CN115412376B - Attack mode verification method and system based on intelligent feature matching - Google Patents

Attack mode verification method and system based on intelligent feature matching Download PDF

Info

Publication number
CN115412376B
CN115412376B CN202211359312.2A CN202211359312A CN115412376B CN 115412376 B CN115412376 B CN 115412376B CN 202211359312 A CN202211359312 A CN 202211359312A CN 115412376 B CN115412376 B CN 115412376B
Authority
CN
China
Prior art keywords
industrial system
remote control
state
control instruction
industrial
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211359312.2A
Other languages
Chinese (zh)
Other versions
CN115412376A (en
Inventor
刘华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wangteng Technology Co ltd
Original Assignee
Beijing Wangteng Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Wangteng Technology Co ltd filed Critical Beijing Wangteng Technology Co ltd
Priority to CN202211359312.2A priority Critical patent/CN115412376B/en
Publication of CN115412376A publication Critical patent/CN115412376A/en
Application granted granted Critical
Publication of CN115412376B publication Critical patent/CN115412376B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The application discloses an attack mode verification method and system based on intelligent feature matching, wherein a state expected value caused by a remote control instruction to an industrial system is obtained by analyzing the remote control instruction transmitted by an industrial control network, and the state expected value and an actual state value of the industrial system are fused based on intelligent matching of characteristics of the industrial system, so that whether the remote control instruction exists in an attack of the industrial system and an attack mode of the attack mode is verified. The method can deeply verify the remote control instruction of the industrial control network by simulating the response of a real industrial system in a mode of industrial system state fitting, and is suitable for mining and discriminating the attack behavior disguised as a normal instruction.

Description

Attack mode verification method and system based on intelligent feature matching
Technical Field
The application relates to the technical field of industrial control system safety, in particular to an attack mode verification method and system based on intelligent feature matching.
Background
At present, along with the popularization of ideas such as intelligent manufacturing and industrial 4.0, more and more industrial systems build industrial control networks by relying on various network technologies such as field buses, wireless internet of things and industrial Ethernet, and accordingly all components of the industrial systems are networked. Furthermore, based on the industrial control network, the real-time acquisition, monitoring, storage and analysis of industrial system data can be realized, and remote real-time transmission of various control instructions can be carried out.
With the gradual deepening of the application of the industrial control network in the industrial system and the increasing abundance of functions, a new way is brought to network attack, and a hacker can operate the industrial system by invading the industrial control network and illegally issuing a control instruction, so that the aim of hijacking and even destroying the industrial system is fulfilled.
At present, in the prior art, the prevention measure against network attacks is to perform necessary authentication and limitation on the authority of a sender of a control instruction, screen an effective field in the control instruction, and verify whether the operation of an industrial system caused by the control instruction is within an allowable range. However, at present, many hackers can bypass or break through the authority authentication mechanism of the control instruction sender, and encrypt or disguise the effective field of the control instruction for network attack, so that the industrial control network cannot identify the illegal control instruction. Moreover, the control command for network attack gradually adjusts the operation of the industrial system through batch-wise attack modes, and the change of the operation state of the industrial system caused by each step of adjustment does not exceed a limited range, so that the operation state cannot be effectively verified and restricted.
Disclosure of Invention
Object of the application
Based on the above, the application discloses an attack pattern verification method and system based on intelligent feature matching.
(II) technical scheme
The application discloses an attack mode verification method based on intelligent feature matching, which is characterized by comprising the following steps:
the method comprises the steps of remote control instruction analysis, wherein the remote control instruction transmitted by an industrial control network is obtained, an effective field of the remote control instruction is identified, the effective field is analyzed according to a control protocol, and a state expected value caused by the remote control instruction to an industrial system is formed according to a response mechanism of the industrial system to the effective field;
an industrial system state fitting step, namely inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of the industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization updating of the industrial system state fitting model;
and a verification step, namely verifying whether the remote control instruction has an attack on the industrial system and an attack mode thereof according to the state value of the industrial system under the influence of the remote control instruction.
Preferably, in the step of analyzing the remote control instruction, the payload of the remote control instruction is split layer by layer according to the rule definition of the industrial control protocol, the field name and the field value in each layer of payload are determined, and the effective field in the remote control instruction is selected according to the field name and the field value.
Preferably, in the step of analyzing the remote control command, the valid field is analyzed according to a control protocol and a state expected value caused by the remote control command to the industrial system is formed according to a response mechanism of the industrial system to the valid field.
Preferably, in the industrial system state fitting step, the industrial system state fitting model is represented as:
Figure 100002_DEST_PATH_IMAGE002
wherein the content of the first and second substances,
Figure DEST_PATH_IMAGE003
indicating the length of the fitting window, i.e. the succession simulated by the model starting from the k-th control cycle
Figure 250726DEST_PATH_IMAGE003
In the control period, the control unit is used for controlling the control period,
Figure 270766DEST_PATH_IMAGE004
to fit the window length
Figure 40008DEST_PATH_IMAGE003
An industrial system state value of a kth control period under the condition;
Figure DEST_PATH_IMAGE005
and
Figure 794600DEST_PATH_IMAGE006
is the kth, the
Figure DEST_PATH_IMAGE007
State expected values under each control cycle;
Figure 763781DEST_PATH_IMAGE008
is as follows
Figure 949911DEST_PATH_IMAGE007
Actual state values of the industrial system under each control period;
Figure 594782DEST_PATH_IMAGE010
are fusion coefficients.
Preferably, in the industrial system state fitting step, the fusion coefficients are determined by fitting
Figure 554778DEST_PATH_IMAGE010
Optimized updating is carried out on the basis of intelligent matching with the characteristics of the industrial system, and the method can be obtained
Figure 176253DEST_PATH_IMAGE008
Figure 515092DEST_PATH_IMAGE006
Figure 563820DEST_PATH_IMAGE005
The specific gravity is fused in the model, and the fitted industrial system state value is finally obtained
Figure 904057DEST_PATH_IMAGE004
On the other hand, the application discloses attack pattern verification system based on intelligent feature matching, which is characterized by comprising:
the remote control instruction analysis module is used for acquiring a remote control instruction transmitted by an industrial control network, identifying an effective field of the remote control instruction, analyzing the effective field according to a control protocol and forming a state expected value caused by the remote control instruction to an industrial system according to a response mechanism of the industrial system to the effective field;
the industrial system state fitting module is used for inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of an industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization updating of the industrial system state fitting model;
and the verification module is used for verifying whether the remote control instruction has attack on the industrial system and an attack mode thereof according to the state value of the industrial system under the influence of the remote control instruction.
Preferably, the remote control instruction parsing module is configured to split the payload of the remote control instruction layer by layer according to a rule definition of an industrial control protocol, determine a field name and a field value in each layer of the payload, and select an effective field in the remote control instruction according to the field name and the field value.
Preferably, the remote control instruction parsing module is configured to parse the valid field according to a control protocol and form a state expected value caused by the remote control instruction to the industrial system according to a response mechanism of the industrial system to the valid field.
Preferably, in the industrial system state fitting module, the industrial system state fitting model is represented as:
Figure 876692DEST_PATH_IMAGE012
wherein the content of the first and second substances,
Figure 256989DEST_PATH_IMAGE003
indicating the length of the fitting window, i.e. the succession simulated by the model starting from the k-th control cycle
Figure 742197DEST_PATH_IMAGE003
In the control period, the control unit is used for controlling the control period,
Figure 224256DEST_PATH_IMAGE004
to fit the window length
Figure 515429DEST_PATH_IMAGE003
An industrial system state value of a kth control period under the condition;
Figure 546970DEST_PATH_IMAGE005
and with
Figure 32441DEST_PATH_IMAGE006
Is the kth, the
Figure 844539DEST_PATH_IMAGE007
State expected values under each control cycle;
Figure 204982DEST_PATH_IMAGE008
is as follows
Figure 153346DEST_PATH_IMAGE007
Actual state values of the industrial system under each control period;
Figure 662913DEST_PATH_IMAGE014
are fusion coefficients.
Preferably, the industrial system state fitting module is configured to fit the industrial system state by fitting fusion coefficients
Figure 385144DEST_PATH_IMAGE014
Optimized updating is carried out on the basis of intelligent matching with the characteristics of the industrial system, and the method can be obtained
Figure 752540DEST_PATH_IMAGE008
Figure 181509DEST_PATH_IMAGE006
Figure 913842DEST_PATH_IMAGE005
The proportion is fused in the model, and finally the fitted industrial system state value is obtained
Figure 310319DEST_PATH_IMAGE004
(III) advantageous effects
In summary, the present invention obtains the state expected value caused by the remote control instruction to the industrial system by analyzing the remote control instruction transmitted by the industrial control network, and fuses the state expected value and the actual state value of the industrial system based on the intelligent matching of the characteristics of the industrial system, thereby verifying whether the remote control instruction has an attack and an attack mode on the industrial system. The method can deeply verify the remote control instruction of the industrial control network by simulating the response of a real industrial system in a mode of industrial system state fitting, and is suitable for mining and discriminating the attack behavior disguised as a normal instruction.
Drawings
The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining and illustrating the present application and should not be construed as limiting the scope of the present application.
Fig. 1 is a flowchart of a method for deep parsing and verifying a modular industrial control protocol packet disclosed in the present application;
fig. 2 is a block diagram of a modular industrial control protocol packet deep parsing verification system disclosed in the present application.
Detailed Description
In order to make the implementation objects, technical solutions and advantages of the present application clearer, the technical solutions in the embodiments of the present application will be described in more detail below with reference to the drawings in the embodiments of the present application.
The application discloses an attack mode verification method and system based on intelligent feature matching. According to the method and the device, the remote control instruction transmitted by the industrial control network is analyzed to obtain the state expected value caused by the remote control instruction to the industrial system, and the state expected value and the actual state value of the industrial system are fused based on intelligent matching of characteristics of the industrial system, so that whether the remote control instruction exists or not is verified, and the attack mode of the industrial system is verified.
Referring to fig. 1, the application discloses an attack pattern verification method based on intelligent feature matching, comprising the following steps:
the method comprises the steps of remote control instruction analysis, wherein the remote control instruction transmitted by an industrial control network is obtained, an effective field of the remote control instruction is identified, the effective field is analyzed according to a control protocol, and a state expected value caused by the remote control instruction to an industrial system is formed according to a response mechanism of the industrial system to the effective field;
an industrial system state fitting step, namely inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of the industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization updating of the industrial system state fitting model;
