WO2015149663A1 - System and method for trapping network attack on embedded device in smart power grid - Google Patents


Info

Publication number
WO2015149663A1
Authority
WO
WIPO (PCT)
Prior art keywords
embedded device
network
data packet
security
module
Application number
PCT/CN2015/075367
Other languages
French (fr)
Chinese (zh)
Inventor
牛霜霞
张之刚
吕卓
王艳敏
Original Assignee
国家电网公司 (State Grid Corporation of China)
国网河南省电力公司电力科学研究院 (State Grid Henan Electric Power Company Electric Power Research Institute)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • the present invention relates to the field of network security defense, and in particular, to a system and method capable of trapping network attacks in a smart grid.
  • In addition to metering and data transmission functions, embedded systems in the smart grid also carry core operational control. Examples include user-level multi-rate energy metering management units, sensing-layer oil temperature sensors, voltage and current transmitters, relay protection devices, fault recorders, line protection and fault location devices, control-room digital recorders, substation image monitoring, distribution-network remote meter reading, load control and automation protection modules.
  • Together these cover essentially every aspect of grid command and operation.
  • At the network level, with the spread of 3G, WiFi and other communication means, embedded systems have extended from wired to wireless networks, which makes their network security problems more prominent.
  • Because of limited computing resources, many embedded network protocols were designed without regard for security: the design goal was simply to implement routing and make later network expansion easy, with essentially no security mechanism. Once an embedded system is attacked over the network, normal operation of the entire smart grid is affected or even paralysed.
  • Compared with conventional PCs, embedded systems have less computing power, low energy budgets and complex working environments, so many existing security solutions do not apply. They also usually work in open environments, so physical security problems that are easy to solve for conventional computers become real problems for embedded systems. Most are integrated devices running operating systems such as embedded Linux, VxWorks or WinCE. Against network-level attacks such as illegal interception, interruption, tampering or forgery it is not possible to install additional network security detection software directly on these devices, so real-time network security detection and evaluation of embedded systems cannot be performed on the device itself.
  • In existing network attack filtering devices, an attacker can use the network interface module to attack the filtering device itself: through the configuration program the attacker obtains permission to configure the security device and then modifies its configuration information.
  • The attacker sets a configuration tailored to the intended follow-on attack and so ultimately attacks the network the security device is meant to protect. The configuration program of existing filtering devices is therefore a loophole whose exploitation causes very large damage and easily makes the security device lose its defensive effect entirely.
  • The object of the present invention is to provide a network attack trapping system and trapping method for smart grid embedded devices which, while protecting the real smart grid terminal, captures the various attacks aimed at the real device by means of a trapping device, without affecting the normal operation of the embedded terminal, and performs real-time dynamic security detection and evaluation of known or unknown power-system network attacks quickly and accurately.
  • At the same time, a hardware improvement separates the network attack filtering device's packet identification and parsing/discrimination mode from its file configuration mode, which effectively prevents an attacker from using the network interface module to attack the trapping device, improves security and protects the trapping device itself.
  • a smart grid embedded device network attack trapping system including a trapping device and a security analysis server;
  • the data receiving end of the trapping device is connected to the smart grid network, and the data sending end of the trapping device is respectively connected to the actual embedded device and the security analysis server;
  • the trapping device comprises a network interface module, a security control module and an actual embedded device simulator;
  • the network interface module transmits and receives IP data packets and consists of an external network interface module and an intranet network interface module; the external network interface module is connected to the security control module and to the smart grid network, receives IP data packets sent by the external communication network and passes them to the security control module, and receives IP data packets from the security control module and sends them out over the external communication network;
  • the intranet network interface module is connected on one side to the security control module and on the other to the actual embedded device and the actual embedded device simulator; it receives IP data packets from the security control module and forwards them to the actual embedded device or to the simulator, and receives IP data packets from the actual embedded device and passes them to the security control module;
  • the security control module marks the IP data packets received from the actual embedded device and sends them to the smart grid network through the network interface module, and parses and discriminates the IP data packets received from the smart grid network, sending normal packets to the actual embedded device and abnormal packets to the actual embedded device simulator;
  • the security control module is connected to a serial communication module and to an external memory that separately stores the file configuration program, and to a switch module whose signal output is connected to the signal input of the security control module;
  • the actual embedded device simulator simulates the running and computing environment of the actual embedded device (hardware environment simulation and software environment simulation), detects the changes in network state and host state that occur when the simulated device is attacked over the network, and sends the network state and host state information to the security analysis server;
  • the security analysis server processes the network state and host state information sent by the simulator and obtains the final security detection result through a multi-dimensional attribute metric that combines the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric.
  • the security control module stores, for each corresponding destination address and source address, a key, a transmission sequence number and a receiving sequence number. When it receives an IP data packet from the actual embedded device it reads the packet, extracts the destination address, looks up the corresponding key and transmission sequence number by that destination address, appends the transmission sequence number to the end of the packet, computes a keyed digest over the packet and the transmission sequence number with the key, appends the digest result after the transmission sequence number, adjusts the length field in the IP header to the new length, and sends the extended packet to the smart grid network through the external network interface module;
  • when the security control module receives an IP data packet from the smart grid network it reads the packet, extracts the source address, looks up the corresponding key and receiving sequence number by that source address, recomputes the keyed digest over the protected content and the transmitted sequence number in the packet, and compares the result with the digest carried in the packet. If they differ, the packet is treated as tampered with or forged and is sent to the actual embedded device simulator through the intranet network interface module. If they match, the packet is judged not to have been tampered with or forged, and the transmission sequence number read from the packet is compared with the stored receiving sequence number: if the transmission sequence number is larger, the packet is normal and is sent to the actual embedded device through the intranet network interface module; if it is less than or equal to the receiving sequence number, the packet is illegal and is sent to the actual embedded device simulator through the intranet network interface module.
  • the actual embedded device simulator includes a hardware trusted cryptographic module (TPM) used for information collection and for dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server; abnormal network event information comprises abnormal network data information and network traffic information, and host events comprise the simulator's configuration information and running information.
  • For dynamic trusted measurement of a component, a XEN virtual machine is first configured in the actual embedded device simulator, located above the hardware layer and below the operating system. XEN's hypercall mechanism is then used: before a page requested by the component is loaded into memory, the page to be loaded is obtained through its address pointer; after XEN performs its permission check the hypercall handler is executed, and measurement code added to that handler runs first, so that the component is measured against the specified metric (trusted measurement or risk monitoring of the memory snapshot);
  • the security analysis server performs a comprehensive quantitative evaluation over multiple attribute dimensions: the platform configuration attribute, the platform running attribute and the user authentication attribute;
  • the platform configuration attribute metric reflects the trustworthiness of the platform configuration by evaluating the integrity of each component recorded in the platform configuration registers (PCRs) of the TPM. First, the simulator's TPM provides, in a secure and trusted manner, an integrity report for each component of the simulator's computing platform, comprising the PCR values and the signature information. The security analysis server verifies the integrity report and obtains the integrity information of the component corresponding to each of PCR0, PCR1, ..., PCRn-1, where n is the number of components. Let $n_s$ be the number of components that pass integrity verification and $n_f$ the number that fail; from this information the platform configuration trust $T_I$ is computed;
  • the triplet $\{b_S, d_S, u_S\}$ denotes the trust state of a component that passed integrity verification: $b_S$ is the probability that the component is not affected by malicious code, $d_S$ the probability that it is affected, and $u_S$ the uncertainty about whether it is affected.
  • the triplet $\{b_F, d_F, u_F\}$ denotes the trust state of a component that failed integrity verification (failure does not necessarily mean the component's security is compromised): $b_F$ is the probability that the component damages system security, $d_F$ the probability that it does not, and $u_F$ the uncertainty about whether it does.
  • the platform running attribute metric treats normal network communication events as positive events, with cumulative count $r$, and network attack and sniffing events as negative events, with cumulative count $s$; from these the platform running attribute trust $T_H$ is computed: $T_H = \{b_H, d_H, u_H\}$, where $b_H$ is the probability of normal network communication, $d_H$ the probability of an illegal network communication event, and $u_H$ the uncertainty about normal network communication.
  • the user authentication attribute metric computes the authentication trust level from the probability that the authentication method is broken. Let $P(A)$ be the probability that an attacker successfully breaks authentication method $A$ and can act as a normal user; the credibility level of $A$ is $\text{level}_A = -\log P(A)$. If the system uses a multi-factor scheme $A_1, A_2, \dots, A_m$, where $m$ is the number of factors, the multi-factor method is broken only when all factors are broken, with probability $P(A_1 \wedge A_2 \wedge \dots \wedge A_m)$; assuming user $U$ passes multi-factor authentication, the trust level $A_U$ obtained by $U$ after authentication is expressed as:
  • the uncertainty of the overall metric combines the uncertainties of the platform configuration and platform running metrics: $u_P = \alpha_I u_I + \alpha_H u_H$;
  • $b_P$ is the probability that the actual embedded device simulator is secure and trustworthy, $d_P$ the probability that it is not, and $u_P$ the uncertainty of its security and trustworthiness.
  • a smart grid embedded device network attack trapping method includes the following steps:
  • the data receiving end of the trapping device is connected directly to the smart grid network, and the data transmitting end of the trapping device is connected respectively to the actual embedded device and to the security analysis server;
  • the trapping device comprises a network interface module, a security control module and an actual embedded device simulator;
  • the network interface module consists of an external network interface module and an intranet network interface module; the external network interface module is connected to the security control module and the smart grid network, receives IP data packets sent by the external communication network and passes them to the security control module;
  • the intranet network interface module is connected to the security control module and the actual embedded device simulator, and to the security control module and the actual embedded device; it receives IP data packets from the security control module and forwards them to the actual embedded device or the simulator, and receives IP data packets from the actual embedded device and passes them to the security control module;
  • the security control module marks the IP data packets sent by the actual embedded device before they go to the smart grid network through the network interface module. The security control module stores, for each corresponding destination address and source address, a key, a transmission sequence number and a receiving sequence number. When it receives an IP data packet from the actual embedded device it reads the packet, extracts the destination address, looks up the corresponding key and transmission sequence number by that destination address, appends the transmission sequence number to the end of the packet, computes a keyed digest over the packet and the transmission sequence number with the key, appends the digest result after the transmission sequence number, adjusts the length field in the IP header to the new length, and sends the extended packet to the smart grid network through the external network interface module;
  • when the security control module receives an IP data packet from the smart grid network it reads the packet, extracts the source address, looks up the corresponding key and receiving sequence number by that source address, recomputes the keyed digest over the protected content and the transmission sequence number in the packet, and compares the result with the digest carried in the packet. If they differ, the packet is treated as tampered with or forged and is sent to the actual embedded device simulator through the intranet network interface module; if they match, the packet is judged not to have been tampered with or forged, and the transmission sequence number read from the packet is compared with the stored receiving sequence number: if the transmission sequence number is larger, the packet is normal and is sent to the actual embedded device through the intranet network interface module; if it is less than or equal to the receiving sequence number, the packet is illegal and is sent to the actual embedded device simulator through the intranet network interface module;
  • the serial communication module and the external memory that separately stores the file configuration program of the network attack filtering device are connected to the security processing module, and a switch module is connected to the security processing module with the switch module's signal output connected to the signal input of the security processing module. The switch module feeds a high-level or low-level signal to the security processing module, and according to which signal it receives the security processing module runs either the IP packet identification and parsing/discrimination mode or the file configuration mode;
  • in file configuration mode the security processing module communicates with the outside world only through the serial communication module. In IP packet identification and parsing/discrimination mode the security processing module starts from its internal storage: it reads and executes the network attack filtering program from the internal storage unit and cannot access the external memory. In configuration program mode it reads the configuration program from the external memory and executes it, with the user's computer communicating with the security processing module through the serial communication module;
  • the actual embedded device simulator includes a hardware trusted cryptographic module (TPM) used for information collection and for dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server; abnormal network event information comprises abnormal network data information and network traffic information, and host events comprise the simulator's configuration information and running information.
  • For dynamic trusted measurement of a component, a XEN virtual machine is first configured in the actual embedded device simulator, located above the hardware layer and below the operating system. XEN's hypercall mechanism is then used: before a page requested by the component is loaded into memory, the page to be loaded is obtained through its address pointer; after XEN performs its permission check the hypercall handler is executed, and measurement code added to that handler runs first, so that the component is measured against the specified metric (trusted measurement or risk monitoring of the memory snapshot);
  • the security analysis server performs a comprehensive quantitative evaluation over the platform configuration attribute, the platform running attribute and the user authentication attribute;
  • the platform configuration attribute metric reflects the trustworthiness of the platform configuration by evaluating the integrity of each component recorded in the platform configuration registers (PCRs) of the TPM. First, the simulator's TPM provides, in a secure and trusted manner, an integrity report for each component of the simulator's computing platform, comprising the PCR values and the signature information. The security analysis server verifies the integrity report and obtains the integrity information of the component corresponding to each of PCR0, PCR1, ..., PCRn-1, where n is the number of components. Let $n_s$ be the number of components that pass integrity verification and $n_f$ the number that fail; from this information the platform configuration trust $T_I$ is computed:
  • the triplet $\{b_S, d_S, u_S\}$ denotes the trust state of a component that passed integrity verification: $b_S$ is the probability that the component is not affected by malicious code, $d_S$ the probability that it is affected, and $u_S$ the uncertainty about whether it is affected.
  • the triplet $\{b_F, d_F, u_F\}$ denotes the trust state of a component that failed integrity verification: $b_F$ is the probability that the component damages system security, $d_F$ the probability that it does not, and $u_F$ the uncertainty about whether it does.
  • the platform running attribute metric treats normal network communication events as positive events, with cumulative count $r$, and network attack and sniffing events as negative events, with cumulative count $s$; from these the platform running attribute trust $T_H$ is computed: $T_H = \{b_H, d_H, u_H\}$, where $b_H$ is the probability of normal network communication, $d_H$ the probability of an illegal network communication event, and $u_H$ the uncertainty about normal network communication.
  • the user authentication attribute metric computes the authentication trust level from the probability that the authentication method is broken. Let $P(A)$ be the probability that an attacker successfully breaks authentication method $A$ and can act as a normal user; the credibility level of $A$ is $\text{level}_A = -\log P(A)$. If the system uses a multi-factor scheme $A_1, A_2, \dots, A_m$, where $m$ is the number of factors, the multi-factor method is broken only when all factors are broken, with probability $P(A_1 \wedge A_2 \wedge \dots \wedge A_m)$; assuming user $U$ passes multi-factor authentication, the trust level $A_U$ obtained by $U$ after authentication is expressed as:
  • the uncertainty of the overall metric combines the uncertainties of the platform configuration and platform running metrics: $u_P = \alpha_I u_I + \alpha_H u_H$;
  • $b_P$ is the probability that the actual embedded device simulator is secure and trustworthy, $d_P$ the probability that it is not, and $u_P$ the uncertainty of its security and trustworthiness.
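The measurement and trust-metric pipeline described above (the XEN measurement hook, the PCR-based platform configuration attribute, the platform running attribute with counts $r$ and $s$, the user authentication level and the fusion of uncertainties), as an added Python example that is not part of the patent. The hypercall hook itself runs inside the hypervisor and cannot be reproduced stand-alone, so the example starts from the measurements such a hook would produce and carries them through the security analysis server's side. Everything the page leaves open is assumed here: a component's measurement is SHA-256 of its loaded bytes; each component is extended into its own PCR as H(old PCR || measurement); the TPM quote signature is modelled as HMAC-SHA256 under a key shared with the security analysis server (a real TPM signs with an attestation key); the count-to-triplet mapping is the standard subjective-logic one, b = r/(r+s+2), d = s/(r+s+2), u = 2/(r+s+2), so that b + d + u = 1; the m authentication factors are independent, so the joint break probability is their product; and the fusion weights are equal. The component names, event counts and break probabilities are constructed.

```python
import hashlib
import hmac
import math

PCR_ZERO = bytes(32)   # every PCR starts as all zeros, as on a real TPM


def measure(component_image: bytes) -> bytes:
    """Measurement of a component = SHA-256 of the bytes loaded into memory (assumption)."""
    return hashlib.sha256(component_image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def make_integrity_report(images: list, quote_key: bytes) -> dict:
    """Simulator side: each component is measured into its own PCR (PCR0..PCRn-1)
    and the PCR set is signed. Assumption: the quote signature is HMAC-SHA256 under
    a key shared with the security analysis server, standing in for a TPM quote."""
    pcrs = [extend(PCR_ZERO, measure(img)) for img in images]
    signature = hmac.new(quote_key, b"".join(pcrs), hashlib.sha256).digest()
    return {"pcrs": pcrs, "signature": signature}


def verify_integrity_report(report: dict, golden: list, quote_key: bytes) -> tuple:
    """Security analysis server side: reject a forged report outright, then compare
    every PCR with the value a known-good component would produce.
    Returns (n_s, n_f): components that pass / fail integrity verification."""
    expected = hmac.new(quote_key, b"".join(report["pcrs"]), hashlib.sha256).digest()
    if not hmac.compare_digest(report["signature"], expected):
        raise ValueError("integrity report signature does not verify")
    n_s = n_f = 0
    for pcr, good in zip(report["pcrs"], golden):
        if hmac.compare_digest(pcr, extend(PCR_ZERO, good)):
            n_s += 1
        else:
            n_f += 1
    return n_s, n_f


def opinion(positive: int, negative: int) -> dict:
    """Map (positive, negative) evidence counts to a {b, d, u} triplet.
    Assumption: the page gives no mapping; this is the standard subjective-logic
    one, so b + d + u == 1 and u shrinks as evidence accumulates."""
    k = positive + negative + 2
    return {"b": positive / k, "d": negative / k, "u": 2 / k}


def auth_level(break_probs: list) -> float:
    """level = -log2 P(A1 and ... and Am). Assumption: factors are independent,
    so the probability that all are broken is the product."""
    return -math.log2(math.prod(break_probs))


def fuse_uncertainty(u_i: float, u_h: float, alpha_i: float = 0.5, alpha_h: float = 0.5) -> float:
    """u_P = alpha_I * u_I + alpha_H * u_H; equal weights are an assumption."""
    return alpha_i * u_i + alpha_h * u_h


def demo() -> dict:
    """Run the whole pipeline on constructed data."""
    quote_key = hashlib.sha256(b"constructed demo attestation key").digest()
    golden_images = [b"bootloader 1.0", b"embedded linux kernel", b"iec104 agent 2.1"]
    golden = [measure(img) for img in golden_images]
    # The simulator booted with a modified agent (constructed tampering):
    loaded = golden_images[:2] + [b"iec104 agent 2.1 + injected code"]
    report = make_integrity_report(loaded, quote_key)
    n_s, n_f = verify_integrity_report(report, golden, quote_key)
    t_i = opinion(n_s, n_f)            # platform configuration trust T_I
    t_h = opinion(40, 5)               # r = 40 normal events, s = 5 attack/sniff events
    level = auth_level([1e-4, 1e-3])   # password plus one-time code
    return {"n_s": n_s, "n_f": n_f, "T_I": t_i, "T_H": t_h,
            "level_AU": level, "u_P": fuse_uncertainty(t_i["u"], t_h["u"])}
```

Two points worth noticing when running `demo()`: a report whose signature does not verify is rejected before any PCR is looked at, because comparing PCRs from an unsigned report would let the honeypot's own compromised software assert its integrity; and the tampered third component gives $n_s = 2, n_f = 1$, so $T_I$ still carries an uncertainty of 0.4 with only three pieces of evidence, which is the reason the patent combines it with the running-attribute evidence rather than trusting the configuration metric alone.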
  • The smart grid embedded device network attack trapping system of the present invention introduces a trapping device whose security control module marks the IP data packets received from the actual embedded device, parses and discriminates the IP data packets received from the smart grid network, sends normal packets to the actual embedded device and abnormal packets to the actual embedded device simulator, and uses the simulator to reproduce the running and computing environment of the actual embedded device.
  • The simulator detects the changes in network state and host state that occur when it is attacked over the network and sends the network state and host state information to the security analysis server.
  • The security analysis server then obtains the final security detection result from that network state and host state information through a multi-dimensional attribute metric combining the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric.
  • The invention can thus detect and perceive unknown network attacks in real time while the embedded device keeps working normally, overcoming the drawback that existing network attack detection technology cannot be applied directly to embedded devices and serves only for after-the-fact defence, and so traps network attacks on embedded devices.
  • Through the hardware improvement the invention also isolates the network attack filtering device's packet identification and parsing/discrimination mode from its file configuration mode, effectively preventing an attacker from attacking the trapping device through the network interface module, improving security and protecting the trapping device.
  • FIG. 1 is a schematic block diagram of a network attack trapping system for a smart grid embedded device according to the present invention
  • FIG. 2 is a flow chart of a method for trapping network attack of a smart grid embedded device according to the present invention
  • FIG. 3 is a schematic diagram of the principle of IP packet identification.
  • the smart grid embedded device network attack trapping system of the present invention includes a trapping device and a security analysis server;
  • the data receiving end of the trapping device is connected to the smart grid network, and the data sending end of the trapping device is respectively connected to the actual embedded device and the security analysis server;
  • the trapping device comprises a network interface module, a security control module and an actual embedded device simulator;
  • the network interface module transmits and receives IP data packets and consists of an external network interface module and an intranet network interface module; the external network interface module is connected to the security control module and to the smart grid network, receives IP data packets sent by the external communication network and passes them to the security control module, and receives IP data packets from the security control module and sends them out over the external communication network;
  • the intranet network interface module is connected on one side to the security control module and on the other to the actual embedded device and the actual embedded device simulator; it receives IP data packets from the security control module and forwards them to the actual embedded device or to the simulator, and receives IP data packets from the actual embedded device and passes them to the security control module.
  • the security control module marks the IP data packets received from the actual embedded device and sends them to the smart grid network through the network interface module, and parses and discriminates the IP data packets received from the smart grid network, sending normal packets to the actual embedded device and abnormal packets to the actual embedded device simulator.
  • Abnormal network data information consists of two parts:
  • abnormal network data content: the security control module judges the network packet format, protocol, data content and other information, and sends the abnormal network information to the actual embedded device simulator; based on this information the security analysis server can discover scanning and penetration attacks, replay attacks, buffer overflows, exploits and so on.
  • abnormal network traffic: the security control module judges network traffic information such as the overall traffic of the device, the traffic of a particular service and the current number of session connections, and sends the abnormal network traffic information to the actual embedded device simulator; from this information the security analysis server can detect illegal information propagation, denial of service attacks and so on.
  • the security control module stores, for each corresponding destination address and source address, a key, a transmission sequence number and a receiving sequence number; when the security control module receives an IP data packet sent by the actual embedded device, it reads the IP data packet, extracts its destination address, obtains the corresponding key and transmission sequence number according to the destination address, places the transmission sequence number at the end of the IP data packet, and performs a digest operation on the IP data packet and the transmission sequence number using the key;
  • the digest result is appended after the transmission sequence number, the length indication information in the IP header is adjusted to the current length, and the tagged IP data packet is then sent to the smart grid network through the external network interface module; when the security control module receives an IP data packet sent by the smart grid network, it reads the IP data packet, extracts the source address, obtains the corresponding key and receiving sequence number according to the source address, performs a digest operation with the key on the protected content and the transmission sequence number carried in the IP packet, and compares the result with the digest result carried in the IP data packet; if the results are inconsistent, the IP data packet is considered to have been tampered with or forged, and the IP data packet is sent to the actual embedded device simulator through the intranet network interface module;
  • if the results are consistent, the IP data packet is judged not to have been tampered with or forged, and the transmission sequence number read from the IP data packet is then compared with the stored receiving sequence number: if the transmission sequence number is larger than the receiving sequence number, the IP data packet is considered normal, and the security control module accepts the IP data packet and sends it to the actual embedded device through the intranet network interface module; if the transmission sequence number is less than or equal to the receiving sequence number, the IP data packet is considered illegal, and the IP data packet is sent through the intranet network interface module to the actual embedded device simulator.
  • Figure 3 is a schematic diagram of the principle of IP packet identification.
  • the security control module is also connected to a serial communication module and to an external memory for separately storing the file configuration program.
  • the security control module is also connected to a switch module, whose signal output end is connected to the signal input end of the security control module; the switch module inputs a high-level or low-level signal to the security control module, and according to the signal it receives the security control module runs either the IP data packet identification, parsing and discrimination mode or the file configuration mode; only in the file configuration mode does the security control module communicate with the outside world, and then only through the serial communication module.
  • when the security control module executes the attack filtering mode,
  • it starts internally, that is, it reads the IP packet identification and parsing/discrimination program from its internal storage unit and executes it; it cannot access the external memory, which guarantees that the program in the external storage cannot be tampered with and so secures the configuration program.
  • when the security control module executes the configuration program running mode,
  • it reads the configuration program from the external memory and executes it; the configuration program also runs on the user's computer, and the user's computer communicates with the security control module through the serial communication module.
  • the configuration program running in the security control module thus forms a client/server (C/S) working mode with the user's computer.
  • the invention uses the hardware switch to isolate the two operating modes of the security control module: while executing the configuration program the security control module does not touch the network, which effectively prevents attacks against the security control module itself launched through the network interface module; regardless of whether the configuration program has a vulnerability, an attacker cannot modify the configuration program of the security control module, and security is greatly improved.
  • the network interface module uses an interface chip supporting an Ethernet specification such as IEEE 802.3, commonly called a network card chip, which supports transmission and reception of Ethernet data packets.
  • the network card chip is selected from domestic chips.
  • the security control module refers to a control chip with security functions.
  • the security function refers to the ability to perform cryptographic operations together with strong measures against multiple kinds of attack.
  • the cryptographic operations include digest operations, and the anti-attack measures built into the chip include multi-layer special layout design, voltage detection, encryption protection of storage areas, light detection, an MPU (memory protection unit) and other protection measures against physical and software attacks.
  • the switch module can use a circuit switch; opening and closing the circuit switch sends two different control signals, low level and high level, to the security processing chip.
  • the serial communication module can use an asynchronous serial communication interface chip supporting the RS232 standard; communication requires a dedicated serial cable connecting this chip to the asynchronous serial communication interface chip (generally called the COM port) on the user's configuration computer.
  • the external memory can use a FLASH chip; a FLASH chip is a general-purpose memory chip that retains data when power is lost, and can be read, written and erased through its external interface.
  • the actual embedded device simulator is used to simulate the operating environment and computing environment of the actual embedded device, including hardware environment simulation and software environment simulation; it detects the changes in network status and host status of the actual embedded device when it is under network attack, and sends the network status and host status information to the security analysis server.
  • the actual embedded device simulator includes a hardware trusted cryptographic module (TPM) for implementing information collection and dynamic trusted measurement of components.
  • information collection refers to collecting abnormal network events and host events and sending them to the security analysis server.
  • abnormal network event information includes abnormal network data information and network traffic information; host events include the configuration information and operation information of the actual embedded device simulator; dynamic component measurement of the actual embedded device simulator uses the simulator's
  • privilege control mechanism to analyse the dynamic memory image of the components running in the actual embedded device simulator, so as to measure the dynamic components effectively while they run, discover abnormal component operation (caused by attack or destruction) in time, provide active defence against attacks, and provide a secure and reliable computing and operating environment for the safe and stable operation of the actual embedded device simulator.
  • dynamic changes in components are reflected in the allocation and replacement of memory by the operating system.
  • the operating system implements load management and operational management of applications (components).
  • the operating system allocates a certain amount of memory for each process and creates a page table for the process that maps physical memory to its address space.
  • the operating system brings the required pages from disk into memory according to a page replacement algorithm and updates the page table.
  • the XEN virtual machine is located on the hardware layer of the actual embedded device simulator and under the operating system.
  • measurement of the component's current memory snapshot is performed according to specified metrics
  • or risk monitoring; the specified metrics include integrity measurement, code feature detection and behavioural similarity detection.
  • dynamic measurement of the component change process is realized by performing a dynamic measurement of the component each time memory allocation or replacement occurs.
  • the security analysis server performs multi-dimensional attribute comprehensive quantitative evaluation from the platform configuration attribute, the platform running attribute and the user authentication attribute by using the network state and the host state information sent by the actual embedded device simulator, and finally obtains the security detection result.
  • the multidimensional attributes of the Security Analysis Server include compute platform configuration, platform operations, and identity attributes, all of which have an impact on system security.
  • the platform configuration attribute metric is actually a comprehensive evaluation based on the integrity of each component, reflecting the degree of trust in platform configuration.
  • the integrity metrics of the various components of the platform are extended into the Trusted Platform Module (TPM) of the actual embedded device simulator platform;
  • the integrity report information of each component of the actual embedded device simulator computing platform, including PCR values and signature information, is obtained from the TPM in a secure and trusted manner;
  • the security analysis server verifies the integrity report, and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components; if the number of components that fail integrity verification is f, then the number of components that pass integrity verification is n - f;
  • the present invention uses the triplet {bS, dS, uS} to indicate the trustworthiness of a component that passes integrity verification: bS indicates the possibility that the component is not affected by malicious code, dS indicates the possibility that the component is affected by malicious code, and uS indicates the degree of uncertainty about whether the component is affected by malicious code;
  • Equation (1) can be simplified to
  • the platform run properties reflect the trust properties that the actual embedded device simulator can observe at the current behavior.
  • platform running attributes include performance characteristics (such as CPU, memory and hard disk usage, and network traffic information), reliability characteristics (such as success rate, packet loss rate and mean time between failures) and security characteristics (such as the number of illegal connections, the number of port scans, the number of unauthorized attempts, etc.).
  • the platform running attribute metric takes normal network communication events as positive events, the cumulative number of which is denoted r, and network attack events and sniffing events as negative events, the cumulative number of which is denoted s; the computing platform running attribute trust degree is T_H;
  • the trust value of the current operation of the actual embedded device simulator can then be calculated.
  • the calculation method is as follows:
  • b_H represents the possibility of normal network communication
  • d_H represents the possibility of an illegal network communication event
  • u_H represents the degree of uncertainty about normal network communication
  • the platform running attribute trust degree T_H can then be calculated.
  • b_P represents the possibility that the actual embedded device simulator is safe and credible
  • d_P represents the possibility that the actual embedded device simulator is not safe and credible
  • u_P represents the uncertainty about whether the actual embedded device simulator is safe and credible.
  • the platform metric value of the actual embedded device simulator is {0.6, 0.2, 0.2}, although the user authentication attribute metric value 0.7 > the user authentication security threshold 0.65
  • the smart grid embedded device network attack trapping system of the invention introduces a trapping device to detect and perceive unknown network attacks in real time while ensuring the normal operation of the embedded device.
  • the actual embedded device simulator simulates the actual device, and dynamically detects and controls the key factors affecting system security, such as components, processes and hardware configuration.
  • unknown network attacks and exceptions are handled promptly and appropriately, overcoming the drawback that existing network attack detection technology cannot be applied directly to embedded devices and can only provide after-the-fact defence, and actively trapping network attacks on embedded devices.
  • through the hardware improvement, the invention also isolates the packet identification, parsing and discrimination mode of the network attack filtering device from its file configuration mode, effectively preventing an attacker from attacking the trapping device through the network interface module, improving security and achieving effective protection of the trapping device.
  • the smart grid embedded device network attack trapping method of the present invention comprises the following steps:
  • the data receiving end of the trapping device is directly connected to the smart grid network, and the data transmitting end of the trapping device is respectively connected to the actual embedded device and the security analysis server;
  • the trapping device comprises a network interface module, a security control module and an actual embedded device simulator.
  • the network interface module includes an external network interface module and an intranet network interface module; the external network interface module is connected to the security control module and the smart grid network, and is configured to receive the IP data packets sent by the external communication network and transmit them to the security control module;
  • the intranet network interface module is connected to the security control module and the actual embedded device simulator, and to the security control module and the actual embedded device, receiving the IP data packets sent by the security control module and transmitting them to the actual embedded device or the actual embedded device simulator, and receiving the IP data packets sent by the actual embedded device and transmitting them to the security control module;
  • the security control module identifies the IP data packets sent by the actual embedded device and sends them to the smart grid network through the network interface module.
  • the security control module stores, for each corresponding destination address and source address, a key, a transmission sequence number and a receiving sequence number; when the security control module receives an IP data packet sent by the actual embedded device,
  • the security control module reads the IP data packet, extracts its destination address, obtains the corresponding key and transmission sequence number according to the destination address, and places the transmission sequence number at the end of the IP data packet;
  • the IP data packet and the transmission sequence number are digested with the key, the digest result is appended after the transmission sequence number, the length indication information in the IP header is adjusted to the current length, and the tagged
  • IP data packet is then sent to the smart grid network through the external network interface module;
  • when the security control module receives an IP data packet sent by the smart grid network, it reads the IP data packet, extracts the source address, and obtains the corresponding key and receiving sequence number according to the source address; the security control module performs a digest operation with the key on the protected content and the transmission sequence number in the IP data packet, and compares the result with the digest result carried in the IP data packet; if the results are inconsistent, the IP data packet is considered tampered with or forged and is sent to the actual embedded device simulator through the intranet network interface module; if the results are consistent, the IP data packet is judged not to have been tampered with or forged, and the transmission sequence number read from the IP data packet is compared with the receiving sequence number: if the transmission sequence number is larger than the receiving sequence number, the IP data packet is considered normal,
  • the security control module accepts the IP data packet and sends it to the actual embedded device through the intranet network interface module;
  • if the transmission sequence number is less than or equal to the receiving sequence number, the IP data packet is considered illegal, and the IP data packet is sent through the
  • intranet network interface module to the actual embedded device simulator;
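As an added example (not code from the patent), the following Python models the packet identification scheme described above in both the system description and the method steps: per-peer keys and sequence numbers, outbound tagging with a sequence number and digest, header length adjustment, and the inbound digest-then-sequence check that routes a packet to the actual device or to the simulator. It assumes HMAC-SHA256 as the digest operation, a 4-byte sequence number, that the receiving sequence number is updated to each accepted packet's sequence number, and that the tag is stripped before forwarding; the addresses, key and packets are constructed for the demo.

```python
"""Model of the security control module's IP packet identification (added example,
not the patent's own code). Assumptions: HMAC-SHA256 digest, 4-byte big-endian
sequence number, receiving sequence number advanced on each accepted packet."""
import hashlib
import hmac
import struct

SEQ_LEN = 4          # sequence number appended to the packet (assumed 4 bytes)
TAG_LEN = 32         # HMAC-SHA256 digest appended after the sequence number
IPV4_HDR_LEN = 20    # minimal IPv4 header, no options


def build_ipv4(src, dst, payload):
    """Constructed minimal IPv4 datagram (checksum left zero; demo only)."""
    total_len = IPV4_HDR_LEN + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0, src, dst)
    return hdr + payload


def set_total_length(pkt, new_len):
    """Rewrite the IPv4 'total length' field (bytes 2-3) to new_len."""
    return pkt[:2] + struct.pack("!H", new_len) + pkt[4:]


class SecurityControlModule:
    """Per-peer key and sequence state, as described for the security control module."""

    def __init__(self):
        self.keys = {}     # peer address -> shared key
        self.tx_seq = {}   # peer address -> last transmission sequence number
        self.rx_seq = {}   # peer address -> last accepted receiving sequence number

    def add_peer(self, addr, key):
        self.keys[addr] = key
        self.tx_seq[addr] = 0
        self.rx_seq[addr] = 0

    def tag_outbound(self, pkt):
        """Packet from the actual embedded device, about to leave for the grid network."""
        dst = pkt[16:20]
        key = self.keys[dst]
        self.tx_seq[dst] += 1
        seq = struct.pack("!I", self.tx_seq[dst])
        # digest covers the original packet (original length field) plus the sequence number
        tag = hmac.new(key, pkt + seq, hashlib.sha256).digest()
        tagged = pkt + seq + tag
        # only now is the length indication adjusted to the new, longer packet
        return set_total_length(tagged, len(tagged))

    def classify_inbound(self, pkt):
        """Packet from the grid network. Returns (destination, reason, inner packet or None)."""
        src = pkt[12:16]
        key = self.keys.get(src)
        if key is None or len(pkt) < IPV4_HDR_LEN + SEQ_LEN + TAG_LEN:
            return "simulator", "no-key-or-too-short", None
        tag = pkt[-TAG_LEN:]
        seq_bytes = pkt[-(TAG_LEN + SEQ_LEN):-TAG_LEN]
        inner_len = len(pkt) - SEQ_LEN - TAG_LEN
        # protected content = the packet as it was before tagging, so restore its length field
        protected = set_total_length(pkt[:inner_len], inner_len)
        expected = hmac.new(key, protected + seq_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "simulator", "tampered-or-forged", None
        seq = struct.unpack("!I", seq_bytes)[0]
        if seq <= self.rx_seq[src]:
            return "simulator", "replayed-sequence", None
        self.rx_seq[src] = seq            # assumption: advance on every accepted packet
        return "device", "normal", protected


def demo():
    """Exchange between two trapping devices; returns the verdicts in order."""
    a_addr, b_addr = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    key = b"constructed-demo-key-not-a-real-secret"
    module_a, module_b = SecurityControlModule(), SecurityControlModule()
    module_a.add_peer(b_addr, key)
    module_b.add_peer(a_addr, key)

    original = build_ipv4(a_addr, b_addr, b"meter reading 1234")   # constructed payload
    tagged = module_a.tag_outbound(original)
    verdicts = []
    dest, reason, inner = module_b.classify_inbound(tagged)
    verdicts.append((dest, reason, inner == original))
    # the same packet again: digest valid, but sequence not larger than the last accepted
    dest, reason, _ = module_b.classify_inbound(tagged)
    verdicts.append((dest, reason, False))
    # one payload byte flipped: digest no longer matches
    forged = bytearray(tagged)
    forged[IPV4_HDR_LEN] ^= 0x01
    dest, reason, _ = module_b.classify_inbound(bytes(forged))
    verdicts.append((dest, reason, False))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```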
  • the serial communication module and the external memory, which separately stores the file configuration program of the network attack filtering device, are connected to the security processing module; the switch module is also connected to the security processing module, with the signal output end of the switch module connected to the signal input end of the security processing module;
  • the switch module inputs a high-level or low-level signal to the security processing module, and according to the signal sent by the switch module the security processing module runs either the IP data packet identification, parsing and discrimination mode or the file configuration mode;
  • the security processing module communicates with the outside world only through the serial communication module; when the security processing module runs the IP packet identification, parsing and discrimination mode, it starts internally, that is, it reads the network attack filtering program from its internal storage unit
  • and executes it, and cannot access the external memory; when the security processing module runs the configuration program running mode, it reads the configuration program from the external memory and executes it, the configuration program runs on the user's computer, and the user's computer communicates with the security processing module through the serial communication module.
  • the actual embedded device simulator includes a hardware trusted cryptographic module (TPM) for implementing information collection and dynamic trusted measurement of components; information collection refers to collecting abnormal network events and host events and sending them to the security analysis server;
  • abnormal network event information includes abnormal network data information and network traffic information;
  • host events include the configuration information and running information of the actual embedded device simulator;
  • in the actual embedded device simulator, the XEN virtual machine is first configured.
  • the XEN virtual machine is located on the hardware layer of the actual embedded device simulator and under the operating system; the XEN hypercall mechanism is then used to obtain the address pointer of the page requested by a component before it is loaded into memory.
  • step D: the security analysis server performs a comprehensive multi-dimensional quantitative evaluation of the platform configuration attribute, the platform running attribute and the user authentication attribute;
  • the platform configuration attribute metric is a comprehensive evaluation of the integrity of each component recorded in the platform configuration registers (PCRs) stored in the hardware trusted cryptographic module TPM,
  • reflecting the trustworthiness of the platform configuration: first, based on the trusted hardware module TPM of the actual embedded device simulator, the integrity report information of each component of the actual embedded device simulator computing platform,
  • including the PCR values and signature information, is obtained in a secure and trusted manner; then the security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components; if the number of components that fail integrity verification is f, the number of components that pass integrity verification is n - f; finally, based on the component integrity information, the platform configuration trust Ti is obtained:
  • the present invention uses the triplet {bS, dS, uS} to indicate the trustworthiness of a component that passes integrity verification: bS indicates the possibility that the component is not affected by malicious code, dS indicates the possibility that the component is affected by malicious code, and uS indicates the degree of uncertainty about whether the component is affected by malicious code;
  • the triplet {bF, dF, uF} is used to indicate the trust condition of a component whose integrity verification failed.
  • failure of integrity verification does not necessarily mean that the security of the component has been compromised;
  • a software version upgrade will also cause the PCR value check to fail, yet it is harmless.
  • bF indicates the possibility that the component will cause damage to system security
  • dF indicates the possibility that the component will not cause damage to system security
  • uF indicates the uncertainty about whether the component will cause damage to system security.
  • the platform running attribute metric takes normal network communication events as positive events, the cumulative number of which is denoted r, and network attack events and sniffing events as negative events, the cumulative number of which is denoted s; the computing platform running attribute trust degree is T_H;
  • T_H = {b_H, d_H, u_H}
  • b_H indicates the possibility of normal network communication
  • d_H indicates the possibility of an illegal network communication event
  • u_H indicates the degree of uncertainty about normal network communication
  • the user authentication attribute metric calculates the authentication trust level from the probability that the authentication method is broken.
  • let the probability that an attacker successfully breaks authentication method A and can act as a normal user be P(A); then the
  • credibility level of A is level_A = -log(P(A)); if the system adopts a multi-factor authentication scheme A1, A2, ..., Am, where m is the number of authentication factors, then the multi-factor authentication method is broken only when
  • all the authentication methods are broken, with probability P(A1 ∧ A2 ∧ ... ∧ Am); assuming that user U passes the multi-factor authentication, the trusted level A_U obtained by U after system authentication is expressed as:
  • u P ⁇ I u I + ⁇ H u H ;
  • b_P represents the possibility that the actual embedded device simulator is safe and credible
  • d_P represents the possibility that the actual embedded device simulator is not safe and credible
  • u_P represents the uncertainty about whether the actual embedded device simulator is safe and credible.

Abstract

Disclosed is a system for trapping a network attack on embedded devices in a smart power grid, comprising a trapping device and a security analyzing server; the trapping device comprises a network interface module, a security control module and an actual embedded device simulator; the network interface module is used to receive and transmit IP data packets; the security control module is used to identify, parse and distinguish the IP data packets, and is connected to a serial port communication module, an external memory and a switch module; the actual embedded device simulator transmits to the security analyzing server the network status and host status information; and the security analyzing server acquires a final security detection result via comprehensive multi-dimensional attribute measurement. The present invention can quickly and accurately conduct real-time dynamic security detection and evaluation on a known or unknown power system network attack without affecting the normal operation of embedded terminals, and effectively prevents an attacker from attacking the trapping device via the network interface module.

Description

一种智能电网嵌入式设备网络攻击诱捕系统和诱捕方法Smart grid embedded device network attack trapping system and trapping method 技术领域Technical field
本发明涉及网络安全防御领域,尤其涉及一种能够在智能电网中针对网络攻击进行诱捕的系统和方法。The present invention relates to the field of network security defense, and in particular, to a system and method capable of trapping network attacks in a smart grid.
背景技术Background technique
目前,随着物联网产业的兴起,在智能电网中,各种传感器、控制设备均为嵌入式系统,广泛应用于发电、输电、变电、配电以及用户用电的各主要环节。除了业务上的测量、传输功能外,嵌入式系统还起着核心业务运行控制的功能。例如,用户层的复费率电能计量管理单元,设备层的变压器油温等传感器、电压电流变送器、继电保护装置、故障录波、线路保护、故障测距装置,控制室的数字录音、变电站的图像监控、配电网的远程抄表、负荷控制及自动化保护模块等等,基本上涵盖了电网指挥运行的各个方面。At present, with the rise of the Internet of Things industry, in the smart grid, various sensors and control devices are embedded systems, which are widely used in power transmission, transmission, substation, power distribution and user power. In addition to the measurement and transmission functions of the business, the embedded system also functions as the core business operation control. For example, user-level multi-rate energy metering management unit, sensor layer oil temperature sensor, voltage and current transmitter, relay protection device, fault recording, line protection, fault location device, digital recording of control room The image monitoring of the substation, the remote meter reading of the distribution network, the load control and the automation protection module, etc., basically cover all aspects of the power grid command operation.
从嵌入式系统自身来看,相对于传统的PC设备,嵌入式操作系统及其应用程序主要考虑的是硬件的适配性、更少的资源占用等问题,很多嵌入式系统的安全防护功能很少或者几乎没有,恶意攻击者很容易侵入到系统中,对嵌入式系统实施干扰、监视甚至远程控制。近年来,在国内外由于嵌入式系统造成的电力系统事故屡有发生,如著名的伊朗Stuxnet震网病毒事件,该病毒专门针对PLC(Programmable Logic Controller,可编程逻辑控制器)设备攻击,通过修改PLC来改变工业生产控制系统的行为,一度导致伊朗核电站推迟发电。From the point of view of the embedded system itself, compared with the traditional PC equipment, the embedded operating system and its application program mainly consider hardware compatibility, less resource occupation and other issues. Many embedded systems have security protection functions. Less or almost no, malicious attackers can easily invade the system, interfere, monitor and even remote control the embedded system. In recent years, power system accidents caused by embedded systems have occurred frequently at home and abroad, such as the famous Iranian Stuxnet earthquake virus incident, which is specifically targeted at PLC (Programmable Logic Controller) devices. PLC to change the behavior of industrial production control systems, once led to delayed power generation in Iranian nuclear power plants.
从网络层面来看,随着3G、WIFI等通讯手段的普及,嵌入式系统从有线网络向无线网络延伸,使得网络的安全问题更加突出。嵌入式系统由于计算资源有限,很多嵌入式网络协议均没有考虑安全问题,其设计目标是尽可能 简单地实现路由,并方便日后扩展网络,基本上没有任何的安全机制。一旦嵌入式系统遭到网络攻击,整个智能电网的正常业务工作便会受到影响甚至于瘫痪。From the network level, with the popularization of 3G, WIFI and other means of communication, the embedded system extends from the wired network to the wireless network, making the network security problem more prominent. Embedded systems Due to limited computing resources, many embedded network protocols do not consider security issues. The design goal is to be as Simply implement routing and facilitate future network expansion, basically without any security mechanisms. Once the embedded system is attacked by the network, the normal business of the entire smart grid will be affected or even paralyzed.
与传统PC设备相比,嵌入式系统计算资源少、能耗低、工作环境复杂,现有的很多安全解决方案并不适用,而且嵌入式系统一般处于开放的工作环境中,传统计算机很容易解决的物理安全问题在嵌入式系统上也成为一个难题。这些嵌入式系统多为一体化设备,其操作系统包括嵌入式Linux、VxWorks、WinCe等。针对来自网络层面的非法截获、中断、篡改或伪造等攻击,由于无法直接在这些嵌入式设备上加装额外的网络安全检测软件或系统,因此无法做到对嵌入式系统进行实时的网络安全检测与评估。Compared with traditional PC devices, embedded systems have less computing resources, low energy consumption, and complex working environments. Many existing security solutions are not applicable, and embedded systems are generally in an open working environment. Traditional computers are easy to solve. Physical security issues have also become a problem in embedded systems. These embedded systems are mostly integrated devices, and their operating systems include embedded Linux, VxWorks, WinCe, and so on. For attacks such as illegal interception, interruption, tampering or forgery at the network level, it is impossible to install additional network security detection software or systems directly on these embedded devices, so real-time network security detection for embedded systems cannot be performed. And evaluation.
另一方面,随着网络攻击的日益严重,为提高网络安全性,防火墙、入侵检测、加密VPN等设备相继推出,能够在一定程度上提高网络安全性。但针对现有的网络安全设备,网络攻击发起者很容易利用网络接口模块对网络攻击过滤装置进行攻击,攻击者通过配置程序获取对网络安全设备进行配置的权限,然后修改网络安全设备中的配置信息。修改配置时,攻击者会按照后续攻击的目的设定特定的配置,以达到最终攻击受上述网络安全设备保护的网络的目的。因此,现有的网络攻击过滤装置在配置程序上存在漏洞,危害非常巨大,极易造成网络安全设备完全失去了防御作用。On the other hand, with the increasing severity of network attacks, in order to improve network security, devices such as firewalls, intrusion detection, and encrypted VPNs have been introduced, which can improve network security to a certain extent. However, for the existing network security device, the network attack initiator can easily use the network interface module to attack the network attack filtering device, and the attacker obtains the permission to configure the network security device through the configuration program, and then modifies the configuration in the network security device. information. When the configuration is modified, the attacker will set a specific configuration according to the purpose of the subsequent attack to achieve the ultimate attack on the network protected by the above network security device. Therefore, the existing network attack filtering device has a loophole in the configuration program, and the damage is very huge, which easily causes the network security device to completely lose its defense effect.
Summary of the invention
The object of the present invention is to provide a smart grid embedded device network attack trapping system and trapping method which, while protecting the real smart grid terminal, captures the various attacks aimed at the real device by means of a trapping device and, without disturbing the normal operation of the embedded terminal, performs fast, accurate, real-time dynamic security detection and evaluation of known and unknown power system network attacks. At the same time, through a hardware improvement the invention isolates the network attack filtering device's packet tagging and parsing/discrimination mode from its file configuration mode, effectively preventing an attacker from attacking the trapping device through the network interface module, improving security and protecting the trapping device effectively.
The invention adopts the following technical solution:
A smart grid embedded device network attack trapping system, comprising a trapping device and a security analysis server;
the data receiving end of the trapping device is connected to the smart grid network, and the data sending end of the trapping device is connected to the real embedded device and to the security analysis server respectively; the trapping device comprises a network interface module, a security control module and a real embedded device simulator;
the network interface module sends and receives IP packets and comprises an external network interface module and an internal network interface module; the external network interface module is connected to the security control module and to the smart grid network, receives IP packets sent by the external communication network and passes them to the security control module, and receives IP packets sent by the security control module and sends them over the external communication network; the internal network interface module is connected between the security control module and the real embedded device simulator and between the security control module and the real embedded device, receives IP packets sent by the security control module and passes them to the real embedded device or to the real embedded device simulator, and receives IP packets sent by the real embedded device and passes them to the security control module;
the security control module tags the IP packets it receives from the real embedded device and sends them to the smart grid network through the network interface module, and parses and classifies the IP packets it receives from the smart grid network, sending normal IP packets to the real embedded device and abnormal IP packets to the real embedded device simulator; the security control module is connected to a serial communication module and to an external memory that holds the file configuration program separately, and is further connected to a switch module whose signal output is connected to the signal input of the security control module;
the real embedded device simulator simulates the operating environment and computing environment of the real embedded device, including hardware environment simulation and software environment simulation, detects the changes in network state and host state that the real embedded device would undergo under network attack, and sends the network state and host state information to the security analysis server;
the security analysis server takes the network state and host state information sent by the real embedded device simulator and, by a multi-dimensional attribute composite metric based on a platform configuration attribute metric, a platform running attribute metric and a user authentication attribute metric, produces the final security detection result.
The security control module stores, for each corresponding destination address and source address, a key, a send sequence number and a receive sequence number. When the security control module receives an IP packet sent by the real embedded device, it reads the packet and extracts the destination address, obtains the corresponding key and send sequence number from the destination address, appends the send sequence number to the end of the IP packet, computes a keyed digest over the IP packet and the send sequence number with the key, appends the digest result after the send sequence number, adjusts the length field in the IP header according to the new length, and then sends the tagged IP packet to the smart grid network through the external network interface module. When the security control module receives an IP packet sent by the smart grid network, it reads the packet and extracts the source address, obtains the corresponding key and receive sequence number from the source address, computes the keyed digest over the protected content and the send sequence number carried in the packet, and compares the result with the digest carried in the packet. If they differ, the IP packet is deemed tampered with or forged and is sent to the real embedded device simulator through the internal network interface module. If they match, the packet is deemed neither tampered with nor forged, and the send sequence number read from the packet is compared with the receive sequence number: if the send sequence number is greater than the receive sequence number the packet is deemed normal, the security control module accepts it and sends it to the real embedded device through the internal network interface module; if the send sequence number is less than or equal to the receive sequence number the packet is deemed illegal and is sent to the real embedded device simulator through the internal network interface module.
The real embedded device simulator includes a hardware trusted cryptographic module (TPM) used for information collection and dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server; abnormal network event information includes abnormal network data and network traffic information, and host events include the configuration information and the running information of the real embedded device simulator. For dynamic trusted measurement of components, a XEN virtual machine is first configured inside the real embedded device simulator, located above the simulator's hardware layer and below the operating system; then, using the XEN hypercall mechanism, the page to be loaded is obtained through its address pointer before the page requested by the component is loaded into memory and run; after XEN has performed its permission check, the handler for that hypercall is executed; code that measures the component is added to the handler so that the measurement code runs first; finally, the measurement code performs a trusted measurement or risk monitoring of the component's current memory snapshot according to the specified measurement method.
The security analysis server performs a multi-dimensional attribute composite quantitative evaluation over the platform configuration attribute, the platform running attribute and the user authentication attribute;
The platform configuration attribute metric reflects the trustworthiness of the platform configuration by a composite evaluation of the integrity of each component recorded in the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module TPM. First, based on the trusted hardware module TPM of the real embedded device simulator, the integrity report for each component of the simulator's computing platform, including PCR values and signature information, is obtained in a secure and trustworthy way; then the security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components; if f components fail integrity verification, then n - f components pass; finally, the platform configuration trust T_I is computed from the component integrity information;
The invention uses the triple {b_S, d_S, u_S} to express the trust state of a component that passed integrity verification: b_S is the probability that the component is unaffected by malicious code, d_S the probability that it is affected by malicious code, and u_S the uncertainty about whether it is affected by malicious code.
The triple {b_F, d_F, u_F} expresses the trust state of a component that failed integrity verification (a failed integrity verification does not necessarily mean that the component's security is compromised), where b_F is the probability that the component damages system security, d_F the probability that it does not damage system security, and u_F the uncertainty about whether it damages system security.
The platform configuration trust T_I is expressed as a triple, T_I = {b_I, d_I, u_I};
Figure PCTCN2015075367-appb-000001 (equation image, not reproduced in the text extraction)
Figure PCTCN2015075367-appb-000002 (equation image, not reproduced in the text extraction)
Figure PCTCN2015075367-appb-000003 (equation image, not reproduced in the text extraction)
where b_I is the probability that platform integrity has not been compromised, d_I the probability that it has been compromised, and u_I the uncertainty about whether platform integrity is intact; κ is an adjustment factor, normally taken as
Figure PCTCN2015075367-appb-000004 (equation image, not reproduced in the text extraction)
When f = 0, κ = 1; the larger f is, the smaller κ and therefore b_I become, so that the trusted components are affected more and more as the number of untrusted components grows, which matches practice. When trust and distrust do not decay, u_S and u_F are 0;
The platform running attribute metric treats normal network communication events as positive events, whose cumulative count is r, and attack events and sniffing events against the network as negative events, whose cumulative count is s, and computes the platform running attribute trust T_H;
The platform running attribute trust T_H is expressed as a triple, T_H = {b_H, d_H, u_H},
where
Figure PCTCN2015075367-appb-000005 (equation image, not reproduced in the text extraction)
b_H is the probability of normal network communication;
Figure PCTCN2015075367-appb-000006 (equation image, not reproduced in the text extraction)
d_H is the probability of an illegal network communication event;
Figure PCTCN2015075367-appb-000007 (equation image, not reproduced in the text extraction)
u_H is the uncertainty about normal network communication;
The user authentication attribute metric computes an authentication trust level from the probability that the authentication method is broken. Let P(A) be the probability of the event that an attacker successfully breaks authentication method A and can impersonate a legitimate user; the trust level of A is then level_A = -log(P(A)). If the system uses a multi-factor authentication scheme with factors A1, A2, ..., Am, where m is the number of authentication factors, the multi-factor scheme is broken only when all of the authentication methods are broken, with probability P(A1 ∩ A2 ∩ ... ∩ Am). Suppose user U passes multi-factor authentication; the trust level A_U that U obtains after system authentication is then expressed as:
$A_U = -\log P(A_1 \cap A_2 \cap \cdots \cap A_m)$;
The multi-dimensional attribute composite metric based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric is, on the basis of the user authentication attribute metric, a weighted average of the platform configuration attribute metric and the platform running attribute metric. Let α_I and α_H be the weights of the platform configuration attribute metric and the platform running attribute metric respectively, with α_I + α_H = 1; the security metric evaluation value of the real embedded device simulator, T_P = {b_P, d_P, u_P}, is then:
$b_P = \alpha_I b_I + \alpha_H b_H$
$d_P = \alpha_I d_I + \alpha_H d_H$
$u_P = \alpha_I u_I + \alpha_H u_H$;
where b_P is the probability that the real embedded device simulator is secure and trustworthy, d_P the probability that it is not secure and trustworthy, and u_P the uncertainty about whether it is secure and trustworthy.
A smart grid embedded device network attack trapping method, comprising the following steps:
A: connect the data receiving end of the trapping device directly to the smart grid network, and the data sending end of the trapping device to the real embedded device and to the security analysis server respectively; the trapping device comprises a network interface module, a security control module and a real embedded device simulator; the network interface module comprises an external network interface module and an internal network interface module; the external network interface module is connected to the security control module and to the smart grid network, receives IP packets sent by the external communication network and passes them to the security control module, and receives IP packets sent by the security control module and sends them over the external communication network; the internal network interface module is connected between the security control module and the real embedded device simulator and between the security control module and the real embedded device, receives IP packets sent by the security control module and passes them to the real embedded device or to the real embedded device simulator, and receives IP packets sent by the real embedded device and passes them to the security control module;
B: when the real embedded device needs to send IP packets to other devices on the smart grid network, the security control module tags the IP packets received from the real embedded device and sends them to the smart grid network through the network interface module. The security control module stores, for each corresponding destination address and source address, a key, a send sequence number and a receive sequence number. When the security control module receives an IP packet sent by the real embedded device, it reads the packet and extracts the destination address, obtains the corresponding key and send sequence number from the destination address, appends the send sequence number to the end of the IP packet, computes a keyed digest over the IP packet and the send sequence number with the key, appends the digest result after the send sequence number, adjusts the length field in the IP header according to the new length, and then sends the tagged IP packet to the smart grid network through the external network interface module;
When the security control module receives an IP packet sent by the smart grid network, it reads the packet and extracts the source address, obtains the corresponding key and receive sequence number from the source address, computes the keyed digest over the protected content and the send sequence number carried in the packet, and compares the result with the digest carried in the packet. If they differ, the IP packet is deemed tampered with or forged and is sent to the real embedded device simulator through the internal network interface module. If they match, the packet is deemed neither tampered with nor forged, and the send sequence number read from the packet is compared with the receive sequence number: if the send sequence number is greater than the receive sequence number the packet is deemed normal, the security control module accepts it and sends it to the real embedded device through the internal network interface module; if the send sequence number is less than or equal to the receive sequence number the packet is deemed illegal and is sent to the real embedded device simulator through the internal network interface module;
C: use the real embedded device simulator to simulate the operating environment and computing environment of the real embedded device, including hardware environment simulation and software environment simulation, detect the changes in network state and host state that the real embedded device would undergo under network attack, and send the network state and host state information to the security analysis server;
D: use the security analysis server to take the network state and host state information sent by the real embedded device simulator and, by a multi-dimensional attribute composite metric based on a platform configuration attribute metric, a platform running attribute metric and a user authentication attribute metric, produce the final security detection result.
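The tagging and checking procedure of step B, shown as an added example that is not part of the patent and not the applicant's code. It models one security control module per endpoint in Python. Where the page is silent it assumes HMAC-SHA256 as the keyed digest, a 4-byte big-endian sequence number, IPv4 headers without options, that the stored receive sequence number advances when a packet is accepted, that the tag is stripped before the packet is handed to the real device, and that packets from a source with no configured key go to the simulator. The sample packets and key are constructed inline.

```python
"""Added example, not the patent's code: the security control module's packet
tagging (outbound) and checking (inbound) from step B.  Assumptions the page
does not fix: HMAC-SHA256 as the keyed digest, a 4-byte big-endian sequence
number, IPv4 headers without options, the receive sequence number advancing
on acceptance, and packets from an unknown source going to the simulator."""
import hashlib
import hmac
import ipaddress
import struct

IP_HDR = 20
SEQ_LEN = 4
MAC_LEN = 32  # HMAC-SHA256 output


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the header with its checksum field zeroed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack(">%dH" % (len(h) // 2), bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed minimal IPv4 packet for the demo (TTL 64, no options)."""
    hdr = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(payload),
                                0, 0, 64, proto, 0,
                                ipaddress.ip_address(src).packed,
                                ipaddress.ip_address(dst).packed))
    struct.pack_into(">H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def _protected(body: bytes) -> bytes:
    """Digest input: packet plus appended sequence number, with the TTL and header
    checksum zeroed because routers rewrite them in transit (design choice)."""
    b = bytearray(body)
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def strip_tag(packet: bytes) -> bytes:
    """Drop sequence number and digest and restore the original IP total length."""
    body = bytearray(packet[:-(SEQ_LEN + MAC_LEN)])
    struct.pack_into(">H", body, 2, len(body))
    struct.pack_into(">H", body, 10, ipv4_checksum(bytes(body[:IP_HDR])))
    return bytes(body)


class SecurityControlModule:
    """One instance per endpoint; peer_keys maps peer address -> shared key."""

    def __init__(self, peer_keys: dict):
        self.keys = {ipaddress.ip_address(a): k for a, k in peer_keys.items()}
        self.send_seq = {a: 0 for a in self.keys}
        self.recv_seq = {a: 0 for a in self.keys}

    def tag_outbound(self, packet: bytes) -> bytes:
        """Append the send sequence number, then the keyed digest; fix the length."""
        dst = ipaddress.ip_address(packet[16:20])
        self.send_seq[dst] += 1
        body = bytearray(packet + struct.pack(">I", self.send_seq[dst]))
        struct.pack_into(">H", body, 2, len(body) + MAC_LEN)  # final total length
        struct.pack_into(">H", body, 10, ipv4_checksum(bytes(body[:IP_HDR])))
        mac = hmac.new(self.keys[dst], _protected(bytes(body)), hashlib.sha256)
        return bytes(body) + mac.digest()

    def classify_inbound(self, packet: bytes):
        """Return ('device' | 'simulator', reason) for a packet from the grid side."""
        if len(packet) < IP_HDR + SEQ_LEN + MAC_LEN or packet[0] != 0x45:
            return "simulator", "malformed or untagged packet"
        src = ipaddress.ip_address(packet[12:16])
        key = self.keys.get(src)
        if key is None:
            return "simulator", "no key for source address"
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(key, _protected(body), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return "simulator", "digest mismatch: tampered or forged"
        seq = struct.unpack(">I", body[-SEQ_LEN:])[0]
        if seq <= self.recv_seq[src]:
            return "simulator", "sequence number not advanced: replay"
        self.recv_seq[src] = seq
        return "device", "ok"


def demo():
    """Constructed scenario: a grid-side peer at 10.0.0.10 talks to the protected
    device at 10.0.0.20 through the trapping device."""
    key = b"constructed-demo-key-not-for-real-use"
    peer = SecurityControlModule({"10.0.0.20": key})
    trap = SecurityControlModule({"10.0.0.10": key})
    original = make_ipv4("10.0.0.10", "10.0.0.20", b"constructed application payload")
    tagged = peer.tag_outbound(original)
    genuine = trap.classify_inbound(tagged)
    replay = trap.classify_inbound(tagged)              # same packet a second time
    forged = bytearray(tagged)
    forged[IP_HDR + 3] ^= 0x01                          # flip one payload byte
    tampered = trap.classify_inbound(bytes(forged))
    stranger = SecurityControlModule({"10.0.0.20": key})
    unknown = trap.classify_inbound(stranger.tag_outbound(
        make_ipv4("10.0.0.30", "10.0.0.20", b"no key for this source")))
    return {"genuine": genuine, "replay": replay, "tampered": tampered,
            "unknown": unknown, "restored": strip_tag(tagged) == original}
```

Two points the claim language does not settle but an implementer must: mutable IP header fields (TTL, header checksum) have to be excluded from the digest, or every router hop invalidates it, and the digest comparison should be constant-time (hmac.compare_digest here) so that the device/simulator decision does not leak timing. Note also that the sequence rule as stated sends any packet that arrives behind a later one to the simulator, so reordering on the grid network is classified as an attack.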
In step B, a serial communication module and an external memory that separately holds the file configuration program of the network attack filtering device are connected to the security processing module, and a switch module is also connected to the security processing module, with the signal output of the switch module connected to the signal input of the security processing module. The switch module feeds a high-level or low-level signal to the security processing module, and according to which signal it receives the security processing module runs either the IP packet tagging and parsing/discrimination mode or the file configuration mode; in file configuration mode the security processing module communicates with the outside only through the serial communication module. When the security processing module runs the IP packet tagging and parsing/discrimination mode it boots internally, that is, it reads the network attack filtering program from its internal storage unit and executes it, and it cannot access the external memory; when the security processing module runs the configuration program mode it reads the configuration program from the external memory and executes it, the configuration program runs on the user's computer, and the user's computer communicates with the security processing module through the serial communication module.
In step C, the real embedded device simulator includes a hardware trusted cryptographic module (TPM) used for information collection and dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server; abnormal network event information includes abnormal network data and network traffic information, and host events include the configuration information and the running information of the real embedded device simulator. For dynamic trusted measurement of components, a XEN virtual machine is first configured inside the real embedded device simulator, located above the simulator's hardware layer and below the operating system; then, using the XEN hypercall mechanism, the page to be loaded is obtained through its address pointer before the page requested by the component is loaded into memory and run; after XEN has performed its permission check, the handler for that hypercall is executed; code that measures the component is added to the handler so that the measurement code runs first; finally, the measurement code performs a trusted measurement or risk monitoring of the component's current memory snapshot according to the specified measurement method.
In step D, the security analysis server performs a multi-dimensional attribute composite quantitative evaluation over the platform configuration attribute, the platform running attribute and the user authentication attribute;
The platform configuration attribute metric reflects the trustworthiness of the platform configuration by a composite evaluation of the integrity of each component recorded in the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module TPM. First, based on the trusted hardware module TPM of the real embedded device simulator, the integrity report for each component of the simulator's computing platform, including PCR values and signature information, is obtained in a secure and trustworthy way; then the security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components; if f components fail integrity verification, then n - f components pass; finally, the platform configuration trust T_I is computed from the component integrity information:
The invention uses the triple {b_S, d_S, u_S} to express the trust state of a component that passed integrity verification: b_S is the probability that the component is unaffected by malicious code, d_S the probability that it is affected by malicious code, and u_S the uncertainty about whether it is affected by malicious code.
The triple {b_F, d_F, u_F} expresses the trust state of a component that failed integrity verification, where b_F is the probability that the component damages system security, d_F the probability that it does not damage system security, and u_F the uncertainty about whether it damages system security.
The platform configuration trust T_I is expressed as a triple, T_I = {b_I, d_I, u_I};
Figure PCTCN2015075367-appb-000008 (equation image, not reproduced in the text extraction)
Figure PCTCN2015075367-appb-000009 (equation image, not reproduced in the text extraction)
Figure PCTCN2015075367-appb-000010 (equation image, not reproduced in the text extraction)
where b_I is the probability that platform integrity has not been compromised, d_I the probability that it has been compromised, and u_I the uncertainty about whether platform integrity is intact; κ is an adjustment factor, normally taken as
Figure PCTCN2015075367-appb-000011 (equation image, not reproduced in the text extraction)
When f = 0, κ = 1; the larger f is, the smaller κ and therefore b_I become, so that the trusted components are affected more and more as the number of untrusted components grows, which matches practice. When trust and distrust do not decay, u_S and u_F are 0;
The platform running attribute metric treats normal network communication events as positive events, whose cumulative count is r, and attack events and sniffing events against the network as negative events, whose cumulative count is s, and computes the platform running attribute trust T_H;
The platform running attribute trust T_H is expressed as a triple, T_H = {b_H, d_H, u_H},
where
Figure PCTCN2015075367-appb-000012 (equation image, not reproduced in the text extraction)
b_H is the probability of normal network communication;
Figure PCTCN2015075367-appb-000013 (equation image, not reproduced in the text extraction)
d_H is the probability of an illegal network communication event;
Figure PCTCN2015075367-appb-000014 (equation image, not reproduced in the text extraction)
u_H is the uncertainty about normal network communication;
The user authentication attribute metric computes the authentication trust level from the probability that an authentication method is broken. Let the probability of the event that an attacker successfully breaks authentication method A and can pose as a normal user be P(A); the trust level of authentication method A is then level_A = -log(P(A)). If the system adopts a multi-factor authentication scheme A1, A2, ..., Am, where m is the number of authentication factors, the multi-factor scheme is broken only when all of the authentication methods are broken, which has probability P(A1 ∩ A2 ∩ ... ∩ Am). Assuming that user U has passed multi-factor authentication, the trust level A_U that U obtains after system authentication is expressed as:
A_U = -log(P(A1 ∩ A2 ∩ ... ∩ Am));
The multi-dimensional comprehensive attribute metric based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric is, on top of the user authentication attribute metric, a weighted average of the platform configuration attribute metric and the platform running attribute metric. Let α_I and α_H be the weights of the platform configuration attribute metric and the platform running attribute metric respectively, with α_I + α_H = 1; the security metric evaluation value of the actual embedded device simulator, T_P = {b_P, d_P, u_P}, is then:
b_P = α_I b_I + α_H b_H
d_P = α_I d_I + α_H d_H
u_P = α_I u_I + α_H u_H;
where b_P denotes the probability that the actual embedded device simulator is secure and trustworthy; d_P denotes the probability that it is not secure and trustworthy; u_P denotes the degree of uncertainty about whether it is secure and trustworthy.
By introducing the trapping device, the smart grid embedded device network attack trapping system of the present invention uses the security control module to tag the IP data packets received from the actual embedded device, to parse and discriminate the IP data packets received from the smart grid network, to forward normal IP data packets to the actual embedded device and abnormal IP data packets to the actual embedded device simulator, and then uses the actual embedded device simulator to simulate the running environment and computing environment of the actual embedded device, so that changes in the network state and host state of the actual embedded device under network attack can be detected and the network state and host state information sent to the security analysis server. Finally, the security analysis server applies to the network state and host state information sent by the actual embedded device simulator the multi-dimensional comprehensive attribute metric based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric, and obtains the final security detection result. The invention detects and perceives unknown network attacks in real time while ensuring that the actual embedded device keeps working normally, overcomes the drawbacks that existing network attack detection techniques cannot be applied directly to embedded devices and can only provide after-the-fact defense, and proactively traps network attacks against embedded devices. At the same time, by means of a hardware improvement, the invention isolates the packet tagging and parsing/discrimination mode of the network attack filtering device from its file configuration mode, which effectively prevents an attacker from attacking the trapping device through the network interface module, improves security, and effectively protects the trapping device.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic block diagram of the smart grid embedded device network attack trapping system of the present invention;
FIG. 2 is a flow chart of the smart grid embedded device network attack trapping method of the present invention;
FIG. 3 is a schematic diagram of the IP data packet tagging principle.
DETAILED DESCRIPTION OF THE EMBODIMENTS
As shown in FIG. 1, the smart grid embedded device network attack trapping system of the present invention comprises a trapping device and a security analysis server;
The data receiving end of the trapping device is connected to the smart grid network, and the data sending end of the trapping device is connected to the actual embedded device and to the security analysis server respectively; the trapping device comprises a network interface module, a security control module and an actual embedded device simulator;
The network interface module is used to send and receive IP data packets and comprises an external network interface module and an internal network interface module. The external network interface module is connected to the security control module and to the smart grid network; it receives the IP data packets sent by the external communication network and passes them to the security control module, and receives the IP data packets sent by the security control module and transmits them over the external communication network. The internal network interface module connects the security control module with the actual embedded device simulator and the security control module with the actual embedded device; it receives the IP data packets sent by the security control module and passes them to the actual embedded device or the actual embedded device simulator, and receives the IP data packets sent by the actual embedded device and passes them to the security control module.
The security control module tags the IP data packets received from the actual embedded device and sends them to the smart grid network through the network interface module, and parses and discriminates the IP data packets received from the smart grid network, sending normal IP data packets to the actual embedded device and abnormal IP data packets to the actual embedded device simulator. Abnormal network data information consists of two parts:
(1) Abnormal network data content: the security control module judges the packet format, protocol, data content and other information of the network data packet and sends the abnormal network information to the actual embedded device simulator; on the basis of this information the security analysis server can discover scanning, penetration attacks, replay attacks, buffer overflows, vulnerability exploitation and many other kinds of network attack behaviour.
(2) Network traffic information: the security control module judges network traffic information such as the overall traffic of the device, the traffic of a particular service and the current number of session connections, and sends the abnormal network traffic information to the actual embedded device simulator; on the basis of this information the security analysis server can discover illegal exfiltration of information, denial-of-service attacks and the like.
The security control module stores the key, the sending sequence number and the receiving sequence number corresponding to each destination address and source address. When the security control module receives an IP data packet sent by the actual embedded device, it reads the IP data packet and extracts its destination address, obtains the corresponding key and sending sequence number according to the destination address, places the sending sequence number at the tail of the IP data packet, performs a digest operation over the IP data packet and the sending sequence number using the key, appends the digest result after the sending sequence number, adjusts the length indication information in the IP header according to the current length, and then sends the tagged IP data packet to the smart grid network through the external network interface module. When the security control module receives an IP data packet sent by the smart grid network, it reads the IP data packet and extracts its source address, obtains the corresponding key and receiving sequence number according to the source address, performs a digest operation over the protected content of the IP data packet and the sending sequence number using the key, and compares the result with the digest result carried in the IP data packet. If the results do not match, the IP data packet is regarded as tampered with or forged and is sent to the actual embedded device simulator through the internal network interface module. If the results match, the IP data packet is judged not to have been tampered with or forged, and the sending sequence number read from the IP data packet is then compared with the receiving sequence number: if the sending sequence number is greater than the receiving sequence number, the IP data packet is regarded as normal, and the security control module accepts it and sends it to the actual embedded device through the internal network interface module; if the sending sequence number is less than or equal to the receiving sequence number, the IP data packet is regarded as illegal and is sent to the actual embedded device simulator through the internal network interface module. FIG. 3 is a schematic diagram of the IP data packet tagging principle.
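The tagging and discrimination sequence described above, implemented as an added example that is not part of the patent: the HMAC-SHA256 digest, the 4-byte sequence number, the minimal IPv4 packets built inline and the per-peer state tables are assumptions of this example, and it additionally treats an unknown source address or an untagged packet as abnormal.

```python
"""IP packet tagging and discrimination as performed by the security control module.

Constructed example: minimal IPv4 packets built here, HMAC-SHA256 as the keyed
digest (the page only says 'digest operation with the key') and a 4-byte
big-endian sequence number are all assumptions of this example.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict

IPV4_HDR_LEN = 20   # minimal header without options
SEQ_LEN = 4         # width of the appended sending sequence number (assumed)
DIGEST_LEN = 32     # HMAC-SHA256 output (assumed)
TRAILER_LEN = SEQ_LEN + DIGEST_LEN


@dataclass
class PeerState:
    """Key and sequence numbers stored per destination/source address."""
    key: bytes
    send_seq: int = 1   # next sending sequence number for this peer
    recv_seq: int = 0   # highest sequence number accepted from this peer


def ip_checksum(header: bytes) -> int:
    """Standard IPv4 header checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def _with_header_fields(packet: bytes, total_len: int) -> bytes:
    """Rewrite the total length field and recompute the header checksum
    (the page adjusts the length indication; recomputing the checksum is assumed)."""
    hdr = packet[:2] + struct.pack("!H", total_len) + packet[4:10] + b"\x00\x00" + packet[12:IPV4_HDR_LEN]
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + packet[IPV4_HDR_LEN:]


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed minimal IPv4 packet (version 4, IHL 5, TTL 64)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0, _addr(src), _addr(dst))
    return _with_header_fields(hdr + payload, IPV4_HDR_LEN + len(payload))


def total_length(packet: bytes) -> int:
    return struct.unpack("!H", packet[2:4])[0]


def protected_content(packet: bytes) -> bytes:
    """Bytes covered by the digest: the header with its mutable fields
    (total length, checksum) zeroed, followed by the payload."""
    hdr = packet[:2] + b"\x00\x00" + packet[4:10] + b"\x00\x00" + packet[12:IPV4_HDR_LEN]
    return hdr + packet[IPV4_HDR_LEN:]


class SecurityControlModule:
    def __init__(self, peers: Dict[str, PeerState]) -> None:
        self.peers = peers

    def tag_outgoing(self, packet: bytes) -> bytes:
        """Packet from the actual embedded device: append sequence number and digest,
        then fix the header length (page: 'adjust the length indication')."""
        dst = ".".join(str(b) for b in packet[16:20])
        peer = self.peers[dst]
        seq = struct.pack("!I", peer.send_seq)
        peer.send_seq += 1
        digest = hmac.new(peer.key, protected_content(packet) + seq, hashlib.sha256).digest()
        tagged = packet + seq + digest
        return _with_header_fields(tagged, len(tagged))

    def classify_incoming(self, packet: bytes) -> str:
        """Packet from the smart grid network: 'device' if it is normal,
        'simulator' if it is forged, tampered with, or replayed."""
        src = ".".join(str(b) for b in packet[12:16])
        peer = self.peers.get(src)
        if peer is None or len(packet) < IPV4_HDR_LEN + TRAILER_LEN:
            return "simulator"  # unknown source or no tag: treated as abnormal (assumption)
        body = packet[:-TRAILER_LEN]
        seq_bytes = packet[-TRAILER_LEN:-DIGEST_LEN]
        digest = packet[-DIGEST_LEN:]
        expected = hmac.new(peer.key, protected_content(body) + seq_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, digest):
            return "simulator"  # digest mismatch: tampered with or forged
        seq = struct.unpack("!I", seq_bytes)[0]
        if seq <= peer.recv_seq:
            return "simulator"  # sending seq <= receiving seq: illegal (replay)
        peer.recv_seq = seq     # advance the receiving sequence number (assumed)
        return "device"


if __name__ == "__main__":
    KEY = b"constructed-shared-key"  # constructed; both ends hold the key for the peer address
    device_side = SecurityControlModule({"10.0.0.2": PeerState(KEY)})
    grid_side = SecurityControlModule({"10.0.0.1": PeerState(KEY)})
    pkt = device_side.tag_outgoing(build_ipv4("10.0.0.1", "10.0.0.2", b"meter reading 42"))
    print(grid_side.classify_incoming(pkt))  # device
    print(grid_side.classify_incoming(pkt))  # simulator (replayed sequence number)
```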
The security control module is further connected to a serial communication module and to an external memory used solely to store the file configuration program, and to a switch module whose signal output is connected to the signal input of the security control module. The switch module feeds a high-level or low-level signal into the security control module, and depending on which signal it receives the security control module executes either the IP packet tagging and parsing/discrimination mode or the file configuration mode; in file configuration mode the security control module communicates with the outside world only through the serial communication module. When the security control module executes the attack filtering mode it boots from internal storage, that is, it reads the IP packet tagging and parsing/discrimination program from the internal storage unit and executes it; the security control module cannot access the external memory, so the program in the external memory cannot be tampered with, which guarantees the security of the configuration program. When the security control module executes the configuration program running mode, it reads the configuration program from the external memory and executes it; the configuration program runs on the user's computer, which communicates with the security control module through the serial communication module, and the configuration program running in the security control module forms a client/server (C/S) working mode with the user's computer. The invention uses a hardware switch to isolate the two operating modes of the security control module; since the security control module does not use the network while executing the configuration program, attacks launched through the network interface module against the security control module itself are effectively prevented, and whether or not the configuration program of the security control module has vulnerabilities, an attacker cannot modify it, so security is greatly improved.
In this embodiment, the network interface module uses an interface chip supporting Ethernet specifications such as IEEE 802.3, called a network card chip, which supports sending and receiving Ethernet data packets. To improve overall security, a domestically produced network card chip is chosen. The security control module is a control chip with security functions, where the security functions mean that it can perform cryptographic operations and itself has strong countermeasures against a variety of attacks; the cryptographic operation may be a digest operation, and the built-in countermeasures include a multi-layer special layout design, voltage detection, encryption protection of the storage area, light detection, an MPU (memory protection unit) and other measures against physical and software attacks. The switch module may be a circuit switch whose opening and closing send two different control signals, low level and high level, to the security processing chip. The serial communication module may be an asynchronous serial communication interface chip supporting the RS232 standard; communication requires a dedicated serial cable connecting this asynchronous serial communication interface chip with the asynchronous serial communication interface chip (generally called a COM port) on the computer the user uses for configuration. The external memory may be a FLASH chip, a general-purpose memory chip that retains data when power is lost and that can be read, written, erased and so on through its external interface.
The actual embedded device simulator simulates the running environment and computing environment of the actual embedded device, including hardware environment simulation and software environment simulation; it detects changes in the network state and host state of the actual embedded device under network attack and sends the network state and host state information to the security analysis server. The actual embedded device simulator includes a hardware trusted cryptographic module (TPM) used for information collection and dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server; abnormal network event information includes abnormal network data information and network traffic information, and host events include the configuration information and running information of the actual embedded device simulator. The dynamic trusted measurement of components in the actual embedded device simulator uses the simulator's privilege control mechanism to analyse the dynamic memory image of components while they run, so as to measure running components effectively and dynamically, discover abnormal component behaviour (attack or damage) in time, defend proactively against attacks, and provide a secure and trustworthy computing and running environment for the safe and stable operation of the actual embedded device simulator.
Dynamic changes in components are reflected in the allocation and replacement of memory by the operating system. The operating system manages the loading and running of applications (components). When a component or application is executed, the operating system allocates it a certain amount of memory and creates a page table for the process to map physical memory to its address space. When a page fault occurs in a component or application, that is, while it is running, the operating system swaps some of the required pages from disk into memory according to a page replacement algorithm and updates the page table.
Based on the above working principle, the dynamic trusted measurement of components proceeds as follows:
First, a XEN virtual machine is configured in the actual embedded device simulator; the XEN virtual machine sits above the hardware layer of the actual embedded device simulator and below the operating system;
Then, using the hypercall mechanism of the XEN virtual machine, the page being loaded into memory is obtained through an address pointer before the page requested by the component is loaded into memory and run; after the XEN virtual machine has performed its permission check, the handler of the hypercall is executed, and code that measures the component is added to the handler so that the measurement code runs first;
Finally, the measurement code performs trusted measurement or risk monitoring of the component's current memory snapshot according to a specified measurement method, the specified methods including integrity measurement, code feature detection and behavioural similarity detection. By performing the dynamic trusted measurement of components every time memory is allocated or replaced, the process of component change is measured dynamically.
Using the network state and host state information sent by the actual embedded device simulator, the security analysis server performs a comprehensive quantitative evaluation over multiple dimensions of attributes, namely the platform configuration attribute, the platform running attribute and the user authentication attribute, and finally obtains the security detection result. The multi-dimensional attributes of the security analysis server comprise computing platform configuration, platform running and identity authentication attributes, all of which affect system security.
(1) Platform configuration attribute metric
The platform configuration attribute metric is in fact a comprehensive evaluation based on the integrity of each component, and reflects how far the platform configuration can be trusted. The integrity measurement values of the platform's components have already been extended into the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module TPM (Trusted Platform Module) of the actual embedded device simulator platform, so the platform configuration attribute metric verifies these PCR values to compute the trustworthiness of the platform configuration.
The specific method of the platform configuration attribute metric is as follows:
First, based on the trusted hardware module TPM of the actual embedded device simulator, the integrity report information of each component of the simulator's computing platform, including PCR values and signature information, is obtained in a secure and trustworthy manner;
Then the security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components; if the number of components whose integrity verification fails is f, the number of components whose integrity verification succeeds is n-f;
Finally, based on the information on whether each component's integrity holds, the platform configuration trust degree T_I is computed:
The present invention uses the triple {b_S, d_S, u_S} to represent the trust situation of a component whose integrity verification succeeded: b_S denotes the probability that the component is not affected by malicious code, d_S the probability that it is affected by malicious code, and u_S the degree of uncertainty about whether it is affected by malicious code;
The triple {b_F, d_F, u_F} represents the trust situation of a component whose integrity verification failed (a failed integrity verification does not necessarily mean that the component's security is threatened; for example, a software version upgrade also causes PCR value verification to fail but is harmless), where b_F denotes the probability that the component damages system security, d_F the probability that it does not damage system security, and u_F the degree of uncertainty about whether it damages system security;
The platform configuration trust degree T_I is expressed as a triple, T_I = {b_I, d_I, u_I};
Figure PCTCN2015075367-appb-000015
Figure PCTCN2015075367-appb-000016
Figure PCTCN2015075367-appb-000017
where b_I denotes the probability that platform integrity is intact; d_I denotes the probability that platform integrity is damaged; u_I denotes the degree of uncertainty about whether platform integrity is intact; κ is an adjustment factor, generally taken as
Figure PCTCN2015075367-appb-000018
When f = 0, κ = 1; the larger f is, the smaller κ and b_I become, so the trusted components are affected more and more as the number of untrusted components grows, which matches reality; when neither trust nor distrust is attenuated, u_S and u_F are 0;
Equation (1) can be simplified to
Figure PCTCN2015075367-appb-000019
Figure PCTCN2015075367-appb-000020
(2) Platform running attribute metric
The platform running attribute reflects the observable trust attributes of the current behaviour of the actual embedded device simulator. Platform running attributes include performance characteristics (such as CPU, memory and hard disk usage and network traffic information), reliability characteristics (such as success rate, packet loss rate and mean time between failures) and security characteristics (such as the number of illegal connections, the number of port scans and attempts to exceed authorisation).
The platform running attribute metric treats normal network communication events as positive events, whose cumulative count is denoted r, and treats attack events and sniffing events against the network as negative events, whose cumulative count is denoted s; from these the platform running attribute trust degree T_H is computed.
Based on these characteristics, the trust value of the current running state of the actual embedded device simulator can be computed. The method is as follows:
The platform running attribute trust degree T_H is composed of the triple T_H = {b_H, d_H, u_H}, where
Figure PCTCN2015075367-appb-000021
Figure PCTCN2015075367-appb-000022
Figure PCTCN2015075367-appb-000023
b_H denotes the probability of normal network communication; d_H denotes the probability of an illegal network communication event; u_H denotes the degree of uncertainty about normal network communication;
Based on equation (3), the platform running attribute trust degree T_H can be computed.
(3) User authentication attribute metric
When a user seeks illegal gain, such as access to unauthorised resources, the user may exploit system vulnerabilities or other technical means to impersonate another user's identity. It is therefore necessary to measure the credibility of the identity credentials submitted by the user, that is, to compute the authentication trust level. In the system there may be many kinds of user identity credentials, such as digital certificates, fingerprints, irises and even simple PIN codes; in order to express the credibility of user identity attributes uniformly, the user authentication attribute metric computes the authentication trust level from the probability that the authentication method is broken. The problem of measuring user identity attributes is in fact the problem of computing the probability of breaking a multi-factor authentication scheme.
The specific steps of the user authentication attribute metric are as follows:
First, let the probability of the event that an attacker successfully breaks authentication method A and can pose as a legitimate user be P(A); the trust level of authentication method A is then level_A = -log(P(A));
Then, if the system adopts a multi-factor authentication scheme A1, A2, ..., Am, where m is the number of authentication factors (for example, with three-factor authentication using a fingerprint, a password and a certificate, m = 3), the multi-factor scheme is broken only when all of the authentication methods are broken, which has probability P(A1 ∩ A2 ∩ ... ∩ Am). Assuming that user U has passed multi-factor authentication, the trust level A_U that U obtains after system authentication is expressed as:
A_U = -log(P(A1 ∩ A2 ∩ ... ∩ Am));
(4) Multi-dimensional comprehensive attribute metric
The multi-dimensional comprehensive attribute metric based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric is, on top of the user authentication attribute metric, a weighted average of the platform configuration attribute metric and the platform running attribute metric. Let α_I and α_H be the weights of the platform configuration attribute metric and the platform running attribute metric respectively, with α_I + α_H = 1; the security metric evaluation value of the actual embedded device simulator, T_P = {b_P, d_P, u_P}, is then:
b_P = α_I b_I + α_H b_H
d_P = α_I d_I + α_H d_H           (4)
u_P = α_I u_I + α_H u_H
where b_P denotes the probability that the actual embedded device simulator is secure and trustworthy; d_P denotes the probability that it is not secure and trustworthy; u_P denotes the degree of uncertainty about whether it is secure and trustworthy.
Based on equation (4), the quantified value of the security status of the actual embedded device simulator can be computed, giving the final security detection result.
For example, the detection system sets the user authentication security threshold A_U = 0.65 and the security status threshold of the actual embedded device simulator {λb_P, λd_P, λu_P} = {0.7, 0.1, 0.2}. If, at a certain moment, the above method yields a user authentication attribute metric value of 0.7 and an actual embedded device simulator platform metric value of {0.6, 0.2, 0.2}, then although the user authentication attribute metric value 0.7 exceeds the user authentication security threshold 0.65, b_P = 0.6 in the platform metric is less than λb_P = 0.7, so the security status of the actual embedded device simulator at that moment is judged not to meet the requirement and a security risk exists.
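Equation (4) and the threshold decision of this worked example carried through in code, as an added example that is not the patent's own implementation; the triples T_I and T_H, the weights, the base-10 logarithm, the upper-bound reading of the d and u thresholds and the independence of the authentication factors are assumptions of the example.

```python
"""Composite security metric of equation (4) and the threshold decision of the worked example.

Added example, not the patent's code. Assumptions: a trust triple (b, d, u)
sums to 1; the d and u thresholds are upper bounds (the page only states the
b_P comparison); the log in A_U is base 10; and the break probability of a
multi-factor scheme is the product of the per-factor probabilities, i.e. the
factors are treated as independent (the page leaves P(A1 ∩ ... ∩ Am) open).
"""
import math
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Opinion:
    """Trust triple: b = probability of 'secure and trustworthy', d = of 'not', u = uncertainty."""
    b: float
    d: float
    u: float

    def __post_init__(self) -> None:
        if min(self.b, self.d, self.u) < 0 or not math.isclose(self.b + self.d + self.u, 1.0, abs_tol=1e-9):
            raise ValueError("b, d and u must be non-negative and sum to 1")


def combine(t_i: Opinion, t_h: Opinion, alpha_i: float) -> Opinion:
    """Equation (4): T_P = alpha_I * T_I + alpha_H * T_H with alpha_I + alpha_H = 1."""
    if not 0.0 <= alpha_i <= 1.0:
        raise ValueError("alpha_I must lie in [0, 1]")
    alpha_h = 1.0 - alpha_i
    return Opinion(
        alpha_i * t_i.b + alpha_h * t_h.b,
        alpha_i * t_i.d + alpha_h * t_h.d,
        alpha_i * t_i.u + alpha_h * t_h.u,
    )


def auth_trust_level(break_probs: Sequence[float]) -> float:
    """A_U = -log P(A1 ∩ ... ∩ Am); the joint probability is formed here under
    the assumed independence of the m factors, and the log is base 10 (assumed)."""
    joint = 1.0
    for p in break_probs:
        if not 0.0 < p <= 1.0:
            raise ValueError("each break probability must lie in (0, 1]")
        joint *= p
    return -math.log10(joint)


def evaluate(auth_level: float, auth_threshold: float,
             t_p: Opinion, thresholds: Tuple[float, float, float]) -> Tuple[bool, List[str]]:
    """Decision rule of the worked example: the authentication level must reach its
    threshold and b_P must reach lambda_bP; d_P and u_P must not exceed theirs (assumed)."""
    lam_b, lam_d, lam_u = thresholds
    failures: List[str] = []
    if auth_level < auth_threshold:
        failures.append(f"A_U={auth_level:.2f} < threshold {auth_threshold:.2f}")
    if t_p.b < lam_b:
        failures.append(f"b_P={t_p.b:.2f} < lambda_bP={lam_b:.2f}")
    if t_p.d > lam_d:
        failures.append(f"d_P={t_p.d:.2f} > lambda_dP={lam_d:.2f}")
    if t_p.u > lam_u:
        failures.append(f"u_P={t_p.u:.2f} > lambda_uP={lam_u:.2f}")
    return (not failures, failures)


if __name__ == "__main__":
    # Constructed inputs chosen so that T_P equals the page's example value {0.6, 0.2, 0.2}.
    t_i = Opinion(0.5, 0.3, 0.2)   # platform configuration attribute trust T_I (constructed)
    t_h = Opinion(0.7, 0.1, 0.2)   # platform running attribute trust T_H (constructed)
    t_p = combine(t_i, t_h, alpha_i=0.5)
    ok, why = evaluate(0.7, 0.65, t_p, (0.7, 0.1, 0.2))
    print(t_p, ok, why)  # ok is False: b_P=0.60 < lambda_bP=0.70
```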
本发明所述的智能电网嵌入式设备网络攻击诱捕系统通过引入诱捕装置,在保证实际嵌入式设备正常工作的同时,对未知网络攻击进行实时检测和感知。实际嵌入式设备模拟机模拟实际设备,从组件、进程、硬件配置等影响系统安全的关键因素进行动态检测和控制,对未知的网络攻击和异常应为进行及时相应和处理,克服现有网络攻击检测技术无法直接应用于嵌入式设备且只能做到事后防御的弊端,能够主动做到对嵌入式设备的网络攻击进行诱捕。同时,本发明还能够通过硬件的改进实现网络攻击过滤装置的数据包标识和解析判别模式与文件配置模式的隔离,有效阻止攻击者通过网络接口模块对诱捕装置进行攻击,提高安全性,实现诱捕装置的有效保护。The smart network embedded device network attack trapping system of the invention introduces a trapping device to detect and perceive an unknown network attack in real time while ensuring the normal operation of the embedded device. The actual embedded device simulator simulates the actual device, and dynamically detects and controls the key factors affecting system security, such as components, processes, and hardware configurations. The unknown network attacks and exceptions should be timely and correspondingly processed to overcome existing network attacks. Detection technology can not be directly applied to embedded devices and can only do the drawbacks of after-the-fact defense, and can actively trap network attacks on embedded devices. At the same time, the invention can also realize the isolation of the packet identification and the parsing discriminating mode and the file configuration mode of the network attack filtering device through the improvement of the hardware, effectively preventing the attacker from attacking the trapping device through the network interface module, improving the security and realizing the trapping. Effective protection of the device.
As shown in FIG. 2, the smart grid embedded device network attack trapping method of the present invention comprises the following steps:
A: The data receiving end of the trapping device is connected directly to the smart grid network, and the data sending end of the trapping device is connected to the actual embedded device and to the security analysis server respectively. The trapping device comprises a network interface module, a security control module and an actual embedded device simulator. The network interface module comprises an external network interface module and an internal network interface module. The external network interface module connects the security control module to the smart grid network; it receives IP packets sent by the external communication network and passes them to the security control module, and receives IP packets sent by the security control module and transmits them over the external communication network. The internal network interface module connects the security control module to the actual embedded device simulator and to the actual embedded device; it receives IP packets sent by the security control module and passes them to the actual embedded device or to the actual embedded device simulator, and receives IP packets sent by the actual embedded device and passes them to the security control module.
B: When the actual embedded device needs to send an IP packet to another device on the smart grid network, the security control module tags the IP packet received from the actual embedded device and then sends it to the smart grid network through the network interface module. The security control module stores, for each corresponding destination address and source address, a key, a send sequence number and a receive sequence number. When the security control module receives an IP packet sent by the actual embedded device, it reads the packet and extracts its destination address, obtains the corresponding key and send sequence number according to the destination address, appends the send sequence number to the tail of the IP packet, computes a keyed digest over the IP packet and the send sequence number using the key, appends the digest result after the send sequence number, adjusts the length field in the IP header to the new length, and then sends the tagged IP packet to the smart grid network through the external network interface module.
When the security control module receives an IP packet sent from the smart grid network, it reads the packet and extracts its source address, obtains the corresponding key and receive sequence number according to the source address, computes the keyed digest over the protected content of the IP packet and the send sequence number carried in it, and compares the result with the digest carried in the packet. If they do not match, the IP packet is considered tampered with or forged and is sent to the actual embedded device simulator through the internal network interface module. If they match, the packet is judged not to have been tampered with or forged, and the send sequence number read from the packet is then compared with the stored receive sequence number: if the send sequence number is greater than the receive sequence number, the IP packet is considered normal, and the security control module accepts it and sends it to the actual embedded device through the internal network interface module; if the send sequence number is less than or equal to the receive sequence number, the IP packet is considered illegal and is sent to the actual embedded device simulator through the internal network interface module.
C: The actual embedded device simulator is used to simulate the operating environment and computing environment of the actual embedded device, including hardware environment simulation and software environment simulation, to detect the changes in network state and host state of the actual embedded device when it is under network attack, and to send the network state and host state information to the security analysis server.
D: The security analysis server performs a multi-dimensional comprehensive attribute measurement, based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric, on the network state and host state information sent by the actual embedded device simulator, and obtains the final security detection result.
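The tagging and verification procedure of step B (restated in claim 2 below) as an added, runnable Python example; this is not code from the patent. The patent leaves the keyed digest, the width of the sequence number and the initial counter values unspecified, so the example assumes HMAC-SHA256, a 32-bit big-endian sequence number, counters that start at 0, and that the receive sequence number advances to the accepted packet's send sequence number (the page states the comparison but not the update). The "protected content" is taken to be the packet exactly as it was before the trailer was appended, so the receiver restores the original total-length field before recomputing the digest. The IPv4 header checksum is recomputed whenever the length field changes, a step the page does not mention but without which a standards-conforming IP stack would drop the tagged packet. Addresses, keys and the packet payload are constructed.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 4           # assumption: 32-bit big-endian send sequence number
MAC_LEN = 32          # assumption: HMAC-SHA256 as the keyed digest
TRAILER_LEN = SEQ_LEN + MAC_LEN
IHL_BYTES = 20        # minimal IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field included)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_total_length(packet: bytes, total_len: int) -> bytes:
    """Rewrite the total-length field and recompute the header checksum."""
    hdr = packet[:IHL_BYTES]
    hdr = hdr[:2] + struct.pack("!H", total_len) + hdr[4:10] + b"\x00\x00" + hdr[12:]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + packet[IHL_BYTES:]


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed sample IPv4 packet (no options) carrying `payload`."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0, 64, proto, 0, src_b, dst_b)
    return _set_total_length(hdr + payload, IHL_BYTES + len(payload))


class SecurityControlModule:
    """Per-peer state from step B: shared key, send sequence number, receive sequence number."""

    def __init__(self, peer_keys: dict):
        self.keys = dict(peer_keys)                     # peer IP -> shared key
        self.send_seq = {ip: 0 for ip in peer_keys}     # assumption: counters start at 0
        self.recv_seq = {ip: 0 for ip in peer_keys}

    def tag_outbound(self, packet: bytes) -> bytes:
        """Device -> grid: append send sequence number and keyed digest, then fix the length."""
        dst = ".".join(str(b) for b in packet[16:20])
        key = self.keys[dst]                            # unknown destination raises: nothing is sent
        self.send_seq[dst] += 1
        seq = struct.pack("!I", self.send_seq[dst])
        mac = hmac.new(key, packet + seq, hashlib.sha256).digest()
        tagged = packet + seq + mac
        return _set_total_length(tagged, len(tagged))

    def route_inbound(self, packet: bytes) -> str:
        """Grid -> device: returns 'device' (accept) or 'simulator' (divert to the honeypot)."""
        src = ".".join(str(b) for b in packet[12:16])
        key = self.keys.get(src)
        if key is None or len(packet) < IHL_BYTES + TRAILER_LEN:
            return "simulator"                          # assumption: unknown peer / no trailer is abnormal
        body = packet[:-TRAILER_LEN]
        seq_b = packet[-TRAILER_LEN:-MAC_LEN]
        mac = packet[-MAC_LEN:]
        # protected content = the packet as it was before the trailer, i.e. with the original length
        protected = _set_total_length(body, len(body)) + seq_b
        expected = hmac.new(key, protected, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):      # constant-time comparison
            return "simulator"                          # tampered with or forged
        seq = struct.unpack("!I", seq_b)[0]
        if seq <= self.recv_seq[src]:
            return "simulator"                          # replayed (or reordered): "illegal"
        self.recv_seq[src] = seq                        # assumption: advance the receive sequence number
        return "device"


def demo():
    """Constructed exchange: the device side tags a packet; the peer side verifies it, a replay and a forgery."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed shared key
    device_side = SecurityControlModule({"10.0.0.2": key})       # in front of device 10.0.0.1
    peer_side = SecurityControlModule({"10.0.0.1": key})         # in front of peer 10.0.0.2
    pkt = build_ipv4("10.0.0.1", "10.0.0.2", b"READ METER 42")  # constructed payload
    tagged = device_side.tag_outbound(pkt)
    fresh = peer_side.route_inbound(tagged)
    replay = peer_side.route_inbound(tagged)
    forged = bytearray(tagged)
    forged[IHL_BYTES] ^= 0x01                                    # flip one payload bit
    tampered = peer_side.route_inbound(bytes(forged))
    return fresh, replay, tampered
```

A replayed copy of a valid packet passes the digest check but fails the sequence comparison, so it lands on the simulator rather than the device, which is the behaviour the page describes. The strict "greater than" rule also sends any packet reordered in transit to the honeypot, so a deployment behind a path that reorders traffic will see benign diversions.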
In step B, a serial communication module and an external memory that separately stores the file configuration program of the network attack filtering device are connected to the security processing module, and a switch module is also connected to the security processing module, with the signal output of the switch module connected to the signal input of the security processing module. The switch module feeds a high-level or low-level signal to the security processing module, and the security processing module executes either the IP packet tagging and parsing/discrimination mode or the file configuration mode according to which signal it receives. In file configuration mode the security processing module communicates with the outside only through the serial communication module. When the security processing module executes the IP packet tagging and parsing/discrimination mode, it boots internally, that is, it reads the network attack filtering program from its internal storage unit and executes it, and it cannot access the external memory. When the security processing module executes the configuration program mode, it reads the configuration program from the external memory and executes it; the configuration program runs on the user's computer, which communicates with the security processing module through the serial communication module.
In step C, the actual embedded device simulator includes a hardware trusted cryptographic module (TPM) used for information collection and dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server; abnormal network event information includes abnormal network data and network traffic information, and host events include the configuration information and running information of the actual embedded device simulator. For dynamic trusted measurement of components, a XEN virtual machine is first configured inside the actual embedded device simulator, located above the hardware layer of the simulator and below the operating system. Then, using the hypercall mechanism of XEN, before a page requested by a component is loaded into memory for execution, the page to be loaded is obtained through its address pointer; after XEN performs the permission check, the handler of that hypercall is executed; code that measures the component is inserted into the handler so that the measurement code runs first; finally, the measurement code performs trusted measurement or risk monitoring of the component's current memory snapshot according to the specified measurement method.
In step D, the security analysis server performs a multi-dimensional comprehensive quantitative evaluation over the platform configuration attribute, the platform running attribute and the user authentication attribute.
The platform configuration attribute metric reflects the trustworthiness of the platform configuration by comprehensively evaluating the integrity of each component as recorded in the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module TPM. First, based on the TPM of the actual embedded device simulator, the integrity report of each component of the simulator's computing platform, including PCR values and signature information, is obtained in a secure and trusted manner. Then the security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components. If f components fail integrity verification, then n - f components pass it. Finally, the platform configuration trust $T_I$ is computed from the per-component integrity information:
The present invention uses the triple $\{b_S, d_S, u_S\}$ to represent the trust state of a component that passed integrity verification: $b_S$ is the probability that the component is unaffected by malicious code, $d_S$ the probability that it is affected by malicious code, and $u_S$ the degree of uncertainty about whether it is affected.
The triple $\{b_F, d_F, u_F\}$ represents the trust state of a component that failed integrity verification (a failed integrity verification does not necessarily mean the component's security is compromised; a software version upgrade, for example, also causes the PCR value check to fail but is harmless). Here $b_F$ is the probability that the component damages system security, $d_F$ the probability that it does not, and $u_F$ the degree of uncertainty about whether it does.
The platform configuration trust $T_I$ is represented as the triple $T_I = \{b_I, d_I, u_I\}$, whose components are given by the following expressions (equation images PCTCN2015075367-appb-000024, -000025 and -000026 in the original; not reproduced in the text):
Here $b_I$ is the probability that platform integrity is intact, $d_I$ the probability that platform integrity has been compromised, and $u_I$ the degree of uncertainty about whether platform integrity is intact; κ is an adjustment factor, generally taken as the expression in equation image PCTCN2015075367-appb-000027 (not reproduced in the text). When f = 0, κ = 1; the larger f, the smaller κ and the smaller $b_I$, so the trusted components are affected more and more as the number of untrusted components grows, which agrees with reality. When neither trust nor distrust is attenuated, $u_S$ and $u_F$ are 0.
The platform running attribute metric treats normal network communication events as positive events, whose cumulative count is denoted r, and attack events and sniffing events against the network as negative events, whose cumulative count is denoted s, and computes from them the platform running attribute trust $T_H$. $T_H$ is represented as the triple $T_H = \{b_H, d_H, u_H\}$, where:
[equation image PCTCN2015075367-appb-000028] $b_H$ is the probability of normal network communication;
[equation image PCTCN2015075367-appb-000029] $d_H$ is the probability of an illegal network communication event;
[equation image PCTCN2015075367-appb-000030] $u_H$ is the degree of uncertainty about normal network communication.
The user authentication attribute metric computes the authentication trust level from the probability that the authentication method is broken. Let P(A) be the probability of the event that an attacker successfully breaks authentication method A and can impersonate a legitimate user; the trust level of authentication method A is then $level_A = -\log P(A)$. If the system uses a multi-factor authentication scheme with factors $A_1, A_2, \dots, A_m$, where m is the number of authentication factors, the multi-factor scheme is broken only if all of the authentication methods are broken, with probability $P(A_1 \cap A_2 \cap \dots \cap A_m)$. Assuming user U passes multi-factor authentication, the trust level $A_U$ that U obtains after system authentication is:
$A_U = -\log P(A_1 \cap A_2 \cap \dots \cap A_m)$;
The multi-dimensional comprehensive attribute measurement based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric is, on top of the user authentication attribute metric, a weighted average of the platform configuration attribute metric and the platform running attribute metric. Let $\alpha_I$ and $\alpha_H$ be the weights of the platform configuration attribute metric and the platform running attribute metric respectively, with $\alpha_I + \alpha_H = 1$. The security measurement value of the actual embedded device simulator, $T_P = \{b_P, d_P, u_P\}$, is then:
$b_P = \alpha_I b_I + \alpha_H b_H$
$d_P = \alpha_I d_I + \alpha_H d_H$
$u_P = \alpha_I u_I + \alpha_H u_H$
where $b_P$ is the probability that the actual embedded device simulator is secure and trusted, $d_P$ the probability that it is not, and $u_P$ the degree of uncertainty about whether it is secure and trusted.
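The authentication trust level, the weighted fusion $T_P$ and the threshold decision illustrated by the worked example near the top of this section (all restated in claim 4 below), as an added Python example; it is not code from the patent. The platform configuration and running triples $T_I$ and $T_H$ are taken as inputs, because their formulas appear on this page only as images. Assumptions, also marked in the code: the logarithm is base 10, per-factor break probabilities are combined as if the factors fail independently, and $\lambda_{dP}$ and $\lambda_{uP}$ are treated as upper bounds on $d_P$ and $u_P$ (the page only shows the $b_P$ comparison). The input triples are constructed so that $T_P$ comes out as {0.6, 0.2, 0.2}.

```python
import math


def auth_trust_level(joint_break_prob: float) -> float:
    """A_U = -log P(A1 ∩ A2 ∩ ... ∩ Am). ASSUMPTION: base-10 logarithm (the page fixes no base)."""
    if not 0.0 < joint_break_prob <= 1.0:
        raise ValueError("break probability must lie in (0, 1]")
    return -math.log10(joint_break_prob)


def joint_break_prob_independent(per_factor) -> float:
    """ASSUMPTION: factors fail independently, so P(A1 ∩ ... ∩ Am) is the product of P(Ai).
    The page only states that every factor must be broken; it does not assume independence."""
    p = 1.0
    for pi in per_factor:
        if not 0.0 < pi <= 1.0:
            raise ValueError("per-factor break probability must lie in (0, 1]")
        p *= pi
    return p


def platform_metric(t_i, t_h, alpha_i: float):
    """T_P = α_I·T_I + α_H·T_H applied component-wise to (b, d, u), with α_H = 1 - α_I."""
    if not 0.0 <= alpha_i <= 1.0:
        raise ValueError("alpha_I must lie in [0, 1]")
    alpha_h = 1.0 - alpha_i
    return tuple(alpha_i * x + alpha_h * y for x, y in zip(t_i, t_h))


def assess(a_u, t_p, a_u_threshold, t_p_threshold):
    """Decision gate. From the page: A_U must exceed its threshold and b_P must reach λ_bP.
    ASSUMPTION: λ_dP and λ_uP are upper bounds on the disbelief and uncertainty mass.
    Returns (secure, list of failed comparisons) so the verdict can be explained."""
    b_p, d_p, u_p = t_p
    lam_b, lam_d, lam_u = t_p_threshold
    reasons = []
    if a_u <= a_u_threshold:
        reasons.append(f"A_U={a_u:.2f} <= threshold {a_u_threshold:.2f}")
    if b_p < lam_b:
        reasons.append(f"b_P={b_p:.2f} < λ_bP={lam_b:.2f}")
    if d_p > lam_d:
        reasons.append(f"d_P={d_p:.2f} > λ_dP={lam_d:.2f} (assumed upper bound)")
    if u_p > lam_u:
        reasons.append(f"u_P={u_p:.2f} > λ_uP={lam_u:.2f} (assumed upper bound)")
    return (not reasons), reasons


def worked_example():
    """Reproduces the page's numbers with constructed inputs: one authentication factor broken
    with probability 0.2 gives A_U ≈ 0.70; T_I, T_H and α_I are chosen so T_P = {0.6, 0.2, 0.2}."""
    a_u = auth_trust_level(joint_break_prob_independent([0.2]))
    t_p = platform_metric((0.5, 0.3, 0.2), (0.7, 0.1, 0.2), alpha_i=0.5)
    return assess(a_u, t_p, a_u_threshold=0.65, t_p_threshold=(0.7, 0.1, 0.2))
```

Under the upper-bound assumption the worked example fails on $d_P = 0.2 > 0.1$ as well as on $b_P$; the page cites only $b_P$. Returning the list of failed comparisons rather than a bare boolean is what an operator needs when the trap's verdict has to be explained, and adding a second factor (for example `[0.2, 0.5]`) raises $A_U$ to 1.0 without changing the platform verdict, which is the point of keeping the authentication and platform dimensions separate.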
Since the smart grid embedded device network attack trapping method is implemented in cooperation with the smart grid embedded device network attack trapping system, its method and working principle are not described again here.

Claims (8)

  1. A smart grid embedded device network attack trapping system, characterized in that it comprises a trapping device and a security analysis server;
    the data receiving end of the trapping device is connected to the smart grid network, and the data sending end of the trapping device is connected to the actual embedded device and to the security analysis server respectively; the trapping device comprises a network interface module, a security control module and an actual embedded device simulator;
    the network interface module is used to send and receive IP packets and comprises an external network interface module and an internal network interface module; the external network interface module connects the security control module to the smart grid network, and is used to receive IP packets sent by the external communication network and pass them to the security control module, and to receive IP packets sent by the security control module and transmit them over the external communication network; the internal network interface module connects the security control module to the actual embedded device simulator and to the actual embedded device, and is used to receive IP packets sent by the security control module and pass them to the actual embedded device or to the actual embedded device simulator, and to receive IP packets sent by the actual embedded device and pass them to the security control module;
    the security control module is used to tag the IP packets received from the actual embedded device and send them to the smart grid network through the network interface module, and to parse and discriminate the IP packets received from the smart grid network, sending normal IP packets to the actual embedded device and abnormal IP packets to the actual embedded device simulator; the security control module is connected to a serial communication module and to an external memory that separately stores the file configuration program, and is further connected to a switch module whose signal output is connected to the signal input of the security control module;
    the actual embedded device simulator is used to simulate the operating environment and computing environment of the actual embedded device, including hardware environment simulation and software environment simulation, to detect the changes in network state and host state of the actual embedded device when it is under network attack, and to send the network state and host state information to the security analysis server;
    the security analysis server is used to perform a multi-dimensional comprehensive attribute measurement, based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric, on the network state and host state information sent by the actual embedded device simulator, and to obtain the final security detection result.
  2. The smart grid embedded device network attack trapping system according to claim 1, characterized in that: the security control module stores, for each corresponding destination address and source address, a key, a send sequence number and a receive sequence number; when the security control module receives an IP packet sent by the actual embedded device, it reads the packet and extracts its destination address, obtains the corresponding key and send sequence number according to the destination address, appends the send sequence number to the tail of the IP packet, computes a keyed digest over the IP packet and the send sequence number using the key, appends the digest result after the send sequence number, adjusts the length field in the IP header to the new length, and then sends the tagged IP packet to the smart grid network through the external network interface module; when the security control module receives an IP packet sent from the smart grid network, it reads the packet and extracts its source address, obtains the corresponding key and receive sequence number according to the source address, computes the keyed digest over the protected content of the IP packet and the send sequence number carried in it, and compares the result with the digest carried in the packet; if they do not match, the IP packet is considered tampered with or forged and is sent to the actual embedded device simulator through the internal network interface module; if they match, the packet is judged not to have been tampered with or forged, and the send sequence number read from the packet is compared with the receive sequence number; if the send sequence number is greater than the receive sequence number, the IP packet is considered normal, and the security control module accepts it and sends it to the actual embedded device through the internal network interface module; if the send sequence number is less than or equal to the receive sequence number, the IP packet is considered illegal and is sent to the actual embedded device simulator through the internal network interface module.
  3. The smart grid embedded device network attack trapping system according to claim 2, characterized in that: the actual embedded device simulator includes a hardware trusted cryptographic module TPM used for information collection and dynamic trusted measurement of components; information collection means collecting abnormal network events and host events and sending them to the security analysis server, where abnormal network event information includes abnormal network data and network traffic information, and host events include the configuration information and running information of the actual embedded device simulator; for dynamic trusted measurement of components, a XEN virtual machine is first configured inside the actual embedded device simulator, located above the hardware layer of the simulator and below the operating system; then, using the hypercall mechanism of the XEN virtual machine, before a page requested by a component is loaded into memory for execution, the page to be loaded is obtained through its address pointer; after the XEN virtual machine performs the permission check, the handler of that hypercall is executed; code that measures the component is inserted into the handler so that the measurement code runs first; finally, the measurement code performs trusted measurement or risk monitoring of the component's current memory snapshot according to the specified measurement method.
  4. The smart grid embedded device network attack trapping system according to claim 3, characterized in that: the security analysis server is used to perform a multi-dimensional comprehensive quantitative evaluation over the platform configuration attribute, the platform running attribute and the user authentication attribute;
    the platform configuration attribute metric reflects the trustworthiness of the platform configuration by comprehensively evaluating the integrity of each component as recorded in the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module TPM: first, based on the TPM of the actual embedded device simulator, the integrity report of each component of the simulator's computing platform, including PCR values and signature information, is obtained in a secure and trusted manner; then the security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components; if f components fail integrity verification, then n - f components pass it; finally, the platform configuration trust $T_I$ is computed from the per-component integrity information;
    the present invention uses the triple $\{b_S, d_S, u_S\}$ to represent the trust state of a component that passed integrity verification: $b_S$ is the probability that the component is unaffected by malicious code, $d_S$ the probability that it is affected by malicious code, and $u_S$ the degree of uncertainty about whether it is affected;
    the triple $\{b_F, d_F, u_F\}$ represents the trust state of a component that failed integrity verification, where $b_F$ is the probability that the component damages system security, $d_F$ the probability that it does not, and $u_F$ the degree of uncertainty about whether it does;
    the platform configuration trust $T_I$ is represented as the triple $T_I = \{b_I, d_I, u_I\}$, whose components are given by the following expressions (equation images PCTCN2015075367-appb-100001, -100002 and -100003 in the original; not reproduced in the text):
    where $b_I$ is the probability that platform integrity is intact, $d_I$ the probability that platform integrity has been compromised, and $u_I$ the degree of uncertainty about whether platform integrity is intact; κ is an adjustment factor, generally taken as the expression in equation image PCTCN2015075367-appb-100004 (not reproduced in the text); when f = 0, κ = 1; the larger f, the smaller κ and the smaller $b_I$, so the trusted components are affected more and more as the number of untrusted components grows, which agrees with reality; when neither trust nor distrust is attenuated, $u_S$ and $u_F$ are 0;
    the platform running attribute metric treats normal network communication events as positive events, whose cumulative count is denoted r, and attack events and sniffing events against the network as negative events, whose cumulative count is denoted s, and computes from them the platform running attribute trust $T_H$; $T_H$ is represented as the triple $T_H = \{b_H, d_H, u_H\}$, where:
    [equation image PCTCN2015075367-appb-100005] $b_H$ is the probability of normal network communication;
    [equation image PCTCN2015075367-appb-100006] $d_H$ is the probability of an illegal network communication event;
    [equation image PCTCN2015075367-appb-100007] $u_H$ is the degree of uncertainty about normal network communication;
    the user authentication attribute metric computes the authentication trust level from the probability that the authentication method is broken: let P(A) be the probability of the event that an attacker successfully breaks authentication method A and can impersonate a legitimate user; the trust level of authentication method A is then $level_A = -\log P(A)$; if the system uses a multi-factor authentication scheme with factors $A_1, A_2, \dots, A_m$, where m is the number of authentication factors, the multi-factor scheme is broken only if all of the authentication methods are broken, with probability $P(A_1 \cap A_2 \cap \dots \cap A_m)$; assuming user U passes multi-factor authentication, the trust level $A_U$ that U obtains after system authentication is:
    $A_U = -\log P(A_1 \cap A_2 \cap \dots \cap A_m)$;
    The multi-dimensional comprehensive attribute metric based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric is, on the basis of the user authentication attribute metric, a weighted average of the platform configuration attribute metric and the platform running attribute metric; let α_I and α_H be the weights of the platform configuration attribute metric and the platform running attribute metric respectively, with α_I + α_H = 1; the security metric evaluation value of the actual embedded device simulator, T_P = {b_P, d_P, u_P}, is then:
    b_P = α_I b_I + α_H b_H
    d_P = α_I d_I + α_H d_H
    u_P = α_I u_I + α_H u_H;
    where b_P denotes the likelihood that the actual embedded device simulator is secure and trustworthy; d_P denotes the likelihood that the actual embedded device simulator is not secure and trustworthy; u_P denotes the degree of uncertainty about whether the actual embedded device simulator is secure and trustworthy.
  5. A method for trapping network attacks on an embedded device in a smart power grid, characterized in that it comprises the following steps:
    A: The data receiving end of the trapping device is connected directly to the smart grid network, and the data transmitting end of the trapping device is connected to the actual embedded device and to the security analysis server respectively; the trapping device comprises a network interface module, a security control module and an actual embedded device simulator; the network interface module comprises an external network interface module and an internal network interface module; the external network interface module connects the security control module to the smart grid network and is used to receive IP data packets sent by the external communication network and pass them to the security control module, and to receive IP data packets sent by the security control module and send them over the external communication network; the internal network interface module connects the security control module to the actual embedded device simulator and the security control module to the actual embedded device, and is used to receive IP data packets sent by the security control module and pass them to the actual embedded device or the actual embedded device simulator, and to receive IP data packets sent by the actual embedded device and pass them to the security control module;
    B: When the actual embedded device needs to send an IP data packet to another device on the smart grid network, the security control module marks the IP data packet received from the actual embedded device and sends it to the smart grid network through the network interface module; the security control module stores a key, a send sequence number and a receive sequence number corresponding to each destination address and source address; when the security control module receives an IP data packet sent by the actual embedded device, it reads the IP data packet and extracts the destination address, obtains the corresponding key and send sequence number from the destination address, places the send sequence number at the tail of the IP data packet, computes a digest over the IP data packet and the send sequence number using the key, appends the digest result after the send sequence number, adjusts the length indication in the IP header according to the new length, and then sends the marked IP data packet to the smart grid network through the external network interface module;
    When the security control module receives an IP data packet sent by the smart grid network, it reads the IP data packet and extracts the source address, obtains the corresponding key and receive sequence number from the source address, computes a digest over the protected content of the IP data packet and the send sequence number using the key, and compares the result with the digest carried in the IP data packet; if they differ, the IP data packet is deemed tampered with or forged and is sent to the actual embedded device simulator through the internal network interface module; if they match, the IP data packet is judged not to have been tampered with or forged, and the send sequence number read from the IP data packet is then compared with the receive sequence number: if the send sequence number is greater than the receive sequence number, the IP data packet is deemed normal, and the security control module accepts it and sends it to the actual embedded device through the internal network interface module; if the send sequence number is less than or equal to the receive sequence number, the IP data packet is deemed illegal and is sent to the actual embedded device simulator through the internal network interface module;
    C: The actual embedded device simulator is used to simulate the operating environment and computing environment of the actual embedded device, including hardware environment simulation and software environment simulation, to detect changes in the network state and host state of the actual embedded device when it is under network attack, and to send the network state and host state information to the security analysis server;
    D: The security analysis server is used to process the network state and host state information sent by the actual embedded device simulator and, through a multi-dimensional comprehensive attribute metric based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric, to obtain the final security detection result.
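The packet marking and verification of step B, modelled in Python as an added example (this is not code from the patent or its assignee). Assumptions the claim leaves open: the digest is HMAC-SHA256, the send sequence number is a 4-byte big-endian counter, the key table is keyed by peer address, and the IP header is reduced to a 2-byte total-length field plus 4-byte source and destination addresses; the routing outcome is returned as 'device' or 'simulator'.

```python
import hashlib
import hmac
import struct

# Simplified packet layout used by this model (constructed, not real IPv4):
# 2-byte total length | 4-byte source address | 4-byte destination address | payload
HDR = struct.Struct("!H4s4s")
SEQ_LEN = 4    # send sequence number appended at the tail of the packet
MAC_LEN = 32   # HMAC-SHA256 digest appended after the sequence number


def build_packet(src, dst, payload):
    """Construct a sample packet with a correct total-length field."""
    return HDR.pack(HDR.size + len(payload), src, dst) + payload


def parse_packet(pkt):
    """Split a packet into (total_len, src, dst, payload)."""
    total_len, src, dst = HDR.unpack_from(pkt)
    return total_len, src, dst, pkt[HDR.size:]


def set_length(pkt, total_len):
    """Return pkt with the header length indication rewritten."""
    return struct.pack("!H", total_len) + pkt[2:]


class SecurityControlModule:
    """One end of the link: shared key, send counter and receive counter per peer."""

    def __init__(self, keys):
        self.keys = dict(keys)                      # peer address -> shared key
        self.send_seq = {peer: 0 for peer in keys}  # last sequence number sent
        self.recv_seq = {peer: 0 for peer in keys}  # highest sequence number accepted

    def mark_outgoing(self, pkt):
        """Device -> grid: append sequence number and keyed digest, then fix the length."""
        _, _, dst, _ = parse_packet(pkt)
        key = self.keys[dst]
        self.send_seq[dst] += 1
        seq = struct.pack("!I", self.send_seq[dst])
        # The digest covers the packet as received from the device plus the
        # sequence number; the header length is adjusted only afterwards.
        mac = hmac.new(key, pkt + seq, hashlib.sha256).digest()
        marked = pkt + seq + mac
        return set_length(marked, len(marked))

    def classify_incoming(self, pkt):
        """Grid -> device: return ('device', 'ok') or ('simulator', reason)."""
        if len(pkt) < HDR.size:
            return ("simulator", "malformed")
        total_len, src, _, _ = parse_packet(pkt)
        if src not in self.keys:
            # Not addressed by the claim; treated here as unverifiable (assumption).
            return ("simulator", "unknown-source")
        if total_len != len(pkt) or len(pkt) < HDR.size + SEQ_LEN + MAC_LEN:
            return ("simulator", "malformed")
        body = pkt[:-(SEQ_LEN + MAC_LEN)]
        seq_bytes = pkt[-(SEQ_LEN + MAC_LEN):-MAC_LEN]
        mac = pkt[-MAC_LEN:]
        # Restore the pre-marking length so the digest input matches the sender's.
        original = set_length(body, len(body))
        expected = hmac.new(self.keys[src], original + seq_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return ("simulator", "tampered-or-forged")
        seq = struct.unpack("!I", seq_bytes)[0]
        if seq <= self.recv_seq[src]:
            return ("simulator", "replayed-sequence")
        self.recv_seq[src] = seq  # assumption: an accepted packet advances the counter
        return ("device", "ok")


def demo():
    """Constructed exchange: one valid packet, its replay, and a tampered copy."""
    device, peer = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"  # constructed addresses
    key = b"constructed-shared-key"
    device_side = SecurityControlModule({peer: key})  # trapping device at the embedded device
    peer_side = SecurityControlModule({device: key})  # verifier at the receiving peer

    marked = device_side.mark_outgoing(build_packet(device, peer, b"meter reading 42"))
    accepted = peer_side.classify_incoming(marked)        # fresh sequence number, digest ok
    replayed = peer_side.classify_incoming(marked)        # same sequence number again
    tampered = bytearray(marked)
    tampered[HDR.size] ^= 0x01                            # flip one payload bit
    forged = peer_side.classify_incoming(bytes(tampered))
    return accepted, replayed, forged


if __name__ == "__main__":
    for label, result in zip(("valid", "replay", "tampered"), demo()):
        print(f"{label:9s} -> {result}")
```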
  6. The method for trapping network attacks on an embedded device in a smart power grid according to claim 5, characterized in that in step B, a serial communication module and an external memory that separately stores the file configuration program of the network attack filtering device are connected to the security processing module, and a switch module is also connected to the security processing module, the signal output of the switch module being connected to the signal input of the security processing module; the switch module is used to input a high-level or low-level signal to the security processing module, and the security processing module executes either the IP data packet marking and parsing/discrimination mode or the file configuration mode according to which signal it receives from the switch module; in the file configuration mode the security processing module communicates with the outside only through the serial communication module; when the security processing module executes the IP data packet marking and parsing/discrimination mode, it boots internally, that is, it reads the network attack filtering program from its internal storage unit and executes it, and cannot access the external memory; when the security processing module executes the configuration program running mode, it reads the configuration program from the external memory and executes it, the configuration program runs on the user's computer, and the user's computer communicates with the security processing module through the serial communication module.
  7. The method for trapping network attacks on an embedded device in a smart power grid according to claim 6, characterized in that in step C, the actual embedded device simulator includes a hardware trusted cryptographic module TPM, used to implement information collection and dynamic trusted measurement of components; information collection means collecting abnormal network events and host events and sending them to the security analysis server, where abnormal network event information includes abnormal network data information and network traffic information, and host events include configuration information and running information of the actual embedded device simulator; for dynamic trusted measurement of components, a XEN virtual machine is first configured in the actual embedded device simulator, located above the hardware layer of the actual embedded device simulator and below the operating system; then, using the hypercall mechanism of the XEN virtual machine, before a page requested by a component is loaded into memory for execution, the page being loaded into memory is obtained through its address pointer; after the XEN virtual machine performs the permission check, the handler of that hypercall is executed; code that measures the component is added to the handler so that the measurement code runs first; finally, the measurement code realizes trusted measurement or risk monitoring of the component's current memory snapshot according to the specified measurement method.
  8. The method for trapping network attacks on an embedded device in a smart power grid according to claim 7, characterized in that in step D, the security analysis server is used to perform a comprehensive multi-dimensional quantitative attribute evaluation from the platform configuration attribute, the platform running attribute and the user authentication attribute;
    The platform configuration attribute metric reflects the trustworthiness of the platform configuration by comprehensively evaluating the integrity of each component as recorded in the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module TPM: first, based on the trusted hardware module TPM of the actual embedded device simulator, integrity report information for each component of the actual embedded device simulator's computing platform, including PCR values and signature information, is obtained in a secure and trusted manner; then the security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR_0, PCR_1, …, PCR_(n-1), where n is the number of components; if f is the number of components that fail integrity verification, the number of components that pass integrity verification is n - f; finally, the platform configuration trust degree T_I is computed from the component integrity information:
    The present invention uses the triple {b_S, d_S, u_S} to denote the trust situation of a component that passes integrity verification, where b_S denotes the likelihood that the component is not affected by malicious code, d_S the likelihood that the component is affected by malicious code, and u_S the degree of uncertainty about whether the component is affected by malicious code;
    The triple {b_F, d_F, u_F} denotes the trust situation of a component that fails integrity verification (a failed integrity verification does not necessarily mean that the component's security is threatened; for example, a software version upgrade also causes the PCR value verification to fail but is harmless), where b_F denotes the likelihood that the component compromises system security, d_F the likelihood that the component does not compromise system security, and u_F the degree of uncertainty about whether the component compromises system security;
    The platform configuration trust degree T_I is expressed as a triple, T_I = {b_I, d_I, u_I};
    Figure PCTCN2015075367-appb-100008
    Figure PCTCN2015075367-appb-100009
    Figure PCTCN2015075367-appb-100010
    where b_I denotes the likelihood that platform integrity has not been compromised; d_I denotes the likelihood that platform integrity has been compromised; u_I denotes the degree of uncertainty about whether platform integrity is intact; κ is an adjustment factor, generally taken as
    Figure PCTCN2015075367-appb-100011
    when f = 0, κ = 1; the larger f, the smaller κ and the smaller b_I, so that the trusted components are increasingly affected as the number of untrusted components grows, which matches the actual situation; when the trust degree or distrust degree is not attenuated, u_S and u_F are 0;
    The platform running attribute metric treats normal network communication events as positive events, whose cumulative count is denoted r, and network attack events and sniffing events as negative events, whose cumulative count is denoted s; from these the platform running attribute trust degree T_H is computed;
    The platform running attribute trust degree T_H is expressed as a triple, T_H = {b_H, d_H, u_H},
    where
    Figure PCTCN2015075367-appb-100012
    b_H denotes the likelihood of normal network communication;
    Figure PCTCN2015075367-appb-100013
    d_H denotes the likelihood of an illegal network communication event;
    Figure PCTCN2015075367-appb-100014
    u_H denotes the degree of uncertainty of normal network communication;
    The user authentication attribute metric computes the authentication trust level from the probability that the authentication method is broken: let P(A) be the probability of the event that an attacker successfully breaks authentication method A and can impersonate a legitimate user; the trust level of authentication method A is then level_A = -log(P(A)); if the system adopts a multi-factor authentication scheme with factors A_1, A_2, …, A_m, where m is the number of authentication factors, the multi-factor scheme is broken only when all of the authentication methods are broken, with probability P(A_1 ∩ A_2 ∩ … ∩ A_m); assuming that user U passes the multi-factor authentication, the trust level A_U obtained by U after system authentication is expressed as:
    A_U = -log(P(A_1 ∩ A_2 ∩ … ∩ A_m));
    The multi-dimensional comprehensive attribute metric based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric is, on the basis of the user authentication attribute metric, a weighted average of the platform configuration attribute metric and the platform running attribute metric; let α_I and α_H be the weights of the platform configuration attribute metric and the platform running attribute metric respectively, with α_I + α_H = 1; the security metric evaluation value of the actual embedded device simulator, T_P = {b_P, d_P, u_P}, is then:
    b_P = α_I b_I + α_H b_H
    d_P = α_I d_I + α_H d_H
    u_P = α_I u_I + α_H u_H;
    where b_P denotes the likelihood that the actual embedded device simulator is secure and trustworthy; d_P denotes the likelihood that the actual embedded device simulator is not secure and trustworthy; u_P denotes the degree of uncertainty about whether the actual embedded device simulator is secure and trustworthy.
PCT/CN2015/075367 2014-04-03 2015-03-30 System and method for trapping network attack on embedded device in smart power grid WO2015149663A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410133307.9 2014-04-03
CN201410133307.9A CN103905451B (en) 2014-04-03 2014-04-03 System and method for trapping network attack of embedded device of smart power grid

Publications (1)

Publication Number Publication Date
WO2015149663A1 true WO2015149663A1 (en) 2015-10-08

Family

ID=50996605

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/075367 WO2015149663A1 (en) 2014-04-03 2015-03-30 System and method for trapping network attack on embedded device in smart power grid

Country Status (2)

Country Link
CN (1) CN103905451B (en)
WO (1) WO2015149663A1 (en)

Also Published As

Publication number Publication date
CN103905451B (en) 2017-04-12
CN103905451A (en) 2014-07-02

US8806211B2 (en) Method and systems for computer security
KR101127460B1 (en) System for testing Security System

Legal Events

Date | Code | Title | Description
- | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15772649; Country of ref document: EP; Kind code of ref document: A1
- | NENP | Non-entry into the national phase | -
- | 122 | Ep: pct application non-entry in european phase | Ref document number: 15772649; Country of ref document: EP; Kind code of ref document: A1