CN113965414B - Network monitoring method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN113965414B
Authority: CN (China)
Prior art keywords: request message, message, function code, request, matching
Legal status: Active
Application number: CN202111412825.0A
Other languages: Chinese (zh)
Other versions: CN113965414A (en)
Inventor: 刘丽
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Events: application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202111412825.0A; publication of CN113965414A; application granted; publication of CN113965414B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/903 Querying
    • G06F16/90335 Query processing

Abstract

An embodiment of the application provides a network monitoring method, an electronic device and a storage medium. The method comprises: obtaining a message; if the message is a request message, storing information of the request message in a pre-initialized protocol request table, matching the request message against a known risk level table to obtain a first matching result, and storing the information of the request message in a monitoring risk level table according to the first matching result; and if the message is a response message, matching the response message against the request messages in the protocol request table to obtain a second matching result, and storing the information of the matched request message from the protocol request table in the monitoring risk level table according to the second matching result. By implementing the embodiment, automatic monitoring of a network built on an upper computer system and a lower computer system is achieved.

Description

Network monitoring method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network monitoring method, a device, an electronic apparatus, and a computer readable storage medium.
Background
In industry today, an upper computer system (the supervisory host) typically manages the lower computer system (the field controller or device) remotely over Ethernet. Such interactive access can, however, lead to serious incidents on the industrial field devices: for example, a fatal modification command may be sent to the device server, or the server may return an abnormal response because of the command it received, and either can paralyze equipment across an industrial site. Security supervision of these interactive operations is therefore particularly important, since it can prevent large-scale damage to field equipment. Existing network monitoring methods require human intervention and cannot monitor automatically.
Disclosure of Invention
An object of an embodiment of the present application is to provide a network monitoring method, a device, an electronic apparatus, and a computer readable storage medium, which can automatically monitor a network in a communication system based on an upper computer and a lower computer.
In a first aspect, an embodiment of the present application provides a network monitoring method, where the method includes:
obtaining a message;
if the message is a request message, storing information of the request message in a pre-initialized protocol request table, matching the request message against a known risk level table to obtain a first matching result, and storing the information of the request message in a monitoring risk level table according to the first matching result;
and if the message is a response message, matching the response message against the request messages in the protocol request table to obtain a second matching result, and storing the information of the matched request message from the protocol request table in the monitoring risk level table according to the second matching result.
In this implementation, the request message is stored in the protocol request table, matched against the known risk level table, and its information is stored in the monitoring risk level table according to that matching result. Under normal conditions every request message has a response message that matches it, so each time a response message is obtained, the information of the matching request message in the protocol request table is stored in the monitoring risk level table according to the result of matching the response against the protocol request table. The risk of the information in a request message is thus determined from two results, its match against the known risk level table and its match against a response message, which realizes automatic monitoring of a communication network built on an upper computer system and a lower computer system.
Further, the information of the request message includes: the function code related to the industrial control protocol in the request message;
after the step of obtaining the message, the method further comprises:
acquiring a function code related to an industrial control protocol in the message;
the step of matching the request message with a known risk level table to obtain a first matching result, and storing the information of the request message in a monitored risk level table according to the first matching result comprises the following steps:
acquiring the risk level of the function code from the known risk level table according to the function code;
and if the risk level of the function code is acquired from the known risk level table, storing the request message in the monitoring risk level table according to the risk level.
In this implementation, the information of the request message includes the function code of the industrial control protocol. The function code identifies which operation the lower computer device is to perform, so the risk level corresponding to the function code can be looked up in the known risk level table; if a risk level is found there, the request message is stored in the monitoring risk level table according to that level.
Further, the information of the request message further includes: matching variables of the request message;
after the step of obtaining the function code related to the industrial control protocol in the request message, the method further comprises the following steps:
acquiring a depth analysis function corresponding to the function code from the pre-initialized instruction processing table according to the function code;
obtaining a matching variable of the message according to the function code and a depth analysis function corresponding to the function code, wherein the matching variable is used for identifying a request message and a response message which are matched with each other;
the step of matching the response message with the request message in the protocol request table to obtain a second matching result comprises the following steps:
and acquiring a request message matched with the response message from the protocol request table according to the matching variable of the response message and the matching variable of the request message, and obtaining the second matching result.
In this implementation, the information of the request message includes its matching variable. Once the function code of the industrial control protocol has been obtained, the deep analysis function bound to that function code is looked up in the pre-initialized instruction processing table, and the matching variable of the request message is extracted with it. When the obtained message is a response message, it is likewise analyzed with the deep analysis function to extract its matching variable, and the request message whose matching variable equals that of the response is retrieved from the protocol request table, giving the second matching result.
Further, the information of the request message includes: abnormal function codes related to the industrial control protocol in the message;
after the step of obtaining the depth analysis function corresponding to the function code in the pre-initialized instruction processing table according to the function code, the method further comprises the following steps:
and acquiring the abnormal function code related to the industrial control protocol in the message according to the function code and the depth analysis function corresponding to the function code.
In this implementation, the abnormal function code in the message (the exception function code; in Modbus it is the original function code with its high bit set) identifies an abnormal operation in the lower computer. It is extracted and stored in the monitoring risk level table, which facilitates subsequent analysis.
Further, the information of the request message further includes: the operation attribute of the function code;
after the step of obtaining the depth analysis function corresponding to the function code in the pre-initialized instruction processing table according to the function code, the method further comprises the following steps:
acquiring the operation attribute of the function code according to the function code and a depth analysis function corresponding to the function code;
the step of storing the information of the request message in the protocol request table in the monitoring danger level table according to the second matching result includes:
and if the second matching result is successful, storing the information of the request message matched with the response message in the monitoring danger level table according to the operation attribute of the function code in the request message matched with the response message.
In this implementation, the function code represents the action executed by the lower computer. According to the operation attribute of the function code in the request matched by the response, the risk level of the request message can be further distinguished, and the request message is stored in the monitoring risk level table accordingly.
Further, the method further comprises:
and at preset time intervals, storing the information of request messages in the protocol request table for which no matching response message has been received in the monitoring risk level table according to the operation attribute of the function code in each such request message.
In this implementation, if no response message matching a request message in the protocol request table is received within a period of time, the request is taken to involve an abnormal operation, so the information of that request message must be stored in the monitoring risk level table according to the operation attribute of its function code.
Further, the method further comprises:
and in response to the number of entries in the protocol request table reaching a preset threshold, storing the information of the request messages in the protocol request table in the monitoring risk level table according to the operation attribute of the function code in each request message.
In this implementation, when the number of entries in the protocol request table reaches the preset threshold, it indicates that response messages corresponding to those request messages have not been obtained; the request messages in the protocol request table are then stored in the monitoring risk level table according to the operation attribute of their function codes.
In a second aspect, the present application provides a network monitoring apparatus, including:
the acquisition module is used for acquiring the message;
the matching module is used, when the message is a request message, to store the information of the request message in a pre-initialized protocol request table, match the request message against an initialized known risk level table to obtain a first matching result, and store the information of the request message in the monitoring risk level table according to the first matching result; and, when the message is a response message, to match the response message against the request messages in the protocol request table to obtain a second matching result, and store the information of the matched request message from the protocol request table in the monitoring risk level table according to the second matching result.
In a third aspect, an electronic device provided in an embodiment of the present application includes: a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of the first aspects when the computer program is executed.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, where instructions are stored, which when executed on a computer, cause the computer to perform the method according to any one of the first aspects.
Additional features and advantages of the disclosure will be set forth in the description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a network monitoring method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a network monitoring device according to an embodiment of the present application;
fig. 3 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Example 1
An embodiment of the present application provides a network monitoring method, as shown in fig. 1, including:
S1: obtaining a message;
S2: if the message is a request message, storing information of the request message in a pre-initialized protocol request table, matching the request message against a known risk level table to obtain a first matching result, and storing the information of the request message in a monitoring risk level table according to the first matching result;
S3: if the message is a response message, matching the response message against the request messages in the protocol request table to obtain a second matching result, and storing the information of the matched request message from the protocol request table in the monitoring risk level table according to the second matching result.
In the above embodiment, the request message is stored in the protocol request table, matched against the known risk level table, and its information is stored in the monitoring risk level table according to that matching result. Since under normal conditions every request message should have a matching response message, each time a response message is obtained, the information of the matching request message in the protocol request table is stored in the monitoring risk level table according to the result of matching the response against the protocol request table. The risk of the information in a request message is thus determined from both its match against the known risk level table and its match against a response message, which realizes automatic monitoring of a communication network built on an upper computer system and a lower computer system.
In one possible implementation, the information of the request message includes: a function code related to an industrial control protocol in the request message;
after the message is acquired, the method further comprises the following steps:
acquiring a function code related to an industrial control protocol in a message;
matching the request message with a known risk level table to obtain a first matching result, and storing the information of the request message in a monitoring risk level table according to the first matching result, wherein the step comprises the following steps:
acquiring the dangerous level of the function code from a known dangerous level table according to the function code;
and if the risk level of the function code is obtained from the known risk level table, storing the request message in the monitoring risk level table according to the risk level.
The information in the request message comprises the function code of the industrial control protocol, a number that identifies which operation the lower computer device is to perform, so the risk level corresponding to the function code can be looked up in the known risk level table; if a risk level is found there, the request message is stored in the monitoring risk level table according to that level.
In an embodiment of the present application, the monitoring risk level table comprises a high-risk level table, a medium-risk level table and a low-risk level table. Each entry of the known risk level table holds a function code and the risk level corresponding to it.
For example, if the known risk level table lists Modbus function code 90 as high risk, the information of a request message carrying function code 90 is stored in the high-risk level table.
In one possible implementation, the information of the request message further includes: matching variables of the request message;
after the step of obtaining the function code related to the industrial control protocol in the request message, the method further comprises the following steps:
acquiring a depth analysis function corresponding to the function code from a pre-initialized instruction processing table according to the function code;
obtaining a matching variable of the message according to the function code and a depth analysis function corresponding to the function code, wherein the matching variable is used for identifying a request message and a response message which are matched with each other;
matching the response message with the request message in the protocol request table to obtain a second matching result, including:
and acquiring the request message matched with the response message from the protocol request table according to the matching variable of the response message and the matching variable of the request message, so as to obtain a second matching result.
In the embodiment of the application, the deep analysis function is an analysis function preset for each protocol. Messages with different function codes carry different parameters, and those parameters include the matching variable among others.
For example, the information stored in the protocol request table includes, for each message, the function code, the exception function code and the matching variable, and may additionally include the event profile corresponding to the function code.
In the above embodiment, the information of the request message includes its matching variable. Once the function code of the industrial control protocol has been obtained, the deep analysis function bound to that function code is looked up in the pre-initialized instruction processing table and used to extract the matching variable of the request message. When the obtained message is a response message, it is analyzed with the deep analysis function in the same way, its matching variable is extracted, and the request message with the same matching variable is retrieved from the protocol request table, giving the second matching result.
In one possible implementation, the information of the request message includes: abnormal function codes related to industrial control protocol in the message;
after the step of obtaining the depth analysis function corresponding to the function code in the pre-initialized instruction processing table according to the function code, the method further comprises the following steps:
and acquiring the abnormal function code related to the industrial control protocol in the message according to the function code and the depth analysis function corresponding to the function code.
In the above embodiment, the abnormal (exception) function code in the message identifies an abnormal operation in the lower computer; it is extracted and stored in the monitoring risk level table, which benefits subsequent analysis.
For example, the information stored in the protocol request table and in the monitoring risk level table includes, for each message, the function code, the abnormal function code and the matching variable, and may additionally include the event profile corresponding to the function code.
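The matching-variable and abnormal-function-code steps above, as an added example that is not part of the patent or of any Topsec product: a Modbus/TCP frame parser with an instruction processing table that binds each function code to a deep-parse function and to its read or write operation attribute. The table layout, the function names and the sample frames are assumptions of this example; it uses the MBAP transaction identifier as the matching variable and recognises an exception response by the high bit of the function code.

```python
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class ParsedMessage:
    transaction_id: int            # matching variable: the MBAP transaction identifier
    unit_id: int
    function_code: int             # function code with the exception bit (0x80) cleared
    is_response: bool
    attribute: str                 # "read", "write" or "unknown", from the instruction processing table
    exception_code: Optional[int]  # Modbus exception code when the PDU is an exception response
    detail: dict = field(default_factory=dict)  # output of the deep-parse function


# Deep-parse functions, one per function code; each takes the PDU and the direction.
def parse_read(pdu: bytes, is_response: bool) -> dict:
    if is_response:                       # byte count followed by the data bytes
        n = pdu[1]
        return {"byte_count": n, "data": pdu[2:2 + n]}
    start, qty = struct.unpack(">HH", pdu[1:5])
    return {"start": start, "quantity": qty}


def parse_write_single(pdu: bytes, is_response: bool) -> dict:
    addr, value = struct.unpack(">HH", pdu[1:5])  # the response echoes the request fields
    return {"address": addr, "value": value}


def parse_write_multiple_coils(pdu: bytes, is_response: bool) -> dict:
    start, qty = struct.unpack(">HH", pdu[1:5])
    d = {"start": start, "quantity": qty}
    if not is_response:                   # only the request carries the coil values
        n = pdu[5]
        d["data"] = pdu[6:6 + n]
    return d


# Instruction processing table (assumed layout): function code -> (deep-parse function, operation attribute).
INSTRUCTION_TABLE: Dict[int, Tuple[Callable[[bytes, bool], dict], str]] = {
    1:  (parse_read, "read"),                   # read coils
    2:  (parse_read, "read"),                   # read discrete inputs
    3:  (parse_read, "read"),                   # read holding registers
    5:  (parse_write_single, "write"),          # write single coil
    6:  (parse_write_single, "write"),          # write single register
    15: (parse_write_multiple_coils, "write"),  # write multiple coils
}


def parse_modbus_tcp(frame: bytes, is_response: bool) -> ParsedMessage:
    """Parse one Modbus/TCP frame (MBAP header + PDU); direction comes from the capture (port 502 side)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(frame) - 6:          # the MBAP length field covers unit id + PDU
        raise ValueError("MBAP length disagrees with frame size")
    pdu = frame[7:]
    raw_fc = pdu[0]
    if raw_fc & 0x80:
        # Exception response: original function code with the high bit set, then one exception code byte.
        fc = raw_fc & 0x7F
        entry = INSTRUCTION_TABLE.get(fc)
        return ParsedMessage(tid, uid, fc, True, entry[1] if entry else "unknown", pdu[1])
    entry = INSTRUCTION_TABLE.get(raw_fc)
    if entry is None:                     # no deep-parse function bound: keep the code, mark attribute unknown
        return ParsedMessage(tid, uid, raw_fc, is_response, "unknown", None)
    deep_parse, attr = entry
    return ParsedMessage(tid, uid, raw_fc, is_response, attr, None, deep_parse(pdu, is_response))


# Constructed sample frames (not captured traffic); the second element is the direction.
FRAMES = [
    (bytes.fromhex("000100000006010300000002"), False),      # FC3 request: 2 holding registers from 0
    (bytes.fromhex("000100000007010304000a000b"), True),     # FC3 response: 4 data bytes
    (bytes.fromhex("000200000006010600101234"), False),      # FC6 request: write 0x1234 to register 0x10
    (bytes.fromhex("000200000003018602"), True),             # FC6 exception response, code 2
]


def parse_all() -> list:
    return [parse_modbus_tcp(f, r) for f, r in FRAMES]
```

The request and response of each pair share the transaction identifier, which is what the protocol request table is keyed on; the exception response keeps function code 6 and the write attribute of the request it answers, with the exception code carried alongside.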
In one possible implementation, the information of the request message further includes: the operational properties of the function code;
after the step of obtaining the depth analysis function corresponding to the function code in the pre-initialized instruction processing table according to the function code, the method further comprises the following steps:
acquiring the operation attribute of the function code according to the function code and the depth analysis function corresponding to the function code;
in one possible embodiment, S3 includes: and if the second matching result is successful, storing the information of the request message matched with the response message in a monitoring danger level table according to the operation attribute of the function code in the request message matched with the response message.
The function code represents the action executed by the lower computer. According to the operation attribute corresponding to the function code of the request matched by the response, the risk level of the request message is further distinguished and the request message is stored in the monitoring risk level table accordingly.
In one possible implementation, building on the high-, medium- and low-risk level tables above, the operation attributes are a read attribute and a write attribute. When a request message matching the response exists in the protocol request table (that is, the second matching result is successful), the request message is stored in the monitoring risk level table according to the operation attribute of its function code, for example:
if the function code has the read operation attribute, the request message is put into the low-risk level table; if it has the write operation attribute, the request message is put into the high-risk level table.
In one possible embodiment, the method further comprises:
and at preset time intervals, storing the information of request messages in the protocol request table for which no matching response message has been received in the monitoring risk level table according to the operation attribute of the function code in each such request message.
In this implementation, if no response message matching a request message in the protocol request table is received within a period of time, the request is taken to involve an abnormal operation, so the information of that request message must be stored in the monitoring risk level table according to the operation attribute of its function code.
In one possible implementation, in response to the number of entries in the protocol request table reaching a preset threshold, the information of the request messages in the protocol request table is stored in the monitoring risk level table according to the operation attribute of the function code in each request message.
In this implementation, when the number of entries in the protocol request table reaches the preset threshold, it indicates that response messages corresponding to those request messages have not been obtained; the request messages in the protocol request table are then stored in the monitoring risk level table according to the operation attribute of their function codes.
In one possible implementation, building on the same high-, medium- and low-risk level tables, when a request message in the protocol request table has no matching response message, it is stored in the monitoring risk level table according to the attribute of its function code, for example:
if the function code of the request message has the read operation attribute, its information is put into the low-risk level table; if it has the write operation attribute, its information is put into the medium-risk level table.
In one possible implementation manner, after the function code of the request message is acquired, the method further includes:
looking up, in a pre-initialized simulator usage scheme comparison table, the path of the scheme document for handling that industrial control protocol function code.
It can be appreciated that, in the above embodiments, the information of the request message includes: the matching variable, the function code, the abnormal function code and the usage document path of the request message.
In one possible implementation, when the session between the upper computer system and the lower computer system ends, the monitoring risk level table is traversed, a security analysis report is formed from it, and the report is displayed on the operation supervision management interface.
An embodiment of the application also provides initialization methods for the protocol request table, the instruction processing table, the known risk level table and the simulator usage scheme comparison table.
The instruction processing table is initialized as follows: the function codes or instructions of the industrial control protocol (a function code is the identifier of an action performed on a real device; in Modbus, for example, function code 1 reads coil status values and function code 15 writes multiple coils) are initialized one by one in a loop, binding each function code (or instruction) to its deep analysis processing function and to its operation attribute, which is either a read operation attribute or a write operation attribute. For example, in the Modbus protocol function code 2 reads discrete inputs and function code 3 reads multiple (holding) registers, both read operations; function code 5 writes a single coil and function code 6 writes a single register, both write operations.
The protocol request table is initialized by creating a linked list; the structure variable of each node mainly comprises the matching variable, the deep analysis information (function code, abnormal function code, matching variable and the like) and a pointer to the next node.
The known risk level table is initialized by storing, in a loop, each function code or instruction with a known risk level; each entry mainly comprises the function code (or instruction name), the risk level (mainly high, medium or low), a threat behaviour description and a potential harm description.
The simulator usage scheme comparison table is initialized by reading, in a loop, the path of the usage scheme document of each industrial control protocol simulator together with the simulator name, forming an index table.
Example 2
An embodiment of the present application provides a network monitoring device, as shown in fig. 2, which includes:
an acquisition module 1 for acquiring a message;
a matching module 2 configured, if the message is a request message, to store the information of the request message in a pre-initialized protocol request table, match the request message against a known risk level table to obtain a first matching result, and store the information of the request message in a monitoring risk level table according to the first matching result; and, if the message is a response message, to match the response message against the request messages in the protocol request table to obtain a second matching result, and store the information of the matched request message from the protocol request table in the monitoring risk level table according to the second matching result.
In one possible implementation, the information of the request message includes the function code related to the industrial control protocol in the request message; the acquisition module 1 is further used to acquire the function code related to the industrial control protocol in the message; the matching module 2 is further used to look up the risk level of the function code in the known risk level table according to the function code, and, if a risk level for the function code is found in the known risk level table, to store the request message in the monitoring risk level table according to that risk level.
In one possible implementation, the information of the request message further includes the matching variable of the request message; the acquisition module 1 is further used to acquire, according to the function code, the deep parsing function corresponding to the function code from a pre-initialized instruction processing table, and to acquire the matching variable of the message according to the function code and its deep parsing function, where the matching variable identifies a request message and a response message that match each other; the matching module 2 is further configured to find, in the protocol request table, the request message matching the response message according to the matching variable of the response message and the matching variable of the request message, so as to obtain the second matching result.
In one possible implementation, the information of the request message includes the abnormal function code related to the industrial control protocol in the message; the acquisition module 1 is further configured to acquire the abnormal function code related to the industrial control protocol in the message according to the function code and the deep parsing function corresponding to the function code.
In one possible implementation, the information of the request message further includes the operation attribute of the function code; the acquisition module 1 is further used to acquire the operation attribute of the function code according to the function code and its deep parsing function; and the matching module 2 is further used, when the second matching result is a successful match, to store the information of the request message matched with the response message in the monitoring risk level table according to the operation attribute of the function code in that request message.
In one possible embodiment, the apparatus further comprises an execution module, used to store, at preset time intervals, the information of the request messages matched with response messages in the monitoring risk level table according to the operation attribute of the function code in each request message; and, in response to an instruction that the number of entries in the protocol request table has reached a preset threshold, to store the information of the request messages in the protocol request table in the monitoring risk level table according to the operation attribute of the function codes in those request messages.
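The following added example, written for this page and not the patent's own code, illustrates in Python both the table initialization described above (instruction processing table, protocol request table, known risk level table, monitoring risk level table) and the request/response matching performed by the acquisition and matching modules. It assumes Modbus/TCP framing (a 7-byte MBAP header of transaction identifier, protocol identifier, length and unit identifier, followed by the PDU), takes the pair (unit identifier, transaction identifier) as the matching variable, and uses constructed sample frames and constructed risk-level entries; all function and class names are the example's own.

```python
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Known risk level table (constructed sample entries, not the patent's data):
# function code -> (risk level, threat behaviour description, potential hazard description)
KNOWN_RISK_TABLE: Dict[int, Tuple[str, str, str]] = {
    15: ("high", "write multiple coils", "bulk change of actuator states"),
    5: ("medium", "write single coil", "toggles one actuator"),
    6: ("medium", "write single register", "changes one setpoint"),
}

# Deep parsing functions bound to function codes; each receives the request PDU data after the code.
def parse_read_request(data: bytes) -> dict:
    start, count = struct.unpack(">HH", data[:4])
    return {"start": start, "count": count}

def parse_write_single(data: bytes) -> dict:
    address, value = struct.unpack(">HH", data[:4])
    return {"address": address, "value": value}

def parse_write_multiple(data: bytes) -> dict:
    start, count, byte_count = struct.unpack(">HHB", data[:5])
    return {"start": start, "count": count, "payload": data[5:5 + byte_count]}

# Instruction processing table: function code -> (deep parsing function, operation attribute)
INSTRUCTION_TABLE: Dict[int, Tuple[Callable[[bytes], dict], str]] = {
    1: (parse_read_request, "read"),      # read coils
    2: (parse_read_request, "read"),      # read discrete inputs
    3: (parse_read_request, "read"),      # read multiple registers
    5: (parse_write_single, "write"),     # write single coil
    6: (parse_write_single, "write"),     # write single register
    15: (parse_write_multiple, "write"),  # write multiple coils
}

@dataclass
class Message:
    match_key: Tuple[int, int]       # matching variable: (unit id, transaction id), an assumption
    func_code: int
    exception_code: Optional[int]    # set when the frame carries an abnormal (exception) function code
    attribute: str                   # "read", "write" or "unknown"
    fields: dict = field(default_factory=dict)

def parse_modbus_tcp(frame: bytes, is_request: bool) -> Message:
    """Parse one Modbus/TCP frame (assumed framing: 7-byte MBAP header followed by the PDU)."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length < 1:
        raise ValueError("not a Modbus/TCP frame")
    pdu = frame[7:7 + length - 1]
    raw_code = pdu[0]
    func_code = raw_code & 0x7F      # an exception response sets the high bit of the function code
    parse_fn, attribute = INSTRUCTION_TABLE.get(func_code, (None, "unknown"))
    if raw_code & 0x80:
        return Message((uid, tid), func_code, pdu[1], attribute)
    fields = parse_fn(pdu[1:]) if (is_request and parse_fn) else {}
    return Message((uid, tid), func_code, None, attribute, fields)

class Monitor:
    def __init__(self, max_pending: int = 1000):
        self.protocol_request_table: Dict[Tuple[int, int], Message] = {}  # pending requests
        self.monitoring_table: list = []  # rows: (risk level, function code, note, parsed fields)
        self.max_pending = max_pending

    def on_request(self, msg: Message) -> None:
        self.protocol_request_table[msg.match_key] = msg
        hit = KNOWN_RISK_TABLE.get(msg.func_code)            # first matching result
        if hit is not None:
            self.monitoring_table.append((hit[0], msg.func_code, hit[1], msg.fields))
        if len(self.protocol_request_table) >= self.max_pending:
            self.flush_pending()

    def on_response(self, msg: Message) -> Optional[Message]:
        req = self.protocol_request_table.pop(msg.match_key, None)   # second matching result
        if req is None:
            return None                                       # unsolicited or duplicate response
        if msg.exception_code is not None:
            self.monitoring_table.append(("low", req.func_code, f"exception {msg.exception_code}", req.fields))
        elif req.attribute == "write":
            self.monitoring_table.append(("low", req.func_code, "completed write", req.fields))
        return req

    def flush_pending(self) -> None:
        """Record still-unanswered write requests by operation attribute, then empty the table."""
        for req in self.protocol_request_table.values():
            if req.attribute == "write":
                self.monitoring_table.append(("low", req.func_code, "unanswered write", req.fields))
        self.protocol_request_table.clear()

    def handle(self, frame: bytes, is_request: bool):
        msg = parse_modbus_tcp(frame, is_request)
        return self.on_request(msg) if is_request else self.on_response(msg)

# Constructed sample frames: a write-multiple-coils exchange, then a read-coils request answered
# with an exception response (code 0x81, exception 2).
REQ_WRITE_COILS = struct.pack(">HHHB", 1, 0, 9, 1) + bytes([0x0F, 0x00, 0x13, 0x00, 0x0A, 0x02, 0xCD, 0x01])
RSP_WRITE_COILS = struct.pack(">HHHB", 1, 0, 6, 1) + bytes([0x0F, 0x00, 0x13, 0x00, 0x0A])
REQ_READ_COILS = struct.pack(">HHHB", 2, 0, 6, 1) + bytes([0x01, 0x00, 0x00, 0x00, 0x08])
RSP_READ_EXCEPTION = struct.pack(">HHHB", 2, 0, 3, 1) + bytes([0x81, 0x02])

def run_demo() -> Monitor:
    mon = Monitor()
    for frame, is_req in [(REQ_WRITE_COILS, True), (RSP_WRITE_COILS, False),
                          (REQ_READ_COILS, True), (RSP_READ_EXCEPTION, False)]:
        mon.handle(frame, is_req)
    return mon

if __name__ == "__main__":
    for row in run_demo().monitoring_table:
        print(row)
```

Running the block prints three monitoring rows: the write-multiple-coils request hits the known risk level table at request time, its matched response records a completed write, and the exception response records the abnormal function code against the read request it matched. The same flush_pending routine serves both the preset-time-interval path and the size-threshold path of the execution module described above; a dictionary keyed by the matching variable stands in for the linked list of the protocol request table.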
Example 3
As shown in fig. 3, embodiments of the present application also provide an electronic device that may include a processor 31, a communication interface 32, a memory 33, and at least one communication bus 34. Wherein the communication bus 34 is used to enable direct connection communication of these components. The communication interface 32 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The processor 31 may be an integrated circuit chip with signal processing capabilities.
The processor 31 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. It may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor, or the processor 31 may be any conventional processor or the like.
The memory 33 may be, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), etc. The memory 33 stores computer readable instructions which, when executed by the processor 31, cause the apparatus to perform the steps involved in the method embodiments.
Optionally, the electronic device may further include a storage controller, an input-output unit. The memory 33, the memory controller, the processor 31, the peripheral interface, and the input/output unit are electrically connected directly or indirectly to each other, so as to realize data transmission or interaction. For example, the components may be electrically coupled to each other via one or more communication buses 34. The processor 31 is arranged to execute executable modules stored in the memory 33, such as software functional modules or computer programs comprised by the device.
The input/output unit is used to let the user create a task and set a selectable start period or preset execution time for that task, so as to realize interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 3 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 3, or have a different configuration than shown in fig. 3. The components shown in fig. 3 may be implemented in hardware, software, or a combination thereof.
The embodiment of the application also provides a storage medium on which instructions are stored; when the instructions are executed on a computer by a processor, they implement the method of the method embodiment. To avoid repetition, the description is omitted here.
The application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiment.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored on a computer readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (9)

1. A method for monitoring a network, comprising:
obtaining a message;
if the message is a request message, storing information of the request message in a pre-initialized protocol request table, and matching the request message with a known risk level table to obtain a first matching result, and storing the information of the request message in a monitoring risk level table according to the first matching result;
if the message is a response message, matching the response message with the request message in the protocol request table to obtain a second matching result, and storing the information of the request message in the protocol request table in the monitoring risk level table according to the second matching result;
the information of the request message comprises: the function code related to the industrial control protocol in the request message;
after the step of obtaining the message, the method further comprises:
acquiring a function code related to an industrial control protocol in the message;
the step of matching the request message with a known risk level table to obtain a first matching result, and storing the information of the request message in a monitored risk level table according to the first matching result comprises the following steps:
acquiring the risk level of the function code from the known risk level table according to the function code;
and if the risk level of the function code is acquired from the known risk level table, storing the request message in the monitoring risk level table according to the risk level.
2. The network monitoring method of claim 1, wherein,
the information of the request message further comprises: matching variables of the request message;
after the step of obtaining the function code related to the industrial control protocol in the request message, the method further comprises the following steps:
acquiring a depth analysis function corresponding to the function code from the pre-initialized instruction processing table according to the function code;
obtaining a matching variable of the message according to the function code and a depth analysis function corresponding to the function code, wherein the matching variable is used for identifying a request message and a response message which are matched with each other;
the step of matching the response message with the request message in the protocol request table to obtain a second matching result comprises the following steps:
and acquiring a request message matched with the response message from the protocol request table according to the matching variable of the response message and the matching variable of the request message, and obtaining the second matching result.
3. The network monitoring method of claim 1, wherein,
the information of the request message comprises: abnormal function codes related to the industrial control protocol in the message;
after the step of obtaining the depth analysis function corresponding to the function code in the pre-initialized instruction processing table according to the function code, the method further comprises the following steps:
and acquiring the abnormal function code related to the industrial control protocol in the message according to the function code and the depth analysis function corresponding to the function code.
4. The network monitoring method of claim 3, wherein,
the information of the request message further comprises: the operation attribute of the function code;
after the step of obtaining the depth analysis function corresponding to the function code in the pre-initialized instruction processing table according to the function code, the method further comprises the following steps:
acquiring the operation attribute of the function code according to the function code and a depth analysis function corresponding to the function code;
the step of storing the information of the request message in the protocol request table in the monitoring risk level table according to the second matching result includes:
and if the second matching result is successful, storing the information of the request message matched with the response message in the monitoring risk level table according to the operation attribute of the function code in the request message matched with the response message.
5. The network monitoring method of claim 1, wherein the method further comprises:
and storing the information of the request message matched with the response message in the monitoring risk level table at preset time intervals according to the operation attribute of the function code in the request message.
6. The network monitoring method of claim 5, further comprising:
and responding to an instruction that the number of entries in the protocol request table reaches a preset threshold value, and storing the information of the request messages in the protocol request table in the monitoring risk level table according to the operation attribute of the function codes in the request messages in the protocol request table.
7. A network monitoring device, comprising:
the acquisition module is used for acquiring the message;
the matching module is used for storing the information of the request message in a pre-initialized protocol request table if the message is the request message, matching the request message with a known risk level table to obtain a first matching result, and storing the information of the request message in a monitoring risk level table according to the first matching result;
if the message is a response message, matching the response message with the request message in the protocol request table to obtain a second matching result, and storing the information of the request message in the protocol request table in the monitoring risk level table according to the second matching result;
the information of the request message comprises: a function code related to an industrial control protocol in the request message; the acquisition module is also used for acquiring the function code related to the industrial control protocol in the message; the matching module is also used for acquiring the risk level of the function code from the known risk level table according to the function code; and if the risk level of the function code is obtained from the known risk level table, storing the request message in the monitoring risk level table according to the risk level.
8. An electronic device, comprising: a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the network monitoring method according to any one of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium having instructions stored thereon which, when run on a computer, cause the computer to perform the network monitoring method of any of claims 1 to 6.
CN202111412825.0A 2021-11-25 2021-11-25 Network monitoring method and device, electronic equipment and storage medium Active CN113965414B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111412825.0A CN113965414B (en) 2021-11-25 2021-11-25 Network monitoring method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111412825.0A CN113965414B (en) 2021-11-25 2021-11-25 Network monitoring method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113965414A CN113965414A (en) 2022-01-21
CN113965414B true CN113965414B (en) 2023-10-13

Family

ID=79472031

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111412825.0A Active CN113965414B (en) 2021-11-25 2021-11-25 Network monitoring method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113965414B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468497A (en) * 2014-08-19 2015-03-25 北京绿叶丰谷科技发展有限公司 Data isolation method and device of monitoring system
KR20180096335A (en) * 2017-02-21 2018-08-29 아주대학교산학협력단 Method and apparatus for visualizing anomaly detection in network forensics
CN110430187A (en) * 2019-08-01 2019-11-08 英赛克科技(北京)有限公司 Communication message method for auditing safely in industrial control system
CN111371913A (en) * 2020-02-21 2020-07-03 深圳震有科技股份有限公司 Method for acquiring media IP MAC address and intelligent terminal
CN111683055A (en) * 2020-05-14 2020-09-18 北京邮电大学 Industrial honey pot control method and device
CN112995133A (en) * 2021-02-02 2021-06-18 深圳市科陆电子科技股份有限公司 Analysis method, device and system based on modbus protocol

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7155512B2 (en) * 2001-05-23 2006-12-26 Tekelec Methods and systems for automatically configuring network monitoring system

Also Published As

Publication number Publication date
CN113965414A (en) 2022-01-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant