CN115412376B - Attack mode verification method and system based on intelligent feature matching - Google Patents
- Publication number
- CN115412376B, CN202211359312.2A
- Authority
- CN
- China
- Prior art keywords
- industrial system
- remote control
- state
- control instruction
- industrial
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Abstract
The application discloses an attack mode verification method and system based on intelligent feature matching. A remote control instruction transmitted over an industrial control network is parsed to obtain the state expected value that the instruction causes in the industrial system, and the state expected value is fused with the actual state value of the industrial system based on intelligent matching with the characteristics of the industrial system, thereby verifying whether the remote control instruction constitutes an attack on the industrial system and, if so, its attack mode. By simulating the response of the real industrial system through industrial system state fitting, the method can deeply verify remote control instructions on the industrial control network, and is suitable for uncovering and discriminating attack behavior disguised as normal instructions.
Description
Technical Field
The application relates to the technical field of industrial control system safety, in particular to an attack mode verification method and system based on intelligent feature matching.
Background
At present, with the spread of ideas such as intelligent manufacturing and Industry 4.0, more and more industrial systems build industrial control networks on network technologies such as field buses, the wireless Internet of Things and industrial Ethernet, so that all components of the industrial system are networked. On the basis of the industrial control network, industrial system data can be acquired, monitored, stored and analyzed in real time, and control instructions of various kinds can be transmitted remotely in real time.
As industrial control networks are applied ever more deeply in industrial systems and their functions grow richer, new avenues for network attacks have opened up: a hacker can intrude into the industrial control network and illegally issue control instructions to operate the industrial system, with the aim of hijacking or even destroying it.
In the prior art, the preventive measures against such network attacks are to authenticate and restrict the authority of the sender of a control instruction, to screen the effective fields in the control instruction, and to verify whether the operation of the industrial system caused by the control instruction is within an allowable range. However, many hackers can now bypass or break through the authority authentication mechanism for control instruction senders, and can encrypt or disguise the effective fields of the control instructions used for the attack, so that the industrial control network cannot identify the illegal control instructions. Moreover, control instructions used for network attacks adjust the operation of the industrial system gradually, in batches; the change in the operating state of the industrial system caused by each adjustment step does not exceed the limited range, so the operating state cannot be effectively verified and restricted.
Disclosure of Invention
(I) Object of the application
Based on the above, the application discloses an attack pattern verification method and system based on intelligent feature matching.
(II) Technical scheme
The application discloses an attack mode verification method based on intelligent feature matching, which is characterized by comprising the following steps:
a remote control instruction parsing step: obtaining a remote control instruction transmitted over an industrial control network, identifying the effective field of the remote control instruction, parsing the effective field according to the control protocol, and forming the state expected value that the remote control instruction causes in the industrial system according to the response mechanism of the industrial system to the effective field;
an industrial system state fitting step: inputting the state expected value into an industrial system state fitting model, fusing the state expected value with the actual state value of the industrial system through the model, and determining the industrial system state value under the influence of the remote control instruction through optimized updating of the model's coefficients;
and a verification step: verifying, according to the industrial system state value under the influence of the remote control instruction, whether the remote control instruction constitutes an attack on the industrial system and, if so, its attack mode.
Preferably, in the step of analyzing the remote control instruction, the payload of the remote control instruction is split layer by layer according to the rule definition of the industrial control protocol, the field name and the field value in each layer of payload are determined, and the effective field in the remote control instruction is selected according to the field name and the field value.
Preferably, in the step of analyzing the remote control command, the valid field is analyzed according to a control protocol and a state expected value caused by the remote control command to the industrial system is formed according to a response mechanism of the industrial system to the valid field.
Preferably, in the industrial system state fitting step, the industrial system state fitting model is represented as:
wherein the content of the first and second substances,indicating the length of the fitting window, i.e. the succession simulated by the model starting from the k-th control cycleIn the control period, the control unit is used for controlling the control period,to fit the window lengthAn industrial system state value of a kth control period under the condition;andis the kth, theState expected values under each control cycle;is as followsActual state values of the industrial system under each control period;are fusion coefficients.
Preferably, in the industrial system state fitting step, the fusion coefficients are determined by fittingOptimized updating is carried out on the basis of intelligent matching with the characteristics of the industrial system, and the method can be obtained、、The specific gravity is fused in the model, and the fitted industrial system state value is finally obtained。
On the other hand, the application discloses attack pattern verification system based on intelligent feature matching, which is characterized by comprising:
the remote control instruction analysis module is used for acquiring a remote control instruction transmitted by an industrial control network, identifying an effective field of the remote control instruction, analyzing the effective field according to a control protocol and forming a state expected value caused by the remote control instruction to an industrial system according to a response mechanism of the industrial system to the effective field;
the industrial system state fitting module is used for inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of an industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization updating of the industrial system state fitting model;
and the verification module is used for verifying, according to the industrial system state value under the influence of the remote control instruction, whether the remote control instruction constitutes an attack on the industrial system and, if so, its attack mode.
Preferably, the remote control instruction parsing module is configured to split the payload of the remote control instruction layer by layer according to a rule definition of an industrial control protocol, determine a field name and a field value in each layer of the payload, and select an effective field in the remote control instruction according to the field name and the field value.
Preferably, the remote control instruction parsing module is configured to parse the valid field according to a control protocol and form a state expected value caused by the remote control instruction to the industrial system according to a response mechanism of the industrial system to the valid field.
Preferably, in the industrial system state fitting module, the industrial system state fitting model is represented as:
wherein the content of the first and second substances,indicating the length of the fitting window, i.e. the succession simulated by the model starting from the k-th control cycleIn the control period, the control unit is used for controlling the control period,to fit the window lengthAn industrial system state value of a kth control period under the condition;and withIs the kth, theState expected values under each control cycle;is as followsActual state values of the industrial system under each control period;are fusion coefficients.
Preferably, the industrial system state fitting module is configured to fit the industrial system state by fitting fusion coefficientsOptimized updating is carried out on the basis of intelligent matching with the characteristics of the industrial system, and the method can be obtained、、The proportion is fused in the model, and finally the fitted industrial system state value is obtained。
(III) Advantageous effects
In summary, the present invention parses the remote control instruction transmitted over the industrial control network to obtain the state expected value that the instruction causes in the industrial system, and fuses the state expected value with the actual state value of the industrial system based on intelligent matching with the characteristics of the industrial system, thereby verifying whether the remote control instruction constitutes an attack on the industrial system and, if so, its attack mode. By simulating the response of the real industrial system through industrial system state fitting, the method can deeply verify remote control instructions on the industrial control network, and is suitable for uncovering and discriminating attack behavior disguised as normal instructions.
Drawings
The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining and illustrating the present application and should not be construed as limiting the scope of the present application.
Fig. 1 is a flowchart of a method for deep parsing and verifying a modular industrial control protocol packet disclosed in the present application;
Fig. 2 is a block diagram of a modular industrial control protocol packet deep parsing verification system disclosed in the present application.
Detailed Description
In order to make the implementation objects, technical solutions and advantages of the present application clearer, the technical solutions in the embodiments of the present application will be described in more detail below with reference to the drawings in the embodiments of the present application.
The application discloses an attack mode verification method and system based on intelligent feature matching. The remote control instruction transmitted over the industrial control network is parsed to obtain the state expected value that the instruction causes in the industrial system, and the state expected value is fused with the actual state value of the industrial system based on intelligent matching with the characteristics of the industrial system, thereby verifying whether the remote control instruction constitutes an attack on the industrial system and, if so, its attack mode.
Referring to fig. 1, the application discloses an attack pattern verification method based on intelligent feature matching, comprising the following steps:
a remote control instruction parsing step: obtaining a remote control instruction transmitted over an industrial control network, identifying the effective field of the remote control instruction, parsing the effective field according to the control protocol, and forming the state expected value that the remote control instruction causes in the industrial system according to the response mechanism of the industrial system to the effective field;
an industrial system state fitting step: inputting the state expected value into an industrial system state fitting model, fusing the state expected value with the actual state value of the industrial system through the model, and determining the industrial system state value under the influence of the remote control instruction through optimized updating of the model's coefficients;
and a verification step: verifying, according to the industrial system state under the influence of the remote control instruction, whether the remote control instruction constitutes an attack on the industrial system and, if so, its attack mode.
Specifically, for a remote control instruction transmitted by an industrial control network, a control target of the remote control instruction in an industrial system is determined firstly, and then an analysis rule, an industrial system state fitting model and a verification rule matched with the control target are adopted subsequently to realize attack verification of the remote control instruction.
In the remote control instruction parsing step, the payload of the remote control instruction is split layer by layer according to the rule definition of the industrial control protocol, the field name and field value in each layer of payload are determined, and the effective fields in the remote control instruction are selected according to the field names and field values. The name and version of the industrial control protocol used by the remote control instruction can be identified from the frame header of the instruction frame. From the protocol name and version, the hierarchical structure of the instruction frame can then be determined. The layers of a typical industrial control protocol can be divided, from bottom to top, into a data link layer, a network layer, a transport layer and an application layer, and each layer adds to the lower-layer instruction frame the field names and field values belonging to that layer, together with the necessary check information, padding and the like. In this step, therefore, the instruction frame of the remote control instruction is split layer by layer with reference to the definition of the protocol name and version, the check information and padding are removed, the field names and field values in the payload split out of each layer are analyzed further, and the effective field names and field values, such as address information, state information, operation code, operation register number and register value, are extracted.
Furthermore, in the remote control instruction parsing step, the effective field is parsed according to the control protocol, and the state expected value that the remote control instruction causes in the industrial system is formed according to the response mechanism of the industrial system to the effective field. Specifically, from the effective field name and field value selected from the remote control instruction, the control change type and the control change quantity produced when the control target responds to the effective field are determined according to the response rule of the control target in the industrial system to the effective field, and the state expected value that the remote control instruction causes in the industrial system is then formed. The expected value of the state is expressed as(ii); Wherein k represents the kth control period, theIs the expected value of the state caused by the remote control command to the industrial system in the k control period.
And fitting the state of the industrial system, namely inputting the state expected value into an industrial system state fitting model, fusing the state expected value and the actual state value of the industrial system through the industrial system state fitting model, and determining the state value of the industrial system under the influence of the remote control instruction through the coefficient optimization and updating of the industrial system state fitting model.
Wherein the industrial system state fitting model is represented as:
wherein the content of the first and second substances,representing the length of the fitting window, i.e. the succession simulated by the model starting from the kth control cycleIn the control period, the control unit is used for controlling the control period,to fit the window lengthIndustrial system of k control period under conditionA system state value;andis the kth, theState expected values under each control cycle;is as followsActual state values of the industrial system in each control period;for fusing the coefficients, by matching the fused coefficientsOptimized updating based on intelligent matching with characteristics of industrial system can be achieved、、The proportion is fused in the model, and finally the fitted industrial system state value is obtained。
The optimized updating of the fusion coefficients, based on intelligent matching with the industrial system characteristics, is described in detail below.
Firstly, calling in a reference quantity matrix matched with characteristics of the industrial systemWhereinRepresenting a reference quantityThe number of the (c) is,representing a reference quantityThe number of (2); each reference in the above reference matrixAndthe method is obtained by intelligently matching an industrial system state fitting model with an actual industrial system, namely, on the basis of preset values of the industrial system state fitting model for each reference quantity, the industrial system state fitting model is matched with the actual industrial system through actual measurement and appropriate parameter adjustment. And further, performing multiple iterations in the following manner, and performing optimization updating on the fusion coefficient of the industrial system state fitting model:
setting initial conditions:
assigning values according to initial conditions(ii) a Further, the following iterations are initiated:
for i=1,…,p do
end for
end for
setting initial conditions:
assigning values according to initial conditions(ii) a Further, the following iterations are initiated:
for i=1,…,p do
end for
end for
setting initial conditions:
assigning values according to initial conditions(ii) a Further, the following iterations are initiated:
end for
In the verification step, the degree to which the industrial system state value caused by the remote control instruction exceeds the allowable state range is judged from the industrial system state value under the influence of the remote control instruction, thereby verifying whether the remote control instruction attacks the industrial system. The attack mode of the remote control instruction is determined according to the value by which the industrial system state value exceeds the allowable state range.
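The three steps above, sketched as an added example that is not code from the patent. Assumptions: Modbus/TCP "Write Single Register" stands in for the control protocol, register 40 and the tank-level response rule are hypothetical, a fixed-weight blend replaces the patent's fitting model (whose formula and coefficient update are not reproduced on this page), and the two attack-mode labels are illustrative.

```python
import struct
from dataclasses import dataclass

WRITE_SINGLE_REGISTER = 0x06   # Modbus function code (assumed protocol)
VALVE_REGISTER = 40            # hypothetical register: inflow valve opening in %
NEUTRAL, GAIN = 50, 0.5        # hypothetical response rule: level change per cycle
VALVE_LIMITS = (0, 100)        # conventional per-command field limit
LEVEL_RANGE = (20.0, 80.0)     # allowable state range for the tank level
ALPHA = 0.7                    # fixed fusion weight (assumption, not the patent's)


@dataclass
class ValidFields:
    unit_id: int
    opcode: int
    register: int
    value: int


def build_frame(tid, unit, register, value):
    """Construct a sample Modbus/TCP Write Single Register frame."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, register, value)
    # MBAP header: transaction id, protocol id 0, length of (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_command(frame):
    """Step 1a: split the frame layer by layer and extract the effective fields."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    pdu = frame[7:]
    if pdu[0] != WRITE_SINGLE_REGISTER or len(pdu) != 5:
        raise ValueError("unsupported function code or PDU length")
    register, value = struct.unpack(">HH", pdu[1:])
    return ValidFields(unit, pdu[0], register, value)


def expected_state(fields, previous_state):
    """Step 1b: apply the response rule to get the state expected value."""
    if fields.register != VALVE_REGISTER:
        return previous_state
    return previous_state + GAIN * (fields.value - NEUTRAL)


def verify(frames, actual_states, initial_state):
    """Steps 2 and 3: fuse expected and actual state each control cycle and
    return (cycle, mode, fused_state) for the first violation, else None."""
    state = initial_state
    low, high = VALVE_LIMITS
    for k, (frame, actual) in enumerate(zip(frames, actual_states)):
        fields = parse_command(frame)
        if fields.register == VALVE_REGISTER and not low <= fields.value <= high:
            return k, "out-of-range command", state
        state = ALPHA * expected_state(fields, state) + (1 - ALPHA) * actual
        if not LEVEL_RANGE[0] <= state <= LEVEL_RANGE[1]:
            return k, "incremental drift", state
    return None


# Constructed sample: six identical, individually valid commands (valve 60 %)
# and lagging level measurements that are all still inside LEVEL_RANGE.
DRIFT_FRAMES = [build_frame(k + 1, 1, VALVE_REGISTER, 60) for k in range(6)]
DRIFT_ACTUAL = [61.0, 64.0, 67.0, 70.0, 73.0, 76.0]

if __name__ == "__main__":
    print(verify(DRIFT_FRAMES, DRIFT_ACTUAL, 60.0))
```

Every command in the constructed sample passes the per-command field limit, yet the fused state leaves the allowable range in the sixth cycle while the measured level is still inside it.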
The application further discloses an attack mode verification system based on intelligent feature matching, which comprises:
the remote control instruction analysis module is used for acquiring a remote control instruction transmitted by an industrial control network, identifying an effective field of the remote control instruction, analyzing the effective field according to a control protocol and forming a state expected value caused by the remote control instruction to an industrial system according to a response mechanism of the industrial system to the effective field;
the industrial system state fitting module is used for inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of an industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization updating of the industrial system state fitting model;
and the verification module is used for verifying, according to the industrial system state value under the influence of the remote control instruction, whether the remote control instruction constitutes an attack on the industrial system and, if so, its attack mode.
Specifically, for a remote control instruction transmitted by an industrial control network, a control target of the remote control instruction in an industrial system is determined firstly, and then an analysis rule, an industrial system state fitting model and a verification rule matched with the control target are adopted subsequently to realize attack verification of the remote control instruction.
The remote control instruction analysis module is used for splitting the payload of the remote control instruction layer by layer according to the rule definition of the industrial control protocol, determining the field name and field value in each layer of payload, and selecting the effective fields in the remote control instruction according to the field names and field values. The name and version of the industrial control protocol used by the remote control instruction can be identified from the frame header of the instruction frame. From the protocol name and version, the hierarchical structure of the instruction frame can then be determined. The layers of a typical industrial control protocol can be divided, from bottom to top, into a data link layer, a network layer, a transport layer and an application layer, and each layer adds to the lower-layer instruction frame the field names and field values belonging to that layer, together with the necessary check information, padding and the like. In this module, therefore, the instruction frame of the remote control instruction is split layer by layer according to the definition of the protocol name and version, the check information and padding are removed, the field names and field values in the payload split out of each layer are analyzed further, and the effective field names and field values, such as address information, state information, operation code, operation register number and register value, are extracted.
The remote control instruction analysis module is used for analyzing the effective field according to a control protocol and forming a state expected value caused by the remote control instruction to the industrial system according to a response mechanism of the industrial system to the effective field. Specifically, according to the effective field name and field value selected from the remote control instruction, the control change type and the control change quantity formed by the control target responding to the effective field are determined according to the response rule of the control target in the industrial system to the effective field, and further the state expected value caused by the remote control instruction to the industrial system is formed. The expected value of the state is expressed as(ii) a Wherein k represents the kth control period, theIs the expected value of the state caused by the remote control command to the industrial system in the k control period.
And the industrial system state fitting module is used for inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of the industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization and updating of the industrial system state fitting model.
Wherein the industrial system state fitting model is represented as:
wherein the content of the first and second substances,representing the length of the fitting window, i.e. the succession simulated by the model starting from the kth control cycleIn the control period, the control unit is used for controlling the control period,to fit the window lengthAn industrial system state value of a kth control period under the condition;andis the kth, theState expected values under each control cycle;is as followsActual state values of the industrial system under each control period;for fusing the coefficients, by matching the fused coefficientsOptimized updating based on intelligent matching with industrial system characteristics can be obtained、、The specific gravity is fused in the model, and the fitted industrial system state value is finally obtained。
The optimized updating of the fusion coefficients by the industrial system state fitting module, based on intelligent matching with the industrial system characteristics, is described in detail below.
First, the reference quantity matrix matched with the characteristics of the industrial system is calledIn whichRepresenting a reference quantityThe number of the (c) is,representing a reference quantityThe number of (2); each of the above reference quantity matricesAndthe method is obtained by intelligently matching the industrial system state fitting model with an actual industrial system. And then, performing multiple iterations according to the following mode to perform optimization updating on the fusion coefficient of the industrial system state fitting model:
setting initial conditions:
assigning values according to initial conditions(ii) a Further, the following iterations are initiated:
for i=1,…,p do
end for
end for
setting initial conditions:
assigning values according to initial conditions(ii) a Further, the following iterations are initiated:
for i=1,…,p do
end for
end for
setting initial conditions:
end for
The verification module is used for judging, from the industrial system state value under the influence of the remote control instruction, the degree to which the industrial system state value caused by the remote control instruction exceeds the allowable state range, thereby verifying whether the remote control instruction attacks the industrial system. The attack mode of the remote control instruction is determined according to the value by which the industrial system state value exceeds the allowable state range.
The method parses the remote control instruction transmitted over the industrial control network to obtain the state expected value that the instruction causes in the industrial system, and fuses the state expected value with the actual state value of the industrial system based on intelligent matching with the characteristics of the industrial system, thereby verifying whether the remote control instruction constitutes an attack on the industrial system and, if so, its attack mode. By simulating the response of the real industrial system through industrial system state fitting, the method can deeply verify remote control instructions on the industrial control network, and is suitable for uncovering and discriminating attack behavior disguised as normal instructions.
The division into modules, units or components herein is merely a logical division, and other divisions are possible in an actual implementation; for example, a plurality of modules and/or units may be combined or integrated into another system. Modules, units and components described as separate parts may or may not be physically separate. Components displayed as units may or may not be physical units, and may be located in one place or distributed over network units. Some or all of the units can therefore be selected according to actual needs to implement the scheme of the embodiment.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (6)
1. The attack mode verification method based on intelligent feature matching is characterized by comprising the following steps:
a remote control instruction parsing step: obtaining a remote control instruction transmitted over an industrial control network, identifying the effective field of the remote control instruction, parsing the effective field according to the control protocol, and forming the state expected value that the remote control instruction causes in the industrial system according to the response mechanism of the industrial system to the effective field;
an industrial system state fitting step, namely inputting the state expected value into an industrial system state fitting model, fusing the state expected value and an actual state value of the industrial system through the industrial system state fitting model, and determining the industrial system state value under the influence of the remote control instruction through the coefficient optimization updating of the industrial system state fitting model; the industrial system state fitting model is represented as:
wherein the content of the first and second substances,representing the length of the fitting window, i.e. the succession simulated by the model starting from the kth control cycleIn one control period, the control unit is used for controlling the power supply,to fit the window lengthAn industrial system state value of a kth control period under the condition;and withIs the kth, theState expected values under each control cycle;is as followsActual state values of the industrial system in each control period;is a fusion coefficient; the above-mentioned、Respectively representing the number of reference quantities in a reference quantity matrix which is called into the industrial system characteristic matching; and, by fitting the fusion coefficientOptimized updating is carried out on the basis of intelligent matching with the characteristics of the industrial system, and the method can obtain、、The proportion is fused in the model, and finally the fitted industrial system state value is obtained;
and a verification step: verifying, according to the industrial system state value under the influence of the remote control instruction, whether the remote control instruction constitutes an attack on the industrial system, and its attack mode.
2. The attack mode verification method based on intelligent feature matching according to claim 1, wherein in the remote control instruction parsing step, the payload of the remote control instruction is split layer by layer according to the rule definitions of an industrial control protocol, the field name and field value in each layer of the payload are determined, and the valid field of the remote control instruction is selected according to the field name and field value.
3. The attack mode verification method based on intelligent feature matching according to claim 2, wherein in the remote control instruction parsing step, the valid field is parsed according to a control protocol, and the state expected value that the remote control instruction causes in the industrial system is formed according to the response mechanism of the industrial system to the valid field.
4. An attack mode verification system based on intelligent feature matching, characterized by comprising:
a remote control instruction parsing module, configured to obtain a remote control instruction transmitted over an industrial control network, identify a valid field of the remote control instruction, parse the valid field according to a control protocol, and form the state expected value that the remote control instruction causes in an industrial system according to the response mechanism of the industrial system to the valid field;
an industrial system state fitting module, which inputs the state expected value into an industrial system state fitting model, fuses the state expected value with an actual state value of the industrial system through the industrial system state fitting model, and determines the industrial system state value under the influence of the remote control instruction by optimizing and updating the coefficients of the industrial system state fitting model; the industrial system state fitting model is represented as:
wherein, the first and the second end of the pipe are connected with each other,indicating the length of the fitting window, i.e. the succession simulated by the model starting from the k-th control cycleIn the control period, the control unit is used for controlling the control period,to fit the window lengthAn industrial system state value of a kth control period under the condition;and withIs the kth, theState expected values in each control period;is as followsActual state values of the industrial system in each control period;is a fusion coefficient; the described、Respectively representing the number of reference quantities in a reference quantity matrix which is called into the industrial system characteristic matching; and, by fitting the fusion coefficientsOptimized updating is carried out on the basis of intelligent matching with the characteristics of the industrial system, and the method can obtain、、Fusion in the modelThe combined weight finally obtains the state value of the fitted industrial system;
and a verification module, which verifies, according to the industrial system state value under the influence of the remote control instruction, whether the remote control instruction constitutes an attack on the industrial system, and its attack mode.
5. The attack mode verification system based on intelligent feature matching according to claim 4, wherein the remote control instruction parsing module is configured to split the payload of the remote control instruction layer by layer according to the rule definitions of an industrial control protocol, determine the field name and field value in each layer of the payload, and select the valid field of the remote control instruction according to the field name and field value.
6. The attack mode verification system based on intelligent feature matching according to claim 5, wherein the remote control instruction parsing module is configured to parse the valid field according to a control protocol and form the state expected value that the remote control instruction causes in the industrial system according to the response mechanism of the industrial system to the valid field.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211359312.2A CN115412376B (en) | 2022-11-02 | 2022-11-02 | Attack mode verification method and system based on intelligent feature matching |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115412376A (en) | 2022-11-29 |
CN115412376B (en) | 2023-02-14 |
Family
ID=84169382
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211359312.2A Active CN115412376B (en) | 2022-11-02 | 2022-11-02 | Attack mode verification method and system based on intelligent feature matching |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115412376B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106502234A (en) * | 2016-10-17 | 2017-03-15 | 重庆邮电大学 | Industrial control system method for detecting abnormality based on double skeleton patterns |
CN107862108A (en) * | 2017-10-12 | 2018-03-30 | 成都阜特科技股份有限公司 | A kind of industrial machinery health status analysis and Forecasting Methodology and its system |
CN114679291A (en) * | 2021-05-31 | 2022-06-28 | 北京网藤科技有限公司 | System for monitoring industrial network intrusion |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3794491B2 (en) * | 2002-08-20 | 2006-07-05 | 日本電気株式会社 | Attack defense system and attack defense method |
AU2011200413B1 (en) * | 2011-02-01 | 2011-09-15 | Symbiotic Technologies Pty Ltd | Methods and Systems to Detect Attacks on Internet Transactions |
JP6173541B2 (en) * | 2015-10-09 | 2017-08-02 | Panasonic Intellectual Property Corporation of America | Security device, attack detection method and program |
DE102017218134B3 (en) * | 2017-10-11 | 2019-02-14 | Volkswagen Aktiengesellschaft | A method and apparatus for transmitting a message sequence over a data bus and method and apparatus for detecting an attack on a message sequence thus transmitted |
CN112395603B (en) * | 2019-08-15 | 2023-09-05 | 奇安信安全技术(珠海)有限公司 | Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment |
CN110740143B (en) * | 2019-11-22 | 2020-11-17 | 南京邮电大学 | Network attack emergency coping method based on attack tracing |
Non-Patent Citations (1)
Title |
---|
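Building a network security immune system for power monitoring and control systems based on trusted computing technology; Gao Kunlun et al.; 《工程科学与技术》; 2017-03-31; Vol. 49 (No. 2); full text * |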
Also Published As
Publication number | Publication date |
---|---|
CN115412376A (en) | 2022-11-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||