CN115150197A - Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment - Google Patents

Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment Download PDF

Info

Publication number
CN115150197A
CN115150197A CN202211059710.2A CN202211059710A CN115150197A CN 115150197 A CN115150197 A CN 115150197A CN 202211059710 A CN202211059710 A CN 202211059710A CN 115150197 A CN115150197 A CN 115150197A
Authority
CN
China
Prior art keywords
data
instruction data
harmful
service request
analyzed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211059710.2A
Other languages
Chinese (zh)
Other versions
CN115150197B (en
Inventor
廖梦菁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Deep Top Technology Beijing Co ltd
Original Assignee
Deep Top Technology Beijing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Deep Top Technology Beijing Co ltd filed Critical Deep Top Technology Beijing Co ltd
Priority to CN202211059710.2A priority Critical patent/CN115150197B/en
Publication of CN115150197A publication Critical patent/CN115150197A/en
Application granted granted Critical
Publication of CN115150197B publication Critical patent/CN115150197B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Air Conditioning Control Device (AREA)

Abstract

The invention relates to a method and a system for defending instruction attack of UPS (uninterrupted Power supply) air conditioning equipment, wherein the method comprises the following steps: acquiring communication transmission service request data and service response data between the UPS air conditioning equipment and the upper computer; during operation and debugging, receiving service request data to be analyzed and service response data to be analyzed within preset time, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed; judging the service request data according to a white list to generate safety instruction data and harmful instruction data; processing the safety instruction data and the harmful instruction data; and analyzing the harmful instruction data record report. The service request data is judged by establishing the white list, the harmful instruction data is intercepted, the attack to the UPS air conditioning equipment is prevented, the harmful instruction is intercepted before the harmful instruction data is transmitted to the UPS air conditioning equipment, the harmful instruction attack is recognized in advance, and the safety is improved.

Description

Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment
Technical Field
The invention relates to the field of data processing, in particular to a method and a system for defending instruction attack of UPS (uninterrupted Power supply) air conditioning equipment.
Background
In the remote monitoring field of UPS air conditioning equipment, protocols such as SNMP, MODBUS are used to the host computer, data interaction is carried out with equipment through interfaces such as RS232, RS485, and when an attacker sends high-risk instructions to the equipment through modes such as holding the host computer, bypassing authority authentication, equipment abnormity, downtime and damage are caused, so in the key field of production data protection, the independent processing of industrial control equipment and intelligent power supply equipment is very important.
The patent with application number 201810637089.0 discloses an instruction security defense method, which comprises the following steps: step S1, response action information of target object equipment after the target object equipment executes a received target instruction is obtained; s2, judging whether the response action information meets a safety response rule corresponding to the target instruction or not, and judging whether the response action information meets a threat detection rule corresponding to the target instruction or not; if the response action information meets the safety response rule, executing a step S3; if the response action information is judged to meet the threat detection rule, executing a step S4; s3, sending prompt information to the target object equipment to prompt that the target instruction received by the target object equipment and the response of the target instruction are safe; step S4, sending reminding information to the target object equipment so that the target object equipment can isolate the target instruction from the self response action; the method further comprises the following steps: step S01, collecting the response information of each object device receiving the target instruction in the intranet in real time, wherein the response information comprises: response actions made by each object device receiving the target instruction; step S02a, aiming at each response action in the response information, screening out the response action which is a safety response to form the safety information of the target instruction; step S03a, according to the predetermined importance level of the target instruction in the intranet, determining the optimization updating period of the safety response rule corresponding to the target instruction, wherein the higher the importance level of the target instruction is, the shorter the optimization updating period is; step S04a, according to the safety information of the target instruction, optimizing and updating the safety response rule corresponding to the target instruction according to the optimization and updating period; after the step S01, the method further comprises: s02b, aiming at each response action in the response information, screening out the response action which is a threat response to form threat information of the target instruction; and S03b, optimizing and updating the threat detection rule corresponding to the target instruction according to the threat intelligence information of the target instruction and a preset period.
In the prior art, whether a target instruction is safe or not is judged by response action information of the target object equipment after the target instruction is executed by the target object equipment, equipment is possibly abnormal or damaged, harmful instruction attack cannot be recognized in advance, and the safety is low.
Disclosure of Invention
Therefore, the invention provides a method and a system for preventing command attacks of UPS (uninterrupted power supply) air conditioning equipment, which can solve the problems that harmful command attacks cannot be recognized in advance and the safety is low.
In order to achieve the above object, the present invention provides a method for protecting a UPS air conditioning device against command attacks, the method comprising:
the method comprises the steps that service data transmitted by communication between the UPS air conditioning equipment and an upper computer are obtained, the service data comprise service request data and service response data, the service request data are the service data sent to the UPS air conditioning equipment by the upper computer and comprise a plurality of instruction data, and the service response data are the service data which are received by the UPS air conditioning equipment and fed back to the upper computer;
during operation and debugging, receiving service request data to be analyzed and service response data to be analyzed within preset time, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed, wherein the white list comprises safety instruction data classification items;
judging the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data;
processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data, recording the harmful instruction data, and generating a harmful instruction data recording report;
and analyzing the harmful instruction data record report to obtain an analysis result, marking suspicious instruction data on the service request data before judging the service request data according to the analysis result, and preferentially judging the service request data marked as the suspicious instruction data according to a white list.
Further, when the white list is created, during operation debugging, receiving service request data to be analyzed sent to the UPS air conditioning equipment by the upper computer within preset time T1 and allowing the service request data to be analyzed to pass, recording sending time of the service request data to be analyzed, receiving service response data to be analyzed corresponding to the service request data to be analyzed within preset time T1, recording returning time of the service response data to be analyzed, simultaneously performing exhaustive sequence on response actions of the normally-operated UPS air conditioning equipment, and completing the white list according to the exhaustive response actions.
Further, recording the sending time T1 of the service request data to be analyzed, recording the returning time T2 of the service response data to be analyzed, wherein T2 is more than T1, calculating the time delta T of the UPS air conditioning equipment for executing the service request data to be analyzed, wherein delta T = T2-T1, comparing the execution time with the preset execution time T, wherein T is less than T1,
if T is less than delta T and less than T1, the time for executing the service request data to be analyzed by the UPS air conditioner exceeds the preset execution time, and the UPS air conditioner runs abnormally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be harmful service request data;
if the delta t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air conditioning equipment does not exceed the preset execution time, and the UPS air conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data.
Further, when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the UPS air conditioning equipment is abnormally operated when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data.
Further, after the safety service request data and the harmful service request data are judged, the safety service request data comprise a plurality of safety instruction data, any safety instruction data comprise a safety instruction data identifier, safety instruction data sending time and a safety instruction data sending end address, classification is carried out according to the safety instruction data identifier to obtain an actual safety instruction data classification item, meanwhile, the exhaustive response action is analyzed to obtain a safety instruction data classification item corresponding to the exhaustive response action, duplication removal is carried out on the actual safety instruction data classification item and the exhaustive safety instruction data classification item, and a white list is generated.
Further, when the service request data is judged according to the white list, a plurality of instruction data identifications of a plurality of instruction data in the service request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with the safe instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged to be safe instruction data, and if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged to be harmful instruction data.
Further, when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed through and continuously transmitted to the UPS air conditioning equipment, the harmful instruction data are intercepted, the transmission to the UPS air conditioning equipment is stopped, and harmful instruction data classification items, harmful instruction data identifiers, harmful instruction data sending time and harmful instruction data sending end addresses of the harmful instruction data are recorded, so that a harmful instruction data recording report is generated.
Further, when the harmful instruction data recording report is analyzed, the harmful instruction data is analyzed according to the harmful instruction data sending time and the harmful instruction data sending end address in the harmful instruction data recording report within the preset time T2,
when analyzing the transmission time of the harmful instruction data, the 24-hour day is divided into four time periods, 00:00:00-05:59: 59. 06:00:00-11:59: 59. 12:00:00-17:59:59 and 18:00:00-23:59:59, respectively labeled: in the morning, in the afternoon and in the evening, calculating the sending frequency of harmful instruction data in four time periods according to the sending time of the harmful instruction data to obtain a sending peak time and a sending peak time of the harmful instruction data, if M harmful instruction data are in total in a harmful instruction data recording report and N harmful instruction data exist in any time period, the sending frequency in any time period is f = N/M, the preset sending frequency f0 in any time period is judged, if f is more than f0, the any time period is judged to be the sending peak time of the harmful instruction data, and if f is not less than 0 and not more than f0, the any time period is judged to be the sending peak time of the harmful instruction data;
when harmful instruction data sending end addresses are analyzed, calculating the occurrence frequency of each harmful instruction data sending end address in a harmful instruction data recording report to obtain whether each harmful instruction data sending end address is a risk address, if the total number of the harmful instruction data sending end addresses in a preset time T2 is L, and the number of any harmful instruction data sending end address is Y, determining the occurrence frequency K = Y/L of any harmful instruction data sending end address, and the preset occurrence frequency K0 of any harmful instruction data sending end address, if K is more than K0, determining that any harmful instruction data sending end address is a risk address, and if K is more than 0 and less than or equal to K0, determining that any harmful instruction data sending end address is a safe address;
the analysis result is obtained that any time period is a harmful instruction data sending peak period, any harmful instruction data sending end address is a risk address and any harmful instruction data sending end address is a safe address, according to the analysis result, before judging a plurality of instruction data in the service request data, the plurality of instruction data in any time period in the peak period or the plurality of instruction data with the instruction data sending end address as the risk address are marked as suspicious instruction data, otherwise, the suspicious instruction data and the normal instruction data are not marked, the service request data marked as the suspicious instruction data are judged preferentially according to a white list, and the safe instruction data and the harmful instruction data are generated.
Further, the invention also provides a system for defending the UPS air conditioning equipment against command attacks, which comprises:
the acquisition module is used for acquiring service data transmitted by communication between the UPS air-conditioning equipment and the upper computer, wherein the service data comprises service request data and service response data, the service request data is the service data sent to the UPS air-conditioning equipment by the upper computer and comprises a plurality of instruction data, and the service response data is the service data which is received by the UPS air-conditioning equipment and fed back to the upper computer;
the generating module is used for receiving service request data to be analyzed and service response data to be analyzed within preset time during operation and debugging, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed, wherein the white list comprises safety instruction data classification items;
the judging module is used for judging the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data;
the first processing module is used for processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data, recording the harmful instruction data and generating a harmful instruction data recording report;
and the second processing module is used for analyzing the harmful instruction data record report to obtain an analysis result, marking the service request data with suspicious instruction data before judging the service request data according to the analysis result, and preferentially judging the service request data marked with the suspicious instruction data according to a white list.
The generation module is a module for autonomously generating a white list, and during the operation and debugging period, receives the service request data to be analyzed within the preset time and allows all the service request data to be analyzed to pass through, receives the service response data to be analyzed corresponding to the service request data to be analyzed, and analyzes the service request data to be analyzed and the service response data to be analyzed to obtain the actual safety instruction data classification items.
Compared with the prior art, the invention has the advantages that the service data transmitted by the communication between the UPS air-conditioning equipment and the upper computer is obtained, the service data comprises service request data and service response data, the service request data is the service data sent to the UPS air-conditioning equipment by the upper computer and comprises a plurality of instruction data, the service response data is the service data received by the UPS air-conditioning equipment and fed back to the upper computer, then the service request data to be analyzed and the service response data to be analyzed in the preset time are received during the operation debugging period, a white list is generated according to the service request data to be analyzed and the service response data to be analyzed, the white list comprises safety instruction data classification items, then the service request data is judged according to the safety instruction data classification items in the white list, and safety instruction data and harmful instruction data are generated, processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data and recording the harmful instruction data to generate a harmful instruction data recording report, finally analyzing the harmful instruction data recording report to obtain an analysis result, marking the service request data with suspicious instruction data before judging the service request data according to the analysis result, preferentially judging the service request data marked with the suspicious instruction data according to a white list, judging the service request data according to the safety instruction data classification items in the white list by establishing the white list, intercepting the judged harmful instruction data so as to prevent the attack to the UPS air conditioning equipment, and intercepting the harmful instruction data before transmitting the harmful instruction data to the UPS air conditioning equipment, the attack of harmful instructions is recognized in advance, and the safety is improved.
Particularly, when a white list is created, during the operation and debugging period, receiving service request data to be analyzed sent to the UPS air conditioning equipment by an upper computer within a preset time T1 and allowing the service request data to be analyzed to pass, recording the sending time of the service request data to be analyzed, receiving service response data to be analyzed corresponding to the service request data to be analyzed within the preset time T1, recording the returning time of the service response data to be analyzed, analyzing whether the operation of the UPS air conditioning equipment is abnormal or not according to the returning time of the returned service response data to be analyzed corresponding to the service request data to be analyzed by analyzing all the service request data to be analyzed within the preset time T1, further judging harmful service request data, sequentially exhausting the response actions of the UPS air conditioning equipment which normally operates, and preventing the white list from being incomplete due to the fact that the safe instruction data which may not appear during the debugging period is unsuccessful and preventing the harmful instruction data from being defensive according to the exhaustive response action.
Particularly, the sending time T1 of the service request data to be analyzed is recorded, the returning time T2 of the service response data to be analyzed is recorded, T2 is more than T1, the time delta T of the UPS air conditioning equipment for executing the service request data to be analyzed is calculated, delta T = T2-T1, the execution time is compared with the preset execution time T, if T is less than delta T and less than T1, the time of the UPS air conditioning equipment for executing the service request data to be analyzed exceeds the preset execution time, the UPS air conditioning equipment runs abnormally, and the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be harmful service request data; if t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air-conditioning equipment does not exceed the preset execution time, and the UPS air-conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data, whether the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data or not is judged according to the return time of the service response data to be analyzed, and then the white list is established.
Particularly, when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the UPS air conditioning equipment is abnormally operated when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data, and the judgment of the harmful service request data and the safe service request data is more accurate by analyzing that the service response data to be analyzed is not received all the time.
Particularly, after the safety service request data and the harmful service request data are judged, the safety service request data comprise a plurality of safety instruction data, any safety instruction data comprise a safety instruction data identifier, safety instruction data sending time and a safety instruction data sending end address, classification is carried out according to the safety instruction data identifier to obtain an actual safety instruction data classification item, the exhaustive response action is analyzed to obtain a safety instruction data classification item corresponding to the exhaustive response action, duplication elimination is carried out on the actual safety instruction data classification item and the exhaustive safety instruction data classification item to generate a white list, the harmful instruction data can be effectively intercepted through setting the white list, the potential safety hazard of the UPS air conditioning equipment is further reduced, the actual safety instruction data classification item and the exhaustive safety instruction data classification item are subjected to duplication elimination, and the white list is completed according to the exhaustive response action to prevent the harmful instruction data which may not appear during debugging from causing incomplete white list and causing harmful instruction data defense.
Particularly, when the service request data is judged according to the white list, a plurality of instruction data identifications of a plurality of instruction data in the service request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with safety instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged to be safety instruction data, if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged to be harmful instruction data, whether the instruction data are the safety instruction data or not is judged by matching the instruction data classification entries obtained from the service request data with the safety instruction data entries in the white list, the harmful instruction data are intercepted in time, the UPS air conditioning equipment is prevented from being damaged in time, and the safety is improved.
Particularly, when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed through and continuously transmitted to the UPS air conditioning equipment, the harmful instruction data are intercepted, the transmission to the UPS air conditioning equipment is stopped, harmful instruction data classification items, harmful instruction data identifiers, harmful instruction data sending time and harmful instruction data sending end addresses of the harmful instruction data are recorded, a harmful instruction data recording report is generated, the harmful instruction data are intercepted, the harmful instruction data are effectively prevented from attacking the UPS air conditioning equipment, a white list is utilized for intercepting, and the safety is effectively improved.
Particularly, when the harmful instruction data recording report is analyzed, a harmful instruction data sending time and a harmful instruction data sending end address in the harmful instruction data recording report are analyzed within a preset time T2 to obtain a harmful instruction data sending peak period and a risk address of the harmful instruction data sending end address, before a plurality of instruction data in service request data are judged, the plurality of instruction data in any time period of the peak period or the plurality of instruction data with the instruction data sending end address as the risk address are marked as suspicious instruction data, the service request data marked as the suspicious instruction data are judged preferentially, the efficiency of identifying the harmful instruction data is improved, and the harmful instruction data are identified more accurately.
Particularly, the acquiring module acquires service data transmitted by communication between the UPS air-conditioning equipment and the upper computer, the service data comprises service request data and service response data, the service request data is the service data sent to the UPS air-conditioning equipment by the upper computer and comprises a plurality of instruction data, the service response data is the service data received by the UPS air-conditioning equipment and fed back to the upper computer, the generating module receives the service request data to be analyzed and the service response data to be analyzed within a preset time during operation and debugging, a white list is generated according to the service request data to be analyzed and the service response data to be analyzed, the white list comprises safety instruction data classification items, the judging module judges the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data, the first processing module processes the safety instruction data and the harmful instruction data, the safety instruction data are passed through, the harmful instruction data are intercepted and recorded, a harmful instruction data recording report is generated, the second processing module analyzes the harmful instruction data recording report to obtain an analysis result, suspicious instruction data marking is carried out on the service request data before the service request data are judged according to the analysis result, the service request data marked as the suspicious instruction data are judged preferentially according to a white list, the service request data are judged according to the classified items of the safety instruction data in the white list by establishing the white list, the judged harmful instruction data are intercepted, further, the attack to the UPS air conditioning equipment is prevented, and the harmful instruction data are intercepted before being transmitted to the UPS air conditioning equipment, the attack of harmful instructions is recognized in advance, and the safety is improved.
The generation module is a module for automatically generating a white list, receives service request data to be analyzed within preset time and allows all the service request data to pass through during operation and debugging, receives service response data to be analyzed corresponding to the service request data to be analyzed, analyzes the service request data to be analyzed and the service response data to be analyzed to obtain actual safety instruction data classification items, and comprises a receiving unit and a white list generation unit, wherein the receiving unit is used for receiving the service request data to be analyzed and the service response data to be analyzed within the preset time during operation and debugging, the white list generation unit is used for analyzing the service request data to be analyzed and the service response data to be analyzed to obtain actual safety instruction data classification items, and simultaneously analyzes the exhaustive response actions to obtain safety instruction data classification items corresponding to the exhaustive response actions, and de-duplicates the actual safety instruction data classification items and the exhaustive safety instruction data classification items, the generated white list is generated during early operation through the generation module, so that harmful instruction data can be effectively intercepted according to the white list, thereby reducing the safety hazard of the air conditioning equipment, and preventing the potential safety instruction data classification items from being completely eliminated during operation and avoiding the occurrence of the harmful instructions.
Drawings
Fig. 1 is an application scenario of a method for protecting a UPS air conditioning device from command attacks according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a method for defending against command attacks of the UPS air conditioning equipment according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a system for protecting against command attacks of the UPS air conditioning equipment according to the embodiment of the present invention;
fig. 4 is a schematic structural diagram of an apparatus for protecting a UPS air conditioning device from command attacks according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a single-chip microcomputer device operated by an apparatus for protecting a UPS air conditioner against command attacks according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principles of the present invention, and do not limit the scope of the present invention.
It should be noted that in the description of the present invention, the terms of direction or positional relationship indicated by the terms "upper", "lower", "left", "right", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, which are only for convenience of description, and do not indicate or imply that the device or element must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Referring to fig. 1, an application scenario of the method for protecting the UPS air conditioning equipment from command attacks according to the embodiment of the present invention includes a UPS air conditioning equipment 101, a security filtering equipment 102, and an upper computer 103, where the UPS air conditioning equipment and the security filtering equipment communicate with each other, the security filtering equipment and the upper computer communicate with each other, the UPS air conditioning equipment and the security filtering equipment communicate with each other in a wired communication manner by connecting a serial port line, the security filtering equipment and the upper computer communicate with each other in a wired communication manner or in a mobile communication manner, the wired communication manner communicates with each other by connecting a network line, and the mobile communication manner communicates with each other in a 4G or 5G manner;
the UPS air conditioning equipment is used for receiving service request data and sending a device terminal of service response data, the service request data comprise harmful instruction data, the safety filter device is a processing device for the UPS air conditioning equipment to defend against the attack of the harmful instruction data, the safety filter device receives the service request data sent by the upper computer to process and then sends the processed data to the UPS air conditioning equipment, the safety filter device further transmits the received service response data sent by the UPS air conditioning equipment to the upper computer, the upper computer refers to a terminal device or a server which is responsible for sending the service request data, and the server is a local server or a cloud server.
Referring to fig. 2, a method for defending against command attacks of a UPS air conditioning device according to an embodiment of the present invention includes:
step 110, acquiring service data transmitted by communication between the UPS air conditioning equipment and the upper computer, wherein the service data comprises service request data and service response data, the service request data is service data sent to the UPS air conditioning equipment by the upper computer and comprises a plurality of instruction data, and the service response data is service data which is received by the UPS air conditioning equipment and fed back to the upper computer;
step 120, during the operation and debugging, receiving service request data to be analyzed and service response data to be analyzed within preset time, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed, wherein the white list comprises safety instruction data classification items;
step 130, judging the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data;
step 140, processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data, recording the harmful instruction data, and generating a harmful instruction data recording report;
step 150, analyzing the harmful instruction data record report to obtain an analysis result, marking the service request data with suspicious instruction data before judging the service request data according to the analysis result, and preferentially judging the service request data marked with suspicious instruction data according to a white list.
Specifically, the embodiment of the present invention obtains service data transmitted by communication between the UPS air conditioning equipment and the upper computer, where the service data includes service request data and service response data, the service request data is the service data sent to the UPS air conditioning equipment by the upper computer and includes a plurality of instruction data, the service response data is the service data received by the UPS air conditioning equipment and fed back to the upper computer, then during operation and debugging, the service request data to be analyzed and the service response data to be analyzed within a preset time are received, a white list is generated according to the service request data to be analyzed and the service response data to be analyzed, the white list includes safety instruction data classification entries, and then the service request data is judged according to the safety instruction data classification entries in the white list to generate safety instruction data and harmful instruction data, processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data and recording the harmful instruction data to generate a harmful instruction data recording report, finally analyzing the harmful instruction data recording report to obtain an analysis result, marking the service request data with suspicious instruction data before judging the service request data according to the analysis result, preferentially judging the service request data marked with the suspicious instruction data according to a white list, judging the service request data according to the safety instruction data classification items in the white list by establishing the white list, intercepting the judged harmful instruction data so as to prevent the attack to the UPS air conditioning equipment, and intercepting the harmful instruction data before transmitting the harmful instruction data to the UPS air conditioning equipment, the attack of harmful instructions is recognized in advance, and the safety is improved.
Specifically, when a white list is created, during operation and debugging, to-be-analyzed service request data sent to the UPS air conditioning equipment by an upper computer within preset time T1 is received, the to-be-analyzed service request data is allowed to pass through, the sending time of the to-be-analyzed service request data is recorded, to-be-analyzed service response data corresponding to the to-be-analyzed service request data is received within preset time T1, the returning time of the to-be-analyzed service response data is recorded, meanwhile, response actions of the normally-operated UPS air conditioning equipment are sequentially exhausted, and the white list is completed according to the exhausted response actions.
Specifically, the operation debugging is carried out in the early stage of operating the upper computer and the UPS air conditioning equipment, and a white list is established in the operation debugging period so as to carry out harmful instruction data defense according to the white list in the later-stage formal operation.
Specifically, when a white list is created, during operation and debugging, to-be-analyzed service request data sent to the UPS air conditioning equipment by an upper computer within a preset time T1 is received, the to-be-analyzed service request data is allowed to pass, the sending time of the to-be-analyzed service request data is recorded, to-be-analyzed service response data corresponding to the to-be-analyzed service request data is received within the preset time T1, the returning time of the to-be-analyzed service response data is recorded, all the passing through to-be-analyzed service request data within the preset time T1 are analyzed, whether the operation of the UPS air conditioning equipment is abnormal or not is analyzed according to the returning time of the to-be-analyzed service response data corresponding to the to-be-analyzed service request data, and then harmful service request data is judged, response actions of the normally-operated UPS air conditioning equipment are sequentially exhausted, and the white list is completed according to exhaustive response actions, so that the white list is prevented from being incomplete due to the fact that harmful instruction data defense is unsuccessful.
Specifically, the sending time T1 of the service request data to be analyzed is recorded, the returning time T2 of the service response data to be analyzed is recorded, T2 is more than T1, the time delta T of the UPS air conditioning equipment for executing the service request data to be analyzed is calculated, wherein delta T = T2-T1, the execution time is compared with the preset execution time T, wherein T is less than T1,
if T is less than delta T and less than T1, the time for executing the service request data to be analyzed by the UPS air conditioning equipment exceeds the preset execution time, and the operation of the UPS air conditioning equipment is abnormal, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be harmful service request data;
if the delta t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air conditioning equipment does not exceed the preset execution time, and the UPS air conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data.
Specifically, the embodiment of the present invention records the sending time T1 of the service request data to be analyzed, records the returning time T2 of the service response data to be analyzed, where T2 is greater than T1, calculates the time Δ T for the UPS air conditioning equipment to execute the service request data to be analyzed, where Δ T = T2-T1, compares the execution time with the preset execution time T, and if T is less than Δ T and less than T1, it indicates that the time for the UPS air conditioning equipment to execute the service request data to be analyzed exceeds the preset execution time, and the UPS air conditioning equipment runs abnormally, and determines that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data; if t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air-conditioning equipment does not exceed the preset execution time, and the UPS air-conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data, whether the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data or not is judged according to the return time of the service response data to be analyzed, and then the white list is established.
Specifically, when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the UPS air conditioning equipment is abnormally operated when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data.
Specifically, when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the UPS air conditioning equipment is abnormally operated when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data, and by analyzing that the service response data to be analyzed is not received all the time, the determination of the harmful service request data and the safe service request data is more accurate.
Specifically, after the safety service request data and the harmful service request data are judged, the safety service request data comprise a plurality of safety instruction data, any safety instruction data comprise a safety instruction data identifier, safety instruction data sending time and a safety instruction data sending end address, classification is carried out according to the safety instruction data identifier to obtain an actual safety instruction data classification item, meanwhile, the exhaustive response action is analyzed to obtain a safety instruction data classification item corresponding to the exhaustive response action, duplication removal is carried out on the actual safety instruction data classification item and the exhaustive safety instruction data classification item, and a white list is generated.
Specifically, if the safety instruction data identifier of any safety instruction data in the safety service request data is Q1< cr >, the safety instruction data identifier is classified as a query instruction according to the safety instruction data identifier, and the safety instruction data classified items in the white list are the query instruction.
Specifically, after the safety service request data and the harmful service request data are judged, the safety service request data comprise a plurality of safety instruction data, any safety instruction data comprise a safety instruction data identifier, safety instruction data sending time and a safety instruction data sending end address, classification is performed according to the safety instruction data identifier to obtain an actual safety instruction data classification item, meanwhile, an exhaustive response action is analyzed to obtain a safety instruction data classification item corresponding to the exhaustive response action, duplication removal is performed on the actual safety instruction data classification item and the exhaustive safety instruction data classification item to generate a white list, the harmful instruction data can be effectively intercepted through setting the white list, the potential safety hazard of the air conditioning equipment is further reduced, duplication removal is performed on the actual safety instruction data classification item and the exhaustive safety instruction data classification item, and the situation that the white list is incomplete due to the safety instruction data which may not appear during debugging is prevented according to the exhaustive response action soundness white list, and the harmful instruction data defense is not successful is further.
Specifically, when the service request data is judged according to the white list, a plurality of instruction data identifiers of a plurality of instruction data in the service request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with safety instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged to be safety instruction data, and if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged to be harmful instruction data.
Specifically, in the service request data, if the instruction data of the instruction data are identified as Q1< cr >, S < n > < cr > and TL < cr >, wherein < cr > is identified as an instruction, Q1, S and TL are query, shutdown and test, classification is performed according to the instruction data identification to obtain instruction data classification entries as a query instruction, a shutdown instruction and a test instruction, the instruction data entry is matched with the safe instruction data entry in the white list, the instruction data of the shutdown instruction and the test instruction which are not matched are determined as harmful instruction data, and the instruction data of the matched query instruction are determined as safe instruction data.
Specifically, when the service request data is judged according to the white list, a plurality of instruction data identifiers of a plurality of instruction data in the service request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with safety instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged to be safety instruction data, if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged to be harmful instruction data, whether the instruction data are the safety instruction data or not is judged by matching the instruction data classification entries obtained in the service request data with the safety instruction data entries in the white list, the harmful instruction data are intercepted in time, the UPS air conditioning equipment is prevented from being damaged in time, and the safety is improved.
Specifically, when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed through, the safety instruction data are continuously transmitted to the UPS air conditioning equipment, the harmful instruction data are intercepted, the transmission to the UPS air conditioning equipment is stopped, harmful instruction data classification items, harmful instruction data identifications, harmful instruction data sending time and harmful instruction data sending end addresses of the harmful instruction data are recorded, and a harmful instruction data recording report is generated.
Specifically, when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed through and continuously transmitted to the UPS air conditioning equipment, the harmful instruction data are intercepted, the transmission to the UPS air conditioning equipment is stopped, the harmful instruction data classification items, the harmful instruction data identification, the harmful instruction data sending time and the harmful instruction data sending end address of the harmful instruction data are recorded, a harmful instruction data recording report is generated, the harmful instruction data are intercepted, the harmful instruction data are effectively prevented from attacking the UPS air conditioning equipment, a white list is utilized for intercepting, and the safety is effectively improved.
Specifically, when the harmful instruction data recording report is analyzed, the harmful instruction data is analyzed according to the sending time of the harmful instruction data and the sending address of the harmful instruction data in the harmful instruction data recording report within the preset time T2,
when analyzing the transmission time of the harmful instruction data, the 24-hour day is divided into four time periods, 00:00:00-05:59: 59. 06:00:00-11:59: 59. 12:00:00-17:59:59 and 18:00:00-23:59:59, labeled respectively as: in the morning, in the afternoon and in the evening, calculating the sending frequency of harmful instruction data in four time periods according to the sending time of the harmful instruction data to obtain a sending peak time and a sending peak time of the harmful instruction data, if M harmful instruction data are in total in a harmful instruction data recording report and N harmful instruction data exist in any time period, the sending frequency in any time period is f = N/M, the preset sending frequency f0 in any time period is judged, if f is more than f0, the any time period is judged to be the sending peak time of the harmful instruction data, and if f is not less than 0 and not more than f0, the any time period is judged to be the sending peak time of the harmful instruction data;
when harmful instruction data sending end addresses are analyzed, calculating the occurrence frequency of each harmful instruction data sending end address in a harmful instruction data recording report to obtain whether each harmful instruction data sending end address is a risk address, if the total number of the harmful instruction data sending end addresses in a preset time T2 is L, and the number of any harmful instruction data sending end address is Y, determining the occurrence frequency K = Y/L of any harmful instruction data sending end address, and the preset occurrence frequency K0 of any harmful instruction data sending end address, if K is more than K0, determining that any harmful instruction data sending end address is a risk address, and if K is more than 0 and less than or equal to K0, determining that any harmful instruction data sending end address is a safe address;
the analysis result is obtained that any time period is a harmful instruction data sending peak period, any harmful instruction data sending end address is a risk address and any harmful instruction data sending end address is a safe address, according to the analysis result, before judging a plurality of instruction data in the service request data, the plurality of instruction data in any time period in the peak period or the plurality of instruction data with the instruction data sending end address as the risk address are marked as suspicious instruction data, otherwise, the suspicious instruction data and the normal instruction data are not marked, the service request data marked as the suspicious instruction data are judged preferentially according to a white list, and the safe instruction data and the harmful instruction data are generated.
Specifically, when the harmful instruction data record report is analyzed, the harmful instruction data sending time and the harmful instruction data sending end address in the harmful instruction data record report are analyzed within the preset time T2 to obtain the harmful instruction data sending peak and the risk address of the harmful instruction data sending end address, before the plurality of instruction data in the service request data are judged, the plurality of instruction data in any time period of the peak or the plurality of instruction data with the instruction data sending end address as the risk address are marked as suspicious instruction data, and the service request data marked as suspicious instruction data are judged preferentially, so that the efficiency of identifying the harmful instruction data is improved, and the harmful instruction data are identified more accurately.
Referring to fig. 3, an embodiment of the present invention further provides a system for protecting a UPS air conditioning device from command attacks, where the system includes:
the acquiring module 210 is configured to acquire service data transmitted by communication between the UPS air-conditioning equipment and the upper computer, where the service data includes service request data and service response data, the service request data is service data sent by the upper computer to the UPS air-conditioning equipment and includes a plurality of instruction data, and the service response data is service data received by the UPS air-conditioning equipment and fed back to the upper computer;
the generating module 220 is configured to receive service request data to be analyzed and service response data to be analyzed within a preset time during operation and debugging, and generate a white list according to the service request data to be analyzed and the service response data to be analyzed, where the white list includes safety instruction data classification items;
the judging module 230 is configured to judge the service request data according to the safety instruction data classification entries in the white list, and generate safety instruction data and harmful instruction data;
the first processing module 240 is configured to process the safety instruction data and the harmful instruction data, pass the safety instruction data, intercept the harmful instruction data, record the harmful instruction data, and generate a harmful instruction data record report;
the second processing module 250 is configured to analyze the harmful instruction data record report to obtain an analysis result, mark suspicious instruction data on the service request data before determining the service request data according to the analysis result, and preferentially determine the service request data marked as the suspicious instruction data according to a white list.
Specifically, the system is applied to safety filter equipment between UPS air conditioning equipment and an upper computer, the upper computer sends service request data to intercept harmful instruction data through the safety filter equipment, the service request data of the safety instruction data are transmitted to the UPS air conditioning equipment, and the UPS air conditioning equipment receives the service request data, returns service response data to the safety filter equipment and transmits the service response data to the upper computer.
Specifically, in the embodiment of the present invention, an obtaining module obtains service data transmitted by communication between a UPS air conditioning device and an upper computer, where the service data includes service request data and service response data, the service request data is service data sent to the UPS air conditioning device by the upper computer and includes a plurality of instruction data, the service response data is service data received by the UPS air conditioning device and fed back to the upper computer, a generating module receives service request data to be analyzed and service response data to be analyzed within a preset time during a running and debugging period, and generates a white list according to the service request data to be analyzed and the service response data to be analyzed, where the white list includes safety instruction data classification items, and a determining module determines the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data, the first processing module processes the safety instruction data and the harmful instruction data, the safety instruction data are passed through, the harmful instruction data are intercepted and recorded, a harmful instruction data recording report is generated, the second processing module analyzes the harmful instruction data recording report to obtain an analysis result, suspicious instruction data marking is carried out on the service request data before the service request data are judged according to the analysis result, the service request data marked as the suspicious instruction data are judged preferentially according to a white list, the service request data are judged according to the classified items of the safety instruction data in the white list by establishing the white list, the judged harmful instruction data are intercepted, further, the attack to the UPS air conditioning equipment is prevented, and the harmful instruction data are intercepted before being transmitted to the UPS air conditioning equipment, the attack of harmful instructions is recognized in advance, and the safety is improved.
Specifically, the generation module is a module for autonomously generating a white list, receives service request data to be analyzed within preset time and allows all the service request data to be analyzed to pass through during operation and debugging, receives service response data to be analyzed corresponding to the service request data to be analyzed, analyzes the service request data to be analyzed and the service response data to be analyzed to obtain actual safety instruction data classification items, and includes a receiving unit and a white list generation unit, wherein the receiving unit is used for receiving the service request data to be analyzed and the service response data to be analyzed within preset time during operation and debugging, the white list generation unit is used for analyzing the service request data to be analyzed and the service response data to be analyzed to obtain actual safety instruction data classification items, and simultaneously analyzes the exhaustive response actions to obtain safety instruction data classification items corresponding to the exhaustive response actions, and deduplicates the actual safety instruction data classification items and the exhaustive safety instruction data classification items to generate the white list.
Specifically, in the embodiment of the present invention, the generation module is a module for autonomously generating a white list, during the operation and debugging period, receiving service request data to be analyzed within a preset time and allowing all of the received service request data to pass through, receiving service response data to be analyzed corresponding to the service request data to be analyzed, analyzing the service request data to be analyzed and the service response data to be analyzed within the preset time to obtain an actual safety instruction data classification entry, and during the operation and debugging period, the reception unit is configured to receive the service request data to be analyzed and the service response data to be analyzed within the preset time, the white list generation unit is configured to analyze the service request data to be analyzed and the service response data to be analyzed to obtain an actual safety instruction data classification entry, and simultaneously analyze the exhaustive response action to obtain a safety instruction data classification entry corresponding to the exhaustive response action, perform deduplication on the actual safety instruction data classification entry and the exhaustive safety instruction data classification entry, generate the white list, and generate the white list during the previous operation period through the generation module, so that the safety instruction data classification entry and the hazardous data classification entry of the UPS are intercepted effectively according to the white list, thereby preventing the hazardous data from the hazardous condition of the safety instruction data during the operation, and the hazardous condition of the healthy instruction data classification entry, and the hazardous condition of the healthy instruction during the healthy list during the normal operation.
The application field of the method for defending the UPS air conditioning equipment against the command attack provided by the embodiment of the invention is briefly introduced as follows:
in the field of remote monitoring of UPS air-conditioning equipment, an attacker usually bypasses authority verification by using bugs of some equipment, systems and protocols, carries attack instructions in service request data to form an attack, is limited by the size and performance limitations of edge-side terminal equipment, cannot establish a complete firewall to resist malicious attacks, and has increasingly strong requirements for remote monitoring along with rapid development of cloud computing technology and internet of things technology, and also puts higher requirements on robustness of UPS air-conditioning equipment.
In order to defend against harmful instruction attacks in the field of remote monitoring of UPS air conditioning equipment, the application provides a defense method which obtains all communication data, classifies all instructions according to a preset white list, intercepts and records the recognized harmful instruction data, and passes other safe instruction data.
The command for the upper computer to communicate with the UPS air conditioner can be various, and three of the commands are taken as an example for introduction:
query instructions for a certain type of UPS: q1< cr >, UPS return: (208.4.140.0.208.4 034.9.2.05.35.0 00110000 is constructed as cr >, which means that the input voltage is 208.4V, the input voltage error threshold is 140.0V, the output voltage is 208.4V, the output current (load) is 34%, the input frequency is 59.9 HZ, the cell voltage of the battery is 2.05V, the temperature is 35.0 ℃, the UPS is online, the UPS is in a fault state, a bypass state and a shutdown state, and the instruction is used for inquiring and obtaining the operation parameters of the UPS, which generally does not bring about potential safety hazard.
Shutdown instructions for a certain type of UPS: s < n > < cr >, the UPS performs the actions of: the UPS is powered off in the period of < n > minutes, and even if commercial power is still input, the command can force the UPS to be powered off, so that potential safety hazards exist.
Test instructions of a certain type of UPS: TL < cr >, UPS performs the actions: the battery low-voltage state is automatically tested, then the battery is recovered to a normal commercial power state, the self-test is that the UPS is switched to supply power for the battery to carry out power supply test, the battery can be discharged through the instruction, the system cannot reach the expected backup time, and potential safety hazards exist.
It should be noted that the service request data is not limited to the above three instructions, and the instructions are divided into harmful instruction data and harmless instruction data by establishing a white list, so as to intercept and record the harmful instruction data and protect the system security.
The application scenario of the processing method for preventing the UPS air-conditioning equipment from the harmful instruction attack is explained as follows: the scene comprises UPS air conditioning equipment, safety filtering equipment and an upper computer,
the UPS air conditioning equipment and the safety filter equipment can be communicated, the safety filter equipment and the upper computer can be communicated, the precision air conditioning equipment and the safety filter equipment can be communicated in a wired communication mode through a connecting serial port line, and the safety filter equipment and the upper computer can be communicated in a wired communication mode, for example, the safety filter equipment and the upper computer can be communicated in a connecting network line or in a mobile communication mode, wherein the mobile communication mode is communication in a 4G,5G mode.
The UPS air conditioning equipment is used for receiving service request data and sending equipment terminals of service response data, the safety filtering equipment is a processing device for defending the UPS air conditioning equipment against harmful instruction attacks, the upper computer is terminal equipment or a server and the like which are responsible for processing and analyzing in the monitoring of the UPS air conditioner, and the server can be a local server or a cloud server and the like.
The method for defending the UPS air conditioning equipment against command attack provided by the embodiment of the invention comprises the following steps:
step S201, obtaining each data communicated between the UPS air conditioner and the upper computer, wherein the data comprises service request data and service response data, and the service request data carries data associated with an attack instruction;
specifically, each data of communication between the UPS air conditioners and the upper computers is obtained, specifically, the data sent by all the upper computers are monitored, the service request data are obtained, the data sent by all the UPS air conditioners are monitored, and the service response data are obtained.
Step S202, a white list is established according to preset classification conditions, all service request data are classified, and a safety instruction data classification set and a harmful instruction data classification set are obtained, wherein the preset classification conditions are generated by one of the following modes: manually presetting a white list; normally working for a period of time in a safe environment, recording all service request data, and generating a white list according to all the appeared service request data;
and step S203, distinguishing the safety instruction data and the harmful instruction data according to the white list, respectively processing, intercepting and recording the harmful instruction data, and allowing the safety instruction data to pass through and normally communicating.
Specifically, the preset white list classification condition in the embodiment of the invention is that from the perspective of a UPS air conditioning equipment manufacturer, instructions which are dangerous and interfering with the normal operation of the equipment are intercepted and filtered, so that the client can be ensured to safely and normally use the remote monitoring function of the equipment; the security filtering is carried out on a transmission layer, the security filtering is superior to an application layer, the network layer authority level and the system level protection, in the field of UPS air conditioner remote monitoring, attackers usually utilize certain equipment, system and protocol bugs to bypass authority verification, attack instructions are carried in service request data to form attacks, the attacks are limited by the size of edge side terminal equipment, performance limitation is caused, a complete firewall cannot be established to resist malicious attacks, the security filtering is carried out by utilizing a white list mechanism on the transmission layer, the system security is improved to a certain extent, meanwhile, the intervention surface is small, and the cost and the efficiency are better.
Based on the application scene of the processing method for preventing the UPS air conditioning equipment from the harmful instruction attack, the interaction process among the equipment is illustrated as follows:
the upper computer sends service request data to the UPS air conditioning equipment, the service request data are acquired by the safety filter card, the safety filter card classifies the service request data, harmful instruction data are intercepted and recorded, the harmful instruction data are identified to be that the harmful instruction data cannot reach the UPS air conditioning equipment, damage to a system is avoided, communication is allowed for the safety instruction data, the safety instruction data are sent to the UPS air conditioning equipment, and services are normally processed.
The UPS air conditioning equipment sends service response data to the upper computer, the service response data are acquired by the security filter card, the security filter card allows communication of the service response data, the service response data are sent to the upper computer, and the service is processed normally.
The data interaction process among the UPS air conditioning equipment, the safety filter card and the upper computer in the embodiment of the invention mainly comprises the following steps:
step S21, the upper computer sends service request data to the UPS air conditioning equipment;
specifically, when the upper computer is in program control or manual operation, the upper computer sends service request data to the UPS air conditioning equipment, including querying an operation state parameter, controlling an operation state of the equipment, and the like.
Step S22, the security filter card acquires the data;
specifically, when the upper computer sends service request data to the UPS air conditioning equipment, the security filter card acquires the data.
And S23, classifying the service request data by the security filter card according to the white list.
Specifically, after acquiring service request data sent by an upper computer to the UPS air conditioning equipment, the security filter card filters the service request data, where the service request data includes three examples and other similar instructions, and a query instruction: q1< cr >, shutdown command: s < n > < cr >, test instruction: TL < cr >, the safety filter card determines whether the request data is in the safety white list according to the white list, namely, whether the request data belongs to harmful instruction data is judged, such as forced shutdown, bypass switching and the like, and the white list is established by adopting the manual input and automatic learning generation modes.
And step S24, for harmful instruction data, the safety filter card intercepts the instruction and generates a harmful instruction data record report.
Specifically, after classifying service request data sent by an upper computer to the UPS air conditioning equipment, the safety filter card intercepts and records harmful instruction data to generate a harmful instruction data recording report, and instructions intercepted by the safety filter card cannot reach the UPS air conditioning equipment any more.
The embodiment of the application provides a processing device for preventing command attack of UPS air-conditioning equipment, which is equivalent to a safety filter card and realizes the corresponding function of a method for preventing command attack of UPS air-conditioning equipment. Referring to fig. 4, the apparatus includes a power control module 301, a program programming and debugging control module 302, an obtaining module 303, a white list resetting control module 304, a white list autonomous learning control module 305, a processing module 306, and a bypass module 307, wherein,
the power supply control module controls a 9V direct-current power supply to be used as the power supply input of the device;
the program programming and debugging control module is used for accessing an upper computer to control manual white list creation, device firmware updating and device debugging, the module only allows physical direct connection, and does not access a network, so that the device is prevented from becoming another potential safety hazard point;
the acquisition module is used for acquiring service request data transmitted to the UPS air conditioning equipment by the upper computer and acquiring service response data transmitted to the upper computer by the UPS air conditioning equipment;
the white list resetting control module is used for erasing and resetting the white list which is manually created or generated by self-learning and applying the white list to the condition of wrong entry of the white list;
the white list autonomous learning control module is used for recording all service request data during the period when the device normally works in a safe environment for a period of time and generating a safe white list according to all the appeared service request data;
specifically, the white list autonomous learning control module works normally in a safe environment for a period of time, the autonomous learning module records all service request data during the period, and generates a safe white list according to all the appeared service request data, so that inconvenience in manual white list entry is avoided, the labor cost is reduced, and the applicability of the device is improved.
A processing module, for the data acquired by the acquisition module, the processing module being configured to:
for service request data, respectively determining whether each service request is in a safe white list;
service requests which are not in the white list are marked as harmful instruction data, interception is carried out, and harmful instructions are prevented from reaching the UPS air conditioning equipment end;
and recording the intercepted harmful instructions, including the data type of the harmful instructions, the sending time and the address of a sending end, regularly carrying out health examination by combining data records, judging the risk level of the system and probing weak links of the system.
A bypass module, the bypass module specifically configured to:
switching to another data transmission line that allows all traffic response data to pass through for traffic request data in special cases, including: and the processing module intercepts the function abnormity and needs debugging.
Referring to fig. 5, an embodiment of the present invention further provides a one-chip microcomputer apparatus,
the processing device for protecting the UPS air conditioner against command attacks is operated on a single-chip microcomputer device 400, a processing program for protecting the UPS air conditioner against command attacks can be installed on the single-chip microcomputer device, the single-chip microcomputer device comprises a processor 460, a memory 420 and a display unit 430, the display unit 430 comprises an LED signal lamp for displaying a power state, a communication state, a fault state,
a processor for reading the computer program and executing the method defined by the computer program;
specifically, for example, the processor reads a processing program of the UPS air conditioner for defending against command attacks, reads service request data, service response data, and the like.
The storage comprises an extended data output memory (SDRAM), a Static Random Access Memory (SRAM), a ferroelectric memory (FRAM), the storage is used for storing a computer program and other data, the computer program comprises a processing program for protecting the UPS air-conditioning equipment from command attacks, a watchdog program and the like, the other data can comprise data generated after an application program is operated, the data comprises system data (such as configuration parameters) and user data, the program command is stored in the storage, and the processor executes the stored program command to realize the method for protecting the UPS air-conditioning equipment from command attacks;
a display unit for outputting signals related to the operation state resulting from the function control of the one-chip microcomputer device, the display unit including an LED signal lamp 431 for outputting different signals.
In addition to the above, the single-chip microcomputer device further includes a power supply 410 for supplying power, an RS232 communication control module 440, and an rs485 communication control module 450.
In particular, the processor and the memory may be in a coupled arrangement or may be relatively independent arrangements.
Specifically, the processor in fig. 5 may be configured to implement the functions of the power control module, the program programming and debugging control module, the processing module, the obtaining module, the bypass module, the white list resetting control module, and the white list self-learning control module in fig. 4.
In particular, the processor in fig. 5 may be configured to implement the corresponding functions of the security filter card device.
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of the present invention is obviously not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can be within the protection scope of the invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for defending UPS air conditioning equipment against command attacks is characterized by comprising the following steps:
the method comprises the steps that service data transmitted by communication between the UPS air-conditioning equipment and an upper computer are obtained, wherein the service data comprise service request data and service response data, the service request data are the service data sent to the UPS air-conditioning equipment by the upper computer and comprise a plurality of instruction data, and the service response data are the service data which are received by the UPS air-conditioning equipment and fed back to the upper computer;
during operation and debugging, receiving service request data to be analyzed and service response data to be analyzed within preset time, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed, wherein the white list comprises safety instruction data classification items;
judging the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data;
processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data, recording the harmful instruction data, and generating a harmful instruction data recording report;
and analyzing the harmful instruction data record report to obtain an analysis result, marking suspicious instruction data on the service request data before judging the service request data according to the analysis result, and preferentially judging the service request data marked as the suspicious instruction data according to a white list.
2. The method for defending the UPS air conditioning equipment against the instruction attack according to claim 1, wherein when the white list is created, during the operation debugging, the method receives the service request data to be analyzed sent to the UPS air conditioning equipment by the upper computer within the preset time T1 and allows the service request data to be analyzed to pass through, records the sending time of the service request data to be analyzed, receives the service response data to be analyzed corresponding to the service request data to be analyzed within the preset time T1, records the returning time of the service response data to be analyzed, meanwhile, sequentially exhaustively exhausts the response actions of the normally operated UPS air conditioning equipment, and completes the white list according to the exhausted response actions.
3. The method for protecting UPS air conditioner against command attacks as claimed in claim 2, wherein the sending time T1 of the service request data to be analyzed is recorded, the returning time T2 of the service response data to be analyzed is recorded, T2 > T1, the time Δ T of the UPS air conditioner executing the service request data to be analyzed is calculated, wherein Δ T = T2-T1, the executing time is compared with the preset executing time T, wherein T < T1,
if T is less than delta T and less than T1, the time for executing the service request data to be analyzed by the UPS air conditioning equipment exceeds the preset execution time, and the operation of the UPS air conditioning equipment is abnormal, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be harmful service request data;
if t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air conditioning equipment does not exceed the preset execution time, and the UPS air conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data.
4. The method for protecting the UPS air-conditioning equipment from the command attack as claimed in claim 3, wherein when the time for returning the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the UPS air-conditioning equipment is abnormal in operation when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data.
5. The UPS air conditioning equipment instruction attack defense method according to claim 4, wherein after safe service request data and harmful service request data are judged, the safe service request data comprise a plurality of safe instruction data, any safe instruction data comprise a safe instruction data identification, a safe instruction data sending time and a safe instruction data sending end address, classification is carried out according to the safe instruction data identification to obtain actual safe instruction data classification items, meanwhile, the exhaustive response action is analyzed to obtain safe instruction data classification items corresponding to the exhaustive response action, and the actual safe instruction data classification items and the exhaustive safe instruction data classification items are subjected to duplication elimination to generate a white list.
6. The method for defending the UPS air conditioning equipment against the instruction attack according to claim 5, wherein when the business request data is judged according to the white list, the instruction data identifications of the instruction data in the business request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with the safety instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged as safety instruction data, and if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged as harmful instruction data.
7. The method for defending UPS air conditioners against instruction attacks according to claim 6, wherein when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed, and are continuously transmitted to the UPS air conditioners, the harmful instruction data are intercepted, the transmission to the UPS air conditioners is stopped, and harmful instruction data classification items, harmful instruction data identifications, harmful instruction data sending times and harmful instruction data sending addresses of the harmful instruction data are recorded, and harmful instruction data recording reports are generated.
8. The method for protecting UPS air conditioning equipment against instruction attacks according to claim 7, wherein when the harmful instruction data record report is analyzed, the analysis is performed within a preset time T2 according to the sending time of the harmful instruction data and the sending address of the harmful instruction data in the harmful instruction data record report,
when analyzing the transmission time of the harmful instruction data, the 24-hour day is divided into four time periods, 00:00:00-05:59: 59. 06:00:00-11:59: 59. 12:00:00-17:59:59 and 18:00:00-23:59:59, respectively labeled: in the morning, in the afternoon and in the evening, calculating the sending frequency of harmful instruction data in four time periods according to the sending time of the harmful instruction data to obtain a harmful instruction data sending peak period and a harmful instruction data sending peak period, if M harmful instruction data are totally recorded in a harmful instruction data recording report, N harmful instruction data exist in any time period, the sending frequency in any time period is f = N/M, the preset sending frequency f0 in any time period, if f is more than f0, the time period is judged to be the harmful instruction data sending peak period, and if f is not less than 0 and not more than f0, the time period is judged to be the harmful instruction data sending peak period;
when harmful instruction data sending end addresses are analyzed, calculating the occurrence frequency of each harmful instruction data sending end address in a harmful instruction data recording report to obtain whether each harmful instruction data sending end address is a risk address, if the total number of the harmful instruction data sending end addresses in a preset time T2 is L, the number of any harmful instruction data sending end addresses is Y, the occurrence frequency of any harmful instruction data sending end address is K = Y/L, the preset occurrence frequency of any harmful instruction data sending end address is K0, if K is larger than K0, the any harmful instruction data sending end address is judged to be a risk address, and if K is larger than 0 and smaller than or equal to K0, the any harmful instruction data sending end address is judged to be a safe address;
the analysis result is obtained that any time period is a harmful instruction data sending peak period, any harmful instruction data sending end address is a risk address and any harmful instruction data sending end address is a safe address, according to the analysis result, before judging a plurality of instruction data in the service request data, the plurality of instruction data in any time period in the peak period or the plurality of instruction data with the instruction data sending end address as the risk address are marked as suspicious instruction data, otherwise, the suspicious instruction data and the normal instruction data are not marked, the service request data marked as the suspicious instruction data are judged preferentially according to a white list, and the safe instruction data and the harmful instruction data are generated.
9. A system for protecting a UPS air conditioner against command attacks, which applies the method for protecting a UPS air conditioner against command attacks according to any one of claims 1 to 8, comprising:
the acquisition module is used for acquiring service data transmitted by communication between the UPS air-conditioning equipment and the upper computer, wherein the service data comprises service request data and service response data, the service request data is the service data sent to the UPS air-conditioning equipment by the upper computer and comprises a plurality of instruction data, and the service response data is the service data which is received by the UPS air-conditioning equipment and fed back to the upper computer;
the generating module is used for receiving service request data to be analyzed and service response data to be analyzed within preset time during operation and debugging, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed, wherein the white list comprises safety instruction data classification items;
the judging module is used for judging the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data;
the first processing module is used for processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data, recording the harmful instruction data and generating a harmful instruction data recording report;
and the second processing module is used for analyzing the harmful instruction data record report to obtain an analysis result, marking suspicious instruction data on the service request data before judging the service request data according to the analysis result, and preferentially judging the service request data marked as the suspicious instruction data according to a white list.
10. The system for protecting against command attacks of the UPS air conditioning equipment according to claim 9, wherein the generating module is a module that autonomously generates a white list, receives service request data to be analyzed within a preset time and allows all of the service request data to pass through during operation and debugging, receives service response data to be analyzed corresponding to the service request data to be analyzed, and analyzes the service request data to be analyzed and the service response data to be analyzed to obtain an actual safety command data classification entry, and the generating module includes a receiving unit and a white list generating unit, the receiving unit is configured to receive the service request data to be analyzed and the service response data to be analyzed within the preset time during operation and debugging, and the white list generating unit is configured to analyze the service request data to be analyzed and the service response data to be analyzed to obtain an actual safety command data classification entry, and analyze an exhaustive response action to obtain an exhaustive safety command data classification entry, and deduplicate the actual safety command data classification entry and the exhaustive safety command data classification entry to generate the white list.
CN202211059710.2A 2022-08-31 2022-08-31 Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment Active CN115150197B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211059710.2A CN115150197B (en) 2022-08-31 2022-08-31 Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211059710.2A CN115150197B (en) 2022-08-31 2022-08-31 Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment

Publications (2)

Publication Number Publication Date
CN115150197A true CN115150197A (en) 2022-10-04
CN115150197B CN115150197B (en) 2022-11-15

Family

ID=83415813

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211059710.2A Active CN115150197B (en) 2022-08-31 2022-08-31 Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment

Country Status (1)

Country Link
CN (1) CN115150197B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318993A (en) * 2023-03-16 2023-06-23 北京宏志国际科技有限公司 Method and system for defending network harmful instruction attack by Internet of things product

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017101729A1 (en) * 2015-12-18 2017-06-22 阿里巴巴集团控股有限公司 Internet of things-based device operation method and server
CN110661680A (en) * 2019-09-11 2020-01-07 深圳市永达电子信息股份有限公司 Method and system for detecting data stream white list based on regular expression
CN112069137A (en) * 2020-09-02 2020-12-11 北京百度网讯科技有限公司 Method and device for generating information, electronic equipment and computer readable storage medium
CN113819602A (en) * 2021-09-06 2021-12-21 青岛海尔空调器有限总公司 Air conditioner control method and system
CN114095210A (en) * 2021-10-28 2022-02-25 北京天融信网络安全技术有限公司 Method, system and storage medium for defending external connection based on security gateway
CN114137934A (en) * 2021-11-23 2022-03-04 国网江西省电力有限公司电力科学研究院 Industrial control system with intrusion detection function and detection method
CN114666156A (en) * 2022-04-11 2022-06-24 中国南方电网有限责任公司 Data security protection system, method, device, computer equipment and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017101729A1 (en) * 2015-12-18 2017-06-22 阿里巴巴集团控股有限公司 Internet of things-based device operation method and server
CN110661680A (en) * 2019-09-11 2020-01-07 深圳市永达电子信息股份有限公司 Method and system for detecting data stream white list based on regular expression
CN112069137A (en) * 2020-09-02 2020-12-11 北京百度网讯科技有限公司 Method and device for generating information, electronic equipment and computer readable storage medium
CN113819602A (en) * 2021-09-06 2021-12-21 青岛海尔空调器有限总公司 Air conditioner control method and system
CN114095210A (en) * 2021-10-28 2022-02-25 北京天融信网络安全技术有限公司 Method, system and storage medium for defending external connection based on security gateway
CN114137934A (en) * 2021-11-23 2022-03-04 国网江西省电力有限公司电力科学研究院 Industrial control system with intrusion detection function and detection method
CN114666156A (en) * 2022-04-11 2022-06-24 中国南方电网有限责任公司 Data security protection system, method, device, computer equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318993A (en) * 2023-03-16 2023-06-23 北京宏志国际科技有限公司 Method and system for defending network harmful instruction attack by Internet of things product
CN116318993B (en) * 2023-03-16 2023-10-27 北京宏志国际科技有限公司 Method and system for defending network harmful instruction attack by Internet of things product

Also Published As

Publication number Publication date
CN115150197B (en) 2022-11-15

Similar Documents

Publication Publication Date Title
CN107995049B (en) Cross-region synchronous fault monitoring method, device and system for power safety region
JP5926491B2 (en) Method for security maintenance in a network and computer readable medium having computer readable instructions of a computer program causing a processor to perform the method for security maintenance
CN111431864A (en) Internet of vehicles monitoring system, method and device and readable storage medium
US20230396634A1 (en) Universal intrusion detection and prevention for vehicle networks
CN109413642B (en) Terminal safety detection and monitoring systematization method
CN112799358B (en) Industrial control safety defense system
CN115150197B (en) Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment
CN104850093A (en) Method for monitoring security in an automation network, and automation network
CN109334590B (en) Unmanned vehicle chassis control method, device, equipment and storage medium
WO2023059938A1 (en) Universal intrusion detection and prevention for vehicle networks
CN113328996B (en) Intelligent security policy configuration method based on target perception
CN111786986B (en) Numerical control system network intrusion prevention system and method
CN112565278A (en) Attack capturing method and honeypot system
RU2630415C2 (en) Method for detecting anomalous work of network server (options)
CN114625074A (en) Safety protection system and method for DCS (distributed control System) of thermal power generating unit
CN117873040A (en) Remote monitoring and fault diagnosis method for industrial control main board and related equipment
CN112383417B (en) Terminal security external connection detection method, system, equipment and readable storage medium
CN116962049B (en) Zero-day vulnerability attack prevention and control method and system for comprehensive monitoring and active defense
CN114629677A (en) Safety protection system and method for thermal power generating unit electric quantity charging system
US10701088B2 (en) Method for transmitting data
CN116950882A (en) Remote management system of digital energy air compression station
CN114401103B (en) SMB remote transmission file detection method and device, electronic equipment and storage medium
CN212322081U (en) Intelligent cabinet environment monitoring system
JP7150425B2 (en) COMMUNICATION SYSTEM, CONTROL DEVICE, COMMUNICATION CONTROL METHOD, AND PROGRAM
CN113704066A (en) Machine room equipment monitoring and management method, storage medium and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant