et al. Industrial datasets with ICS testbed and attack detection using machine learning techniques
CN115865526A (en) Industrial internet security detection method and system based on cloud edge cooperation
Ozkan-Okay et al. SABADT: hybrid intrusion detection approach for cyber attacks identification in WLAN
Kotak et al. Adversarial attacks against iot identification systems
Qaddoori et al. An efficient security model for industrial internet of things (IIoT) system based on machine learning principles
Aljuhani et al. A deep learning integrated blockchain framework for securing industrial IoT
Alabdulatif et al. Machine Learning Approach for Improvement in Kitsune NID.
Das et al. Eavesdropping Attack Detection in UAVs using Ensemble Learning
Aljohani et al. An intrusion detection system model in a local area network using different machine learning classifiers
Kaur et al. A Framework to Secure IoT Network
Latha et al. Machine Learning Approaches for DDoS Attack Detection: Naive Bayes vs Logistic Regression
CN112968891A (en) Network attack defense method and device and computer readable storage medium
Abdelkhalek et al. ML-based Alert Correlation Algorithms For DER Cyber Situational Awareness
Erney et al. A survey of intrusion detection and prevention systems
Aljammal et al. Performance Evaluation of Machine Learning Approaches in Detecting IoT-Botnet Attacks.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220107