CN115549950A - Safety protection system of industrial control equipment based on virtualization - Google Patents


Info

Publication number
CN115549950A
CN115549950A (application CN202210969614.5A)
Authority
CN
China
Prior art keywords
industrial control
module
virtualization
real
instruction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210969614.5A
Other languages
Chinese (zh)
Inventor
胡宁
张宇锖
罗佳威
邹金财
陈依兴
黄雅雅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou University
Original Assignee
Guangzhou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2022-08-12
Filing date
2022-08-12
Publication date
2022-12-30
Timeline
2022-08-12: Application filed by Guangzhou University; priority to CN202210969614.5A
2022-12-30: Publication of CN115549950A
Current legal status: pending

Classifications

    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security) > H04L63/14 (Detecting or protecting against malicious traffic) > H04L63/1441 (Countermeasures against malicious traffic) > H04L63/1491 (Countermeasures using deception, e.g. honeypots, honeynets, decoys or entrapment)
    • H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security) > H04L63/14 (Detecting or protecting against malicious traffic) > H04L63/1408 (Detection by monitoring network traffic) > H04L63/1416 (Event detection, e.g. attack signature detection)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a virtualization-based security protection system for industrial control equipment, comprising a data acquisition module, a trap module, a control instruction module and a result analysis module. The data acquisition module dynamically acquires the state and data of the field equipment and provides them to the trap module. The trap module runs a simulation of the industrial control system to lure an attacker into accessing and attacking it. The control instruction module monitors, at the edge gateway, the control instructions issued by the supervisory host ("upper computer") of the industrial control system and forwards them to the trap module. The result analysis module analyses the operation result of the simulation and judges whether it is safe. The security protection system provided by the invention can effectively resist attacks on the industrial control system and preserve the production order of a plant.

Description

Safety protection system of industrial control equipment based on virtualization
Technical Field
The invention relates to the technical field of industrial control security, and in particular to a virtualization-based security protection system for industrial control equipment.
Background
With the continuous development of emerging technologies such as the Internet of Things and cloud computing, and the continuing integration of automation and informatization, the original designs of equipment in Industrial Control Systems (ICS), which gave little consideration to security, expose more and more industrial control systems to serious structural vulnerability. This includes the use, throughout the product life cycle, of insecure industrial control protocols that do not meet security requirements (for example Modbus, which is neither authenticated nor encrypted). Vulnerabilities in industrial device firmware, operating systems and other software are frequent, and devices carrying such vulnerabilities attract attackers and become easy targets. As more and more industrial environments are connected to intranets or the Internet, the number of attack events against industrial control system networks keeps changing.
To protect the ICS environment from attacks by malicious entities, traditional security mechanisms such as cryptography, firewalls, intrusion detection and prevention systems (IDS, IPS) and similar solutions may be employed. However, these schemes are aimed mainly at known attacks. Against unknown attacks such as highly concealed APT attacks, these passive defences cannot help security researchers observe and analyse how the attacker carries out the attack, nor predict in advance the damage the attack will cause. At present more and more researchers are turning to honeypots for active defence. A honeypot is an application deployed to entice attackers into launching attacks; a simulated network made up of several honeypots implemented on one system is called a honeynet. An industrial control honeypot can simulate various industrial control protocols and industrial control devices and capture the complete access traffic of an attacker, and the honeypot host records the attack information of every access to it. Moreover, a honeypot is deployed out of band (on a bypass) and can monitor network data: by collecting the traffic mirrored from a switch port, it analyses the attacker's communication packets and thereby discovers the attacker's network attack behaviour and packets.
Existing honeypots and honeynets have limited defensive capability against unknown threats to a real ICS: they cannot simulate business logic and struggle to resist highly concealed APT attacks. At present most industrial control honeypots and honeynets are deployed out of band in the ICS, independent of the actual production system; they often differ greatly from the actual ICS when deployed and are easily identified by attackers, and they are deployed in isolation, without linkage to existing security mechanisms. High-interaction honeypot systems can discover attacks against unknown vulnerabilities, but only for vulnerabilities present in the applications used to build the honeypot, which limits the scope of what the honeypot captures. A honeypot can also serve as a pivot: if it is compromised, it risks being used as a springboard to attack other industrial control equipment and so affect the normal operation of the ICS. It is therefore necessary to readjust the security policy of the industrial control system against unknown APT attacks, which is the key point of industrial control system security research.
The existing attack identification and defence architectures and systems based on ICS honeypots and honeynets mainly have the following defects:
(1) Much theoretical research, little use in production systems
Because the devices in an ICS must, as far as possible, never be interrupted or stopped, and real-time constraints on response time must be met, most honeypots and honeynets remain research tools and are not used in real production environments.
(2) Low fidelity and insufficient deception
Honeypots and honeynets proposed for ICS can detect scanning, target protocols, attack sources, brute-force attempts and the like, but low-interaction honeypots are not sufficient to build a highly faithful industrial control network that fools a skilled attacker.
(3) Few open-source honeypots limit research progress
At present there are few open-source ICS honeypots and honeynets, and the lack of available honeypot tools limits the development of honeypot-based ICS defence.
(4) Static simulation, lack of adaptability
Industrial honeypots and honeynets built from static specifications may still differ from the actual implementation of a real system even when the implementation fully follows the protocol specification, for example where a real utility environment runs a proprietary implementation.
The main reasons for the above disadvantages are two. (1) Industrial control scenarios are complex and diverse, so industrial control attack types are complicated; existing honeypot-based defence strategies are aimed mainly at simple attack types such as scanning and can hardly defend effectively against APT attacks on an industrial control network. (2) With the development of anti-honeypot techniques, industrial control honeypots find it hard to deceive attackers, which places new requirements on a virtualization-based security architecture for the industrial control system.
Disclosure of Invention
In view of the problems above, the present invention provides a virtualization-based security protection system for industrial control equipment to solve them.
The invention provides the following technical solution:
A virtualization-based security protection system for industrial control equipment, characterized in that it comprises a data acquisition module, a trap module, a control instruction module and a result analysis module. The data acquisition module dynamically acquires the state and data of the field equipment and provides them to the trap module. The trap module runs a simulation of the industrial control system to lure an attacker into accessing and attacking it. The control instruction module monitors, at the edge gateway, control instructions from the supervisory host (upper computer) of the industrial control system and forwards them to the trap module. The result analysis module analyses the operation result of the simulation and judges whether it is safe.
The system is deployed on an industrial server on which a general-purpose Windows/Linux operating system and a real-time operating system run in parallel under a hypervisor. The simulation of the industrial control system runs in the real-time operating system and consists of a plurality of virtual controllers.
The data acquisition module defines a generic sensor interface on the operating system of the industrial control system, so that it reads every sensor attached to that operating system through the same interface to acquire real-time data. The generic sensor interface is not tied to a specific hardware device.
The trap module dynamically updates the model and parameters of the simulation from the real-time readings of the data acquisition module, so that the simulation computes from the state of the real industrial control system and discovers and predicts potential attack behaviour.
The trap module computes, using the configured parameters and functions, the operation result of each instruction forwarded by the control instruction module.
The trap module connects the decoy simulation in series with the real industrial control system by means of data modeling, parameter estimation, control application deduction, anomaly detection algorithms and similar techniques, so that the simulation and the real industrial control system execute in parallel, the threat posed by an abnormal instruction is deduced in advance, and a warning is issued.
The control instruction module monitors, at the edge gateway, control instructions from the supervisory host of the real industrial control system and forwards normal and malicious instructions alike to the simulation in the trap module, driving a plurality of virtual controllers to operate cooperatively and form a virtual industrial control system.
The result analysis module analyses the operation result of the simulation, raises a threat warning for any result that violates the safety rules, and records the behaviour of the malicious instruction.
The beneficial technical effects of the invention are as follows:
The virtualization-based security protection system for industrial control equipment attracts an attacker to launch the attack against the trap module, analyses the received instructions and deduces the threat of a malicious instruction in advance, so that instructions carrying an APT attack are filtered out. The invention can effectively defend against attacks carried out by an attacker who has stolen a legitimate identity, and avoids substantial damage to industrial production.
Drawings
FIG. 1 is a block diagram of the virtualization-based security protection system for industrial control equipment provided by the present invention;
FIG. 2 is a schematic diagram of the layout of the virtualization-based security protection system for industrial control equipment within a real industrial control system according to the present invention;
FIG. 3 is a schematic diagram of the interaction between the virtual industrial control system and the real industrial control system in an embodiment of the virtualization-based security protection system according to the present invention;
FIG. 4 is a schematic diagram of the virtualization-based security protection system according to an embodiment of the present invention deployed in an example production scenario.
Detailed Description
The following examples are given to illustrate the present invention in detail, and the following examples are given to illustrate the detailed embodiments and specific procedures of the present invention, but the scope of the present invention is not limited to the following examples. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those skilled in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Example 1
As shown in FIG. 1, in a preferred embodiment of the present invention the virtualization-based security protection system for industrial control equipment comprises a data acquisition module, a trap module, a control instruction module and a result analysis module. The data acquisition module dynamically acquires the state and data of the field equipment and provides them to the trap module. The trap module runs a simulation of the industrial control system to lure an attacker into accessing and attacking it. The control instruction module monitors, at the edge gateway, control instructions from the supervisory host (upper computer) of the industrial control system and forwards them to the trap module. The result analysis module analyses the operation result of the simulation and judges whether it is safe.
The system is deployed on an industrial server on which a general-purpose Windows/Linux operating system and a real-time operating system run in parallel under a hypervisor. The simulation of the industrial control system runs in the real-time operating system and consists of a plurality of virtual controllers.
As shown in FIG. 3, the data acquisition module defines a generic sensor interface on the operating system of the industrial control system, so that it reads every sensor attached to that operating system through the same interface to acquire real-time data. The generic sensor interface is not tied to a specific hardware device.
As shown in FIG. 2, the trap module dynamically updates the model and parameters of the simulation from the real-time readings of the data acquisition module, so that the simulation computes from the state of the real industrial control system and discovers and predicts potential attack behaviour.
The trap module computes, using the configured parameters and functions, the operation result of each instruction forwarded by the control instruction module.
The trap module connects the decoy simulation in series with the real industrial control system by means of data modeling, parameter estimation, control application deduction, anomaly detection algorithms and similar techniques, so that the simulation and the real industrial control system execute in parallel, the threat posed by an abnormal instruction is deduced in advance, and a warning is issued.
The control instruction module monitors, at the edge gateway, control instructions from the supervisory host of the real industrial control system, forwards normal and malicious instructions alike to the simulation in the trap module, and drives a plurality of virtual controllers to operate cooperatively and form a virtual industrial control system.
The result analysis module analyses the operation result of the simulation, raises a threat warning for any result that violates the safety rules, and records the behaviour of the malicious instruction.
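The control instruction module described in this embodiment has to recognise which frames from the supervisory host are control instructions before it can hand them to the decoy simulation. The following Python block is an added example, not code from the patent or from Guangzhou University: it decodes Modbus/TCP read and write requests at the edge gateway and applies the policy that every write is sent to the simulation before the real controller sees it. The frames and register numbers are constructed for the example, and the `route` policy (writes simulated first, reads passed through because they cannot change plant state) is an assumption of this example. It also makes concrete the point made in the Background that Modbus carries no authentication or integrity field: a valid write is nothing more than a 12-byte frame.

```python
"""Parsing Modbus/TCP requests at the edge gateway so that control instructions
from the supervisory host can be handed to the decoy simulation first.
Added example; frames and register numbers are constructed, not from the patent."""
import struct
from dataclasses import dataclass

# Modbus/TCP frame = 7-byte MBAP header + PDU. Nothing in it authenticates the
# sender or protects integrity: any host that reaches TCP/502 can issue a write.
MBAP = struct.Struct(">HHHB")        # transaction id, protocol id (0), length, unit id

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass
class Instruction:
    transaction: int
    unit: int
    function: int
    address: int      # first register
    count: int        # registers read or written
    values: tuple     # written values; empty for a read


def parse_frame(frame: bytes) -> Instruction:
    """Decode one request frame; reject anything whose lengths do not agree."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame, 0)
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    pdu = frame[MBAP.size:]
    if len(pdu) != length - 1:               # MBAP length counts unit id + PDU
        raise ValueError("MBAP length %d disagrees with %d PDU bytes" % (length, len(pdu)))
    fc = pdu[0]
    if fc == WRITE_SINGLE_REGISTER and len(pdu) == 5:
        addr, val = struct.unpack(">HH", pdu[1:5])
        return Instruction(tid, unit, fc, addr, 1, (val,))
    if fc == WRITE_MULTIPLE_REGISTERS and len(pdu) >= 6:
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes or not 1 <= qty <= 123:
            raise ValueError("inconsistent write-multiple payload")
        vals = struct.unpack(">%dH" % qty, pdu[6:])
        return Instruction(tid, unit, fc, addr, qty, vals)
    if fc == READ_HOLDING_REGISTERS and len(pdu) == 5:
        addr, qty = struct.unpack(">HH", pdu[1:5])
        return Instruction(tid, unit, fc, addr, qty, ())
    raise ValueError("unsupported or malformed function code 0x%02x" % fc)


def build_write_single(tid: int, unit: int, addr: int, val: int) -> bytes:
    """Encode a write-single-register request: what a supervisory host, or an
    attacker holding its stolen identity, sends to change a set point."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_REGISTER, addr, val)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def is_write(instr: Instruction) -> bool:
    return instr.function in (WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS)


def route(frame: bytes) -> str:
    """Gateway policy (an assumption of this example): every write goes to the
    simulation before the real controller; reads are passed through."""
    return "simulate-first" if is_write(parse_frame(frame)) else "pass-through"


if __name__ == "__main__":
    # Constructed instruction: unit 1, register 16 (assumed pump-mode register) set to 0.
    frame = build_write_single(1, 1, 16, 0)
    print(frame.hex(), parse_frame(frame), route(frame))
```

The length checks matter because an attacker who can reach the gateway controls every byte of the frame: a truncated or padded frame is rejected rather than partially parsed. Whether "simulate-first" can actually block anything depends on the gateway being in the path (in series, as the patent requires) rather than on a mirror port; on a mirror port the same decoding yields detection only.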
Example 2
In a preferred embodiment of the present invention, as shown in FIG. 4, the virtualization-based security protection system for industrial control equipment is introduced into the pumping control system of an automated water plant.
Water tank 1 and water tank 2 are fitted with sensors that measure the water level in each tank, and the industrial control system keeps the levels within a safe range.
The states and data of water tank 1 and water tank 2 are sent to the simulation through the data acquisition module. The security protection system is deployed on a virtualized industrial server, which is connected in series with the real industrial control system through the trap module to realize dynamic deceptive simulation, so that an attacker readily takes the simulation for the real industrial control system.
The system acquires the data and state of the field equipment in real time through the data acquisition module and passes them as input values to the virtual controllers; the simulation thus obtains the operation result of a control instruction before the real industrial control system does, and the result analysis module judges whether that result is safe.
The security protection system provided by this embodiment can effectively resist attacks on the industrial control system and preserve the production order of the plant.
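As an added example (not the patent's own code), the following Python block implements the water-plant scenario of Example 2 as shadow execution: a generic sensor interface feeds the twin, an instruction from the supervisory host is applied to a copy of the twin and run forward, and a safety rule on tank levels decides whether the instruction is forwarded to the real controller or blocked and logged. The tank dynamics, set points, register names, safe band, horizon and sensor readings are all constructed for this example and are not taken from the patent.

```python
"""Shadow execution of control instructions against a simulated water plant.
Added example for the patent's Example 2; all physical parameters, register
names and sensor readings are constructed, not taken from the patent."""
import copy
from dataclasses import dataclass, field

SAFE_MIN, SAFE_MAX = 0.5, 9.0      # safety rule of the result analysis module (metres)
PUMP_RATE, DEMAND = 0.75, 0.25     # level change per simulated minute; dyadic, so sums stay exact
AUTO, FORCE_ON, FORCE_OFF = 0, 1, 2


@dataclass
class TankState:
    level: float                    # metres, taken from the real sensor on sync()
    low_sp: float = 2.0             # virtual controller switches the pump on below this
    high_sp: float = 8.0            # and off above this
    pump_mode: int = AUTO
    pump_on: bool = False


# Data acquisition module: one generic interface, not tied to a hardware device.
class SensorInterface:
    def read(self) -> dict:
        """Return {tank name: level in metres}."""
        raise NotImplementedError


class ConstructedSensors(SensorInterface):
    """Stand-in for the field sensors; readings are constructed for this example."""
    def __init__(self, readings: dict):
        self.readings = readings

    def read(self) -> dict:
        return dict(self.readings)


# Trap module: the simulation, a set of virtual controllers kept in step with the plant.
class PlantTwin:
    def __init__(self):
        self.tanks = {"tank1": TankState(0.0), "tank2": TankState(0.0)}

    def sync(self, sensors: SensorInterface) -> None:
        """Update the model from the real plant state (dynamic parameter update)."""
        for name, level in sensors.read().items():
            self.tanks[name].level = level

    def apply(self, instruction: tuple) -> None:
        """instruction = (tank, register, value), the form the gateway forwards."""
        name, register, value = instruction
        tank = self.tanks[name]
        if register == "pump_mode":
            tank.pump_mode = value
        elif register == "high_sp":
            tank.high_sp = value
        elif register == "low_sp":
            tank.low_sp = value
        else:
            raise ValueError("unknown register %r" % register)

    @staticmethod
    def _step(tank: TankState) -> float:
        """One minute of the virtual controller plus the tank's level dynamics."""
        if tank.pump_mode == AUTO:           # hysteresis control between the set points
            if tank.level < tank.low_sp:
                tank.pump_on = True
            elif tank.level > tank.high_sp:
                tank.pump_on = False
        else:                                # supervisory override of the pump
            tank.pump_on = tank.pump_mode == FORCE_ON
        inflow = PUMP_RATE if tank.pump_on else 0.0
        tank.level = max(0.0, tank.level + inflow - DEMAND)
        return tank.level

    def run(self, minutes: int) -> dict:
        """Run every virtual controller forward; return the level trajectory per tank."""
        return {name: [self._step(tank) for _ in range(minutes)]
                for name, tank in self.tanks.items()}


# Result analysis module: judge the predicted trajectory against the safety rule.
@dataclass
class Verdict:
    safe: bool
    reasons: list = field(default_factory=list)


def analyse(trajectories: dict) -> Verdict:
    verdict = Verdict(True)
    for name, levels in trajectories.items():
        for minute, level in enumerate(levels, 1):
            if not SAFE_MIN <= level <= SAFE_MAX:
                verdict.safe = False
                verdict.reasons.append("%s: level %.2f m outside [%.1f, %.1f] at t+%d min"
                                       % (name, level, SAFE_MIN, SAFE_MAX, minute))
                break                        # first violation per tank is enough
    return verdict


def deduce(twin: PlantTwin, instruction: tuple, horizon: int = 30) -> Verdict:
    """Execute the instruction on a throw-away copy of the twin (the decoy) and
    judge the outcome before the real controller ever sees the instruction."""
    shadow = copy.deepcopy(twin)
    shadow.apply(instruction)
    return analyse(shadow.run(horizon))


# Control instruction module: the in-line decision taken at the edge gateway.
def gateway(twin: PlantTwin, sensors: SensorInterface, instruction: tuple, log: list) -> str:
    twin.sync(sensors)                       # the model follows the real plant first
    verdict = deduce(twin, instruction)
    if verdict.safe:
        twin.apply(instruction)              # keep twin and plant consistent
        return "forward"
    log.append({"instruction": instruction, "alert": verdict.reasons})
    return "block"
```

The deep copy is what keeps the decoy from becoming a pivot: the attacker's instruction never changes the twin that tracks the real plant unless the verdict is safe, and the real controller never sees a blocked instruction at all. The horizon is the weak point a practitioner should size against the plant's real time constants: an instruction whose effect only leaves the safe band after the horizon is judged safe by this rule.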
The foregoing detailed description of the preferred embodiments of the invention has been presented. It should be understood that numerous modifications and variations could be devised by those skilled in the art in light of the present teachings without departing from the inventive concepts. Therefore, the technical solutions available to those skilled in the art through logic analysis, reasoning and limited experiments based on the prior art according to the concept of the present invention should be within the scope of protection defined by the claims.

Claims (10)

1. A virtualization-based security protection system for industrial control equipment, characterized in that it comprises a data acquisition module, a trap module, a control instruction module and a result analysis module; the data acquisition module dynamically acquires the state and data of the field equipment and provides them to the trap module; the trap module runs a simulation of the industrial control system to lure an attacker into accessing and attacking it; the control instruction module monitors, at the edge gateway, control instructions from the supervisory host (upper computer) of the industrial control system and forwards them to the trap module; and the result analysis module analyses the operation result of the simulation and judges whether it is safe.
2. The system of claim 1, wherein the system is deployed on an industrial server that runs a general-purpose Windows/Linux operating system and a real-time operating system in parallel under a hypervisor.
3. The system of claim 2, wherein the real-time operating system runs the simulation of the industrial control system, and the simulation consists of a plurality of virtual controllers.
4. The system of claim 3, wherein the data acquisition module defines a generic sensor interface on the operating system of the industrial control system, so that it reads every sensor attached to that operating system through the same interface to acquire real-time data.
5. The system of claim 4, wherein the generic sensor interface is not tied to a specific hardware device.
6. The system of claim 5, wherein the trap module dynamically updates the model and parameters of the simulation from the real-time readings of the data acquisition module, so that the simulation computes from the state of the real industrial control system and discovers and predicts potential attack behaviour.
7. The system of claim 6, wherein the trap module computes, using the configured parameters and functions, the operation result of each instruction forwarded by the control instruction module.
8. The system of claim 3, wherein the trap module connects the decoy simulation in series with the real industrial control system by means of data modeling, parameter estimation, control application deduction, anomaly detection algorithms and similar techniques, so that the simulation and the real industrial control system execute in parallel, the threat posed by an abnormal instruction is deduced in advance, and a warning is issued.
9. The system of claim 3, wherein the control instruction module monitors, at the edge gateway, control instructions from the supervisory host of the real industrial control system and forwards normal and malicious instructions alike to the simulation in the trap module, so as to drive the plurality of virtual controllers to operate cooperatively and form a virtual industrial control system.
10. The system of claim 3, wherein the result analysis module analyses the operation result of the simulation, raises a threat warning for any result that violates the safety rules, and records the behaviour of the malicious instruction.
Priority Applications (1)

Application Number: CN202210969614.5A; Priority Date: 2022-08-12; Filing Date: 2022-08-12; Title: Safety protection system of industrial control equipment based on virtualization; Status: Pending; Publication: CN115549950A (en)

Publications (1)

Publication Number: CN115549950A; Publication Date: 2022-12-30

Family

ID=84724086 (one family application: CN202210969614.5A)

Country Status (1)

CN: CN115549950A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116760620A (en) * 2023-07-10 2023-09-15 苏州恒臻星科技有限公司 Network risk early warning and management and control system of industrial control system
CN116760620B (en) * 2023-07-10 2024-03-26 释空(上海)品牌策划有限公司 Network risk early warning and management and control system of industrial control system

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination