CN114745197A - Method and system for monitoring industrial control network intrusion in real time - Google Patents


Info

Publication number: CN114745197A
Authority: CN (China)
Prior art keywords: equipment, icons, industrial control, control network, monitoring
Legal status: Granted (active)
Application number: CN202210457091.6A
Other languages: Chinese (zh)
Other versions: CN114745197B (en)
Inventors: 刘炯, 梁海, 吕晗殊, 谢刚, 李斌
Current assignee: Dongfang Electric Zhongneng Industrial Control Network Security Technology Chengdu Co ltd
Original assignee: Dongfang Electric Zhongneng Industrial Control Network Security Technology Chengdu Co ltd
Application filed by Dongfang Electric Zhongneng Industrial Control Network Security Technology Chengdu Co ltd
Priority to CN202210457091.6A; published as CN114745197A, then granted and published as CN114745197B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/16 Implementing security features at a particular protocol layer
                        • H04L63/164 Implementing security features at a particular protocol layer at the network layer
                    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
                        • H04L63/105 Multiple levels of security
                    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
            • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
                • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
                    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention discloses a method and a system for monitoring industrial control network intrusion in real time. The system comprises a message capturing module, a message processing module, a white list comparison module, a communication calculation module and a graph drawing module. The method comprises the following steps: A: parsing the bottom layer original messages in the industrial control network; B: judging whether each device is a legal device according to its address information; C: representing legal devices and illegal devices by icons, adding the icons of legal devices to a safe area and the icons of illegal devices to a non-safe area; D: setting the rotation speed of each icon according to the broadcast message rate of its device, connecting the icons of devices that are communicating with each other, and monitoring the industrial control network from the combination of icon rotation speed and connections. The invention can monitor the normal and abnormal communication of all devices in the industrial control network, and can promptly detect and visually display the communication and propagation behavior of each device at the early stage of a virus or Trojan horse outbreak.

Description

Method and system for monitoring industrial control network intrusion in real time
Technical Field
The invention belongs to the technical field of industrial automation control, and particularly relates to a method and a system for monitoring industrial control network intrusion in real time.
Background
The importance of network security to national security is self-evident: network attacks against industrial control systems are no longer aimed only at economic gain, but show a trend towards damaging national infrastructure and energy supply. Targeted destructive attacks are carried out through industrial control systems that the attackers have persistently penetrated, or in which they remain hidden, in fields such as electric power, railways, coal, chemical engineering, metallurgy and intelligent manufacturing. The security of the industrial control system networks on which key national infrastructure such as electric power, energy and transport relies is essential to the stable operation of the national economy, and the consequences of a successful attack are extremely serious, so the information security problem of industrial control networks must be addressed vigorously.
At present, prior-art monitoring of the communication states among devices in an industrial control network aims at protecting fixed industrial control devices. For example, in the industrial control network behavior monitoring technique disclosed in patent document CN106998326A, network packets are obtained through a bypass connection to a device in the network, industrial protocol identification is performed on the packets to extract industrial protocol behavior data, and that data is compared with a calculated credible range to determine whether it is abnormal and hence whether an attack has occurred. Although this technique can monitor in real time whether there is abnormal behavior in the industrial control network, it only monitors; it cannot dynamically display the overall situation of the devices being protected.
In addition, the prior-art extraction and processing of five-tuple information stays at the network level and does not go down to the control system level. For example, patent document CN112019523A discloses a method and an apparatus for network auditing of an industrial control system, which extract the source IP, destination port, industrial protocol and industrial protocol function code and match them against white list rules to calculate a corresponding threat value. However, the user can only see whether the IP is an intranet or extranet IP and whether the asset is known or unknown, without learning which specific device of the industrial control system the IP belongs to.
For the foregoing reasons, there is still a need for further improvements in monitoring techniques for industrial control networks.
Disclosure of Invention
The invention aims to solve the problems in the prior art and provides a method and a system for monitoring industrial control network intrusion in real time.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
a method for monitoring industrial control network intrusion in real time, characterized by comprising the following steps:
step A: acquiring and parsing the bottom layer original messages in the industrial control network to obtain the address information of each bottom layer original message;
step B: comparing the address information with a preset white list database, and judging whether the device corresponding to the address information is a legal device or an illegal device;
step C: presetting a display area comprising a safe area and a non-safe area, representing legal devices and illegal devices by icons, adding the icons representing legal devices to the safe area, and adding the icons representing illegal devices to the non-safe area;
step D: calculating the broadcast message rate of each device, setting the rotation speed of the corresponding icon according to the broadcast message rate of each device, connecting the icons of the devices that are communicating with each other, and monitoring the industrial control network from the combination of icon rotation speed and connections.
The method monitors according to the data update time: when the data is next updated, the icons and connecting lines generated by the previous monitoring cycle are erased first, and steps A to D are then repeated.
The address information in step A includes, but is not limited to, the source MAC address, destination MAC address, source IP address and destination IP address.
In step B, the comparison information of all legal devices in the industrial control network is pre-stored in the white list database; if the compared address information is present in the white list database, the corresponding device is judged to be a legal device, otherwise it is judged to be an illegal device.
In step C, different icons are used to represent legal devices of different types and illegal devices of different types, and the name of the corresponding device is marked beside its icon.
In step C, the icons in the safe area and the non-safe area can be moved freely.
The broadcast message rate of a device in step D is calculated as follows: the broadcast messages sent out by the device within 10 seconds are counted, and the average number of broadcast messages per second is taken as the broadcast message rate of the device.
The icon rotation speed in step D is set by the following rule: when the broadcast message rate of the device is 1-50 messages/second, the corresponding icon rotates at 45 degrees/second; when it is 51-100 messages/second, the icon rotates at 90 degrees/second; when it is greater than 100 messages/second, the icon rotates at 180 degrees/second.
The specific connection rule in step D is as follows: the colors of the two end points of a line are the colors of the corresponding devices, and the middle of the line is a gradient between the two end point colors.
A system for monitoring industrial control network intrusion in real time, comprising:
a message capturing module: used for obtaining the bottom layer original messages in the industrial control network;
a message processing module: used for parsing the MAC addresses and IP addresses from the bottom layer original messages;
a white list comparison module: used for judging whether the corresponding device is legal or illegal according to the parsed MAC addresses and IP addresses;
a communication calculation module: used for calculating the broadcast message rate of each device;
a graph drawing module: used for drawing a safe area and a non-safe area in a human-machine interface, drawing legal devices and illegal devices as icons into the safe area and the non-safe area respectively, setting the rotation speed of each icon according to the broadcast message rate of its device, and connecting the icons of devices that are communicating with each other.
The graph drawing module uses different icons to represent legal devices of different types and illegal devices of different types, and marks the name of the corresponding device beside its icon.
When the graph drawing module draws a connecting line, the colors of the two end points of the line are the colors of the corresponding devices, and the middle of the line is a gradient between the two end point colors.
By adopting the above technical scheme, the invention has the following beneficial technical effects:
1. The invention can accurately judge, from the address information of the bottom layer original messages, whether a device communicating in the industrial control network is legal or illegal. By displaying legal and illegal devices as icons in separate zones, and by rotating and connecting the icons of communicating devices, it can monitor the normal and abnormal communication of all devices in the industrial control network and display the communication of intruding devices, thereby effectively protecting the industrial control network. Compared with the prior art, the monitoring method covers a deeper and more comprehensive hierarchy and achieves a better monitoring effect.
2. The invention can monitor repeatedly in cycles according to the data update time, thereby improving the timeliness and accuracy of monitoring.
3. The invention parses the source MAC address, destination MAC address, source IP address and destination IP address from the bottom layer original messages, which helps to accurately identify the devices communicating in the industrial control network.
4. The invention respectively adopts different icons to represent legal devices of different types and illegal devices of different types, marks the names of the corresponding devices beside the icons, and has the advantage of more intuitively displaying all the devices in the industrial control network.
5. According to the invention, the icons in the safe area and the non-safe area are set to be movable at will, so that the situation that the connection lines are shielded to influence the observation when the icons are too many can be prevented.
6. The average value of the number of the broadcast messages sent outwards within 10 seconds is calculated to be used as the broadcast message rate of the equipment, and the method has the advantages of less system resources occupied by calculation, small fluctuation of processing results, small error of obtained data, timely data updating and accordance with the actual situation of an industrial control system.
7. The invention sets the corresponding rotation rule for the rotation speed of the icon, and has the advantages of performing data analysis on the speed of the broadcast message, linearly converting the broadcast speed into the rotation speed, and displaying the data in a graphical mode.
8. The invention connects the communication equipment by adopting the lines of the color and the gradual change color of the corresponding equipment respectively, can intuitively display whether the industrial control network is invaded, and has better statistical and observation effects compared with the existing data statistical method.
9. The monitoring system comprises a message capturing module, a message processing module, a white list comparison module, a communication calculation module and a graph drawing module, and can monitor normal and abnormal communication conditions of all equipment in an industrial control network in a graph display mode. And by combining the icons with different rotating speeds and the connection condition among the icons, whether the devices are invaded or not can be further visually and accurately judged, and the invaded devices and related information can be accurately found out when the devices are invaded. The monitoring is more accurate, faster and more effective.
Drawings
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a schematic block diagram of step C of the present invention;
FIG. 3 is a block diagram of the system of the present invention.
Detailed Description
Example 1
As a preferred embodiment of the present invention, the present embodiment discloses a method for monitoring industrial control network intrusion in real time, as shown in fig. 1, which includes the following steps:
step A: the method comprises the steps of obtaining and analyzing bottom layer original messages in the industrial control network to obtain address information of each bottom layer original message, wherein the analyzed address information comprises but is not limited to a source MAC address, a destination MAC address, a source IP address and a destination IP address.
It should be noted that, obtaining and analyzing the bottom layer original packet all belong to conventional technical means in the art, for example, the packet at the mirror port may be copied to the observation port through the port mirror function of the switch, and the original packet is collected from the observation port by using the library function, which is not described herein again.
And B: a white list database is preset, the white list database is pre-stored with comparison information of all legal devices in the industrial control network, the comparison information is mainly MAC information and IP information of all legal devices, and of course, the comparison information in the white list database can also be manually set according to requirements. And B, comparing the address information of each bottom layer original message obtained by analyzing in the step A with the comparison information in the white list database, if the compared address information is in the white list database, judging that the equipment corresponding to the address information is legal equipment, and if the compared address information cannot be completely corresponding to the address information in the white list database, judging that the equipment corresponding to the address information is illegal equipment.
And C: a display area is preset in the human-computer interface, and a safety area and a non-safety area shown in fig. 2 are divided in the display area, and the divided safety area and the divided non-safety area can be arranged vertically or horizontally. Then, the icons are respectively adopted to represent legal equipment and illegal equipment, the icons representing the legal equipment are added into the safe area, and the icons representing the illegal equipment are added into the non-safe area. In order to avoid the influence of the excessive number of devices on the display, the icons in the secure area and the icons in the non-secure area can be moved arbitrarily in the embodiment.
It should be noted that, since there are various types of legal devices and illegal devices, in order to more intuitively display the monitoring status, it is preferable that different icons represent different types of legal devices and different types of illegal devices, and names of the corresponding devices are marked beside the icons. As shown in fig. 2, legal devices of the security zone include an operator station (OPS), an engineer station (EMS), a historian station (HIS), a controller (DPU), and a Switch (SW). The operator station can be displayed by using a four-pointed star icon, the engineer station can be displayed by using a five-pointed star icon, the history station can be displayed by using a pentagonal icon, the controller can be displayed by using a gear icon, and the switch can be displayed by using a circular icon. Illegal devices in the unsecure area may include added temporary devices (i.e., unsecure area devices authorized to access the industrial control network), intruder devices (i.e., unknown devices and attempting to access known devices), and abnormal devices (i.e., unknown devices and being accessed by known devices in one direction). The temporary equipment can be displayed by using diamond icons, the invasive equipment can be displayed by using square icons, and the abnormal equipment can be displayed by using triangular icons.
Step D: judging whether each device is communicated, if yes, calculating the broadcast message rate of each device, setting the rotating speed of the corresponding icon according to the broadcast message rate of each device, connecting the icons of the devices which are communicated, and monitoring the industrial control network security situation in real time by combining the rotating speed of the icon and the connecting condition.
It should be noted that the method for calculating the broadcast message rate of the device includes: the number of the broadcast messages is counted, the number of the broadcast messages sent outwards by the equipment within 10 seconds is calculated, and then the average value of the number of the broadcast messages per second is obtained, so that the broadcast message rate of the equipment is obtained.
The setting rule of the icon rotation speed is as follows: when the broadcast message rate of the equipment is 1-50 pieces/second, the corresponding icon rotates at the speed of 45 degrees/second; when the broadcast message rate of the equipment is 51-100 pieces/second, the corresponding icon rotates at the speed of 90 degrees/second; when the broadcast message rate of the device is greater than 100 pieces/second, the corresponding icon rotates at a speed of 180 degrees/second.
After the icon is rotationally set in the step, the equipment which is communicated is connected according to the preset connection parameters, and graphical display of data is achieved.
In addition, the method for monitoring the industrial control network intrusion in real time monitors according to the data updating time, when the data is updated next time, the icons and the connecting lines generated by the monitoring are erased, and then the step A, B, C, D is repeated to monitor. Where the data is updated by default once every 10 seconds, but can be configured according to different industrial control systems. Accordingly, the rotation speed of the icon can be set according to the requirement.
It should be noted that, in the actual monitoring process, if there is a device that performs communication, the icon of the corresponding device will rotate and connect with the line, and if the broadcast message rate of the device is high, it indicates that the packet sending speed of the device at that time is faster, and the data is more. And then the connection line is combined to visually obtain whether the equipment in communication belongs to normal communication, abnormal communication or intrusion communication. In addition, the connection method of the icons of the devices generating communication is not limited in this embodiment, and the icons may be connected in an appropriate manner as needed.
Example 2
As the most preferred embodiment of the intrusion monitoring method of the present invention, this embodiment discloses a method for monitoring industrial control network intrusion in real time which, on the basis of embodiment 1, further defines the specific connection rule of step D as follows:
the colors of the two end points of a line are the colors of the corresponding devices, and the middle of the line is a gradient between the two end point colors. Specifically, if the communicating devices are all legal devices in the safe area, the communication is judged normal, and the icons are connected by a line whose two ends have the colors of the communicating devices with a gradient between them. If the communicating devices are all illegal devices in the non-safe area, the icons are likewise connected by a line whose two ends have the colors of the communicating devices with a gradient between them; since intruding devices are represented in red and abnormal devices in yellow, such a line is conspicuously displayed with red or yellow at one end fading along its length. If the communicating devices are a legal device and an abnormal device, the icons are connected by a line whose two ends have the colors of the communicating devices with a gradient between them, which, because abnormal devices are represented in yellow, is conspicuously displayed as a line fading from yellow at one end. Of course, the colors of the connecting lines can be modified as required.
After the connection is performed by adopting the above rule, the monitoring condition of the industrial control network can be further visually displayed.
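As an added illustration, not code from the patent or its assignee, the following Python sketch works steps A to D of embodiment 1 and the end-point coloring rule of embodiment 2 over a constructed 10 s capture: the (MAC, IP) white list check of step B, the FIG. 2 sub-typing of unknown devices by traffic direction, the 10 s broadcast-rate average, the rate bands for icon rotation, and the per-line colors and verdict. The sample addresses, the palette apart from red and yellow, the treatment of fractional rates and the omission of temporary devices are assumptions; packet capture is taken as already done.

```python
"""Steps A-D of embodiment 1 and the line-color rule of embodiment 2 (added illustration, not the patent's code)."""
from collections import Counter
from typing import NamedTuple
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BCAST = (BROADCAST_MAC, "192.168.10.255")  # constructed broadcast destination
WINDOW_SECONDS = 10  # the patent's default data-update interval

# Constructed white list: (MAC, IP) -> (name, type); both must match, as step B rejects partial matches.
OPS = ("00:11:22:00:00:01", "192.168.10.11")
EMS = ("00:11:22:00:00:02", "192.168.10.12")
DPU = ("00:11:22:00:00:03", "192.168.10.13")
WHITELIST = {OPS: ("OPS-1", "OPS"), EMS: ("EMS-1", "EMS"), DPU: ("DPU-1", "DPU")}
# Assumed palette; only red (intruding) and yellow (abnormal) are fixed by the text.
COLORS = {"OPS": "blue", "EMS": "green", "HIS": "purple", "DPU": "orange",
          "SW": "grey", "INTRUDER": "red", "ABNORMAL": "yellow"}

class Frame(NamedTuple):
    """Step A parse result: (MAC, IP) of the sender and of the receiver."""
    src: tuple
    dst: tuple

def is_broadcast(f):
    return f.dst[0] == BROADCAST_MAC

def rotation_speed(rate):
    """Step D bands, average broadcast msg/s -> deg/s (assumed: a fraction falls in the band of its ceiling, 0 means still)."""
    if rate <= 0:
        return 0
    if rate <= 50:
        return 45
    if rate <= 100:
        return 90
    return 180

def classify_devices(frames, whitelist=WHITELIST):
    """Steps B-C: white-listed = legal; an unknown address that sends to a known one is
    intruding, one that is only ever addressed by known devices is abnormal (FIG. 2)."""
    talks_to_known, seen = set(), set()
    for f in frames:
        seen.add(f.src)
        if is_broadcast(f):
            continue
        seen.add(f.dst)
        if f.src not in whitelist and f.dst in whitelist:
            talks_to_known.add(f.src)
    devices = {}
    for addr in seen:
        if addr in whitelist:
            devices[addr] = (*whitelist[addr], True)
        elif addr in talks_to_known:
            devices[addr] = (addr[1], "INTRUDER", False)
        else:  # never sent unicast to a known device (temporary devices not modelled)
            devices[addr] = (addr[1], "ABNORMAL", False)
    return devices

def broadcast_rates(frames, window=WINDOW_SECONDS):
    """Step D: broadcast frames sent per device over the window, averaged per second."""
    counts = Counter(f.src for f in frames if is_broadcast(f))
    return {addr: n / window for addr, n in counts.items()}

def links(frames, devices):
    """Embodiment 2: one line per (src, dst) pair, end colors from the two devices;
    the verdict follows the illegal side (normal / intrusion / abnormal)."""
    out = {}
    for f in frames:
        if is_broadcast(f):
            continue
        a, b = devices[f.src], devices[f.dst]
        if a[2] and b[2]:
            verdict = "normal"
        elif "INTRUDER" in (a[1], b[1]):
            verdict = "intrusion"
        else:
            verdict = "abnormal"
        out[(f.src, f.dst)] = (COLORS[a[1]], COLORS[b[1]], verdict)
    return out

def snapshot(frames):
    """One redraw cycle: the patent erases and recomputes everything at each data update."""
    devices = classify_devices(frames)
    rates = broadcast_rates(frames)
    speeds = {addr: rotation_speed(rates.get(addr, 0)) for addr in devices}
    return devices, speeds, links(frames, devices)

# Constructed 10 s capture (not real traffic).
ROGUE = ("00:aa:bb:cc:dd:ee", "192.168.10.200")   # unknown, sends to OPS
SILENT = ("00:aa:bb:cc:dd:ff", "192.168.10.201")  # unknown, only addressed by EMS
SAMPLE = ([Frame(OPS, DPU), Frame(DPU, OPS)] * 10   # legal <-> legal: normal
          + [Frame(ROGUE, OPS)] * 10                 # unknown -> known: intruding
          + [Frame(EMS, SILENT)] * 10                # known -> unknown, no reply: abnormal
          + [Frame(DPU, BCAST)] * 600                # 60 msg/s  -> 90 deg/s
          + [Frame(OPS, BCAST)] * 20                 # 2 msg/s   -> 45 deg/s
          + [Frame(ROGUE, BCAST)] * 1200)            # 120 msg/s -> 180 deg/s

if __name__ == "__main__":
    devices, speeds, lines = snapshot(SAMPLE)
    for addr, (name, kind, legal) in devices.items():
        print(f"{name:16} {kind:9} {'safe' if legal else 'non-safe':9} {speeds[addr]:3d} deg/s")
    for (s, d), (c1, c2, v) in lines.items():
        print(f"{devices[s][0]} -> {devices[d][0]}: {c1} to {c2} ({v})")
```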
Example 3
As a preferred embodiment of the present invention, the present embodiment discloses a system for monitoring industrial control network intrusion in real time, as shown in fig. 3, including:
a message capturing module: used for acquiring the bottom layer original messages in the industrial control network.
A message processing module: used for parsing the MAC addresses and IP addresses from the bottom layer original messages.
A white list comparison module: used for judging whether the corresponding device is a legal device or an illegal device according to the parsed MAC addresses and IP addresses.
A communication calculation module: used for calculating the broadcast message rate of each device.
A graph drawing module: mainly comprising an icon drawing part, an icon rotation drawing part and an icon connection drawing part, used for drawing a safe area and a non-safe area in the human-computer interface, drawing legal devices and illegal devices as icons into the safe area and the non-safe area respectively, setting the rotation speed of each icon according to the broadcast message rate of its device, and connecting the icons of devices that are communicating with each other.
The specific flow of the graph drawing module is as follows: after receiving the broadcast message rate calculated by the communication calculation module, the graph drawing module locates the icon of the corresponding device and sets the rotation parameters of the icon, namely the rotation direction and the rotation rate, through its icon drawing part and icon rotation drawing part, thereby controlling the icon rotation. Then, after receiving the mutual communication state of the devices from the communication calculation module, the graph drawing module locates the icons of the two communicating devices and sets the parameters of the connecting line, namely its start position, end position, width and color, through its icon connection drawing part, thereby realizing the connecting line function of the graph.
It should be noted that, since there are various legal devices and illegal devices, it is preferable in this embodiment, for a more intuitive display of the monitoring status, that the graph drawing module uses different icons to represent the different types of legal devices and illegal devices, and marks the name of the corresponding device beside its icon. For example, the legal devices in an industrial control network include operator stations (OPS), engineer stations (EMS), historian stations (HIS), controllers (DPU), switches (SW) and the like. Accordingly, the operator station may be displayed with a four-pointed star icon, the engineer station with a five-pointed star icon, the historian station with a pentagonal icon, the controller with a gear icon, and the switch with a circular icon. Illegal devices include added temporary devices, intruding devices (i.e., unknown devices that attempt to access known devices), and abnormal devices (i.e., unknown devices that are accessed unidirectionally by known devices). Temporary devices can be displayed with diamond icons, intruding devices with square icons, and abnormal devices with triangular icons.
In addition, the method for calculating the broadcast packet rate, the method for controlling icon rotation, and the connection rule in this embodiment can all refer to embodiment 1 and are not described again here.
Example 4
As the most preferred embodiment of the intrusion monitoring system of the present invention, this embodiment discloses a system for monitoring industrial control network intrusion in real time which, on the basis of embodiment 3, further defines the specific connection process of the graph drawing module as follows:
when the graph drawing module draws a connecting line, the colors of the two end points of the line are the colors of the corresponding devices, and the middle of the line is a gradient between the two end point colors. Specifically, if the communicating devices are all legal, the communication is judged normal and the icons are connected by a line whose two ends have the colors of the communicating devices with a gradient between them; if the communicating devices are all illegal, the icons are connected by a red line; if a legal device accesses an illegal device, the communication is judged abnormal and the icons are connected by a line that is red or yellow at one end and fades towards the non-device color at the other; and if an intruding device accesses a legal device, the communication is judged to be intrusion communication and the icons are connected by a line that is red at one end and fades to the color of the legal device at the other. Of course, the colors of the connecting lines can be modified as required. After connecting with lines of different colors, the monitoring condition of the industrial control network can be further visually displayed.
While the invention has been described with reference to specific embodiments, any feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise; all of the disclosed features, or all of the method or process steps, may be combined in any combination, except mutually exclusive features and/or steps.

Claims (10)

1. A method for monitoring industrial control network intrusion in real time, characterized by comprising the following steps:
step A: acquiring and parsing bottom layer original messages in an industrial control network to obtain the address information of each bottom layer original message;
step B: comparing the address information with a preset white list database, and judging whether the device corresponding to the address information is a legal device or an illegal device;
step C: presetting a display area comprising a safe area and a non-safe area, representing legal devices and illegal devices by icons, adding the icons representing legal devices to the safe area, and adding the icons representing illegal devices to the non-safe area;
step D: calculating the broadcast message rate of each device, setting the rotation speed of the corresponding icon according to the broadcast message rate of each device, connecting the icons of devices which are in communication, and monitoring the industrial control network by combining the rotation speed of the icons and the connection state.
2. The method for monitoring industrial control network intrusion in real time according to claim 1, wherein: the monitoring is performed according to the data update time; when the data is next updated, the icons and connecting lines generated by the previous monitoring are first erased, and then steps A, B, C and D are repeated for monitoring.
3. The method for monitoring industrial control network intrusion in real time according to claim 1, wherein: in step C, different icons are respectively used to represent legal devices of different types and illegal devices of different types, and the name of the corresponding device is marked beside each icon.
4. The method for monitoring industrial control network intrusion in real time according to claim 1, wherein: in step C, the icons in the safe area and the non-safe area can be moved freely.
5. The method for monitoring industrial control network intrusion in real time according to any one of claims 1 to 4, wherein: the method for calculating the broadcast message rate of a device in step D is as follows: the broadcast messages are counted, the number of broadcast messages sent outward by the device within 10 seconds is determined, and the average number of broadcast messages per second is then taken as the broadcast message rate of the device.
6. The method for monitoring industrial control network intrusion in real time according to claim 1, wherein: the rule for setting the icon rotation speed in step D is as follows: when the broadcast message rate of a device is 1-50 messages/second, the corresponding icon rotates at 45 degrees/second; when the broadcast message rate of a device is 51-100 messages/second, the corresponding icon rotates at 90 degrees/second; when the broadcast message rate of a device is greater than 100 messages/second, the corresponding icon rotates at 180 degrees/second.
7. The method for monitoring industrial control network intrusion in real time according to claim 1, wherein: the specific connection rule in step D is as follows: the colors of the two end points of the line are the colors of the corresponding devices, and the middle of the line is a gradient between the two end point colors.
8. A system for monitoring industrial control network intrusion in real time, comprising:
a message capturing module: used for obtaining the bottom layer original messages in the industrial control network;
a message processing module: used for parsing the MAC address and IP address from the bottom layer original messages;
a white list comparison module: used for judging whether the corresponding device is legal or illegal according to the parsed MAC address and IP address;
a communication calculation module: used for calculating the broadcast message rate of each device;
a graph drawing module: used for drawing a safe area and a non-safe area in the human-machine interface, drawing the legal devices and illegal devices as icons into the safe area and the non-safe area respectively, setting the rotation speed of the corresponding icons according to the broadcast message rate of the devices, and connecting the icons of devices which are in communication.
9. The system for monitoring industrial control network intrusion in real time according to claim 8, wherein: the graph drawing module respectively uses different icons to represent legal devices of different types and illegal devices of different types, and marks the name of the corresponding device beside each icon.
10. The system for monitoring industrial control network intrusion in real time according to claim 8, wherein: when the graph drawing module draws a connection, the colors of the two end points of the line are the colors of the corresponding devices, and the middle of the line is a gradient between the two end point colors.
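The following is an added worked example, not code from the patent or its applicant, that models the monitoring method of claims 1, 5, 6 and 7 together with the line-color rule of the embodiment above: addresses are taken from constructed message records (step A), checked against a constructed white list (step B), placed in a safe or non-safe zone (step C), the broadcast rate is averaged over a 10-second window and mapped to the icon rotation speed, and each unicast pair is classified as normal, illegal, abnormal or intrusion with endpoint colors and a gradient (step D). The device names, addresses and colors are constructed sample data; treating a rate below 1 message/second as a stationary icon, reading the integer bands of claim 6 as >100, (50,100] and [1,50] for fractional averages, and coloring the abnormal link with the legal device's own color at one end and red at the other are assumptions the patent leaves open. Because `monitor()` recomputes everything from the current capture, calling it on each data update gives the erase-and-redraw behaviour of claim 2.

```python
"""Added example modelling the patent's monitoring method; sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 10  # claim 5: count broadcasts over 10 s, then average per second
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
RED = "#ff0000"


@dataclass(frozen=True)
class Message:
    """Address fields parsed from a bottom-layer (Ethernet/IP) frame (step A)."""
    t: float          # capture time in seconds
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str


# Constructed devices as (MAC, IP) pairs; only the first two are on the white list.
PLC = ("00:1a:2b:00:00:01", "192.168.10.11")
HMI = ("00:1a:2b:00:00:02", "192.168.10.12")
ROGUE = ("de:ad:be:ef:00:01", "192.168.10.99")
WHITE_LIST = {PLC, HMI}                               # step B database (constructed)
DEVICE_COLOR = {PLC: "#2e8b57", HMI: "#1e90ff"}      # icon colors of legal devices


def is_legal(mac, ip):
    return (mac, ip) in WHITE_LIST


def assign_zones(messages):
    """Step C: every device seen as a source or unicast destination is placed in a zone."""
    zones = {"safe": set(), "non_safe": set()}
    for m in messages:
        devs = [(m.src_mac, m.src_ip)]
        if m.dst_mac != BROADCAST_MAC:
            devs.append((m.dst_mac, m.dst_ip))
        for dev in devs:
            zones["safe" if is_legal(*dev) else "non_safe"].add(dev)
    return zones


def broadcast_rates(messages, window_end):
    """Claim 5: broadcasts per device in the last 10 s, averaged per second."""
    counts = defaultdict(int)
    for m in messages:
        if m.dst_mac == BROADCAST_MAC and window_end - WINDOW_SECONDS < m.t <= window_end:
            counts[(m.src_mac, m.src_ip)] += 1
    return {dev: n / WINDOW_SECONDS for dev, n in counts.items()}


def rotation_speed(rate):
    """Claim 6 bands in degrees/second; rate < 1 -> 0 and the band edges are assumptions."""
    if rate > 100:
        return 180
    if rate > 50:
        return 90
    if rate >= 1:
        return 45
    return 0


def connection(src, dst):
    """Embodiment line rule: verdict plus the two endpoint colors."""
    s_ok, d_ok = is_legal(*src), is_legal(*dst)
    if s_ok and d_ok:
        return "normal", (DEVICE_COLOR[src], DEVICE_COLOR[dst])
    if not s_ok and not d_ok:
        return "illegal", (RED, RED)
    if s_ok:  # legal device reaching an illegal one (colors are an assumption)
        return "abnormal", (DEVICE_COLOR[src], RED)
    return "intrusion", (RED, DEVICE_COLOR[dst])  # illegal device reaching a legal one


def gradient(start, end, steps):
    """Claim 7: interpolate hex colors between the two endpoints for the line body."""
    a = [int(start[i:i + 2], 16) for i in (1, 3, 5)]
    b = [int(end[i:i + 2], 16) for i in (1, 3, 5)]
    out = []
    for k in range(steps):
        f = k / (steps - 1) if steps > 1 else 0.0
        out.append("#" + "".join(f"{round(x + (y - x) * f):02x}" for x, y in zip(a, b)))
    return out


def monitor(messages, now):
    """One monitoring pass (steps A-D); re-run on every data update (claim 2)."""
    zones = assign_zones(messages)
    rates = broadcast_rates(messages, now)
    speeds = {dev: rotation_speed(rates.get(dev, 0.0)) for dev in zones["safe"] | zones["non_safe"]}
    links = {}
    for m in messages:
        if m.dst_mac != BROADCAST_MAC and now - WINDOW_SECONDS < m.t <= now:
            pair = ((m.src_mac, m.src_ip), (m.dst_mac, m.dst_ip))
            links[pair] = connection(*pair)
    return {"zones": zones, "rates": rates, "speeds": speeds, "links": links}


def sample_messages():
    """Constructed capture: 20 PLC broadcasts, 600 rogue broadcasts, three unicast frames."""
    msgs = [Message(0.5 * (i + 1), *PLC, BROADCAST_MAC, "255.255.255.255") for i in range(20)]
    msgs += [Message(10 * (i + 1) / 600, *ROGUE, BROADCAST_MAC, "255.255.255.255") for i in range(600)]
    msgs += [Message(3.0, *HMI, *PLC), Message(5.0, *ROGUE, *PLC), Message(6.0, *PLC, *ROGUE)]
    return msgs


if __name__ == "__main__":
    result = monitor(sample_messages(), now=10.0)
    for dev, speed in sorted(result["speeds"].items()):
        print(dev, f"{result['rates'].get(dev, 0.0):.1f} msg/s", f"{speed} deg/s")
    for (src, dst), (verdict, colors) in result["links"].items():
        print(src[1], "->", dst[1], verdict, gradient(*colors, 3))
```

Running the block prints one line per device (rate and rotation speed) and one per link (verdict and a three-step gradient). On the constructed capture the rogue device's 60 broadcasts/second spin its icon at 90 degrees/second in the non-safe zone, its frame to the PLC is an intrusion line, and the PLC's reply is an abnormal line.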
CN202210457091.6A 2022-04-28 2022-04-28 Method and system for monitoring industrial control network intrusion in real time Active CN114745197B (en)


Publications (2)

Publication Number Publication Date
CN114745197A true CN114745197A (en) 2022-07-12
CN114745197B CN114745197B (en) 2023-01-31

Family

ID=82283138


Country Status (1)

Country Link
CN (1) CN114745197B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110066409A1 (en) * 2009-09-15 2011-03-17 Lockheed Martin Corporation Network attack visualization and response through intelligent icons
CN105208018A (en) * 2015-09-09 2015-12-30 上海三零卫士信息安全有限公司 Industrial control network information security monitoring method based on funnel type white list
CN106506486A (en) * 2016-11-03 2017-03-15 上海三零卫士信息安全有限公司 A kind of intelligent industrial-control network information security monitoring method based on white list matrix
CN106998326A (en) * 2017-03-22 2017-08-01 北京匡恩网络科技有限责任公司 Industrial control network behavior monitoring method, device and system
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system
CN110868425A (en) * 2019-11-27 2020-03-06 上海三零卫士信息安全有限公司 Industrial control information safety monitoring system adopting black and white list for analysis


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
龚俭 et al.: "An implementation model of network security monitoring oriented to intrusion detection", 《小型微型计算机系统》 (Journal of Chinese Computer Systems) *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant