WO2015024315A1 - Network intrusion alarm method and system for nuclear power station - Google Patents


Info

Publication number
WO2015024315A1
Authority
WO
WIPO (PCT)
Prior art keywords
warning information
information
historical
instant
module
Prior art date
Application number
PCT/CN2013/087737
Other languages
French (fr)
Chinese (zh)
Inventor
孙永滨
刘高俊
王婷
孙奇
张建波
何大宇
陈卫华
黄伟军
彭华清
王春冰
段奇志
杨华龙
Original Assignee
中广核工程有限公司
中国广核集团有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中广核工程有限公司, 中国广核集团有限公司 filed Critical 中广核工程有限公司
Priority to GB1602102.4A priority Critical patent/GB2532630B/en
Publication of WO2015024315A1 publication Critical patent/WO2015024315A1/en

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/18Network protocols supporting networked applications, e.g. including control of end-device applications over a network
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the invention belongs to the field of nuclear power station security, and particularly relates to a network intrusion alarm method and system for a nuclear power plant.
  • BACKGROUND Intrusion Detection System refers to a system for identifying and processing malicious use behaviors of computers and network resources. As the scale of the network grows larger and larger, the resources on the network become more and more abundant, and the threats from the network are increasing, and the attacks are more and more secret.
  • the data of nuclear power operation is related to national security and social stability. Therefore, it is imperative to construct a network security system to ensure the security of the data center.
  • the industrial control system including the nuclear power plant control system, is an independent network because it is not connected to the Internet. Under normal circumstances, it will not have a virus, and outside hackers can not attack. In addition, the usual hacker and network virus attacks are directed at computer devices, and there is generally no virus for control devices in the industrial control system network.
  • the existing network security system usually consists of a firewall, anti-virus software, and an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS).
  • the commercial intrusion detection system is not deployed in the nuclear power control system for network defense, or the deployed commercial intrusion detection system is also an intrusion detection system based on misuse detection. Since the nuclear power industry network is not connected to the Internet, the virus database for intrusion detection cannot be updated in time in the nuclear power industry network. It is impossible to detect a new virus or a virus designed for a specific industrial control system using a commercial intrusion detection system.
  • the object of the present invention is to provide, for nuclear power control systems facing virus intrusion from the network, a network intrusion alarm method and system for a nuclear power plant that combines anomaly detection technology with misuse detection technology, improving the detection capability of the nuclear power plant control system for network intrusions and perfecting the intrusion alarm mechanism, so as to effectively meet the requirements of the nuclear power plant industrial network for network security protection.
  • the present invention provides a network intrusion alarm method for a nuclear power plant, which includes:
  • Detecting data information sent by the access object where the detection includes misuse detection and protocol abnormal data detection;
  • if the matching result of the instant warning information and the historical warning information does not meet the preset matching value, the intrusion alarm information is sent.
  • the method further includes:
  • the historical early warning information includes a field for the number of early warnings, and if the matching result of the instant warning information and the historical early warning information meets a preset matching value, the number of early warnings is increased by one.
  • the method further includes: performing association analysis on the instant warning information and the historical early warning information, and determining the access purpose of the access object according to a preset association rule.
  • the method further includes: if the access purpose of the access object cannot be determined according to the preset association rule, establishing a new association rule according to the instant warning information, and updating the association rules in real time.
  • the method further comprises: saving the instant warning information to a database, and updating the database.
  • the method further includes: performing blocking of the IP address or port access of the access object according to the intrusion alarm information.
  • the present invention also provides a network intrusion alarm system for a nuclear power plant, comprising:
  • a detecting module configured to detect data information sent by the access object, where the detecting includes misuse detection and protocol abnormal data detection;
  • the warning module is configured to generate instant warning information if the result of detecting the data information by the detecting module is abnormal;
  • a matching module configured to match the early warning information generated by the early warning module with historical warning information in a database
  • the alarm module is configured to: if the matching result of the instant warning information and the historical warning information does not meet the preset matching value, issue an intrusion alarm message.
  • the system further includes: a receiving module, configured to receive data information sent by the access object.
  • the system further includes: a database, configured to store historical warning information, where the historical warning information includes a field for the number of warnings; if the matching result of the instant warning information and the historical warning information meets a preset matching value, the number of warnings is increased by one.
  • the system further includes: an analysis module, configured to perform association analysis on the instant warning information and the historical early warning information, and to determine the access purpose of the access object according to a preset association rule.
  • the system further includes: an adaptive module, configured to save a preset association rule; if the analysis module cannot determine the access purpose of the access object according to the preset association rule, the adaptive module establishes a new association rule according to the instant warning information and updates the association rule in real time.
  • the system further includes: an update module, configured to save the instant warning information to a database, and update the database.
  • an execution module configured to perform blocking of an IP address or port access of the access object according to the intrusion alarm information.
  • the network intrusion alarm method and system of the nuclear power plant of the invention has the following beneficial technical effects:
  • the analysis and matching are performed on the basis of the above detection, and the alarm is issued according to the matching result, thereby realizing intrusion alarming adapted to the network environment of the nuclear power plant control system;
  • the detection capability and alarm mechanism of the nuclear power plant control system for network intrusion are improved, and the requirements of the nuclear power plant industrial network for network security protection are effectively met, and good technical results are obtained.
  • FIG. 1 provides a flow chart of one embodiment of a network intrusion alarm method for a nuclear power plant of the present invention.
  • Figure 2 provides a schematic diagram of one embodiment of a network intrusion alarm system for a nuclear power plant of the present invention.
  • Figure 3 provides a schematic diagram of yet another embodiment of a network intrusion alarm system for a nuclear power plant of the present invention.
  • DETAILED DESCRIPTION Network intrusion detection technology is divided into two categories according to its working principle: misuse detection technology and anomaly detection technology.
  • the misuse detection technology is based on matching the features of data messages. This detection technology has high accuracy, but it cannot discover new intrusion patterns, so those intrusions go unreported (missed detections).
  • Anomaly detection technology, such as a Protocol Anomaly Detection System (PADS), can discover new network intrusions, but it has a high false positive rate and requires a large number of training samples. At present, the combination of misuse detection technology and anomaly detection technology in the field of nuclear power control systems is still blank.
  • FIG. 1 provides a network intrusion alarm method for a nuclear power plant, which specifically includes: Step 101: Detecting data information sent by an access object, where the detection includes misuse detection and protocol anomaly data detection.
  • the nuclear power intrusion alarm management system receives the data information sent by the access object; specifically, the accessed data information enters the control system application server through the switch.
  • the nuclear power intrusion detection alert management system (ND-IDAMS), installed on a computer server, obtains the data information of the access object through the switch.
  • the nuclear power intrusion alarm management system receives the data information sent by the access object.
  • the access object can also send data information to the nuclear power plant control system through the server.
  • the nuclear power intrusion alarm management system detects the data information sent by the access object, where the detection includes misuse detection and protocol anomaly data detection. Specifically, the nuclear power intrusion alarm management system calls the misuse detection module to detect the data information; further, it performs protocol anomaly data detection (PADS) on the data information, and PADS can use a Markov model to detect the protocol in the network data.
  • the nuclear power intrusion alarm management system can detect data information through a networked commercial intrusion detection system (IPS or IDS).
  • the nuclear power intrusion alarm management system can be connected to multiple commercial intrusion detection systems (IPS or IDS).
  • Step 103: Generating instant warning information if the result of detecting the data information is abnormal.
  • if the detection result is normal, the data is passed and the relevant system can be accessed normally. If the result of detecting the data information is abnormal, the nuclear power intrusion alarm management system generates instant warning information.
  • Step 105: Matching the instant warning information with the historical warning information in the database.
  • the nuclear power intrusion alarm management system matches the instant warning information with the historical warning information stored in the database, and a classification algorithm determines whether historical warning information that is the same as the instant warning information exists in the database.
  • the foregoing method further includes: pre-setting a matching value between the instant warning information and the historical warning information.
  • the matching value between the instant warning information and the historical warning information may be preset. For example, if the matching value is set to 75% and the similarity between the instant warning information and the historical warning information is 75% or more, the instant warning information is regarded as matching the historical warning information. The matching value can be adjusted as needed.
  • the historical warning information includes a field of the number of warnings. If the matching result of the instant warning information and the historical warning information meets a preset matching value, the number of warnings increases once.
  • the historical warning information includes at least the content of the warning and the number of warnings. When the instant warning information matches the historical warning information, the content of the warning is unchanged, and the number of warnings is increased once.
  • correlation analysis is performed on the instant warning information and the historical warning information, and the access purpose of the access object is determined according to the association rule set in advance.
  • Step 107: If the matching result of the instant warning information and the historical warning information does not meet the preset matching value, the intrusion alarm information is sent.
  • for example, if the matching value is set to 75% and the similarity between the instant warning information and the historical warning information is less than 75%, the instant warning information and the historical warning information are determined to be mismatched. If the matching result of the instant warning information and the historical warning information does not meet the preset matching value, the nuclear power intrusion alarm management system issues the intrusion alarm information.
  • if no historical warning information in the database is similar to or matches the received real-time warning information at the matching value, the administrator confirms it and establishes a new alert fusion classification and association rules for it. By viewing the association table of attack alerts that have occurred, the administrator can update the existing association rules.
  • the instant warning information is saved to the database, and the database is updated: new early warning fusion classifications and association rules are established, and the database is updated in real time.
  • blocking of the IP address or port access of the access object is performed according to the intrusion alarm information, in coordination with a firewall or IPS that blocks access to the IP address or port to which the access object belongs.
  • the detecting module 201 is configured to detect data information sent by the access object, and the detecting includes misuse detection and protocol abnormal data detection;
  • the warning module 203 is configured to generate an instant warning information if the result of detecting the data information by the detecting module 201 is abnormal;
  • the matching module 205 is configured to match the generated early warning information generated by the early warning module 203 with the historical warning information in the database;
  • the alarm module 207 is configured to issue intrusion alarm information if the matching result of the instant warning information and the historical warning information does not meet the preset matching value.
  • Figure 3 provides a schematic diagram of one embodiment of a network intrusion alarm system for a nuclear power plant.
  • the system includes: a receiving module 301, a detecting module 303, an alerting module 305, a matching module 307, an alarm module 309, an updating module 311, a database 313, an analyzing module 315, an adaptive module 317, and an executing module 319.
  • the receiving module 301 is configured to receive data information sent by the access object.
  • the accessed data information enters the control system application server through the switch.
  • the receiving module 301 of the nuclear power intrusion alarm management system (ND-IDAMS), installed on the computer server, obtains the data information of the access object through the switch.
  • the receiving module 301 receives the data information transmitted by the access object.
  • the access object may also send data information to the nuclear power plant control system through the server, and then the receiving module 301 receives the data information.
  • the detecting module 303 is configured to detect data information sent by the access object, where the detecting includes misuse detection and protocol abnormal data detection;
  • the detecting module 303 detects the data information sent by the access object and received by the receiving module 301; the detection performed by the detecting module 303 includes misuse detection and protocol anomaly data detection.
  • the detecting module 303 performs protocol anomaly data detection (PADS) on the data information, and PADS can detect the protocol in the network data by using a Markov model.
  • the detection module 303 can detect the data information through a networked commercial intrusion detection system (IPS or IDS).
  • the detection module 303 can be connected to a plurality of commercial intrusion detection systems (IPS or IDS).
  • the warning module 305 is configured to generate an instant warning information if the result of detecting the data information by the detecting module is abnormal;
  • data that the detecting module 303 passes as normal can access the relevant system normally. If the result of detecting the data information is abnormal, the early warning module 305 generates the instant warning information.
  • the matching module 307 is configured to match the early warning information generated by the early warning module 305 with the historical warning information in the database;
  • the matching module 307 matches the instant warning information with the historical warning information stored in the database 313, and a classification algorithm determines whether historical warning information that is the same as the instant warning information exists in the database 313.
  • the system further includes a setting module, configured to preset a matching value between the instant warning information and the historical warning information.
  • the matching module 307 can preset a matching value for matching the real-time warning information with the historical warning information. For example, if the matching value is set to 75% and the similarity between the instant warning information and the historical warning information is 75% or more, the instant warning information is regarded as matching the historical warning information. The matching value can be adjusted as needed.
  • when historical warning information matching the instant warning information is found, the instant warning is classified into the same type of early warning. No matter how many items of instant warning information arrive, as long as they match the historical warning information, what is returned is the historical warning information, which greatly reduces the repetition of similar warnings.
  • the database 313 is configured to save historical warning information, and the historical warning information includes a field of the number of early warnings. If the matching result of the instant warning information and the historical warning information meets the preset matching value, the number of warnings is increased once.
  • the historical warning information includes at least the content of the warning and the number of warnings. When the instant warning information matches the historical warning information, the content of the warning is unchanged, and the number of warnings is increased once.
  • the update module 311 is configured to save the instant alert information to the database 313 and update the database 313.
  • the analysis module 315 is configured to perform association analysis on the instant warning information and the historical warning information, and determine the access purpose of the access object according to the association rule set in advance.
  • the adaptation module 317 is configured to save a preset association rule. If the analysis module 315 cannot determine the access purpose of the access object according to the preset association rule, the adaptation module 317 establishes a new association rule according to the instant warning information and updates the association rules in real time.
  • the alarm module 309 is configured to: if the matching module 307 determines that the matching result of the instant warning information and the historical warning information does not meet the preset matching value, issue the intrusion alarm information.
  • the executing module 319 is configured to perform blocking of the IP address or port access of the access object according to the intrusion alarm information.
  • the present invention has at least the following advantageous technical effects with respect to the prior art:
  • the analysis and matching are performed on the basis of the above detection, and the alarm is issued according to the matching result, thereby realizing intrusion alarming adapted to the network environment of the nuclear power plant control system;
  • by combining anomaly detection technology and misuse detection technology, the detection capability and alarm mechanism of the nuclear power plant control system for network intrusion are improved, and the requirements for network security protection of the nuclear power plant industrial network are effectively met;
  • since the intrusion alarm information is discovered in time, the database and the intrusion types can be continuously updated adaptively, and policy-based alarm handling such as blocking an IP address or port can be performed, so that the security of nuclear power plant control is guaranteed and good technical results are achieved.
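The Markov-model form of protocol anomaly detection that the PADS step (Step 101, detecting module 303) relies on is only named on the page. The following is an added example, not code from the patent or its assignee, of how such a detector can be built: each protocol session is modelled as a sequence of protocol states, transition probabilities are learned from sessions assumed to be normal, and a session is flagged when it contains a state the model has never seen or a transition whose learned probability is below a threshold. The state names, the sample sessions, the smoothing constant and the 0.05 threshold are constructed assumptions and do not come from the page.

```python
"""Protocol anomaly detection (PADS) with a first-order Markov model.

Added example, not code from the patent. Each protocol session is a
sequence of protocol states; the model learns transition probabilities
from sessions assumed to be normal and flags a session that contains a
state it has never seen or a transition whose probability falls below a
threshold. State names and sessions are constructed for illustration and
do not describe any real plant protocol.
"""
import math

START, END = "<start>", "<end>"   # virtual states bounding every session


class MarkovProtocolModel:
    def __init__(self, smoothing=0.01):
        self.smoothing = smoothing  # additive smoothing for unseen transitions
        self.counts = {}            # counts[a][b]: times state a was followed by b
        self.states = set()

    def train(self, sessions):
        """Count state transitions over sessions assumed to be normal."""
        for session in sessions:
            seq = [START, *session, END]
            self.states.update(seq)
            for a, b in zip(seq, seq[1:]):
                row = self.counts.setdefault(a, {})
                row[b] = row.get(b, 0) + 1

    def transition_prob(self, a, b):
        """Smoothed P(b | a); unseen transitions get a small non-zero value."""
        row = self.counts.get(a, {})
        total = sum(row.values()) + self.smoothing * len(self.states)
        return (row.get(b, 0) + self.smoothing) / total

    def score(self, session, threshold=0.05):
        """Verdict for one session: anomalous, why, and the weakest transition."""
        unknown = [s for s in session if s not in self.states]
        if unknown:
            return {"anomalous": True, "reason": "unknown state",
                    "detail": unknown[0], "min_prob": 0.0}
        seq = [START, *session, END]
        worst, worst_p, log_lik = None, 1.0, 0.0
        for a, b in zip(seq, seq[1:]):
            p = self.transition_prob(a, b)
            log_lik += math.log(p)
            if p < worst_p:
                worst, worst_p = (a, b), p
        anomalous = worst_p < threshold
        return {"anomalous": anomalous,
                "reason": "unlikely transition" if anomalous else "normal",
                "detail": worst, "min_prob": worst_p, "log_likelihood": log_lik}


# Constructed sessions of a simplified read/write protocol: every normal
# session authenticates before any read or write request.
NORMAL_SESSIONS = [
    ("CONNECT", "AUTH", "READ_REQ", "READ_RESP", "CLOSE"),
    ("CONNECT", "AUTH", "READ_REQ", "READ_RESP", "READ_REQ", "READ_RESP", "CLOSE"),
    ("CONNECT", "AUTH", "WRITE_REQ", "WRITE_RESP", "CLOSE"),
    ("CONNECT", "AUTH", "READ_REQ", "READ_RESP", "WRITE_REQ", "WRITE_RESP", "CLOSE"),
    ("CONNECT", "AUTH", "WRITE_REQ", "WRITE_RESP", "READ_REQ", "READ_RESP", "CLOSE"),
    ("CONNECT", "AUTH", "READ_REQ", "READ_RESP", "CLOSE"),
]


def build_demo_model():
    """Train the model on the constructed normal sessions."""
    model = MarkovProtocolModel()
    model.train(NORMAL_SESSIONS)
    return model


if __name__ == "__main__":
    model = build_demo_model()
    for session in [
        ("CONNECT", "AUTH", "WRITE_REQ", "WRITE_RESP", "CLOSE"),   # normal
        ("CONNECT", "WRITE_REQ", "WRITE_RESP", "CLOSE"),           # write without AUTH
        ("CONNECT", "AUTH", "FIRMWARE_UPLOAD", "CLOSE"),           # state never seen
    ]:
        print(session, "->", model.score(session))
```

In a deployment the states would come from a protocol parser and the model would be retrained only on traffic confirmed normal; the threshold is the knob that trades the high false positive rate the page attributes to anomaly detection against sensitivity, and the per-session log-likelihood can be used to rank sessions for the administrator instead of making a hard decision.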

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Medical Informatics (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Monitoring And Testing Of Nuclear Reactors (AREA)
  • Alarm Systems (AREA)

Abstract

Disclosed is a network intrusion alarm method for a nuclear power station, which comprises: detecting data information sent by an access object, the detection comprising misuse detection and protocol abnormality data detection; if the result of the data information detection is abnormal, generating instant pre-alarm information; matching the instant pre-alarm information with historical pre-alarm information in a database; and if the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a pre-set matching value, sending intrusion alarm information. The network intrusion alarm method for a nuclear power station of the present invention effectively satisfies the requirements of a nuclear power station industry network for network security protection. In addition, further disclosed is a network intrusion alarm system for a nuclear power station.

Description

Network intrusion alarm method and system for a nuclear power plant
Technical field
The invention belongs to the field of nuclear power station security, and particularly relates to a network intrusion alarm method and system for a nuclear power plant.
Background art
An Intrusion Detection System (IDS) is a system that identifies and responds to malicious use of computer and network resources. As networks grow ever larger, the resources on them become ever richer, the threats coming from the network multiply, and attacks become increasingly covert. Nuclear power operating data bears on national security and social stability, so building a network security system to protect the data center is imperative. Industrial control systems, including nuclear power plant control systems, are independent networks because they are not connected to the Internet. Under normal circumstances no virus would be present in them and outside hackers cannot attack them. Moreover, ordinary hacker and network virus attacks target computer equipment, and there are generally no viruses aimed at the control devices in an industrial control system network.
In nuclear power control systems, with the development of information technology and for convenience of system integration and use, industrial Ethernet ring networks and the OLE for Process Control (OPC) communication protocol are widely used to integrate nuclear power control systems. PC servers and terminal products are also used extensively, and nuclear power operating systems and databases make heavy use of general-purpose systems. Although the nuclear power industrial network is not connected to the Internet and nuclear power plants have established many rules, in practice people often fail to follow them. Behaviour such as using a USB flash drive on both the Internet and the nuclear power industrial network, or using unchecked optical discs, can easily lead to viruses, Trojans and hacker attacks from the corporate management network or the Internet, which may in turn cause failures in the actual physical system. Nuclear power operating data bears on national security and social stability, so building a network security system to protect the data center is imperative.
Existing network security systems usually consist of a firewall, anti-virus software, and an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS). However, no commercial intrusion detection system is deployed in nuclear power control systems for network defense, or the commercial intrusion detection system that is deployed is itself based on misuse detection. Because the nuclear power industrial network is not connected to the Internet, the virus signature database used for intrusion detection cannot be updated in time, so a commercial intrusion detection system cannot detect new viruses or viruses designed for a specific industrial control system.
Therefore, how to detect and give early warning of virus intrusion from the network is a problem that nuclear power security urgently needs to solve.
SUMMARY OF THE INVENTION
The object of the present invention is to provide a network intrusion alarm method and system for a nuclear power plant, directed at virus intrusions that may arrive over the network of the plant control system. By combining anomaly detection with misuse detection, it improves the control system's ability to detect network intrusions and completes the intrusion alarm mechanism, effectively meeting the network security protection requirements of the plant's industrial network.
To achieve this object, the present invention provides a network intrusion alarm method for a nuclear power plant, which includes:
detecting the data information sent by an access object, the detection including misuse detection and protocol anomaly detection;
if the result of detecting the data information is abnormal, generating instant warning information;
matching the instant warning information against historical warning information in a database;
if the match between the instant warning information and the historical warning information does not meet a preset match value, issuing intrusion alarm information.
As an improvement of the network intrusion alarm method of the present invention, the method further includes receiving the data information sent by the access object.
As a further improvement, the historical warning information includes a field for the number of warnings, and if the match between the instant warning information and the historical warning information meets the preset match value, the number of warnings is incremented by one.
As a further improvement, the method further includes performing association analysis on the instant warning information and the historical warning information, and judging the access purpose of the access object according to preset association rules.
As a further improvement, if the access purpose of the access object cannot be judged from the preset association rules, a new association rule is established from the instant warning information and the association rules are updated immediately.
As a further improvement, the instant warning information is saved to the database and the database is updated.
As a further improvement, access from the IP address or port to which the access object belongs is blocked according to the intrusion alarm information.
To achieve the above object, the present invention also provides a network intrusion alarm system for a nuclear power plant, which includes:
a detection module for detecting the data information sent by an access object, the detection including misuse detection and protocol anomaly detection;
a warning module for generating instant warning information if the detection module finds the data information abnormal;
a matching module for matching the instant warning information generated by the warning module against historical warning information in a database;
an alarm module for issuing intrusion alarm information if the match between the instant warning information and the historical warning information does not meet a preset match value.
As an improvement of the network intrusion alarm system of the present invention, the system further includes a receiving module for receiving the data information sent by the access object.
As a further improvement, the system includes a database for storing the historical warning information, which includes a field for the number of warnings; if the match between the instant warning information and the historical warning information meets the preset match value, the number of warnings is incremented by one.
As a further improvement, the system includes an analysis module for performing association analysis on the instant warning information and the historical warning information and judging the access purpose of the access object according to preset association rules.
As a further improvement, the system includes an adaptive module for storing the preset association rules; if the analysis module cannot judge the access purpose of the access object from the preset association rules, the adaptive module establishes a new association rule from the instant warning information and updates the association rules immediately.
As a further improvement, the system includes an update module for saving the instant warning information to the database and updating the database.
As a further improvement, the system includes an execution module for blocking access from the IP address or port to which the access object belongs according to the intrusion alarm information.
Compared with the prior art, the network intrusion alarm method and system of the present invention have the following beneficial technical effects:
Through misuse detection and protocol anomaly detection of the data sent by an access object, analysis and matching on the basis of that detection, and alarming according to the match result, the invention achieves adaptive detection of intrusions into the network environment of the plant control system. By combining anomaly detection with misuse detection, it improves the control system's detection capability and alarm mechanism, effectively meeting the network security protection requirements of the plant's industrial network.

BRIEF DESCRIPTION OF THE DRAWINGS
The network intrusion alarm method and system of the present invention are described in detail below with reference to the drawings and specific embodiments, in which:
Figure 1 is a flow chart of one embodiment of the network intrusion alarm method for a nuclear power plant of the present invention.
Figure 2 is a schematic diagram of one embodiment of the network intrusion alarm system for a nuclear power plant of the present invention.
Figure 3 is a schematic diagram of another embodiment of the network intrusion alarm system for a nuclear power plant of the present invention.

DETAILED DESCRIPTION
To make the object, technical solution and beneficial effects of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments. The embodiments described in this specification serve only to explain the invention and do not limit it.
Network intrusion detection techniques fall into two classes by their working principle: misuse detection and anomaly detection. Misuse detection matches packet features against known signatures; it is highly accurate, but it cannot discover new intrusion patterns and therefore misses them. Anomaly detection, such as protocol anomaly detection (Protocol Anomaly Detection System, PADS), builds a descriptive model of normal network behaviour from data such as network connection characteristics, system call characteristics, traffic characteristics and system latency, and treats a significant deviation of user activity from normal behaviour as an intrusion. It can discover new kinds of network intrusion, but it has a high false positive rate and needs a large number of training samples. Applying the two techniques in combination to nuclear power control systems has not previously been done.
Referring to Figure 1, a network intrusion alarm method for a nuclear power plant includes the following steps.
Step 101: detect the data information sent by an access object; the detection includes misuse detection and protocol anomaly detection.
The nuclear power intrusion alert management system receives the data information sent by the access object. Specifically, the accessed data enters the control system application server through a switch, and the Intrusion Detection Alert Management System (IDAMS, here ND-IDAMS) installed on a computer server obtains the access object's data from that switch.
Optionally, the access object may also send its data to the plant control system through a server, from which the management system receives it.
The management system then detects the data: it invokes a misuse detection module to check the data against known signatures, and further performs protocol anomaly detection (PADS) on the data. PADS can use a Markov model of the protocol to detect anomalous protocol behaviour in the network data.
Optionally, the management system can also perform the detection through one or more networked commercial intrusion detection systems (IPS or IDS) to which it is connected.
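The two detection stages of step 101, as an added example that is not part of the patent (the description says only that PADS can use a Markov model, without specifying one): a small signature matcher for the misuse stage, and a first-order Markov chain over protocol message types for the anomaly stage, trained on normal sessions and calibrated so that a session scoring well below the worst normal session is flagged. The message types, signatures, sessions, smoothing constant and calibration margin are all constructed assumptions; OPC itself and real plant traffic are not modelled.

```python
"""
Added example, not code from the patent: misuse (signature) detection plus a
first-order Markov protocol-anomaly detector over message-type sequences.
Message types, signatures, sessions and tuning constants are constructed for
illustration and do not describe any real plant network or the OPC protocol.
"""
import math
from collections import defaultdict

# ---- Misuse detection: signature matching on raw payload bytes ------------
# Constructed, hypothetical signatures. A deployment loads these from a
# signature database, which on an isolated network is exactly what goes stale.
SIGNATURES = {
    "SIG-0001 shell metacharacters in tag name": b"; /bin/sh",
    "SIG-0002 oversized write padding": b"\xff" * 64,
}


def misuse_detect(payload: bytes) -> list:
    """Return the names of every signature found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


# ---- Anomaly detection: first-order Markov model over message types --------
START, END = "<s>", "</s>"


class MarkovProtocolModel:
    """Learns P(next message type | current message type) from normal sessions
    and scores a session by its mean log-probability per transition. A
    transition never seen in training gets only the smoothing mass `alpha`,
    so a session built from such transitions scores far below normal ones."""

    def __init__(self, alpha: float = 0.01):
        self.alpha = alpha                       # Laplace smoothing weight
        self.counts = defaultdict(lambda: defaultdict(int))
        self.symbols = set()
        self.threshold = None

    def train(self, sessions, margin: float = 0.5):
        for session in sessions:
            seq = [START, *session, END]
            self.symbols.update(seq)
            for cur, nxt in zip(seq, seq[1:]):
                self.counts[cur][nxt] += 1
        # Calibration (constructed choice): flag anything scoring `margin`
        # nats below the worst-scoring normal training session.
        self.threshold = min(self.score(s) for s in sessions) - margin

    def transition_logprob(self, cur: str, nxt: str) -> float:
        row = self.counts.get(cur, {})
        total = sum(row.values())
        vocab = len(self.symbols) + 1            # +1 keeps mass for unseen symbols
        return math.log((row.get(nxt, 0) + self.alpha) / (total + self.alpha * vocab))

    def score(self, session) -> float:
        seq = [START, *session, END]
        lps = [self.transition_logprob(c, n) for c, n in zip(seq, seq[1:])]
        return sum(lps) / len(lps)

    def is_anomalous(self, session) -> bool:
        return self.score(session) < self.threshold


def inspect(model: MarkovProtocolModel, session, payload: bytes) -> dict:
    """Run both detectors; return instant warning information (step 103) for
    an abnormal result, or an empty dict when the data passes."""
    hits = misuse_detect(payload)
    anomalous = model.is_anomalous(session)
    if not hits and not anomalous:
        return {}
    return {"misuse_signatures": hits, "protocol_anomaly": anomalous,
            "anomaly_score": round(model.score(session), 3)}


# ---- Constructed normal traffic: message-type sequences of client sessions --
NORMAL_SESSIONS = [
    ["CONNECT", "BROWSE", "READ", "READ", "DISCONNECT"],
    ["CONNECT", "READ", "READ", "READ", "DISCONNECT"],
    ["CONNECT", "BROWSE", "READ", "WRITE", "READ", "DISCONNECT"],
    ["CONNECT", "READ", "WRITE", "DISCONNECT"],
    ["CONNECT", "BROWSE", "READ", "READ", "READ", "DISCONNECT"],
    ["CONNECT", "READ", "DISCONNECT"],
]


def build_model() -> MarkovProtocolModel:
    model = MarkovProtocolModel()
    model.train(NORMAL_SESSIONS)
    return model


if __name__ == "__main__":
    m = build_model()
    print(inspect(m, ["CONNECT", "BROWSE", "READ", "DISCONNECT"], b"READ tag=PUMP_01"))
    print(inspect(m, ["WRITE", "WRITE", "WRITE", "WRITE"], b"WRITE tag=PUMP_01; /bin/sh"))
```

Because the model only counts transitions present in normal traffic, an isolated network that receives no signature updates still gains coverage: a client that writes without first connecting, or repeats writes in a pattern the normal sessions never contained, scores far below the calibrated threshold even though no signature names it. The cost is the one the description points out: the threshold is only as good as the normal sessions used to train it, and a rare but legitimate sequence absent from training is reported as an anomaly.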
Step 103: if the result of detecting the data information is abnormal, generate instant warning information.
Data that passes detection is allowed to access the relevant system normally; if the detection result is abnormal, the management system generates instant warning information.
Step 105: match the instant warning information against the historical warning information in the database.
Specifically, the management system matches the instant warning against the historical warnings stored in the database, and a classification algorithm determines whether a historical warning corresponding to the instant warning already exists there.
Optionally, the method further includes presetting the match value between instant warning information and historical warning information.
For example, with the match value set to 75%, an instant warning that agrees with a historical warning on 75% or more of its content (75% inclusive) is judged to match it. The match value can be adjusted as needed.
If a matching historical warning is found, the instant warning is placed in the same warning class: however many instant warnings arrive, as long as they match that historical warning, the fused result returned is that single historical warning, which greatly reduces repeated reports of similar warnings.
Optionally, the historical warning information includes a field for the number of warnings; if the match between the instant warning and the historical warning meets the preset match value, the number of warnings is incremented by one. For example, a historical warning consists of at least the warning content and the number of warnings: when an instant warning matches it, the content is unchanged and the count increases by one.
Further, association analysis is performed on the instant warning and the historical warnings, and the access purpose of the access object is judged according to preset association rules.
Step 107: if the match between the instant warning information and the historical warning information does not meet the preset match value, issue intrusion alarm information.
For example, with the match value set to 75%, an instant warning that agrees with the historical warning on less than 75% is judged not to match, and the management system issues intrusion alarm information.
If the access purpose of the access object cannot be judged from the preset association rules, a new association rule is established from the instant warning and the association rules are updated immediately.
Concretely, a received instant warning for which the database holds no similar or matching historical warning is confirmed by the administrator, who creates a new warning fusion class and association rule for it. By reviewing the association table of attack warnings that have already occurred, the administrator can also update existing association rules.
Further, the instant warning is saved to the database and the database is updated: the new fusion class and association rule are created and the database is updated immediately.
Further, access from the IP address or port to which the access object belongs is blocked according to the intrusion alarm information, through linkage with a firewall or IPS.
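Steps 105 and 107 together, as an added example that is not the patent's own code: an in-memory history table, the 75% match value from the example above, a counter incremented on a match, an alarm plus a block decision on a mismatch, and the adaptive step that derives a candidate rule when no preset association rule can judge the access purpose. The patent does not say how the degree of agreement between two warnings is computed; the weighted field comparison, the field names, the rule predicates and the sample warnings are constructed assumptions.

```python
"""
Added example, not code from the patent: matching, fusion, association and
blocking for steps 105 and 107 over a small in-memory history table. The
patent gives the 75% match value but not how agreement between two warnings
is computed; the weighted field comparison, field names, rule predicates and
sample warnings below are constructed for illustration.
"""
from dataclasses import dataclass, field

MATCH_VALUE = 75   # preset match value in percent, as in the patent's example

# Constructed per-field weights in percent, summing to 100. Integer weights
# avoid floating-point rounding at exactly the 75% boundary.
WEIGHTS = {"src_ip": 25, "dst_ip": 15, "dst_port": 15, "protocol": 15, "category": 30}


@dataclass(frozen=True)
class WarningInfo:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    category: str        # signature id, or "protocol-anomaly" from PADS


@dataclass
class HistoryEntry:
    warning: WarningInfo
    count: int = 1       # the patent's "number of warnings" field


def similarity(a: WarningInfo, b: WarningInfo) -> int:
    """Weighted percentage of fields on which two warnings agree."""
    return sum(w for f, w in WEIGHTS.items() if getattr(a, f) == getattr(b, f))


# Constructed association rules as (predicate, access purpose) pairs; the
# patent's adaptive module holds the preset rules and adds new ones.
DEFAULT_RULES = [
    (lambda w: w.category == "protocol-anomaly" and w.dst_port == 135,
     "DCOM/OPC enumeration"),
    (lambda w: w.category.startswith("SIG-") and w.dst_port == 502,
     "exploit attempt against a field controller"),
]


@dataclass
class AlertManager:
    history: list = field(default_factory=list)
    rules: list = field(default_factory=lambda: list(DEFAULT_RULES))
    pending_rules: list = field(default_factory=list)  # await admin confirmation
    blocked: list = field(default_factory=list)        # (ip, port) hand-offs

    def best_match(self, w: WarningInfo):
        """Closest historical entry and its similarity, or (None, 0)."""
        if not self.history:
            return None, 0
        entry = max(self.history, key=lambda e: similarity(w, e.warning))
        return entry, similarity(w, entry.warning)

    def judge_purpose(self, w: WarningInfo) -> str:
        """Apply the association rules; derive a candidate rule if none fits."""
        for predicate, purpose in self.rules:
            if predicate(w):
                return purpose
        purpose = f"unclassified: {w.category} towards port {w.dst_port}"
        self.rules.append((lambda x, c=w.category, p=w.dst_port:
                           x.category == c and x.dst_port == p, purpose))
        self.pending_rules.append(purpose)   # administrator confirms later
        return purpose

    def handle(self, w: WarningInfo) -> dict:
        """Fuse a matching instant warning into history, or alarm and block."""
        entry, sim = self.best_match(w)
        if entry is not None and sim >= MATCH_VALUE:
            entry.count += 1
            return {"action": "fused", "similarity": sim, "count": entry.count}
        self.history.append(HistoryEntry(w))   # save and update the database
        purpose = self.judge_purpose(w)
        block = (w.src_ip, w.dst_port)
        self.blocked.append(block)             # passed to the firewall or IPS
        return {"action": "alarm", "similarity": sim,
                "purpose": purpose, "block": block}


if __name__ == "__main__":
    mgr = AlertManager()
    # Constructed sample warnings: the second differs from the first only in
    # source address and is fused; the third is unrelated and raises an alarm.
    for w in [WarningInfo("10.0.0.5", "10.0.1.20", 135, "tcp", "protocol-anomaly"),
              WarningInfo("10.0.0.6", "10.0.1.20", 135, "tcp", "protocol-anomaly"),
              WarningInfo("10.0.0.7", "10.0.1.30", 502, "tcp", "SIG-0002")]:
        print(mgr.handle(w))
```

Two points the code makes explicit. First, the match value is inclusive, so a warning that differs from a historical one only in source address scores exactly 75 and is fused rather than alarmed; an attacker rotating source addresses is then counted on one entry instead of raising a fresh alarm each time. Whether that is the desired behaviour depends on which fields carry weight, which is why the weights are a tunable table rather than fixed code. Second, a rule derived from an unclassified warning is only a candidate: the patent has the administrator confirm it, so the manager records it in a pending list instead of treating it as authoritative.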
Through misuse detection and protocol anomaly detection of the data sent by an access object, analysis and matching on the basis of that detection, and alarming according to the match result, the method achieves adaptive detection of intrusions into the network environment of the plant control system. At the same time, by combining anomaly detection with misuse detection, it improves the control system's detection capability and alarm mechanism, effectively meeting the network security protection requirements of the plant's industrial network.
Figure 2 is a schematic diagram of one embodiment of a network intrusion alarm system for a nuclear power plant. It includes a detection module 201, a warning module 203, a matching module 205 and an alarm module 207. Specifically:
the detection module 201 detects the data information sent by an access object, the detection including misuse detection and protocol anomaly detection;
the warning module 203 generates instant warning information if the detection module 201 finds the data information abnormal;
the matching module 205 matches the instant warning information generated by the warning module 203 against the historical warning information in the database;
the alarm module 207 issues intrusion alarm information if the match between the instant warning information and the historical warning information does not meet the preset match value.
The implementation of the system follows the method embodiment described above and is not repeated here.
Referring to Figure 3, which is a schematic diagram of another embodiment of a network intrusion alarm system for a nuclear power plant, the system includes a receiving module 301, a detection module 303, a warning module 305, a matching module 307, an alarm module 309, an update module 311, a database 313, an analysis module 315, an adaptive module 317 and an execution module 319. Specifically:
The receiving module 301 receives the data information sent by the access object. The accessed data enters the control system application server through a switch, and the receiving module 301 of the nuclear power intrusion alert management system ND-IDAMS installed on a computer server obtains the access object's data from that switch. Optionally, the access object may also send its data to the plant control system through a server, from which the receiving module 301 receives it.
The detection module 303 detects the data information received by the receiving module 301; the detection includes misuse detection and protocol anomaly detection. In particular, the detection module 303 performs protocol anomaly detection (PADS) on the data, and PADS can use a Markov model to detect anomalous protocol behaviour in the network data. Optionally, the detection module 303 can perform the detection through one or more networked commercial intrusion detection systems (IPS or IDS) to which it is connected.
The warning module 305 generates instant warning information if the detection module finds the data information abnormal; data that the detection module 303 passes accesses the relevant system normally.
The matching module 307 matches the instant warning information generated by the warning module 305 against the historical warning information in the database: it determines through a classification algorithm whether a historical warning corresponding to the instant warning exists in the database 313. Optionally, the system further includes a setting module for presetting the match value between instant and historical warnings; the matching module 307 can also preset it. For example, with the match value set to 75%, an instant warning agreeing with a historical warning on 75% or more (75% inclusive) is judged to match it; the match value can be adjusted as needed. If a matching historical warning is found, the instant warning is placed in the same warning class; however many instant warnings arrive, as long as they match that historical warning, the fused result returned is that single historical warning, which greatly reduces repeated reports of similar warnings.
The database 313 stores the historical warning information, which includes a field for the number of warnings; if the match between the instant warning and the historical warning meets the preset match value, the number of warnings is incremented by one. For example, a historical warning consists of at least the warning content and the number of warnings: when an instant warning matches it, the content is unchanged and the count increases by one.
If the instant warning does not match any historical warning, the update module 311 saves the instant warning information to the database 313 and updates the database 313.
The analysis module 315 performs association analysis on the instant warning information and the historical warning information, and judges the access purpose of the access object according to preset association rules.
The adaptive module 317 stores the preset association rules; if the analysis module 315 cannot judge the access purpose of the access object from them, the adaptive module 317 establishes a new association rule from the instant warning information and updates the association rules immediately.
The alarm module 309 issues intrusion alarm information if the matching module 307 finds that the match between the instant warning information and the historical warning information does not meet the preset match value.
The execution module 319 blocks access from the IP address or port to which the access object belongs according to the intrusion alarm information.
From the detailed description above, the present invention has at least the following beneficial technical effects over the prior art:
Through misuse detection and protocol anomaly detection of the data sent by an access object, analysis and matching on that basis, and alarming according to the match result, the system achieves adaptive detection of intrusions into the network environment of the plant control system. By combining anomaly detection with misuse detection, it improves the control system's detection capability and alarm mechanism, effectively meeting the network security protection requirements of the plant's industrial network. Moreover, once intrusion alarm information is detected, the database and the set of known intrusion types are updated adaptively, and policy actions such as blocking an IP address or port are carried out, so that the security of plant control is assured.
In accordance with the principles above, the embodiments described may be varied and modified. The invention is therefore not limited to the specific embodiments disclosed and described above; modifications and variations of the invention also fall within the scope of the appended claims. Although specific terms are used in this specification, they serve only for convenience of explanation and do not limit the invention.

Claims
1. A network intrusion alarm method for a nuclear power plant, characterized in that the method comprises:
detecting the data information sent by an access object, the detection including misuse detection and protocol anomaly detection;
if the result of detecting the data information is abnormal, generating instant warning information;
matching the instant warning information against historical warning information in a database;
if the match between the instant warning information and the historical warning information does not meet a preset match value, issuing intrusion alarm information.
2. The method according to claim 1, characterized in that the method further comprises:
receiving the data information sent by the access object.
3. The method according to claim 2, characterized in that the method further comprises:
presetting the match value between the instant warning information and the historical warning information.
4. The method according to claim 2, characterized in that the historical warning information includes a field for the number of warnings, and if the match between the instant warning information and the historical warning information meets the preset match value, the number of warnings is incremented by one.
5. The method according to claim 2, characterized in that the method further comprises:
performing association analysis on the instant warning information and the historical warning information, and judging the access purpose of the access object according to preset association rules.
6. The method according to claim 5, characterized in that the method further comprises:
if the access purpose of the access object cannot be judged from the preset association rules, establishing a new association rule from the instant warning information and updating the association rules immediately.
7. The method according to claim 6, characterized in that the method further comprises:
saving the instant warning information to the database and updating the database.
8. The method according to claim 7, characterized in that the method further comprises:
blocking access from the IP address or port to which the access object belongs according to the intrusion alarm information.
9. A network intrusion alarm system for a nuclear power plant, characterized in that the system comprises:
a detection module for detecting the data information sent by an access object, the detection including misuse detection and protocol anomaly detection;
a warning module for generating instant warning information if the detection module finds the data information abnormal;
a matching module for matching the instant warning information generated by the warning module against historical warning information in a database;
an alarm module for issuing intrusion alarm information if the match between the instant warning information and the historical warning information does not meet a preset match value.
10.根据权利要求 9所述的系统, 其特征在于, 所述系统还包括:  The system according to claim 9, wherein the system further comprises:
接收模块, 用于接收访问对象发送的数据信息。  The receiving module is configured to receive data information sent by the access object.
11.根据权利要求 10所述的系统, 其特征在于, 所述系统还包括: 设置模块, 用于预先设置即时预警信息与历史预警信息的匹配值。  The system according to claim 10, wherein the system further comprises: a setting module, configured to preset a matching value of the instant warning information and the historical warning information.
12.根据权利要求 9所述的系统, 其特征在于, 所述系统还包括:  The system according to claim 9, wherein the system further comprises:
数据库, 用于保存历史预警信息, 所述历史预警信息包括预警次数的字段, 若所述即时预警信息与所述历史预警信息的匹配结果符合预先设置的匹配值, 所述预警次数增加一次。  The database is configured to save the historical warning information, where the historical early warning information includes a field of the number of early warnings. If the matching result of the instant warning information and the historical early warning information meets a preset matching value, the number of the early warnings is increased once.
13.根据权利要求 12所述的系统, 其特征在于, 所述系统还包括: 分析模块, 用于对所述即时预警信息与所述历史预警信息进行关联分析, 根据预先设置的关联规则判断所述访问对象的访问目的。  The system according to claim 12, wherein the system further comprises: an analysis module, configured to perform association analysis on the instant warning information and the historical early warning information, and determine the location according to a preset association rule The access purpose of the access object.
14.根据权利要求 13所述的系统, 其特征在于, 所述系统还包括: 自适应模块, 用于保存预先设置的关联规则, 若所述分析模块根据预先设 置的关联规则无法判断所述访问对象的访问目的, 根据所述即时预警信息建立 新关联规则, 并即时更新关联规则。 The system according to claim 13, wherein the system further comprises: an adaptation module, configured to save a preset association rule, if the analysis module cannot determine the access according to a preset association rule The purpose of the object is to establish a new association rule according to the instant warning information, and update the association rule in real time.
15.根据权利要求 14所述的系统, 其特征在于, 所述系统还包括: 更新模块, 用于将所述即时预警信息保存至数据库, 并更新所述数据库。The system according to claim 14, wherein the system further comprises: an update module, configured to save the instant warning information to a database, and update the database.
16.根据权利要求 15所述的系统, 其特征在于, 所述系统还包括: 执行模块, 用于根据所述入侵报警信息执行阻断访问对象所属 IP地址或端 口访问。 The system according to claim 15, wherein the system further comprises: an execution module, configured to perform blocking of an IP address or port access of the access object according to the intrusion alarm information.
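The pipeline of claims 1 to 8 (and the corresponding modules of claims 9 to 16), carried through end to end as an added Python example that is not the patent's own code: detection (misuse signatures plus protocol-profile anomalies), instant warning, matching against the historical store with a preset matching value, either incrementing the warning count or raising an alarm, association analysis with adaptive rule creation, persistence, and a block decision. The signature set, protocol profiles, the 0.75 matching value, the association rules and the sample frames are all constructed assumptions.

```python
"""Pipeline sketch of the claimed alarm method (constructed example, not the
patent's own code): detect -> instant warning -> match against history ->
count or alarm -> correlate -> adapt rules -> persist -> block decision."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed signature set for misuse detection (assumed, illustrative only).
MISUSE_SIGNATURES = {
    "cmd_injection": b"; rm -rf",
    "sql_injection": b"' OR 1=1",
}
# Constructed per-protocol profiles for protocol-anomaly detection (assumed).
PROTOCOL_PROFILES = {
    "http": {"ops": {"GET", "POST"}, "max_len": 1024, "ports": {80, 8080}},
    "modbus": {"ops": {"READ", "WRITE"}, "max_len": 260, "ports": {502}},
}
MATCH_THRESHOLD = 0.75   # the "preset matching value" (assumed figure)
# Constructed association rules: anomaly kinds seen from one source -> purpose.
ASSOCIATION_RULES = {
    frozenset({"protocol_anomaly", "misuse"}): "exploitation attempt",
    frozenset({"protocol_anomaly"}): "probing",
}

@dataclass
class AlertRecord:
    src_ip: str
    port: int
    protocol: str
    kind: str        # "misuse" or "protocol_anomaly"
    detail: str
    count: int = 1   # the "number of warnings" field of a historical record

def detect(frame: dict) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for one frame; an empty list means normal."""
    findings = []
    payload = frame["payload"]
    for name, sig in MISUSE_SIGNATURES.items():      # misuse detection
        if sig in payload:
            findings.append(("misuse", name))
    profile = PROTOCOL_PROFILES.get(frame["protocol"])  # protocol-anomaly detection
    if profile is None:
        findings.append(("protocol_anomaly", "unknown_protocol"))
    else:
        if frame["op"] not in profile["ops"]:
            findings.append(("protocol_anomaly", f"bad_op:{frame['op']}"))
        if len(payload) > profile["max_len"]:
            findings.append(("protocol_anomaly", "oversized_payload"))
        if frame["port"] not in profile["ports"]:
            findings.append(("protocol_anomaly", f"unexpected_port:{frame['port']}"))
    return findings

def similarity(a: AlertRecord, b: AlertRecord) -> float:
    """Matching score: fraction of identity fields on which two warnings agree."""
    fields = ("src_ip", "port", "protocol", "kind", "detail")
    return sum(getattr(a, f) == getattr(b, f) for f in fields) / len(fields)

class AlarmSystem:
    def __init__(self) -> None:
        self.history: list[AlertRecord] = []        # the historical-warning database
        self.rules = dict(ASSOCIATION_RULES)        # adaptive association-rule store
        self.blocked: set[tuple[str, int]] = set()  # (ip, port) block decisions

    def process(self, frame: dict) -> list[dict]:
        """Run one frame through the whole pipeline; return the events it produced."""
        events = []
        for kind, detail in detect(frame):
            instant = AlertRecord(frame["src_ip"], frame["port"], frame["protocol"], kind, detail)
            best = max(self.history, key=lambda h: similarity(instant, h), default=None)
            if best is not None and similarity(instant, best) >= MATCH_THRESHOLD:
                best.count += 1                  # known pattern: only count it
                events.append({"event": "counted", "count": best.count, "detail": detail})
            else:
                purpose = self.correlate(instant)
                self.history.append(instant)     # persist the instant warning
                self.blocked.add((instant.src_ip, instant.port))  # execution-module decision
                events.append({"event": "alarm", "purpose": purpose, "detail": detail})
        return events

    def correlate(self, instant: AlertRecord) -> str:
        """Association analysis over every warning from the same source."""
        kinds = frozenset(h.kind for h in self.history if h.src_ip == instant.src_ip) | {instant.kind}
        if kinds in self.rules:
            return self.rules[kinds]
        # No preset rule fits: derive a new rule from the instant warning and keep it.
        self.rules[kinds] = f"unclassified:{instant.kind}"
        return self.rules[kinds]

def run_demo() -> AlarmSystem:
    """Feed constructed sample frames through the system and return it for inspection."""
    system = AlarmSystem()
    bad_op = {"src_ip": "10.0.0.5", "port": 502, "protocol": "modbus", "op": "DIAG", "payload": b"\x00\x01"}
    system.process(bad_op)          # first sight: alarm, purpose "probing"
    system.process(bad_op)          # repeat: matched, count becomes 2
    system.process({"src_ip": "10.0.0.5", "port": 502, "protocol": "modbus", "op": "WRITE",
                    "payload": b"' OR 1=1"})  # new kind from same source: "exploitation attempt"
    system.process({"src_ip": "10.0.0.7", "port": 80, "protocol": "http", "op": "POST",
                    "payload": b"x=1; rm -rf /"})  # no rule fits: new rule is created
    return system
```

Scores below the threshold trigger the alarm path even for a source already in the store, which is what keeps a known scanner's new misuse attempt from being silently counted as "more of the same"; the threshold is therefore a tuning knob between alarm volume and the risk of masking a change in behaviour.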
PCT/CN2013/087737 2013-08-19 2013-11-24 Network intrusion alarm method and system for nuclear power station WO2015024315A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1602102.4A GB2532630B (en) 2013-08-19 2013-11-24 Network intrusion alarm method and system for nuclear power plant

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310361837.4 2013-08-19
CN201310361837.4A CN103888282A (en) 2013-08-19 2013-08-19 Network intrusion alarm method and system based on nuclear power plant

Publications (1)

Publication Number Publication Date
WO2015024315A1 true WO2015024315A1 (en) 2015-02-26

Family

ID=50957009

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/087737 WO2015024315A1 (en) 2013-08-19 2013-11-24 Network intrusion alarm method and system for nuclear power station

Country Status (3)

Country Link
CN (1) CN103888282A (en)
GB (1) GB2532630B (en)
WO (1) WO2015024315A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111325463A (en) * 2020-02-18 2020-06-23 深圳前海微众银行股份有限公司 Data quality detection method, device, equipment and computer readable storage medium
CN113904811A (en) * 2021-09-16 2022-01-07 深圳供电局有限公司 Anomaly detection method and device, computer equipment and storage medium
CN113985226A (en) * 2021-10-25 2022-01-28 广东电网有限责任公司 Cable processing method and system
CN116401157A (en) * 2023-03-29 2023-07-07 中国铁道科学研究院集团有限公司 Test evaluation method and system for perimeter intrusion detection equipment

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106571886B (en) * 2016-11-03 2019-02-01 福建宁德核电有限公司 A kind of implementation method of data collection system DCS and wired broadcast system DTP linkage
CN106921676B (en) * 2017-04-20 2020-05-08 电子科技大学 Intrusion detection method based on OPCClasic
CN108693391A (en) * 2018-05-19 2018-10-23 安徽国电京润电力科技有限公司 A kind of nuclear power station electric energy amount detection systems
CN112118141B (en) * 2020-09-21 2021-12-17 中山大学 Communication network-oriented alarm event correlation compression method and device
CN112235304A (en) * 2020-10-15 2021-01-15 唐琪林 Dynamic security protection method and system for industrial internet
CN113708959B (en) * 2021-08-11 2023-08-25 新华三技术有限公司 Rule base updating method, device and equipment
CN114742247A (en) * 2022-04-08 2022-07-12 广东电网有限责任公司 Characteristic extraction method and device based on distribution network distribution transformer abnormal alarm information

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909488A (en) * 2006-08-30 2007-02-07 北京启明星辰信息技术有限公司 Virus detection and invasion detection combined method and system
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
CN102075516A (en) * 2010-11-26 2011-05-25 哈尔滨工程大学 Method for identifying and predicting network multi-step attacks

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399710B (en) * 2007-09-29 2011-06-22 北京启明星辰信息技术股份有限公司 Detection method and system for protocol format exception
FI20096394A0 (en) * 2009-12-23 2009-12-23 Valtion Teknillinen DETECTING DETECTION IN COMMUNICATIONS NETWORKS
JP5731223B2 (en) * 2011-02-14 2015-06-10 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation Abnormality detection device, monitoring control system, abnormality detection method, program, and recording medium


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111325463A (en) * 2020-02-18 2020-06-23 深圳前海微众银行股份有限公司 Data quality detection method, device, equipment and computer readable storage medium
CN113904811A (en) * 2021-09-16 2022-01-07 深圳供电局有限公司 Anomaly detection method and device, computer equipment and storage medium
CN113904811B (en) * 2021-09-16 2023-11-24 深圳供电局有限公司 Abnormality detection method, abnormality detection device, computer device, and storage medium
CN113985226A (en) * 2021-10-25 2022-01-28 广东电网有限责任公司 Cable processing method and system
CN116401157A (en) * 2023-03-29 2023-07-07 中国铁道科学研究院集团有限公司 Test evaluation method and system for perimeter intrusion detection equipment
CN116401157B (en) * 2023-03-29 2024-04-02 中国铁道科学研究院集团有限公司 Test evaluation method and system for perimeter intrusion detection equipment

Also Published As

Publication number Publication date
GB201602102D0 (en) 2016-03-23
GB2532630A (en) 2016-05-25
CN103888282A (en) 2014-06-25
GB2532630B (en) 2018-04-25


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13891904

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 201602102

Country of ref document: GB

Kind code of ref document: A

Free format text: PCT FILING DATE = 20131124

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06/06/2016)

122 Ep: pct application non-entry in european phase

Ref document number: 13891904

Country of ref document: EP

Kind code of ref document: A1