CN114500247A - Industrial control network fault diagnosis method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number
CN114500247A
Authority
CN
China
Prior art keywords
network
data
industrial control
abnormal
network communication
Legal status
Granted
Application number
CN202210187356.5A
Other languages
Chinese (zh)
Other versions
CN114500247B (en)
Inventor
周峰
林昕
姜亚光
Current Assignee
China Software Evaluation Center
Original Assignee
China Software Evaluation Center
Application filed by China Software Evaluation Center
Priority to CN202210187356.5A
Publication of CN114500247A
Application granted
Publication of CN114500247B
Legal status: Active (current)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications > H04L41/0677 Localisation of faults
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications > H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/12 Discovery or management of network topologies
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS > Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation > Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The embodiment of the application discloses a method and a device for diagnosing industrial control network faults, electronic equipment and a computer readable storage medium, wherein the method comprises the following steps: acquiring network communication data of an industrial control network; determining whether a network abnormality exists according to the network communication data; when the network is abnormal, acquiring log data of the industrial control host and state data of the network equipment; correlating the log data with the state data, and determining whether an abnormal network communication behavior exists according to the correlated log data and state data; and when the abnormal network communication behavior exists, determining the target equipment and the network link related to the abnormal network communication behavior according to the network topology information of the industrial control network. The method and the device therefore diagnose industrial control network faults from multidimensional data, namely the network communication data, the log data of the industrial control host and the state data of the network equipment; they are suitable for the complex scenes of an industrial control network and improve the accuracy and efficiency of industrial control network fault diagnosis.

Description

Industrial control network fault diagnosis method and device, electronic equipment and readable storage medium
Technical Field
The present application belongs to the technical field of industrial control networks, and in particular, to a method and an apparatus for diagnosing industrial control network faults, an electronic device, and a computer-readable storage medium.
Background
With the continuous popularization and deepening of the industrial internet, the structure of the industrial control network is increasingly complex, and the types of network equipment in the industrial control network are increasingly diverse. Compared with an IT network, the industrial control network involves more network devices and more complex network communication protocols, which brings great challenges to its network fault diagnosis.
At present, conventional network fault diagnosis is based on collecting information from the current network equipment and focuses on statistical information such as monitored network traffic. It cannot cope with complex field scenarios, for example switch equipment in an industrial site that cannot be managed, and because the diagnosis relies on information of a single dimension, its accuracy and efficiency are low.
Disclosure of Invention
The embodiment of the application provides an industrial control network fault diagnosis method, an industrial control network fault diagnosis device, electronic equipment and a computer readable storage medium, and can solve the problems of low accuracy and efficiency of the existing industrial control network fault diagnosis.
In a first aspect, an embodiment of the present application provides an industrial control network fault diagnosis method, including:
acquiring network communication data of an industrial control network, wherein the industrial control network comprises an industrial control host and network equipment;
determining whether network abnormality exists according to the network communication data;
when the network is abnormal, acquiring log data of the industrial control host and state data of the network equipment;
correlating the log data with the state data, and determining whether an abnormal network communication behavior exists according to the correlated log data and the state data;
and when the abnormal network communication behavior exists, determining the target equipment and the network link related to the abnormal network communication behavior according to the network topology information of the industrial control network.
Therefore, whether the network is abnormal or not is judged according to the network communication data, if the network is abnormal, whether abnormal network communication behaviors exist or not is further determined according to the log data of the industrial control host and the state data of the network equipment, and the network nodes and the network links related to the abnormal network communication behaviors are further determined.
In some possible implementation manners of the first aspect, after determining, according to the network topology information of the industrial control network, a target device and a network link associated with the abnormal network communication behavior, the method further includes:
and setting the display color of the node corresponding to the target device as a first color, and setting the display color of the network link as a second color.
In some possible implementations of the first aspect, after obtaining the log data of the industrial control host and the status data of the network device, the method further includes:
and constructing a data portrait according to the log data, the state data and the network communication data, and displaying the data portrait.
In some possible implementation manners of the first aspect, after determining, according to the network topology information of the industrial control network, a target device and a network link associated with the abnormal network communication behavior, the method further includes:
acquiring a click instruction aiming at a node corresponding to target equipment;
and responding to the click instruction, and displaying the data portrait corresponding to the target equipment.
In some possible implementations of the first aspect, determining whether a network anomaly exists according to the network communication data includes:
analyzing the network communication data to obtain a communication packet protocol characteristic value;
matching the communication protocol characteristic value with a preset characteristic value to obtain a matching result;
and determining whether the network abnormity exists according to the matching result.
In some possible implementations of the first aspect, the log data includes an operating state of the industrial control host, a process, an industrial control software log, a system configuration, and an operation log, and the state data includes an operating state and a network state of the network device.
In a second aspect, an embodiment of the present application provides an industrial control network fault diagnosis device, including:
the flow data acquisition module is used for acquiring network communication data of an industrial control network, and the industrial control network comprises an industrial control host and network equipment;
the network anomaly judging module is used for determining whether network anomaly exists according to the network communication data;
the data acquisition module is used for acquiring log data of the industrial control host and state data of the network equipment when network abnormality exists;
the abnormal communication behavior judgment module is used for correlating the log data with the state data and determining whether the abnormal network communication behavior exists or not according to the correlated log data and the state data;
and the determining module is used for determining the target equipment and the network link related to the abnormal network communication behavior according to the network topology information of the industrial control network when the abnormal network communication behavior exists.
In some possible implementations of the second aspect, the apparatus further comprises:
and the abnormal state display module is used for setting the display color of the node corresponding to the target equipment to be a first color and setting the display color of the network link to be a second color.
In a third aspect, an embodiment of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the method according to any one of the first aspect is implemented.
In a fourth aspect, the present application provides a computer-readable storage medium, in which a computer program is stored, and the computer program is executed by a processor to implement the method according to any one of the above first aspects.
In a fifth aspect, embodiments of the present application provide a computer program product, which, when run on an electronic device, causes the electronic device to perform the method of any one of the above first aspects.
It is understood that for the beneficial effects of the second to fifth aspects, reference may be made to the related description of the first aspect, which is not repeated here.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for diagnosing a fault of an industrial control network according to an embodiment of the present application;
fig. 2 is a schematic block diagram of a structure of an industrial control network fault diagnosis device provided in an embodiment of the present application;
fig. 3 is a schematic block diagram of an industrial control network fault diagnosis system provided in an embodiment of the present application;
fig. 4 is a block diagram schematically illustrating a structure of an electronic device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon", "in response to determining" or "in response to detecting". Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted contextually to mean "upon determining", "in response to determining", "upon detecting [described condition or event]" or "in response to detecting [described condition or event]".
Furthermore, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used for distinguishing between descriptions and not necessarily for describing or implying relative importance.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
The industrial control network fault diagnosis method provided by the embodiment of the application can be applied to electronic equipment such as monitoring nodes. The industrial control network includes multiple types of devices, for example, an industrial control host, a security device, an industrial control device, a network device, and the like, and the network device may include a switch, a router, a gateway, and the like. A plurality of monitoring nodes are deployed in the industrial control network. The embodiment of the application does not limit the specific type of electronic equipment to which the industrial control network fault diagnosis method is applied.
Referring to fig. 1, a schematic flow chart of a method for diagnosing an industrial control network fault provided in an embodiment of the present application is shown, where the method may include the following steps:
step S101, network communication data of an industrial control network are obtained, and the industrial control network comprises an industrial control host and network equipment.
In a specific application, the network communication data can be acquired by the flow probe assembly, and the acquired network communication data can include information such as a communication protocol abnormal operation instruction and a protocol function code.
Step S102, determining whether a network abnormality exists according to the network communication data.
In some embodiments, the collected network communication data may be analyzed to obtain a communication packet protocol characteristic value, where the communication packet protocol characteristic value may include, for example, the communication protocol abnormal operation instruction and the protocol function code; then, matching the communication protocol characteristic value obtained by analysis with a preset characteristic value to obtain a matching result; and determining whether the network abnormity exists according to the matching result.
After it is determined from the network communication data that the network is abnormal, the abnormal communication behavior, and the network link and network node related to it, are further determined. If no network abnormality is found, the judgment continues on the newly acquired network communication data.
Step S103, when the network is abnormal, acquiring log data of the industrial control host and state data of the network equipment.
The log data includes but is not limited to the running state, the process, the industrial control software log, the system configuration and the operation log of the industrial control host. The status data includes, but is not limited to, the operating status and the network status of the network device.
In a specific application, the log data of the industrial control host can be collected by the industrial control host probe assembly, which collects running state information of the industrial control host, such as CPU utilization, memory utilization and disk utilization, together with information on running processes, system configuration, and the error logs and operation logs of a Windows/Linux system.
The state data of the network equipment can be collected by a remote probe assembly, which collects information such as the running state and network state of the equipment through management protocols such as SNMP, SSH and TELNET supported by the network equipment and the security equipment.
Step S104, correlating the log data with the state data, and determining whether abnormal network communication behaviors exist according to the correlated log data and state data.
Specifically, running states such as CPU, memory and network port rate in the log data, together with the real-time port states, are associated with the port MAC address of the industrial control host according to the port MAC address of the network equipment, so that the log data and the state data are correlated. After the association succeeds, whether abnormal network communication behaviors exist is judged from the network communication behaviors generated by the industrial control host; for example, if there is access to 445, 3389 or other high-risk ports, an abnormal network communication behavior is considered to exist.
Step S105, when the abnormal network communication behavior exists, determining the target equipment and the network link related to the abnormal network communication behavior according to the network topology information of the industrial control network.
It is to be understood that the network topology information may be embodied as a network topology map of the industrial control network, which includes related information such as each network node in the industrial control network, and network links between each network node.
After it is determined that an abnormal network communication behavior exists, the abnormal target equipment and the network link related to it can be determined through the communication link relations between the nodes in the network topology graph. The target device is the device in the industrial control network that exhibits the abnormal network communication behavior, and may be an industrial control host or a network device.
Therefore, whether the network is abnormal or not is judged according to the network communication data, if the network is abnormal, whether abnormal network communication behaviors exist or not is further determined according to the log data of the industrial control host and the state data of the network equipment, and the network nodes and the network links related to the abnormal network communication behaviors are further determined.
In some possible implementation manners, after the target device and the network link associated with the abnormal network communication behavior are determined according to the network topology information of the industrial control network, the display color of the node corresponding to the target device may be set to be a first color, and the display color of the network link may be set to be a second color.
The first color and the second color may be the same, e.g., both red, or they may differ. Through the first color and the second color, the node corresponding to the target device and the associated network link are displayed in an abnormal state, so that a user can tell from the colors which node and which network link are abnormal.
Illustratively, the display color of a network node may be: green for normal; grey for equipment offline; red for abnormal; yellow for failure. Each network node is periodically checked according to the industrial control network fault diagnosis method to obtain a diagnosis result, and the display states of the network nodes and network links are set to the corresponding colors according to that result.
It can be seen that, in the embodiments of the present application, the display color of the associated node and network link is set to be a specific color, so that a user can intuitively know an abnormal condition in the network.
In some possible implementation manners, after the log data of the industrial control host and the state data of the network equipment are acquired, a data portrait can be constructed and displayed according to the log data, the state data and the network communication data.
It is worth pointing out that after data of each device is collected through the industrial control host probe assembly, the flow probe assembly and the remote probe assembly, the data is normalized according to a data analysis normalization rule, the normalized data is associated with actual device assets, and then the normalized data is stored in a database.
The data analysis normalization rule is used for unifying the formats of the data and marking unique equipment identification on each data so as to associate the data with the equipment.
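As an added worked example that is not part of the patent, the following Python sketch runs steps S101 to S105 on constructed probe records and also applies the data analysis normalization rule just described (one record format, tagged with a unique device identifier). The preset characteristic value, the sample MAC addresses, device identifiers and topology are assumptions; the behavior check follows the page's own example of access to high-risk ports 445 and 3389.

```python
from collections import deque

# Preset characteristic values for step S102. Constructed placeholder: the page
# names no concrete values, so one (protocol, function code) pair stands in for
# an operator-configured "abnormal operation instruction".
PRESET_ABNORMAL_FEATURES = {("modbus", 0x08)}
# High-risk destination ports named on the page (step S104).
HIGH_RISK_PORTS = {445, 3389}

def normalize(record, source, device_id):
    """Normalization rule: one record format, tagged with a unique device id."""
    return {"source": source, "device_id": device_id, **record}

def protocol_features(flows):
    """Step S102: parse communication data into (protocol, function code) values."""
    return {(f["protocol"], f["func_code"]) for f in flows}

def network_is_abnormal(flows, preset=PRESET_ABNORMAL_FEATURES):
    """Step S102: a network anomaly exists when a parsed value matches the preset."""
    return bool(protocol_features(flows) & preset)

def correlate(host_logs, device_states):
    """Step S104: associate host log data with switch port state via the port MAC."""
    port_by_mac = {}
    for dev in device_states:
        for name, port in dev["ports"].items():
            port_by_mac[port["mac"]] = {"device_id": dev["device_id"], "port": name, **port}
    correlated = {}
    for log in host_logs:
        port = port_by_mac.get(log["mac"])
        if port is None:
            continue  # host seen on no managed port: association fails, skip it
        correlated[log["device_id"]] = {"log": log, "port": port}
    return correlated

def abnormal_behaviors(flows, correlated):
    """Step S104: flag traffic from a correlated host to a high-risk port."""
    asset_by_mac = {c["log"]["mac"]: host for host, c in correlated.items()}
    found = []
    for f in flows:
        src = asset_by_mac.get(f["src_mac"])
        if src is not None and f["dst_port"] in HIGH_RISK_PORTS:
            # An unknown destination keeps its raw MAC, so the topology walk fails safely.
            dst = asset_by_mac.get(f["dst_mac"], f["dst_mac"])
            found.append({"host": src, "dst": dst, "dst_port": f["dst_port"]})
    return found

def locate(behavior, topology):
    """Step S105: breadth-first walk of the topology map (adjacency lists) from the
    target device to the destination; returns the target and the links on that path."""
    start, goal = behavior["host"], behavior["dst"]
    prev, queue = {start: None}, deque([start])
    while queue and goal not in prev:
        node = queue.popleft()
        for nxt in topology.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    links, node = [], goal
    while node in prev and prev[node] is not None:
        links.append((prev[node], node))
        node = prev[node]
    return {"target": start, "links": links[::-1]}

def diagnose(flows, host_logs, device_states, topology):
    """Steps S101-S105 end to end; returns the display colors to apply."""
    nodes, links = {}, {}
    if not network_is_abnormal(flows):
        return {"nodes": nodes, "links": links}  # nothing to show; keep judging traffic
    for b in abnormal_behaviors(flows, correlate(host_logs, device_states)):
        r = locate(b, topology)
        nodes[r["target"]] = "red"  # first color
        for link in r["links"]:
            links[link] = "red"  # second color
    return {"nodes": nodes, "links": links}

# Constructed sample input: two hosts behind one switch, a PLC behind a firewall.
FLOWS = [
    normalize({"src_mac": "00:01", "dst_mac": "00:02", "dst_port": 445,
               "protocol": "smb", "func_code": None}, "flow_probe", "probe-1"),
    normalize({"src_mac": "00:01", "dst_mac": "00:03", "dst_port": 502,
               "protocol": "modbus", "func_code": 0x08}, "flow_probe", "probe-1"),
]
HOST_LOGS = [
    normalize({"mac": "00:01", "cpu": 0.91, "mem": 0.62}, "host_probe", "host-a"),
    normalize({"mac": "00:02", "cpu": 0.12, "mem": 0.40}, "host_probe", "host-b"),
]
DEVICE_STATES = [
    normalize({"ports": {"Gi0/1": {"mac": "00:01", "status": "up"},
                         "Gi0/2": {"mac": "00:02", "status": "up"}}}, "remote_probe", "sw1"),
]
TOPOLOGY = {
    "host-a": ["sw1"], "host-b": ["sw1"], "sw1": ["host-a", "host-b", "fw1"],
    "fw1": ["sw1", "plc-1"], "plc-1": ["fw1"],
}

if __name__ == "__main__":
    print(diagnose(FLOWS, HOST_LOGS, DEVICE_STATES, TOPOLOGY))
```

On the sample data the Modbus record trips the step S102 match, the SMB access to port 445 is the abnormal behavior, and the walk colors host-a and the two links to host-b; a destination absent from the topology map yields no links rather than a wrong path.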
To better present the real-time status of the industrial control network to the user, a data portrait of each device in the network can be constructed from the data of that device stored in the database.
The data portrait can present the data of the industrial control host reported by the industrial control host probe assembly: real-time and historical running state information, system operation logs, error log information and the like, where the running state information comprises CPU, memory, disk, network uplink/downlink and process monitoring information; it can also present the real-time and historical running state information and port state change information of network equipment (such as switches, routers and protection equipment) reported by the remote probe assembly; and it can present the network communication data reported by the flow probe assembly.
Further, after the target device and the network link associated with the abnormal network communication behavior are determined according to the network topology information of the industrial control network, a click instruction for the node corresponding to the target device can be obtained, and in response to the click instruction the data portrait corresponding to the target device is displayed. That is, the user may view the data portrait of a device by clicking on its node icon. The data portrait is displayed differently for different types of equipment.
Of course, the user may click and view the operation state information, the abnormal event information, the failure event summary and other information of the node as required.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Fig. 2 is a schematic block diagram of the structure of the industrial control network fault diagnosis device provided in the embodiment of the present application, and only the parts related to the embodiment of the present application are shown for convenience of description.
Referring to fig. 2, the apparatus includes:
the flow data acquisition module 21 is configured to acquire network communication data of an industrial control network, where the industrial control network includes an industrial control host and network equipment;
the network anomaly judging module 22 is used for determining whether network anomaly exists according to the network communication data;
the data acquisition module 23 is configured to acquire log data of the industrial control host and status data of the network device when a network anomaly exists;
the abnormal communication behavior judgment module 24 is configured to associate the log data with the state data, and determine whether an abnormal network communication behavior exists according to the associated log data and state data;
and the determining module is used for determining the target equipment and the network link related to the abnormal network communication behavior according to the network topology information of the industrial control network when the abnormal network communication behavior exists.
In some possible implementations, the apparatus further includes: and the abnormal state display module is used for setting the display color of the node corresponding to the target equipment to be a first color and setting the display color of the network link to be a second color.
In some possible implementations, the apparatus may further include a data portrait construction module, configured to construct a data portrait from the log data, the state data and the network communication data, and to display the data portrait.
In some possible implementation manners, the apparatus may further include a data portrait display module, configured to obtain a click instruction for the node corresponding to the target device, and in response to the click instruction, display the data portrait corresponding to the target equipment.
In some possible implementation manners, the network anomaly determination module is specifically configured to: analyzing the network communication data to obtain a communication packet protocol characteristic value; matching the communication protocol characteristic value with a preset characteristic value to obtain a matching result; and determining whether the network abnormity exists according to the matching result.
In some possible implementations, the log data includes an operating state, a process, an industrial control software log, a system configuration and an operation log of the industrial control host, and the state data includes an operating state and a network state of the network device.
Referring to fig. 3, a schematic block diagram of an industrial control network fault diagnosis system provided in the embodiment of the present application may include an industrial control host probe assembly module 31, a flow probe assembly module 32, a remote probe assembly module 33, a data processing module 34, a storage module 35, a knowledge base 36, a network topology module 37, a data imaging module 38, and a diagnosis analysis module 39.
The industrial control host probe assembly module 31 is configured to collect log information of an industrial control host, which may include, but is not limited to, the operating system running state, fault information, user operation behavior, system configuration, operating system vulnerabilities and patches, network connections, network services, network communications, and the security protection state of the host.
The flow probe assembly module 32 is used for collecting network communication data based on industrial control proprietary protocols.
The remote probe assembly module 33 is used for collecting status data such as network status and operation status of the switch, firewall, router, etc. through SNMP, SSH, TELNET, etc.
The data processing module 34 is used for carrying out data normalization on data collected by the industrial control host probe assembly module 31, the flow probe assembly module 32 and the remote probe assembly module 33, associating each data with a corresponding equipment asset and storing the data in the storage module 35.
The storage module 35 is used for managing and maintaining a database, and stores data including: normalized data and device asset data.
The knowledge base 36 contains the data normalization rules and diagnostic analysis rules used by the data processing module, among others.
The network topology module 37 is configured to record and edit network topology information, perform logical association on equipment assets, provide basic network relationship data to the diagnostic analysis module, and provide editable nodes including an industrial control host model, a switch, a router, a firewall, a control device, an industrial control device, a collection gateway, and other devices. When a node is edited, all asset devices in the current area are listed by device type; selecting one asset automatically associates the parameters of that asset, such as the asset IP and asset type, with the node.
The data imaging module 38 is used for presenting corresponding device information based on the device type, that is, presenting data collected by the industrial control host probe assembly module 31, the flow probe assembly module 32 and the remote probe assembly module 33.
The diagnosis and analysis module 39 is configured to perform fault diagnosis according to data collected by the industrial control host probe assembly module 31, the flow probe assembly module 32, and the remote probe assembly module 33 based on the network topology map, and determine whether each node in the network is abnormal and a network link related to the abnormality.
It should be noted that, for the information interaction, execution process, and other contents between the above-mentioned devices/units, the specific functions and technical effects thereof are based on the same concept as those of the method embodiment in the embodiment of the present application, which may be referred to in the method embodiment section specifically, and are not described herein again.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 4, the electronic apparatus 4 of this embodiment includes: at least one processor 40 (only one shown in fig. 4), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40, the processor 40 implementing the steps in any of the various object tracking method embodiments described above when executing the computer program 42.
The electronic device 4 may be a desktop computer, a notebook, a palmtop computer, a cloud server or another computing device. The electronic device may include, but is not limited to, the processor 40 and the memory 41. Those skilled in the art will appreciate that fig. 4 is merely an example of the electronic device 4 and does not constitute a limitation of it; the device may include more or fewer components than shown, combine some of the components, or use different components, such as an input/output device or a network access device.
The processor 40 may be a central processing unit (CPU); it may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 41 may, in some embodiments, be an internal storage unit of the electronic device 4, such as a hard disk or the main memory of the electronic device 4. In other embodiments the memory 41 may also be an external storage device attached to the electronic device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), or the like. The memory 41 may also include both an internal storage unit and an external storage device of the electronic device 4. The memory 41 is used to store an operating system, application programs, a boot loader, data and other programs, such as the program code of the computer program; it may also be used to temporarily store data that has been output or is to be output.
It should be clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional units and modules is only used for illustration, and in practical applications, the above function distribution may be performed by different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the above described functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
An embodiment of the present application further provides an electronic device, including: at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, the processor implementing the steps of any of the various method embodiments described above when executing the computer program.
The embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements the steps in the above-mentioned method embodiments.
The embodiments of the present application provide a computer program product, which when running on an electronic device, enables the electronic device to implement the steps in the above method embodiments when executed.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On that basis, all or part of the processes in the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include at least: any entity or device capable of carrying the computer program code to the photographing apparatus/terminal apparatus, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunications signal and a software distribution medium, such as a USB disk, a removable hard disk, a magnetic or optical disk, and so on. In certain jurisdictions, in accordance with legislation and patent practice, computer-readable media may not include electrical carrier signals or telecommunications signals.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device and method may be implemented in other ways. For example, the above-described apparatus/electronic device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A method for diagnosing industrial control network faults is characterized by comprising the following steps:
acquiring network communication data of an industrial control network, wherein the industrial control network comprises an industrial control host and network equipment;
determining whether network abnormality exists according to the network communication data;
when the network is abnormal, acquiring log data of the industrial control host and state data of the network equipment;
correlating the log data with the state data, and determining whether an abnormal network communication behavior exists according to the correlated log data and the state data;
and when the abnormal network communication behavior exists, determining the target equipment and the network link related to the abnormal network communication behavior according to the network topology information of the industrial control network.
2. The method of claim 1, wherein after determining the target device and the network link associated with the abnormal network communication behavior according to the network topology information of the industrial control network, the method further comprises:
and setting the display color of the node corresponding to the target device as a first color, and setting the display color of the network link as a second color.
3. The method of claim 1, wherein after obtaining log data of the industrial control host and status data of the network device, the method further comprises:
and constructing a data portrait according to the log data, the state data and the network communication data, and displaying the data portrait.
4. The method of claim 3, wherein after determining the target device and the network link associated with the abnormal network communication behavior based on the network topology information of the industrial control network, the method further comprises:
acquiring a click instruction aiming at a node corresponding to the target equipment;
and responding to the click instruction, and displaying the data image corresponding to the target equipment.
5. The method of claim 1, wherein determining whether a network anomaly exists based on the network communication data comprises:
analyzing the network communication data to obtain a communication packet protocol characteristic value;
matching the communication protocol characteristic value with a preset characteristic value to obtain a matching result;
and determining whether network abnormality exists according to the matching result.
6. The method of claim 1, wherein the log data comprises an operational state of the industrial control host, a process, an industrial control software log, a system configuration, and an operational log, and wherein the state data comprises an operational state and a network state of the network device.
7. An industrial control network fault diagnosis device is characterized by comprising:
a flow data acquisition module, configured to acquire network communication data of an industrial control network, wherein the industrial control network comprises an industrial control host and network equipment;
the network anomaly judging module is used for determining whether network anomaly exists according to the network communication data;
the data acquisition module is used for acquiring log data of the industrial control host and state data of the network equipment when network abnormality exists;
the abnormal communication behavior judgment module is used for correlating the log data with the state data and determining whether abnormal network communication behaviors exist or not according to the correlated log data and the state data;
and the determining module is used for determining the target equipment and the network link related to the abnormal network communication behavior according to the network topology information of the industrial control network when the abnormal network communication behavior exists.
8. The apparatus of claim 7, wherein the apparatus further comprises:
and the abnormal state display module is used for setting the display color of the node corresponding to the target equipment to be a first color and setting the display color of the network link to be a second color.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of any of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 6.
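The module description above (flow probe, host probe, remote probe, topology module, diagnosis module) and claims 1, 2 and 5 describe one pipeline: match each packet's protocol characteristic value against preset values, and on a mismatch pull host logs and device state, correlate them with the anomaly, then use the topology map to name the target device and the links to highlight. The following is an added example of that pipeline in Python, written for this page and not taken from the patent or any product of the applicant. Every asset name, IP-less flow record, log line, preset feature set, switch state and the 30-second correlation window is constructed for illustration; a real deployment would feed these from the probes and the storage module.

```python
"""Added example (not the patent's own code): an offline model of the
fault-diagnosis pipeline in claims 1, 2 and 5. All assets, flow records,
log lines, preset values and the topology below are constructed."""
from collections import deque
from datetime import datetime

# --- Claim 1 step 1: network communication data from the flow probe ---
# (timestamp, source asset, destination asset, protocol characteristic value).
# The feature value is "protocol/function-code", a simplified stand-in for
# whatever the parser extracts from the industrial protocol packet.
FLOWS = [
    ("2022-02-28T10:00:01", "HMI-1", "PLC-1", "modbus/3"),     # read holding regs
    ("2022-02-28T10:00:02", "HMI-1", "PLC-1", "modbus/16"),    # write multiple regs
    ("2022-02-28T10:00:05", "ENG-1", "PLC-1", "s7comm/0x04"),  # read variable
    ("2022-02-28T10:00:09", "HMI-1", "PLC-2", "modbus/8"),     # diagnostics, unexpected
]

# Claim 5: preset characteristic values, i.e. the communication each pair of
# assets is expected to exchange. Anything outside is a network anomaly.
PRESET_FEATURES = {
    ("HMI-1", "PLC-1"): {"modbus/3", "modbus/16"},
    ("ENG-1", "PLC-1"): {"s7comm/0x04"},
    ("HMI-1", "PLC-2"): {"modbus/3"},
}

# --- Claim 1 step 3: host log data and network-device state data (constructed) ---
HOST_LOGS = {
    "HMI-1": [
        ("2022-02-28T10:00:08", "process", "new process started: unknown_tool.exe"),
        ("2022-02-28T10:00:09", "connection", "outbound TCP to PLC-2:502"),
    ],
}
DEVICE_STATE = {"SW-1": {"run_state": "up"}, "SW-2": {"run_state": "up"}}

# Topology module output as an undirected adjacency map (constructed layout).
TOPOLOGY = {
    "HMI-1": ["SW-1"], "ENG-1": ["SW-1"],
    "SW-1": ["HMI-1", "ENG-1", "SW-2"],
    "SW-2": ["SW-1", "PLC-1", "PLC-2"],
    "PLC-1": ["SW-2"], "PLC-2": ["SW-2"],
}


def detect_network_anomalies(flows, presets):
    """Claim 5: flag every packet whose feature value is not in the preset set."""
    return [
        {"ts": ts, "src": src, "dst": dst, "feature": feature}
        for ts, src, dst, feature in flows
        if feature not in presets.get((src, dst), set())
    ]


def shortest_path(topology, src, dst):
    """Breadth-first search over the topology map; returns src..dst node list."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return []


def correlate(anomaly, host_logs, device_state, topology, window_s=30):
    """Claim 1 step 4: join host logs and device state to the anomaly by asset
    and time. Host-side process/connection events inside the window, on a path
    whose network devices all report 'up', mean the traffic originated from the
    host (abnormal communication behaviour) rather than from a link fault."""
    t0 = datetime.fromisoformat(anomaly["ts"])
    evidence = [
        (ts, kind, msg)
        for ts, kind, msg in host_logs.get(anomaly["src"], [])
        if abs((datetime.fromisoformat(ts) - t0).total_seconds()) <= window_s
        and kind in {"process", "connection"}
    ]
    path = shortest_path(topology, anomaly["src"], anomaly["dst"])
    down = [n for n in path if device_state.get(n, {}).get("run_state") == "down"]
    return {"abnormal_behaviour": bool(evidence) and not down,
            "evidence": evidence, "path": path, "devices_down": down}


def locate(anomaly, correlation, first_color="red", second_color="orange"):
    """Claims 1 and 2: the target device is the originating host; the affected
    links are the edges on its path, each given the display colours of claim 2."""
    path = correlation["path"]
    links = [(path[i], path[i + 1]) for i in range(len(path) - 1)]
    return {"target": anomaly["src"], "node_color": first_color,
            "links": links, "link_color": second_color}


def diagnose(flows=FLOWS, presets=PRESET_FEATURES, host_logs=HOST_LOGS,
             device_state=DEVICE_STATE, topology=TOPOLOGY):
    """Run the whole pipeline; returns one location record per confirmed case."""
    results = []
    for anomaly in detect_network_anomalies(flows, presets):
        corr = correlate(anomaly, host_logs, device_state, topology)
        if corr["abnormal_behaviour"]:
            results.append(locate(anomaly, corr))
    return results


if __name__ == "__main__":
    for record in diagnose():
        print(record)
```

On the constructed data only the `modbus/8` diagnostics request from HMI-1 to PLC-2 misses the preset set, the host log shows a new process and a new outbound connection within the window, and both switches on the path are up, so the diagnosis names HMI-1 as the target node and highlights the three links HMI-1/SW-1, SW-1/SW-2 and SW-2/PLC-2. If a switch on that path reported `down`, the same anomaly would be treated as a link fault instead, which is the reason the claim correlates device state with the host logs rather than judging from traffic alone.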
CN202210187356.5A 2022-02-28 2022-02-28 Industrial control network fault diagnosis method and device, electronic equipment and readable storage medium Active CN114500247B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210187356.5A CN114500247B (en) 2022-02-28 2022-02-28 Industrial control network fault diagnosis method and device, electronic equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210187356.5A CN114500247B (en) 2022-02-28 2022-02-28 Industrial control network fault diagnosis method and device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN114500247A true CN114500247A (en) 2022-05-13
CN114500247B CN114500247B (en) 2023-08-15

Family

ID=81484837

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210187356.5A Active CN114500247B (en) 2022-02-28 2022-02-28 Industrial control network fault diagnosis method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN114500247B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277485A (en) * 2022-07-25 2022-11-01 绿盟科技集团股份有限公司 Network data control method and device and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160065603A1 (en) * 2014-08-27 2016-03-03 General Electric Company Collaborative infrastructure supporting cyber-security analytics in industrial networks
CN107171819A (en) * 2016-03-07 2017-09-15 北京华为数字技术有限公司 A kind of network fault diagnosis method and device
CN110380907A (en) * 2019-07-26 2019-10-25 京信通信系统(中国)有限公司 A kind of network fault diagnosis method, device, the network equipment and storage medium
CN111176202A (en) * 2019-12-31 2020-05-19 成都烽创科技有限公司 Safety management method, device, terminal equipment and medium for industrial control network
CN112351035A (en) * 2020-11-06 2021-02-09 杭州安恒信息技术股份有限公司 Industrial control security situation sensing method, device and medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277485A (en) * 2022-07-25 2022-11-01 绿盟科技集团股份有限公司 Network data control method and device and electronic equipment
CN115277485B (en) * 2022-07-25 2023-09-26 绿盟科技集团股份有限公司 Control method and device for network data and electronic equipment

Also Published As

Publication number Publication date
CN114500247B (en) 2023-08-15

Similar Documents

Publication Publication Date Title
US20190279098A1 (en) Behavior Analysis and Visualization for a Computer Infrastructure
CN111935172B (en) Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium
JP6821800B2 (en) Systems and methods for interactive network analytics platforms
US20220050765A1 (en) Method for processing logs in a computer system for events identified as abnormal and revealing solutions, electronic device, and cloud server
US9015794B2 (en) Determining several security indicators of different types for each gathering item in a computer system
WO2006028808A2 (en) Method and apparatus for assessing performance and health of an information processing network
US10341182B2 (en) Method and system for detecting network upgrades
CN112822053B (en) SNMP-based link layer network topology structure discovery method and system
CN114363151A (en) Fault detection method and device, electronic equipment and storage medium
CN114598506B (en) Industrial control network security risk tracing method and device, electronic equipment and storage medium
CN112910696A (en) Automatic modeling analysis method for network topology
CN114138771B (en) Abnormal data processing method and device and electronic equipment
CN114500247B (en) Industrial control network fault diagnosis method and device, electronic equipment and readable storage medium
CN116204386B (en) Method, system, medium and equipment for automatically identifying and monitoring application service relationship
CN111654405A (en) Method, device, equipment and storage medium for fault node of communication link
CN111131325A (en) Data protocol anomaly identification system and method
CN111176950A (en) Method and equipment for monitoring network card of server cluster
CN114553546B (en) Message grabbing method and device based on network application
CN111261271B (en) Service availability diagnosis method and device for video monitoring environment
CN115426326A (en) Method, apparatus, device, medium and program product for identifying uplink relay port
CN111988172B (en) Network information management platform, device and security management method
US7126964B1 (en) Method and apparatus for network analysis, such as analyzing and correlating identifiers of frame relay circuits in a network
CN113783755A (en) Network monitoring method, network monitoring device, storage medium and electronic device
CN109688142B (en) Threat management method and system in industrial control system network
CN116680098B (en) Industrial robot safety monitoring method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant