CN117278423B - Model construction method, test platform, computer device and storage medium - Google Patents

Publication number: CN117278423B
Authority: CN (China)
Legal status: Active
Application number: CN202311468742.2A
Other languages: Chinese (zh)
Other versions: CN117278423A (en)
Inventors: 于盟, 张哲宇, 张晓菲, 卢春景, 王诗蕊, 张妍, 白银河, 洪毅, 张格�
Assignee: China Industrial Control Systems Cyber Emergency Response Team
Classifications

    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F30/20 Design optimisation, verification or simulation
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L9/40 Network security protocols

Abstract

The application discloses a model construction method, a test platform, computer equipment and a storage medium, and belongs to the technical field of computers. The method comprises the following steps: analyzing the data packet transmitted in the simulation network to obtain key information in the data packet transmitted in the simulation network, wherein the simulation network is obtained by simulating a target network system; detecting normal data packets and abnormal data packets transmitted in the simulation network according to key information in the data packets transmitted in the simulation network; constructing a training sample set according to key information in a normal data packet and key information in an abnormal data packet transmitted in a simulation network; and training the model by using the training sample set to obtain an anomaly detection model, wherein the anomaly detection model is used for carrying out anomaly detection on the data packet transmitted in the target network system. The anomaly detection model can accurately detect the anomalies of the data packets transmitted in the target network system, so that the safety of the target network system can be effectively improved.

Description

Model construction method, test platform, computer device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a model building method, a test platform, a computer device, and a storage medium.
Background
As industry has developed, the overall scale of industrial control systems has kept growing. To keep an industrial control system running safely and stably, the data transmitted in it must be inspected so that abnormal data is found in time and the security risk to the system is reduced.
In the related art, a technician manually builds a data feature library from the features of abnormal data that has already been discovered and keeps updating it. When data transmitted in an industrial control system is inspected, its features are matched against those in the library; if they match any feature in the library, the data is judged to be abnormal.
However, the features in such a library are a limited set added by hand, which limits the accuracy with which abnormal data can be detected through it.
Disclosure of Invention
The application provides a model construction method, a test platform, a computer device and a storage medium, which can improve anomaly detection accuracy. The technical scheme is as follows:
In a first aspect, a method for constructing a model is provided, the method comprising:
analyzing a data packet transmitted in a simulation network to obtain key information in the data packet, wherein the simulation network is obtained by simulating a target network system;
detecting normal data packets and abnormal data packets transmitted in the simulation network according to the key information in the data packets;
constructing a training sample set according to the key information in the normal data packets and the key information in the abnormal data packets transmitted in the simulation network;
and training a model by using the training sample set to obtain an anomaly detection model, wherein the anomaly detection model is used for detecting anomalies in the data packets transmitted in the target network system.
In the application, the normal and abnormal data packets transmitted in the simulation network simulate the normal and abnormal data packets of the target network system more comprehensively and accurately, so an anomaly detection model trained on their key information detects anomalies in the packets of the target network system more accurately, which effectively improves the security of the target network system.
Optionally, the target network system is an industrial control system, and the simulation network uses a plurality of industrial control protocols for data packet transmission.
Optionally, the analyzing the data packet transmitted in the emulation network to obtain key information in the data packet transmitted in the emulation network includes:
And analyzing any one data packet transmitted in the simulation network layer by layer to obtain key information of the data packet in each layer.
Optionally, the key information includes a media access control MAC address, an internet protocol IP address, a port number, and function information; the step of analyzing the data packet layer by layer to obtain key information of the data packet in each layer comprises the following steps:
analyzing the data link layer information of the data packet to obtain the MAC address in the data packet;
analyzing the network layer information of the data packet to obtain an IP address in the data packet;
analyzing the transmission layer information of the data packet to obtain the port number in the data packet;
and analyzing the application layer information of the data packet to obtain the function information in the data packet.
Optionally, the function information includes a transaction identifier, a protocol identifier, a length, a unit identifier, and operation information; the analyzing the application layer information of the data packet to obtain the function information in the data packet includes:
analyzing the head part of the data packet in the application layer to obtain a transaction identifier, a protocol identifier, a length and a unit identifier in the data packet;
and analyzing the data part of the data packet in the application layer to obtain the operation information in the data packet.
Optionally, the operation information includes a function code and target information, and the target information includes first target information or second target information; the analyzing the data part of the data packet in the application layer to obtain the operation information in the data packet includes:
analyzing the function code of the data packet in the data part of the application layer;
If the operation object of the function code is a basic register, analyzing the data of the data packet in the data part of the application layer according to a basic field to obtain first target information in the data packet, wherein the first target information comprises one or more of operation object types, register addresses, operation quantity and written values;
And if the operation object of the function code is not a basic register, acquiring a key field corresponding to the function code, and analyzing the data of the data packet in the data part of the application layer according to the key field corresponding to the function code to obtain second target information in the data packet.
Optionally, the detecting normal data packets and abnormal data packets transmitted in the emulation network according to key information in the data packets transmitted in the emulation network includes:
For any one data packet transmitted in the simulation network, determining legal values corresponding to each key information in the data packet according to a communication protocol standard used by the data packet;
if at least one key information in the data packet is inconsistent with the corresponding legal value, determining the data packet as an abnormal data packet;
and if all the key information in the data packet accords with the corresponding legal value, determining the data packet as a normal data packet.
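The layer-by-layer parsing and legal-value checks of the first aspect, carried through for Modbus/TCP as an added example (not code from the patent or its test platform). The inventory of allowed MAC/IP pairs, the feature layout and the sample frames are constructed assumptions; the legal values for the MBAP header, function codes, quantities and coil values follow the Modbus specification.

```python
import struct

# Function codes whose operation object is a basic register (Table 1 terminology); the
# multi-write and diagnostic codes are left to the "second target information" branch.
BASIC_REGISTER_FUNCTIONS = {1: "coil", 2: "discrete_input", 3: "holding_register",
                            4: "input_register", 5: "coil", 6: "holding_register"}
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125}        # read limits from the Modbus spec
KNOWN_FUNCTION_CODES = set(BASIC_REGISTER_FUNCTIONS) | {7, 8, 11, 15, 16, 17, 22, 23, 43}
MODBUS_PORT = 502
# Assumed inventory of the simulated network (constructed): MAC -> IP of the SCADA server and one PLC honeypot.
ALLOWED_HOSTS = {"02:00:00:00:00:01": "10.0.0.10", "02:00:00:00:00:02": "10.0.0.21"}


def build_frame(src, dst, src_port, dst_port, pdu, transaction_id=1, protocol_id=0, unit_id=1):
    """Ethernet II + IPv4 + TCP + MBAP + PDU; src/dst are (mac, ip). Checksums left at zero."""
    app = struct.pack("!HHHB", transaction_id, protocol_id, len(pdu) + 1, unit_id) + pdu
    eth = bytes.fromhex(dst[0].replace(":", "")) + bytes.fromhex(src[0].replace(":", "")) + b"\x08\x00"
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(app), 0, 0x4000, 64, 6, 0,
                      bytes(map(int, src[1].split("."))), bytes(map(int, dst[1].split("."))))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip4 + tcp + app


def parse_packet(frame):
    """Walk the frame layer by layer and collect the key information of each layer."""
    info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}  # data link layer
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                                           # network layer
    ip_hdr = frame[14:14 + ihl]
    info["src_ip"] = ".".join(str(b) for b in ip_hdr[12:16])
    info["dst_ip"] = ".".join(str(b) for b in ip_hdr[16:20])
    if ip_hdr[9] != 6:
        raise ValueError("not TCP")
    tcp = 14 + ihl                                                         # transport layer
    info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[tcp:tcp + 4])
    app = frame[tcp + (frame[tcp + 12] >> 4) * 4:]                         # application layer
    info.update(parse_modbus(app, is_request=info["dst_port"] == MODBUS_PORT))
    return info


def parse_modbus(app, is_request=True):
    """MBAP header (head part), then the function code and data part of the PDU."""
    tid, pid, length, uid = struct.unpack("!HHHB", app[:7])
    info = {"transaction_id": tid, "protocol_id": pid, "length": length, "unit_id": uid,
            "app_bytes": len(app), "function_code": app[7]}
    fc, data = app[7], app[8:]
    if fc in BASIC_REGISTER_FUNCTIONS and is_request and len(data) >= 4:
        # request layout for basic registers: 2-byte start address, then quantity (reads) or value (writes);
        # responses carry a byte count instead and are left unparsed beyond the header here
        info["object_type"] = BASIC_REGISTER_FUNCTIONS[fc]
        info["register_address"], word = struct.unpack("!HH", data[:4])
        info["written_value" if fc in (5, 6) else "quantity"] = word
    else:
        info["raw_data"] = data   # to be parsed with the key field of that function code
    return info


def find_violations(info):
    """Compare each key field with its legal value; an empty list means a normal packet."""
    v = []
    for side in ("src", "dst"):
        if ALLOWED_HOSTS.get(info[side + "_mac"]) != info[side + "_ip"]:
            v.append(side + " MAC/IP pair is not in the network inventory")
    if MODBUS_PORT not in (info["src_port"], info["dst_port"]):
        v.append("not on the Modbus/TCP port")
    if info["protocol_id"] != 0:
        v.append("MBAP protocol id must be 0")
    if info["length"] != info["app_bytes"] - 6:
        v.append("MBAP length disagrees with the payload")
    if not 0 <= info["unit_id"] <= 247:
        v.append("unit id outside 0..247")
    fc, qty = info["function_code"], info.get("quantity")
    if fc not in KNOWN_FUNCTION_CODES:
        v.append("unknown function code")
    if qty is not None and not 1 <= qty <= MAX_QUANTITY[fc]:
        v.append("quantity outside the legal range")
    if qty is not None and info["register_address"] + qty > 0x10000:
        v.append("address range exceeds the register space")
    if fc == 5 and info.get("written_value") not in (0x0000, 0xFF00):
        v.append("coil value must be 0x0000 or 0xFF00")
    return v


def to_training_sample(info):
    """Feature vector from the key information, labelled 0 (normal) or 1 (abnormal)."""
    features = [info["protocol_id"], info["length"], info["unit_id"], info["function_code"],
                info.get("register_address", -1), info.get("quantity", -1),
                info.get("written_value", -1)]
    return features, int(bool(find_violations(info)))


def build_training_set(frames):
    """Parse, check and label every captured frame into a list of (features, label)."""
    return [to_training_sample(parse_packet(f)) for f in frames]


# Constructed sample traffic: SCADA server <-> PLC honeypot, plus two tampered packets.
SCADA, PLC = ("02:00:00:00:00:01", "10.0.0.10"), ("02:00:00:00:00:02", "10.0.0.21")
NORMAL_READ = build_frame(SCADA, PLC, 50000, MODBUS_PORT, struct.pack("!BHH", 3, 0, 10))
NORMAL_REPLY = build_frame(PLC, SCADA, MODBUS_PORT, 50000, bytes([3, 20]) + bytes(20))
BAD_COIL_WRITE = build_frame(SCADA, PLC, 50001, MODBUS_PORT, struct.pack("!BHH", 5, 19, 0x1234))
BAD_PROTOCOL_ID = build_frame(SCADA, PLC, 50002, MODBUS_PORT, struct.pack("!BHH", 3, 0, 500),
                              protocol_id=7)
```

The MBAP length and coil-value checks are what flag packets that are well-formed at the lower layers but carry tampered application fields, the case the background section describes.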
In a second aspect, a test platform is provided, where the test platform includes a simulation network, an intrusion module and a detection module, where the simulation network is obtained by simulating a target network system, the intrusion module is used to simulate an attack, and the detection module is used to execute the model building method according to the first aspect.
In a third aspect, a computer device is provided, the computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the computer program implementing the model building method according to the first aspect described above when executed by the processor.
In a fourth aspect, a computer-readable storage medium is provided, in which a computer program is stored, which when executed by a processor, implements the model building method according to the first aspect.
In a fifth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the steps of the model building method of the first aspect described above.
It will be appreciated that the advantages of the second, third, fourth and fifth aspects may be found in the relevant description of the first aspect, and are not repeated here.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a test platform according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a bridge structure built by a container engine according to an embodiment of the present application;
FIG. 3 is a schematic diagram of communication in a test platform according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a packet detection flow according to an embodiment of the present application;
FIG. 5 is a flowchart of a model building method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a detection process according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a data portion detection flow according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
It should be understood that references to "a plurality" in this disclosure refer to two or more. In the description of the present application, "/" means or, unless otherwise indicated, for example, A/B may represent A or B; "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, in order to facilitate the clear description of the technical solution of the present application, the words "first", "second", etc. are used to distinguish the same item or similar items having substantially the same function and function. It will be appreciated by those of skill in the art that the words "first," "second," and the like do not limit the amount and order of execution, and that the words "first," "second," and the like do not necessarily differ.
The statements of "one embodiment" or "some embodiments" and the like, described in this disclosure, mean that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present disclosure. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the present application are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. Furthermore, the terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless otherwise specifically noted.
Before explaining the embodiment of the present application in detail, an application scenario of the embodiment of the present application is described.
Since their appearance, industrial control systems have been applied ever more widely in petrochemicals, electric power, building, transport, medicine, metallurgy and other fields, and more than 80% of critical infrastructure is now automated by industrial control systems.
An industrial control system is an automatic control system composed of computers and industrial process control components. It mainly comprises SCADA (Supervisory Control And Data Acquisition), PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units), DCS (Distributed Control Systems), IEDs (Intelligent Electronic Devices) and the related communication technologies, and its aim is to acquire and monitor real-time data so as to ensure the automatic operation and process control of industrial infrastructure.
While industrial control systems have advanced industrial development, the demands placed on them have grown, and most of the effort has gone into continuously optimizing and updating system availability and the real-time performance of communication, while protection of data security in the communication process has been relatively neglected. As a result, once an intruder has some knowledge of an industrial control system and the communication protocol it uses, a connection to the equipment can easily be established and equipment permissions stolen, and the intruder tends to send or alter instructions, or steal information, through minor tampering with the network data flow while keeping the system communicating normally. For example, the network data flow between the upper-layer station and the field control device still consists of data packets that strictly conform to the protocol specification, yet fields in those packets related to device functions or physical objects have been tampered with by the intruder; the tampered packets are parsed and executed as normal packets, the upper-layer station either cannot monitor them or no longer obtains real data from the packets it does monitor, and the monitoring function is thereby disabled, allowing the intruder to steal from and control the industrial control system. This kind of attack, carefully crafted by an intruder for a specific target, is often referred to as an APT (Advanced Persistent Threat).
Therefore, the embodiment of the application provides a test platform which comprises a simulation network, an intrusion module and a detection module, wherein the simulation network can simulate an industrial control system, and the intrusion module can simulate the attack of an intruder.
Specifically, a normal data packet is generated in the emulation network, and the intrusion module constructs an abnormal data packet and sends the abnormal data packet to the emulation network. The detection module acquires the data packet in the simulation network, analyzes and detects the acquired data packet to obtain key information of a normal data packet and key information of an abnormal data packet, establishes a training sample set according to the obtained key information of the normal data packet and the obtained key information of the abnormal data packet, and finally carries out model training according to the training sample set to obtain an abnormal detection model capable of carrying out abnormal detection on the data packet transmitted in the industrial control system.
The normal data packet and the abnormal data packet transmitted in the simulation network can be comprehensively and accurately simulated, so that the abnormal detection model obtained by training the key information of the normal data packet and the abnormal data packet transmitted in the simulation network can accurately realize the abnormal detection of the data packet transmitted in the industrial control system, and the safety of the industrial control system can be effectively improved.
The test platform provided by the embodiment of the application is explained in detail below.
Fig. 1 is a schematic diagram of a test platform according to an embodiment of the present application. Referring to fig. 1, the test platform includes: an emulation network 101, an intrusion module 102, a detection module 103.
The simulation network 101 is used to simulate a target network system. For example, the target network system may be an industrial control system, and the simulation network is a 1:1 simulated network of the internal network of the industrial control system.
Optionally, the simulation network 101 can communicate using a variety of industrial control protocols. For example, these may include: the IEC (International Electrotechnical Commission) 60870-5-104 protocol, the Modbus/TCP (Transmission Control Protocol) protocol, the BACnet (A Data Communication Protocol for Building Automation and Control Networks)/IP (Internet Protocol) protocol, the EtherNet/IP protocol, the CC-Link (Control & Communication Link) protocol, and the like.
Alternatively, the simulation network 101 may include a process monitor layer 1011, a switch 1012, a field control layer 1013, and an object model 1014, with the process monitor layer 1011 and the field control layer 1013 in communication via the switch 1012.
The process monitor layer 1011 is used to monitor and control the field control layer 1013 and the object model 1014 in the simulation network 101. Specifically, the process monitor layer 1011 sends data packets to the field control layer 1013 to control and schedule the object model 1014, and monitors the field control layer 1013 and the object model 1014; it is the upper computer (host computer) of the simulation network 101.
Alternatively, the process monitor layer 1011 may include a SCADA server and an engineer station.
The SCADA server can establish the configured communication for each protocol and configure the corresponding parameters of the process monitoring layer 1011, such as device functions, register types and register addresses, so as to provide monitoring, control, real-time data acquisition, storage, alarming and printing for the object model 1014. By way of example, the SCADA server may establish configured communication for the IEC 60870-5-104, Modbus/TCP, BACnet/IP, EtherNet/IP and CC-Link protocols.
Engineer stations are used for industrial process control. Specifically, the engineer station can implement functions of editing, modifying, downloading, uploading, etc. each PLC engineering project. Alternatively, the engineer station may be implemented by configuration software from a different vendor.
The field control layer 1013 is configured to receive control instructions issued by the host computer and to transmit variable information of the controlled process back to the host computer. Specifically, the field control layer 1013 includes a plurality of PLCs, which receive the control instructions issued by the host computer, control the corresponding object model 1014 according to those instructions, and transmit the variable information of the object model 1014 during the controlled process to the process monitoring layer 1011 in real time.
Alternatively, the PLCs in the field control layer 1013 may include physical PLCs connected by physical cables and simulation PLCs that interact with the host computer and the object model 1014 via network communications.
The physical PLC is used to control and monitor the object model 1014. Specifically, the physical PLC receives a control instruction sent by the host computer, converts the control instruction into a control signal through a control program, and sends the control signal to the object model 1014 for control, and meanwhile, the physical PLC also communicates with the object model 1014 in real time, and transmits the control variable of the object model 1014 in the controlled process to the host computer in real time. Optionally, the physical PLC may also simulate PLCs of different vendors to generate data packets of different protocols, respectively.
The simulated PLC may include a PLC honeypot. The PLC honeypot is used for attracting the attack of an intruder. The PLC honeypot is a tool for realizing the physical PLC function and simulating interaction with various PLCs, and can effectively replace the physical PLCs to carry out various attack tests and information acquisition. By way of example, the PLC honeypot can implement the basic functions of IEC 60870-5-104, modbus/TCP, BACnet/IP, and the like.
Optionally, the PLC honeypot can also meet the requirements of the testing platform on the functions of the PLC and the environment of the testing platform through secondary development.
For example, to make the test platform portable and scalable across different network environments, the system network architecture may be built with a container engine (including, but not limited to, Docker); the specific build process is shown in fig. 2.
FIG. 2 is a schematic diagram of a bridge structure built by a container engine according to an embodiment of the present application.
Referring to fig. 2, the bridge structure includes a plurality of hosts (i.e., the PLCs in the field control layer 1013) and switches (i.e., switch 1012). Each host has an independent IP address, may hold one or more containers, and has an independent network card and an independent virtual bridge; all containers on a host connect to the virtual bridge through a virtual interface, and each container has a virtual IP address.
All the containers of each host share an operating system kernel (including but not limited to a Linux kernel), and each container may emulate a PLC honeypot. For example, a container A and a container B are built in host A, a PLC honeypot using the Modbus protocol is simulated in container A, and a PLC honeypot using the Modbus protocol is simulated in container B. All containers on one host connect to one virtual bridge, and duplicate addresses among multiple PLC honeypots are avoided by establishing host port mappings for the containers, so that tens to hundreds of containers can run on one host at the same time, which greatly improves the scalability of the PLC honeypots and reduces the cost of building the test platform.
Alternatively, the technician may also deploy the PLC honeypots in each container.
By way of example, the PLC honeypots of the test platform may include Conpot honeypots. Conpot honeypots can be rapidly deployed and modified according to requirements, and custom module types and addresses can be realized so as to meet simulation requirements of PLCs with different functions. For example, a Modbus/TCP protocol PLC honeypot and a BACnet/IP protocol PLC honeypot may be deployed through Conpot honeypots.
To better simulate the interaction patterns of an industrial control system, technicians analyze the formats and uses of the various industrial control protocols in it. In industrial control systems, direct information exchange between the object model 1014 and the process monitoring layer 1011 is achieved primarily through coil registers, discrete input registers and holding registers.
For example, the register types and their associated characteristics are shown in Table 1 below; each type of register has a different register address, function code, permissions and achievable functions. For instance, function code 05 represents a coil register, the address of a coil register is 0xxxx, and a coil register can control a voltage (i.e., switch a circuit on or off). In a simulation network, different types of registers may implement different control functions.
TABLE 1
Table 1 only gives examples of register types and their characteristics and does not limit the embodiments of the present application.
In some embodiments, the technician may also configure the object type for the PLC honeypots in each container to implement PLC honeypots of different functions. By way of example, the BACnet protocol may define a total of 18 object types including analog input output objects, binary input output objects, device objects, file objects, program objects, and the like, each object having a separate structure and a respective object access service.
By way of example, the code for a PLC honeypot that configures the Modbus/TCP protocol is as follows:
The configuration realizes the PLC honeypot with the function of analog input. Wherein the configuration item sets parameters such as a communication protocol, a host address, a port number, a vendor name, a product code, a revision, a mode, a delay, a device id, an interception configuration, a type, and the like.
Illustratively, the code of the PLC honeypot configuring the BACnet/IP protocol is as follows:
the configuration realizes the PLC honeypot with the function of binary analog input. The configuration item sets parameters such as a communication protocol, a host address, a port number, a device name, a device identifier, a vendor name, a vendor identifier, a maximum protocol length, a support segment, a mode name, a version number of a product version, and the like.
The object model 1014 is used to receive and respond to the control instructions sent by the host computer. Specifically, the object model 1014 is a model obtained by mathematical modeling or similar simulation of the functions of the actual physical devices. For example, the object model 1014 may be built with the Simulink module of MATLAB (Matrix Laboratory).
The intrusion module 102 is configured to attack the emulation network 101, i.e. the intrusion module 102 simulates the attack behavior of an intruder on the target network system. Specifically, the intrusion module 102 analyzes the vulnerabilities of the protocol, constructs abnormal data packets according to the protocol's mutation rules, and sends the abnormal data packets to the emulation network 101 to disrupt it, so as to simulate the abnormal state of the target network system. For example, the intrusion module 102 may simulate abnormal scenarios using the open source vulnerability detection tool MSF (Metasploit Framework, a penetration testing framework) and the internationally recognized Achilles industrial security certification test platform.
The detection module 103 is configured to detect whether a data packet transmitted in the emulation network 101 is a normal data packet or an abnormal data packet. Specifically, the detection module 103 collects data packets in the emulation network 101, parses the collected data packets, and detects parsed data to determine whether the data packets are normal data packets or abnormal data packets.
Fig. 3 is a schematic communication diagram in a test platform according to an embodiment of the present application. Referring to fig. 3, the communication process in the test platform is:
The SCADA server sends control instructions to the physical PLC or the PLC honeypot through the switch. The physical PLC or the PLC honeypot receives the control instruction, and converts the control instruction into a control signal through a control program and sends the control signal to the object model. After receiving a control signal sent by a physical PLC or a PLC honeypot, the object model simulates a reaction process of a controlled object in an industrial control system in a real environment, simultaneously generates a state variable and an output variable of the controlled process, and transmits the state variable and the output variable to the physical PLC or the PLC honeypot in real time. The physical PLC or the PLC honeypot responds to a periodic inquiry request initiated by the SCADA server, and sends state variables and output variables of the object model to the SCADA server, and the SCADA server receives the state variables and the output variables and performs corresponding display and processing. In this process, the intrusion module builds an abnormal data packet and sends the abnormal data packet to the emulation network, for example, the intrusion module builds an abnormal data packet and sends the abnormal data packet to the switch. The detection module collects data packets transmitted in the emulation network, for example, the detection module can collect data packets transmitted in the emulation network from the switch, then the detection module can analyze the collected data packets and detect the analyzed data packets so as to determine whether the data packets are normal data packets or abnormal data packets.
In the embodiment of the application, the detection module can not only determine which data packets transmitted in the emulation network are normal and which are abnormal, but can also train an anomaly detection model from the key information of the normal data packets and the key information of the abnormal data packets transmitted in the emulation network; the anomaly detection model can then be used to perform anomaly detection on the data packets transmitted in the target network system.
The following explains the packet detection flow provided in the embodiment of the present application in detail.
Fig. 4 is a schematic diagram illustrating a packet detection flow according to an embodiment of the present application. Referring to fig. 4, the packet detection flow includes packet analysis, key information detection, and flow detection for the multi-source industrial control protocol packet.
A multi-source industrial control protocol data packet refers to a data packet transmitted using a plurality of different industrial control protocols.
Data packet parsing refers to parsing the key information out of a data packet. Specifically, the data packet can be parsed layer by layer according to the communication protocol used by the data packet, so as to obtain the key information in each layer of the data packet.
The key information in the data packet includes, for example, a MAC (Media Access Control) address, an IP address, a port number, function information, and the like.
The key information detection refers to detecting whether a data packet is a normal data packet or an abnormal data packet according to key information in the data packet.
Optionally, a technician may establish a filtering rule, and the key information in the data packet is filtered according to the filtering rule to determine whether the data packet is a normal data packet or an abnormal data packet.
A normal data packet is a data packet used for information interaction inside the emulation network.
An abnormal data packet refers to a data packet that attacks the emulated network.
Flow detection refers to detecting whether a data packet is a normal data packet or an abnormal data packet according to the data traffic characteristics in the emulation network. For example, the data traffic characteristics may be determined from the data packets collected in the emulation network over a period of time; if the data traffic characteristics determined at the moment a certain data packet is collected do not match the preset normal data traffic characteristics, that data packet may be determined to be an abnormal data packet.
In the embodiment of the application, after the normal data packets and the abnormal data packets transmitted in the emulation network have been determined, an anomaly detection model can be trained from the key information of the normal data packets and the key information of the abnormal data packets transmitted in the emulation network; the anomaly detection model can then be used to perform anomaly detection on the data packets transmitted in the target network system.
The model construction method provided by the embodiment of the application is explained in detail below.
Fig. 5 is a flowchart of a model building method according to an embodiment of the present application. The method is applied to a computer device, which may be the detection module described in the embodiments of Figs. 1 to 4 above. Referring to Fig. 5, the model building method comprises the following steps:
Step 501: the computer device parses the data packets transmitted in the emulation network to obtain the key information in the data packets transmitted in the emulation network.
The data packets transmitted in the emulation network comprise data packets transmitted inside the emulation network and data packets sent to the emulation network by the intrusion module. Specifically, the data packets transmitted inside the emulation network may be the normal data packets exchanged when the process monitoring layer communicates with the field control layer and the object model; the data packets sent to the emulation network by the intrusion module are the abnormal data packets sent when the intrusion module simulates an attack.
Optionally, the data packet may also need to be decapsulated before it is parsed. Each layer of the communication protocol has a strict standard packet specification: the data packet is encapsulated layer by layer, from the application layer, through the transport layer and the network layer, to the data link layer, in accordance with the communication protocol standard, so the encapsulation process is highly ordered. After the computer device acquires a data packet, it first decapsulates the data packet layer by layer in the reverse order of encapsulation, and then parses the decapsulated data packet according to the communication protocol standard. That is, the encapsulation, decapsulation and parsing processes can all follow the communication protocol standard, which prescribes the protocol fields that a data packet should have.
Illustratively, the key information in the data packet is shown in table 2, wherein the key information in the data link layer includes a source MAC address and a destination MAC address, the key information in the network layer includes a source IP address and a destination IP address, the key information in the transport layer includes a source port number and a destination port number, and the key information in the application layer includes a protocol identifier, a length, a unit identifier, a function code, and a register address.
TABLE 2
Table 2 above is merely an example; Table 2 does not limit the embodiment of the present application.
Alternatively, the operation of step 501 may be: parsing any data packet transmitted in the emulation network layer by layer to obtain the key information of the data packet in each layer.
In this way, the key information in the data packet can be comprehensively obtained by analyzing the data packet layer by layer.
Alternatively, the operation of the computer device to parse the data packet layer by layer may be: parsing the data link layer information of the data packet to obtain the MAC addresses in the data packet; parsing the network layer information of the data packet to obtain the IP addresses in the data packet; parsing the transport layer information of the data packet to obtain the port numbers in the data packet; and parsing the application layer information of the data packet to obtain the function information in the data packet.
Illustratively, the data link layer information of the data packet includes a source MAC address and a destination MAC address of the data packet.
Illustratively, the network layer information of the data packet includes a source IP address and a destination IP address of the data packet.
Illustratively, the transport layer information of the data packet includes a source port number and a destination port number of the data packet.
The function information in the data packet includes, for example, the header part information and the data part information of the application layer.
The header portion of the application layer is used to indicate the function to be implemented by the data packet.
The data part of the application layer carries the specific parameters required by the data packet to implement the function.
Illustratively, the header portion of the application layer may include fields for a transaction identifier, a protocol identifier, a length, and a unit identifier. Wherein the transaction identifier field is an identification code of a request or response transaction, the protocol identifier field is used to identify a communication protocol used by the data packet, the length field is used to measure the total length of the unit identifier and the data portion, and the unit identifier field is an identification code of a remote slave station connected to the serial link or other bus.
Optionally, the operation of the computer device to parse the header part and the data part of the data packet at the application layer may be: parsing the header part of the data packet at the application layer to obtain the transaction identifier, protocol identifier, length and unit identifier in the data packet; and parsing the data part of the data packet at the application layer to obtain the operation information in the data packet.
The operation information is used to indicate the specific operation to be performed by the data packet. Illustratively, the operation information includes a function code and target information. The target information comprises the specific parameters used by the data packet when executing the operation, and may include the first target information and the second target information described below.
Optionally, the operation of parsing the data part of the data packet at the application layer may be: parsing the function code in the data part of the application layer of the data packet; if the operation object of the function code is a basic register, parsing the data in the data part of the application layer of the data packet according to the basic fields to obtain the first target information in the data packet, wherein the first target information comprises one or more of an operation object type, a register address, an operation number and a write value; if the operation object of the function code is not a basic register, acquiring the key fields corresponding to the function code, and parsing the data in the data part of the application layer of the data packet according to the key fields corresponding to the function code to obtain the second target information in the data packet.
The basic registers are registers specified in advance by the technician for performing some basic operations. Illustratively, the basic registers include discrete input registers, coil registers, input registers, and holding registers; the non-basic registers include read exception status registers, loopback diagnostic check registers, programming registers, polling registers, read event counter registers, read communication event log registers, and the like.
The basic fields are the fields corresponding to the basic registers, i.e. the fields related to operations on the basic registers, by which the corresponding basic registers can be operated on.
The first target information is some information obtained by analyzing the data part of the application layer according to the field corresponding to the basic register.
The operation object type is used to indicate which type of basic register the operation object of the function code is.
The register address is used to indicate the starting address of the register to be operated on.
The number of operations is the number of registers to be operated on.
The write value is the specific parameter that is written into the register and on which the logic operation is performed.
The key fields corresponding to the function code are the fields corresponding to the non-basic registers, i.e. the fields needed to implement the function indicated by the function code; in other words, the fields related to operations on the non-basic registers, by which the corresponding non-basic registers can be operated on. The key fields corresponding to each function code can be stored in the computer device in advance.
The second target information is some information obtained by analyzing the data part of the application layer according to the field corresponding to the non-basic register.
Step 502: the computer device detects the normal data packets and the abnormal data packets transmitted in the emulation network according to the key information in the data packets transmitted in the emulation network.
Since the key information in the data packet can indicate some key characteristics of the data packet, whether the data packet is a normal data packet or an abnormal data packet can be detected according to the key information in the data packet.
Alternatively, the operation of step 502 may be: for any data packet transmitted in the emulation network, determining the legal value corresponding to each item of key information in the data packet according to the communication protocol standard used by the data packet; if at least one item of key information in the data packet is inconsistent with its corresponding legal value, determining that the data packet is an abnormal data packet; if all the key information in the data packet conforms to the corresponding legal values, determining that the data packet is a normal data packet.
The legal value is used for detecting whether key information in the data packet is legal or not. The legal value may be obtained directly according to a rule in the communication protocol standard, or may be set in advance by a technician with reference to the communication protocol standard, which is not limited in the embodiment of the present application.
Fig. 6 is a schematic diagram illustrating a detection procedure according to an embodiment of the present application. Referring to fig. 6, the detection flow includes performing data link layer MAC address detection, network layer IP address detection, transport layer port detection, and application layer detection on a multi-source industrial control protocol data packet, which is specifically described as follows:
The data link layer MAC address detection detects the source MAC address and the destination MAC address in the data link layer of the data packet.
The legal value of the MAC address may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard specifies a MAC address format, and if the format of the destination MAC address in the packet is inconsistent with the format specified by the communication protocol standard, the packet is determined to be an abnormal packet. For another example, the technician may set a source MAC address white list in advance, and if the source MAC address in the data packet is not in the source MAC address white list, determine that the data packet is an abnormal data packet.
The network layer IP address detection is to detect a source IP address and a destination IP address in a network layer in a data packet.
The legal value of the IP address may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard specifies an IP address format, and if the format of the destination IP address in the packet does not match the format specified by the communication protocol standard, the packet is determined to be an abnormal packet. For another example, the technician may set a source IP address white list in advance, and if the source IP address in the data packet is not in the source IP address white list, determine that the data packet is an abnormal data packet.
The transport layer port detection is to detect a source port number and a destination port number in a transport layer in a data packet.
The legal value of the port number may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard specifies a port number format, and if the format of the destination port number in the data packet is inconsistent with the format specified by the communication protocol standard, the data packet is determined to be an abnormal data packet. For another example, the technician may set a source port number white list in advance, and if the source port number in the data packet is not in the source port number white list, determine that the data packet is an abnormal data packet.
Application layer detection detects the header part and the data part of the application layer in the data packet.
In some embodiments, the communication protocol achieves high-speed, stable transmission by means of the connection-oriented TCP technology, and has a relatively fixed protocol format with fixed-size fields, so the key information in the data packet can be completely obtained by parsing the data packet at fixed bit offsets.
The size of each field in the application layer of the data packet is shown in Table 3: the transaction identifier field is defined as 2 bytes, the protocol identifier field as 2 bytes, the length field as 2 bytes, the unit identifier field as 1 byte, the function code field as 1 byte, and the size of the data field is not limited.
TABLE 3
Field                     Size
Transaction identifier    2 bytes
Protocol identifier       2 bytes
Length                    2 bytes
Unit identifier           1 byte
Function code             1 byte
Data                      not limited
Table 3 above merely illustrates, by way of example, the specific size of each field in the application layer of the data packet according to the embodiment of the present application; Table 3 does not limit the embodiment of the present application.
The detection process of the header portion of the application layer is described below.
Optionally, the data packet includes a transaction identifier, a protocol identifier, a length, and a unit identifier at a header portion of the application layer.
The legal value of the transaction identifier may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard specifies a transaction identifier format, and if the format of the transaction identifier in the data packet does not match the format specified by the communication protocol standard, the data packet is determined to be an anomalous data packet. For another example, the technician may set a specified transaction identifier in advance, and if the transaction identifier in the data packet is not the specified transaction identifier, determine that the data packet is an abnormal data packet.
The legal value of the protocol identifier may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard specifies a protocol identifier format, and if the format of the protocol identifier in the data packet is inconsistent with the format specified by the communication protocol standard, the data packet is determined to be an abnormal data packet. For another example, the technician may set a specified protocol identifier in advance, and if the protocol identifier in the data packet is not the specified protocol identifier, determine that the data packet is an abnormal data packet.
The length field is used to indicate the legal size of the subsequent unit identifier field and data part. In this case, if the sum of the size of the unit identifier field and the size of the data part differs from the value in the length field, the data packet is determined to be an abnormal data packet.
The legal value of the unit identifier may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard specifies a unit identifier format, and if the format of the unit identifier in the data packet is inconsistent with the format specified by the communication protocol standard, the data packet is determined to be an abnormal data packet. For another example, the technician may set the designated unit identifier in advance, and if the unit identifier in the data packet is not the designated unit identifier, the data packet is determined to be an abnormal data packet.
The detection process of the data portion is explained below.
Fig. 7 is a schematic diagram illustrating a data part detection flow according to an embodiment of the present application. Referring to Fig. 7, the detection process includes performing function code detection on the data packet to determine whether the operation object of the function code is a basic register or a non-basic register. When the operation object of the function code is a basic register, detection continues with operation object type detection, register address detection, operation number detection and write value detection; when the operation object of the function code is a non-basic register, detection continues with detection of the corresponding fields.
The legal value of the function code may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard prescribes the function code format, and if the format of the function code in the data packet is inconsistent with the format prescribed by the communication protocol standard, the data packet is determined to be an abnormal data packet. For another example, the technician may set the specified function code in advance, and if the function code in the data packet is not the specified function code, the data packet is determined to be an abnormal data packet.
The legal value of the operation object type may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard prescribes the operation object type format, and if the format of the operation object type in the data packet is inconsistent with the format prescribed by the communication protocol standard, the data packet is determined to be an abnormal data packet. For another example, the technician may set the specified operation object type in advance, and if the operation object type in the data packet is not the specified operation object type, the data packet is determined to be an abnormal data packet.
The legal value of the register address may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard specifies a register address format, and if the format of the register address in the data packet is inconsistent with the format specified by the communication protocol standard, the data packet is determined to be an abnormal data packet. For another example, the technician may set a register address range in advance, and if the register address in the data packet is not within the register address range, the data packet is determined to be an abnormal data packet.
The legal value of the operation number may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard prescribes the operation number format, and if the format of the operation number in the data packet is inconsistent with the format prescribed by the communication protocol standard, the data packet is determined to be an abnormal data packet. For another example, the technician may set an operation number range in advance, and if the operation number in the data packet is not within the operation number range, the data packet is determined to be an abnormal data packet.
The legal value of the write value may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. For example, the communication protocol standard prescribes the write value format, and if the format of the write value in the data packet is inconsistent with the format prescribed by the communication protocol standard, the data packet is determined to be an abnormal data packet. For another example, the technician may set a write value range in advance, and if the write value in the data packet is not within the write value range, the data packet is determined to be an abnormal data packet.
The legal value of the field corresponding to a non-basic register may be a legal value specified by the communication protocol standard, or may be a legal value set in advance by a technician with reference to the communication protocol standard. Whether the data packet is an abnormal data packet may be determined by comparing the corresponding field of the non-basic register with its corresponding legal value.
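As an added example (not code from the patent), the following Python parses a constructed Ethernet/IPv4/TCP/Modbus-TCP frame layer by layer into the key information of Table 2 (step 501) and then applies the legal-value checks of Fig. 6 to it (step 502). The whitelists, ranges and the mapping of function codes to basic registers are assumed policy values, and the frames are constructed inline.

```python
"""Layer-by-layer parsing and legal-value detection of a Modbus/TCP frame.
Added example, not code from the patent. Frames are constructed inline; the
whitelists, ranges and function code mapping are assumed policy values."""

import struct

# Function codes whose operation object is a basic register (assumed mapping
# following the usual Modbus convention); the value is the operation object type.
BASIC_REGISTER_CODES = {
    0x01: "coil", 0x02: "discrete input", 0x03: "holding register",
    0x04: "input register", 0x05: "coil", 0x06: "holding register",
}

def parse_packet(frame: bytes) -> dict:
    """Step 501: decapsulate Ethernet -> IPv4 -> TCP -> Modbus/TCP and collect
    the key information of each layer (Table 2)."""
    key = {}
    # Data link layer: destination MAC (6), source MAC (6), EtherType (2)
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    key["dst_mac"], key["src_mac"] = dst_mac.hex(":"), src_mac.hex(":")
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    # Network layer: the IHL nibble gives the IPv4 header length in 32-bit words
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    key["src_ip"] = ".".join(str(b) for b in ip[12:16])
    key["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    # Transport layer: the data offset nibble gives the TCP header length
    tcp = ip[ihl:]
    key["src_port"], key["dst_port"] = struct.unpack("!HH", tcp[:4])
    app = tcp[(tcp[12] >> 4) * 4:]
    # Application layer: MBAP header (Table 3 sizes), then function code and data
    tid, pid, length, uid = struct.unpack("!HHHB", app[:7])
    key.update(transaction_id=tid, protocol_id=pid, length=length, unit_id=uid)
    key["function_code"] = app[7]
    key["data"] = app[8:]
    key["pdu_size"] = len(app) - 6      # bytes actually covered by the length field
    fc = key["function_code"]
    if fc in BASIC_REGISTER_CODES:      # first target information
        if len(app) < 12:
            raise ValueError("truncated data part")
        key["object_type"] = BASIC_REGISTER_CODES[fc]
        key["register_address"], value = struct.unpack("!HH", app[8:12])
        if fc in (0x05, 0x06):
            key["write_value"] = value  # single write: address + value
        else:
            key["quantity"] = value     # read: start address + number of items
    return key

# Assumed legal values: whitelists and ranges a technician would set in advance
POLICY = {
    "src_mac_whitelist": {"00:11:22:33:44:55"},
    "src_ip_whitelist": {"192.168.10.5"},
    "dst_port": 502, "protocol_id": 0, "unit_ids": {1},
    "function_codes": {0x01, 0x03, 0x05, 0x06},
    "register_range": (0, 99), "quantity_range": (1, 16),
    "write_value_range": (0, 0xFF00),
}

def detect(key: dict, policy: dict = POLICY) -> list:
    """Step 502 / Fig. 6: return the key information items that violate their
    legal value; an empty list means the packet is a normal packet."""
    checks = [
        ("src_mac", key["src_mac"] in policy["src_mac_whitelist"]),
        ("src_ip", key["src_ip"] in policy["src_ip_whitelist"]),
        ("dst_port", key["dst_port"] == policy["dst_port"]),
        ("protocol_id", key["protocol_id"] == policy["protocol_id"]),
        ("length", key["length"] == key["pdu_size"]),   # unit id + fc + data
        ("unit_id", key["unit_id"] in policy["unit_ids"]),
        ("function_code", key["function_code"] in policy["function_codes"]),
    ]
    for item, rng in (("register_address", "register_range"),
                      ("quantity", "quantity_range"),
                      ("write_value", "write_value_range")):
        lo, hi = policy[rng]
        checks.append((item, item not in key or lo <= key[item] <= hi))
    return [item for item, ok in checks if not ok]

def build_frame(src_mac, src_ip, src_port, fc, addr, value,
                length=None, protocol_id=0, unit_id=1):
    """Construct a minimal Ethernet/IPv4/TCP/Modbus-TCP frame (checksums zero)."""
    pdu = struct.pack("!BBHH", unit_id, fc, addr, value)
    mbap = struct.pack("!HHH", 1, protocol_id, len(pdu) if length is None else length)
    tcp = struct.pack("!HHIIBBHHH", src_port, 502, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(mbap) + len(pdu),
                     0, 0, 64, 6, 0, src, bytes([192, 168, 10, 20]))
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp + mbap + pdu

if __name__ == "__main__":
    key = parse_packet(build_frame("de:ad:be:ef:00:01", "10.0.0.9", 40001, 0x06, 500, 1))
    print(key["src_ip"], "->", key["dst_ip"], detect(key) or "normal")
```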
It should be noted that if all the key information in the data packet conforms to the corresponding legal values, the data packet can be directly determined to be a normal data packet.
Alternatively, if all the key information in the data packet conforms to the corresponding legal values, the operation behavior of the data packet is determined according to the key information in the data packet, and whether the data packet is a normal data packet or an abnormal data packet is determined according to the operation behavior of the data packet. Since the key information in the data packet embodies the semantics of the data packet, the operation behavior to be performed by the data packet can be determined from its key information. If the operation behavior to be performed by the data packet is an abnormal operation behavior, the data packet can be determined to be an abnormal data packet. For example, suppose a power generation device is scheduled to generate power during a prescribed time period. If the time at which the computer device collects the data packet falls within that prescribed time period, yet the operation behavior of the data packet indicates powering down the power generation device, the operation behavior of the data packet is determined to be abnormal, and the data packet can be determined to be an abnormal data packet.
Further, if the operation behavior to be performed by the data packet is not an abnormal operation behavior, the data packet may be determined to be a normal data packet. Alternatively, if the operation behavior to be performed by the data packet is not an abnormal operation behavior, the data traffic characteristics at the time the data packet is acquired are determined; if the data traffic characteristics determined when the data packet is acquired do not match the preset normal data traffic characteristics, the data packet is determined to be an abnormal data packet; if they match the preset normal data traffic characteristics, the data packet can be determined to be a normal data packet.
Whether a data packet is a normal data packet or an abnormal data packet may thus be determined by detecting the key information in the data packet, the operation behavior of the data packet, and/or the data traffic characteristics in the emulation network. Accordingly, the computer device can determine all the normal data packets and all the abnormal data packets transmitted in the emulation network, and can then acquire the key information in the normal data packets and the key information in the abnormal data packets transmitted in the emulation network.
Step 503: the computer equipment constructs a training sample set according to the key information in the normal data packet and the key information in the abnormal data packet transmitted in the simulation network.
The training sample set includes a plurality of positive training samples and a plurality of negative training samples. The training samples include input data and sample markers. The input data in the positive training sample is the key information of the normal data packet, and the sample in the positive training sample is marked as the normal type. The input data in the negative training sample is the key information of the abnormal data packet, and the sample in the negative training sample is marked as an abnormal type.
Alternatively, the operation of step 503 may be: and for any normal data packet transmitted in the simulation network, taking key information in the normal data packet as input data of a positive training sample, and taking a normal type as a sample mark of the positive training sample to construct the positive training sample. And for any abnormal data packet transmitted in the simulation network, taking key information in the abnormal data packet as input data of a negative training sample, taking an abnormal type as a sample mark of the negative training sample, and constructing the negative training sample.
Step 504: the computer device performs model training using the training sample set to obtain an anomaly detection model, which is used to perform anomaly detection on data packets transmitted in the target network system.
The anomaly detection model is a model for detecting whether a data packet is a normal data packet or an abnormal data packet. That is, after the key information of a data packet is input into the anomaly detection model, the model outputs a detection result indicating whether this data packet is a normal data packet or an abnormal data packet.
For example, the computer device may train the neural network model using the training sample set to obtain the anomaly detection model.
The neural network model may include a plurality of network layers including an input layer, a plurality of hidden layers, and an output layer. The input layer is responsible for receiving input data; the output layer is responsible for outputting the processed data; a plurality of hidden layers are located between the input layer and the output layer, responsible for processing data, the plurality of hidden layers being invisible to the outside.
When the computer device trains the neural network model using the training sample set, then for each training sample in the set the input data of the training sample is input into the neural network model to obtain output data; a loss value between the output data and the sample marker of the training sample is determined by a loss function; and the parameters of the neural network model are adjusted according to the loss value. After the parameters have been adjusted based on every training sample in the training sample set, the neural network model with the adjusted parameters is the anomaly detection model.
The operation of the computer device to adjust the parameters in the neural network model according to the loss value may refer to the related art, which is not described in detail in the embodiments of the present application.
For example, the computer device may adjust any one of the parameters in the neural network model by the formula $\theta' = \theta - \eta \frac{\partial L}{\partial \theta}$. Here $\theta'$ is the adjusted parameter, $\theta$ is the parameter before adjustment, and $\eta$ is the learning rate, which can be preset; for example, $\eta$ may be 0.001, 0.000001, etc., and embodiments of the present application are not limited in this regard. $\frac{\partial L}{\partial \theta}$ is the partial derivative of the loss function $L$ with respect to $\theta$, which can be obtained from the loss value.
Furthermore, after the anomaly detection model is obtained, it can be verified on the test platform that has been built. Specifically, a technician constructs a set of abnormal data packets through the intrusion module and sends them into the simulation network, and creates a set of normal data packets through the simulation network. The detection module acquires the data packets transmitted in the simulation network, parses the key information in each data packet, and inputs the key information into the anomaly detection model to obtain the detection result of the data packet. The technician can determine the detection accuracy of the anomaly detection model from the detection results. If the accuracy of the anomaly detection model is high, the verification is determined to be successful, and the anomaly detection model can subsequently be put into anomaly detection of data packets in the target network system. If the accuracy of the anomaly detection model is low, the verification is determined to have failed, and the anomaly detection model needs to be trained again to improve its detection accuracy.
For example, in actual use, the anomaly detection model may be installed in the detection module of the target network system: the detection module collects a data packet transmitted in the target network system, parses the collected data packet to obtain its key information, and inputs the key information into the anomaly detection model, which outputs a detection result indicating whether the data packet is a normal data packet or an abnormal data packet. Because the anomaly detection model can accurately detect anomalies in the data packets transmitted in the target network system, the security of the target network system can be effectively improved.
In some embodiments, after the detection result of a data packet is output, if the detection result indicates that the data packet is an abnormal data packet, the detection module in the target network system may send an alarm message indicating that the target network system is under attack. Illustratively, the alarm message may include the operation behavior of the abnormal data packet, the key information in the abnormal data packet, and the like, so that a technician can quickly obtain specific information about the attack on the target network system and resolve the related problems quickly and in a targeted manner.
In the embodiment of the application, the data packets transmitted in the simulation network are parsed to obtain the key information in the data packets; the key information is detected to obtain the key information in normal data packets and the key information in abnormal data packets; a training sample set is constructed from the obtained key information in the normal data packets and the abnormal data packets; and finally model training is performed on the training sample set to obtain an anomaly detection model capable of performing anomaly detection on the data packets transmitted in the target network system. Because the normal data packets and abnormal data packets transmitted in the simulation network can be simulated comprehensively and accurately, the anomaly detection model trained on their key information can accurately perform anomaly detection on the data packets transmitted in the target network system, and the security of the target network system can be effectively improved.
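The parameter update rule given above and the accuracy check of the verification step just described, as an added example that is not the patent's own code: a one-layer logistic classifier over four constructed features derived from a packet's key information is trained with $\theta' = \theta - \eta \frac{\partial L}{\partial \theta}$ applied to every parameter, then scored on a separate constructed verification set. The feature encoding, the sample data, the value of $\eta$, the epoch count and all function names are assumptions of the example.

```python
import math
from typing import List, Tuple

# Constructed example, not the patent's code: a minimal one-layer classifier
# trained with the update rule theta' = theta - eta * dL/dtheta, then checked
# on a held-out verification set the way the test platform would.

# Feature vector built from a packet's key information (constructed encoding):
# [protocol_id != 0, length field mismatch, non-standard function code,
#  quantity clipped to 250 and scaled to [0, 1]]
Sample = Tuple[List[float], int]          # (input data, marker: 0 normal, 1 abnormal)
TRAINING_SET: List[Sample] = [
    ([0.0, 0.0, 0.0, 10 / 250], 0),       # read of 10 registers
    ([0.0, 0.0, 0.0, 1 / 250], 0),
    ([0.0, 0.0, 0.0, 100 / 250], 0),
    ([1.0, 0.0, 0.0, 10 / 250], 1),       # wrong protocol identifier
    ([0.0, 1.0, 0.0, 10 / 250], 1),       # length does not match payload
    ([0.0, 0.0, 1.0, 10 / 250], 1),       # unknown function code
    ([0.0, 0.0, 0.0, 250 / 250], 1),      # oversized quantity (4096, clipped)
]
VERIFICATION_SET: List[Sample] = [        # packets the model has never seen
    ([0.0, 0.0, 0.0, 50 / 250], 0),
    ([1.0, 1.0, 0.0, 10 / 250], 1),
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def predict(theta: List[float], x: List[float]) -> float:
    """Output data of the model: probability that the packet is abnormal."""
    return sigmoid(theta[0] + sum(t * xi for t, xi in zip(theta[1:], x)))


def loss(theta: List[float], x: List[float], y: int) -> float:
    """Binary cross-entropy between output data and sample marker."""
    p = min(max(predict(theta, x), 1e-12), 1 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))


def gradient(theta: List[float], x: List[float], y: int) -> List[float]:
    """Partial derivative of the loss with respect to every parameter (bias first)."""
    p = predict(theta, x)
    return [p - y] + [(p - y) * xi for xi in x]


def train(samples: List[Sample], eta: float = 0.5, epochs: int = 3000) -> List[float]:
    theta = [0.0] * (len(samples[0][0]) + 1)
    for _ in range(epochs):
        for x, y in samples:
            grad = gradient(theta, x, y)
            # theta' = theta - eta * dL/dtheta for each parameter
            theta = [t - eta * g for t, g in zip(theta, grad)]
    return theta


def classify(theta: List[float], x: List[float]) -> int:
    """Detection result: 1 = abnormal data packet, 0 = normal data packet."""
    return 1 if predict(theta, x) >= 0.5 else 0


def detection_accuracy(theta: List[float], samples: List[Sample]) -> float:
    """Fraction of packets whose detection result matches their marker."""
    correct = sum(classify(theta, x) == y for x, y in samples)
    return correct / len(samples)


def average_loss(theta: List[float], samples: List[Sample]) -> float:
    return sum(loss(theta, x, y) for x, y in samples) / len(samples)


if __name__ == "__main__":
    model = train(TRAINING_SET)
    print("training accuracy:", detection_accuracy(model, TRAINING_SET))
    print("verification accuracy:", detection_accuracy(model, VERIFICATION_SET))
```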
Fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application. As shown in fig. 8, the computer device 8 includes: a processor 80, a memory 81 and a computer program 82 stored in the memory 81 and executable on the processor 80, the processor 80 implementing the steps in the model building method in the above embodiment when executing the computer program 82.
The computer device 8 may be a general purpose computer device or a special purpose computer device. In a specific implementation, the computer device 8 may be a desktop, a portable computer, a network server, a palmtop, a mobile phone, a tablet, a wireless terminal device, a communication device, or an embedded device, and embodiments of the present application are not limited to the type of computer device 8. It will be appreciated by those skilled in the art that fig. 8 is merely an example of computer device 8 and is not intended to be limiting of computer device 8, and may include more or fewer components than shown, or may combine certain components, or may include different components, such as may also include input-output devices, network access devices, etc.
The processor 80 may be a central processing unit (CPU), or may be another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general purpose processor may be a microprocessor or any conventional processor.
The memory 81 may in some embodiments be an internal storage unit of the computer device 8, such as a hard disk or memory of the computer device 8. The memory 81 may also be an external storage device of the computer device 8 in other embodiments, such as a plug-in hard disk, a smart media card (SMC), a Secure Digital (SD) card, a flash card, etc. provided on the computer device 8. Further, the memory 81 may also include both internal storage units of the computer device 8 and external storage devices. The memory 81 is used to store an operating system, application programs, a boot loader, data, and other programs. The memory 81 may also be used to temporarily store data that has been output or is to be output.
The embodiment of the application also provides a computer device, which comprises: at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, which when executed by the processor performs the steps of any of the various method embodiments described above.
Embodiments of the present application also provide a computer readable storage medium storing a computer program which, when executed by a processor, performs the steps of the respective method embodiments described above.
Embodiments of the present application provide a computer program product which, when run on a computer, causes the computer to perform the steps of the various method embodiments described above.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present application may implement all or part of the flow of the above-described method embodiments by a computer program instructing related hardware, where the computer program may be stored in a computer readable storage medium and, when executed by a processor, may implement the steps of the above-described method embodiments. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include at least: any entity or device capable of carrying computer program code to a photographing apparatus/terminal device, a recording medium, computer memory, ROM (Read-Only Memory), RAM (Random Access Memory), CD-ROM (Compact Disc Read-Only Memory), magnetic tape, floppy disk, optical data storage device, and so forth. The computer readable storage medium mentioned in the present application may be a non-volatile storage medium, in other words, a non-transitory storage medium.
It should be understood that all or part of the steps to implement the above-described embodiments may be implemented by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The computer instructions may be stored in the computer-readable storage medium described above.
Each of the foregoing embodiments has its own emphasis; for any part that is not described or illustrated in detail in a particular embodiment, reference may be made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided by the present application, it should be understood that the disclosed apparatus/computer device and method may be implemented in other manners. For example, the apparatus/computer device embodiments described above are merely illustrative, e.g., the division of modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (8)

1. A method of model construction, the method comprising:
Analyzing a data packet transmitted in a simulation network to obtain key information in the data packet transmitted in the simulation network, wherein the simulation network is obtained by simulating a target network system;
detecting normal data packets and abnormal data packets transmitted in the simulation network according to key information in the data packets transmitted in the simulation network;
Constructing a training sample set according to key information in a normal data packet and key information in an abnormal data packet transmitted in the simulation network;
performing model training by using the training sample set to obtain an anomaly detection model, wherein the anomaly detection model is used for performing anomaly detection on a data packet transmitted in the target network system;
the analyzing the data packet transmitted in the simulation network to obtain key information in the data packet transmitted in the simulation network includes:
for any one data packet transmitted in the simulation network, analyzing the one data packet layer by layer to obtain key information of the one data packet in each layer;
the step of analyzing the data packet layer by layer to obtain the key information of the data packet in each layer comprises the following steps:
analyzing the application layer information of the data packet to obtain the function information in the data packet;
The function information comprises operation information, wherein the operation information comprises a function code and target information, and the target information comprises first target information or second target information; the analyzing the application layer information of the data packet to obtain the function information in the data packet includes:
analyzing the function code of the data packet in the data part of the application layer;
If the operation object of the function code is a basic register, analyzing the data of the data packet in the data part of the application layer according to a basic field to obtain first target information in the data packet, wherein the first target information comprises one or more of operation object types, register addresses, operation quantity and written values;
And if the operation object of the function code is not a basic register, acquiring a key field corresponding to the function code, and analyzing the data of the data packet in the data part of the application layer according to the key field corresponding to the function code to obtain second target information in the data packet.
2. The method of claim 1, wherein the target network system is an industrial control system and the emulation network uses a plurality of industrial control protocols for data packet transmission.
3. The method of claim 1, wherein the key information further comprises a media access control (MAC) address, an internet protocol (IP) address and a port number; the step of analyzing the data packet layer by layer to obtain key information of the data packet in each layer further comprises:
analyzing the data link layer information of the data packet to obtain the MAC address in the data packet;
analyzing the network layer information of the data packet to obtain an IP address in the data packet;
Analyzing the transmission layer information of the data packet to obtain the port number in the data packet.
4. The method of claim 1, wherein the functional information further comprises a transaction identifier, a protocol identifier, a length, a unit identifier; the analyzing the application layer information of the data packet to obtain the function information in the data packet further includes:
and analyzing the head part of the data packet in the application layer to obtain a transaction identifier, a protocol identifier, a length and a unit identifier in the data packet.
5. The method according to any one of claims 1 to 4, wherein detecting normal data packets and abnormal data packets transmitted in the emulation network based on key information in data packets transmitted in the emulation network, comprises:
For any one data packet transmitted in the simulation network, determining legal values corresponding to each key information in the data packet according to a communication protocol standard used by the data packet;
if at least one key information in the data packet is inconsistent with the corresponding legal value, determining the data packet as an abnormal data packet;
and if all the key information in the data packet accords with the corresponding legal value, determining the data packet as a normal data packet.
6. A test platform, characterized in that the test platform comprises a simulation network, an intrusion module and a detection module, the simulation network is obtained by simulating a target network system, the intrusion module is used for simulating an attack behavior, and the detection module is used for executing the method according to any one of claims 1 to 5.
7. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, which computer program, when executed by the processor, implements the method according to any one of claims 1 to 5.
8. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 5.
CN202311468742.2A 2023-11-07 2023-11-07 Model construction method, test platform, computer device and storage medium Active CN117278423B (en)

Publications (2)

Publication Number Publication Date
CN117278423A CN117278423A (en) 2023-12-22
CN117278423B true CN117278423B (en) 2024-06-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant