WO2015149663A1 - System and method for trapping network attacks on an embedded device in a smart grid - Google Patents



Publication number
WO2015149663A1
Authority
WO
WIPO (PCT)
Prior art keywords
embedded device
network
data packet
security
module
Application number
PCT/CN2015/075367
Other languages
English (en)
Chinese (zh)
Inventor
牛霜霞
张之刚
吕卓
王艳敏
Original Assignee
国家电网公司 (State Grid Corporation of China)
国网河南省电力公司电力科学研究院 (State Grid Henan Electric Power Company, Electric Power Research Institute)
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 ... by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • The present invention relates to the field of network security defence, and in particular to a system and method capable of trapping network attacks in a smart grid.
  • Besides measurement and transmission, embedded systems in the power grid also carry out core operational control. Examples include user-side multi-rate energy metering management units, oil-temperature sensors in the sensing layer, voltage and current transmitters, relay protection devices, fault recorders, line protection and fault location devices, digital recorders in control rooms, substation video monitoring, remote meter reading in the distribution network, load control and automation protection modules; together these cover essentially every aspect of grid command and operation.
  • At the network level, as 3G, Wi-Fi and other communication means have spread, embedded systems have extended from wired networks to wireless ones, which makes their network security problems more prominent.
  • Because computing resources are limited, many embedded network protocols were designed without regard to security: the design goal is simply to implement routing and allow future network expansion, with essentially no security mechanism. Once an embedded system is attacked over the network, normal operation of the whole smart grid can be disrupted or even paralysed.
  • Compared with conventional PCs, embedded systems have fewer computing resources, low power consumption and complex working environments, so many existing security solutions do not apply to them. They also generally work in open environments, so physical security problems that are easy to solve for conventional computers become real problems for embedded systems. Most of these embedded systems are integrated devices running operating systems such as embedded Linux, VxWorks or WinCE. Against network-level attacks such as illegal interception, interruption, tampering or forgery, additional network security detection software or systems cannot be installed directly on these devices, so real-time network security detection and evaluation of embedded systems cannot be carried out.
  • In existing network attack filtering devices an attacker can easily use the network interface module to attack the filtering device itself: through the device's configuration program the attacker obtains permission to configure the device and then modifies the configuration information held in it.
  • The attacker sets a specific configuration according to the purpose of the subsequent attack and so finally attacks the network that the security device is meant to protect. The configuration program of existing network attack filtering devices is therefore a weak point; exploiting it does very large damage and easily causes the security device to lose its defensive effect entirely.
  • The object of the present invention is to provide a network attack trapping system and trapping method for smart grid embedded devices which, while protecting the real smart grid terminal and without affecting the embedded terminal, capture all kinds of attacks aimed at the real device by means of the trapping device.
  • Known and unknown power-system network attacks are detected and evaluated dynamically, in real time, quickly and accurately under normal working conditions. At the same time, the invention separates, by a hardware change, the packet identification and parsing/discrimination mode of the network attack filtering device from its file configuration mode, which effectively prevents an attacker from using the network interface module to attack the trapping device, improves security and protects the trapping device itself.
  • A smart grid embedded device network attack trapping system comprises a trapping device and a security analysis server.
  • The data receiving end of the trapping device is connected to the smart grid network; the data sending end of the trapping device is connected to the actual embedded device and to the security analysis server respectively.
  • The trapping device comprises a network interface module, a security control module and an actual embedded device simulator.
  • The network interface module sends and receives IP data packets and comprises an external network interface module and an intranet network interface module. The external network interface module is connected to the security control module and to the smart grid network; it receives IP data packets sent by the external communication network and passes them to the security control module, and it receives IP data packets sent by the security control module and sends them out through the external communication network.
  • The intranet network interface module is connected between the security control module and the actual embedded device simulator, and between the security control module and the actual embedded device. It receives IP data packets sent by the security control module and passes them to the actual embedded device or to the actual embedded device simulator, and it receives IP data packets sent by the actual embedded device and passes them to the security control module.
  • The security control module identifies (tags) the IP data packets received from the actual embedded device and sends them to the smart grid network through the network interface module; it parses and discriminates the IP data packets received from the smart grid network, sending normal IP data packets to the actual embedded device and abnormal IP data packets to the actual embedded device simulator.
  • The security control module is further connected to a serial communication module and to an external memory that separately stores the file configuration program, and to a switch module whose signal output end is connected to the signal input end of the security control module.
  • The actual embedded device simulator simulates the running environment and computing environment of the actual embedded device, including hardware environment simulation and software environment simulation; it detects the changes of network state and host state that the actual embedded device would undergo when attacked over the network and sends the network state and host state information to the security analysis server.
  • The security analysis server evaluates the network state and host state information sent by the actual embedded device simulator and obtains the final security detection result through a multi-dimensional attribute measurement based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric.
  • The security control module stores, for each corresponding destination address and source address, a key, a transmission sequence number and a receiving sequence number. When the security control module receives an IP data packet sent by the actual embedded device, it reads the packet and extracts its destination address, obtains the corresponding key and transmission sequence number from the destination address, places the transmission sequence number at the end of the IP data packet, and performs a digest operation with the key over the IP data packet and the transmission sequence number.
  • The digest result is appended after the transmission sequence number, the length indication in the IP header is adjusted to the new length, and the extended IP data packet is then sent to the smart grid network through the external network interface module.
  • When the security control module receives an IP data packet sent by the smart grid network, it reads the packet and extracts its source address, and obtains the corresponding key and receiving sequence number from that source address.
  • The security control module then performs the digest operation with the key over the protected content and the transmission sequence number carried in the IP data packet, and compares the result with the digest result carried in the packet.
  • If the results differ, the IP data packet is considered tampered with or forged and is sent to the actual embedded device simulator through the intranet network interface module. If the results agree, the packet is judged not to have been tampered with or forged, and the transmission sequence number read from the packet is then compared with the stored receiving sequence number: if the transmission sequence number is larger than the receiving sequence number, the IP data packet is considered normal.
  • In that case the security control module accepts the packet and sends it to the actual embedded device through the intranet network interface module; if the transmission sequence number is less than or equal to the receiving sequence number, the IP data packet is considered illegal and is sent to the actual embedded device simulator through the intranet network interface module.
  • The actual embedded device simulator comprises a hardware trusted cryptographic module (TPM) used for information collection and dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server.
  • The abnormal network event information comprises abnormal network data information and network traffic information.
  • The host events comprise the configuration information and the running information of the actual embedded device simulator.
  • For dynamic trusted measurement of a component, a XEN virtual machine monitor is first configured in the actual embedded device simulator.
  • The XEN virtual machine monitor sits on the hardware layer of the actual embedded device simulator, beneath the operating system. Its hypercall mechanism is then used so that, before the page requested by a component is loaded into memory and run, the page being loaded is obtained through its address pointer;
  • after the XEN virtual machine monitor has performed its permission check, the hypercall handler is executed, and the component measurement code placed in that handler runs first.
  • The security analysis server performs a comprehensive quantitative evaluation over several attribute dimensions: the platform configuration attribute, the platform running attribute and the user authentication attribute.
  • The platform configuration attribute metric reflects the trustworthiness of the platform configuration by evaluating the integrity of each component as recorded in the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module (TPM). First, the TPM of the actual embedded device simulator provides, in a secure and trustworthy way, the integrity report of each component of the simulator's computing platform, comprising the PCR values and the signature. The security analysis server then verifies the integrity report and obtains from PCR0, PCR1, ..., PCRn-1 the integrity information of the corresponding components, where n is the number of components. Let n_f be the number of components that fail integrity verification (the remaining n − n_f components pass). From this information the platform configuration trust degree T_I is computed.
  • The invention uses the triplet {b_S, d_S, u_S} to express the trustworthiness of a component whose integrity verification succeeded: b_S is the possibility that the component is not affected by malicious code, d_S the possibility that it is affected by malicious code, and u_S the uncertainty about whether it is affected by malicious code.
  • The triplet {b_F, d_F, u_F} expresses the trust condition of a component whose integrity verification failed (a failed integrity verification does not necessarily mean that the component's security is compromised): b_F is the possibility that the component causes damage to system security, d_F the possibility that it does not, and u_F the uncertainty about whether it causes damage to system security.
  • The platform running attribute metric treats a normal network communication event as a positive event, with cumulative count r, and network attack events and sniffing events as negative events, with cumulative count s. From these the platform running attribute trust degree T_H is computed:
  • T_H = {b_H, d_H, u_H}, where
  • b_H is the possibility of normal network communication,
  • d_H is the possibility of an illegal network communication event, and
  • u_H is the degree of uncertainty of normal network communication.
  • The user authentication attribute metric calculates the authentication trust level from the probability that the authentication method is broken.
  • Let P(A) be the probability that an attacker successfully breaks authentication method A and can then act as a normal user.
  • The trust level of A is level_A = −log(P(A)). If the system adopts a multi-factor authentication scheme with factors A1, A2, ..., Am, where m is the number of authentication factors, the multi-factor scheme is broken only when
  • all the authentication methods are broken, with probability P(A1 ∧ A2 ∧ ... ∧ Am); assuming that user U passes the multi-factor authentication, the trust level A_U obtained by U after system authentication is expressed as:
  • u_P = w_I · u_I + w_H · u_H, the uncertainty component of the final triplet {b_P, d_P, u_P}, formed as the weighted sum of the uncertainties of the platform configuration attribute (T_I) and the platform running attribute (T_H);
  • b_P represents the possibility that the actual embedded device simulator is safe and trustworthy,
  • d_P represents the possibility that the actual embedded device simulator is not safe and trustworthy, and
  • u_P represents the uncertainty about the safety and trustworthiness of the actual embedded device simulator.
  • A smart grid embedded device network attack trapping method comprises the following steps:
  • the data receiving end of the trapping device is connected directly to the smart grid network, and the data sending end of the trapping device is connected to the actual embedded device and to the security analysis server respectively;
  • the trapping device comprises a network interface module, a security control module and an actual embedded device simulator;
  • the network interface module comprises an external network interface module and an intranet network interface module; the external network interface module is connected to the security control module and to the smart grid network, receives the IP data packets sent by the external communication network and passes them to the security control module;
  • the intranet network interface module is connected between the security control module and the actual embedded device simulator and between the security control module and the actual embedded device; it receives IP data packets sent by the security control module and passes them to the actual embedded device or to the actual embedded device simulator, and receives IP data packets sent by the actual embedded device and passes them to the security control module;
  • the security control module identifies (tags) the IP data packets sent by the actual embedded device before they are sent to the smart grid network through the network interface module. For this the security control module stores, for each corresponding destination address and source address, a key, a transmission sequence number and a receiving sequence number. When the security control module receives an IP data packet sent by the actual embedded device, it reads the packet and extracts its destination address, obtains the corresponding key and transmission sequence number from the destination address, places the transmission sequence number at the end of the IP data packet, and with the key
  • performs a digest operation over the IP data packet and the transmission sequence number; the digest result is appended after the transmission sequence number, the length indication in the IP header is adjusted to the new length, and the extended IP data packet is sent to the smart grid network through the external network interface module;
  • when the security control module receives an IP data packet sent by the smart grid network, it reads the packet and extracts its source address, obtains the corresponding key and receiving sequence number from the source address, performs the digest operation with the key over the protected content and the transmission sequence number carried in the packet, and compares the result with the digest result carried in the packet. If the results differ, the IP data packet is considered tampered with or forged and is sent to the actual embedded device simulator through the intranet network interface module. If the results agree, the packet is judged not to have been tampered with or forged, and the transmission sequence number read from the packet is compared with the stored receiving sequence number: if the transmission sequence number is larger,
  • the security control module accepts the IP data packet and sends it to the actual embedded device through the intranet network interface module;
  • if the transmission sequence number is less than or equal to the receiving sequence number, the IP data packet is considered illegal and is
  • sent to the actual embedded device simulator through the intranet network interface module;
  • the serial communication module and the external memory that separately stores the file configuration program of the network attack filtering device are connected to the security processing module (that is, the security control module), and the switch module is connected to the security processing module, its signal output end being connected
  • to the signal input end of the security processing module. The switch module feeds a high-level or low-level signal to the security processing module, and according to the signal received from the switch module the security processing module enters either the IP packet identification and parsing/discrimination mode or the file configuration mode.
  • In the file configuration mode the security processing module communicates with the outside world only through the serial communication module. When the security processing module is in the IP packet identification and parsing/discrimination mode, it starts internally, that is, it reads
  • and executes the network attack filtering program from its internal storage unit and cannot access the external memory at all. When the security processing module is in the configuration program mode, it reads the configuration program from the external memory and executes it, and the user's computer communicates with the security processing module through the serial communication module.
  • The actual embedded device simulator comprises a hardware trusted cryptographic module (TPM) used for information collection and dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server.
  • The abnormal network event information comprises abnormal network data information and network traffic information, and the host events comprise the configuration information and the running information of the actual embedded device simulator. For dynamic trusted measurement of a component, a XEN virtual machine monitor is first configured in the actual embedded device simulator.
  • The XEN virtual machine monitor sits on the hardware layer of the actual embedded device simulator, beneath the operating system. Its hypercall mechanism is then used so that, before the page requested by a component is loaded into memory and run,
  • the page being loaded is obtained through its address pointer; after the XEN virtual machine monitor has performed its permission check, the hypercall handler is executed. The code that measures the component is added to that handler so that the measurement code runs first; finally the measurement code
  • performs trusted measurement of the component, or risk monitoring of memory snapshots, according to the specified metric.
  • The security analysis server evaluates the platform configuration attribute, the platform running attribute and the user authentication attribute.
  • The platform configuration attribute metric reflects the trustworthiness of the platform configuration by evaluating the integrity of each component as recorded in the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module (TPM). First, the TPM of the actual embedded device simulator provides, in a secure and trustworthy way, the integrity report of each component of the simulator's computing platform, comprising the PCR values and the signature. The security analysis server then verifies the integrity report and obtains from PCR0, PCR1, ..., PCRn-1 the integrity information of the corresponding components, where n is the number of components. Let n_f be the number of components that fail integrity verification (the remaining n − n_f components pass). From this information the platform configuration trust degree T_I is computed.
  • The invention uses the triplet {b_S, d_S, u_S} to express the trustworthiness of a component whose integrity verification succeeded: b_S is the possibility that the component is not affected by malicious code, d_S the possibility that it is affected by malicious code, and u_S the uncertainty about whether it is affected by malicious code.
  • The triplet {b_F, d_F, u_F} expresses the trust condition of a component whose integrity verification failed: b_F is the possibility that the component causes damage to system security, d_F the possibility that it does not, and u_F the uncertainty about whether it causes damage to system security.
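  • The integrity-report exchange described above (PCR0 ... PCRn-1, one per component, plus a signature, verified by the security analysis server to obtain n and n_f), carried through as an added example; this is not the patent's own code. It assumes one SHA-256 PCR per component, a verifier-chosen nonce for freshness, and an HMAC standing in for the TPM's asymmetric attestation signature; the component names and images are constructed.

```python
"""Integrity report (PCR values + signature) produced by the simulator's TPM and checked by the server."""
import hashlib
import hmac

PCR_INIT = bytes(32)   # PCR reset value


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_platform(components):
    """Simulator side: one PCR per component (PCR_i holds the extended hash of component i)."""
    return {i: pcr_extend(PCR_INIT, hashlib.sha256(image).digest())
            for i, (_name, image) in enumerate(components)}


def _quote_blob(nonce: bytes, pcrs: dict) -> bytes:
    """Bytes covered by the report signature: nonce first, then PCRs in index order."""
    return nonce + b"".join(pcrs[i] for i in sorted(pcrs))


def make_integrity_report(attestation_key: bytes, pcrs: dict, nonce: bytes) -> dict:
    """TPM quote: PCR values plus a signature over the verifier's nonce and the PCRs.
    A real TPM signs with an asymmetric attestation key; HMAC stands in for it here (assumption)."""
    return {"pcrs": dict(pcrs), "nonce": nonce,
            "signature": hmac.new(attestation_key, _quote_blob(nonce, pcrs), hashlib.sha256).digest()}


def verify_integrity_report(attestation_key: bytes, expected_nonce: bytes, report: dict, reference: dict):
    """Security analysis server side. reference maps PCR index -> (component name, known-good PCR).
    Returns (n, n_f, {component: passed}); raises ValueError if the report is stale or not authentic."""
    if report["nonce"] != expected_nonce:
        raise ValueError("stale integrity report: nonce does not match the challenge")
    expected_sig = hmac.new(attestation_key, _quote_blob(report["nonce"], report["pcrs"]),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, report["signature"]):
        raise ValueError("integrity report signature invalid")
    results = {name: hmac.compare_digest(report["pcrs"].get(i, b""), good)
               for i, (name, good) in sorted(reference.items())}
    n = len(reference)
    n_f = sum(1 for passed in results.values() if not passed)
    return n, n_f, results


def demo():
    """Constructed images; the running platform carries a modified kernel.
    Returns (n, n_f, per-component results, whether a replayed report was rejected)."""
    ak = b"constructed-attestation-key"
    golden = [("bootloader", b"BOOT v1.0"), ("kernel", b"KERNEL 3.10"), ("metering-app", b"APP 2.4")]
    reference = {i: (golden[i][0], pcr) for i, pcr in measure_platform(golden).items()}
    running = [golden[0], ("kernel", b"KERNEL 3.10 + implant"), golden[2]]
    nonce = b"challenge-0001"                       # fresh per request; a constant here
    report = make_integrity_report(ak, measure_platform(running), nonce)
    n, n_f, results = verify_integrity_report(ak, nonce, report, reference)
    try:
        verify_integrity_report(ak, b"challenge-0002", report, reference)   # old report replayed
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return n, n_f, results, replay_rejected
```

  • The nonce check is what makes the report evidence about the platform now rather than at some earlier time; without it an attacker who has captured one good report can answer every later challenge with it. The per-component booleans are exactly the inputs the trust metric below needs: n, n_f and which components fall into the S and F groups.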
  • The platform running attribute metric treats a normal network communication event as a positive event, with cumulative count r, and network attack events and sniffing events as negative events, with cumulative count s. From these the platform running attribute trust degree T_H is computed:
  • T_H = {b_H, d_H, u_H}, where
  • b_H is the possibility of normal network communication,
  • d_H is the possibility of an illegal network communication event, and
  • u_H is the degree of uncertainty of normal network communication.
  • The user authentication attribute metric calculates the authentication trust level from the probability that the authentication method is broken.
  • Let P(A) be the probability that an attacker successfully breaks authentication method A and can then act as a normal user.
  • The trust level of A is level_A = −log(P(A)). If the system adopts a multi-factor authentication scheme with factors A1, A2, ..., Am, where m is the number of authentication factors, the multi-factor scheme is broken only when
  • all the authentication methods are broken, with probability P(A1 ∧ A2 ∧ ... ∧ Am); assuming that user U passes the multi-factor authentication, the trust level A_U obtained by U after system authentication is expressed as:
  • u_P = w_I · u_I + w_H · u_H, the uncertainty component of the final triplet {b_P, d_P, u_P}, formed as the weighted sum of the uncertainties of the platform configuration attribute (T_I) and the platform running attribute (T_H);
  • b_P represents the possibility that the actual embedded device simulator is safe and trustworthy,
  • d_P represents the possibility that the actual embedded device simulator is not safe and trustworthy, and
  • u_P represents the uncertainty about the safety and trustworthiness of the actual embedded device simulator.
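  • The metrics above carried through numerically: T_I from n, n_f and the two component triplets, T_H from r and s, level_A = −log(P(A)), the conjunction for multi-factor authentication and the weighted fusion u_P = w_I·u_I + w_H·u_H. This is an added example, not the patent's own computation. The page gives no formula for T_H, no rule for combining component triplets into T_I, no logarithm base and no weight values, so the beta mapping of subjective logic (b = r/(r+s+2), d = s/(r+s+2), u = 2/(r+s+2)), averaging the per-component triplets, base-10 logarithms, independence of the authentication factors, equal weights and the numeric triplet values are all assumptions made here.

```python
"""Multi-dimensional trust metrics: T_I, T_H, authentication level and their weighted fusion."""
import math

# Per-component triplets; the numbers are constructed for the example, the page gives none.
S = {"b": 0.90, "d": 0.05, "u": 0.05}   # {b_S, d_S, u_S}: component that passed integrity verification
F = {"b": 0.60, "d": 0.25, "u": 0.15}   # {b_F, d_F, u_F}: component that failed it


def platform_config_trust(n: int, n_f: int, s=S, f=F) -> dict:
    """T_I. Per-component triplets are averaged over the n components (assumed combination rule).
    The F triplet has the opposite sense to S: b_F is the chance the failed component is harmful,
    so it feeds platform disbelief, while d_F (not harmful) feeds platform belief."""
    if n <= 0 or not 0 <= n_f <= n:
        raise ValueError("need n > 0 and 0 <= n_f <= n")
    n_s = n - n_f
    return {"b": (n_s * s["b"] + n_f * f["d"]) / n,
            "d": (n_s * s["d"] + n_f * f["b"]) / n,
            "u": (n_s * s["u"] + n_f * f["u"]) / n}


def platform_running_trust(r: int, s: int) -> dict:
    """T_H = {b_H, d_H, u_H} from r positive and s negative events.
    The page states no mapping; the beta mapping of subjective logic is assumed."""
    if r < 0 or s < 0:
        raise ValueError("event counts must be non-negative")
    k = r + s + 2.0
    return {"b": r / k, "d": s / k, "u": 2.0 / k}


def auth_trust_level(p_break: float) -> float:
    """level_A = -log(P(A)); base 10 is assumed, so each extra decade of attacker work adds 1."""
    if not 0 < p_break <= 1:
        raise ValueError("P(A) must lie in (0, 1]")
    return -math.log10(p_break)


def multifactor_break_probability(p_breaks) -> float:
    """P(A_1 ∧ ... ∧ A_m): every factor must be broken; independence of the factors is assumed."""
    return math.prod(p_breaks)


def fuse(t_i: dict, t_h: dict, w_i: float = 0.5, w_h: float = 0.5) -> dict:
    """{b_P, d_P, u_P}: u_P = w_I*u_I + w_H*u_H as on the page; b and d are weighted the same way
    (assumption), which keeps b_P + d_P + u_P = 1 when the inputs sum to 1 and w_I + w_H = 1."""
    if abs(w_i + w_h - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return {k: w_i * t_i[k] + w_h * t_h[k] for k in ("b", "d", "u")}


def demo():
    """One failed component out of three, 8 normal and 2 hostile network events,
    a password broken with probability 1e-3 alone or 1e-5 together with a 1e-2 second factor."""
    t_i = platform_config_trust(n=3, n_f=1)
    t_h = platform_running_trust(r=8, s=2)
    level_pw = auth_trust_level(1e-3)
    level_mfa = auth_trust_level(multifactor_break_probability([1e-3, 1e-2]))
    return t_i, t_h, level_pw, level_mfa, fuse(t_i, t_h)
```

  • With the constructed values the single failed component pulls b_I from 0.90 to about 0.68 and d_I from 0.05 to about 0.23, while the run-time opinion from ten events still carries u_H ≈ 0.17, which is the point of keeping the u component separate from d: a platform that has simply not been observed long enough is not the same as one that has been seen misbehaving.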
  • By introducing the trapping device, the smart grid embedded device network attack trapping system of the present invention has the security control module identify (tag) the IP data packets received from the actual embedded device, parse and discriminate the IP data packets received from the smart grid network, send normal IP data packets to the actual embedded device and abnormal IP data packets to the actual embedded device simulator, and then uses the actual embedded device simulator to simulate the running environment and computing environment of the actual embedded device.
  • The simulator detects the changes of network state and host state that the actual embedded device would undergo under network attack and sends this network state and host state information to the security analysis server; finally the security analysis server
  • processes the network state and host state information sent by the simulator through the multi-dimensional attribute measurement based on the platform configuration attribute metric, the platform running attribute metric and the user authentication attribute metric, and obtains the final security detection result.
  • The invention can detect and perceive unknown network attacks in real time while ensuring normal operation of the embedded device, overcoming the drawbacks that existing network attack detection technology cannot be applied directly to embedded devices and can only serve after-the-fact defence; it thereby traps network attacks against embedded devices.
  • The invention also isolates, through a hardware change, the packet identification and parsing/discrimination mode of the network attack filtering device from its file configuration mode, which effectively prevents an attacker from attacking the trapping device through the network interface module, improves security and protects the trapping device effectively.
  • FIG. 1 is a schematic block diagram of a network attack trapping system for a smart grid embedded device according to the present invention
  • FIG. 2 is a flow chart of a method for trapping network attack of a smart grid embedded device according to the present invention
  • FIG. 3 is a schematic diagram of the principle of IP packet identification.
  • The smart grid embedded device network attack trapping system of the present invention comprises a trapping device and a security analysis server.
  • The data receiving end of the trapping device is connected to the smart grid network; the data sending end of the trapping device is connected to the actual embedded device and to the security analysis server respectively.
  • The trapping device comprises a network interface module, a security control module and an actual embedded device simulator.
  • The network interface module sends and receives IP data packets and comprises an external network interface module and an intranet network interface module. The external network interface module is connected to the security control module and to the smart grid network; it receives IP data packets sent by the external communication network and passes them to the security control module, and it receives IP data packets sent by the security control module and sends them out through the external communication network.
  • The intranet network interface module is connected between the security control module and the actual embedded device simulator, and between the security control module and the actual embedded device.
  • It receives IP data packets sent by the security control module and passes them to the actual embedded device or to the actual embedded device simulator, and it receives IP data packets sent by the actual embedded device and passes them to the security control module.
  • The security control module identifies (tags) the IP data packets received from the actual embedded device and sends them to the smart grid network through the network interface module; it parses and discriminates the IP data packets received from the smart grid network, sending normal IP data packets to the actual embedded device and abnormal IP data packets to the actual embedded device simulator.
  • Abnormal network data information consists of two parts:
  • Abnormal network data content: the security control module judges the network packet format, protocol, data content and other information and sends the abnormal network information to the actual embedded device simulator; from this information the security analysis server can find scanning and infiltration attacks, replay attacks, buffer overflows, exploits and the like.
  • Abnormal network traffic: the security control module judges network traffic information such as the overall traffic of the device, the traffic of a particular service and the current number of session connections, and sends the abnormal network traffic information to the actual embedded device simulator; from this information the security analysis server can detect illegal information spreading, denial of service attacks and the like.
  • The security control module stores, for each corresponding destination address and source address, a key, a transmission sequence number and a receiving sequence number. When the security control module receives an IP data packet sent by the actual embedded device, it reads the IP data packet and extracts its destination address, obtains the corresponding key and transmission sequence number according to the destination address, places the transmission sequence number at the end of the IP data packet, and performs a digest operation with the key over the IP data packet and the transmission sequence number. The digest result is appended after the transmission sequence number, the length indication information in the IP header is adjusted to the current length, and the identified IP data packet is then sent to the smart grid network through the external network interface module.
  • When the security control module receives an IP data packet sent by the smart grid network, it reads the IP data packet and extracts its source address, obtains the corresponding key and receiving sequence number according to the source address, and performs a digest operation with the key over the protected content and the transmission sequence number contained in the IP data packet. The result is compared with the digest result carried in the IP data packet. If they differ, the IP data packet is considered tampered with or forged and is sent to the actual embedded device simulator through the intranet network interface module. If they match, the IP data packet is judged not to have been tampered with or forged, and the transmission sequence number read from the IP data packet is then compared with the stored receiving sequence number: if the transmission sequence number is larger than the receiving sequence number, the IP data packet is considered normal, and the security control module accepts it and sends it to the actual embedded device through the intranet network interface module; if the transmission sequence number is less than or equal to the receiving sequence number, the IP data packet is considered illegal and is sent to the actual embedded device simulator through the intranet network interface module.
  • Figure 3 is a schematic diagram of the principle of IP packet identification.
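The identification and checking sequence described above, written out as an added Python example (it is not code from the patent or its applicants). It assumes HMAC-SHA256 as the keyed digest operation, a 4-byte big-endian sequence number, unfragmented IPv4 packets with a 20-byte header, and that the stored receiving sequence number advances to each accepted packet's sequence number (which the text implies but does not state); the addresses, key and packets are constructed samples.

```python
"""Keyed-digest plus sequence-number packet identification, modelled on the
security control module described above.  Added example, not the patent's code.
Assumptions: HMAC-SHA256 stands in for the unspecified keyed digest operation,
the sequence number is 4 bytes big-endian, packets are unfragmented IPv4 with a
20-byte header, and the receiving sequence number is advanced on acceptance."""
import hashlib
import hmac
import ipaddress
import struct

IP_HDR_LEN = 20          # minimal IPv4 header, no options
SEQ_LEN = 4              # transmission sequence number appended to the packet
DIGEST_LEN = 32          # SHA-256 output appended after the sequence number
TRAILER_LEN = SEQ_LEN + DIGEST_LEN


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header (protocol 17, checksum 0)."""
    total_len = IP_HDR_LEN + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def set_total_length(packet: bytes, total_len: int) -> bytes:
    """Rewrite the IPv4 total-length field (the 'length indication information')."""
    return packet[:2] + struct.pack("!H", total_len) + packet[4:]


def src_addr(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[12:16]))


def dst_addr(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[16:20]))


class SecurityControlModule:
    """Holds, per peer address, the shared key and both sequence counters."""

    def __init__(self, peer_keys: dict):
        self.keys = dict(peer_keys)
        self.tx_seq = {addr: 0 for addr in peer_keys}
        self.rx_seq = {addr: 0 for addr in peer_keys}

    def tag_outbound(self, packet: bytes) -> bytes:
        """Identify a packet from the embedded device before it leaves for the grid."""
        dst = dst_addr(packet)
        key = self.keys[dst]
        self.tx_seq[dst] += 1
        seq = struct.pack("!I", self.tx_seq[dst])
        # digest over the original packet followed by the sequence number
        tag = hmac.new(key, packet + seq, hashlib.sha256).digest()
        return set_total_length(packet + seq + tag, len(packet) + TRAILER_LEN)

    def classify_inbound(self, packet: bytes) -> str:
        """Return 'device' for a verified, fresh packet, otherwise 'simulator'."""
        src = src_addr(packet)
        key = self.keys.get(src)
        if key is None or len(packet) < IP_HDR_LEN + TRAILER_LEN:
            return "simulator"           # unknown peer or no trailer: cannot verify
        body = packet[:-TRAILER_LEN]
        seq_bytes = packet[-TRAILER_LEN:-DIGEST_LEN]
        tag = packet[-DIGEST_LEN:]
        # the sender digested the packet with its original length field, so restore it
        original = set_total_length(body, len(body))
        expected = hmac.new(key, original + seq_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "simulator"           # tampered with or forged
        seq = struct.unpack("!I", seq_bytes)[0]
        if seq <= self.rx_seq[src]:
            return "simulator"           # replayed or stale sequence number: illegal
        self.rx_seq[src] = seq
        return "device"


def demo() -> list:
    """Constructed exchange: grid-side peer 10.0.0.2 sends to the trapping device at 10.0.0.1."""
    key = b"constructed-shared-key"
    grid_peer = SecurityControlModule({"10.0.0.1": key})
    trap = SecurityControlModule({"10.0.0.2": key})
    tagged = grid_peer.tag_outbound(build_ipv4("10.0.0.2", "10.0.0.1", b"READ 0x0010"))
    verdicts = [trap.classify_inbound(tagged)]             # fresh and intact -> device
    verdicts.append(trap.classify_inbound(tagged))         # identical replay -> simulator
    forged = tagged[:IP_HDR_LEN] + b"WRIT" + tagged[IP_HDR_LEN + 4:]
    verdicts.append(trap.classify_inbound(forged))         # altered payload -> simulator
    later = grid_peer.tag_outbound(build_ipv4("10.0.0.2", "10.0.0.1", b"READ 0x0020"))
    verdicts.append(trap.classify_inbound(later))          # next sequence number -> device
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['device', 'simulator', 'simulator', 'device']
```

The digest comparison uses a constant-time compare, and the sequence check comes only after the digest check so that an unauthenticated packet can never advance the stored receiving sequence number.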
  • The security control module is also connected to a serial communication module and to an external memory that separately stores the file configuration program.
  • The security control module is also connected to a switch module, the signal output end of which is connected to the signal input end of the security control module. The switch module inputs a high-level or low-level signal to the security control module, and according to the signal it receives the security control module runs either the IP data packet identification, parsing and discrimination mode or the file configuration mode. Only in the file configuration mode does the security control module communicate with the outside world, and then only through the serial communication module.
  • When the security control module runs the attack filtering mode, it starts internally: it reads the IP packet identification and parsing/discrimination program from its internal storage unit and executes it, and it cannot access the external memory. This guarantees that the program in the external memory cannot be tampered with while this mode runs, and so protects the security of the configuration program.
  • When the security control module runs the configuration program mode, it reads the configuration program from the external memory and executes it; the configuration program also runs on the user's computer, and the user's computer communicates with the security control module through the serial communication module.
  • The configuration program running in the control module forms a client/server (C/S) working mode with the user's computer.
  • The invention uses the hardware switch to isolate the two operating modes of the security control module. While running the configuration program, the security control module does no network processing, which effectively prevents attacks against the security control module itself launched through the network interface module; whether or not the configuration program of the security control module has a vulnerability, an attacker cannot modify the configuration program of the security control module, and security is greatly improved.
  • The network interface module uses an interface chip supporting an Ethernet specification such as IEEE 802.3, commonly called a network card chip, which supports the transmission and reception of Ethernet data packets.
  • The network card chip is selected from domestically produced chips.
  • The security control module is a control chip with security functions.
  • Security function means the ability to perform cryptographic operations together with strong countermeasures against multiple kinds of attack.
  • The cryptographic operations include digest operations, and the chip's anti-attack measures include a multi-layer special layout design, voltage detection, encrypted protection of the storage area, light detection, an MPU (memory protection unit) and other protection measures against physical attacks and software attacks.
  • The switch module may be a circuit switch; opening and closing the circuit switch sends two different control signals, low level and high level, to the security processing chip.
  • The serial communication module may be an asynchronous serial communication interface chip supporting the RS232 standard. Communication requires a dedicated serial cable connecting this chip to the asynchronous serial communication interface chip of the user's configuration computer (commonly called the COM port).
  • The external memory may be a FLASH chip, a general-purpose memory chip that retains its data when power is lost and that can be read, written and erased through its external interface.
  • The actual embedded device simulator performs online simulation of the operating environment and computing environment of the actual embedded device, including hardware environment simulation and software environment simulation; it detects the changes in network status and host status of the actual embedded device when it is attacked over the network, and sends the network status and host status information to the security analysis server.
  • The actual embedded device simulator includes a hardware trusted cryptographic module (TPM) for implementing information collection and dynamic trusted measurement of components.
  • Information collection means collecting abnormal network events and host events and sending them to the security analysis server. Abnormal network event information includes abnormal network data information and network traffic information; host events include the configuration information and the running information of the actual embedded device simulator.
  • Dynamic measurement of components uses the privilege control mechanism of the actual embedded device simulator to analyze the dynamic memory image of the components running in it, so as to measure running components dynamically and effectively, discover abnormal operation of a component (through attack or damage) in time, and mount an active defense, providing a secure and reliable computing and operating environment for the safe and stable operation of the actual embedded device simulator.
  • Dynamic changes in components are reflected in the allocation and replacement of memory by the operating system.
  • The operating system implements load management and run-time management of applications (components).
  • On loading, the operating system allocates a certain amount of memory for the component and creates a page table for its process to map physical memory to the address space.
  • During execution, the operating system replaces the required pages from disk into memory according to a page replacement algorithm and updates the page table.
  • The XEN virtual machine is located on the hardware layer of the actual embedded device simulator, below the operating system.
  • Measurement of the current memory snapshot of a component is carried out according to specified metrics, for measurement or risk monitoring; the specified metrics include integrity measurement, code feature detection and behavioral similarity detection.
  • Dynamic measurement of the component change process is realized by performing a dynamic measurement of the component each time memory allocation or replacement occurs.
  • The security analysis server uses the network state and host state information sent by the actual embedded device simulator to perform a comprehensive quantitative evaluation over multiple attributes, namely the platform configuration attribute, the platform running attribute and the user authentication attribute, and finally obtains the security detection result.
  • The multidimensional attributes used by the security analysis server include the computing platform configuration, platform operation and identity attributes, all of which have an impact on system security.
  • The platform configuration attribute metric is a comprehensive evaluation based on the integrity of each component, reflecting the degree of trust in the platform configuration.
  • The integrity measurement of the platform's components is extended into the Trusted Platform Module (TPM) of the actual embedded device simulator platform.
  • The integrity report information of each component of the actual embedded device simulator computing platform, including PCR values and signature information, is obtained in a secure and trusted manner;
  • The security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components; if the number of components failing integrity verification is f, the number of components passing integrity verification is n-f;
  • The present invention uses the triplet {bS, dS, uS} to represent the trustworthiness of a component that passes integrity verification: bS is the possibility that the component is not affected by malicious code, dS is the possibility that the component is affected by malicious code, and uS is the degree of uncertainty about whether the component is affected by malicious code;
  • Equation (1) can be simplified to
  • The platform running attribute reflects the trust properties observable in the current behavior of the actual embedded device simulator.
  • Platform running attributes include performance features (such as CPU, memory and hard disk usage and network traffic information), reliability features (such as success rate, packet loss rate and mean time between failures) and security features (such as the number of illegal connections, the number of port scans and the number of unauthorized attempts).
  • The platform running attribute metric treats a normal network communication event as a positive event, with the cumulative number of positive events denoted r, and treats network attack events and sniffing events as negative events, with the cumulative number of negative events denoted s; from these the computing platform running attribute trust degree T_H is obtained.
  • The trust value of the current operation of the actual embedded device simulator can then be calculated.
  • The calculation method is as follows:
  • b_H represents the possibility of normal network communication;
  • d_H represents the possibility of an illegal network communication event;
  • u_H represents the degree of uncertainty about normal network communication;
  • from these the platform running attribute trust degree T_H can be calculated.
  • b_P represents the possibility that the actual embedded device simulator is safe and credible;
  • d_P represents the possibility that the actual embedded device simulator is not safe and reliable;
  • u_P represents the uncertainty about the safety and credibility of the actual embedded device simulator.
  • the actual embedded device simulator platform metric value is {0.6, 0.2, 0.2}, although the user authentication attribute metric value 0.7 > user authentication security threshold 0.65
  • The smart grid embedded device network attack trapping system of the invention introduces a trapping device to detect and perceive unknown network attacks in real time while ensuring the normal operation of the embedded device.
  • The actual embedded device simulator simulates the actual device and dynamically detects and controls the key factors affecting system security, such as components, processes and hardware configurations.
  • Unknown network attacks and exceptions are handled in time and in the corresponding way. This overcomes the drawbacks of existing network attack detection technology, which cannot be applied directly to embedded devices and can only provide after-the-fact defense, and allows network attacks on embedded devices to be actively trapped.
  • Through the hardware improvement, the invention also isolates the packet identification, parsing and discrimination mode from the file configuration mode of the network attack filtering device, effectively preventing an attacker from attacking the trapping device through the network interface module, improving security and achieving effective protection of the trapping device.
  • The smart grid embedded device network attack trapping method of the present invention comprises the following steps:
  • The data receiving end of the trapping device is directly connected to the smart grid network, and the data transmitting end of the trapping device is connected to the actual embedded device and to the security analysis server, respectively;
  • The trapping device comprises a network interface module, a security control module and an actual embedded device simulator.
  • The network interface module includes an external network interface module and an intranet network interface module. The external network interface module is connected to the security control module and to the smart grid network and is configured to receive the IP data packets sent by the external communication network and transmit them to the security control module.
  • The intranet network interface module is connected to the security control module and the actual embedded device simulator, and to the security control module and the actual embedded device; it receives the IP data packets sent by the security control module and transmits them to the actual embedded device or to the actual embedded device simulator, and receives the IP data packets sent by the actual embedded device and transmits them to the security control module;
  • The security control module identifies the IP data packets sent by the actual embedded device and sends them to the smart grid network through the network interface module.
  • The security control module stores, for each corresponding destination address and source address, a key, a transmission sequence number and a receiving sequence number. When the security control module receives an IP data packet sent by the actual embedded device, it reads the IP data packet and extracts its destination address, obtains the corresponding key and transmission sequence number according to the destination address, places the transmission sequence number at the end of the IP data packet, performs a digest operation with the key over the IP data packet and the transmission sequence number, appends the digest result after the transmission sequence number, adjusts the length indication information in the IP header to the current length, and then sends the identified IP data packet to the smart grid network through the external network interface module;
  • When the security control module receives an IP data packet sent by the smart grid network, it reads the IP data packet and extracts its source address, obtains the corresponding key and receiving sequence number according to the source address, performs a digest operation with the key over the protected content and the transmission sequence number in the IP data packet, and compares the result with the digest result contained in the IP data packet. If they differ, the IP data packet is considered tampered with or forged and is sent to the actual embedded device simulator through the intranet network interface module. If they match, the IP data packet is judged not to have been tampered with or forged, and the transmission sequence number read from the IP data packet is compared with the stored receiving sequence number: if the transmission sequence number is larger than the receiving sequence number, the IP data packet is considered normal, and the security control module accepts it and sends it to the actual embedded device through the intranet network interface module; if the transmission sequence number is less than or equal to the receiving sequence number, the IP data packet is considered illegal and is sent to the actual embedded device simulator through the intranet network interface module;
  • The serial communication module and the external memory, which separately stores the file configuration program of the network attack filtering device, are connected to the security processing module; the switch module is also connected to the security processing module, with the signal output end of the switch module connected to the signal input end of the security processing module. The switch module inputs a high-level or low-level signal to the security processing module, and according to the signal received the security processing module runs either the IP data packet identification, parsing and discrimination mode or the file configuration mode.
  • The security processing module communicates with the outside world only through the serial communication module. When the security processing module runs the IP packet identification and parsing/discrimination mode, it starts internally: it reads the network attack filtering program from its internal storage unit and executes it, and it cannot access the external memory. When the security processing module runs the configuration program mode, it reads the configuration program from the external memory and executes it; the configuration program also runs on the user's computer, and the user's computer communicates with the security processing module through the serial communication module.
  • The actual embedded device simulator includes a hardware trusted cryptographic module (TPM) for implementing information collection and dynamic trusted measurement of components. Information collection means collecting abnormal network events and host events and sending them to the security analysis server; abnormal network event information includes abnormal network data information and network traffic information, and host events include the configuration information and the running information of the actual embedded device simulator.
  • The actual embedded device simulator first configures the XEN virtual machine, which is located on the hardware layer of the actual embedded device simulator, below the operating system. Then the hypercall mechanism of the XEN virtual machine is used to obtain the address pointer through the component's page request before the component is loaded into memory.
  • Step D: the security analysis server performs a comprehensive quantitative evaluation over multiple attributes, namely the platform configuration attribute, the platform running attribute and the user authentication attribute;
  • The platform configuration attribute metric is a comprehensive evaluation of the integrity of each component stored in the corresponding platform configuration registers (PCRs) of the hardware trusted cryptographic module (TPM), reflecting the trustworthiness of the platform configuration. First, based on the trusted hardware module (TPM) of the actual embedded device simulator, the integrity report information of the components of the actual embedded device simulator computing platform, including PCR values and signature information, is obtained in a secure and trusted manner; then the security analysis server verifies the integrity report and obtains the integrity information of the components corresponding to PCR0, PCR1, ..., PCRn-1, where n is the number of components; if the number of components failing integrity verification is f, the number of components passing integrity verification is n-f; finally, based on the component integrity information, the platform configuration trust T_I is obtained:
  • The present invention uses the triplet {bS, dS, uS} to represent the trustworthiness of a component that passes integrity verification: bS is the possibility that the component is not affected by malicious code, dS is the possibility that the component is affected by malicious code, and uS is the degree of uncertainty about whether the component is affected by malicious code;
  • The triplet {bF, dF, uF} is used to represent the trust condition of a component whose integrity verification failed.
  • Failure of integrity verification does not necessarily mean that the security of the component has been compromised: a software version upgrade, for example, also causes the PCR check to fail, yet is harmless.
  • bF represents the possibility that the component damages system security;
  • dF represents the possibility that the component does not damage system security;
  • uF represents the uncertainty about whether the component damages system security.
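The integrity-report verification in this step (obtaining PCR values, checking the report, and counting n, f and n-f) as an added Python example; it is not the patent's code. Assumptions: one PCR per component, PCRs initialised to 32 zero bytes, SHA-256 measurements of each part of a component folded into its PCR with the TPM extend rule PCR = H(PCR || measurement), and an HMAC-SHA256 tag standing in for the TPM's signature over the reported PCRs; the component names, images and key are constructed.

```python
"""Integrity-report verification against reference PCR values, added example of
the step described above (not the patent's code).  Assumptions: one PCR per
component, PCRs start as 32 zero bytes, each part of a component is measured
with SHA-256 and folded in with the TPM extend rule PCR = H(PCR || measurement),
and an HMAC-SHA256 tag stands in for the TPM's signature over the PCR list."""
import hashlib
import hmac

PCR_INIT = bytes(32)   # assumption: PCRs start zeroed, as a 32-byte SHA-256 bank does


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the new PCR value is the hash of the old value and the measurement."""
    return sha256(pcr + measurement)


def pcr_for_component(parts: list) -> bytes:
    """Fold the measurements of a component's parts into one PCR, in load order.
    Because extend chains hashes, the same parts in a different order give a
    different PCR, so the order of loading is measured too."""
    pcr = PCR_INIT
    for part in parts:
        pcr = pcr_extend(pcr, sha256(part))
    return pcr


def build_report(live_components: list, quote_key: bytes) -> dict:
    """What the simulator's TPM hands over: PCR0..PCRn-1 plus a tag over them."""
    pcrs = [pcr_for_component(parts) for _name, parts in live_components]
    tag = hmac.new(quote_key, b"".join(pcrs), hashlib.sha256).digest()
    return {"pcrs": pcrs, "signature": tag}


def verify_report(report: dict, reference_components: list, quote_key: bytes) -> dict:
    """Security analysis server side: check the signature first, then each PCR
    against the reference value computed from the known-good component parts.

    Returns n (components), f (failed), passed (n - f) and a per-component verdict."""
    expected_tag = hmac.new(quote_key, b"".join(report["pcrs"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, report["signature"]):
        raise ValueError("integrity report signature does not verify")
    if len(report["pcrs"]) != len(reference_components):
        raise ValueError("report does not cover the expected number of components")
    verdicts = {}
    for pcr, (name, ref_parts) in zip(report["pcrs"], reference_components):
        verdicts[name] = hmac.compare_digest(pcr, pcr_for_component(ref_parts))
    n = len(reference_components)
    f = sum(1 for ok in verdicts.values() if not ok)
    return {"n": n, "f": f, "passed": n - f, "verdicts": verdicts}


def demo() -> dict:
    """Constructed platform of three components; the agent's config part differs
    from the reference, so exactly one PCR fails verification."""
    quote_key = b"constructed-tpm-quote-key"
    reference = [
        ("bootloader", [b"boot code v1"]),
        ("kernel", [b"kernel image v2", b"kernel config"]),
        ("agent", [b"agent binary", b"agent config: mode=normal"]),
    ]
    live = [
        ("bootloader", [b"boot code v1"]),
        ("kernel", [b"kernel image v2", b"kernel config"]),
        ("agent", [b"agent binary", b"agent config: mode=debug"]),   # altered part
    ]
    return verify_report(build_report(live, quote_key), reference, quote_key)


if __name__ == "__main__":
    print(demo())  # n=3, f=1, passed=2; only 'agent' is False
```

A failed PCR only says that the measured parts differ from the reference; as the text notes, a legitimate software upgrade produces the same failure, which is why the failed-component triplet {bF, dF, uF} keeps an uncertainty term rather than treating every mismatch as compromise.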
  • The platform running attribute metric treats a normal network communication event as a positive event, with the cumulative number of positive events denoted r, and treats network attack events and sniffing events as negative events, with the cumulative number of negative events denoted s; from these the computing platform running attribute trust degree T_H is obtained;
  • T_H = {b_H, d_H, u_H}
  • b_H represents the possibility of normal network communication;
  • d_H represents the possibility of an illegal network communication event;
  • u_H represents the degree of uncertainty about normal network communication.
  • The user authentication attribute metric calculates the authentication trust level from the probability that the authentication method is broken.
  • Let P(A) be the probability that an attacker successfully breaks authentication method A and can act as a normal user; the credibility level of authentication method A is level_A = -log(P(A)). If the system adopts a multi-factor authentication scheme A1, A2, ..., Am, where m is the number of authentication factors, then the multi-factor authentication is broken only when all of the authentication methods are broken, with probability P(A1 ∧ A2 ∧ ... ∧ Am); assuming that user U passes the multi-factor authentication, the trusted level A_U obtained by U after system authentication is expressed as:
  • u P ⁇ I u I + ⁇ H u H ;
  • b_P represents the possibility that the actual embedded device simulator is safe and credible;
  • d_P represents the possibility that the actual embedded device simulator is not safe and reliable;
  • u_P represents the uncertainty about the safety and credibility of the actual embedded device simulator.
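A worked evaluation over the three attributes (platform configuration T_I, platform running T_H, user authentication) as an added Python example, covering both the system description and step D above; it is not the patent's code. The page does not reproduce the equations themselves, so the formulas here are assumptions standing in for them: T_H uses the subjective-logic evidence mapping b = r/(r+s+2), d = s/(r+s+2), u = 2/(r+s+2); T_I averages the per-component triplets, mapping a failed component's {bF, dF, uF} (where bF is the chance of harm) to (belief, disbelief, uncertainty) = (dF, bF, uF); the platform opinion is a weighted sum of the two, in the form u_P = w_I·u_I + w_H·u_H; the authentication level is -log10 of the product of the factors' break probabilities, assuming independent factors. The thresholds, weights and counts are constructed inputs.

```python
"""Multi-attribute trust evaluation (platform configuration, platform running,
user authentication).  Added example, not the patent's code; every formula below
is an assumption standing in for equations not reproduced on this page."""
import math


def running_opinion(r: int, s: int) -> tuple:
    """Platform running attribute T_H = (b_H, d_H, u_H) from r positive and s negative events.

    Assumption: subjective-logic evidence mapping with prior weight 2, so that
    uncertainty shrinks as evidence accumulates and b + d + u == 1."""
    if r < 0 or s < 0:
        raise ValueError("event counts must be non-negative")
    total = r + s + 2.0
    return (r / total, s / total, 2.0 / total)


def configuration_opinion(n: int, f: int,
                          passed: tuple = (0.9, 0.05, 0.05),
                          failed: tuple = (0.3, 0.5, 0.2)) -> tuple:
    """Platform configuration attribute T_I from n components of which f failed verification.

    passed = (bS, dS, uS) for a verified component; failed = (bF, dF, uF) where bF is
    the chance of harm, so a failed component contributes (dF, bF, uF) as
    (belief, disbelief, uncertainty).  Assumption: plain average over components;
    the default triplet values are constructed."""
    if n <= 0 or not 0 <= f <= n:
        raise ValueError("need n > 0 and 0 <= f <= n")
    bS, dS, uS = passed
    bF, dF, uF = failed
    ok = n - f
    return ((ok * bS + f * dF) / n, (ok * dS + f * bF) / n, (ok * uS + f * uF) / n)


def authentication_level(break_probs) -> float:
    """level = -log10(P(A1 and ... and Am)).  Assumption: independent factors, so the
    probability that every factor is broken is the product of the P(Ai)."""
    p_all = 1.0
    for p in break_probs:
        if not 0.0 < p <= 1.0:
            raise ValueError("break probability must be in (0, 1]")
        p_all *= p
    return -math.log10(p_all)


def platform_opinion(config: tuple, running: tuple,
                     w_I: float = 0.5, w_H: float = 0.5) -> tuple:
    """(b_P, d_P, u_P) as the weighted sum of the configuration and running opinions,
    mirroring u_P = w_I*u_I + w_H*u_H; the weights must sum to 1 to keep b+d+u == 1."""
    if abs(w_I + w_H - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return tuple(w_I * c + w_H * h for c, h in zip(config, running))


def evaluate(n, f, r, s, break_probs, auth_threshold, belief_threshold,
             w_I=0.5, w_H=0.5) -> dict:
    """Combine the three attribute metrics into one security detection result."""
    config = configuration_opinion(n, f)
    running = running_opinion(r, s)
    platform = platform_opinion(config, running, w_I, w_H)
    auth_level = authentication_level(break_probs)
    return {
        "T_I": config, "T_H": running, "platform": platform, "auth_level": auth_level,
        # constructed decision rule: enough belief in the platform and a strong enough login
        "secure": platform[0] >= belief_threshold and auth_level >= auth_threshold,
    }


if __name__ == "__main__":
    # constructed input: 4 components with 1 failed PCR check; 8 normal vs 2 hostile
    # network events; password (P=0.1 broken) plus hardware token (P=0.01 broken)
    print(evaluate(4, 1, 8, 2, [0.1, 0.01], auth_threshold=2.0, belief_threshold=0.65))
```

Keeping the uncertainty term separate from disbelief is what lets a platform with few observations (small r + s) or an unexplained PCR mismatch score as "unknown" rather than as "attacked", which matches the page's remark that a failed integrity check is not by itself evidence of compromise.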

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a system for trapping a network attack on embedded devices in a smart grid. The system comprises a trapping device and a security analysis server. The trapping device comprises a network interface module, a security control module and an actual embedded device simulator. The network interface module is used for receiving and transmitting IP data packets. The security control module is used for identifying, parsing and discriminating IP data packets; it is connected to a serial port communication module, an external memory and a switch module. The actual embedded device simulator transmits network status and host status information to the security analysis server. The security analysis server obtains a final security detection result through a comprehensive multidimensional attribute measurement. The present invention can quickly and accurately perform real-time dynamic security detection and evaluation of a known or unknown attack on a power system without affecting the normal operation of embedded terminals, and effectively prevents an attacker from attacking the trapping device through the network interface module.
PCT/CN2015/075367 2014-04-03 2015-03-30 System and method for trapping a network attack on an embedded device in a smart grid WO2015149663A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410133307.9A CN103905451B (zh) 2014-04-03 2014-04-03 一种智能电网嵌入式设备网络攻击诱捕系统和诱捕方法
CN201410133307.9 2014-04-03

Publications (1)

Publication Number Publication Date
WO2015149663A1 true WO2015149663A1 (fr) 2015-10-08

Family

ID=50996605

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/075367 WO2015149663A1 (fr) 2014-04-03 2015-03-30 System and method for trapping a network attack on an embedded device in a smart grid

Country Status (2)

Country Link
CN (1) CN103905451B (fr)
WO (1) WO2015149663A1 (fr)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105896529A (zh) * 2016-04-26 2016-08-24 武汉大学 针对智能电网中虚假数据注入攻击的数据修复方法
US10268170B2 (en) 2017-01-03 2019-04-23 General Electric Company Validation of control command in substantially real time for industrial asset control system threat detection
CN110083363A (zh) * 2019-04-22 2019-08-02 珠海网博信息科技股份有限公司 一种Linux内核动态注入方式截取无线数据包的方法
CN110492994A (zh) * 2019-07-25 2019-11-22 北京笛卡尔盾科技有限公司 一种可信网络接入方法和系统
CN110851885A (zh) * 2019-11-08 2020-02-28 北京计算机技术及应用研究所 嵌入式系统安全防护架构体系
CN110995841A (zh) * 2019-12-04 2020-04-10 国网山东省电力公司信息通信公司 基于iamt的电力调度录音系统远程维护方法及系统
CN111651740A (zh) * 2020-05-26 2020-09-11 西安电子科技大学 一种面向分布式智能嵌入式系统的可信平台共享系统
CN112347472A (zh) * 2020-10-27 2021-02-09 中国南方电网有限责任公司 电力系统的行为度量方法和装置
CN112383150A (zh) * 2020-11-27 2021-02-19 中能电力科技开发有限公司 一种新能源电力监控系统安全监测装置
CN112491849A (zh) * 2020-11-18 2021-03-12 深圳供电局有限公司 一种基于流量特征的电力终端漏洞攻击防护方法
CN112511494A (zh) * 2020-11-05 2021-03-16 中国电力科学研究院有限公司 一种适用于电力智能终端设备的安全防护系统及方法
CN113098844A (zh) * 2021-03-08 2021-07-09 黑龙江大学 硬件协议的智能网络检测入侵系统
US11075926B2 (en) 2018-01-15 2021-07-27 Carrier Corporation Cyber security framework for internet-connected embedded devices
CN113219895A (zh) * 2021-05-10 2021-08-06 上海交通大学宁波人工智能研究院 一种使能边缘控制器安全可信的装置和方法
CN113542036A (zh) * 2021-09-14 2021-10-22 广州锦行网络科技有限公司 针对网络攻击行为的演示方法、电子及演示装置
CN114124523A (zh) * 2021-11-22 2022-03-01 中国电子科技集团公司第五十四研究所 一种零信任与网络诱捕相结合的网络防御系统及方法
CN114500014A (zh) * 2022-01-14 2022-05-13 成都网域探行科技有限公司 一种网络系统安全评估方法
CN114745191A (zh) * 2022-04-22 2022-07-12 中国电力科学研究院有限公司 能源互联网终端的可信实时度量方法、装置、设备及介质
CN114745182A (zh) * 2022-04-12 2022-07-12 宇辰科技(山东)有限公司 一种内、外网应用数据安全交互智慧出行系统及其设备
CN114979281A (zh) * 2022-07-11 2022-08-30 成都信息工程大学 一种应用于工业互联网云服务平台的数据交互方法

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905451B (zh) * 2014-04-03 2017-04-12 国网河南省电力公司电力科学研究院 一种智能电网嵌入式设备网络攻击诱捕系统和诱捕方法
CN105516159B (zh) * 2015-12-17 2016-11-23 西安交通大学 基于SmartGrid的攻击智能捕获系统
CN105552886B (zh) * 2015-12-17 2016-11-23 西安交通大学 基于Smart Grid的智能诱骗系统
CN105959131A (zh) * 2016-04-15 2016-09-21 贵州电网有限责任公司信息中心 一种基于安全日志数据挖掘的电力信息网络安全度量方法
JP6396519B2 (ja) * 2017-01-23 2018-09-26 ファナック株式会社 通信環境への侵入を検出するシステム、および侵入検出方法
CN108650225B (zh) * 2018-04-03 2021-03-02 国家计算机网络与信息安全管理中心 一种远程安全监测设备、系统及远程安全监测方法
CN109167794B (zh) * 2018-09-25 2021-05-14 北京计算机技术及应用研究所 一种面向网络系统安全度量的攻击检测方法
US10896261B2 (en) * 2018-11-29 2021-01-19 Battelle Energy Alliance, Llc Systems and methods for control system security
CN109802973A (zh) 2019-03-15 2019-05-24 北京百度网讯科技有限公司 用于检测流量的方法和装置
CN110826075A (zh) * 2019-12-20 2020-02-21 宁波和利时信息安全研究院有限公司 Plc动态度量方法、装置、系统、存储介质及电子设备
CN111901348A (zh) * 2020-07-29 2020-11-06 北京宏达隆和科技有限公司 主动网络威胁感知与拟态防御的方法及系统
CN112073375B (zh) * 2020-08-07 2023-09-26 中国电力科学研究院有限公司 一种适用于电力物联网客户侧的隔离装置及隔离方法
CN113467311B (zh) * 2021-07-08 2023-03-14 国网新疆电力有限公司电力科学研究院 基于软件定义的电力物联网安全防护装置及方法
CN113596022A (zh) * 2021-07-27 2021-11-02 北京卫达信息技术有限公司 识别网络内恶意源的设备和方法
CN113572793B (zh) * 2021-09-26 2021-12-21 苏州浪潮智能科技有限公司 访问请求捕获方法、装置、计算机设备和存储介质
CN115150140B (zh) * 2022-06-23 2024-04-09 云南电网有限责任公司 一种基于集中统一布防的分布式攻击诱捕系统
CN116132194B (zh) * 2023-03-24 2023-06-27 杭州海康威视数字技术股份有限公司 嵌入式设备未知攻击入侵检测防御方法、系统及装置
CN116506208B (zh) * 2023-05-17 2023-12-12 河南省电子信息产品质量检验技术研究院 一种基于局域网内计算机软件信息安全维护系统
CN117591542B (zh) * 2024-01-18 2024-03-22 准检河北检测技术服务有限公司 一种数据库软件数据安全智能检测方法

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102438026A (zh) * 2012-01-12 2012-05-02 冶金自动化研究设计院 工业控制网络安全防护方法及系统
CN102821102A (zh) * 2012-07-30 2012-12-12 中国电力科学研究院 一种智能配电网防御系统及其防御方法
US20130086635A1 (en) * 2011-09-30 2013-04-04 General Electric Company System and method for communication in a network
CN103905451A (zh) * 2014-04-03 2014-07-02 国家电网公司 一种智能电网嵌入式设备网络攻击诱捕系统和诱捕方法

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060034305A1 (en) * 2004-08-13 2006-02-16 Honeywell International Inc. Anomaly-based intrusion detection
US7617170B2 (en) * 2006-10-09 2009-11-10 Radware, Ltd. Generated anomaly pattern for HTTP flood protection
US8712596B2 (en) * 2010-05-20 2014-04-29 Accenture Global Services Limited Malicious attack detection and analysis
CN102014138A (zh) * 2010-12-16 2011-04-13 北京安天电子设备有限公司 Embedded virus capture device and circuit board
CN102710649A (zh) * 2012-06-12 2012-10-03 上海市电力公司 Network security architecture for a power information acquisition system
CN103546488A (zh) * 2013-11-05 2014-01-29 上海电机学院 Active security defense system and method for power secondary systems

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105896529B (zh) * 2016-04-26 2018-05-29 武汉大学 Data repair method for false data injection attacks in smart grids
CN105896529A (zh) * 2016-04-26 2016-08-24 武汉大学 Data repair method for false data injection attacks in smart grids
US10268170B2 (en) 2017-01-03 2019-04-23 General Electric Company Validation of control command in substantially real time for industrial asset control system threat detection
US11075926B2 (en) 2018-01-15 2021-07-27 Carrier Corporation Cyber security framework for internet-connected embedded devices
CN110083363A (zh) * 2019-04-22 2019-08-02 珠海网博信息科技股份有限公司 Method for intercepting wireless data packets by Linux kernel dynamic injection
CN110083363B (zh) * 2019-04-22 2022-04-01 珠海网博信息科技股份有限公司 Method for intercepting wireless data packets by Linux kernel dynamic injection
CN110492994A (zh) * 2019-07-25 2019-11-22 北京笛卡尔盾科技有限公司 Trusted network access method and system
CN110851885A (zh) * 2019-11-08 2020-02-28 北京计算机技术及应用研究所 Security protection architecture for embedded systems
CN110851885B (zh) * 2019-11-08 2023-09-26 北京计算机技术及应用研究所 Security protection architecture for embedded systems
CN110995841A (zh) * 2019-12-04 2020-04-10 国网山东省电力公司信息通信公司 Remote maintenance method and system for power dispatching recording systems based on iAMT
CN111651740A (zh) * 2020-05-26 2020-09-11 西安电子科技大学 Trusted platform sharing system for distributed intelligent embedded systems
CN111651740B (zh) * 2020-05-26 2023-04-07 西安电子科技大学 Trusted platform sharing system for distributed intelligent embedded systems
CN112347472A (zh) * 2020-10-27 2021-02-09 中国南方电网有限责任公司 Behavior measurement method and apparatus for power systems
CN112511494A (zh) * 2020-11-05 2021-03-16 中国电力科学研究院有限公司 Security protection system and method for power intelligent terminal devices
CN112511494B (zh) * 2020-11-05 2023-10-31 中国电力科学研究院有限公司 Security protection system and method for power intelligent terminal devices
CN112491849A (zh) * 2020-11-18 2021-03-12 深圳供电局有限公司 Power terminal vulnerability attack protection method based on traffic characteristics
CN112491849B (zh) * 2020-11-18 2022-08-05 深圳供电局有限公司 Power terminal vulnerability attack protection method based on traffic characteristics
CN112383150A (zh) * 2020-11-27 2021-02-19 中能电力科技开发有限公司 Security monitoring device for new-energy power monitoring systems
CN113098844A (zh) * 2021-03-08 2021-07-09 黑龙江大学 Intelligent network intrusion detection system for hardware protocols
CN113219895A (zh) * 2021-05-10 2021-08-06 上海交通大学宁波人工智能研究院 Apparatus and method for enabling secure and trusted edge controllers
CN113219895B (zh) * 2021-05-10 2022-06-10 上海交通大学宁波人工智能研究院 Apparatus and method for enabling secure and trusted edge controllers
CN113542036A (zh) * 2021-09-14 2021-10-22 广州锦行网络科技有限公司 Demonstration method, electronic device and demonstration apparatus for network attack behavior
CN114124523A (zh) * 2021-11-22 2022-03-01 中国电子科技集团公司第五十四研究所 Network defense system and method combining zero trust with network trapping
CN114124523B (zh) * 2021-11-22 2024-01-26 中国电子科技集团公司第五十四研究所 Network defense system and method combining zero trust with network trapping
CN114500014A (zh) * 2022-01-14 2022-05-13 成都网域探行科技有限公司 Network system security assessment method
CN114500014B (zh) * 2022-01-14 2024-03-08 成都网域探行科技有限公司 Network system security assessment method
CN114745182A (zh) * 2022-04-12 2022-07-12 宇辰科技(山东)有限公司 Smart travel system and device for secure interaction of application data between internal and external networks
CN114745191A (zh) * 2022-04-22 2022-07-12 中国电力科学研究院有限公司 Trusted real-time measurement method, apparatus, device and medium for energy Internet terminals
CN114745191B (zh) * 2022-04-22 2024-03-08 中国电力科学研究院有限公司 Trusted real-time measurement method, apparatus, device and medium for energy Internet terminals
CN114979281A (zh) * 2022-07-11 2022-08-30 成都信息工程大学 Data interaction method for industrial Internet cloud service platforms
CN114979281B (zh) * 2022-07-11 2022-11-08 成都信息工程大学 Data interaction method for industrial Internet cloud service platforms

Also Published As

Publication number Publication date
CN103905451B (zh) 2017-04-12
CN103905451A (zh) 2014-07-02

Similar Documents

Publication Publication Date Title
WO2015149663A1 (fr) System and method for trapping network attacks on an embedded device in a smart grid
US10931635B2 (en) Host behavior and network analytics based automotive secure gateway
KR101737726B1 (ko) Rootkit detection by using hardware resources to detect inconsistencies in network traffic
RU2680736C1 (ru) Server and method for detecting malicious files in network traffic
CN103905450B (zh) Network detection and evaluation system and method for smart grid embedded devices
US9497163B2 (en) Identifying malicious devices within a computer network
CN111274583A (zh) Big data computer network security protection device and control method thereof
CN113660224B (zh) Situational awareness defense method, apparatus and system based on network vulnerability scanning
Mudgerikar et al. E-spion: A system-level intrusion detection system for iot devices
KR101964148B1 (ko) Wired/wireless router analyzing abnormal behavior based on machine learning, and method therefor
US11258812B2 (en) Automatic characterization of malicious data flows
CN108369541B (zh) System and method for threat risk scoring of security threats
CN114666088A (zh) Method, apparatus, device and medium for detecting behavior information in industrial network data
CN113411295A (zh) Situational awareness defense method and system based on role-based access control
CN113660222A (zh) Situational awareness defense method and system based on mandatory access control
CN113645181A (zh) Distributed protocol attack detection method and system based on isolation forest
RU2703329C1 (ru) Method for detecting unauthorized use of limited-functionality network devices from a local network and preventing distributed network attacks originating from them
CN111800427B (zh) Internet of Things device assessment method, apparatus and system
KR101923054B1 (ko) Wired/wireless gateway that self-detects malicious behavior based on signatures, and detection method therefor
CN115883170A (zh) Network traffic data monitoring and analysis method, apparatus, electronic device and storage medium
Ponomarev Intrusion Detection System of industrial control networks using network telemetry
KR101153115B1 (ko) Method, server and terminal for detecting hacking tools
Todd et al. Alert verification evasion through server response forging
CN112637217B (zh) Active defense method and apparatus for cloud computing systems based on decoy generation
US8806211B2 (en) Method and systems for computer security
US8806211B2 (en) Method and systems for computer security

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 15772649; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
122 Ep: pct application non-entry in european phase
    Ref document number: 15772649; Country of ref document: EP; Kind code of ref document: A1