CN114938300A - Industrial control system situation perception method and system based on equipment behavior analysis - Google Patents

Industrial control system situation perception method and system based on equipment behavior analysis Download PDF

Info

Publication number
CN114938300A
CN114938300A CN202210538960.8A CN202210538960A CN114938300A CN 114938300 A CN114938300 A CN 114938300A CN 202210538960 A CN202210538960 A CN 202210538960A CN 114938300 A CN114938300 A CN 114938300A
Authority
CN
China
Prior art keywords
equipment
industrial control
data
control system
analysis model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210538960.8A
Other languages
Chinese (zh)
Other versions
CN114938300B (en
Inventor
王得奕
章渠丰
马远洋
文昱博
贺伟东
张若琦
雷东琦
叶佩炜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Mulian Internet Of Things Technology Co ltd
Original Assignee
Zhejiang Mulian Internet Of Things Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Mulian Internet Of Things Technology Co ltd filed Critical Zhejiang Mulian Internet Of Things Technology Co ltd
Priority to CN202210538960.8A priority Critical patent/CN114938300B/en
Publication of CN114938300A publication Critical patent/CN114938300A/en
Application granted granted Critical
Publication of CN114938300B publication Critical patent/CN114938300B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0604Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • General Factory Administration (AREA)

Abstract

The invention discloses an industrial control system situation perception method and system based on equipment behavior analysis, wherein the method comprises the following steps: acquiring industrial control system data through probe equipment deployed on a data acquisition layer, wherein the industrial control system data comprises industrial control network flow data, equipment operation log data and equipment performance state data; deeply analyzing the data of the industrial control system according to the deep analysis and reduction capability of the industrial protocol, and storing the analysis result in a distributed manner; and analyzing the industrial control system data acquired in real time after deep analysis according to the established equipment behavior analysis model, and determining abnormal behaviors. By the technical scheme, the industrial control equipment behavior analysis can be performed, the threat can be actively sensed, the risk faced by the industrial control system is quantitatively analyzed, the analysis result is displayed to the monitoring personnel in the production area in a visual mode to perform timely coping processing, and the safe operation of the industrial control system is ensured.

Description

Industrial control system situation perception method and system based on equipment behavior analysis
Technical Field
The invention relates to the technical field of industrial control network security, in particular to an industrial control system situation perception method and system for equipment behavior analysis.
Background
With the rapid development of global digital economy, network security is fused with a plurality of scenes and technologies such as the Internet of things, industrial internet, cloud computing, 5G and the like, and the multi-level security system appearances of traditional physical security, biological security, public security, national security and the like are comprehensively and profoundly changed. In recent years, with the continuous emergence of industrial network security incidents, various national standards of regulations and regulations increase the degree of information security supervision on key information infrastructures.
In the past, the way of physical isolation in industrial systems was sufficient to provide good protection, and this is now no longer the case, and it has been found by SANS research that 35% of industrial network failure events are caused by network attacks, with industrial security impacts far exceeding business and reputation protection. Thus, key nodes and network protection of critical infrastructure such as industrial systems require a high enough level of protection to combat the growing network security threats and industrial information security efforts face unprecedented difficulties and challenges.
In the related technology, the situation awareness of the industrial control security equipment is generally performed through a blacklist and a leak library, and both the situation awareness and the situation awareness of the known security vulnerabilities cannot effectively identify industrial control protocols in the industrial automation field, cannot effectively identify unknown vulnerabilities or rules, cannot cope with more and more security threats such as 0day attack and misoperation in the current environment, and cannot meet the requirements of industrial control network security protection.
Disclosure of Invention
The invention aims to provide an industrial control system situation perception method and system based on equipment behavior analysis.
In a first aspect of the present invention, a method for sensing a situation of an industrial control system based on device behavior analysis is provided, including the following steps: acquiring industrial control system data through probe equipment deployed on a data acquisition layer, wherein the industrial control system data comprises industrial control network flow data, equipment operation log data and equipment performance state data; according to the deep analysis and reduction capability of the industrial protocol, deep analysis is carried out on the industrial control system data, the analysis content comprises a source IP, a target IP, a source port, a target port, a source MAC, a target MAC, a protocol type, protocol content, occurrence time and an operation instruction, and the analysis result is stored in a distributed mode; and analyzing the industrial control system data acquired in real time after deep analysis according to the established equipment behavior analysis model, and determining abnormal behaviors.
In this scheme, through the probe equipment collection industrial control system data of arranging on the data acquisition layer, every node all can carry out the complete collection of universe flow, and industrial control system data includes industrial control network flow data, equipment operation log data, equipment performance state data, realizes the transparence of industrial control agreement content, breaks traditional black box form, and then through carrying out behavioral analysis to equipment, discerns the potential threat in the industrial control production environment, has improved the promptness of threat discovery. According to the industrial protocol deep analysis and reduction capability, the industrial control system data is deeply analyzed, the analysis content comprises a source IP, a target IP, a source port, a target port, a source MAC and a target MAC, the protocol type, the protocol content, the occurrence time and an operation instruction, the analysis result is stored in a distributed mode, the method is beneficial to finding out the abnormal and identifying the potential attack behaviors such as APT through the behavior characteristics of the industrial control equipment, the problems that the traditional safety equipment excessively depends on a library and a rule, a protection means can be made according to the actual production environment and the service characteristics of a user, and the problem existing in the operation period is found are solved. According to the established equipment behavior analysis model, the data of the industrial control system which is acquired in real time and subjected to deep analysis is analyzed, abnormal behaviors are determined, prediction can be carried out in time, threats are handled by reasonable and effective measures, and the problem of outburst is solved.
It is worth mentioning that industrial control systems, i.e. Industrial Control Systems (ICS): the industrial control system consists of control equipment such as DCS (distributed control system), PLC (programmable logic controller) and the like, sensors for temperature, pressure and the like and an upper host computer, and is used for monitoring and controlling the industrial production process; an industrial control protocol: communication between the field network and the control network of the industrial control system, communication between the industrial control devices of the field network, communication between the components of the control network often employ communication protocols specific to the industrial control system, typically represented as Modbus, OPC, S7, IEC104, and the like.
Preferably, the device behavior analysis model includes a device illegal operation instruction analysis model, a device illegal interconnection analysis model, a device traffic anomaly analysis model, a device package sending behavior analysis model, and a device performance behavior analysis model, and the establishment of the device behavior analysis model includes the following steps: establishing a time window by taking an equipment IP as a center, and restoring all interactive relations, operation instructions, industrial control network flow data, equipment operation logs and equipment performance states in the time window according to the deep analyzed industrial control system data collected in a normal production environment; determining a credible operation instruction set and the appearance sequence and the periodic relationship of each operation instruction, and establishing an illegal operation instruction analysis model of the equipment; determining the access relation between the trusted assets and the user list and between the trusted equipment and personnel, and establishing an illegal interconnection analysis model of the equipment; modeling clustering analysis is carried out on the uplink flow and the downlink flow in a normal production environment, baseline ranges of the uplink flow and the downlink flow are set, and an equipment flow abnormity analysis model is established; carrying out modeling clustering analysis on the package sending data in the normal production environment, setting the package sending quantity and the baseline range of the package sending frequency, and establishing an equipment package sending behavior analysis model; monitoring and quantifying the CPU and the memory, establishing a threshold reference of the CPU and the memory within a certain time range, and establishing the equipment performance behavior analysis model.
In the scheme, a time window is established by taking an equipment IP as a center, and all interactive relations, operation instructions, industrial control network flow data, equipment operation logs and equipment performance states in the time window are restored according to industrial control system data which is collected in a normal production environment and subjected to deep analysis, so that an equipment illegal operation instruction analysis model, an equipment illegal interconnection analysis model, an equipment flow abnormity analysis model, an equipment packet sending behavior analysis model and an equipment performance behavior analysis model are established, a plurality of behaviors of industrial control equipment can be analyzed, generation of equipment behavior portrayal is facilitated, and abnormal behaviors such as unauthorized access, process parameter modification, illegal attack and the like can be identified based on the equipment behavior portrayal.
Once the industrial control system is established, the industrial control devices such as the terminal device, the control device, the network device and the acquisition device cannot be changed within a long time, and the service logic is relatively fixed.
The time window is typically set to 24 h.
Preferably, according to the established equipment behavior analysis model, analyzing the industrial control system data acquired in real time after deep analysis to determine abnormal behavior, and specifically comprising the following steps: and analyzing and comparing the operation instruction acquired in real time after deep analysis with an equipment illegal operation instruction analysis model, identifying abnormal industrial control network protocols and data messages according to corresponding behavior characteristics, and determining illegal operation instruction behaviors in industrial control network traffic data.
In the scheme, the operation instruction acquired in real time after deep analysis is analyzed and compared with the equipment illegal operation instruction analysis model, illegal operation instruction behaviors such as misoperation or dangerous operation in industrial control network flow can be found in time, timeliness of threat finding is improved, and the method does not depend on a library and a rule excessively.
Preferably, according to the established equipment behavior analysis model, analyzing the industrial control system data acquired in real time after deep analysis to determine abnormal behavior, and specifically comprising the following steps: and analyzing and comparing the deeply analyzed flow information acquired in real time with the equipment illegal interconnection analysis model, identifying abnormal industrial control network protocols and data messages according to corresponding behavior characteristics, and determining asset communication records of equipment and unnecessary production relations.
According to the scheme, the flow information acquired in real time after deep analysis and the equipment illegal interconnection analysis model are analyzed and compared, illegal interconnection behaviors such as asset communication records of equipment and unnecessary production relations can be found in time, timeliness of threat finding is improved, and the method does not excessively depend on libraries and rules, is high in accuracy and strong in pertinence.
Preferably, according to the established equipment behavior analysis model, analyzing the industrial control system data acquired in real time after deep analysis to determine abnormal behaviors, and specifically comprising the following steps: performing clustering comparison on the uplink flow and the downlink flow which are acquired in real time and subjected to deep analysis and the equipment flow abnormity analysis model, and determining discrete points in the uplink flow and the downlink flow; and if the uplink flow is larger than the downlink flow and exceeds the uplink flow baseline range, determining that the equipment flow is abnormal.
In the scheme, the uplink flow and the downlink flow which are acquired in real time and subjected to deep analysis are clustered and compared with the equipment flow abnormity analysis model, so that the equipment flow abnormity behavior can be found in time, and the timeliness of threat finding is improved. Generally, when the uplink traffic is significantly increased and significantly greater than the downlink traffic, it is determined that the device traffic is abnormal, for example, the uplink traffic exceeds the uplink traffic baseline range by 20%, and exceeds the downlink traffic by 20%.
Preferably, according to the established equipment behavior analysis model, analyzing the industrial control system data acquired in real time after deep analysis to determine abnormal behavior, and specifically comprising the following steps: carrying out clustering comparison on the deeply analyzed package sending data acquired in real time and the equipment package sending behavior analysis model to determine discrete points in the package sending data; and if the packet sending frequency exceeds the baseline range of the packet sending frequency in the equipment packet sending behavior analysis model and/or the packet sending number of the industrial control host exceeds the baseline range of the packet sending number in the equipment packet sending behavior analysis model, determining that the equipment packet sending behavior is abnormal.
In the scheme, the packet sending data which are collected in real time and subjected to deep analysis are clustered and compared with the equipment packet sending behavior analysis model, abnormal behaviors of equipment packet sending behaviors can be found in time, and the timeliness of threat finding is improved. And when the packet sending frequency is suddenly increased or the packet sending quantity of the industrial control host is obviously increased, determining that the packet sending behavior of the equipment is abnormal. For example, the packet sending frequency exceeds 20% of the baseline range of the packet sending frequency, or the packet sending number of the industrial control host exceeds 20% of the baseline range of the packet sending number, or the packet sending frequency is improved by 20% within 1 s.
Preferably, according to the established equipment behavior analysis model, analyzing the industrial control system data acquired in real time after deep analysis to determine abnormal behavior, and specifically comprising the following steps: and analyzing and comparing the real-time collected equipment performance state data with the equipment performance behavior analysis model, judging the running stability condition of the equipment, and determining the abnormal behavior of the equipment performance.
In the scheme, the performance abnormal behavior of the equipment can be timely discovered by analyzing and comparing the performance state data of the equipment acquired in real time with the performance behavior analysis model of the equipment, so that the timeliness of threat discovery is improved, fault prediction can be timely performed, and the reliability and stability of industrial control equipment are improved. The performance indexes of two devices, namely a CPU and a memory, are mainly adopted, and the CPU or the memory in a certain time range exceeds 50% of a threshold reference generally, so that the abnormal behavior of the performance of the device is determined.
Preferably, the method for sensing the situation of the industrial control system based on the equipment behavior analysis further includes: according to the weight of each equipment behavior analysis model defined by a user, the equipment is integrally evaluated, an equipment behavior portrait is established, a risk value is determined, and alarm information is generated to remind the user to process abnormal behaviors, wherein the alarm information comprises attack prediction and cognition information, an attack source and related assets.
According to different user scenes, the weight of each equipment behavior analysis model is defined by a user, and then the whole equipment can be evaluated, so that the equipment behavior portrait of each industrial control equipment is taken, the abnormal behaviors such as unauthorized access, process parameter modification and illegal attack can be identified, the risk value can be determined, the alarm information is generated, the prediction and cognition can be formed on the possible attacks, the source of the attacks and related assets can be clearly checked, the assets are protected in time, the possible attacks can be eliminated, the whole alarm information is based on the equipment behaviors, the device can better adapt to different industrial environments, and compared with a blacklist, the alarm information is more comprehensive.
Preferably, the method for sensing the situation of the industrial control system based on the device behavior analysis further includes, before deep parsing the data of the industrial control system according to the deep parsing reduction capability of the industrial protocol: and carrying out data cleaning, data filtering and data standardization on the industrial control system data.
In the scheme, data cleaning, data filtering and data standardization are carried out on the industrial control system data, so that deep analysis is conveniently carried out on the industrial control system data.
In a second aspect of the present invention, an industrial control system situation awareness system based on device behavior analysis is provided, including: the data acquisition layer is internally provided with probe equipment and used for acquiring industrial control system data, wherein the industrial control system data comprises industrial control network flow data, equipment operation log data and equipment performance state data, and is used for carrying out data cleaning, data filtering and data standardization on the industrial control system data; the storage management layer is used for deeply analyzing the industrial control system data according to the deep analysis and reduction capability of an industrial protocol, analyzing contents comprise a source IP, a target IP, a source port, a target port, a source MAC and a target MAC, and storing the analyzing result in a distributed manner, wherein the storage management layer comprises an unstructured data storage module, a structured data storage module, a semi-structured data storage module and a distributed file storage module; the behavior analysis layer is used for establishing an equipment behavior analysis model, analyzing the industrial control system data which are acquired in real time and subjected to deep analysis according to the established equipment behavior analysis model, determining abnormal behaviors, evaluating the whole equipment according to the weight of each equipment behavior analysis model defined by a user, establishing an equipment behavior portrait, determining a risk value, generating alarm information and displaying data, and comprises a model establishment module, a parallel calculation module, an alarm generation module and a data display module.
In this scheme, through the intraformational disposition probe equipment of data acquisition, every node all can carry out the complete collection of universe flow to carry out data filtering, merge, the normalization to the flow content of gathering. The industrial control protocol content is transparent, and the traditional black box form is broken through. The storage management layer is used for carrying out deep analysis distributed storage on the industrial control system data, so that a plurality of behaviors of the industrial control equipment can be analyzed respectively, the equipment behavior analysis accuracy is improved, and the equipment behavior portrait generation accuracy is improved. The establishment of an equipment behavior analysis model, the analysis of abnormal behaviors of industrial control equipment, the establishment of equipment behavior portrayal and the like are realized through a behavior analysis layer, so that the potential threats in an industrial control production environment can be identified, the timeliness of threat discovery is improved, the prediction and cognition are formed on possible attacks, the sources of the attacks and related assets can be clearly checked, the assets are protected in time, the possible attacks are eliminated, the whole alarm information is based on the equipment behaviors, the system can better adapt to different industrial environments, compared with a blacklist, the alarm information is more comprehensive, the risk facing an industrial control system can be quantitatively analyzed, the analysis result is displayed to production area monitoring personnel in a visual mode to deal with the risks in time, and the safe operation of the industrial control system is ensured.
In a third aspect of the invention, an apparatus is presented, comprising:
one or more processors;
storage means for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement a method as described in the first aspect.
In a fourth aspect of the present invention a computer-readable storage medium is presented, on which a computer program is stored, which program, when being executed by a processor, carries out the method according to the first aspect.
The method and the system for sensing the situation of the industrial control system based on the equipment behavior analysis have the following beneficial technical effects that:
(1) the invention is based on a deep analysis engine, deeply analyzes and reduces the capability according to an industrial protocol, deeply analyzes the industrial control system data, establishes an equipment behavior analysis model according to the industrial control system data which is acquired in a normal production environment and is subjected to deep analysis, is based on the stability of the industrial control system, has higher reliability, and is compared and analyzed with the equipment behavior analysis model to find whether abnormal behaviors such as abnormal communication, abnormal assets and the like exist in the industrial control system data which is subjected to deep analysis, alarms, and can detect targeted network attack, user misoperation, illegal equipment access, worm and virus propagation and the like in real time.
(2) Compared with attack analysis based on a blacklist technology in the prior art, the industrial control system situation sensing method and the system based on equipment behavior analysis, which are provided by the invention, can not only aim at known security vulnerabilities, but also cope with security threats such as 0day attack and misoperation occurring in the current environment, can actively discover various abnormal behaviors, give an alarm in real time, carry out risk quantitative analysis on the industrial control system and output risk results, and increase the identification and response capabilities to unknown threats.
(3) The method and the system for sensing the situation of the industrial control system based on the equipment behavior analysis identify potential threats in the industrial control production environment by analyzing the equipment behavior, improve the timeliness of threat discovery, discover abnormal behaviors and identify potential attack behaviors such as APT (active Power Table) and the like by behavior characteristics, solve the problem that the traditional safety equipment excessively depends on libraries and rules, can set a protection means aiming at the actual production environment and service characteristics of a user, find the problems existing in the operation period, particularly aim at the sudden problems, can utilize the equipment analysis to predict in time and utilize reasonable and effective measures to process the threats.
Drawings
FIG. 1 is a flow chart of a method for situational awareness of an industrial control system based on device behavior analysis according to an embodiment of the present invention;
FIG. 2 is a flowchart of a situation awareness method for an industrial control system based on device behavior analysis according to an embodiment of the present invention;
FIG. 3 is an architecture diagram of an industrial control system situational awareness system based on device behavior analysis according to an embodiment of the present invention;
FIG. 4 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart illustrating a method for situational awareness of an industrial control system based on device behavior analysis according to an embodiment of the present invention.
As shown in fig. 1, the method for sensing the situation of the industrial control system based on the device behavior analysis according to the embodiment of the present invention includes the following steps:
s102, acquiring industrial control system data through probe equipment deployed on a data acquisition layer, wherein the industrial control system data comprises industrial control network flow data, equipment operation log data and equipment performance state data;
s104, according to the deep analysis and reduction capability of the industrial protocol, deep analysis is carried out on the industrial control system data, the analysis content comprises a source IP, a target IP, a source port, a target port, a source MAC, a target MAC, a protocol type, protocol content, occurrence time and an operation instruction, and the analysis result is stored in a distributed mode;
and S106, analyzing the industrial control system data which is acquired in real time and subjected to deep analysis according to the established equipment behavior analysis model, and determining abnormal behaviors.
The industrial control system data are acquired through the probe equipment deployed on the data acquisition layer, all nodes can perform complete acquisition of global flow, the industrial control system data comprise industrial control network flow data, equipment operation log data and equipment performance state data, the transparency of industrial control protocol contents is achieved, the traditional black box form is broken, further, the potential threats in the industrial control production environment are identified through behavior analysis on the equipment, and the timeliness of threat discovery is improved. Based on the stability of the industrial control system, the deep analyzed industrial control system data is compared with the equipment behavior analysis model for analysis, whether abnormal behaviors such as abnormal communication, abnormal assets and the like exist is found, an alarm is given, and targeted network attack, user misoperation, user illegal operation, illegal equipment access, worm and virus propagation and the like can be detected in real time.
Further, the equipment behavior analysis model comprises an equipment illegal operation instruction analysis model, an equipment illegal interconnection analysis model, an equipment flow abnormity analysis model, an equipment package sending behavior analysis model and an equipment performance behavior analysis model, and the establishment of the equipment behavior analysis model comprises the following steps: establishing a time window by taking an equipment IP as a center, and restoring all interactive relations, operation instructions, industrial control network flow data, equipment operation logs and equipment performance states in the time window according to the deep analyzed industrial control system data collected in a normal production environment; determining a credible operation instruction set and the appearance sequence and the periodic relationship of each operation instruction, and establishing an equipment illegal operation instruction analysis model; determining the access relation between the trusted assets and the user list and between the trusted equipment and personnel, and establishing an equipment illegal interconnection analysis model; modeling clustering analysis is carried out on the uplink flow and the downlink flow in a normal production environment, baseline ranges of the uplink flow and the downlink flow are set, and an equipment flow abnormity analysis model is established; carrying out modeling clustering analysis on the package sending data in the normal production environment, setting the package sending quantity and the baseline range of the package sending frequency, and establishing an equipment package sending behavior analysis model; monitoring and quantifying the CPU and the memory, establishing a threshold reference of the CPU and the memory within a certain time range, and establishing an equipment performance behavior analysis model.
The method is characterized in that a time window is established based on the stability of the industrial control system by taking an equipment IP as a center, and all interactive relations, operation instructions, industrial control network flow data, equipment operation logs and equipment performance states in the time window are restored according to the industrial control system data which are collected in a normal production environment and subjected to deep analysis, so that an equipment illegal operation instruction analysis model, an equipment illegal interconnection analysis model, an equipment flow abnormity analysis model, an equipment packet sending behavior analysis model and an equipment performance behavior analysis model are established.
As shown in fig. 2, the method for sensing the situation of the industrial control system based on the device behavior analysis according to the embodiment of the present invention includes the following steps:
s202, acquiring industrial control system data through probe equipment deployed on a data acquisition layer, wherein the industrial control system data comprises industrial control network flow data, equipment operation log data and equipment performance state data;
s204, carrying out data cleaning, data filtering and data standardization on the industrial control system data;
s206, according to the deep analysis and reduction capability of the industrial protocol, deep analysis is carried out on the industrial control system data, the analysis content comprises a source IP, a destination IP, a source port, a destination port, a source MAC, a destination MAC, a protocol type, protocol content, occurrence time and an operation instruction, and the analysis result is stored in a distributed mode;
s208, analyzing and comparing the operation instruction which is acquired in real time after deep analysis with an equipment illegal operation instruction analysis model, identifying abnormal industrial control network protocols and data messages according to corresponding behavior characteristics, and determining illegal operation instruction behaviors in industrial control network flow data;
s210, analyzing and comparing the deeply analyzed flow information acquired in real time with the equipment illegal interconnection analysis model, identifying abnormal industrial control network protocols and data messages according to corresponding behavior characteristics, and determining asset communication records of equipment and unnecessary production relations;
s212, clustering and comparing the uplink flow and the downlink flow which are acquired in real time and subjected to deep analysis with the equipment flow abnormity analysis model, and determining discrete points in the uplink flow and the downlink flow;
s214, if the uplink flow is larger than the downlink flow and the uplink flow exceeds the uplink flow baseline range, determining that the equipment flow is abnormal;
s216, clustering and comparing the deeply analyzed package sending data collected in real time with the equipment package sending behavior analysis model to determine discrete points in the package sending data;
s218, if the packet sending frequency exceeds the baseline range of the packet sending frequency in the equipment packet sending behavior analysis model and/or the packet sending number of the industrial control host exceeds the baseline range of the packet sending number in the equipment packet sending behavior analysis model, determining that the equipment packet sending behavior is abnormal;
s220, analyzing and comparing the real-time collected equipment performance state data with the equipment performance behavior analysis model, judging the running stability condition of the equipment, and determining the abnormal behavior of the equipment performance;
s222, according to the weight of each equipment behavior analysis model defined by the user, the whole equipment is evaluated, an equipment behavior portrait is established, a risk value is determined, and alarm information is generated to remind the user to process abnormal behaviors, wherein the alarm information comprises attack prediction and cognition information, attack sources and related assets.
It should be noted that steps S208, S210, S212, S216, and S220 may be performed simultaneously or sequentially, and may also be performed selectively according to the requirements of the production scenario, and after the execution is completed, step S222 is performed, the device is evaluated as a whole, a device behavior profile is established, a risk value is determined, alarm information is generated, risk quantitative analysis can be performed on the industrial control system, a risk result is output, prediction and cognition is formed on possible attacks, sources and related assets of the attacks can be clearly checked, so that the assets are protected in time, possible attacks are eliminated, the whole alarm information is based on the device behavior, and the alarm information is better adapted to different industrial environments, and is more comprehensive compared with a black list.
As shown in fig. 3, the industrial control system situation awareness system based on device behavior analysis according to the embodiment of the present invention includes: the data acquisition layer 302 comprises an industrial control network flow data acquisition module 3022, an equipment operation log data acquisition module 3024, an equipment performance state data acquisition module 3026, and a data cleaning data filtering data standardization module 3028, and probe equipment is deployed in the data acquisition layer and used for acquiring industrial control system data, wherein the industrial control system data comprises industrial control network flow data, equipment operation log data, and equipment performance state data, and is subjected to data cleaning, data filtering, and data standardization; the storage management layer 304, the storage management layer 304 includes an unstructured data storage module 3042, a structured data storage module 3044, a semi-structured data storage module 3046, and a distributed file storage module 3048, and is configured to perform deep parsing on the industrial control system data according to the deep parsing reduction capability of the industrial protocol, where parsing contents include a source IP, a destination IP, a source port, a destination port, a source MAC, a destination MAC, a protocol type, a protocol content, occurrence time, and an operation instruction, and store parsing results in a distributed manner; the behavior analysis layer 306 and the behavior analysis layer 306 comprise a model establishing module 3062, a parallel computing module 3064, an alarm generating module 3066 and a data display module 3068, and are used for establishing an equipment behavior analysis model, analyzing the industrial control system data which is acquired in real time and subjected to deep analysis according to the established equipment behavior analysis model, determining abnormal behaviors, estimating the whole equipment according to the weight of each equipment behavior analysis model defined by a user, establishing an equipment behavior portrait, determining a risk value, generating alarm information and displaying data.
The method comprises the steps of utilizing big data and machine learning to analyze and model equipment behaviors, comprehensively analyzing the industrial control equipment behaviors, adopting a distributed deployment mode on a technical framework, collecting all areas of a terminal bypass deployment network and the side of an exchanger, obtaining network flow through an exchanger mirror image port, sending the network flow to a big data monitoring platform through the network, receiving industrial control system data from a collection terminal by the big data monitoring platform, analyzing the equipment behaviors, actively sensing security threats, quantitatively analyzing risks faced by the industrial control system, displaying analysis results to production area monitoring personnel in a visual mode to timely deal with the analysis results, and ensuring safe operation of the industrial control system.
FIG. 4 shows a schematic block diagram of an electronic device 400 that may be used to implement embodiments of the present disclosure. As shown in fig. 4, device 400 includes a Central Processing Unit (CPU)401 that may perform various appropriate actions and processes in accordance with computer program instructions stored in a Read Only Memory (ROM)402 or loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data required for the operation of the device 400 can also be stored. The CPU 401, ROM 402, and RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
A number of components in device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, or the like; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408 such as a magnetic disk, optical disk, or the like; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processing unit 401 executes the various methods and processes described above. For example, in some embodiments, the method may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 400 via the ROM 402 and/or the communication unit 409. When the computer program is loaded into RAM 403 and executed by CPU 401, one or more steps of the method described above may be performed. Alternatively, in other embodiments, the CPU 401 may be configured to perform the method by any other suitable means (e.g., by way of firmware).
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), an Application Specific Standard Product (ASSP), a system on a chip (SOC), a load programmable logic device (CPLD), and the like.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single implementation. Conversely, various features that are described in the context of a single implementation can also be implemented in multiple implementations separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (10)

1. An industrial control system situation perception method based on equipment behavior analysis is characterized by comprising the following steps:
acquiring industrial control system data through probe equipment deployed on a data acquisition layer, wherein the industrial control system data comprises industrial control network flow data, equipment operation log data and equipment performance state data;
according to the deep analysis and reduction capability of the industrial protocol, deep analysis is carried out on the industrial control system data, the analysis content comprises a source IP, a target IP, a source port, a target port, a source MAC, a target MAC, a protocol type, protocol content, occurrence time and an operation instruction, and the analysis result is stored in a distributed mode;
and analyzing the industrial control system data acquired in real time after deep analysis according to the established equipment behavior analysis model, and determining abnormal behaviors.
2. The industrial control system situation awareness method based on equipment behavior analysis according to claim 1, wherein the equipment behavior analysis model comprises an equipment illegal operation instruction analysis model, an equipment illegal interconnection analysis model, an equipment traffic anomaly analysis model, an equipment package issuing behavior analysis model and an equipment performance behavior analysis model, and the establishment of the equipment behavior analysis model comprises the following steps:
establishing a time window by taking an equipment IP as a center, and restoring all interactive relations, operation instructions, industrial control network flow data, equipment operation logs and equipment performance states in the time window according to the deep analyzed industrial control system data collected in a normal production environment;
determining a credible operating instruction set and the appearance sequence and periodic relationship of each operating instruction, and establishing an illegal operating instruction analysis model of the equipment;
determining access relations between the trusted assets and the user list and between the trusted equipment and the trusted personnel, and establishing an illegal interconnection analysis model of the equipment;
modeling and clustering analysis is carried out on the uplink flow and the downlink flow in a normal production environment, the baseline range of the uplink flow and the downlink flow is set, and an equipment flow abnormity analysis model is established;
carrying out modeling clustering analysis on the package sending data in the normal production environment, setting the package sending quantity and the baseline range of the package sending frequency, and establishing an equipment package sending behavior analysis model;
monitoring and quantifying the CPU and the memory, establishing a threshold reference of the CPU and the memory within a certain time range, and establishing the equipment performance behavior analysis model.
3. The industrial control system situation awareness method based on equipment behavior analysis according to claim 2, wherein the method comprises the following steps of analyzing deep-analyzed industrial control system data collected in real time according to the established equipment behavior analysis model, and determining abnormal behavior:
and analyzing and comparing the operation instruction acquired in real time after deep analysis with an equipment illegal operation instruction analysis model, identifying abnormal industrial control network protocols and data messages according to corresponding behavior characteristics, and determining illegal operation instruction behaviors in industrial control network traffic data.
4. The industrial control system situation awareness method based on equipment behavior analysis according to claim 2, wherein the method comprises the following steps of analyzing deep-analyzed industrial control system data collected in real time according to the established equipment behavior analysis model, and determining abnormal behaviors:
and analyzing and comparing the deeply analyzed flow information acquired in real time with the equipment illegal interconnection analysis model, identifying abnormal industrial control network protocols and data messages according to corresponding behavior characteristics, and determining asset communication records of equipment and unnecessary production relations.
5. The industrial control system situation awareness method based on equipment behavior analysis according to claim 2, wherein the method comprises the following steps of analyzing deep-analyzed industrial control system data collected in real time according to the established equipment behavior analysis model, and determining abnormal behaviors:
performing clustering comparison on the uplink flow and the downlink flow which are acquired in real time and subjected to deep analysis and the equipment flow abnormity analysis model, and determining discrete points in the uplink flow and the downlink flow;
and if the uplink flow is larger than the downlink flow and exceeds the uplink flow baseline range, determining that the equipment flow is abnormal.
6. The industrial control system situation awareness method based on equipment behavior analysis according to claim 2, wherein the method comprises the following steps of analyzing deep-analyzed industrial control system data collected in real time according to the established equipment behavior analysis model, and determining abnormal behavior:
carrying out clustering comparison on the deeply analyzed package sending data acquired in real time and the equipment package sending behavior analysis model to determine discrete points in the package sending data;
and if the packet sending frequency exceeds the baseline range of the packet sending frequency in the equipment packet sending behavior analysis model and/or the packet sending number of the industrial control host exceeds the baseline range of the packet sending number in the equipment packet sending behavior analysis model, determining that the equipment packet sending behavior is abnormal.
7. The industrial control system situation awareness method based on equipment behavior analysis according to claim 2, wherein the method comprises the following steps of analyzing deep-analyzed industrial control system data collected in real time according to the established equipment behavior analysis model, and determining abnormal behavior:
and analyzing and comparing the real-time acquired equipment performance state data with the equipment performance behavior analysis model, judging the running stability condition of the equipment, and determining the abnormal behavior of the equipment performance.
8. The method for sensing the situation of the industrial control system based on the equipment behavior analysis according to any one of claims 2 to 7, further comprising:
according to the weight of each equipment behavior analysis model defined by a user, the whole equipment is evaluated, an equipment behavior portrait is established, a risk value is determined, and alarm information is generated to remind the user to process abnormal behaviors, wherein the alarm information comprises attack prediction and cognition information, attack sources and related assets.
9. The method for sensing the situation of the industrial control system based on the equipment behavior analysis according to claim 8, wherein before deep parsing the data of the industrial control system according to the deep parsing reduction capability of the industrial protocol, the method further comprises:
and carrying out data cleaning, data filtering and data standardization on the industrial control system data.
10. An industrial control system situation awareness system based on equipment behavior analysis is characterized by comprising:
the data acquisition layer is internally provided with probe equipment and used for acquiring industrial control system data, wherein the industrial control system data comprises industrial control network flow data, equipment operation log data and equipment performance state data, and is used for carrying out data cleaning, data filtering and data standardization on the industrial control system data;
the storage management layer is used for carrying out deep analysis on the industrial control system data according to the deep analysis and reduction capability of the industrial protocol, the analysis content comprises a source IP, a target IP, a source port, a target port, a source MAC, a target MAC, a protocol type, protocol content, occurrence time and an operation instruction, and the analysis result is stored in a distributed mode, and the storage management layer comprises an unstructured data storage module, a structured data storage module, a semi-structured data storage module and a distributed file storage module;
the behavior analysis layer is used for establishing an equipment behavior analysis model, analyzing the industrial control system data which are acquired in real time and subjected to deep analysis according to the established equipment behavior analysis model, determining abnormal behaviors, evaluating the whole equipment according to the weight of each equipment behavior analysis model defined by a user, establishing an equipment behavior portrait, determining a risk value, generating alarm information and displaying data, and comprises a model establishment module, a parallel calculation module, an alarm generation module and a data display module.
CN202210538960.8A 2022-05-17 2022-05-17 Industrial control system situation awareness method and system based on equipment behavior analysis Active CN114938300B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210538960.8A CN114938300B (en) 2022-05-17 2022-05-17 Industrial control system situation awareness method and system based on equipment behavior analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210538960.8A CN114938300B (en) 2022-05-17 2022-05-17 Industrial control system situation awareness method and system based on equipment behavior analysis

Publications (2)

Publication Number Publication Date
CN114938300A true CN114938300A (en) 2022-08-23
CN114938300B CN114938300B (en) 2024-07-02

Family

ID=82864011

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210538960.8A Active CN114938300B (en) 2022-05-17 2022-05-17 Industrial control system situation awareness method and system based on equipment behavior analysis

Country Status (1)

Country Link
CN (1) CN114938300B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115550227A (en) * 2022-09-02 2022-12-30 中盈优创资讯科技有限公司 Service flow collection and monitoring guarantee method

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data
US20170324761A1 (en) * 2014-08-27 2017-11-09 General Electric Company Collaborative infrastructure supporting cyber-security analytics in industrial networks
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list
KR101860395B1 (en) * 2017-06-23 2018-07-02 한국남동발전 주식회사 Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol
CN108259462A (en) * 2017-11-29 2018-07-06 国网吉林省电力有限公司信息通信公司 Big data Safety Analysis System based on mass network monitoring data
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system
CN109889476A (en) * 2018-12-05 2019-06-14 国网冀北电力有限公司信息通信分公司 A kind of network safety protection method and network security protection system
WO2020096111A1 (en) * 2018-11-08 2020-05-14 전자부품연구원 Deep learning-based abnormal behavior recognition device and method
CN111565390A (en) * 2020-07-16 2020-08-21 深圳市云盾科技有限公司 Internet of things equipment risk control method and system based on equipment portrait
CN112104659A (en) * 2020-09-18 2020-12-18 宋清云 Real-time monitoring platform based on government affair application safety
CN112653678A (en) * 2020-12-14 2021-04-13 国家电网有限公司信息通信分公司 Network security situation perception analysis method and device
CN113313421A (en) * 2021-06-24 2021-08-27 国网辽宁省电力有限公司电力科学研究院 Security risk state analysis method and system for power Internet of things sensing layer
CN113486351A (en) * 2020-06-15 2021-10-08 中国民用航空局空中交通管理局 Civil aviation air traffic control network safety detection early warning platform
US11159546B1 (en) * 2021-04-20 2021-10-26 Centripetal Networks, Inc. Methods and systems for efficient threat context-aware packet filtering for network protection
US20210336977A1 (en) * 2020-04-23 2021-10-28 International Business Machines Corporation Deep packet analysis
US20220060497A1 (en) * 2015-10-28 2022-02-24 Qomplx, Inc. User and entity behavioral analysis with network topology enhancements

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170324761A1 (en) * 2014-08-27 2017-11-09 General Electric Company Collaborative infrastructure supporting cyber-security analytics in industrial networks
US20220060497A1 (en) * 2015-10-28 2022-02-24 Qomplx, Inc. User and entity behavioral analysis with network topology enhancements
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data
KR101860395B1 (en) * 2017-06-23 2018-07-02 한국남동발전 주식회사 Apparatus and method for detecting abnormal behavior of industrial control system based on whitelist for nonstandard protocol
CN108259462A (en) * 2017-11-29 2018-07-06 国网吉林省电力有限公司信息通信公司 Big data Safety Analysis System based on mass network monitoring data
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list
WO2020096111A1 (en) * 2018-11-08 2020-05-14 전자부품연구원 Deep learning-based abnormal behavior recognition device and method
CN109889476A (en) * 2018-12-05 2019-06-14 国网冀北电力有限公司信息通信分公司 A kind of network safety protection method and network security protection system
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system
US20210336977A1 (en) * 2020-04-23 2021-10-28 International Business Machines Corporation Deep packet analysis
CN113486351A (en) * 2020-06-15 2021-10-08 中国民用航空局空中交通管理局 Civil aviation air traffic control network safety detection early warning platform
CN111565390A (en) * 2020-07-16 2020-08-21 深圳市云盾科技有限公司 Internet of things equipment risk control method and system based on equipment portrait
CN112104659A (en) * 2020-09-18 2020-12-18 宋清云 Real-time monitoring platform based on government affair application safety
CN112653678A (en) * 2020-12-14 2021-04-13 国家电网有限公司信息通信分公司 Network security situation perception analysis method and device
US11159546B1 (en) * 2021-04-20 2021-10-26 Centripetal Networks, Inc. Methods and systems for efficient threat context-aware packet filtering for network protection
CN113313421A (en) * 2021-06-24 2021-08-27 国网辽宁省电力有限公司电力科学研究院 Security risk state analysis method and system for power Internet of things sensing layer

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
井柯;董黎芳;孙一桉;: "智能变电站监测预警系统研究与应用", 电力信息与通信技术, no. 11, 15 November 2015 (2015-11-15) *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115550227A (en) * 2022-09-02 2022-12-30 中盈优创资讯科技有限公司 Service flow collection and monitoring guarantee method

Also Published As

Publication number Publication date
CN114938300B (en) 2024-07-02

Similar Documents

Publication Publication Date Title
CN114584405B (en) Electric power terminal safety protection method and system
CN108494810B (en) Attack-oriented network security situation prediction method, device and system
CN111262722B (en) Safety monitoring method for industrial control system network
US12120146B1 (en) Systems and methods for applying attack tree models and physics-based models for detecting cyber-physical threats
KR102225460B1 (en) Method of detecting threat based on threat hunting using multi sensor data and apparatus using the same
CA3041871A1 (en) System and method for monitoring security attack chains
CN115996146B (en) Numerical control system security situation sensing and analyzing system, method, equipment and terminal
CN113824682B (en) Modularized SCADA security situation sensing system architecture
CN117544420B (en) Fusion system safety management method and system based on data analysis
CN115935415A (en) Data safety early warning system based on industrial internet multi-factor perception
KR102592868B1 (en) Methods and electronic devices for analyzing cybersecurity threats to organizations
CN115396324A (en) Network security situation perception early warning processing system
CN114938300B (en) Industrial control system situation awareness method and system based on equipment behavior analysis
CN114125083A (en) Industrial network distributed data acquisition method and device, electronic equipment and medium
CN118381627A (en) LLM driven industrial network intrusion detection method and response system
CN111614614B (en) Safety monitoring method and device applied to Internet of things
CN115481166B (en) Data storage method and device, electronic equipment and computer storage medium
CN113987515B (en) Vulnerability threat discovery method and system based on intelligent matching
CN111565377B (en) Security monitoring method and device applied to Internet of things
CN115567258A (en) Network security situation awareness method, system, electronic device and storage medium
RU2737229C1 (en) Protection method of vehicle control systems against intrusions
Xu et al. [Retracted] Method of Cumulative Anomaly Identification for Security Database Based on Discrete Markov chain
Jiang et al. Design and practice of industrial control network security threat model
Dong et al. Design of Network Security Situation Awareness and Early Warning System Based on Big Data
Han et al. Design of Multi-Protocol Industrial Ethernet Security Monitor

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant