CN206181087U - Active vulnerability detection system for industrial control systems - Google Patents
- Publication number: CN206181087U
- Application number: CN201621005419.7U
- Authority: CN (China)
- Prior art keywords: control system, industrial control, server, vulnerability, data center
- Legal status: Active (the status is Google's assumption, not a legal conclusion)
Abstract
The utility model discloses an active vulnerability detection system for industrial control systems, in the field of industrial control system security. The detection system uses a client/server architecture and comprises a controller, clients, a server, an assessment report module and a data center. The controller is connected to the server; the server is connected to the different clients; a client may connect to the Internet through a firewall or router and also connects to the data center for data exchange; the server likewise connects to the data center for data exchange and generates the assessment report from the data the data center provides. The advantages of the utility model are that the detection system requires no attack code to be developed, has no impact on the stable operation of the control system, and, compared with the MBSA vulnerability detection system developed by Microsoft, detects faster and with higher accuracy; it therefore meets the high-stability and high-real-time requirements of industrial control systems well and is suited to an administrator assessing the security posture of an entire industrial control system.
Description
Technical field
The utility model relates to the field of industrial information security, and in particular to an active vulnerability detection system for industrial control systems.
Background art
The information security of industrial control systems bears on the safety and stable operation of national energy and infrastructure industries and is a severe challenge facing enterprises and national security. Industrial control products increasingly use general-purpose protocols, commodity hardware and general-purpose software and are connected in various ways to public networks such as the Internet, so viruses, trojans and other threats spread into industrial control systems and their information security problems become ever more prominent. Process control systems have evolved from stand-alone to distributed and now toward networked designs, and various information and communication technologies (ICT), including Internet and wireless technology, have been introduced during network design. These new technologies also bring new challenges to the safety of basic activities, including the electric power, water, transportation and large-scale manufacturing sectors.
The protocols and designs of industrial control systems favour real-time behaviour and reliability of function; their early designs lacked effective means of resisting security attacks. Because of compatibility problems, industrial control systems are generally neither upgraded nor patched, and some workstation vendors explicitly forbid users from upgrading the system themselves. A system that has run for a long time therefore accumulates a large number of security vulnerabilities; these defects leave the industrial control system extremely fragile in the face of network attacks and pose a great hidden danger to production safety. The state of industrial control security can be summed up as "deficient at birth, ill-nourished afterwards, worrying for the future": systems cannot be upgraded in time and their own vulnerabilities remain hidden, unable to be detected and repaired promptly, so the hidden dangers of the system itself cannot be ignored; the system protocols themselves lack security factors, and security policies and management systems are imperfect and easily exploited by attackers; violating operations in the system cannot be audited well, and the mechanism for managing user access rights is imperfect; system operators lack the necessary security awareness and operating procedures are not standardized.
In recent years industrial control security incidents have been frequent and the number of industrial control vulnerabilities has grown explosively. The reason industrial control systems face denial of service, tampering with control commands, advanced persistent threats (APT) and other attacks is, at root, that the systems contain exploitable vulnerabilities. Vulnerabilities are the root of security problems and vulnerability detection is the basis for solving them; only by understanding the hidden dangers present in a system can protection be targeted.
Therefore those skilled in the art are devoted to developing an active vulnerability detection system for industrial control systems, to strengthen vulnerability detection of industrial control systems and solve their security problems at the root.
Summary of the utility model
In view of the above drawbacks of the prior art, the technical problem to be solved by the utility model is how to realize active security detection of an industrial control system.
To achieve the above object, the utility model provides an active vulnerability detection system for industrial control systems comprising a controller, clients, a server, an assessment report module and a data center, wherein the controller is connected to the server, the server is connected to the different clients, a client connects to the Internet through a firewall and/or router and is connected to the data center for data exchange, and the server is connected to the data center for data exchange. The detection system is configured to collect the software, user, process and application configuration information of the industrial control system, then apply logical judgement to find the security vulnerabilities present in the industrial control system, and generate an assessment report through the assessment report module from the data provided by the data center.
Further, the controller is configured so that the administrator controls starting and stopping of the detection system and sets detection parameters and detection targets as required.
Further, the server is configured to notify the clients to perform data collection and detection logical-condition judgement and, after receiving the messages that all clients have finished detection, to notify the assessment report module to generate the assessment report.
Further, the client is configured, after receiving the message sent by the server, to read the system and configuration information of the local machine, judge whether the logical condition for the presence of a vulnerability holds, and finally send the detection judgement result to the data center while notifying the server that detection is complete.
Further, the data center is configured as the common interface of the clients and the assessment report module and stores all information of the system, including the vulnerability database, the logical conditions for the presence of vulnerabilities and the CVE list detected by the clients.
Further, the assessment report module is configured to provide the system administrator with vulnerability information about the assessment target, including vulnerability name, vulnerability publication date, vulnerability description, vulnerability danger level, loss type, vulnerability type, exposed system component, related reference information, vulnerable software and its version, and remedial measures.
The advantage of the utility model is that the proposed detection system requires no attack code to be developed; compared with the MBSA detection system developed by Microsoft it detects faster and with higher accuracy, meets the high-stability and high-real-time requirements of industrial control systems well, is suited to an administrator assessing the security state of the whole industrial control system, and has no impact on the stable operation of the control system.
The design concept, concrete structure and technical effects of the utility model are further described below with reference to the drawings, so that its purpose, features and effects are fully understood.
Description of the drawings
Fig. 1 is the structure diagram of the active vulnerability detection system of a preferred embodiment of the utility model;
Fig. 2 is the vulnerability detection information diagram of a preferred embodiment of the utility model;
Fig. 3 is the vulnerability detection flowchart of a preferred embodiment of the utility model;
Fig. 4 is the experimental test environment diagram of a preferred embodiment of the utility model.
Detailed description
The utility model is described in further detail below with reference to the drawings and a specific embodiment.
The active security vulnerability detection system for industrial control systems described in the utility model adopts the client/server (C/S) model and mainly comprises the following modules: controller, client, server, assessment report and data center. Its architecture is shown in Fig. 1, where dotted lines denote control signals with the arrow pointing in the direction of signal flow and solid lines denote data messages with the arrow pointing in the direction of data flow. The controller is connected to the server, the server is connected to the different clients, a client can connect to the Internet through a firewall or router and can also connect to the data center for data exchange, and the server likewise connects to the data center for data exchange and generates the assessment report from the data the data center provides. The security vulnerability detection system first collects the system's software, user, process and application configuration information and then applies logical judgement to find the security vulnerabilities present in the system.
The function of each module in the architecture and the relations between them are as follows. The controller is the user interface of the detection system, through which the administrator starts and stops the system and sets detection parameters and detection targets as required. The server is responsible for coordinating the system: it notifies the clients to perform data collection and detection logical-condition judgement and, after receiving the messages that all clients have finished detection, notifies the vulnerability assessment report module to output the assessment report. A client, after receiving the message sent by the server, reads the system and configuration information of the local machine, judges whether the logical condition for the presence of a vulnerability holds, and finally sends the detection judgement result to the data center while notifying the server module that detection is complete. The data center is the common interface of the client modules and the assessment report module; all information in the system is stored here, including the vulnerability database, the logical conditions for the presence of vulnerabilities, and the CVE (Common Vulnerabilities and Exposures) list detected by the client modules. The vulnerability assessment report provides the system administrator with vulnerability information about the assessment target, mainly including vulnerability name, publication date, description summary, danger level, loss type, vulnerability type, exposed system component, related reference information, vulnerable software and its version, and remedial measures.
The core of this non-destructive vulnerability detection is to apply logical judgement to the system's configuration information and thereby obtain the vulnerability information present in the system. First the operating system version, the names of vulnerable files, application versions and patch status must be read, to judge whether vulnerable software is present. Then whether the corresponding services are running, the concrete configuration settings and other working areas are obtained, to judge whether a vulnerable configuration is present. The concrete principle is given below.
First, some sets are defined: (1) file names FN = {fn1, fn2, ..., fnn}; (2) software versions AV = {av1, av2, ..., avm}; (3) software patches PS = {ps1, ps2, ..., psk}; (4) running services RS = {rs1, rs2, ..., rst}; (5) configuration settings CS = {cs1, cs2, ..., csi}. Every element of these five sets is a three-state variable with value domain {0, 1, Φ}: when the judgement of a vulnerability does not use a variable its value is Φ; when the system has the corresponding information the variable's value is 1, otherwise it is 0.
Second, three functions are defined:
(1) a discriminant function g(fn, av, ps) that judges whether the system has vulnerable software (formula (1)), where fn ∈ FN, av ∈ AV, ps ∈ PS; its output indicates whether the vulnerable software on which the vulnerability depends is present.
(2) a discriminant function h(rs, cs) that judges whether the system has a vulnerable configuration (formula (2)), where rs ∈ RS, cs ∈ CS; its output indicates whether the vulnerable configuration related to the vulnerability is present.
(3) a discriminant function that judges whether the system is vulnerable to the vulnerability:
F(g, h) = g(fn, av, ps) ∩ h(rs, cs) (3)
The output of formula (3) is the conclusion on whether the vulnerability exists: a value of 1 means the vulnerability exists and a value of 0 means it does not. To judge whether the system has a given vulnerability, formula (1) first judges whether the vulnerable software on which the vulnerability depends is present, formula (2) then judges whether the vulnerable configuration on which it depends is present, and formula (3) finally gives the judgement of whether the system is vulnerable.
Take as an example the detection, in a Windows operating system, of the vulnerability "Remote Data Protocol (RDP) plaintext session not encrypted". Here fn = Terminal Server 5.0 ∈ FN, cs = Φ ∈ CS, av = rdpwd.sys version ∈ AV, rs = RDP service ∈ RS and ps = patch Q324380_W2K_SP4_X86_EN.exe ∈ PS, which gives the following two discriminant functions (where ! denotes that the patch is absent):
g = Terminal Server 5.0 ∩ (rdpwd.sys version < 5.0.2195.5880) ∩ !Patch Q324380_W2K_SP4_X86_EN.exe (4)
h = RDP service ∩ Φ (5)
By reading the system's registry values and file-system attributes the values of g and h are obtained, and formula (3) then decides whether the system has the vulnerability named "Remote Data Protocol (RDP) plaintext session not encrypted" (CAN-2002-0863).
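The judgement above for CAN-2002-0863, written out as an added Python example that evaluates formulas (3), (4) and (5) over three constructed host fact sets. This is illustrative code, not the patent's implementation: the way `meet` treats Φ, the service name `TermService` standing for "RDP service", the layout of the `facts` dictionaries and the three host snapshots are all assumptions made for the example.

```python
"""Added example: formulas (3)-(5) of the page for CAN-2002-0863 over constructed
host facts.  Illustrative code, not the patent's implementation."""

PHI = None  # the "don't care" value Φ of the three-state variables {0, 1, Φ}


def meet(*values):
    """Intersection (∩) over three-state variables.

    Φ operands are ignored (the judgement does not use that variable); any 0
    makes the result 0; otherwise the result is 1.  If every operand is Φ the
    result stays Φ, so a rule with no constraint at all is left undecided.
    """
    used = [v for v in values if v is not PHI]
    if not used:
        return PHI
    return 0 if 0 in used else 1


def version_tuple(text):
    """'5.0.2195.5880' -> (5, 0, 2195, 5880): compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def var(present):
    """Map a Python truth value onto a three-state variable value (1 or 0)."""
    return 1 if present else 0


# Assumed registry key, patch name and fixed driver version from formula (4).
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
PATCH = "Q324380_W2K_SP4_X86_EN.exe"
FIXED_RDPWD = version_tuple("5.0.2195.5880")


def g_can_2002_0863(facts):
    """Formula (4): Terminal Server 5.0 ∩ (rdpwd.sys < 5.0.2195.5880) ∩ !Patch."""
    fn = var(facts["registry"].get((TS_KEY, "ProductVersion")) == "5.0")
    rdpwd = facts["files"].get("rdpwd.sys")
    av = var(rdpwd is not None and version_tuple(rdpwd) < FIXED_RDPWD)
    ps = var(PATCH not in facts["patches"])  # "!Patch": the hotfix is absent
    return meet(fn, av, ps)


def h_can_2002_0863(facts):
    """Formula (5): RDP service ∩ Φ (no configuration setting is consulted)."""
    rs = var("TermService" in facts["services"])  # assumed service name
    cs = PHI
    return meet(rs, cs)


def F(g, h):
    """Formula (3): the system is vulnerable iff g ∩ h == 1."""
    return meet(g, h)


def is_vulnerable(facts):
    return F(g_can_2002_0863(facts), h_can_2002_0863(facts)) == 1


# Constructed host facts (not real scan data).
UNPATCHED_HOST = {
    "registry": {(TS_KEY, "ProductVersion"): "5.0"},
    "files": {"rdpwd.sys": "5.0.2195.5000"},
    "patches": set(),
    "services": {"TermService"},
}
PATCHED_HOST = {
    "registry": {(TS_KEY, "ProductVersion"): "5.0"},
    "files": {"rdpwd.sys": "5.0.2195.5880"},
    "patches": {PATCH},
    "services": {"TermService"},
}
# Same vulnerable files as UNPATCHED_HOST but the RDP service is not running:
# g == 1 yet h == 0, so formula (3) reports "not vulnerable".
RDP_OFF_HOST = {
    "registry": {(TS_KEY, "ProductVersion"): "5.0"},
    "files": {"rdpwd.sys": "5.0.2195.5000"},
    "patches": set(),
    "services": set(),
}

if __name__ == "__main__":
    for name, facts in [("unpatched", UNPATCHED_HOST), ("patched", PATCHED_HOST),
                        ("rdp-off", RDP_OFF_HOST)]:
        print(f"{name}: g={g_can_2002_0863(facts)} h={h_can_2002_0863(facts)} "
              f"vulnerable={is_vulnerable(facts)}")
```

Two details matter in practice: the version term must compare numerically (a string comparison would rank 5.0.2195.999 above 5.0.2195.5880), and Φ must drop out of the intersection rather than count as 0, otherwise formula (5) could never yield 1.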
The implementation of the detection system includes defining the information to collect, the judgement rules for the vulnerability logical conditions, and the coordination among the controller, server and clients. Taking a Windows system as an example, the implementation process is as follows.
(1) System information collection
Defining the system information to be collected is the first step of the detection system's work. For a Windows system the main information collected is system files, the registry, processes, registered users and IIS server registration information.
(2) Rule detection
Detection rules are the core of the detection system; they specify the vulnerable conditions on which a vulnerability depends and how to judge whether those conditions hold. The detection information is shown in Fig. 2. The correspondence between a vulnerability and its vulnerable conditions may be one-to-one or one-to-many. Conditions(i) (i = 1, 2, ..., n) are the vulnerable conditions of a vulnerability and RULE is the judgement rule for a vulnerable condition, in the form IF ..., THEN .... For example, one vulnerable condition of vulnerability CAN-2002-0863 is Conditions(1) = Terminal Server 5.0, and its judgement rule is:
IF RegistryKey='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' AND EntryName='ProductVersion' AND EntryValue='5.0' in TABLE Win2K_RegistryKeys, THEN Terminal Server 5.0.
(3) Data center
The data center stores all data used in the evaluation process, including system configuration information, vulnerability information, detection results and the system information collected by the detection system during evaluation. The system information collected by the detection system directly determines the assessment result; these data are defined by a platform-specific schema.
(4) Implementation flow
As shown in Fig. 3, the implementation of the system comprises building information tables, acquiring system information, detection logic judgement and assessment result output:
Step 1: Build information tables
First, build the vulnerability information table VUL_LIST and the corresponding query information table Detail_LIST from the information provided by the MITRE website, and manually add the corresponding information;
Second, build:
A. the system registry information table Win2K_RegistryKeys and its configuration table Win2K_RegistryKeys_Conf;
B. the file attribute table Win2K_FileAttributes and its configuration table Win2K_FileAttributes_Conf;
C. the metabase key table Win2K_MetabaseKeys and its configuration table Win2K_MetabaseKeys_Conf.
Step 2: Acquire system information
First, fill the configuration tables Win2K_RegistryKeys_Conf, Win2K_FileAttributes_Conf and Win2K_MetabaseKeys_Conf using database INSERT statements;
Second, for each RegistryKey in the configuration table Win2K_RegistryKeys_Conf, read the corresponding EntryName, EntryType and EntryValue from the system and fill them into the Win2K_RegistryKeys table;
Third, for each FilePath in the configuration table Win2K_FileAttributes_Conf, read the corresponding Owner, Filesize, Modified, MSChecksum, MD5 and Version from the system and fill them into the Win2K_FileAttributes table;
Finally, for each MetabaseKey in the configuration table Win2K_MetabaseKeys_Conf, read the corresponding Id, Name and other values from the system and fill them into the Win2K_MetabaseKeys table.
Step 3: Detection logic judgement
Read each CVE_ID in VUL_LIST in turn; for each of its vulnerable conditions Conditions(i) look up the corresponding RULE in the Detail_LIST table, read the corresponding information from the corresponding table and perform rule matching, and thereby obtain the judgement of whether the vulnerability exists.
Step 4: Assessment result output
For each system vulnerability found, look up the associated information in the vulnerability database by its CVE name and display it classified by host IP and vulnerability severity level.
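Steps 1 to 4 as an added worked example in Python (example code, not the patent's implementation). An in-memory SQLite database stands in for the data center: Step 1 creates VUL_LIST, Detail_LIST and the *_Conf tables by INSERT, Step 2 fills the data tables from a per-host snapshot, Step 3 matches each condition's IF ... THEN rule against the host's rows, and Step 4 groups the findings by host IP and severity. The column layouts (only Version is carried for file attributes and the metabase table is omitted), the JSON form of the rules, the Hotfix registry key used to represent the "patch absent" condition, the severity number and the host snapshots (constructed, keyed by the page's test IPs, not scan output) are assumptions made for this example.

```python
"""Added illustrative example of Steps 1-4 (not the patent's code). SQLite in memory
stands in for the data center; layouts, rule format and snapshots are assumptions."""
import json
import sqlite3

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
HOTFIX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q324380"
RDPWD = r"C:\WINNT\system32\drivers\rdpwd.sys"
DATA_TABLES = {"Win2K_RegistryKeys", "Win2K_FileAttributes"}  # allow-list for rule lookups
SCHEMA = """CREATE TABLE VUL_LIST (CVE_ID TEXT, Name TEXT, Severity INTEGER, Conditions TEXT);
CREATE TABLE Detail_LIST (ConditionId TEXT, TableName TEXT, Expect TEXT, Match TEXT);
CREATE TABLE Win2K_RegistryKeys_Conf (RegistryKey TEXT, EntryName TEXT);
CREATE TABLE Win2K_RegistryKeys (HostIP TEXT, RegistryKey TEXT, EntryName TEXT, EntryValue TEXT);
CREATE TABLE Win2K_FileAttributes_Conf (FilePath TEXT);
CREATE TABLE Win2K_FileAttributes (HostIP TEXT, FilePath TEXT, Version TEXT);"""


def build_information_tables(conn):
    """Step 1: hand-entered VUL_LIST / Detail_LIST rows and the *_Conf tables."""
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO VUL_LIST VALUES (?,?,?,?)",
                 ("CAN-2002-0863", "RDP plaintext session not encrypted", 3,
                  json.dumps(["TS50", "RDPWD_OLD", "NO_Q324380"])))
    # Rule = IF <Match> fits a row of <TableName> THEN condition holds; Expect='absent' inverts it.
    conn.executemany("INSERT INTO Detail_LIST VALUES (?,?,?,?)", [
        ("TS50", "Win2K_RegistryKeys", "present", json.dumps(
            {"RegistryKey": TS_KEY, "EntryName": "ProductVersion", "EntryValue": "5.0"})),
        ("RDPWD_OLD", "Win2K_FileAttributes", "present", json.dumps(
            {"FilePath": RDPWD, "Version": {"lt": "5.0.2195.5880"}})),
        ("NO_Q324380", "Win2K_RegistryKeys", "absent", json.dumps(
            {"RegistryKey": HOTFIX_KEY, "EntryName": "Installed"})),
    ])
    conn.executemany("INSERT INTO Win2K_RegistryKeys_Conf VALUES (?,?)",
                     [(TS_KEY, "ProductVersion"), (HOTFIX_KEY, "Installed")])
    conn.execute("INSERT INTO Win2K_FileAttributes_Conf VALUES (?)", (RDPWD,))


def collect(conn, host_ip, snapshot):
    """Step 2: read each key/path named in the *_Conf tables from the host snapshot
    (a dict standing in for registry and file-system reads) into the data tables."""
    for key, entry in conn.execute("SELECT * FROM Win2K_RegistryKeys_Conf").fetchall():
        value = snapshot["registry"].get((key, entry))
        if value is not None:
            conn.execute("INSERT INTO Win2K_RegistryKeys VALUES (?,?,?,?)",
                         (host_ip, key, entry, value))
    for (path,) in conn.execute("SELECT * FROM Win2K_FileAttributes_Conf").fetchall():
        if path in snapshot["files"]:
            conn.execute("INSERT INTO Win2K_FileAttributes VALUES (?,?,?)",
                         (host_ip, path, snapshot["files"][path]))


def version_key(text):
    return tuple(int(p) for p in text.split("."))  # numeric, not lexicographic


def row_matches(row, match):
    for column, want in match.items():
        if isinstance(want, dict):  # {"lt": "a.b.c.d"}: version must be older
            if version_key(row[column]) >= version_key(want["lt"]):
                return False
        elif row[column] != want:
            return False
    return True


def condition_holds(conn, host_ip, condition_id):
    """Step 3: apply one IF ... THEN rule from Detail_LIST to the host's collected rows."""
    table, expect, match = conn.execute(
        "SELECT TableName, Expect, Match FROM Detail_LIST WHERE ConditionId=?",
        (condition_id,)).fetchone()
    if table not in DATA_TABLES:  # never interpolate a table name that is not allow-listed
        raise ValueError(f"rule {condition_id} names unknown table {table!r}")
    rows = conn.execute(f"SELECT * FROM {table} WHERE HostIP=?", (host_ip,)).fetchall()
    found = any(row_matches(r, json.loads(match)) for r in rows)
    return found if expect == "present" else not found


def detect(conn, host_ip):
    return [(host_ip, severity, cve, name)  # reported only when every condition holds
            for cve, name, severity, conds in conn.execute("SELECT * FROM VUL_LIST").fetchall()
            if all(condition_holds(conn, host_ip, c) for c in json.loads(conds))]


def report(findings):
    """Step 4: findings grouped by host IP, highest severity first."""
    out = {}
    for host, severity, cve, name in sorted(findings, key=lambda f: (f[0], -f[1])):
        out.setdefault(host, []).append(f"[sev {severity}] {cve}: {name}")
    return out


def run(hosts):
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows addressable by column name in row_matches
    build_information_tables(conn)
    findings = []
    for ip, snapshot in hosts.items():  # each client reports into the shared data center
        collect(conn, ip, snapshot)
        findings += detect(conn, ip)
    return report(findings)


# Constructed snapshots (not scan output); the IPs follow the page's test network.
HOSTS = {
    "192.168.1.226": {"registry": {(TS_KEY, "ProductVersion"): "5.0", (HOTFIX_KEY, "Installed"): "1"},
                      "files": {RDPWD: "5.0.2195.5880"}},  # hotfix applied
    "192.168.1.218": {"registry": {(TS_KEY, "ProductVersion"): "5.0"},
                      "files": {RDPWD: "5.0.2195.5000"}},  # old driver, no hotfix: vulnerable
    "192.168.1.18": {"registry": {(TS_KEY, "ProductVersion"): "5.0"},
                     "files": {RDPWD: "5.0.2195.5880"}},  # driver current, no hotfix key
}

if __name__ == "__main__":
    print(run(HOSTS))
```

The table name in a rule is interpolated into the SELECT, so the allow-list in `condition_holds` is what keeps a tampered Detail_LIST row from turning the rule engine into a query-injection path; all host-derived values go through bound parameters.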
An experimental environment test of the designed detection system was carried out; the environment is shown in Fig. 4. The experimental environment is an internal 10 Mbit/s LAN segment 192.168.1.0/24 sharing a single class C public address 202.117.14.189 for its Internet connection. The controller and server of the detection system are installed on host 192.168.1.19, 192.168.1.231 serves as the database server, and three hosts, 192.168.1.226, 192.168.1.218 and 192.168.1.18, serve as detection targets with the detection system client installed on them. The operating system of the three hosts is Windows 2000; the 192.168.1.226 server has all security patches installed except the IE browser patches.
For comparison of test results, Microsoft's vulnerability scanner Microsoft Baseline Security Analyzer (MBSA) was chosen, at the time the most functionally powerful vulnerability detection system for Microsoft Windows platforms. The scan results of the two detection systems, ICS-VS and MBSA, for host 192.168.1.226 are as follows:
1) For the same single target host MBSA took 40 seconds and ICS-VS 21 seconds, almost half of MBSA's time, which fully demonstrates the speed of ICS-VS. This is mainly because ICS-VS uses the system configuration information and obtains the system's vulnerabilities by internal queries; its detection is therefore faster than vulnerability assessment systems that work by external scanning.
2) In the number of vulnerabilities found before IE 6.0 SP1 was installed, MBSA found 3 and ICS-VS found 7. Going through the vulnerabilities found and consulting the data on Microsoft's website, the fix for every vulnerability found by ICS-VS is included in IE 6.0 SP1. This shows that the system is very accurate.
To test the detection speed of ICS-VS further, three vulnerability scans were run against the three hosts; the minimum time taken by ICS-VS was 30 seconds and the minimum time of MBSA was 150 s. This test further highlights the great advantage of the system: speed. It further shows that the system can be applied in large-scale industrial control system environments and fully demonstrates the benefit of a vulnerability assessment approach that uses system configuration information and internal queries.
The utility model proposes the active non-destructive vulnerability detection system ICS-VS for industrial control systems, which can well meet the high-stability and high-real-time requirements of industrial control systems. The experiments on hosts and an industrial control network system show that the proposed network system vulnerability detection and evaluation system ICS-VS has the advantages of high detection accuracy and high speed, requires no attack code to be developed, and has zero impact on the running performance of the detection target. The detection system is suitable for network administrators analysing the security state of industrial control systems and has good application prospects.
Preferred embodiments of the utility model have been described in detail above. It should be understood that a person of ordinary skill in the art can make many modifications and variations according to the concept of the utility model without creative work. Therefore, any technical solution that those skilled in the art can obtain on the basis of the prior art through logical analysis, reasoning or limited experiment according to the concept of the utility model shall fall within the scope of protection defined by the claims.
Claims (6)
1. An active vulnerability detection system for industrial control systems, characterised in that it comprises a controller, clients, a server, an assessment report module and a data center, wherein the controller is connected to the server, the server is connected to the different clients, the clients connect to the Internet through a firewall and/or router and are connected to the data center for data exchange, and the server is connected to the data center for data exchange; the detection system is configured to collect the software, user, process and application configuration information of the industrial control system, then apply logical judgement to find the security vulnerabilities present in the industrial control system, and generate an assessment report through the assessment report module from the data provided by the data center.
2. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the controller is configured for the administrator to control starting and stopping of the detection system and to set detection parameters and detection targets as required.
3. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the server is configured to notify the clients to perform data collection and detection logical-condition judgement and, after receiving the messages that all clients have finished detection, to notify the assessment report module to generate the assessment report.
4. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the client is configured, after receiving the message sent by the server, to read the system and configuration information of the local machine, judge whether the logical condition for the presence of a vulnerability holds, and finally send the detection judgement result to the data center while notifying the server that detection is complete.
5. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the data center is configured as the common interface of the clients and the assessment report module and stores all information of the system, including the vulnerability database, the logical conditions for the presence of vulnerabilities and the CVE list detected by the clients.
6. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the assessment report module is configured to provide the system administrator with vulnerability information about the assessment target, the vulnerability information including vulnerability name, vulnerability publication date, vulnerability description, vulnerability danger level, loss type, vulnerability type, exposed system component, related reference information, vulnerable software and its version, and remedial measures.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201621005419.7U CN206181087U (en) | 2016-08-30 | 2016-08-30 | Active leak detecting system towards industrial control system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN206181087U true CN206181087U (en) | 2017-05-17 |
Family
ID=58674839
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201621005419.7U Active CN206181087U (en) | 2016-08-30 | 2016-08-30 | Active leak detecting system towards industrial control system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN206181087U (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109613899A (en) * | 2018-12-21 | 2019-04-12 | 国家计算机网络与信息安全管理中心 | A method of the industrial control system security risk assessment based on allocation list |
CN110262420A (en) * | 2019-06-18 | 2019-09-20 | 国家计算机网络与信息安全管理中心 | A kind of distributed industrial control network security detection system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20210326451A1 (en) | Automated security assessment of business-critical systems and applications | |
CN106230857A (en) | A kind of active leakage location towards industrial control system and detection method | |
US8561175B2 (en) | System and method for automated policy audit and remediation management | |
US7627891B2 (en) | Network audit and policy assurance system | |
KR101883400B1 (en) | detecting methods and systems of security vulnerability using agentless | |
CN105391687A (en) | System and method for supplying information security operation service to medium-sized and small enterprises | |
CN101635730A (en) | Method and system for safe management of internal network information of small and medium-sized enterprises | |
CN107733706A (en) | The illegal external connection monitoring method and system of a kind of no agency | |
US20050154733A1 (en) | Real-time change detection for network systems | |
CN102821137A (en) | Website safety detection method and website safety detection system | |
JP2001282655A (en) | Method, device, and storage medium for network device management | |
US11621974B2 (en) | Managing supersedence of solutions for security issues among assets of an enterprise network | |
US20140325618A1 (en) | System and method for delivering external data to a process running on a virtual machine | |
CN106982194A (en) | Vulnerability scanning method and device | |
CN107040518A (en) | A kind of private clound server log method and system | |
CN112039868A (en) | Firewall policy verification method, device, equipment and storage medium | |
CN108769063A (en) | A kind of method and device of automatic detection WebLogic known bugs | |
CN206181087U (en) | Active leak detecting system towards industrial control system | |
CN116668079A (en) | Network system vulnerability scanning method | |
CN105142150A (en) | Wireless device loophole scanning method and system based on BS mode | |
CN105099807B (en) | Apparatus testing method and device | |
CN101453388B (en) | Inspection method for Internet service operation field terminal safety | |
CN106453238B (en) | Login method and system, electronic terminal, public network server and private cloud equipment | |
CN115361203A (en) | Vulnerability analysis method based on distributed scanning engine | |
CN110034977B (en) | Equipment safety monitoring method and safety monitoring equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GR01 | Patent grant | ||