CN113965368A - Network anomaly detection method based on communication protocol - Google Patents
- Publication number: CN113965368A (application CN202111212410.9A)
- Authority: CN (China)
- Prior art keywords: data packet, response, request, master device, master
- Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00, network architectures or network communication protocols for network security)
- H04L63/1441: Countermeasures against malicious traffic
- H04L12/40: Bus networks (under H04L12/28, data switching networks characterised by path configuration, e.g. LAN or WAN; H04L12/00, data switching networks)
- H04L2012/40228: Modbus (under H04L2012/40208, bus networks characterized by the use of a particular bus standard)
Abstract
The invention discloses a network anomaly detection method based on a communication protocol that can effectively improve the security of Modbus TCP. Building on the bidirectional request/response access mechanism of Modbus TCP and on the protocol content, it introduces bidirectional function-code anomaly detection and can detect four anomaly conditions: 1. the function code of a request packet does not match that of the response packet carrying the same transaction identifier in its MBAP header; 2. the master device sends one request packet but receives two response packets within a certain time; 3. the master device receives a response packet without having sent a request packet; 4. the master device sends a request packet but receives no response packet from the slave device within a certain time. The method can effectively detect communication anomalies in the network, improve the security of Modbus TCP, and ensure the security and reliability of packet transmission.
Description
Technical Field
The invention relates to the field of protocol communication, in particular to a network anomaly detection method based on a communication protocol.
Background
At the time of their earliest designs, industrial control systems were relatively closed and independent and were generally not, or only rarely, exposed to information security threats. As industrialization advances, intelligent production that closely integrates informatization and industrialization has become the trend, so industrial networks are becoming ever more open. Work on the information security of industrial control systems in China started late and still suffers from an incomplete standards system, weak emergency response capability and low protective capability. For this reason, in September 2011 the Ministry of Industry and Information Technology issued the Notice on Strengthening the Information Security Management of Industrial Control Systems (MIIT [2011] No. 451).
Modbus TCP is a newer member of the Modbus protocol family. It is listed by China as one of its industrial network standards, can transparently connect PLCs, I/O modules and other control devices over Ethernet, and is widely used in industrial control systems. However, precisely because Modbus TCP is so closely tied to Ethernet, it is vulnerable to trojan and virus attacks, which can damage industrial control equipment, paralyse monitoring systems and cause other serious consequences, up to and including casualties, and thus pose a serious threat to production and safety. The communication security of the Modbus TCP protocol must therefore be ensured.
Modbus is a request/response protocol; FIG. 1 depicts the Modbus request/response model. The master device is the active side; in an actual industrial control environment it is the controller, which sends control instructions. The slave device is the passive side; in practice it is an actuator or a sensor, which executes the controller's instruction and returns a measured value to the controller.
As FIG. 2 shows, a Modbus TCP frame consists of an MBAP header, a function code and a data portion:
1. MBAP header: transaction identifier, protocol identifier, length and unit identifier.
2. Function code: the key to the control instruction the master sends to the slave; each function code denotes a different operation to execute.
3. Data: there are four basic data types: discrete inputs, coils, input registers and holding registers.
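The frame layout just described, as an added example that is not code from the patent: it encodes and decodes the MBAP header (transaction identifier, protocol identifier, length, unit identifier) followed by the function code and data, builds a read-holding-registers (function code 3) request/response pair, and checks the invariant the detection method relies on, namely that request and response agree on transaction identifier, unit identifier and function code. It also shows how a Modbus exception response is carried: the same function code with 0x80 added. All frames are constructed here; the helper names are this example's own.

```python
"""Modbus TCP frame encoder and decoder (added example, not from the patent)."""
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id (big-endian)
MODBUS_PROTOCOL_ID = 0         # the only protocol identifier defined for Modbus TCP
EXCEPTION_FLAG = 0x80          # set in the function code of an exception response
FC_READ_HOLDING_REGISTERS = 3


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Encode one Modbus TCP ADU; the length field counts unit id + function code + data."""
    if not 0 <= function_code <= 0xFF:
        raise ValueError("function code must fit in one byte")
    length = 1 + 1 + len(data)
    header = MBAP.pack(transaction_id, MODBUS_PROTOCOL_ID, length, unit_id)
    return header + bytes([function_code]) + data


def parse_frame(frame: bytes) -> dict:
    """Decode an ADU, verifying the header fields a deep packet inspector should check."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for an MBAP header and function code")
    tid, pid, length, uid = MBAP.unpack_from(frame)
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol identifier {pid}")
    body = frame[MBAP.size:]           # function code + data
    if len(body) != length - 1:        # length also counts the unit identifier byte
        raise ValueError(f"length field {length} disagrees with {len(body) + 1} bytes present")
    raw_fc = body[0]
    return {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": raw_fc & 0x7F,              # the function the frame refers to
        "is_exception": bool(raw_fc & EXCEPTION_FLAG),
        "data": body[1:],
    }


def read_holding_registers_request(transaction_id: int, unit_id: int, start: int, count: int) -> bytes:
    """Function code 3 request: starting address and register count."""
    return build_frame(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS,
                       struct.pack(">HH", start, count))


def read_holding_registers_response(transaction_id: int, unit_id: int, values: list) -> bytes:
    """Function code 3 response: byte count followed by the 16-bit register values."""
    payload = bytes([2 * len(values)]) + struct.pack(f">{len(values)}H", *values)
    return build_frame(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS, payload)


def pair_is_consistent(request: bytes, response: bytes) -> bool:
    """Invariant used by the detection method: same transaction id, unit id and function code.

    An exception response still refers to the request's function code, so it
    is consistent with its request; the detector decides separately what to
    do with exceptions.
    """
    req, rsp = parse_frame(request), parse_frame(response)
    return (req["transaction_id"] == rsp["transaction_id"]
            and req["unit_id"] == rsp["unit_id"]
            and req["function_code"] == rsp["function_code"])


if __name__ == "__main__":
    req = read_holding_registers_request(0x1234, 1, 0, 2)     # constructed request
    rsp = read_holding_registers_response(0x1234, 1, [10, 20])  # constructed reply
    print(req.hex(), rsp.hex(), pair_is_consistent(req, rsp))
```

The length check matters for inspection: a deep packet inspector that trusts the MBAP length field without comparing it to the bytes actually present can be desynchronised by a crafted frame, and every later packet on the connection would then be mis-parsed.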
Modbus TCP is primarily used in industrial control networks that are isolated from other networks, and the Modbus Organization has not added any security features to the protocol. At the same time, Modbus TCP sits on top of TCP/IP and therefore inherits the weaknesses of the underlying standard Ethernet protocols. The main security defects of Modbus TCP are: 1) lack of authentication; 2) lack of authorization; 3) lack of encryption.
Modbus has two communication modes. One is the request/response mechanism, in which the Modbus master sends a request (such as a control command) to a slave (such as an actuator) and the slave returns a response to the master. The other is broadcast, in which the master sends a request to all slaves, which perform the operation without returning a response packet. Since the Modbus protocol has no security mechanism at all and is weak in command authorization, information confidentiality and communication integrity, three classes of attack against the industrial control system follow:
The first exploits the absence of authentication and authorization in the protocol: by modifying a control instruction sent by the master, the attacker makes the slave execute unauthorized instructions such as clearing counters or diagnostic registers, causing a fault in the industrial control system.
The second targets confidentiality: the attacker first locates the communicating master and slave devices by scanning, then captures the control instructions sent by the master to the slave or the measurement data sent by the slave to the master.
The third targets the question-and-answer communication mechanism of Modbus TCP: the attacker modifies the response packet sent by the slave to the master so that the controller acts on wrong measurements, executes wrong control instructions and drives the control system into an abnormal state.
Disclosure of Invention
To overcome the security defects of Modbus TCP, the invention provides a network anomaly detection method based on the communication protocol. It applies bidirectional function-code anomaly detection and, as the anomaly-detection part of intrusion detection, can secure Modbus TCP communication.
The technical scheme that achieves this is as follows. A network anomaly detection method based on a communication protocol comprises the following steps:
step 1, when the Modbus TCP master device and slave device of the industrial control system communicate using the request/response model, a detection point is set at the sending end of the master device, where it obtains the legitimate, normal request packet together with its source port number and function code;
step 2, if the request packet is maliciously modified by an attacker on the communication line from the master device to the slave device, the slave device executes the wrong operation and returns a response packet;
step 3, the detection device arranged at the sending end of the master device obtains the source port number and function code of the response packet on receiving it;
step 4, the request packet and the response packet are matched through the transaction identifier in the MBAP header of the Modbus TCP frame; if, after a successful match, the function code of the request packet is not equal to the function code of the response packet, the detection device concludes that an attack has occurred.
Further, in the request/response data model of the industrial control system of step 1, an attacker can also break the master/slave communication loop by intercepting a request packet sent by the master to the slave or a response packet sent by the slave to the master.
Further, the function code of the response packet in step 2 is one that has been maliciously modified.
Further, when the Modbus TCP master and slave of step 2 communicate and the master receives two or more response packets for the same request, the master may accept only the first response packet and discard those received later.
Further, in the attack behaviour of step 4, when the detection device at the sending end of the master detects a response packet without a corresponding request packet, it raises an alarm.
Further, in the attack behaviour of step 4, when the detection device at the outlet of the master detects a request packet sent by the master to the slave but no response packet from the slave within a certain time, it concludes that an attack has occurred and raises an alarm.
Compared with the prior art, the invention has the following beneficial effects:
(1) When the function code of the request packet is modified, one-way function-code detection is not real-time; detection based on the bidirectional master/slave function codes needs only the request/response packet pair and is strongly real-time.
(2) When several response packets arrive for one request, one-way function-code detection cannot detect it; bidirectional detection detects it in real time and can either alarm or discard the abnormal packet.
(3) When a response packet appears without any request packet, one-way function-code detection cannot detect it; bidirectional detection detects it in real time and can either alarm or discard the abnormal packet.
(4) When a request packet is sent but no response packet arrives, one-way function-code detection cannot detect it; bidirectional detection detects it in real time and can either alarm or discard the abnormal packet.
Drawings
FIG. 1 is the Modbus request/response model;
FIG. 2 is the Modbus over TCP/IP frame;
FIG. 3 is a diagram of the protection structure;
FIG. 4 is the Modbus TCP protection flow diagram;
FIG. 5 is a diagram of the Modbus TCP data communication process;
FIG. 6 is a diagram of the bidirectional function-code detection model.
Detailed Description
Analysis of the Modbus TCP protocol shows that Modbus is an industrial control protocol between a master and a slave, communicating in request/response fashion. Security protection for Modbus TCP generally uses a hardware protection module connected in series between the master and the slave, as shown in FIG. 3.
Protection of Modbus TCP generally relies on intrusion detection, which divides into two approaches by the behaviour modelled: misuse detection and anomaly detection. Misuse detection enumerates all possible intrusion behaviours and builds a model of them; if a visitor's behaviour matches the model, it is judged an intrusion. Anomaly detection builds a model of normal access behaviour; if an access does not conform to the model, it is judged an intrusion.
Modbus TCP is an application-layer protocol; ordinary access control cannot detect or identify application-layer content, so protecting application-layer Modbus requires deep packet inspection. Applying deep packet inspection to intrusion detection yields comprehensive protection of Modbus TCP. The protection flow is shown in FIG. 4: Modbus TCP data undergoes deep packet parsing, deep packet filtering and anomaly detection in turn. The invention designs a security protection method for Modbus TCP according to this process:
Deep packet parsing, deep packet filtering and anomaly detection all belong to deep packet inspection, and through this scheme protection reaches down into the application layer: deep packet filtering blocks known attacks, and anomaly detection discovers and protects against unknown attacks in time. The scheme thus provides comprehensive protection of Modbus TCP communication through deep packet inspection.
To overcome the security defects of Modbus TCP, the invention provides a network anomaly detection method based on the communication protocol.
Modbus TCP carries much key information and many characteristics from the network layer up to the application layer, and different characteristics can be selected to build statistics of normal communication for anomaly detection.
TABLE 1 optional characteristics for Modbus anomaly detection
Anomaly detection for Modbus TCP usually selects different features of the protocol content for statistical detection. Among them the function code is the most studied, because of its central role in the instruction as a whole. One may select a single feature, several features or feature combinations, with different emphases according to actual requirements.
Besides the protocol content, characteristics of the protocol's communication pattern can also be used for detection. Modbus is a request/response protocol with bidirectional communication, and each question-and-answer exchange carries much characteristic information. Fields such as the function code and the unit identifier are highly consistent between the request and response packets: in normal communication, the function code and unit identifier in the question and in the answer are the same and do not change.
Modbus TCP is an industrial control protocol built on the bidirectional communication of TCP; as FIG. 5 shows, a complete Modbus request/response exchange comprises the following steps:
(1) Establishing the connection
The master and the slave connect through a TCP three-way handshake. First, the master initiates a connection to the slave's port 502 by sending a SYN packet with initial sequence number X. The slave, which listens for the Modbus service on TCP port 502, replies with a SYN+ACK packet carrying its own sequence number Y and acknowledgement number X+1. Finally, the master checks that the acknowledgement number is X+1 and, if so, sends an ACK with acknowledgement number Y+1; once the slave receives it, the connection is established.
(2) Data exchange
The master sends a Modbus request to the slave; the slave performs the requested operation and returns the result to the master.
FIG. 5 is a schematic diagram of the Modbus TCP data communication process.
(3) Closing the connection
The master sends a FIN packet to the slave to request closing the connection; on receiving the FIN the slave returns an ACK, then closes its own direction with a FIN that the master acknowledges in turn. The close may equally be initiated by the slave towards the master.
In Modbus TCP communication the function codes in the request packet and the corresponding response packet are the same. The function code is the key to the control instruction the master sends to the slave, each code denoting a different operation, and once a function code is maliciously modified the actuator receives a wrong control instruction and performs a wrong operation.
Analysis of Modbus TCP shows that the function code plays a central role in the communication process: in an actual industrial control environment it directly determines the actuator's operation, and if an attacker maliciously modifies the function code of a request packet the controller's behaviour changes directly, so guaranteeing that function codes are not maliciously modified is especially important. From the position of Modbus TCP in the TCP/IP stack it is an application-layer protocol, so analysing Modbus TCP function codes requires analysing the application-layer protocol and data, that is, deep packet parsing.
An anomaly detection method for Modbus TCP function codes comprises the following:
With this method, anomaly detection of Modbus TCP function codes requires analysing only two packets: the request packet sent by the master to the slave and the response packet sent by the slave to the master. In addition, the function-code anomaly detection proposed in this section can detect modifications that stay within the legal function-code range:
designing a first mode: increased detection of transaction identifier mismatch in MBAP data packet headers over ModbusTCP protocol
Since the industrial control system communication protocol ModbusTCP does not have any authentication mechanism, an attacker can easily implement an attack by using the communication characteristics of the industrial control system communication protocol ModbusTCP. For example, an attacker first monitors communication between a master device and a slave device of an industrial control system, obtains a legal function code range of the communication between the master device and the slave device of the industrial control system, and when the master device sends a control instruction (request data packet) to the slave device, the attacker can intercept the control instruction, modify the function code into other legal function codes, and send the control instruction to the slave device (actuator).
The anomaly detection algorithm based on deep packet analysis can effectively realize the identification of the attacks. The detection device sets a detection point at a sending end of the industrial control system main equipment, the detection point can obtain a legal and normal request data packet and obtain a source port number and a function code thereof, if the request data packet is maliciously modified by an attacker in a communication line sent by the main equipment to the slave equipment, the slave equipment returns a response data packet after executing wrong operation, at the moment, the function code of the response data packet is maliciously modified, the detection device set at the sending end of the industrial control system main equipment obtains the source port number and the function code thereof after receiving the response data packet, as the matching of the request data packet and the response data packet is matched through an identifier in an MBAP data packet header of a ModbusTCP protocol, and after the matching is successful, the detection device finds that the function code of the request data packet is not equal to the function code of the response data packet, at this time, the detection device considers that the attack action occurs, and then an alarm is given.
Design two: added detection of two response packets received within a certain time after the master sends a request packet
When the Modbus TCP master and slave communicate and the master receives two or more response packets for the same request, the master may accept only the first and discard those received later. An attacker can exploit this: after the master sends a control command, the slave performs the operation and only then sends its response, so some interval elapses between the master sending the request and receiving the response. Having first listened to the master/slave communication and measured that interval, the attacker sends a malicious response packet before the legitimate one, so that the master discards the legitimate response. The anomaly detection algorithm of the invention observes at the sending end of the master that a request packet is followed by two response packets within a certain time window, concludes that the industrial control system is under attack, and raises an alarm.
Design three: added detection of a response packet at the master without a request packet
The Modbus TCP master and slave use a request/response model. An attacker can abuse the normal response model by crafting data and sending a response packet to the master when the master has not sent any request, thereby causing an abnormal state at the master. An anomaly detection algorithm based on deep packet parsing can protect against this: the detection device at the sending end of the master raises an alarm when it sees only response packets and no request packet.
Design four: added detection of no response packet received within a certain time after the master sends a request packet
Against the request/response data model of the industrial control system, an attacker can also break the master/slave communication loop by intercepting the request packet sent by the master to the slave or the response packet sent by the slave to the master. The anomaly detection algorithm of the invention can detect this attack: when the detection device at the outlet of the master sees a request packet sent to the slave but receives no response packet from the slave within a certain time, it concludes that an attack has occurred and raises an alarm.
FIG. 6 illustrates the Modbus TCP packet inspection model; the deep-packet-parsing inspection method of the invention responds differently according to the kind of communication anomaly.
According to their characteristics, anomalies are classified into four types:
The first type: the detection device has not seen a request packet from the master to the slave but receives a response packet from the slave to the master; on detecting this, the device raises an alarm;
The second type: after detecting a request packet from the master to the slave, the detection device receives more than one response packet within a certain time window; on detecting this, the device likewise raises an alarm;
The third type: after detecting the request packet, the detection device receives no response packet within a certain time window; on detecting this, the device may raise an alarm or resend the packet;
The fourth type: the source port and function code of the request sent by the master to the slave and of the corresponding packet sent by the slave to the master do not agree, which manifests as: the source port of the response packet is not 502; the response packet carries a normal function code in the range 1-127 but it differs from the function code of the request packet; or the function code of the response packet is in the range 128-255. (Note that the Modbus specification defines a response whose function code is the request's code with the high bit set, i.e. 0x80 added, as an exception response signalling an error such as an illegal function or illegal data address; a detector that treats every code in 128-255 as an attack will also alarm on these legitimate error replies, so in practice they should be baselined separately.)
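The four-type classification above, together with Designs one to four, as an added example that is not the patent's implementation: a detector that consumes already decoded request/response records (transaction identifier, unit identifier, function code, TCP source port, capture time) as a detection point at the master's sending end would see them, matches responses to requests by transaction identifier, and raises the four alarm types. The one-second response deadline is an assumed value standing in for the patent's "certain time"; the record stream in run_demo() is constructed, not captured, and the class and field names are this example's own.

```python
"""Bidirectional function-code anomaly detector for Modbus TCP (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

MODBUS_PORT = 502
EXCEPTION_FLAG = 0x80


@dataclass(frozen=True)
class Record:
    t: float         # capture time in seconds
    direction: str   # "req" (master -> slave) or "rsp" (slave -> master)
    tid: int         # MBAP transaction identifier
    unit: int        # MBAP unit identifier
    fc: int          # raw function code byte
    src_port: int    # TCP source port of the packet


@dataclass
class Pending:
    request: Record
    responses: int = 0


@dataclass
class Detector:
    timeout: float = 1.0  # assumed response deadline; also the duplicate-response window
    pending: Dict[int, Pending] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Type 3: a request whose window closed without any response (Design four).
        for tid, p in list(self.pending.items()):
            if now - p.request.t > self.timeout:
                if p.responses == 0:
                    self.alarms.append(f"type3 missing_response tid={tid}")
                del self.pending[tid]

    def feed(self, rec: Record) -> None:
        self._expire(rec.t)
        if rec.direction == "req":
            self.pending[rec.tid] = Pending(rec)
            return
        p = self.pending.get(rec.tid)
        if p is None:
            # Type 1: response with no outstanding request (Design three).
            self.alarms.append(f"type1 orphan_response tid={rec.tid}")
            return
        p.responses += 1
        if p.responses > 1:
            # Type 2: a second reply inside the window (Design two).
            self.alarms.append(f"type2 duplicate_response tid={rec.tid}")
            return
        self._check_pair(p.request, rec)

    def _check_pair(self, req: Record, rsp: Record) -> None:
        # Type 4: the matched pair disagrees on port, unit or function code (Design one).
        if rsp.src_port != MODBUS_PORT:
            self.alarms.append(f"type4 bad_source_port tid={rsp.tid} port={rsp.src_port}")
        if rsp.fc & EXCEPTION_FLAG:
            # Caveat: 0x80|FC is the protocol's own exception response. The patent
            # classes 128-255 as abnormal; a deployment should baseline these instead.
            self.alarms.append(f"type4 exception_response tid={rsp.tid} fc={rsp.fc}")
        elif rsp.fc != req.fc or rsp.unit != req.unit:
            self.alarms.append(
                f"type4 function_code_mismatch tid={rsp.tid} req_fc={req.fc} rsp_fc={rsp.fc}")

    def flush(self, now: float) -> List[str]:
        """Close all windows as of `now` and return every alarm raised so far."""
        self._expire(now)
        return list(self.alarms)


def run_demo() -> List[str]:
    """Replay a constructed capture: normal traffic plus each anomaly type."""
    stream = [
        Record(0.00, "req", 1, 1, 3, 40001),   # normal read holding registers
        Record(0.05, "rsp", 1, 1, 3, 502),
        Record(1.00, "req", 2, 1, 3, 40001),   # Design one: FC altered in transit, slave answers FC 6
        Record(1.05, "rsp", 2, 1, 6, 502),
        Record(2.00, "req", 3, 1, 3, 40001),   # Design two: forged early reply, then the real one
        Record(2.02, "rsp", 3, 1, 3, 502),
        Record(2.05, "rsp", 3, 1, 3, 502),
        Record(3.00, "rsp", 9, 1, 16, 502),    # Design three: response with no request
        Record(4.00, "req", 4, 1, 3, 40001),   # Design four: request dropped, never answered
        Record(6.00, "req", 5, 1, 3, 40001),
        Record(6.05, "rsp", 5, 1, 3, 1234),    # reply not from port 502
        Record(7.00, "req", 6, 1, 3, 40001),
        Record(7.05, "rsp", 6, 1, 0x83, 502),  # legitimate exception response to FC 3
    ]
    det = Detector()
    for rec in stream:
        det.feed(rec)
    return det.flush(now=8.0)


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

Two design points worth noting. Transaction identifiers are only unique per TCP connection, so a production detector keys its pending table by (5-tuple, transaction identifier) rather than by transaction identifier alone, otherwise two masters or two connections from one master collide. And because the window is driven by packet timestamps, an idle link never closes a window; the flush() call, or a periodic timer in a live sensor, is what turns a silently dropped request into a type 3 alarm.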
Claims (6)
1. A network anomaly detection method based on a communication protocol is characterized by comprising the following steps:
step 1, when an industrial control system communication protocol Modbus TCP master device and a slave device communicate by adopting a request/response model; setting a detection point at a sending end of the industrial control system main equipment, and obtaining a legal and normal request data packet and a source port number and a function code thereof;
step 2, if the request data packet is maliciously modified by an attacker in a communication line sent to the slave equipment by the master equipment, the slave equipment returns a response data packet after executing wrong operation;
step 3, a detection device arranged at the sending end of the industrial control system main equipment obtains a source port number and a function code of the response data packet after receiving the response data packet;
and 4, matching the request data packet and the response data packet through the object identifier in the MBAP data packet head of the Modbus TCP protocol, wherein after the matching is successful, the function code of the request data packet is not equal to the function code of the response data packet, and the detection device considers that an attack action occurs at the moment.
2. The network anomaly detection method based on a communication protocol according to claim 1, characterized in that, in the request/response data model of the industrial control system in step 1, an attacker can also break the communication loop between the master and slave devices by intercepting the request packet sent by the master device to the slave device or the response packet sent by the slave device to the master device.
3. The method according to claim 1, characterized in that the function code of the response packet in step 2 is a maliciously modified function code.
4. The method according to claim 1, characterized in that, when the master device and the slave device communicate over Modbus TCP in step 2 and the master device receives two or more response packets for the same request, the master device accepts only the first response packet and discards those received later.
5. The method according to claim 1, characterized in that the attack behavior of step 4 includes the case where the detection device at the sending end of the master device detects only a response packet and no request packet, whereupon an alarm is raised.
6. The method according to claim 1, characterized in that, in the attack behavior of step 4, when the detection device at the exit of the master device detects a response packet sent by the slave device to the master device but does not detect the corresponding request packet sent by the master device to the slave device within a certain time period, the detection device considers that an attack has occurred and raises an alarm.
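As an added illustration (not code from the patent), the following Python detector implements the bidirectional request/response check of claims 1 and 4 to 6 together with the fourth anomaly type described above: it pairs frames by the MBAP transaction identifier and reports function-code mismatches, exception function codes (128-255), responses not originating from port 502, duplicate responses, and responses whose request never appears within a time window. The direction heuristic (destination port 502 means a request), the constructed sample frames and the window length are assumptions.

```python
import struct
from collections import namedtuple

MODBUS_PORT = 502  # the slave's listening port; a legitimate response comes from it
Frame = namedtuple("Frame", "ts src_port dst_port payload")  # capture time, ports, MBAP+PDU

def build_frame(ts, src_port, dst_port, tid, unit, pdu):
    """Constructed sample frame; the MBAP length field counts the unit id plus the PDU."""
    return Frame(ts, src_port, dst_port, struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit) + pdu)

def parse_mbap(payload):
    """Return (transaction id, unit id, function code); reject a header that lies about length."""
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    return tid, unit, payload[7]

class ModbusDetector:
    """Pairs requests with responses by MBAP transaction id and reports the
    mismatches the claims describe (the bidirectional check at the master's exit)."""
    def __init__(self, window=2.0):
        self.window = window   # claim 6: how long a response may wait for its request
        self.pending = {}      # tid -> function code of the outstanding request
        self.orphans = {}      # tid -> time a response arrived with no request seen
        self.answered = set()  # tids already answered (claim 4: keep first response only)

    def observe(self, frame):
        alerts = []
        for tid, t0 in list(self.orphans.items()):   # claim 6: request never arrived
            if frame.ts - t0 > self.window:
                alerts.append(f"tid {tid}: response with no request within {self.window}s")
                del self.orphans[tid]
        tid, _unit, fc = parse_mbap(frame.payload)
        if frame.dst_port == MODBUS_PORT:            # master -> slave request
            self.orphans.pop(tid, None)              # response merely came early: no alarm
            self.pending[tid] = fc
            return alerts
        if frame.src_port != MODBUS_PORT:            # slave -> master response
            alerts.append(f"tid {tid}: response source port {frame.src_port} is not 502")
        if tid in self.answered:
            alerts.append(f"tid {tid}: duplicate response discarded")
        elif tid not in self.pending:
            self.orphans[tid] = frame.ts
        else:
            self.answered.add(tid)
            req_fc = self.pending.pop(tid)
            if fc >= 128:
                alerts.append(f"tid {tid}: exception function code {fc} (request was {req_fc})")
            elif fc != req_fc:
                alerts.append(f"tid {tid}: function code {req_fc} in request but {fc} in response")
        return alerts
```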
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111212410.9A CN113965368A (en) | 2021-10-18 | 2021-10-18 | Network anomaly detection method based on communication protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111212410.9A CN113965368A (en) | 2021-10-18 | 2021-10-18 | Network anomaly detection method based on communication protocol |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113965368A true CN113965368A (en) | 2022-01-21 |
Family
ID=79464379
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111212410.9A Withdrawn CN113965368A (en) | 2021-10-18 | 2021-10-18 | Network anomaly detection method based on communication protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113965368A (en) |
- 2021-10-18 CN CN202111212410.9A patent/CN113965368A/en not_active Withdrawn
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Yang et al. | Intrusion detection system for IEC 60870-5-104 based SCADA networks | |
Lee et al. | A data mining and CIDF based approach for detecting novel and distributed intrusions | |
Morris et al. | A retrofit network intrusion detection system for MODBUS RTU and ASCII industrial control systems | |
US6792546B1 (en) | Intrusion detection signature analysis using regular expressions and logical operators | |
US7444679B2 (en) | Network, method and computer readable medium for distributing security updates to select nodes on a network | |
US20030084319A1 (en) | Node, method and computer readable medium for inserting an intrusion prevention system into a network stack | |
US20030084326A1 (en) | Method, node and computer readable medium for identifying data in a network exploit | |
US20030084321A1 (en) | Node and mobile device for a mobile telecommunications network providing intrusion detection | |
CN111510436B (en) | Network security system | |
KR100947211B1 (en) | System for active security surveillance | |
CN214306527U (en) | Gas pipe network scheduling monitoring network safety system | |
JP2007006054A (en) | Packet repeater and packet repeating system | |
CN110113336B (en) | Network flow abnormity analysis and identification method for transformer substation network environment | |
Kang et al. | Cyber threats and defence approaches in SCADA systems | |
Shitharth et al. | A comparative analysis between two countermeasure techniques to detect DDoS with sniffers in a SCADA network | |
GB2381722A (en) | intrusion detection (id) system which uses signature and squelch values to prevent bandwidth (flood) attacks on a server | |
Feng et al. | Snort improvement on profinet RT for industrial control system intrusion detection | |
JP2001034553A (en) | Network access control method and device therefor | |
Alsabbagh et al. | A fully-blind false data injection on PROFINET I/O systems | |
CN117560196A (en) | Intelligent substation secondary system testing system and method | |
CN112671781A (en) | RASP-based firewall system | |
Pranggono et al. | Intrusion detection systems for critical infrastructure | |
CN113965368A (en) | Network anomaly detection method based on communication protocol | |
Maynard et al. | Towards understanding man-on-the-side attacks (MotS) in SCADA networks | |
CN101222498A (en) | Method for improving network security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20220121 |