CN114760100A - Industrial control host flow bandwidth abnormity detection device - Google Patents

Industrial control host flow bandwidth abnormity detection device

Info

Publication number
CN114760100A
Authority
CN
China
Prior art keywords
industrial control
control host
bandwidth
detection device
abnormity detection
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210262848.6A
Other languages
Chinese (zh)
Inventor
王小东
杨小帅
韩飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Tiandihexing Technology Co Ltd
Original Assignee
Beijing Tiandihexing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2022-03-17
Filing date
2022-03-17
Publication date
2022-07-15
Application filed by Beijing Tiandihexing Technology Co Ltd
Priority to CN202210262848.6A
Publication of CN114760100A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • H04L 41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability

Abstract

The invention provides an industrial control host traffic bandwidth anomaly detection device, in the technical field of security analysis of industrial control systems.

Description

Industrial control host flow bandwidth abnormity detection device
Technical Field
The invention belongs to the technical field of security analysis of industrial control systems, and in particular relates to a device that detects traffic bandwidth anomalies of industrial control hosts from mirrored switch traffic.
Background
With the deepening integration of industrialization and informatization, the threats faced by industrial control systems keep increasing. Because the devices in an industrial control network are critical, the host traffic in that network needs to be monitored in real time so that abnormal host traffic is detected promptly and alarm information reaches the industrial control network security manager. Network attacks or host faults can then be noticed earlier, the appropriate measures taken to resolve the host anomaly, and an intrusion prevented from going further.
As shown in fig. 1, in the existing industrial control network the security manager installs a host protection system on each industrial control host and deploys traffic bandwidth anomaly detection rules on that host; the host protection system performs the anomaly detection on the traffic bandwidth and reports alarm information to a centralized management platform. This scheme requires a host protection system on every industrial control host, a traffic bandwidth anomaly detection rule configured on each of them, and host resources for the detection itself. It therefore suffers from scattered configuration, low efficiency and consumption of host system resources.
Disclosure of Invention
The invention aims to provide a device for detecting traffic bandwidth anomalies of industrial control hosts, which solves the problems of scattered configuration, low efficiency and consumption of host system resources in the conventional industrial control network.
The invention provides an industrial control host traffic bandwidth anomaly detection device, which comprises:
an industrial control host traffic bandwidth anomaly detection rule configuration module, which records the configuration information of the traffic bandwidth anomaly detection rules entered by management personnel and stores the detection rules in a database;
an industrial control host traffic bandwidth anomaly detection module, which reads and loads the traffic bandwidth anomaly detection rules and performs traffic bandwidth anomaly detection for the industrial control hosts on the switch mirror traffic; and
a database module, which records the traffic bandwidth anomaly detection rules and the alarms of the industrial control hosts.
Preferably, if an anomaly is detected, an industrial control host traffic bandwidth anomaly alarm is generated.
Preferably, the device further comprises a configuration station, used to configure the detection rules of the industrial control host traffic bandwidth anomaly detection device.
Preferably, the industrial control host traffic bandwidth anomaly detection device loads the rules configured at the configuration station.
The invention also provides a method for detecting traffic bandwidth anomalies of industrial control hosts using the device, comprising the following steps:
step one, the detection rules are configured on the industrial control host traffic bandwidth anomaly detection device through the configuration station, and the device loads the rules;
step two, the industrial control host traffic bandwidth anomaly detection device measures the traffic bandwidth of the industrial control hosts against the loaded detection rules, and generates an alarm event when a traffic bandwidth anomaly is found.
The invention has the following beneficial effects:
1. The industrial control host traffic bandwidth anomaly detection device provided by the invention is attached in bypass mode to the industrial control network in which the server is located, receiving a mirror copy of the switch traffic rather than sitting inline, and monitors the host traffic in that network. The security manager configures the traffic bandwidth anomaly detection rules for the industrial control hosts on the device; when an anomaly is detected the device generates a traffic bandwidth anomaly alarm that informs the industrial control network security manager to take the corresponding measures. This removes the scattered configuration, low efficiency and host resource consumption caused by installing a host protection system on every industrial control host and configuring the traffic bandwidth anomaly detection rules there.
Drawings
Fig. 1 is a diagram of the host deployment structure of an industrial control network in the prior art.
Fig. 2 is a structural diagram of the industrial control host traffic bandwidth anomaly detection device according to the present invention.
Fig. 3 is a flow chart of the method for detecting traffic bandwidth anomalies of industrial control hosts according to the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides an industrial control host traffic bandwidth anomaly detection device, mainly intended to solve the problems of scattered configuration, low efficiency and consumption of host system resources in the prior-art scheme described in the background.
As shown in fig. 2, the industrial control host traffic bandwidth anomaly detection device consists of the following modules:
1. Industrial control host traffic bandwidth anomaly detection rule configuration module
This module records the configuration information of the industrial control host traffic bandwidth anomaly detection rules entered by management personnel and stores the detection rules in the database.
2. Industrial control host traffic bandwidth anomaly detection module
This module reads and loads the industrial control host traffic bandwidth anomaly detection rules and performs the detection on the mirror traffic of the switch. If an anomaly is detected, it generates an industrial control host traffic bandwidth anomaly alarm.
3. Database module
This module records the industrial control host traffic bandwidth anomaly detection rules and the alarms.
In other embodiments of the present invention, as shown in fig. 3, a method for detecting traffic bandwidth anomalies of industrial control hosts is further provided, comprising the following steps:
step one, the detection rules are configured on the industrial control host traffic bandwidth anomaly detection device through the configuration station, and the device loads the rules;
step two, the industrial control host traffic bandwidth anomaly detection device measures the traffic bandwidth of the industrial control hosts against the loaded detection rules, and generates an alarm event when a traffic bandwidth anomaly is found.
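The three modules and the two method steps above, as an added example that is not part of the patent text: a Python sketch of a rule store (the rule configuration module and the database module, backed by SQLite) and a detector that evaluates the loaded rules over a capture taken from the switch mirror port. The patent does not specify a rule format or how bandwidth is measured, so the rule shape (per-host upper and lower bit/s limits over a fixed window, counting bytes sent plus received) is an assumption, and the host addresses, thresholds, window length and packet records are constructed for illustration.

```python
"""Added example, not code from the patent or its assignee.

Rule format, thresholds, hosts and the packet capture below are assumptions
made for illustration; the patent only states that rules are stored in a
database, loaded by the detector, applied to switch mirror traffic, and
that alarms are generated and recorded.
"""
import sqlite3
from collections import defaultdict
from dataclasses import dataclass
from math import floor


@dataclass(frozen=True)
class Packet:
    """One frame as seen on the switch mirror (SPAN) port."""
    ts: float       # capture timestamp in seconds
    src: str        # source IP
    dst: str        # destination IP
    length: int     # frame length in bytes


class RuleStore:
    """Rule configuration module plus database module, backed by SQLite.

    A rule binds a monitored host to a measurement window (seconds) and to
    the upper and lower bandwidth limits (bit/s) that count as an anomaly.
    """

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(
            "CREATE TABLE IF NOT EXISTS rules("
            " host TEXT PRIMARY KEY, window_s REAL, max_bps REAL, min_bps REAL);"
            "CREATE TABLE IF NOT EXISTS alarms("
            " ts REAL, host TEXT, kind TEXT, bps REAL, limit_bps REAL);"
        )

    def configure(self, host, window_s, max_bps, min_bps=0.0):
        """Step one, operator side: record a rule entered at the configuration station."""
        self.db.execute("INSERT OR REPLACE INTO rules VALUES (?, ?, ?, ?)",
                        (host, window_s, max_bps, min_bps))
        self.db.commit()

    def load_rules(self):
        """Step one, device side: load the rule set the detector will enforce."""
        rows = self.db.execute("SELECT host, window_s, max_bps, min_bps FROM rules")
        return {host: (window_s, max_bps, min_bps) for host, window_s, max_bps, min_bps in rows}

    def record_alarm(self, ts, host, kind, bps, limit_bps):
        self.db.execute("INSERT INTO alarms VALUES (?, ?, ?, ?, ?)",
                        (ts, host, kind, bps, limit_bps))
        self.db.commit()

    def alarms(self):
        return list(self.db.execute(
            "SELECT ts, host, kind, bps, limit_bps FROM alarms ORDER BY ts"))


class BandwidthDetector:
    """Detection module: per-host byte counts over fixed windows of mirrored traffic."""

    def __init__(self, store):
        self.store = store
        self.rules = store.load_rules()

    def run(self, packets):
        """Step two: evaluate every rule over the capture and return the alarms raised.

        A host's bandwidth counts bytes it sent plus bytes it received, since the
        mirror port shows both directions. Windows with no traffic for the host
        are evaluated as 0 bit/s, so a host that goes silent is caught too.
        """
        if not packets:
            return []
        raised = []
        first_ts = min(p.ts for p in packets)
        last_ts = max(p.ts for p in packets)
        for host, (window_s, max_bps, min_bps) in self.rules.items():
            byte_count = defaultdict(int)
            for p in packets:
                if host in (p.src, p.dst):
                    byte_count[floor(p.ts / window_s)] += p.length
            for w in range(floor(first_ts / window_s), floor(last_ts / window_s) + 1):
                bps = byte_count[w] * 8 / window_s
                window_start = w * window_s
                if bps > max_bps:
                    event = (window_start, host, "high", bps, max_bps)
                elif bps < min_bps:
                    event = (window_start, host, "low", bps, min_bps)
                else:
                    continue
                self.store.record_alarm(*event)   # alarm also lands in the database
                raised.append(event)
        return raised


# Constructed addresses (assumption, not from the patent).
PLC, HMI, ENG, ROGUE = "192.168.10.20", "192.168.10.50", "192.168.10.60", "192.168.10.99"


def sample_capture():
    """Constructed mirror-port capture (not real data): four 1 s windows."""
    pkts = []
    # windows 0-2: steady HMI <-> PLC polling, 2 200 bytes per second
    for w in range(3):
        for i in range(10):
            pkts.append(Packet(w + i * 0.05, HMI, PLC, 100))
            pkts.append(Packet(w + i * 0.05 + 0.025, PLC, HMI, 120))
    # window 2: a rogue host floods the PLC with 100 frames of 1 400 bytes
    for i in range(100):
        pkts.append(Packet(2.0 + i * 0.005, ROGUE, PLC, 1400))
    # window 3: the PLC is silent; only unrelated traffic keeps the capture open
    pkts.append(Packet(3.5, HMI, ENG, 64))
    return pkts


def run_demo():
    store = RuleStore()
    # Rule: more than 100 kbit/s or less than 1 kbit/s in any 1 s window is an anomaly.
    store.configure(PLC, window_s=1.0, max_bps=100_000, min_bps=1_000)
    return BandwidthDetector(store).run(sample_capture())


if __name__ == "__main__":
    for ts, host, kind, bps, limit in run_demo():
        print(f"t={ts:.0f}s host={host} {kind}: {bps:.0f} bit/s (limit {limit:.0f})")
```

On the constructed capture the detector raises a "high" alarm for window 2 (the flood) and a "low" alarm for window 3 (the PLC went quiet). Two caveats a practitioner would add to a bypass deployment of this kind: a mirror port is itself a bandwidth-limited link, and when it is oversubscribed the switch drops mirrored frames, so the measured rate under-reports exactly during the floods the rules are meant to catch; and because the device only sees a copy of the traffic, it can alert but cannot block, so the alarm path to the security manager is the whole response.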
The foregoing is merely exemplary and illustrative of the present invention and various modifications, additions and substitutions may be made by those skilled in the art to the specific embodiments described without departing from the scope of the invention as defined in the following claims.
In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (5)

1. An industrial control host traffic bandwidth anomaly detection device, characterized by comprising:
an industrial control host traffic bandwidth anomaly detection rule configuration module, which records the configuration information of the traffic bandwidth anomaly detection rules entered by management personnel and stores the detection rules in a database;
an industrial control host traffic bandwidth anomaly detection module, which reads and loads the traffic bandwidth anomaly detection rules and performs traffic bandwidth anomaly detection for the industrial control hosts on the switch mirror traffic; and
a database module, which records the traffic bandwidth anomaly detection rules and the alarms of the industrial control hosts.
2. The industrial control host traffic bandwidth anomaly detection device according to claim 1, wherein if an anomaly is detected, an industrial control host traffic bandwidth anomaly alarm is generated.
3. The industrial control host traffic bandwidth anomaly detection device according to claim 1, further comprising a configuration station configured to perform detection rule configuration on the industrial control host traffic bandwidth anomaly detection device.
4. The industrial control host traffic bandwidth anomaly detection device according to claim 3, wherein the industrial control host traffic bandwidth anomaly detection device loads the rules.
5. A method for detecting traffic bandwidth anomalies of industrial control hosts using the device of any one of claims 1 to 4, characterized by comprising the following steps:
step one, the detection rules are configured on the industrial control host traffic bandwidth anomaly detection device through the configuration station, and the device loads the rules;
step two, the industrial control host traffic bandwidth anomaly detection device measures the traffic bandwidth of the industrial control hosts against the loaded detection rules, and generates an alarm event when a traffic bandwidth anomaly is found.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202210262848.6A | 2022-03-17 | 2022-03-17 | Industrial control host flow bandwidth abnormity detection device

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202210262848.6A | 2022-03-17 | 2022-03-17 | Industrial control host flow bandwidth abnormity detection device

Publications (1)

Publication Number | Publication Date
CN114760100A | 2022-07-15

Family

ID=82326482

Family Applications (1)

Application Number | Status | Title | Priority Date | Filing Date
CN202210262848.6A | Pending | Industrial control host flow bandwidth abnormity detection device | 2022-03-17 | 2022-03-17

Country Status (1)

Country | Link
CN (1) | CN114760100A (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination