CN116170236A - Industrial control system abnormal flow detection method and system - Google Patents
- Publication number
- CN116170236A (application number CN202310445049.7A)
- Authority
- CN
- China
- Prior art keywords
- industrial control
- abnormal
- flow data
- data
- control system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1425—Traffic logging, e.g. anomaly detection
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/02—Capturing of monitoring data
          - H04L43/028—Capturing of monitoring data by filtering
        - H04L43/04—Processing captured monitoring data, e.g. for logfile generation
          - H04L43/045—Processing captured monitoring data, e.g. for logfile generation for graphical visualisation of monitoring data
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    - Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
      - Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
        - Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Mining & Analysis (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method and a system for detecting abnormal traffic in an industrial control system. The method comprises the following steps: collecting system traffic data of the industrial control system based on DPDK technology and XDP technology, the system traffic data comprising external-network traffic data and internal-network traffic data; parsing the system traffic data based on DPI technology to determine system abnormal behavior, and storing the system abnormal behavior information; and visually outputting the system abnormal behavior information. The method and system for detecting abnormal traffic in an industrial control system provided by the invention adopt an efficient Elasticsearch architecture and a DPDK/XDP acquisition platform, can centrally collect, store and analyze internal-network traffic, achieve rapid identification of abnormal behavior in the industrial control system, and meet performance and efficiency requirements.
Description
Technical Field
The invention relates to the field of industrial control system equipment monitoring, and in particular to a method and system for detecting abnormal traffic in an industrial control system.
Background
With today's rapid pace of technological development, system architectures are becoming ever more complex and attack techniques are continually evolving; in particular, against the information-security background of advanced persistent threats, it is impossible to block every attack through protective measures alone. Against the broader background of the industrial Internet, the boundary of the industrial control system is blurred, and security protection requirements cannot be met simply by relying on security isolation equipment such as industrial control firewalls, industrial control network gatekeepers and industrial control gateways.
Moreover, security threats to industrial control systems have grown rapidly in recent years, especially the risk of blended threats such as hacker intrusion, worm viruses and trojan backdoors. Traffic in the industrial control network is a critical vantage point for analyzing and handling security problems. At present there is little research on abnormal behavior in industrial control system traffic; historical data of industrial control systems is mostly used for related network simulation and research, and the protocols in industrial control systems are numerous and complex, so traffic identification and analysis in industrial control systems are a major difficulty. Collecting, identifying and analyzing industrial control traffic, and discovering security problems from that traffic, are therefore important.
The performance and efficiency of existing industrial control traffic identification and analysis technologies struggle to meet requirements: abnormal behavior cannot be identified quickly, and security events cannot be discovered. Therefore, an efficient method and system for detecting abnormal industrial control traffic are needed to quickly discover malicious threats and attack behaviors in the industrial control environment and ensure the safe and stable operation of the industrial control system.
Disclosure of Invention
The present invention aims to solve, at least to some extent, one of the technical problems in the above-described technology. Therefore, a first aspect of the present invention provides a method for detecting abnormal traffic in an industrial control system, including:
collecting system traffic data of the industrial control system based on DPDK technology and XDP technology, the system traffic data comprising external-network traffic data and internal-network traffic data;
parsing the system traffic data based on DPI technology to determine system abnormal behavior, and storing the system abnormal behavior information;
and visually outputting the system abnormal behavior information.
Preferably, traffic data is collected from the kernel and/or physical network card of each device in the industrial control system based on DPDK technology and XDP technology, and the system traffic data is obtained through RSS aggregation.
Preferably, determining the system abnormal behavior by parsing the system traffic data with DPI technology comprises the following steps: based on the network protocols and/or industrial production control protocols corresponding to the industrial control system, parsing the external-network traffic data and the internal-network traffic data respectively with DPI technology to determine the traffic behavior information corresponding to the industrial control system;
identifying the traffic behavior information based on preset security detection rules, and determining the system abnormal behaviors of the industrial control system;
wherein the system abnormal behaviors comprise malicious file attacks, tunnel attacks and remote control, and the security detection rules comprise malicious file attack detection rules, tunnel attack detection rules and remote control detection rules.
Preferably, before parsing the external-network traffic data and the internal-network traffic data, the method further includes performing data filtering on the external-network traffic data and the internal-network traffic data.
Preferably, while parsing the external-network traffic data and the internal-network traffic data, the method further includes structuring and storing the external-network traffic data and the internal-network traffic data respectively, based on the network protocols and/or industrial production control protocols corresponding to the industrial control system.
Preferably, determining the system abnormal behavior by parsing the system traffic data with DPI technology further comprises the following steps:
parsing the intranet traffic data with DPI technology based on the industrial production control protocols of the industrial control system, and determining the industrial control behavior information in the industrial control system, wherein the industrial control behavior information includes effective instruction information, intranet traffic data content and equipment load information;
and matching the industrial control behavior information against an industrial control system behavior baseline, and determining the abnormal industrial control behaviors in the industrial control system.
Preferably, after determining the abnormal industrial control behaviors in the industrial control system, the method further comprises raising an alarm for the abnormal industrial control behaviors, and generating an industrial control behavior protocol log and an abnormal industrial control behavior alarm log from the industrial control behavior information and the abnormal industrial control behaviors.
Preferably, the system abnormal behavior information is stored in a distributed manner based on the Elasticsearch distributed analysis engine.
Preferably, visually outputting the system abnormal behavior information includes computing statistics on the system traffic data and/or the change trend of the system abnormal behavior, and visually outputting the system traffic data and/or the change trend of the system abnormal behavior.
A second aspect of the present invention provides an abnormal traffic detection system for an industrial control system, comprising:
a traffic acquisition module, used to collect system traffic data of the industrial control system based on DPDK technology and XDP technology;
a data processing module, used to parse the system traffic data based on DPI technology to determine the system abnormal behavior and to store the system abnormal behavior information;
and a visual output module, used to visually output the system abnormal behavior information.
Compared with the prior art, the invention has the following beneficial effects: the method and system for detecting abnormal traffic in an industrial control system provided by the invention adopt an efficient Elasticsearch architecture and a DPDK/XDP acquisition platform to centrally collect, store and analyze internal-network traffic, achieve rapid identification of abnormal behavior in the industrial control system, and meet performance and efficiency requirements.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention. In the drawings:
FIG. 1 is a schematic diagram of a method for detecting abnormal flow in an industrial control system;
FIG. 2 is a schematic diagram of an industrial control system abnormal flow detection system.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
The invention provides a method and system for detecting abnormal traffic in an industrial control system that adopt an efficient architecture and an advanced analysis scheme, can rapidly complete the collection, identification and analysis of traffic, and meet the requirements of performance, efficiency and rapid identification of abnormal behavior.
FIG. 1 is a schematic diagram of the industrial control system abnormal traffic detection method according to the present invention, which includes:
collecting system traffic data of the industrial control system based on DPDK technology and XDP technology, the system traffic data comprising external-network traffic data and internal-network traffic data;
parsing the system traffic data based on DPI technology to determine system abnormal behavior, and storing the system abnormal behavior information;
and visually outputting the system abnormal behavior information.
According to some embodiments of the present invention, traffic collection includes a collection interface for port-mirrored data; network traffic is collected through the Data Plane Development Kit (DPDK) and the kernel's eXpress Data Path (XDP), and the collected layer 2 to layer 7 conventional network traffic and industrial control network traffic are identified and analyzed in combination with deep packet inspection (DPI). Conventional packet inspection only analyzes the content of an IP packet at layer 4 and below, namely the source address, destination address, source port, destination port and protocol type; DPI adds application-layer analysis on top of this to identify the various application protocols and analyze their content in depth. Conventional Internet protocols such as HTTP, FTP, SMTP, POP, IMAP and SMB can be parsed using DPI. Based on the deep analysis of DPI, threat detection, illegal-operation detection and illegal external-connection detection are carried out on the protocol data. At the same time, the deeply parsed data, threat alarm data and violation alarm data are structured and stored, and then analyzed and further processed by the data analysis system.
In other embodiments of the present invention, the acquisition system is deployed at the core switch of the production unit; the network packets in the industrial Ethernet are replicated by port mirroring, and the collection of massive real-time traffic is implemented with DPDK/XDP technology, so as to obtain all traffic information of the production area, including extranet traffic and intranet traffic.
According to some embodiments of the invention, the data analysis system adopts an Elasticsearch high-performance clustered component design to achieve efficient data storage and retrieval; on that basis, filtering, statistics and queries over the raw packet, protocol, session and flow information are carried out, and statistics-based abnormal behavior analysis is realized. Elasticsearch is a distributed, high-performance, highly available and scalable search and analysis system that supports efficient data search and analysis; it can serve as the search engine in scenarios such as e-commerce websites, portal websites and enterprise IT systems, and can also perform near real-time (second-level) analysis on large volumes of data. Elasticsearch is used to store, index and aggregate the traffic data, providing the underlying data platform for further security analysis.
In other embodiments of the present invention, all of the collected raw packets, protocols, sessions and flow information are filtered, counted and queried, and then identified and deeply parsed using DPI according to conventional network application protocols (including HTTP, POP3, IMAP, DNS, TLS, FTP, SMB, NTP, TFTP, RLP, etc.) and industrial control protocols (including Modbus TCP, S7comm, DNP3, OPC UA, IEC 104, ENIP/CIP, OMRON, MMS, GE-SRTP, PROFINET, etc.). Threat behavior in the system network is detected in real time by comparing and matching against security detection rules (covering vulnerability exploitation, malicious file attacks, tunnel attacks, remote control, etc.). At the same time, industrial control abnormal behavior is analyzed: the various packets of each industrial control protocol are captured and deeply parsed in a rapid and targeted manner, the effective instructions, data content and load information of the packets are extracted, these are matched against the industrial control behavior baseline, a protocol log and an alarm log are generated, and an alarm is raised promptly for abnormal traffic behavior.
According to some embodiments of the present invention, visually outputting the system abnormal behavior information includes computing statistics on the system traffic data and/or the change trend of the system abnormal behavior and outputting them visually. Because the method of this embodiment adopts Elasticsearch and DPDK/XDP technology, in addition to the functions above, the method for detecting abnormal traffic in an industrial control system provided by the invention can also perform multidimensional conditional query and analysis over data such as system traffic data, system behavior information and system abnormal behavior information.
In other embodiments of the present invention, the protocol logs and alarm logs generated by traffic analysis are stored in an Elasticsearch data warehouse for subsequent log and event queries, including but not limited to the time, source IP, destination IP, source port, destination port, application and critical operation behavior recorded in the industrial control system logs. On the basis of this analysis and storage, the method provides efficient data retrieval and rapid backtracking analysis over massive data: data from any time period can be classified, viewed and retrieved at any time, and the raw session-log data can be provided across different dimensions and different time intervals.
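The two paragraphs above describe the stored protocol/alarm log (time, source IP, destination IP, ports, application) and the two operations run on top of it: change-trend statistics and multidimensional queries by time window and dimension. The block below is an added example, not code from the patent or from Suricata or Elasticsearch: it implements those two operations in plain Python over a handful of constructed records in Suricata EVE JSON shape (the field names `timestamp`, `event_type`, `src_ip`, `dest_ip`, `dest_port`, `app_proto` and `alert.signature` follow the EVE format; the addresses, times and `DEMO` signature names are made up). In a real deployment these queries would be Elasticsearch aggregations; the logic is the same.

```python
"""
Added example (not from the patent): per-minute change-trend statistics and
multidimensional queries over Suricata-style EVE JSON protocol/alert records.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample records in EVE JSON shape. Field names follow Suricata's
# EVE format; IPs, timestamps and "DEMO ..." signature names are invented.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-04-24T10:01:05.000000+0000","event_type":"alert","src_ip":"10.0.1.20","src_port":50211,"dest_ip":"10.0.2.5","dest_port":502,"proto":"TCP","app_proto":"modbus","alert":{"signature":"DEMO Modbus write outside baseline","severity":2}}',
    '{"timestamp":"2023-04-24T10:01:40.000000+0000","event_type":"modbus","src_ip":"10.0.1.10","src_port":41000,"dest_ip":"10.0.2.5","dest_port":502,"proto":"TCP","app_proto":"modbus"}',
    '{"timestamp":"2023-04-24T10:02:10.000000+0000","event_type":"alert","src_ip":"10.0.1.20","src_port":50212,"dest_ip":"10.0.2.6","dest_port":20000,"proto":"TCP","app_proto":"dnp3","alert":{"signature":"DEMO DNP3 restart operation","severity":1}}',
    '{"timestamp":"2023-04-24T10:02:33.000000+0000","event_type":"alert","src_ip":"10.0.1.30","src_port":40001,"dest_ip":"10.0.2.5","dest_port":502,"proto":"TCP","app_proto":"modbus","alert":{"signature":"DEMO Modbus unknown function code","severity":2}}',
    '{"timestamp":"2023-04-24T10:03:02.000000+0000","event_type":"modbus","src_ip":"10.0.1.10","src_port":41001,"dest_ip":"10.0.2.5","dest_port":502,"proto":"TCP","app_proto":"modbus"}',
    '{"timestamp":"2023-04-24T10:03:15.000000+0000","event_type":"alert","src_ip":"10.0.1.20","src_port":50300,"dest_ip":"192.0.2.77","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"signature":"DEMO suspicious outbound tunnel","severity":1}}',
]

EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"   # e.g. 2023-04-24T10:01:05.000000+0000


def at(iso_minute: str) -> datetime:
    """Build an aware UTC datetime from 'YYYY-MM-DDTHH:MM:SS' for query bounds."""
    return datetime.strptime(iso_minute + "+0000", "%Y-%m-%dT%H:%M:%S%z")


def parse_eve(lines: List[str]) -> List[dict]:
    """Parse EVE JSON lines into records with a parsed '_ts' field.

    Torn, truncated or non-object lines are skipped rather than aborting the
    batch, which matters when tailing a file that is still being written.
    """
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or "timestamp" not in rec:
            continue
        rec["_ts"] = datetime.strptime(rec["timestamp"], EVE_TS_FORMAT)
        records.append(rec)
    return records


def trend_per_minute(records: List[dict], event_type: str = "alert") -> Dict[str, int]:
    """Count events of one type per minute bucket: the 'change trend' view."""
    buckets: Dict[str, int] = defaultdict(int)
    for rec in records:
        if rec.get("event_type") == event_type:
            buckets[rec["_ts"].strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(sorted(buckets.items()))


def top_by(records: List[dict], field: str, event_type: str = "alert") -> List[tuple]:
    """Rank one dimension (src_ip, dest_ip, app_proto, ...) by event count."""
    return Counter(r.get(field) for r in records if r.get("event_type") == event_type).most_common()


def query(records: List[dict], start: Optional[datetime] = None,
          end: Optional[datetime] = None, **filters) -> List[dict]:
    """Multidimensional conditional query: time window [start, end) plus equality filters."""
    hits = []
    for rec in records:
        if start is not None and rec["_ts"] < start:
            continue
        if end is not None and rec["_ts"] >= end:
            continue
        if all(rec.get(key) == value for key, value in filters.items()):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE_LINES)
    print("alerts per minute:", trend_per_minute(recs))
    print("top sources:", top_by(recs, "src_ip"))
    for hit in query(recs, at("2023-04-24T10:02:00"), at("2023-04-24T10:03:00"), src_ip="10.0.1.20"):
        print(hit["timestamp"], hit["alert"]["signature"])
```

The query window is half-open so that adjacent windows partition the log without double counting, and the parser drops malformed lines individually because a single torn line at the end of a live EVE file should not stall the pipeline.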
FIG. 2 is a schematic diagram of the abnormal traffic detection system for an industrial control system according to the present invention, which includes:
a traffic acquisition module, used to collect system traffic data of the industrial control system based on DPDK technology and XDP technology;
a data processing module, used to parse the system traffic data based on DPI technology to determine the system abnormal behavior and to store the system abnormal behavior information;
and a visual output module, used to visually output the system abnormal behavior information.
According to some embodiments of the invention, the workflow of the industrial control system abnormal traffic detection system comprises:
1. Traffic collection: traffic is collected from the kernel or the physical network card using technologies such as DPDK/XDP; on the hardware side, a general-purpose network card receives the optical/electrical signals, captures and buffers the network traffic, and distributes it across multiple queues by receive-side scaling (RSS).
2. Traffic analysis: the Suricata network security monitoring engine performs deep protocol parsing and abnormal behavior analysis on the collected raw packets to obtain high-level events, namely industrial control protocol logs and alarm logs; Vector (a high-performance observability data pipeline) serves as the extract-transform-load (ETL) tool, converting the high-level events that Suricata (an open-source network threat detection engine) derives from the network traffic data and sending them to the Elasticsearch system (an open-source distributed full-text retrieval engine) for storage.
3. Storage and retrieval: the Elasticsearch system stores and retrieves the high-level events, and MySQL (an open-source cross-platform database management system) stores the configuration parameters.
4. Query function: event query and analysis; system parameter configuration; and an interface for the visualization layer.
5. Visualization: front-end page visualization.
The working principle and beneficial effects of the technical scheme are as follows:
1. The method and system for detecting abnormal traffic in an industrial control system provided by the invention use a high-performance acquisition component to collect, analyze and monitor the IP traffic of the whole network, can perceive the network behavior of all network hosts and online industrial equipment, and, through the built-in analysis engine, automatically detect and raise alarms for suspicious network traffic and behavior.
2. The method and system support the conventional network application protocols in the traffic, including common protocols such as HTTP, POP3, IMAP, DNS, TLS, FTP, SMB, NTP, TFTP and RLP, for identification and deep parsing; the structured application-protocol session logs are written to storage to support network traffic auditing.
3. The method and system support the industrial production control protocols in the traffic, identifying and deeply parsing a wide range of industrial control protocols including Modbus TCP, S7comm, DNP3, OPC UA, IEC 104, ENIP/CIP, OMRON, MMS, GE-SRTP and PROFINET; the structured protocol session data logs are written to storage, and industrial control traffic auditing is supported through the built-in visual display.
4. The method and system support auditing of critical operations in industrial protocols, including configuration changes, downloads, uploads and firmware upgrades. The supported protocols include S7, Modbus, CIP, DNP, OMRON, OPC UA, MMS, GE-SRTP, PROFINET and EtherNet/IP, and the time, source IP, destination IP, source port, destination port, application and critical operation behavior generated by each industrial control critical operation are recorded. According to the established industrial protocol abnormal behavior detection rules, abnormal behavior detection is carried out on the deeply parsed industrial protocol data, including detection of abnormal behaviors such as abnormal operation codes, client DoS, client response timeouts, restart operations and abnormal operation values.
5. The method and system detect known threats through a large set of security detection rules, including rules for vulnerability exploitation, malicious file attacks, tunnel attacks, remote control and the like.
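The deep-parsing and baseline-matching step described in the embodiments above (extract the effective instruction, data content and load from each industrial protocol packet, match against a behavior baseline, produce a protocol log and an alarm log) and item 4 of this list (abnormal operation codes, abnormal operation values) are shown concretely in the following added example. It is not code from the patent or from any of the tools it names: it decodes Modbus/TCP request frames with Python's standard library, checks each request against a hand-written per-device allow-list baseline, and records an alarm when the function code, register window or written value falls outside it. The baseline, the sample frames and the reason strings are constructed for the demo; a production baseline would be learned from observed normal traffic.

```python
"""
Added example (not from the patent): Modbus/TCP request parsing plus
behavior-baseline matching, producing a protocol log and an alarm log.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil",
                  6: "Write Single Register", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    unit_id: int
    function_code: int      # the "effective instruction"
    start_addr: int
    quantity: int
    value: Optional[int]    # first written value for write functions, else None


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the MBAP header and request PDU of one Modbus/TCP frame."""
    if len(payload) < 8:
        raise ValueError("frame too short")
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(payload) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("length field mismatch")
    pdu = payload[7:]
    fc = pdu[0]
    if fc in (1, 2, 3, 4):                  # reads: start address, quantity
        addr, qty = struct.unpack(">HH", pdu[1:5])
        value = None
    elif fc in (5, 6):                      # single writes: address, value
        addr, value = struct.unpack(">HH", pdu[1:5])
        qty = 1
    elif fc == 16:                          # multi-register write: address, quantity, byte count, data
        addr, qty, _bytecount = struct.unpack(">HHB", pdu[1:6])
        value = struct.unpack(">H", pdu[6:8])[0]
    else:                                   # unknown opcode: keep it so the baseline check can flag it
        addr, qty, value = 0, 0, None
    return ModbusRequest(unit_id, fc, addr, qty, value)


# Baseline: per (unit id, function code), the permitted register window and,
# for writes, the permitted value window. Constructed by hand for this demo.
Baseline = Dict[Tuple[int, int], Tuple[Tuple[int, int], Optional[Tuple[int, int]]]]
DEMO_BASELINE: Baseline = {
    (1, 3): ((0, 99), None),        # HMI polls holding registers 0-99
    (1, 6): ((40, 49), (0, 1000)),  # setpoint writes to registers 40-49, values 0-1000
}


def check_against_baseline(req: ModbusRequest, baseline: Baseline) -> List[str]:
    """Return the list of baseline violations for one request (empty = normal)."""
    entry = baseline.get((req.unit_id, req.function_code))
    if entry is None:                       # abnormal operation code for this device
        return ["function code not in baseline for this unit"]
    (lo, hi), value_window = entry
    reasons = []
    if req.start_addr < lo or req.start_addr + req.quantity - 1 > hi:
        reasons.append("register range outside baseline")
    if value_window is not None and req.value is not None:
        vlo, vhi = value_window
        if not vlo <= req.value <= vhi:     # abnormal operation value
            reasons.append("operation value outside baseline")
    return reasons


def analyze(frames: List[Tuple[str, str, bytes]], baseline: Baseline):
    """Build the protocol log (every parsed request) and the alarm log (violations)."""
    protocol_log, alarm_log = [], []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except (ValueError, struct.error, IndexError) as exc:
            alarm_log.append({"src": src, "dst": dst, "reasons": [f"malformed Modbus/TCP frame: {exc}"]})
            continue
        entry = {"src": src, "dst": dst, "unit": req.unit_id, "fc": req.function_code,
                 "fc_name": FUNCTION_NAMES.get(req.function_code, "unknown"),
                 "addr": req.start_addr, "qty": req.quantity, "value": req.value}
        protocol_log.append(entry)
        reasons = check_against_baseline(req, baseline)
        if reasons:
            alarm_log.append({**entry, "reasons": reasons})
    return protocol_log, alarm_log


# Constructed sample frames: (source IP, destination IP, raw Modbus/TCP payload).
SAMPLE_FRAMES = [
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),   # read regs 0-9: normal
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0002 0000 0006 01 06 002d 01f4")),   # write reg 45 = 500: normal
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("0003 0000 0006 01 06 002d 1388")),   # write reg 45 = 5000: value anomaly
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("0004 0000 000b 01 10 0000 0002 04 0001 0002")),  # FC16: opcode anomaly
    ("10.0.1.30", "10.0.2.5", bytes.fromhex("0005 0000 0006 01 03 00c8 0005")),   # read regs 200-204: range anomaly
    ("10.0.1.30", "10.0.2.5", bytes.fromhex("0006 0000 0006 01 03")),             # truncated frame
]


def run_demo():
    return analyze(SAMPLE_FRAMES, DEMO_BASELINE)


if __name__ == "__main__":
    proto, alarms = run_demo()
    print(f"{len(proto)} protocol log entries, {len(alarms)} alarms")
    for alarm in alarms:
        print(alarm["src"], "->", alarm["dst"], alarm["reasons"])
```

Two design points carry over to a real deployment: a frame that fails to parse is itself an alarm rather than silently dropped, because malformed or truncated industrial traffic is exactly what a fuzzing or evasion attempt looks like on the wire; and the baseline is keyed by device as well as function code, so a write that is routine for one PLC is still flagged when aimed at another.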
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
Claims (10)
1. An abnormal flow detection method for an industrial control system is characterized by comprising the following steps:
collecting system flow data of an industrial control system based on a dpdk technology and a xdp technology; the system flow data comprises external network flow data and internal network flow data;
analyzing the system flow data based on DPI technology to determine system abnormal behavior and storing system abnormal behavior information;
and visually outputting the abnormal behavior information of the system.
2. The method of claim 1, wherein traffic data is collected from cores and/or physical network cards of individual devices in the industrial control system based on dpdk technology and xdp technology and the system traffic data is obtained by RSS aggregation.
3. The method of claim 1, wherein determining system anomaly behavior based on parsing the system traffic data using DPI techniques comprises:
based on a network protocol and/or an industrial production control protocol corresponding to the industrial control system, respectively analyzing the external network flow data and the internal network flow data by using a DPI technology to determine flow behavior information corresponding to the industrial control system;
identifying the flow behavior information based on a preset safety detection rule, and determining system abnormal behaviors of the industrial control system;
wherein, the abnormal behavior of the system comprises: malicious file attack, tunnel attack and remote control; the safety detection rule comprises: malicious file attack detection rules, tunnel attack detection rules and remote control detection rules.
4. The method of claim 3, further comprising, prior to parsing the extranet traffic data and the intranet traffic data: and carrying out data filtering processing on the external network flow data and the internal network flow data.
5. The method of claim 4, wherein when parsing the extranet traffic data and the intranet traffic data, further comprising: and respectively carrying out structural processing and storage on the external network flow data and the internal network flow data based on a network protocol and/or an industrial production control protocol corresponding to the industrial control system.
6. The method of claim 1, wherein parsing the system traffic data based on DPI technology to determine system abnormal behavior further comprises:
analyzing the intranet flow data with DPI technology according to the industrial production control protocol of the industrial control system, and determining industrial control behavior information in the industrial control system, wherein the industrial control behavior information includes effective instruction information, intranet flow data content and equipment load information; and
matching the industrial control behavior information against an industrial control system behavior baseline, and determining abnormal industrial control behaviors in the industrial control system.
7. The method of claim 6, further comprising, after determining abnormal industrial control behavior in the industrial control system: raising an alarm for the abnormal industrial control behaviors, and generating an industrial control behavior protocol log and an abnormal industrial control behavior alarm log from the industrial control behavior information and the abnormal industrial control behaviors.
8. The method of claim 1, wherein the system abnormal behavior information is stored in a distributed manner based on an Elasticsearch distributed analysis engine.
9. The method of any of claims 1-8, wherein visually outputting the system abnormal behavior information comprises: collecting statistics on the system flow data and/or the change trend of the system abnormal behavior, and visually outputting the system flow data and/or the change trend of the system abnormal behavior.
10. An industrial control system abnormal flow detection system, comprising:
a flow acquisition module, configured to acquire system flow data of the industrial control system based on DPDK technology and XDP technology;
a data processing module, configured to parse the system flow data based on DPI technology to determine system abnormal behavior, and to store the system abnormal behavior information; and
a visual output module, configured to visually output the system abnormal behavior information.
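Claims 6 and 7 describe the DPI step: parse the industrial protocol into effective instruction information, match it against a behaviour baseline, and write a protocol log plus an alarm log for deviations. The Python below is an added example, not the patent's code; it assumes Modbus/TCP as the industrial control protocol (the claims name none), and the hosts, baseline and frames are constructed.

```python
# Added example, not the patent's code: a minimal DPI step for Modbus/TCP
# (assumed here as the industrial control protocol) feeding a baseline check.
import struct
from dataclasses import dataclass
MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id
WRITE_FUNCS = {5, 6, 15, 16}    # Modbus write function codes
@dataclass(frozen=True)
class Instruction:            # the "effective instruction information" of claim 6
    src: str                  # source host of the request
    unit: int                 # Modbus unit identifier
    func: int                 # function code
    addr: int                 # starting register/coil address

def parse_modbus(src: str, payload: bytes) -> "Instruction | None":
    """Extract the effective instruction; refuse frames that are not well-formed."""
    if len(payload) < MBAP.size + 3:
        return None
    _tid, proto, length, unit = MBAP.unpack_from(payload)
    if proto != 0 or length != len(payload) - 6:
        return None
    addr = struct.unpack_from(">H", payload, 8)[0]
    return Instruction(src, unit, payload[7], addr)
# Constructed behaviour baseline: which host may send which function codes to which unit.
BASELINE = {
    ("10.0.0.5", 1): {3, 4, 6},   # HMI: reads plus single-register write
    ("10.0.0.9", 1): {3, 4},      # historian: read-only
}

def check_baseline(ins: Instruction, baseline=BASELINE) -> dict:
    # One protocol-log entry per instruction; 'abnormal' marks what also goes to the alarm log.
    allowed = baseline.get((ins.src, ins.unit))
    if allowed is None:
        reason = "unknown source/unit pair"
    elif ins.func not in allowed:
        reason = "function code outside baseline"
    else:
        reason = None
    return {"src": ins.src, "unit": ins.unit, "func": ins.func, "addr": ins.addr,
            "write": ins.func in WRITE_FUNCS, "abnormal": reason is not None, "reason": reason}
# Constructed sample frames: MBAP (tid, proto 0, len 6, unit 1) + func, addr, qty/value.
FRAMES = [
    ("10.0.0.5", bytes.fromhex("0001000000060103000A0002")),  # read holding regs: in baseline
    ("10.0.0.9", bytes.fromhex("0002000000060106000A0001")),  # historian writes: abnormal
    ("10.0.0.7", bytes.fromhex("0003000000060103000A0001")),  # unknown host: abnormal
]

def run(frames=FRAMES) -> list:
    parsed = (parse_modbus(src, raw) for src, raw in frames)
    return [check_baseline(ins) for ins in parsed if ins is not None]
```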
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310445049.7A CN116170236A (en) | 2023-04-24 | 2023-04-24 | Industrial control system abnormal flow detection method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116170236A true CN116170236A (en) | 2023-05-26 |
Family
ID=86422273
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310445049.7A Pending CN116170236A (en) | 2023-04-24 | 2023-04-24 | Industrial control system abnormal flow detection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116170236A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109474607A (en) * | 2018-12-06 | 2019-03-15 | 连云港杰瑞深软科技有限公司 | A kind of industrial control network safeguard protection monitoring system |
CN111490976A (en) * | 2020-03-24 | 2020-08-04 | 浙江中烟工业有限责任公司 | Dynamic baseline management and monitoring method for industrial control network |
CN112306019A (en) * | 2020-10-28 | 2021-02-02 | 北京珞安科技有限责任公司 | Industrial control safety audit system based on protocol deep analysis and application thereof |
- 2023-04-24 CN CN202310445049.7A patent/CN116170236A/en active Pending
Similar Documents
Publication | Title |
---|---|
CN108040074B (en) | Real-time network abnormal behavior detection system and method based on big data |
CN103428196B (en) | A kind of WEB application intrusion detection method based on URL white list |
Pilli et al. | Network forensic frameworks: Survey and research challenges |
CN108111487B (en) | Safety monitoring method and system |
US20030084328A1 (en) | Method and computer-readable medium for integrating a decode engine with an intrusion detection system |
US20030084326A1 (en) | Method, node and computer readable medium for identifying data in a network exploit |
CN110958231A (en) | Industrial control safety event monitoring platform and method based on Internet |
CN110035062A (en) | A kind of network inspection method and apparatus |
CN116800536A (en) | Network security monitoring system based on big data analysis |
CN115134250B (en) | Network attack tracing evidence obtaining method |
CN109922048A (en) | One kind serially dispersing concealed threat Network Intrusion detection method and system |
Qureshi et al. | Network Forensics: A Comprehensive Review of Tools and Techniques |
US20030084330A1 (en) | Node, method and computer readable medium for optimizing performance of signature rule matching in a network |
CN112688932A (en) | Honeypot generation method, honeypot generation device, honeypot generation equipment and computer readable storage medium |
Chhabra et al. | Distributed network forensics framework: A systematic review |
CN114125083B (en) | Industrial network distributed data acquisition method and device, electronic equipment and medium |
CN116257021A (en) | Intelligent network security situation monitoring and early warning platform for industrial control system |
Dressler et al. | Flow-based worm detection using correlated honeypot logs |
CN116170236A (en) | Industrial control system abnormal flow detection method and system |
CN112910842B (en) | Network attack event evidence obtaining method and device based on flow reduction |
Anantharaman et al. | A communications validity detector for SCADA networks |
Vassilev et al. | Network security analytics on the cloud: Public vs. private case |
Polozhentsev et al. | Novel Cyber Incident Management System for 5G-based Critical Infrastructures |
Yu et al. | Mining anomaly communication patterns for industrial control systems |
Cheng et al. | Implementing IDS management on lock-keeper |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20230526 |