CN114417328A - Abnormal attack behavior detection method for industrial control system - Google Patents

Abnormal attack behavior detection method for industrial control system

Info

Publication number
CN114417328A
CN114417328A
Authority
CN
China
Prior art keywords
data
abnormal
abnormal attack
industrial control
control system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210057162.3A
Other languages
Chinese (zh)
Inventor
康文杰
张悦
卢庆
苏欣
宁佐廷
郝俊泓
曾靖岚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan Police Academy
Original Assignee
Hunan Police Academy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hunan Police Academy
Priority to CN202210057162.3A
Publication of CN114417328A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for detecting abnormal attack behavior in an industrial control system, comprising steps S1, S2, S3 and S4. The method monitors the operation of the whole industrial control system in real time; abnormal attack behavior data is filtered, analyzed, isolated and cleared, and a response is made in time based on the analysis of that data, so that the influence of abnormal attack behavior on the industrial control system is greatly reduced.

Description

Abnormal attack behavior detection method for industrial control system
Technical Field
The invention relates to the technical field of anomaly detection for industrial control systems, in particular to a method for detecting abnormal attack behavior in an industrial control system.
Background
Industrial control refers to industrial automation control, realized mainly by combining electronics, electrical engineering, mechanics and software; it is also called factory automation. An industrial personal computer (IPC) is the general term for a bus-structured computer used to detect and control production processes and their electromechanical and process equipment. It has the essential attributes of a computer: a CPU, hard disk, memory, peripherals and interfaces, a real-time operating system, a control network and protocols, computing capability, and a human-machine interface.
Existing industrial control systems lack a system for detecting abnormal attack behavior, so they cannot respond effectively to such attacks, which may cause large economic losses to a factory.
Disclosure of Invention
Therefore, the invention aims to provide a method for detecting abnormal attack behavior in an industrial control system, which monitors the operation of the whole system in real time, filters, analyzes, isolates and clears abnormal attack behavior data, responds in time based on the analysis of that data, and thereby greatly reduces the influence of abnormal attack behavior on the industrial control system.
To solve the above technical problem, in one aspect the present invention provides the following technical solution:
a method for detecting abnormal attack behavior in an industrial control system comprises the following steps:
S1: a detection module detects the running state of the industrial control system; the detected data is classified into a storage module, the data to be analyzed is stored and uploaded in real time to a sample filtering system, and the sample filtering system filters the detected data, screens out the abnormal attack data directly, and counts it;
S2: the abnormal data is passed directly to a chart drawing system, which charts and displays the abnormal attack data to form an abnormal attack detection report; the report is transmitted in real time to a computer terminal and a mobile terminal through a signal transmission module, the data is refreshed every 1 to 3 minutes, and the detection result is displayed promptly;
S3: during detection, the firewall of the industrial control system runs continuously for protection; when abnormal attack data is detected, a software antivirus system is triggered directly to isolate and clean the abnormal data, and at the same time a backup module is triggered to back up and upload the industrial control system data to prevent data loss;
S4: when the abnormal attack data is blocked directly by the firewall or cleared by the antivirus system, the whole system keeps running normally; when the abnormal attack data cannot be cleared and is detected to have invaded the industrial control system and to affect its normal operation, an interrupt module is triggered directly to interrupt the industrial control system in time, preventing greater economic loss.
In a preferred scheme of the method, in step S1 the sample filtering system filters and counts the abnormal attack data, stores it, and counts the number of abnormal attacks, so that the user can readily determine the frequency of the attacks.
In a preferred scheme, in step S2 the chart drawing system further draws different kinds of abnormal attack data into a chart, so that the user can readily compare, analyze and judge the abnormal attack behavior data.
In a preferred scheme, the chart drawing system is connected directly to a printing module, so that when a paper copy is needed the printing module is triggered directly and the abnormal attack behavior data table is printed out.
In a preferred scheme, in step S2, after each refresh the historical data is stored directly and the latest data is displayed in real time.
In a preferred scheme, in step S3 the antivirus software isolates the abnormal attack behavior data directly into a secure space, so as to prevent it from affecting the operation of the system.
In a preferred scheme, in step S4 the interrupt module can be controlled by the user directly, either remotely or manually, so the user can choose freely.
Compared with the prior art, the invention has the following beneficial effects. The operation of the whole industrial control system is monitored in real time by the abnormal behavior detection method; abnormal attack behavior data is filtered, analyzed, isolated and eliminated, a response is made in time based on the analysis of that data, and the influence of abnormal attack behavior on the industrial control system is greatly reduced. In use, the detection module detects the running state of the industrial control system, the detected data is classified into the storage module, and the data to be analyzed is stored and uploaded in real time to the sample filtering system, which filters the detected data, screens out the abnormal attack data directly and counts it; the number of abnormal attacks is stored and counted so that the user can readily judge the attack frequency. The abnormal data is passed directly to the chart drawing system, which charts and displays it to form an abnormal attack detection report; the report is transmitted in real time to the computer terminal and the mobile terminal through the signal transmission module, the data is refreshed every 1 to 3 minutes, and the detection result is displayed promptly. The chart drawing system also draws different kinds of abnormal attack data into a chart so that the user can compare, analyze and judge them, and it is connected directly to the printing module, so that when a paper copy is needed the printing module is triggered directly and the abnormal attack data table is printed. During detection the firewall of the industrial control system runs continuously for protection; when abnormal attack data is detected, the software antivirus system is triggered directly to isolate and clean the abnormal data, the backup module is triggered at the same time to back up and upload the industrial control system data to prevent data loss, and the antivirus software isolates the abnormal attack behavior data into a secure space so that it cannot affect system operation. When the abnormal attack behavior data is blocked directly by the firewall or cleared by the antivirus system, the whole system keeps running normally; when it cannot be cleared and is detected to have invaded the industrial control system and to affect its normal operation, the interrupt module is triggered directly and the industrial control system is interrupted immediately, preventing greater economic loss.
Detailed Description
The present invention will be described in detail with reference to the following embodiments in order to make the aforementioned objects, features and advantages of the invention more comprehensible.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those specifically described herein, and it will be apparent to those of ordinary skill in the art that the present invention may be practiced without departing from the spirit and scope of the present invention, and therefore the present invention is not limited to the specific embodiments disclosed below.
The invention provides a method for detecting abnormal attack behavior in an industrial control system, which monitors the operation of the whole system in real time, filters, analyzes, isolates and clears abnormal attack behavior data, and responds in time based on the analysis of that data, thereby greatly reducing the influence of abnormal attack behavior on the industrial control system.
The method comprises the following main parts: S1, S2, S3 and S4.
A method for detecting abnormal attack behavior in an industrial control system comprises the following steps:
S1: a detection module detects the running state of the industrial control system; the detected data is classified into a storage module, the data to be analyzed is stored and uploaded in real time to a sample filtering system, and the sample filtering system filters the detected data, screens out the abnormal attack data directly, and counts it;
S2: the abnormal data is passed directly to a chart drawing system, which charts and displays the abnormal attack data to form an abnormal attack detection report; the report is transmitted in real time to a computer terminal and a mobile terminal through a signal transmission module, the data is refreshed every 1 to 3 minutes, and the detection result is displayed promptly;
S3: during detection, the firewall of the industrial control system runs continuously for protection; when abnormal attack data is detected, a software antivirus system is triggered directly to isolate and clean the abnormal data, and at the same time a backup module is triggered to back up and upload the industrial control system data to prevent data loss;
S4: when the abnormal attack data is blocked directly by the firewall or cleared by the antivirus system, the whole system keeps running normally; when the abnormal attack data cannot be cleared and is detected to have invaded the industrial control system and to affect its normal operation, an interrupt module is triggered directly to interrupt the industrial control system in time, preventing greater economic loss.
In specific use, the detection module first detects the running state of the industrial control system and the detected data is classified into the storage module; the data to be analyzed is stored and uploaded in real time to the sample filtering system, which filters the detected data and screens out the abnormal attack data directly. The sample filtering system stores and counts the screened abnormal attack data and records the number of abnormal attacks, so the user can readily judge how often the system is being attacked. The abnormal data is passed directly to the chart drawing system, which charts and displays it to form an abnormal attack detection report; the report is transmitted in real time to the computer terminal and the mobile terminal through the signal transmission module, the data is refreshed every 1 to 3 minutes, and the detection result is displayed promptly. The chart drawing system also draws different kinds of abnormal attack data into a chart so that the user can compare, analyze and judge the abnormal attack behavior data, and it is connected directly to the printing module, so that when a paper copy is needed the printing module is triggered directly and the abnormal attack behavior data table is printed out. During detection the firewall of the industrial control system runs continuously for protection. When abnormal attack data is detected, the software antivirus system is triggered directly to isolate and clear the abnormal data, and the backup module is triggered at the same time to back up and upload the industrial control system data to prevent data loss; the antivirus software isolates the abnormal attack behavior data directly into a secure space so that it cannot affect system operation. When the abnormal attack data is blocked directly by the firewall or cleared by the antivirus system, the whole system keeps running normally; when the abnormal attack data cannot be cleared and the detected intrusion affects the normal operation of the industrial control system, the interrupt module is triggered directly to interrupt the industrial control system in time and prevent greater economic loss. The interrupt module can also be controlled by the user directly, either remotely or manually, so the user can choose freely. In this way the operation of the whole industrial control system is monitored in real time, abnormal attack behavior data is filtered, analyzed, isolated and cleared, a response is made in time based on the analysis of that data, and the influence of abnormal attack behavior on the industrial control system is greatly reduced.
While the invention has been described above with reference to an embodiment, various modifications may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In particular, the various features of the disclosed embodiments of the invention may be used in any combination, provided that no structural conflict exists, and the combinations are not exhaustively described in this specification merely for the sake of brevity and resource conservation. Therefore, it is intended that the invention not be limited to the particular embodiments disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
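The steps S1 to S4 described above, together with the preferred schemes (attack counting and frequency, history retained on each refresh, the secure space for isolated data, and remote or manual control of the interrupt module), as one added Python example. It is not code from the patent or from Hunan Police Academy. The patent does not specify how the sample filtering system decides what is abnormal, so the filter here is an assumed allowlist rule on state-changing Modbus-style requests; the event records, the firewall blocklist, and the rules for "can be cleared" and "affects normal operation" are likewise constructed assumptions, marked as such in the code.

```python
"""Added worked example for steps S1-S4 of CN114417328A.  Not the patent's own
code: the event layout, the allowlist rule standing in for the 'sample filter',
the firewall blocklist, and the rules for 'can be cleared' and 'affects normal
operation' are assumptions made so the pipeline can run end to end."""
from collections import Counter

# S1 detection-module output: constructed ICS events (one dict each).
# 'fc' is a Modbus-style function code; meanings assumed for this example:
# 3 = read holding registers, 16 = write multiple registers, 8 = diagnostics.
SAMPLE_EVENTS = [
    {"t": 0,   "src": "10.0.1.5",  "fc": 3,  "unit": 1},
    {"t": 30,  "src": "10.0.1.5",  "fc": 16, "unit": 1},  # allowed writer
    {"t": 61,  "src": "10.0.6.6",  "fc": 16, "unit": 1},  # firewall blocks this host
    {"t": 95,  "src": "10.0.9.99", "fc": 16, "unit": 2},  # antivirus can clear this
    {"t": 130, "src": "10.0.9.99", "fc": 8,  "unit": 1},  # not clearable, halts unit
]
WRITE_FCS = {8, 16}                 # assumed: requests that change device state
ALLOWED_WRITERS = {"10.0.1.5"}      # assumed engineering workstation
FIREWALL_BLOCKLIST = {"10.0.6.6"}   # assumed perimeter rule (S3, always on)
CLEARABLE_FCS = {16}                # assumed: antivirus can roll these back
IMPACTING_FCS = {8}                 # assumed: these stop the unit responding


def screen(events, allowed_writers=ALLOWED_WRITERS):
    """S1 sample filter: state-changing requests from non-allowlisted hosts."""
    return [e for e in events
            if e["fc"] in WRITE_FCS and e["src"] not in allowed_writers]


def attack_stats(abnormal, window_s):
    """S1 counting: number of abnormal attacks and per-source attack frequency."""
    per_src = Counter(e["src"] for e in abnormal)
    minutes = max(window_s, 60) / 60.0           # never divide by a sub-minute window
    return {"count": len(abnormal), "per_source": dict(per_src),
            "per_minute": {s: round(n / minutes, 2) for s, n in per_src.items()}}


def refresh_report(abnormal, history, window_s, refresh_s=120):
    """S2: build the detection report and keep every previous report as history.
    The refresh interval is held inside the 1-3 minute window the patent states."""
    if not 60 <= refresh_s <= 180:
        raise ValueError("refresh interval outside 1-3 minutes")
    stats = attack_stats(abnormal, window_s)
    # A text bar chart stands in for the patent's chart-drawing system.
    chart = {src: "#" * n for src, n in sorted(stats["per_source"].items())}
    report = {"refresh_s": refresh_s, "stats": stats, "chart": chart}
    history.append(report)                        # historical data stored on each refresh
    return report                                 # latest data, displayed in real time


def respond(event, blocklist=FIREWALL_BLOCKLIST, operator_interrupt=False):
    """S3/S4 response to one screened event.  Returns (system_state, actions)."""
    actions = ["backup"]                          # S3: backup module fires on detection
    if operator_interrupt:                        # S4: remote or manual operator control
        return "interrupted", actions + ["interrupt(operator)"]
    if event["src"] in blocklist:                 # S3: always-on firewall blocked it
        return "normal", actions + ["firewall_block"]
    actions.append("av_quarantine")               # S3: isolate into a secure space
    if event["fc"] in CLEARABLE_FCS:              # S4: cleared, keep running
        return "normal", actions + ["av_cleared"]
    if event["fc"] in IMPACTING_FCS:              # S4: not cleared AND affects operation
        return "interrupted", actions + ["interrupt(auto)"]
    return "isolated", actions                    # not cleared, no impact (assumed state)


def run_pipeline(events, history=None, operator_interrupt=False):
    """Run S1-S4 over a batch of events; processing stops at a plant interrupt."""
    history = [] if history is None else history
    abnormal = screen(events)
    window_s = (events[-1]["t"] - events[0]["t"]) if events else 0
    report = refresh_report(abnormal, history, window_s)
    trail, state = [], "normal"
    for e in abnormal:
        state, actions = respond(e, operator_interrupt=operator_interrupt)
        trail.append((e["src"], e["fc"], state, actions))
        if state == "interrupted":
            break                                 # S4: the system has been halted
    return {"report": report, "trail": trail,
            "final_state": state, "history_len": len(history)}


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_EVENTS)
    print("chart:", result["report"]["chart"])
    for row in result["trail"]:
        print(row)
    print("final state:", result["final_state"])
```

On the constructed events the first abnormal request is dropped by the firewall, the second is quarantined and cleared, and the third cannot be cleared and affects operation, so the run ends in the interrupted state. The interrupt branch in respond() requires both conditions stated in S4 (the data could not be cleared and it affects normal operation) or an explicit operator request; halting a plant on every detection would turn the detector itself into a denial-of-service lever, which is the practical reason the patent ties the interrupt to the inability to clear rather than to detection alone.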

Claims (7)

1. A method for detecting abnormal attack behavior in an industrial control system, characterized by comprising the following steps:
S1: a detection module detects the running state of the industrial control system; the detected data is classified into a storage module, the data to be analyzed is stored and uploaded in real time to a sample filtering system, and the sample filtering system filters the detected data, screens out the abnormal attack data directly, and counts it;
S2: the abnormal data is passed directly to a chart drawing system, which charts and displays the abnormal attack data to form an abnormal attack detection report; the report is transmitted in real time to a computer terminal and a mobile terminal through a signal transmission module, the data is refreshed every 1 to 3 minutes, and the detection result is displayed promptly;
S3: during detection, the firewall of the industrial control system runs continuously for protection; when abnormal attack data is detected, a software antivirus system is triggered directly to isolate and clean the abnormal data, and at the same time a backup module is triggered to back up and upload the industrial control system data to prevent data loss;
S4: when the abnormal attack data is blocked directly by the firewall or cleared by the antivirus system, the whole system keeps running normally; when the abnormal attack data cannot be cleared and is detected to have invaded the industrial control system and to affect its normal operation, an interrupt module is triggered directly to interrupt the industrial control system in time, preventing greater economic loss.
2. The method for detecting abnormal attack behavior in an industrial control system as claimed in claim 1, wherein in step S1 the sample filtering system filters and counts the abnormal attack data, stores it, and counts the number of abnormal attacks, so that a user can readily determine the frequency of the attacks.
3. The method for detecting abnormal attack behavior in an industrial control system as claimed in claim 2, wherein in step S2 the chart drawing system further draws different kinds of abnormal attack data into a chart, so that a user can readily compare, analyze and judge the abnormal attack behavior data.
4. The method for detecting abnormal attack behavior in an industrial control system as claimed in claim 3, wherein the chart drawing system is connected directly to a printing module, so that when a paper copy is needed the printing module is triggered directly and the abnormal attack behavior data table is printed out.
5. The method as claimed in claim 4, wherein in step S2, after each data refresh the historical data is stored directly and the latest data is displayed in real time.
6. The method as claimed in claim 5, wherein in step S3 the antivirus software isolates the abnormal attack behavior data directly into a secure space, so as to prevent it from affecting system operation.
7. The method as claimed in claim 6, wherein in step S4 the interrupt module can be controlled by a user directly, either remotely or manually, so that the user can choose freely.
Application CN202210057162.3A, priority date 2022-01-19, filing date 2022-01-19, "Abnormal attack behavior detection method for industrial control system", status Pending, published as CN114417328A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210057162.3A CN114417328A (en) 2022-01-19 2022-01-19 Abnormal attack behavior detection method for industrial control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210057162.3A CN114417328A (en) 2022-01-19 2022-01-19 Abnormal attack behavior detection method for industrial control system

Publications (1)

Publication Number Publication Date
CN114417328A true CN114417328A (en) 2022-04-29

Family

ID=81273008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210057162.3A Pending CN114417328A (en) 2022-01-19 2022-01-19 Abnormal attack behavior detection method for industrial control system

Country Status (1)

Country Link
CN (1) CN114417328A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116800511A (en) * 2023-07-06 2023-09-22 广东网安科技有限公司 Industrial control system network safety protection capability checking and evaluating system
CN116800511B (en) * 2023-07-06 2024-04-02 释空(上海)品牌策划有限公司 Industrial control system network safety protection capability checking and evaluating system

Similar Documents

Publication Publication Date Title
US10013866B2 (en) Production equipment monitoring method and system
US8326974B2 (en) Typicality filtering of event indicators for information technology resources
WO2013027970A1 (en) Method and apparatus for anomaly-based intrusion detection in network
CN106371986A (en) Log treatment operation and maintenance monitoring system
CN110300100A (en) The association analysis method and system of log audit
CN112799358B (en) Industrial control safety defense system
CN103744389A (en) Operating state early-warning method of oil and gas production equipment
CN114417328A (en) Abnormal attack behavior detection method for industrial control system
CN202975775U (en) Security management platform
CN112910921B (en) Industrial control boundary network safety protection method
CN111078455A (en) Abnormal behavior sequence correlation processing method and device based on time axis, equipment and storage medium
CN111238559A (en) State monitoring system for on-line detection equipment of rolling and packing workshop
CN112840616A (en) Hybrid unsupervised machine learning framework for industrial control system intrusion detection
KR101281456B1 (en) Apparatus and method for anomaly detection in SCADA network using self-similarity
CN117477774A (en) Intelligent early warning system and method for multifunctional power distribution cabinet
CN112671767A (en) Security event early warning method and device based on alarm data analysis
EP3055975A1 (en) Method and device for detecting autonomous, self-propagating software
CN106250764A (en) A kind of terminal control system
CN106330975A (en) Method for periodic exception detection based on SCADA system
CN115550034A (en) Service flow monitoring method and device for distribution network power monitoring system
CN115174189A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
CN115306692A (en) Method and control device for temperature alarm of compressor
CN114172702A (en) Network safety monitoring method and system for power grid industrial control system
CN113904920A (en) Network security defense method, device and system based on lost equipment
KR20180073273A (en) Method and apparatus for reducing false alarm based on statics analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination