CN116980468B - Asset discovery and management method, device, equipment and medium in industrial control environment - Google Patents


Info

Publication number
CN116980468B
Authority
CN
China
Prior art keywords
asset
network
assets
additional information
target
Prior art date
Legal status
Active
Application number
CN202311211972.0A
Other languages
Chinese (zh)
Other versions
CN116980468A (en)
Inventor
曲星宇
汪义舟
姜海昆
范宇
Current Assignee
Changyang Technology Beijing Co ltd
Original Assignee
Changyang Technology Beijing Co ltd
Priority date
Filing date
Publication date
Application filed by Changyang Technology Beijing Co ltd
Priority to CN202311211972.0A
Publication of CN116980468A
Application granted
Publication of CN116980468B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L63/102 Entity profiles
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L63/105 Multiple levels of security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1433 Vulnerability analysis
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40 Network security protocols

Abstract

The present invention relates to the field of asset management technology, and in particular to a method, apparatus, device and medium for discovering and managing assets in an industrial control environment. The method comprises the following steps: collecting information on network assets and non-network assets in an industrial control environment by a manual import mode and an automatic discovery mode, and generating a fingerprint and additional information for each asset, where the assets include network assets and non-network assets; merging the collected assets and updating their additional information based on the fingerprint and additional information of each asset, so as to generate an asset library; and, after the asset library is generated, acquiring target network assets and target non-network assets in the industrial control environment by the automatic discovery mode, so that the asset library can be used to determine whether the target network assets and target non-network assets are suspicious assets, and the target assets can then be further managed and handled. The scheme can achieve end-to-end reliability of the control system and greatly improve the security level of the industrial control network.

Description

Asset discovery and management method, device, equipment and medium in industrial control environment
Technical Field
The embodiment of the invention relates to the technical field of asset management, in particular to a method, a device, equipment and a medium for discovering and managing assets in an industrial control environment.
Background
Existing asset management methods are limited to network assets such as switches, hosts and servers; their discovery methods, active probing and passive probing, can discover only network device assets. Existing asset discovery and management methods therefore have limited asset coverage: they cover only network equipment and cannot manage industrial control equipment, video surveillance equipment and the like.
In addition, existing asset management methods require the discovered assets to be manually de-duplicated and merged, which introduces large management errors. For example, multi-port devices such as switches and servers have multiple network cards, multiple IPs and multiple MACs, and these are identified as multiple assets, so that several asset records can point to the same device; management efficiency is therefore low and accuracy is poor.
Therefore, a new method for discovering and managing assets in an industrial control environment is needed.
Disclosure of Invention
In order to solve the problems of low management efficiency and poor accuracy caused by the fact that the existing asset discovery and management method is small in asset coverage and lacks coverage of non-network assets, the embodiment of the invention provides an asset discovery and management method, device, equipment and medium in an industrial control environment.
In a first aspect, an embodiment of the present invention provides a method for discovering and managing assets in an industrial control environment, where the method is applied to a server, and the method includes:
collecting information on network assets and non-network assets in the industrial control environment by a manual import mode and an automatic discovery mode, and generating a fingerprint and additional information for each asset; wherein the assets include network assets and non-network assets;
merging the collected assets and updating the additional information based on the fingerprint and additional information of each asset, so as to generate an asset library;
after the asset library is generated, acquiring target network assets and target non-network assets in the industrial control environment by the automatic discovery mode, so as to determine, using the asset library, whether the target network assets and target non-network assets are suspicious assets, and so as to further manage and handle the target network assets and target non-network assets.
In a second aspect, an embodiment of the present invention further provides an apparatus for discovering and managing assets in an industrial control environment, where the apparatus is disposed on a server, and the apparatus includes:
an acquisition unit, configured to collect information on network assets and non-network assets in the industrial control environment by a manual import mode and an automatic discovery mode, and to generate a fingerprint and additional information for each asset; wherein the assets include network assets and non-network assets;
a generation unit, configured to merge the collected assets and update the additional information based on the fingerprint and additional information of each asset, so as to generate an asset library;
and a management unit, configured to acquire, after the asset library is generated, target network assets and target non-network assets in the industrial control environment by the automatic discovery mode, so as to determine, using the asset library, whether the target network assets and target non-network assets are suspicious assets, and so as to further manage and handle the target network assets and target non-network assets.
The embodiment of the invention provides a method, device, equipment and medium for discovering and managing assets in an industrial control environment. Information on network assets and non-network assets in the industrial control environment is collected by a manual import mode and an automatic discovery mode, which enlarges asset coverage so that network equipment and non-network equipment can be managed at the same time. The collected assets are merged automatically and their additional information is updated automatically on the basis of each asset's fingerprint and additional information, generating an asset library. Once the asset library exists, target network assets and target non-network assets in the industrial control environment can be acquired by the automatic discovery mode, and suspicious assets among them can be detected automatically against the asset library. The method therefore merges and updates duplicate assets automatically, improving the management efficiency and accuracy of the asset library, and can automatically detect, manage and handle suspicious assets using the asset library.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for asset discovery and management in an industrial control environment according to one embodiment of the present invention;
FIG. 2 is a hardware architecture diagram of a computing device according to one embodiment of the present invention;
fig. 3 is a block diagram of an apparatus for discovering and managing assets in an industrial control environment according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by those skilled in the art without making any inventive effort based on the embodiments of the present invention are within the scope of protection of the present invention.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a method for discovering and managing assets in an industrial control environment, which is applied to a server, and the method includes:
step 100, collecting information on network assets and non-network assets in the industrial control environment by a manual import mode and an automatic discovery mode, and generating a fingerprint and additional information for each asset; wherein the assets include network assets and non-network assets;
step 102, merging the collected assets and updating the additional information based on the fingerprint and additional information of each asset, so as to generate an asset library;
step 104, after the asset library is generated, acquiring target network assets and target non-network assets in the industrial control environment by the automatic discovery mode, so as to determine, using the asset library, whether the target network assets and target non-network assets are suspicious assets, and so as to further manage and handle the target network assets and target non-network assets.
In the embodiment of the invention, information on network assets and non-network assets in the industrial control environment is collected by a manual import mode and an automatic discovery mode, which enlarges asset coverage so that network equipment and non-network equipment can be managed at the same time. The collected assets are merged automatically and their additional information is updated automatically on the basis of each asset's fingerprint and additional information, generating an asset library. Once the asset library exists, target network assets and target non-network assets in the industrial control environment can be acquired by the automatic discovery mode, and suspicious assets among them can be detected automatically against the asset library. The method therefore merges and updates duplicate assets automatically, improving the management efficiency and accuracy of the asset library, and can automatically detect, manage and handle suspicious assets using the asset library.
For step 100:
in some embodiments, the manual import mode includes a manual entry mode, a batch import mode, and a vulnerability scanning result import mode;
the step of collecting information on network assets and non-network assets in the industrial control environment by the manual import mode and generating fingerprints and additional information for the assets comprises the following steps:
importing the additional information of network assets and non-network assets by the manual entry mode, the batch import mode and the vulnerability scanning result import mode; wherein the additional information comprises at least IP, device model, manufacturer and serial number;
for each asset imported, perform:
based on the additional information of the current asset, acquiring detailed data of the current asset by the SNMP protocol; wherein the detailed data comprises at least: basic system information, machine name, contact, number of network interfaces, network interface type, and the physical address of each interface;
when the acquisition succeeds, using the acquired detailed data as the fingerprint of the current asset;
and when the acquisition fails, using the device model, manufacturer and serial number in the additional information of the current asset as the fingerprint of the current asset.
In this embodiment, to make the generated asset library more complete and accurate and to cover both network assets and non-network assets, a manual entry mode, a batch import mode and a vulnerability scanning result import mode are used first. In the manual entry mode the additional information is filled in by hand and comprises at least IP, device model, manufacturer, serial number and so on; in the batch import mode, network assets and non-network assets are imported in bulk using an asset import template; in the vulnerability scanning result import mode, the vulnerability scan results of network products such as firewalls are exported and then imported into the server. After the additional information of each imported asset has been obtained, the detailed data of each asset can be acquired automatically by the SNMP protocol. If the acquisition succeeds, the current asset is a network asset and the detailed data can be used directly as its fingerprint. If the acquisition fails, the current asset may be a non-network asset, or a network asset that does not support the SNMP protocol; in that case the device model + manufacturer + serial number from its additional information is used as its fingerprint, which makes merging and managing the assets in the asset library easier. Because more complete detailed data is obtained automatically through the SNMP protocol, this embodiment is on the one hand more efficient and accurate than manual processing, and on the other hand produces more detailed fingerprints, so that the asset merging in step 102 is more accurate and effective.
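The fingerprint rule just described (SNMP detailed data when the device answers, otherwise model + manufacturer + serial number) is shown below as an added example; it is not code from the patent or its assignee. The SNMP collector is represented by a caller-supplied function `collect_snmp(ip)`, here backed by the constructed table `FAKE_SNMP_TABLE`; the field names in `DETAIL_FIELDS`, the `Asset` dataclass and the sample import records are all assumptions made for illustration. The example goes slightly beyond the text in treating a partial SNMP answer as a failed acquisition, since a fingerprint built from incomplete data would not match the same device on a later collection.

```python
"""Fingerprint generation for manually imported assets (added example).

The SNMP collector is represented by a caller-supplied function
collect_snmp(ip) -> dict | None; this is an assumption for illustration,
and a real server would query the device over SNMP for the fields below.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Detailed data fields that a successful SNMP collection must provide
# (basic system information, machine name, contact, interface count,
# interface type, interface physical address).
DETAIL_FIELDS = ("system_info", "machine_name", "contact",
                 "interface_count", "interface_type", "physical_address")

# Minimum additional information every import record must carry.
REQUIRED_FIELDS = ("ip", "model", "vendor", "serial")


@dataclass
class Asset:
    additional: dict                 # imported additional information
    fingerprint: tuple               # key used later for merging
    detail: Optional[dict] = None    # SNMP detailed data, if obtained
    snmp_reachable: bool = False     # True => confirmed network asset


def validate_record(record: dict) -> dict:
    """Reject records missing required fields; normalise identifying strings."""
    missing = [k for k in REQUIRED_FIELDS if not str(record.get(k, "")).strip()]
    if missing:
        raise ValueError(f"import record missing fields: {missing}")
    clean = dict(record)
    for key in ("model", "vendor", "serial"):
        clean[key] = str(record[key]).strip().upper()
    return clean


def fingerprint_asset(record: dict,
                      collect_snmp: Callable[[str], Optional[dict]]) -> Asset:
    """SNMP detailed data when the device answers completely, otherwise
    model + vendor + serial from the imported additional information."""
    record = validate_record(record)
    try:
        detail = collect_snmp(record["ip"])
    except Exception:       # timeouts etc. count as an unsuccessful acquisition
        detail = None
    # A partial answer is treated as unsuccessful (assumption): an incomplete
    # fingerprint would not match the same device collected again later.
    if detail and all(k in detail and detail[k] not in (None, "") for k in DETAIL_FIELDS):
        fp = ("snmp",) + tuple(str(detail[k]) for k in DETAIL_FIELDS)
        return Asset(record, fp, detail, True)
    fp = ("mvs", record["model"], record["vendor"], record["serial"])
    return Asset(record, fp, None, False)


# Constructed sample: a fake SNMP collector backed by a lookup table.
FAKE_SNMP_TABLE = {
    "10.1.0.5": {"system_info": "CoreSwitch OS 4.2", "machine_name": "sw-core-1",
                 "contact": "ops", "interface_count": 48, "interface_type": "ethernet",
                 "physical_address": "00:11:22:33:44:55"},
    "10.1.0.9": {"system_info": "partial"},   # answers, but with incomplete data
}


def fake_collect_snmp(ip: str) -> Optional[dict]:
    return FAKE_SNMP_TABLE.get(ip)


SAMPLE_IMPORTS = [   # constructed import records
    {"ip": "10.1.0.5", "model": "CS-48", "vendor": "ExampleNet", "serial": "SN001"},
    {"ip": "10.1.0.9", "model": "CAM-2", "vendor": "ExampleCam", "serial": "sn002 "},
    {"ip": "10.1.0.77", "model": "PLC-300", "vendor": "ExamplePLC", "serial": "SN003"},
]


def fingerprint_imports(records=SAMPLE_IMPORTS, collect_snmp=fake_collect_snmp):
    return [fingerprint_asset(r, collect_snmp) for r in records]


if __name__ == "__main__":
    for a in fingerprint_imports():
        print(a.additional["ip"], a.snmp_reachable, a.fingerprint)
```

The first sample record yields an SNMP-based fingerprint, the second falls back to model + vendor + serial because the answer is incomplete, and the third falls back because the device does not answer at all. Normalising the model, vendor and serial strings before they become a fingerprint keeps a record typed as "sn002 " from becoming a separate asset in the library.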
In some embodiments, the step of "using an auto discovery method to collect information about network assets and non-network assets in an industrial control environment, and generating fingerprints and additional information of each asset" includes:
acquiring the data packets of all terminals in the industrial control environment, parsing the source-side data and destination-side data, and de-duplicating the source-side and destination-side data by source IP and destination IP, so as to obtain the additional information of the network assets;
based on the additional information of the network assets, acquiring detailed data of each network asset by the SNMP protocol, and using the acquired detailed data as the fingerprint of the corresponding network asset;
acquiring additional information of non-network assets reported by each terminal management and control device;
the device model number, vendor and serial number in the additional information of the non-network asset are used as fingerprints of the corresponding non-network asset.
In this embodiment, in order to expand the asset discovery scope and improve the integrity of the asset library, not only a manual import mode, but also an automatic discovery mode is added.
In particular, the auto-discovery approach is classified into network asset auto-discovery and non-network asset auto-discovery.
The network asset automatic discovery mode is as follows:
acquiring the data packets of all terminals in the industrial control environment and parsing the srcIP and srcMAC of the source side and the destIP and destMAC of the destination side as two groups of data. Because checking the data in real time would affect the running performance of the program, the check is performed once per minute, and the IP and MAC data collected within that minute are de-duplicated and merged to obtain the additional information of the network assets. Based on the additional information of the network assets, the detailed data of each network asset is acquired by the SNMP protocol, and the acquired detailed data is used as the fingerprint of the corresponding network asset.
The non-network asset automatic discovery mode is as follows:
acquiring the additional information of non-network assets reported by each terminal management and control device (such as security guard software); the device model, manufacturer and serial number in the additional information of the non-network asset are used as the fingerprint of the corresponding non-network asset.
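The network-asset automatic discovery mode, as an added example that is not the patent's code: the capture layer that parses frames into (timestamp, srcIP, srcMAC, destIP, destMAC) records is assumed to exist and is not shown, the packet records, `T0` and the address values are constructed, and the one-minute window is the check interval the text specifies. The example goes a little beyond the text by discarding broadcast and multicast endpoints (which are not assets) and by reporting an IP seen with more than one MAC inside the capture, which is the kind of conflict a responsible person would want to look at rather than have silently merged.

```python
"""Passive discovery of network assets from traffic records (added example).

Assumes a capture layer (not shown) already parsed each packet into
(timestamp, srcIP, srcMAC, destIP, destMAC); the records below are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
T0 = datetime(2024, 1, 1, 8, 0, 0)       # constructed capture start

SAMPLE_PACKETS = [   # (timestamp, srcIP, srcMAC, destIP, destMAC), constructed
    (T0 + timedelta(seconds=1),  "10.1.0.5",  "00:11:22:33:44:55", "10.1.0.20",   "AA:BB:CC:00:00:20"),
    (T0 + timedelta(seconds=2),  "10.1.0.20", "aa:bb:cc:00:00:20", "10.1.0.5",    "00:11:22:33:44:55"),
    (T0 + timedelta(seconds=3),  "10.1.0.20", "aa:bb:cc:00:00:20", "10.1.0.255",  BROADCAST_MAC),
    (T0 + timedelta(seconds=4),  "10.1.0.30", "aa:bb:cc:00:00:30", "224.0.0.251", "01:00:5e:00:00:fb"),
    (T0 + timedelta(seconds=5),  "10.1.0.30", "aa:bb:cc:00:00:31", "10.1.0.5",    "00:11:22:33:44:55"),
    (T0 + timedelta(seconds=59), "10.1.0.5",  "00:11:22:33:44:55", "10.1.0.30",   "aa:bb:cc:00:00:30"),
    (T0 + timedelta(seconds=61), "10.1.0.40", "aa:bb:cc:00:00:40", "10.1.0.5",    "00:11:22:33:44:55"),
]


def usable_endpoint(ip: str, mac: str) -> bool:
    """Broadcast, multicast and unspecified endpoints are not assets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    if mac.lower() == BROADCAST_MAC or addr.is_multicast or addr.is_unspecified:
        return False
    return True


def discover_window(packets, window_start, window=timedelta(minutes=1)):
    """One check: (IP, MAC) pairs seen in [window_start, window_start + window),
    de-duplicated, as the additional information of the network assets."""
    seen = defaultdict(set)
    for ts, sip, smac, dip, dmac in packets:
        if not (window_start <= ts < window_start + window):
            continue
        for ip, mac in ((sip, smac), (dip, dmac)):     # source side, destination side
            if usable_endpoint(ip, mac):
                seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items()}


def discover_all(packets=SAMPLE_PACKETS, window=timedelta(minutes=1)):
    """Run the once-per-minute check over the whole capture and merge the
    windows. Also returns IPs seen with more than one MAC, which deserve
    review (multi-homed host, address reuse, or a conflicting device)."""
    if not packets:
        return {}, []
    start = min(p[0] for p in packets)
    end = max(p[0] for p in packets)
    assets = defaultdict(set)
    t = start
    while t <= end:
        for ip, macs in discover_window(packets, t, window).items():
            assets[ip].update(macs)
        t += window
    assets = {ip: sorted(m) for ip, m in assets.items()}
    conflicts = sorted(ip for ip, m in assets.items() if len(m) > 1)
    return assets, conflicts


if __name__ == "__main__":
    found, review = discover_all()
    for ip, macs in sorted(found.items()):
        print(ip, macs)
    print("review:", review)
```

On the constructed capture this yields four network assets; the directed-broadcast frame and the mDNS multicast frame contribute nothing, and 10.1.0.30 is flagged for review because it appears with two different MACs.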
In some embodiments, before the step of "using the manual import mode and the automatic discovery mode to collect information on the network asset and the non-network asset in the industrial control environment", the method further includes:
adding groups to the manual import mode and the automatic discovery mode, and configuring an asset IP address range and a management responsible person for each group, so that the collected network assets and non-network assets are automatically assigned to the corresponding groups of the asset library according to the IP address ranges configured for the groups.
In this embodiment, groups are added to the manual import mode and the automatic discovery mode, and an asset IP address range and a management responsible person are configured for each group, so that the collected network assets and non-network assets can be automatically assigned to the corresponding groups of the asset library according to the IP address ranges configured for the groups, which facilitates hierarchical, domain-based management.
For step 102:
in some embodiments, step 102 may include:
for each asset, perform:
matching the fingerprint of the current asset with the fingerprints of known assets in the current asset library;
if the matching succeeds, checking the additional information of the current asset against the additional information of the matched known asset; if they are consistent, merging the current asset and the known asset into the same asset and storing it in the asset library;
if the additional information of the current asset is inconsistent with that of the matched known asset, calculating the credibility of the current asset and of the known asset respectively, so that after the two are merged into the same asset, the additional information of the asset with the higher credibility is used as the additional information of the merged asset, completing the merge of the current asset and the update of the additional information;
if the fingerprint of the current asset is not matched successfully, adding the current asset to the asset library as a new asset.
In this embodiment, the fingerprint of the current asset is matched against the fingerprints of the known assets in the current asset library. A successful match means the current asset and the known asset are the same asset and can be merged, but the additional information of the two may be inconsistent, in which case the additional information of the merged asset has to be updated. The additional information of the current asset is therefore checked against that of the matched known asset. If it is consistent, the current asset and the known asset are merged into the same asset, that is, the IP address and MAC address of the current asset are added to the IP addresses and MAC addresses of the known asset, so one asset can correspond to several IPs and MACs. If it is inconsistent, the credibility of the current asset and of the known asset is calculated respectively, and after the two are merged into the same asset, the additional information of the one with the higher credibility becomes the additional information of the merged asset, which updates the additional information. When the fingerprint of the current asset matches nothing, the asset library does not yet contain the current asset, and it is added to the asset library as a new asset. It will be appreciated that every imported asset has to be merged and updated against the known assets stored in the asset library at that time, so that an accurate and complete asset library is built up gradually.
In some embodiments, the additional information further includes asset type, management principal;
the trustworthiness of the current asset and the known asset is calculated by:
for both the current asset and the known asset, performing:
determining an importance level of the asset based on the number of times the asset appears at each terminal, the time of occurrence, and the number of terminals;
determining a target group based on the IP of the asset, and judging whether the target group is the same as the group of the asset in an asset library so as to determine a first trust value;
determining a target type of the asset based on whether detailed data of the asset can be acquired by the SNMP protocol, and then judging whether the target type is the same as the asset type recorded in the additional information of the asset, so as to determine a second trust value;
judging whether the management responsible person corresponding to the target group is the same as the management responsible person recorded in the additional information of the asset so as to determine a third trust value;
the trustworthiness of the asset is determined based on the importance of the asset, the first trust value, the second trust value, and the third trust value.
In this embodiment, the importance of an asset may be determined as follows. Step S1: obtain from the asset library the terminals at which the asset has appeared, and use the number of terminals as a first value. Step S2: count how many times the asset has appeared at each terminal in the last 7 days, scoring 3 when the asset appeared at the current terminal more than 20 times, 2 when it appeared more than 10 times, and 1 when it appeared 10 times or fewer, so as to count a second value for the asset. Step S3: record a third value according to whether the asset has been active for 10 days, 5 days or 0 days. Step S4: add the first value, the second value and the third value; the importance of the asset is 0.25 when the sum is 20 or more, 0.10 when the sum is at least 10 but less than 20, and 0 when the sum is less than 10.
Since the IP, group and additional information of a known asset stored in the asset library may change, whether through human changes, a virus attack or system reasons, it is necessary to re-check and re-judge the IP, target group, target type and management responsible person of the asset, and to compare the re-judged result with the previously generated group and additional information in order to judge the credibility of the asset.
Specifically, when the target group is the same as the group of the asset in the asset library, the first trust value is scored 0.25; when the target group differs from the group of the asset in the asset library, the first trust value is scored 0. The second trust value and the third trust value are scored in the same way. The importance of the asset, the first trust value, the second trust value and the third trust value are added to obtain the credibility of the asset. The credibility of the current asset and of the successfully matched known asset are thus calculated respectively; the current asset and the known asset are merged into the same asset, and the additional information of the one with the higher credibility is used as the additional information of the merged asset, so that the merge of the current asset and the update of its additional information are completed accurately and automatically.
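The following added example (not the patent's or the assignee's code) carries the merge procedure of step 102 and the credibility scoring above through in one piece, and also shows the IP-range grouping used for the first and third trust values. Assumptions: the asset dictionary layout (`fingerprint`, `snmp_reachable`, `additional`, `activity`), the `GROUPS` table and all sample assets are constructed; the text does not fully state the rule for the third value of the importance score, so it is taken as an input; the per-terminal scores of 3/2/1 are summed to form the second value; IP and MAC are excluded from the consistency check because the text folds them into per-asset lists; and a credibility tie keeps the record already in the library.

```python
"""Asset merging with credibility scoring (added example; not the patent's code).

Assumptions: an asset is a dict with 'fingerprint' (hashable), 'snmp_reachable',
'additional' (ip, mac, model, vendor, serial, asset_type, group, manager) and
'activity' ({'terminal_counts': {terminal: appearances in the last 7 days},
'third_value': int}). The third value's rule is not fully stated in the text,
so it is an input. GROUPS and the sample assets are constructed.
"""
import ipaddress

GROUPS = [("workshop-A", "10.1.0.0/24", "alice"),     # (group, IP range, responsible person)
          ("workshop-B", "10.1.1.0/24", "bob")]
CONSISTENCY_FIELDS = ("model", "vendor", "serial", "asset_type", "manager")


def group_for_ip(ip, groups=GROUPS):
    """Target group and its responsible person for an IP, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for name, cidr, manager in groups:
        if addr in ipaddress.ip_network(cidr):
            return name, manager
    return None, None


def importance(terminal_counts, third_value):
    """Steps S1-S4: terminal count + summed per-terminal scores + third value."""
    first = len(terminal_counts)
    second = sum(3 if n > 20 else 2 if n > 10 else 1
                 for n in terminal_counts.values())
    total = first + second + third_value
    return 0.25 if total >= 20 else 0.10 if total >= 10 else 0.0


def credibility(asset):
    """Importance plus three 0.25 trust values (group, type, responsible person)."""
    add, act = asset["additional"], asset["activity"]
    target_group, target_manager = group_for_ip(add["ip"])
    target_type = "network" if asset.get("snmp_reachable") else "non-network"
    t1 = 0.25 if target_group is not None and target_group == add.get("group") else 0.0
    t2 = 0.25 if target_type == add.get("asset_type") else 0.0
    t3 = 0.25 if target_manager is not None and target_manager == add.get("manager") else 0.0
    return importance(act["terminal_counts"], act["third_value"]) + t1 + t2 + t3


def consistent(a, b):
    return all(a.get(k) == b.get(k) for k in CONSISTENCY_FIELDS)


def _absorb_addresses(record, add):
    """One asset may own several IPs and MACs; collect them on the record."""
    if add.get("ip"):
        record["ips"].add(add["ip"])
    if add.get("mac"):
        record["macs"].add(add["mac"].lower())


def merge_asset(library, asset):
    """Step 102 for one asset; returns 'added', 'merged' or 'updated'."""
    fp = asset["fingerprint"]
    known = library.get(fp)
    if known is None:
        library[fp] = {**asset, "ips": set(), "macs": set()}
        _absorb_addresses(library[fp], asset["additional"])
        return "added"
    _absorb_addresses(known, asset["additional"])
    if consistent(known["additional"], asset["additional"]):
        return "merged"
    if credibility(asset) > credibility(known):    # more credible side wins; tie keeps known
        for key in ("additional", "activity", "snmp_reachable"):
            known[key] = asset.get(key)
    return "updated"


# Constructed samples: a switch seen on two ports, then a conflicting record.
SWITCH_A = {"fingerprint": ("snmp", "sw-core-1"), "snmp_reachable": True,
            "additional": {"ip": "10.1.0.5", "mac": "00:11:22:33:44:55", "model": "CS-48",
                           "vendor": "ExampleNet", "serial": "SN001", "asset_type": "network",
                           "group": "workshop-A", "manager": "alice"},
            "activity": {"terminal_counts": {"t1": 25, "t2": 12, "t3": 5}, "third_value": 10}}
SWITCH_B = {**SWITCH_A,
            "additional": {**SWITCH_A["additional"], "ip": "10.1.0.6", "mac": "00:11:22:33:44:56"},
            "activity": {"terminal_counts": {"t1": 3}, "third_value": 0}}
CONFLICT = {"fingerprint": ("snmp", "sw-core-1"), "snmp_reachable": False,
            "additional": {**SWITCH_A["additional"], "ip": "10.1.1.9",
                           "mac": "00:11:22:33:44:57", "manager": "carol"},
            "activity": {"terminal_counts": {"t9": 2}, "third_value": 0}}


def demo():
    library = {}
    results = [merge_asset(library, a) for a in (SWITCH_A, SWITCH_B, CONFLICT)]
    return results, library


if __name__ == "__main__":
    print(demo()[0], credibility(SWITCH_A), credibility(CONFLICT))
```

SWITCH_A scores 0.85 (importance 0.10 from a sum of 19, plus all three trust values), while CONFLICT scores 0: its IP falls in workshop-B, it does not answer SNMP although typed as a network asset, and its recorded responsible person does not match the group. The conflicting record is still folded into the same asset, but the library keeps the more credible additional information.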
For step 104:
in some embodiments, the step of "utilizing the asset library to determine whether the target network asset and the target non-network asset are suspicious assets to further manage and handle the target network asset and the target non-network asset" includes:
for each of the target network asset and the target non-network asset, performing:
generating a fingerprint of the current target asset; wherein the target assets include target network assets and target non-network assets;
matching the fingerprint of the current target asset with the fingerprint of the known asset in the asset library;
if the matching is successful, determining that the current target asset and the known asset which is successfully matched are the same asset, and updating the active time of the known asset;
if the matching is unsuccessful, determining the current target asset as a suspicious asset;
tracing the suspicious asset, and determining the management responsible person of the corresponding group according to the IP of the suspicious asset, so as to push the tracing result and the information data of the suspicious asset to that management responsible person for handling.
In this embodiment, after the asset library is generated, the target network assets and target non-network assets in the industrial control environment may be monitored by the automatic discovery mode to obtain their fingerprints and additional information, which are generated in the same way as in step 100. The fingerprint of each target network asset and target non-network asset is then matched against the fingerprints of the known assets in the asset library, and a target asset whose fingerprint matches nothing is determined to be a suspicious asset. After a suspicious asset is discovered, it may be managed and handled as follows. First the suspicious asset is traced: if it is a network device, its access relations and accessed-by relations are provided; if it is a pluggable device, a host list is provided. Then the tracing result and the information data of the suspicious asset are pushed to the management responsible person of the corresponding group, who verifies and confirms the suspicious asset: if it is the same asset as an existing asset in the asset library, it may be merged; if it is an asset that was inactive while the asset library was being generated, it is added to the asset library; and if it is confirmed to be a harmful asset, it is intercepted and handled accordingly.
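Step 104 as an added example, not the patent's code: each discovered target is matched against the library, a hit refreshes the known asset's active time, and a miss produces a suspicious-asset event with a tracing result that is routed to the responsible person of the group the IP falls in. Assumptions made here: the library record layout (`ips`, `last_active`, `status`), the `kind` field on targets, the constructed `FLOWS` (source, destination) relations and `HOST_REPORTS` (host, serial) pairs that stand in for the traffic and terminal-agent data, the `GROUPS` table, and `DEFAULT_NOTIFY` as the fallback when a suspicious asset carries no IP that matches a group. The `resolve` function records the responsible person's verdict (merge, add or block); the example goes beyond the text in giving blocked records a status so that a later sighting of the same fingerprint is reported as blocked rather than merely known.

```python
"""Monitoring after the asset library exists: suspicious-asset detection,
tracing and routing (added example; not the patent's code).

Assumptions: library maps fingerprint -> record with 'ips', 'last_active',
'status'; a target carries 'kind' ('network' or 'pluggable'); FLOWS and
HOST_REPORTS are constructed stand-ins for traffic and terminal-agent data.
"""
import ipaddress
from datetime import datetime

GROUPS = [("workshop-A", "10.1.0.0/24", "alice"),     # constructed grouping config
          ("workshop-B", "10.1.1.0/24", "bob")]
DEFAULT_NOTIFY = "asset-admin"                        # assumption: no matching group


def group_manager(ip):
    if not ip:
        return None, None
    addr = ipaddress.ip_address(ip)
    for name, cidr, manager in GROUPS:
        if addr in ipaddress.ip_network(cidr):
            return name, manager
    return None, None


def trace(target, flows, host_reports):
    """Tracing result: access relations for a network device, otherwise the
    list of hosts that reported the pluggable device."""
    add = target["additional"]
    if target["kind"] == "network":
        return {"accesses": sorted({d for s, d in flows if s == add["ip"]}),
                "accessed_by": sorted({s for s, d in flows if d == add["ip"]})}
    return {"hosts": sorted(h for h, serial in host_reports if serial == add["serial"])}


def check_target(library, target, now, flows, host_reports):
    """Known assets get their active time refreshed, blocked ones are reported
    as such, unmatched ones become suspicious events for a responsible person."""
    known = library.get(target["fingerprint"])
    if known is not None:
        if known.get("status") == "blocked":
            return {"status": "blocked", "target": target}
        known["last_active"] = now
        return {"status": "known", "target": target}
    group, manager = group_manager(target["additional"].get("ip"))
    return {"status": "suspicious", "group": group,
            "notify": manager or DEFAULT_NOTIFY,
            "trace": trace(target, flows, host_reports), "target": target}


def resolve(library, event, decision, now, merge_into=None):
    """Apply the responsible person's verdict: merge into an existing asset,
    add as a confirmed (previously inactive) asset, or block it."""
    target = event["target"]
    ip = target["additional"].get("ip")
    if decision == "merge":
        record = library[merge_into]
    elif decision in ("add", "block"):
        record = library.setdefault(target["fingerprint"],
                                    {"additional": target["additional"], "ips": set()})
        record["status"] = "active" if decision == "add" else "blocked"
    else:
        raise ValueError(f"unknown decision {decision!r}")
    if ip:
        record["ips"].add(ip)
    record["last_active"] = now
    return library


# Constructed sample data.
NOW = datetime(2024, 1, 2, 9, 0)
FLOWS = [("10.1.0.77", "10.1.0.5"), ("10.1.0.20", "10.1.0.77")]   # (src, dst)
HOST_REPORTS = [("host-12", "U123"), ("host-13", "U999")]          # (host, serial)
TARGETS = [
    {"fingerprint": ("snmp", "sw-core-1"), "kind": "network", "additional": {"ip": "10.1.0.5"}},
    {"fingerprint": ("mvs", "PLC-300", "EXAMPLEPLC", "SN777"), "kind": "network",
     "additional": {"ip": "10.1.0.77", "model": "PLC-300", "serial": "SN777"}},
    {"fingerprint": ("mvs", "USB-DISK", "EXAMPLEUSB", "U123"), "kind": "pluggable",
     "additional": {"model": "USB-DISK", "serial": "U123"}},
]


def demo():
    library = {("snmp", "sw-core-1"): {"additional": {"ip": "10.1.0.5"}, "ips": {"10.1.0.5"},
                                       "last_active": datetime(2024, 1, 1), "status": "active"}}
    events = [check_target(library, t, NOW, FLOWS, HOST_REPORTS) for t in TARGETS]
    return events, library


if __name__ == "__main__":
    for e in demo()[0]:
        print(e["status"], e.get("notify"), e.get("trace"))
```

On the constructed data the switch is recognised and its active time refreshed, the unknown PLC at 10.1.0.77 becomes a suspicious asset routed to alice with its access relations, and the USB disk, which has no IP, is routed to the fallback contact together with the host that reported it.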
As shown in fig. 2 and fig. 3, an embodiment of the invention provides an apparatus for discovering and managing assets in an industrial control environment. The apparatus embodiment may be implemented by software, by hardware, or by a combination of hardware and software. On the hardware side, fig. 2 shows the hardware architecture of the computing device on which the asset discovery and management apparatus of this embodiment is located; besides the processor, memory, network interface and non-volatile memory shown in fig. 2, the computing device may generally include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 3, the apparatus as a logical device is formed by the CPU of the computing device reading the corresponding computer program from non-volatile memory into memory. The apparatus for discovering and managing assets in an industrial control environment provided in this embodiment is configured on a server, and the apparatus includes:
the acquisition unit 301, configured to perform information acquisition on network assets and non-network assets in an industrial control environment using a manual import mode and an automatic discovery mode, and to generate fingerprints and additional information of each asset; the assets include network assets and non-network assets;
the generating unit 302, configured to merge the collected assets and update the additional information based on the fingerprints and additional information of each asset, so as to generate an asset library;
and the management unit 303, configured to obtain, after the asset library is generated, the target network assets and target non-network assets in the industrial control environment using the automatic discovery mode, and to determine with the asset library whether the target network assets and target non-network assets are suspicious assets, so as to further manage and dispose of them.
In one embodiment of the present invention, the manual import mode in the acquisition unit 301 includes a manual entry mode, a batch import mode, and a vulnerability scanning result import mode; when performing information acquisition on network assets and non-network assets in an industrial control environment using the manual import mode and generating fingerprints and additional information of each asset, the acquisition unit 301 is configured to:
import the additional information of network assets and non-network assets using the manual entry mode, the batch import mode and the vulnerability scanning result import mode; the additional information includes at least the IP, device model, manufacturer and serial number;
for each imported asset, perform:
based on the additional information of the current asset, acquire the detailed data of the current asset via the SNMP protocol; the detailed data include at least: basic system information, machine name, contacts, number of network interfaces, network interface type, and physical address of each interface;
when the acquisition succeeds, use the acquired detailed data as the fingerprint of the current asset;
and when the acquisition fails, use the device model, manufacturer and serial number in the additional information of the current asset as the fingerprint of the current asset.
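The import-and-fingerprint step above, written out as an added example in Python; this is illustrative code, not the patent's implementation. It assumes a CSV batch file with the four required columns, and replaces the live SNMP query with a constructed lookup table (`fake_snmp_get`) so it runs offline: one device answers and gets a detailed-data fingerprint, the other two fall back to model/vendor/serial exactly as the two branches describe.

```python
import csv
import io
from typing import Callable, Dict, Optional, Tuple

# Constructed batch-import file standing in for the "batch import mode" input.
# The IPs (RFC 5737 documentation range), models and serials are made up.
BATCH_CSV = """ip,model,vendor,serial
192.0.2.10,S7-1500,Siemens,SN-0001
192.0.2.11,ControlLogix,Rockwell,SN-0002
192.0.2.12,Unknown,Acme,SN-0003
"""

# Constructed stand-in for live SNMP answers (sysDescr, sysName, sysContact,
# ifNumber, ifType, ifPhysAddress style fields). Only one device answers, which
# exercises the "acquisition unsuccessful" branch for the other two.
SNMP_RESPONSES = {
    "192.0.2.10": {
        "sys_descr": "Siemens S7-1500 CPU (constructed)",
        "sys_name": "plc-line1",
        "sys_contact": "ops@example.invalid",
        "if_number": 2,
        "if_types": ("ethernetCsmacd", "ethernetCsmacd"),
        "if_phys_addrs": ("00:1c:06:aa:bb:01", "00:1c:06:aa:bb:02"),
    },
}

# A fingerprint is an immutable, hashable tuple so it can key the asset library.
Fingerprint = Tuple[Tuple[str, object], ...]
SnmpGetter = Callable[[str], Optional[Dict[str, object]]]


def fake_snmp_get(ip: str) -> Optional[Dict[str, object]]:
    """Hypothetical SNMP collector. A real one would issue GET requests for the
    MIB-II system and interface objects and return None on timeout / no agent."""
    return SNMP_RESPONSES.get(ip)


def make_fingerprint(extra: Dict[str, str], snmp_get: SnmpGetter = fake_snmp_get) -> Fingerprint:
    """Prefer SNMP detailed data; fall back to model/vendor/serial from the import."""
    detail = snmp_get(extra["ip"])
    if detail:
        return tuple(sorted(detail.items()))
    return (("model", extra["model"]), ("vendor", extra["vendor"]), ("serial", extra["serial"]))


def import_batch(csv_text: str, snmp_get: SnmpGetter = fake_snmp_get) -> Dict[str, Dict[str, object]]:
    """Batch import: parse the additional-information rows, then fingerprint each asset.
    Manual entry and vulnerability-scan import feed the same routine with the same columns."""
    assets: Dict[str, Dict[str, object]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        extra = {k.strip(): v.strip() for k, v in row.items()}
        assets[extra["ip"]] = {"extra": extra, "fingerprint": make_fingerprint(extra, snmp_get)}
    return assets


def fingerprint_source(asset: Dict[str, object]) -> str:
    """Report whether a fingerprint came from SNMP detail or from the import fallback."""
    keys = {k for k, _ in asset["fingerprint"]}
    return "snmp" if "sys_descr" in keys else "fallback"
```

The fallback fingerprint is deliberately weak (model, vendor and serial can all be typed by hand), which is why the library stores which source produced it: a fallback fingerprint that later collides with an SNMP-derived one is worth a second look by the responsible person.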
In one embodiment of the present invention, when performing information acquisition on network assets and non-network assets in an industrial control environment using the automatic discovery mode and generating fingerprints and additional information of each asset, the acquisition unit 301 is configured to:
acquire the data packets of all terminals in the industrial control environment, parse the source-side data and destination-side data, and de-duplicate the source-side and destination-side data by source and destination IP to obtain the additional information of the network assets;
based on the additional information of the network assets, acquire the detailed data of each network asset via the SNMP protocol, and use the acquired detailed data as the fingerprint of the corresponding network asset;
acquire the additional information of non-network assets reported by each terminal management and control device;
and use the device model, manufacturer and serial number in the additional information of each non-network asset as the fingerprint of the corresponding non-network asset.
In one embodiment of the present invention, before performing information acquisition on the network assets and non-network assets in the industrial control environment using the manual import mode and the automatic discovery mode, the acquisition unit 301 is further configured to:
add groups to the manual import mode and the automatic discovery mode, and configure an asset IP address range and a management responsible person for each group, so that the collected network assets and non-network assets are automatically divided into the corresponding groups of the asset library according to the IP address ranges configured for the groups.
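The automatic discovery and grouping steps above (packet source/destination de-duplication, pluggable-device reports from terminal control agents, and IP-range group assignment), as an added example in Python that is not the patent's own code. The packet records, endpoint reports and group table are constructed inline; the SNMP detailed-data query for discovered network assets is left out here, so network assets carry only their IP and MAC as additional information.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed per-packet metadata as a passive collector on a mirror port would
# extract it; addresses are RFC 5737 documentation ranges, MACs are made up.
PACKETS = [
    {"src_ip": "192.0.2.10", "src_mac": "00:1c:06:aa:bb:01", "dst_ip": "192.0.2.50", "dst_mac": "00:11:22:33:44:50"},
    {"src_ip": "192.0.2.50", "src_mac": "00:11:22:33:44:50", "dst_ip": "192.0.2.10", "dst_mac": "00:1c:06:aa:bb:01"},
    {"src_ip": "198.51.100.7", "src_mac": "00:aa:bb:cc:dd:07", "dst_ip": "192.0.2.10", "dst_mac": "00:1c:06:aa:bb:01"},
    {"src_ip": "192.0.2.10", "src_mac": "00:1c:06:aa:bb:01", "dst_ip": "198.51.100.7", "dst_mac": "00:aa:bb:cc:dd:07"},
]

# Constructed reports from endpoint control agents about non-network (pluggable) assets.
ENDPOINT_REPORTS = [
    {"host_ip": "192.0.2.50", "model": "DataTraveler", "vendor": "Kingston", "serial": "USB-7781"},
    {"host_ip": "192.0.2.51", "model": "DataTraveler", "vendor": "Kingston", "serial": "USB-7781"},
]

# Assumed group configuration: group name -> (IP range, management responsible person).
GROUPS: Dict[str, Tuple[str, str]] = {
    "line1": ("192.0.2.0/24", "alice"),
    "dmz": ("198.51.100.0/24", "bob"),
}


def discover_network_assets(packets: Iterable[dict]) -> Dict[str, dict]:
    """Take the source and destination side of every packet and de-duplicate by IP.
    The result is the additional information of each network asset (IP, MAC, hit count)."""
    seen: Dict[str, dict] = {}
    for p in packets:
        for side in ("src", "dst"):
            ip = p[f"{side}_ip"]
            entry = seen.setdefault(ip, {"ip": ip, "mac": p[f"{side}_mac"], "hits": 0})
            entry["hits"] += 1
    return seen


def discover_non_network_assets(reports: Iterable[dict]) -> Dict[tuple, dict]:
    """Fingerprint pluggable devices from model/vendor/serial and record the hosts
    they were seen on; the same stick on two hosts is one asset, not two."""
    out: Dict[tuple, dict] = {}
    for r in reports:
        fp = (("model", r["model"]), ("vendor", r["vendor"]), ("serial", r["serial"]))
        entry = out.setdefault(fp, {"fingerprint": fp, "hosts": []})
        entry["hosts"].append(r["host_ip"])
    return out


def assign_group(ip: str, groups: Dict[str, Tuple[str, str]] = GROUPS) -> Optional[Tuple[str, str]]:
    """Return (group, responsible person) for the first configured range containing ip."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, owner) in groups.items():
        if addr in ipaddress.ip_network(cidr):
            return name, owner
    return None


def grouped_inventory(packets: Iterable[dict], reports: Iterable[dict]) -> Dict[str, List[str]]:
    """Place every discovered asset in its group; pluggable devices follow their first host."""
    inventory: Dict[str, List[str]] = {}
    for ip in discover_network_assets(packets):
        g = assign_group(ip)
        inventory.setdefault(g[0] if g else "ungrouped", []).append(ip)
    for asset in discover_non_network_assets(reports).values():
        g = assign_group(asset["hosts"][0])
        inventory.setdefault(g[0] if g else "ungrouped", []).append(f"pluggable:{asset['fingerprint'][2][1]}")
    return inventory
```

Assets whose IP falls outside every configured range land in an "ungrouped" bucket rather than being dropped; in practice that bucket is itself a useful signal, since an address the grouping configuration does not know about has no responsible person to review it.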
In one embodiment of the present invention, the generating unit 302 is configured to perform:
for each asset, perform:
matching the fingerprint of the current asset with the fingerprints of known assets in the current asset library;
if the matching succeeds, compare the additional information of the current asset with the additional information of the matched known asset; if they are consistent, merge the current asset and the known asset into the same asset and store it in the asset library;
if the additional information of the current asset is inconsistent with that of the matched known asset, calculate the trustworthiness of the current asset and of the known asset respectively, merge the two into the same asset, and use the additional information of the asset with the higher trustworthiness as the additional information of the merged asset, thereby completing the merging of the current asset and the updating of the additional information;
if the fingerprint of the current asset is not successfully matched, the current asset is added to the asset library as a new asset.
In one embodiment of the present invention, the additional information in the generating unit 302 further includes the asset type and the management responsible person;
the trustworthiness of the current asset and of the known asset is calculated in the generating unit 302 as follows:
for both the current asset and the known asset, perform:
determine an importance level of the asset based on the number of times the asset appears at each terminal, the time of occurrence, and the number of terminals;
determine a target group based on the IP of the asset, and judge whether the target group is the same as the group of the asset in the asset library, so as to determine a first trust value;
determine a target type of the asset based on whether detailed data of the asset can be acquired via the SNMP protocol, and then judge whether the target type is the same as the asset type recorded in the additional information of the asset, so as to determine a second trust value;
judge whether the management responsible person corresponding to the target group is the same as the management responsible person recorded in the additional information of the asset, so as to determine a third trust value;
determine the trustworthiness of the asset based on its importance level, the first trust value, the second trust value, and the third trust value.
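The merging step of the generating unit together with the trustworthiness calculation, as an added example in Python (illustrative, not the patent's implementation). The patent does not give a formula for the importance level or for combining the three trust values, so the scoring here is an assumption: importance is appearances plus terminal count, halved when the asset has not been seen within a day, and trustworthiness is importance scaled by how many of the three checks pass. The group table and the asset records are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Fingerprint = Tuple[Tuple[str, str], ...]

# Assumed group configuration: group -> (IP range, management responsible person).
GROUPS = {"line1": ("192.0.2.0/24", "alice"), "dmz": ("198.51.100.0/24", "bob")}
# Additional-information fields compared during the consistency check.
TRACKED = ("ip", "model", "vendor", "serial", "asset_type", "owner", "group")


@dataclass
class Asset:
    fingerprint: Fingerprint
    extra: Dict[str, str]      # additional information, including asset_type, owner, group
    sightings: int = 0         # number of times the asset appeared across terminals
    terminals: int = 0         # number of distinct terminals reporting it
    last_seen: int = 0         # epoch seconds of the latest sighting
    snmp_ok: bool = False      # whether detailed data could be fetched over SNMP


def group_for_ip(ip: str) -> Tuple[Optional[str], Optional[str]]:
    addr = ipaddress.ip_address(ip)
    for name, (cidr, owner) in GROUPS.items():
        if addr in ipaddress.ip_network(cidr):
            return name, owner
    return None, None


def importance(a: Asset, now: int) -> float:
    """Assumed scoring: appearances plus terminal count, halved if not seen in 24 h."""
    recency = 1.0 if now - a.last_seen < 86_400 else 0.5
    return (a.sightings + a.terminals) * recency


def trust_values(a: Asset) -> Tuple[int, int, int]:
    """The three binary checks: recorded group matches the IP range, recorded asset type
    matches what SNMP reachability implies, recorded owner matches the group's owner."""
    group, owner = group_for_ip(a.extra["ip"])
    first = int(group == a.extra.get("group"))
    implied_type = "network" if a.snmp_ok else "non-network"
    second = int(implied_type == a.extra.get("asset_type"))
    third = int(owner == a.extra.get("owner"))
    return first, second, third


def trustworthiness(a: Asset, now: int) -> float:
    """Assumed combination: importance scaled by how many of the three checks pass."""
    return importance(a, now) * (1 + sum(trust_values(a)))


def merge_into_library(library: Dict[Fingerprint, Asset], incoming: Asset, now: int) -> str:
    """One merge step of the generating unit; returns which branch was taken."""
    known = library.get(incoming.fingerprint)
    if known is None:                       # no fingerprint match: brand-new asset
        library[incoming.fingerprint] = incoming
        return "added"
    consistent = all(known.extra.get(k) == incoming.extra.get(k) for k in TRACKED)
    if not consistent:                      # conflict: the more trustworthy copy wins
        if trustworthiness(incoming, now) > trustworthiness(known, now):
            known.extra = dict(incoming.extra)
    # Either way the two records become one asset with combined activity counters.
    known.sightings += incoming.sightings
    known.terminals = max(known.terminals, incoming.terminals)
    known.last_seen = max(known.last_seen, incoming.last_seen)
    known.snmp_ok = known.snmp_ok or incoming.snmp_ok
    return "merged" if consistent else "merged-updated"
```

Ties favour the record already in the library, so a newly imported copy has to be strictly more trustworthy to overwrite what the responsible person previously confirmed.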
In one embodiment of the present invention, when determining with the asset library whether the target network assets and target non-network assets are suspicious assets, so as to further manage and dispose of them, the management unit 303 is configured to:
for each of the target network asset and the target non-network asset, performing:
generating a fingerprint of the current target asset; wherein the target assets include target network assets and target non-network assets;
matching the fingerprint of the current target asset with the fingerprint of the known asset in the asset library;
if the matching is successful, determining that the current target asset and the known asset which is successfully matched are the same asset, and updating the active time of the known asset;
if the matching is unsuccessful, determining the current target asset as a suspicious asset;
tracing the suspicious asset, and determining a management responsible person corresponding to the group according to the IP of the suspicious asset so as to push the tracing result of the suspicious asset and the information data of the suspicious asset to the management responsible person for disposal.
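The monitoring step of the management unit, as an added example in Python that is not the patent's own code. It assumes a library already keyed by fingerprint, a small IP-range-to-owner table, and constructed observations (network flows and endpoint USB reports) to trace against: a known asset only has its active time refreshed, while an unmatched one is flagged, traced in the way the description gives for each kind (access and accessed relations for a network device, host list for a pluggable device) and addressed to the group's responsible person.

```python
import ipaddress
from typing import Dict, List, Tuple

Fingerprint = Tuple[Tuple[str, str], ...]

# Constructed asset library produced by the generation phase: fingerprint -> record.
# Addresses are documentation ranges; models and serials are made up.
LIBRARY: Dict[Fingerprint, dict] = {
    (("model", "S7-1500"), ("serial", "SN-0001"), ("vendor", "Siemens")):
        {"ip": "192.0.2.10", "kind": "network", "active_time": 1_700_000_000},
}
# Assumed grouping configuration: IP range -> management responsible person.
GROUP_OWNERS = {"192.0.2.0/24": "alice", "198.51.100.0/24": "bob"}

# Constructed observations from one monitoring pass: (src, dst) flows seen on the
# network, and pluggable-device reports from endpoint control agents.
FLOWS = [("192.0.2.77", "192.0.2.10"), ("192.0.2.10", "192.0.2.77"), ("198.51.100.7", "192.0.2.77")]
USB_REPORTS = [
    {"host_ip": "192.0.2.50", "model": "DataTraveler", "vendor": "Kingston", "serial": "USB-7781"},
    {"host_ip": "192.0.2.51", "model": "DataTraveler", "vendor": "Kingston", "serial": "USB-7781"},
]


def fp_of(extra: dict) -> Fingerprint:
    """Fallback fingerprint (model/serial/vendor), the form used for pluggable devices."""
    return (("model", extra["model"]), ("serial", extra["serial"]), ("vendor", extra["vendor"]))


def owner_for(ip: str):
    addr = ipaddress.ip_address(ip)
    for cidr, owner in GROUP_OWNERS.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return None


def trace_network(ip: str, flows) -> Dict[str, List[str]]:
    """Access relation (peers this IP connects to) and accessed relation (peers connecting to it)."""
    return {
        "accesses": sorted({d for s, d in flows if s == ip}),
        "accessed_by": sorted({s for s, d in flows if d == ip}),
    }


def trace_pluggable(fp: Fingerprint, reports) -> List[str]:
    """Host list: every endpoint that reported this same pluggable device."""
    return sorted({r["host_ip"] for r in reports if fp_of(r) == fp})


def check_target(fp: Fingerprint, extra: dict, kind: str, library: Dict[Fingerprint, dict],
                 now: int, flows=FLOWS, reports=USB_REPORTS) -> dict:
    """One management-unit step: match against the library, refresh active time on a hit,
    otherwise flag as suspicious, trace it and address the ticket to the group's owner."""
    known = library.get(fp)
    if known is not None:
        known["active_time"] = now
        return {"status": "known", "ip": known["ip"]}
    ip = extra.get("ip") or extra["host_ip"]
    trace = trace_network(ip, flows) if kind == "network" else trace_pluggable(fp, reports)
    return {"status": "suspicious", "kind": kind, "extra": extra, "trace": trace, "notify": owner_for(ip)}
```

The ticket carries the trace alongside the raw additional information so the responsible person can make the three-way decision the description lists (merge with an existing asset, add as a previously inactive asset, or intercept) without re-querying the network.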
It will be appreciated that the architecture illustrated in the embodiments of the present invention does not constitute a specific limitation on the means for discovering and managing assets in an industrial control environment. In other embodiments of the invention, an asset discovery and management device in an industrial control environment may include more or less components than illustrated, or may combine certain components, or may split certain components, or may have a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The content of information interaction and execution process between the modules in the device is based on the same conception as the embodiment of the method of the present invention, and specific content can be referred to the description in the embodiment of the method of the present invention, which is not repeated here.
The embodiment of the invention also provides a computing device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the method for discovering and managing the assets in the industrial control environment in any embodiment of the invention when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, wherein the computer readable storage medium is stored with a computer program, and the computer program when being executed by a processor, causes the processor to execute the method for discovering and managing the assets in the industrial control environment in any embodiment of the invention.
Specifically, a system or apparatus provided with a storage medium on which a software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of the storage medium for providing the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer by a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out by the storage medium is written into a memory provided in an expansion board inserted into a computer or into a memory provided in an expansion module connected to the computer, and then a CPU or the like mounted on the expansion board or the expansion module is caused to perform part and all of actual operations based on instructions of the program code, thereby realizing the functions of any of the above embodiments.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program code may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

1. The method for discovering and managing the assets in the industrial control environment is characterized by being applied to a server, and comprises the following steps:
information acquisition is carried out on network assets and non-network assets in an industrial control environment by using a manual importing mode and an automatic discovering mode, and fingerprints and additional information of the assets are generated; wherein the assets include network assets and non-network assets;
merging the collected assets and updating the additional information based on the fingerprints and the additional information of each asset to generate an asset library;
after the asset library is generated, acquiring target network assets and target non-network assets in an industrial control environment by utilizing an automatic discovery mode, and determining whether the target network assets and the target non-network assets are suspicious assets or not by utilizing the asset library so as to further manage and treat the target network assets and the target non-network assets;
before the information acquisition is carried out on the network assets and the non-network assets in the industrial control environment by utilizing the manual import mode and the automatic discovery mode, the method further comprises the following steps:
adding groups to a manual import mode and an automatic discovery mode, configuring an asset IP address range and a management responsible person corresponding to each group, and automatically dividing the acquired network assets and non-network assets into corresponding groups of an asset library according to the IP address ranges configured by the groups;
the step of merging collected assets and updating the additional information based on the fingerprints and the additional information of each asset to generate an asset library comprises the following steps:
for each asset, perform:
matching the fingerprint of the current asset with the fingerprints of known assets in the current asset library;
if the matching is successful, the additional information of the current asset is checked with the additional information of the known asset which is successfully matched, and if the additional information of the current asset is consistent with the additional information of the known asset, the current asset and the known asset are combined into the same asset and stored in an asset library;
if the additional information of the current asset is inconsistent with the additional information of the known asset successfully matched, the credibility of the current asset and the credibility of the known asset are calculated respectively, so that after the current asset and the known asset are combined into the same asset, the additional information of the asset with higher credibility is used as the additional information of the combined asset, and the combination of the current asset and the updating of the additional information are completed;
if the fingerprint of the current asset is not successfully matched, the current asset is added to an asset library as a new asset;
the determining, using the asset library, whether the target network asset and the target non-network asset are suspicious assets to further manage and handle the target network asset and the target non-network asset, comprising:
for each of the target network asset and the target non-network asset, performing:
generating a fingerprint of the current target asset; wherein the target assets include target network assets and target non-network assets;
matching the fingerprint of the current target asset with the fingerprint of the known asset in the asset library;
if the matching is successful, determining that the current target asset and the known asset which is successfully matched are the same asset, and updating the active time of the known asset;
if the matching is unsuccessful, determining the current target asset as a suspicious asset;
tracing the suspicious asset, and determining a management responsible person corresponding to the grouping according to the IP of the suspicious asset so as to push the tracing result of the suspicious asset and the information data of the suspicious asset to the management responsible person for disposal.
2. The method of claim 1, wherein the manual import mode includes a manual entry mode, a batch import mode, and a vulnerability scanning result import mode;
the step of acquiring information of network assets and non-network assets in an industrial control environment using the manual import mode to generate fingerprints and additional information of each asset comprises:
importing additional information of network assets and non-network assets using the manual entry mode, the batch import mode and the vulnerability scanning result import mode; wherein the additional information at least comprises IP, device model, manufacturer and serial number;
for each asset imported, performing:
based on the additional information of the current asset, acquiring detailed data of the current asset via the SNMP protocol; wherein the detailed data at least comprise: basic system information, machine name, contacts, number of network interfaces, network interface type, and physical address of the interface;
when the acquisition succeeds, taking the acquired detailed data as the fingerprint of the current asset;
and when the acquisition fails, taking the device model, manufacturer and serial number in the additional information of the current asset as the fingerprint of the current asset.
3. The method of claim 2, wherein the step of collecting information on the network assets and the non-network assets in the industrial control environment by using the auto discovery method to generate fingerprints and additional information of each asset comprises:
acquiring data packets of all terminals in the industrial control environment to parse source-side data and destination-side data, and de-duplicating the source-side data and destination-side data according to the source and destination IPs to obtain additional information of network assets;
based on the additional information of the network assets, acquiring detailed data of each network asset via the SNMP protocol, and taking the acquired detailed data as the fingerprint of the corresponding network asset;
acquiring additional information of non-network assets reported by each terminal management and control device;
the device model number, vendor and serial number in the additional information of the non-network asset are used as fingerprints of the corresponding non-network asset.
4. The method of claim 1, wherein the additional information further comprises an asset type and a management responsible person;
the trustworthiness of the current asset and the known asset is calculated by:
for both the current asset and the known asset, performing:
determining an importance level of the asset based on the number of times the asset appears at each terminal, the time of occurrence, and the number of terminals;
determining a target group based on the IP of the asset, and judging whether the target group is the same as the group of the asset in the asset library so as to determine a first trust value;
determining a target type of the asset based on whether detailed data of the asset can be acquired via the SNMP protocol, and then determining whether the target type is the same as the asset type recorded in the additional information of the asset so as to determine a second trust value;
judging whether the management responsible person corresponding to the target group is the same as the management responsible person recorded in the additional information of the asset so as to determine a third trust value;
the trustworthiness of the asset is determined based on the importance of the asset, the first trust value, the second trust value, and the third trust value.
5. An asset discovery and management device in an industrial control environment, wherein the device is arranged on a server and comprises:
an acquisition unit, configured to acquire information of network assets and non-network assets in the industrial control environment using a manual import mode and an automatic discovery mode, and to generate fingerprints and additional information of the assets; wherein the assets include network assets and non-network assets;
a generation unit, configured to merge the collected assets and update the additional information based on the fingerprints and additional information of each asset so as to generate an asset library;
a management unit, configured to acquire, after the asset library is generated, target network assets and target non-network assets in the industrial control environment using the automatic discovery mode, so as to determine with the asset library whether the target network assets and target non-network assets are suspicious assets, such that the target network assets and target non-network assets are further managed and disposed of;
the acquisition unit is further configured, before acquiring information of the network assets and non-network assets in the industrial control environment using the manual import mode and the automatic discovery mode, to:
adding groups to a manual import mode and an automatic discovery mode, configuring an asset IP address range and a management responsible person corresponding to each group, and automatically dividing the acquired network assets and non-network assets into corresponding groups of an asset library according to the IP address ranges configured by the groups;
the generation unit is configured to perform:
for each asset, perform:
matching the fingerprint of the current asset with the fingerprints of known assets in the current asset library;
if the matching is successful, the additional information of the current asset is checked with the additional information of the known asset which is successfully matched, and if the additional information of the current asset is consistent with the additional information of the known asset, the current asset and the known asset are combined into the same asset and stored in an asset library;
if the additional information of the current asset is inconsistent with the additional information of the known asset successfully matched, the credibility of the current asset and the credibility of the known asset are calculated respectively, so that after the current asset and the known asset are combined into the same asset, the additional information of the asset with higher credibility is used as the additional information of the combined asset, and the combination of the current asset and the updating of the additional information are completed;
if the fingerprint of the current asset is not successfully matched, the current asset is added to an asset library as a new asset;
the management unit, when determining with the asset library whether the target network asset and the target non-network asset are suspicious assets so as to further manage and dispose of the target network asset and the target non-network asset, is configured to:
for each of the target network asset and the target non-network asset, performing:
generating a fingerprint of the current target asset; wherein the target assets include target network assets and target non-network assets;
matching the fingerprint of the current target asset with the fingerprint of the known asset in the asset library;
if the matching is successful, determining that the current target asset and the known asset which is successfully matched are the same asset, and updating the active time of the known asset;
if the matching is unsuccessful, determining the current target asset as a suspicious asset;
tracing the suspicious asset, and determining a management responsible person corresponding to the group according to the IP of the suspicious asset so as to push the tracing result of the suspicious asset and the information data of the suspicious asset to the management responsible person for disposal.
6. A computing device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of any of claims 1-4 when the computer program is executed.
7. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-4.
CN202311211972.0A 2023-09-20 2023-09-20 Asset discovery and management method, device, equipment and medium in industrial control environment Active CN116980468B (en)
Publications (2)

Publication Number Publication Date
CN116980468A CN116980468A (en) 2023-10-31
CN116980468B true CN116980468B (en) 2023-12-19
Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018199912A1 (en) * 2017-04-25 2018-11-01 Siemens Aktiengesellschaft Plant design based incremental asset discovery architecture, method and protocol
CN109327461A (en) * 2018-11-12 2019-02-12 广东省信息安全测评中心 Distributed asset identification and change cognitive method and system
CN112182065A (en) * 2020-09-27 2021-01-05 南京南瑞继保电气有限公司 Asset management system and method based on automatic acquisition and multi-source import
CN114189348A (en) * 2021-10-18 2022-03-15 中国电子科技网络信息安全有限公司 Asset identification method suitable for industrial control network environment
CN114422341A (en) * 2022-01-14 2022-04-29 杭州立思辰安科科技有限公司 Industrial control asset identification method and system based on fingerprint characteristics
CN115834368A (en) * 2021-11-29 2023-03-21 中国南方电网有限责任公司超高压输电公司 System for identifying network space asset information
CN116628215A (en) * 2023-04-03 2023-08-22 北京云从科技有限公司 Data asset management method, control device and readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230156030A1 (en) * 2021-11-18 2023-05-18 Honeywell International Inc. Asset discovery engine with deep vulnerabilities scanner
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant