CN116915515B - Access security control method and system for industrial control network - Google Patents

Access security control method and system for industrial control network

Info

Publication number: CN116915515B
Application number: CN202311182076.6A
Authority: CN (China)
Prior art keywords: access, verification, security, node, result
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116915515A (en)
Inventors: 梁国春, 马振肖, 侯占英, 周文军
Current assignee: Beijing Dongfang Sentai Technology Development Co ltd
Original assignee: Beijing Dongfang Sentai Technology Development Co ltd
Events: application filed by Beijing Dongfang Sentai Technology Development Co ltd; priority to CN202311182076.6A; publication of CN116915515A; application granted; publication of CN116915515B; legal status active

Classifications

    • H04L63/105 Multiple levels of security (under H04L63/10, network architectures or network communication protocols for network security for controlling access to devices or network resources)
    • H04L63/102 Entity profiles (under H04L63/10, as above)
    • H04L63/12 Applying verification of the received information
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 and H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L9/40 Network security protocols (under H04L9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P90/00, enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

All H04L entries sit under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION, and all H04L63 entries under H04L63/00, network architectures or network communication protocols for network security. The Y02P entry sits under Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS / Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE / Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS.

Abstract

The invention provides an access security control method and system for an industrial control network, in the technical field of digital information transmission. The method comprises: establishing calibration traffic data corresponding to N-level access nodes; establishing the access characteristics of a user account; configuring the adapted authority characteristics of the user account for the N-level access nodes and generating trigger constraints between the account and the data; performing access-characteristic matching when an access is executed and rebuilding the verification database from the matching result, the access node and the access request; performing access verification to generate a first security verification result; retrieving the user trajectory information to generate a second security verification result; performing data verification of the interaction data to generate a third security verification result; and performing access security control on the basis of the three results. The invention addresses the technical problems that, in conventional methods, matching and controlling the adapted authority of a user account against an access node is complex and inefficient, and that verification information is inaccurate so that access control performs poorly.

Description

Access security control method and system for industrial control network
Technical Field
The invention relates to the technical field of digital information transmission, in particular to an access security control method and system for an industrial control network.
Background
Industrial control network security involves multiple departments, and access security control is critical to it. Because of their criticality and complexity, industrial control networks face various security threats, including unauthorized access, malicious operations and data leakage, so an efficient and accurate access security control method is needed to protect them.
Conventional access control methods often cannot meet the special requirements of an industrial control network, and configuring the adapted authority characteristics of a user account against an access node is difficult, so that matching and controlling access authority becomes complex and inefficient.
There is therefore room for improvement in access security control for industrial control networks.
Disclosure of Invention
The application provides an access security control method and system for an industrial control network, aimed at solving the technical problems that, in conventional methods, matching and controlling the adapted authority of a user account against an access node is complex and inefficient, and that the verification database is not maintained in time when an access request changes, so that verification information is inaccurate and access control performs poorly.
In view of the above problems, the present application provides an access security control method and system for an industrial control network.
In a first aspect of the disclosure, an access security control method for an industrial control network is provided. The method comprises: establishing calibration traffic data corresponding to N-level access nodes, where each level of access node corresponds to an industrial control device and the calibration traffic data is constructed by extracting the traffic characteristics of the normalized N-level access nodes; establishing the access characteristics of a user account, comprising frequent-access interval characteristics, edge-access interval characteristics and non-access interval characteristics; configuring the adapted authority characteristics of the user account for the N-level access nodes and generating trigger constraints between the account and the data; when a user executes an access to an N-level access node, performing access-characteristic matching according to the access request and rebuilding a verification database from the matching result, the access node and the access request; performing access verification on the access request with the verification database to generate a first security verification result; retrieving the user trajectory information corresponding to the access request and generating a second security verification result from it; performing data verification of the interaction data through the trigger constraints and the calibration traffic data to generate a third security verification result; and performing access security control through the first, second and third security verification results.
In another aspect of the disclosure, an access security control system for an industrial control network is provided, which carries out the above method and comprises: a calibration traffic establishing module, for establishing calibration traffic data corresponding to the N-level access nodes, where each level of access node corresponds to an industrial control device and the calibration traffic data is built by extracting the traffic characteristics of the normalized N-level access nodes; an access characteristic establishing module, for establishing the access characteristics of the user account, comprising frequent-access interval characteristics, edge-access interval characteristics and non-access interval characteristics; an authority characteristic configuration module, for configuring the adapted authority characteristics of the user account for the N-level access nodes and generating the trigger constraints between the account and the data; an access characteristic matching module, for performing access-characteristic matching according to the access request when the user executes an access to an N-level access node, and rebuilding the verification database from the matching result, the access node and the access request; an access verification module, for performing access verification on the access request with the verification database and generating the first security verification result; a trajectory verification module, for retrieving the user trajectory information corresponding to the access request and generating the second security verification result from it; a data verification module, for performing data verification of the interaction data through the trigger constraints and the calibration traffic data to generate the third security verification result; and a security control module, for performing access security control through the first, second and third security verification results.
The technical schemes provided by the application have at least the following technical effects or advantages:
By establishing calibration traffic data for the N-level access nodes, extracting normalized traffic characteristics and combining them with the access characteristics of the user account, abnormal and legitimate accesses can be told apart more accurately, and the access security of the industrial control network is improved. By configuring the adapted authority characteristics of the user account for the N-level access nodes and generating trigger constraints between the account and the data, access authority is matched and controlled precisely, improving the access management and control of the industrial control network. By performing access-characteristic matching and verification database rebuilding on each access request, and combining this with user trajectory information and verification of the interaction data, access verification and security control take place in real time, strengthening the real-time monitoring and response capability of the industrial control network. In summary, the method addresses the lack of normalized access data, the inaccurate analysis of user behaviour patterns, the difficulty of matching access authority and the maintenance of the verification database, and achieves higher access security, precise access authority control, and real-time verification and security control.
The foregoing is only an overview of the present application. So that its technical means may be understood more clearly and implemented in accordance with its teachings, and so that its objects, features and advantages become more readily apparent, the detailed description follows.
Drawings
Fig. 1 is a schematic flow chart of an access security control method for an industrial control network according to an embodiment of the present application;
fig. 2 is a schematic diagram of an access security control system for an industrial control network according to an embodiment of the present application.
Reference numerals: calibration traffic establishment module 10, access characteristic establishment module 20, authority characteristic configuration module 30, access characteristic matching module 40, access verification module 50, trajectory verification module 60, data verification module 70 and security control module 80.
Detailed Description
The embodiments of the application solve the technical problems that, in conventional methods, matching and controlling the adapted authority of a user account against an access node is complex and inefficient, and that the verification database is not maintained in time when an access request changes, so that verification information is inaccurate and access control performs poorly.
Having described the basic principles of the present application, various non-limiting embodiments of the present application will now be described in detail with reference to the accompanying drawings.
Embodiment one:
as shown in fig. 1, an embodiment of the present application provides an access security control method for an industrial control network, where the method includes:
Establishing calibration traffic data corresponding to N-level access nodes, where each level of access node corresponds to an industrial control device and the calibration traffic data is constructed by extracting the traffic characteristics of the normalized N-level access nodes;
The N-level access nodes of the industrial control network are determined; each level of access node corresponds to one industrial control device, which may be a physical or a virtual device. The normalized traffic characteristics of each level of access node are then extracted. Normalized traffic characteristics are the typical traffic pattern of the access node in its normal operating state, and include packet size, source IP address, protocol type, communication frequency and similar information. From the extracted characteristics, the calibration traffic data of each level of access node is constructed; this data is the result of analysing and mapping normal traffic behaviour, and serves as the reference for subsequent access verification.
Further, the method further comprises:
retrieving the traffic data of the normalized N-level access nodes from the interaction control database;
parsing the traffic data and establishing mapping labels between users and the N-level access nodes;
using the user as the cluster classification constraint, performing traffic feature extraction for each classification cluster;
and constructing the calibration traffic data from the traffic features.
A connection to the interaction control database is established, the authority required to operate the database is obtained, and a request is sent to the database with the corresponding query statement to retrieve the traffic data of the normalized N-level access nodes. The traffic data comprises the source address, destination address, port and protocol of each network communication, together with timestamps and other performance indicators related to the access node.
The retrieved traffic data is parsed to extract the information relating the user and the N-level access node: fields such as the source address and destination address are parsed and processed; the user identity behind each network communication (a known user name, user ID, device identifier and the like) is identified from the parsed source address; and the N-level access node of the communication (node name, node ID and the like) is determined from the destination address. Based on the existing user account information, a mapping label between the user and the N-level access node is established from the identified user identity and access node.
This identifies which user initiated which network communication on which access node, and provides an accurate and reliable data basis for the subsequent analysis of access behaviour, inference of user behaviour patterns and security control.
According to the established mapping labels, the traffic data of the same user on different access nodes is divided into clusters, so that each cluster contains the network communication data of one user across different nodes. For each classification cluster, traffic feature extraction is then performed, for example by analysing the traffic data in the cluster with a spectral analysis method. The extracted traffic feature information comprises statistical indicators, spectral features, time-series patterns and the like of the network communication, and supports user behaviour pattern analysis, anomaly detection and behaviour identification.
The extracted traffic features are assembled into samples of calibration traffic data; each sample corresponds to one traffic record and holds its feature values, for use in subsequent access behaviour analysis, anomaly detection and verification.
Establishing the access characteristics of a user account, the access characteristics comprising frequent-access interval characteristics, edge-access interval characteristics and non-access interval characteristics;
The access characteristics of a user account are established so that the user can be authenticated and its access behaviour analysed. The frequent-access interval characteristic denotes the periods within a given window during which the account is accessed frequently; it is obtained by counting indicators such as the login frequency and operation frequency of the user over that window, and analysing it reveals the user's normal activity pattern and habits. The edge-access interval characteristic denotes the periods during which the account is accessed only rarely; it reflects atypical or potentially abnormal behaviour, for example activity during irregular periods. The non-access interval characteristic denotes the periods during which the account is not accessed at all, and can be used to detect off-shift conditions or long-term inactivity of the user.
By analysing the access characteristics of the user account, these characteristics can be used in the subsequent access verification to judge whether the user's identity and access behaviour are normal: for example, during access request matching, the characteristics of the current access are compared with those established earlier, and abnormal or non-compliant access conditions can be detected.
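An added example of how the three interval characteristics can be derived from an access log and then used to classify a new request; it is not the patent's code. The log format, the account names, the base timestamp and the rule that an hour counts as "frequent" when its count reaches half of the account's busiest hour are all assumptions.

```python
"""Access characteristics of a user account, i.e. its frequent-access,
edge-access and non-access intervals over the hour of day (added example,
not the patent's own code).  Assumptions, all hypothetical: the access log
is a list of (account, unix_ts) login or operation events; an hour is
"frequent" when its count reaches frequent_ratio of the busiest hour."""
from collections import Counter
from datetime import datetime, timezone

HOURS = 24
DAY0 = 1704067200  # constructed base timestamp, 2024-01-01 00:00 UTC

# Constructed access log: operator_a works a day shift with one late login;
# operator_b is a night-shift account and must not leak into operator_a's profile.
EVENTS = (
    [("operator_a", DAY0 + 8 * 3600 + 60 * i) for i in range(5)]
    + [("operator_a", DAY0 + 9 * 3600 + 60 * i) for i in range(6)]
    + [("operator_a", DAY0 + 86400 + 10 * 3600 + 60 * i) for i in range(4)]
    + [("operator_a", DAY0 + 22 * 3600 + 15 * 60)]
    + [("operator_b", DAY0 + 3 * 3600 + 60 * i) for i in range(2)]
)


def hour_of(ts):
    return datetime.fromtimestamp(ts, timezone.utc).hour


def hourly_counts(events, account):
    """Login/operation frequency of one account per hour of day (UTC)."""
    counts = Counter(hour_of(ts) for acct, ts in events if acct == account)
    return [counts[h] for h in range(HOURS)]


def classify_intervals(counts, frequent_ratio=0.5):
    """Split the 24 hours into frequent (count >= frequent_ratio * peak),
    edge (some activity but below that) and non-access (no activity)."""
    peak = max(counts)
    profile = {"frequent": [], "edge": [], "non_access": []}
    for hour, c in enumerate(counts):
        if c == 0:
            profile["non_access"].append(hour)
        elif c >= frequent_ratio * peak:
            profile["frequent"].append(hour)
        else:
            profile["edge"].append(hour)
    return profile


def build_profile(events, account):
    """The account's access characteristics, ready for later matching."""
    return classify_intervals(hourly_counts(events, account))


def match_request(profile, ts):
    """Access-characteristic matching for a new request: name the interval the
    request's hour falls into.  A request in an edge or non-access interval is
    what the later verification steps treat as needing closer scrutiny."""
    hour = hour_of(ts)
    for kind, hours in profile.items():
        if hour in hours:
            return kind
    return "non_access"


if __name__ == "__main__":
    profile = build_profile(EVENTS, "operator_a")
    print(profile)
    print(match_request(profile, DAY0 + 22 * 3600 + 600))
```

The profile is built per account, so the night-shift account's hours do not turn into "frequent" hours for the day-shift account; the 22:00 login is kept as an edge interval rather than discarded, which is exactly the case the text wants flagged for closer verification rather than refused outright.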
Configuring the adapted authority characteristics of the user account for the N-level access nodes, and generating trigger constraints between the account and the data;
For each user account and the corresponding N-level access node, the authority of the user on that node is determined, such as read-write or read-only authority, with finer-grained authority control where specific requirements call for it. From the configured authority characteristics, trigger constraints between the account and the data are generated. A trigger constraint is a limit that must be satisfied when the user accesses data, defined on factors such as the user account, the data accessed and the access node; for example, an account may be restricted to accessing nodes or data of a given level only within a given time period, or the user may be required to pass an additional authentication step before accessing sensitive data.
By configuring the adapted authority characteristics and generating the trigger constraints, a user account can only access what it is authorised for, and only when the stated conditions are met, so access by unauthorised users to devices and data is effectively limited and the security of the industrial control network is improved.
When a user executes an access to an N-level access node, performing access-characteristic matching according to the access request, and rebuilding the verification database from the matching result, the access node and the access request;
When a user executes an access to an N-level access node, the access request is parsed to obtain the user account, the access node and other relevant parameters. Using the information in the request, including the access mode, frequency and authority of the user account, it is matched against the access characteristics established for that account, and the matching result tells whether the access follows the expected pattern and authority. A successful match indicates that the access behaviour of the account is normal; a failed match indicates abnormal or non-compliant access behaviour.
According to the matching result, the access node and the content of the access request, the user access records, authority information and corresponding security policies stored in the verification database are updated. This keeps the information in the verification database consistent with actual access behaviour, so that subsequent access verification and control requests can be answered in time.
Further, the method further comprises:
determining the node basic level characteristics of the N-level access nodes;
determining the account level characteristics of the account from the user account;
retrieving the node basic level characteristics and the account level characteristics through the access request and the access node, and generating a verification constraint;
and completing the verification database rebuild according to the verification constraint and the matching result.
Each access node is evaluated by analysing its security attributes, including its authorization strategy, authentication mode, password strength requirement and access frequency. From the evaluation, the node basic level characteristics of each node are determined; these include an authority level, a credibility index and the like, and describe the basic security characteristics of the node. For example, the higher the security of a node, the higher its basic level, the more complex the corresponding authentication mode and the stricter the password strength requirement, so that the grading of nodes matches the access control requirements and security strategy of the industrial control network.
For each user account, a security attribute evaluation is performed, analysing the account's password strength, multi-factor authentication settings, historical access behaviour and the like. From the evaluation, the security level and related attributes of the account are determined, and on that basis the account level characteristics of the account, which include an authority level, a trust degree, a risk evaluation index and the like; the account level describes the authority of the account and reflects both its security and its authority level.
From the access request, the user account information, the requested operation type, the path nodes and the like are obtained. According to the access node and the user account, the node basic level characteristics and the account level characteristics are retrieved, and from these characteristic values a verification constraint is generated. The verification constraint is a set of rules or limiting conditions that govern the processing and authorization of the access request, including the allocation of verification authority, limits on the access mode and any further identity verification requirements. The constraints are defined on the level characteristics of the node and the account: for example, the higher the node level and the account level, the higher the corresponding access authority and the more complex the verification mode, which secures access control in the industrial control network. By applying the verification constraints, the system can control and authenticate access requests precisely on the basis of node and account level characteristics.
A verification database is designated for storing verification-related information, comprising node authorities, account access records, security rules and the like. On the basis of the generated verification constraint, the related data in the verification database is screened, that is, the data meeting the constraint conditions is selected for further processing. According to the matching result and the verification constraint, the selected data is then updated, modified or added to, for example by adjusting node authorities, updating access records or changing security rules, so that the content of the verification database is consistent with the new verification constraint and the new matching result.
Performing access verification on the access request with the verification database, and generating a first security verification result;
The access request is compared with the information in the verification database and verified against it: this includes checking whether the user account exists and judging the user authority, the access node authority and the like. For example, when a level-1 user accesses a level-1 node, only account password verification is required; when the same user accesses a level-2 node, fingerprint identification may be added on top of the password verification. The higher the level, the higher the verification complexity, which secures the access. From the outcome, a first security verification result is generated: if verification passes, the user's access request is legitimate and safe; if it does not pass, the access behaviour is abnormal or non-compliant, and the next operation is forbidden.
Further, when verification passes, the stability of the verification process is also evaluated, for example through the verification speed: the slower the verification is relative to its normal speed, the more likely the process has been affected by an anomaly, and the lower the stability value assigned to the pass. The resulting first stability value is added to the first security verification result for reference in subsequent anomaly handling.
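An added example that ties the authority configuration, the trigger constraints, the node and account level characteristics, the verification constraint and the first security verification result (with its stability value) together into one decision function. It is not the patent's code: the verification database layout, the level numbers, the factor names, the time window, the "normal" verification time of 200 ms and the rule for deriving required factors from node and account level are assumptions chosen to match the level-1/level-2 example in the text.

```python
"""Adapted authority, trigger constraints, verification constraints and the
first security verification result (added example; not the patent's code).
Assumptions, all hypothetical: node basic level and account level are small
integers, authentication factors are named strings, the verification database
is a dict, and the stability value is normal_ms / elapsed_ms capped at 1."""
from dataclasses import dataclass, field

# Verification database: node levels, account levels, adapted authority and
# the access records that the matching step keeps up to date.
VERIFICATION_DB = {
    "nodes": {"plc_1": {"level": 1}, "hmi_2": {"level": 2}},
    "accounts": {"operator_a": {"level": 1, "mfa": True}},
    "authority": {("operator_a", "plc_1"): "rw", ("operator_a", "hmi_2"): "ro"},
    "access_records": [],
}

# Trigger constraints: limits an account must satisfy when it touches data.
TRIGGER_CONSTRAINTS = {
    "operator_a": {"hours": range(6, 20), "sensitive_needs": "hardware_token"},
}


@dataclass
class Request:
    account: str
    node: str
    op: str                      # "read" or "write"
    hour: int                    # hour of day the request arrives
    sensitive: bool = False      # request touches data marked sensitive
    presented: set = field(default_factory=set)   # factors the user presented
    elapsed_ms: float = 0.0      # how long the verification dialogue took


def verification_constraint(account_level, node_level):
    """Required factors grow with the node level; a node more than one level
    above the account additionally needs a hardware token."""
    required = {"password"}
    if node_level >= 2:
        required.add("fingerprint")
    if node_level > account_level + 1:
        required.add("hardware_token")
    return required


def authority_allows(authority, op):
    return authority == "rw" or (authority == "ro" and op == "read")


def first_verification(req, db=VERIFICATION_DB, constraints=TRIGGER_CONSTRAINTS, normal_ms=200.0):
    """First security verification result for one request."""
    acct = db["accounts"].get(req.account)
    node = db["nodes"].get(req.node)
    if acct is None or node is None:
        return {"passed": False, "reason": "unknown account or node"}
    if not authority_allows(db["authority"].get((req.account, req.node)), req.op):
        return {"passed": False, "reason": "authority"}
    trig = constraints.get(req.account, {})
    if req.hour not in trig.get("hours", range(24)):
        return {"passed": False, "reason": "outside permitted time window"}
    required = verification_constraint(acct["level"], node["level"])
    if req.sensitive and "sensitive_needs" in trig:
        required.add(trig["sensitive_needs"])
    missing = required - req.presented
    if missing:
        return {"passed": False, "reason": "missing factors", "missing": sorted(missing)}
    stability = min(1.0, normal_ms / req.elapsed_ms) if req.elapsed_ms > 0 else 1.0
    db["access_records"].append((req.account, req.node, req.op, req.hour))  # keep the database current
    return {"passed": True, "required": sorted(required), "stability": stability}


if __name__ == "__main__":
    print(first_verification(Request("operator_a", "plc_1", "write", 9, presented={"password"}, elapsed_ms=100.0)))
    print(first_verification(Request("operator_a", "hmi_2", "read", 9, presented={"password"})))
```

Note the ordering: authority and the time-window trigger constraint are checked before any factor is evaluated, so a request that is out of policy never gets as far as prompting for a fingerprint, and the stability value is only produced for passes, as the text specifies.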
Retrieving the user trajectory information corresponding to the access request, and generating a second security verification result from the user trajectory information;
further, the method further comprises:
accessing a unique positioning device of a target user, and extracting a track path of the unique positioning device;
performing path abnormality verification on the track path to generate a basic track verification result;
according to the path nodes of the track path, a time node image database is called, and an auxiliary track verification result is generated;
and generating a second security verification result through the basic track verification result and the auxiliary track verification result.
The target user and the corresponding unique positioning device, such as a smartphone, a computer or a smart card, are determined. Data interaction is performed with the unique positioning device of the target user to retrieve position data, and the position data is combined with timestamps to form the corresponding track path, which describes where the user was at different points in time over a past period.
By analysing historical data, business requirements, user habits and the like, a normal track behaviour mode of the target user is defined, that is, the track path the user follows under typical conditions. An anomaly verification rule is established from this normal mode to detect anomalies in the track path, such as a login from an unusual location. According to the defined rule, anomaly verification is executed on the extracted track path: the path is compared with the normal track behaviour mode to detect whether any track behaviour deviates from normal behaviour. A basic track verification result is generated from this path anomaly verification: if the path contains abnormal behaviour, the basic track verification result is a rejected or abnormal state; if no abnormal behaviour is found, it is a pass or normal state.
Path nodes are determined from the extracted track path. A path node is a specific time point on the track path together with the corresponding position point, and represents the user's activity at a certain moment and place. Based on the path nodes, a time node image database is called; it contains the time information associated with the path nodes and image data from the authentication devices, and the relevant time and position node image data is retrieved by matching the path nodes. Auxiliary track verification is performed with the data in the time node image database, including verifying whether the time node falls within the expected range and whether the image from the authentication device is consistent with the path node.
An auxiliary track verification result is generated from this verification: if it succeeds, that is, the time node and the image from the authentication device match the nodes of the track path, a pass or normal auxiliary track verification result is generated; if there is a mismatch or an abnormal condition, further examination is triggered or corresponding control measures are taken.
The basic track verification result reflects the path anomaly verification, and the auxiliary track verification result reflects the verification against the time node image database. The two are considered together, for example by a logical operation: the second security verification passes only when both the basic and the auxiliary track verification results are passes, and the second security verification result is generated from this combined result.
Further, as in the first security verification, the stability of the verification process is evaluated when the verification passes, a second stable value is obtained, and the second stable value is added to the second security verification result for reference in subsequent anomaly handling.
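The two-stage track verification described above, carried through in code as an added example that is not the patent's own implementation: the normal track behaviour mode, the +/-3 minute matching window, the zone and camera names and the definition of the second stable value are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed normal track behaviour mode (assumption: the patent leaves the
# model open). For each hour of the day, the set of site zones the target user
# is expected to be in; outside 06:00-19:59 the user is expected nowhere on site.
NORMAL_MODE = {hour: {"plant_gate", "control_room"} for hour in range(6, 20)}


@dataclass(frozen=True)
class PathNode:
    ts: datetime   # time point on the track path
    zone: str      # position point, coarsened to a named zone


def basic_track_verification(path, normal_mode):
    """Path anomaly verification: each node must lie in a zone that the normal
    track behaviour mode allows for that hour. Returns (state, offending nodes)."""
    anomalies = [n for n in path if n.zone not in normal_mode.get(n.ts.hour, set())]
    return ("pass" if not anomalies else "abnormal"), anomalies


def auxiliary_track_verification(path, image_db, window=timedelta(minutes=3)):
    """Auxiliary verification against the time node image database: every path
    node needs an image record from the camera covering its zone, taken within
    +/-window of the node time, in which the target user was recognised.
    Returns (state, unmatched nodes, best time offsets as a fraction of window)."""
    unmatched, offsets = [], []
    for node in path:
        best = None
        for rec in image_db:
            if rec["zone"] != node.zone or not rec["subject_matches"]:
                continue
            delta = abs(rec["ts"] - node.ts)
            if delta <= window and (best is None or delta < best):
                best = delta
        if best is None:
            unmatched.append(node)
        else:
            offsets.append(best / window)
    return ("pass" if not unmatched else "abnormal"), unmatched, offsets


def second_security_verification(path, normal_mode, image_db):
    """Logical AND of the basic and auxiliary results. The second stable value is
    an assumption here: the mean time offset between a node and its best image,
    as a fraction of the matching window (0.0 = exact, near 1.0 = barely inside)."""
    basic, bad_nodes = basic_track_verification(path, normal_mode)
    aux, unmatched, offsets = auxiliary_track_verification(path, image_db)
    stable_value = sum(offsets) / len(offsets) if offsets else 1.0
    return {
        "passed": basic == "pass" and aux == "pass",
        "basic": basic,
        "auxiliary": aux,
        "stable_value": stable_value,
        "anomalies": bad_nodes + unmatched,
    }


def _t(hh, mm):
    return datetime(2023, 9, 14, hh, mm)


# Constructed track path and image records for one morning.
NORMAL_PATH = [PathNode(_t(8, 0), "plant_gate"), PathNode(_t(8, 30), "control_room"),
               PathNode(_t(12, 0), "control_room")]
ANOMALOUS_PATH = NORMAL_PATH + [PathNode(_t(22, 0), "plant_gate")]
IMAGE_DB = [
    {"ts": _t(8, 1), "zone": "plant_gate", "camera": "cam-01", "subject_matches": True},
    {"ts": _t(8, 30), "zone": "control_room", "camera": "cam-07", "subject_matches": True},
    {"ts": _t(12, 2), "zone": "control_room", "camera": "cam-07", "subject_matches": True},
]

if __name__ == "__main__":
    print(second_security_verification(NORMAL_PATH, NORMAL_MODE, IMAGE_DB))
    print(second_security_verification(ANOMALOUS_PATH, NORMAL_MODE, IMAGE_DB))
```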
Further, the method further comprises:
setting a time attenuation correlation factor, wherein the time attenuation correlation factor is a trusted correlation factor taking an access verification node as a zero point and the time before the zero point as an attenuation direction;
determining a time node of the authenticatable image and authentication equipment according to the path node;
and calling a preset number of time nodes and the authentication equipment by taking the time attenuation correlation factors as random probability, and establishing the time node image database.
An access verification node is determined, which is the time point at which the user starts access verification. With the access verification node as the zero point and the time before it as the decay direction, the weight of track data decreases gradually the older it is, so that newer track data carries relatively more weight. A trusted correlation factor is set along this decay direction; it represents the degree to which the weight of historical track data decays, and its value decreases with increasing age. In this way, track data closer to the access verification node is weighted more heavily, so that verification relies more on recent track data and the influence of past behaviour on access security control is reduced.
The path node is a time point and a corresponding position point on the path of the track, represents the activity of a user at a certain moment or place, and is associated with a corresponding time period and authentication equipment according to the path node, wherein the time period is a time period related to the time of the path node, for example, 3 minutes before and after the path node, and the authentication equipment is equipment used in the time period associated with the path node, for example, a camera corresponding to the path node and used for acquiring images of the time period and a target user in the path node.
Based on the path nodes, a time node and an authentication device of an authenticatable image are determined, which means that a specific time node is selected during this time period, and image data is acquired from the authentication device associated with the time period.
The time decay correlation factor is used as a random probability for deciding whether each time node and authentication device is selected: for example, a random number in the range [0, 1] is generated and compared with the time decay correlation factor of that time node. This ensures that the database contains image data from representative time nodes and authentication devices for auxiliary track verification and access security control.
A preset number is determined according to system demand and resource availability, and time nodes and authentication devices are selected up to that number according to the comparison result: if the random number is less than or equal to the time decay correlation factor, the time node and authentication device are selected; otherwise they are skipped. Image data is obtained from the selected authentication devices at the selected time nodes and stored in the time node image database, which is used for the subsequent auxiliary track verification.
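The selection procedure of this section as an added example, not code from the patent: the exponential decay with a six-hour half-life, the newest-first ordering and the camera identifiers are assumptions; the patent specifies only that the factor decays going back from the access verification node and is compared against a random number in [0, 1].

```python
import random
from datetime import datetime, timedelta


def time_decay_factor(node_time, access_verification_node, half_life=timedelta(hours=6)):
    """Trusted correlation factor with the access verification node as zero point
    and earlier time as the decay direction: 1.0 at the zero point, halving every
    `half_life` going back (the exponential form and half-life are assumptions).
    Candidates after the zero point are not in the decay direction and get 0.0."""
    age = access_verification_node - node_time
    if age < timedelta(0):
        return 0.0
    return 0.5 ** (age / half_life)


def select_time_nodes(candidates, access_verification_node, preset_number,
                      rng=random.random, half_life=timedelta(hours=6)):
    """Use the decay factor as a random selection probability.

    candidates: iterable of (time_node, authentication_device) pairs, one per
    path node and the camera associated with it. For each candidate a random
    number u in [0, 1) is drawn and the candidate is kept if u <= factor, so
    recent nodes are kept almost always and old ones rarely. Candidates are
    tried newest first (assumption) and selection stops at the preset number.
    Returns a list of (time_node, device, factor) triples."""
    ordered = sorted(candidates, key=lambda c: c[0], reverse=True)
    selected = []
    for node_time, device in ordered:
        if len(selected) >= preset_number:
            break
        factor = time_decay_factor(node_time, access_verification_node, half_life)
        if rng() <= factor:
            selected.append((node_time, device, factor))
    return selected


def build_time_node_image_database(selected, fetch_image):
    """Retrieve image data for each selected (time node, device) pair and keep the
    decay factor alongside it so auxiliary track verification can weight matches."""
    return [{"ts": t, "device": d, "factor": f, "image": fetch_image(d, t)}
            for t, d, f in selected]


# Constructed example: verification starts at 09:00; path nodes and their cameras
# lie 24 h, 12 h, 6 h and 1 h before it.
ZERO_POINT = datetime(2023, 9, 14, 9, 0)
CANDIDATES = [
    (ZERO_POINT - timedelta(hours=24), "cam-03"),
    (ZERO_POINT - timedelta(hours=12), "cam-07"),
    (ZERO_POINT - timedelta(hours=6), "cam-07"),
    (ZERO_POINT - timedelta(hours=1), "cam-01"),
]


def fake_fetch_image(device, ts):
    """Stand-in for retrieval from the authentication device (constructed)."""
    return f"{device}@{ts:%H:%M}.jpg"


if __name__ == "__main__":
    chosen = select_time_nodes(CANDIDATES, ZERO_POINT, preset_number=3)
    for row in build_time_node_image_database(chosen, fake_fetch_image):
        print(row)
```

Passing a deterministic `rng` makes the selection reproducible for testing; in production the default `random.random` draws u per candidate.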
Performing data verification of interaction data through the triggering constraint and the calibration flow data to generate a third safety verification result;
acquiring interactive data related to an access request, such as a data packet, an instruction and the like, verifying the acquired interactive data according to a preset trigger constraint, judging whether the access behavior accords with the authority characteristics, and if not, indicating that abnormal or non-compliant access behaviors exist; and verifying the obtained interaction data according to the pre-acquired calibration flow data, and judging whether the access accords with a typical flow mode of the access node under a normal operation state, wherein the typical flow mode comprises a data packet size, a source IP address, a destination IP address, a protocol type, a communication frequency and the like.
Based on the verification result of the trigger constraint and the verification result of the calibration flow data, a third security verification result is generated. A logical operation can again be used, so that the third security verification passes only when both verifications pass at the same time, and the third security verification result serves as a final basis for deciding whether to allow the access to proceed or to execute corresponding security measures.
Further, similar to the first security verification, the stability of the verification process is evaluated while the verification is passed, a third stable value is obtained, and the third stable value is added to the third security verification result for reference of subsequent anomalies.
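The third security verification as an added example, not the patent's code: the calibration flow profile, the trigger constraint table, the node and account names, the packet fields and the definition of the third stable value are constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed calibration flow data for one access node (assumed shape): the
# typical flow pattern of the industrial control device in normal operation.
CALIBRATION_FLOW = {
    "node-2": {
        "packet_size": (64, 512),          # typical payload size range in bytes
        "source_nets": ["10.10.2.0/24"],   # engineering-station subnet
        "destination_ip": "10.10.9.20",    # the controller behind this node
        "protocols": {"modbus/tcp"},
        "max_per_minute": 30,              # typical communication frequency ceiling
    }
}

# Constructed trigger constraint: the operations an account may trigger on a node.
TRIGGER_CONSTRAINT = {
    ("operator01", "node-2"): {"read"},
    ("engineer02", "node-2"): {"read", "write"},
}


def verify_trigger_constraint(account, node, packets, constraint=TRIGGER_CONSTRAINT):
    """Every instruction in the interaction data must be an operation that the
    account's permission features allow on this node."""
    allowed = constraint.get((account, node), set())
    violations = [p for p in packets if p["op"] not in allowed]
    return not violations, violations


def verify_calibration_flow(node, packets, calibration=CALIBRATION_FLOW):
    """Compare the interaction data with the node's typical flow pattern: packet
    size, source and destination IP, protocol type and per-minute frequency.
    Returns (passed, list of issues, peak messages observed in one minute)."""
    prof = calibration[node]
    nets = [ipaddress.ip_network(n) for n in prof["source_nets"]]
    lo, hi = prof["packet_size"]
    issues, per_minute = [], Counter()
    for p in packets:
        if not lo <= p["size"] <= hi:
            issues.append(("packet_size", p))
        if not any(ipaddress.ip_address(p["src"]) in net for net in nets):
            issues.append(("source_ip", p))
        if p["dst"] != prof["destination_ip"]:
            issues.append(("destination_ip", p))
        if p["proto"] not in prof["protocols"]:
            issues.append(("protocol", p))
        per_minute[p["ts"].replace(second=0, microsecond=0)] += 1
    peak = max(per_minute.values(), default=0)
    if peak > prof["max_per_minute"]:
        issues.append(("frequency", peak))
    return not issues, issues, peak


def third_security_verification(account, node, packets):
    """Logical AND of both checks. The third stable value is an assumption here:
    how close the observed peak frequency came to the calibrated ceiling
    (0.0 = idle, 1.0 = at the ceiling), kept alongside the result for later use."""
    c_ok, violations = verify_trigger_constraint(account, node, packets)
    f_ok, issues, peak = verify_calibration_flow(node, packets)
    ceiling = CALIBRATION_FLOW[node]["max_per_minute"]
    return {
        "passed": c_ok and f_ok,
        "constraint_violations": violations,
        "flow_issues": issues,
        "stable_value": peak / ceiling,
    }


def _pkt(hh, mm, ss, op, size=128, src="10.10.2.15", dst="10.10.9.20", proto="modbus/tcp"):
    return {"ts": datetime(2023, 9, 14, hh, mm, ss), "op": op, "size": size,
            "src": src, "dst": dst, "proto": proto}


# Constructed interaction data captured for two access requests.
NORMAL_SESSION = [_pkt(9, 0, 5, "read"), _pkt(9, 0, 20, "read"), _pkt(9, 0, 40, "read")]
SUSPECT_SESSION = NORMAL_SESSION + [_pkt(9, 1, 2, "write", size=2048, src="192.168.1.5")]

if __name__ == "__main__":
    print(third_security_verification("operator01", "node-2", NORMAL_SESSION))
    print(third_security_verification("operator01", "node-2", SUSPECT_SESSION))
```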
And performing access security control through the first security verification result, the second security verification result and the third security verification result.
The first, second and third security verification results are combined, for example by a logical operation: if all verification results are passes, the access is judged secure and continues; if one or more of the results are rejected or abnormal, the access request may need to be interrupted or examined further.
Further, when all verification results are passes, a further judgement is made on the first, second and third stable values carried in the respective security verification results. For example, a stable threshold is set and each stable value is compared with it; if any stable value exceeds the stable threshold, an anomaly may still exist even though verification passed, and the access request may require further inspection, for example through measures that enhance security such as multi-factor authentication, audit control and continuous monitoring.
And executing access security control according to the judgment result, such as allowing or rejecting user access, recording security events, triggering an alarm mechanism, updating an access log and the like, and performing security control on access through three comprehensive security verification results to comprehensively consider a plurality of verification results, thereby improving the security and reliability of access so as to cope with various security threats and risks.
Further, the method further comprises:
recording abnormal access data, and carrying out abnormal classification on the abnormal access data, wherein a classification label comprises early warning abnormality and suspected abnormality;
Generating a linkage verification instruction according to the abnormal classification result, and matching an auxiliary user associated with the access request through the linkage verification instruction;
and acquiring an auxiliary authentication result of the auxiliary user, and performing access security control according to the auxiliary authentication result and the abnormal classification result.
The system identifies and records abnormal access data by monitoring access behavior in the industrial control network, including access logs, network traffic data, abnormal event reports, and the like. And carrying out abnormal classification on the abnormal access data by analyzing factors such as access modes, authority behaviors, time intervals, abnormal events and the like, and setting corresponding labels for each classification according to the abnormal classification result, such as early warning abnormality and suspected abnormality, wherein the labels are used for indicating different levels and risk degrees of the abnormal access data.
For the different anomaly classification labels in the classification result, corresponding rules for generating linkage verification instructions are formulated. These rules define the conditions under which, and the manner in which, additional security verification measures are triggered through linkage verification instructions; for example, an early warning anomaly is the more serious case, so its threshold for triggering additional verification is lower and the triggered additional verification is more complex. Corresponding linkage verification instructions are generated according to the anomaly classification result and these generation rules; the instructions specify additional verification layers, identity authentication modes or other security verification measures.
The linkage verification instruction is associated with an auxiliary user related to the access request, the auxiliary user can be a user with a higher authority level than the target user, and the auxiliary user receives the corresponding linkage verification instruction to trigger an additional verification level and safety measures so as to ensure the credibility of the auxiliary user, so that the safety verification and control of abnormal access behaviors are enhanced, and the access safety of an industrial control network is improved.
Through the auxiliary authentication mechanism triggered by the linkage verification instruction, the auxiliary user performs additional authentication or other security verification steps, such as biometric identification or independent device authentication, and an auxiliary authentication result is obtained. According to the auxiliary authentication result and the anomaly classification result, the system makes access security control decisions, including access authorisation, access refusal, security log recording and other operations, so that only legitimate users and normal behaviours obtain access rights.
Further, the method further comprises:
if dangerous access early warning is generated according to the first safety verification result, the second safety verification result and the third safety verification result, matching an association triggering coefficient and an association time period according to an early warning value;
If other access is available in the association time period, performing early warning verification on the newly added access through the association trigger coefficient;
performing association evaluation on the newly added access and the access request, and generating auxiliary authentication based on an association evaluation result;
and finishing access security control of the newly added access according to the early warning verification result and the auxiliary authentication result.
Based on the first security verification result, the second security verification result and the third security verification result, comprehensive analysis is performed, for example, the first stable value, the second stable value and the third stable value are weighted and summed, an early warning threshold value is preset according to a system security policy, the calculated result is compared with the preset early warning threshold value, when the calculated result exceeds the preset early warning threshold value, dangerous access early warning is generated, and an early warning value is generated according to the calculated result.
According to the early warning value, matching a corresponding association triggering coefficient and an association time period, wherein the association triggering coefficient is a coefficient related to the early warning value and is used for setting a threshold for triggering early warning verification; the associated time period is a time period in which response measures need to be observed or taken after the early warning is triggered.
Within the association time period, it is detected whether other access events exist, including access requests from other users or devices. If other access events occur within the association time period and the early warning trigger condition is met, the early warning threshold is lowered according to the set association trigger coefficient, so that the newly added access event is handled more sensitively than under normal conditions and potential risks or abnormal behaviours are identified and warned of more readily. Early warning verification is then performed on the newly added access against the lowered threshold to ensure its security and compliance.
And performing association evaluation to judge the association between the newly added access and the access request, for example, comparing the access mode, the equipment attribute and the like to determine whether the newly added access and the access request are associated with each other, and generating auxiliary authentication according to the result of the association evaluation for further verifying the security of the newly added access. The secondary authentication may be an additional verification measure such as multi-factor authentication, two-time password validation, biometric identification, etc., for providing an additional level of verification.
Based on the comprehensive analysis of the early warning verification result and the auxiliary authentication result, the access security control of the newly added access is completed, so that the newly added access is controlled and judged more accurately and reliably.
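The combination of the three verification results with the stable threshold described at the start of this access security control step, together with the early warning, association period and auxiliary authentication flow just described, as one added example that is not the patent's code: the thresholds, weights, association tiers, request attributes and the two-shared-features association rule are assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy constants: the patent leaves thresholds and weights to the
# system security policy.
STABLE_THRESHOLD = 0.8             # stable value above this => further inspection
EARLY_WARNING_THRESHOLD = 0.6      # weighted stable sum above this => early warning
WEIGHTS = {"first": 0.5, "second": 0.3, "third": 0.2}


def access_security_control(results, stable_threshold=STABLE_THRESHOLD):
    """results: {'first'|'second'|'third': {'passed': bool, 'stable_value': float}}.
    Logical AND of the three verification results; when all pass, a stable value
    above the threshold still sends the request to further inspection."""
    if not all(r["passed"] for r in results.values()):
        return "deny"
    if any(r["stable_value"] > stable_threshold for r in results.values()):
        return "further_inspection"
    return "allow"


def early_warning_value(results, weights=WEIGHTS):
    """Weighted sum of the three stable values."""
    return sum(w * results[k]["stable_value"] for k, w in weights.items())


def dangerous_access_early_warning(results, threshold=EARLY_WARNING_THRESHOLD):
    """Return the early warning value when it exceeds the threshold, else None."""
    value = early_warning_value(results)
    return value if value > threshold else None


def match_association(warning_value):
    """Map an early warning value to (association trigger coefficient,
    association time period). Tiers are assumptions: a higher warning value
    lowers the threshold further and keeps the window open longer."""
    if warning_value >= 0.8:
        return 0.5, timedelta(minutes=30)
    return 0.75, timedelta(minutes=10)


def early_warning_verification(new_results, warning_ts, warning_value, new_ts):
    """Judge a newly added access that arrives inside the association period with
    the stable threshold scaled down by the association trigger coefficient."""
    coeff, period = match_association(warning_value)
    in_window = warning_ts <= new_ts <= warning_ts + period
    threshold = STABLE_THRESHOLD * coeff if in_window else STABLE_THRESHOLD
    return access_security_control(new_results, threshold), in_window


def association_evaluation(warned_request, new_request):
    """Judge whether two access requests are associated by comparing access mode
    and device attributes (assumed features); two or more shared => associated."""
    shared = sum(warned_request[k] == new_request[k]
                 for k in ("access_node", "source_subnet", "device_type", "access_mode"))
    return shared >= 2


def finish_new_access_control(ew_decision, associated, auxiliary_auth_passed):
    """Combine early warning verification with auxiliary authentication: an
    associated or flagged new access is allowed only after the auxiliary
    authentication (multi-factor, biometric, etc.) succeeds."""
    if ew_decision == "deny":
        return "deny"
    if ew_decision == "further_inspection" or associated:
        return "allow" if auxiliary_auth_passed else "deny"
    return "allow"


# Constructed results for the original request and a new access 5 minutes later.
WARNED_RESULTS = {"first": {"passed": True, "stable_value": 0.9},
                  "second": {"passed": True, "stable_value": 0.7},
                  "third": {"passed": True, "stable_value": 0.4}}
NEW_RESULTS = {"first": {"passed": True, "stable_value": 0.4},
               "second": {"passed": True, "stable_value": 0.7},
               "third": {"passed": True, "stable_value": 0.2}}
WARNED_REQUEST = {"access_node": "node-2", "source_subnet": "10.10.2.0/24",
                  "device_type": "engineering_station", "access_mode": "write"}
NEW_REQUEST = {"access_node": "node-2", "source_subnet": "10.10.2.0/24",
               "device_type": "laptop", "access_mode": "read"}
WARNING_TS = datetime(2023, 9, 14, 9, 0)
NEW_TS = datetime(2023, 9, 14, 9, 5)
LATE_TS = datetime(2023, 9, 14, 9, 30)   # outside the 10-minute association period

if __name__ == "__main__":
    warning = dangerous_access_early_warning(WARNED_RESULTS)
    decision, in_window = early_warning_verification(NEW_RESULTS, WARNING_TS, warning, NEW_TS)
    associated = association_evaluation(WARNED_REQUEST, NEW_REQUEST)
    print(decision, in_window, associated,
          finish_new_access_control(decision, associated, auxiliary_auth_passed=True))
```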
In summary, the access security control method and system for the industrial control network provided by the embodiment of the application have the following technical effects:
1. by establishing the calibration flow data of the N-level access node, extracting the normalized flow characteristics and combining the access characteristics of the user account, abnormal access and legal access can be more accurately identified, and the access security of the industrial control network is improved;
2. by configuring the adaptive authority characteristics of the user account and the N-level access node and generating the triggering constraint of the account and the data, the accurate matching and control of the access authority are realized, and the access management and control effect of the industrial control network is improved;
3. By performing access characteristic matching and verification database reconstruction on the access request and combining user track information and interactive data verification, real-time access verification and safety control are realized, and the real-time monitoring and response capability of the industrial control network is enhanced.
In summary, the method effectively solves the problems of lack of normalized access data, inaccurate analysis of user behavior patterns, difficult access right matching and maintenance of verification databases, and achieves higher access security, accurate access right control, real-time verification and security control.
Embodiment two:
based on the same inventive concept as the access security control method for an industrial control network in the foregoing embodiments, as shown in fig. 2, the present application provides an access security control system for an industrial control network, the system comprising:
a calibration flow establishing module 10, wherein the calibration flow establishing module 10 is used for establishing calibration flow data corresponding to N-level access nodes, each level of access node corresponds to an industrial control device, and the calibration flow data is established by extracting flow characteristics of the normalized N-level access nodes;
an access characteristic establishing module 20, where the access characteristic establishing module 20 is configured to establish access characteristics of a user account, where the access characteristics include a frequent access interval characteristic, an edge access interval characteristic, and a non-access interval characteristic;
The authority feature configuration module 30 is configured to configure the adapting authority feature of the user account and the N-level access node, and generate triggering constraint of the account and the data;
the access characteristic matching module 40 is used for performing the access characteristic matching according to the access request when the user executes the access of the N-level access node, and reconstructing the verification database according to the matching result, the access node and the access request;
the access verification module 50 is configured to perform access verification on the access request with the verification database, and generate a first security verification result;
the track verification module 60 is configured to invoke user track information corresponding to the access request, and generate a second security verification result according to the user track information;
the data verification module 70 is configured to perform data verification of the interaction data through the triggering constraint and the calibration flow data, and generate a third security verification result;
and a security control module 80, wherein the security control module 80 is configured to perform access security control according to the first security verification result, the second security verification result, and the third security verification result.
Further, the system further comprises a second verification result generation module for executing the following operation steps:
accessing a unique positioning device of a target user, and extracting a track path of the unique positioning device;
performing path abnormality verification on the track path to generate a basic track verification result;
according to the path nodes of the track path, a time node image database is called, and an auxiliary track verification result is generated;
and generating a second security verification result through the basic track verification result and the auxiliary track verification result.
Further, the system also comprises an image database construction module for executing the following operation steps:
setting a time attenuation correlation factor, wherein the time attenuation correlation factor is a trusted correlation factor taking an access verification node as a zero point and the time before the zero point as an attenuation direction;
determining a time node of the authenticatable image and authentication equipment according to the path node;
and calling a preset number of time nodes and the authentication equipment by taking the time attenuation correlation factors as random probability, and establishing the time node image database.
Further, the system also comprises an access security control module to perform the following operation steps:
If dangerous access early warning is generated according to the first safety verification result, the second safety verification result and the third safety verification result, matching an association triggering coefficient and an association time period according to an early warning value;
if other access is available in the association time period, performing early warning verification on the newly added access through the association trigger coefficient;
performing association evaluation on the newly added access and the access request, and generating auxiliary authentication based on an association evaluation result;
and finishing access security control of the newly added access according to the early warning verification result and the auxiliary authentication result.
Further, the system also comprises a database reconstruction module for executing the following operation steps:
determining node basic level characteristics of the N-level access nodes;
determining account grade characteristics of the account according to the user account;
calling the node basic grade characteristics and the account grade characteristics through an access request and an access node to generate verification constraint;
and completing verification database reconstruction according to the verification constraint and the matching result.
Further, the system also comprises a calibration flow data construction module for executing the following operation steps:
calling the flow data of the normalized N-level access nodes from the interaction control database;
analyzing the flow data and establishing a mapping label of a user and an N-level access node;
taking a user as a cluster classification constraint, and executing flow characteristic extraction of each classification cluster;
and constructing the calibration flow data according to the flow characteristics.
Further, the system also comprises an access security control module to perform the following operation steps:
recording abnormal access data, and carrying out abnormal classification on the abnormal access data, wherein a classification label comprises early warning abnormality and suspected abnormality;
generating a linkage verification instruction according to the abnormal classification result, and matching an auxiliary user associated with the access request through the linkage verification instruction;
and acquiring an auxiliary authentication result of the auxiliary user, and performing access security control according to the auxiliary authentication result and the abnormal classification result.
Since the access security control method for the industrial control network has been described in detail above and will be clear to those skilled in the art, the system disclosed in this embodiment is described only briefly; for relevant details, refer to the description of the method.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. An access security control method for an industrial control network, the method comprising:
establishing calibration flow data corresponding to N-level access nodes, wherein each level of access node corresponds to an industrial control device, and the calibration flow data is constructed by extracting flow characteristics of the normalized N-level access nodes;
establishing access characteristics of a user account, wherein the access characteristics comprise frequent access interval characteristics, edge access interval characteristics and non-access interval characteristics;
configuring the adapting authority characteristics of a user account and the N-level access node, and generating triggering constraint of the account and data;
When a user executes access of an N-level access node, carrying out the access characteristic matching according to an access request, and reconstructing a verification database according to a matching result, the access node and the access request;
performing access verification on the access request by using the verification database, and generating a first security verification result;
invoking user track information corresponding to the access request, and generating a second security verification result according to the user track information;
performing data verification of interaction data through the triggering constraint and the calibration flow data to generate a third safety verification result;
and performing access security control through the first security verification result, the second security verification result and the third security verification result.
2. The method of claim 1, wherein the method further comprises:
accessing a unique positioning device of a target user, and extracting a track path of the unique positioning device;
performing path abnormality verification on the track path to generate a basic track verification result;
according to the path nodes of the track path, a time node image database is called, and an auxiliary track verification result is generated;
and generating a second security verification result through the basic track verification result and the auxiliary track verification result.
3. The method of claim 2, wherein the method further comprises:
setting a time attenuation correlation factor, wherein the time attenuation correlation factor is a trusted correlation factor taking an access verification node as a zero point and the time before the zero point as an attenuation direction;
determining a time node of the authenticatable image and authentication equipment according to the path node;
and calling a preset number of time nodes and the authentication equipment by taking the time attenuation correlation factors as random probability, and establishing the time node image database.
4. The method of claim 1, wherein the method further comprises:
if dangerous access early warning is generated according to the first safety verification result, the second safety verification result and the third safety verification result, matching an association triggering coefficient and an association time period according to an early warning value;
if other access is available in the association time period, performing early warning verification on the newly added access through the association trigger coefficient;
performing association evaluation on the newly added access and the access request, and generating auxiliary authentication based on an association evaluation result;
and finishing access security control of the newly added access according to the early warning verification result and the auxiliary authentication result.
5. The method of claim 1, wherein the method further comprises:
determining node basic level characteristics of the N-level access nodes;
determining account grade characteristics of the account according to the user account;
calling the node basic grade characteristics and the account grade characteristics through an access request and an access node to generate verification constraint;
and completing verification database reconstruction according to the verification constraint and the matching result.
6. The method of claim 1, wherein the method further comprises:
calling the flow data of the normalized N-level access nodes from the interaction control database;
analyzing the flow data and establishing a mapping label of a user and an N-level access node;
taking a user as a cluster classification constraint, and executing flow characteristic extraction of each classification cluster;
and constructing the calibration flow data according to the flow characteristics.
7. The method of claim 1, wherein the method further comprises:
recording abnormal access data, and carrying out abnormal classification on the abnormal access data, wherein a classification label comprises early warning abnormality and suspected abnormality;
generating a linkage verification instruction according to the abnormal classification result, and matching an auxiliary user associated with the access request through the linkage verification instruction;
And acquiring an auxiliary authentication result of the auxiliary user, and performing access security control according to the auxiliary authentication result and the abnormal classification result.
8. An access security control system for an industrial control network, for implementing the access security control method for an industrial control network according to any one of claims 1 to 7, comprising:
a calibration flow establishing module, wherein the calibration flow establishing module is used for establishing calibration flow data corresponding to N-level access nodes, each level of access node corresponds to an industrial control device, and the calibration flow data is established by extracting flow characteristics of the normalized N-level access nodes;
the access characteristic establishing module is used for establishing access characteristics of the user account, wherein the access characteristics comprise frequent access interval characteristics, edge access interval characteristics and non-access interval characteristics;
the authority feature configuration module is used for configuring the adaptive authority features of the user account and the N-level access node and generating triggering constraint of the account and the data;
the access characteristic matching module is used for carrying out the access characteristic matching according to the access request when the user executes the access of the N-level access node, and reconstructing the verification database according to the matching result, the access node and the access request;
The access verification module is used for carrying out access verification on the access request by using the verification database and generating a first security verification result;
the track verification module is used for calling the user track information corresponding to the access request and generating a second security verification result according to the user track information;
the data verification module is used for carrying out data verification of the interaction data through the triggering constraint and generating a third security verification result;
and the security control module is used for performing access security control through the first security verification result, the second security verification result and the third security verification result.
CN202311182076.6A 2023-09-14 2023-09-14 Access security control method and system for industrial control network Active CN116915515B (en)

Publications (2)

Publication Number Publication Date
CN116915515A CN116915515A (en) 2023-10-20
CN116915515B true CN116915515B (en) 2023-11-10

Family

ID=88351515

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311182076.6A Active CN116915515B (en) 2023-09-14 2023-09-14 Access security control method and system for industrial control network

Country Status (1)

Country Link
CN (1) CN116915515B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117221015B (en) * 2023-11-09 2024-01-05 Beijing Dongfang Sentai Technology Development Co ltd Industrial control host safety management method based on block chain technology

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9516053B1 (en) * 2015-08-31 2016-12-06 Splunk Inc. Network security threat detection by user/user-entity behavioral analysis
CN107580767A (en) * 2015-03-12 2018-01-12 EyeLock LLC Methods and systems for managing network activity using biometrics
CN113904811A (en) * 2021-09-16 2022-01-07 Shenzhen Power Supply Bureau Co., Ltd. Anomaly detection method and device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110047628A1 (en) * 2007-06-13 2011-02-24 Videntity Systems, Inc. Identity verification and information management

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107580767A (en) * 2015-03-12 2018-01-12 EyeLock LLC Methods and systems for managing network activity using biometrics
US9516053B1 (en) * 2015-08-31 2016-12-06 Splunk Inc. Network security threat detection by user/user-entity behavioral analysis
CN113904811A (en) * 2021-09-16 2022-01-07 Shenzhen Power Supply Bureau Co., Ltd. Anomaly detection method and device, computer equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and practice of active defense technology for industrial control system network security; Shi Yongjie et al.; Information Technology and Network Security (No. 04); pp. 13-18 *

Also Published As

Publication number Publication date
CN116915515A (en) 2023-10-20

Similar Documents

Publication Publication Date Title
CN111245793A (en) Method and device for analyzing anomalies in network data
CN111917714B (en) Zero trust architecture system and use method thereof
CN108989150A (en) Login anomaly detection method and device
CN115733681A (en) Data security management platform for preventing data loss
CN110020687B (en) Abnormal behavior analysis method and device based on operator situation perception portrait
CN116915515B (en) Access security control method and system for industrial control network
CN110851872B (en) Risk assessment method and device for private data leakage
CN112543196A (en) Network threat information sharing platform based on block chain intelligent contract
CN110912855A (en) Block chain architecture security assessment method and system based on a penetration test case set
CN113962787A (en) Safety protection method for financial information
CN116633615A (en) Access control method based on blockchain and risk assessment
CN114338105B (en) Zero trust based system for creating a bastion host
Bortolameotti et al. Headprint: detecting anomalous communications through header-based application fingerprinting
KR20090044202A (en) System and method for processing security for webservices detecting evasion attack by roundabout way or parameter alteration
CN117081868B (en) Network security operation method based on security policy
JP4843546B2 (en) Information leakage monitoring system and information leakage monitoring method
CN112287345A (en) Credible edge computing system based on intelligent risk detection
CN110958236A (en) Dynamic authorization method of operation and maintenance auditing system based on risk factor insight
CN114205118B (en) Data access control analysis method based on data security method category
US20210209067A1 (en) Network activity identification and characterization based on characteristic active directory (ad) event segments
Xi et al. Quantitative threat situation assessment based on alert verification
Hakkoymaz Classifying Database Users for Intrusion Prediction and Detection in Data Security
CN111585953A (en) Method and system for judging network access validity of local area network terminal equipment
CN117478441B (en) Dynamic access control method and system based on intelligent analysis of user behaviors
CN116541815B (en) Computer equipment operation and maintenance data safety management system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant