CN116781315A - Attack detection method based on EGD protocol - Google Patents

Attack detection method based on EGD protocol

Info

Publication number
CN116781315A
Authority
CN
China
Prior art keywords
data packet
flow
protocol
egd
strategy
Legal status
Pending
Application number
CN202310046009.5A
Other languages
Chinese (zh)
Inventor
李建北
Current Assignee
Hangzhou Zhongdian Anke Modern Technology Co ltd
Original Assignee
Hangzhou Zhongdian Anke Modern Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses an attack detection method based on the EGD protocol and belongs to the technical field of network information security. The method comprises the following steps: deploying a vehicle-mounted firewall provided with the EGD protocol, receiving data packets carrying the EGD protocol through a network monitoring module of the vehicle-mounted firewall, identifying the data packets that carry EGD protocol characteristics with a protocol identification module, and sending the identified data packets into a flow detection plug-in; the deployment management platform uses the flow detection plug-in to perform detection and sets a flow detection strategy to audit the traffic related to the data packets; the flow detection plug-in buffers the data in the data packet payload and parses the characteristic fields of the data packets; and a self-learning traffic detection module is deployed. The method introduces three steps, feature recognition of the data packet, flow feature detection and self-learning detection, and uses the scheduling algorithm of the self-learning flow detection module to discover attack behaviour based on legal commands, so that network attacks can be blocked in time by a blocking strategy.

Description

Attack detection method based on EGD protocol
Technical Field
The invention belongs to the technical field of network information security, and particularly relates to an attack detection method based on an EGD protocol.
Background
In industrial control, PLC communication has traditionally used RS232/RS485 serial communication, which is difficult to meet the requirements of applications with larger data volumes, longer communication distances and higher real-time demands. Ethernet communication has developed rapidly and become widely popular; its advantages of high speed and interconnection are unmatched, so it has become the de facto standard for high-speed communication in the industrial control field worldwide and the development trend of future communication. With these advantages of Ethernet, a fully decentralized, fully open industrial control system can be constructed.
EGD stands for Ethernet Global Data. The EGD protocol is an efficient, simple and high-speed data communication protocol for inter-device communication, based on the UDP/IP protocol. With EGD communication no change on the user side is needed; only the parameters of the broadcasting side (Producer) and the receiving side (Consumer) are configured. In the EGD communication mode, communication nodes are classified into Producers and Consumers. The Producer broadcasts data to an individual Consumer or a group of Consumers at the period set in the Producer, and the Consumer reads the received data at the period set in the Consumer. EGD is a connectionless data transmission protocol; compared with a TCP/IP-based communication mode it has higher communication efficiency and lower system overhead, and is suitable for high-speed fixed-period communication between devices. For the VersaMax PLC, the communication period can be set in the range of 10 ms to 1 hour. The EGD protocol works over products such as hubs, switches and routers.
To ensure reliability and data security in the information transmission of the train communication network, the EGD protocol is widely applied. However, because of the large volume of communication data on a train and the reliability and determinism required, the real-time performance requirement is high. Message data is generally used for equipment state information and fault alarm information; the data size varies and the real-time requirement is low. Therefore, the relevant scheduling algorithm of the EGD protocol needs to be optimized.
Disclosure of Invention
1. Problems to be solved
Aiming at the problems in the prior art, the invention provides an attack detection method based on the EGD protocol, which introduces three steps, feature recognition of data packets, flow detection and self-learning detection, and uses the dispatching algorithm of a self-learning flow detection module to discover attack behaviour based on legal commands, so that a blocking strategy can block network attacks in time. In particular, in the flow detection plug-in, the Protocol-Aware Flushing (PAF) technique is first used to buffer the data in the data packet payload, preventing an attacker from splitting attack data across a number of independent data packets; then the transmission state field, transmission command field and packet sequence number field in the data packets are parsed; the traffic is then blocked, released or flagged for attention according to the blacklist, whitelist and gray list policies, which realizes feature-based detection of EGD protocol attack traffic; and the transmission state, transmission command and sequence number in the data packets are written into a database as audit events so that the self-learning module of the next stage can use them for detection.
2. Technical proposal
In order to solve the problems, the invention adopts the following technical scheme.
An attack detection method based on EGD protocol includes the following steps:
(1) Characteristic identification of the data packet: deploying a vehicle-mounted firewall provided with the EGD protocol, receiving data packets carrying the EGD protocol through a network monitoring module of the vehicle-mounted firewall, and at the same time using a characteristic identification module to identify the data packets that carry EGD protocol characteristics, wherein the identified data packets are sent into a flow detection plug-in;
(2) Processing flow detection: the deployment management platform detects the data packets identified in step (1) using the flow detection plug-in, and sets a flow detection strategy to act on the traffic related to the data packets; the flow detection plug-in buffers the data in the data packet payload and parses the characteristic fields of the data packets;
(3) Processing of self-learning detection: deploying a self-learning flow detection module, wherein the self-learning flow detection module is used to block EGD protocol attack traffic based on legal instructions, such as repeated command attack traffic.
In the above EGD protocol based attack detection method, the vehicle-mounted firewall in step (1) is set on a hardware platform based on Intel x86_64 or ARM, including but not limited to these hardware platforms; the vehicle-mounted firewall is deployed at a network gateway in an industrial control environment.
In the attack detection method based on the EGD protocol, the network monitoring module in the step (1) is also connected with an EGD protocol identification module, and the EGD protocol identification module is used for identifying the flow of the data packet containing the EGD protocol;
wherein the characteristic fields of a data packet belonging to the EGD protocol include the request response code characteristic in the packet header, the sequence number characteristic of the data packet, and the port characteristic of the data packet for auxiliary identification; the flow identification module judges whether the characteristic fields of the data packet conform to the EGD protocol characteristics and, if so, records the flow of the data packet in the session and passes the flow to the flow detection plug-in unit.
In the attack detection method based on the EGD protocol, the vehicle-mounted firewall in the step (1) is connected with the central processing unit, and the vehicle-mounted firewall is connected with the communication module through the central processing unit;
The communication module is provided with an Ethernet network card, and the Ethernet network card is provided with an Ethernet communication unit, an RS485 communication unit and an RS232 communication unit; the data interface of the central processing unit is connected to the Ethernet communication unit through an RMII interface, and is also connected to the RS485 communication unit and the RS232 communication unit through a USART interface.
In the above attack detection method based on EGD protocol, the management platform in step (2) is set in a server, and the management platform is connected with the access device.
In the above attack detection method based on EGD protocol, the specific operation method of using the flow detection plug-in step (2) to detect the data packet identified in step (1) is as follows:
firstly, the Protocol-Aware Flushing (PAF) technique is used to buffer the data in the data packet payload: a PAF buffer is set according to the normal length of the network protocol command, data packets shorter than the normal length are buffered, and the buffer content is inspected once the buffer is full; then the transmission state field, transmission command field and packet sequence number field of the characteristic fields in the data packet payload or in the PAF buffer are parsed, and the transmission state, transmission command and sequence number of the data packet are written into a database as audit events.
In the attack detection method based on the EGD protocol, the action in the step (2) is a blocking action, a releasing action or a focusing action;
the flow detection strategy in the step (2) comprises a blacklist strategy, a whitelist strategy and a gray list strategy, wherein the blacklist strategy is used for blocking flow according to abnormal rules of event contents of the data packet and generating alarm audit events, the whitelist strategy is used for releasing flow according to normal rules of the event contents of the data packet and generating white list audit events, and the gray list strategy is used for releasing flow according to possible abnormal rules of the event contents of the data packet and generating gray list audit events;
the event content comprises the transmission state of the data packet, a transmission command, a serial number and a request response code.
In the attack detection method based on the EGD protocol, the self-learning detection flow module in the step (3) is arranged in the server, wherein the self-learning flow detection module detects flow according to a transmission state baseline, a repeated attack baseline and a command baseline so as to discover attack behaviors based on legal commands, and further uses a blocking strategy to block network attacks in time;
wherein the transmission state baseline is a frequency threshold value of the transmission state field value in the data packet in a certain period of time;
wherein the repeated attack baseline is a frequency threshold value of repeated occurrence of a normal command in a data packet in a certain period of time;
wherein the command baseline is a frequency threshold at which a particular command in the data packet occurs within a certain period of time.
In the attack detection method based on the EGD protocol, the blocking strategy in the step (3) comprises a blocking time strategy, a blocking command strategy and a blocking direction strategy;
wherein the blocking time strategy continuously blocks the traffic of a specific five-tuple for a given length of time;
wherein the blocking command policy is to block a specific command session in the traffic of a specific five-tuple;
wherein the blocking direction policy is to block request or response sessions in traffic of a specific five-tuple.
In the attack detection method based on the EGD protocol, the dispatching algorithm formula of the self-learning detection flow module in the step (3) is as follows:
the self-learning detection flow module is randomly distributed on a server to run when it is created. Let $T_i$ and $t_{d,i}$ denote the period and the deadline of the $i$-th blocking strategy, and $\mathrm{WCET}_i$ the worst-case execution time of blocking strategy $i$; the kernel scheduler admits the task when the current task set satisfies the condition shown in formula (I):
$$\sum_i \frac{\mathrm{WCET}_i}{\min\{t_{d,i},\,T_i\}} \le M \qquad \text{(I)}$$
where $M$ is the number of system cores. A schedulable set of blocking strategies that does not satisfy the condition can be exhibited; formula (I) is therefore a sufficient but not necessary condition for admission control by the deadline scheduling algorithm.
3. Advantageous effects
Compared with the prior art, the invention has the beneficial effects that:
the method introduces three steps, feature recognition of the data packet, flow detection and self-learning detection, and uses the scheduling algorithm of a self-learning flow detection module to discover attack behaviour based on legal commands, so that a blocking strategy can block network attacks in time. In particular, in the flow detection plug-in, the Protocol-Aware Flushing (PAF) technique is first used to buffer the data in the data packet payload, preventing an attacker from splitting attack data across a number of independent data packets; then the transmission state field, transmission command field and packet sequence number field in the data packets are parsed; the traffic is then blocked, released or flagged for attention according to the blacklist, whitelist and gray list policies, which realizes feature-based detection of EGD protocol attack traffic; and the transmission state, transmission command and sequence number in the data packets are written into a database as audit events so that the self-learning module of the next stage can use them for detection.
Drawings
FIG. 1 is a flow chart of an EGD protocol-based attack detection method of the present invention;
FIG. 2 is a diagram of the request response code feature in the flow detection process of the present invention;
FIG. 3 is a schematic diagram of the sequence number feature in the process of flow detection of the present invention;
FIG. 4 is a diagram of the request response code feature in the flow detection process of the present invention;
FIG. 5 is a schematic diagram of a transmission status field in the flow detection process of the present invention;
FIG. 6 is a schematic diagram of a transmission command field in the flow detection process of the present invention;
FIG. 7 is a diagram of a packet sequence number field in the flow detection process of the present invention;
FIG. 8 is a flowchart of the flow detection process of the present invention.
Detailed Description
The invention is further described below in connection with specific embodiments.
As shown in FIG. 1, the attack detection method based on the EGD protocol in this embodiment mainly detects the traffic of attacks carried out over the EGD protocol in an industrial control or Internet of Things environment. It mainly involves three steps: the protocol identification module identifies EGD protocol traffic; the flow detection plug-in detects attack traffic, blocks the attack and raises an alarm at the same time; and the baseline self-learning module detects attack behaviour based on legal commands, blocks the attack and raises an alarm at the same time.
The common way of handling the ros packet attack source is as follows:
1. when handling a packet-sending problem, do not try to locate the culprit by IP address, because the source IP is generally forged; judging by MAC address is more reliable;
2. during automatic handling, note the possibility of a forged MAC so as to avoid false positives; if the configuration inside VMware ESXi does not allow MAC forgery, this need not be considered;
3. configure a source-address limit in the filter rule of the firewall and judge from the rule's counter whether the packets carry a forged source address; this can be combined with searching for the culprit.
The specific analysis comprises the following steps:
(1) Characteristic identification of the data packet: deploying a vehicle-mounted firewall provided with the EGD protocol, receiving data packets carrying the EGD protocol through a network monitoring module of the vehicle-mounted firewall, and at the same time using a characteristic identification module to identify the data packets that carry EGD protocol characteristics, wherein the identified data packets are sent into a flow detection plug-in; the flow detection plug-in is a dynamic library containing a function that parses data packets, and parsing a data packet means extracting specific fields from a data packet carrying the characteristics, such as the request response code, sequence number, transmission state, source and destination port, source and destination IP and so on.
(2) Processing flow detection: the deployment management platform detects the data packets identified in step (1) using the flow detection plug-in, and sets a flow detection strategy to act on the traffic related to the data packets; the flow detection plug-in buffers the data in the data packet payload and parses the characteristic fields of the data packets;
(3) Processing of self-learning detection: a self-learning flow detection module is deployed, wherein the self-learning flow detection module is used to block EGD protocol attack traffic based on legal commands (such as repeated command attack traffic) and realizes an attack detection function based on self-learned baselines.
In the attack detection method based on the EGD protocol, the vehicle-mounted firewall in step (1) is arranged on a hardware platform based on Intel x86_64 or ARM;
the vehicle-mounted firewall is deployed at a network gateway in an industrial control environment.
In the attack detection method based on the EGD protocol, the network monitoring module in the step (1) is also connected with an EGD protocol identification module, and the EGD protocol identification module is used for identifying the flow of the data packet containing the EGD protocol;
wherein the characteristic fields of a data packet belonging to the EGD protocol include the request response code characteristic in the packet header, the sequence number characteristic of the data packet, and the port characteristic of the data packet for auxiliary identification; the flow identification module judges whether the characteristic fields of the data packet conform to the EGD protocol characteristics and, if so, records the flow of the data packet belonging to the EGD protocol in the session and passes the flow to the flow detection plug-in unit.
In the attack detection method based on the EGD protocol, the vehicle-mounted firewall in step (1) is connected with a central processing unit, and the vehicle-mounted firewall is connected with a communication module through the central processing unit; an identification tool is also provided, the identification tool being the flow identification module in the main firewall process, where the process is an application program running on the device and the flow identification module is the flow identification function within that process.
The communication module is provided with an Ethernet network card, and the Ethernet network card is provided with an Ethernet communication unit, an RS485 communication unit and an RS232 communication unit; the data interface of the central processing unit is connected to the Ethernet communication unit through an RMII interface, and is also connected to the RS485 communication unit and the RS232 communication unit through a USART interface.
In the above attack detection method based on EGD protocol, the management platform in step (2) is set in a server, and the management platform is connected with the access device.
In the above attack detection method based on EGD protocol, the specific operation method of using the flow detection plug-in step (2) to detect the data packet identified in step (1) is as follows:
as shown in FIG. 8, an EGD data packet is received from the protocol identification module and the data in the data packet payload is buffered using the Protocol-Aware Flushing (PAF) technique, which prevents an attacker from splitting attack data across a number of independent data packets: a PAF buffer is set according to the normal length of the network protocol command, data packets shorter than the normal length are buffered, and the buffer content is inspected once the buffer is full, so that the attacker cannot evade feature inspection by splitting payload data into arbitrarily small packets. Then the transmission state field, transmission command field and packet sequence number field of the characteristic fields in the data packet payload or in the PAF buffer are parsed, and the transmission state, transmission command and sequence number are written into the database as audit events. These operations realize feature-based detection of EGD protocol attack traffic and at the same time record the transmission state, transmission command and sequence number of the data packet in the database as audit events, so that the self-learning module of the next stage can use them for detection.
Further, as shown in FIG. 2, the request response code feature refers to the byte encoding in EGD session packets: 0x02, 0x00 denotes a request packet and 0x03, 0x00 denotes a response packet (the boxed part of the screenshot);
as shown in FIG. 3, the sequence number feature is the sequence number encoding in the data packet (here the sequence number equals (0x18 << 8) | 0x00), the boxed part of the screenshot;
as shown in FIG. 4, the port feature refers to the port number in the data packet, the boxed part of the screenshot.
In the above-mentioned attack detection method based on EGD protocol, the action in step (2) is a blocking action, a releasing action or a focusing action.
In addition, as shown in FIG. 5, the transmission status field is located at the 20th byte of the payload (the red box in the screenshot);
as shown in FIG. 6, the transmission command field consists of all bytes of the payload after the first four bytes, up to the end of the packet; these bytes include the transmission state, the transmission data and so on;
as shown in FIG. 7, the packet sequence number field is the 3rd and 4th byte of the payload.
The flow detection strategy in the step (2) comprises a blacklist strategy, a whitelist strategy and a gray list strategy, wherein the blacklist strategy is used for blocking flow according to abnormal rules of event contents of the data packet and generating alarm audit events, the whitelist strategy is used for releasing flow according to normal rules of the event contents of the data packet and generating white list audit events, and the gray list strategy is used for releasing flow according to possible abnormal rules of the event contents of the data packet and generating gray list audit events;
the event content comprises the transmission state of the data packet, a transmission command, a serial number and a request response code.
Specifically, the following are:
The blacklist strategy is a rule file that stores transmission states, transmission commands, sequence numbers and request response codes as abnormal rules. If the transmission state, transmission command, sequence number and request response code parsed from a data packet hit a record in the rule file, the command is judged to be abnormal, so the firewall blocks the traffic session according to the five-tuple of the data packet to protect the internal network and generates an alarm audit event; the event content is the transmission state, transmission command, sequence number, request response code, five-tuple and so on of the data packet, which is written into the database and can be queried in the interface.
The whitelist strategy is also a rule file that stores transmission states, transmission commands, sequence numbers and request response codes, in this case as normal rules. If the transmission state, transmission command, sequence number and request response code parsed from a data packet hit a record in the rule file, the command is a normal command, so the firewall releases the traffic session according to the five-tuple of the data packet and generates a whitelist audit event; the event content is the transmission state, transmission command, sequence number, request response code, five-tuple and so on of the data packet, which is written into the database and can be queried in the interface.
The gray list strategy is also a rule file that stores transmission states, transmission commands, sequence numbers and request response codes, in this case as rules for commands that may be abnormal. If the transmission state, transmission command, sequence number and request response code parsed from a data packet hit a record in the rule file, the command may be abnormal, so the firewall releases the traffic session according to the five-tuple of the data packet and generates a gray list audit event; the event content is the transmission state, transmission command, sequence number, request response code, five-tuple and so on of the data packet, which is written into the database and can be queried in the interface, and the administrator judges whether the event is a malicious command according to the real service traffic in the network.
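As an added illustration, not code from the patent, the following Python sketch puts the plug-in logic described above together: PAF buffering of undersized datagrams per five-tuple, extraction of the request response code, sequence number, transmission state (20th payload byte) and command field, and the blacklist / whitelist / gray list decision that emits hex-string audit events. The position of the request/response code inside the payload, the big-endian byte order of the sequence number, blacklist-first precedence, the handling of unmatched traffic, and the sample flow, rules and payloads are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]   # src_ip, src_port, dst_ip, dst_port, proto

# Field layout taken from the page (payload offsets in the text are 1-indexed).
REQUEST_CODE = b"\x02\x00"    # request response code of a request packet
RESPONSE_CODE = b"\x03\x00"   # request response code of a response packet
RR_SLICE = slice(0, 2)        # ASSUMPTION: the request/response code is payload bytes 0-1
SEQ_SLICE = slice(2, 4)       # "3rd and 4th byte of the payload"
CMD_OFFSET = 4                # transmission command = everything after the first four bytes
STATE_OFFSET = 19             # "20th byte of the payload"
MIN_EGD_LEN = STATE_OFFSET + 1


@dataclass
class EgdFields:
    req_resp: bytes
    seq: int
    state: int
    command: bytes


def parse_egd(payload: bytes) -> Optional[EgdFields]:
    """Protocol identification: return the characteristic fields, or None if not EGD."""
    if len(payload) < MIN_EGD_LEN or payload[RR_SLICE] not in (REQUEST_CODE, RESPONSE_CODE):
        return None
    # ASSUMPTION: big-endian, matching the page's "(0x18 << 8) | 0x00" example.
    seq = int.from_bytes(payload[SEQ_SLICE], "big")
    return EgdFields(payload[RR_SLICE], seq, payload[STATE_OFFSET], payload[CMD_OFFSET:])


class PafBuffer:
    """Protocol-Aware Flushing: datagrams shorter than the normal command length are
    accumulated per five-tuple and released for inspection only once the buffer is full."""

    def __init__(self, normal_len: int) -> None:
        self.normal_len = normal_len
        self._buf: Dict[FiveTuple, bytearray] = {}

    def feed(self, flow: FiveTuple, data: bytes) -> Optional[bytes]:
        if flow not in self._buf and len(data) >= self.normal_len:
            return data                        # full-size packet: inspect directly
        buf = self._buf.setdefault(flow, bytearray())
        buf.extend(data)
        if len(buf) < self.normal_len:
            return None                        # fragment: keep waiting
        return bytes(self._buf.pop(flow))      # buffer full: flush to detection


# A rule record holds any subset of the four event-content fields; a missing key is a wildcard.
Rule = Dict[str, object]


def rule_hits(rule: Rule, fields: EgdFields) -> bool:
    return all(getattr(fields, key) == value for key, value in rule.items())


@dataclass
class Verdict:
    action: str                # block / release / focus
    event: str                 # alarm / whitelist / graylist / audit
    content: Dict[str, str]    # audit event content, hex strings as written to the database


def detect(flow: FiveTuple, f: EgdFields, blacklist: List[Rule],
           whitelist: List[Rule], graylist: List[Rule]) -> Verdict:
    content = {"state": f"{f.state:02x}", "command": f.command.hex(),
               "seq": f"{f.seq:04x}", "req_resp": f.req_resp.hex(), "five_tuple": str(flow)}
    # ASSUMPTION: the page gives no precedence between the lists; the blacklist wins here.
    if any(rule_hits(r, f) for r in blacklist):
        return Verdict("block", "alarm", content)
    if any(rule_hits(r, f) for r in whitelist):
        return Verdict("release", "whitelist", content)
    if any(rule_hits(r, f) for r in graylist):
        return Verdict("focus", "graylist", content)
    # ASSUMPTION: unmatched traffic is released and only recorded for the self-learning stage.
    return Verdict("release", "audit", content)


def build_payload(req_resp: bytes, seq: int, state: int) -> bytes:
    """Constructed sample payload laid out per the page's offsets (test data, not a capture)."""
    command = bytearray(20)
    command[STATE_OFFSET - CMD_OFFSET] = state
    return req_resp + seq.to_bytes(2, "big") + bytes(command)


def run_demo() -> List[Verdict]:
    flow: FiveTuple = ("10.0.0.5", 40000, "10.0.0.9", 18246, "udp")  # constructed sample flow
    blacklist = [{"state": 0xFF}]                                    # constructed abnormal rule
    whitelist = [{"req_resp": REQUEST_CODE, "state": 0x00}]
    graylist = [{"req_resp": RESPONSE_CODE}]
    good = build_payload(REQUEST_CODE, 0x1800, 0x00)
    bad = build_payload(REQUEST_CODE, 0x1801, 0xFF)
    resp = build_payload(RESPONSE_CODE, 0x1800, 0x00)
    paf = PafBuffer(normal_len=len(good))
    verdicts: List[Verdict] = []
    # The abnormal payload arrives split into two undersized datagrams; PAF reassembles it.
    for datagram in (good, bad[:10], bad[10:], resp):
        data = paf.feed(flow, datagram)
        fields = parse_egd(data) if data is not None else None
        if fields is not None:
            verdicts.append(detect(flow, fields, blacklist, whitelist, graylist))
    return verdicts
```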
In the attack detection method based on the EGD protocol, the self-learning flow detection module in the step (3) is arranged in the server, wherein the self-learning flow detection module detects the flow according to a transmission state baseline, a repeated attack baseline and a command baseline so as to discover the attack behavior based on legal commands, and further uses a blocking strategy to block network attacks in time;
wherein the transmission state baseline is a frequency threshold value of the transmission state field value in the data packet in a certain period of time;
wherein the repeated attack baseline is a frequency threshold value of repeated occurrence of a normal command in a data packet in a certain period of time;
wherein the command baseline is a frequency threshold at which a particular command in the data packet occurs within a certain period of time.
In addition, blocking means that, according to the five-tuple of a data packet that hits the blacklist policy, the firewall prevents that five-tuple's session from entering the network inside the firewall and also prevents sessions of that type from being sent from the internal network to the network outside the firewall, so as to protect network security. Releasing means that the firewall lets the traffic of the internal and external networks pass according to the five-tuple of a data packet that hits the whitelist policy. Focusing means that the firewall lets the traffic of a data packet that hits the gray list policy pass in and out of the internal and external networks while generating an audit event, and the administrator judges whether the traffic is abnormal according to the real service traffic in the network. It should be noted that writing the transmission state, transmission command and sequence number of the data packet into the database as an audit event means that the hexadecimal strings of the transmission state, transmission command, sequence number and request response code parsed from the data packet are passed to the database access interface function and written into the corresponding table of the database.
In the attack detection method based on the EGD protocol, the blocking strategy in the step (3) comprises a blocking time strategy, a blocking command strategy and a blocking direction strategy;
wherein the blocking time strategy continuously blocks the traffic of a specific five-tuple for a given length of time;
wherein the blocking command policy is to block a specific command session in the traffic of a specific five-tuple;
wherein the blocking direction policy is to block request or response sessions in traffic of a specific five-tuple.
In the attack detection method based on the EGD protocol, the scheduling algorithm formula of the self-learning flow detection module in step (3) is as follows:
the self-learning flow detection module is randomly assigned to a server to run when it is created; let $T_i$ and $t_{d,i}$ denote the period and the deadline of the $i$-th blocking strategy respectively, and $WCET_i$ the worst-case execution time of blocking strategy $i$; the kernel scheduler admits the task when the current task set satisfies the condition shown in formula (I):
$$\sum_i \frac{WCET_i}{\min\{t_{d,i},\, T_i\}} \le M \qquad \text{(I)}$$
where $M$ is the number of system cores. A set of blocking strategies can be exhibited that is schedulable but does not satisfy the condition, so formula (I) is a sufficient but not necessary condition for admission control under the deadline scheduling algorithm. In addition, the self-learning module has a self-learning function: it counts, from the audit event table, the transmission states, the repeated commands and the frequency of specific commands within a certain period of time against thresholds, and generates an alarm when the transmission state field, a repeated command or a specific command in the data packets in the network exceeds its threshold, so as to discover attack behaviour based on legal commands.
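The self-learning function and the admission condition of formula (I), as an added Python example that is not code from the patent: constructed audit events are counted against the three baselines (transmission state, repeated command, specific command) over one period, and `admit()` evaluates the formula for a list of blocking strategies; the event layout, threshold values and task parameters are this example's assumptions.

```python
from collections import Counter

# Constructed audit events in the shape the text describes (transmission
# state, transmission command and sequence number per five-tuple); the
# five-tuple, times, commands and state values are made-up sample data.
FT = ("10.0.0.5", 40000, "10.0.0.9", 18246, "udp")
AUDIT_EVENTS = (
    [{"t": 0.1 * i, "five_tuple": FT, "state": 0, "command": 0x01, "seq": i}
     for i in range(30)]  # a burst of one legal command
    + [{"t": 3.5, "five_tuple": FT, "state": 1, "command": 0x02, "seq": 30},
       {"t": 3.6, "five_tuple": FT, "state": 1, "command": 0x02, "seq": 31}]
)
# Baselines as frequency thresholds per period (values chosen for the example).
BASELINES = {
    "period": 5.0,          # observation window in seconds
    "state": {1: 1},        # transmission state value -> max occurrences
    "repeat": 20,           # max consecutive repeats of any normal command
    "command": {0x02: 5},   # specific command -> max occurrences
}


def detect(events, start, baselines):
    """Count state values, consecutive command repeats and specific commands
    in [start, start + period) and return the alarms that exceed a baseline."""
    period = baselines["period"]
    win = sorted((e for e in events if start <= e["t"] < start + period),
                 key=lambda e: (e["five_tuple"], e["t"]))
    alarms = []
    # Transmission state baseline: frequency of each state field value.
    for state, n in Counter(e["state"] for e in win).items():
        if n > baselines["state"].get(state, float("inf")):
            alarms.append(("state", state, n))
    # Repeated attack baseline: longest run of one command on one five-tuple.
    run, prev, best = 0, None, (0, None)
    for e in win:
        key = (e["five_tuple"], e["command"])
        run = run + 1 if key == prev else 1
        prev = key
        best = max(best, (run, key[1]))
    if best[0] > baselines["repeat"]:
        alarms.append(("repeat", best[1], best[0]))
    # Command baseline: frequency of each specific command.
    for cmd, n in Counter(e["command"] for e in win).items():
        if n > baselines["command"].get(cmd, float("inf")):
            alarms.append(("command", cmd, n))
    return alarms


def admit(tasks, cores):
    """Formula (I): the blocking strategies are admitted when
    sum(WCET_i / min(t_d,i, T_i)) <= M; tasks are (period, deadline, wcet)."""
    load = sum(wcet / min(deadline, period) for period, deadline, wcet in tasks)
    return load <= cores, load
```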
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The name of the unit does not in any way constitute a limitation of the unit itself, for example the first acquisition unit may also be described as "unit acquiring at least two internet protocol addresses".
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Furthermore, it should be understood that although the present disclosure is described in terms of embodiments, not every embodiment contains only one independent technical solution; this manner of description is adopted for clarity only, and the disclosure is not limited to the embodiments described in detail, as the technical solutions described in the embodiments may be combined as appropriate to form other embodiments that will be apparent to those skilled in the art.

Claims (10)

1. An attack detection method based on an EGD protocol is characterized by comprising the following steps:
(1) Protocol identification of data packets: deploying a vehicle-mounted firewall provided with the EGD protocol, receiving data packets containing the EGD protocol through a network monitoring module of the vehicle-mounted firewall, and at the same time identifying the data packets containing EGD protocol characteristics by means of a protocol identification module, wherein the identified data packets are sent to a flow detection plug-in;
(2) Processing of flow detection: deploying a management platform, which detects the data packets identified in step (1) by means of the flow detection plug-in and sets a flow detection strategy acting on the flow related to the data packets; the flow detection plug-in is used for buffering the data in the data packet payload and parsing the characteristic fields of the data packet;
(3) Processing of self-learning detection: deploying a self-learning flow detection module, which is used for blocking attack flows of the EGD protocol based on legal instructions.
2. The EGD protocol-based attack detection method according to claim 1, wherein:
the vehicle-mounted firewall in step (1) is arranged on a hardware platform based on Intel x86_64 and ARM;
the vehicle-mounted firewall is deployed at a network gateway in an industrial control environment.
3. The EGD protocol-based attack detection method according to claim 2, wherein:
the network monitoring module in step (1) is further connected with an EGD protocol identification module, and the EGD protocol identification module is used for identifying the flow of data packets containing the EGD protocol;
wherein the characteristic fields of a data packet belonging to the EGD protocol include the request response code characteristic of the packet header, the sequence number characteristic of the data packet, and the port characteristic of the data packet for auxiliary identification; the flow identification module judges whether the characteristic fields of the data packet conform to the EGD protocol characteristics, and if so, records the flow of the data packet belonging to the EGD protocol in the session and transfers the flow to the flow detection plug-in.
4. The EGD protocol based attack detection method according to claim 3, wherein:
the vehicle-mounted firewall in the step (1) is connected with a central processing unit, and is connected with a communication module through the central processing unit;
the communication module on be provided with the ethernet network card, the ethernet network card be provided with ethernet communication unit, RS485 communication unit and RS232 communication unit, the data interface of central processing unit pass through the RMII interface and link to each other with the ethernet communication unit, the data interface of central processing unit still pass through the USART interface and link to each other with RS485 communication unit, RS232 communication unit.
5. The EGD protocol based attack detection method according to claim 4, wherein:
the management platform in the step (2) is arranged in a server, and is connected with the access equipment.
6. The EGD protocol based attack detection method according to claim 5, wherein:
the specific operating method for detecting the data packets identified in step (1) by means of the flow detection plug-in in step (2) is as follows:
firstly, a Protocol-Aware Flushing (PAF) technique is used to buffer the data in the data packet payload: a PAF buffer is set according to the normal length of the network protocol command, data packets shorter than the normal length are buffered, and the buffer content is detected once the buffer is full; then the transmission state field, the transmission command field and the packet sequence number field among the characteristic fields in the data packet payload or the PAF buffer are parsed, and the transmission state, transmission command and sequence number of the data packet are written into the database in the form of audit events.
7. The EGD protocol based attack detection method according to claim 6, wherein:
the action in the step (2) is a blocking action, a releasing action or a focusing action;
the flow detection strategy in the step (2) comprises a blacklist strategy, a whitelist strategy and a gray list strategy, wherein the blacklist strategy is used for blocking flow according to abnormal rules of event contents of the data packet and generating alarm audit events, the whitelist strategy is used for releasing flow according to normal rules of the event contents of the data packet and generating white list audit events, and the gray list strategy is used for releasing flow according to possible abnormal rules of the event contents of the data packet and generating gray list audit events;
the event content comprises the transmission state of the data packet, a transmission command, a serial number and a request response code.
8. The EGD protocol based attack detection method according to claim 7, wherein:
the self-learning flow detection module in the step (3) is arranged in the server, wherein the self-learning flow detection module detects flow according to a transmission state baseline, a repeated attack baseline and a command baseline so as to discover the attack behavior based on legal commands, and further uses a blocking strategy to timely block network attacks;
wherein the transmission state baseline is a frequency threshold value of the transmission state field value in the data packet in a certain period of time;
wherein the repeated attack baseline is a frequency threshold value of repeated occurrence of a normal command in a data packet in a certain period of time;
wherein the command baseline is a frequency threshold at which a particular command in the data packet occurs within a certain period of time.
9. The EGD protocol based attack detection method according to claim 8, wherein:
the blocking strategy in the step (3) comprises a blocking time strategy, a blocking command strategy and a blocking direction strategy;
wherein the blocking time strategy specifies the length of time for which the traffic of a specific five-tuple is continuously blocked;
wherein the blocking command strategy blocks the sessions of a specific command within the traffic of a specific five-tuple;
wherein the blocking direction strategy blocks the request sessions or the response sessions within the traffic of a specific five-tuple.
10. The EGD protocol-based attack detection method according to claim 1, wherein:
the scheduling algorithm formula of the self-learning flow detection module in step (3) is as follows:
the self-learning flow detection module is randomly assigned to a server to run when it is created; let $T_i$ and $t_{d,i}$ denote the period and the deadline of the $i$-th blocking strategy respectively, and $WCET_i$ the worst-case execution time of blocking strategy $i$; the kernel scheduler admits the task when the current task set satisfies the condition shown in formula (I):
$$\sum_i \frac{WCET_i}{\min\{t_{d,i},\, T_i\}} \le M \qquad \text{(I)}$$
where $M$ is the number of system cores; a set of blocking strategies can be exhibited that is schedulable but does not satisfy the condition, so formula (I) is a sufficient but not necessary condition for admission control under the deadline scheduling algorithm.
CN202310046009.5A 2022-01-30 2023-01-30 Attack detection method based on EGD protocol Pending CN116781315A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2022101162455 2022-01-30
CN202210116245.5A CN114500065A (en) 2022-01-30 2022-01-30 Attack detection method based on EGD protocol

Publications (1)

Publication Number Publication Date
CN116781315A true CN116781315A (en) 2023-09-19

Legal Events

Date Code Title Description
PB01 Publication