CN206611433U - A kind of industry control abnormal traffic detection system for ModBus agreements - Google Patents
A kind of industry control abnormal traffic detection system for ModBus agreements Download PDFInfo
- Publication number
- CN206611433U CN206611433U CN201720105760.8U CN201720105760U CN206611433U CN 206611433 U CN206611433 U CN 206611433U CN 201720105760 U CN201720105760 U CN 201720105760U CN 206611433 U CN206611433 U CN 206611433U
- Authority
- CN
- China
- Prior art keywords
- modbus
- module
- abnormal
- main control
- flow
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 90
- 238000001514 detection method Methods 0.000 title claims abstract description 41
- 238000005206 flow analysis Methods 0.000 claims abstract description 6
- 238000004891 communication Methods 0.000 claims description 87
- 230000006870 function Effects 0.000 claims description 46
- 238000003860 storage Methods 0.000 claims description 24
- 238000012545 processing Methods 0.000 claims description 20
- 238000004458 analytical method Methods 0.000 claims description 14
- 238000004088 simulation Methods 0.000 claims description 13
- 238000012546 transfer Methods 0.000 claims description 8
- 230000005611 electricity Effects 0.000 claims description 7
- 230000005540 biological transmission Effects 0.000 claims description 6
- 238000012544 monitoring process Methods 0.000 claims description 6
- 238000010835 comparative analysis Methods 0.000 claims description 5
- 238000012806 monitoring device Methods 0.000 claims description 5
- 238000012360 testing method Methods 0.000 abstract description 4
- 230000002547 anomalous effect Effects 0.000 abstract description 2
- 230000009545 invasion Effects 0.000 description 3
- 238000000034 method Methods 0.000 description 3
- 238000000465 moulding Methods 0.000 description 3
- 230000008878 coupling Effects 0.000 description 2
- 238000010168 coupling process Methods 0.000 description 2
- 238000005859 coupling reaction Methods 0.000 description 2
- 238000003066 decision tree Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000007689 inspection Methods 0.000 description 2
- 238000002955 isolation Methods 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 230000014759 maintenance of location Effects 0.000 description 2
- 230000007935 neutral effect Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000012706 support-vector machine Methods 0.000 description 2
- 230000005856 abnormality Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000009792 diffusion process Methods 0.000 description 1
- 238000013332 literature search Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000006641 stabilisation Effects 0.000 description 1
- 238000011105 stabilization Methods 0.000 description 1
Landscapes
- Small-Scale Networks (AREA)
Abstract
The utility model is related to a kind of detecting system, and in particular to a kind of industry control abnormal traffic detection system for ModBus agreements.Including analog machine, ModBus flow detectors, it is devices under and ModBus abnormal flow analytical equipments.The utility model proposes practicable ModBus anomalous traffic detection methods, realize the flow analysis communicated to industrial control system and equipment ModBus, the device level test problems of industrial control system information security are solved, the information security attack based on ModBus is taken precautions against.
Description
Technical field
The utility model is related to a kind of detecting system, and in particular to a kind of industry control abnormal flow for ModBus agreements is examined
Examining system.
Background technology
During ModBus agreements are a kind of communications protocol being widely used in a variety of industrial control systems, Industry Control
Collection in worksite signal and control instruction are usually transmitted in the form of plaintext by Modbus agreements, therefore, and ModBus's is logical
News safety is particularly significant.In recent years, industrial control system was more and more frequently attacked by information security.Increasing case
Example shows that information security issue is just gradually in industrial control system caused by commercial network, internet and other factorses
Middle diffusion, directly affects stabilization of industry production and personal safety.
At present, the main ethernet communication network based on TCP/IP of the conventional security protection means of industrial control network is made
For object, it is proposed that the solution of substantial amounts of protection and detection, and to the industry spot communication protocol using ModBus as representative
Lack specific protection and detection means.By patent retrieval, the information security detection system for ModBus agreements is not found temporarily
The existing patent of system or platform.
Meanwhile, the correlative study that information security is carried out mainly for ModBus Transmission Control Protocol is studied, to based on tradition
What the research of the ModBus rtu protocols of serial communication was missing from.By literature search, existing document mainly have studied ModBus
TCP Intrusion Detection Technique, method for detecting abnormality, guard technology and access control method, not to ModBus RTU information peace
Full problem expansion research, while also not providing the detecting system of ModBus protocol anomaly flows or the design method of platform.
Utility model content
The purpose of this utility model is, for problems of the prior art, proposes a kind of for ModBus agreements
Industry control abnormal traffic detection system, with realize to industrial control system and equipment ModBus communication flow analysis, solve work
The device level test problems of industry control system information security, take precautions against the information security attack based on ModBus.
To achieve these goals, the technical solution adopted in the utility model is:
A kind of industry control abnormal traffic detection system for ModBus agreements, including analog machine, ModBus flow detections
Device, be devices under with ModBus abnormal flow analytical equipments, the analog machine be used to simulate without information security hidden danger and
Trouble-free normal device, simulation ModBus main websites or slave station;The ModBus flow monitoring devices are used to intercept and capture analog machine
And the ModBus communication flows between being devices under;It is described to be devices under being the industry control that there may be information security hidden danger
Control equipment, may send abnormal ModBus communication messages to the equipment of analog machine;The ModBus abnormal flows analysis
Device is used for all ModBus messages for receiving and showing intercepting and capturing, and with comparative analysis function, can be according to setting rule judgment
The wall scroll or a plurality of message intercepted and captured are exception message, so as to judge to be devices under whether having information security hidden danger.
The analog machine is connected with ModBus flow detectors;The ModBus flow detectors are set with simulation
It is standby, be devices under being respectively connected with ModBus abnormal flow analytical equipments;It is described be devices under respectively with ModBus flows
Detection means is connected with ModBus abnormal flow analytical equipments;The ModBus abnormal flows analytical equipment is set with tested respectively
It is standby to be connected with ModBus flow detectors.
It is described to be devices under being the single equipment with ModBus communication functions, such as single PLC, field instrument;Institute
Analog machine is stated using the x86 computers for supporting ModBus protocol emulations;The ModBus abnormal flows analytical equipment uses x86
The industrial computer of framework.
The Industry Control for possessing ModBus communication functions for being devices under being made up of a variety of industrial control equipments
System;The analog machine is using the known industrial control equipment for supporting ModBus agreements;The ModBus abnormal flows analysis
Device uses the industrial computer of x86 frameworks.
The ModBus flow detectors include:
Main control module, main control module assume responsibility for system administration, the analysis of ModBus protocol massages, and abnormal traffic detection
Function;
Power module, power module is that main control module and other accessory circuits provide power supply, and receives watchdog module
The management and control exported to power supply;
Bypass modules, Bypass modules are used for ModBus in the case of ensureing device power-off or main control module exception and believed
Number can be normal through device;
ModBus TCP communication modules, the major function of ModBus TCP communication modules is the data of ModBus Transmission Control Protocol
Processing and ethernet signal transfer function;
ModBus RTU communication modules, the major function of ModBus RTU communication modules is the data of ModBus rtu protocols
Processing and RS485 signal transfer functions;
Watchdog module, watchdog module mainly realizes the monitoring to main control module running status and Bypass modules
With the management function of power module;
Extension storage module, extension storage module is mainly used in storage abnormal flow characteristic information, system configuration, system day
The information such as will.
The ModBus TCP communications module is connected with main control module and Bypass modules respectively, the ModBus
RTU communication modules are connected with main control module and Bypass modules respectively, the Bypass modules respectively with ModBus TCP
Communication module, ModBus RTU communication modules, main control module are connected with watchdog module, the watchdog module respectively with
Bypass modules, main control module are connected with power module, the power module respectively with watchdog module and master control molding
Block is connected, the main control module difference power module, watchdog module, Bypass modules, extension storage module, ModBus
TCP communication module is connected with ModBus RTU communication modules.
The ModBus TCP communications module includes two Ethernet interfaces, respectively ModBus TCP first interfaces and
ModBus TCP second interfaces;The ModBus RTU communication modules include 2 RS485 interfaces, respectively ModBus RTU the
One interface and ModBus RTU second interfaces.
The Bypass modules include a logic NAND gate circuit and a relay switching circuit, logic NAND gate electricity
Road is received respectively comes from main processing block output signal and watchdog module output signal, control relay on-off circuit it is many
Individual relay folding;Relay switch is located between ModBus TCP or RTU first interface and second interface, realizes ModBus
Signal intercommunication of the signal when Bypass functions are opened between ModBus TCP or RTU first interface and second interface.
The main control module is connected with extension storage module by system bus.
Running status lamp is additionally provided with the power module.
By adopting the above-described technical solution, the beneficial effects of the utility model are:
The utility model proposes practicable ModBus anomalous traffic detection methods, realize to industrial control system and
The flow analysis of equipment ModBus communications, solves the device level test problems of industrial control system information security, and strick precaution is based on
ModBus information security attack.The utility model is simple in construction, full-featured, stable, disclosure satisfy that unlike signal class
The detection of the ModBus agreements of type needs, while network is still unimpeded after a loss of power, meets invasion detecting device and ModBus is connect
Mouthful all standing and do not influence the requirement of industrial control equipment proper communication, ModBus Transmission Control Protocol and ModBus can be supported simultaneously
The intrusion detection of rtu protocol, improves ModBus communication security.
Brief description of the drawings
Fig. 1 is detecting system structural representation described in the utility model;
Fig. 2 is ModBus abnormal flow analytical equipment operational flow diagrams;
Fig. 3 is the structural representation of the embodiment of detecting system one described in the utility model;
Fig. 4 is the structural representation of another embodiment of detecting system described in the utility model;
Fig. 5 is ModBus flow detector schematic appearances;
Fig. 6 is ModBus flow detector structural representations;
Fig. 7 is Bypass inside modules circuit diagrams.
Embodiment
Below in conjunction with the accompanying drawings, the utility model is described in detail.
Embodiment 1
As a kind of preferred embodiment of the present utility model, with reference to Figure of description 1, accompanying drawing 2, accompanying drawing 3, accompanying drawing 5, accompanying drawing
6 and accompanying drawing 7, present embodiment discloses a kind of industry control abnormal traffic detection system for ModBus agreements, the present embodiment includes:
A kind of industry control abnormal traffic detection system for ModBus agreements, including analog machine, ModBus flow detections
Device, be devices under with ModBus abnormal flow analytical equipments, the analog machine be used to simulate without information security hidden danger and
Trouble-free normal device, simulation ModBus main websites or slave station;The ModBus flow monitoring devices are used to intercept and capture analog machine
And the ModBus communication flows between being devices under;It is described to be devices under being the industry control that there may be information security hidden danger
Control equipment, may send abnormal ModBus communication messages to the equipment of analog machine;The ModBus abnormal flows analysis
Device is used for all ModBus messages for receiving and showing intercepting and capturing, and with comparative analysis function, can be according to setting rule judgment
The wall scroll or a plurality of message intercepted and captured are exception message, so as to judge to be devices under whether having information security hidden danger.
The analog machine is connected with ModBus flow detectors;The ModBus flow detectors are set with simulation
It is standby, be devices under being respectively connected with ModBus abnormal flow analytical equipments;It is described be devices under respectively with ModBus flows
Detection means is connected with ModBus abnormal flow analytical equipments;The ModBus abnormal flows analytical equipment is set with tested respectively
It is standby to be connected with ModBus flow detectors.
It is described to be devices under being the single equipment with ModBus communication functions, such as single PLC, field instrument;Institute
Analog machine is stated using the x86 computers for supporting ModBus protocol emulations;The ModBus abnormal flows analytical equipment uses x86
The industrial computer of framework.
The ModBus flow detectors include:
Main control module, main control module assume responsibility for system administration, the analysis of ModBus protocol massages, and abnormal traffic detection
Function;
Power module, power module is that main control module and other accessory circuits provide power supply, and receives watchdog module
The management and control exported to power supply;
Bypass modules, Bypass modules are used for ModBus in the case of ensureing device power-off or main control module exception and believed
Number can be normal through device;
ModBus TCP communication modules, the major function of ModBus TCP communication modules is the data of ModBus Transmission Control Protocol
Processing and ethernet signal transfer function;
ModBus RTU communication modules, the major function of ModBus RTU communication modules is the data of ModBus rtu protocols
Processing and RS485 signal transfer functions;
Watchdog module, watchdog module mainly realizes the monitoring to main control module running status and Bypass modules
With the management function of power module;
Extension storage module, extension storage module is mainly used in storage abnormal flow characteristic information, system configuration, system day
The information such as will.
The ModBus TCP communications module is connected with main control module and Bypass modules respectively, the ModBus
RTU communication modules are connected with main control module and Bypass modules respectively, the Bypass modules respectively with ModBus TCP
Communication module, ModBus RTU communication modules, main control module are connected with watchdog module, the watchdog module respectively with
Bypass modules, main control module are connected with power module, the power module respectively with watchdog module and master control molding
Block is connected, the main control module difference power module, watchdog module, Bypass modules, extension storage module, ModBus
TCP communication module is connected with ModBus RTU communication modules.
The ModBus TCP communications module includes two Ethernet interfaces, respectively ModBus TCP first interfaces and
ModBus TCP second interfaces;The ModBus RTU communication modules include 2 RS485 interfaces, respectively ModBus RTU the
One interface and ModBus RTU second interfaces.
The Bypass modules include a logic NAND gate circuit and a relay switching circuit, logic NAND gate electricity
Road is received respectively comes from main processing block output signal and watchdog module output signal, control relay on-off circuit it is many
Individual relay folding;Relay switch is located between ModBus TCP or RTU first interface and second interface, realizes ModBus
Signal intercommunication of the signal when Bypass functions are opened between ModBus TCP or RTU first interface and second interface.
The main control module is connected with extension storage module by system bus.
Running status lamp is additionally provided with the power module.
It is described to be devices under being the single equipment with ModBus communication functions, such as single PLC, field instrument.
It is required that the equipment has the debugging interface of Ethernet or serial port form to connect ModBus abnormal flow analytical equipments.ModBus
Abnormal flow analytical equipment can read equipment running status, system configuration, signal input and control by accessing the debugging interface
The information such as system output.
The analog machine is using the x86 computers for supporting ModBus protocol emulations.The computer by MATLAB,
The Network Simulation Softwares such as OPNET, NS2, realize the analogue simulation of ModBus agreements.The Ethernet card that signal of communication passes through computer
Or serial port expanding module passes to ModBus flow detectors.
The ModBus abnormal flows analytical equipment is connected by Ethernet with ModBus flow detectors.Meanwhile,
ModBus abnormal flows analytical equipment can also be by Ethernet from being devices under middle obtaining the status information being devices under
And real time data.
ModBus abnormal flows analytical equipment is using the x86 frameworks for being equipped with DNP3.0 abnormal flows analysis system or software
Industrial computer realize that the industrial computer possesses 2 Ethernet interfaces and 1 RS232 serial ports.The computer passes through Ethernet
It is connected, is attached by Ethernet or serial ports and the debugging interface that is devices under with ModBus flow detectors.
The workflow of the ModBus abnormal flows analytical equipment is as follows:
1. accessing ModBus flow detectors, the ModBus agreement bi-directional data bags intercepted and captured are read;
2. access is devices under, the information such as equipment state, inputoutput data, system journal are read;
3. pass through machine learning algorithm(Neutral net, decision tree, SVMs etc.)The flow analysis model of structure comes
Judge the matching degree between intercepted and captured packet and the information being devices under, if matching degree is more than 90%, be determined as
Abnormal flow;
4. the abnormal flow that individually record judges is for post analysis.
The ModBus flow detectors intercept and capture simulation computer and be devices under between ModBus communication messages,
And the message of intercepting and capturing is forwarded in ModBus abnormal flow analytical equipments.
Main control module has selected the AM3358 based on ARM Cortex-A8 processors, working frequency 800MHz, possesses two
Individual industrial GBIC interface(10th, 100 and 1000Mbps)With multiple UART universal asynchronous receiving-transmittings interfaces.In order to ensure
AM3358 can normally be run, and the DDR storages for extending 256MB store invasion inspection with real time execution program, 1GB FLASH
Ranging sequence and basic data, while also extending a 4GB microSD card for storage system configuration and abnormal flow feature
Data.Meanwhile, main control module further comprises 1 road RS232 interface circuits, for apparatus function debugging.
ModBus TCP communication modules include the Ethernet change-over circuit of 2 matching RJ45 style interfaces.ModBus
RTU communication modules include 2 RS485 change-over circuits, support terminal coupling and endless matching both of which.Two communication moulds
The mode of light-coupled isolation is used between block and main control module to protect main control module not brought by interface voltage fluctuation
Influence.Meanwhile, two ModBus communication modules all have defencive function, can prevent impact of the unexpected high pressure to module.
Watchdog module includes watchdog processor and expanded circuit.House dog is received from main processing block AM3358's
GPIO feeding-dog signals, control the power supply circuit and Bypass modules of main processing block.Watchdog circuit is independently of other modules electricity
The running status on road, in real time monitoring main processing block, it is found that the module can be restarted and ensure by main processing block has during exception
Bypass functions are opened.
Power module is powered including main control module and reset control circuit, house dog power supply circuit, communication module are powered
Circuit.Exportable+the 5V of power module ,+3.3V and+1.8V supply voltages, respectively RS485 chips, Ethernet chip, house dog
Processor and AM3358 processors provide power supply.Power module provides reset signal, the input of reset circuit to main control module
Source is the output of watchdog processor.
Embodiment 2
As a kind of preferred embodiment of the present utility model, with reference to Figure of description 1, accompanying drawing 2, accompanying drawing 4, accompanying drawing 5, accompanying drawing
6 and accompanying drawing 7, present embodiment discloses a kind of industry control abnormal traffic detection system for ModBus agreements, the present embodiment includes:
A kind of industry control abnormal traffic detection system for ModBus agreements, including analog machine, ModBus flow detections
Device, be devices under with ModBus abnormal flow analytical equipments, the analog machine be used to simulate without information security hidden danger and
Trouble-free normal device, simulation ModBus main websites or slave station;The ModBus flow monitoring devices are used to intercept and capture analog machine
And the ModBus communication flows between being devices under;It is described to be devices under being the industry control that there may be information security hidden danger
Control equipment, may send abnormal ModBus communication messages to the equipment of analog machine;The ModBus abnormal flows analysis
Device is used for all ModBus messages for receiving and showing intercepting and capturing, and with comparative analysis function, can be according to setting rule judgment
The wall scroll or a plurality of message intercepted and captured are exception message, so as to judge to be devices under whether having information security hidden danger.
The analog machine is connected with ModBus flow detectors;The ModBus flow detectors are set with simulation
It is standby, be devices under being respectively connected with ModBus abnormal flow analytical equipments;It is described be devices under respectively with ModBus flows
Detection means is connected with ModBus abnormal flow analytical equipments;The ModBus abnormal flows analytical equipment is set with tested respectively
It is standby to be connected with ModBus flow detectors.
The Industry Control for possessing ModBus communication functions for being devices under being made up of a variety of industrial control equipments
System;The analog machine is using the known industrial control equipment for supporting ModBus agreements;The ModBus abnormal flows analysis
Device uses the industrial computer of x86 frameworks.
The ModBus flow detectors include:
Main control module, main control module assume responsibility for system administration, the analysis of ModBus protocol massages, and abnormal traffic detection
Function;
Power module, power module is that main control module and other accessory circuits provide power supply, and receives watchdog module
The management and control exported to power supply;
Bypass modules, Bypass modules are used for ModBus in the case of ensureing device power-off or main control module exception and believed
Number can be normal through device;
ModBus TCP communication modules, the major function of ModBus TCP communication modules is the data of ModBus Transmission Control Protocol
Processing and ethernet signal transfer function;
ModBus RTU communication modules, the major function of ModBus RTU communication modules is the data of ModBus rtu protocols
Processing and RS485 signal transfer functions;
Watchdog module, watchdog module mainly realizes the monitoring to main control module running status and Bypass modules
With the management function of power module;
Extension storage module, extension storage module is mainly used in storage abnormal flow characteristic information, system configuration, system day
The information such as will.
The ModBus TCP communications module is connected with main control module and Bypass modules respectively, the ModBus
RTU communication modules are connected with main control module and Bypass modules respectively, the Bypass modules respectively with ModBus TCP
Communication module, ModBus RTU communication modules, main control module are connected with watchdog module, the watchdog module respectively with
Bypass modules, main control module are connected with power module, the power module respectively with watchdog module and master control molding
Block is connected, the main control module difference power module, watchdog module, Bypass modules, extension storage module, ModBus
TCP communication module is connected with ModBus RTU communication modules.
The ModBus TCP communications module includes two Ethernet interfaces, respectively ModBus TCP first interfaces and
ModBus TCP second interfaces;The ModBus RTU communication modules include 2 RS485 interfaces, respectively ModBus RTU the
One interface and ModBus RTU second interfaces.
The Bypass modules include a logic NAND gate circuit and a relay switching circuit, logic NAND gate electricity
Road is received respectively comes from main processing block output signal and watchdog module output signal, control relay on-off circuit it is many
Individual relay folding;Relay switch is located between ModBus TCP or RTU first interface and second interface, realizes ModBus
Signal intercommunication of the signal when Bypass functions are opened between ModBus TCP or RTU first interface and second interface.
The main control module is connected with extension storage module by system bus.
Running status lamp is additionally provided with the power module.
The Industry Control for possessing ModBus communication functions for being devices under being made up of a variety of industrial control equipments
System, such as DCS system, SCADA system.Tested test system has the debugging interface of Ethernet or serial port form to connect
ModBus abnormal flow analytical equipments.ModBus abnormal flows analytical equipment can read system fortune by accessing the debugging interface
The information such as row state, system configuration, system configuration information, the input and output of I/O module, system journal.
The analog machine is using the known industrial control equipment for supporting ModBus agreements, such as field instrument, PLC, HMI
Deng.Each industrial control equipment is connected by industrial serial ports or Ethernet switch with ModBus flow detectors.
The ModBus abnormal flows analytical equipment is connected by Ethernet with ModBus flow detectors.Meanwhile,
ModBus abnormal flows analytical equipment can also be by Ethernet from being devices under middle obtaining the status information being devices under
And real time data.
ModBus abnormal flows analytical equipment is using the x86 frameworks for being equipped with DNP3.0 abnormal flows analysis system or software
Industrial computer realize that the industrial computer possesses 2 Ethernet interfaces and 1 RS232 serial ports.The computer passes through Ethernet
It is connected, is attached by Ethernet or serial ports and the debugging interface that is devices under with ModBus flow detectors.
The workflow of the ModBus abnormal flows analytical equipment is as follows:
1. accessing ModBus flow detectors, the ModBus agreement bi-directional data bags intercepted and captured are read;
2. access is devices under, the information such as equipment state, inputoutput data, system journal are read;
3. pass through machine learning algorithm(Neutral net, decision tree, SVMs etc.)The flow analysis model of structure comes
Judge the matching degree between intercepted and captured packet and the information being devices under, if matching degree is more than 90%, be determined as
Abnormal flow;
4. the abnormal flow that individually record judges is for post analysis.
The ModBus flow detectors intercept and capture simulation computer and be devices under between ModBus communication messages,
And the message of intercepting and capturing is forwarded in ModBus abnormal flow analytical equipments.
Main control module has selected the AM3358 based on ARM Cortex-A8 processors, working frequency 800MHz, possesses two
Individual industrial GBIC interface(10th, 100 and 1000Mbps)With multiple UART universal asynchronous receiving-transmittings interfaces.In order to ensure
AM3358 can normally be run, and the DDR storages for extending 256MB store invasion inspection with real time execution program, 1GB FLASH
Ranging sequence and basic data, while also extending a 4GB microSD card for storage system configuration and abnormal flow feature
Data.Meanwhile, main control module further comprises 1 road RS232 interface circuits, for apparatus function debugging.
ModBus TCP communication modules include the Ethernet change-over circuit of 2 matching RJ45 style interfaces.ModBus
RTU communication modules include 2 RS485 change-over circuits, support terminal coupling and endless matching both of which.Two communication moulds
The mode of light-coupled isolation is used between block and main control module to protect main control module not brought by interface voltage fluctuation
Influence.Meanwhile, two ModBus communication modules all have defencive function, can prevent impact of the unexpected high pressure to module.
Watchdog module includes watchdog processor and expanded circuit.House dog is received from main processing block AM3358's
GPIO feeding-dog signals, control the power supply circuit and Bypass modules of main processing block.Watchdog circuit is independently of other modules electricity
The running status on road, in real time monitoring main processing block, it is found that the module can be restarted and ensure by main processing block has during exception
Bypass functions are opened.
Power module is powered including main control module and reset control circuit, house dog power supply circuit, communication module are powered
Circuit.Exportable+the 5V of power module ,+3.3V and+1.8V supply voltages, respectively RS485 chips, Ethernet chip, house dog
Processor and AM3358 processors provide power supply.Power module provides reset signal, the input of reset circuit to main control module
Source is the output of watchdog processor.
Embodiment 3
As a kind of preferred embodiment of the present utility model, with reference to Figure of description 1, it is directed to present embodiment discloses one kind
The industry control abnormal traffic detection system of ModBus agreements, the present embodiment includes:
A kind of industry control abnormal traffic detection system for ModBus agreements, including analog machine, ModBus flow detections
Device, be devices under with ModBus abnormal flow analytical equipments, the analog machine be used to simulate without information security hidden danger and
Trouble-free normal device, simulation ModBus main websites or slave station;The ModBus flow monitoring devices are used to intercept and capture analog machine
And the ModBus communication flows between being devices under;It is described to be devices under being the industry control that there may be information security hidden danger
Control equipment, may send abnormal ModBus communication messages to the equipment of analog machine;The ModBus abnormal flows analysis
Device is used for all ModBus messages for receiving and showing intercepting and capturing, and with comparative analysis function, can be according to setting rule judgment
The wall scroll or a plurality of message intercepted and captured are exception message, so as to judge to be devices under whether having information security hidden danger.
The analog machine is connected with ModBus flow detectors;The ModBus flow detectors are set with simulation
It is standby, be devices under being respectively connected with ModBus abnormal flow analytical equipments;It is described be devices under respectively with ModBus flows
Detection means is connected with ModBus abnormal flow analytical equipments;The ModBus abnormal flows analytical equipment is set with tested respectively
It is standby to be connected with ModBus flow detectors.
Embodiment described above only expresses the embodiment of the application, and it describes more specific and detailed, but simultaneously
Therefore the limitation to the application protection domain can not be interpreted as.It should be pointed out that for one of ordinary skill in the art
For, on the premise of technical scheme design is not departed from, various modifications and improvements can be made, these belong to this
The protection domain of application.
Claims (10)
1. a kind of industry control abnormal traffic detection system for ModBus agreements, it is characterised in that:Including analog machine, ModBus
Flow detector, be devices under with ModBus abnormal flow analytical equipments, the analog machine be used for simulate without information peace
Full hidden danger and trouble-free normal device, simulation ModBus main websites or slave station;The ModBus flow monitoring devices are used to intercept and capture
Analog machine and the ModBus communication flows between being devices under;It is described to be devices under being that there may be information security hidden danger
Industrial control equipment, abnormal ModBus communication messages may be sent to the equipment of analog machine;The ModBus is abnormal
Flow analysis device is used for all ModBus messages for receiving and showing intercepting and capturing, and with comparative analysis function, can be according to setting
The wall scroll or a plurality of message that rule judgment is intercepted and captured are exception message, so as to judge to be devices under whether having information security hidden
Suffer from.
2. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 1, it is characterised in that:
The analog machine is connected with ModBus flow detectors;It is the ModBus flow detectors and analog machine, tested
Equipment and ModBus abnormal flow analytical equipments are respectively connected with;It is described be devices under respectively with ModBus flow detectors and
ModBus abnormal flows analytical equipment is connected;The ModBus abnormal flows analytical equipment is respectively with being devices under and ModBus
Flow detector is connected.
3. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 1, it is characterised in that:
It is described to be devices under being the single equipment with ModBus communication functions;The analog machine is imitated using support ModBus agreements
Genuine x86 computers;The ModBus abnormal flows analytical equipment uses the industrial computer of x86 frameworks.
4. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 1, it is characterised in that:
The industrial control system for possessing ModBus communication functions for being devices under being made up of a variety of industrial control equipments;It is described
Analog machine is using the known industrial control equipment for supporting ModBus agreements;The ModBus abnormal flows analytical equipment is used
The industrial computer of x86 frameworks.
5. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 1, it is characterised in that
The ModBus flow detectors include:
Main control module, main control module assume responsibility for system administration, the analysis of ModBus protocol massages, and abnormal traffic detection work(
Energy;
Power module, power module is that main control module and other accessory circuits provide power supply, and receives watchdog module to electricity
The management and control of source output;
Bypass modules, Bypass modules are used to ensure ModBus signal energy in the case of device power-off or main control module exception
Normal through device;
ModBus TCP communication modules, the major function of ModBus TCP communication modules is the data processing of ModBus Transmission Control Protocol
With ethernet signal transfer function;
ModBus RTU communication modules, the major function of ModBus RTU communication modules is the data processing of ModBus rtu protocols
With RS485 signal transfer functions;
Watchdog module, watchdog module mainly realizes the monitoring to main control module running status and Bypass modules and electricity
The management function of source module;
Extension storage module, extension storage module is mainly used in storage abnormal flow characteristic information, system configuration, system journal etc.
Information.
6. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 5, it is characterised in that:
The ModBus TCP communications module is connected with main control module and Bypass modules respectively, the ModBus RTU communications mould
Block is connected with main control module and Bypass modules respectively, the Bypass modules respectively with ModBus TCP communications module,
ModBus RTU communication modules, main control module are connected with watchdog module, the watchdog module respectively with Bypass moulds
Block, main control module are connected with power module, and the power module is connected with watchdog module and main control module respectively,
The main control module difference power module, watchdog module, Bypass modules, extension storage module, ModBus TCP communications
Module is connected with ModBus RTU communication modules.
7. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 6, it is characterised in that:
The ModBus TCP communications module includes two Ethernet interfaces, respectively ModBus TCP first interfaces and ModBus TCP
Second interface;The ModBus RTU communication modules include 2 RS485 interfaces, respectively ModBus RTU first interfaces and
ModBus RTU second interfaces.
8. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 7, it is characterised in that:
The Bypass modules include a logic NAND gate circuit and a relay switching circuit, and logic NAND gate circuit connects respectively
Receipts come from main processing block output signal and watchdog module output signal, multiple relays of control relay on-off circuit
Folding;Relay switch is located between ModBus TCP or RTU first interface and second interface, realizes that ModBus signals exist
Signal intercommunication when Bypass functions are opened between ModBus TCP or RTU first interface and second interface.
9. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 6, it is characterised in that:
The main control module is connected with extension storage module by system bus.
10. a kind of industry control abnormal traffic detection system for ModBus agreements according to claim 6, its feature exists
In:Running status lamp is additionally provided with the power module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201720105760.8U CN206611433U (en) | 2017-02-03 | 2017-02-03 | A kind of industry control abnormal traffic detection system for ModBus agreements |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201720105760.8U CN206611433U (en) | 2017-02-03 | 2017-02-03 | A kind of industry control abnormal traffic detection system for ModBus agreements |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN206611433U true CN206611433U (en) | 2017-11-03 |
Family
ID=60168551
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201720105760.8U Active CN206611433U (en) | 2017-02-03 | 2017-02-03 | A kind of industry control abnormal traffic detection system for ModBus agreements |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN206611433U (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110417745A (en) * | 2019-07-03 | 2019-11-05 | 长沙学院 | A kind of rule matching method and system for supporting the processing of ModbusTCP low delay |
-
2017
- 2017-02-03 CN CN201720105760.8U patent/CN206611433U/en active Active
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110417745A (en) * | 2019-07-03 | 2019-11-05 | 长沙学院 | A kind of rule matching method and system for supporting the processing of ModbusTCP low delay |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105573239A (en) | High speed backboard bus communication control device and method | |
| CN203366083U (en) | Environment monitoring unit | |
| CN103220040A (en) | Method and system for switching state of embedded optical port BYPASS | |
| CN106250334A (en) | A kind of information processing system monitored | |
| CN103197231A (en) | Field programmable gate array (FPGA) device for diagnosing and predicting artificial circuit faults | |
| CN101286830A (en) | Double redundant high-speed IO network system based on dual-core controller for cards | |
| CN107172780A (en) | A kind of navaid lamp control system | |
| CN203933666U (en) | A kind of CAN bus repeater | |
| CN106406179A (en) | Modularly-designed multi-interface host, control system comprising same, and control method | |
| US9280426B2 (en) | System and method for server redundancy | |
| CN206611433U (en) | A kind of industry control abnormal traffic detection system for ModBus agreements | |
| CN100419705C (en) | Configurable universal synchronous and asynchronous communication debugging device and bugging method thereof | |
| CN103353778A (en) | Auxiliary monitoring, early-warning and processing system for power distribution automation | |
| CN202042898U (en) | Program controlled bypass protection circuit of network equipment | |
| CN213906954U (en) | Edge computing Internet of things gateway | |
| CN205123760U (en) | Communications management system based on intelligence passes accuse terminal | |
| CN206402261U (en) | A kind of abnormal traffic detection platform for DNP agreements | |
| CN103731316A (en) | Flow monitoring device and method | |
| CN101110019A (en) | Method for implementing remote Shell based on VxWorks operating system | |
| CN206402262U (en) | A kind of DNP protocol anomalies flow detector | |
| CN204795120U (en) | Split type extensible network message storage device | |
| CN208334957U (en) | A kind of exhaust gas concentration control system | |
| CN204392284U (en) | A kind of CAN gateway based on ARM7 | |
| CN113311776A (en) | Control device and system of intelligent zone controller applied to monitoring system | |
| CN203324867U (en) | Smart host based on power distribution automation auxiliary monitoring, early warning and processing system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| GR01 | Patent grant | ||
| GR01 | Patent grant |