CN114296406A - Network attack and defense display system, method and device and computer readable storage medium - Google Patents


Info

Publication number
CN114296406A
Authority
CN
China
Prior art keywords
attack
unit
defense
network
penetration
Prior art date
Legal status
Granted
Application number
CN202111410072.XA
Other languages
Chinese (zh)
Other versions
CN114296406B (en)
Inventor
赵学全
陈东旭
杨旭
Current Assignee
Beijing 6Cloud Technology Co Ltd
Beijing 6Cloud Information Technology Co Ltd
Original Assignee
Beijing 6Cloud Technology Co Ltd
Beijing 6Cloud Information Technology Co Ltd
Application filed by Beijing 6Cloud Technology Co Ltd and Beijing 6Cloud Information Technology Co Ltd
Priority to CN202111410072.XA (granted as CN114296406B)
Publication of CN114296406A
Application granted
Publication of CN114296406B
Legal status: Active

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Testing And Monitoring For Control Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network attack and defense display system, method and device and a computer readable storage medium. The network attack and defense display system comprises an attack penetration unit, a target industrial control unit, a physical simulation unit, a digital twin unit and a safety protection unit. The attack penetration unit carries out attack penetration on the target industrial control unit; the target industrial control unit sends an abnormal control signal to the physical simulation unit and the digital twin unit when it is attacked and penetrated; the physical simulation unit receives the abnormal control signal, produces the equipment fault that the signal causes, and displays the fault and the process result; the digital twin unit receives the abnormal control signal and microscopically displays the detailed fault process and fault result; the safety protection unit monitors the attack process of the attack penetration and defends against it according to the handling command of personnel. The system can visually and dynamically display the attack and defense process of an industrial network and its influence on the industry.

Description

Network attack and defense display system, method and device and computer readable storage medium
Technical Field
The invention relates to the field of network security, in particular to a network attack and defense display system, method and device and a computer readable storage medium.
Background
The industrial control system is an important component of national infrastructure and the core of industrial infrastructure. It is widely used in oil refining, the chemical industry, electric power, power grids, water plants, traffic, water conservancy and other fields, has high requirements on availability and real-time performance, has a long system life cycle, and is a key attack target in information warfare.
At present, China is at a rapid development stage in related fields such as industrial control system network security technology research and industrial development, but protection capability and emergency handling capability remain relatively low. In particular, industrial control systems in key sectors use foreign products in large quantities, so the security of these key systems is in the hands of others, and the industrial control systems of important infrastructure have become targets of external penetration attacks. Constructing an industrial control network attack and defense display simulation system, exploring typical industrial control network defense means and raising the technical level of industrial internet system fault emergency response are therefore particularly important.
Existing network attack and defense display systems mostly adopt virtualization technology: a network security test is carried out by running code in a virtual machine, so the attack and defense process cannot be displayed dynamically and visually.
Disclosure of Invention
The invention mainly aims to provide a network attack and defense display system, a network attack and defense display method, a network attack and defense display device and a computer readable storage medium, and aims to solve the technical problem that the existing industrial network attack and defense display scheme cannot visually and dynamically display the network attack and defense process.
In order to achieve the above object, an embodiment of the present invention provides a network attack and defense display system, where the network attack and defense display system includes an attack penetration unit, a target industrial control unit, a physical simulation unit, a digital twin unit, and a safety protection unit, and the attack penetration unit is configured to perform attack penetration on the target industrial control unit; the target industrial control unit is used for sending an abnormal control signal to the physical simulation unit and the digital twin unit when the target industrial control unit is attacked and infiltrated; the physical simulation unit is used for receiving the abnormal control signal, causing equipment failure according to the abnormal control signal and displaying a failure result; the digital twin unit is used for receiving the abnormal control signal and displaying a microscopic fault process according to the abnormal control signal; the safety protection unit is used for monitoring the attack process of the attack penetration and defending the attack penetration process according to the handling command of the user.
Optionally, the physical simulation unit includes a sand table model and a simulation panel, the sand table model is used for simulating an industrial physical environment, the simulation panel is used for integrating a network topology structure, and the physical simulation unit is used for driving the sand table model and the simulation panel to cause equipment failure according to the abnormal control signal and displaying a failure result.
Optionally, the digital twin unit is configured to construct a digital twin plant according to the physical simulation unit, and to show a microscopic fault process based on the digital twin plant and the abnormal control signal.
Optionally, the attack penetration unit, the target industrial control unit, the physical simulation unit, the digital twin unit and the safety protection unit are independent from each other.
Optionally, the attack penetration unit is configured to integrate a plurality of attack schemes, where the attack schemes include at least one of industrial fingerprint sniffing, a man-in-the-middle spoofing attack, an instruction injection attack and a vulnerability exploitation attack.
In addition, the invention also provides a network attack and defense display method, which is applied to the network attack and defense display system, and comprises the following steps:
carrying out physical simulation on an industrial physical environment and a network topological structure to obtain a physical simulation model;
constructing a digital twin plant based on the physical simulation model;
and performing network attack and defense display according to the physical simulation model and the digital twin factory.
Optionally, the step of performing network attack and defense exhibition according to the physical simulation model and the digital twin plant includes:
acquiring a target attack scheme, and carrying out attack penetration on target industrial control according to the target attack scheme;
displaying the fault result of the attack penetration based on the physical simulation model, and displaying the microscopic fault process of the attack penetration based on the digital twin plant;
and if the target industrial control is monitored to have attack penetration, defending the attack penetration.
Optionally, the step of displaying the fault result of the attack penetration based on the physical simulation model and displaying the micro fault process of the attack penetration based on the digital twin factory includes:
receiving an abnormal control signal sent by a preset target industrial control unit;
and driving the physical simulation model to display the fault result according to the abnormal control signal, and driving the digital twin factory to display the microscopic fault process according to the abnormal control signal.
In addition, in order to achieve the above object, the present invention further provides a network attack and defense display apparatus, where the network attack and defense display apparatus includes a memory, a processor, and a network attack and defense display program stored in the memory and capable of running on the processor, and when the network attack and defense display program is executed by the processor, the steps of the network attack and defense display method are implemented.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium, where a network attack and defense display program is stored on the computer readable storage medium, and when the network attack and defense display program is executed by a processor, the steps of the network attack and defense display method are implemented.
The invention provides a network attack and defense display system, method, device and computer readable storage medium. A physical simulation model is obtained by carrying out physical simulation on the industrial physical environment and the network topology structure; the physical simulation model presents a real industrial production field environment and network topology and restores the resources of the industrial field control system at the physical level. A digital twin plant is then constructed based on the physical simulation model, so that real data from the physical simulation model are merged into the simulated digital twin plant, and network attack and defense display is carried out according to the physical simulation model and the digital twin plant. Whole-process display of the digital twin plant is thereby added to the display of the physical simulation model, and the industrial field space and the data space are merged, so that the network attack and defense situation is displayed more visually and dynamically, and a complete data environment and object system is provided for network security attack and defense design, network risk assessment and the like.
Drawings
FIG. 1 is a schematic diagram of an industrial Internet attack and defense display system architecture according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a network defense and attack display method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a hardware operating environment according to a method of an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a network attack and defense display system, in one embodiment of the network attack and defense display system, the network attack and defense display system comprises an attack penetration unit, a target industrial control unit, a physical simulation unit, a digital twin unit and a safety protection unit, wherein the attack penetration unit is used for performing attack penetration on the target industrial control unit; the target industrial control unit is used for sending an abnormal control signal to the physical simulation unit and the digital twin unit when the target industrial control unit is attacked and infiltrated; the physical simulation unit is used for receiving the abnormal control signal, causing equipment failure according to the abnormal control signal and displaying a failure result; the digital twin unit is used for receiving the abnormal control signal and displaying a microscopic fault process according to the abnormal control signal; the safety protection unit is used for monitoring the attack process of the attack penetration and defending the attack penetration process according to the handling command of the user.
Furthermore, the physical simulation unit comprises a sand table model and a simulation display board, the sand table model is used for simulating an industrial physical environment, the simulation display board is used for integrating a network topology structure, and the physical simulation unit is used for driving the sand table model and the simulation display board to cause equipment faults according to the abnormal control signals and displaying fault results.
Further, the digital twin unit is used for constructing a digital twin factory according to the physical simulation unit and displaying a microscopic fault process based on the digital twin factory and the abnormal control signal.
Furthermore, the attack penetration unit, the target industrial control unit, the physical simulation unit, the digital twin unit and the safety protection unit are mutually independent.
Further, the attack penetration unit is used for integrating a plurality of attack schemes, and the attack schemes comprise at least one of industrial fingerprint sniffing, man-in-the-middle spoofing attack, instruction injection attack and vulnerability attack.
In this embodiment, the network attack and defense display system can be used for simulating and demonstrating network attack and protection scenarios of the industrial internet, and also for scientific research, safety evaluation, effect display and the like. The system is composed of an attack penetration unit, a target industrial control unit, a physical simulation unit, a digital twin unit and a safety protection unit; that is, the system is divided into these five units, so that attack and defense display is organised into one complete system while more detailed local attack and defense display can be performed during a demonstration. The five units are independent from each other: each realises a different function independently of the others, and a hardware or software failure in any one unit does not affect the other units.
The attack penetration unit performs attack penetration on the target industrial control unit. When the target industrial control unit is attacked and penetrated, its control may become disordered, and at that moment the target industrial control unit sends an abnormal control signal to the physical simulation unit and the digital twin unit. The physical simulation unit receives the abnormal control signal and drives the industrial equipment to fail according to it, that is, the equipment failure accident caused by the attack penetration occurs, and it displays the failure result (for example, equipment stopping work); the accident effect after the industrial network is attacked can thus be displayed visually through the physical simulation unit. The digital twin unit receives the abnormal control signal and displays the microscopic failure process and failure result according to it; the failure process may be the process by which the failure result comes about, such as a physical or chemical change process, so the change of principle behind the failure accident can be displayed through the digital twin unit. The safety protection unit monitors the attack process in which the attack penetration unit carries out attack penetration on the target industrial control unit and, when attack penetration is detected, defends against the attack penetration process according to the handling command of personnel; specifically, the attack penetration behaviour can be defended against according to a preset protection system in the safety protection unit. The safety protection unit is also used to display, through a display screen, the attack process of the attack penetration and the defense process carried out by the safety protection unit.
The attack penetration unit is used for performing attack penetration on the target industrial control unit. In this embodiment, a plurality of attack schemes are integrated in the independent attack penetration unit; the attack schemes may preferably be at least one of industrial fingerprint sniffing, man-in-the-middle spoofing attack, instruction injection attack and vulnerability exploitation attack, the attack penetration unit may also integrate 0day vulnerability self-defined verification, and other attack schemes may of course be included as well. Specifically, industrial fingerprint sniffing uses a large body of mastered industrial fingerprint technology to accurately identify the characteristics of equipment, runs an attack script, precisely attacks the equipment and stops the operation of the specified equipment through abnormal communication protocol data; man-in-the-middle spoofing attacks monitor the traffic of, and tamper with the data of, a designated operator station, application station, controller, robot system and the like; instruction injection attacks cause information leakage or functional damage by inputting malicious code data; vulnerability exploitation attacks deploy attack actions against known vulnerabilities in the software and firmware of the equipment, so that the attacked operator station is paralysed and normal communication is no longer possible; and 0day vulnerability self-defined verification carries out self-defined verification of the intrusion characteristics of 0day vulnerabilities of the target industrial control unit. In this embodiment, rich attack schemes are integrated in the independent attack penetration unit, and by constructing the attack architecture of the attack penetration unit a new attack mode can be quickly integrated into the system without modifying the original code.
It should be noted that, in a specific usage scenario, different attack schemes may be selected according to actual requirements and integrated in the attack penetration unit. The attack penetration unit in this embodiment may further include an attack platform that is loaded into the industrial internet; a control signal may be sent to the attack platform through a terminal device to trigger an attack instruction, so that attack penetration is performed on the target industrial control unit according to that instruction, and a new attack scheme may be written into the attack platform through the terminal device to perform attack penetration on the plant equipment. The terminal device may be a mobile phone or a tablet computer. In addition, because the attack penetration unit is arranged independently in this embodiment, 0day vulnerabilities can be quickly reproduced.
The target industrial control unit integrates the system resources of a typical industrial multilayer network topology and is used to faithfully restore the system resources of an industrial field network; that is, the target industrial control unit integrates the engineering system and the control system of the industrial field network, which comprise an MES (manufacturing execution system), remote IO (input/output) modules, a controller, an engineer station, an operator station, an application station and the like, and these are the target objects of attack penetration and safety protection. The remote IO module acquires and processes remote signals from the industrial field; the controller samples field IO data and carries out processing, logic, arithmetic, timing and counting control, completing the real-time data sampling and control of the whole industrial site; the engineer station creates the process flow system, configures and maintains the database, and edits, downloads and uploads software and hardware information; the operator station controls the industrial field equipment in real time, queries historical data and raises event alarms; the application station can be divided into a history server and an alarm event server, from which the operator station queries historical data and the alarm event log, and it can also serve as an OPC server to configure an external interface; the MES and the equipment of the other layers together form the industrial internet. In this embodiment, the target hardware and software of attack penetration and safety protection are grouped into one category and integrated in the target industrial control unit, ensuring the hardware independence of the attack and defense display system resources.
It should be noted that, in an actual scene, different attack protection objects can be selected according to different industrial requirements and integrated in the target industrial control unit. When the target industrial control unit is attacked and infiltrated, the target industrial control unit sends an abnormal control signal to the physical simulation unit and the digital twin unit.
The physical simulation unit drives the corresponding equipment to fail according to the abnormal control signal and displays the fault result; that is, it displays the fault result that the attack penetration unit produces on the target industrial control unit. The physical simulation unit comprises a sand table model and a simulation display board: the sand table model simulates the real industrial physical environment, and the simulation display board integrates the network topology structure. The resources of the industrial field control system are simulated through the sand table model; specifically, all resources of the field equipment layer, field control layer, process monitoring layer and enterprise resource layer can be simulated, such as the working modes of motors, valves, sensors and robots, PLC (programmable logic controller) control devices, configuration screens, the HMI (human machine interface), the MES (manufacturing execution system), the ERP (enterprise resource planning) system and the like, which completely displays the physical operating environment of an industrial field. When the attack penetration unit performs attack penetration on the target industrial control unit, the target industrial control unit sends an abnormal control signal to the physical simulation unit, which drives the sand table model to fail according to the abnormal control signal and displays the corresponding fault result. The fault result can be a fault result state (such as equipment ceasing to rotate) or a fault process state (such as equipment gradually ceasing to rotate); that is, the sand table model executes the corresponding equipment malfunction, such as an indicator light flashing or the sand table alarm sounding.
The simulation display board integrates the industrial network topology and at the same time displays the running and attack conditions of the current network between all hardware devices through light strips. After the physical simulation unit receives the abnormal control signal, it drives the simulation display board according to the signal to display the fault result, for example by driving the corresponding light strip to show a warning colour and sounding the simulation display board alarm. In this embodiment the sand table model and the simulation display board are used to restore and display the actual physical environment and the network topology, so the resources of the industrial field control system are faithfully restored at the physical level. The physical simulation unit may also comprise acousto-optic equipment, a display screen and the like for auxiliary display. Compared with simulation by running code in a virtual machine, restoring the real industrial field with the sand table model and the simulation display board and displaying the attack fault effect through them makes the display result more intuitive and strengthens the instructive value of the simulation.
The digital twin unit works together with the physical simulation unit to display the microscopic fault process of the attack penetration; specifically, the digital twin unit constructs a digital twin plant according to the physical simulation unit and displays the microscopic fault process based on the digital twin plant. In this embodiment a digital twin plant may be constructed on the basis of the physical simulation unit: a mechanism model is established for the physical simulation unit, the unit data of the physical simulation unit are obtained, and the corresponding digital twin plant and network system control are constructed according to those unit data. When the target industrial control is attacked, an abnormal control signal is sent to the digital twin unit, which displays the microscopic fault process of the attack penetration according to the abnormal control signal; the digital twin unit can also display the microscopic fault result.
As another embodiment, the digital twin unit can directly acquire operating data of a real industrial physical environment, establish a mechanism model and construct a virtual digital twin plant with 3D modelling technology. At present, effect display in a virtual machine is mostly performed by showing the attacked state through process flow equipment icons on an upper computer, and the display effect is not rich and vivid enough. In this embodiment the attacked change process is displayed through the digital twin unit, and the 3D display is driven according to an algorithm model preset in the digital twin unit, so that both the attacked fault state and the microscopic change process of the fault can be displayed, making the display more intuitive and vivid. The digital twin plant can be built with VR technology and also with a 3D television.
The safety protection unit monitors the attack process of the attack penetration and carries out defense against the attack penetration process according to the handling command of personnel. In this embodiment the safety protection unit comprises a preset protection system, defense against the attack penetration behaviour is carried out according to that preset protection system, and the preset protection system may be industrial audit, an industrial firewall, a supervision system, an industrial host guard, industrial situation awareness and the like. In this embodiment, the industrial audit can be used to monitor attack penetration behaviour, the industrial firewall can be used to defend against it, and the industrial situation awareness system can show the attack process of the attack penetration, such as attack penetration, man-in-the-middle spoofing attack, data tampering and other attack processes; if attack behaviour is detected, the firewall can be started to defend against it. The industrial firewall supports various industrial control protocols, has a throughput of 30000 PPS, and is rated for an ambient temperature of -40 to 85 ℃ and a humidity of 5% to 95%, non-condensing; the industrial host guard enforces the host whitelist, monitors the state of host processes and host interfaces, and prevents the running of malicious programs and the use of unauthorised host interface devices; the industrial audit records and stores the operating behaviour of the engineer station.
The supervision system monitors the communication traffic and security events of the network, analyses the security threats in the network, and manages and controls the access of intranet devices; industrial situation awareness classifies security events of all dimensions through efficient aggregation by a big data engine, making threats to the industrial control network and industrial control system security visible, controllable and manageable. The safety protection unit monitors and defends against the software and hardware behaviour of abnormal network attacks on the target industrial control unit and verifies the effectiveness of the protection measures. In this embodiment, the overall state of the current defense system is observed by loading public or unpublished vulnerabilities, worms, backdoors and 0-Day attacks against various industrial equipment into the attack and defense simulation system, so that the safety and security of the current network protection scheme is verified and the network protection strategy of the real environment can be adjusted in time.
In addition, in this embodiment, as shown in fig. 1, fig. 1 shows the architecture of the industrial internet attack and defense display system of this embodiment, which includes a target industrial control unit, an attack penetration unit that attacks the target industrial control unit, a physical simulation unit, a digital twin unit, and a security protection unit. The attack and defense display process in this embodiment is as follows: the attack penetration unit is started and an attack scheme is selected in it, and attack penetration is carried out on the target industrial control unit. When the target industrial control unit is attacked, it sends an abnormal control signal to the physical simulation unit and the digital twin unit; the physical simulation unit is driven to display the fault result according to the abnormal control signal, and the digital twin unit is driven to display the microscopic fault process according to the abnormal control signal. If the protection effect needs to be displayed, the safety protection unit is started according to the handling command of the operator; it detects the attack process of the attack penetration in real time, defends against the attack penetration according to the preset protection system, and at the same time displays the attack and defense processes.
For example, the attack penetration unit is started and a man-in-the-middle spoofing attack is selected to attack a controller in the target industrial control unit. After the controller in the target industrial control unit is attacked, an abnormal control signal is sent to the physical simulation unit and the digital twin unit; the corresponding indicator lamp in the physical simulation unit is driven to turn off, or the corresponding equipment stops working, and so on, which achieves the display of the fault result, while the digital twin unit displays the corresponding microscopic fault change process, such as the change in the internal operating principle of the attacked controller. When the safety protection function needs to be demonstrated, the safety protection unit is started, the software and hardware behavior of abnormal network attacks on the target industrial control unit is comprehensively monitored and defended against, and the effectiveness of the protection measures is verified.
The invention also provides a network attack and defense display method, and referring to fig. 2, fig. 2 is a flow diagram of an embodiment of the network attack and defense display method.
In this embodiment, the network attack and defense display method is applied to the network attack and defense display system of the above embodiment.
The network attack and defense display method comprises the following steps:
step S10, carrying out physical simulation on the industrial physical environment and the network topological structure to obtain a physical simulation model;
step S20, constructing a digital twin plant based on the physical simulation model;
and step S30, performing network attack and defense display according to the physical simulation model and the digital twin plant.
In this embodiment, a physical simulation model is obtained by physically simulating the industrial physical environment and the network topological structure. The physical simulation model in this embodiment consists of a sand table model and a simulation display board: the actual industrial physical environment is simulated with physical sand table technology to obtain the sand table model, and the network topological structure is physically simulated with a display board to obtain the simulation display board, so the sand table model restores the industrial physical environment and the simulation display board restores the network topological structure. A digital twin plant is then constructed based on the sand table model and the simulation display board: virtual simulation is carried out on top of them, and a virtual operation and monitoring module is built from the model data of the physical simulation model at a preset proportion (such as 1:1), which yields the digital twin factory. Network attack and defense display is then carried out according to the sand table model, the simulation display board and the digital twin factory.
In the embodiment, on the basis of physical sand table simulation, digital twin system simulation is added, so that high information fusion of virtual data in a digital twin is realized, and a complete data environment and object system is provided for network security attack and defense design, network risk assessment and the like.
Further, in the step S30, the step of performing network defense and attack demonstration according to the physical simulation model and the digital twin plant includes:
step A, obtaining a target attack scheme, and carrying out attack penetration on target industrial control according to the target attack scheme;
In this embodiment, a plurality of attack schemes are integrated in a preset attack penetration unit. When attack and defense display is performed, the attack penetration unit is started first and an attack scheme is selected; the selected attack scheme serves as the target attack scheme, and attack penetration is carried out on the target industrial control according to it. At the same time, a preset safety protection unit is started, the attack penetration behavior is monitored and defended against, and the attack process and the defense process of the attack penetration are displayed so that both can be shown visually. In this embodiment, the attack on the target industrial control is simulated by selecting a preset attack scheme, so that the attack path of a real industrial site is restored. The specific attack schemes may include those of the network attack and defense display system of the embodiment above.
step B, displaying the fault result of the attack penetration based on the physical simulation model, and displaying the microscopic fault process of the attack penetration based on the digital twin factory;
In this embodiment, the fault result of the attack penetration is displayed based on the physical simulation model, specifically through the sand table model and the simulation display board in the physical simulation model, and the microscopic fault process of the attack penetration is displayed based on the digital twin plant, where the microscopic fault process may be the fault change process, the principle by which the fault occurs, and the like.
Specifically, the step B of displaying the fault result of the attack penetration based on the physical simulation model and displaying the microscopic fault process of the attack penetration based on the digital twin plant includes:
step b1, receiving an abnormal control signal sent by a preset target industrial control unit;
step b2, driving the physical simulation model to display the fault result according to the abnormal control signal, and driving the digital twin factory to display the microscopic fault process according to the abnormal control signal.
In this embodiment, the process of displaying the fault result and the microscopic fault process of the attack penetration specifically includes: after the target industrial control is attacked, the abnormal control signal sent by the preset target industrial control unit is received; the sand table model and the simulation display board in the physical simulation model are driven to display the fault result according to the abnormal control signal, and the digital twin factory is driven to display the microscopic fault process according to the abnormal control signal. By building an attack and defense simulation environment out of the physical simulation model and the digital twin factory, the three-dimensional, all-round, full-life-cycle industrial site environment is restored as far as possible without interrupting real site operations, relevant personnel can assess the stability of the current industrial control site at any time, and the display effect of the attack and defense results and processes is improved.
Existing attack and defense demonstrations run in virtual machines and cannot simulate the physical environment of a real industrial site; their simulation is not very instructive, and the final display is mostly the attacked state shown on process-flow equipment icons on a host computer, so the display effect is monotonous. This embodiment displays the attack result of the attack penetration based on the sand table model and the simulation display board, and displays the attack process based on the digital twin factory, so the local network attack and defense process can be shown more intuitively.
step C, if attack penetration of the target industrial control is monitored, defending against the attack penetration.
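The following is an added example that models the signal flow described for the system embodiment (fig. 1) and for steps b1 and b2 above: the target industrial control unit fans an abnormal control signal out to the physical simulation model and the digital twin plant, and the safety protection unit, once started by the operator's handling command, records attempts in the audit and arms the firewall after the first detection. It is not code from the patent or from its applicant; the unit names follow the description, while every class, method, device name and signal value is a constructed assumption, and no attack logic is modelled, only the signals that result from it.

```python
"""Event-flow model of the attack-and-defense demonstration (added example,
not the patent's own code; all names and sample values are assumptions)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AbnormalControlSignal:
    """Emitted by the target industrial control unit once a device is compromised."""
    device: str   # affected controller or field device (constructed name)
    attack: str   # attack scheme selected in the attack penetration unit
    detail: str   # microscopic change inside the device (constructed)


class PhysicalSimulationModel:
    """Sand table and simulation display board: shows the macroscopic fault result."""

    def __init__(self, devices: List[str]) -> None:
        self.lamps: Dict[str, str] = {d: "on" for d in devices}
        self.equipment: Dict[str, str] = {d: "running" for d in devices}

    def on_signal(self, sig: AbnormalControlSignal) -> None:
        # Step b2: the indicator lamp goes off and the equipment stops.
        self.lamps[sig.device] = "off"
        self.equipment[sig.device] = "stopped"


class DigitalTwinPlant:
    """Digital twin: records the microscopic fault process step by step."""

    def __init__(self) -> None:
        self.fault_process: List[str] = []

    def on_signal(self, sig: AbnormalControlSignal) -> None:
        self.fault_process.append(f"{sig.device}: {sig.attack} -> {sig.detail}")


class SecurityProtectionUnit:
    """Audit records every attempt; after the first detection the firewall is
    armed and later attack traffic is dropped before it reaches the target."""

    def __init__(self) -> None:
        self.audit_log: List[str] = []
        self.firewall_armed = False

    def inspect(self, sig: AbnormalControlSignal) -> bool:
        """Return True if the signal reaches the target, False if it is blocked."""
        if self.firewall_armed:
            self.audit_log.append(f"BLOCKED {sig.attack} on {sig.device}")
            return False
        self.audit_log.append(f"DETECTED {sig.attack} on {sig.device}")
        self.firewall_armed = True
        return True


class TargetIndustrialControlUnit:
    """Step b1 sender: fans the abnormal control signal out to every display unit."""

    def __init__(self) -> None:
        self._subscribers: List[Callable[[AbnormalControlSignal], None]] = []

    def subscribe(self, handler: Callable[[AbnormalControlSignal], None]) -> None:
        self._subscribers.append(handler)

    def compromised(self, sig: AbnormalControlSignal) -> None:
        for handler in self._subscribers:
            handler(sig)


def run_demonstration(handling_command: bool) -> Dict[str, object]:
    """Run a constructed attack sequence; handling_command=True models the
    operator's instruction that starts the safety protection unit."""
    devices = ["PLC-1", "PLC-2"]
    target = TargetIndustrialControlUnit()
    sand_table = PhysicalSimulationModel(devices)
    twin = DigitalTwinPlant()
    target.subscribe(sand_table.on_signal)
    target.subscribe(twin.on_signal)
    protection = SecurityProtectionUnit() if handling_command else None

    # Constructed sequence of signals the attack penetration unit would cause.
    steps = [
        AbnormalControlSignal("PLC-1", "man-in-the-middle spoofing", "setpoint register rewritten"),
        AbnormalControlSignal("PLC-2", "instruction injection", "stop command accepted"),
    ]
    for sig in steps:
        if protection is not None and not protection.inspect(sig):
            continue  # firewall dropped it: no fault is displayed for this step
        target.compromised(sig)

    return {
        "lamps": sand_table.lamps,
        "equipment": sand_table.equipment,
        "fault_process": twin.fault_process,
        "audit_log": protection.audit_log if protection else [],
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"protection started: {enabled}")
        for key, value in run_demonstration(enabled).items():
            print(f"  {key}: {value}")
```

Running the model without the handling command shows both lamps off and two entries in the digital twin's fault process; with the protection unit started, the first attack step is detected and displayed while the second is blocked, so PLC-2 keeps running, which is the contrast the embodiment uses to show the protection effect.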
The network strategy of an industrial physical environment cannot be modified at will, and once a network problem occurs it can have a great impact; by studying a compensating technical solution for a network problem found in the simulation environment, the solution can be applied to the production scene in a timely and effective manner, and the safe operation of the production environment is protected in all respects. When attack penetration of the target industrial control is monitored, the preset safety protection unit is started to perform safety protection, which may include industrial security situation analysis, industrial intrusion signature protection, host whitelist protection and the like; the software and hardware behavior of abnormal network attacks on the target industrial control unit is comprehensively monitored and defended against, the effectiveness of the protection measures is verified, the network security decision-making capability is improved, and the enterprise is helped to improve its comprehensive protection capability. In this embodiment, attack penetration behavior is detected by the preset safety protection unit, and if it is monitored that the target industrial control is being attacked and penetrated, the attack penetration is defended against. A defense can likewise be mounted when other attack penetration behaviors are detected.
In this embodiment, the industrial firewall, industrial audit and host guard serve as network probes that upload network data to a security analysis brain in real time; the industrial controllers and industrial hosts are monitored in real time and linked with the security equipment to achieve cooperative protection under a common security strategy. Complex industrial network assets are inventoried intelligently, security events of all dimensions are classified by efficient aggregation in a big data engine, and the data are turned into a security picture the user can understand on a large screen, so that threats to the security of the industrial control network and the industrial control system become visible, controllable and manageable.
In this embodiment, the industrial physical environment and the network topological structure are physically simulated to obtain a sand table model and a simulation display board: the sand table model presents a real industrial production site environment, the simulation display board presents the network topological structure, and the resources of the industrial site control system are faithfully reproduced at the physical layer. A digital twin plant is then constructed based on the sand table model and the simulation display board, the real data of the sand table model and the simulation display board are merged into the simulated digital twin plant, and the industrial site space and the data space are merged, so that the network attack and defense situation is presented more intuitively and dynamically. A target attack scheme is obtained, attack penetration is carried out on the target industrial control according to it, the fault result of the attack penetration is displayed based on the sand table model and the simulation display board, and the microscopic fault process of the attack penetration is displayed based on the digital twin factory; adding a whole-process display by the digital twin system on top of the physical sand table display provides a complete data environment and object system for network security attack and defense design, network risk assessment and the like. Meanwhile, if a protection start instruction is received, the attack penetration is monitored and protected against, and the effect of the safety protection can be shown.
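The following is an added example of the two protection mechanisms the description names: the industrial host guard enforcing a process and host-interface whitelist, and the security analysis brain aggregating events uploaded by the firewall, audit and host guard probes along each dimension for the large-screen view, with the aggregated findings linked back to the firewall as a cooperative block list. It is not code from the patent or from its applicant; the probe names come from the description, while the event format, field names, the hash and interface placeholders and the sample events are constructed assumptions.

```python
"""Host guard whitelist and multi-dimensional event aggregation (added example,
not the patent's own code; event format and sample data are assumptions)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    """One event uploaded by a probe to the security analysis brain (constructed format)."""
    probe: str      # "industrial firewall", "industrial audit" or "host guard"
    asset: str      # monitored asset, e.g. engineer station or controller
    category: str   # event type; one of the classification dimensions
    severity: str   # "low", "medium" or "high"
    source: str     # network source of the event, or the local process/device name


class HostGuard:
    """Industrial host guard: process whitelist plus host-interface whitelist.
    Anything not on a list is refused and reported as a security event."""

    def __init__(self, allowed_hashes: Iterable[str], allowed_interfaces: Iterable[str]) -> None:
        self.allowed_hashes: Set[str] = set(allowed_hashes)
        self.allowed_interfaces: Set[str] = set(allowed_interfaces)

    def check_process(self, host: str, name: str, sha256: str) -> Tuple[bool, Optional[SecurityEvent]]:
        if sha256 in self.allowed_hashes:
            return True, None
        return False, SecurityEvent("host guard", host, "unauthorised process", "high", name)

    def check_interface(self, host: str, device_id: str) -> Tuple[bool, Optional[SecurityEvent]]:
        if device_id in self.allowed_interfaces:
            return True, None
        return False, SecurityEvent("host guard", host, "unauthorised interface", "medium", device_id)


def classify(events: Iterable[SecurityEvent]) -> Dict[str, Dict[str, int]]:
    """Aggregate events along each dimension (probe, asset, category, severity),
    which is what the large-screen summary is built from."""
    events = list(events)
    return {
        dim: dict(Counter(getattr(e, dim) for e in events))
        for dim in ("probe", "asset", "category", "severity")
    }


def cooperative_block_list(events: Iterable[SecurityEvent]) -> List[str]:
    """Security strategy linkage: network sources behind any high-severity event
    reported by the audit or firewall probe are handed to the firewall to block."""
    sources = {
        e.source for e in events
        if e.severity == "high" and e.probe in ("industrial audit", "industrial firewall")
    }
    return sorted(sources)


def demo() -> Dict[str, object]:
    """Feed constructed probe data through the guard and the analysis brain."""
    # Constructed whitelist: the hash strings are placeholders, not real digests.
    guard = HostGuard(
        allowed_hashes={"hash-of-plc-programming-tool", "hash-of-hmi-runtime"},
        allowed_interfaces={"usb:vendor1234:prod0001"},
    )
    # Constructed events from the network probes.
    events: List[SecurityEvent] = [
        SecurityEvent("industrial firewall", "controller PLC-1", "blocked write", "high", "10.0.5.77"),
        SecurityEvent("industrial audit", "controller PLC-1", "unexpected function code", "high", "10.0.5.77"),
        SecurityEvent("industrial audit", "engineer station", "operator login", "low", "10.0.1.10"),
    ]
    # Host guard checks on the engineer station: one known tool, one unknown binary.
    for host, name, digest in [
        ("engineer station", "plc_tool.exe", "hash-of-plc-programming-tool"),
        ("engineer station", "updater.exe", "hash-of-unknown-binary"),
    ]:
        ok, event = guard.check_process(host, name, digest)
        if not ok and event is not None:
            events.append(event)
    ok, event = guard.check_interface("engineer station", "usb:vendor9999:prod0042")
    if not ok and event is not None:
        events.append(event)
    return {
        "summary": classify(events),
        "firewall_block": cooperative_block_list(events),
        "events": events,
    }


if __name__ == "__main__":
    result = demo()
    for dim, counts in result["summary"].items():
        print(f"{dim}: {counts}")
    print("handed to firewall:", result["firewall_block"])
```

The whitelist check returns the decision together with the event to upload, so the guard both blocks locally and feeds the central view; the block list is derived only from high-severity network events so that a low-severity audit record such as an operator login never turns into a firewall rule.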
Referring to fig. 3, fig. 3 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
The network attack and defense display device in the embodiment of the invention can be a PC, and can also be a terminal device such as a tablet computer, a portable computer and the like.
As shown in fig. 3, the network defense and attack display device may include: a processor 1001, such as a CPU (Central Processing Unit), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Optionally, the network defense and attack display device may further include a target user interface, a network interface, a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WiFi module, and the like. The target user interface may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the selectable target user interfaces may also include standard wired interfaces, wireless interfaces. The network interface optionally may include a standard wired interface, a wireless interface (e.g., WI-FI interface).
Those skilled in the art will appreciate that the structure of the network attack and defense display device shown in FIG. 3 does not constitute a limitation of the device, which may include more or fewer components than those shown, some components in combination, or a different arrangement of components.
As shown in fig. 3, a memory 1005, which is a kind of computer storage medium, may include an operating system, a network communication module, and a network attack and defense exhibition program. The operating system is a program for managing and controlling hardware and software resources of the network attack and defense display device and supports the operation of the network attack and defense display program and other software and/or programs. The network communication module is used for realizing communication among the components in the memory 1005 and communication with other hardware and software in the network defense and attack display device.
In the network defense and attack display device shown in fig. 3, the processor 1001 is configured to execute the network defense and attack display program stored in the memory 1005, so as to implement the steps of the network defense and attack display method described in any one of the above.
The specific implementation of the network attack and defense display device of the invention is basically the same as that of each embodiment of the network attack and defense display method, and the details are not repeated herein.
The present invention further provides a computer-readable storage medium, on which a network attack and defense display program is stored, and when being executed by a processor, the network attack and defense display program implements the steps of the network attack and defense display method according to any one of the above embodiments.
The specific embodiment of the computer-readable storage medium of the present invention is substantially the same as the embodiments of the network attack and defense display method described above, and details are not described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. The network attack and defense display system is characterized by comprising an attack penetration unit, a target industrial control unit, a physical simulation unit, a digital twin unit and a safety protection unit, wherein the attack penetration unit is used for performing attack penetration on the target industrial control unit; the target industrial control unit is used for sending an abnormal control signal to the physical simulation unit and the digital twin unit when the target industrial control unit is attacked and infiltrated; the physical simulation unit is used for receiving the abnormal control signal, causing equipment failure according to the abnormal control signal and displaying a failure result; the digital twin unit is used for receiving the abnormal control signal and displaying a microscopic fault process according to the abnormal control signal; the safety protection unit is used for monitoring the attack process of the attack penetration and defending the attack penetration process according to the handling command of the user.
2. The network defense and attack display system according to claim 1, wherein the physical simulation unit comprises a sand table model and a simulation display board, the sand table model is used for simulating an industrial physical environment, the simulation display board is used for integrating a network topology, and the physical simulation unit is used for driving the sand table model and the simulation display board to cause equipment failure according to the abnormal control signal and displaying a failure result.
3. The network defense and attack demonstration system according to claim 1, wherein the digital twin unit is used for constructing a digital twin factory according to the physical simulation unit and demonstrating a microscopic fault process based on the digital twin factory and the abnormal control signal.
4. The network defense and attack display system according to claim 1, wherein the attack penetration unit, the target industrial control unit, the physical simulation unit, the digital twin unit and the safety protection unit are independent of each other.
5. The network defense presentation system of claim 1, wherein the attack penetration unit is configured to integrate a plurality of attack scenarios, the attack scenarios comprising at least one of industrial fingerprint sniffing, a man-in-the-middle spoofing attack, an instruction injection attack, and an exploit attack.
6. The network attack and defense display method is applied to the network attack and defense display system of claim 1, and comprises the following steps:
carrying out physical simulation on an industrial physical environment and a network topological structure to obtain a physical simulation model;
constructing a digital twin plant based on the physical simulation model;
and performing network attack and defense display according to the physical simulation model and the digital twin factory.
7. The network defense and attack demonstration method according to claim 6, wherein the step of performing network defense and attack demonstration according to the physical simulation model and the digital twin factory comprises the following steps:
acquiring a target attack scheme, and carrying out attack penetration on target industrial control according to the target attack scheme;
displaying the fault result of the attack penetration based on the physical simulation model, and displaying the microscopic fault process of the attack penetration based on the digital twin plant;
and if the target industrial control is monitored to have attack penetration, defending the attack penetration.
8. The network defense and attack demonstration method according to claim 7, wherein the step of demonstrating the fault result of the attack penetration based on the physical simulation model and demonstrating the microscopic fault process of the attack penetration based on the digital twin plant comprises:
receiving an abnormal control signal sent by a preset target industrial control unit;
and driving the physical simulation model to display the fault result according to the abnormal control signal, and driving the digital twin factory to display the microscopic fault process according to the abnormal control signal.
9. A network attack and defense demonstration device, characterized in that the network attack and defense demonstration device comprises a memory, a processor and a network attack and defense demonstration program stored on the memory and capable of running on the processor, wherein the network attack and defense demonstration program when executed by the processor realizes the steps of the network attack and defense demonstration method according to any one of claims 6 to 8.
10. A computer-readable storage medium, wherein a network attack and defense demonstration program is stored on the computer-readable storage medium, and when being executed by a processor, the network attack and defense demonstration program realizes the steps of the network attack and defense demonstration method according to any one of claims 6 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111410072.XA CN114296406B (en) 2021-11-24 2021-11-24 Network attack and defense display system, method and device and computer readable storage medium


Publications (2)

Publication Number Publication Date
CN114296406A true CN114296406A (en) 2022-04-08
CN114296406B CN114296406B (en) 2024-01-19

Family

ID=80965213


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115292704A (en) * 2022-10-08 2022-11-04 北京六方云信息技术有限公司 Attack and defense testing method and device for power dispatching network, terminal equipment and storage medium
CN115484175A (en) * 2022-10-27 2022-12-16 北京六方云信息技术有限公司 Intelligent manufacturing network attack and defense display method, device and system and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009155469A2 (en) * 2008-06-18 2009-12-23 Eads Na Defense Security And Systems Solutions, Inc. Systems and methods for a simulated network environment and operation thereof
CN108040070A (en) * 2017-12-29 2018-05-15 北京奇虎科技有限公司 A kind of network security test platform and method
CN110098951A (en) * 2019-03-04 2019-08-06 西安电子科技大学 A kind of network-combination yarn virtual emulation based on virtualization technology and safety evaluation method and system
CN111727432A (en) * 2018-02-20 2020-09-29 通用电气公司 Network attack detection, localization and neutralization for drones
CN112052607A (en) * 2020-09-29 2020-12-08 国网青海省电力公司电力科学研究院 Intelligent penetration testing method and device for power grid equipment and system
CN112118272A (en) * 2020-11-18 2020-12-22 中国人民解放军国防科技大学 Network attack and defense deduction platform based on simulation experiment design
CN112615836A (en) * 2020-12-11 2021-04-06 杭州安恒信息技术股份有限公司 Industrial control network safety protection simulation system
CN113572660A (en) * 2021-07-27 2021-10-29 哈尔滨工大天创电子有限公司 Demonstration method, device, terminal and storage medium based on network attack and defense simulation



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant