CN115834218A - Safety protection method and system for scheduling data network multistage blocking - Google Patents
Publication number: CN115834218A (application CN202211504880.7A)
Authority: CN (China)
Prior art keywords: data network, layer, blocking, network, safety protection
Legal status: Pending (as listed by Google Patents; this is an assumption, not a legal conclusion)
Abstract
The invention discloses a security protection method and system for multi-level blocking in a dispatch data network. A dispatch data network security protection device is inserted into the network inline (in series), a whitelist is preset, and a communication tunnel is established for each link in the whitelist. When the device detects an abnormal application-layer packet, it blocks that packet; when it detects an illegal link at the network or transport layer, it blocks the link; when it detects attack behaviour, it blocks at the physical layer. After a block has occurred, communication can be restored locally or remotely, so service continuity is preserved. The method protects each layer of the dispatch data network in turn against the threats that layer faces and so secures the dispatch data network.
Description
Technical Field
The invention relates to a security protection method and system for multi-level blocking in a dispatch data network, and belongs to the technical field of power grid automation.
Background
The communication network of a substation is a local area network whose only path to the outside is the dispatch-layer network. Telesignaling and telemetry data from inside the station are sent to the dispatch center over the dispatch-layer network, and control commands from the dispatch center reach the station over the same network. As the substation's gateway for external communication, the security of the dispatch-layer network is critical: if it is intruded upon or otherwise maliciously attacked, the operation of the substation is seriously affected.
At present the dispatch-layer network lacks effective management. As the substation's external services grow, more and more devices are connected to the dispatch-layer network and its services become more complex, so the network urgently needs to be managed and controlled in order to reduce network risk.
Disclosure of Invention
The technical problem the invention addresses is managing and controlling the threats faced by each layer of a dispatch data network; it provides a security protection method and system for multi-level blocking in the dispatch data network.
To this end, the technical scheme adopted by the invention is as follows:
The invention provides a security protection method for multi-level blocking in a dispatch data network, comprising the following steps:
connecting a dispatch data network security protection device inline (in series) into the dispatch-layer network, and establishing a communication tunnel for each link in a pre-configured whitelist;
inspecting application-layer packets of the dispatch data network with the security protection device, and blocking an application-layer packet if it is found to be abnormal;
inspecting network-layer and transport-layer links of the dispatch data network with the security protection device, and blocking a link at the network layer if it is an illegal link;
and detecting attack behaviour with the security protection device, and blocking the physical layer of the dispatch data network if attack behaviour is present.
Further, a link in the whitelist comprises: protocol name, source IP address, destination IP address, source port and destination port.
Further, a link in the whitelist may also comprise an application-layer protocol name.
Further, inspecting an application-layer packet of the dispatch data network comprises:
parsing application-layer packets captured in the normal state according to the communication protocol to extract the payload data, and forming a reference library from that data;
and, if the payload data extracted from a received application-layer packet jumps relative to the reference library and the jump exceeds a preset threshold, judging the application-layer packet to be abnormal.
Further, blocking the application-layer packet comprises:
discarding the application-layer packet.
Further, inspecting the network-layer and transport-layer links of the dispatch data network comprises:
comparing the link captured from a packet with the links in the whitelist, and, if the captured link is not in the whitelist, blocking normal communication over that link's communication tunnel.
Further, the attack behaviour includes flooding attacks, malformed-packet attacks and denial-of-service attacks.
Further, blocking the physical layer of the dispatch data network comprises:
disabling the network port that is under attack.
The invention also provides a security protection system for multi-level blocking in a dispatch data network, which uses the above security protection method to protect the dispatch data network and comprises:
a dispatch data network security protection device connected inline (in series) into the dispatch-layer network, which establishes a communication tunnel for each link in a pre-configured whitelist;
the dispatch data network security protection device being configured with:
a first blocking module, which inspects application-layer packets of the dispatch data network and blocks an application-layer packet if it is found to be abnormal;
a second blocking module, which inspects network-layer and transport-layer links of the dispatch data network and blocks a link at the network layer if it is an illegal link;
and a third blocking module, which detects attack behaviour and blocks the physical layer of the dispatch data network if attack behaviour is present.
The beneficial effects of the invention are:
the method analyses and controls the dispatch-layer network layer by layer from the application layer down to the physical layer, senses and handles the threats of each layer, protects each layer of the dispatch data network step by step, and so secures the dispatch data network.
Drawings
Fig. 1 is a schematic diagram of the inputs and outputs of multi-level blocking at each layer of the network according to an embodiment of the invention;
Fig. 2 is a flowchart of the security protection method for multi-level blocking in a dispatch data network according to an embodiment of the invention.
Detailed Description
The invention is further described below. The following examples only illustrate the technical solution of the invention more clearly; they do not limit its scope of protection.
Example 1
This embodiment provides a security protection method for multi-level blocking in a dispatch data network. It analyses and controls the dispatch-layer network layer by layer from the application layer down to the physical layer, and the strength of the block escalates with the severity of the threat, as shown in Fig. 1: a single abnormal packet is discarded, an illegal link is blocked, and an attacked port is disabled outright. Each layer of the dispatch data network is thereby protected step by step.
The specific implementation of the method of this embodiment is shown in Fig. 2 and comprises:
S1. The dispatch data network security protection device is connected inline (in series): network traffic enters through one network port of the device and leaves through the other. A communication tunnel is established for each link in the pre-configured whitelist, and all communication packets pass through the tunnel.
The whitelist may be configured in advance or obtained by learning.
Note that a whitelist entry contains at least a protocol name (such as TCP or UDP), a source IP address, a destination IP address, a source port and a destination port, and may also contain the application-layer protocol name used by the link, such as IEC104. An example entry is: TCP, 10.10.10.1, 0, 192.168.0.1, 2404, IEC104. The source port field is 0 in this example; the text does not define a 0 port, and the natural reading is that it matches any source port, since the client side of a TCP connection uses an ephemeral port while 2404 is the registered IEC 60870-5-104 server port.
S2. The device inspects application-layer packets, and blocks a packet if an abnormality is detected.
In this embodiment, application-layer packets are inspected as follows.
A packet is judged abnormal from its characteristic behaviour,
where the characteristic behaviour is a jump in the payload data extracted from the packet according to the communication protocol. Taking the IEC104 protocol as an example, the telesignaling and telemetry content is extracted from packets captured in the normal state according to the IEC104 frame format and analysed to form a reference library; if the telesignaling or telemetry content extracted from a received application-layer packet jumps relative to the reference library and the jump exceeds a preset threshold, the application-layer packet is judged abnormal.
In this embodiment, blocking an application-layer packet comprises:
discarding the application-layer packet.
Because the device implements the tunnel as a network proxy (it terminates the connection on each side and relays between them), discarding an application-layer packet does not affect the transport-layer and network-layer connection of the link: the TCP session stays up and only the offending application data is dropped.
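The reference-library check of step S2, worked through for IEC 60870-5-104 in Python. This is added example code, not the patent's implementation: the parser handles only I-format APDUs carrying type 1 (M_SP_NA_1, single-point telesignal) or type 13 (M_ME_NC_1, short floating-point telemetry) information objects with SQ=0; the baseline is taken as the mean of the values learned per information object address, which is one way to realise the "reference library" the text names; and the per-IOA thresholds, the build_apdu() helper and the sample values are constructed for this example.

```python
"""Application-layer check for step S2: parse IEC 60870-5-104 I-format APDUs,
learn a reference library from normal traffic, and flag a value jump beyond a
preset threshold.  Added example, not the patent's code.  Handles type 1
(M_SP_NA_1, single-point telesignal) and type 13 (M_ME_NC_1, short-float
telemetry) with SQ=0; sample APDUs are constructed inline with build_apdu().
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

START = 0x68
ELEM_LEN = {1: 1, 13: 5}   # SIQ (1 byte) / IEEE754 float (4) + QDS quality (1)


@dataclass(frozen=True)
class InfoObject:
    ioa: int        # information object address
    value: float


def parse_apdu(buf: bytes) -> List[InfoObject]:
    """Return the information objects of one APDU; [] for S/U-format frames."""
    if len(buf) < 6 or buf[0] != START:
        raise ValueError("bad start byte or truncated APCI")
    if buf[1] != len(buf) - 2:
        raise ValueError("APDU length field mismatch")
    if buf[2] & 0x01:                    # bit 0 set: S- or U-format, carries no ASDU
        return []
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    if vsq & 0x80:
        raise ValueError("SQ=1 (sequence of elements) not handled here")
    if type_id not in ELEM_LEN:
        raise ValueError(f"unsupported type identification {type_id}")
    count, elem_len, pos, objs = vsq & 0x7F, ELEM_LEN[type_id], 6, []
    for _ in range(count):               # pos 6 skips type, VSQ, COT(2), CA(2)
        if pos + 3 + elem_len > len(asdu):
            raise ValueError("information object truncated")
        ioa = int.from_bytes(asdu[pos:pos + 3], "little")
        pos += 3
        if type_id == 1:
            value = float(asdu[pos] & 0x01)            # SPI bit of the SIQ byte
        else:
            value = struct.unpack_from("<f", asdu, pos)[0]
        pos += elem_len
        objs.append(InfoObject(ioa, value))
    return objs


def build_apdu(type_id: int, objs: List[Tuple[int, float]], ns: int = 0, nr: int = 0) -> bytes:
    """Construct an I-format APDU (COT=3 spontaneous, common address 1) as test input."""
    asdu = bytes([type_id, len(objs), 0x03, 0x00, 0x01, 0x00])
    for ioa, v in objs:
        asdu += ioa.to_bytes(3, "little")
        asdu += bytes([int(v) & 0x01]) if type_id == 1 else struct.pack("<f", v) + b"\x00"
    body = struct.pack("<HH", ns << 1, nr << 1) + asdu   # N(S), N(R) occupy bits 1..15
    return bytes([START, len(body)]) + body


class ReferenceLibrary:
    """Per-IOA baseline learned from normal-state APDUs, plus preset thresholds."""

    def __init__(self, default_threshold: float) -> None:
        self.default_threshold = default_threshold
        self.thresholds: dict = {}                 # ioa -> preset jump threshold
        self._sum, self._n = defaultdict(float), defaultdict(int)

    def learn(self, apdu: bytes) -> None:
        for o in parse_apdu(apdu):
            self._sum[o.ioa] += o.value
            self._n[o.ioa] += 1

    def reference(self, ioa: int) -> float:
        return self._sum[ioa] / self._n[ioa]

    def inspect(self, apdu: bytes) -> Tuple[bool, List[str]]:
        """Return (drop, reasons): drop=True means the device discards this APDU."""
        try:
            objs = parse_apdu(apdu)
        except ValueError as exc:
            return True, [f"unparseable APDU: {exc}"]   # cannot be checked, so dropped
        reasons = []
        for o in objs:
            if self._n[o.ioa] == 0:
                reasons.append(f"IOA {o.ioa}: not in reference library")
                continue
            jump = abs(o.value - self.reference(o.ioa))
            limit = self.thresholds.get(o.ioa, self.default_threshold)
            if jump > limit:
                reasons.append(f"IOA {o.ioa}: jump {jump:.2f} exceeds threshold {limit}")
        return bool(reasons), reasons
```

Learning is done from APDUs captured in the normal state (here generated with build_apdu()); `inspect()` returning drop=True maps to discarding that one APDU while, as the text notes, the proxied TCP session stays up. An APDU that cannot be parsed is also dropped here, since it cannot be checked against the library.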
S3. The device inspects network-layer and transport-layer links, and blocks a link at the network layer if it is illegal.
In this embodiment, network-layer and transport-layer links are inspected as follows:
the link whitelist is compared against the actual data flows.
Suppose the link captured from an actual packet is TCP, 10.10.10.1, 7686, 192.168.0.1, 2405. This link is not in the whitelist (the whitelisted entry above allows destination port 2404 only), so normal communication over that link's communication tunnel is blocked.
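The whitelist format of step S1 and the link comparison of step S3, as one worked example in Python. This is added illustration code, not code from the patent: it parses entries in the comma-separated form shown above, treats a port field of 0 as a wildcard (an assumption; the patent does not define it), keys tunnels on the 5-tuple, and admits the reply direction of an established tunnel (also an assumption, consistent with the proxy-style tunnel the description mentions). The names Link, Whitelist and TunnelTable are this example's own.

```python
"""Whitelist and link check for steps S1 and S3.  Added example, not the
patent's own code.  A whitelist entry is the 5-tuple from the description
(protocol, source IP, destination IP, source port, destination port) plus an
optional application-layer protocol name, in the comma-separated form the
example uses.  Assumption: a port of 0 in an entry matches any port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Link:
    proto: str                  # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: Optional[str] = None   # e.g. "IEC104"; None when not configured / not known


def parse_link(line: str) -> Link:
    """Parse 'TCP,10.10.10.1,0,192.168.0.1,2404,IEC104' (the app field is optional)."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) not in (5, 6):
        raise ValueError(f"expected 5 or 6 fields, got {len(fields)}: {line!r}")
    proto, src_ip, src_port, dst_ip, dst_port = fields[:5]
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"unsupported protocol {proto!r}")
    for ip in (src_ip, dst_ip):
        ipaddress.ip_address(ip)          # raises ValueError on a malformed address
    sp, dp = int(src_port), int(dst_port)
    for p in (sp, dp):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    app = fields[5].upper() if len(fields) == 6 else None
    return Link(proto, src_ip, sp, dst_ip, dp, app)


def key5(link: Link) -> tuple:
    """The 5-tuple that identifies a tunnel (the app name is not part of it)."""
    return (link.proto, link.src_ip, link.src_port, link.dst_ip, link.dst_port)


def reverse(link: Link) -> Link:
    """The reply direction of a link (server -> client)."""
    return Link(link.proto, link.dst_ip, link.dst_port, link.src_ip, link.src_port, link.app)


class Whitelist:
    def __init__(self, entries: List[str]) -> None:
        self.entries = [parse_link(e) for e in entries]

    def match(self, link: Link) -> Optional[Link]:
        """Return the whitelist entry that covers `link`, or None if it is illegal."""
        for e in self.entries:
            if (e.proto, e.src_ip, e.dst_ip) != (link.proto, link.src_ip, link.dst_ip):
                continue
            if e.src_port not in (0, link.src_port) or e.dst_port not in (0, link.dst_port):
                continue
            # An entry that names an application protocol only admits that protocol.
            if e.app is not None and link.app is not None and e.app != link.app:
                continue
            return e
        return None


class TunnelTable:
    """Tunnels the inline device has set up for whitelisted links (step S1).

    decide() is the step-S3 check: a captured link that is neither in the
    whitelist nor the reply direction of an established tunnel is illegal and
    is blocked (assumption: the whitelist describes the initiating direction
    and the reverse flow belongs to the same tunnel, as it would for a proxy).
    """

    def __init__(self, whitelist: Whitelist) -> None:
        self.whitelist = whitelist
        self.tunnels: dict = {}       # key5(forward link) -> whitelist entry

    def decide(self, captured: Link) -> str:
        entry = self.whitelist.match(captured)
        if entry is not None:
            self.tunnels.setdefault(key5(captured), entry)
            return "ALLOW"
        if key5(reverse(captured)) in self.tunnels:
            return "ALLOW"
        return "BLOCK"
```

With the whitelist entry from the text loaded, the captured link TCP, 10.10.10.1, 7686, 192.168.0.1, 2405 is blocked because of its destination port, while the same link to port 2404 is admitted and its reply flow from 192.168.0.1:2404 is recognised as part of the established tunnel.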
S4. The device detects attack behaviour, and blocks the physical layer if attack behaviour is present.
In this embodiment, attack behaviour includes flooding attacks, malformed-packet attacks and denial-of-service attacks, for example a SYN flood or a teardrop attack (overlapping IP fragments).
In this embodiment, blocking the physical layer means disabling the network port that is under attack.
In this embodiment, after a block has occurred the device can restore communication locally or remotely, so that service continuity is preserved.
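Step S4 as a worked example in Python: a detector for SYN floods and teardrop-style overlapping IP fragments that disables the attacked network port and can re-enable it afterwards. This is added example code, not the patent's: packet records are constructed in memory, the thresholds (syn_limit, window) are illustrative, and the port is not actually touched, since block_physical() and recover() only record the state and return the `ip link` command a Linux-based device would run, which is an assumption because the patent does not name the mechanism.

```python
"""Step S4: detect attack behaviour (SYN flood, teardrop-style overlapping IP
fragments) and block at the physical layer by disabling the attacked network
port, with local/remote recovery afterwards.  Added example, not the patent's
code.  Packet records are constructed in memory; block_physical() records the
port state and returns the ip(8) command an operator or the device would run
(assumption: a Linux-based device, which the patent does not specify).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    ts: float
    port: str                 # ingress network port of the inline device
    src: str
    dst: str
    proto: str                # "TCP" or "IPFRAG"
    syn: bool = False
    ack: bool = False
    ip_id: int = 0
    frag_offset: int = 0      # fragment offset in bytes
    frag_len: int = 0
    more_frags: bool = False


class AttackDetector:
    def __init__(self, syn_limit: int = 100, window: float = 1.0) -> None:
        self.syn_limit = syn_limit          # bare SYNs tolerated per port per window
        self.window = window                # seconds
        self._syns = defaultdict(deque)     # port -> timestamps of recent bare SYNs
        self._frags = defaultdict(list)     # (src, dst, ip_id) -> [(offset, end)]
        self.port_state = defaultdict(lambda: "up")
        self.events = []                    # (port, reason, command) log

    def observe(self, p: Packet) -> Optional[str]:
        """Feed one packet; return the attack name that triggered a block,
        'port-down' if the ingress port is already disabled, else None."""
        if self.port_state[p.port] == "down":
            return "port-down"              # nothing is forwarded while the port is disabled
        reason = None
        if p.proto == "TCP" and p.syn and not p.ack:
            q = self._syns[p.port]
            q.append(p.ts)
            while q and p.ts - q[0] > self.window:
                q.popleft()                 # slide the window
            if len(q) > self.syn_limit:
                reason = "SYN flood"
        elif p.proto == "IPFRAG":
            key = (p.src, p.dst, p.ip_id)
            end = p.frag_offset + p.frag_len
            for off, prev_end in self._frags[key]:
                if p.frag_offset < prev_end and end > off:   # overlaps an earlier fragment
                    reason = "teardrop (overlapping fragments)"
                    break
            self._frags[key].append((p.frag_offset, end))
            if not p.more_frags:
                self._frags.pop(key, None)  # last fragment seen; simplification: later
                                            # fragments of the same id start a fresh entry
        if reason:
            self.block_physical(p.port, reason)
        return reason

    def block_physical(self, port: str, reason: str) -> str:
        """Physical-layer block: take the attacked port down."""
        self.port_state[port] = "down"
        cmd = f"ip link set dev {port} down"
        self.events.append((port, reason, cmd))
        return cmd

    def recover(self, port: str, how: str = "local") -> str:
        """Re-enable the port, locally at the device or over a remote management channel."""
        self.port_state[port] = "up"
        self._syns.pop(port, None)          # start the flood window afresh
        cmd = f"ip link set dev {port} up"
        self.events.append((port, f"recovered ({how})", cmd))
        return cmd
```

The escalation matches Fig. 1: where S2 drops one APDU and S3 blocks one tunnel, a detected attack here takes the whole ingress port down, which is why the recovery path (local or remote) is part of the same step.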
Example 2
This embodiment provides a security protection system for multi-level blocking in a dispatch data network, comprising:
a dispatch data network security protection device connected inline (in series) into the dispatch-layer network, which establishes a communication tunnel for each link in a pre-configured whitelist;
in this embodiment, the dispatch data network security protection device is configured with:
a first blocking module, which inspects application-layer packets and blocks an application-layer packet if it is found to be abnormal;
a second blocking module, which inspects network-layer and transport-layer links and blocks a link at the network layer if it is an illegal link;
and a third blocking module, which detects attack behaviour and blocks the physical layer if attack behaviour is present.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
Claims (9)
1. A security protection method for multi-level blocking in a dispatch data network, characterised in that it comprises the following steps:
connecting a dispatch data network security protection device inline (in series) into the dispatch-layer network, and establishing a communication tunnel for each link in a pre-configured whitelist;
inspecting application-layer packets of the dispatch data network with the security protection device, and blocking an application-layer packet if it is found to be abnormal;
inspecting network-layer and transport-layer links of the dispatch data network with the security protection device, and blocking a link at the network layer if it is an illegal link;
and detecting attack behaviour with the security protection device, and blocking the physical layer of the dispatch data network if attack behaviour is present.
2. The method of claim 1, wherein a link in the whitelist comprises: protocol name, source IP address, destination IP address, source port and destination port.
3. The method of claim 2, wherein a link in the whitelist further comprises an application-layer protocol name.
4. The method of claim 1, wherein inspecting an application-layer packet of the dispatch data network comprises:
parsing application-layer packets captured in the normal state according to the communication protocol to extract the payload data, and forming a reference library from that data;
and, if the payload data extracted from a received application-layer packet jumps relative to the reference library and the jump exceeds a preset threshold, judging the application-layer packet to be abnormal.
5. The method of claim 4, wherein blocking the application-layer packet comprises:
discarding the application-layer packet.
6. The method of claim 1, wherein inspecting the network-layer and transport-layer links of the dispatch data network comprises:
comparing the link captured from a packet with the links in the whitelist, and, if the captured link is not in the whitelist, blocking normal communication over that link's communication tunnel.
7. The method of claim 1, wherein the attack behaviour includes flooding attacks, malformed-packet attacks and denial-of-service attacks.
8. The method of claim 7, wherein blocking the physical layer of the dispatch data network comprises:
disabling the network port that is under attack.
9. A security protection system for multi-level blocking in a dispatch data network, characterised in that it uses the security protection method of any one of claims 1 to 8 to protect the dispatch data network, and comprises:
a dispatch data network security protection device connected inline (in series) into the dispatch-layer network, which establishes a communication tunnel for each link in a pre-configured whitelist;
the dispatch data network security protection device being configured with:
a first blocking module, which inspects application-layer packets of the dispatch data network and blocks an application-layer packet if it is found to be abnormal;
a second blocking module, which inspects network-layer and transport-layer links of the dispatch data network and blocks a link at the network layer if it is an illegal link;
and a third blocking module, which detects attack behaviour and blocks the physical layer of the dispatch data network if attack behaviour is present.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202211504880.7A | 2022-11-29 | 2022-11-29 | Safety protection method and system for scheduling data network multistage blocking
Publications (1)
Publication Number | Publication Date
---|---
CN115834218A | 2023-03-21
Family ID: 85532384 (one family application, CN202211504880.7A, status Pending)
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN117294538A | 2023-11-27 | 2023-12-26 | 华信咨询设计研究院有限公司 | Bypass detection and blocking method and system for data security risk behaviors
CN117294538B | 2023-11-27 | 2024-04-02 | 华信咨询设计研究院有限公司 | Bypass detection and blocking method and system for data security risk behaviors
Legal Events
Code | Title
---|---
PB01 | Publication
SE01 | Entry into force of request for substantive examination