CN115694846A - Safety detection system and method based on industrial protocol - Google Patents


Info

Publication number
CN115694846A
Authority
CN
China
Prior art keywords
data
protocol
devices
transmission
communication
Legal status
Granted
Application number
CN202110827984.0A
Other languages
Chinese (zh)
Other versions
CN115694846B (en)
Inventor
刘智勇
陈良汉
孙志刚
肖体正
Current Assignee
Zhuhai Hongrui Information Technology Co Ltd
Original Assignee
Zhuhai Hongrui Information Technology Co Ltd
Events
Application filed by Zhuhai Hongrui Information Technology Co Ltd
Priority to CN202110827984.0A
Publication of CN115694846A
Application granted
Publication of CN115694846B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a security detection system and method based on industrial protocols. The system comprises a communication data acquisition module, a database, a protocol application analysis module, a data transmission mode analysis module, a protocol attack security detection module and an attack defense early warning module. The communication data acquisition module collects mode data of serial and parallel communication transfers and characteristic data of denial-of-service (DoS) attack behaviour and stores them in the database; the protocol application analysis module matches the current transmission mode between devices, predicts the protocol type used for data transmission between them, and screens out the devices that communicate over serial protocols; the data transmission mode analysis module analyzes those devices and screens out the ones engaged in broadcast communication, which are then subjected to centralized security detection; and the protocol attack security detection module and the attack defense early warning module perform DoS early warning and defense. This improves the efficiency of security detection and avoids the data transmission delay and leakage that a DoS attack can cause.

Description

Safety detection system and method based on industrial protocol
Technical Field
The invention relates to the technical field of industrial safety detection, in particular to a safety detection system and a safety detection method based on an industrial protocol.
Background
An industrial control network is built to interconnect the devices of an industrial control system; it allows large numbers of industrial devices to be brought onto a network and production lines to be linked. Once the industrial control network is connected to the internet, it is exposed to attacks from other networks. Many industrial protocols are needed to carry data between devices, and as industrial control systems grow more complex, large numbers of new industrial protocols are derived, which increases the difficulty of security detection on that data communication. The prior art still lacks a mature technical solution for security detection of the data exchanged with industrial devices: although many detection modes for network attacks exist, the efficiency of detecting a single kind of network attack has not been effectively improved, and the number of industrial protocols keeps growing.
By the data communication mode between devices, the main protocol types fall roughly into two classes, serial communication protocols and parallel communication protocols. The communication mode between different devices is judged by comparing data through big-data technology, the type of industrial communication protocol in use is judged from the communication mode, and the data transmission processes that use a serial communication protocol are screened out. Denial-of-service (DoS) attacks are common in serial communication protocols, and the broadcast communication mode between serially connected devices is the most attractive target for them. By judging in advance whether devices are in broadcast communication, carrying out centralized DoS security detection on the devices that are, and performing defense in time, the risk that part of the data transmission is delayed or even leaked because of a DoS attack is effectively avoided, and the efficiency of security detection is improved.
Therefore, a safety detection system and method based on industrial protocol are needed to solve the above problems.
Disclosure of Invention
The present invention is directed to a system and a method for security detection based on industrial protocol, so as to solve the problems set forth in the background art.
In order to solve the technical problems, the invention provides the following technical solution: a safety detection system based on an industrial protocol, characterized in that the system comprises a communication data acquisition module, a database, a protocol application analysis module, a data transmission mode analysis module, a protocol attack safety detection module and an attack defense early warning module;
the communication data acquisition module is used for acquiring mode data of serial and parallel communication transmission data and characteristic data of denial of service attack behavior to the database; the protocol application analysis module is used for matching the current transmission mode among the devices, predicting the protocol type adopted by data transmission among different devices through the transmission mode, and screening out all devices which communicate through a serial protocol, wherein the protocol type comprises a serial communication protocol and a parallel communication protocol; the data transmission mode analysis module is used for positioning all current equipment which is in serial communication data transmission, acquiring a data link, counting the number and the direction of data transmission links where all the equipment is located according to the direction of the data transmission on the data link, and screening out the equipment which is in broadcast communication; the protocol attack security detection module is used for carrying out centralized security detection on the screened equipment, matching the features of the denial of service attack and transmitting the matching result to the attack defense early warning module; and the attack defense early warning module is used for analyzing a matching result, sending an early warning signal after successful matching, and performing the defense work of the denial of service attack.
Furthermore, the communication data acquisition module comprises a transmission information acquisition unit and a DoS attack characteristic acquisition unit: the serial and parallel communication data transmission modes are acquired by the transmission information acquisition unit, denial-of-service attack characteristic data are acquired by the DoS attack characteristic acquisition unit, and all acquired data are transmitted to the database.
Furthermore, the protocol application analysis module comprises a transmission mode analysis unit and a protocol type prediction unit, the transmission mode analysis unit is used for testing the data transmission mode among the current devices, the mode characteristics of the collected serial and parallel communication transmission data are compared, the comparison result is transmitted to the protocol type prediction unit, the protocol type prediction unit is used for predicting the communication protocol type according to the corresponding data transmission process, and the devices which are communicated through the serial protocol are screened out.
Furthermore, the data transmission mode analysis module comprises a transmission device positioning unit, a data link acquisition unit, a transmission direction test unit and a transmission mode detection unit (referred to below as the broadcast communication screening unit). The devices currently in serial communication data transmission are located by the transmission device positioning unit, the transmission data links between all devices communicating with one another are acquired by the data link acquisition unit, the data transmission direction of every data link is tested by the transmission direction test unit, and the number and direction of the data transmission links on which each device sits are counted by the broadcast communication screening unit, which screens out the devices in broadcast communication.
Further, the protocol attack security detection module comprises a security centralized detection unit and a detection result matching unit, centralized security detection is carried out on the screened equipment through the security centralized detection unit, the detection result is matched with the denial of service characteristic data in the database through the detection result matching unit, the matching result is transmitted to the attack defense early warning module, the matching result is analyzed through the attack defense early warning module, an early warning signal is sent out after the matching is successful, and the denial of service attack defense work is carried out.
A safety detection method based on an industrial protocol, characterized in that the method comprises the following steps:
S1: collecting the communication transmission modes between devices and the characteristic data of denial-of-service attacks;
S2: matching and analyzing the current transmission mode between devices, predicting the protocol type used for data transmission, and screening out the devices communicating through a serial protocol;
S3: locating all serial-communication devices, acquiring their data transmission links, and testing the data transmission direction;
S4: counting the number and direction of the data transmission links on which each device sits, and screening out the links of devices in broadcast communication;
S5: carrying out centralized security detection on the screened links, matching the characteristics of denial-of-service attacks, and, on a successful match, sending out an early warning signal and carrying out attack defense.
Further, in steps S1-S2, the transmission information acquisition unit records the data volume of each serial-communication transfer of a device as 1 and of each parallel-communication transfer as $A$, in bits; the DoS attack characteristic acquisition unit acquires the data transmission characteristics of denial-of-service attacks, and all acquired data are transmitted to the database. The transmission mode analysis unit counts, for the transfers between devices, the set of transmitted data volumes $B=\{B_1,B_2,\dots,B_n\}$ and the set of transfer counts $a=\{a_1,a_2,\dots,a_n\}$, and calculates the unit transmission data volume $b_i$ of any one data transmission process according to the following formula:
[formula image BDA0003174369610000031]
where $n$ is the number of ongoing data transmission processes and $B_i$ and $a_i$ are the transmitted data volume and the number of transfers of the $i$-th process. The per-transfer data volumes recorded for serial and parallel communication are then compared with $b_i$: if $b_i>1$, the transmission mode is parallel communication and the protocol is predicted to be a parallel communication protocol; if $b_i=1$, the transmission mode is serial communication, the protocol is predicted to be a serial communication protocol, and all devices communicating through a serial protocol are screened out. Deriving the per-transfer data volume of a device from its total transmitted volume and transfer count, and comparing it with the per-transfer volumes of serial and parallel communication, confirms the communication mode and improves the accuracy of the protocol-type prediction; screening out the serial-communication devices reduces the workload of subsequently judging whether a device is in broadcast communication.
Further, in step S3, the transmission device positioning unit locates all devices communicating through a serial protocol; the set of device coordinates is $(x,y)=\{(x_1,y_1),(x_2,y_2),\dots,(x_m,y_m)\}$, where $m$ is the number of devices communicating through a serial protocol. The data link acquisition unit acquires the data links on which each device sits, and the transmission direction test unit determines, for any one device $i$, the set of data-link vectors from that device to every other device, $(X,Y)=\{(x_1-x_i,\,y_1-y_i),\dots,(x_{i-1}-x_i,\,y_{i-1}-y_i),(x_{i+1}-x_i,\,y_{i+1}-y_i),\dots,(x_m-x_i,\,y_m-y_i)\}$, and the set of measured vectors of the data links on which the device currently sits, $(x^{\mathrm{meas}},y^{\mathrm{meas}})=\{(x^{\mathrm{meas}}_1,y^{\mathrm{meas}}_1),(x^{\mathrm{meas}}_2,y^{\mathrm{meas}}_2),\dots,(x^{\mathrm{meas}}_k,y^{\mathrm{meas}}_k)\}$, where $k$ is the number of data links on which the device currently sits. The included angle $\alpha_j$ between any one measured link and the data link from the device to any other device is calculated according to the following formula:
[formula image BDA0003174369610000041]
where $X_j$ and $Y_j$ are the abscissa and ordinate of the data-link vector from the device to the other device, and $x^{\mathrm{meas}}_j$ and $y^{\mathrm{meas}}_j$ are the abscissa and ordinate of the measured data-link vector of the current device. This yields the set of included angles between any one measured link and the vectors of the data links from the device to all other devices, $\alpha=\{\alpha_1,\alpha_2,\dots,\alpha_{m-1}\}$, which is sent to the broadcast communication screening unit. Calculating the link angles from vector coordinates determines the current sending and receiving state of every device, so that the number of links on which a device is sending can be counted and it can be judged whether the device is in broadcast communication; this allows timely early warning and targeted, centralized security detection of the corresponding data transmission process, improving the efficiency and precision of security detection.
Further, the broadcast communication screening unit analyzes the angles: if $\alpha_j=0^\circ$, the device is currently sending data to the corresponding device; if $\alpha_j=180^\circ$, the device is currently receiving data sent by the corresponding device; if $\alpha_j\neq 0^\circ$ and $\alpha_j\neq 180^\circ$, no data is currently being transmitted between the device and the corresponding device. The number of links on which the device sends data to other devices is counted as $C$ and the number of links on which it receives data from other devices as $C'$, with $C+C'=k$; if $C>1$, the device is currently in broadcast communication. Whether each other device is currently in broadcast communication is judged in the same way; all links on which devices in broadcast communication send data to other devices are screened out and sent to the security centralized detection unit.
Further, the screened links are subjected to centralized security detection by the security centralized detection unit, and the detection result matching unit matches whether the data transmission on the corresponding link conforms to the data transmission characteristics of denial-of-service attacks stored in the database: if the match fails, the corresponding data transmission process is not under denial-of-service attack and security detection continues; if the match succeeds, the corresponding data transmission process is under denial-of-service attack, the attack defense early warning module sends out an early warning signal, and DoS defense is performed, which effectively avoids the risk that part of the data transmission is delayed or even leaked because of a DoS attack.
Compared with the prior art, the invention has the following beneficial effects:
1. The invention collects mode data of serial and parallel communication transfers and characteristic data of denial-of-service attack behaviour through big-data technology, analyzes and judges the transmission mode between devices, predicts from that mode the type of industrial protocol used for data transmission, and screens out all devices communicating through a serial protocol, which lightens the workload of subsequently judging whether a device is in broadcast communication. By acquiring the data links between the devices that are in serial communication and testing the transmission direction on each link, it counts the number and direction of the data transmission links on which every device sits, screens out all devices in broadcast communication, and subjects them to centralized security detection, improving the efficiency and precision of security detection. Through the attack defense early warning module it judges whether the data transmission on the links involved in broadcast communication is under denial-of-service attack, sends out an early warning signal when it is, and performs DoS defense, effectively avoiding the risk of data transmission delay or even leakage caused by a DoS attack on part of the data transmission.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a block diagram of an industrial protocol based security detection system of the present invention;
fig. 2 is a flow chart of a security detection method based on an industrial protocol according to the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it should be understood that they are presented herein only to illustrate and explain the present invention and not to limit the present invention.
Referring to FIG. 1-2, the present invention provides the following technical solution: a safety detection system based on an industrial protocol, characterized in that the system comprises a communication data acquisition module, a database, a protocol application analysis module, a data transmission mode analysis module, a protocol attack safety detection module and an attack defense early warning module;
the communication data acquisition module is used for acquiring mode data of serial and parallel communication transmission data and characteristic data of denial of service attack behavior to a database; the protocol application analysis module is used for matching the current transmission mode among the devices, predicting the protocol type adopted by data transmission among different devices through the transmission mode, and screening out all devices which communicate through a serial protocol, wherein the protocol type comprises a serial communication protocol and a parallel communication protocol; the data transmission mode analysis module is used for positioning all current equipment which is in serial communication data transmission, acquiring a data link, counting the number and the direction of data transmission links where all the equipment is located according to the direction of the data transmission on the data link, and screening out the equipment which is in broadcast communication; the protocol attack security detection module is used for carrying out centralized security detection on the screened equipment, matching the features of the denial of service attack and transmitting the matching result to the attack defense early warning module; and the attack defense early warning module is used for analyzing the matching result, sending an early warning signal after the matching is successful, and performing the defense work of denial of service attack.
The communication data acquisition module comprises a transmission information acquisition unit and a DoS attack characteristic acquisition unit: the serial and parallel communication data transmission modes are acquired by the transmission information acquisition unit, denial-of-service attack characteristic data are acquired by the DoS attack characteristic acquisition unit, and all acquired data are transmitted to the database.
The protocol application analysis module comprises a transmission mode analysis unit and a protocol type prediction unit, the transmission mode analysis unit is used for testing the data transmission mode among the current devices, the mode characteristics of the collected serial and parallel communication transmission data are compared, the comparison result is transmitted to the protocol type prediction unit, the protocol type prediction unit is used for predicting the communication protocol type according to the corresponding data transmission process, and the devices which are communicated through the serial protocol are screened out.
The data transmission mode analysis module comprises a transmission device positioning unit, a data link acquisition unit, a transmission direction test unit and a transmission mode detection unit (referred to below as the broadcast communication screening unit). The devices currently in serial communication data transmission are located by the transmission device positioning unit, the transmission data links between all devices communicating with one another are acquired by the data link acquisition unit, the data transmission direction of every data link is tested by the transmission direction test unit, and the number and direction of the data transmission links on which each device sits are counted by the broadcast communication screening unit, which screens out the devices in broadcast communication.
The protocol attack security detection module comprises a security centralized detection unit and a detection result matching unit, centralized security detection is carried out on the screened equipment through the security centralized detection unit, the detection result is matched with the denial of service characteristic data in the database through the detection result matching unit, the matching result is transmitted to the attack defense early warning module, the matching result is analyzed through the attack defense early warning module, an early warning signal is sent out after the matching is successful, and the defense work of denial of service attack is carried out.
A safety detection method based on an industrial protocol, characterized in that the method comprises the following steps:
S1: collecting the communication transmission modes between devices and the characteristic data of denial-of-service attacks;
S2: matching and analyzing the current transmission mode between devices, predicting the protocol type used for data transmission, and screening out the devices communicating through a serial protocol;
S3: locating all serial-communication devices, acquiring their data transmission links, and testing the data transmission direction;
S4: counting the number and direction of the data transmission links on which each device sits, and screening out the links of devices in broadcast communication;
S5: carrying out centralized security detection on the screened links, matching the characteristics of denial-of-service attacks, and, on a successful match, sending out an early warning signal and carrying out attack defense.
In steps S1-S2, the transmission information acquisition unit records the data volume of each serial-communication transfer of a device as 1 and of each parallel-communication transfer as $A$, in bits; the DoS attack characteristic acquisition unit acquires the data transmission characteristics of denial-of-service attacks, and all acquired data are transmitted to the database. The transmission mode analysis unit counts, for the transfers between devices, the set of transmitted data volumes $B=\{B_1,B_2,\dots,B_n\}$ and the set of transfer counts $a=\{a_1,a_2,\dots,a_n\}$, and calculates the unit transmission data volume $b_i$ of any one data transmission process according to the following formula:
[formula image BDA0003174369610000061]
where $n$ is the number of ongoing data transmission processes and $B_i$ and $a_i$ are the transmitted data volume and the number of transfers of the $i$-th process. The per-transfer data volumes recorded for serial and parallel communication are then compared with $b_i$: if $b_i>1$, the transmission mode is parallel communication and the protocol is predicted to be a parallel communication protocol; if $b_i=1$, the transmission mode is serial communication, the protocol is predicted to be a serial communication protocol, and all devices communicating through a serial protocol are screened out. Deriving the per-transfer data volume of a device from its total transmitted volume and transfer count, and comparing it with the per-transfer volumes of serial and parallel communication, confirms the communication mode and improves the accuracy of the protocol-type prediction; screening out the serial-communication devices reduces the workload of subsequently judging whether a device is in broadcast communication.
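The protocol prediction of steps S1-S2 (stated here and in the summary of the invention), as an added example rather than the patent's own code. The patent renders the $b_i$ formula only as an image; the values in its embodiment ($B_i$ in bytes, $a_i$ transfers, $b_i$ in bits) are consistent with $b_i = 8B_i/a_i$, which this code assumes. The device names are constructed; the $(B_i, a_i)$ pairs are those of the embodiment. The width is kept as an exact fraction so that the $b_i = 1$ test is a true equality rather than a floating-point comparison, and a width below one bit (which the patent's rule does not cover) is reported instead of being silently classified.

```python
"""Steps S1-S2: per-transfer payload width b_i and serial/parallel protocol prediction.

Added example, not the patent's own code. The patent shows the b_i formula only as
an image; its embodiment (B_i in bytes, a_i transfers, b_i in bits) is consistent
with b_i = 8 * B_i / a_i, which this code assumes. Device names are constructed.
"""
from dataclasses import dataclass
from fractions import Fraction

SERIAL_WIDTH_BITS = 1  # patent: one bit per serial-communication transfer


@dataclass(frozen=True)
class TransferStats:
    src: str
    dst: str
    bytes_total: int  # B_i: bytes observed on this data transmission process
    transfers: int    # a_i: number of transfers that carried them


def unit_width_bits(s: TransferStats) -> Fraction:
    """b_i = 8 * B_i / a_i, kept exact so that b_i == 1 is a real equality test."""
    if s.transfers <= 0:
        raise ValueError(f"{s.src}->{s.dst}: transfer count must be positive")
    return Fraction(8 * s.bytes_total, s.transfers)


def predict_protocol(s: TransferStats, parallel_width_bits: int = 16) -> str:
    """Patent rule: b_i == 1 -> serial, b_i > 1 -> parallel (A = 16 bit in the embodiment).
    A width below one bit is outside the patent's rule and is reported, not classified."""
    b = unit_width_bits(s)
    if b == SERIAL_WIDTH_BITS:
        return "serial"
    if b > SERIAL_WIDTH_BITS:
        # the patent only requires b_i > 1; flag widths that differ from the expected A
        return "parallel" if b == parallel_width_bits else "parallel (width != A)"
    return "unknown"  # truncated capture or inconsistent counters


def screen_serial_devices(stats: list[TransferStats]) -> set[str]:
    """Devices that take part in at least one serial-protocol transmission process."""
    serial: set[str] = set()
    for s in stats:
        if predict_protocol(s) == "serial":
            serial.update((s.src, s.dst))
    return serial


# Constructed sample: the five (B_i, a_i) pairs of the patent's embodiment,
# assigned to constructed device pairs.
SAMPLE = [
    TransferStats("PLC-1", "PLC-2", bytes_total=20, transfers=160),
    TransferStats("PLC-2", "PLC-3", bytes_total=10, transfers=80),
    TransferStats("PLC-1", "HMI-1", bytes_total=30, transfers=15),
    TransferStats("PLC-3", "PLC-1", bytes_total=15, transfers=120),
    TransferStats("HMI-1", "SCADA", bytes_total=40, transfers=20),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.src}->{s.dst}: b_i = {unit_width_bits(s)} bit -> {predict_protocol(s)}")
    print("serial devices:", sorted(screen_serial_devices(SAMPLE)))
```

Running the sample yields $b = \{1, 1, 16, 1, 16\}$ bit, as in the embodiment, and screens out PLC-1, PLC-2 and PLC-3; a device that appears on both a serial and a parallel link (PLC-1 here) is still screened, since the patent screens every device that communicates over a serial protocol.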
In step S3: positioning the positions of all the devices which are communicated through the serial protocol by using a transmission device positioning unit, wherein the coordinate set of the positioned devices is (x, y) = { (x) 1 ,y 1 ),(x 2 ,y 2 ),...,(x m ,y m ) And m represents the number of devices communicating through a serial protocol, a data link acquisition unit is used for acquiring a data link where the device is located, and a transmission direction test unit is used for testing that a data link vector coordinate set of a random device sending data to all other devices is (X, Y) = { (X) 1 -x i ,y 1 -y i ),...,(x i-1 -x i ,y i-1 -y i ),(x i+1 -x i ,y i+1 -y i ),...,(x m -x i ,y m -y i ) Testing the vector coordinate set of the data link where the current equipment is located to be (x) Measuring ,y Side survey )={(x Side 1 ,y Side 1 ),(x Side 2 ,y Side 2 ),...,(x Measure k ,y Measure k ) K represents the number of the data links where the equipment is located, and the included angle alpha between a random link and the data link for sending data from the equipment to any other equipment is calculated according to the following formula j
Figure BDA0003174369610000071
Wherein, X j And Y j Respectively representing the abscissa and ordinate, x, of a data link vector for the device to transmit data to any other device Measure j And y Measure j Respectively representing the horizontal and vertical coordinates of the data link vector of the current device to obtain a set of included angles between a random link and the data link vector of the device transmitting data to all other devices, which is alpha = { alpha = 1 ,α 2 ,...,α m-1 And sending the angle set to a broadcast communication screening unit, and calculating link angles in a vector coordinate mode to judge the current data sending and receiving conditions of all the devices so as to count the number of data links sent by the devices and judge whether the corresponding devices are in broadcast communication, thereby being beneficial to giving early warning in time, carrying out concentrated safety detection on the corresponding data transmission process in a targeted manner and improving the safety detection efficiency and precision.
And analyzing the included angle degrees by using a broadcast communication screening unit: if α is j =0 °, indicating that the device is currently transmitting data to the corresponding device; if α is j =180 °, indicating that the device is currently receiving the data transmitted by the corresponding device; if α is j Not equal to 0 DEG and alpha j Not equal to 180 degrees, the data is not transmitted between the equipment and the corresponding equipment at present, and the number of links for sending the data to other equipment by the equipment is countedThe quantity is C, the number of links receiving data transmitted by other devices is C, C + C = k, if C is>1, explaining that the device is currently carrying out broadcast communication, judging whether other devices are currently carrying out broadcast communication according to the same mode, screening out all links of the devices carrying out broadcast communication and transmitting data to other devices, and sending the links to a security centralized detection unit.
The security centralized detection unit carries out centralized security detection on the screened links, and the detection result matching unit checks whether the data transmission on the corresponding links matches the data transmission characteristics of a denial of service attack stored in the database: if the match fails, the corresponding data transmission process is not under denial of service attack and security detection continues; if the match succeeds, the corresponding data transmission process is under denial of service attack, the attack defense early warning module sends out an early warning signal, and denial of service attack defense is carried out. In this way the risk of data transmission being delayed or even leaked because part of the transmissions are under DoS attack can be effectively avoided.
First embodiment: the transmission information acquisition unit acquires that the data volume transmitted each time in serial communication of the devices is 1 (unit: bit) and that the data volume transmitted each time in parallel communication is A = 16 bit. The transmission mode analysis unit counts the set of transmitted data volumes between the devices as B = {B_1, B_2, B_3, B_4, B_5} = {20, 10, 30, 15, 40} (unit: byte) and the set of transmission counts as a = {a_1, a_2, a_3, a_4, a_5} = {160, 80, 15, 120, 20}; according to the formula
Figure BDA0003174369610000081
the unit transmission data volume in all data transmission processes is calculated as b_1 = 1 bit, b_2 = 1 bit, b_3 = 16 bit, b_4 = 1 bit, b_5 = 16 bit. Since b_1 = 1, b_2 = 1 and b_4 = 1, the corresponding data transmission mode is serial communication transmission, the protocol adopted is predicted to be a serial communication protocol, and all devices communicating through the serial protocol are screened out. The transmission device positioning unit positions all devices communicating through the serial protocol, the position coordinate set of the positioned devices being (x, y) = {(x_1, y_1), (x_2, y_2), (x_3, y_3)}. The transmission direction test unit tests that the coordinate set of the data link vectors from device 1 to the other devices is (X, Y) = {(x_2 - x_1, y_2 - y_1), (x_3 - x_1, y_3 - y_1)} = {(-1, -2), (1, 1)}, and that the measured vector coordinate set of the data links on which device 1 is located is (x_meas, y_meas) = {(x_{meas,1}, y_{meas,1}), (x_{meas,2}, y_{meas,2}), (x_{meas,3}, y_{meas,3})} = {(-1, -2), (-1, -1), (1, 1)}; according to the formula
Figure BDA0003174369610000082
the included angles between all links of device 1 and the data links on which device 1 sends data to other devices are calculated as α_1 = 0°, α_2 = 180°, α_3 = 0°, indicating that device 1 is transmitting data to device 2 and device 3 and at the same time receiving data transmitted by device 3. The number of links on which device 1 transmits data to other devices is counted as 2 > 1, so device 1 is currently carrying out broadcast communication; in the same way device 3 is judged to be currently carrying out broadcast communication and device 2 is not. The links on which device 1 and device 3 send data to other devices are screened out and sent to the security centralized detection unit, the screened links are subjected to centralized security detection, and when the corresponding data transmission process is detected to be under denial of service attack, the attack defense early warning module sends out an early warning signal and denial of service attack defense is carried out.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A safety detection system based on industrial protocol is characterized in that: the system comprises: the system comprises a communication data acquisition module, a database, a protocol application analysis module, a data transmission mode analysis module, a protocol attack safety detection module and an attack defense early warning module;
the communication data acquisition module is used for acquiring mode data of serial and parallel communication transmission data and characteristic data of denial of service attack behaviors to the database; the protocol application analysis module is used for matching the current transmission mode among the devices, predicting the protocol type adopted by data transmission among different devices through the transmission mode, and screening out all devices which communicate through a serial protocol, wherein the protocol type comprises a serial communication protocol and a parallel communication protocol; the data transmission mode analysis module is used for positioning all current equipment which is in serial communication data transmission, acquiring a data link, counting the number and the direction of data transmission links where all the equipment is located according to the direction of the data transmission on the data link, and screening out the equipment which is in broadcast communication; the protocol attack security detection module is used for carrying out centralized security detection on the screened equipment, matching the features of the denial of service attack and transmitting the matching result to the attack defense early warning module; the attack defense early warning module is used for analyzing the matching result, sending out an early warning signal after the matching is successful, and carrying out the defense work of denial of service attack.
2. The industrial protocol-based security detection system of claim 1, wherein: the communication data acquisition module comprises a transmission information acquisition unit and a Dos attack characteristic acquisition unit, a serial communication data transmission mode and a parallel communication data transmission mode are acquired through the transmission information acquisition unit, denial of service attack characteristic data are acquired through the Dos attack characteristic acquisition unit, and all acquired data are transmitted to the database.
3. The industrial protocol-based security detection system of claim 1, wherein: the protocol application analysis module comprises a transmission mode analysis unit and a protocol type prediction unit, a data transmission mode between current devices is tested through the transmission mode analysis unit, the mode characteristics of the collected serial and parallel communication transmission data are compared, the comparison result is transmitted to the protocol type prediction unit, the communication protocol type of the corresponding data transmission process basis is predicted through the protocol type prediction unit, and the devices which communicate through the serial protocol are screened out.
4. The industrial protocol-based security detection system of claim 1, wherein: the data transmission mode analysis module comprises a transmission equipment positioning unit, a data link acquisition unit, a transmission direction test unit and a transmission mode detection unit, the transmission equipment positioning unit is used for positioning the equipment which is currently carrying out serial communication data transmission, the data link acquisition unit is used for acquiring transmission data links among all the equipment which are communicated with each other, the transmission direction test unit is used for testing the data transmission directions of all the data links, and the broadcast communication screening unit is used for counting the number and the directions of data transmission links where all the equipment are located to screen out the equipment which carries out broadcast communication.
5. The industrial protocol-based security detection system of claim 1, wherein: the protocol attack security detection module comprises a security centralized detection unit and a detection result matching unit, centralized security detection is carried out on the selected equipment through the security centralized detection unit, the detection result is matched with the denial of service characteristic data in the database through the detection result matching unit, the matching result is transmitted to the attack defense early warning module, the matching result is analyzed through the attack defense early warning module, an early warning signal is sent out after the matching is successful, and the defense work of denial of service attack is carried out.
6. A safety detection method based on an industrial protocol is characterized in that: the method comprises the following steps:
s1: collecting communication transmission modes among devices and characteristic data of denial of service attack;
s2: matching and analyzing the transmission mode between the current devices, predicting the protocol type adopted by data transmission, and screening out the devices which communicate through the serial protocol;
s3: positioning all serial communication equipment, acquiring a data transmission link, and testing the data transmission direction;
s4: counting the number and direction of data transmission links where all the devices are located, and screening out the related links of the devices for broadcast communication;
s5: and carrying out centralized security detection on the screened links, matching the features of the denial of service attack, sending out an early warning signal after successful matching, and carrying out attack defense work.
7. The industrial protocol-based security detection method according to claim 6, wherein: in steps S1-S2, the transmission information acquisition unit acquires that the data volume transmitted each time by serial communication of the devices is 1 and that the data volume transmitted each time by parallel communication of the devices is A (unit: bit); the Dos attack characteristic acquisition unit acquires the data transmission characteristics of a denial of service attack, and all acquired data are transmitted to the database; the transmission mode analysis unit counts the set of transmitted data volumes between the devices as B = {B_1, B_2, ..., B_n} and the set of transmission counts as a = {a_1, a_2, ..., a_n}, and the unit transmission data volume b_i in a random data transmission process is calculated according to the following formula:
Figure FDA0003174369600000021
where n denotes the number of ongoing data transmissions, and B_i and a_i respectively represent the transmitted data volume and the number of transmissions in a random data transmission process; the collected data volume transmitted each time in serial and parallel communication is compared with the data volume b_i: if b_i > 1, the data transmission mode is parallel communication transmission and the protocol adopted is predicted to be a parallel communication protocol; if b_i = 1, the data transmission mode is serial communication transmission and the protocol adopted is predicted to be a serial communication protocol, and all devices communicating through the serial protocol are screened out.
8. The industrial protocol-based security detection method according to claim 7, wherein: in step S3, the transmission device positioning unit positions all devices communicating through the serial protocol, the coordinate set of the positioned devices being (x, y) = {(x_1, y_1), (x_2, y_2), ..., (x_m, y_m)}, where m represents the number of devices communicating through the serial protocol; the data link acquisition unit acquires the data links on which a device is located, and the transmission direction test unit tests that the data link vector coordinate set of a random device i sending data to all other devices is (X, Y) = {(x_1 - x_i, y_1 - y_i), ..., (x_{i-1} - x_i, y_{i-1} - y_i), (x_{i+1} - x_i, y_{i+1} - y_i), ..., (x_m - x_i, y_m - y_i)}, and that the measured vector coordinate set of the data links on which the device is located is (x_meas, y_meas) = {(x_{meas,1}, y_{meas,1}), (x_{meas,2}, y_{meas,2}), ..., (x_{meas,k}, y_{meas,k})}, where k represents the number of data links on which the device is located; the included angle α_j between a random link and the data link vector from the device to any other device is calculated according to the following formula:
Figure FDA0003174369600000031
where X_j and Y_j respectively represent the abscissa and ordinate of the data link vector from the device to any other device, and x_{meas,j} and y_{meas,j} respectively represent the abscissa and ordinate of the measured data link vector of the current device; this yields the set of included angles between a random link and the data link vectors from the device to all other devices, α = {α_1, α_2, ..., α_{m-1}}, which is sent to the broadcast communication screening unit.
9. The industrial protocol-based security detection method according to claim 8, wherein: in step S4, the broadcast communication screening unit analyzes the included angles: if α_j = 0°, the device is currently transmitting data to the corresponding device; if α_j = 180°, the device is currently receiving data transmitted by the corresponding device; if α_j ≠ 0° and α_j ≠ 180°, no data is currently transmitted between the device and the corresponding device; the number of links on which the device sends data to other devices is counted as C and the number of links on which it receives data from other devices as c, with C + c = k; if C > 1, the device is currently carrying out broadcast communication; whether the other devices are currently carrying out broadcast communication is judged in the same way, all links on which the broadcasting devices transmit data to other devices are screened out, and these links are sent to the security centralized detection unit.
10. The industrial protocol-based security detection method according to claim 9, wherein: in step S5: carrying out concentrated security detection on the screened links by using the security concentrated detection unit, and matching whether data transmission on the corresponding links conforms to data transmission characteristics attacked by denial of service in a database or not by using a detection result matching unit: if the matching is unsuccessful, the corresponding data transmission process is not attacked by the denial of service, and the security detection is continued; if the matching is successful, the corresponding data transmission process is indicated to be attacked by the denial of service, an attack defense early warning module is used for sending out an early warning signal, and the defense work of the denial of service attack is carried out.
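The transmission-mode classification of the first embodiment and claim 7, and the angle-based broadcast screening of claims 8 and 9, as an added Python example that is not part of the patent or of its applicant's implementation. It reuses the embodiment's numbers (B in bytes, a as transfer counts, A = 16 bit) and the device-1 link vectors {(-1, -2), (-1, -1), (1, 1)}. The device coordinates (0, 0), (-1, -2), (1, 1), the list of directed flows, the extra flow from device 3 to device 2 (chosen so that device 3 broadcasts and device 2 does not, as the embodiment states), the byte-to-bit factor of 8 implied by the embodiment's values, and all function and constant names are constructed assumptions of this example, not notation from the patent.

```python
import math

# Constructed assumption: a serial transfer carries 1 bit, a parallel transfer
# A = 16 bit (values from the first embodiment; the patent names no constants).
SERIAL_UNIT_BITS = 1
PARALLEL_UNIT_BITS = 16


def unit_data_bits(bytes_sent, times_sent):
    """b_i for one transmission process: data volume per transfer, in bits.

    The embodiment gives B_i in bytes and b_i in bits; the factor 8 is the
    byte-to-bit conversion implied by its numbers (20 byte / 160 transfers = 1 bit).
    """
    return 8 * bytes_sent / times_sent


def classify_transmissions(B, a):
    """Claim 7: b_i > 1 -> parallel communication protocol, b_i = 1 -> serial."""
    out = []
    for B_i, a_i in zip(B, a):
        b_i = unit_data_bits(B_i, a_i)
        out.append((b_i, "parallel" if b_i > 1 else "serial"))
    return out


def angle_deg(u, v):
    """Included angle between two 2-D vectors, in degrees (the claim 8 formula)."""
    dot = u[0] * v[0] + u[1] * v[1]
    cosine = dot / (math.hypot(*u) * math.hypot(*v))
    cosine = max(-1.0, min(1.0, cosine))  # guard acos against rounding
    return math.degrees(math.acos(cosine))


def link_vectors(device, positions, flows):
    """Measured vectors (x_meas, y_meas) of the links the device is on.

    A link is a directed flow (src, dst); its vector points in the direction of
    data flow, matching the embodiment's set {(-1,-2), (-1,-1), (1,1)} for device 1.
    """
    return [
        (positions[d][0] - positions[s][0], positions[d][1] - positions[s][1])
        for s, d in flows
        if device in (s, d)
    ]


def classify_device(device, positions, flows, tol_deg=1e-3):
    """Claim 9: per link, 0 deg to a peer vector = sending, 180 deg = receiving.

    Returns (C, c, sends_to, receives_from); C + c = k when every link aligns
    with some peer. A device with C > 1 is treated as broadcasting.
    """
    peers = {
        j: (positions[j][0] - positions[device][0],
            positions[j][1] - positions[device][1])
        for j in positions if j != device
    }
    sends, recvs = [], []
    for link in link_vectors(device, positions, flows):
        for j, peer_vec in peers.items():
            alpha = angle_deg(link, peer_vec)
            if alpha < tol_deg:
                sends.append(j)
                break
            if abs(alpha - 180.0) < tol_deg:
                recvs.append(j)
                break
    return len(sends), len(recvs), sorted(sends), sorted(recvs)


def screen_broadcast_links(positions, flows):
    """Step S4: the links on which a broadcasting device (C > 1) sends data."""
    broadcasting = {d for d in positions if classify_device(d, positions, flows)[0] > 1}
    return sorted((s, d) for s, d in flows if s in broadcasting)


# Constructed sample data reproducing the first embodiment.
EMBODIMENT_B = [20, 10, 30, 15, 40]     # bytes transmitted per process (from the page)
EMBODIMENT_A = [160, 80, 15, 120, 20]   # number of transfers per process (from the page)
POSITIONS = {1: (0, 0), 2: (-1, -2), 3: (1, 1)}  # assumed coordinates
FLOWS = [(1, 2), (1, 3), (3, 1), (3, 2)]         # assumed directed data flows

if __name__ == "__main__":
    print(classify_transmissions(EMBODIMENT_B, EMBODIMENT_A))
    for dev in POSITIONS:
        print(dev, classify_device(dev, POSITIONS, FLOWS))
    print(screen_broadcast_links(POSITIONS, FLOWS))
```

With this data device 1 yields C = 2, c = 1 (sends to devices 2 and 3, receives from device 3) and device 3 yields C = 2, so both are screened as broadcasting while device 2 (C = 0) is not. One caveat of the angle test itself: if two peers lie on the same ray from a device, a link gives 0° (or 180°) against both, and the function simply takes the first match; the C count that the screening relies on is unaffected, but the per-peer attribution should then be confirmed from the link endpoints.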
CN202110827984.0A 2021-07-22 2021-07-22 Security detection system and method based on industrial protocol Active CN115694846B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110827984.0A CN115694846B (en) 2021-07-22 2021-07-22 Security detection system and method based on industrial protocol

Publications (2)

Publication Number Publication Date
CN115694846A true CN115694846A (en) 2023-02-03
CN115694846B CN115694846B (en) 2023-06-30

Family

ID=85044863

Country Status (1)

Country Link
CN (1) CN115694846B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103944915A (en) * 2014-04-29 2014-07-23 浙江大学 Threat detection and defense device, system and method for industrial control system
CN110213233A (en) * 2019-04-29 2019-09-06 国网宁夏电力有限公司电力科学研究院 Defend the emulation platform and method for building up of power grid distributed denial of service attack
WO2019200944A1 (en) * 2018-04-20 2019-10-24 西安交通大学 Physical intrusion attack detection method for industrial control system based on serial communication bus signal analysis
CN112907321A (en) * 2021-02-03 2021-06-04 珠海市鸿瑞信息技术股份有限公司 Big data-based information security anomaly sensing platform for data mining and analysis

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117596160A (en) * 2024-01-18 2024-02-23 中电山河数字科技(南通)有限公司 Method and system for manufacturing industry data link communication
CN117596160B (en) * 2024-01-18 2024-04-26 中电山河数字科技(南通)有限公司 Method and system for manufacturing industry data link communication

Also Published As

Publication number Publication date
CN115694846B (en) 2023-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant