CN114205126A - Method, device and medium for attack detection in industrial system - Google Patents


Info

Publication number
CN114205126A
Authority
CN
China
Prior art keywords
detection
industrial
attack
protocol
attack detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111410027.4A
Other languages
Chinese (zh)
Inventor
李欣
李元正
于永磊
王思同
陈君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Guotai Wangxin Technology Co ltd
Beijing Guotai Netcom Technology Co ltd
Original Assignee
Chengdu Guotai Wangxin Technology Co ltd
Beijing Guotai Netcom Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-11-25
Filing date
2021-11-25
Publication date
2022-03-18
2021-11-25 Application filed by Chengdu Guotai Wangxin Technology Co ltd, Beijing Guotai Netcom Technology Co ltd
2021-11-25 Priority to CN202111410027.4A
2022-03-18 Publication of CN114205126A
Legal status: Pending (see Legal Events below)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method, a device and a medium for detecting attacks in an industrial system. The method comprises the following steps: S1: collecting industrial control network packets; S2: parsing the industrial control network packets to obtain protocol analysis data; S3: matching the protocol analysis data against rules to obtain a matching result, analysing the protocol analysis data with detection code to obtain an analysis result, and referring to the matching result and the analysis result collectively as the detection result; S4: reporting the detection result to Kafka, where middleware extracts the detection result from Kafka and persists it to a database to form an attack detection log; S5: sending the attack detection log to a third-party system through Syslog for unified analysis and processing. The method and system use both rules and code to detect network attacks on the industrial system, which improves the accuracy and efficiency of attack detection, and send the attack detection data to a third-party system through syslog for further analysis, which improves the utilisation of the attack data.

Description

Method, device and medium for attack detection in industrial system
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, and a medium for attack detection in an industrial system.
Background
In recent years network attack events have become frequent; Trojans, worms and ransomware on the Internet emerge endlessly and pose a serious threat to network security.
With the growing digitisation of industrial control systems and the deep integration of industrialisation and informatisation, security problems originating in the information network, such as Trojans and viruses, increasingly threaten industrial control systems, and attacks aimed at industrial control networks have become the norm. Attack detection in the related art currently focuses on the network security problems of the Internet. Existing industrial network attack detection methods rely mainly on intrusion detection systems that are not fully suited to industrial control systems and that have a high false-alarm rate and low detection efficiency. Moreover, the detected attack data are only stored in the detection system itself, so the data are poorly utilised.
Disclosure of Invention
To solve the above problems, the present invention provides a method, device and medium for detecting an attack in an industrial system, which improve the accuracy and efficiency of attack detection.
The technical scheme adopted by the invention is as follows:
a method of attack detection in an industrial system, comprising the steps of:
s1: collecting industrial control network packets;
s2: parsing the industrial control network packets to obtain protocol analysis data;
s3: matching the protocol analysis data against rules to obtain a matching result, analysing the protocol analysis data with detection code to obtain an analysis result, and referring to the matching result and the analysis result collectively as the detection result;
s4: reporting the detection result to Kafka, where middleware extracts the detection result from Kafka and persists it to a database to form an attack detection log;
s5: sending the attack detection log to a third-party system through Syslog for unified analysis and processing.
Further, in step S1, all hosts in the industrial control network are connected to an industrial switch over an industrial Ethernet protocol, and the industrial control network packets are collected from the mirror (port-mirroring) port of the industrial switch.
Further, in step S2, parsing the industrial control network packet with the protocol deep-parsing engine includes: identifying the protocol type and protocol characteristic values, measuring the traffic volume of each protocol, and extracting the source and destination IP addresses, source and destination MAC addresses and port information.
Further, the rules in step S3 include industrial control protocol vulnerability rules, industrial control system vulnerability rules and common network attack rules, and are matched with Suricata.
Further, the detection code in step S3 refers to detection components written according to attack characteristics, including DoS/DDoS attack detection and port-scan detection.
Further, Kafka in step S4 is a message middleware, namely a distributed log system coordinated through ZooKeeper; the middleware is a business-processing function module developed in Java that reads messages from Kafka and persists them to a database.
Further, the attack detection log in step S4 includes the time of occurrence, the event packet length, the source and destination IP addresses, the source and destination MAC addresses, the attack content and the protocol information.
Further, the third-party system in step S5, which includes a situational awareness system and a security management platform, can perform unified analysis on the data and take early-warning action.
A computer arrangement comprising a memory storing a computer program and a processor implementing the steps of the method of attack detection in an industrial system when executing the computer program.
A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method of attack detection in an industrial system.
The invention has the beneficial effects that:
the method and system use both rules and code to detect network attacks on the industrial system, which improves the accuracy and efficiency of attack detection; they send the attack detection data through syslog to a situational awareness system or a security management platform for further analysis and early-warning actions, which improves the utilisation of the attack data.
Drawings
Fig. 1 is a flowchart of a method for detecting an attack in an industrial system according to embodiment 1 of the present invention.
Fig. 2 is a flowchart of analyzing an industrial control message according to embodiment 1 of the present invention.
Fig. 3 is a flow chart of rule matching and code detection in embodiment 1 of the present invention.
Detailed Description
In order to more clearly understand the technical features, objects, and effects of the present invention, specific embodiments of the present invention will now be described. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
As shown in fig. 1, the present embodiment provides a method for detecting an attack in an industrial system, which includes the following steps:
S101, collecting packets of the industrial control system.
The system obtains packets from the mirror port of the industrial switch. Specifically, the system is deployed out of band (bypass mode): a service port is connected to the industrial switch to receive its mirrored traffic, and all hosts in the industrial control network are connected to the switch over an industrial Ethernet protocol.
S102, analyzing the industrial control system message (as shown in figure 2).
The industrial control system packets are parsed by a deep inspection engine. The IP packet inside the industrial control system message is parsed, and the host request information and the corresponding host response information are extracted from it: the host request information comprises the source IP address and source MAC address, and the host response information comprises the destination IP address and destination MAC address.
Specifically, after a packet has been captured, the deep inspection engine analyses it in the following steps:
1) decode the IP packet, IPv4 or IPv6, and store the IP node in memory;
2) initialise the flow data of each protocol, perform IP/MAC detection, and judge whether an unknown device is present;
3) determine the transport-layer protocol type; if it is a TCP segment, judge whether the message is segmented and reassemble segmented messages;
4) perform deep parsing of the application-layer protocol. Protocols supported so far include HTTP, FTP, POP3, SMTP, Telnet, SNMP, Modbus, OPCDA, S7, DNP3, IEC104, MMS, Profinetio, Pnrtdcp, Goose, SV, EnipTcp, EnipUdp, EnipIo and OPCUA;
5) after parsing, obtain the analysis result, which includes the protocol type, the characteristic values, the traffic volume of the protocol, the source and destination IP addresses and the source and destination MAC addresses;
6) update the flow data of each protocol.
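To make the parsing steps above concrete, here is an added example in Python (not code from the patent or its applicants) of a minimal deep-inspection pass: it decodes Ethernet II / IPv4 / TCP, decodes the Modbus/TCP MBAP header on port 502, keeps per-protocol traffic counters (step 5), and flags IP/MAC pairs that are not in an assumed asset inventory (step 2). The sample frames, the asset inventory and the addresses are constructed in the code and checksums are left at zero; IPv6, TCP reassembly and the other protocols in the list are not handled.

```python
import struct

MODBUS_PORT = 502
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IP4_HDR = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")      # sport, dport, seq, ack, data offset, flags, window, csum, urgent
MBAP_HDR = struct.Struct("!HHHB")          # transaction id, protocol id (always 0), length, unit id


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Decode Ethernet II / IPv4 / TCP and, on port 502, the Modbus/TCP MBAP header.

    Returns the fields the engine on this page reports (protocol type, characteristic
    values, source/destination IP and MAC, ports). IPv6, TCP reassembly and the other
    application protocols are out of scope for this example.
    """
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    rec = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac), "frame_len": len(frame)}
    if ethertype != 0x0800:
        rec["protocol"] = f"ethertype-0x{ethertype:04x}"
        return rec
    off = ETH_HDR.size
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = IP4_HDR.unpack_from(frame, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("only IPv4 is decoded in this example")
    off += (ver_ihl & 0x0F) * 4                      # IHL is in 32-bit words
    rec.update(src_ip=ip_str(src), dst_ip=ip_str(dst), ip_proto=proto)
    if proto != 6:
        rec["protocol"] = {1: "icmp", 17: "udp"}.get(proto, f"ip-proto-{proto}")
        return rec
    sport, dport, _seq, _ack, data_off, flags, _win, _csum, _urg = TCP_HDR.unpack_from(frame, off)
    off += (data_off >> 4) * 4                       # TCP data offset is in 32-bit words
    rec.update(protocol="tcp", src_port=sport, dst_port=dport, tcp_flags=flags)
    payload = frame[off:ETH_HDR.size + total_len]    # bounded by the IP total length
    if MODBUS_PORT in (sport, dport) and len(payload) > MBAP_HDR.size:
        tid, pid, length, unit = MBAP_HDR.unpack_from(payload, 0)
        pdu_end = MBAP_HDR.size - 1 + length         # MBAP length counts unit id + PDU
        if pid == 0 and len(payload) >= pdu_end:
            rec.update(protocol="modbus", transaction_id=tid, unit_id=unit,
                       function_code=payload[MBAP_HDR.size], pdu=payload[MBAP_HDR.size:pdu_end])
    return rec


def update_flow_stats(stats, rec):
    """Per-protocol packet/byte counters, the 'traffic volume of the protocol' of step 5."""
    entry = stats.setdefault(rec["protocol"], {"packets": 0, "bytes": 0})
    entry["packets"] += 1
    entry["bytes"] += rec["frame_len"]
    return stats


def unknown_endpoints(rec, known_assets):
    """Step 2, IP/MAC detection: return (ip, mac) pairs missing from the asset inventory."""
    found = []
    for side in ("src", "dst"):
        pair = (rec.get(f"{side}_ip"), rec[f"{side}_mac"])
        if pair[0] is not None and pair not in known_assets:
            found.append(pair)
    return found


def build_modbus_frame(src_mac, dst_mac, src_ip, dst_ip, sport, unit, function, data):
    """Constructed test traffic (synthetic, checksums left at zero)."""
    pdu = bytes([function]) + data
    mbap = MBAP_HDR.pack(1, 0, len(pdu) + 1, unit)
    tcp = TCP_HDR.pack(sport, MODBUS_PORT, 1, 1, 5 << 4, 0x18, 8192, 0, 0)   # 20-byte header, PSH|ACK
    ip = IP4_HDR.pack(0x45, 0, IP4_HDR.size + len(tcp) + len(mbap) + len(pdu), 0, 0, 64, 6, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = ETH_HDR.pack(bytes.fromhex(dst_mac.replace(":", "")), bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip + tcp + mbap + pdu


HMI_MAC, PLC_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
KNOWN_ASSETS = {("192.168.1.10", HMI_MAC), ("192.168.1.20", PLC_MAC)}   # assumed inventory
# Write Single Register (fc 6) from the HMI, then Write Single Coil (fc 5) from an unlisted host.
SAMPLE_WRITE = build_modbus_frame(HMI_MAC, PLC_MAC, "192.168.1.10", "192.168.1.20", 50000, 1, 6, b"\x00\x10\x12\x34")
SAMPLE_ROGUE = build_modbus_frame("de:ad:be:ef:00:01", PLC_MAC, "192.168.1.99", "192.168.1.20", 40000, 1, 5, b"\x00\x01\xff\x00")

if __name__ == "__main__":
    stats = {}
    for frame in (SAMPLE_WRITE, SAMPLE_ROGUE):
        rec = parse_frame(frame)
        update_flow_stats(stats, rec)
        print(rec["src_ip"], "->", rec["dst_ip"], rec["protocol"], "fc", rec.get("function_code"),
              "unknown:", unknown_endpoints(rec, KNOWN_ASSETS))
    print(stats)
```

The Modbus branch keys on port 502 only because that is where the MBAP header is expected; a real engine dispatches on the negotiated application protocol after reassembly, and a write function code from an address outside the inventory (the second sample frame) is exactly the kind of record the rule matching of step S103 consumes.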
S103, matching rules and code detection are carried out (as shown in figure 3).
Specifically, this embodiment performs attack detection by two methods: rule matching and code detection.
Rule matching generates a rule file from the configured blacklist rules and whitelist rules and uses a multi-pattern matching algorithm to obtain the matching data.
The whitelist rules are generated by the user through the system's industrial protocol rule configuration; the currently supported industrial control protocols are Modbus, OPCDA, S7, DNP3, IEC104, MMS, Profinetio, Pnrtdcp, Goose, SV, EnipTcp, EnipUdp, EnipIo and OPCUA.
The blacklist rules are written according to industrial control protocol vulnerabilities, industrial control system vulnerabilities and network vulnerabilities.
The rules are descriptions of industrial network and traditional Internet vulnerabilities written in Suricata rule syntax; Suricata's high performance and multithreading improve the efficiency and accuracy of attack detection.
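As an added illustration of what blacklist-style and whitelist-style rules look like in Suricata syntax (illustrative rules written for this page, not the applicants' rule file): the address-group variables $ICS_MASTERS and $ICS_SLAVES, the engineering-station address 192.168.1.10 and the sid range are assumptions that would be defined in suricata.yaml and the site's rule file.

```suricata
# Blacklist-style: a Modbus write that does not come from the engineering station.
alert modbus !192.168.1.10 any -> 192.168.1.0/24 502 (msg:"ICS Modbus write from non-engineering host"; modbus: access write; sid:9000001; rev:1;)

# Blacklist-style: diagnostics function 8, sub-function 4 (Force Listen Only Mode) silences the slave.
alert modbus any any -> any any (msg:"ICS Modbus Force Listen Only Mode"; modbus: function 8, subfunction 4; sid:9000002; rev:1;)

# Whitelist-style: any Modbus session to a slave from a host that is not a configured master.
alert tcp !$ICS_MASTERS any -> $ICS_SLAVES 502 (msg:"ICS Modbus session from unlisted master"; flow:to_server,established; sid:9000003; rev:1;)
```

The modbus keyword needs the Modbus application-layer parser enabled in suricata.yaml (it is disabled by default in a number of releases and bound to port 502), and suricata -T validates the file before loading. Rules of this kind only see what the mirror port delivers, so a correctly formed Modbus request from a listed master address is not caught by them; that gap is what the asset inventory and the code detectors of the next paragraph are meant to cover.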
Code detection applies a code detection module to the protocol analysis data to obtain DoS/DDoS and port-scan attack data; it mainly covers ICMP_Flood, UDP_Flood, SYN_Flood, Land attack, Smurf attack, WinNuke attack, PingOfDeath, Broadcast_Flood, Arp_Flood, Multicast_Flood, IGMP_Flood, LLDP_Flood, ETH_Flood, TCP port scanning, UDP port scanning and other attacks.
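As an added example of two of the code-detection components named above, SYN_Flood and TCP port scanning (written for this page; not the applicants' module), the following Python consumes parsed-packet records of the kind a protocol parser produces and emits alert dicts. The sliding window, the thresholds and the traffic are assumptions: the records are constructed in the code and in practice the thresholds are tuned per plant.

```python
from collections import defaultdict, deque

TCP_SYN, TCP_ACK = 0x02, 0x10


class CodeDetector:
    """Stateful SYN_Flood and TCP port-scan detectors over parsed packet records.

    A record carries ts (seconds), ip_proto, src_ip, dst_ip, dst_port and tcp_flags.
    Only bare SYNs (connection attempts) are counted; thresholds are example values.
    """

    def __init__(self, window_s=1.0, syn_threshold=100, scan_threshold=20):
        self.window_s = window_s
        self.syn_threshold = syn_threshold
        self.scan_threshold = scan_threshold
        self.syn_times = defaultdict(deque)      # dst_ip -> timestamps of bare SYNs in window
        self.ports_seen = defaultdict(dict)      # (src_ip, dst_ip) -> {dst_port: last ts}
        self.alerted = set()                     # one alert per (attack, endpoint) key

    def _alert(self, key, **fields):
        if key in self.alerted:
            return None
        self.alerted.add(key)
        return {"attack": key[0], **fields}

    def feed(self, rec):
        alerts = []
        if rec.get("ip_proto") != 6 or rec["tcp_flags"] & (TCP_SYN | TCP_ACK) != TCP_SYN:
            return alerts
        ts, src, dst, port = rec["ts"], rec["src_ip"], rec["dst_ip"], rec["dst_port"]

        # SYN_Flood: too many new connection attempts at one target inside the window
        q = self.syn_times[dst]
        q.append(ts)
        while ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.syn_threshold:
            a = self._alert(("SYN_Flood", dst), dst_ip=dst, syn_count=len(q), ts=ts)
            if a:
                alerts.append(a)

        # TCP port scan: one source touching many distinct ports on one target
        ports = self.ports_seen[(src, dst)]
        ports[port] = ts
        for stale in [p for p, t in ports.items() if ts - t > self.window_s]:
            del ports[stale]
        if len(ports) >= self.scan_threshold:
            a = self._alert(("TCP_PortScan", src, dst), src_ip=src, dst_ip=dst,
                            ports=sorted(ports), ts=ts)
            if a:
                alerts.append(a)
        return alerts


def syn(ts, src, dst, port):
    """Constructed parsed-packet record for a bare SYN (not real capture data)."""
    return {"ts": ts, "ip_proto": 6, "src_ip": src, "dst_ip": dst, "dst_port": port, "tcp_flags": TCP_SYN}


PLC = "192.168.1.20"
# Constructed traffic: an HMI reconnecting a few times, a scanner sweeping 30 ports in
# under half a second, then 200 SYNs from spoofed sources hitting the PLC's Modbus port.
SAMPLE_TRAFFIC = (
    [syn(i * 2.0, "192.168.1.10", PLC, 502) for i in range(5)]
    + [syn(10.0 + i * 0.015, "192.168.1.99", PLC, 1 + i) for i in range(30)]
    + [syn(20.0 + i * 0.0025, f"10.0.{i // 256}.{i % 256}", PLC, 502) for i in range(200)]
)


def run(records, **kwargs):
    """Feed records through a fresh detector and return every alert in order."""
    detector = CodeDetector(**kwargs)
    alerts = []
    for rec in records:
        alerts.extend(detector.feed(rec))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_TRAFFIC):
        print(alert)
```

The port-scan key is the (source, destination) pair, so a flood from many spoofed sources to one port does not masquerade as a scan, and the flood counter is per destination, so a slow sweep from one host does not trip it; the suppression set keeps a sustained attack from producing one alert per packet, which matters when the results are pushed through Kafka to a SIEM.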
S104, reporting the detection result and storing it in the database.
Specifically, the detection result is output to Kafka; the middleware (business function processing module) extracts the detection result from Kafka, converts it, and persists the data to a database.
Kafka is a message middleware: a distributed, partitioned, multi-replica, multi-subscriber log system coordinated through ZooKeeper.
The middleware is a business-processing function module developed in Java that reads messages from Kafka and persists them to a database.
The detection result mainly comprises the source and destination IP addresses, source and destination MAC addresses, protocol details, application-layer protocol, attack type and the matched vulnerability.
S105, reporting the data to a third-party platform through syslog.
Syslog is configured in the system; several destination IPs can be configured, and the detection data are sent to third-party platforms such as a situational awareness platform or a security management platform. The third-party platform parses the detection data, normalises the information into a unified format, analyses the security situation, raises security alarms and issues early warnings.
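As an added example of the shape of steps S104 and S105 (written for this page, not the applicants' middleware): a detection result is serialised as a Kafka record (key and compact JSON value; the topic name and the field set are assumptions) and formatted as an RFC 5424 syslog message that carries the log fields named above as structured data, then handed to every configured collector. The sample result and collector addresses are constructed, UDP port 514 is assumed, and the sender is injectable so the routine runs offline.

```python
import json
import socket
from datetime import datetime, timezone

FACILITY_LOCAL4, SEVERITY_WARNING = 20, 4
SD_ID = "ics@32473"   # 32473 is the enterprise number reserved for documentation examples
LOG_FIELDS = ("src_ip", "dst_ip", "src_mac", "dst_mac", "protocol", "pkt_len", "attack", "detail")


def to_kafka_record(result, topic="ics-detections"):
    """Message published in S104: keyed by destination asset so one asset's events stay
    ordered on one partition; value is compact JSON. With kafka-python this would be
    KafkaProducer(...).send(topic, key=key, value=value). Topic name is an assumption."""
    key = result["dst_ip"].encode()
    value = json.dumps(result, separators=(",", ":"), sort_keys=True).encode()
    return topic, key, value


def _sd_escape(value):
    """RFC 5424 PARAM-VALUE escaping: backslash, double quote and ']' must be escaped."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(result, hostname="ics-ids-01", app_name="ics-ids"):
    """Format one attack detection log as an RFC 5424 message (PRI, header, SD, MSG)."""
    pri = FACILITY_LOCAL4 * 8 + SEVERITY_WARNING
    ts = (datetime.fromtimestamp(result["ts"], tz=timezone.utc)
          .isoformat(timespec="milliseconds").replace("+00:00", "Z"))
    sd_params = " ".join(f'{k}="{_sd_escape(result[k])}"' for k in LOG_FIELDS)
    msg = f'{result["attack"]} {result["src_ip"]} -> {result["dst_ip"]} ({result["protocol"]})'
    return f'<{pri}>1 {ts} {hostname} {app_name} - {result["event_id"]} [{SD_ID} {sd_params}] {msg}'


def forward(message, collectors, send=None):
    """Deliver one message to every configured collector (the page allows several IPs).
    send(data, (host, port)) defaults to plain UDP; inject a sender for TLS syslog
    (RFC 5425) when the collector sits outside the OT zone, or for testing."""
    if send is None:
        send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto
    data = message.encode("utf-8")
    delivered = []
    for host, port in collectors:
        send(data, (host, port))
        delivered.append((host, port))
    return delivered


# Constructed detection result (not real data); ts is 2021-11-25T05:20:00.250Z.
SAMPLE_RESULT = {
    "event_id": "evt-000123",
    "ts": 1637817600.250,
    "src_ip": "192.168.1.99", "dst_ip": "192.168.1.20",
    "src_mac": "de:ad:be:ef:00:01", "dst_mac": "66:77:88:99:aa:bb",
    "protocol": "modbus", "pkt_len": 66,
    "attack": "Modbus write from unlisted master",
    "detail": 'fc=6 addr=0x0010 value=0x1234 note="engineering station offline"',
}
COLLECTORS = [("10.10.0.5", 514), ("10.10.0.6", 514)]   # assumed SOC platform addresses

if __name__ == "__main__":
    print(*to_kafka_record(SAMPLE_RESULT))
    line = to_syslog(SAMPLE_RESULT)
    print(line)
    print(forward(line, COLLECTORS, send=lambda data, addr: None))   # dry run, no network
```

Plain UDP syslog is neither authenticated nor encrypted and drops messages silently under load, so for the hand-off to a situational awareness platform outside the plant network the sender passed to forward should be a TLS-backed one and the collectors should check the hostname and app-name fields against the expected sensor.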
It should be noted that, for the sake of simplicity, the present embodiment is described as a series of acts, but those skilled in the art should understand that the present application is not limited by the described order of acts, because some steps may be performed in other orders or simultaneously according to the present application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Example 2
This example is based on example 1:
the present embodiment provides a computer device comprising a memory storing a computer program and a processor implementing the steps of the method of attack detection in an industrial system of embodiment 1 when executing the computer program. The computer program may be in the form of source code, object code, an executable file or some intermediate form, among others.
Example 3
This example is based on example 1:
the present embodiment provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of attack detection in an industrial system of embodiment 1. The computer program may be in the form of source code, object code, an executable file or some intermediate form, among others. The storage medium includes: any entity or device capable of carrying computer program code, recording medium, computer memory, Read Only Memory (ROM), Random Access Memory (RAM), electrical carrier signals, telecommunications signals, software distribution medium, and the like. It should be noted that the storage medium may include contents that are appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction, for example, in some jurisdictions, the storage medium does not include electrical carrier signals and telecommunication signals according to legislation and patent practice.

Claims (10)

1. A method of attack detection in an industrial system, comprising the steps of:
s1: collecting industrial control network messages;
s2: analyzing the industrial control network message to obtain protocol analysis data;
s3: matching the protocol analysis data with rules to obtain a matching result, analyzing the protocol analysis data by using a detection code to obtain an analysis result, and collectively referring to the matching result and the analysis result as a detection result;
s4: reporting the detection result to kafka, extracting the detection result from the kafka by middleware and persisting the detection result to a database to form an attack detection log;
s5: and (4) sending the attack detection log to a third-party system through the Syslog for uniform analysis and processing.
2. The method for attack detection in an industrial system according to claim 1, wherein in step S1, all hosts in the industrial control network are connected to the industrial switch through an industrial ethernet protocol, and the industrial control network message is collected through a mirror message of the industrial switch.
3. The method for attack detection in an industrial system according to claim 1, wherein in step S2, analyzing the industrial control network packet by the protocol deep parsing engine includes: and analyzing the protocol type and the protocol characteristic value, analyzing the size of each protocol flow, and extracting source and destination IP, source and destination MAC and port information.
4. The method for detecting the attack in the industrial system according to claim 1, wherein the rules in the step S3 include industrial control protocol vulnerability rules, industrial control system vulnerability rules, common network attack rules, and are matched by Suricata.
5. The method for attack detection in an industrial system according to claim 1, wherein the detection code in step S3 refers to detection components written according to attack characteristics, including DoS/DDoS attack detection and port-scan detection.
6. The method for attack detection in an industrial system according to claim 1, wherein Kafka in step S4 is a message middleware, namely a distributed log system coordinated through ZooKeeper; the middleware is a business-processing function module developed in Java that reads messages from Kafka and persists them to a database.
7. The method for attack detection in industrial system according to claim 1, wherein the attack detection log in step S4 includes occurrence time, event packet length, source destination IP, source destination MAC, attack content and protocol information.
8. The method for attack detection in an industrial system according to claim 1, wherein the third party system in step S5, including the situation awareness system and the security management platform, can perform unified analysis on the data and perform an early warning action.
9. A computer arrangement comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, carries out the steps of the method of attack detection in an industrial system according to any of claims 1-8.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method for attack detection in an industrial system according to any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111410027.4A CN114205126A (en) 2021-11-25 2021-11-25 Method, device and medium for attack detection in industrial system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111410027.4A CN114205126A (en) 2021-11-25 2021-11-25 Method, device and medium for attack detection in industrial system

Publications (1)

Publication Number Publication Date
CN114205126A (en) 2022-03-18

Family

ID=80648861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111410027.4A Pending CN114205126A (en) 2021-11-25 2021-11-25 Method, device and medium for attack detection in industrial system

Country Status (1)

Country Link
CN (1) CN114205126A (en)


Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190020667A1 (en) * 2017-07-14 2019-01-17 Guavus, Inc. Non-rule based security risk detection
WO2019148576A1 (en) * 2018-02-05 2019-08-08 重庆邮电大学 Ddos attack detection and mitigation method for industrial sdn network
US20200021560A1 (en) * 2018-07-13 2020-01-16 Raytheon Company Policy engine for cyber anomaly detection
CN111953638A (en) * 2019-05-17 2020-11-17 北京京东尚科信息技术有限公司 Network attack behavior detection method and device and readable storage medium
CN110535881A (en) * 2019-09-27 2019-12-03 杭州九略智能科技有限公司 Industrial network attack traffic detection method and server
CN111193738A (en) * 2019-12-30 2020-05-22 南京联成科技发展股份有限公司 Intrusion detection method of industrial control system
CN113486351A (en) * 2020-06-15 2021-10-08 中国民用航空局空中交通管理局 Civil aviation air traffic control network safety detection early warning platform
CN112822151A (en) * 2020-11-06 2021-05-18 浙江中烟工业有限责任公司 Multilayer accurate active network attack detection method and system for control network industrial computer
KR102280845B1 (en) * 2020-11-24 2021-07-22 한국인터넷진흥원 Method and apparatus for detecting abnormal behavior in network
CN112532642A (en) * 2020-12-07 2021-03-19 河北工业大学 Industrial control system network intrusion detection method based on improved Suricata engine
CN113315771A (en) * 2021-05-28 2021-08-27 苗叶 Safety event warning device and method based on industrial control system

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844721A (en) * 2022-06-06 2022-08-02 广州小鹏汽车科技有限公司 Attack detection method and system, vehicle and computer readable storage medium
CN114844721B (en) * 2022-06-06 2023-12-29 肇庆小鹏新能源投资有限公司广州分公司 Attack detection method and system, vehicle and computer readable storage medium
CN115277244A (en) * 2022-08-05 2022-11-01 四川启睿克科技有限公司 Industrial Internet intrusion detection system and method
CN115277244B (en) * 2022-08-05 2023-07-25 四川启睿克科技有限公司 Intrusion detection system and method for industrial Internet
CN115442276A (en) * 2022-08-23 2022-12-06 华能吉林发电有限公司长春热电厂 Method for passively acquiring industrial control equipment logs
CN115622754A (en) * 2022-09-29 2023-01-17 四川启睿克科技有限公司 Method, system and device for detecting and preventing MQTT vulnerability
CN115622754B (en) * 2022-09-29 2024-05-14 四川启睿克科技有限公司 Method, system and device for detecting and preventing MQTT loopholes
CN115622963A (en) * 2022-12-01 2023-01-17 北京安帝科技有限公司 Message detection method, device, equipment and medium based on industrial switch
CN115632883A (en) * 2022-12-20 2023-01-20 武汉大学 Industrial control network flow analysis safety detection system and method based on bypass technology

Similar Documents

Publication Publication Date Title
CN114205126A (en) Method, device and medium for attack detection in industrial system
US20180367566A1 (en) Prevention and control method, apparatus and system for network attack
US9544273B2 (en) Network traffic processing system
US7562390B1 (en) System and method for ARP anti-spoofing security
US9130982B2 (en) System and method for real-time reporting of anomalous internet protocol attacks
Al-Duwairi et al. SIEM-based detection and mitigation of IoT-botnet DDoS attacks
CN109831461B (en) Distributed denial of service (DDoS) attack defense method and device
US11743153B2 (en) Apparatus and process for monitoring network behaviour of Internet-of-things (IoT) devices
US20050278779A1 (en) System and method for identifying the source of a denial-of-service attack
Kaushik et al. Detection of attacks in an intrusion detection system
Haddadi et al. DoS-DDoS: taxonomies of attacks, countermeasures, and well-known defense mechanisms in cloud environment
RU2679219C1 (en) Method of protection of service server from ddos attack
CN111641951A (en) 5G network APT attack tracing method and system based on SA architecture
Dzurenda et al. Network protection against DDoS attacks
Satrya et al. The detection of ddos flooding attack using hybrid analysis in ipv6 networks
CN114938308B (en) Method and device for detecting IPv6 network attack based on address entropy self-adaptive threshold
CN111683063B (en) Message processing method, system, device, storage medium and processor
CN114553513A (en) Communication detection method, device and equipment
Farooqi et al. Intrusion detection system for IP multimedia subsystem using K-nearest neighbor classifier
Song et al. Collaborative defense mechanism using statistical detection method against DDoS attacks
CN110730165A (en) Data processing method and device
CN115314252B (en) Protection method, system, terminal and storage medium applied to industrial firewall
Bou-Harb et al. On detecting and clustering distributed cyber scanning
RU2704741C2 (en) Method of protection against ddos-attack on basis of traffic classification
CN118139052A (en) Enhanced network security protection method and device, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2022-03-18