and a verification step, namely verifying whether the remote control instruction has an attack on the industrial system and an attack mode thereof according to the industrial system state under the influence of the remote control instruction.
Specifically, for a remote control instruction transmitted by an industrial control network, a control target of the remote control instruction in an industrial system is determined firstly, and then an analysis rule, an industrial system state fitting model and a verification rule matched with the control target are adopted subsequently to realize attack verification of the remote control instruction.
In the step of analyzing the remote control instruction, according to the rule definition of the industrial control protocol, the effective load of the remote control instruction is split layer by layer, the field name and the field value in each layer of effective load are determined, and the effective field in the remote control instruction is selected according to the field name and the field value. For the remote control instruction, the industrial control protocol name and the version thereof supported by the remote control instruction can be identified through the frame header of the instruction frame. Furthermore, according to the name and version of the industrial control protocol, the hierarchical structure of the instruction frame can be determined, the hierarchy of the general industrial control protocol can be divided into a data link layer, a network layer, a transmission layer and an application layer from bottom to top, and each layer is added with the field name and field value belonging to the layer, necessary check information, filling information and the like on the basis of the lower layer instruction frame. Therefore, in this step, the instruction frame of the remote control instruction can be split layer by layer with reference to the definition of the industrial control protocol name and the version thereof, the check information and the filling information are removed, the field name and the field value in the payload split from each layer are further analyzed, and the effective field name and the field value such as the address information, the state information, the operation code, the operation register number and the register value are extracted.
Furthermore, in the remote control instruction analyzing step, the effective field is analyzed according to the control protocol, and a state expected value caused by the remote control instruction to the industrial system is formed according to a response mechanism of the industrial system to the effective field. Specifically, the effective field name and field value selected from remote control instruction are adopted according to industryAnd determining the control change type and the control change quantity formed by the control target responding to the effective field according to the response rule of the control target in the system to the effective field, and further forming a state expected value caused by the remote control instruction to the industrial system. The expected value of the state is expressed as
Figure 649116DEST_PATH_IMAGE005
(ii) a Wherein k represents the kth control period, the
Figure 447439DEST_PATH_IMAGE005
Is the expected value of the state caused by the remote control command to the industrial system in the k control period.
And fitting the state of the industrial system, namely inputting the state expected value into an industrial system state fitting model, fusing the state expected value and the actual state value of the industrial system through the industrial system state fitting model, and determining the state value of the industrial system under the influence of the remote control instruction through the coefficient optimization and updating of the industrial system state fitting model.
Wherein the industrial system state fitting model is represented as:
Figure 616252DEST_PATH_IMAGE016
wherein the content of the first and second substances,
Figure 172129DEST_PATH_IMAGE003
representing the length of the fitting window, i.e. the succession simulated by the model starting from the kth control cycle
Figure 851635DEST_PATH_IMAGE003
In the control period, the control unit is used for controlling the control period,
Figure 81628DEST_PATH_IMAGE004
to fit the window length
Figure 182527DEST_PATH_IMAGE003
Industrial system of k control period under conditionA system state value;
Figure 68443DEST_PATH_IMAGE005
and
Figure 817219DEST_PATH_IMAGE006
is the kth, the
Figure 167298DEST_PATH_IMAGE007
State expected values under each control cycle;
Figure 490963DEST_PATH_IMAGE008
is as follows
Figure 693536DEST_PATH_IMAGE007
Actual state values of the industrial system in each control period;
Figure 213379DEST_PATH_IMAGE018
for fusing the coefficients, by matching the fused coefficients
Figure 919429DEST_PATH_IMAGE018
Optimized updating based on intelligent matching with characteristics of industrial system can be achieved
Figure 663263DEST_PATH_IMAGE008
Figure 71242DEST_PATH_IMAGE006
Figure 241715DEST_PATH_IMAGE005
The proportion is fused in the model, and finally the fitted industrial system state value is obtained
Figure 35227DEST_PATH_IMAGE004
Following fusion coefficients
Figure 700695DEST_PATH_IMAGE018
Optimization updating tool based on intelligent matching with industrial system characteristicsAnd (4) body description.
Firstly, calling in a reference quantity matrix matched with characteristics of the industrial system
Figure 409019DEST_PATH_IMAGE020
Wherein
Figure DEST_PATH_IMAGE021
Representing a reference quantity
Figure DEST_PATH_IMAGE023
The number of the (c) is,
Figure 631184DEST_PATH_IMAGE024
representing a reference quantity
Figure 357832DEST_PATH_IMAGE026
The number of (2); each reference in the above reference matrix
Figure 443468DEST_PATH_IMAGE023
And
Figure 311193DEST_PATH_IMAGE026
the method is obtained by intelligently matching an industrial system state fitting model with an actual industrial system, namely, on the basis of preset values of the industrial system state fitting model for each reference quantity, the industrial system state fitting model is matched with the actual industrial system through actual measurement and appropriate parameter adjustment. And further, performing multiple iterations in the following manner, and performing optimization updating on the fusion coefficient of the industrial system state fitting model:
(1) To pair
Figure 773267DEST_PATH_IMAGE028
And (3) updating is executed:
setting initial conditions:
Figure 557683DEST_PATH_IMAGE030
assigning values according to initial conditions
Figure DEST_PATH_IMAGE032
(ii) a Further, the following iterations are initiated:
for j=2,…,
Figure 700040DEST_PATH_IMAGE003
do
for i=1,…,p do
Figure DEST_PATH_IMAGE034
end for
end for
wherein
Figure DEST_PATH_IMAGE036
The specific calculation of (A) is as follows:
Figure DEST_PATH_IMAGE038
(2) To pair
Figure DEST_PATH_IMAGE040
And (3) updating is executed:
setting initial conditions:
Figure DEST_PATH_IMAGE042
assigning values according to initial conditions
Figure DEST_PATH_IMAGE044
(ii) a Further, the following iterations are initiated:
for j=2,…,
Figure 133688DEST_PATH_IMAGE003
do
for i=1,…,p do
Figure DEST_PATH_IMAGE046
end for
end for
wherein for
Figure DEST_PATH_IMAGE048
The specific calculation of (A) is as follows:
Figure DEST_PATH_IMAGE050
(3) For is to
Figure 645791DEST_PATH_IMAGE052
And (3) updating is executed:
setting initial conditions:
Figure 81452DEST_PATH_IMAGE054
assigning values according to initial conditions
Figure 977733DEST_PATH_IMAGE056
(ii) a Further, the following iterations are initiated:
for i=1,…,
Figure 820049DEST_PATH_IMAGE003
do
Figure 155084DEST_PATH_IMAGE058
end for
wherein, for
Figure 133667DEST_PATH_IMAGE060
The specific calculation of (A) is as follows:
Figure 217160DEST_PATH_IMAGE062
in the verification step, according to the remote control fingerOrder the state value of the affected industrial system
Figure 107625DEST_PATH_IMAGE004
And judging the degree of the state value of the industrial system exceeding the allowable state range caused by the remote control instruction, thereby verifying whether the remote control instruction attacks the industrial system. And determining the attack mode of the remote control instruction according to the value of the industrial system state value exceeding the allowable state range.
The application further discloses an attack mode verification system based on intelligent feature matching, which comprises:
the remote control instruction analysis module is used for acquiring a remote control instruction transmitted by an industrial control network, identifying an effective field of the remote control instruction, analyzing the effective field according to a control protocol and forming a state expected value caused by the remote control instruction to an industrial system according to a response mechanism of the industrial system to the effective field;
the industrial system state fitting module is used for inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of an industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization updating of the industrial system state fitting model;
and the verification module is used for verifying whether the remote control instruction has attack on the industrial system and an attack mode thereof according to the state value of the industrial system under the influence of the remote control instruction.
Specifically, for a remote control instruction transmitted by an industrial control network, a control target of the remote control instruction in an industrial system is determined firstly, and then an analysis rule, an industrial system state fitting model and a verification rule matched with the control target are adopted subsequently to realize attack verification of the remote control instruction.
The remote control instruction analysis module is used for splitting the effective load of the remote control instruction layer by layer according to the rule definition of the industrial control protocol, determining the field name and the field value in each layer of effective load, and selecting the effective field in the remote control instruction according to the field name and the field value. For the remote control instruction, the industrial control protocol name and the version thereof supported by the remote control instruction can be identified through the frame header of the instruction frame. Furthermore, according to the name and version of the industrial control protocol, the hierarchical structure of the instruction frame can be determined, the hierarchy of the general industrial control protocol can be divided into a data link layer, a network layer, a transmission layer and an application layer from bottom to top, and each layer is added with a field name and a field value belonging to the layer, necessary check information, filling information and the like on the basis of the instruction frame of the lower layer. Therefore, in the module, the instruction frame of the remote control instruction can be split layer by layer according to the definition of the industrial control protocol name and the version thereof, the check information and the filling information are removed, the field name and the field value in the payload split from each layer are further analyzed, and effective field names and field values such as address information, state information, operation codes, operation register numbers and register values are extracted.
The remote control instruction analysis module is used for analyzing the effective field according to a control protocol and forming a state expected value caused by the remote control instruction to the industrial system according to a response mechanism of the industrial system to the effective field. Specifically, according to the effective field name and field value selected from the remote control instruction, the control change type and the control change quantity formed by the control target responding to the effective field are determined according to the response rule of the control target in the industrial system to the effective field, and further the state expected value caused by the remote control instruction to the industrial system is formed. The expected value of the state is expressed as
Figure 888761DEST_PATH_IMAGE005
(ii) a Wherein k represents the kth control period, the
Figure 751544DEST_PATH_IMAGE005
Is the expected value of the state caused by the remote control command to the industrial system in the k control period.
And the industrial system state fitting module is used for inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of the industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization and updating of the industrial system state fitting model.
Wherein the industrial system state fitting model is represented as:
Figure 750812DEST_PATH_IMAGE064
wherein the content of the first and second substances,
Figure 82567DEST_PATH_IMAGE003
representing the length of the fitting window, i.e. the succession simulated by the model starting from the kth control cycle
Figure 697088DEST_PATH_IMAGE003
In the control period, the control unit is used for controlling the control period,
Figure 181421DEST_PATH_IMAGE004
to fit the window length
Figure 669035DEST_PATH_IMAGE003
An industrial system state value of a kth control period under the condition;
Figure 268512DEST_PATH_IMAGE005
and
Figure 922610DEST_PATH_IMAGE006
is the kth, the
Figure 307455DEST_PATH_IMAGE007
State expected values under each control cycle;
Figure 152920DEST_PATH_IMAGE008
is as follows
Figure 210000DEST_PATH_IMAGE007
Actual state values of the industrial system under each control period;
Figure 713793DEST_PATH_IMAGE066
for fusing the coefficients, by matching the fused coefficients
Figure 202412DEST_PATH_IMAGE066
Optimized updating based on intelligent matching with industrial system characteristics can be obtained
Figure 969511DEST_PATH_IMAGE008
Figure 328203DEST_PATH_IMAGE006
Figure 370108DEST_PATH_IMAGE005
The specific gravity is fused in the model, and the fitted industrial system state value is finally obtained
Figure 713234DEST_PATH_IMAGE004
Fitting Module pairs fusion coefficients to Industrial System State
Figure 401966DEST_PATH_IMAGE066
And performing specific description on optimization updating based on intelligent matching with the characteristics of the industrial system.
First, the reference quantity matrix matched with the characteristics of the industrial system is called
Figure DEST_PATH_IMAGE068
In which
Figure 135436DEST_PATH_IMAGE021
Representing a reference quantity
Figure DEST_PATH_IMAGE070
The number of the (c) is,
Figure 138289DEST_PATH_IMAGE024
representing a reference quantity
Figure DEST_PATH_IMAGE072
The number of (2); each of the above reference quantity matrices
Figure 742446DEST_PATH_IMAGE070
And
Figure 867659DEST_PATH_IMAGE072
the method is obtained by intelligently matching the industrial system state fitting model with an actual industrial system. And then, performing multiple iterations according to the following mode to perform optimization updating on the fusion coefficient of the industrial system state fitting model:
(1) For is to
Figure DEST_PATH_IMAGE074
And (3) updating is executed:
setting initial conditions:
Figure DEST_PATH_IMAGE076
assigning values according to initial conditions
Figure DEST_PATH_IMAGE078
(ii) a Further, the following iterations are initiated:
for j=2,…,
Figure 364456DEST_PATH_IMAGE003
do
for i=1,…,p do
Figure DEST_PATH_IMAGE080
end for
end for
wherein
Figure DEST_PATH_IMAGE082
The specific calculation of (A) is as follows:
Figure DEST_PATH_IMAGE084
(2) For is to
Figure DEST_PATH_IMAGE086
And (3) updating is executed:
setting initial conditions:
Figure DEST_PATH_IMAGE088
assigning values according to initial conditions
Figure DEST_PATH_IMAGE090
(ii) a Further, the following iterations are initiated:
for j=2,…,
Figure 203624DEST_PATH_IMAGE003
do
for i=1,…,p do
Figure DEST_PATH_IMAGE092
end for
end for
wherein for
Figure DEST_PATH_IMAGE094
The specific calculation of (A) is as follows:
Figure DEST_PATH_IMAGE096
(3) For is to
Figure DEST_PATH_IMAGE098
And (3) updating is executed:
setting initial conditions:
Figure DEST_PATH_IMAGE100
according to the initial conditionsValuation
Figure DEST_PATH_IMAGE102
(ii) a Further, the following iterations are initiated:
for i=1,…,
Figure 95576DEST_PATH_IMAGE003
do
Figure DEST_PATH_IMAGE104
end for
wherein for
Figure DEST_PATH_IMAGE106
The specific calculation of (A) is as follows:
Figure DEST_PATH_IMAGE108
the verification module is used for verifying the state value of the industrial system under the influence of the remote control instruction
Figure 939160DEST_PATH_IMAGE004
And judging the degree of the state value of the industrial system exceeding the allowable state range caused by the remote control instruction, thereby verifying whether the remote control instruction attacks the industrial system. And determining the attack mode of the remote control instruction according to the value of the industrial system state value exceeding the allowable state range.
The method obtains the state expected value caused by the remote control instruction to the industrial system by analyzing the remote control instruction transmitted by the industrial control network, and fuses the state expected value and the actual state value of the industrial system based on intelligent matching of the characteristics of the industrial system, thereby verifying whether the remote control instruction exists in the attack of the industrial system and the attack mode thereof. The method can deeply verify the remote control instruction of the industrial control network by simulating the response of a real industrial system in a mode of industrial system state fitting, and is suitable for mining and discriminating the attack behavior disguised as a normal instruction.
The division of modules, units or components herein is merely a logical division, and other divisions may be possible in an actual implementation, for example, a plurality of modules and/or units may be combined or integrated in another system. Modules, units, assemblies described as separate parts may or may not be physically separate. The components displayed as cells may or may not be physical cells, and may be located in a specific place or distributed in grid cells. Therefore, some or all of the units can be selected according to actual needs to implement the scheme of the embodiment.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (6)

1. The attack mode verification method based on intelligent feature matching is characterized by comprising the following steps:
the method comprises the steps of remote control instruction analysis, wherein the remote control instruction transmitted by an industrial control network is obtained, an effective field of the remote control instruction is identified, the effective field is analyzed according to a control protocol, and a state expected value caused by the remote control instruction to an industrial system is formed according to a response mechanism of the industrial system to the effective field;
an industrial system state fitting step, namely inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of the industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization updating of the industrial system state fitting model; the industrial system state fitting model is represented as:
Figure DEST_PATH_IMAGE002
wherein the content of the first and second substances,
Figure DEST_PATH_IMAGE004
representing the length of the fitting window, i.e. the succession simulated by the model starting from the kth control cycle
Figure DEST_PATH_IMAGE004A
In one control period, the control unit is used for controlling the power supply,
Figure DEST_PATH_IMAGE006
to fit the window length
Figure DEST_PATH_IMAGE004AA
An industrial system state value of a kth control period under the condition;
Figure DEST_PATH_IMAGE008
and with
Figure DEST_PATH_IMAGE010
Is the kth, the
Figure DEST_PATH_IMAGE012
State expected values under each control cycle;
Figure DEST_PATH_IMAGE014
is as follows
Figure DEST_PATH_IMAGE012A
Actual state values of the industrial system in each control period;
Figure DEST_PATH_IMAGE016
is a fusion coefficient; the above-mentioned
Figure DEST_PATH_IMAGE018
Figure DEST_PATH_IMAGE020
Respectively representing the number of reference quantities in a reference quantity matrix which is called into the industrial system characteristic matching; and, by fitting the fusion coefficient
Figure DEST_PATH_IMAGE016A
Optimized updating is carried out on the basis of intelligent matching with the characteristics of the industrial system, and the method can obtain
Figure DEST_PATH_IMAGE014A
Figure DEST_PATH_IMAGE010A
Figure DEST_PATH_IMAGE008A
The proportion is fused in the model, and finally the fitted industrial system state value is obtained
Figure DEST_PATH_IMAGE006A
And a verification step, namely verifying whether the remote control instruction has attack on the industrial system and an attack mode thereof according to the industrial system state value under the influence of the remote control instruction.
2. The attack mode verification method based on intelligent feature matching according to claim 1, wherein in the step of analyzing the remote control instruction, the payload of the remote control instruction is split layer by layer according to the rule definition of an industrial control protocol, the field name and the field value in each layer of payload are determined, and the effective field in the remote control instruction is selected according to the field name and the field value.
3. The attack pattern verification method based on intelligent feature matching according to claim 2, wherein in the step of analyzing the remote control command, the valid field is analyzed according to a control protocol and a state expected value caused by the remote control command to the industrial system is formed according to a response mechanism of the industrial system to the valid field.
4. Attack pattern verification system based on intelligent feature matching is characterized by comprising:
the remote control instruction analysis module is used for obtaining a remote control instruction transmitted by an industrial control network, identifying an effective field of the remote control instruction, analyzing the effective field according to a control protocol and forming a state expected value caused by the remote control instruction to an industrial system according to a response mechanism of the industrial system to the effective field;
the industrial system state fitting module inputs the state expected value into an industrial system state fitting model, fuses the state expected value and an actual state value of an industrial system through the industrial system state fitting model, and determines the state value of the industrial system under the influence of the remote control instruction through the coefficient optimization and updating of the industrial system state fitting model; the industrial system state fitting model is represented as:
Figure DEST_PATH_IMAGE002A
wherein, the first and the second end of the pipe are connected with each other,
Figure DEST_PATH_IMAGE004AAA
indicating the length of the fitting window, i.e. the succession simulated by the model starting from the k-th control cycle
Figure DEST_PATH_IMAGE004AAAA
In the control period, the control unit is used for controlling the control period,
Figure DEST_PATH_IMAGE006AA
to fit the window length
Figure DEST_PATH_IMAGE004_5A
An industrial system state value of a kth control period under the condition;
Figure DEST_PATH_IMAGE008AA
and with
Figure DEST_PATH_IMAGE010AA
Is the kth, the
Figure DEST_PATH_IMAGE012AA
State expected values in each control period;
Figure DEST_PATH_IMAGE014AA
is as follows
Figure DEST_PATH_IMAGE012AAA
Actual state values of the industrial system in each control period;
Figure DEST_PATH_IMAGE016AA
is a fusion coefficient; the described
Figure DEST_PATH_IMAGE018A
Figure DEST_PATH_IMAGE020A
Respectively representing the number of reference quantities in a reference quantity matrix which is called into the industrial system characteristic matching; and, by fitting the fusion coefficients
Figure DEST_PATH_IMAGE016AAA
Optimized updating is carried out on the basis of intelligent matching with the characteristics of the industrial system, and the method can obtain
Figure DEST_PATH_IMAGE014AAA
Figure DEST_PATH_IMAGE010AAA
Figure DEST_PATH_IMAGE008AAA
Fusion in the modelThe combined weight finally obtains the state value of the fitted industrial system
Figure DEST_PATH_IMAGE006AAA
And the verification module verifies whether the remote control instruction has attack on the industrial system and an attack mode thereof according to the industrial system state value under the influence of the remote control instruction.
5. The attack pattern verification system based on intelligent feature matching according to claim 4, wherein the remote control instruction parsing module is configured to split the payload of the remote control instruction layer by layer according to a rule definition of an industrial control protocol, determine a field name and a field value in each layer of the payload, and select an effective field in the remote control instruction according to the field name and the field value.
6. The attack pattern verification system based on intelligent feature matching as claimed in claim 5, wherein the remote control command parsing module is configured to parse the valid field according to a control protocol and form a state expected value caused by the remote control command to the industrial system according to a response mechanism of the industrial system to the valid field.
CN202211359312.2A 2022-11-02 2022-11-02 Attack mode verification method and system based on intelligent feature matching Active CN115412376B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211359312.2A CN115412376B (en) 2022-11-02 2022-11-02 Attack mode verification method and system based on intelligent feature matching

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211359312.2A CN115412376B (en) 2022-11-02 2022-11-02 Attack mode verification method and system based on intelligent feature matching

Publications (2)

Publication Number Publication Date
CN115412376A CN115412376A (en) 2022-11-29
CN115412376B true CN115412376B (en) 2023-02-14

Family

ID=84169382

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211359312.2A Active CN115412376B (en) 2022-11-02 2022-11-02 Attack mode verification method and system based on intelligent feature matching

Country Status (1)

Country Link
CN (1) CN115412376B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106502234A (en) * 2016-10-17 2017-03-15 重庆邮电大学 Industrial control system method for detecting abnormality based on double skeleton patterns
CN107862108A (en) * 2017-10-12 2018-03-30 成都阜特科技股份有限公司 A kind of industrial machinery health status analysis and Forecasting Methodology and its system
CN114679291A (en) * 2021-05-31 2022-06-28 北京网藤科技有限公司 System for monitoring industrial network intrusion

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3794491B2 (en) * 2002-08-20 2006-07-05 日本電気株式会社 Attack defense system and attack defense method
AU2011200413B1 (en) * 2011-02-01 2011-09-15 Symbiotic Technologies Pty Ltd Methods and Systems to Detect Attacks on Internet Transactions
JP6173541B2 (en) * 2015-10-09 2017-08-02 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Security device, attack detection method and program
DE102017218134B3 (en) * 2017-10-11 2019-02-14 Volkswagen Aktiengesellschaft A method and apparatus for transmitting a message sequence over a data bus and method and apparatus for detecting an attack on a message sequence thus transmitted
CN112395603B (en) * 2019-08-15 2023-09-05 奇安信安全技术(珠海)有限公司 Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment
CN110740143B (en) * 2019-11-22 2020-11-17 南京邮电大学 Network attack emergency coping method based on attack tracing

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106502234A (en) * 2016-10-17 2017-03-15 重庆邮电大学 Industrial control system method for detecting abnormality based on double skeleton patterns
CN107862108A (en) * 2017-10-12 2018-03-30 成都阜特科技股份有限公司 A kind of industrial machinery health status analysis and Forecasting Methodology and its system
CN114679291A (en) * 2021-05-31 2022-06-28 北京网藤科技有限公司 System for monitoring industrial network intrusion

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于可信计算技术构建电力监测控制系统网络安全免疫系统;高昆仑 等;《工程科学与技术》;20170331;第49卷(第2期);全文 *

Also Published As

Publication number Publication date
CN115412376A (en) 2022-11-29

Similar Documents

Publication Publication Date Title
CN109902709B (en) Method for generating malicious sample of industrial control system based on counterstudy
Chandia et al. Security strategies for SCADA networks
US20170126711A1 (en) In-vehicle network attack detection method and apparatus
CN102823195B (en) The system and method for the FTP client FTP in the software test remote maintenance electric network that utilization is carried out by virtual machine
US20150127192A1 (en) Wireless vehicle control system
US20170169623A1 (en) Apparatus for providing data to a harware-in-the-loop simulator
US8078692B2 (en) Method of loading files from a client to a target server and device for implementing the method
CN103905450B (en) Intelligent grid embedded device network check and evaluation system and check and evaluation method
CN107992321A (en) ECU software update method, device, vehicle-mounted T-BOX and vehicle
CN112422557B (en) Attack testing method and device for industrial control network
CN110326268A (en) Transparent fireproof wall for the equipment that keeps the scene intact
Xiong et al. Threat Modeling and Attack Simulations of Connected Vehicles: A Research Outlook.
CN107395666A (en) A kind of method and device of operating numerical control lathe upgrading data packet
CN115412376B (en) Attack mode verification method and system based on intelligent feature matching
CN105049403A (en) Power distribution network control system safety protection method and system
CN108847983B (en) Intrusion detection method based on MQTT protocol
CN102469107B (en) For the secure connection system and method for vehicle
CN116662184B (en) Industrial control protocol fuzzy test case screening method and system based on Bert
US11232190B2 (en) Device attestation techniques
CN107968764B (en) Authentication method and device
US11606366B2 (en) Using CRC for sender authentication in a serial network
US10051004B2 (en) Evaluation system
Siddavatam et al. Testing and validation of Modbus/TCP protocol for secure SCADA communication in CPS using formal methods
JP2020166583A (en) Computational unit and determination method
KR101759893B1 (en) Virtual device management apparatus based on scenario for distributed energy resources

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant