CN115150197B

CN115150197B - Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment

Info

Publication number: CN115150197B
Application number: CN202211059710.2A
Authority: CN
Inventors: 廖梦菁
Original assignee: Deep Top Technology Beijing Co ltd
Current assignee: Deep Top Technology Beijing Co ltd
Priority date: 2022-08-31
Filing date: 2022-08-31
Publication date: 2022-11-15
Anticipated expiration: 2042-08-31
Also published as: CN115150197A

Abstract

The invention relates to a method and a system for defending instruction attack of UPS air conditioning equipment, wherein the method comprises the following steps: acquiring communication transmission service request data and service response data between the UPS air conditioning equipment and the upper computer; during operation debugging, receiving service request data to be analyzed and service response data to be analyzed within preset time, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed; judging the service request data according to a white list to generate safety instruction data and harmful instruction data; processing the safety instruction data and the harmful instruction data; and analyzing the harmful instruction data record report. The white list is established to judge the service request data, the harmful instruction data are intercepted, the UPS air conditioning equipment is prevented from being attacked, the harmful instruction is intercepted before the harmful instruction data are transmitted to the UPS air conditioning equipment, the harmful instruction attack is recognized in advance, and the safety is improved.

Description

Method and system for preventing command attack of UPS (uninterrupted Power supply) air conditioning equipment

Technical Field

The invention relates to the field of data processing, in particular to a method and a system for defending instruction attack of UPS (uninterrupted Power supply) air conditioning equipment.

Background

In the remote monitoring field of UPS air conditioning equipment, an upper computer uses protocols such as SNMP, MODBUS and the like, data interaction is carried out with the equipment through interfaces such as RS232 and RS485, and when an attacker sends high-risk instructions to the equipment in modes such as clamping the upper computer and bypassing authority authentication, the equipment is abnormal, crashed and damaged, so that in the key field of production data protection, the independent processing of industrial control equipment and intelligent power supply equipment is very important.

The patent with application number 201810637089.0 discloses an instruction security defense method, which comprises the following steps: step S1, response action information of target object equipment after the target object equipment executes a received target instruction is obtained; s2, judging whether the response action information meets a safety response rule corresponding to the target instruction or not, and judging whether the response action information meets a threat detection rule corresponding to the target instruction or not; if the response action information is judged to meet the safety response rule, executing the step S3; if the response action information is judged to meet the threat detection rule, executing a step S4; s3, sending prompt information to the target object equipment to prompt that the target instruction received by the target object equipment and the response of the target object equipment are safe; step S4, sending reminding information to the target object equipment so that the target object equipment can isolate the target instruction from the self response action; the method further comprises the following steps: step S01, collecting the response information of each object device receiving the target instruction in the intranet in real time, wherein the response information comprises: response actions made by each object device receiving the target instruction; s02a, screening out response actions which are safe responses aiming at each response action in the response information to form the safety information of the target instruction; step S03a, according to the predetermined importance level of the target instruction in the intranet, determining the optimization updating period of the safety response rule corresponding to the target instruction, wherein the higher the importance level of the target instruction is, the shorter the optimization updating period is; step S04a, according to the safety information of the target instruction, optimizing and updating the safety response rule corresponding to the target instruction according to the optimization and updating period; after the step S01, the method further comprises: step S02b, aiming at each response action in the response information, screening out the response action which is a threat response to form the threat information of the target instruction; and S03b, optimizing and updating the threat detection rule corresponding to the target instruction according to the threat intelligence information of the target instruction and a preset period.

In the prior art, whether a target instruction is safe or not is judged by response action information of the target object equipment after the target instruction is executed by the target object equipment, equipment is possibly abnormal or damaged, harmful instruction attack cannot be recognized in advance, and the safety is low.

Disclosure of Invention

Therefore, the invention provides a method and a system for defending UPS air conditioning equipment against command attacks, which can solve the problems that harmful command attacks cannot be recognized in advance and the safety is low.

In order to achieve the above object, the present invention provides a method for protecting a UPS air conditioning device against command attacks, the method comprising:

the method comprises the steps that service data transmitted by communication between the UPS air-conditioning equipment and an upper computer are obtained, wherein the service data comprise service request data and service response data, the service request data are the service data sent to the UPS air-conditioning equipment by the upper computer and comprise a plurality of instruction data, and the service response data are the service data which are received by the UPS air-conditioning equipment and fed back to the upper computer;

during operation and debugging, receiving service request data to be analyzed and service response data to be analyzed within preset time, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed, wherein the white list comprises safety instruction data classification items;

judging the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data;

processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data, recording the harmful instruction data, and generating a harmful instruction data recording report;

analyzing the harmful instruction data record report to obtain an analysis result, marking the service request data with suspicious instruction data before judging the service request data according to the analysis result, and preferentially judging the service request data marked with the suspicious instruction data according to a white list.

Further, when the white list is created, during the operation and debugging period, receiving the service request data to be analyzed sent to the UPS air conditioning equipment by the upper computer within the preset time T1, allowing the service request data to be analyzed to pass, recording the sending time of the service request data to be analyzed, receiving the service response data to be analyzed corresponding to the service request data to be analyzed within the preset time T1, recording the returning time of the service response data to be analyzed, simultaneously performing sequential exhaustion on response actions of the normally operated UPS air conditioning equipment, and completing the white list according to the exhausted response actions.

Further, recording the sending time T1 of the service request data to be analyzed, recording the returning time T2 of the service response data to be analyzed, wherein T2 is more than T1, calculating the time delta T of the UPS air conditioning equipment for executing the service request data to be analyzed, wherein delta T = T2-T1, comparing the execution time with the preset execution time T, wherein T is less than T1,

if T is less than delta T and less than T1, the time for executing the service request data to be analyzed by the UPS air conditioning equipment exceeds the preset execution time, and the operation of the UPS air conditioning equipment is abnormal, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be harmful service request data;

if t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air conditioning equipment does not exceed the preset execution time, and the UPS air conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data.

Further, when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the operation of the UPS air conditioning equipment is abnormal when the service request data to be analyzed is executed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data.

Further, after the safety service request data and the harmful service request data are judged, the safety service request data comprise a plurality of safety instruction data, any safety instruction data comprise a safety instruction data identifier, safety instruction data sending time and a safety instruction data sending end address, classification is carried out according to the safety instruction data identifier to obtain an actual safety instruction data classification item, meanwhile, the exhaustive response action is analyzed to obtain a safety instruction data classification item corresponding to the exhaustive response action, duplication removal is carried out on the actual safety instruction data classification item and the exhaustive safety instruction data classification item, and a white list is generated.

Further, when the service request data is judged according to the white list, a plurality of instruction data identifications of a plurality of instruction data in the service request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with the safe instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged to be safe instruction data, and if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged to be harmful instruction data.

Further, when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed through and continuously transmitted to the UPS, the harmful instruction data are intercepted, transmission to the UPS is stopped, harmful instruction data classification items, harmful instruction data identifications, harmful instruction data sending time and harmful instruction data sending end addresses of the harmful instruction data are recorded, and a harmful instruction data recording report is generated.

Further, when the harmful instruction data record report is analyzed, the harmful instruction data record report is analyzed according to the harmful instruction data sending time and the harmful instruction data sending end address in the harmful instruction data record report within the preset time T2,

when analyzing the transmission time of the harmful instruction data, the 24-hour day is divided into four time periods, 00:00:00-05:59: 59. 06:00:00-11:59: 59. 12:00:00-17:59:59 and 18:00:00-23:59:59, respectively labeled: in the morning, in the afternoon and in the evening, calculating the sending frequency of harmful instruction data in four time periods according to the sending time of the harmful instruction data to obtain a harmful instruction data sending peak period and a harmful instruction data sending peak period, if M harmful instruction data are totally recorded in a harmful instruction data recording report, N harmful instruction data exist in any time period, the sending frequency in any time period is f = N/M, the preset sending frequency f0 in any time period, if f is more than f0, the time period is judged to be the harmful instruction data sending peak period, and if f is not less than 0 and not more than f0, the time period is judged to be the harmful instruction data sending peak period;

when harmful instruction data sending end addresses are analyzed, calculating the occurrence frequency of each harmful instruction data sending end address in a harmful instruction data recording report to obtain whether each harmful instruction data sending end address is a risk address, if the total number of the harmful instruction data sending end addresses in a preset time T2 is L, the number of any harmful instruction data sending end addresses is Y, the occurrence frequency of any harmful instruction data sending end address is K = Y/L, the preset occurrence frequency of any harmful instruction data sending end address is K0, if K is larger than K0, the any harmful instruction data sending end address is judged to be a risk address, and if K is larger than 0 and smaller than or equal to K0, the any harmful instruction data sending end address is judged to be a safe address;

the analysis result is obtained that any time period is a harmful instruction data sending peak period, any harmful instruction data sending end address is a risk address and any harmful instruction data sending end address is a safe address, according to the analysis result, before judging a plurality of instruction data in the service request data, the plurality of instruction data in any time period in the peak period or the plurality of instruction data with the instruction data sending end address as the risk address are marked as suspicious instruction data, otherwise, the suspicious instruction data and the normal instruction data are not marked, the service request data marked as the suspicious instruction data are judged preferentially according to a white list, and the safe instruction data and the harmful instruction data are generated.

Further, the invention also provides a system for defending the UPS air conditioning equipment against command attacks, which comprises:

the acquisition module is used for acquiring service data transmitted by communication between the UPS air-conditioning equipment and the upper computer, wherein the service data comprises service request data and service response data, the service request data is the service data sent to the UPS air-conditioning equipment by the upper computer and comprises a plurality of instruction data, and the service response data is the service data which is received by the UPS air-conditioning equipment and fed back to the upper computer;

the generating module is used for receiving service request data to be analyzed and service response data to be analyzed within preset time during operation and debugging, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed, wherein the white list comprises safety instruction data classification items;

the judging module is used for judging the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data;

the first processing module is used for processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data, recording the harmful instruction data and generating a harmful instruction data recording report;

and the second processing module is used for analyzing the harmful instruction data record report to obtain an analysis result, marking the service request data with suspicious instruction data before judging the service request data according to the analysis result, and preferentially judging the service request data marked with the suspicious instruction data according to a white list.

Furthermore, the generation module is a module for autonomously generating a white list, and during operation and debugging, receives service request data to be analyzed within a preset time and allows all the service request data to be analyzed to pass through, and receives service response data to be analyzed corresponding to the service request data to be analyzed, and the service request data to be analyzed and the service response data to be analyzed are analyzed to obtain actual safety instruction data classification items.

Compared with the prior art, the invention has the advantages that the service data transmitted by the communication between the UPS air-conditioning equipment and the upper computer is obtained, the service data comprises service request data and service response data, the service request data is the service data sent to the UPS air-conditioning equipment by the upper computer and comprises a plurality of instruction data, the service response data is the service data received by the UPS air-conditioning equipment and fed back to the upper computer, then the service request data to be analyzed and the service response data to be analyzed in the preset time are received during the operation debugging period, a white list is generated according to the service request data to be analyzed and the service response data to be analyzed, the white list comprises safety instruction data classification items, then the service request data is judged according to the safety instruction data classification items in the white list, and safety instruction data and harmful instruction data are generated, processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data and recording the harmful instruction data to generate a harmful instruction data recording report, finally analyzing the harmful instruction data recording report to obtain an analysis result, marking the service request data with suspicious instruction data before judging the service request data according to the analysis result, preferentially judging the service request data marked with the suspicious instruction data according to a white list, judging the service request data according to the safety instruction data classification items in the white list by establishing the white list, intercepting the judged harmful instruction data so as to prevent the attack to the UPS air conditioning equipment, and intercepting the harmful instruction data before transmitting the harmful instruction data to the UPS air conditioning equipment, the attack of harmful instructions is recognized in advance, and the safety is improved.

Particularly, when a white list is created, during the operation and debugging period, receiving service request data to be analyzed sent to the UPS air conditioning equipment by an upper computer within a preset time T1 and allowing the service request data to be analyzed to pass, recording the sending time of the service request data to be analyzed, receiving service response data to be analyzed corresponding to the service request data to be analyzed within the preset time T1, recording the returning time of the service response data to be analyzed, analyzing whether the operation of the UPS air conditioning equipment is abnormal or not according to the returning time of the returned service response data to be analyzed corresponding to the service request data to be analyzed by analyzing all the service request data to be analyzed within the preset time T1, further judging harmful service request data, sequentially exhausting the response actions of the UPS air conditioning equipment which normally operates, and preventing the white list from being incomplete due to the fact that the safe instruction data which may not appear during the debugging period is unsuccessful and preventing the harmful instruction data from being defensive according to the exhaustive response action.

Particularly, the sending time T1 of the service request data to be analyzed is recorded, the returning time T2 of the service response data to be analyzed is recorded, T2 is more than T1, the time delta T of the UPS air conditioner for executing the service request data to be analyzed is calculated, wherein delta T = T2-T1, the execution time is compared with the preset execution time T, if T is less than delta T and less than T1, the time of the UPS air conditioner for executing the service request data to be analyzed exceeds the preset execution time, the UPS air conditioner runs abnormally, and the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be harmful service request data; if t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air-conditioning equipment does not exceed the preset execution time, and the UPS air-conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data, whether the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data or not is judged according to the return time of the service response data to be analyzed, and then the white list is established.

Particularly, when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the UPS air conditioning equipment is abnormally operated when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data, and by analyzing that the service response data to be analyzed is not received all the time, the determination of the harmful service request data and the safe service request data is more accurate.

Particularly, after the safe service request data and the harmful service request data are judged, the safe service request data comprise a plurality of safe instruction data, any safe instruction data comprise a safe instruction data identifier, safe instruction data sending time and a safe instruction data sending end address, classification is carried out according to the safe instruction data identifier to obtain an actual safe instruction data classification item, the exhaustive response action is analyzed to obtain a safe instruction data classification item corresponding to the exhaustive response action, duplication elimination is carried out on the actual safe instruction data classification item and the exhaustive safe instruction data classification item to generate a white list, the harmful instruction data can be effectively intercepted by setting the white list, the potential safety hazard of the UPS air conditioning equipment is further reduced, duplication elimination is carried out on the actual safe instruction data classification item and the exhaustive safe instruction data classification item, and the white list is healthy according to the exhaustive response action to prevent that the white list is not healthy and not successful defense of the harmful instruction data caused by the safe instruction data which may not appear during debugging.

Particularly, when the service request data is judged according to the white list, a plurality of instruction data identifications of a plurality of instruction data in the service request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with safety instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged to be safety instruction data, if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged to be harmful instruction data, whether the instruction data are the safety instruction data or not is judged by matching the instruction data classification entries obtained from the service request data with the safety instruction data entries in the white list, the harmful instruction data are intercepted in time, further, the UPS air conditioning equipment is prevented from being damaged in time, and the safety is improved.

Particularly, when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed through and continuously transmitted to the UPS air conditioning equipment, the harmful instruction data are intercepted, the transmission to the UPS air conditioning equipment is stopped, harmful instruction data classification items, harmful instruction data identifiers, harmful instruction data sending time and harmful instruction data sending end addresses of the harmful instruction data are recorded, a harmful instruction data recording report is generated, the harmful instruction data are intercepted, the harmful instruction data are effectively prevented from attacking the UPS air conditioning equipment, a white list is utilized for intercepting, and the safety is effectively improved.

Particularly, when the harmful instruction data record report is analyzed, the harmful instruction data sending time and the harmful instruction data sending end address in the harmful instruction data record report are analyzed within the preset time T2 to obtain the harmful instruction data sending peak and the risk address of the harmful instruction data sending end address, before judging the plurality of instruction data in the service request data, the plurality of instruction data in any time period of the peak or the plurality of instruction data with the instruction data sending end address as the risk address are marked as suspicious instruction data, the service request data marked as the suspicious instruction data are judged preferentially, the efficiency of identifying the harmful instruction data is improved, and the harmful instruction data are identified more accurately.

Particularly, the acquiring module acquires service data transmitted by communication between the UPS air-conditioning equipment and the upper computer, the service data comprises service request data and service response data, the service request data is the service data sent to the UPS air-conditioning equipment by the upper computer and comprises a plurality of instruction data, the service response data is the service data received by the UPS air-conditioning equipment and fed back to the upper computer, the generating module receives the service request data to be analyzed and the service response data to be analyzed within a preset time during operation and debugging, a white list is generated according to the service request data to be analyzed and the service response data to be analyzed, the white list comprises safety instruction data classification items, the judging module judges the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data, the first processing module processes the safety instruction data and the harmful instruction data, the safety instruction data are passed through, the harmful instruction data are intercepted and recorded, a harmful instruction data recording report is generated, the second processing module analyzes the harmful instruction data recording report to obtain an analysis result, suspicious instruction data marking is carried out on the service request data before the service request data are judged according to the analysis result, the service request data marked as the suspicious instruction data are judged preferentially according to a white list, the service request data are judged according to the classified items of the safety instruction data in the white list by establishing the white list, the judged harmful instruction data are intercepted, further, the attack to the UPS air conditioning equipment is prevented, and the harmful instruction data are intercepted before being transmitted to the UPS air conditioning equipment, the attack of harmful instructions is recognized in advance, and the safety is improved.

The generation module is a module for automatically generating a white list, receives service request data to be analyzed within preset time and allows all the service request data to pass through during operation and debugging, receives service response data to be analyzed corresponding to the service request data to be analyzed, analyzes the service request data to be analyzed and the service response data to be analyzed to obtain actual safety instruction data classification items, and comprises a receiving unit and a white list generation unit, wherein the receiving unit is used for receiving the service request data to be analyzed and the service response data to be analyzed within preset time during operation and debugging, the white list generation unit is used for analyzing the service request data to be analyzed and the service response data to be analyzed to obtain actual safety instruction data classification items, and analyzes the exhaustive response actions to obtain safety instruction data classification items corresponding to the exhaustive response actions, and de-duplicates the actual safety instruction data classification items and the exhaustive safety instruction data classification items, and the white list generation module generates the white list during early operation, so that harmful instruction data are effectively intercepted according to the white list, thereby reducing the safety hazard of the air-conditioning equipment, and the white list is prevented from generating the healthy instruction data classification items and the non-exhaustion and non-failure harmful instruction data in the operation.

Drawings

Fig. 1 is an application scenario of a method for protecting a UPS air conditioning device from command attacks according to an embodiment of the present invention;

fig. 2 is a schematic flowchart of a method for defending against command attacks of the UPS air conditioning equipment according to an embodiment of the present invention;

fig. 3 is a schematic structural diagram of a system for protecting against command attacks of the UPS air conditioning equipment according to the embodiment of the present invention;

fig. 4 is a schematic structural diagram of an apparatus for protecting a UPS air conditioning device from command attacks according to an embodiment of the present invention;

fig. 5 is a schematic structural diagram of a single-chip microcomputer device operated by the device for protecting the UPS air conditioning equipment from command attacks according to the embodiment of the present invention.

Detailed Description

In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principle of the present invention, and do not limit the scope of the present invention.

It should be noted that in the description of the present invention, the terms of direction or positional relationship indicated by the terms "upper", "lower", "left", "right", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, which are only for convenience of description, and do not indicate or imply that the device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention.

Furthermore, it should be noted that, in the description of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.

Please refer to fig. 1, an application scenario of the method for preventing the command attack for the UPS air conditioner according to the embodiment of the present invention includes a UPS air conditioner 101, a security filtering device 102, and an upper computer 103, where the UPS air conditioner and the security filtering device communicate with each other, the security filtering device and the upper computer communicate with each other, the UPS air conditioner and the security filtering device communicate with each other by connecting serial lines in a wired communication manner, the security filtering device and the upper computer communicate with each other in a wired communication manner or in a mobile communication manner, the wired communication manner communicates with each other by connecting network lines, and the mobile communication manner communicates with each other by 4G or 5G;

the UPS air conditioning equipment is used for receiving service request data and sending a device terminal of service response data, the service request data comprise harmful instruction data, the safety filter device is a processing device for the UPS air conditioning equipment to defend against the attack of the harmful instruction data, the safety filter device receives the service request data sent by the upper computer to process and then sends the processed data to the UPS air conditioning equipment, the safety filter device further transmits the received service response data sent by the UPS air conditioning equipment to the upper computer, the upper computer refers to a terminal device or a server which is responsible for sending the service request data, and the server is a local server or a cloud server.

Referring to fig. 2, a method for protecting against command attacks of a UPS air conditioning device according to an embodiment of the present invention includes:

step 110, acquiring service data transmitted by communication between the UPS air-conditioning equipment and the upper computer, wherein the service data comprises service request data and service response data, the service request data is the service data sent to the UPS air-conditioning equipment by the upper computer and comprises a plurality of instruction data, and the service response data is the service data which is received by the UPS air-conditioning equipment and fed back to the upper computer;

step 120, during the operation and debugging, receiving service request data to be analyzed and service response data to be analyzed within preset time, and generating a white list according to the service request data to be analyzed and the service response data to be analyzed, wherein the white list comprises safety instruction data classification items;

step 130, judging the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data;

step 140, processing the safety instruction data and the harmful instruction data, passing the safety instruction data, intercepting the harmful instruction data, recording the harmful instruction data, and generating a harmful instruction data recording report;

step 150, analyzing the harmful instruction data record report to obtain an analysis result, marking the service request data with suspicious instruction data before judging the service request data according to the analysis result, and preferentially judging the service request data marked with suspicious instruction data according to a white list.

Specifically, the embodiment of the invention obtains service data transmitted by communication between the UPS air conditioning equipment and the upper computer, the service data comprises service request data and service response data, the service request data is the service data transmitted to the UPS air conditioning equipment by the upper computer and comprises a plurality of instruction data, the service response data is the service data received by the UPS air conditioning equipment and fed back to the upper computer, then during operation and debugging, the service request data to be analyzed and the service response data to be analyzed in a preset time are received, a white list is generated according to the service request data to be analyzed and the service response data to be analyzed, the white list comprises classified items of safety instruction data, then the service request data is judged according to the classified items of the safety instruction data in the white list, safety instruction data and harmful instruction data are generated, the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed, the harmful instruction data are intercepted and the harmful instruction data are recorded, a harmful instruction data recording report is generated, finally the harmful instruction data recording report is analyzed to obtain an analysis result, the service request data is intercepted according to the service request data before the service request data is judged, the suspicious white list is marked, the harmful instruction data is judged to be the harmful instruction data, the harmful instruction data is judged to be the air conditioning equipment, the suspicious air conditioning data, the harmful instruction data is judged to be preferentially, the harmful instruction data, the suspicious air conditioning equipment is judged according to be attacked by the harmful instruction data, the suspicious air conditioning equipment is judged by the suspicious air conditioning equipment, the attack of harmful instructions is recognized in advance, and the safety is improved.

Specifically, when a white list is created, during operation debugging, service request data to be analyzed sent to the UPS air conditioning equipment by an upper computer within preset time T1 are received, the service request data to be analyzed are allowed to pass, the sending time of the service request data to be analyzed is recorded, service response data to be analyzed corresponding to the service request data to be analyzed are received within preset time T1, the returning time of the service response data to be analyzed is recorded, meanwhile, response actions of the normally-operated UPS air conditioning equipment are exhausted in sequence, and the white list is completed according to the exhausted response actions.

Specifically, operation debugging is carried out at the early stage of operation of the upper computer and the UPS air conditioning equipment, and a white list is established during the operation debugging so as to defend harmful instruction data according to the white list during later-stage formal operation.

Specifically, when a white list is created, during operation and debugging, to-be-analyzed service request data sent to the UPS air conditioning equipment by an upper computer within a preset time T1 is received, the to-be-analyzed service request data is allowed to pass, the sending time of the to-be-analyzed service request data is recorded, to-be-analyzed service response data corresponding to the to-be-analyzed service request data is received within the preset time T1, the returning time of the to-be-analyzed service response data is recorded, all the passing through to-be-analyzed service request data within the preset time T1 are analyzed, whether the operation of the UPS air conditioning equipment is abnormal or not is analyzed according to the returning time of the to-be-analyzed service response data corresponding to the to-be-analyzed service request data, and then harmful service request data is judged, response actions of the normally-operated UPS air conditioning equipment are sequentially exhausted, and the white list is completed according to exhaustive response actions, so that the white list is prevented from being incomplete due to the fact that harmful instruction data defense is unsuccessful.

Specifically, the sending time T1 of the service request data to be analyzed is recorded, the returning time T2 of the service response data to be analyzed is recorded, T2 is more than T1, the time delta T of the UPS air conditioning equipment for executing the service request data to be analyzed is calculated, wherein delta T = T2-T1, the execution time is compared with the preset execution time T, wherein T is less than T1,

Specifically, the embodiment of the present invention records the sending time T1 of the service request data to be analyzed, records the returning time T2 of the service response data to be analyzed, where T2 is greater than T1, calculates the time Δ T for the UPS air conditioning equipment to execute the service request data to be analyzed, where Δ T = T2-T1, compares the execution time with the preset execution time T, and if T is less than Δ T and less than T1, it indicates that the time for the UPS air conditioning equipment to execute the service request data to be analyzed exceeds the preset execution time, and the UPS air conditioning equipment runs abnormally, and determines that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data; if t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air-conditioning equipment does not exceed the preset execution time, and the UPS air-conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data, whether the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data or not is judged according to the return time of the service response data to be analyzed, and then the white list is established.

Specifically, when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the UPS air conditioning equipment is abnormally operated when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data.

Specifically, when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received within the preset time T1, which indicates that the UPS air conditioning equipment is abnormal in operation when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data, and the harmful service request data and the safe service request data are more accurately determined by analyzing that the service response data to be analyzed is not received all the time.

Specifically, after the safety service request data and the harmful service request data are judged, the safety service request data comprise a plurality of safety instruction data, any safety instruction data comprise a safety instruction data identifier, safety instruction data sending time and a safety instruction data sending end address, classification is carried out according to the safety instruction data identifier to obtain an actual safety instruction data classification item, meanwhile, the exhaustive response action is analyzed to obtain a safety instruction data classification item corresponding to the exhaustive response action, duplication removal is carried out on the actual safety instruction data classification item and the exhaustive safety instruction data classification item, and a white list is generated.

Specifically, if the safety instruction data identifier of any safety instruction data in the safety service request data is Q1< cr >, the safety instruction data identifier is classified as a query instruction according to the safety instruction data identifier, and the safety instruction data classified items in the white list are the query instruction.

Specifically, after the safety service request data and the harmful service request data are judged, the safety service request data comprise a plurality of safety instruction data, any safety instruction data comprise a safety instruction data identifier, safety instruction data sending time and a safety instruction data sending end address, classification is performed according to the safety instruction data identifier to obtain an actual safety instruction data classification item, meanwhile, an exhaustive response action is analyzed to obtain a safety instruction data classification item corresponding to the exhaustive response action, duplication removal is performed on the actual safety instruction data classification item and the exhaustive safety instruction data classification item to generate a white list, the harmful instruction data can be effectively intercepted through setting the white list, the potential safety hazard of the air conditioning equipment is further reduced, duplication removal is performed on the actual safety instruction data classification item and the exhaustive safety instruction data classification item, and the situation that the white list is incomplete due to the safety instruction data which may not appear during debugging is prevented according to the exhaustive response action soundness white list, and the harmful instruction data defense is not successful is further.

Specifically, when the service request data is judged according to the white list, a plurality of instruction data identifications of a plurality of instruction data in the service request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with safety instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged as safety instruction data, and if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged as harmful instruction data.

Specifically, in the service request data, if the instruction data of the instruction data are identified as Q1< cr >, S < n > < cr > and TL < cr >, wherein < cr > is identified as an instruction, Q1, S and TL are query, shutdown and test, classification is performed according to the instruction data identification to obtain instruction data classification entries as a query instruction, a shutdown instruction and a test instruction, the instruction data entries are matched with the safety instruction data entries in the white list, the instruction data of the shutdown instruction and the test instruction which are not matched are determined as harmful instruction data, and the instruction data of the matched query instruction are determined as safety instruction data.

Specifically, when the service request data is judged according to the white list, a plurality of instruction data identifiers of a plurality of instruction data in the service request data are classified to obtain instruction data classification entries, the instruction data classification entries are matched with safety instruction data entries in the white list, if the matching is successful, the instruction data corresponding to the successfully matched instruction data classification entries are judged to be safety instruction data, if the matching is failed, the instruction data corresponding to the unsuccessfully matched instruction data classification entries are judged to be harmful instruction data, whether the instruction data are the safety instruction data or not is judged by matching the instruction data classification entries obtained in the service request data with the safety instruction data entries in the white list, the harmful instruction data are intercepted in time, the UPS air conditioning equipment is prevented from being damaged in time, and the safety is improved.

Specifically, when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed through and continuously transmitted to the UPS air conditioning equipment, the harmful instruction data are intercepted, the transmission to the UPS air conditioning equipment is stopped, and a harmful instruction data classification entry, a harmful instruction data identifier, a harmful instruction data sending time and a harmful instruction data sending end address of the harmful instruction data are recorded, so that a harmful instruction data recording report is generated.

Specifically, when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed through and continuously transmitted to the UPS air conditioning equipment, the harmful instruction data are intercepted, the transmission to the UPS air conditioning equipment is stopped, the harmful instruction data classification items, the harmful instruction data identification, the harmful instruction data sending time and the harmful instruction data sending end address of the harmful instruction data are recorded, a harmful instruction data recording report is generated, the harmful instruction data are intercepted, the harmful instruction data are effectively prevented from attacking the UPS air conditioning equipment, a white list is utilized for intercepting, and the safety is effectively improved.

Specifically, when the harmful instruction data record report is analyzed, the harmful instruction data is analyzed according to the harmful instruction data sending time and the harmful instruction data sending end address in the harmful instruction data record report within the preset time T2,

when analyzing the transmission time of the harmful instruction data, the 24-hour day is divided into four time periods, 00:00:00-05:59: 59. 06:00:00-11:59: 59. 12:00:00-17:59:59 and 18:00:00-23:59:59, respectively labeled: in the morning, in the afternoon and in the evening, calculating the sending frequency of harmful instruction data in four time periods according to the sending time of the harmful instruction data to obtain a sending peak time and a sending peak time of the harmful instruction data, if M harmful instruction data are in total in a harmful instruction data recording report and N harmful instruction data exist in any time period, the sending frequency in any time period is f = N/M, the preset sending frequency f0 in any time period is judged, if f is more than f0, the any time period is judged to be the sending peak time of the harmful instruction data, and if f is not less than 0 and not more than f0, the any time period is judged to be the sending peak time of the harmful instruction data;

Specifically, when the harmful instruction data record report is analyzed, the harmful instruction data sending time and the harmful instruction data sending end address in the harmful instruction data record report are analyzed within the preset time T2 to obtain the harmful instruction data sending peak and the risk address of the harmful instruction data sending end address, before the plurality of instruction data in the service request data are judged, the plurality of instruction data in any time period of the peak or the plurality of instruction data with the instruction data sending end address as the risk address are marked as suspicious instruction data, and the service request data marked as suspicious instruction data are judged preferentially, so that the efficiency of identifying the harmful instruction data is improved, and the harmful instruction data are identified more accurately.

Referring to fig. 3, an embodiment of the present invention further provides a system for protecting a UPS air conditioning device from command attacks, where the system includes:

the acquiring module 210 is configured to acquire service data transmitted by communication between the UPS air-conditioning equipment and the upper computer, where the service data includes service request data and service response data, the service request data is service data sent by the upper computer to the UPS air-conditioning equipment and includes a plurality of instruction data, and the service response data is service data received by the UPS air-conditioning equipment and fed back to the upper computer;

the generating module 220 is configured to receive service request data to be analyzed and service response data to be analyzed within a preset time during operation and debugging, and generate a white list according to the service request data to be analyzed and the service response data to be analyzed, where the white list includes safety instruction data classification items;

the judging module 230 is configured to judge the service request data according to the safety instruction data classification entries in the white list, and generate safety instruction data and harmful instruction data;

the first processing module 240 is configured to process the safety instruction data and the harmful instruction data, pass the safety instruction data, intercept the harmful instruction data, record the harmful instruction data, and generate a harmful instruction data record report;

the second processing module 250 is configured to analyze the harmful instruction data record report to obtain an analysis result, mark suspicious instruction data on the service request data before determining the service request data according to the analysis result, and preferentially determine the service request data marked as the suspicious instruction data according to a white list.

Specifically, the system is applied to safety filter equipment between UPS air conditioning equipment and an upper computer, the upper computer sends service request data to intercept harmful instruction data through the safety filter equipment, the service request data of the safety instruction data are transmitted to the UPS air conditioning equipment, and the UPS air conditioning equipment receives the service request data, returns service response data to the safety filter equipment and transmits the service response data to the upper computer.

