CN115145230A - Industrial control network order abnormity detection method and device, electronic equipment and storage medium - Google Patents
Industrial control network order abnormity detection method and device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN115145230A CN115145230A CN202210772314.8A CN202210772314A CN115145230A CN 115145230 A CN115145230 A CN 115145230A CN 202210772314 A CN202210772314 A CN 202210772314A CN 115145230 A CN115145230 A CN 115145230A
- Authority
- CN
- China
- Prior art keywords
- process flow
- rule
- instruction
- matched
- control instruction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/418—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
- G05B19/41865—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by job scheduling, process planning, material flow
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/30—Nc systems
- G05B2219/32—Operator till task planning
- G05B2219/32252—Scheduling production, machining, job shop
Abstract
The application provides an industrial control network order abnormity detection method, an industrial control network order abnormity detection device, electronic equipment and a storage medium. The method comprises the following steps: receiving a control instruction, wherein the control instruction comprises a production process identifier and instruction parameters; acquiring a rule to be matched of a corresponding target process flow according to the production process identification; the rule to be matched comprises standard parameters corresponding to the nodes needing to be executed currently in the target process flow; matching the instruction parameters with the rules to be matched to obtain a matching result; and determining whether the industrial control network order is abnormal or not according to the matching result. According to the method and the device, the received control instruction is matched with the standard parameter of the current node needing to be executed of the target process flow, so that whether the control instruction is used for controlling the current node needing to be executed can be judged, the control instruction can be executed according to the normal process flow, and the detection of the order of the industrial control network is integrally realized.
Description
Technical Field
The application relates to the technical field of industrial control, in particular to a method and a device for detecting abnormal order of an industrial control network, electronic equipment and a storage medium.
Background
With the increase of the openness of industrial networks, the information security risk continuously spreads to the industrial field, and the security protection system of an Industrial Control System (ICS) faces huge security threats.
Although products such as industrial control firewalls and industrial control gatekeepers are also proposed in the industry at present, the products implement protection on a single execution node and cannot be considered from the whole. According to some research results in the market, the user needs to perform one-by-one deep protection, and secondly, needs to perform integral protection. However, at present, no overall detection method for the production line exists.
Disclosure of Invention
An embodiment of the present application provides a method and an apparatus for detecting an abnormality in an industrial control network order, an electronic device, and a storage medium, so as to implement abnormality detection of an overall process in industrial control.
In a first aspect, an embodiment of the present application provides an industrial control network order anomaly detection method, including: receiving a control instruction, wherein the control instruction comprises a production process identifier and instruction parameters; acquiring a rule to be matched of a corresponding target process flow according to the production process identification; the rule to be matched comprises standard parameters corresponding to the nodes needing to be executed currently in the target process flow; matching the instruction parameters with the rules to be matched to obtain a matching result; determining industrial control according to matching result whether the network order is abnormal.
According to the method and the device, the received control instruction is matched with the standard parameters of the current nodes needing to be executed of the target process flow, so that whether the control instruction is used for controlling the current nodes needing to be executed can be judged, the control instruction can be executed according to the normal process flow, and the detection of the industrial control network order is integrally realized.
In any embodiment, the obtaining the rule to be matched of the corresponding target process flow according to the production process identifier includes: acquiring a corresponding target process flow template according to the production process identifier, and determining a current node to be executed according to the target process flow template; and acquiring a rule to be matched corresponding to the current node to be executed.
In the embodiment of the application, the execution sequence of each node is already set in the process flow template, so that after the control instruction is received, whether the control instruction is used for controlling the current node to be executed can be determined according to the process flow template, and the execution sequence of the process and the corresponding execution node can be detected as a whole.
In any embodiment, after determining whether the industrial control network order is abnormal according to the matching result, the method further includes: and if the matching result represents that the order of the industrial control network is abnormal, blocking the control instruction.
According to the embodiment of the application, the abnormal control instruction is blocked, so that the abnormal control instruction is prevented from maliciously controlling the production line, and the production safety of the production line is ensured.
In any embodiment, after determining whether the industrial control network order is abnormal according to the matching result, the method further includes: and if the matching result represents that the industrial control network order is normal, sending a control instruction to production line equipment corresponding to the target process flow.
According to the method and the device, the control instruction is sent to the production line equipment corresponding to the target process flow only when the control instruction is determined to be a legal instruction, so that the production line equipment can control the execution equipment corresponding to the production line to work, and the normal work of the production line is ensured.
In any embodiment, after sending the control instruction to the production line device corresponding to the target process flow, the method further includes: and generating a log corresponding to the control instruction, and sending the log to the monitoring equipment.
According to the method and the device, the log when the legal control instruction is executed is sent to the control instruction, log alarms generated by other network devices are filtered, and therefore workers can quickly know the current execution progress of a production line through the log.
In any embodiment, after sending the log to the monitoring device, the method further comprises: and receiving a response message fed back by the monitoring equipment, and taking the next execution node as the current execution node.
According to the embodiment of the application, the next execution node is switched after the response message fed back by the monitoring equipment is received, so that the closed loop of the process is realized.
In any embodiment, the method further comprises: receiving manufacturing process parameters sent by an operation station; sending manufacturing process parameters to corresponding process flow equipment; extracting key parameters from the manufacturing process parameters; generating a corresponding matching rule according to the key parameters; and generating a process flow template according to the matching rule and the receiving time of the manufacturing process parameters corresponding to the matching rule.
According to the method and the device, the whole process flow is controlled to be sequentially executed through the process flow template, single-point detection is not needed, and the process flow of a production line is controlled more comprehensively.
In a second aspect, an embodiment of the present application provides an industrial control network order abnormality detection apparatus, including: the instruction receiving module is used for receiving a control instruction, and the control instruction comprises a production process identifier and an instruction parameter; the rule obtaining module is used for obtaining a rule to be matched of the corresponding target process flow according to the production process identification; the rule to be matched is used for representing standard parameters corresponding to the nodes needing to be executed currently in the target process flow; the rule matching module is used for matching the instruction parameters with the rule to be matched to obtain a matching result; and the abnormity judgment module is used for determining whether the industrial control network order is abnormal according to the matching result.
In a third aspect, an embodiment of the present application provides an electronic device, including: the system comprises a processor, a memory and a bus, wherein the processor and the memory are communicated with each other through the bus; the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of the first aspect.
In a fourth aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium, including: a non-transitory computer readable storage medium stores computer instructions which cause a computer to perform the method of the first aspect.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a method for detecting a rank order anomaly in an industrial control network according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an operation provided by an embodiment of the present application;
FIG. 3 is a schematic flow chart diagram illustrating a method for generating a process flow template according to an embodiment of the present disclosure;
fig. 4 is a schematic flowchart of another method for detecting a rank order anomaly in an industrial control network according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an industrial control network order anomaly detection apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only used to illustrate the technical solutions of the present application more clearly, and therefore are only used as examples, and the protection scope of the present application is not limited thereby.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions.
In the description of the embodiments of the present application, the technical terms "first", "second", and the like are used only for distinguishing different objects, and are not to be construed as indicating or implying relative importance or to implicitly indicate the number, specific order, or primary-secondary relationship of the technical features indicated. In the description of the embodiments of the present application, "a plurality" means two or more unless specifically defined otherwise.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
In the description of the embodiments of the present application, the term "and/or" is only one kind of association relationship describing the association object, and means that three relationships may exist, for example, a and/or B, and may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In the description of the embodiments of the present application, the term "plurality" refers to two or more (including two), and similarly, "plural sets" refers to two or more (including two), and "plural pieces" refers to two or more (including two).
In the description of the embodiments of the present application, the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial", "circumferential", and the like, indicate the directions or positional relationships indicated in the drawings, and are only for convenience of description of the embodiments of the present application and for simplicity of description, but do not indicate or imply that the referred device or element must have a specific direction, be constructed and operated in a specific direction, and thus, should not be construed as limiting the embodiments of the present application.
In the description of the embodiments of the present application, unless otherwise explicitly stated or limited, the terms "mounted," "connected," "fixed," and the like are used in a broad sense, and for example, may be fixedly connected, detachably connected, or integrated; mechanical connection or electrical connection is also possible; either directly or indirectly through intervening media, either internally or in any other relationship. Specific meanings of the above terms in the embodiments of the present application can be understood by those of ordinary skill in the art according to specific situations.
At present, the development of enterprises such as mechanical equipment, electronic production, petrochemical industry, light industry textile, diet, medicine, military manufacturing, automobile industry and the like does not leave the leading and supporting functions of an automatic production line, and the automatic production line is a life line of modern industry. The automatic production line is developed on the basis of continuous improvement of the automatic special machine. The automatic special machine is a single automatic device, can complete a single certain process in the production process of products, and has limited functions. After a certain process is finished, the finished semi-finished product needs to be manually transferred to other special machine equipment to continue the next production process, and the whole production can be finished only by a series of special machines with different functions and manual participation, so that the field utilization rate is reduced, production staff and equipment are increased, the production cost is invisibly increased, and the improvement of the product efficiency and the quality is not facilitated.
The inventor researches and discovers that the user needs to control the whole production line and detect the whole flow, and at present, no method for detecting whether the whole production line is abnormal or not exists. Therefore, the inventor provides an industrial control network order abnormity detection method, the method arranges a series of different automatic special machines required by product production according to the sequence of production processes, and all the special machines can be connected through an automatic conveying system, so that the manual participation process among the special machines can be omitted. Similarly, the network detection also protects the whole production process according to the sequence arrangement of the production processes, and avoids the economic loss problems such as equipment damage caused by disordered processes.
In the embodiment of the present application, an execution main body for executing the method for detecting the order abnormality of the industrial control network may be an electronic device such as an industrial control firewall, an industrial control gatekeeper, or the like.
Fig. 1 is a schematic flowchart of a method for detecting a rank order anomaly in an industrial control network according to an embodiment of the present application, and as shown in fig. 1, the method includes the following steps:
step 101: receiving a control instruction, wherein the control instruction comprises a production process identifier and an instruction parameter;
step 102: acquiring a rule to be matched of a corresponding target process flow according to the production process identification; the rule to be matched comprises standard parameters corresponding to the nodes needing to be executed currently in the target process flow;
step 103: matching the instruction parameters with the rules to be matched to obtain a matching result;
step 104: and determining whether the industrial control network order is abnormal or not according to the matching result.
In step 101, the control instruction refers to an instruction for controlling the production process to execute a corresponding action, which may be an attack message sent by an attacker to the electronic device, may also be a legal message sent by a normal operation station, and may also be a legal message sent by a preset automation execution program to the electronic device. The operator station may be understood as a terminal communicating with the electronic device, through which the operator may send the control instructions to the electronic device.
The production process identifier is used for representing the uniqueness of the production process, and can be represented by binary numbers, decimal numbers, ASC codes and the like. The production process that the control command wants to control can be determined through the production process identification. It is understood that the production process may be a steel production process, a metallurgical production process, or the like. The corresponding process flows of different production processes are different, and taking the steelmaking production process as an example, the process flows comprise the execution nodes of discharging raw materials, smelting in an electric furnace, refining in a steel ladle, pouring steel ingots, refining walls of the steel ingots, inspecting and warehousing and the like. If the production process identifier contained in the control command is a steel-making production process, the control command controls one execution node in the steel-making production process. The instruction parameter refers to a parameter required for controlling a certain execution node in the corresponding production process.
In step 102, the electronic device stores the current execution progress of each process flow, that is, stores node information that each process flow needs to be executed at the current time. After receiving the control instruction, the electronic device determines a target process flow according to the production process identification in the control instruction, and acquires a rule to be matched corresponding to a node to be executed currently in the target process flow. The rule to be matched refers to a standard parameter corresponding to a current node to be executed of the target process flow. Still taking the execution node of discharging raw materials in the steel-making production process as an example, the corresponding standard parameters comprise: the protocol is as follows: modubs; the function code is: placing raw materials; the function code sequence combination is as follows: x1, x2, x3; the interval time is as follows: 10s; the operation frequency is as follows: 2; the occurrence time period is as follows: 2; whether concurrence can be found is as follows: yes/no, etc. Therefore, the standard parameter is a parameter that is consistent with the standard parameter in the corresponding control instruction if the current node to be executed needs to execute normally.
In step 103, after acquiring the rule to be matched, the electronic device matches the instruction parameter with the rule to be matched to obtain a matching result. The following table is a standard parameter table corresponding to each execution node of the steelmaking production process provided by the embodiment of the application, and is shown as follows:
taking the execution node of the discharging material in the steel-making production process as an example, judging whether the protocol in the instruction parameter is Modubs or not, and judging whether the sequence combination of the function codes is x1, x2 and x3 or not; judging whether the interval time is 10s, wherein the interval time is the time interval between the electronic equipment and the last control instruction; determining frequency of operation whether or not it is 2; determine whether the control command is issued at 2. And determining a matching result according to the judgment result. For example: if the instruction parameters are completely matched with the standard parameters in the rule to be matched, the matching is successful; if at least one item does not match, the matching fails. It should be noted that the values corresponding to the standard parameters are examples, and the execution nodes included in the process flow and the standard parameters corresponding to the execution nodes are not specifically limited in the embodiment of the present application.
