CN114584497A - Passive industrial control system asset identification method and device - Google Patents

Info

Publication number
CN114584497A
Authority
CN
China
Prior art keywords
decision tree
fingerprint
industrial control
data set
asset identification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202210479357.7A
Other languages
Chinese (zh)
Inventor
齐营磊
张大伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Unita Information Technology Co ltd
Original Assignee
Beijing Unita Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Unita Information Technology Co ltd filed Critical Beijing Unita Information Technology Co ltd
Priority to CN202210479357.7A priority Critical patent/CN114584497A/en
Publication of CN114584497A publication Critical patent/CN114584497A/en
Withdrawn legal-status Critical Current

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/18Protocol analysers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/243Classification techniques relating to the number of classes
    • G06F18/24323Tree-organised classifiers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/026Capturing of monitoring data using flow identification
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention discloses a passive industrial control system asset identification method and device. The method comprises the following steps: S1) acquiring industrial control network traffic; S2) parsing the industrial control network traffic acquired in step S1) and extracting the protocol stack fingerprint; S3) matching the protocol stack fingerprint attributes extracted in step S2) against a fingerprint database, outputting the asset name corresponding to the hit fingerprint when a fingerprint in the fingerprint database is hit, and otherwise outputting the asset name obtained after classification by the asset identification decision tree classifier. By acquiring industrial control network traffic passively, the method solves technical problems such as the interference that active acquisition of industrial control network traffic causes on the industrial control network and the high difficulty of detecting NAT-routed assets.

Description

Passive industrial control system asset identification method and device
Technical Field
The invention relates to the field of asset identification of industrial control networks, in particular to an asset identification method and device of a passive industrial control system.
Background
Because industrial control systems generally lacked security design when they were first designed, performing industrial asset detection in the industrial field with active probing and similar methods commonly used in traditional IT systems can affect or even damage some sensitive industrial control equipment. Since the industrial control system also plays a vital role in industrial production, active industrial control asset detection is usually not allowed in the industrial field. In addition, existing asset detection technology based on TCP/IP protocol stack fingerprint feature libraries suffers from low efficiency and accuracy in identifying unknown assets.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to provide a passive industrial control system asset identification method and device which, by acquiring industrial control network traffic passively, solve technical problems such as the interference that active acquisition of industrial control network traffic causes on the industrial control network and the high difficulty of detecting NAT-routed assets.
In order to solve the technical problems, the invention provides the following technical scheme:
A passive industrial control system asset identification method comprises the following steps:
S1) acquiring industrial control network traffic;
S2) parsing the industrial control network traffic acquired in step S1) and extracting the protocol stack fingerprint;
S3) matching the protocol stack fingerprint attributes extracted in step S2) against the fingerprint database, outputting the asset name corresponding to the hit fingerprint when a fingerprint in the fingerprint database is hit, and otherwise outputting the asset name obtained after classification by the asset identification decision tree classifier.
In the above passive industrial control system asset identification method, in step S3), the decision tree construction step in the asset identification decision tree classifier is as follows:
a) preprocessing fingerprints of a decision tree training data set S;
b) constructing a decision tree by using the decision tree training data set S preprocessed in the step a);
c) pruning the decision tree constructed in step b) by using a test data set.
In the passive industrial control system asset identification method, in the step a), the fingerprint preprocessing of the decision tree training data set S comprises protocol stack attribute feature extraction, commonality value taking, classification and marking.
In the above-mentioned passive industrial control system asset identification method, in step a), the fingerprint attribute selectable items are discretely processed, and each fingerprint attribute selectable item is marked as an independent attribute.
In the asset identification method of the passive industrial control system, in the step b), the training samples in the decision tree training data set S are divided into k types to obtain a decision tree training data subset
Figure DEST_PATH_IMAGE001
Is composed of
Figure 633032DEST_PATH_IMAGE002
Calculating the information entropy of the decision tree training data set S
Figure DEST_PATH_IMAGE003
The method comprises the following steps:
Figure 568627DEST_PATH_IMAGE004
where
Figure DEST_PATH_IMAGE005
is the proportion of the decision tree training data set S that belongs to the decision tree training data subset
Figure 214372DEST_PATH_IMAGE006
and
Figure 729667DEST_PATH_IMAGE006
is the decision tree training data subset of class
Figure 544302DEST_PATH_IMAGE007
obtained when the training samples in the decision tree training data set S are divided into k classes;
The attribute set A of the preprocessed decision tree training data set S is divided by the test attribute A_j to generate v branch nodes, and the gain of A_j on the preprocessed decision tree training data set S is calculated by the following formula:
Figure 322902DEST_PATH_IMAGE009
where
Figure 659205DEST_PATH_IMAGE011
is the value range of the test attribute A_j, and
Figure 040508DEST_PATH_IMAGE013
is the decision tree training data of S at the v-th branch node, whose value on the test attribute A_j is
Figure DEST_PATH_IMAGE015
The split information of the preprocessed decision tree training data set S during construction of the decision tree is:
Figure 614709DEST_PATH_IMAGE017
The information gain ratio of A_j is:
Figure 423265DEST_PATH_IMAGE019
in the asset identification method of the passive industrial control system, in the step c), the mode of pruning the decision tree constructed in the step b) by using the test data set is a post-pruning mode.
In the above passive industrial control system asset identification method, in step c), the confidence α of the misclassification rate after all the non-leaf nodes are cut is calculated from the root node:
Figure 184547DEST_PATH_IMAGE021
where N is the total number of sample instances,
Figure 307224DEST_PATH_IMAGE023
is the estimated upper bound of the error-rate interval, f is the observed misclassification rate, and q is the true misclassification rate.
In the asset identification method of the passive industrial control system, in the step c), whether pruning is needed or not is determined according to the change of e before and after pruning;
Figure 329407DEST_PATH_IMAGE025
wherein z is the standard deviation of the confidence coefficient alpha, and z =1-U1-α
In the passive industrial control system asset identification method, in the step c), after the decision tree pruning is completed, the corresponding industrial control system asset identification rule is directly extracted from the decision tree.
The system for identifying system assets by using the passive industrial control system asset identification method comprises:
a traffic acquisition module, used for receiving industrial control network traffic by means of switch port mirroring;
a protocol stack fingerprint analysis module, used for extracting the protocol stack fingerprint required for asset identification from the data packets exchanged during TCP connection establishment;
a known fingerprint storage module, used for storing known asset fingerprint features and matching known traffic;
a decision tree classifier module, used for predicting the asset for unknown asset fingerprint features according to the decision tree rules; an asset identification decision tree classifier is arranged in the decision tree classifier module;
an identification result display module, used for displaying the asset identification result;
the traffic acquisition module is in communication connection with the protocol stack fingerprint analysis module, the protocol stack fingerprint analysis module is in communication connection with the known fingerprint storage module, the known fingerprint storage module is in communication connection with the decision tree classifier module and the identification result display module respectively, and the decision tree classifier module is in communication connection with the identification result display module.
The technical scheme of the invention achieves the following beneficial technical effects:
By acquiring industrial control network traffic passively, the method solves technical problems such as the interference that active acquisition of industrial control network traffic causes on the industrial control network and the high difficulty of detecting NAT-routed assets. Meanwhile, with the decision tree modeling method, processing an operating system fingerprint sample to be detected requires only attribute comparisons, so the processing is simple and has an obvious performance advantage when fingerprint samples are processed at large scale, and the technical problem of the low identification rate for protocol fingerprints that do not match exactly is solved.
Drawings
Fig. 1 is a schematic diagram of the working principle of the system of the present invention.
FIG. 2 is a schematic flow chart of a passive industrial control system asset identification method of the present invention.
Detailed Description
As shown in Fig. 1, the system for identifying system assets in the present invention includes a traffic acquisition module, a protocol stack fingerprint analysis module, a known fingerprint storage module, a decision tree classifier module, and an identification result display module. The traffic acquisition module is in communication connection with the protocol stack fingerprint analysis module, the protocol stack fingerprint analysis module is in communication connection with the known fingerprint storage module, the known fingerprint storage module is in communication connection with the decision tree classifier module and the identification result display module respectively, and the decision tree classifier module is in communication connection with the identification result display module. The traffic acquisition module is used for receiving industrial control network traffic by means of switch port mirroring; the protocol stack fingerprint analysis module is used for extracting the protocol stack fingerprint required for asset identification from the data packets exchanged during TCP connection establishment; the known fingerprint storage module is used for storing known asset fingerprint features and matching known traffic; the decision tree classifier module is used for predicting the asset for unknown asset fingerprint features according to the decision tree rules, and an asset identification decision tree classifier is arranged in the decision tree classifier module; and the identification result display module is used for displaying the asset identification result.
The decision tree in the decision tree classifier module is constructed by the following steps:
a) preprocessing fingerprints of a decision tree training data set S, wherein the preprocessing of the fingerprints of the decision tree training data set S comprises protocol stack attribute feature extraction, commonality value taking, classification and marking, and discrete processing is performed on fingerprint attribute selectable items, and each fingerprint attribute selectable item is used as an independent attribute to be marked; examples of industrial control network asset attribute features to be processed include: LEN, WIN, DF, TTL, OPT options;
b) constructing a decision tree by using the decision tree training data set S preprocessed in the step a);
c) pruning the decision tree constructed in step b) by using the test data set, that is, using the test data set to check and correct the rules generated by the decision tree and pruning the branches that reduce accuracy. The pruning mode is post-pruning, which avoids mistakenly pruning useful tree nodes that have not yet been generated: the decision tree is allowed to overfit the data and is pruned after it has been generated. After the pruning of the decision tree is finished, the corresponding industrial control system asset identification rules are extracted directly from the decision tree. The following are several examples of rules:
1. linux2.9 'LEN=52' and 'WIN=6144' and 'DF=0' and 'TTL=64' and 'MSS=1460' and 'OPT=MNWST'
2. windowsNT 'LEN=52' and 'WIN=8192' and 'DF=1' and 'TTL=64' and 'MSS=1460' and 'OPT=MNWST'
3. windowsXP 'LEN=64' and 'WIN=65535'
in step b), training samples in the decision tree training data set S are divided into k types to obtain a decision tree training data subset
Figure 449810DEST_PATH_IMAGE027
Is composed of
Figure 760705DEST_PATH_IMAGE029
Calculating the information entropy of the decision tree training data set S
Figure 454117DEST_PATH_IMAGE031
The method comprises the following steps:
Figure 268489DEST_PATH_IMAGE033
where
Figure 950006DEST_PATH_IMAGE035
is the proportion of the decision tree training data set S that belongs to the decision tree training data subset
Figure 420302DEST_PATH_IMAGE037
and
Figure 884781DEST_PATH_IMAGE038
is the decision tree training data subset of class
Figure 881556DEST_PATH_IMAGE040
obtained when the training samples in the decision tree training data set S are divided into k classes;
The attribute set A of the preprocessed decision tree training data set S is divided by the test attribute A_j to generate v branch nodes, and the gain of A_j on the preprocessed decision tree training data set S is calculated by the following formula:
Figure 609341DEST_PATH_IMAGE041
where
Figure 957146DEST_PATH_IMAGE042
is the value range of the test attribute A_j, i.e.
Figure DEST_PATH_IMAGE044
Figure 162999DEST_PATH_IMAGE045
is the decision tree training data of S at the v-th branch node, whose value on the test attribute A_j is
Figure DEST_PATH_IMAGE046
which contains all samples of the decision tree training data set S whose value on the test attribute A_j is
Figure DEST_PATH_IMAGE047
; the attribute set A is
Figure DEST_PATH_IMAGE049
Figure DEST_PATH_IMAGE051
is the number of elements of the decision tree training data set,
Figure DEST_PATH_IMAGE053
is the number of elements of the subset of the decision tree training data set S in which the test attribute A_j takes the value v;
according to the formula
Figure DEST_PATH_IMAGE054
Information entropy of
Figure DEST_PATH_IMAGE056
Considering that different branch nodes contain different numbers of training samples, each branch node is given the weight
Figure DEST_PATH_IMAGE058
that is, branch nodes with more training samples have greater influence; the information gain obtained by dividing the decision tree training data set S with the test attribute A_j can then be calculated;
The split information of the preprocessed decision tree training data set S during construction of the decision tree is:
Figure 968275DEST_PATH_IMAGE017
The information gain ratio of A_j is:
Figure 601382DEST_PATH_IMAGE019
where
Figure DEST_PATH_IMAGE060
is independent of the class of the training samples.
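The tree construction of step b), as an added example that is not code from the patent. The formula images are missing from this page, so the code uses the standard C4.5 definitions of information entropy, gain, split information and gain ratio, which is an assumption; the training rows and function names are constructed for illustration, and the post-pruning of step c) is not included.

```python
import math
from collections import Counter

ATTRS = ["LEN", "WIN", "DF", "TTL", "MSS", "OPT"]

def row(label, *values):
    """One training sample: (fingerprint dict, asset label)."""
    return dict(zip(ATTRS, values)), label

# Constructed training set S (illustrative values, not data from the patent).
TRAIN = [
    row("Linux2.9",   52, 6144,  0, 64,  1460, "MNWST"),
    row("Linux2.9",   52, 5840,  0, 64,  1460, "MNWST"),
    row("Windows NT", 52, 8192,  1, 64,  1460, "MNWST"),
    row("Windows NT", 52, 8192,  1, 64,  1380, "MNWST"),
    row("Windows XP", 64, 65535, 1, 128, 1460, "MNWSNT"),
    row("Windows XP", 64, 65535, 1, 128, 1380, "MNWSNT"),
]

def entropy(rows):
    """Information entropy of the class labels: -sum_i p_i * log2(p_i)."""
    n = len(rows)
    counts = Counter(label for _, label in rows).values()
    return -sum(c / n * math.log2(c / n) for c in counts)

def partition(rows, attr):
    """Split rows into one subset per observed value of attr (the branch nodes)."""
    parts = {}
    for fp, label in rows:
        parts.setdefault(fp[attr], []).append((fp, label))
    return parts

def gain(rows, attr):
    """Entropy of S minus the size-weighted entropy of its branch subsets."""
    n = len(rows)
    parts = partition(rows, attr).values()
    return entropy(rows) - sum(len(p) / n * entropy(p) for p in parts)

def split_info(rows, attr):
    """Entropy of the branch sizes themselves, ignoring class labels."""
    n = len(rows)
    parts = partition(rows, attr).values()
    return -sum(len(p) / n * math.log2(len(p) / n) for p in parts)

def gain_ratio(rows, attr):
    si = split_info(rows, attr)
    return gain(rows, attr) / si if si > 0 else 0.0  # single-valued attribute

def majority(rows):
    return Counter(label for _, label in rows).most_common(1)[0][0]

def build(rows, attrs):
    """Recursively pick the attribute with the highest gain ratio."""
    if len({label for _, label in rows}) == 1 or not attrs:
        return majority(rows)
    # Rounding makes float-noise ties resolve to the first attribute in attrs.
    best = max(attrs, key=lambda a: round(gain_ratio(rows, a), 9))
    if gain_ratio(rows, best) <= 1e-9:
        return majority(rows)
    rest = [a for a in attrs if a != best]
    children = {v: build(p, rest) for v, p in partition(rows, best).items()}
    return {"attr": best, "default": majority(rows), "children": children}

def classify(tree, fp):
    """Walk the tree; an attribute value never seen in training falls back
    to the majority class of the node where the walk stopped."""
    while isinstance(tree, dict):
        tree = tree["children"].get(fp[tree["attr"]], tree["default"])
    return tree

def rules(tree, path=()):
    """Flatten the tree into rule strings in the style of the rule examples."""
    if not isinstance(tree, dict):
        return [f"{tree} " + " and ".join(f"'{a}={v}'" for a, v in path)]
    out = []
    for value, sub in tree["children"].items():
        out += rules(sub, path + ((tree["attr"], value),))
    return out

TREE = build(TRAIN, ATTRS)

if __name__ == "__main__":
    for attr in ATTRS:
        print(f"{attr}: gain ratio {gain_ratio(TRAIN, attr):.4f}")
    print("\n".join(rules(TREE)))
```

WIN separates all three classes but is penalised by its larger split information, which is the reason for using the gain ratio rather than the raw gain.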
In step c), the confidence α of the misclassification rate of all non-leaf nodes after being cut is calculated from the root node:
Figure DEST_PATH_IMAGE062
where N is the total number of sample instances,
Figure DEST_PATH_IMAGE063
is the estimated upper bound of the error-rate interval, f is the observed misclassification rate, and q is the true misclassification rate. For example, let E be the number of misclassifications in N sample instances; then f = E/N.
In the step c), determining whether pruning is needed or not according to the change of e before and after pruning;
Figure DEST_PATH_IMAGE065
wherein z is the standard deviation of the confidence coefficient alpha, and z =1-U1-α
The specific steps for identifying industrial control system assets with the system are as follows:
S1) acquiring industrial control network traffic, specifically, receiving the industrial control network traffic by means of switch port mirroring;
S2) parsing the industrial control network traffic acquired in step S1) and extracting the protocol stack fingerprint attributes, specifically, extracting the protocol stack fingerprint required for asset identification from the data packets exchanged during TCP connection establishment;
S3) matching the protocol stack fingerprint attributes extracted in step S2) against the fingerprint database, outputting the asset name corresponding to the hit fingerprint when a fingerprint in the fingerprint database is hit, and otherwise outputting the asset name obtained after classification by the asset identification decision tree classifier. Specifically, the protocol stack fingerprint obtained from a data packet of the industrial control network traffic is compared with the fingerprints in the fingerprint database; if it matches a fingerprint in the database completely, the corresponding asset name is output, and if it does not match completely, the asset identification decision tree classifier makes an accurate prediction from the attribute fields extracted from the message.
In step S2), an example of the extracted asset fingerprint features is shown in Table 1.
TABLE 1 Extracted asset fingerprint features
Assets | LEN | WIN | DF | TTL | MSS | OPT
Linux2.9 | 52 | 6144 | 0 | 64 | 1460 | MNWST
Windows NT | 52 | 8192 | 1 | 64 | 1460 | MNWST
Windows XP | 64 | 65535 | 1 | 128 | 1460 | MNWSNT
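The extraction of step S2) and the database match of step S3), as an added example that is not code from the patent: it parses a raw IPv4 TCP SYN into the LEN/WIN/DF/TTL/MSS/OPT attributes and looks the result up in a store holding the three Table 1 rows. The option letters (M=MSS, N=NOP, W=window scale, S=SACK permitted, T=timestamp), the rounding of the observed TTL up to a common initial value, and all function names are assumptions; the packets are constructed.

```python
import struct

# Assumed letter codes per TCP option kind (the page shows strings such as
# "MNWST" but does not define the letters).
OPT_LETTERS = {1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}
KEYS = ("LEN", "WIN", "DF", "TTL", "MSS", "OPT")

# Known-fingerprint store keyed by the attribute tuple: the Table 1 rows.
FINGERPRINT_DB = {
    (52, 6144, 0, 64, 1460, "MNWST"): "Linux2.9",
    (52, 8192, 1, 64, 1460, "MNWST"): "Windows NT",
    (64, 65535, 1, 128, 1460, "MNWSNT"): "Windows XP",
}

def initial_ttl(observed):
    """Round an observed TTL up to a common initial value (assumed convention),
    so that hops between the asset and the mirror port do not change the key."""
    return next(b for b in (32, 64, 128, 255) if observed <= b)

def extract_fingerprint(pkt):
    """Return the fingerprint dict for an IPv4 TCP SYN, or None otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", pkt, 2)
    flags_frag, = struct.unpack_from("!H", pkt, 6)
    if pkt[9] != 6 or ihl < 20 or len(pkt) < ihl + 20:
        return None                      # not TCP, or truncated headers
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02 or data_off < 20 or len(tcp) < data_off:
        return None                      # only SYN / SYN+ACK carry the fingerprint
    win, = struct.unpack_from("!H", tcp, 14)
    mss, layout, i = 0, "", 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # NOP is a single byte
            layout, i = layout + "N", i + 1
            continue
        if i + 1 >= data_off:
            break                        # option header truncated
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            break                        # malformed length: stop, never loop
        if kind == 2 and length == 4:
            mss, = struct.unpack_from("!H", tcp, i + 2)
        layout += OPT_LETTERS.get(kind, "?")
        i += length
    return {"LEN": total_len, "WIN": win, "DF": (flags_frag >> 14) & 1,
            "TTL": initial_ttl(pkt[8]), "MSS": mss, "OPT": layout}

def lookup(fp):
    """Exact match against the store; None means the fingerprint is unknown
    and is to be handed to the decision tree classifier."""
    if fp is None:
        return None
    return FINGERPRINT_DB.get(tuple(fp[k] for k in KEYS))

def make_syn(ttl, df, win, options, flags=0x02):
    """Build a constructed IPv4+TCP segment (checksums left at zero)."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 502, 1000, 0,
                      (tcp_len // 4) << 4, flags, win, 0, 0)
    return ip + tcp + options

TS = b"\x08\x0a" + bytes(8)                      # timestamp option, zero values
# Constructed SYN seen two hops away (TTL 126) with option layout MNWSNT.
HIT = make_syn(126, 1, 65535, b"\x02\x04\x05\xb4\x01\x03\x03\x02\x04\x02\x01" + TS)
# Constructed SYN with option layout MNWNNS, which is not in the store.
MISS = make_syn(64, 1, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")

if __name__ == "__main__":
    for name, pkt in (("HIT", HIT), ("MISS", MISS)):
        fp = extract_fingerprint(pkt)
        print(name, fp, "->", lookup(fp) or "no exact match: classify with the tree")
```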
In identification tests on unknown assets in an industrial control network, the identification efficiency for unknown assets reached up to 100%, and the accuracy reached up to 96%.
It should be understood that the above examples are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. It is neither necessary nor possible to enumerate all embodiments here. Obvious variations or modifications derived therefrom remain within the scope of the appended claims.

Claims (10)

1. A passive industrial control system asset identification method, characterized by comprising the following steps:
S1) acquiring industrial control network traffic;
S2) parsing the industrial control network traffic acquired in step S1) and extracting the protocol stack fingerprint;
S3) matching the protocol stack fingerprint attributes extracted in step S2) against the fingerprint database, outputting the asset name corresponding to the hit fingerprint when a fingerprint in the fingerprint database is hit, and otherwise outputting the asset name obtained after classification by the asset identification decision tree classifier.
2. The passive industrial control system asset identification method according to claim 1, wherein in step S3), the decision tree in the asset identification decision tree classifier is constructed by the following steps:
a) preprocessing fingerprints of a decision tree training data set S;
b) constructing a decision tree by using the decision tree training data set S preprocessed in the step a);
c) pruning the decision tree constructed in step b) by using a test data set.
3. The passive industrial control system asset identification method according to claim 2, wherein in step a), the fingerprint preprocessing of the decision tree training data set S comprises protocol stack fingerprint attribute feature extraction, commonality value taking, classification and labeling.
4. A passive industrial control system asset identification method according to claim 3, wherein in step a) fingerprint attribute alternatives are discretely processed, each fingerprint attribute alternative being marked as an individual attribute.
5. The asset identification method of the passive industrial control system according to claim 4, wherein in the step b), the training samples in the training data set S of the decision tree are divided into k classes, and the entropy of the information of the training data set S of the decision tree is calculated
Figure 803078DEST_PATH_IMAGE001
The method comprises the following steps:
Figure 88566DEST_PATH_IMAGE002
where
Figure 481370DEST_PATH_IMAGE003
is the proportion of the decision tree training data set S that belongs to the decision tree training data subset
Figure 535913DEST_PATH_IMAGE004
and
Figure 372282DEST_PATH_IMAGE004
is the decision tree training data subset of class
Figure 145066DEST_PATH_IMAGE005
obtained when the training samples in the decision tree training data set S are divided into k classes;
the attribute set A of the preprocessed decision tree training data set S is divided by the test attribute A_j to generate v branch nodes, and the gain of A_j on the preprocessed decision tree training data set S is calculated by the following formula:
Figure 577447DEST_PATH_IMAGE006
where
Figure 955339DEST_PATH_IMAGE007
is the value range of the test attribute A_j, and
Figure 821663DEST_PATH_IMAGE008
is the decision tree training data of S at the v-th branch node, whose value on the test attribute A_j is
Figure 222689DEST_PATH_IMAGE009
the split information of the preprocessed decision tree training data set S during construction of the decision tree is:
Figure 832662DEST_PATH_IMAGE010
the information gain ratio of A_j is:
Figure 065060DEST_PATH_IMAGE011
6. The passive industrial control system asset identification method according to claim 2, wherein in step c), the mode of pruning the decision tree constructed in step b) with the test data set is a post-pruning mode.
7. The passive industrial control system asset identification method according to claim 2, wherein in step c), the confidence α of the misclassification rate after all non-leaf nodes are cut is calculated for the pair of nodes starting from the root node:
Figure 492499DEST_PATH_IMAGE012
where N is the total number of sample instances,
Figure 239875DEST_PATH_IMAGE013
is the estimated upper bound of the error-rate interval, f is the observed misclassification rate, and q is the true misclassification rate.
8. The passive industrial control system asset identification method according to claim 7, wherein in step c), it is determined whether pruning is required according to the change of e before and after pruning;
Figure 528905DEST_PATH_IMAGE014
wherein z is the standard deviation of the confidence coefficient alpha, and z =1-U1-α
9. The passive industrial control system asset identification method according to claim 2, wherein in step c), after the decision tree pruning is completed, the corresponding industrial control system asset identification rule is directly extracted from the decision tree.
10. A system for identifying system assets using the passive industrial control system asset identification method according to any one of claims 1 to 9, comprising:
a traffic acquisition module, used for receiving industrial control network traffic by means of switch port mirroring;
a protocol stack fingerprint analysis module, used for extracting the protocol stack fingerprint required for asset identification from the data packets exchanged during TCP connection establishment;
a known fingerprint storage module, used for storing known asset fingerprint features and matching known traffic;
a decision tree classifier module, used for predicting the asset for unknown asset fingerprint features according to the decision tree rules; an asset identification decision tree classifier is arranged in the decision tree classifier module;
an identification result display module, used for displaying the asset identification result;
the traffic acquisition module is in communication connection with the protocol stack fingerprint analysis module, the protocol stack fingerprint analysis module is in communication connection with the known fingerprint storage module, the known fingerprint storage module is in communication connection with the decision tree classifier module and the identification result display module respectively, and the decision tree classifier module is in communication connection with the identification result display module.
CN202210479357.7A 2022-05-05 2022-05-05 Passive industrial control system asset identification method and device Withdrawn CN114584497A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210479357.7A CN114584497A (en) 2022-05-05 2022-05-05 Passive industrial control system asset identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210479357.7A CN114584497A (en) 2022-05-05 2022-05-05 Passive industrial control system asset identification method and device

Publications (1)

Publication Number Publication Date
CN114584497A true CN114584497A (en) 2022-06-03

Family

ID=81777903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210479357.7A Withdrawn CN114584497A (en) 2022-05-05 2022-05-05 Passive industrial control system asset identification method and device

Country Status (1)

Country Link
CN (1) CN114584497A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115955522A (en) * 2022-11-30 2023-04-11 绿盟科技集团股份有限公司 Asset fingerprint identification method, device, equipment and medium
CN117633666A (en) * 2024-01-26 2024-03-01 远江盛邦(北京)网络安全科技股份有限公司 Network asset identification method, device, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110868404A (en) * 2019-11-05 2020-03-06 北京航空航天大学 Industrial control equipment automatic identification method based on TCP/IP fingerprint
CN113973059A (en) * 2021-10-21 2022-01-25 浙江大学 Passive industrial internet asset identification method and device based on network protocol fingerprint

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
GOVINDA M. G. BEZERRA等: "A Precise Flow Representation for Autonomous IoT-Devices Reconnaissance", 《2022 25TH CONFERENCE ON INNOVATION IN CLOUDS, INTERNET AND NETWORKS AND WORKSHOPS (ICIN)》 *
卢志伟: "数据挖掘技术在人力资源管理中的运用", 《中国优秀硕士学位论文全文数据库》 *
朱振显: "基于决策树和被动监听的操作系统识别方法研究", 《中国优秀硕士学位论文全文数据库》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220603