Specifically, in the embodiment of the present invention, an acquisition module acquires service data transmitted by communication between a UPS air conditioning device and an upper computer, where the service data includes service request data and service response data, the service request data is service data sent to the UPS air conditioning device by the upper computer and includes a plurality of instruction data, the service response data is service data received by the UPS air conditioning device and fed back to the upper computer, a generation module receives service request data to be analyzed and service response data to be analyzed within a preset time during operation and debugging, and generates a white list according to the service request data to be analyzed and the service response data to be analyzed, where the white list includes safety instruction data classification items, and a judgment module judges the service request data according to the safety instruction data classification items in the white list to generate safety instruction data and harmful instruction data, the first processing module processes the safety instruction data and the harmful instruction data, the safety instruction data are passed through, the harmful instruction data are intercepted and recorded, a harmful instruction data recording report is generated, the second processing module analyzes the harmful instruction data recording report to obtain an analysis result, suspicious instruction data marking is carried out on the service request data before the service request data are judged according to the analysis result, the service request data marked as the suspicious instruction data are judged preferentially according to a white list, the service request data are judged according to the classified items of the safety instruction data in the white list by establishing the white list, the judged harmful instruction data are intercepted, further, the attack to the UPS air conditioning equipment is prevented, and the harmful instruction data are intercepted before being transmitted to the UPS air conditioning equipment, the attack of harmful instructions is recognized in advance, and the safety is improved.

Specifically, the generation module is a module for autonomously generating a white list, receives service request data to be analyzed within preset time and allows all the service request data to be analyzed to pass through during operation and debugging, receives service response data to be analyzed corresponding to the service request data to be analyzed, analyzes the service request data to be analyzed and the service response data to be analyzed to obtain actual safety instruction data classification items, and includes a receiving unit and a white list generation unit, wherein the receiving unit is used for receiving the service request data to be analyzed and the service response data to be analyzed within preset time during operation and debugging, the white list generation unit is used for analyzing the service request data to be analyzed and the service response data to be analyzed to obtain actual safety instruction data classification items, and simultaneously analyzes the exhaustive response actions to obtain safety instruction data classification items corresponding to the exhaustive response actions, and deduplicates the actual safety instruction data classification items and the exhaustive safety instruction data classification items to generate the white list.

Specifically, in the embodiment of the present invention, the generation module is a module for autonomously generating a white list, during the operation and debugging period, receiving service request data to be analyzed within a preset time and allowing all of the received service request data to pass through, receiving service response data to be analyzed corresponding to the service request data to be analyzed, analyzing the service request data to be analyzed and the service response data to be analyzed within the preset time to obtain an actual safety instruction data classification entry, and during the operation and debugging period, the reception unit is configured to receive the service request data to be analyzed and the service response data to be analyzed within the preset time, the white list generation unit is configured to analyze the service request data to be analyzed and the service response data to be analyzed to obtain an actual safety instruction data classification entry, and simultaneously analyze the exhaustive response action to obtain a safety instruction data classification entry corresponding to the exhaustive response action, perform deduplication on the actual safety instruction data classification entry and the exhaustive safety instruction data classification entry, generate the white list, and generate the white list during the previous operation period through the generation module, so that the safety instruction data classification entry and the hazardous data classification entry of the UPS are intercepted effectively according to the white list, thereby preventing the hazardous data from the hazardous condition of the safety instruction data during the operation, and the hazardous condition of the healthy instruction data classification entry, and the hazardous condition of the healthy instruction during the healthy list during the normal operation.

The application field of the method for defending the UPS air conditioning equipment against the command attack provided by the embodiment of the invention is briefly introduced as follows:

in the field of remote monitoring of UPS air-conditioning equipment, an attacker usually bypasses authority verification by using bugs of some equipment, systems and protocols, carries attack instructions in service request data to form an attack, is limited by the size and performance limitations of edge-side terminal equipment, cannot establish a complete firewall to resist malicious attacks, and has increasingly strong requirements for remote monitoring along with rapid development of cloud computing technology and internet of things technology, and also puts higher requirements on robustness of UPS air-conditioning equipment.

In order to defend against the attack of harmful instructions in the field of remote monitoring of UPS air conditioning equipment, the application provides a defense method, the method obtains all communication data, classifies all instructions according to a preset white list, intercepts and records the data identified as the harmful instructions, and passes other safety instruction data.

The command of the upper computer for communicating with the UPS air conditioning equipment can be various, and three of the commands are introduced as an example:

inquiry command of a certain type UPS: q1< cr >, UPS return: (208.4.140.0.208.4 034.9.2.05.35.0 00110000 is constructed as cr >, which means that the input voltage is 208.4V, the input voltage error threshold is 140.0V, the output voltage is 208.4V, the output current (load) is 34%, the input frequency is 59.9 HZ, the cell voltage of the battery is 2.05V, the temperature is 35.0 ℃, the UPS is online, the UPS is in a fault state, a bypass state and a shutdown state, and the instruction is used for inquiring and obtaining the operation parameters of the UPS, which generally does not bring about potential safety hazard.

Shutdown instructions for a certain type of UPS: s < n > < cr >, the UPS performs the actions of: the output of the UPS is closed in < n > minutes, and even if the commercial power is still input, the instruction can force the UPS to be shut down, so that potential safety hazards exist.

Test instructions of a certain type of UPS: TL < cr >, UPS performs the actions: the battery low-voltage state is automatically tested and then the battery is recovered to the normal commercial power state, the self-test, namely the UPS, is switched to supply power for the battery for power supply test, the battery can be discharged through the instruction, the system cannot reach the expected backup time, and potential safety hazards exist.

It should be noted that the service request data is not limited to the above three instructions, and the instructions are divided into harmful instruction data and harmless instruction data by establishing a white list, so as to intercept and record the harmful instruction data and protect the system security.

The application scenario of the processing method for preventing the UPS air-conditioning equipment from the harmful instruction attack is explained as follows: the scene comprises UPS air conditioning equipment, safety filtering equipment and an upper computer,

the UPS air conditioner and the safety filter device can be communicated, the safety filter device and the upper computer can be communicated, the precision air conditioner and the safety filter device can be communicated in a wired communication mode through a connecting serial port line, the safety filter device and the upper computer can be communicated in a wired communication mode, for example, the safety filter device and the upper computer can be communicated in a connecting network line, and the safety filter device and the upper computer can also be communicated in a mobile communication mode, wherein the mobile communication mode is a 4G and 5G mode.

The UPS air conditioning equipment is used for receiving service request data and sending equipment terminals of service response data, the safety filtering equipment is a processing device for defending the UPS air conditioning equipment against harmful instruction attacks, the upper computer is terminal equipment or a server and the like which are responsible for processing and analyzing in the monitoring of the UPS air conditioner, and the server can be a local server or a cloud server and the like.

The method for defending the UPS air conditioning equipment against command attack provided by the embodiment of the invention comprises the following steps:

step S201, obtaining each data communicated between the UPS air conditioner and the upper computer, wherein the data comprises service request data and service response data, and the service request data carries data associated with an attack instruction;

specifically, each data of communication between the UPS air conditioners and the upper computers is obtained, specifically, the data sent by all the upper computers are monitored, the service request data are obtained, the data sent by all the UPS air conditioners are monitored, and the service response data are obtained.

Step S202, a white list is established according to preset classification conditions, all service request data are classified, and a safety instruction data classification set and a harmful instruction data classification set are obtained, wherein the preset classification conditions are generated by one of the following modes: manually presetting a white list; normally working for a period of time in a safe environment, recording all service request data, and generating a white list according to all the appeared service request data;

and step S203, distinguishing the safety instruction data and the harmful instruction data according to the white list, respectively processing, intercepting and recording the harmful instruction data, and allowing the safety instruction data to pass through and normally communicating.

Specifically, the preset white list classification condition in the embodiment of the invention is that from the perspective of a UPS air conditioning equipment manufacturer, instructions which are dangerous and interfering with the normal operation of the equipment are intercepted and filtered, so that the client can be ensured to safely and normally use the remote monitoring function of the equipment; the security filtering is carried out on a transmission layer, the security filtering is superior to an application layer, the network layer authority level and the system level protection, in the field of UPS air conditioner remote monitoring, attackers usually utilize certain equipment, system and protocol bugs to bypass authority verification, attack instructions are carried in service request data to form attacks, the attacks are limited by the size of edge side terminal equipment, performance limitation is caused, a complete firewall cannot be established to resist malicious attacks, the security filtering is carried out by utilizing a white list mechanism on the transmission layer, the system security is improved to a certain extent, meanwhile, the intervention surface is small, and the cost and the efficiency are better.

Based on the application scene of the processing method for preventing the UPS air conditioning equipment from the harmful instruction attack, the interaction process among the equipment is illustrated as follows:

the upper computer sends service request data to the UPS air conditioning equipment, the service request data are acquired by the safety filter card, the safety filter card classifies the service request data, harmful instruction data are intercepted and recorded, the harmful instruction data are identified to be that the harmful instruction data cannot reach the UPS air conditioning equipment, damage to a system is avoided, communication is allowed for the safety instruction data, the safety instruction data are sent to the UPS air conditioning equipment, and services are normally processed.

The UPS air conditioning equipment sends service response data to the upper computer, the service response data are acquired by the safety filter card, the safety filter card allows communication of the service response data, and the service response data are sent to the upper computer to normally process services.

The data interaction process among the UPS air conditioning equipment, the safety filter card and the upper computer in the embodiment of the invention mainly comprises the following steps:

step S21, the upper computer sends service request data to the UPS air conditioning equipment;

specifically, when the upper computer is in program control or manual operation, the upper computer sends service request data to the UPS air conditioning equipment, including querying an operation state parameter, controlling an operation state of the equipment, and the like.

Step S22, the security filter card acquires the data;

specifically, when the upper computer sends service request data to the UPS air conditioning equipment, the security filter card acquires the data.

And S23, classifying the service request data by the security filter card according to the white list.

Specifically, after acquiring service request data sent by an upper computer to the UPS air conditioning equipment, the security filter card filters the service request data, where the service request data includes three examples and other similar instructions, and a query instruction: q1< cr >, shutdown command: s < n > < cr >, test instruction: the TL < cr >, the security filter card determines whether the request data is in the security white list according to the white list, that is, whether the request data belongs to the harmful instruction data is judged, for example, forced shutdown, bypass switching and the like, and the white list is established by the manual entry and the automatic learning generation.

And step S24, for harmful instruction data, the safety filter card intercepts the instruction and generates a harmful instruction data record report.

Specifically, after classifying service request data sent by an upper computer to the UPS air conditioning equipment, the safety filter card intercepts and records harmful instruction data to generate a harmful instruction data recording report, and the instructions intercepted by the safety filter card cannot reach the UPS air conditioning equipment any more.

The embodiment of the application provides a processing device for preventing command attack of UPS air-conditioning equipment, which is equivalent to a safety filter card and realizes the corresponding function of a method for preventing command attack of UPS air-conditioning equipment. Referring to fig. 4, the apparatus includes a power control module 301, a program programming and debugging control module 302, an obtaining module 303, a white list resetting control module 304, a white list autonomous learning control module 305, a processing module 306, and a bypass module 307, wherein,

the power supply control module controls a 9V direct-current power supply to be used as the power supply input of the device;

the program programming and debugging control module is used for accessing an upper computer to control manual white list creation, device firmware updating and device debugging, the module only allows physical direct connection and does not access a network, and the device is prevented from becoming another potential safety hazard point;

the acquisition module acquires service request data transmitted to the UPS air conditioning equipment by the upper computer and acquires service response data transmitted to the upper computer by the UPS air conditioning equipment;

the white list resetting control module is used for erasing and resetting the white list which is manually created or generated by self-learning and applying the white list to the condition of wrong entry of the white list;

the white list autonomous learning control module is used for recording all service request data during the period when the device normally works in a safe environment for a period of time and generating a safe white list according to all the appeared service request data;

specifically, the white list autonomous learning control module works normally in a safe environment for a period of time, the autonomous learning module records all service request data during the period, and generates a safe white list according to all the appeared service request data, so that inconvenience in manual white list entry is avoided, the labor cost is reduced, and the applicability of the device is improved.

A processing module, for the data acquired by the acquisition module, the processing module being configured to:

for service request data, respectively determining whether each service request is in a safe white list;

service requests which are not in the white list are marked as harmful instruction data, interception is carried out, and harmful instructions are prevented from reaching the UPS air conditioning equipment end;

and recording the intercepted harmful instructions, including the data type of the harmful instructions, the sending time and the address of a sending end, regularly carrying out health examination by combining data records, judging the risk level of the system and probing weak links of the system.

A bypass module, the bypass module specifically configured to:

switching to another data transmission line that allows all traffic response data to pass through for traffic request data in special cases, including: and the processing module intercepts the function abnormity and needs debugging.

Referring to fig. 5, an embodiment of the present invention further provides a one-chip microcomputer apparatus,

the processing device for protecting the UPS air conditioner against command attacks is operated on a single-chip microcomputer device 400, a processing program for protecting the UPS air conditioner against command attacks can be installed on the single-chip microcomputer device, the single-chip microcomputer device comprises a processor 460, a memory 420 and a display unit 430, the display unit 430 comprises an LED signal lamp for displaying a power state, a communication state, a fault state,

a processor for reading the computer program and executing the method defined by the computer program;

specifically, for example, the processor reads a processing program of the UPS air conditioner for defending against command attacks, reads service request data, service response data, and the like.

The storage comprises an extended data output memory (SDRAM), a Static Random Access Memory (SRAM), a ferroelectric memory (FRAM), the storage is used for storing a computer program and other data, the computer program comprises a processing program for protecting the UPS air-conditioning equipment from command attacks, a watchdog program and the like, the other data can comprise data generated after an application program is operated, the data comprises system data (such as configuration parameters) and user data, the program command is stored in the storage, and the processor executes the stored program command to realize the method for protecting the UPS air-conditioning equipment from command attacks;

a display unit for outputting signals related to the operation state resulting from the function control of the one-chip microcomputer device, the display unit including an LED signal lamp 431 for outputting different signals.

In addition to the above, the single-chip microcomputer device further includes a power supply 410 for supplying power, an RS232 communication control module 440, and an rs485 communication control module 450.

In particular, the processor and the memory may be in a coupled arrangement or may be relatively independent arrangements.

Specifically, the processor in fig. 5 may be configured to implement the functions of the power control module, the program programming and debugging control module, the processing module, the obtaining module, the bypass module, the white list resetting control module, and the white list self-learning control module in fig. 4.

In particular, the processor in fig. 5 may be configured to implement the corresponding functions of the security filter card device.

So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of the present invention is obviously not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.

The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims

1. A method for defending UPS air conditioning equipment against command attacks is characterized by comprising the following steps:

2. The method for defending the UPS air conditioning equipment against the instruction attack according to claim 1, wherein when the white list is created, during the operation debugging, the method receives the service request data to be analyzed sent to the UPS air conditioning equipment by the upper computer within the preset time T1 and allows the service request data to be analyzed to pass through, records the sending time of the service request data to be analyzed, receives the service response data to be analyzed corresponding to the service request data to be analyzed within the preset time T1, records the returning time of the service response data to be analyzed, meanwhile, sequentially exhaustively exhausts the response actions of the normally operated UPS air conditioning equipment, and completes the white list according to the exhausted response actions.

3. The method for protecting UPS air conditioner against command attacks as claimed in claim 2, wherein the sending time T1 of the service request data to be analyzed is recorded, the returning time T2 of the service response data to be analyzed is recorded, T2 > T1, the time Δ T of the UPS air conditioner executing the service request data to be analyzed is calculated, wherein Δ T = T2-T1, the executing time is compared with the preset executing time T, wherein T < T1,

if the delta t is more than 0 and less than or equal to t, the time for executing the service request data to be analyzed by the UPS air conditioning equipment does not exceed the preset execution time, and the UPS air conditioning equipment runs normally, the service request data to be analyzed corresponding to the service response data to be analyzed is judged to be safe service request data.

4. The method for defending against command attacks of UPS air conditioners according to claim 3, wherein when the return time of the service response data to be analyzed is recorded, if the service response data to be analyzed is not received at the preset time T1, which indicates that the UPS air conditioners are abnormally operated when executing the service request data to be analyzed, it is determined that the service request data to be analyzed corresponding to the service response data to be analyzed is harmful service request data.

5. The method for defending UPS air conditioning equipment against instruction attacks according to claim 4, wherein after the safe service request data and the harmful service request data are judged, the safe service request data comprise a plurality of safe instruction data, any safe instruction data comprise a safe instruction data identifier, a safe instruction data sending time and a safe instruction data sending end address, classification is performed according to the safe instruction data identifier to obtain an actual safe instruction data classification item, the exhaustive response action is analyzed to obtain a safe instruction data classification item corresponding to the exhaustive response action, and the actual safe instruction data classification item and the exhaustive safe instruction data classification item are deduplicated to generate a white list.

6. The method for defending against command attacks of UPS air conditioning equipment as recited in claim 5, wherein when the business request data is judged according to the white list, a plurality of command data identifications of a plurality of command data in the business request data are classified to obtain command data classification entries, the command data classification entries are matched with the safety command data entries in the white list, if the matching is successful, the command data corresponding to the successfully matched command data classification entries are judged as safety command data, and if the matching is failed, the command data corresponding to the unsuccessfully matched command data classification entries are judged as harmful command data.

7. The method for defending UPS air conditioners against instruction attacks according to claim 6, wherein when the safety instruction data and the harmful instruction data are processed, the safety instruction data are passed, and are continuously transmitted to the UPS air conditioners, the harmful instruction data are intercepted, the transmission to the UPS air conditioners is stopped, and harmful instruction data classification items, harmful instruction data identifications, harmful instruction data sending times and harmful instruction data sending addresses of the harmful instruction data are recorded, and harmful instruction data recording reports are generated.

8. The method for protecting UPS air conditioning equipment against instruction attacks according to claim 7, wherein when the harmful instruction data record report is analyzed, the analysis is performed within a preset time T2 according to the sending time of the harmful instruction data and the sending address of the harmful instruction data in the harmful instruction data record report,

and obtaining analysis results that any time period is a harmful instruction data sending peak period, any harmful instruction data sending terminal address is a risk address and any harmful instruction data sending terminal address is a safe address, marking a plurality of instruction data in any time period in the peak period or a plurality of instruction data with the instruction data sending terminal address as the risk address as suspicious instruction data before judging a plurality of instruction data in the service request data according to the analysis results, otherwise not marking the suspicious instruction data and the normal instruction data, judging the suspicious instruction data and the normal instruction data according to a white list, and preferentially judging the service request data marked as the suspicious instruction data to generate the safe instruction data and the harmful instruction data.

9. A system for protecting a UPS air conditioner against command attacks, applying the method for protecting a UPS air conditioner against command attacks according to any one of claims 1 to 8, comprising:

and the second processing module is used for analyzing the harmful instruction data record report to obtain an analysis result, marking suspicious instruction data on the service request data before judging the service request data according to the analysis result, and preferentially judging the service request data marked as the suspicious instruction data according to a white list.

10. The system for protecting against command attacks of the UPS air conditioning equipment according to claim 9, wherein the generating module is a module that autonomously generates a white list, receives service request data to be analyzed within a preset time and allows all of the service request data to pass through during operation and debugging, receives service response data to be analyzed corresponding to the service request data to be analyzed, and analyzes the service request data to be analyzed and the service response data to be analyzed to obtain an actual safety command data classification entry, and the generating module includes a receiving unit and a white list generating unit, the receiving unit is configured to receive the service request data to be analyzed and the service response data to be analyzed within the preset time during operation and debugging, and the white list generating unit is configured to analyze the service request data to be analyzed and the service response data to be analyzed to obtain an actual safety command data classification entry, and analyze an exhaustive response action to obtain an exhaustive safety command data classification entry, and deduplicate the actual safety command data classification entry and the exhaustive safety command data classification entry to generate the white list.