In step 104, the electronic device may determine whether the control command is legal according to the matching result, and if not, determine that the industrial control network order is abnormal, and if so, indicate that the industrial control network order is normal.
It should be noted that if the rule to be matched is not pre-stored in the electronic device, the communication may be performed according to conventional access control, for example: when the electronic device is a firewall, the firewall itself has default access control logic, for example: and the control is carried out by judging whether the source IP address is matched with the destination IP address, so that the safety and smooth execution of the production line are ensured.
According to the method and the device, the received control instruction is matched with the standard parameters of the current nodes needing to be executed of the target process flow, so that whether the control instruction is used for controlling the current nodes needing to be executed can be judged, the control instruction can be executed according to the normal process flow, and the detection of the industrial control network order is integrally realized.
On the basis of the above embodiment, obtaining the rule to be matched of the corresponding target process flow according to the production process identifier includes:
acquiring a corresponding target process flow template according to the production process identifier, and determining a current node to be executed according to the target process flow template;
and acquiring a rule to be matched corresponding to the current node to be executed.
In a specific implementation process, a process flow template corresponding to each production process is stored in the electronic device in advance, and the process flow template is associated with the production process identifier. Therefore, the electronic equipment can obtain the corresponding target process flow template according to the production process identification. It is understood that the target process flow template includes each execution node of the production process, the execution sequence between each execution node, and the standard parameters corresponding to each execution node.
The electronic equipment records execution progress corresponding to each production process, and the execution progress is used for representing which execution node has completed the task. After the electronic device acquires the target process flow template, and determining the current nodes needing to be executed by the electronic equipment from the target process flow template according to the execution progress. For example: for the steel-making production process, if the finished node recorded in the electronic equipment is refined in a steel ladle, the next execution node can be known to be a steel ingot finish wall through a process flow template corresponding to the steel-making production process, namely, the execution node of the steel ingot finish wall is the current execution node required to be executed. And the electronic equipment takes a matching rule corresponding to the execution node of the steel ingot fine wall as a rule to be matched.
In the embodiment of the application, the execution sequence of each node has been set in the target process flow template, so that after receiving the control instruction, whether the control instruction is for controlling the current node to be executed can be determined according to the target process flow template, and the execution sequence of the process and the corresponding execution node can be detected as a whole.
Based on the above embodiments, for an attacker who wants to control the execution of a certain production process, a control instruction may be randomly sent, and the control instruction may be for any execution node of the production process, and therefore, the control instruction may not be consistent with a current node to be executed in a target process flow. In another case, although the control instruction is for the current node to be executed in the target process flow, instruction parameters in the control instruction may be different from the standard parameters, and if the electronic device issues the control instruction to the production line device, an error may be caused in the execution process of the current node to be executed.
Therefore, after the abnormal order of the industrial control network is determined according to the matching result, the control instruction is indicated to be an illegal instruction, and the electronic equipment can block the control instruction in order to avoid the illegal instruction from controlling the execution of the target process flow.
According to the embodiment of the application, the abnormal control instruction is blocked, so that the abnormal control instruction is prevented from maliciously controlling the production line, and the production safety of the production line is ensured.
In another embodiment, the control instruction received by the electronic device and sent by the legal operation station can be successfully matched with the standard parameter, so that after the electronic device determines that the industrial control network order is normal according to the matching result, the control instruction is a legal instruction, and the electronic device issues the legal instruction to the production line equipment corresponding to the target process flow, so that the execution mechanism corresponding to the control of the production line equipment executes the corresponding action according to the control instruction.
In addition, if the electronic device receives a control instruction sent by an illegal person, but the control instruction is successfully matched with the rule to be matched, the electronic device can also regard the control instruction as a legal control instruction and issue the control instruction to the production line device. Because the control instruction does not cause the operation of the production line equipment to be abnormal, in the actual operation process, the electronic equipment does not pay attention to who sends the control instruction, and only pays attention to whether the control instruction is matched with the rule to be matched.
Fig. 2 is a working schematic diagram provided in this embodiment of the present application, and as shown in fig. 2, the monitoring station is in communication connection with the firewall through the router, the console is also in communication connection with the firewall, the console can send a control instruction to the firewall, and the firewall issues the control instruction to the production line device of the steel-making production line after determining that the control instruction is a legal instruction. It will be appreciated that each execution node in the steelmaking line may correspond to a line device, each line device having its own protocol for communicating with the firewall. For example: the production line equipment for discharging raw materials is communicated with a firewall through a Modbus protocol, the production line equipment for electric furnace smelting is communicated with the firewall through an S7 protocol, the production line equipment for ladle refining is communicated with the firewall through a Dnp3 protocol, the production line equipment for steel ingot pouring is communicated with the firewall through an Mms protocol, the production line equipment for steel ingot fine walls is communicated with the firewall through an Ops protocol, and the production line equipment for checking and warehousing is communicated with the firewall through a Fins protocol. It can be understood that the communication protocol between each production line device and the firewall is only an example, and in practical applications, an appropriate communication protocol may be selected for communication, which is not specifically limited in this embodiment of the present application.
According to the embodiment of the application, the control instruction is sent to the production line equipment corresponding to the target process flow only when the control instruction is determined to be a legal instruction, so that the production line equipment can control the execution equipment corresponding to the production line to work, and the normal work of the production line is ensured.
On the basis of the foregoing embodiment, after sending the control instruction to the production line device corresponding to the target process flow, the method further includes:
and generating a log corresponding to the control instruction, and sending the log to the monitoring equipment.
In a specific implementation process, after the electronic device sends the control instruction to the production line device, a log corresponding to the control instruction can be recorded, and the log displays the current task progress and details. Details are for example: operation time, operation times, operation actions, operation frequency, next action and the like. The information required by the user can be analyzed and displayed. The log is sent to the monitoring device by the electronic device, a corresponding application program runs in the monitoring device, the application program is directly downloaded and installed by logging in the electronic device (such as a firewall), and the application program can be communicated with the electronic device and particularly can be communicated through a socket. The monitoring personnel can view the log by logging into the application program.
Therefore, all the logs received in the monitoring equipment are logs corresponding to legal control instructions, various false alarms generated in a large number of complex environments can be shielded, which execution node the target process flow is currently executed to can be known through the received logs, and if the next node is not executed for a long time, the next execution node is indicated to have a problem, so that the problem can be quickly and accurately positioned, and the resource occupation is reduced.
On the basis of the above embodiment, after sending the log to the monitoring device, the method further includes:
and receiving a response message fed back by the monitoring equipment, and taking the next execution node as the current execution node.
In a specific implementation process, the electronic device may receive a response packet fed back by the monitoring device, where the response packet may be used to instruct the electronic device to switch the next execution node, so as to form a closed loop. And the step does not need to be restored into an application layer message, so that the memory and CPU resources are saved.
For example, in the steel making process, electric furnace smelting should be performed first, and then ladle refining should be performed, but due to an instruction issuing error or some malicious attacks, the instruction issuing error can cause an error in the whole smelting process, and cause huge loss and irreversible. The electronic equipment sends the log to the monitoring station when detecting no abnormity, the monitoring APP running in the monitoring station receives the log, analyzes and displays the progress of the current task, and what the next operation is, and is more visual and controllable, and sends the response information, the electronic equipment switches to the next rule after receiving the response information, continues to match the message, and continues to produce only when the current message instruction is matched with the current rule to be matched. The control is simple and efficient, the error rate is low, and system resources are saved.
On the basis of the above embodiment, the method further includes a method of generating a process flow template, as shown in fig. 3, the method including:
step 301: receiving manufacturing process parameters sent by an operation station; it can be understood that, for a process flow template of a certain production process not stored in the firewall, the electronic device may receive, in the template learning mode, a manufacturing process parameter sent by the operation station, where the manufacturing process parameter may be understood as legal and is used to control a corresponding process flow device to perform a parameter of a corresponding action;
step 302: sending the manufacturing process parameters to corresponding process flow equipment; after receiving the manufacturing process parameters, the electronic equipment sends the manufacturing process parameters to corresponding process flow equipment, so that the process flow equipment executes corresponding actions according to the manufacturing process parameters.
Step 303: extracting key parameters from the manufacturing process parameters; the step and the step 302 may be performed simultaneously, or the step 303 may be performed first, and then the step 302 is performed, and the execution order of the two steps is not limited in the embodiment of the present application. After receiving the manufacturing process parameters, the electronic device extracts key parameters from the manufacturing process parameters, for example: source IP address, destination IP address, function code, frequency, interval time, generation time period and other information.
Step 304: generating a corresponding matching rule according to the key parameters; and the electronic equipment generates a corresponding matching rule according to the extracted key parameters, wherein the matching rule can be stored in a josn format or other formats.
Step 305: and generating the process flow template according to the matching rule and the receiving time of the manufacturing process parameters corresponding to the matching rule. The electronic equipment combines the matching rules according to the receiving time of the manufacturing process parameters, so that a process flow template is formed.
Therefore, when the process flow template of a certain production process is not stored in the electronic equipment, the corresponding process flow template can be automatically generated according to the production line flow, namely, the corresponding process flow template can be generated after one-time process production is completed. In the process flow template, detailed procedures in the process flow, such as discharging materials, are described, and actually, communication is performed through a Modbus protocol, the sequence of control codes is x1, x2 and x3, the operation frequency (discharging materials may need to be placed for multiple times due to the limitation of the size of a container), the time interval, and the like, so as to obtain detailed information. And then carrying out the next procedure, smelting in an electric furnace, recording detailed information, and so on to generate a corresponding process flow template.
For the generated process flow template, an operator can also manually modify the standard parameters in the template, for example, the frequency of placing the raw material can be changed from twice to three times. The purpose of manual modification is to save time and space to the maximum extent so as to achieve the purpose of making the best use of things.
The process flow template is generated in an automatic learning mode, the workload of operators can be effectively reduced, the step of self-defining the template is omitted, and the template can be modified as required after learning.
According to the method and the device, the whole process flow is controlled to be sequentially executed through the process flow template, single-point detection is not needed, and the process flow of a production line is controlled more comprehensively.
Fig. 4 is a schematic flowchart of another method for detecting a rank order anomaly in an industrial control network according to an embodiment of the present application, and as shown in fig. 4, the method includes:
Step 407B: and returning to execute the next response message, and sending the response message to the electronic equipment by the monitoring APP, wherein the purpose of the response message is to enable the electronic equipment to use the next execution node in the process flow as the current execution node.
It should be noted that the execution of steps 401B-409B does not necessarily have to follow steps 401A-403A, if the target process flow template is already stored in the electronic device, the steps 401B to 409B may be directly performed.
According to the embodiment of the application, a set of production templates is generated or customized through learning, so that the production line flow safety coefficient is improved, single-point protection is moved to integral protection, and assets are protected from being damaged; in addition, the change of related parameters in the manufacturing process is more controllable, and the production flow can be optimized through a series of template parameters, so that the process is improved to a certain extent; meanwhile, more visual engineering progress information and positioning problem points are brought to an operator.
Fig. 5 is a schematic structural diagram of an apparatus for detecting an abnormal order in an industrial control network according to an embodiment of the present disclosure, where the apparatus may be a module, a program segment, or a code on an electronic device. It should be understood that the apparatus corresponds to the above-mentioned embodiment of the method in fig. 1, and can perform various steps related to the embodiment of the method in fig. 1, and the specific functions of the apparatus can be referred to the above description, and the detailed description is appropriately omitted here to avoid redundancy. The device comprises: an instruction receiving module 501, a rule obtaining module 502, a rule matching module 503 and an exception judging module 504, wherein:
the instruction receiving module 501 is configured to receive a control instruction, where the control instruction includes a production process identifier and an instruction parameter; the rule obtaining module 502 is configured to obtain a rule to be matched of a corresponding target process flow according to the production process identifier; the rule to be matched comprises a standard parameter corresponding to a node which needs to be executed currently in the target process flow; the rule matching module 503 is configured to match the instruction parameter with the rule to be matched, and obtain a matching result; the anomaly determination module 504 is configured to determine whether the industrial control network order is abnormal according to the matching result.
On the basis of the foregoing embodiment, the rule obtaining module 502 is specifically configured to:
acquiring a corresponding process flow template according to the production process identifier, and determining a current node to be executed according to the target process flow template;
and acquiring the rule to be matched corresponding to the current node to be executed.
On the basis of the above embodiment, the apparatus further includes a first processing module configured to:
and if the matching result represents that the order of the industrial control network is abnormal, blocking the control instruction.
On the basis of the above embodiment, the apparatus further includes a second processing module, configured to:
and if the matching result represents that the industrial control network is normal in order, sending the control instruction to production line equipment corresponding to the target process flow.
On the basis of the above embodiment, the apparatus further includes a log sending module, configured to:
and generating a log corresponding to the control instruction, and sending the log to the monitoring equipment.
On the basis of the above embodiment, the apparatus further includes a message receiving module, configured to:
and receiving a response message fed back by the monitoring equipment, and taking the next execution node as the current node to be executed.
On the basis of the above embodiment, the apparatus further includes a template generation module configured to:
receiving manufacturing process parameters sent by an operation station;
sending the manufacturing process parameters to corresponding process flow equipment;
extracting key parameters from the manufacturing process parameters;
generating a corresponding matching rule according to the key parameters;
and generating the process flow template according to the matching rule and the receiving time of the manufacturing process parameters corresponding to the matching rule.
Fig. 6 is a schematic structural diagram of an entity of an electronic device provided in an embodiment of the present application, and as shown in fig. 6, the electronic device includes: a processor (processor) 601, a memory (memory) 602, and a bus 603; wherein the content of the first and second substances,
the processor 601 and the memory 602 communicate with each other through the bus 603;
the processor 601 is configured to call the program instructions in the memory 602 to execute the methods provided by the above method embodiments, for example, including: receiving a control instruction, wherein the control instruction comprises a production process identifier and instruction parameters; acquiring a rule to be matched of a corresponding target process flow according to the production process identification; the rule to be matched comprises a standard parameter corresponding to a node which needs to be executed currently in the target process flow; matching the instruction parameters with the rule to be matched to obtain a matching result; and determining whether the industrial control network order is abnormal or not according to the matching result.
The processor 601 may be an integrated circuit chip having signal processing capabilities. The Processor 601 may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. Which may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The Memory 602 may include, but is not limited to, random Access Memory (RAM), read Only Memory (ROM), programmable Read Only Memory (PROM), erasable Read Only Memory (EPROM), electrically Erasable Read Only Memory (EEPROM), and the like.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the above-mentioned method embodiments, for example, comprising: receiving a control instruction, wherein the control instruction comprises a production process identifier and an instruction parameter; acquiring a rule to be matched of a corresponding target process flow according to the production process identification; the rule to be matched comprises a standard parameter corresponding to a node which needs to be executed currently in the target process flow; matching the instruction parameters with the rule to be matched to obtain a matching result; and determining whether the industrial control network order is abnormal or not according to the matching result.
The present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided by the above method embodiments, for example, including: receiving a control instruction, wherein the control instruction comprises a production process identifier and an instruction parameter; acquiring a rule to be matched of a corresponding target process flow according to the production process identification; the rule to be matched comprises a standard parameter corresponding to a node which needs to be executed currently in the target process flow; matching the instruction parameters with the rule to be matched to obtain a matching result; and determining whether the industrial control network order is abnormal or not according to the matching result.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described apparatus embodiments are merely illustrative, and for example, the division of the units into only one type of logical function may be implemented in other ways, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
Claims (10)
1. An industrial control network order abnormity detection method is characterized by comprising the following steps:
receiving a control instruction, wherein the control instruction comprises a production process identifier and instruction parameters;
acquiring a rule to be matched of a corresponding target process flow according to the production process identification; the rule to be matched comprises a standard parameter corresponding to a node which needs to be executed currently in the target process flow;
matching the instruction parameters with the rules to be matched to obtain matching results;
and determining whether the industrial control network order is abnormal or not according to the matching result.
2. The method according to claim 1, wherein the obtaining the rule to be matched of the corresponding target process flow according to the production process identifier comprises:
acquiring a corresponding target process flow template according to the production process identification, and determining a current node to be executed according to the target process flow template;
and acquiring the rule to be matched corresponding to the current node to be executed.
3. The method of claim 1, wherein after determining whether the industrial control network order is abnormal based on the matching result, the method further comprises:
and if the matching result represents that the order of the industrial control network is abnormal, blocking the control instruction.
4. The method of claim 1 or 2, wherein after determining whether the industrial control network order is abnormal according to the matching result, the method further comprises:
and if the matching result represents that the industrial control network is normal in order, sending the control instruction to production line equipment corresponding to the target process flow.
5. The method of claim 4, wherein after sending the control command to the in-line equipment corresponding to the target process flow, the method further comprises:
and generating a log corresponding to the control instruction, and sending the log to the monitoring equipment.
6. The method of claim 5, wherein after sending the log to a monitoring device, the method further comprises:
and receiving a response message fed back by the monitoring equipment, and taking the next execution node as the current node to be executed.
7. The method of claim 2, further comprising:
receiving manufacturing process parameters sent by an operation station;
sending the manufacturing process parameters to corresponding process flow equipment;
extracting key parameters from the manufacturing process parameters;
generating a corresponding matching rule according to the key parameters;
and generating the process flow template according to the matching rule and the receiving time of the manufacturing process parameters corresponding to the matching rule.
8. An industrial control network order abnormity detection device is characterized by comprising:
the instruction receiving module is used for receiving a control instruction, and the control instruction comprises a production process identifier and an instruction parameter;
the rule obtaining module is used for obtaining a rule to be matched of the corresponding target process flow according to the production process identification; the rule to be matched comprises a standard parameter corresponding to a node which needs to be executed currently in the target process flow;
the rule matching module is used for matching the instruction parameters with the rule to be matched to obtain a matching result;
and the abnormity judgment module is used for determining whether the industrial control network order is abnormal according to the matching result.
9. An electronic device, comprising: a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any one of claims 1-7.
10. A non-transitory computer-readable storage medium storing computer instructions which, when executed by a computer, cause the computer to perform the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210772314.8A CN115145230A (en) | 2022-06-30 | 2022-06-30 | Industrial control network order abnormity detection method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210772314.8A CN115145230A (en) | 2022-06-30 | 2022-06-30 | Industrial control network order abnormity detection method and device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115145230A true CN115145230A (en) | 2022-10-04 |
Family
ID=83410748
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210772314.8A Pending CN115145230A (en) | 2022-06-30 | 2022-06-30 | Industrial control network order abnormity detection method and device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115145230A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116449037A (en) * | 2023-06-16 | 2023-07-18 | 成都瀚辰光翼生物工程有限公司 | Flow state control method and device for biological detection |
-
2022
- 2022-06-30 CN CN202210772314.8A patent/CN115145230A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116449037A (en) * | 2023-06-16 | 2023-07-18 | 成都瀚辰光翼生物工程有限公司 | Flow state control method and device for biological detection |
| CN116449037B (en) * | 2023-06-16 | 2023-09-12 | 成都瀚辰光翼生物工程有限公司 | Flow state control method and device for biological detection |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7538664B2 (en) | Customized industrial alarms | |
| CN105337986A (en) | Credible protocol conversion method and credible protocol conversion system | |
| CN110912927A (en) | Method and device for detecting control message in industrial control system | |
| CN111869189A (en) | Network probe and method for processing message | |
| CN115145230A (en) | Industrial control network order abnormity detection method and device, electronic equipment and storage medium | |
| CN111600863B (en) | Network intrusion detection method, device, system and storage medium | |
| CN109450893B (en) | Network protection software method and system based on linux kernel | |
| CN109634813A (en) | Electronic device, cloud platform exception confirmation method and storage medium | |
| WO2019026310A1 (en) | Information processing device, information processing method, and information processing program | |
| CN104901833B (en) | A kind of method and device for the equipment that notes abnormalities | |
| US20220100179A1 (en) | Malware detection system | |
| CN110808962B (en) | Malformed data packet detection method and device | |
| US20200183340A1 (en) | Detecting an undefined action in an industrial system | |
| CN111427307B (en) | Industrial control abnormity detection method, device and equipment | |
| JPWO2015011827A1 (en) | Information processing apparatus, filtering system, filtering method, and filtering program | |
| TWM596496U (en) | Anomaly detection device and system of industrial control network with self-learning function | |
| JP2018006583A (en) | Component mounting machine and component mounting system | |
| WO2016038662A1 (en) | Information processing device, information processing method and program | |
| JP2020135346A (en) | Plant monitoring control system | |
| JP2003256036A (en) | Monitoring controller | |
| JP2019129412A (en) | Abnormal factor determination device, control system, and abnormal factor determination method | |
| EP4307146A1 (en) | Systems and methods for automatic security enforcement for industrial automation devices | |
| CN103310147B (en) | Factory's security control apparatus and management method | |
| CN113438231B (en) | Industrial protocol decoding method and device, electronic equipment and storage medium | |
| JP2008003873A (en) | Security monitoring system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |