CN115964564A - Industrial protocol rule recommendation method and device - Google Patents


Info

Publication number
CN115964564A
Authority
CN
China
Prior art keywords
event
rule
statistical analysis
industrial
safety
Legal status
Pending
Application number
CN202211703595.8A
Other languages
Chinese (zh)
Inventor
李欣
李元正
焦威
王思同
Current Assignee
Chengdu Guotai Wangxin Technology Co ltd
Beijing Guotai Netcom Technology Co ltd
Original Assignee
Chengdu Guotai Wangxin Technology Co ltd
Beijing Guotai Netcom Technology Co ltd
Priority date
2022-12-29
Filing date
2022-12-29
Publication date
2023-04-14
Application filed by Chengdu Guotai Wangxin Technology Co ltd and Beijing Guotai Netcom Technology Co ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention discloses an industrial protocol rule recommendation method and device comprising the following steps: S1, configuring industrial protocol rules and a processing mode, determining the log data generated when a rule is hit to be security events according to the processing mode, and storing the security events in a database; S2, extracting the key characteristic attributes and characteristic values of the security events; S3, defining weight values for the key characteristic attributes and characteristic values of the security events, calculating the total weight value of each security event, and establishing a hazard level model from the weight values; S4, grouping the security events by source IP, merging them, performing statistical analysis against the hazard level model, and generating a statistical analysis result; and S5, generating an industrial protocol recommendation rule from the statistical analysis result. Labor cost is reduced, timeliness is improved, and rules are determined more efficiently.

Description

Industrial protocol rule recommendation method and device
Technical Field
The invention relates to the fields of computer technology and industrial control security, in particular to an industrial protocol rule recommendation method and device.
Background
With the rapid development of industrial informatization, industrial control systems have moved from closed and isolated to open, from stand-alone to interconnected, and from automated to intelligent. However, against this background of rapid development of industrial enterprises, a great number of potential security hazards have arisen.
To secure an industrial network, security devices such as industrial firewalls and industrial gatekeepers (isolation gateways) need to be introduced into it to protect the devices within it. These security devices are generally configured with industrial protocol rules that are matched against network traffic packets, so that packets are released or blocked and security events are recorded, thereby protecting the industrial control devices in the network. In general, so as not to affect services in the industrial network, the industrial protocol rules should be adjusted promptly: when abnormal traffic is found, rules are issued in time to block it.
In the above approach, abnormal traffic is discovered by analyzing security events, but which security events are valid and may indicate a real security problem has to be determined manually. If the number of security events is large, they have to be judged one by one, confirmation is inefficient, and the labor cost is high. Meanwhile, industrial protocols are relatively complex and the process is influenced by human factors, so the accuracy of newly created rules is low and there is a risk of blocking normal business traffic.
Disclosure of Invention
To address the defects of the prior art, the industrial protocol rule recommendation method and device provided by the invention solve the problems of poor effect, low accuracy and high labor cost in the conventional manual adjustment strategy.
To achieve this purpose, the invention adopts the following technical scheme. An industrial protocol rule recommendation method comprises the following steps:
S1, configuring industrial protocol rules and a processing mode, determining the log data generated when a rule is hit to be security events according to the processing mode, and storing the security events in a database;
S2, extracting the key characteristic attributes and characteristic values of the security events;
S3, defining weight values for the key characteristic attributes and characteristic values of the security events, calculating the total weight value of each security event, and establishing a hazard level model from the weight values;
S4, grouping the security events by source IP, merging them, performing statistical analysis against the hazard level model, and generating a statistical analysis result;
and S5, generating an industrial protocol recommendation rule from the statistical analysis result.
Further, the key characteristic attributes of a security event comprise a source IP, a destination IP, a risk level, an event type, a processing mode, an industrial protocol and a rule item.
Further, the industrial protocols comprise Modbus, S7, IEC104, OPCDA, OPCUA, CIP, MMS, DNP3 and FINS, and the processing modes comprise release, alert, block and discard.
Further, the hazard level model is as follows: a security event with a weight score greater than 10 points is defined as high-hazard, one with a weight score greater than 5 and less than or equal to 10 points as medium-hazard, and one with a weight score of 5 points or less as low-hazard.
Further, the statistical analysis groups the security events by source IP, merges and statistically analyzes them in combination with the hazard level model, and finally generates a statistical analysis result.
Further, step S5 specifically comprises: performing drill-down analysis on the result of the hazard statistical analysis, counting the proportions of event types, risk levels and processing modes among the security events, and generating a recommendation strategy by setting thresholds. The threshold configuration comprises a processing mode threshold, an event type statistics threshold and a risk level threshold; when a statistical result exceeds its threshold, an industrial protocol recommendation strategy is generated.
Further, the industrial protocol recommendation strategy comprises a source IP, a destination IP, a protocol, a rule item and an action, where the rule item follows the characteristics defined in the industrial protocol specification.
Further, the characteristics of an industrial protocol are classified by operation type into read operations, write operations and key operations; the set of characteristics defining read operations is the read operation template, the set defining write operations is the write operation template, and the set defining key operations is the key operation template.
An industrial protocol rule recommendation device comprising:
an event acquisition module for acquiring the data of security events generated when packets in network traffic hit industrial protocol rules;
a model definition module for extracting the characteristic attributes of the security events, defining weights for the values of the characteristic attributes, and generating a hazard level model;
a statistical analysis module for calculating the weight score of each security event according to the defined characteristic attributes and characteristic values and performing statistical analysis according to the score;
and a strategy recommendation module for generating an industrial protocol recommendation strategy according to the statistical analysis result.
The beneficial effects of the invention are as follows: the invention provides an industrial protocol rule recommendation method and device which, when security events in an industrial network are monitored, can quickly analyze and extract valid events from the security events and automatically generate a new recommendation strategy, reducing labor cost, improving timeliness and determining rules more efficiently when the industrial network is protected by security equipment.
Drawings
FIG. 1 is a flow diagram of a data processing method according to an embodiment of the invention;
FIG. 2 is a schematic structural diagram of a data conversion device according to an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention is provided to help those skilled in the art understand the invention, but it should be understood that the invention is not limited to the scope of the embodiments; it will be apparent to those skilled in the art that various changes may be made without departing from the spirit and scope of the invention as defined in the appended claims, and all matters produced using the inventive concept are protected.
The industrial protocol rule described in the embodiment of the present invention is a defined format describing the characteristics of an industrial protocol packet, including a source IP, a destination IP, a source port, a destination port, a packet depth, an offset, a value and an action. The industrial protocol rule is used to match whether a corresponding packet exists in the industrial network and to execute the corresponding action. The industrial protocols include, but are not limited to, Modbus, S7, IEC104, OPCDA, OPCUA, CIP, MMS, DNP3 and FINS. The actions include release, alert, block and discard.
In practical application, industrial protocol rules are configured according to the characteristics of the industrial network to protect the security of industrial equipment; when a network traffic packet matches an industrial protocol rule, the predefined action is executed and a corresponding security event is reported. The security event comprises key attributes such as the action, source IP, destination IP, characteristics, event type and risk level. Unknown operations of an industrial protocol are generally defined as alert operations so that service communication continues uninterrupted.
The embodiment provides a method for recommending industrial protocol rules, shown schematically in FIG. 1, which comprises the following specific steps:
Step 101: configure industrial control protocol rules and a processing mode, determine the log data generated when a rule is hit to be security events according to the processing mode, and store the security events in a database.
In the embodiment of the present invention, to protect industrial devices in an industrial network, industrial protocol rules and a processing mode need to be configured on a security device, so that the network is checked for corresponding traffic according to the defined rules and, if such traffic exists, it is handled in the predefined processing mode. For example, in an industrial network an industrial firewall protects the boundary of the industrial control equipment; industrial protocol rules are configured on the industrial firewall, and if a packet in the network traffic matches an industrial protocol rule, the corresponding processing mode is executed, the generated log data is determined to be a security event, and the security event is stored in a database. In an industrial network, not too many blocking rules are configured, generally so that the normal traffic of the industrial equipment is not interrupted.
Step 102: extract the key characteristic attributes and characteristic values of the security events.
In the embodiment of the present invention, the key feature attributes of the security event data are extracted first. It should be noted that the key feature attributes extracted from a security event can be chosen freely and are not particularly limited by this embodiment; for example, in an industrial firewall system the key feature attributes of a security event may include: source IP, destination IP, risk level, event type, action, protocol and rule item.
The risk levels include high, medium and low. The event types include vulnerability, whitelist and IP-MAC binding. The actions include release, alert, block and discard.
The rule item extracts protocol characteristics according to the communication specification of the industrial protocol, and the characteristics differ between industrial protocols. For example, the Modbus protocol defines features such as function codes and coil addresses, so a rule item may be defined as func:{1}|endaddr:{3}|startaddr:{1}, where func:{1} means function code 1 (read coils), startaddr:{1} means the start address is 1, and endaddr:{3} means the end address is 3.
Optionally, on Ethernet the control of an industrial control device depends on an industrial protocol, that is, each operation has a corresponding feature, and the features are classified by operation into readable, writable and key operations, with corresponding readable, writable and key operation templates. The templates are rule sets divided according to protocol features; for example, for the Modbus protocol the readable template includes rules such as read coil and read holding register, the writable template includes rules such as write coil and write holding register, and the key operation template includes rules such as upload and download.
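As an added illustration (not code from the patent or its assignees), the following Python decodes a Modbus/TCP request, parses a rule item in the func/startaddr/endaddr format shown above, checks whether the rule hits the request, and maps the function code to the readable, writable and key operation templates. The read/write grouping of function codes follows the public Modbus specification; which codes count as key operations, the overlap semantics of the address match, and the sample frames are assumptions made here.

```python
"""Rule items and templates for Modbus (steps 102 and the template discussion):
parse 'func:{1}|endaddr:{3}|startaddr:{1}', decode a Modbus/TCP request and
check whether the rule hits it. Added example, not the patent's own code."""
import struct

# Standard Modbus function codes, grouped the way the patent's templates do.
READ_FUNCS = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16}     # write single/multiple coil(s) and register(s)
# The patent's "key operations" (upload/download) are vendor specific; as an
# assumption we treat diagnostics (8) and the user-defined range 65-72 as key.
KEY_FUNCS = {8} | set(range(65, 73))


def parse_rule_item(rule_item):
    """'func:{1}|endaddr:{3}|startaddr:{1}' -> {'func': 1, 'endaddr': 3, 'startaddr': 1}."""
    fields = {}
    for part in rule_item.split("|"):
        key, sep, value = part.strip().partition(":")
        value = value.strip()
        if not sep or not (value.startswith("{") and value.endswith("}")):
            raise ValueError(f"malformed rule field: {part!r}")
        fields[key.strip()] = int(value[1:-1])
    if "func" not in fields:
        raise ValueError("rule item must carry a func field")
    return fields


def parse_modbus_tcp(frame):
    """Decode the MBAP header and the fixed start of the PDU.

    Addresses are the 0-based PDU values; the rule item is assumed to use
    the same numbering. Returns func plus first and last address touched."""
    if len(frame) < 12:
        raise ValueError("frame shorter than MBAP header + 5-byte PDU")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    func, start, third = struct.unpack(">BHH", frame[7:12])
    # For single-item writes (5, 6) the third field is the value, not a count.
    count = 1 if func in (5, 6) else third
    if count < 1:
        raise ValueError("quantity must be at least 1")
    return {"unit": unit, "func": func, "startaddr": start, "endaddr": start + count - 1}


def template_of(func):
    """Map a function code to the patent's readable / writable / key templates."""
    if func in READ_FUNCS:
        return "read"
    if func in WRITE_FUNCS:
        return "write"
    if func in KEY_FUNCS:
        return "key"
    return "unknown"


def rule_hits(rule_item, request):
    """A rule hits when the function code matches and the address ranges overlap."""
    rule = parse_rule_item(rule_item)
    if request["func"] != rule["func"]:
        return False
    lo = rule.get("startaddr", 0)
    hi = rule.get("endaddr", 0xFFFF)
    return request["startaddr"] <= hi and request["endaddr"] >= lo


def template_action(request, blocked=("write", "key")):
    """Step 105's template rule: block write and key operations, release reads."""
    return "block" if template_of(request["func"]) in blocked else "release"


# Constructed sample frames (unit id 1): read coils 1..3, write single coil 2,
# write one holding register at address 10.
FRAME_READ_COILS = bytes.fromhex("0001 0000 0006 01 01 0001 0003")
FRAME_WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0002 ff00")
FRAME_WRITE_REGS = bytes.fromhex("0003 0000 0009 01 10 000a 0001 02 1234")
RULE_READ_COILS_1_3 = "func:{1}|endaddr:{3}|startaddr:{1}"

if __name__ == "__main__":
    for frame in (FRAME_READ_COILS, FRAME_WRITE_COIL, FRAME_WRITE_REGS):
        req = parse_modbus_tcp(frame)
        print(req, template_of(req["func"]),
              rule_hits(RULE_READ_COILS_1_3, req), template_action(req))
```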
Step 103: define weight values for the key characteristic attributes and characteristic values of the security events, calculate the total weight value of each security event, and establish a hazard level model from the weight values.
After the characteristic attributes and characteristic values of the security events are confirmed, a weight value is defined for each characteristic value. For the risk level, high is 5 points, medium 3 points and low 1 point; for the event type, IP-MAC binding is 5 points, vulnerability (library) 3 points and whitelist 1 point; for the action type, block is 3 points, discard 2 points and alert 1 point. The hazard level model is then established from the sum of the weight values: a total weight score above 10 points is defined as high, above 5 and up to 10 points as medium, and 5 points or below as low. Theoretically the highest score is 13 and the lowest is 4.
For example, security event A has event type vulnerability, risk level high and action block; security event B has event type whitelist, risk level medium and action alert. Computing the total score from the weight values, security event A scores 13 points and is high-hazard data; security event B scores 7 points and is medium-hazard data.
Step 104: group the security events by source IP, merge them, perform statistical analysis according to the hazard level model, and generate a statistical analysis result.
In practical application, for network attacks, a source IP is generally identified as the attack source through packet analysis, so the recommendation rule is generated for that source IP. After the hazard level model is established, the events are grouped by source IP and statistically analyzed. The statistical analysis calculates the weight value of each security event according to the defined hazard level model and computes the proportion of events at the high, medium and low hazard levels.
In the embodiment of the invention, the hazard level of every security event with source IP 192.168.1.10 is calculated across all security events: 10 security events are high-hazard, 10 are medium-hazard and 10 are low-hazard. The statistical analysis result is therefore one third at each of the high, medium and low hazard levels.
Step 105: generate an industrial protocol recommendation rule from the statistical analysis result.
In the embodiment of the invention, rule recommendation is performed according to the statistical analysis result. Rule recommendation first requires setting a corresponding threshold, such as a hazard level threshold; a recommendation rule is generated when the proportion of a hazard level exceeds the threshold. The recommendation strategy comprises a source IP, a destination IP, a protocol, a rule and an action.
Optionally, the generated rules differ by hazard level. For example, for a high hazard level the generated rule is: source IP 192.168.1.100, destination IP any, protocol any, rule any, action block; for IP 192.168.1.100 such a rule blocks all actions of source IP 192.168.1.100.
Optionally, rule recommendation for a hazard level can use rule templates, the templates comprising a readable template, a writable template and a key operation template. For example, for IP 192.168.1.100 the recommended rule is: source IP 192.168.1.100, destination IP any, protocol Modbus, rule the key operation and writable templates, action block, so that all write operations and key operations from source IP 192.168.1.100 are blocked, only read operations remain, and the security risk to the industrial equipment is reduced.
Optionally, no rule recommendation is made for statistical results at the low hazard level.
Optionally, the statistical results for high and medium hazard may be drilled down for further statistical analysis; for example, among the security events scoring more than 10 points, the number of vulnerability, whitelist and IP-MAC binding events is counted by event type, and the proportions of high, medium and low risk levels are counted. If an IP-MAC binding event is found among the high-hazard events, the IP is considered spoofed and a blocking strategy is recommended according to the source IP in the event. When the number of vulnerability events with a high risk level exceeds a certain value, a blocking policy with the source IP as the group and destination IP any is also generated.
Optionally, after the recommendation policy is generated, the user is allowed to manually modify and manually deploy the rules; automatic rule deployment is also supported.
In conclusion, with the recommendation rules, when an industrial network is protected by security equipment, labor cost is reduced, timeliness is improved, and rules are determined more efficiently.
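The scoring, grouping and recommendation of steps 103 to 105, as an added Python example that is not part of the patent: the weights and hazard thresholds are the ones listed in step 103, while the events, the 0.5 proportion thresholds and the template rule names are constructed sample values and placeholders assumed here.

```python
"""Steps 103-105 of the patent: score security events, group them by source
IP, compute hazard-level proportions and emit a recommendation rule when a
threshold is exceeded. Added example, not the patent's own code."""
from collections import Counter, defaultdict

# Weights exactly as listed in step 103.
RISK_WEIGHT = {"high": 5, "medium": 3, "low": 1}
EVENT_TYPE_WEIGHT = {"ipmac_binding": 5, "vulnerability": 3, "whitelist": 1}
ACTION_WEIGHT = {"block": 3, "discard": 2, "alert": 1}


def score_event(event):
    """Total weight of one event: risk level + event type + action."""
    return (RISK_WEIGHT[event["risk_level"]]
            + EVENT_TYPE_WEIGHT[event["event_type"]]
            + ACTION_WEIGHT[event["action"]])


def hazard_level(score):
    """Hazard level model: >10 high, 5 < score <= 10 medium, <= 5 low."""
    if score > 10:
        return "high"
    if score > 5:
        return "medium"
    return "low"


def analyse_by_source(events):
    """Step 104: per source IP, the share of high/medium/low hazard events and
    the event-type breakdown among the high-hazard events (step 105 drill-down)."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["src_ip"]].append(ev)
    result = {}
    for src, evs in groups.items():
        levels = [hazard_level(score_event(ev)) for ev in evs]
        counts = Counter(levels)
        high_types = Counter(ev["event_type"] for ev, lvl in zip(evs, levels) if lvl == "high")
        result[src] = {
            "total": len(evs),
            "ratio": {lvl: counts[lvl] / len(evs) for lvl in ("high", "medium", "low")},
            "high_event_types": dict(high_types),
        }
    return result


def recommend_rules(stats, high_threshold=0.5, medium_threshold=0.5):
    """Step 105. Thresholds are assumed values (the patent leaves them to
    configuration). High share over threshold, or any IP-MAC binding event
    among the high-hazard events (IP considered spoofed) -> block everything
    from the source. Medium share over threshold -> block the writable and key
    operation templates only. Low-only sources get no recommendation."""
    rules = []
    for src, st in stats.items():
        if st["ratio"]["high"] > high_threshold or st["high_event_types"].get("ipmac_binding"):
            rules.append({"src_ip": src, "dst_ip": "any", "protocol": "any",
                          "rule": "any", "action": "block"})
        elif st["ratio"]["medium"] > medium_threshold:
            rules.append({"src_ip": src, "dst_ip": "any", "protocol": "modbus",
                          "rule": "write_template|key_template", "action": "block"})
    return rules


def ev(src, etype, risk, action):
    return {"src_ip": src, "event_type": etype, "risk_level": risk, "action": action}


# Constructed sample events; the comment gives score -> hazard level.
SAMPLE_EVENTS = [
    ev("192.168.1.100", "vulnerability", "high", "block"),     # 11 -> high
    ev("192.168.1.100", "ipmac_binding", "high", "block"),     # 13 -> high
    ev("192.168.1.100", "whitelist", "high", "alert"),         # 7  -> medium
    ev("192.168.1.20", "vulnerability", "medium", "alert"),    # 7  -> medium
    ev("192.168.1.20", "vulnerability", "medium", "discard"),  # 8  -> medium
    ev("192.168.1.20", "whitelist", "low", "alert"),           # 3  -> low
    ev("192.168.1.30", "whitelist", "low", "alert"),           # 3  -> low
]

if __name__ == "__main__":
    stats = analyse_by_source(SAMPLE_EVENTS)
    for src, st in stats.items():
        print(src, st["ratio"], st["high_event_types"])
    for rule in recommend_rules(stats):
        print(rule)
```

Note that with the weights as listed, event A of step 103 (vulnerability, high, block) totals 11 and event B (whitelist, medium, alert) totals 5, which the code below reproduces; the 13 and 7 quoted in the text do not follow from the listed weights.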
The embodiment provides an industrial protocol rule recommendation device, shown schematically in FIG. 2, which comprises:
an event acquisition module 201, configured to acquire the data of security events generated when a packet in network traffic hits an industrial protocol rule;
a model definition module 202, used to extract the characteristic attributes of the security events, define the weights of the characteristic attribute values, and generate a hazard level model;
a statistical analysis module 203, used to calculate the weight score of each security event according to the defined characteristic attributes and characteristic values and perform statistical analysis according to the score;
and a rule recommendation module 204, used to generate an industrial protocol recommendation strategy according to the statistical analysis result.

Claims (10)

1. An industrial protocol rule recommendation method, characterized by comprising the following steps:
S1, configuring industrial protocol rules and a processing mode, determining the log data generated when a rule is hit to be security events according to the processing mode, and storing the security events in a database;
S2, extracting the key characteristic attributes and characteristic values of the security events;
S3, defining weight values for the key characteristic attributes and characteristic values of the security events, calculating the total weight value of each security event, and establishing a hazard level model from the weight values;
S4, grouping the security events by source IP, merging them, performing statistical analysis against the hazard level model, and generating a statistical analysis result;
and S5, generating an industrial protocol recommendation rule from the statistical analysis result.
2. The method according to claim 1, wherein the key characteristic attributes of the security event include a source IP, a destination IP, a risk level, an event type, a processing mode, an industrial protocol and a rule item.
3. The method according to claim 1, wherein the industrial protocols include Modbus, S7, IEC104, OPCDA, OPCUA, CIP, MMS, DNP3 and FINS, and the processing modes include release, alert, block and discard.
4. The industrial protocol rule recommendation method according to claim 1, wherein the hazard level model is: a security event with a weight score greater than 10 points is defined as high-hazard, one with a weight score greater than 5 and less than or equal to 10 points as medium-hazard, and one with a weight score of 5 points or less as low-hazard.
5. The industrial protocol rule recommendation method according to claim 1, wherein the statistical analysis groups the security events by source IP, merges and statistically analyzes them in combination with the hazard level model, and finally generates a statistical analysis result.
6. The industrial protocol rule recommendation method according to claim 1, wherein step S5 specifically comprises: performing drill-down analysis on the result of the hazard statistical analysis, counting the proportions of event types, risk levels and processing modes among the security events, and generating a recommendation strategy by setting thresholds.
7. The industrial protocol rule recommendation method according to claim 6, wherein the thresholds comprise a processing mode threshold, an event type statistics threshold and a risk level threshold, and when a statistical result exceeds its threshold an industrial protocol recommendation strategy is generated.
8. The method according to claim 1, wherein the industrial protocol recommendation strategy comprises a source IP, a destination IP, a protocol, a rule item and an action, the rule item following the characteristics defined in the industrial protocol specification.
9. The method according to claim 8, wherein the characteristics of the industrial protocol are classified by operation type into read operations, write operations and key operations; the set of characteristics defining read operations is the read operation template, the set defining write operations is the write operation template, and the set defining key operations is the key operation template.
10. An industrial protocol rule recommendation device, comprising:
an event acquisition module for acquiring the data of security events generated when a packet in network traffic hits an industrial protocol rule;
a model definition module for extracting the characteristic attributes of the security events, defining weights for the values of the characteristic attributes, and generating a hazard level model;
a statistical analysis module for calculating the weight score of each security event according to the defined characteristic attributes and characteristic values and performing statistical analysis according to the score;
and a strategy recommendation module for generating an industrial protocol recommendation strategy according to the statistical analysis result.

Priority Applications (1)

Application number CN202211703595.8A, publication CN115964564A (en), priority date 2022-12-29, filing date 2022-12-29, title: Industrial protocol rule recommendation method and device


Publications (1)

CN115964564A (en), published 2023-04-14

Family

ID=87358310

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination