CN114374528A - Data security detection method and device, electronic equipment and medium - Google Patents


Info

Publication number: CN114374528A
Authority: CN (China)
Prior art keywords: internet, industrial, attack, data, feature library
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Application number: CN202111403128.9A
Other languages: Chinese (zh)
Inventors: 孙晓乐, 吴艳芸, 张贝, 王银霞, 孙伟峰, 王宇东, 王震, 李丽科
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Zhengzhou Kejiexin Big Data Application Technology Co ltd; Henan Zhongyu Guangheng Technology Co ltd
Original Assignee: Zhengzhou Kejiexin Big Data Application Technology Co ltd; Henan Zhongyu Guangheng Technology Co ltd
Application filed by Zhengzhou Kejiexin Big Data Application Technology Co ltd and Henan Zhongyu Guangheng Technology Co ltd
Priority to CN202111403128.9A
Publication of CN114374528A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23 Updating
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application provides a data security detection method, a data security detection device, electronic equipment and a medium suitable for the industrial internet. The method comprises the following steps: constructing an internet of things attack feature library, which comprises various industrial feature libraries and various internet feature libraries; capturing data streams in the industrial internet and matching the captured data streams with the internet of things attack feature library to obtain a matching result; judging, according to the matching result, whether data matching the internet of things attack feature library exists in the captured data stream; and if so, judging that the industrial internet is under attack and generating attack warning information for the data with industrial attack characteristics or internet attack characteristics. The method and device can detect potential safety hazards in an industrial network interconnected with the internet and ensure information security within the industrial network.

Description

Data security detection method and device, electronic equipment and medium
Technical Field
The present application relates to the field of information security technology, and in particular to a data security detection method, apparatus, electronic device and medium.
Background
With the development of computer and network technologies, in particular the deep integration of informatization with industry and the rapid growth of the internet of things, industrial control system products are increasingly connected to networks. They face the complex ecological environment of the internet and are connected to public networks such as the internet in various ways; threats such as viruses and trojans are spreading to industrial control systems, and the information security problem of industrial control systems is increasingly prominent.
Existing data security detection methods are mainly aimed at the internet and can detect threats such as intrusions and viruses directed at the internet. Because the existing industrial network is connected to the internet, the industrial network is exposed on the internet through network interconnection and bears the risk of being attacked, yet no complete security detection mechanism for it exists.
Disclosure of Invention
In view of this, an object of the present application is to provide a data security detection method, apparatus, electronic device and medium, which detect a security risk in an industrial network interconnected with the internet and ensure information security in the industrial network.
The data security detection method provided by the embodiments of the application is suitable for the industrial internet; the method comprises the following steps:
constructing an internet of things attack feature library, wherein the internet of things attack feature library comprises various industrial feature libraries and various internet feature libraries;
capturing data streams in the industrial internet, and matching the captured data streams with the internet of things attack feature library to obtain a matching result;
judging, according to the matching result, whether data matching the internet of things attack feature library exists in the captured data stream;
and if so, judging that the industrial internet is under attack, and generating attack warning information for the data with industrial attack characteristics or internet attack characteristics.
In some embodiments, after the attack feature library is constructed, the method further includes:
detecting in real time whether industrial attack characteristics or internet attack characteristics have been updated in an external security database;
and if so, updating in real time the industrial feature library or internet feature library corresponding to the updated industrial attack feature or internet attack feature according to that updated feature.
In some embodiments of the data security detection method, the type of the industrial feature library and the type of the internet feature library each include at least one of: an intrusion feature library, a virus feature library, an application feature library, a Trojan feature library, a webmail feature library, and a junk mail feature library.
In some embodiments, in the data security detection method, the application feature library defines, for an application that meets a preset condition, a security policy of the application.
In some embodiments of the data security detection method, the constructed internet of things attack feature library further includes an industrial protocol white list;
after capturing the data stream in the industrial internet, the method further comprises the following steps:
matching the industrial protocol carried by the data in the data stream captured in the industrial internet against the industrial protocol white list to obtain a matching result;
if the matching result meets a preset release condition, releasing the data in the data stream;
and if the matching result does not meet the preset release condition, performing exception processing on the data.
In some embodiments, there is also provided an industrial internet-based security detection apparatus, including:
a construction module, a configuration module and a management module, wherein the construction module is used for constructing an internet of things attack feature library, and the internet of things attack feature library comprises various industrial feature libraries and various internet feature libraries;
a capturing module, used for capturing data streams in the industrial internet and matching the captured data streams with the internet of things attack feature library to obtain a matching result;
a judging module, used for judging, according to the matching result, whether data matching the internet of things attack feature library exists in the captured data stream;
and a generating module, used for judging that the industrial internet is under attack when the captured data stream contains data matching the internet of things attack feature library, and generating attack warning information for the data with industrial attack features or internet attack features.
In some embodiments, the industrial internet-based security detection apparatus further includes:
the detection module is used for detecting whether the industrial attack characteristics or the internet attack characteristics are updated in an external security database in real time;
and the updating module is used for updating the industrial feature library or the internet feature library corresponding to the updated industrial attack feature or internet attack feature in real time according to the updated industrial attack feature or internet attack feature when the detection module detects that the industrial attack feature or the internet attack feature is updated.
In some embodiments, the industrial internet-based security detection apparatus further includes:
a matching module, used for matching the industrial protocol carried by the data in the data stream captured in the industrial internet against the industrial protocol white list to obtain a matching result;
a releasing module, used for releasing the data in the data stream when the matching result meets the preset release condition;
and a processing module, used for performing exception processing on the data when the matching result does not meet the preset release condition.
In some embodiments, there is also provided an electronic device, including a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions being executed by the processor to perform the steps of the data security detection method.
In some embodiments, a computer-readable storage medium is also provided, on which a computer program is stored, which, when being executed by a processor, performs the steps of the data security detection method.
The method detects whether data of the industrial network is safe from two aspects, threats originating from the internet and threats aimed specifically at the industrial network, through an internet of things attack feature library constructed from an internet feature library and an industrial network feature library. The internet feature library and the industrial network feature library each comprise multiple types: on the basis of the traditional intrusion detection, virus detection and application feature libraries, feature libraries such as a Trojan library, a webmail library and a junk mail library are added so as to detect whether data is safe from multiple dimensions.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a flowchart of a data security detection method according to an embodiment of the present application;
Fig. 2 is a flowchart of another data security detection method according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an industrial internet-based security detection apparatus according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of another industrial internet-based security detection apparatus according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of another industrial internet-based security detection apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it should be understood that the drawings in the present application are for illustrative and descriptive purposes only and are not used to limit the scope of protection of the present application. Additionally, it should be understood that the schematic drawings are not necessarily drawn to scale. The flowcharts used in this application illustrate operations implemented according to some embodiments of the present application. It should be understood that the operations of the flow diagrams may be performed out of order, and steps without logical context may be performed in reverse order or simultaneously. One skilled in the art, under the guidance of this application, may add one or more other operations to, or remove one or more operations from, the flowchart.
In addition, the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that in the embodiments of the present application, the term "comprising" is used to indicate the presence of the features stated hereinafter, but does not exclude the addition of further features.
The traditional "old three" in the field of information security are firewalls, Intrusion Detection Systems (IDS) and antivirus software.
A firewall is a protective barrier composed of software and hardware devices, built on the interfaces between an internal network and an external network and between a private network and a public network. It is a concrete expression of a security method and a combination of computer hardware and software that establishes a security gateway (Security Gateway) between the Internet and the intranet, thereby protecting the internal network from intrusion by illegal users. It mainly comprises four parts: service access rules, authentication tools, packet filtering and application gateways. A firewall is software or hardware positioned between a computer and the network it is connected to; all network traffic and data packets flowing into and out of the computer pass through the firewall.
In a network, a "firewall" refers to a method of separating an intranet from a publicly accessible network (e.g., the Internet), which is in fact an isolation technique. A firewall is an access control measure applied when two networks communicate: it allows the people and data you "agree" to into your network, rejects the people and data you "disagree" with, and prevents, as far as possible, hackers on the network from accessing your network. In other words, without passing through the firewall, a person inside the company cannot access the Internet, and a person on the Internet cannot communicate with a person inside the company.
An Intrusion Detection System (IDS) is a combination of software and hardware, a reasonable complement to a firewall, and a second security gate behind the firewall. Unlike a firewall, an IDS is a listening device: it is attached to a link through which all traffic of interest must flow. Here, "traffic of interest" refers to access traffic from high-risk network areas and network messages that need to be counted and monitored. Therefore, the location of an IDS in a switched network is generally chosen to be as close as possible to the source of attacks or to the protected resources, for example: on the switches of the server area; on the first switch behind the Internet access router; or on the local area network switch of the network segment that primarily needs protection.
Intrusion Detection Systems (IDS) are classified according to the technology employed: 1) anomaly detection: anomaly detection assumes that an intruder's activity differs from that of a normal subject; an "activity profile" of normal activity is established, and when the activity of the current subject violates the statistical rule, the behavior is considered a possible intrusion. 2) Feature detection: feature detection assumes that intruder activity can be represented by patterns, and the goal of the system is to detect whether subject activity conforms to these patterns.
Antivirus software, also known as anti-virus or virus-protection software, is a type of software used to eliminate computer threats such as computer viruses, trojan horses and malware.
Antivirus software usually integrates functions of monitoring and identifying, virus scanning and clearing, automatic upgrading, active defense and the like, some antivirus software also has functions of data recovery, hacker intrusion prevention, network flow control and the like, and is an important component of a computer defense system (comprising antivirus software, a firewall, a program for searching and killing trojan horses and malicious software, an intrusion prevention system and the like).
Antivirus software is a program tool that can clean all known program code harmful to computers, such as viruses and trojans. Its task is to monitor and scan the disks in real time. Some antivirus software loads into the system by adding a driver and starts together with the operating system. Most antivirus software also has firewall functionality. The real-time monitoring mode varies from product to product: some antivirus software reserves part of the memory and compares data flowing through the computer's memory with the feature codes of the virus library (including virus definitions) carried by the antivirus software to judge whether the data is a virus; other antivirus software virtually executes programs submitted by the system or the user in the reserved memory space and makes its judgment according to the behavior or results of those programs.
Firewalls, antivirus software and Intrusion Detection Systems (IDS) all need to define certain monitoring strategies, and whether data is safe is detected by checking whether the data satisfies those detection strategies. However, with the development of computer and network technologies and the trends of "Industry 4.0", "two-way fusion" (the integration of informatization and industrialization) and "Internet +", traditional industrial control systems expose themselves on the internet through network interconnection, so that the systems are easily attacked by viruses, trojans and hackers from enterprise management networks or the internet. Such attacks are usually directed at the characteristics of the industrial network, whereas the monitoring strategies in existing firewalls, antivirus software and Intrusion Detection Systems (IDS) are directed at the internet, and their attack feature libraries are all internet feature libraries. Therefore, existing internet data security detection methods cannot effectively detect attacks on the industrial internet in the data, and huge security risks and hidden dangers exist in key infrastructure, important systems and the like controlled by industrial control systems.
Based on the above, the application provides a data security detection method suitable for the industrial internet; as shown in Fig. 1, the method comprises the following steps:
S101, constructing an internet of things attack feature library, wherein the internet of things attack feature library comprises various industrial feature libraries and various internet feature libraries;
S102, capturing data streams in the industrial internet, and matching the captured data streams with the internet of things attack feature library to obtain a matching result;
S103, judging, according to the matching result, whether data matching the internet of things attack feature library exists in the captured data stream;
and S104, if so, judging that the industrial internet is under attack, and generating attack warning information for the data with industrial attack characteristics or internet attack characteristics.
In step S101, the type of the industrial feature library and the type of the internet feature library both include at least one of the following: an intrusion feature library, a virus feature library, an application feature library, a Trojan feature library, a webmail feature library, and a junk mail feature library.
For the intrusion feature library, virus feature library, application feature library, Trojan feature library, webmail feature library and junk mail feature library that belong to the industrial feature library, the detection strategies established are all directed at the industrial network.
The industrial network, also called an industrial control system, comprises three layers: an information decision layer, a process monitoring layer and a field device layer. Data is exchanged between the layers.
The information decision layer is applied to daily office work of staff, enterprise information publishing, establishment and maintenance of an enterprise information database, report submission, query and other functions. The intranet can coexist with the external internet for use, and some isolation control strategies are adopted, such as administrator authorization and the like; in the communication process between the intranet and the extranet, enterprises also use safety protection products, such as a safety gatekeeper and the like. The establishment of the enterprise information network completes the two-way communication of the industrial production side data network and opens a gate to the Internet for the production network. Hackers have a better chance to collect information such as identity authentication, access addresses and the like of the enterprise information management system and log in the office system according to the obtained information.
The process monitoring layer is connected with the information network and the production site, and in order to ensure that local area networks of all parts can communicate smoothly, an industrial Ethernet protocol is generally adopted for realizing data transmission, and the openness of the industrial network is further enhanced. The process monitoring layer can acquire real-time production data of the field device in real time and send a production instruction to the field device.
The field device layer connects controllers such as PLCs with underlying devices such as sensors.
Therefore, the attack against the industrial network includes an internet attack against the information decision layer, for example, an attack against the intranet to obtain enterprise information; attacks against industrial control systems are also included, such as sending incorrect production instructions to field devices, implanting an intrusion program on a PLC, etc.
Therefore, the internet of things attack feature library constructed by the method not only comprises the internet feature library, but also comprises the industrial network feature library, so that whether the data of the industrial network is safe or not is comprehensively detected. The internet feature library and the industrial network feature library respectively comprise multiple types so as to detect whether data are safe or not from multiple dimensions.
In the step S102, the captured data stream is matched with the internet of things attack feature library to obtain a matching result, which specifically includes a plurality of different matching modes.
For example, in some embodiments, the operating state, operating parameters and real-time production data of the devices in the field device layer are collected in real time, and attack behavior against the industrial network is identified from changes in the condition of the field devices.
The identification of the attack behavior on the industrial network by the change of the field device can be achieved by various methods, such as model-based detection and machine learning-based detection.
For example, for a virus feature library and a Trojan horse feature library belonging to an industrial feature library, various 'appearance features' of industrial network viruses and Trojan horses are recorded in the virus feature library and the Trojan horse feature library, so that the similarity of data in the industrial network and the industrial network viruses and Trojan horses is detected as a matching result.
In the step S103, it is determined whether data matched with the internet of things attack feature library exists in the captured data stream according to the matching result, for example, when the similarity between the data in the industrial network and the viruses and trojans in the industrial network reaches a preset threshold, it is determined that the data is viruses and trojans.
Since the industrial network is attacked, the equipment may be shut down, economic losses are caused to enterprises, and in the case of industrial networks such as power supply networks and natural gas networks, more social losses are caused, so that more cautious judgment is needed to determine whether the attack characteristics exist in the data. For single detection of data, multiple security policies are often required to be matched, and if the matching result of the data and any one security policy meets a preset matching condition, the data is judged to be abnormal data.
In step S104, generating attack warning information for the data with the industrial attack characteristic or the internet attack characteristic, specifically including:
according to the judgment result, two behavior modes are preset aiming at the data: release and warning;
and if the matching result of the data and the internet of things attack feature library meets a preset releasing condition, releasing the data so as to realize the mutual communication between different levels in the industrial network and ensure the normal production of the industrial control system.
And if the matching result of the data and the internet of things attack feature library does not meet the preset release condition, generating warning information aiming at the data.
For the industrial internet, the warning information includes information about the relevant field devices, where the relevant field devices are those through which the data with industrial attack characteristics or internet attack characteristics has passed. The information of a field device includes its number, location, interface and the like.
For example, after data abnormality is detected, the data is acquired in real time by a smoke sensor with an interface of 1xxxx and an IC identification chip with a serial number of 2xxx, is analyzed and repackaged by a PLC with a location of 3xxx, and is sent to a monitoring host with a serial number of 4xxx in an equipment monitoring layer, and the monitoring host forwards the data to an enterprise information network.
Based on this, the warning message may be a popup, and the popup message includes information about a specific field device. For example, the data sent by the smoke sensor 1xxxx is abnormal, and the abnormal data is xxx and is required to be processed in time.
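As an added illustration (not code from the patent), the following Python model walks through steps S101 to S104 together with the industrial protocol white list from the disclosure: the category names, protocol names, feature patterns, similarity threshold and captured records are all constructed for the example.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# S101: one internet of things attack feature library with an industrial half and an
# internet half, each split into the six category libraries named in the description.
CATEGORIES = ("intrusion", "virus", "application", "trojan", "webmail", "junkmail")
SIDES = ("industrial", "internet")


@dataclass
class FeatureLibrary:
    # side -> category -> list of (feature name, recorded 'appearance feature')
    entries: dict = field(
        default_factory=lambda: {s: {c: [] for c in CATEGORIES} for s in SIDES})
    # industrial protocol white list (protocol names are constructed for the example)
    protocol_whitelist: set = field(default_factory=set)

    def add(self, side: str, category: str, name: str, pattern: str) -> None:
        self.entries[side][category].append((name, pattern))


@dataclass
class Record:
    """One unit of the captured data stream plus the field device it passed through."""
    device_number: str
    location: str
    interface: str
    protocol: str
    payload: str


def similarity(payload: str, pattern: str) -> float:
    """Best similarity (0..1) of any payload window to a recorded appearance feature."""
    if len(pattern) > len(payload):
        return SequenceMatcher(None, payload, pattern).ratio()
    return max(
        SequenceMatcher(None, payload[i:i + len(pattern)], pattern).ratio()
        for i in range(len(payload) - len(pattern) + 1))


def match_features(rec: Record, lib: FeatureLibrary, threshold: float) -> list:
    """S102/S103: match against every library; each hit at or above the threshold counts."""
    hits = []
    for side in SIDES:
        for category, patterns in lib.entries[side].items():
            for name, pattern in patterns:
                score = similarity(rec.payload, pattern)
                if score >= threshold:
                    hits.append({"side": side, "category": category,
                                 "name": name, "score": round(score, 2)})
    return hits


def detect(stream, lib: FeatureLibrary, threshold: float = 0.8) -> list:
    """Whole method over a captured stream: protocol white list first, then S104."""
    decisions = []
    for rec in stream:
        if rec.protocol not in lib.protocol_whitelist:
            # protocol not on the white list: exception processing, data is not released
            decisions.append({"device": rec.device_number, "action": "exception",
                              "reason": f"protocol {rec.protocol!r} not in white list"})
            continue
        hits = match_features(rec, lib, threshold)
        if not hits:
            decisions.append({"device": rec.device_number, "action": "release"})
            continue
        # a match against any single policy is enough to treat the data as abnormal;
        # the warning carries the number, location and interface of the field device
        decisions.append({
            "device": rec.device_number, "action": "warning", "hits": hits,
            "field_device": {"number": rec.device_number, "location": rec.location,
                             "interface": rec.interface},
            "message": (f"data sent by device {rec.device_number} (interface "
                        f"{rec.interface}) is abnormal: {rec.payload!r}"),
        })
    return decisions


def build_sample_library() -> FeatureLibrary:
    """Constructed sample library; the patterns are illustrative, not real signatures."""
    lib = FeatureLibrary()
    lib.protocol_whitelist.update({"modbus-tcp", "s7comm", "opc-ua"})
    lib.add("industrial", "intrusion", "ForceCoilsAllOn", "WRITE_MULTIPLE_COILS 0 ALL=1")
    lib.add("industrial", "trojan", "PlcLogicPatch", "PATCH_LOGIC_BLOCK OB1")
    lib.add("internet", "junkmail", "SpamSubject", "Subject: YOU HAVE WON")
    return lib


SAMPLE_STREAM = [  # constructed captured records (device numbers follow the text's style)
    Record("2xxx", "3xxx", "1xxxx", "modbus-tcp", "READ_HOLDING_REGISTERS 40001 count=2"),
    Record("2xxx", "3xxx", "1xxxx", "modbus-tcp", "WRITE_MULTIPLE_COILS 0 ALL=1 origin=HMI-02"),
    Record("5xxx", "3xxx", "1xxxy", "ftp", "STOR update.bin"),
]


def run_sample() -> list:
    return detect(SAMPLE_STREAM, build_sample_library())
```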
In some embodiments, after generating the warning information for the data, the data security detection method further comprises: the industrial network reacts to the data so as to switch the transmission of the data within the industrial network.
Specifically, the industrial network reacting to the data includes: the industrial network reacts to the data according to user-defined actions.
By continuously updating the internet of things attack feature library, whether the data in the industrial network is safe can be detected more accurately.
Taking a virus database as an example: conventional antivirus software generally updates its virus database every few days, but owing to the sharp increase in the number of computer viruses, the update interval of external virus databases is now measured in hours.
Based on the above, after the attack feature library is constructed, the data security detection method further comprises the following steps:
detecting whether industrial attack characteristics or internet attack characteristics are updated in an external security database in real time;
and if so, updating the industrial feature library or the internet feature library corresponding to the updated industrial attack feature or internet attack feature in real time according to the updated industrial attack feature or internet attack feature.
The external security database comprises, under the internet classification, an intrusion feature library, a virus feature library, an application feature library, a Trojan feature library, a webmail feature library and a junk mail feature library, and, under the industrial network classification, an intrusion feature library, a virus feature library, an application feature library, a Trojan feature library, a webmail feature library and a junk mail feature library.
Detecting in real time whether an industrial attack feature or an internet attack feature has been updated in the external security database specifically comprises the following steps:
the internet of things attack feature library is communicatively connected to the intrusion, virus, application, Trojan, webmail and junk mail feature libraries under the internet classification and to the intrusion, virus, application, Trojan, webmail and junk mail feature libraries under the industrial network classification;
and when the internet of things attack feature library receives update information from any of these databases, the feature library corresponding to that database is updated.
In this embodiment, when the internet of things attack feature library receives update information from any one database, the feature library corresponding to that database is updated according to the received update operation.
For example, when the internet of things attack feature library receives update information from any database, a prompt asking whether to update that database is popped up on the user's host. If the user selects yes, the feature library corresponding to the database is updated immediately. If the user selects no, the corresponding feature library is left unchanged for the time being, and the 'whether to update' prompt is popped up again after a preset time period.
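As an added illustration of the update procedure above (example code written for this page, not the patent's own implementation), the following Python sketch models the external security databases as versioned signature sets, polls them for versions newer than the ones held locally, and applies the accept / decline-and-re-prompt logic with a preset retry period. The class and function names, the version counter, and the confirm() callback standing in for the "update now?" popup are assumptions; the signatures and the scenario in demo() are constructed.

```python
"""Hot update of the internet of things attack feature library from external
security databases.  Added example; the names, the version counter and the
confirm() callback standing in for the "update now?" popup are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A feature library is keyed by (network class, feature type), e.g. ("industrial", "intrusion").
LibKey = Tuple[str, str]
NETWORK_CLASSES = ("internet", "industrial")
FEATURE_TYPES = ("intrusion", "virus", "application", "trojan", "webmail", "spam")


@dataclass
class ExternalSecurityDatabase:
    """Constructed stand-in for the external databases: one version number and
    one signature set per (class, type); publish() is what an upstream feed does."""
    versions: Dict[LibKey, int] = field(default_factory=dict)
    signatures: Dict[LibKey, Set[str]] = field(default_factory=dict)

    def publish(self, key: LibKey, new_sigs: Set[str]) -> None:
        self.versions[key] = self.versions.get(key, 0) + 1
        self.signatures.setdefault(key, set()).update(new_sigs)


@dataclass
class IotAttackFeatureLibrary:
    libs: Dict[LibKey, Set[str]] = field(default_factory=dict)
    seen_versions: Dict[LibKey, int] = field(default_factory=dict)
    # Updates the user declined: key -> time at which to prompt again.
    deferred: Dict[LibKey, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for cls in NETWORK_CLASSES:           # 2 classes x 6 types = 12 libraries
            for ftype in FEATURE_TYPES:
                self.libs.setdefault((cls, ftype), set())
                self.seen_versions.setdefault((cls, ftype), 0)

    def poll(self, db: ExternalSecurityDatabase, confirm: Callable[[LibKey], bool],
             now: float, retry_after: float) -> List[Tuple[LibKey, str]]:
        """One real-time detection pass over the external database.

        Returns (key, outcome) for each library whose external copy is newer than
        ours: "updated" if the user accepted, "deferred" if declined or still
        inside the quiet period after a previous refusal."""
        outcomes: List[Tuple[LibKey, str]] = []
        for key, version in db.versions.items():
            if version <= self.seen_versions.get(key, 0):
                continue                                  # nothing new for this library
            if key in self.deferred and now < self.deferred[key]:
                outcomes.append((key, "deferred"))        # do not nag before the preset period
                continue
            if confirm(key):                              # popup answered "yes"
                self.libs.setdefault(key, set()).update(db.signatures[key])  # only this library
                self.seen_versions[key] = version
                self.deferred.pop(key, None)
                outcomes.append((key, "updated"))
            else:                                         # popup answered "no": ask again later
                self.deferred[key] = now + retry_after
                outcomes.append((key, "deferred"))
        return outcomes


def demo() -> Dict[str, object]:
    """Constructed scenario: two upstream updates; the user accepts the industrial
    one, first declines the internet one, then accepts it on the re-prompt."""
    db = ExternalSecurityDatabase()
    lib = IotAttackFeatureLibrary()
    db.publish(("industrial", "intrusion"), {"modbus-write-coil-flood"})
    db.publish(("internet", "trojan"), {"constructed-beacon-ua"})

    def industrial_only(key: LibKey) -> bool:
        return key[0] == "industrial"

    first = lib.poll(db, industrial_only, now=0.0, retry_after=60.0)
    second = lib.poll(db, industrial_only, now=30.0, retry_after=60.0)   # inside quiet period
    third = lib.poll(db, lambda key: True, now=61.0, retry_after=60.0)   # re-prompted, accepted
    return {"first": first, "second": second, "third": third, "library": lib}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.libs if name == "library" else value)
```

Only the library whose external copy changed is touched, so an accepted industrial intrusion update never disturbs a deferred internet Trojan update, and a declined update is not silently dropped: it stays pending until the user accepts it on a later prompt.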
In this embodiment, in the data security detection method, the application feature library customizes the security policy of an application for applications meeting a preset condition.
Nowadays there are countless applications of every type on both the PC side and the mobile side, and new applications keep emerging. As more and more applications become identifiable and each application is updated faster and faster, two problems tend to arise: first, the existing application security policy cannot meet the identification requirements of emerging applications; second, for already installed applications, the existing security policy cannot meet the identification requirements of their updated versions.
Therefore, the security policy of an application is customized for applications meeting the preset condition, so as to improve the efficiency and accuracy of matching against the application feature library.
For example, applications satisfying the preset condition may include: installed applications, applications added to the white list, applications with a high risk level, and applications added to the black list.
For the data of installed applications and of applications added to the white list, a relatively loose security policy is adopted.
For the data of applications with a high risk level and of applications added to the black list, a relatively strict security policy is adopted.
In the data security detection method, the constructed internet of things attack feature library further comprises an industrial protocol white list;
after the data stream in the industrial internet is captured, as shown in fig. 2, the method further comprises the following steps:
S201, matching the industrial protocol carried by the data in the data stream captured in the industrial internet against the industrial protocol white list to obtain a matching result;
S202, if the matching result meets a preset release condition, releasing the data in the data stream;
and S203, if the matching result does not meet the preset release condition, performing exception handling on the data.
Industrial networks typically communicate using a single industrial protocol, such as Modbus TCP, OPC or IEC 60870-5-104 (IEC-104). The industrial protocol white list can therefore eliminate a large amount of abnormal data in the industrial network: the protocol features in the industrial traffic are matched, traffic whose protocol matches a rule in the white list is released, and data outside the white list is subjected to exception handling.
The user can customize the industrial protocol white list according to the industrial protocols adopted in the enterprise's industrial network and modify it as needed.
An embodiment of the present application further provides an industrial internet-based security detection apparatus, as shown in fig. 3, comprising:
a construction module 301, configured to construct an internet of things attack feature library, wherein the internet of things attack feature library comprises multiple types of industrial feature libraries and multiple types of internet feature libraries;
a capturing module 302, configured to capture a data stream in the industrial internet and match the captured data stream against the internet of things attack feature library to obtain a matching result;
a judging module 303, configured to judge, according to the matching result, whether the captured data stream contains data matching the internet of things attack feature library;
and a generating module 304, configured to judge that the industrial internet is under attack when the captured data stream contains data matching the internet of things attack feature library, and to generate attack warning information for the data carrying the industrial attack feature or the internet attack feature.
The industrial internet-based security detection device according to the embodiment of the present application, as shown in fig. 4, further includes:
the detection module 401 is configured to detect whether an industrial attack feature or an internet attack feature is updated in an external security database in real time;
an updating module 402, configured to update, in real time, an industrial feature library or an internet feature library corresponding to the updated industrial attack feature or internet attack feature according to the updated industrial attack feature or internet attack feature when the detection module detects that the industrial attack feature or internet attack feature is updated.
The industrial internet-based security detection device according to the embodiment of the present application, as shown in fig. 5, further includes:
a matching module 501, configured to match an industrial protocol carried by data in a data stream captured in the industrial internet with the industrial protocol white list to obtain a matching result;
a releasing module 502, configured to release the data in the data stream if the matching result meets a preset releasing condition;
and the processing module 503 is configured to perform exception handling on the data when the matching result does not meet the preset release condition.
In the industrial internet-based security detection apparatus disclosed by the embodiment of the present application, the construction module comprises: a customizing module, configured to customize, in the application feature library, the security policy of an application for applications meeting the preset condition.
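The capture / match / judge / warn chain of modules 301 to 304, together with the application policy tiers and the user-defined reaction described earlier, as one runnable Python sketch added for this page (not the patent's code). The Record, Signature and AttackWarning containers, the three signatures, the "severity" attribute, the APP_POLICY tiers and the REACTIONS table are assumptions; the sample stream is constructed, and the warning text follows the popup example with the smoke sensor and monitoring host.

```python
"""Capture -> match -> judge -> warn -> react pipeline of modules 301-304, run
over constructed records.  Added example, not the patent's code; the
signatures, the severity attribute, the application policy tiers and the
reaction table are assumptions made for this page."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Record:
    """One captured item: the traced device path it came through, the
    application carrying it, and its bytes."""
    device_path: str
    app: str
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    network_class: str    # "industrial" or "internet"
    feature_type: str     # intrusion / virus / application / trojan / webmail / spam
    severity: str         # "high" or "low" (assumed attribute, not in the patent)
    pattern: bytes


# Constructed signatures; a real library would be filled from the external databases.
SIGNATURES: List[Signature] = [
    # MBAP protocol id 0, length 6, any unit id, then FC 0x08 (diagnostics) with
    # sub-function 0x0004 "force listen only mode", which silences a Modbus slave.
    Signature("modbus-diag-force-listen-only", "industrial", "intrusion", "high",
              rb"\x00\x00\x00\x06.\x08\x00\x04"),
    Signature("http-path-traversal", "internet", "intrusion", "low", rb"\.\./\.\./"),
    Signature("constructed-beacon-ua", "internet", "trojan", "high",
              rb"User-Agent: evil-beacon/1\.0"),
]
COMPILED = [(sig, re.compile(sig.pattern, re.DOTALL)) for sig in SIGNATURES]

# Application feature library policy tiers (assumption): installed / white-listed
# applications get the loose tier, high-risk / black-listed or unknown ones the strict tier.
APP_POLICY: Dict[str, str] = {"scada-hmi": "loose", "unknown-tool": "strict"}

# User-defined reactions per feature type; "block" cuts the data's transmission.
REACTIONS: Dict[str, str] = {"intrusion": "block", "trojan": "block", "virus": "block"}


@dataclass(frozen=True)
class AttackWarning:
    device_path: str
    signature: str
    network_class: str
    feature_type: str
    reaction: str
    message: str


def match(record: Record) -> List[Signature]:
    """Module 302: match the captured data against every feature library."""
    return [sig for sig, rx in COMPILED if rx.search(record.payload)]


def judge(record: Record, hits: List[Signature]) -> List[Signature]:
    """Module 303 plus the application policy: a loose tier escalates only
    high-severity hits, a strict tier (the default for unknown apps) escalates all."""
    if APP_POLICY.get(record.app, "strict") == "loose":
        return [sig for sig in hits if sig.severity == "high"]
    return hits


def generate_warnings(record: Record) -> List[AttackWarning]:
    """Module 304: the industrial internet is judged under attack for every
    escalated hit; the warning names the field device path, as in the popup."""
    warnings = []
    for sig in judge(record, match(record)):
        reaction = REACTIONS.get(sig.feature_type, "log")
        message = (f"Data from {record.device_path} (app {record.app}) matches "
                   f"{sig.network_class} {sig.feature_type} feature '{sig.name}'; "
                   f"abnormal data {record.payload[:16]!r} must be handled promptly; "
                   f"reaction: {reaction}")
        warnings.append(AttackWarning(record.device_path, sig.name, sig.network_class,
                                      sig.feature_type, reaction, message))
    return warnings


def run_samples() -> List[List[AttackWarning]]:
    """Constructed stream: one industrial attack, the same internet payload seen
    under a loose and a strict policy, and one benign Modbus read."""
    stream = [
        Record("smoke sensor 1xxxx -> PLC 3xxx -> monitoring host 4xxx", "scada-hmi",
               bytes.fromhex("000100000006010800040000")),
        Record("engineering workstation -> enterprise network", "scada-hmi",
               b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Record("engineering workstation -> enterprise network", "unknown-tool",
               b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Record("PLC 3xxx -> monitoring host 4xxx", "scada-hmi",
               bytes.fromhex("000100000006010300000001")),
    ]
    return [generate_warnings(record) for record in stream]


if __name__ == "__main__":
    for warnings in run_samples():
        for w in warnings:
            print(w.message)
```

The second and third records carry identical bytes; only the application policy tier differs, which is exactly the distinction the customizing module is meant to make. The reaction string is what the industrial network would act on (cutting off the transmission of the matched data) once the warning has been generated.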
An electronic device is further provided, as shown in fig. 6, and includes a processor 601, a memory 602, and a bus 603, where the memory 602 stores machine-readable instructions executable by the processor 601, when the electronic device runs, the processor 601 and the memory 602 communicate via the bus 603, and the machine-readable instructions are executed by the processor 601 to perform the steps of the data security detection method.
The embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the steps of the data security detection method are executed.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to corresponding processes in the method embodiments, and are not described in detail in this application. In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical division, and there may be other divisions in actual implementation, and for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or modules through some communication interfaces, and may be in an electrical, mechanical or other form.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application, or the portions of it that substantially contribute over the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a platform server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A data security detection method is characterized by being applicable to industrial Internet; the method comprises the following steps:
constructing an internet of things attack feature library, wherein the internet of things attack feature library comprises various industrial feature libraries and various internet feature libraries;
capturing data streams in the industrial Internet, and matching the captured data streams with the Internet of things attack feature library to obtain a matching result;
judging whether data matched with the Internet of things attack feature library exists in the captured data stream according to the matching result;
and if so, judging that the industrial Internet is attacked, and generating attack warning information aiming at the data with the industrial attack characteristics or the Internet attack characteristics.
2. The data security detection method according to claim 1, wherein after the attack feature library is constructed, the method further comprises:
detecting whether industrial attack characteristics or internet attack characteristics are updated in an external security database in real time;
and if so, updating the industrial feature library or the internet feature library corresponding to the updated industrial attack feature or internet attack feature in real time according to the updated industrial attack feature or internet attack feature.
3. The data security detection method according to claim 1,
the type of the industrial feature library and the type of the internet feature library at least comprise one of the following types: intrusion feature library, virus feature library, application feature library, Trojan feature library, webmail feature library, and junk mail feature library.
4. The data security detection method according to claim 3, wherein the application feature library is configured to customize the security policy of the application for the application satisfying a preset condition.
5. The data security detection method according to claim 1,
the constructed internet of things attack feature library also comprises an industrial protocol white list;
after the capturing the data stream in the industrial internet, the method further comprises the following steps:
matching the industrial protocol carried by the data in the data stream captured in the industrial internet with the industrial protocol white list to obtain a matching result;
if the matching result meets the preset releasing condition, releasing the data in the data stream;
and if the matching result does not meet the preset release condition, performing exception processing on the data.
6. A security detection device based on the industrial internet, characterized by comprising:
a construction module, configured to construct an internet of things attack feature library, wherein the internet of things attack feature library comprises various industrial feature libraries and various internet feature libraries;
the capturing module is used for capturing data streams in the industrial internet and matching the captured data streams with the internet of things attack feature library to obtain a matching result;
the judging module is used for judging whether data matched with the Internet of things attack feature library exists in the captured data stream according to the matching result;
and the generating module is used for judging that the industrial internet is attacked when the captured data stream contains data matched with the internet of things attack feature library, and generating attack warning information aiming at the data with the industrial attack features or the internet attack features.
7. The industrial internet-based security detection apparatus of claim 6, further comprising:
the detection module is used for detecting whether the industrial attack characteristics or the internet attack characteristics are updated in an external security database in real time;
and the updating module is used for updating the industrial feature library or the internet feature library corresponding to the updated industrial attack feature or internet attack feature in real time according to the updated industrial attack feature or internet attack feature when the detection module detects that the industrial attack feature or the internet attack feature is updated.
8. The industrial internet-based security detection apparatus of claim 6, further comprising:
the matching module is used for matching the industrial protocol carried by the data in the data stream captured in the industrial internet with the industrial protocol white list to obtain a matching result;
the releasing module is used for releasing the data in the data stream when the matching result meets the preset releasing condition;
and the processing module is used for performing exception processing on the data when the matching result does not meet the preset release condition.
9. An electronic device comprising a processor, a memory and a bus, wherein the memory stores machine-readable instructions executable by the processor, the processor and the memory communicate via the bus when the electronic device is running, and the machine-readable instructions, when executed by the processor, perform the steps of the data security detection method according to any one of claims 1 to 5.
10. A computer-readable storage medium, characterized in that the storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the data security detection method according to one of claims 1 to 5.
CN202111403128.9A 2021-11-24 2021-11-24 Data security detection method and device, electronic equipment and medium Pending CN114374528A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111403128.9A CN114374528A (en) 2021-11-24 2021-11-24 Data security detection method and device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN114374528A true CN114374528A (en) 2022-04-19

Family

ID=81138105

Country Status (1)

Country Link
CN (1) CN114374528A (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110288692A1 (en) * 2010-05-20 2011-11-24 Accenture Global Services Gmbh Malicious attack detection and analysis
CN103500305A (en) * 2013-09-04 2014-01-08 中国航天科工集团第二研究院七〇六所 System and method for malicious code analysis based on cloud computing
CN105978897A (en) * 2016-06-28 2016-09-28 南京南瑞继保电气有限公司 Detection method of electricity secondary system botnet
CN106209870A (en) * 2016-07-18 2016-12-07 北京科技大学 A kind of Network Intrusion Detection System for distributed industrial control system
US20160359825A1 (en) * 2015-06-02 2016-12-08 Rockwell Automation Technologies, Inc. Active Response Security System for Industrial Control Infrastructure
CN106982235A (en) * 2017-06-08 2017-07-25 江苏省电力试验研究院有限公司 A kind of power industry control network inbreak detection method and system based on IEC 61850
CN106997435A (en) * 2017-04-14 2017-08-01 广东浪潮大数据研究有限公司 A kind of method of operating system security prevention and control, apparatus and system
US9928359B1 (en) * 2015-07-15 2018-03-27 Security Together Corporation System and methods for providing security to an endpoint device
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system
CN112333211A (en) * 2021-01-05 2021-02-05 博智安全科技股份有限公司 Industrial control behavior detection method and system based on machine learning
CN113645232A (en) * 2021-08-10 2021-11-12 克拉玛依和中云网技术发展有限公司 Intelligent flow monitoring method and system for industrial internet and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115065552A (en) * 2022-07-27 2022-09-16 北京六方云信息技术有限公司 Industrial communication protection method, device, terminal equipment and storage medium
CN115065552B (en) * 2022-07-27 2023-01-10 北京六方云信息技术有限公司 Industrial communication protection method, device, terminal equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination