CN115314286A - Safety guarantee system - Google Patents

Info

Publication number: CN115314286A
Authority: CN (China)
Prior art keywords: security, safety, industrial, network, edge side
Legal status: Pending
Application number: CN202210939396.0A
Other languages: Chinese (zh)
Inventors: 贺绍府, 周景锋, 张鹏, 陈会, 孙俊卫, 高晓强, 王延芳
Current assignee: ZYNP Corp
Original assignee: ZYNP Corp
Application filed by ZYNP Corp
Priority to CN202210939396.0A
Publication of CN115314286A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
        • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
            • H04L 63/101 Access control lists [ACL]
        • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
            • H04L 63/1433 Vulnerability analysis
        • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        • H04L 69/22 Parsing or analysis of headers

Abstract

The application discloses a security guarantee system comprising: an edge side security module, which performs whitelist authentication of edge side devices in the industrial internet so that only edge side devices that pass whitelist authentication can connect to the host, and which also protects industrial communication between edge side devices on the local area network and communication between edge side devices and the external network; and a platform security module, which protects the platform in the industrial internet at the physical facility, boundary, host, application, authentication, data and management levels. Under this technical scheme the edge side security module protects the edge side devices and the edge side network in the industrial internet, and the platform security module protects the platform in the industrial internet; that is, the industrial internet is maintained from both the edge side security and the platform security aspects, so that the security of the industrial internet, and in turn industrial security, is effectively guaranteed.

Description

Safety guarantee system
Technical Field
The application relates to the technical field of industrial internet, in particular to a safety guarantee system.
Background
The industrial internet is a new type of infrastructure, application model and industrial ecosystem formed by the deep integration of new-generation information and communication technology with the industrial economy. By comprehensively connecting people, machines, objects, systems and the like, it constructs a completely new manufacturing and service system covering the whole industrial chain and the whole value chain, and provides a path toward digital, networked and intelligent development for industry and the wider economy. For the industrial internet to operate reliably and stably, how to ensure its security has become a key concern.
In summary, how to ensure the security of the industrial internet is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
In view of the above, an object of the present application is to provide a security guarantee system that ensures the security of the industrial internet.
In order to achieve the above purpose, the present application provides the following technical solutions:
a security guarantee system, comprising:
an edge side security module, which performs whitelist authentication of edge side devices in the industrial internet so that only edge side devices that pass whitelist authentication can connect to the host; the edge side security module also protects industrial communication between edge side devices on the local area network and protects communication between edge side devices and the external network;
and a platform security module, which protects the platform in the industrial internet at the physical facility level, boundary level, host level, application level, authentication level, data level and management level.
Preferably, the edge side security module includes a traffic audit probe deployed in the edge side network;
the traffic audit probe generates an industrial protocol feature library by learning the industrial protocols in the industrial network data traffic; records the protocol messages exchanged between hosts and analyzes them against the industrial protocol feature library; detects from the analysis result whether an intrusion attack exists; and, when an intrusion attack exists, analyzes the protocol messages, locates the geographical position of the attacker, obtains the attacker's attack characteristic information, and formulates a corresponding security policy according to the geographical position and the attack characteristic information.
Preferably, the traffic audit probe is further configured to use supervised learning, extract features and classifications of the protocol messages with a multidimensional clustering algorithm, and determine that learning has converged when no new protocol message classification appears within a preset time; and, from the classified protocol messages, to abstract the variable and invariant quantities in the industrial network protocol and convert them into a matrix vector model whose dimension is larger than a preset dimension.
Preferably, the platform security module includes a physical facility security unit, a boundary security protection unit, a host security unit, an application security unit, an authentication security unit, a data security unit and a security management unit, wherein:
the physical facility security unit provides data center environment security, physical access control and facility-level protection through an access control system, a video monitoring system and an environment monitoring system;
the boundary security protection unit performs security domain division, network virus protection, and network intrusion detection and response, isolates the plant area network from the core network through an industrial firewall, isolates the core network from the application system network through an industrial network gap device (gatekeeper), and performs traffic cleaning and Web filtering;
the host security unit scans for system vulnerabilities, hardens the system, detects and responds to system intrusions, controls host access and performs centralized authentication;
the application security unit performs vulnerability scanning, Web security protection and mail security protection;
the authentication security unit provides a unified security authentication system to ensure authentication security for networked collaborative applications;
the data security unit provides storage network isolation, residual data protection and data encryption, and uses a database audit system to comprehensively audit access to the database server;
the security management unit handles security information and event management, security compliance management and vulnerability management.
Preferably, the application security unit performs Web security protection using an LTD model.
Preferably, the data security unit includes an industrial network gap device; the gap device includes an internal network processing unit, an external network processing unit and a secure data exchange unit, and the secure data exchange unit ferries security data between the internal network host and the external network host at a specified period.
The application provides a security guarantee system comprising: an edge side security module, which performs whitelist authentication of edge side devices in the industrial internet so that only edge side devices that pass whitelist authentication can connect to the host, and which also protects industrial communication between edge side devices on the local area network and communication between edge side devices and the external network; and a platform security module, which protects the platform in the industrial internet at the physical facility level, boundary level, host level, application level, authentication level, data level and management level.
In the technical scheme disclosed above, the security guarantee system includes an edge side security module and a platform security module. The edge side security module performs whitelist authentication of edge side devices in the industrial internet, and only edge side devices that pass whitelist authentication can connect to the host, which protects the edge side devices; the edge side security module also protects industrial communication between edge side devices on the LAN and communication between edge side devices and the external network, which protects the edge side network. The platform security module protects the platform in the industrial internet at the physical facility, boundary, host, application, authentication, data and management levels, ensuring the security of the platform to which the edge side devices are connected. The application thus maintains the industrial internet from the two aspects of edge side security and platform security, so that the security of the industrial internet, and in turn industrial security, is effectively guaranteed.
Drawings
To explain the embodiments of the present application or the prior art more clearly, the drawings needed in their description are briefly introduced below. The drawings described below show only embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a security guarantee system according to an embodiment of the present application;
Fig. 2 is a schematic diagram of intrusion detection for Web security using an LTD model according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the protection scope of the present application.
Referring to Fig. 1, which shows a schematic structural diagram of a security guarantee system provided in an embodiment of the present application, the system may include:
an edge side security module, which performs whitelist authentication of edge side devices in the industrial internet so that only edge side devices that pass whitelist authentication can connect to the host; the edge side security module also protects industrial communication between edge side devices on the local area network and protects communication between edge side devices and the external network;
and a platform security module, which protects the platform in the industrial internet at the physical facility layer, boundary layer, host layer, application layer, authentication layer, data layer and management layer.
The security guarantee system provided by the application may comprise an edge side security module and a platform security module. The edge side security module mainly performs whitelist authentication of edge side devices in the industrial internet, so that only edge side devices passing whitelist authentication can connect to a host; it also protects industrial communication between edge side devices on the LAN and protects communication between edge side devices and the external network. The platform security module mainly protects the platform in the industrial internet. The platform is connected to the edge side devices through the edge side network and can generally be divided into three layers: IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service).
For edge side devices in the industrial internet, operation must be secure, stable and reliable, with strong resistance to interference. The security requirements of the devices are therefore studied from the aspects of hardware electromagnetic compatibility, environmental requirements, vibration requirements, software reliability and the like. Specifically, the edge side security module provided by the present application may include an edge side device security unit, which performs whitelist authentication of edge side devices; only an edge side device that passes whitelist authentication (that is, one on the whitelist) is allowed to connect to the host. In practice, whitelist software is installed on the operator hosts in the workshop and performs whitelist authentication of peripherals such as USB (universal serial bus) devices, network cards, floppy drives and optical drives, so that only whitelisted peripherals can connect to the host. In addition, read-write, read-only and forbidden modes can be set for USB devices. A matching dedicated secure USB flash drive guarantees safe ferrying of industrial control host data, prevents host infection by malware introduced through peripherals such as USB devices, and ensures that key host data and files cannot be exported illegally.
Through a rich set of peripheral control policies, whitelist filtering policies, data tamper-proofing policies, illegal outbound connection control policies, port management policies, sensitive operation control policies and the like, protection against ransomware and cryptomining malware is strengthened along the propagation path, detection, runtime behaviour, execution and data protection dimensions, so that the industrial control host is effectively protected from ransomware and cryptomining malware.
For edge side network security, the focus is on the industrial communication security of local area networks between edge side devices, emphasizing the consistency and interoperability security of industrial communication protocols; the real-time performance, validity, integrity and confidentiality of data; and the protection of communication with the external network, such as identity authentication, access control, security audit, malicious code prevention and intrusion prevention. Accordingly, the edge side security module provided by the present application may include an edge side network security unit, which mainly protects industrial communication between edge side devices in the local area network (emphasizing consistency and interoperability protection of the industrial communication protocol) and protects communication between edge side devices and the external network, specifically from the aspects of identity authentication, access control, security audit, malicious code prevention, intrusion prevention and the like.
For the platform in the industrial internet, the scheme considers multiple security aspects such as network isolation, attack protection, transmission security, application security and management security. Starting from the ideas of layering and defense in depth, it divides protection by layer into physical facility security, boundary security, host security, application security, authentication security, data security and security management, and defends against the various security threats at each layer; that is, the platform in the industrial internet is protected at the physical facility layer, boundary layer, host layer, application layer, authentication layer, data layer and management layer. The above hierarchy may further include virtualization security, that is, the industrial internet platform may also be protected at the virtualization layer (so that the platform is protected at the physical facility, boundary, host, virtualization, application, authentication, data and management layers). Virtualization security covers threats arising from vulnerabilities in the Hypervisor (the intermediate software layer running between the physical server and the operating system), the security risk of a virtual machine attacking the Hypervisor, attacks and sniffing between virtual machines, virus and trojan implantation, misconfiguration, and the like.
Through this security guarantee system, an industrial security and information security guarantee system for the test environment is implemented from the two aspects of edge side security and platform security. Edge side security comprises edge side device security and edge side network security: edge side device security effectively protects the industrial control host from ransomware and cryptomining malware, and edge side network security provides communication security. The platform can effectively defend against various security threats, build a three-level, layered security protection system covering an enterprise's devices, network, data, industrial APPs and users, ensure data access security, platform security and access security, and provide a guarantee for the safe and reliable operation of the platform test bed, the industrial APPs and the industrial mechanism model library; and from the security aspects of network isolation, attack protection, transmission security, application security, management security and the like, it builds a domain-divided trusted access and layered active defense system covering upstream users, enterprises and downstream suppliers in the supply chain.
In the security guarantee system provided by the embodiment of the application, the edge side security module may include a traffic audit probe deployed in the edge side network;
the traffic audit probe generates an industrial protocol feature library by learning the industrial protocols in the industrial network data traffic; records the protocol messages exchanged between hosts and analyzes them against the industrial protocol feature library; detects from the analysis result whether an intrusion attack exists; and, when an intrusion attack exists, analyzes the protocol messages, locates the geographical position of the attacker, obtains the attacker's attack characteristic information, and establishes a corresponding security policy according to the geographical position and the attack characteristic information.
In this application, the edge side security module (specifically, its edge side network security unit) may include a traffic audit probe deployed in the edge side network. The traffic audit probe generates a specific industrial protocol feature library by learning the industrial protocols in the industrial network data traffic; the feature library includes the source IP, destination IP, protocol name and detailed protocol data found in the network traffic. On the basis of analyzing the service communication data, the traffic audit probe records the protocol messages exchanged between hosts, parses the industrial protocol in depth, and converts each protocol message into service information on the human-machine interface (for example, that host 1 wrote a certain register on host 2), which serves as a basis for later audit. Traffic audit records traffic trends across multiple dimensions, including per-host and per-protocol traffic trends, and provides data for analyzing network attacks: if a certain protocol message from a certain host exceeds the configured upper or lower threshold, the service can be suspected of being abnormal. In this way the traffic audit probe can detect whether an intrusion attack exists from the result of the industrial protocol analysis.
When an intrusion attack is detected, the original data packet matched by the attack message is retained and linked to the packet through a Security Identifier (SID). By analyzing the attack message, the (approximate) geographical position of the attacker is located and the attacker's attack characteristic information (the attacker's habits, characteristics and other features) is obtained, and a more targeted security policy is formulated from the geographical position and the attack characteristic information to protect the service system and ensure security.
In the security guarantee system provided by the embodiment of the application, the traffic audit probe is further configured to use supervised learning, extract features and classifications of the protocol messages with a multidimensional clustering algorithm, and determine that learning has converged when no new protocol message classification appears within a preset time; and, from the classified protocol messages, to abstract the variable and invariant quantities in the industrial network protocol and convert them into a matrix vector model whose dimension is larger than a preset dimension.
In the application, the traffic audit probe included in the edge side network security unit can also use supervised learning, automatically extract features and classifications of protocol messages with a multidimensional clustering algorithm, and determine that learning has converged when no new protocol message classification appears within a preset time (such as 12 hours). From the classified protocol messages it abstracts the variable and invariant quantities in the industrial network protocol and converts the protocol messages into a matrix vector model whose dimension is greater than the preset dimension (that is, high-dimensional); the resulting high-dimensional matrix vector model serves as the basis for the next stage of detection.
Detection is then performed against the matrix vector model learned in the previous stage: the likelihood of an anomaly is predicted, industrial protocol messages exceeding the preset threshold are identified as abnormal, the model is adjusted through the three parameters of correlation degree, sensitivity and threshold in the matrix vector model, and unknown network attacks and threats are identified.
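The learning and threshold-based detection behaviour described for the traffic audit probe, as an added example (not code from the patent or from ZYNP Corp): constructed Modbus and S7comm message records are learned into a feature library keyed by source IP, destination IP, protocol name and parsed operation, learning is declared converged when no new class appears within a preset window, and detection then flags unknown message classes and per-host, per-protocol message rates outside the learned upper and lower thresholds. The record format, the IP addresses, the bucket size and the sensitivity widening are assumptions; the clustering-based matrix vector model is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProtoMsg:
    """One parsed industrial protocol message (constructed record format)."""
    ts: float    # seconds since capture start
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # protocol name
    func: str    # parsed operation, e.g. a Modbus function name


Key = Tuple[str, str, str, str]   # (src, dst, proto, func): one message class
RateKey = Tuple[str, str]         # (host, proto): one traffic-trend series


@dataclass
class FeatureLibrary:
    classes: Set[Key]                           # learned protocol feature library
    thresholds: Dict[RateKey, Tuple[int, int]]  # (lower, upper) messages per bucket
    converged_at: Optional[float]               # ts at which learning converged


def _bucket_counts(msgs: List[ProtoMsg], bucket: float) -> Dict[RateKey, Dict[int, int]]:
    counts: Dict[RateKey, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for m in msgs:
        counts[(m.src, m.proto)][int(m.ts // bucket)] += 1
    return counts


def learn(msgs: List[ProtoMsg], window: float, bucket: float = 60.0,
          sensitivity: float = 0.5) -> FeatureLibrary:
    """Learning phase: a class is new when its (src, dst, proto, func) tuple is unseen;
    learning converges once no new class appears for `window` seconds. Per (host, proto)
    message counts per `bucket` seconds give the thresholds, widened by `sensitivity`
    (an assumed stand-in for the patent's sensitivity parameter)."""
    msgs = sorted(msgs, key=lambda m: m.ts)
    classes: Set[Key] = set()
    last_new, converged_at = 0.0, None
    for m in msgs:
        key = (m.src, m.dst, m.proto, m.func)
        if key not in classes:
            classes.add(key)
            last_new = m.ts
        elif converged_at is None and m.ts - last_new >= window:
            converged_at = m.ts
    thresholds: Dict[RateKey, Tuple[int, int]] = {}
    if msgs:
        first, last = int(msgs[0].ts // bucket), int(msgs[-1].ts // bucket)
        for rk, per_bucket in _bucket_counts(msgs, bucket).items():
            # silent buckets count as zero so a quiet host gets a low floor too
            series = [per_bucket[b] for b in range(first, last + 1)]
            thresholds[rk] = (int(min(series) * (1 - sensitivity)),
                              int(max(series) * (1 + sensitivity)))
    return FeatureLibrary(classes, thresholds, converged_at)


def detect(msgs: List[ProtoMsg], lib: FeatureLibrary, bucket: float = 60.0) -> List[tuple]:
    """Detection phase: flag classes absent from the library, and per (host, proto)
    bucket counts above the upper or below the lower learned threshold."""
    alerts: List[tuple] = []
    msgs = sorted(msgs, key=lambda m: m.ts)
    for key in dict.fromkeys((m.src, m.dst, m.proto, m.func) for m in msgs):
        if key not in lib.classes:
            alerts.append(("unknown_class",) + key)
    if not msgs:
        return alerts
    counts = _bucket_counts(msgs, bucket)
    first, last = int(msgs[0].ts // bucket), int(msgs[-1].ts // bucket)
    for (host, proto), (lo, hi) in lib.thresholds.items():
        for b in range(first, last + 1):
            n = counts[(host, proto)][b]
            if n > hi:
                alerts.append(("rate_high", host, proto, b, n))
            elif n < lo:
                alerts.append(("rate_low", host, proto, b, n))
    return alerts


def build_sample_traffic() -> Tuple[List[ProtoMsg], List[ProtoMsg]]:
    """Constructed traffic: an HMI polling a PLC over Modbus and an engineering station
    reading it over S7comm; then a poll burst, a silent HMI and an unseen host."""
    hmi, eng, plc, rogue = "10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.99"
    learning = (
        [ProtoMsg(float(t), hmi, plc, "modbus", "read_holding_registers") for t in range(0, 600)]
        + [ProtoMsg(float(t), eng, plc, "s7comm", "read_var") for t in range(0, 600, 5)]
        + [ProtoMsg(float(t), hmi, plc, "modbus", "write_single_register") for t in range(0, 600, 30)]
    )
    detection = (
        [ProtoMsg(float(t), hmi, plc, "modbus", "read_holding_registers") for t in range(600, 720)]
        + [ProtoMsg(float(t), eng, plc, "s7comm", "read_var") for t in range(600, 780, 5)]
        + [ProtoMsg(float(t), hmi, plc, "modbus", "write_single_register") for t in range(600, 780, 30)]
        # 100 extra polls in ten seconds: a rate spike in bucket 11
        + [ProtoMsg(670.0 + i * 0.1, hmi, plc, "modbus", "read_holding_registers") for i in range(100)]
        # a host never seen in learning writes a register and queries device identity
        + [ProtoMsg(650.0, rogue, plc, "modbus", "write_single_register"),
           ProtoMsg(660.0, rogue, plc, "modbus", "read_device_identification")]
    )
    return learning, detection
```

With the constructed traffic, `learn(learning, window=120.0)` converges at t=120 s and `detect` returns two unknown-class alerts for the unseen host, one rate-high alert for the HMI burst in bucket 11 and one rate-low alert for the silent HMI in bucket 12.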
In addition, a management platform can be deployed in the edge side network to provide the following functions:
1. Real-time monitoring of the state of the security protection currently under management, with a visual presentation of the real-time state of the various assets managed and controlled in the current network, including real-time data on added assets, newly discovered assets, online assets, offline assets and the like.
2. Statistical display of the real-time risk log of the edge side protection products, with support for tracing historical data, which helps the user review the risk trend over a recent period and the type distribution of risk events.
3. Remote configuration of the edge side protection products from the platform, using encrypted communication to ensure the confidentiality of the communication process, with batch version upgrades of the protection software, centralized collection of the protection products' security event logs, and periodic generation of log reports.
4. Centralized policy configuration management for the edge side protection products, with scheduled backup of the policies of the various security protection products and batch policy issuing, policy copying and incremental policy issuing to multiple security protection products, which simplifies the user's maintenance of multiple devices and improves maintenance efficiency.
In the security guarantee system provided by the embodiment of the application, the platform security module may include a physical facility security unit, a boundary security protection unit, a host security unit, an application security unit, an authentication security unit, a data security unit and a security management unit, wherein:
the physical facility security unit provides data center environment security, physical access control and facility-level protection through an access control system, a video monitoring system and an environment monitoring system;
the boundary security protection unit performs security domain division, network virus protection, and network intrusion detection and response, isolates the plant area network from the core network through an industrial firewall, isolates the core network from the application system network through an industrial network gap device (gatekeeper), and performs traffic cleaning and Web filtering;
the host security unit scans for system vulnerabilities, hardens the system, detects and responds to system intrusions, controls host access and performs centralized authentication;
the application security unit performs vulnerability scanning, Web security protection and mail security protection;
the authentication security unit provides a unified security authentication system to ensure authentication security for networked collaborative applications;
the data security unit provides storage network isolation, residual data protection and data encryption, and uses a database audit system to comprehensively audit access to the database server;
and the security management unit handles security information and event management, security compliance management and vulnerability management.
In this application, for the platform in the industrial internet, the platform security module is specifically as follows:
(1) For the security of physical facilities, a physical facility unit can be arranged accordingly; it realizes security of the data center environment, physical access control and the facility level through an access control system, a video monitoring system, an environment monitoring system and the like. The construction of the physical security infrastructure meets the following requirements of the classified protection (等保) scheme:
Selection of the physical location of the machine room: the machine room is built on the second floor of the office building and meets the physical conditions for wind, water and moisture resistance.
Physical access control: access to the machine room is the responsibility of designated staff of the information department; access must be registered, so that access personnel can be controlled and recorded.
Theft and damage prevention: a) machine room equipment and main components are fixed in place and carry obvious marks that are difficult to remove; b) communication cables are laid under the floor, so that they are concealed and protected; c) the machine room has a video monitoring system attended by dedicated staff.
Lightning protection: the cabinets, facilities, equipment and the like of the machine room are safely grounded through the grounding system.
Antistatic: the machine room uses an antistatic floor and the necessary grounding measures, and so has antistatic protection.
Electromagnetic protection: the power lines and the communication cables of the machine room are laid with isolation between them, so that mutual interference is avoided.
(2) For boundary security protection, a boundary security protection unit can be arranged accordingly; it is used for security domain division, network virus protection, network intrusion detection and response, boundary security isolation between the factory area network and the core network through a firewall, boundary security isolation between the core network and the application system network through an industrial gatekeeper, and traffic cleaning and Web filtering. Specifically, as the service scale and network scale of the data center keep growing, network boundaries become unclear, which leads to a complex network structure, an unclear hierarchy, systems that are hard to manage and maintain, and low network effectiveness and stability. Security domain division therefore forms a clear, concise and stable central networking framework, realizes secure interconnection with strict access control between systems, and better solves the security problems of a complex system. In addition, the unit also provides network virus protection, network intrusion detection and response, a firewall, traffic cleaning, Web filtering and the like.
An industrial firewall is used between the factory network and the core network for boundary security isolation: the boundary between the factory network and the core network is defined, and the following security boundary protection functions are realized using the firewall's boundary protection function and security policy configuration:
Basic functions: a) The industrial firewall includes the main functions of a traditional firewall and adds industrial protection functions developed for the communication patterns of industrial scenarios, such as security filtering of industrial protocols, fine-grained filtering of industrial instructions and precise protection against vulnerabilities in industrial software and equipment; b) an industrial communication protocol parsing engine is built into the industrial firewall's security operating system and, combined with the operating system's protection engine, supports identification, management and control of various industrial protocols, such as Modbus TCP (an industrial fieldbus protocol standard), OPC-DA (OPC real-time data access specification), OPC-UA (OPC unified architecture-based time-sensitive network technology), IEC-104, S7, GE-SRTP and others. Deep packet inspection and application-layer session tracking are applied to the industrial protocols; at the instruction layer parsed from Modbus TCP and OPC, illegal instructions are blocked and non-industrial-control protocols are intercepted, which protects key controllers; c) industrial network security events, such as industrial whitelist events and industrial intrusion signature defence events, are recorded and displayed in the terminology of the industrial sector, so that operation and maintenance staff can understand the security events intuitively, reducing operation and maintenance difficulty.
Access control: a) The application access control list of the industrial firewall matches data flows and determines how a service handles a packet through permit and deny parameters; the specific action taken after a match is defined and executed by the module that references the ACL; b) each application access control list of the industrial firewall supports detailed matching rules at layers 2 to 7, and can define a flow's outgoing/incoming interface, effective time, user and other information.
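The instruction-layer filtering of item b) under "Basic functions" and the permit/deny access control list described above can be illustrated in code. The following Python block is an added example written for this page, not the patent's or any firewall vendor's code: it parses the Modbus TCP header to obtain the function code (the layer-7 match), evaluates an ordered list of rules with interface, time-window, user and function-code conditions under an implicit deny, and treats a non-Modbus payload on the Modbus port as non-industrial traffic to be intercepted. The rule fields, interface names, user names and the sample policy are constructed assumptions.

```python
"""Industrial-firewall style application ACL over Modbus TCP.
Constructed example for illustration; not the patent's or a vendor's code."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str     # interface the flow arrived on (assumed name)
    dst_port: int
    user: str         # identity the firewall associated with the flow (assumed)
    hour: int         # hour of day (0-23) at which the packet was seen
    payload: bytes    # TCP payload


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    in_iface: Optional[str] = None
    dst_port: Optional[int] = None
    users: Optional[FrozenSet[str]] = None
    hours: Optional[Tuple[int, int]] = None       # effective time window [start, end)
    func_codes: Optional[FrozenSet[int]] = None   # Modbus function codes (layer-7 match)


def parse_modbus(payload: bytes) -> Optional[Tuple[int, int]]:
    """Return (unit_id, function_code) for a well-formed Modbus TCP ADU, else None.

    MBAP header: transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1); the function code is the first PDU byte."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic is denied (implicit deny).

    A rule with func_codes is a layer-7 rule: it only matches packets that parse
    as Modbus TCP, so non-industrial traffic on port 502 never matches it."""
    modbus = parse_modbus(pkt.payload)
    for i, r in enumerate(acl):
        if r.in_iface is not None and r.in_iface != pkt.in_iface:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        if r.users is not None and pkt.user not in r.users:
            continue
        if r.hours is not None and not (r.hours[0] <= pkt.hour < r.hours[1]):
            continue
        if r.func_codes is not None and (modbus is None or modbus[1] not in r.func_codes):
            continue
        return r.action, f"rule {i}"
    if pkt.dst_port == 502 and modbus is None:
        return "deny", "non-Modbus payload on the Modbus port (implicit deny)"
    return "deny", "implicit deny"


def modbus_adu(unit: int, func: int, data: bytes, tid: int = 1) -> bytes:
    """Build a Modbus TCP ADU (helper for the constructed sample packets)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: reads from the core network at any time; writes only by the
# engineering account during the day shift; everything else denied.
PLANT_ACL = [
    Rule("permit", in_iface="core", dst_port=502, users=frozenset({"engineer"}),
         hours=(8, 18), func_codes=frozenset({3, 4, 6, 16})),
    Rule("permit", in_iface="core", dst_port=502, func_codes=frozenset({1, 2, 3, 4})),
]

READ_HR = modbus_adu(1, 3, struct.pack(">HH", 0, 10))       # read 10 holding registers
WRITE_SR = modbus_adu(1, 6, struct.pack(">HH", 40, 500))    # write register 40 := 500
NOT_MODBUS = b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"           # non-industrial protocol on 502

if __name__ == "__main__":
    samples = [
        Packet("core", 502, "hmi", 2, READ_HR),         # permit, rule 1
        Packet("core", 502, "engineer", 10, WRITE_SR),  # permit, rule 0
        Packet("core", 502, "hmi", 10, WRITE_SR),       # deny, write by non-engineer
        Packet("core", 502, "engineer", 22, WRITE_SR),  # deny, outside shift
        Packet("core", 502, "hmi", 10, NOT_MODBUS),     # deny, non-industrial protocol
    ]
    for p in samples:
        print(p.user, p.hour, evaluate(PLANT_ACL, p))
```

The length check in parse_modbus is what makes the layer-7 rule meaningful: a packet whose MBAP header does not describe its own length is not treated as Modbus, so it can never satisfy a function-code rule and falls through to the deny.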
Industrial intrusion signature protection: industrial intrusion signatures cover attack behaviour targeting industrial vulnerabilities as well as general intrusion attacks. The unit therefore protects not only against general signature-based intrusion attacks but also precisely against attack behaviour aimed at industrial vulnerabilities, comprehensively protecting the industrial control system and fending off known network attacks.
AI (Artificial Intelligence) behaviour analysis: a) Using supervised learning, a multidimensional clustering algorithm automatically extracts features and classifies packets; learning is deemed to have converged when no new packet class appears within a certain time (for example 12 hours). The variable and invariant quantities in the industrial network protocol are abstracted and converted into a high-dimensional matrix vector model, which serves as the basis for the next stage of detection; b) detection is performed against the matrix vector model learned in the previous stage: the likelihood of abnormality is predicted, industrial protocol packets exceeding a preset threshold are identified as abnormal, and the model is adjusted through three parameters of the matrix vector model (correlation degree, sensitivity and threshold), so that unknown network attacks and threats can be identified.
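As an added example, not part of the patent, the Python block below sketches the two stages described above; it also covers the learning and convergence step restated in claim 3. Messages are clustered by their invariant fields (unit id, function code, start address), the variable field (quantity read or value written) is collected per cluster, convergence is declared when no new cluster has appeared for 12 hours of capture time, and the detection stage scores a message by its distance from its cluster, scaled by a sensitivity parameter and compared with a threshold. The choice of fields, the z-score as the "likelihood of abnormality", the one-message-per-minute constructed traffic and the floor on the standard deviation are assumptions; the correlation-degree parameter of the patent's model is not modelled.

```python
"""Baseline learning and anomaly scoring for industrial protocol messages.
Constructed example for illustration; not the product's model."""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONVERGENCE_WINDOW_S = 12 * 3600   # converged when no new message class for 12 h (page's example)


@dataclass(frozen=True)
class Message:
    ts: float      # seconds since capture start
    unit: int      # Modbus unit id      } invariant fields: together they
    func: int      # function code       } define the message class
    addr: int      # start register      }
    operand: int   # quantity (reads) or value (writes): the variable field (assumption)


@dataclass
class ClassStats:
    samples: List[int]
    mean: float = 0.0
    std: float = 1.0


class BehaviourModel:
    def __init__(self, sensitivity: float = 1.0, threshold: float = 3.0):
        self.classes: Dict[Tuple[int, int, int], ClassStats] = {}
        self.last_new_class_ts: Optional[float] = None
        self.sensitivity = sensitivity   # scales the anomaly score
        self.threshold = threshold       # score above which a message is abnormal
        self.converged = False

    def learn(self, msg: Message) -> None:
        """Learning stage: cluster by invariant fields, collect the variable field."""
        key = (msg.unit, msg.func, msg.addr)
        if key not in self.classes:
            self.classes[key] = ClassStats(samples=[])
            self.last_new_class_ts = msg.ts     # a new class restarts the convergence clock
        self.classes[key].samples.append(msg.operand)
        if msg.ts - self.last_new_class_ts >= CONVERGENCE_WINDOW_S:
            self.converged = True               # no new class for a whole window

    def finalize(self) -> int:
        """Turn each class's samples into its row of the model (mean, std)."""
        for st in self.classes.values():
            st.mean = statistics.fmean(st.samples)
            st.std = statistics.pstdev(st.samples) if len(st.samples) > 1 else 0.0
        return len(self.classes)

    def score(self, msg: Message) -> Tuple[str, float]:
        """Detection stage: distance of the variable field from the learned class."""
        st = self.classes.get((msg.unit, msg.func, msg.addr))
        if st is None:
            return "unknown-class", float("inf")   # never seen during learning
        # Floor of 1.0 on std avoids division by zero for constant fields (assumption).
        z = abs(msg.operand - st.mean) / max(st.std, 1.0)
        s = z * self.sensitivity
        return ("abnormal" if s > self.threshold else "normal"), s


def constructed_training_traffic() -> List[Message]:
    """About 13 hours of constructed traffic: one read class and one write class."""
    msgs = []
    for i in range(800):                       # one message per minute
        ts = i * 60.0
        if i % 2 == 0:
            msgs.append(Message(ts, 1, 3, 0, 10))                     # read 10 registers
        else:
            msgs.append(Message(ts, 1, 16, 40, 480 + (i * 7) % 41))   # setpoint in 480..520
    return msgs


def build_model() -> BehaviourModel:
    model = BehaviourModel(sensitivity=1.0, threshold=3.0)
    for m in constructed_training_traffic():
        model.learn(m)
    model.finalize()
    return model


if __name__ == "__main__":
    model = build_model()
    print("classes:", len(model.classes), "converged:", model.converged)
    for m in [Message(50000, 1, 16, 40, 505),    # normal setpoint
              Message(50001, 1, 16, 40, 9000),   # out-of-range setpoint
              Message(50002, 1, 3, 0, 200),      # reads far more registers than usual
              Message(50003, 1, 5, 7, 1)]:       # coil write never seen in learning
        print(m.func, m.operand, model.score(m))
```

Raising the sensitivity or lowering the threshold makes the detector stricter without relearning, which is the tuning the text describes; a message from a class that never appeared during learning is reported separately, since no distance can be computed for it.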
The industrial gatekeeper is used for boundary security isolation between the core network and the application system network: the boundary between the core network and the application system network is defined, and the following security boundary protection functions are realized using the physical isolation function and security policy configuration of the industrial gatekeeper:
Security isolation between networks: a multi-machine architecture is adopted, and a combination of software and hardware effectively isolates any direct connection between the internal and external networks, preventing unrestricted exchange of information.
Protocol termination, information landing: the internal/external terminals are the endpoints of the respective general-purpose protocol (i.e. TCP/IP) of the internal/external network; one network's protocol cannot extend into the other, and all application-layer information passing through is stripped out of the TCP/IP packets and reconstructed as application-layer information.
Controlled information exchange: all information exchange between the connected internal and external networks takes place over pre-established, valid security channels, and the protocol channels are controlled by strict security policies, so that malicious attacks and leakage of sensitive information can be prevented.
User-based access control: between the internal and external networks, only the specific information exchange activities of legitimate users are allowed through. The establishment, communication and disconnection of a protocol channel are all carried out under strict user-based access control.
Preventing network attacks and information leakage: through user access control, the establishment of security protocol channels and the configuration of security policies, the industrial gatekeeper can discover, filter and block various known and unknown attacks, especially application-based attack means such as Web script attacks and malicious code such as viruses and worms, effectively protecting the security of the internal network system. At the same time, with strict content control, leakage of internal sensitive information can also be prevented.
(3) For host security, a host security unit may be configured accordingly; it performs system vulnerability scanning, system hardening, system intrusion detection and response, host access control and centralized authentication. Specifically, industrial hosts are protected by the industrial guard software of the host security protection system; the industrial host guard software is uniformly monitored and controlled by the supervision platform system, which gives unified management of the operation, maintenance and security protection of industrial hosts, and host security protection is realized together with security policy configuration.
Peripheral protection: the industrial guard supports control of industrial control host peripherals such as USB, network cards, floppy drives, CD-ROM drives, Bluetooth and infrared. Only authorised USB devices, network cards, floppy drives and optical drives can operate on the host, which prevents malware carried by a peripheral from infecting the host. In addition, the user can flexibly set the "readable and writable, read-only or inaccessible" permission of ordinary USB flash drives as required.
Host system hardening: the industrial guard software hardens the host in several respects, improving system security and preventing the operating system from being damaged by malicious programs. The industrial guard automatically obtains all ports used by the currently running programs and can block or release the corresponding ports in the port status section. The industrial guard also supports registry and sensitive action protection; one-click enabling of enhanced protection against ransomware, worms and mining viruses blocks virus propagation via the registry, sensitive actions, ports and other routes.
Virus protection: through rich peripheral control policies, whitelist filtering policies, data tamper-proofing policies, illegal external connection control policies, port management policies, sensitive action management policies and the like, the industrial guard software strengthens protection against ransomware and mining viruses in terms of propagation routes, virus detection, virus behaviour, virus execution, data protection and so on, effectively protecting the industrial control host from ransomware and mining viruses.
In addition, a traffic probe and a spy product can be used in the core network area to take charge of security events across the whole network; they work together with the industrial host guard to respond to security events in time.
System intrusion detection and response: the spy product adopts a five-engine linked detection system, with an AI behaviour engine as the main engine and an AI file engine, an AI threat engine, an AI intrusion engine and an AI correlation engine as auxiliary engines; this effectively improves threat detection capability, realizes intelligent analysis and mining based on unstructured data, and discovers suspected APT, brute-force cracking, worm viruses, abnormal logins, DDoS attacks and other advanced and unknown threats.
(4) For application security, an application security unit may be configured accordingly; it performs vulnerability scanning, Web security protection and mail security protection. Specifically, a traffic audit probe may be deployed: through the traffic audit probe, vulnerability scanning performs deep analysis of the industrial traffic in the industrial control network and audits the industrial control equipment, including the communication data between the PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units), DCS (Distributed Control System) controllers and the like and the monitoring layer, covering production operations, data reads, traffic trends and so on. The traffic audit probe can be deployed at the mirror port of the switch through which the controllers connect to the upper computer and, by configuring a security policy, it audits signature attacks against specific controller vulnerabilities and analyses whether industrial control protocol data access is legitimate and whether host traffic is abnormal. The probe organically integrates protocol behaviour detection for OT (Operational Technology) and IT (Information Technology) with vulnerability detection technology for industrial control equipment, combined with the known intrusion signature rule base; it can detect not only traditional intrusion behaviour but also behaviour targeting vulnerabilities of industrial equipment, so the interior and boundary of the industrial control network are monitored without blind spots.
Meanwhile, a traffic audit probe is deployed on the office network side; it contains an intrusion detection module that can detect attack behaviour in various network protocols, including more than ten common attacks such as SQL (Structured Query Language) injection, web scanning, worm viruses, trojan attacks, XSS attacks, remote access attacks, denial-of-service scanning and buffer overflow attacks, and it uploads an attack alarm log to the analysis platform for correlation analysis, which further improves the detection accuracy of the system.
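To show what the office-side intrusion detection module and the subsequent correlation analysis do with concrete input, the following Python block is an added example (not the patent's detection engine) that runs simple content signatures for SQL injection and XSS over constructed web access-log lines, flags an oversized request line as a possible buffer overflow attempt, and correlates repeated 404 responses from one source into a web-scanning alert; the resulting alert records are what such a probe would upload to the analysis platform. The log format, the signatures, the thresholds, the sample addresses and the alert fields are assumptions.

```python
"""Signature detection plus correlation over constructed web access-log lines.
Constructed example for illustration; not the product's rule set."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List
from urllib.parse import unquote

# Combined log format: src ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Content signatures for two of the attack classes the probe reports on (assumed).
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)(union\s+select|'\s*or\s+'[^']*'\s*=\s*')"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon(?:error|load|click)\s*=)"),
}
MAX_REQUEST_PATH = 512   # longer paths reported as possible overflow attempts (assumed)
SCAN_WINDOW_S = 60       # correlation window for distinct 404 paths per source (assumed)
SCAN_MIN_PATHS = 5


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, ts, method, path, status = m.groups()
    return {"src": src, "ts": datetime.strptime(ts, TS_FMT), "method": method,
            "path": unquote(path), "status": int(status)}   # decode before matching


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Return the alert records the probe would upload to the analysis platform."""
    alerts: List[Dict[str, str]] = []
    not_found = defaultdict(list)          # src -> [(ts, path)] for 404 responses
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        for kind, rx in SIGNATURES.items():
            if rx.search(rec["path"]):
                alerts.append({"type": kind, "src": rec["src"], "path": rec["path"]})
        if len(rec["path"]) > MAX_REQUEST_PATH:
            alerts.append({"type": "oversized_request", "src": rec["src"],
                           "path": rec["path"][:40] + "..."})
        if rec["status"] == 404:
            not_found[rec["src"]].append((rec["ts"], rec["path"]))
    # Correlation step: many distinct missing paths from one source inside the window.
    for src, hits in not_found.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if (t - t0).total_seconds() <= SCAN_WINDOW_S}
            if len(paths) >= SCAN_MIN_PATHS:
                alerts.append({"type": "web_scanning", "src": src,
                               "path": f"{len(paths)} distinct paths in {SCAN_WINDOW_S}s"})
                break                      # one scanning alert per source
    return alerts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join([
    '198.51.100.4 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 162',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162',
    '203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /.env HTTP/1.1" 404 162',
    '203.0.113.9 - - [10/Oct/2023:13:56:04 +0000] "GET /backup.zip HTTP/1.1" 404 162',
    '203.0.113.9 - - [10/Oct/2023:13:56:05 +0000] "GET /wp-login.php HTTP/1.1" 404 162',
    '203.0.113.10 - - [10/Oct/2023:13:57:00 +0000] "GET /cgi-bin/' + "A" * 600 + ' HTTP/1.1" 400 0',
])

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a)
```

The scanning alert exists only because of correlation across lines: no single 404 is suspicious, and that is the kind of signal the text attributes to the analysis platform rather than to the per-line signatures.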
(5) For authentication security, an authentication security unit may be configured accordingly; it provides a unified security authentication system so as to ensure the authentication security of the network collaborative application. Specifically: 1. When controlling the operation and maintenance rights of third parties over equipment such as switches and servers, password complexity is insufficient; therefore an operation and maintenance management and audit system is used, which achieves login authentication for switches and servers while auditing operation and maintenance. Diversified authentication: the operation and maintenance management and audit system provides certificate authentication, mobile phone dynamic tokens, Media Access Control (MAC) address authentication, AD domain authentication and other services, and can also be combined with a third-party CA, dynamic tokens and the like. Random combination authentication is supported, which improves access security. 2. The industrial firewall used at the boundary has an IPsec VPN (Internet Protocol Security Virtual Private Network) function, so the authentication security of remote office staff can be ensured and remote connections can be encrypted and authenticated. IPsec VPN: an IPsec VPN is a VPN technology based on the IPsec protocol; the IPsec implementation of the hexagonal cloud industrial firewall supports the ESP and AH protocols, the encryption algorithms 3DES, DES and AES, the authentication algorithms MD5, SHA1 and SHA256, and the tunnel and transport encapsulation modes.
(6) For data security, a data security unit can be arranged accordingly; it is used for isolation from the storage network, residual data protection and data encryption to protect the data, and for all-round auditing of access to the database server using a database audit system.
(7) For security management, a security management unit can be arranged accordingly; it manages the online customised, offline collaborative control cloud platform, and its technical means are strengthened mainly in security information and event management, security compliance management and vulnerability management, to ensure the safe and stable operation of the platform.
It should be noted that if a project includes virtualization, a virtualization security unit is included accordingly to protect virtualization operations.
According to the safety guarantee system provided by the embodiment of the application, the application security unit performs Web security protection using the LTD model.
In the present application, the application security unit performs Web security protection using the LTD (Locate-then-Detect) model, detecting attack types such as SQLi, XSS, command injection and file inclusion. The LTD model is divided into three stages: preprocessing, a payload locating network (PLN) and a payload classification network (PCN). Reference may be made to fig. 2, which shows a schematic diagram of Web security intrusion detection using the LTD model provided in the embodiment of the present application. Using massive sample data, a multilayer neural network performs sample labelling and model building; unknown and variant web attacks are detected in real time, and the problem of an outdated feature library does not arise.
According to the safety guarantee system provided by the embodiment of the application, the data security unit can include an industrial gatekeeper, which can include an internal network processing unit, an external network processing unit and a security data exchange unit; the security data exchange unit ferries security data between the internal and external network hosts at a specified period.
In the present application, the data security unit may include an industrial gatekeeper composed of an intranet processing unit, an extranet processing unit and a security data exchange unit. The security data exchange unit ferries security data between the internal network host and the external network host at a specified period, so that reliable and efficient secure data exchange is achieved while the isolation of the internal and external networks is maintained; all complex operations are completed automatically by the isolation system, and the user only needs to define an appropriate security policy for the characteristics of their own industrial control network to achieve secure data communication between the internal and external networks. In this way, safe and controlled data exchange between the two networks is realized. Data exchange is carried out by the initiator connecting to the industrial gatekeeper as a client, after which the industrial gatekeeper, in turn acting as a client, establishes a connection to the other party of the exchange. The data exchange services in the system can be flexibly configured and quickly customised, and data exchange can be unidirectional or bidirectional. The industrial gatekeeper provides no external services other than the application-specific channels that must be opened for data exchange. In addition, its unique structural design and its support for dual-machine hot standby ensure, to a great extent, the security and reliability of information exchange between network systems.
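The exchange path described here, together with the gatekeeper functions listed under the boundary security protection unit (protocol termination, pre-established channels, user-based access control, content control and periodic ferrying), can be shown as a small simulation. The Python block below is an added example, not the product's implementation: the external unit terminates the session and keeps only the application payload, checks channel, user and a content schema, and a ferry step moves the accepted payloads to the internal unit once per period. The channel name, the JSON-key schema, the sample segments, the addresses and the period are constructed assumptions.

```python
"""Industrial gatekeeper data-exchange path: protocol termination, channel and user
policy, content control, periodic ferry. Constructed example; not the product's code."""
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Channel:
    name: str
    direction: str                 # "inbound" (external -> internal) or "outbound"
    allowed_users: FrozenSet[str]
    allowed_keys: FrozenSet[str]   # content control: the only JSON keys accepted


class Gatekeeper:
    """External unit, security data exchange unit (ferry) and internal unit in one object.

    Protocol termination: the external unit keeps only the application payload of a
    segment and discards every transport/IP field, so no part of the external TCP/IP
    session continues into the internal network."""

    def __init__(self, channels: List[Channel], period_s: float):
        self.channels: Dict[str, Channel] = {c.name: c for c in channels}
        self.period_s = period_s
        self.staging: List[Tuple[str, dict]] = []     # accepted payloads awaiting ferry
        self.delivered: List[Tuple[str, dict]] = []   # what the internal unit received
        self.log: List[Tuple[str, str, str]] = []     # (status, channel, reason)
        self.last_ferry_s = 0.0

    def _drop(self, channel: str, reason: str) -> bool:
        self.log.append(("drop", channel, reason))
        return False

    def receive_external(self, segment: dict) -> bool:
        """External unit: terminate the session, then apply channel, user and content policy."""
        name = segment.get("channel", "?")
        chan = self.channels.get(name)
        if chan is None or chan.direction != "inbound":
            return self._drop(name, "no such inbound channel")
        user = segment.get("user", "")
        if user not in chan.allowed_users:
            return self._drop(name, f"user {user!r} not authorised on channel")
        try:
            payload = json.loads(segment["payload"])
        except (KeyError, TypeError, ValueError):
            return self._drop(name, "payload is not valid JSON")
        if not isinstance(payload, dict) or not set(payload) <= chan.allowed_keys:
            return self._drop(name, "payload keys outside channel schema")
        self.staging.append((name, payload))   # only application data is staged
        self.log.append(("stage", name, "accepted, awaiting ferry"))
        return True

    def tick(self, now_s: float) -> int:
        """Security data exchange unit: ferry staged payloads once per period."""
        if now_s - self.last_ferry_s < self.period_s or not self.staging:
            return 0
        batch, self.staging = self.staging, []
        self.delivered.extend(batch)
        self.last_ferry_s = now_s
        for name, _ in batch:
            self.log.append(("ferry", name, "delivered to internal unit"))
        return len(batch)


def demo() -> Gatekeeper:
    """Run five constructed external segments through one inbound channel."""
    gk = Gatekeeper([Channel("prod_report", "inbound", frozenset({"mes"}),
                             frozenset({"line", "batch", "count"}))], period_s=10.0)
    # The transport fields (src, sport, seq) are never copied inward.
    segments = [
        {"src": "203.0.113.5", "sport": 40001, "seq": 1, "channel": "prod_report",
         "user": "mes", "payload": '{"line": "A1", "batch": 42, "count": 1200}'},
        {"src": "203.0.113.5", "sport": 40002, "seq": 1, "channel": "prod_report",
         "user": "guest", "payload": '{"line": "A1", "batch": 43, "count": 5}'},
        {"src": "203.0.113.9", "sport": 40003, "seq": 1, "channel": "ssh",
         "user": "mes", "payload": "SSH-2.0-client"},
        {"src": "203.0.113.5", "sport": 40004, "seq": 1, "channel": "prod_report",
         "user": "mes", "payload": '{"line": "A1", "macro": "print()"}'},
        {"src": "203.0.113.5", "sport": 40005, "seq": 1, "channel": "prod_report",
         "user": "mes", "payload": "not json"},
    ]
    for s in segments:
        gk.receive_external(s)
    gk.tick(5.0)    # period not yet elapsed: nothing crosses
    gk.tick(10.0)   # period elapsed: the one accepted payload is ferried
    return gk


if __name__ == "__main__":
    gk = demo()
    print("delivered:", gk.delivered)
    for entry in gk.log:
        print(entry)
```

Because the internal unit only ever sees the tuples in delivered, nothing it receives carries a source address, port or sequence number from the external side; that is the concrete meaning of "information landing" in this simulation.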
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Furthermore, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed or inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in the process, method, article or apparatus that comprises the element. In addition, those parts of the technical solutions provided in the embodiments of the present application that are consistent with the implementation principles of the corresponding technical solutions in the prior art are not described in detail, so as to avoid redundant description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. A safety guarantee system, comprising:
an edge side security module, used for white list authentication of edge side equipment in the industrial internet, wherein edge side equipment that passes the white list authentication can be connected to the host; the edge side security module is also used for security protection of industrial communication in the local area network between the edge side equipment, and for security protection of communication between the edge side equipment and the external network;
and a platform security module, used for security protection of the platform in the industrial internet at the physical facility level, boundary level, host level, application level, authentication level, data level and management level.
2. The safety guarantee system of claim 1, wherein the edge side security module comprises a traffic audit probe deployed in the edge side network;
the traffic audit probe is used for generating an industrial protocol feature library by learning the industrial protocols in industrial network data traffic; recording protocol packets between hosts and parsing the protocol packets according to the industrial protocol feature library; and detecting, from the parsing result, whether an intrusion attack exists and, when one exists, analysing the protocol packets, locating the geographic position of the attacker, acquiring the attacker's attack characteristic information, and formulating a corresponding security policy according to the geographic position and the attack characteristic information.
3. The safety guarantee system of claim 2, wherein the traffic audit probe is further configured to use supervised learning to extract features and classifications from the protocol packets with a multidimensional clustering algorithm, and to determine learning convergence from the absence of new protocol packet classes within a predetermined time; and to abstract the variable and invariant quantities in the industrial network protocol from the classified protocol packets and convert them into a matrix vector model whose dimension is larger than a preset dimension.
4. The safety guarantee system of claim 1, wherein the platform security module comprises a physical facility security unit, a boundary security protection unit, a host security unit, an application security unit, an authentication security unit, a data security unit and a security management unit, wherein:
the physical facility unit is used for realizing security protection of the data center environment, physical access control and the facility level through an access control system, a video monitoring system and an environment monitoring system;
the boundary security protection unit is used for security domain division, network virus protection, network intrusion detection and response, boundary security isolation between the plant area network and the core network through an industrial firewall, boundary security isolation between the core network and the application system network through an industrial gatekeeper, and traffic cleaning and Web filtering;
the host security unit is used for system vulnerability scanning, system hardening, system intrusion detection and response, host access control and centralized authentication;
the application security unit is used for vulnerability scanning, Web security protection and mail security protection;
the authentication security unit is used for providing a unified security authentication system so as to ensure the authentication security of the network collaborative application;
the data security unit is used for isolation from the storage network, residual data protection and data encryption, and for all-round auditing of access to the database server by means of a database audit system;
the security management unit is used for security information and event management, security compliance management and vulnerability management.
5. The safety guarantee system of claim 4, wherein the application security unit employs an LTD model for Web security protection.
6. The safety guarantee system of claim 4, wherein the data security unit comprises an industrial gatekeeper, the industrial gatekeeper comprises an internal network processing unit, an external network processing unit and a security data exchange unit, and the security data exchange unit ferries security data between the internal and external network hosts at a specified period.
CN202210939396.0A 2022-08-05 2022-08-05 Safety guarantee system Pending CN115314286A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210939396.0A CN115314286A (en) 2022-08-05 2022-08-05 Safety guarantee system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210939396.0A CN115314286A (en) 2022-08-05 2022-08-05 Safety guarantee system

Publications (1)

Publication Number Publication Date
CN115314286A true CN115314286A (en) 2022-11-08

Family

ID=83860471

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210939396.0A Pending CN115314286A (en) 2022-08-05 2022-08-05 Safety guarantee system

Country Status (1)

Country Link
CN (1) CN115314286A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115544510A (en) * 2022-11-25 2022-12-30 天津艺点意创科技有限公司 Dynamic safety protection system and safe physical protection mechanism of industrial internet
CN116401722A (en) * 2023-03-29 2023-07-07 河南奕磐信息技术有限公司 Information technology terminal with safety protection based on big data
CN116743500A (en) * 2023-08-10 2023-09-12 北京天融信网络安全技术有限公司 Industrial firewall system, message processing method and industrial control system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115544510A (en) * 2022-11-25 2022-12-30 天津艺点意创科技有限公司 Dynamic safety protection system and safe physical protection mechanism of industrial internet
CN115544510B (en) * 2022-11-25 2023-03-10 天津艺点意创科技有限公司 Dynamic security protection system and safe physical protection mechanism of industrial internet
CN116401722A (en) * 2023-03-29 2023-07-07 河南奕磐信息技术有限公司 Information technology terminal with safety protection based on big data
CN116743500A (en) * 2023-08-10 2023-09-12 北京天融信网络安全技术有限公司 Industrial firewall system, message processing method and industrial control system

Similar Documents

Publication Publication Date Title
CN110691064B (en) Safety access protection and detection system for field operation terminal
Chica et al. Security in SDN: A comprehensive survey
Choi et al. Ontology-based security context reasoning for power IoT-cloud security service
CN114978584A (en) Network security protection safety method and system based on unit cell
CN115314286A (en) Safety guarantee system
CN214306527U (en) Gas pipe network scheduling monitoring network safety system
Rekik et al. A cyber-physical threat analysis for microgrids
CN113132318A (en) Active defense method and system for information safety of power distribution automation system master station
Ferencz et al. Review of industry 4.0 security challenges
CN117081868B (en) Network security operation method based on security policy
CN115766065A (en) Safety protection method, system, medium and equipment for electric power Internet of things system
Jena et al. A Pragmatic Analysis of Security Concerns in Cloud, Fog, and Edge Environment
CN115550068A (en) Host log information security audit method
CN114205166A (en) Virus protection system
Ali et al. Intrusion detection and prevention against cyber attacks for an energy management system
Kumar Intrusion detection and prevention system in enhancing security of cloud environment
Choi IoT (Internet of Things) based Solution Trend Identification and Analysis Research
Rani A Perspective for Intrusion Detection & Prevention in Cloud Environment
Kishore et al. Intrusion Detection System a Need
Varadharajan et al. Techniques for Enhancing Security in Industrial Control Systems
CN113191917B (en) Power plant industrial control system network security threat classification method based on radial basis function algorithm
Ruha Cybersecurity of computer networks
Wu et al. Cloud platform security protection framework technology
CN114257405B (en) Method, apparatus, computer device and storage medium for preventing illegal external connection
Mahmood et al. Securing Industrial Internet of Things (Industrial IoT)-A Reviewof Challenges and Solutions

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination