CN114448689B - Method, device, equipment and storage medium for determining boundary equipment of industrial control network - Google Patents

Info

Publication number: CN114448689B
Authority: CN (China)
Prior art keywords: network, equipment, network device, industrial control, monitoring result
Legal status: Active
Application number: CN202210061097.1A
Other languages: Chinese (zh)
Other versions: CN114448689A
Inventors: 周星, 赵重浩, 龚亮华
Current Assignee: Fengtai Technology Beijing Co ltd
Original Assignee: Fengtai Technology Beijing Co ltd

Events:
Application filed by Fengtai Technology Beijing Co ltd
Priority to CN202210061097.1A
Publication of CN114448689A
Application granted
Publication of CN114448689B
Active legal status
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The embodiment of the application is suitable for the technical field of information and provides a method, a device, equipment and a storage medium for determining boundary equipment of an industrial control network, wherein the method comprises the following steps: acquiring state data of a plurality of network devices in an industrial control network; identifying the state of each network device according to the state data of each network device; generating a monitoring result of each network device based on the state of each network device and the last state of each network device; calculating the equipment risk value of each network equipment according to the monitoring result of each network equipment and the history monitoring result of each network equipment; and determining boundary network equipment of the industrial control network from the plurality of network equipment according to the equipment risk value. By adopting the method, the boundary network equipment in the industrial control network can be accurately identified.

Description

Method, device, equipment and storage medium for determining boundary equipment of industrial control network
Technical Field
The application belongs to the technical field of information, and particularly relates to a method, a device, equipment and a storage medium for determining boundary equipment of an industrial control network.
Background
An industrial data communication and control network, also called an industrial control network, is a fully digital, bidirectional, multi-station network communication system installed in an industrial production environment and formed by a number of intelligent devices. With the development of such networks, information security incidents in industrial control networks occur continually and seriously affect the stable operation of the key network devices and infrastructure in them. The industrial control network therefore needs to be protected by boundary protection technology; for example, firewalls are deployed in industrial control networks to block network traffic generated by unwanted network devices.
Such technology is typically deployed on the boundary network devices of the industrial control network to form its boundary protection. However, as the network devices accessing the industrial control network and their access paths become more diverse, the network boundary of the industrial control network can no longer be well determined. That is, the reliable network boundary in the industrial control network is disappearing, so that the industrial control network cannot be protected on the basis of boundary protection technology.
Disclosure of Invention
The embodiment of the application provides a boundary equipment determining method, device, terminal equipment and storage medium of an industrial control network, which can solve the problem that the network boundary of the industrial control network cannot be accurately determined.
In a first aspect, an embodiment of the present application provides a method for determining a boundary device of an industrial control network, where the method includes:
acquiring state data of a plurality of network devices in an industrial control network;
identifying the state of each network device according to the state data of each network device;
generating a monitoring result of each network device based on the state of each network device and the last state of each network device;
calculating the equipment risk value of each network equipment according to the monitoring result of each network equipment and the history monitoring result of each network equipment;
and determining boundary network equipment of the industrial control network from the plurality of network equipment according to the equipment risk value.
In a second aspect, an embodiment of the present application provides a boundary device determining apparatus of an industrial control network, where the apparatus includes:
the acquisition module is used for acquiring state data of a plurality of network devices in the industrial control network;
the identification module is used for identifying the state of each network device according to the state data of each network device;
the monitoring result generation module is used for generating a monitoring result of each network device based on the state of each network device and the last state of each network device respectively;
the calculation module is used for calculating the equipment risk value of each network equipment according to the monitoring result of each network equipment and the historical monitoring result of each network equipment;
and the boundary network equipment determining module is used for determining boundary network equipment of the industrial control network from the plurality of network equipment according to the equipment risk value.
In a third aspect, embodiments of the present application provide a terminal device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing a method according to the first aspect as described above when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by a processor, implements a method as in the first aspect described above.
In a fifth aspect, embodiments of the present application provide a computer program product for causing a terminal device to perform the method of the first aspect described above when the computer program product is run on the terminal device.
Compared with the prior art, the embodiments of the application have the following beneficial effects: the state of each network device is identified by actively acquiring the state data of each network device in the industrial control network. Then, for any network device, the monitoring result of that network device is determined from its state and its last state, so as to determine whether the network device has produced an abnormality. The device risk value of the network device is then further calculated from its monitoring result and the number of abnormalities in its historical monitoring results, so that the terminal device can determine, based on the device risk value, the degree of risk the network device poses to the industrial control network. Finally, based on the degree of risk of each network device, the boundary network devices of the industrial control network are accurately determined from the plurality of network devices, so that the industrial control network can deploy boundary protection technology on the boundary network devices for security protection.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the following description will briefly introduce the drawings that are needed in the embodiments or the description of the prior art, it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a boundary device identification system of an industrial control network according to an embodiment of the present application;
fig. 2 is a schematic application scenario diagram of a switch device in a method for determining a boundary device of an industrial control network according to an embodiment of the present application;
fig. 3 is a flowchart of an implementation of a method for determining a boundary device of an industrial control network according to an embodiment of the present application;
fig. 4 is a flowchart of an implementation of a method for determining a boundary device of an industrial control network according to another embodiment of the present application;
FIG. 5 is a schematic diagram of an implementation of S104 of a method for determining a boundary device of an industrial control network according to an embodiment of the present application;
fig. 6 is a flowchart of an implementation of a method for determining a boundary device of an industrial control network according to another embodiment of the present application;
FIG. 7 is a schematic diagram of an implementation of S105 of a method for determining a boundary device of an industrial control network according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a boundary device determining apparatus of an industrial control network according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
In addition, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
The method for determining the boundary equipment of the industrial control network can be applied to terminal equipment provided with the boundary equipment identification system of the industrial control network or terminal equipment with communication connection with the boundary equipment identification system of the industrial control network. Wherein the terminal device includes, but is not limited to: switch equipment, tablet computers, notebook computers, ultra-mobile personal computer (UMPC), netbooks and other equipment, the specific type of terminal equipment is not limited in the embodiment of the present application.
In this embodiment, the terminal device is explained by taking a switch device as an example. Specifically, the switch device is an industrial Ethernet switch, that is, a switch that transmits data over Ethernet. In an industrial control network, each port of the industrial Ethernet switch is connected directly to a network device, and several pairs of ports can communicate at the same time, so that every pair of communicating network devices can transmit data without collisions.
Referring to fig. 1 and 2, the boundary device identification system of the industrial control network includes a traffic introduction module, a network management protocol module (specifically, SNMP module), an alarm processing module, and a user interaction module.
The traffic introduction module is used for analyzing the network traffic that each network device transmits for communication, so as to obtain information such as the protocol feature data and operation instructions contained in the network traffic. An identification model can be trained on the protocol feature data to identify whether the network device performing the communication is a newly accessed network device and, when it is, to predict other feature data of the newly accessed network device; for example, the feature data includes, but is not limited to, manufacturer, operating system and service type.
The SNMP module is used for acquiring state data such as CPU, memory, network flow and the like of the network equipment so as to determine the working state of the network equipment.
The alarm processing module is used for raising an alarm when the monitoring result of a network device is determined to be an abnormal alarm result, and may also provide preset handling suggestions for the different abnormal alarm results. The cases in which an abnormal alarm result is generated include, but are not limited to: discovery of a newly accessed network device, a change in the state of a network device, abnormal state data of a network device, a network device receiving or sending an abnormal operation instruction, and an abnormal total amount of network traffic between a network device and other network devices.
The user interaction module is used for displaying the monitoring result, and the display content comprises but is not limited to: device information of the network device, state of the network device, history monitoring results and the like.
The switch device is used for interacting with each module in the industrial control network safety identification system, and can judge whether an abnormal alarm result is generated or not based on the statistical result of the SNMP module on the network device, and send the abnormal alarm result to the alarm processing module when the abnormal alarm result is generated.
Referring to fig. 3, fig. 3 shows a flowchart of an implementation of a method for determining a boundary device of an industrial control network according to an embodiment of the present application, where the method includes the following steps:
S101, the switch device acquires state data of a plurality of network devices in an industrial control network.
S102, the switch equipment identifies the state of each network equipment according to the state data of each network equipment.
In one embodiment, the industrial control network includes a plurality of network devices, and the plurality of network devices generally use a local area network for communication. The network device includes, but is not limited to, computers, notebook computers, printers, etc.
Specifically, the industrial control network may be a computer communication network formed by interconnecting various internal network devices, external network devices, databases, and the like. In general, an industrial control network is closed, and may be composed of two computers in an office, or may be composed of thousands of computers in a company. However, as network devices accessed in the industrial control network are diversified, and network device access paths are diversified, network devices of the industrial control network will also become more.
In one embodiment, the status data includes, but is not limited to, data characterizing state types such as the operation status, port status and power status of the network device. For example, for the running state of a certain hardware facility in the network device, the state data may be ON, OFF, etc., and the corresponding running states are the working state, the stopped state, etc. Thus, the switch device may determine the various states of the network device from each type of state data; that is, one network device may have several states.
In an embodiment, the switch device may acquire the status data in each network device in real time or at intervals of a first preset duration for processing, which is not limited.
Before acquiring the status data of each network device, the switch device should record the device information of each network device existing in the industrial control network, and then acquire the status data of each network device according to the device information. Specifically, referring to fig. 4, the switch device may acquire device information of the network device through the following steps S11 to S14:
S11, the switch device receives the network traffic transmitted by the first network device; the network traffic includes at least protocol feature data.
In an embodiment, the first network device may be one of a plurality of network devices in the industrial control network, or may be an external device that needs to communicate with a certain network device in the industrial control network, which is not limited.
The network traffic is communication traffic externally transmitted by the first network device, and includes, but is not limited to, information such as a source internet protocol address (Internet Protocol Address, IP), a source media access control address (Media Access Control Address, MAC), a destination IP, a destination MAC, a source port, a destination port, a communication protocol, a function code, and the like of the first network device.
The source IP is the IP of the first network equipment, and the destination IP is the IP for receiving the network traffic in the industrial network; the source MAC is the MAC of the first network equipment, and the destination MAC is the MAC of the network flow received in the industrial network; the source port is a port set for the first network device when the switch device receives the network traffic, and the destination port is a port set when the switch device forwards the network traffic to the network device corresponding to the destination MAC; the communication protocol is a data transmission protocol of network traffic; the function code is a frame of data in the network traffic, which can mark the use of a bus protocol information frame of an industrial communication system in an industrial control network.
The protocol feature data may specifically be the feature data of the source IP, the source MAC, the destination IP, the destination MAC, and the like.
S12, the switch equipment compares the protocol characteristic data with the recorded equipment table.
S13, if the protocol characteristic data is not recorded in the device table, the switch device determines the target information of the first network device according to the source physical address in the protocol characteristic data.
S14, the switch equipment records the target information and the protocol characteristic data into an equipment table.
In an embodiment, the device table is used to record device information of the network device, for example, information of IP, MAC, etc. of the network device, and may also record manufacturer information of the device, etc. It will be appreciated that if the device table records information consistent with both IP and MAC addresses, then the first network device may be determined to be a recorded network device. I.e. the first network device belongs to one of the network devices in the industrial control network. Otherwise, determining that the first network device is an external device.
In another embodiment, when the first network device is determined to be an external device, the switch device may generate an abnormal alarm result to alert a worker.
In an embodiment, the source physical address is a MAC address, which is burned by a manufacturer, so that the manufacturer information of the first network device, that is, the target information, can be reversely deduced according to the address. The switch device may then record the target information and the protocol feature data into a device table to add a new network device to the industrial control network. At this time, the first network device may be regarded as a network device in the industrial control network.
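The device-table logic of steps S11 to S14 (compare the source IP and MAC against the recorded table, derive the manufacturer from the MAC prefix, record the device and treat an unrecorded source as an external device) is shown below as an added example in Python. It is not code from the patent or from the assignee; the OUI-to-vendor mapping, addresses and record layout are constructed for illustration.

```python
"""Device-table check for newly seen network devices (steps S11 to S14), as an added example."""
from dataclasses import dataclass, field

# Constructed manufacturer lookup keyed by the MAC OUI (first three octets).
# These OUIs and vendor names are sample values for this example, not real registrations.
OUI_VENDORS = {
    "00:1A:2B": "ExampleVendor-PLC",
    "00:1C:3D": "ExampleVendor-HMI",
}


@dataclass
class ProtocolFeatures:
    """Protocol feature data extracted from one traffic sample (S11)."""
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str


@dataclass
class DeviceRecord:
    ip: str
    mac: str
    manufacturer: str  # the 'target information' deduced from the MAC


@dataclass
class DeviceTable:
    records: dict = field(default_factory=dict)  # keyed by (ip, mac)

    def is_recorded(self, feats):
        """S12: the source counts as a known device only when IP and MAC both match one entry."""
        return (feats.src_ip, feats.src_mac.upper()) in self.records

    def manufacturer_from_mac(self, mac):
        """S13: derive the manufacturer from the burned-in MAC OUI."""
        oui = mac.upper()[:8]
        return OUI_VENDORS.get(oui, "unknown-oui:" + oui)

    def observe(self, feats):
        """Process one traffic sample and return (event, record).

        event is 'known' when the source is already recorded. Otherwise the source is
        an external device: it is added to the table (S14) and the event 'new-device'
        is returned, which the caller should treat as an abnormal alarm result.
        """
        key = (feats.src_ip, feats.src_mac.upper())
        if self.is_recorded(feats):
            return "known", self.records[key]
        rec = DeviceRecord(feats.src_ip, key[1], self.manufacturer_from_mac(feats.src_mac))
        self.records[key] = rec
        return "new-device", rec


def demo():
    """Run three constructed samples through a table seeded with one known device."""
    table = DeviceTable()
    table.records[("10.0.0.5", "00:1A:2B:00:00:01")] = DeviceRecord(
        "10.0.0.5", "00:1A:2B:00:00:01", "ExampleVendor-PLC")
    samples = [
        # Known device; MAC case differs but IP/MAC pair matches the table.
        ProtocolFeatures("10.0.0.5", "00:1a:2b:00:00:01", "10.0.0.9", "00:1C:3D:00:00:02"),
        # Unrecorded device with a known vendor OUI.
        ProtocolFeatures("10.0.0.7", "00:1C:3D:00:00:05", "10.0.0.5", "00:1A:2B:00:00:01"),
        # Known IP but a different MAC: not a consistent pair, so treated as external.
        ProtocolFeatures("10.0.0.5", "AA:BB:CC:00:00:01", "10.0.0.9", "00:1C:3D:00:00:02"),
    ]
    return [(event, rec.manufacturer) for event, rec in (table.observe(s) for s in samples)]


if __name__ == "__main__":
    for event, manufacturer in demo():
        print(event, manufacturer)
```

The third sample matters for the check described above: a recorded IP arriving with a different MAC is not "consistent with both IP and MAC", so it is recorded as a new device and raises the alarm rather than being silently accepted.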
S103, the switch equipment generates a monitoring result of each network equipment based on the state of each network equipment and the last state of each network equipment.
In an embodiment, the monitoring result includes an abnormal alarm result and a normal result. When an abnormal alarm result is generated, the network equipment can be considered to generate an alarm event.
In an embodiment, each state in the network device is typically fixed, e.g. an operating state, typically an operational state, for a certain hardware facility in the network device. Therefore, when the operation state of the network device with respect to the hardware facility is a stop state, the monitoring result of the network device can be considered as an abnormal alarm result.
It will be appreciated that the switch device typically obtains the status data of the network device in real time or once every first preset time period. Therefore, the last state is the state identified by the switch device when the switch device last acquired the state data of the network device. It should be added that when the states of the network device are multiple, if any state is inconsistent with the last state, the monitoring result of the network device can be considered as an abnormal alarm result.
Or, for the state data used for representing the state, if the state data of the network device is out of the preset range, an abnormal alarm result of the network device can also be generated. For example, when recognizing the state of the CPU in the network device, if the state data corresponding to the CPU exceeds the preset range, the state of the CPU is determined to be an abnormal state, and further an abnormal alarm result of the network device may be generated.
In an embodiment, the preset range may be set by a staff member according to actual situations, and typically, the preset ranges are different for different hardware facilities in the network device.
Based on the above description, the status data characterizing the status of the network device may be of various types. For example, status data (ON/OFF) that characterizes the operating state of the hardware facility, and status data (CPU value, or memory usage) that characterizes the operating value of the hardware facility.
It can be understood that the monitoring result is considered to be a normal result when the status data of the network device is within the preset range and/or the status of the network device is the same as the last status. I.e. no alarm event is generated for the network device.
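Steps S102 and S103 as described above (map state data to states, flag values outside a preset range, and compare each state with the last state) are illustrated by the following added example in Python. It is not the patent's own code; the preset ranges, the facility names and the polling samples are constructed for the example.

```python
"""Monitoring result from current vs. last state plus preset ranges (S102, S103), as an added example."""

# Preset ranges per hardware facility. In the patent these are set by staff; constructed here.
PRESET_RANGES = {
    "cpu_percent": (0.0, 85.0),
    "memory_percent": (0.0, 90.0),
}


def identify_states(state_data):
    """S102: map raw state data onto states.

    ON/OFF flags become 'working'/'stopped'; numeric values become 'normal' or
    'out-of-range' against the preset range for that facility.
    """
    states = {}
    for key, value in state_data.items():
        if value in ("ON", "OFF"):
            states[key] = "working" if value == "ON" else "stopped"
        elif key in PRESET_RANGES:
            lo, hi = PRESET_RANGES[key]
            states[key] = "normal" if lo <= value <= hi else "out-of-range"
        else:
            states[key] = str(value)  # unknown facility: keep the raw value as the state
    return states


def monitoring_result(states, last_states):
    """S103: abnormal alarm result if any state is out of range or differs from the last state.

    last_states is None on the first acquisition, in which case only the range check applies.
    Returns ('normal', []) or ('abnormal', [reasons...]).
    """
    reasons = []
    for key, state in states.items():
        if state == "out-of-range":
            reasons.append(f"{key}: value outside preset range")
        if last_states is not None and last_states.get(key) != state:
            reasons.append(f"{key}: changed from {last_states.get(key)} to {state}")
    return ("abnormal", reasons) if reasons else ("normal", [])


def demo():
    """Poll one constructed device four times and return the monitoring result kinds."""
    polls = [
        {"fan": "ON", "cpu_percent": 40.0, "memory_percent": 55.0},
        {"fan": "ON", "cpu_percent": 42.0, "memory_percent": 57.0},
        {"fan": "ON", "cpu_percent": 93.0, "memory_percent": 58.0},   # CPU above preset range
        {"fan": "OFF", "cpu_percent": 41.0, "memory_percent": 58.0},  # fan stopped: state changed
    ]
    results = []
    last = None
    for data in polls:
        states = identify_states(data)
        kind, reasons = monitoring_result(states, last)
        results.append(kind)
        last = states
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the fourth poll is abnormal for two reasons: the fan state changed, and the CPU state changed back from out-of-range to normal. The patent treats any state that differs from the last state as an alarm, so a return to normal also shows up once, which is the behaviour a defender wants for audit purposes.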
S104, the switch equipment calculates the equipment risk value of each network equipment according to the monitoring result of each network equipment and the historical monitoring result of each network equipment.
In one embodiment, the monitoring result is either a normal result or an abnormal alarm result. The historical monitoring results are the monitoring results within a second preset duration before the current time, where the current time is the time at which the switch device currently acquires the state data of the network device. The second preset duration may likewise be set by a worker according to the actual situation and is not limited here.
In this embodiment, the history monitoring result may be a monitoring result of the network device in the previous period. The switch equipment can acquire the state data of each network equipment at least once in a preset period.
In an embodiment, the device risk value is used to characterize the security level of the network device. It should be noted that, the higher the device risk value, the greater the risk of the network device. Thus, when the device risk value is greater than the preset threshold, the switch device may define the network device as a dangerous network device.
In a specific embodiment, referring to fig. 5, the switch device may calculate the device risk value of the network device through the following substeps S1041-S1042:
S1041, for any network device, the switch device counts, from the monitoring result and the historical monitoring results within the target period, the number of times the network device generated an abnormal alarm result (the abnormal times) and the event loss incurred each time an abnormal alarm result was generated.
S1042, the switch equipment calculates the equipment risk value of the network equipment according to the abnormal times and the event loss.
In an embodiment, the abnormal times of the abnormal alarm result are obtained by counting according to the current monitoring result and the historical monitoring result. The event loss is loss of the industrial control network caused by the network equipment when an abnormal alarm result is generated.
It will be appreciated that the switch device typically acquires the state data of a network device once every first preset duration. Therefore, if the state of a certain hardware facility in the network device becomes abnormal after the last acquisition, the switch device can only discover this at the current acquisition, at which point it generates an abnormal alarm result. During that first preset duration the network device may therefore already have caused a certain loss to the industrial control network.
The event losses corresponding to different abnormal alarm results may be different, which is not limited.
In a specific embodiment, after obtaining the abnormal times and the event loss, the switch device may calculate the device risk value by the following risk value calculation formula:
where Y_risk is the device risk value; A_frequency is the abnormal times; B_damage is the event loss; C_security is a preset device safety coefficient value.
It will be appreciated that when the above formula is used to calculate the device risk value, the greater the number of anomalies in the network device and/or the greater the event loss, the higher the device risk value. I.e. the more dangerous the network device.
It should be added that, for the preset device safety coefficient value, if the currently acquired monitoring result is a normal result, the device safety coefficient value is kept unchanged; if the currently acquired monitoring result is an abnormal result, the device safety coefficient value is increased in the calculation, so that the finally calculated device risk value of the network device increases and its risk level rises further.
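The risk-value step S1041-S1042 is shown below as an added example in Python, not as the patent's code. The patent's own formula did not survive on this page, so the way A_frequency, B_damage and C_security are combined here (a product) is an assumption chosen to keep the stated properties: more anomalies or larger loss gives a higher value, and the safety coefficient is raised only when the current result is abnormal. Per-alarm losses, the coefficient step, the target period length and the danger threshold are constructed values.

```python
"""Device risk value from current and historical monitoring results (S1041, S1042), as an added example."""
from dataclasses import dataclass

# Constructed per-alarm event losses (arbitrary units) and tuning values for the example.
EVENT_LOSS = {"state-change": 2.0, "out-of-range": 1.0, "new-device": 3.0, "traffic-spike": 4.0}
BASE_SECURITY_COEFFICIENT = 1.0   # C_security when the current result is normal
ABNORMAL_COEFFICIENT_STEP = 0.5   # assumed increase of C_security when the current result is abnormal
TARGET_PERIOD_SAMPLES = 5         # the 'second preset duration', counted in polling samples
RISK_THRESHOLD = 10.0             # preset threshold above which a device is 'dangerous'


@dataclass
class MonitoringResult:
    abnormal: bool
    alarm_type: str = ""  # empty for a normal result


def count_anomalies(history, current, window=TARGET_PERIOD_SAMPLES):
    """S1041: A_frequency and B_damage over the target period.

    The window is the last `window` results including the current one; each abnormal
    result contributes one to the count and its event loss to the summed damage.
    """
    window_results = (history + [current])[-window:]
    abnormal = [r for r in window_results if r.abnormal]
    a_frequency = len(abnormal)
    b_damage = sum(EVENT_LOSS.get(r.alarm_type, 1.0) for r in abnormal)
    return a_frequency, b_damage


def device_risk_value(history, current):
    """S1042: combine A_frequency, B_damage and C_security into Y_risk.

    Y_risk = A_frequency * B_damage * C_security is an assumed combination (see lead-in).
    C_security grows only when the current monitoring result is abnormal.
    """
    a_frequency, b_damage = count_anomalies(history, current)
    c_security = BASE_SECURITY_COEFFICIENT + (ABNORMAL_COEFFICIENT_STEP if current.abnormal else 0.0)
    return a_frequency * b_damage * c_security


def is_dangerous(history, current, threshold=RISK_THRESHOLD):
    """A device whose risk value exceeds the preset threshold is defined as dangerous."""
    return device_risk_value(history, current) > threshold


def demo():
    """Same constructed history, once with a normal current result and once with a new alarm."""
    normal = MonitoringResult(False)
    history = [normal, MonitoringResult(True, "out-of-range"), normal, MonitoringResult(True, "state-change")]
    quiet = device_risk_value(history, normal)                             # A=2, B=3, C=1.0
    noisy = device_risk_value(history, MonitoringResult(True, "new-device"))  # A=3, B=6, C=1.5
    return quiet, noisy


if __name__ == "__main__":
    print(demo())
```

Because the window slides, an old alarm eventually falls out of the target period and stops contributing, which is what the patent's "second preset duration" achieves: the risk value reflects recent behaviour rather than the device's whole lifetime.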
In another embodiment, the device risk value is mainly calculated according to an abnormal alarm result of the network device, and the determining manner of the abnormal alarm result is determined based on actively acquiring the state data by the switch device. However, each network device in the industrial control network may also generate an abnormal alarm result during communication interaction with other network devices.
Specifically, the explanation will be given by taking the first network device having recorded the target information and the protocol feature data as an example. The first network device is one network device in the industrial control network, and the first network device has communication with other network devices in the industrial control network. In addition, the network traffic of the communication typically includes a destination protocol address and an operation instruction. Thus, with reference to fig. 6, for any first network device that communicates, the switch device may also generate a monitoring result for that first network device by:
S15, for any first network device performing communication transmission, the switch device determines, according to the destination protocol address in the network traffic, the second network device in the industrial control network that receives the network traffic.
In one embodiment, the communication is a transmission of network traffic from a first network device to at least one second network device. The network traffic is explained in S11 above.
The destination protocol address is the destination IP, i.e. the IP of the second network device. In general, when network traffic is transmitted in an industrial control network, the transmission may be one-to-one or one-to-many. For example, the first network device may transmit network traffic to the switch device; the switch device then determines each second network device from each destination IP in the network traffic, establishes a separate port for communication with each second network device, and finally broadcasts the network traffic to each of those ports.
It will be appreciated that the protocol feature data of every network device in the industrial control network has already been recorded in the device table, so the switch device can determine the second network device from the device table.
S16, if the difference between the total network traffic transmitted from the first network device to the second network device in the current period and the total transmitted from the first network device to the second network device in the previous period is greater than a preset traffic value, and/or if the operation instruction in the network traffic is the same as an instruction in the preset abnormal instruction library of the second network device, the switch device generates an abnormal alarm result for the first network device.
In an embodiment, the total network traffic is the total traffic transmitted from the first network device to the second network device in the current period. The duration of each period can be set by an operator. The current period and the previous period are two adjacent periods.
In addition, if the current period is the first period in which the first network device transmits to the second network device, the total network traffic in the current period may be compared with a preset total traffic to determine whether the first network device is abnormal.
In one embodiment, because the duration of each period is normally the same, the total network traffic transmitted from the first network device to the second network device in each period typically varies only slightly. That is, the total in the current period may be slightly larger than the total in the previous period, but the difference should remain within a normal range, i.e. the difference between the two totals should be less than or equal to the preset traffic value.
The preset total traffic and the preset traffic value can be set by staff according to actual conditions. Moreover, the preset traffic value should be set separately for each different second network device with which the first network device communicates.
In an embodiment, the operation instruction is the information corresponding to the function code recorded in S11. Specifically, according to the bus protocol of the industrial communication system in the industrial control network, if the function code in the communication traffic is 01, the corresponding operation instruction is to read the coil state of the second network device; if the function code is 02, the corresponding operation instruction is to read the input state of the second network device. Since there are multiple function codes, there are correspondingly multiple operation instructions, which include but are not limited to: reading the switch state of the second network device, reading the data content of a register, and the like.
In addition, when the second network device responds to the function code, if it responds normally it returns the function code without an error to the first network device; if an abnormal alarm result (i.e. an abnormal event) occurs while responding to the function code, the second network device returns the function code corresponding to the abnormality to the first network device. Because the function code corresponding to the abnormality must be forwarded through the switch device, the switch device can also acquire the abnormal alarm result generated by the first network device and/or the second network device during communication.
In an embodiment, the abnormal instruction library is an instruction library preset in the second network device; it generally contains a plurality of instructions, and the second network device generates an abnormal alarm result when it executes any instruction in the abnormal instruction library.
It will be appreciated that different second network devices should have different abnormal instruction libraries.
In another embodiment, the abnormal instruction library may be stored in the second network device; after receiving the network traffic, the second network device compares the operation instruction in the network traffic with the instructions in the abnormal instruction library and uploads the comparison result (whether they are the same) to the switch device. When the switch device determines that the comparison result indicates a match, it generates an abnormal alarm result for the first network device.
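The switch-side checks of S15 and S16, as an added example that is not the patent's own code: per-period traffic totals per (first device, second device) pair are compared with the previous period (or with the preset total in the first period), and the operation instruction is checked against a per-device abnormal instruction library. It assumes the operation instruction is the Modbus/TCP function code and, for simplicity, that the switch holds the library itself rather than receiving the comparison result from the second device; the frames and device names are constructed.

```python
"""Switch-side traffic monitoring for steps S15 and S16 (added example).

Assumptions: the "operation instruction" is the Modbus/TCP function code, and
the abnormal instruction library is held by the switch (the description also
allows the second device to hold it and upload the comparison result).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Function codes named in the description: 01 read coils, 02 read inputs.
FUNCTION_CODE_NAMES = {0x01: "read coils", 0x02: "read inputs"}


def modbus_tcp_function_code(frame: bytes) -> int:
    """Return the function code of a Modbus/TCP request frame.

    The 7-byte MBAP header is transaction id (2), protocol id (2, always 0),
    length (2) and unit id (1); the function code is the first PDU byte.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for an MBAP header plus function code")
    if frame[2:4] != b"\x00\x00":
        raise ValueError("protocol identifier is not Modbus")
    return frame[7]


@dataclass
class TrafficMonitor:
    """Tracks per (first device, second device) traffic totals for each period."""
    preset_traffic_value: dict  # (src, dst) -> allowed growth in bytes between periods
    preset_total: dict          # (src, dst) -> baseline total for a pair's first period
    abnormal_library: dict      # dst -> set of function codes that alarm on that device
    current: dict = field(default_factory=lambda: defaultdict(int))
    previous: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def observe(self, src: str, dst: str, frame: bytes) -> None:
        """S15: attribute the frame to (src, dst); S16, second clause: check the instruction."""
        self.current[(src, dst)] += len(frame)
        code = modbus_tcp_function_code(frame)
        if code in self.abnormal_library.get(dst, set()):
            name = FUNCTION_CODE_NAMES.get(code, "other")
            self.alarms.append((src, "abnormal instruction",
                                f"function code 0x{code:02X} ({name}) sent to {dst}"))

    def close_period(self) -> list:
        """S16, first clause: compare each pair's total with the previous period.

        In a pair's first period the preset total is the baseline. Returns the
        alarms raised while closing this period.
        """
        raised = []
        for pair, total in self.current.items():
            baseline = self.previous.get(pair, self.preset_total.get(pair, 0))
            if total - baseline > self.preset_traffic_value.get(pair, 0):
                raised.append((pair[0], "traffic delta",
                               f"{total} bytes to {pair[1]} vs baseline {baseline}"))
        self.alarms.extend(raised)
        self.previous = dict(self.current)
        self.current = defaultdict(int)
        return raised


# Constructed sample frames (MBAP header + PDU), not captured from a real network.
READ_COILS = bytes.fromhex("000100000006010100000008")  # FC 01, 8 coils from address 0
WRITE_COIL = bytes.fromhex("00020000000601050000FF00")  # FC 05, force coil 0 on


def demo() -> list:
    """Two periods of HMI-A -> PLC-B traffic; returns all alarms raised."""
    mon = TrafficMonitor(
        preset_traffic_value={("HMI-A", "PLC-B"): 10},
        preset_total={("HMI-A", "PLC-B"): 30},
        abnormal_library={"PLC-B": {0x05, 0x06}},  # writes are abnormal on this PLC
    )
    for _ in range(3):  # period 1: 36 bytes, within baseline 30 + 10
        mon.observe("HMI-A", "PLC-B", READ_COILS)
    mon.close_period()
    for _ in range(4):  # period 2: 4 reads + 1 write = 60 bytes, 24 over baseline 36
        mon.observe("HMI-A", "PLC-B", READ_COILS)
    mon.observe("HMI-A", "PLC-B", WRITE_COIL)
    mon.close_period()
    return mon.alarms


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```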
S105, the switch device determines the boundary network device of the industrial control network from the plurality of network devices according to the device risk values.
In one embodiment, as described in S104, the greater the device risk value, the more dangerous the network device. Based on this, referring to fig. 7, the switch device may determine a boundary network device from the plurality of network devices by the following substeps S1051-S1052:
S1051, for any network device, the switch device determines a plurality of associated network devices communicatively connected to that network device.
S1052, if the device risk value of at least one associated network device is greater than a preset threshold, the switch device determines that the network device is a boundary network device of the industrial control network.
In an embodiment, a communication connection with the network device means that the network device transmits network traffic to other network devices and/or receives network traffic transmitted by other network devices; in that case the network device is considered to have a communication connection with those other network devices, and each such other network device is determined to be an associated network device.
In an embodiment, the preset threshold may be set by an operator according to actual conditions, which is not limited here. An industrial control network generally has core network devices, and the preset threshold corresponding to a core network device is generally lower than the preset threshold of other, non-core network devices; that is, when the device risk value of a core network device is relatively high, it may already be determined to be a dangerous network device.
It can be understood that if the device risk value of any associated network device is greater than the preset threshold, then even though the device information of that associated network device is recorded in the device table, the industrial control network still determines it to be a dangerous network device. Therefore, any network device having a communication connection with the dangerous network device should be provided with a boundary protection technique to shield the network traffic generated by that dangerous network device.
It should be noted that, since the boundary network device is itself a secure network device, a boundary protection technique may be deployed on the boundary network device to shield the network traffic transmitted by any associated network device whose device risk value is greater than the preset threshold.
In this embodiment, the state of each network device is identified by actively acquiring status data of each network device in the industrial control network. Then, for any network device, the monitoring result of the network device is determined according to its state and its last state, so as to determine whether the network device has generated an anomaly. Next, the device risk value of the network device is calculated from its monitoring result and the number of anomalies in its historical monitoring results, so that the terminal device can determine, based on the device risk value, the degree of risk the network device poses to the industrial control network. Finally, based on the degree of risk of each network device, the boundary network device of the industrial control network is accurately determined from the plurality of network devices, so that the industrial control network can deploy a boundary protection technique on the boundary network device for security protection.
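Substeps S1051-S1052 worked through on a constructed device set, as an added example that is not the patent's own code. Device risk values are taken as inputs (the risk formula is not reproduced), per-device thresholds model the lower threshold the description gives core devices, and the additional condition of claim 1 (the boundary device's own risk value is not above its threshold) is applied; the final function lists which associated devices each boundary device should shield.

```python
"""Boundary network device determination for S1051-S1052 (added example).

Assumptions: device risk values are already computed and supplied as inputs;
`thresholds` overrides the default preset threshold per device (core devices
get a lower one); the own-risk condition of claim 1 is applied.
"""


def associated_devices(flows: set, device: str) -> set:
    """S1051: every device that `device` sends traffic to or receives traffic from."""
    assoc = set()
    for src, dst in flows:
        if src == device:
            assoc.add(dst)
        elif dst == device:
            assoc.add(src)
    return assoc


def is_dangerous(device: str, risk: dict, thresholds: dict, default_threshold: float) -> bool:
    """A device is dangerous when its risk value exceeds its preset threshold."""
    return risk[device] > thresholds.get(device, default_threshold)


def boundary_devices(flows: set, risk: dict, thresholds: dict, default_threshold: float) -> dict:
    """S1052 with the claim 1 condition: a device whose own risk value is not above
    its threshold and which has at least one dangerous associated device.

    Returns {boundary device: set of its dangerous associated devices}.
    """
    result = {}
    for device in risk:
        if is_dangerous(device, risk, thresholds, default_threshold):
            continue  # a dangerous device is not itself a secure boundary device
        dangerous = {n for n in associated_devices(flows, device)
                     if is_dangerous(n, risk, thresholds, default_threshold)}
        if dangerous:
            result[device] = dangerous
    return result


def shield_rules(boundary: dict) -> list:
    """Boundary protection: traffic from each dangerous associated device is to be
    shielded at the boundary device. Returns sorted (boundary, shielded) pairs."""
    return sorted((b, d) for b, ds in boundary.items() for d in ds)


# Constructed sample: four devices with illustrative risk values and flows.
SAMPLE_RISK = {"HMI-A": 2.0, "PLC-B": 9.0, "SCADA-C": 6.0, "ENG-D": 3.0}
SAMPLE_THRESHOLDS = {"SCADA-C": 5.0}  # core device: lower threshold than the default
SAMPLE_DEFAULT_THRESHOLD = 8.0
SAMPLE_FLOWS = {("HMI-A", "PLC-B"), ("PLC-B", "SCADA-C"),
                ("SCADA-C", "ENG-D"), ("ENG-D", "HMI-A")}


def demo() -> dict:
    """PLC-B (9 > 8) and core device SCADA-C (6 > 5) are dangerous; HMI-A and ENG-D
    each neighbour one of them and become boundary devices."""
    return boundary_devices(SAMPLE_FLOWS, SAMPLE_RISK,
                            SAMPLE_THRESHOLDS, SAMPLE_DEFAULT_THRESHOLD)


if __name__ == "__main__":
    found = demo()
    print(found)
    print(shield_rules(found))
```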
Referring to fig. 8, fig. 8 is a block diagram of a boundary device determining apparatus of an industrial control network according to an embodiment of the present application. The boundary device determining apparatus of the industrial control network in this embodiment includes modules for executing the steps in the embodiments corresponding to fig. 3 to 7; please refer to fig. 3 to 7 and the related descriptions of those embodiments. For convenience of explanation, only the portions related to the present embodiment are shown. As shown in fig. 8, the boundary device determining apparatus 800 of the industrial control network may include: an acquisition module 810, an identification module 820, a monitoring result generation module 830, a calculation module 840, and a boundary network device determination module 850, wherein:
the acquiring module 810 is configured to acquire status data of a plurality of network devices in the industrial control network.
The identifying module 820 is configured to identify a status of each network device according to the status data of each network device.
The monitoring result generating module 830 is configured to generate a monitoring result of each network device based on the state of each network device and the last state of each network device, respectively.
The calculating module 840 is configured to calculate a device risk value of each network device according to the monitoring result of each network device and the historical monitoring result of each network device.
The border network device determining module 850 is configured to determine a border network device of the industrial control network from the plurality of network devices according to the device risk value.
In an embodiment, the boundary device determining apparatus 800 of the industrial control network further includes:
The receiving module is configured to receive network traffic transmitted by a first network device; the network traffic includes at least protocol feature data.
The comparison module is configured to compare the protocol feature data with the recorded device table.
The target information determining module is configured to determine, if the protocol feature data is not recorded in the device table, the target information of the first network device according to the source physical address in the protocol feature data.
The recording module is configured to record the target information and the protocol feature data into the device table.
In one embodiment, the network traffic further includes a destination protocol address and an operation instruction, and the boundary device determining apparatus 800 of the industrial control network further includes:
The second network device determining module is configured to determine, for any first network device performing communication transmission, the second network device in the industrial control network that receives the network traffic according to the destination protocol address in the network traffic;
The abnormal alarm result generation module is configured to generate an abnormal alarm result for the first network device if the difference between the total network traffic transmitted from the first network device to the second network device in the current period and the total transmitted in the previous period is greater than a preset traffic value, and/or if the operation instruction in the network traffic is the same as an instruction in the preset abnormal instruction library of the second network device.
In one embodiment, the monitoring result includes an abnormal alarm result, and the monitoring result generation module 830 is further configured to:
For any network device, if the state data of the network device is outside the preset range and/or the state of the network device differs from its last state, generate an abnormal alarm result for the network device.
In one embodiment, the calculation module 840 is further configured to:
For any network device, count, according to the monitoring result and the historical monitoring results within the target period, the number of anomalies for which the network device generated an abnormal alarm result and the event loss each time an abnormal alarm result was generated; and calculate the device risk value of the network device according to the number of anomalies and the event loss.
In one embodiment, the calculation module 840 is further configured to calculate the device risk value by the following risk value calculation formula:
where Y_risk is the device risk value; A_frequency is the number of anomalies; B_damage is the event loss; C_security is a preset device safety coefficient value.
In an embodiment, the border network device determination module 850 is further configured to:
Determining, for any one of the network devices, a plurality of associated network devices communicatively connected to the network device; and if the device risk value of at least one associated network device is greater than a preset threshold, determining that the network device is a boundary network device of the industrial control network.
It should be understood that, in the block diagram of the boundary device determining apparatus of the industrial control network shown in fig. 8, each module is configured to perform each step in the embodiments corresponding to fig. 3 to 7, and each step in the embodiments corresponding to fig. 3 to 7 has been explained in detail in the above embodiments, and specific reference is made to fig. 3 to 7 and related descriptions in the embodiments corresponding to fig. 3 to 7, which are not repeated herein.
Fig. 9 is a block diagram of a terminal device according to an embodiment of the present application. As shown in fig. 9, the terminal device 900 of this embodiment includes: a processor 910, a memory 920, and a computer program 930 stored in the memory 920 and executable on the processor 910, such as a program for a boundary device determining method of an industrial control network. When executing the computer program 930, the processor 910 implements the steps in each embodiment of the boundary device determining method of the industrial control network described above, for example S101 to S105 shown in fig. 1. Alternatively, when executing the computer program 930, the processor 910 may implement the functions of each module in the embodiment corresponding to fig. 8, for example the functions of the modules 810 to 850 shown in fig. 8; refer to the related description of the embodiment corresponding to fig. 8.
For example, the computer program 930 may be partitioned into one or more modules, which are stored in the memory 920 and executed by the processor 910 to implement the boundary device determining method of the industrial control network provided in the embodiments of the present application. The one or more modules may be a series of computer program instruction segments capable of performing particular functions, which describe the execution of the computer program 930 in the terminal device 900.
Terminal device 900 can include, but is not limited to, a processor 910, a memory 920. It will be appreciated by those skilled in the art that fig. 9 is merely an example of a terminal device 900 and is not intended to limit the terminal device 900, and may include more or fewer components than shown, or may combine certain components, or different components, e.g., the terminal device may further include an input-output device, a network access device, a bus, etc.
The processor 910 may be a central processing unit, but may also be other general purpose processors, digital signal processors, application specific integrated circuits, off-the-shelf programmable gate arrays or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Memory 920 may be an internal storage unit of terminal device 900, such as a hard disk or memory of terminal device 900. The memory 920 may also be an external storage device of the terminal device 900, for example, a plug-in hard disk, a smart memory card, a flash memory card, etc. provided on the terminal device 900. Further, the memory 920 may also include both internal storage units and external storage devices of the terminal device 900.
The embodiment of the application provides a terminal device, which comprises a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the processor realizes the boundary device determining method of the industrial control network in the above embodiments when executing the computer program.
The embodiments of the present application provide a computer readable storage medium, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the boundary device determining method of the industrial control network in the foregoing embodiments when executing the computer program.
The embodiments of the present application provide a computer program product, which when executed on a terminal device, causes the terminal device to execute the boundary device determining method of the industrial control network in the foregoing embodiments.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (9)

1. A method for determining boundary equipment of an industrial control network, the method comprising:
acquiring state data of a plurality of network devices in an industrial control network; the status data includes data characterizing an operational status of the network device;
identifying the state of each network device according to the state data of each network device;
generating a monitoring result of each network device based on the state of each network device and the last state of each network device;
calculating the equipment risk value of each network equipment according to the monitoring result of each network equipment and the history monitoring result of each network equipment;
determining boundary network equipment of the industrial control network from a plurality of network equipment according to the equipment risk value;
the determining the boundary network device of the industrial control network from the plurality of network devices according to the device risk value comprises the following steps:
determining, for any one of the network devices, a plurality of associated network devices communicatively connected to the network device;
if at least one equipment risk value of the associated network equipment is larger than a preset threshold value and the equipment risk value of the network equipment is not larger than the preset threshold value, determining that the network equipment is boundary network equipment of the industrial control network.
2. The method of claim 1, further comprising, prior to said obtaining status data for a plurality of network devices in an industrial control network:
receiving network traffic transmitted by a first network device; the network traffic includes at least protocol feature data;
comparing the protocol characteristic data with a recorded device table;
if the protocol characteristic data is not recorded in the device table, determining target information of the first network device according to a source physical address in the protocol characteristic data;
and recording the target information and the protocol characteristic data into the equipment table.
3. The method of claim 2, wherein the network traffic further comprises a destination protocol address and an operation instruction;
after recording the target information and the protocol feature data into the device table, the method further comprises:
for any first network device for communication transmission, determining a second network device for receiving the network traffic in the industrial control network according to a destination protocol address in the network traffic;
if the difference between the total amount of the network traffic transmitted from the first network device to the second network device in the current period and the total amount of the network traffic transmitted from the first network device to the second network device in the previous period is greater than a preset traffic value; and/or, if the operation instruction in the network flow is the same as the instruction in the preset abnormal instruction library in the second network device, generating an abnormal alarm result of the first network device.
4. The method of claim 1, wherein the monitoring result comprises an anomaly alert result;
the generating a monitoring result of each network device based on the state of each network device and the last state of each network device respectively includes:
for any network device, if the state data of the network device is outside a preset range and/or the state of the network device differs from its last state, generating an abnormal alarm result of the network device.
5. The method according to any one of claims 1-4, wherein calculating the device risk value of each of the network devices based on the monitoring result of each of the network devices and the historical monitoring result of each of the network devices, respectively, comprises:
for any network device, counting, according to the monitoring result and the historical monitoring result within the target period, the number of anomalies for which the network device generated an abnormal alarm result and the event loss each time an abnormal alarm result was generated;
and calculating the device risk value of the network device according to the number of anomalies and the event loss.
6. The method of claim 5, wherein the device risk value is calculated by a risk value calculation formula, the risk value calculation formula being as follows:
where Y_risk is the device risk value; A_frequency is the number of anomalies; B_damage is the event loss; C_security is a preset device safety coefficient value.
7. A boundary device determining apparatus for an industrial control network, the apparatus comprising:
the acquisition module is used for acquiring state data of a plurality of network devices in the industrial control network; the status data includes data characterizing an operational status of the network device;
the identification module is used for identifying the state of each network device according to the state data of each network device;
the monitoring result generation module is used for generating a monitoring result of each network device based on the state of each network device and the last state of each network device respectively;
the calculation module is used for calculating the equipment risk value of each network equipment according to the monitoring result of each network equipment and the historical monitoring result of each network equipment;
the boundary network equipment determining module is used for determining boundary network equipment of the industrial control network from a plurality of network equipment according to the equipment risk value;
the border network equipment determining module is further configured to:
determining, for any one of the network devices, a plurality of associated network devices communicatively connected to the network device; if at least one equipment risk value of the associated network equipment is larger than a preset threshold value and the equipment risk value of the network equipment is not larger than the preset threshold value, determining that the network equipment is boundary network equipment of the industrial control network.
8. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 6 when executing the computer program.
9. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the method according to any one of claims 1 to 6.
CN202210061097.1A 2022-01-19 2022-01-19 Method, device, equipment and storage medium for determining boundary equipment of industrial control network Active CN114448689B (en)
Publications (2)

Publication Number Publication Date
CN114448689A CN114448689A (en) 2022-05-06
CN114448689B true CN114448689B (en) 2023-07-25
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant