CN116319106A - Process-level micro-isolation method and system for industrial control security - Google Patents
- Publication number: CN116319106A (application CN202310578463.5A)
- Authority: CN (China)
- Prior art keywords
- isolation
- micro
- control center
- message
- network
- Legal status: Granted (the listed status is an assumption, not a legal conclusion)
Classifications
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/0227 Filtering policies; H04L63/02 Network security, separating internal from external traffic, e.g. firewalls)
- H04L63/0245: Filtering by information in the payload (under H04L63/0227 Filtering policies)
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14 Detecting or protecting against malicious traffic)
- Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)
Abstract
The invention relates to the technical field of industrial control network security and discloses a process-level micro-isolation method and system for industrial control security. The method comprises the following steps: a terminal deployed on a machine captures message information and sends all messages, together with the information of the process that sent each message, to a control center; the control center judges, based on its analysis of a message, whether that message is an attack message, and when it is, treats the sending process as a bad process, detects the attack message, raises an alarm, and analyzes and processes the related information; the control center then sends a micro-isolation strategy to the terminal, and the terminal micro-isolates the bad process. Applying process-level micro-isolation to industrial control network security brings the isolation granularity down to the process level: only the offending process is isolated, and it can be recovered at any time, so normal production is maintained while malicious programs remain under management and control, which improves the security of the industrial control network.
Description
Technical Field
The invention relates to the technical field of industrial control network security, and in particular to a process-level micro-isolation method and system for industrial control security.
Background
Micro-isolation is widely used in traditional network security and is a fundamental technology of zero-trust architectures in particular. Conventional micro-isolation has three implementations: SDN/info-based, hypervisor-based and host-based. In all of them the smallest managed unit is a machine, which may be a physical machine, a virtual machine, etc.
An industrial control network has its own particularities. Taking a DCS (Digital Control System) unit as an example, one unit contains nodes such as the DCS controller, the operator station, the engineer station, the history station, the externally connected link station, the reporting interface station and the monitoring terminal. Each node is an indispensable part of the whole system, and the loss of any one of them can bring the whole DCS unit down and cause a production accident. Conventional micro-isolation takes the machine as its management entity: isolating means isolating the whole machine, so the production software running on it is isolated along with it, which can itself cause a production accident. Conventional micro-isolation therefore cannot be adapted to the industrial control network. Moreover, any security product can misjudge, so a recovery means must be kept in reserve: if a bad process is simply killed, then restarting it loses all of its intermediate state, possibly with immeasurable consequences. The concept of micro-isolation therefore needs to be redefined so that it meets the security requirements of the industrial control network and improves its security.
Disclosure of Invention
The invention mainly provides a process-level micro-isolation method and system for industrial control security that meet the security requirements of the industrial control network. Since a traditional micro-isolation method can misjudge, a recovery means must be kept in reserve: if a bad process is killed directly and then restarted, all of its intermediate state is lost, possibly with immeasurable consequences, and the security of the industrial control network is not ensured.
In order to solve the technical problems, the invention adopts the following technical scheme:
In a first aspect, a method for process-level micro-isolation in industrial control security comprises:
S100: a terminal deployed on the machine captures message information and, based on it, sends all messages together with the information of the process that sent each message to a control center;
S200: the control center inspects the received message information and judges, from the detection result, whether a specific message is an attack message; when it is, the process that sent it is treated as a bad process, and the control center detects the attack message, raises an alarm, and analyzes and processes the related information;
S300: based on the result of the control center's analysis and processing, the control center sends a micro-isolation strategy to the terminal, and the terminal micro-isolates the bad process.
Further, the control center sending the micro-isolation policy to the terminal based on its analysis and processing result, and the terminal micro-isolating the bad process, comprises:
in a Linux system, blocking the network connectivity of the process through a namespace;
in a Windows system, blocking the network connectivity of the process through a purpose-built set of network drivers.
Further, in a Linux system, blocking the network connectivity of the process through a namespace comprises:
creating a new namespace;
calling the interface to add the target process to the new namespace.
Further, in a Windows system, blocking the network connectivity of the process through a set of network drivers comprises:
developing an NDIS network driver;
intercepting all outgoing network messages, and sending all messages together with the information of the sending process to the control center;
determining, according to the control strategy, whether to micro-isolate the process that sent the attack message.
Further, when a non-critical bad process needs to be micro-isolated, the NDIS network driver intercepts all outgoing requests of that process;
when the control center makes a wrong decision and a normal process is micro-isolated by mistake, the user removes the micro-isolation of that process through the console of the control center.
In a second aspect, a system for process-level micro-isolation in industrial control security comprises:
a message information acquisition module, by which a terminal deployed on the machine captures message information and, based on it, sends all messages together with the information of the process that sent each message to the control center;
a message information analysis and processing module, by which the control center inspects the received message information and judges, from the detection result, whether a specific message is an attack message; when it is, the process that sent it is treated as a bad process, and the control center detects the attack message, raises an alarm, and analyzes and processes the related information;
a process micro-isolation module, by which the control center sends a micro-isolation strategy to the terminal based on its analysis and processing result, and the terminal micro-isolates the bad process.
Further, the process micro-isolation module comprises:
a Linux system isolation submodule, by which the Linux system blocks the network connectivity of the process through a namespace;
a Windows system isolation submodule, by which the Windows system blocks the network connectivity of the process through a purpose-built set of network drivers.
Further, the Linux system isolation submodule comprises:
a namespace creation unit for creating a new namespace;
an interface calling unit for calling the interface to add the target process to the new namespace.
Further, the Windows system isolation submodule comprises:
a network driver setting unit for developing an NDIS network driver; intercepting all outgoing network messages and sending all messages together with the information of the sending process to the control center; and determining, according to the control strategy, whether to micro-isolate the process that sent the attack message.
Further, the network driver setting unit comprises:
a network driver interception subunit, configured so that when a non-critical bad process needs to be micro-isolated, the NDIS network driver intercepts all outgoing requests of that process;
a micro-isolation removal subunit, by which the user removes the micro-isolation of a normal process through the console of the control center when the control center has made a wrong decision and the process was micro-isolated by mistake.
Beneficial effects: by applying process-level micro-isolation to industrial control network security, the method further refines the isolation granularity and controls the isolation precision at the process level, which improves the security of the industrial control network. Because the isolation is at the process level, the process can be recovered at any time and its intermediate state is fully preserved, so production safety is not affected, normal production is ensured, and malicious programs can still be managed and controlled.
Drawings
FIG. 1 is a schematic flow chart of a method for process-level micro-isolation in industrial control security application;
FIG. 2 is a schematic diagram of a system module of a process level micro-isolation in industrial control security application;
FIG. 3 is a schematic diagram of a system distribution of process level micro-isolation in industrial control security applications.
Detailed Description
The technical scheme of the process-level micro-isolation method and system for industrial control security is described in further detail below with reference to the embodiments.
As shown in FIG. 1 and FIG. 3, a method for process-level micro-isolation in industrial control security comprises:
S100: a terminal deployed on the machine captures message information and, based on it, sends all messages together with the information of the process that sent each message to a control center.
Specifically, when the message information is obtained and a message is an attack message, the attack message is intercepted or discarded. The machine may be a physical machine, a virtual machine, or even a Docker container.
S200: the control center inspects the received message information and judges, from the detection result, whether a specific message is an attack message; when it is, the process that sent it is treated as a bad process, and the control center detects the attack message, raises an alarm, and analyzes and processes the related information.
Attack messages can be detected with rules, scripts, behavior analysis or AI/ML.
Taking rules as an example, Snort and Suricata detection rules can be supported, for instance: alert tcp $HOME_NET any -> any any (msg:"Command Shell Access"; content:"C:\Users\Administrator\Desktop\hs2.3b"; sid:1000004; rev:1;)
The alarm may be a pop-up window or a log record on the monitoring terminal; if the monitoring terminal has a speaker, an audible alarm can also be given.
The related information is analyzed and processed, and the result yields a management and control strategy. When the process that sent an attack message belongs to key industrial software and cannot be isolated, the decision is made in combination with the site conditions: whether to micro-isolate the process that sent the attack message, and how to treat the message itself, i.e. whether to discard or release it.
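The control-center side of S200 and S300, as an added example that is not part of the patent: a small parser for the Snort-style rule syntax the text mentions, the attack-message judgment, the alarm record, and the resulting strategy, including the exemption for key industrial software (the message is discarded but the process is kept) and the console action that lifts a mistaken isolation. The Message fields, the rule text, the HOME_NET address, the critical-process name and the sample traffic are all constructed for this example; only plain-text content matching is implemented, not the full Snort/Suricata grammar.

```python
"""Control-center logic of S200/S300: rule-based detection, alarm, and the
process-level micro-isolation strategy. Added example, not the patent's code;
all sample values below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    """One outgoing packet as reported by the terminal, plus its sending process."""
    pid: int
    process: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes
    sid: int


@dataclass(frozen=True)
class Decision:
    message_action: str     # "release" or "discard" (what the terminal does with the packet)
    isolate_process: bool   # True -> terminal micro-isolates the sending process
    alarm: Optional[str]


_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (opt:val; ...)'; subset of Snort syntax."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, proto, src, sport, dst, dport, body = m.groups()
    opts: Dict[str, str] = {}
    for opt in body.split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return Rule(action, proto.lower(), src, sport, dst, dport,
                opts.get("msg", ""), opts["content"].encode(), int(opts["sid"]))


def _addr_ok(spec: str, addr: str, home_net: set) -> bool:
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in home_net
    if spec == "!$HOME_NET":
        return addr not in home_net
    return spec == addr


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: Rule, msg: Message, home_net: set) -> bool:
    return (rule.proto in ("ip", msg.proto)
            and _addr_ok(rule.src, msg.src, home_net) and _port_ok(rule.sport, msg.sport)
            and _addr_ok(rule.dst, msg.dst, home_net) and _port_ok(rule.dport, msg.dport)
            and rule.content in msg.payload)


class ControlCenter:
    def __init__(self, rules, home_net, critical_processes) -> None:
        self.rules = [parse_rule(r) for r in rules]
        self.home_net = set(home_net)
        self.critical = set(critical_processes)  # key industrial software: never isolated
        self.isolated: Dict[int, str] = {}       # pid -> name; the strategy pushed to terminals
        self.alarm_log: List[str] = []

    def inspect(self, msg: Message) -> Decision:
        hit = next((r for r in self.rules if matches(r, msg, self.home_net)), None)
        if hit is None:
            return Decision("release", False, None)
        alarm = f"sid:{hit.sid} {hit.msg}: pid={msg.pid} ({msg.process}) -> {msg.dst}:{msg.dport}"
        self.alarm_log.append(alarm)
        if msg.process in self.critical:
            # Critical process: drop the attack message but keep the process running.
            return Decision("discard", False, alarm)
        self.isolated[msg.pid] = msg.process
        return Decision("discard", True, alarm)

    def lift_isolation(self, pid: int) -> bool:
        """Console action for a misjudgement; False if pid was not isolated."""
        return self.isolated.pop(pid, None) is not None


# Constructed sample data (not from the patent).
RULES = ['alert tcp $HOME_NET any -> any any (msg:"Command Shell Access"; content:"cmd.exe /c"; sid:1000004; rev:1;)']
HOME_NET = {"10.0.0.5"}
CRITICAL = {"opc_server.exe"}


def demo() -> Tuple[List[Decision], ControlCenter]:
    cc = ControlCenter(RULES, HOME_NET, CRITICAL)
    traffic = [
        Message(4120, "updater.exe", "tcp", "10.0.0.5", 51000, "203.0.113.9", 8081, b"cmd.exe /c whoami\r\n"),
        Message(812, "opc_server.exe", "tcp", "10.0.0.5", 4840, "10.0.0.7", 4840, b"...cmd.exe /c dir..."),
        Message(4120, "updater.exe", "tcp", "10.0.0.5", 51001, "10.0.0.20", 443, b"GET /update HTTP/1.1\r\n"),
    ]
    return [cc.inspect(m) for m in traffic], cc
```

In `demo()` the first message gets its sender isolated, the second is dropped without isolating the critical `opc_server.exe`, and the third is released; `lift_isolation` is the recovery path the text requires for a misjudged process.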
S300: based on the result of the control center's analysis and processing, the control center sends a micro-isolation strategy to the terminal, and the terminal micro-isolates the bad process.
Specifically, the Linux process-level micro-isolation method is for the Linux system to block the network connectivity of the process through a namespace:
first, a new namespace is created;
then the interface is called to add the target process to the newly created namespace.
Because a newly created namespace has no network capability by default, with no veth configured, a process inside it has no ability to communicate.
Specifically, on Linux the terminal intercepts all outgoing network messages with BPF at NetFilter, sends all messages together with the information of the sending process to the control center, receives the control strategy returned by the control center, and arbitrates each message accordingly: discard or release it. According to the control strategy it is decided whether to micro-isolate the process that sent the attack message. When a non-critical bad process needs to be micro-isolated, the isolation module creates a new namespace and adds the process to it through the setns API; because the new namespace has no veth and no network connection, a process added to it can no longer send any request.
The method for removing isolation on Linux is to move the process back to the default namespace. For industrial control enterprises the most important thing is to ensure production safety: even a well-designed system cannot be guaranteed to be free of misjudgments, and given the particularities of industrial control, a fallback means of removing isolation must be provided. If an administrator finds that a process required by production has been misjudged and micro-isolated, the micro-isolation can be removed through the control center and production restored.
In another embodiment, the Windows process-level micro-isolation method is as follows: the Windows system blocks the network connectivity of the process through a purpose-built set of network drivers.
All steps must be carried out automatically and are implemented through an API; the Windows API interface relied on is NetFwMgr.
Specifically, the way the Windows system works through the built-in system firewall comprises the following steps.
The Windows system blocks the network connectivity of the process through a set of network drivers, which comprises:
developing an NDIS network driver;
intercepting all outgoing network messages, and sending all messages together with the information of the sending process to the control center;
determining, according to the control strategy, whether to micro-isolate the process that sent the attack message.
Deciding, according to the control strategy, whether to micro-isolate the process that sent the attack message comprises:
when a non-critical bad process needs to be micro-isolated, the NDIS network driver intercepts all outgoing requests of that process;
when the control center makes a wrong decision and a normal process is micro-isolated by mistake, the user can remove the micro-isolation of that process through the console of the control center.
Specifically, a network driver is designed to intercept and filter all outgoing connection requests, and all outgoing connection requests of a specific target program are blocked.
The corresponding release method is to stop blocking the outgoing connection requests, including those of the specific target program: if an administrator finds that a process required by production has been misjudged and micro-isolated, the micro-isolation is removed through the control center and production restored.
Applying process-level micro-isolation to industrial control network security further refines the isolation granularity and controls the isolation precision at the process level, which improves the security of the industrial control network. Compared with killing malicious processes outright, the method has a particularly important advantage: because misjudgment is possible, a recovery means is kept in reserve. If a process is killed directly, restarting it loses all intermediate state, potentially leading to immeasurable consequences; if the process is only isolated, it can be recovered at any time with its intermediate state fully preserved, so production safety is not affected.
Referring to FIG. 2, a system for process-level micro-isolation in industrial control security comprises:
a message information acquisition module 01, by which a terminal deployed on the machine captures message information and, based on it, sends all messages together with the information of the process that sent each message to the control center;
a message information analysis and processing module 02, by which the control center inspects the received message information and judges, from the detection result, whether a specific message is an attack message; when it is, the process that sent it is treated as a bad process, and the control center detects the attack message, raises an alarm, and analyzes and processes the related information;
a process micro-isolation module 03, by which the control center sends a micro-isolation policy to the terminal based on its analysis and processing result, and the terminal micro-isolates the bad process.
In another embodiment, a Linux system isolation submodule 04 is used by the Linux system to block the network connectivity of the process through a namespace.
Specifically, the Linux system isolation submodule 04 comprises a namespace creation unit 06, configured to create a new namespace;
and an interface calling unit 07, configured to call the interface to add the target process to the newly created namespace.
Because a newly created namespace has no network capability by default, with no veth configured, a process inside it has no ability to communicate.
Specifically, on Linux the terminal intercepts all outgoing network messages with BPF at NetFilter, sends all messages together with the information of the sending process to the control center, receives the control strategy returned by the control center, and arbitrates each message accordingly: discard or release it. According to the control strategy it is decided whether to micro-isolate the process that sent the attack message. When a non-critical bad process needs to be micro-isolated, the isolation module creates a new namespace and adds the process to it through the setns API; because the new namespace has no veth and no network connection, a process added to it can no longer send any request.
The method for removing isolation on Linux is to move the process back to the default namespace. For industrial control enterprises the most important thing is to ensure production safety: even a well-designed system cannot be guaranteed to be free of misjudgments, and given the particularities of industrial control, a fallback means of removing isolation must be provided. If an administrator finds that a process required by production has been misjudged and micro-isolated, the micro-isolation can be removed through the control center and production restored.
In another embodiment, a Windows system isolation submodule 05 is used by the Windows system to block the network connectivity of the process through a purpose-built set of network drivers.
A network driver setting unit 08 is used for developing an NDIS network driver; intercepting all outgoing network messages and sending all messages together with the information of the sending process to the control center; and determining, according to the control strategy, whether to micro-isolate the process that sent the attack message.
For industrial control enterprises the most important thing is to ensure production safety. Even a well-designed system cannot be guaranteed to be free of misjudgments, and given the particularities of industrial control, a fallback means of removing isolation must be provided. If an administrator finds that a process required by production has been misjudged and micro-isolated, the micro-isolation can be removed through the control center and production restored.
The network driver setting unit 08 comprises:
a network driver interception subunit 09: when a non-critical bad process needs to be micro-isolated, the NDIS network driver intercepts all outgoing requests of that process;
a micro-isolation removal subunit 10: when the control center has made a wrong decision and a normal process was micro-isolated by mistake, the micro-isolation of that process is removed through the console of the control center.
The outgoing connection requests of the specific target program are then no longer blocked: if an administrator finds that a process required by production has been misjudged and micro-isolated, the micro-isolation can be removed through the control center to restore production.
Applying process-level micro-isolation to industrial control network security further refines the isolation granularity and controls the isolation precision at the process level, which improves the security of the industrial control network. Compared with killing malicious processes outright, the method has a particularly important advantage: because misjudgment is possible, a recovery means is kept in reserve. If a process is killed directly, restarting it loses all intermediate state, potentially leading to immeasurable consequences; if the process is only isolated, it can be recovered at any time with its intermediate state fully preserved, so production safety is not affected.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the functions described above. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
Each of the foregoing embodiments emphasizes different points; for any part not described or illustrated in a particular embodiment, reference is made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
In the embodiments provided in the present disclosure, it should be understood that the disclosed apparatus/computer device and method may be implemented in other manners. For example, the apparatus/computer device embodiments described above are merely illustrative, e.g., the division of modules or elements is merely a logical functional division, and there may be additional divisions of actual implementations, multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or as software functional units. The integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present disclosure may implement all or part of the flow of the method of the above-described embodiments by a computer program that instructs related hardware; the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program may comprise computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer readable medium may include any entity or device capable of carrying computer program code: a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content of the computer readable medium may be appropriately increased or decreased according to the legislation and patent practice of the jurisdiction; for example, in some jurisdictions the computer readable medium does not include electrical carrier signals and telecommunication signals.
The above embodiments are merely for illustrating the technical solution of the present disclosure, and are not limiting thereof; although the present disclosure has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the disclosure, and are intended to be included in the scope of the present disclosure.
Claims (10)
1. A method for process-level micro-isolation in industrial control security, comprising:
S100: a terminal arranged in the machine acquires message information and, based on the acquired message information, sends all messages together with the process information of the process that sent each message to a control center;
S200: the control center detects the acquired message information and judges, based on the detection result, whether a certain specific message is an attack message; when the specific message is judged to be an attack message, the control center regards the process that sent the specific message as a bad process, alarms on the detected attack message, and analyzes and processes the related information;
S300: based on the analysis and processing result of the control center, the control center sends a micro-isolation policy to the terminal, and the terminal performs micro-isolation on the bad process.
2. The method for process-level micro-isolation in industrial control security according to claim 1, wherein step S300, in which the control center sends a micro-isolation policy to the terminal based on its analysis and processing result and the terminal performs micro-isolation on the bad process, comprises:
a Linux system blocking the network connectivity of the process through a namespace;
a Windows system blocking the network connectivity of the process through a purpose-developed set of network drivers.
3. The method for process-level micro-isolation in industrial control security according to claim 2, wherein the Linux system blocking the network connectivity of the process through a namespace comprises:
creating a new namespace;
calling an interface to add the target process to the new namespace.
4. The method for process-level micro-isolation in industrial control security according to claim 2, wherein the Windows system blocking the network connectivity of the process through a purpose-developed set of network drivers comprises:
developing an NDIS network driver;
intercepting all outgoing network messages and sending all the messages, together with the process information of the process that sent them, to the control center;
and determining, according to the control policy, whether to micro-isolate the process that sent the attack message.
5. The method for process-level micro-isolation in industrial control security according to claim 4, comprising:
when a non-critical bad process needs to be micro-isolated, the NDIS network driver intercepts all outgoing requests of that process;
when the control center makes a decision error and misjudges, so that a normal process is wrongly micro-isolated, a user removes the micro-isolation of that process through a console of the control center.
6. A system for process-level micro-isolation in industrial control security, comprising:
a message information acquisition module, used by a terminal arranged in the machine to acquire message information and, based on the acquired message information, to send all messages together with the process information of the process that sent each message to a control center;
a message information analysis and processing module, used by the control center to detect the acquired message information and to judge, based on the detection result, whether a certain specific message is an attack message; when the specific message is judged to be an attack message, the control center regards the process that sent the specific message as a bad process, alarms on the detected attack message, and analyzes and processes the related information;
a process micro-isolation module, used to send a micro-isolation policy to the terminal based on the analysis and processing result of the control center, whereupon the terminal performs micro-isolation on the bad process.
7. The system for process-level micro-isolation in industrial control security according to claim 6, wherein the process micro-isolation module comprises:
a Linux system isolation sub-module, used by a Linux system to block the network connectivity of a process through a namespace;
and a Windows system isolation sub-module, used by a Windows system to block the network connectivity of a process through a purpose-developed set of network drivers.
8. The system for process-level micro-isolation in industrial control security according to claim 7, wherein the Linux system isolation sub-module comprises:
a namespace creation unit, used to create a new namespace;
and an interface calling unit, used to call an interface that adds the target process to the new namespace.
9. The system for process-level micro-isolation in industrial control security according to claim 7, wherein the Windows system isolation sub-module comprises:
a network driver setting unit, used to develop an NDIS network driver; to intercept all outgoing network messages and send all the messages, together with the process information of the process that sent them, to the control center; and to determine, according to the control policy, whether to micro-isolate the process that sent the attack message.
10. The system for process-level micro-isolation in industrial control security according to claim 9, wherein the network driver setting unit comprises:
a network driver interception sub-unit, configured so that, when a non-critical bad process needs to be micro-isolated, the NDIS network driver intercepts all outgoing requests of that process;
and a micro-isolation removal sub-unit, used by a user, through a console of the control center, to remove the micro-isolation of a normal process when the control center has made a decision error and misjudged, causing that process to be wrongly micro-isolated.
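As an added illustration of the Linux path in claims 3 and 8 (example code, not the patent's own), the following C program does what a terminal agent would do to cut a process off the network: it moves the process into a new, empty network namespace and then verifies that an outbound route lookup fails. The destination address and port are constructed test values, and the probe reports separately when the kernel refuses the namespace for lack of CAP_SYS_ADMIN. Note the practical caveat a Linux implementation must live with: a process can only change its own namespace, so the "add the target process" step has to run inside the target, for instance at process launch.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <sched.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000 /* kernel value, in case <sched.h> hid it */
#endif
int unshare(int flags); /* glibc prototype, only exposed under _GNU_SOURCE */

/* Outcome of the isolation probe, carried in the child's exit status. */
enum isolate_result {
    ISOLATED = 0,          /* fresh netns: the outbound route lookup fails */
    NETNS_UNAVAILABLE = 1, /* unshare(CLONE_NEWNET) refused: needs CAP_SYS_ADMIN */
    ISOLATE_FAILED = 2     /* namespace created but the network is still reachable */
};

/* Body of the isolated process: move itself into a new, empty network
 * namespace, then try to route to a constructed test address. A fresh
 * namespace has only a down loopback and no routes, so connect() must
 * fail with ENETUNREACH. */
static int isolated_child(void)
{
    if (unshare(CLONE_NEWNET) != 0) return NETNS_UNAVAILABLE;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return ISOLATE_FAILED;
    /* Constructed destination: TEST-NET-1 address, Modbus/TCP port 502. */
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(502) };
    inet_pton(AF_INET, "192.0.2.1", &dst.sin_addr);
    /* UDP connect() only does the route lookup; no packet leaves the host. */
    int rc = connect(fd, (struct sockaddr *)&dst, sizeof dst);
    int err = errno;
    close(fd);
    return (rc != 0 && err == ENETUNREACH) ? ISOLATED : ISOLATE_FAILED;
}

/* Terminal-side entry point. The probe runs in a child because a process can
 * only change its own namespace (unshare/setns), never another process's, so
 * an agent must apply the policy from inside the target, e.g. at launch. */
int isolate_and_probe(void)
{
    pid_t pid = fork();
    if (pid < 0) return ISOLATE_FAILED;
    if (pid == 0) _exit(isolated_child());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return ISOLATE_FAILED;
    return WEXITSTATUS(status);
}
```

Run as root (or with CAP_SYS_ADMIN) the probe returns ISOLATED; as an unprivileged user it returns NETNS_UNAVAILABLE, which is exactly the privilege an agent implementing this claim must hold.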
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310578463.5A CN116319106B (en) | 2023-05-22 | 2023-05-22 | Process-level micro-isolation method and system for industrial control security |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116319106A true CN116319106A (en) | 2023-06-23 |
CN116319106B CN116319106B (en) | 2023-08-08 |
Family
ID=86832734
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310578463.5A Active CN116319106B (en) | 2023-05-22 | 2023-05-22 | Process-level micro-isolation method and system for industrial control security |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116319106B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104539594A (en) * | 2014-12-17 | 2015-04-22 | 南京晓庄学院 | SDN (software defined network) framework, system and working method combining DDoS (distributed denial of service) threat filtering and routing optimization |
CN106341397A (en) * | 2016-08-25 | 2017-01-18 | 柏盟(北京)科技发展有限公司 | Industrial safety isolation GAP |
US20200089204A1 (en) * | 2017-05-31 | 2020-03-19 | Siemens Aktiengesellschaft | Industrial control system and network security monitoring method therefor |
WO2022011578A1 (en) * | 2020-07-15 | 2022-01-20 | Nokia Shanghai Bell Co., Ltd. | Method and apparatus for isolation support in network slicing |
CN115514519A (en) * | 2022-08-11 | 2022-12-23 | 云南电网有限责任公司 | Active defense method based on transverse micro-isolation and plug-in |
CN115987644A (en) * | 2022-12-26 | 2023-04-18 | 中国电力科学研究院有限公司 | Intelligent power distribution internet of things safety authentication system |
Non-Patent Citations (1)
Title |
---|
Zhao Bo et al.: "Research and implementation of a process isolation method for virtualized environments", Journal of Huazhong University of Science and Technology (Natural Science Edition), vol. 42, no. 11, pages 74-79 * |
Also Published As
Publication number | Publication date |
---|---|
CN116319106B (en) | 2023-08-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||