WO2021217636A1 - Industrial network behavior analysis method, device, system and computer-readable medium - Google Patents

Industrial network behavior analysis method, device, system and computer-readable medium

Info

Publication number
WO2021217636A1
Authority
WO
WIPO (PCT)
Prior art keywords
time window
control
time
control instruction
executed
Application number
PCT/CN2020/088460
Other languages
English (en)
French (fr)
Inventor
郭代飞
Original Assignee
西门子股份公司
西门子(中国)有限公司
Application filed by 西门子股份公司, 西门子(中国)有限公司 filed Critical 西门子股份公司
Priority to PCT/CN2020/088460 priority Critical patent/WO2021217636A1/zh
Priority to US17/921,863 priority patent/US11829122B2/en
Priority to EP20933508.2A priority patent/EP4131881A4/en
Priority to CN202080099460.8A priority patent/CN115380505A/zh
Publication of WO2021217636A1 publication Critical patent/WO2021217636A1/zh

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B 19/00 Programme-control systems
    • G05B 19/02 Programme-control systems electric
    • G05B 19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B 19/4185 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by the network communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B 2219/00 Program-control systems
    • G05B 2219/20 Pc systems
    • G05B 2219/23 Pc programming
    • G05B 2219/23317 Safe mode, secure program, environment in case of error, intrusion

Definitions

  • the present invention relates to the field of communication technology, in particular to an industrial network behavior analysis method, device, system and computer readable medium.
  • IOT Internet of Things
  • OT Operational Technology
  • large-scale production enterprises require that all industrial control systems be monitored by the same security monitoring system, so different industrial control systems are connected to the same security monitoring system to form an OT network; but because the security defense capabilities of industrial control systems are weak, the risk of malicious attacks on the OT network is higher.
  • the control instructions between the control devices in the industrial control system can be collected, and then the industrial network behavior analysis can be performed on the collected control instructions to determine whether the OT network is at risk of malicious attacks.
  • a trust list is created in advance for the industrial control system, and the identification information of trusted control instructions is stored in the trust list. After a control instruction between the control devices in the industrial control system is collected, it is determined whether the collected control instruction is recorded in the trust list. If it is recorded in the trust list, the collected control instruction is determined to be a legal control instruction. If it is not recorded in the trust list, the collected control instruction is determined to be an abnormal control instruction, and it is then determined that the OT network is at risk of malicious attacks.
  • each control instruction needs to be compared with the trust list, so the method is only applicable to a simple control process that includes fewer types of control instructions, and not to a complex control process that includes more types of control instructions. Therefore, the applicability of the existing industrial network behavior analysis methods is poor.
  • the industrial network behavior analysis method, device, system and computer readable medium provided by the present invention can improve the applicability of analyzing industrial network behavior.
  • an embodiment of the present invention provides an industrial network behavior analysis method, including:
  • At least one second time window is determined, wherein the second time window is used to characterize the time period during which the target industrial control system (30) executes the corresponding control behavior, and the control behavior executed by the target industrial control system (30) in the second time window is the same as the control behavior executed in one of the first time windows;
  • the target execution probability deviation is the execution probability deviation of the control instruction in the first time window corresponding to the same control behavior as the second time window;
  • if the execution probability of a control instruction does not satisfy the target execution probability deviation, the control instruction is determined to be a suspicious control instruction.
  • the determining at least one first time window for the target industrial control system includes:
  • when the first control instruction corresponding to the preset time window start identifier is collected, the time when the first control instruction is collected is determined as the start point of the time window, and when the second control instruction corresponding to the preset time window end identifier is collected, the time when the second control instruction is collected is determined as the end point of the time window;
  • the third time window is determined as a fourth time window
  • each of the fourth time windows is grouped to obtain at least one time window group, where each time window group includes at least one fourth time window, the target industrial control system executes the same control behavior in each of the fourth time windows included in the same time window group, and the target industrial control system executes different control behaviors in the fourth time windows included in different time window groups;
  • a corresponding first time window is formed for each time window group, wherein the first time window and each of the fourth time windows included in the time window group corresponding to the first time window have the same start point and end point, or the first time window and each of the fourth time windows included in the time window group corresponding to the first time window have the same time length.
  • the respectively determining the execution probability deviation of each control instruction in the target industrial controller in each of the first time windows includes:
  • the determining at least one second time window according to the collected control instruction includes:
  • for each of the fifth time windows, if the control instructions collected in the fifth time window satisfy the complexity rule, and there is a first time window corresponding to the same control behavior as the fifth time window, the fifth time window is determined as a second time window.
  • for each control instruction executed in the fifth time window, it is determined separately whether the control instruction is in the preset instruction whitelist;
  • if the control instruction is in the instruction whitelist, the control instruction is determined to be a legal control instruction;
  • if the control instruction is not in the instruction whitelist, the control instruction is determined to be a suspicious control instruction.
  • the control behavior includes at least one control instruction executed sequentially, wherein the control instruction is the basic unit for realizing device control and status feedback in the target industrial control system, and each control instruction may include at least one relevant parameter.
  • an embodiment of the present invention also provides an industrial network behavior analysis device, including:
  • a first identification module for determining at least one first time window for the target industrial control system, wherein the first time window is used to characterize the time period during which the target industrial control system executes a corresponding control action;
  • a deviation calculation module, configured to determine the execution probability deviation of each control instruction in the target industrial controller in each of the first time windows determined by the first identification module, wherein the execution probability deviation is used to characterize the fluctuation of the execution probability of the corresponding control instruction, and the execution probability is used to characterize the ratio of the number of times the corresponding control instruction is executed in a time period to the total number of control instructions executed in that time period;
  • An instruction collection module for collecting the control instructions executed in the industrial control system
  • a second identification module, configured to determine at least one second time window according to the control instructions collected by the instruction collection module, wherein the second time window is used to characterize the time period during which the target industrial control system executes the corresponding control behavior, and the control behavior executed by the target industrial control system in the second time window is the same as the control behavior executed in one of the first time windows;
  • a probability calculation module, configured to calculate, for each of the second time windows determined by the second identification module and for each of the control instructions executed in that second time window, the probability of the control instruction being executed in the second time window;
  • a probability comparison module, configured to determine, for each of the second time windows determined by the second identification module and for each of the control instructions executed in that second time window, whether the execution probability of the control instruction calculated by the probability calculation module satisfies the target execution probability deviation, wherein the target execution probability deviation is the execution probability deviation calculated by the deviation calculation module for the control instruction in the first time window corresponding to the second time window;
  • a first analysis module, configured to determine, according to the judgment result of the probability comparison module, that a control instruction is a legal control instruction if its execution probability satisfies the target execution probability deviation, and that the control instruction is a suspicious control instruction if its execution probability does not satisfy the target execution probability deviation.
  • the first identification module includes:
  • a first identification unit, configured to determine the time when the first control instruction is collected as the start point of the time window when the collection unit collects the first control instruction corresponding to the preset time window start identifier, and to determine the time when the second control instruction is collected as the end point of the time window when the collection unit collects the second control instruction corresponding to the preset time window end identifier;
  • a first extraction unit, configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the first identification unit as a third time window;
  • a first filtering unit, configured to determine, for each of the third time windows determined by the first extraction unit, the third time window as a fourth time window if the control instructions collected in the third time window satisfy a preset complexity rule;
  • a time window grouping unit, configured to group each of the fourth time windows determined by the first filtering unit to obtain at least one time window group, wherein each time window group includes at least one fourth time window, the target industrial control system executes the same control behavior in each of the fourth time windows included in the same time window group, and the target industrial control system executes different control behaviors in the fourth time windows included in different time window groups;
  • a time window generating unit, configured to form a corresponding first time window for each of the time window groups divided by the time window grouping unit, wherein the first time window and each of the fourth time windows included in the time window group corresponding to the first time window have the same start point and end point, or the first time window and each of the fourth time windows included in the corresponding time window group have the same time length.
  • the deviation calculation module includes:
  • a probability calculation unit for each of the time window groups, respectively calculating the execution probability of each of the control instructions executed in each of the fourth time windows included in the time window group;
  • a deviation calculation unit, configured, for each of the time window groups and for each of the control instructions executed in each of the fourth time windows included in the time window group, to calculate the execution probability deviation of the control instruction in the first time window corresponding to the time window group, according to the execution probabilities of the control instruction in each of the fourth time windows included in the time window group calculated by the probability calculation unit.
  • the second identification module includes:
  • a second identification unit, configured to identify the time window start identifiers and time window end identifiers from the collected control instructions;
  • a start point determination unit, configured to determine, for each of the time window start identifiers identified by the second identification unit, the time at which the control instruction corresponding to the time window start identifier is collected as a time window start point;
  • an end point determination unit, configured to determine, for each of the time window end identifiers identified by the second identification unit, the time at which the control instruction corresponding to the time window end identifier is collected as a time window end point;
  • a second extraction unit, configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the start point determination unit and the end point determination unit as a fifth time window;
  • a second filtering unit, configured to determine, for each of the fifth time windows determined by the second extraction unit, the fifth time window as a second time window if the control instructions collected within the fifth time window satisfy the complexity rule and there is a first time window corresponding to the same control behavior as the fifth time window.
  • the industrial network behavior analysis device further includes: a second analysis module
  • the second analysis module is configured, for each of the fifth time windows determined by the second extraction unit, if the control instructions collected within the fifth time window do not satisfy the complexity rule, to determine whether each of the control instructions executed in the fifth time window is in the preset instruction whitelist; if a control instruction executed in the fifth time window is in the instruction whitelist, it is determined to be a legal control instruction, and if a control instruction executed in the fifth time window is not in the instruction whitelist, it is determined to be a suspicious control instruction.
  • the control behavior includes at least one control instruction executed sequentially, wherein the control instruction is the basic unit for realizing device control and status feedback in the target industrial control system, and each control instruction may include at least one relevant parameter.
  • an embodiment of the present invention also provides another industrial network behavior analysis device, including: at least one memory and at least one processor;
  • the at least one memory is used to store a machine-readable program
  • the at least one processor is configured to invoke the machine-readable program to execute the foregoing first aspect and the method provided in any possible implementation manner of the first aspect.
  • an embodiment of the present invention also provides an industrial network behavior analysis system, including: an industrial network behavior analysis device provided by the second aspect, any possible implementation of the second aspect, or the third aspect, and at least one industrial control system.
  • an embodiment of the present invention also provides a computer-readable medium having computer instructions stored on it; when the computer instructions are executed by a processor, the processor executes the method provided by the first aspect or any possible implementation of the first aspect.
  • At least one first time window is determined for the target industrial control system, so that different first time windows characterize the time periods during which the target industrial control system executes different control behaviors, and the execution probability deviation of each control instruction executed in each first time window is determined, so that the execution probability deviation characterizes the fluctuation of the execution probability of the corresponding control instruction when the target industrial control system executes the corresponding control behavior at different times. Since the execution pattern of each control instruction remains the same when the target industrial control system executes the same control behavior, and the probability of each control instruction being executed remains stable, the second time window can be determined according to the types of the collected control instructions and the related parameters they include, and according to whether the execution probability of each control instruction executed in the second time window satisfies the execution probability deviation of the same control instruction in the corresponding first time window, it can be determined whether the control instructions are legal while the target industrial control system executes the corresponding control behavior, thereby realizing the analysis of industrial network behavior.
  • FIG. 1 is a flowchart of an industrial network behavior analysis method according to an embodiment of the present invention;
  • FIG. 2 is a flowchart of a method for determining a first time window according to an embodiment of the present invention;
  • FIG. 3 is a flowchart of a method for calculating the execution probability deviation according to an embodiment of the present invention;
  • FIG. 4 is a flowchart of a method for determining a second time window according to an embodiment of the present invention;
  • FIG. 5 is a schematic diagram of an industrial network behavior analysis device according to an embodiment of the present invention;
  • FIG. 6 is a schematic diagram of another industrial network behavior analysis device according to an embodiment of the present invention;
  • FIG. 7 is a schematic diagram of yet another industrial network behavior analysis device according to an embodiment of the present invention;
  • FIG. 8 is a schematic diagram of still another industrial network behavior analysis device according to an embodiment of the present invention;
  • FIG. 9 is a schematic diagram of an industrial network behavior analysis device including a second analysis module according to an embodiment of the present invention;
  • FIG. 10 is a schematic diagram of an industrial network behavior analysis device including a memory and a processor according to an embodiment of the present invention;
  • FIG. 11 is a schematic diagram of an industrial network behavior analysis system according to an embodiment of the present invention.
  • Second identification module; 15: Probability calculation module; 16: Probability comparison module
  • First extraction unit; 114: First filtering unit; 115: Time window grouping unit
  • Second identification unit; 142: Start point determination unit; 143: End point determination unit
  • Second extraction unit; 145: Second filtering unit; 18: Second analysis module
  • the control instructions between the various control devices in the industrial control system can be collected, and industrial network behavior analysis can then be performed on the collected control instructions, where industrial network behaviors include control instructions, industrial status collection, industrial data transmission, etc., to determine whether the OT network is at risk of malicious attacks.
  • a trust list with legal control instructions is created in advance. After a control instruction is collected from the industrial control system, it is determined whether the collected control instruction is recorded in the trust list. If it is recorded in the trust list, the collected control instruction is determined to be a legal control instruction.
  • if the collected control instruction is not recorded in the trust list, it is determined to be an illegal control instruction, and in turn it is determined that the OT network is at risk of malicious attacks.
  • Analyzing industrial network behavior with a pre-created trust list (whitelist) is only suitable for simple control processes with fewer control instruction types. For complex control processes it is difficult to create a corresponding trust list, so the trust-list-based industrial network behavior analysis method is not applicable, and the applicability of the existing industrial network behavior analysis method is poor.
  • At least one first time window is determined for a target industrial control system, so that each first time window characterizes the time period during which the target industrial control system executes a corresponding control behavior, and the execution probability deviation of each control instruction in each first time window is determined separately, so that the execution probability deviation characterizes the fluctuation of the probability that the corresponding control instruction is executed in the corresponding first time window. Then the control instructions executed by the target industrial control system during its operation are collected, at least one second time window corresponding to the same control behavior as a first time window is determined according to the collected control instructions, the execution probability of each control instruction in each second time window is calculated, and it is determined whether the execution probability of each control instruction executed in the second time window satisfies the execution probability deviation of that control instruction in the corresponding first time window. If the execution probability of a control instruction satisfies the execution probability deviation of the control instruction in the corresponding first time window, the control instruction is determined to be a legal control instruction; otherwise, the control instruction is determined to be a suspicious control instruction. It can be seen that the first time window used as a reference and the execution probability deviation of the corresponding control instructions are created in advance, and the control instructions are collected during the working process of the industrial control system to determine the second time window corresponding to the same control behavior as the first time window.
  • an embodiment of the present invention provides an industrial network behavior analysis method.
  • the method may include the following steps:
  • Step 101: Determine at least one first time window for the target industrial control system, where the first time window is used to characterize the time period during which the target industrial control system executes a corresponding control behavior;
  • Step 102: Determine respectively the execution probability deviation of each control instruction in the target industrial controller in each first time window, where the execution probability deviation is used to characterize the fluctuation of the execution probability of the corresponding control instruction, and the execution probability is used to characterize the ratio of the number of times the corresponding control instruction is executed in a time period to the total number of control instructions executed in that time period;
  • Step 103: Collect the control instructions executed in the target industrial control system;
  • Step 104: Determine at least one second time window according to the collected control instructions, where the second time window is used to characterize the time period during which the target industrial control system executes the corresponding control behavior, and the control behavior executed by the target industrial control system within the second time window is the same as the control behavior executed in one of the first time windows;
  • Step 105: For each second time window, for each control instruction executed in the second time window, calculate the probability of the control instruction being executed in the second time window;
  • Step 106: For each second time window, for each control instruction executed in the second time window, determine whether the execution probability of the control instruction satisfies the target execution probability deviation; if yes (Y), go to step 107, if not (N), go to step 108, where the target execution probability deviation is the execution probability deviation of the control instruction in the first time window corresponding to the same control behavior as the second time window;
  • Step 107: Determine that the control instruction is a legal control instruction, and end the current process;
  • Step 108: Determine that the control instruction is a suspicious control instruction.
  • steps 101 and 102 are preprocessing, that is, the first time windows and the execution probability deviation of the different control instructions in each first time window need to be determined in advance for the target industrial control system; steps 101 and 102 are thus the learning stage of the judgment criterion.
  • Steps 103 to 108 are the subsequent processing, that is, the processing performed periodically during the normal operation of the target industrial control system; steps 103 to 108 are thus the detection stage of control instruction security.
  • At least one first time window is determined for the target industrial control system, so that different first time windows characterize the time periods during which the target industrial control system executes different control behaviors, and the execution probability deviation of the control instructions executed by the target industrial control system in each first time window is determined, so that the execution probability deviation characterizes the fluctuation of the execution probability of the corresponding control instruction when the target industrial control system executes the corresponding control behavior at different times. Since the execution pattern of each control instruction remains the same when the target industrial control system executes the same control behavior, and the probability of each control instruction being executed remains stable, the second time window can be determined according to the types of the collected control instructions and the related parameters they include, and according to whether the execution probability of each control instruction executed in the second time window satisfies the execution probability deviation of the same control instruction in the corresponding first time window, it can be determined whether the control instructions are legal while the target industrial control system executes the corresponding control behavior, thereby realizing the analysis of the safety of the control instructions.
  • the number of first time windows is determined by the control actions that can be performed by the target industrial control system.
  • the number of first time windows is less than or equal to the number of control behaviors that the target industrial control system can perform.
  • the target industrial control system is used to control the operation of an automobile production line. Every day is a production cycle: 8:00 to 12:00 is used to control the production line to produce model A cars, 12:00 to 14:00 is the suspension time of the production line, 14:00 to 19:00 is used to control the production line to produce model B cars, and 19:00 to 8:00 the next day is the suspension time of the production line.
  • controlling the production line to produce model A cars and controlling the production line to produce model B cars can be treated as two different control behaviors of the target industrial control system.
  • the production line suspension of the target industrial control system can also be treated as a control behavior, and then two first time windows can be determined.
  • the first time window 1 corresponds to the time period from 8:00 to 12:00, and the first time window 2 corresponds to the time period from 14:00 to 19:00.
  • since each first time window corresponds to a control behavior of the target industrial control system, and different control behaviors of the target industrial control system may require the same or different lengths of time, different first time windows may have different lengths of time or the same length of time.
  • different second time windows may have different time lengths, or may have the same time length.
  • step 103 collects the control instructions executed in the target industrial control system, usually refers to real-time acquisition of the control instructions executed in the target industrial control system, to ensure that the second time window is determined according to the collected control instructions Therefore, the accuracy of the analysis of the safety of the control command according to the second time window and the first time window is ensured.
  • the second time window and the first time window both characterize a time period during which the target industrial control system executes a corresponding control behavior, and for each second time window the control behavior executed by the target industrial control system within it is the same as the control behavior executed by the target industrial control system in one of the first time windows. For example, if the target industrial control system executes control behavior A in a second time window X, and there is a first time window Y in which the target industrial control system also executes control behavior A, then second time window X corresponds to first time window Y.
  • since the target industrial control system may repeatedly execute the same control behavior, several of the determined second time windows may correspond to the same first time window, that is, the control behavior executed by the target industrial control system in multiple second time windows is the same as the control behavior it executes in one first time window.
  • the method for determining the first time window may include the following steps:
  • Step 201 Collect control instructions executed in the target industrial control system within a preset learning time period
  • Step 202 When a first control instruction corresponding to a preset time window start identifier is collected, the time at which the first control instruction is collected is determined as a time window start point, and when a second control instruction corresponding to a preset time window end identifier is collected, the time at which the second control instruction is collected is determined as a time window end point;
  • Step 203 Determine the time period between the start of each pair of sequentially adjacent time windows and the end of the time window as a third time window;
  • Step 204 For each third time window, if the control command collected in the third time window meets a preset complexity rule, determine the third time window as a fourth time window;
  • Step 205 Group the fourth time windows to obtain at least one time window group, where each time window group includes at least one fourth time window, the target industrial control system executes the same control behavior in each fourth time window included in the same time window group, and the target industrial control system executes different control behaviors in the fourth time windows included in different time window groups;
  • Step 206 For each time window group, form a corresponding first time window, where the first time window and each fourth time window included in the time window group corresponding to the first time window have the same time window start point and time window end point, or the first time window and each fourth time window included in the time window group corresponding to the first time window have the same time length.
  • the control instructions executed when the target industrial control system performs each control behavior can be collected over a period of time, the fourth time window corresponding to each control behavior can be identified from the collected control instructions, the fourth time windows corresponding to the same control behavior can be divided into the same time window group, and a corresponding first time window can then be generated for each time window group; in turn, the first time window can serve as the reference for determining the safety of each control instruction when the target industrial control system executes the corresponding control behavior.
  • the length of the learning time period can be determined according to the number of control behaviors executed by the target industrial control system and the time span of each control behavior. Generally, the more control behaviors the target industrial control system executes, the longer the learning time period, and the longer the time span of each control behavior, the longer the learning time period. For example, the length of the learning time period can be set to one month; the control instructions of the target industrial control system are then collected within a predetermined one-month period, and the first time window is determined based on the control instructions collected within that month.
  • a corresponding time window start identifier and time window end identifier may be predefined for each control behavior of the target industrial control system.
  • the time window start identifier is made to correspond to the control instruction executed by the target industrial control system when the corresponding control behavior starts, and the time window end identifier is made to correspond to the control instruction executed by the target industrial control system when the corresponding control behavior ends; the corresponding third time window is then determined by detecting the time window start identifier and the time window end identifier.
  • the time window start identifier can be a write instruction, a start or stop instruction, one or more diagnostic instructions, one or more read instructions, one or more read instructions with specific parameters, specific diagnostic information, or an instruction sequence including multiple write or read instructions.
  • the time window end identifier may be the absence of any valid instruction, specific instruction sequence or information in one or more monitoring periods.
  • the time window end identifier may also be a production stop instruction or a device restart instruction.
  • the time at which the time window start identifier is collected is taken as the time window start point, and the time at which the time window end identifier is collected is taken as the time window end point.
  • the time period between each pair of sequentially adjacent time window start point and time window end point is determined as a third time window, thereby converting the control behavior into a third time window and converting each control task executed by the target industrial control system during the learning time period into a corresponding third time window.
  • after each third time window is determined, it can be detected separately whether the control instructions collected in each third time window meet the preset complexity rule. If the control instructions collected within a third time window meet the complexity rule, the third time window is determined to be a fourth time window. If the control instructions collected within a third time window do not meet the complexity rule, the control instructions collected in that third time window can be stored in the instruction whitelist, and the third time window is not determined as a fourth time window.
  • the preset complexity rule filters the obtained third time windows, and only a third time window that meets the complexity rule is determined as a fourth time window, so that the fourth time windows correspond to complex control behaviors, while the control instructions in third time windows that do not meet the complexity rule are stored in the whitelist. The security of control instructions for complex control behaviors is then analyzed based on the time windows and the execution probability deviation, while for simple control behaviors the whitelist is used to analyze the security of control instructions. This not only saves computing resources, but also prevents the control instructions corresponding to simple control behaviors from becoming interference noise for the control instructions corresponding to complex control behaviors, ensuring the accuracy of the industrial network behavior analysis performed for complex control behaviors.
  • the complexity rule can be defined as: the corresponding time window includes at least two different control instructions, the same control instruction with different parameters, or the same control instruction over a relatively long period of time.
  • since the same control behavior may be executed multiple times by the target industrial control system during the learning time period, the determined fourth time windows need to be grouped so that the fourth time windows corresponding to the same control behavior are divided into the same time window group; a corresponding first time window can then be formed for each time window group, so that each first time window corresponds to one control behavior.
  • when the fourth time windows are grouped, different fourth time windows have different index identifiers, and the first few control instructions executed in each fourth time window are stored as its characteristic value; the fourth time windows can then be grouped according to their index identifiers and characteristic values, so that the fourth time windows corresponding to the same control behavior are divided into the same time window group.
  • a corresponding first time window is generated from the fourth time windows in a time window group, so that the generated first time window reflects, as a whole, the start time or the time span of each fourth time window in the corresponding time window group.
  • different fourth time windows corresponding to the same control behavior may have a relatively stable starting time or a relatively stable time span.
  • the first time window can be generated according to the start time of each fourth time window in the time window group. For example, time window group 1 includes three fourth time windows whose time periods are 8:00 to 12:00, 8:05 to 12:06 and 8:02 to 12:05 respectively, and a first time window from 8:00 to 12:00 can be generated to correspond to time window group 1.
  • the first time window can be generated according to the time span of each fourth time window in the time window grouping.
  • for example, time window group 2 includes four fourth time windows whose time periods are 14:00 to 19:00, 13:00 to 18:00, 14:30 to 19:30 and 13:30 to 18:30 respectively, and a first time window with a time span of 5 hours can be generated to correspond to time window group 2.
  • the start time and time span of the generated first time window may differ from those of the individual fourth time windows in the corresponding time window group, especially the start time; the difference in time span is usually smaller.
  • the time span of the first time window may be equal to the average of the time spans of the fourth time windows in the corresponding time window group, and the start time of the first time window may likewise be equal to the average of the start times of the fourth time windows in the corresponding time window group.
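Steps 201 to 206 carried through on a constructed instruction stream, as an added Python illustration that is not code from the patent. It assumes that collected instructions are (timestamp, name, params) tuples, that fixed instruction names serve as the time window start and end identifiers, a complexity rule of "two distinct instructions, or one instruction with differing parameters", the first two instruction names of a window as its characteristic value, and the average start time and average span of a group as its first time window.

```python
"""Learning-phase construction of the "first time windows" (steps 201-206).

Added illustration, not the patent's own code.  Assumptions: collected control
instructions are (timestamp, name, params) tuples; the time window start and
end identifiers are the fixed instruction names START_ID / END_ID; the
complexity rule is "at least two distinct instructions, or one instruction
seen with different parameters"; the characteristic value used for grouping
is the first FEATURE_LEN instruction names of a window; and the first time
window is the average start-of-day offset and average span of its group.
"""
from collections import defaultdict
from datetime import datetime, timedelta

START_ID = "start"   # assumed time window start identifier
END_ID = "stop"      # assumed time window end identifier
FEATURE_LEN = 2      # leading instructions used as the characteristic value


def split_windows(instructions):
    """Steps 202-203: cut the stream into third time windows (start, end, body)."""
    windows, body, start = [], None, None
    for ts, name, params in instructions:
        if name == START_ID and body is None:
            start, body = ts, []
        if body is None:               # instruction outside any window
            continue
        body.append((ts, name, params))
        if name == END_ID:
            windows.append((start, ts, body))
            body = None
    return windows


def is_complex(body):
    """Step 204 complexity rule (assumed form, see module docstring)."""
    names = {n for _, n, _ in body if n not in (START_ID, END_ID)}
    if len(names) >= 2:
        return True
    params_by_name = defaultdict(set)
    for _, n, p in body:
        params_by_name[n].add(p)
    return any(len(p) > 1 for p in params_by_name.values())


def characteristic(body):
    """Step 205: the first few control instructions identify the behavior."""
    names = [n for _, n, _ in body if n not in (START_ID, END_ID)]
    return tuple(names[:FEATURE_LEN])


def learn_first_windows(instructions):
    """Steps 201-206.  Returns ({characteristic: (avg_start_s, avg_span_s)},
    whitelist); simple (non-complex) windows feed the instruction whitelist
    instead of producing a first time window."""
    groups, whitelist = defaultdict(list), set()
    for start, end, body in split_windows(instructions):
        if is_complex(body):                         # fourth time window
            groups[characteristic(body)].append((start, end))
        else:                                        # simple behavior
            whitelist.update(n for _, n, _ in body if n not in (START_ID, END_ID))
    first = {}
    for key, spans in groups.items():
        # the start point is relative time within the day, not absolute time
        starts = [(s - s.replace(hour=0, minute=0)).total_seconds() for s, _ in spans]
        lengths = [(e - s).total_seconds() for s, e in spans]
        first[key] = (sum(starts) / len(starts), sum(lengths) / len(lengths))
    return first, whitelist


# ---- constructed sample stream (not data from the patent) ----
MODEL_A = [("write", ("reg1", 10)), ("read", ("reg2",))]      # two distinct instructions
MODEL_B = [("write", ("reg1", 20)), ("write", ("reg1", 30))]  # same instruction, new params
SIMPLE = [("heartbeat", ()), ("heartbeat", ())]               # not complex -> whitelist


def _window(day, h1, m1, h2, m2, body):
    """Start marker, body instructions one minute apart, end marker."""
    s, e = datetime(2020, 1, day, h1, m1), datetime(2020, 1, day, h2, m2)
    out = [(s, START_ID, ())]
    out += [(s + timedelta(minutes=i), n, p) for i, (n, p) in enumerate(body, 1)]
    return out + [(e, END_ID, ())]


SAMPLE = (
    _window(1, 8, 0, 12, 0, MODEL_A) + _window(1, 14, 0, 19, 0, MODEL_B)
    + _window(1, 20, 0, 21, 0, SIMPLE)
    + _window(2, 8, 5, 12, 6, MODEL_A) + _window(2, 13, 0, 18, 0, MODEL_B)
    + _window(3, 8, 2, 12, 5, MODEL_A) + _window(3, 14, 30, 19, 30, MODEL_B)
    + _window(4, 13, 30, 18, 30, MODEL_B)
)

if __name__ == "__main__":
    first, wl = learn_first_windows(SAMPLE)
    for key, (start_s, span_s) in first.items():
        print(key, "start %02d:%02d" % divmod(start_s // 60, 60), "span %.0f min" % (span_s / 60))
    print("whitelist:", wl)
```

With the sample above the model A group yields a first time window starting at 8:02:20 with a span of 241.3 minutes, and the model B group one starting at 13:45 with a span of 300 minutes, matching the averaging rule described in the text.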
  • the traffic of the target industrial control system can be intercepted, and the control instructions can be extracted from the intercepted traffic according to the preset control instruction extraction rules.
  • probes (sensors) can be deployed in the target industrial control system and used to intercept traffic from the access switch and the system bus of the target industrial control system.
  • the system bus is used to connect the PLC with the engineer station and the operator station.
  • the access switch is used to connect the operation center with the engineer station and the operator station.
  • the control commands and the related parameters of the control commands can be extracted from the intercepted traffic, that is, a control instruction is composed of one or more control commands and their related parameters.
  • the method of collecting control instructions in step 103 is the same as the method of collecting control instructions in this embodiment of the present invention, that is, the traffic can be intercepted from the access switch and system bus of the target industrial control system, and the control instructions are then extracted from the intercepted traffic.
  • the first time window and each fourth time window included in the time window group corresponding to the first time window have the same time window start point and time window end point. Here "the same" does not mean that the first time window and the fourth time window have exactly the same start time and end time, but that the difference between the start time of the first time window and that of the fourth time window is less than a preset threshold, and the difference between the end time of the first time window and that of the fourth time window is less than the preset threshold. The time window start point and time window end point do not refer to absolute time, but to relative time within a corresponding cycle, such as the time of day.
  • the first time window and each fourth time window included in the time window group corresponding to the first time window have the same time length. Again, the same time length does not mean that the first time window and the fourth time window have exactly the same length of time, but that the difference between the time length of the first time window and that of the fourth time window is less than a preset threshold.
  • the execution probability deviation of each control instruction in the corresponding first time window may be determined according to the execution probability of each control instruction executed in each fourth time window in the time window group.
  • determining the execution probability deviation of each control instruction in each first time window may include the following steps:
  • Step 301 For each fourth time window, calculate the execution probability of each control instruction executed in the fourth time window;
  • Step 302 For each time window group, for each control instruction executed in each fourth time window included in the time window group, calculate the execution probability deviation of the control instruction in the first time window corresponding to the time window group according to the execution probability of the control instruction in each fourth time window included in the time window group.
  • after the fourth time windows are divided into time window groups, for each fourth time window in each time window group, the probability of each control instruction executed in the fourth time window being executed can be calculated.
  • the execution probability is used to characterize the probability of the corresponding control instruction being executed in a period of time.
  • the execution probability of a control instruction in a period of time is equal to the ratio of the number of times the control instruction is executed in the period of time to the total number of times all control instructions are executed in the period of time.
  • for example, if the target industrial control system executed a total of 100 control instructions in a fourth time window, among which control instruction A was executed 20 times, then the probability of control instruction A being executed in that fourth time window is 20%.
  • for each control instruction, the execution probability deviation of the control instruction in the first time window corresponding to a time window group is calculated from the execution probability of the control instruction in each fourth time window included in the time window group. Because the probability of each control instruction being executed remains basically stable when the target industrial control system performs the same control behavior at different times, the execution probability deviation of a control instruction characterizes the allowable range of fluctuation of that control instruction when the target industrial control system executes the corresponding control behavior.
  • for example, time window group 1 includes three fourth time windows, and the execution probability of control instruction A in these three fourth time windows is 20%, 21% and 19% respectively; the difference of 2% between the maximum execution probability of control instruction A (21%) and its minimum execution probability (19%) is taken as the execution probability deviation of control instruction A in the first time window corresponding to time window group 1.
  • the average execution probability of the control instruction in the corresponding first time window can be determined in advance, and it is then determined whether the difference between the execution probability of the control instruction and the average execution probability is less than the target execution probability deviation; if so, the execution probability of the control instruction is determined to meet the target execution probability deviation, otherwise it is determined not to meet the target execution probability deviation.
  • the average execution probability of a control instruction is equal to the average of the execution probabilities of the control instruction in each fourth time window included in the corresponding time window group.
  • the second time window may be determined according to the time window start identifier and the time window end identifier used when determining the first time window.
  • the method for determining the second time window may include the following steps:
  • Step 401 Identify the time window start identifier and the time window end identifier from the collected control instructions;
  • Step 402 For each identified start identifier of the time window, determine the time at which the control instruction corresponding to the start identifier of the time window is collected as the start point of the time window;
  • Step 403 For each identified end indicator of the time window, determine the time at which the control instruction corresponding to the end indicator of the time window is collected as the end of the time window;
  • Step 404 Determine the time period between the start point and the end point of each pair of sequentially adjacent time windows as a fifth time window;
  • Step 405 For each fifth time window, if the control instructions collected in the fifth time window satisfy the complexity rule, and there is a first time window corresponding to the same control behavior as the fifth time window, determine the fifth time window as a second time window.
  • the time window start identifier and time window end identifier used when determining the first time window are also used to identify the time window start identifier and time window end identifier in the control instructions collected during the detection process; the time at which the time window start identifier is collected is determined as the time window start point, the time at which the time window end identifier is collected is determined as the time window end point, the time period between each pair of sequentially adjacent time window start point and time window end point is determined as a fifth time window, and the second time windows are then selected from the fifth time windows. Using the same basis for identifying time windows ensures that second time windows corresponding to the same control behavior as the first time windows can be obtained, and thus that the safety analysis of control instructions can be carried out normally.
  • it is determined whether the control instructions collected in the fifth time window meet the complexity rule. If they do not, the target industrial control system performed a simple control behavior in the fifth time window, and the whitelist can be used to determine whether the control instructions collected in the fifth time window are legal, avoiding a waste of computing resources. If the control instructions collected in the fifth time window meet the complexity rule, it is further judged whether there is a first time window in which the control behavior executed by the target industrial control system is the same as the control behavior executed by the target industrial control system in the fifth time window. If so, the fifth time window is determined as a second time window for subsequent processing. If there is no first time window meeting the above condition, the target industrial control system has executed a control behavior that was never executed before, and all control instructions collected in the fifth time window are determined to be suspicious control instructions.
  • after step 404, if the control instructions collected in a determined fifth time window do not satisfy the complexity rule, it is determined whether each control instruction executed in the fifth time window is in the preset instruction whitelist; if so, the control instruction is determined to be a legal control instruction, otherwise the control instruction is determined to be a suspicious control instruction.
  • a security analysis is performed on the control instructions collected in the fifth time window based on the preset instruction whitelist: it is determined whether each control instruction executed within the fifth time window is recorded in the instruction whitelist; if so, the control instruction is determined to be a legal control instruction, otherwise it is determined to be a suspicious control instruction.
  • an instruction whitelist can easily be created for the simple control behaviors executed by the target industrial control system, and the security of the control instructions executed during the simple control behaviors of the target industrial control system can then be analyzed based on the created instruction whitelist, avoiding the waste of computing resources that would be caused by performing the security analysis by calculating the execution probability.
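The execution probability deviation of steps 301 and 302, the legal/suspicious check applied to a second time window, and the whitelist path for a fifth time window that fails the complexity rule, as an added Python illustration that is not code from the patent. It assumes a window is summarised by its per-instruction counts, that the deviation is the maximum minus the minimum execution probability over the grouped fourth time windows (as in the 20%/21%/19% example), a complexity rule of at least two distinct instructions, and a 0% baseline with zero deviation for an instruction never seen in the group.

```python
"""Execution probability deviation (steps 301-302) and the per-instruction
check on a detected window.  Added illustration, not the patent's code.

Assumptions: a window is summarised as {instruction: count}; the deviation
of an instruction is its maximum minus minimum execution probability over
the fourth time windows of the group; the complexity rule is "at least two
distinct instructions"; an instruction never seen in the group has a 0%
baseline with zero deviation, so it can never pass the check.
"""
from collections import Counter


def execution_probabilities(counts):
    """Step 301: count of the instruction / total count in the window."""
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def learn_profile(fourth_windows):
    """Step 302 for one time window group: returns
    {instruction: (average probability, execution probability deviation)}
    describing the group's first time window."""
    probs = [execution_probabilities(c) for c in fourth_windows]
    profile = {}
    for name in set().union(*probs):
        ps = [p.get(name, 0.0) for p in probs]
        profile[name] = (sum(ps) / len(ps), max(ps) - min(ps))
    return profile


def is_complex(counts):
    """Assumed complexity rule: at least two distinct control instructions."""
    return len(counts) >= 2


def analyse_window(counts, profile, whitelist):
    """Classify each instruction of a fifth time window: True = legal,
    False = suspicious.

    * simple window -> legal only if the instruction is whitelisted
    * complex window, no first window for this behaviour -> all suspicious
    * complex window with a matching profile -> legal if |p - average| < deviation
    """
    if not is_complex(counts):
        return {name: name in whitelist for name in counts}
    if profile is None:
        return {name: False for name in counts}
    verdict = {}
    for name, p in execution_probabilities(counts).items():
        avg, dev = profile.get(name, (0.0, 0.0))
        # strict "less than", as stated for the target deviation: an
        # instruction with zero learned deviation is always flagged
        verdict[name] = abs(p - avg) < dev
    return verdict


# ---- constructed sample data (not from the patent) ----
# Three fourth time windows of one group: instruction A at 20%, 21%, 19%,
# giving A an average of 20% and a deviation of 2% (as in the text).
GROUP_1 = [
    {"A": 20, "B": 80},
    {"A": 21, "B": 79},
    {"A": 19, "B": 81},
]
WHITELIST = {"heartbeat"}

if __name__ == "__main__":
    profile = learn_profile(GROUP_1)
    # fifth time windows reconstructed from constructed instruction streams
    print(analyse_window(Counter(["A"] * 41 + ["B"] * 159), profile, WHITELIST))
    print(analyse_window(Counter(["A"] * 50 + ["B"] * 150), profile, WHITELIST))
    print(analyse_window(Counter(["heartbeat"] * 5), profile, WHITELIST))
```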
  • control command can be a single control command or a control command sequence composed of multiple control commands, and the control command is the target industrial control
  • Each control command can include one or more related parameters.
  • a single control command can be collected from the target industrial control system as a control instruction, or a control command sequence can be collected from the target industrial control system as a control instruction, and the control instruction can also include the relevant parameters; the method can thus be applied to different application scenarios, which further improves the applicability of the industrial network behavior analysis method.
  • a control command can be any one of a write command, a read command, a start command, diagnostic information, a heartbeat signal, etc., or a sequential combination of any two or more of a write command, a read command, a start command, diagnostic information, a heartbeat signal, etc.; key parameters transmitted in the target industrial control system can also be used as control commands.
  • the collected control instructions may be converted into corresponding digital sequences according to a preset conversion rule, and the converted digital sequences can then be used to calculate the execution probability and execution probability deviation of the corresponding control instructions, so that the execution probability calculation, the execution probability deviation calculation, and the matching of the first time window and the second time window are more convenient and faster, reducing the computing resources required for the industrial network behavior analysis.
  • an embodiment of the present invention provides an industrial network behavior analysis device 10, including:
  • a first identification module 11 configured to determine at least one first time window for the target industrial control system, where the first time window is used to characterize the time period during which the target industrial control system executes a corresponding control action;
  • a deviation calculation module 12 configured to separately determine the execution probability deviation of each control instruction in the target industrial control system within each first time window determined by the first identification module 11, where the execution probability deviation characterizes the fluctuation of the probability of the corresponding control instruction being executed, and the execution probability characterizes the ratio of the number of times the corresponding control instruction is executed in a time period to the total number of control instructions executed in the time period;
  • an instruction collection module 13 configured to collect control instructions executed in the target industrial control system;
  • a second identification module 14 configured to determine at least one second time window according to the control instructions collected by the instruction collection module 13, where the second time window characterizes the time period during which the target industrial control system executes the corresponding control behavior, and the control behavior executed by the target industrial control system in the second time window is the same as the control behavior executed in a first time window;
  • a probability calculation module 15 configured to calculate, for each second time window determined by the second identification module 14 and for each control instruction executed within the second time window, the probability of the control instruction being executed within the second time window;
  • a probability comparison module 16 configured to determine, for each second time window determined by the second identification module 14 and for each control instruction executed within the second time window, whether the execution probability of the control instruction calculated by the probability calculation module 15 satisfies the target execution probability deviation, where the target execution probability deviation is the execution probability deviation, calculated by the deviation calculation module 12, of the control instruction in the first time window corresponding to the same control behavior as the second time window;
  • a first analysis module 17 configured to determine, according to the judgment result of the probability comparison module 16, that a control instruction is a legal control instruction if its execution probability meets the target execution probability deviation, and that the control instruction is a suspicious control instruction if its execution probability does not meet the target execution probability deviation.
  • the first identification module 11 can be used to perform step 101 in the above method embodiment
  • the deviation calculation module 12 can be used to perform step 102 in the above method embodiment
  • the instruction collection module 13 can be used to perform the above method implementation.
  • the second identification module 14 can be used to perform step 104 in the above method embodiment
  • the probability calculation module 15 can be used to perform step 105 in the above method embodiment
  • the probability comparison module 16 can be used to perform the above method implementation.
  • the first analysis module 17 can be used to execute step 107 and step 108 in the foregoing method embodiment.
  • the first identification module 11 includes:
  • An acquisition unit 111 which is used to collect control instructions executed in the target industrial control system within a preset learning time period;
  • a first identification unit 112 configured to determine the time at which a first control instruction is collected as a time window start point when the acquisition unit 111 collects the first control instruction corresponding to the preset time window start identifier, and to determine the time at which a second control instruction is collected as a time window end point when the acquisition unit 111 collects the second control instruction corresponding to the preset time window end identifier;
  • a first extraction unit 113 configured to determine the time period between the start point and the end point of each pair of sequentially adjacent time windows determined by the first recognition unit 112 as a third time window;
  • a first filtering unit 114 configured to, for each third time window determined by the first extraction unit 113, determine the third time window as a fourth time window if the control instructions collected in the third time window meet a preset complexity rule;
  • a time window grouping unit 115 configured to group the fourth time windows determined by the first filtering unit 114 to obtain at least one time window group, wherein each time window group includes at least one fourth time window, the target industrial control system executes the same control behavior in each fourth time window included in the same time window group, and the target industrial control system executes different control behaviors in the fourth time windows included in different time window groups;
  • a time window generating unit 116 configured to form a corresponding first time window for each time window group divided by the time window grouping unit 115, where the first time window and each fourth time window included in the time window group corresponding to the first time window have the same time window start point and time window end point, or the first time window and each fourth time window included in the time window group corresponding to the first time window have the same length of time.
  • the acquisition unit 111 can be used to perform step 201 in the above method embodiment
  • the first identification unit 112 can be used to perform step 202 in the above method embodiment
  • the first extraction unit 113 can be used to perform the above method implementation.
  • the first filtering unit 114 can be used to perform step 204 in the above method embodiment
  • the time window grouping unit 115 can be used to perform step 205 in the above method embodiment
  • the time window generating unit 116 can be used to perform the above method.
  • the deviation calculation module 12 includes:
  • a probability calculation unit 121 for each time window group, respectively calculating the execution probability of each control instruction executed in each fourth time window included in the time window group;
  • a deviation calculation unit 122 configured to, for each time window group and for each control instruction executed in each fourth time window included in the time window group, calculate the execution probability deviation of the control instruction in the first time window corresponding to the time window group according to the execution probability of the control instruction in each fourth time window included in the time window group, as calculated by the probability calculation unit 121.
  • the probability calculation unit 121 may be used to perform step 301 in the foregoing method embodiment, and the deviation calculation unit 122 may be used to perform step 302 in the foregoing method embodiment.
  • the second identification module 14 includes:
  • a second identification unit 141, configured to identify the time window start identifier and the time window end identifier from the collected control instructions;
  • a start point determination unit 142, configured to determine, for each time window start identifier identified by the second identification unit 141, the time at which the control instruction corresponding to that start identifier was collected as a time window start point;
  • an end point determination unit 143, configured to determine, for each time window end identifier identified by the second identification unit 141, the time at which the control instruction corresponding to that end identifier was collected as a time window end point;
  • a second extraction unit 144, configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the start point determination unit 142 and the end point determination unit 143 as a fifth time window;
  • a second filtering unit 145, configured to, for each fifth time window determined by the second extraction unit 144, determine that fifth time window as a second time window if the control instructions collected in it satisfy the complexity rule and there exists a first time window corresponding to the same control behavior as that fifth time window.
  • the second identification unit 141 can be used to perform step 401 in the above method embodiment
  • the start point determination unit 142 can be used to perform step 402 in the above method embodiment
  • the end point determination unit 143 can be used to perform step 403 in the above method embodiment
  • the second extraction unit 144 can be used to perform step 404 in the above method embodiment
  • the second filtering unit 145 can be used to perform step 405 in the above method embodiment.
  • the industrial network behavior analysis device 10 further includes a second analysis module 18;
  • the second analysis module 18 is configured to, for each fifth time window determined by the second extraction unit 144, if the control instructions collected in that fifth time window do not satisfy the complexity rule, judge separately whether each control instruction executed in the fifth time window is in a preset instruction whitelist; if a control instruction executed in the fifth time window is in the instruction whitelist, it is determined to be a legal control instruction, and if it is not in the instruction whitelist, it is determined to be a suspicious control instruction.
  • the control instruction includes at least one control command executed sequentially, where a control command is the basic unit for implementing device control and status feedback in the target industrial control system;
  • each control command can include at least one related parameter.
  • an embodiment of the present invention provides an industrial network behavior analysis device 20, which includes: at least one memory 21 and at least one processor 22;
  • the at least one memory 21 is used to store a machine-readable program
  • the at least one processor 22 is configured to invoke the machine-readable program to execute the industrial network behavior analysis method provided by the foregoing embodiments.
  • an embodiment of the present invention provides an industrial network behavior analysis system 100, which includes: one industrial network behavior analysis device 10/20 provided in any of the foregoing embodiments and at least one industrial control system 30.
  • probes can be set up in each industrial control system 30, and the industrial network behavior analysis device 10/20 uses each probe to collect the control instructions in the corresponding industrial control system 30, thereby performing industrial network behavior analysis for multiple industrial control systems 30.
  • the present invention also provides a computer-readable medium that stores instructions for making a computer execute the industrial network behavior analysis method described herein.
  • a system or device equipped with a storage medium may be provided, on which the software program code that implements the function of any one of the above embodiments is stored, and the computer (or CPU or MPU) of the system or device reads and executes the program code stored in the storage medium.
  • the program code itself, read from the storage medium, can implement the function of any one of the above embodiments, so the program code and the storage medium storing the program code constitute a part of the present invention.
  • Examples of storage media used to provide program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards and ROM.
  • the program code can alternatively be downloaded from a server computer via a communication network.
  • the program code read from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion unit connected to the computer, and instructions based on the program code then cause a CPU or the like installed on the expansion board or expansion unit to perform part or all of the actual operations, so as to realize the function of any one of the above embodiments.
  • the system structure described in the foregoing embodiments may be a physical structure or a logical structure; that is, some modules may be implemented by the same physical entity, some modules may each be implemented by multiple physical entities, or some modules may be implemented jointly by components in several independent devices.
  • the hardware unit can be implemented mechanically or electrically.
  • a hardware unit may include a permanent dedicated circuit or logic (such as a dedicated processor, FPGA or ASIC) to complete the corresponding operation.
  • the hardware unit may also include programmable logic or circuits (such as a general-purpose processor or other programmable processor), which may be temporarily configured by software to complete the corresponding operation.
  • the specific implementation (mechanical, dedicated permanent circuit, or temporarily configured circuit) can be determined based on cost and time considerations.

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Quality & Reliability (AREA)
  • Manufacturing & Machinery (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • General Factory Administration (AREA)

Abstract

An industrial network behavior analysis method, device, system and computer-readable medium. The industrial network behavior analysis method includes: determining at least one first time window for a target industrial control system (101); separately determining the execution probability deviation of each control instruction in the target industrial controller within each first time window (102); collecting the control instructions executed in the target industrial control system (103); determining at least one second time window based on the collected control instructions (104); calculating the execution probability of a control instruction within the second time window (105); judging whether the execution probability of the control instruction satisfies a target execution probability deviation (106); if so, determining that the control instruction is a legal control instruction (107), otherwise determining that the control instruction is a suspicious control instruction (108).

Description

Industrial network behavior analysis method, device, system and computer-readable medium
Technical Field
The present invention relates to the field of communication technology, and in particular to an industrial network behavior analysis method, device, system and computer-readable medium.
Background
With the continuous development of Internet of Things (IoT) technology and operational technology (OT), large manufacturing enterprises require that all industrial control systems be monitored within a single security monitoring system. Different industrial control systems are therefore connected to the same security monitoring system to form an OT network; because the security defense capability of industrial control systems is weak, however, the risk that the OT network is maliciously attacked is high. To ensure the security of the OT network, the control instructions exchanged between the control devices within an industrial control system can be collected, and industrial network behavior analysis can be performed on the collected control instructions to determine whether the OT network is at risk of malicious attack.
At present, a trust list is created in advance for an industrial control system, storing identification information of trusted control instructions. After the control instructions between the control devices in the industrial control system are collected, it is judged whether each collected control instruction is recorded in the trust list: if it is, the collected control instruction is determined to be a legal control instruction; if it is not, the collected control instruction is determined to be an abnormal control instruction, and the OT network is determined to be at risk of malicious attack.
This existing method of analyzing industrial network behavior decides whether a collected control instruction corresponds to abnormal operating behavior on the basis of a pre-created trust list, and every control instruction must be compared against the trust list individually. It is therefore only suitable for simple control processes involving few types of control instruction, and not for complex control processes involving many types of control instruction, so the applicability of existing industrial network behavior analysis methods is poor.
Summary of the Invention
In view of this, the industrial network behavior analysis method, device, system and computer-readable medium provided by the present invention can improve the applicability of industrial network behavior analysis.
In a first aspect, an embodiment of the present invention provides an industrial network behavior analysis method, including:
determining at least one first time window for a target industrial control system, where the first time window represents a time period in which the target industrial control system executes a corresponding control behavior;
separately determining the execution probability deviation of each control instruction in the target industrial controller within each first time window, where the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction, and the execution probability represents the ratio of the number of times the corresponding control instruction is executed within a time period to the total number of control instructions executed within that time period;
collecting the control instructions executed in the target industrial control system;
determining at least one second time window based on the collected control instructions, where the second time window represents a time period in which the target industrial control system (30) executes a corresponding control behavior, and the control behavior executed by the target industrial control system (30) within the second time window is the same as the control behavior executed within one of the first time windows;
for each second time window, performing:
for each control instruction executed within that second time window, calculating the execution probability of that control instruction within the second time window;
for each control instruction executed within that second time window, judging whether the execution probability of that control instruction satisfies a target execution probability deviation, where the target execution probability deviation is the execution probability deviation of that control instruction within the first time window corresponding to the same control behavior as that second time window;
if the execution probability of the control instruction satisfies the target execution probability deviation, determining that the control instruction is a legal control instruction;
if the execution probability of the control instruction does not satisfy the target execution probability deviation, determining that the control instruction is a suspicious control instruction.
In a first possible implementation, in combination with the first aspect above, determining at least one first time window for the target industrial control system includes:
collecting the control instructions executed in the target industrial control system during a preset learning time period;
when a first control instruction corresponding to a preset time window start identifier is collected, determining the time at which the first control instruction was collected as a time window start point, and when a second control instruction corresponding to a preset time window end identifier is collected, determining the time at which the second control instruction was collected as a time window end point;
determining the time period between each pair of sequentially adjacent time window start point and time window end point as a third time window;
for each third time window, if the control instructions collected within that third time window satisfy a preset complexity rule, determining that third time window as a fourth time window;
grouping the fourth time windows to obtain at least one time window group, where each time window group includes at least one fourth time window, the target industrial control system executes the same control behavior within the fourth time windows included in the same time window group, and executes different control behaviors within the fourth time windows included in different time window groups;
forming a corresponding first time window for each time window group, where the first time window and the fourth time windows included in the corresponding time window group have the same time window start point and time window end point, or the first time window and the fourth time windows included in the corresponding time window group have the same time length.
In a second possible implementation, in combination with the first possible implementation above, separately determining the execution probability deviation of each control instruction in the target industrial controller within each first time window includes:
for each fourth time window, calculating the execution probability of each control instruction executed within that fourth time window;
for each time window group, performing:
for each control instruction executed within the fourth time windows included in that time window group, calculating the execution probability deviation of that control instruction within the first time window corresponding to that time window group, based on the execution probabilities of that control instruction within each fourth time window included in the group.
In a third possible implementation, in combination with the first possible implementation above, determining at least one second time window based on the collected control instructions includes:
identifying the time window start identifier and the time window end identifier from the collected control instructions;
for each identified time window start identifier, determining the time at which the control instruction corresponding to that start identifier was collected as a time window start point;
for each identified time window end identifier, determining the time at which the control instruction corresponding to that end identifier was collected as a time window end point;
determining the time period between each determined pair of sequentially adjacent time window start point and time window end point as a fifth time window;
for each fifth time window, if the control instructions collected within that fifth time window satisfy the complexity rule, and there exists a first time window corresponding to the same control behavior as that fifth time window, determining that fifth time window as a second time window.
In a fourth possible implementation, in combination with the third possible implementation above, after determining the time period between each determined pair of sequentially adjacent time window start point and time window end point as a fifth time window, the method further includes:
for each fifth time window, if the control instructions collected within that fifth time window do not satisfy the complexity rule, separately judging whether each control instruction executed within that fifth time window is in a preset instruction whitelist;
if the control instruction is in the instruction whitelist, determining that the control instruction is a legal control instruction;
if the control instruction is not in the instruction whitelist, determining that the control instruction is a suspicious control instruction.
In a fifth possible implementation, in combination with the first aspect above or any one of its first, second, third and fourth possible implementations, the control instruction includes at least one control command executed sequentially, where the control command is the basic unit for implementing device control and status feedback in the target industrial control system, and each control command may include at least one related parameter.
In a second aspect, an embodiment of the present invention further provides an industrial network behavior analysis device, including:
a first identification module, configured to determine at least one first time window for a target industrial control system, where the first time window represents a time period in which the target industrial control system executes a corresponding control behavior;
a deviation calculation module, configured to separately determine the execution probability deviation of each control instruction in the target industrial controller within each first time window determined by the first identification module, where the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction, and the execution probability represents the ratio of the number of times the corresponding control instruction is executed within a time period to the total number of control instructions executed within that time period;
an instruction collection module, configured to collect the control instructions executed in the industrial control system;
a second identification module, configured to determine at least one second time window based on the control instructions collected by the instruction collection module, where the second time window represents a time period in which the target industrial control system executes a corresponding control behavior, and the control behavior executed by the target industrial control system within the second time window is the same as the control behavior executed within one of the first time windows;
a probability calculation module, configured to, for each second time window determined by the second identification module and for each control instruction executed within that second time window, calculate the execution probability of that control instruction within the second time window;
a probability comparison module, configured to, for each second time window determined by the second identification module and for each control instruction executed within that second time window, judge whether the execution probability of that control instruction calculated by the probability calculation module satisfies a target execution probability deviation, where the target execution probability deviation is the execution probability deviation, calculated by the deviation calculation module, of that control instruction within the first time window corresponding to the same control behavior as that second time window;
a first analysis module, configured to, based on the judgment result of the probability comparison module, determine that a control instruction is a legal control instruction if its execution probability satisfies the target execution probability deviation, and determine that the control instruction is a suspicious control instruction if its execution probability does not satisfy the target execution probability deviation.
In a first possible implementation, in combination with the second aspect above, the first identification module includes:
a collection unit, configured to collect the control instructions executed in the target industrial control system during a preset learning time period;
a first identification unit, configured to, when the collection unit collects a first control instruction corresponding to a preset time window start identifier, determine the time at which the first control instruction was collected as a time window start point, and when the collection unit collects a second control instruction corresponding to a preset time window end identifier, determine the time at which the second control instruction was collected as a time window end point;
a first extraction unit, configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the first identification unit as a third time window;
a first filtering unit, configured to, for each third time window determined by the first extraction unit, determine that third time window as a fourth time window if the control instructions collected within it satisfy a preset complexity rule;
a time window grouping unit, configured to group the fourth time windows determined by the first filtering unit to obtain at least one time window group, where each time window group includes at least one fourth time window, the target industrial control system executes the same control behavior within the fourth time windows included in the same time window group, and executes different control behaviors within the fourth time windows included in different time window groups;
a time window generating unit, configured to form a corresponding first time window for each time window group divided by the time window grouping unit, where the first time window and the fourth time windows included in the corresponding time window group have the same time window start point and time window end point, or the first time window and the fourth time windows included in the corresponding time window group have the same time length.
In a second possible implementation, in combination with the first possible implementation above, the deviation calculation module includes:
a probability calculation unit, configured to, for each time window group, separately calculate the execution probability of each control instruction executed within each fourth time window included in that time window group;
a deviation calculation unit, configured to, for each time window group and for each control instruction executed within the fourth time windows included in that group, calculate the execution probability deviation of that control instruction within the first time window corresponding to the group, based on the execution probabilities of that control instruction within each included fourth time window as calculated by the probability calculation unit.
In a third possible implementation, in combination with the first possible implementation above, the second identification module includes:
a second identification unit, configured to identify the time window start identifier and the time window end identifier from the collected control instructions;
a start point determination unit, configured to, for each time window start identifier identified by the second identification unit, determine the time at which the control instruction corresponding to that start identifier was collected as a time window start point;
an end point determination unit, configured to, for each time window end identifier identified by the second identification unit, determine the time at which the control instruction corresponding to that end identifier was collected as a time window end point;
a second extraction unit, configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the start point determination unit and the end point determination unit as a fifth time window;
a second filtering unit, configured to, for each fifth time window determined by the second extraction unit, determine that fifth time window as a second time window if the control instructions collected within it satisfy the complexity rule and there exists a first time window corresponding to the same control behavior as that fifth time window.
In a fourth possible implementation, in combination with the third possible implementation above, the industrial network behavior analysis device further includes a second analysis module;
the second analysis module is configured to, for each fifth time window determined by the second extraction unit, if the control instructions collected within that fifth time window do not satisfy the complexity rule, separately judge whether each control instruction executed within that fifth time window is in a preset instruction whitelist; if a control instruction executed within the fifth time window is in the instruction whitelist, it determines that the control instruction is a legal control instruction, and if a control instruction executed within the fifth time window is not in the instruction whitelist, it determines that the control instruction is a suspicious control instruction.
In a fifth possible implementation, in combination with the second aspect above or any one of its first, second, third and fourth possible implementations, the control instruction includes at least one control command executed sequentially, where the control command is the basic unit for implementing device control and status feedback in the target industrial control system, and each control command may include at least one related parameter.
In a third aspect, an embodiment of the present invention further provides another industrial network behavior analysis device, including at least one memory and at least one processor;
the at least one memory is configured to store a machine-readable program;
the at least one processor is configured to invoke the machine-readable program to execute the method provided by the first aspect above or any of its possible implementations.
In a fourth aspect, an embodiment of the present invention further provides an industrial network behavior analysis system, including: one industrial network behavior analysis device provided by the second aspect above, any possible implementation of the second aspect, or the third aspect, and at least one industrial control system.
In a fifth aspect, an embodiment of the present invention further provides a computer-readable medium storing computer instructions which, when executed by a processor, cause the processor to execute the method provided by the first aspect above or any of its possible implementations.
It can be seen from the above technical solutions that at least one first time window is determined for the target industrial control system, so that different first time windows represent time periods in which the target industrial control system executes different control behaviors, and the execution probability deviation of the control instructions executed within each first time window is determined separately, so that the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction across different executions of the corresponding control behavior by the target industrial control system. Because the execution pattern of the control instructions stays the same each time the target industrial control system executes the same control behavior, and the execution probability of each control instruction remains stable, a second time window can be determined from the types of the collected control instructions and the related parameters they include, and whether each control instruction executed by the target industrial control system during the corresponding control behavior is legal can be determined from whether its execution probability within the second time window satisfies the execution probability deviation of the same control instruction within the corresponding first time window, thereby implementing industrial network behavior analysis.
Brief Description of the Drawings
Fig. 1 is a flowchart of an industrial network behavior analysis method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a first time window determination method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of an execution probability deviation calculation method provided by an embodiment of the present invention;
Fig. 4 is a flowchart of a second time window determination method provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of an industrial network behavior analysis device provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of another industrial network behavior analysis device provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of yet another industrial network behavior analysis device provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of still another industrial network behavior analysis device provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of an industrial network behavior analysis device including a second analysis module, provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of an industrial network behavior analysis device including a memory and a processor, provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of an industrial network behavior analysis system provided by an embodiment of the present invention.
List of reference numerals:
101: determine at least one first time window for the target industrial control system
102: separately determine the execution probability deviation of each control instruction in the target industrial controller within each first time window
103: collect the control instructions executed in the target industrial control system
104: determine at least one second time window based on the collected control instructions
105: calculate the execution probability of the control instruction within the corresponding second time window
106: judge whether the execution probability of the control instruction within the second time window satisfies the target execution probability deviation
107: determine that the control instruction is a legal control instruction
108: determine that the control instruction is a suspicious control instruction
201: collect the control instructions executed in the target industrial control system during a preset learning time period
202: determine the time window start points and time window end points
203: determine the time period between each pair of sequentially adjacent time window start point and time window end point as a third time window
204: determine the third time windows whose collected control instructions satisfy the complexity rule as fourth time windows
205: divide the fourth time windows into at least one time window group
206: form a corresponding first time window for each time window group
301: separately calculate the execution probability of each control instruction executed within each fourth time window
302: separately calculate the execution probability deviation of each control instruction within the first time window corresponding to each time window group
401: identify the time window start identifiers and time window end identifiers from the collected control instructions
402: determine the time at which the control instruction corresponding to a time window start identifier was collected as a time window start point
403: determine the time at which the control instruction corresponding to a time window end identifier was collected as a time window end point
404: determine the time period between each pair of sequentially adjacent time window start point and time window end point as a fifth time window
405: determine the fifth time windows that satisfy the complexity rule and have a corresponding first time window as second time windows
10: industrial network behavior analysis device    20: industrial network behavior analysis device    30: industrial control system
11: first identification module            12: deviation calculation module          13: instruction collection module
14: second identification module           15: probability calculation module        16: probability comparison module
17: first analysis module                  111: collection unit                      112: first identification unit
113: first extraction unit                 114: first filtering unit                 115: time window grouping unit
116: time window generating unit           121: probability calculation unit         122: deviation calculation unit
141: second identification unit            142: start point determination unit       143: end point determination unit
144: second extraction unit                145: second filtering unit                18: second analysis module
100: industrial network behavior analysis system    21: memory          22: processor
Detailed Description
As stated above, to ensure the security of the OT network formed by the security monitoring system and the industrial control systems, the control instructions between the control devices within an industrial control system can be collected, and industrial network behavior can be analyzed from the collected control instructions, where industrial network behavior includes control instructions, industrial state collection, industrial data transmission and so on, in order to determine whether the OT network is at risk of malicious attack. At present, when analyzing industrial network behavior, a trust list recording legal control instructions is created in advance; after control instructions are collected from the industrial control system, it is judged whether each collected control instruction is recorded in the trust list: if so, the collected control instruction is determined to be a legal control instruction; if not, it is determined to be an illegal control instruction, and the OT network is determined to be at risk of malicious attack. Analyzing industrial network behavior by means of a pre-created trust list (whitelist) is only suitable for simple control processes with few types of control instruction; for complex control processes it is difficult to create a corresponding trust list, so trust-list-based industrial network behavior analysis does not apply, and the applicability of existing industrial network behavior analysis methods is therefore poor.
In the embodiments of the present invention, at least one first time window is determined for a target industrial control system, so that each first time window represents a time period in which the target industrial control system executes a corresponding control behavior, and the execution probability deviation of each control instruction within each first time window is determined separately, so that the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction within the corresponding first time window. Afterwards, while the target industrial control system is running, the control instructions it executes are collected, and at least one second time window corresponding to the same control behavior as a first time window is determined from the collected control instructions. The execution probability of each control instruction within each second time window is then calculated, and it is judged whether the execution probability of each control instruction executed within the second time window satisfies the execution probability deviation of that control instruction within the corresponding first time window: if it does, the control instruction is determined to be a legal control instruction; if it does not, the control instruction is determined to be a suspicious control instruction. Thus the first time windows and the execution probability deviations of the corresponding control instructions are created in advance as a reference; during operation of the industrial control system, control instructions are collected to determine second time windows corresponding to the same control behaviors as the first time windows, and it is then judged whether the execution probability of each control instruction executed within a second time window satisfies the execution probability deviation of the same control instruction within the corresponding first time window. The security of each control instruction is thereby determined by comparing the execution probabilities of the control instructions while the industrial control system executes the same control behavior. Because corresponding first and second time windows can be obtained for both simple and complex control processes in order to analyze the security of control instructions, the applicability of control instruction security analysis is improved.
The industrial network behavior analysis method, device and system provided by the embodiments of the present invention are described in detail below with reference to the drawings.
As shown in Fig. 1, an embodiment of the present invention provides an industrial network behavior analysis method, which may include the following steps:
Step 101: determine at least one first time window for the target industrial control system, where the first time window represents a time period in which the target industrial control system executes a corresponding control behavior;
Step 102: separately determine the execution probability deviation of each control instruction in the target industrial controller within each first time window, where the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction, and the execution probability represents the ratio of the number of times the corresponding control instruction is executed within a time period to the total number of control instructions executed within that time period;
Step 103: collect the control instructions executed in the target industrial control system;
Step 104: determine at least one second time window based on the collected control instructions, where the second time window represents a time period in which the target industrial control system executes a corresponding control behavior, and the control behavior executed by the target industrial control system within the second time window is the same as the control behavior executed within one of the first time windows;
Step 105: for each second time window and for each control instruction executed within that second time window, calculate the execution probability of that control instruction within the second time window;
Step 106: for each second time window and for each control instruction executed within that second time window, judge whether the execution probability of that control instruction satisfies the target execution probability deviation; if yes (Y), execute step 107, if no (N), execute step 108; the target execution probability deviation is the execution probability deviation of that control instruction within the first time window corresponding to the same control behavior as that second time window;
Step 107: determine that the control instruction is a legal control instruction, and end the current flow;
Step 108: determine that the control instruction is a suspicious control instruction.
In the embodiments of the present invention, steps 101 and 102 are processing performed in advance: the first time windows and the execution probability deviations of the different control instructions within each first time window must be determined for the target industrial control system beforehand, i.e. steps 101 and 102 form the learning stage that establishes the judgment baseline. Steps 103 to 108 are subsequent processing, performed periodically during normal operation of the target industrial control system, i.e. steps 103 to 108 form the detection stage for control instruction security.
In the embodiments of the present invention, at least one first time window is determined for the target industrial control system, so that different first time windows represent time periods in which the target industrial control system executes different control behaviors, and the execution probability deviation of the control instructions executed within each first time window is determined separately, so that the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction across different executions of the corresponding control behavior by the target industrial control system. Because the execution pattern of the control instructions stays the same each time the target industrial control system executes the same control behavior, and the execution probability of each control instruction remains stable, a second time window can be determined from the types of the collected control instructions and the related parameters they include, and whether each control instruction executed by the target industrial control system during the corresponding control behavior is legal can be determined from whether its execution probability within the second time window satisfies the execution probability deviation of the same control instruction within the corresponding first time window, thereby implementing security analysis of the control instructions.
In the embodiments of the present invention, the number of first time windows is determined by the control behaviors that the target industrial control system can execute; normally the number of first time windows is less than or equal to the number of control behaviors the target industrial control system can execute. For example, suppose the target industrial control system controls the operation of an automobile production line with one production cycle per day: 8:00~12:00 is used to control the line producing model A cars, 12:00~14:00 is the line's pause time, 14:00~19:00 is used to control the line producing model B cars, and 19:00 to 8:00 the next day is the line's pause time. Controlling the line to produce model A cars and controlling it to produce model B cars can then be treated as two different control behaviors, and controlling the line to pause can also be treated as a control behavior; two first time windows can accordingly be determined, with first time window 1 corresponding to the period 8:00~12:00 and first time window 2 corresponding to the period 14:00~19:00.
In the embodiments of the present invention, because a first time window corresponds to a control behavior of the target industrial control system, and different control behaviors take the same or different lengths of time to execute, different first time windows may have different time lengths or the same time length. Correspondingly, different second time windows may have different time lengths or the same time length.
In the embodiments of the present invention, collecting the control instructions executed in the target industrial control system in step 103 usually means collecting them in real time, which ensures the accuracy of the second time windows determined from the collected control instructions, and hence the accuracy of the security analysis of control instructions based on the second time windows and the first time windows.
In the embodiments of the present invention, both the second time window and the first time window represent a time period in which the target industrial control system executes a corresponding control behavior, and for each second time window, the control behavior executed by the target industrial control system within that second time window is the same as the control behavior executed within one of the first time windows. For example, if the target industrial control system executes control behavior A within a second time window X, then there exists a first time window Y within which the target industrial control system also executes control behavior A, and second time window X corresponds to first time window Y. In addition, because the target industrial control system may repeatedly execute the same control behavior, several of the determined second time windows may correspond to the same first time window, i.e. the control behavior executed by the target industrial control system within several second time windows is the same as the control behavior executed within a single first time window.
Optionally, on the basis of the industrial network behavior analysis method shown in Fig. 1, a learning time period can be determined during which no illegal or suspicious control instructions occur in the target industrial control system, and the first time windows are determined by collecting the control instructions executed in the target industrial control system during that learning time period. As shown in Fig. 2, the method for determining the first time windows may include the following steps:
Step 201: collect the control instructions executed in the target industrial control system during a preset learning time period;
Step 202: when a first control instruction corresponding to a preset time window start identifier is collected, determine the time at which the first control instruction was collected as a time window start point, and when a second control instruction corresponding to a preset time window end identifier is collected, determine the time at which the second control instruction was collected as a time window end point;
Step 203: determine the time period between each pair of sequentially adjacent time window start point and time window end point as a third time window;
Step 204: for each third time window, if the control instructions collected within that third time window satisfy a preset complexity rule, determine that third time window as a fourth time window;
Step 205: group the fourth time windows to obtain at least one time window group, where each time window group includes at least one fourth time window, the target industrial control system executes the same control behavior within the fourth time windows included in the same time window group, and executes different control behaviors within the fourth time windows included in different time window groups;
Step 206: form a corresponding first time window for each time window group, where the first time window and the fourth time windows included in the corresponding time window group have the same time window start point and time window end point, or the first time window and the fourth time windows included in the corresponding time window group have the same time length.
In the embodiments of the present invention, because the execution probability of each control instruction remains stable whenever the target industrial control system executes the same control behavior, the control instructions executed by the target industrial control system while performing its control behaviors can be collected over a period of time, the fourth time window corresponding to each control behavior can be recognized from the collected control instructions, and the fourth time windows corresponding to the same control behavior can be divided into the same time window group. A corresponding first time window is then generated for each time window group, and the first time window can serve as the baseline for judging the security of the control instructions when the target industrial control system executes the corresponding control behavior.
In the embodiments of the present invention, the length of the learning time period can be determined from the number of control behaviors the target industrial control system executes and the time span of each control behavior; normally, the more control behaviors the target industrial control system executes, the longer the learning time period, and the longer the time span of each control behavior, the longer the learning time period. For example, the learning time period may be set to one month; the control instructions of the target industrial control system are then collected during the predetermined one-month period, and the first time windows are determined from the control instructions collected during that month.
In the embodiments of the present invention, so that the first time windows correspond to the control behaviors of the target industrial control system, a corresponding time window start identifier and time window end identifier can be defined in advance for each control behavior of the target industrial control system, such that the time window start identifier corresponds to the control instruction executed by the target industrial control system when the corresponding control behavior begins, and the time window end identifier corresponds to the control instruction executed when the corresponding control behavior ends; the corresponding third time window is then determined by detecting the time window start identifier and the time window end identifier.
The time window start identifier may be a write instruction, a start or stop instruction, one or more diagnostic instructions, one or more read instructions, one or more read instructions carrying specific parameters, specific diagnostic information that can be emitted, or a command sequence including multiple input or read instructions.
The time window end identifier may be the absence of valid instructions during one or more monitoring periods, or a specific instruction sequence or piece of information; for example, the time window end identifier may be the generation of a stop instruction or a device restart instruction.
The time at which the time window start identifier is collected is taken as the time window start point, and the time at which the time window end identifier is collected is taken as the time window end point. Once the series of time window start points and end points has been obtained, the time period between each sequentially adjacent pair of time window start point and time window end point is determined as a third time window. This completes the conversion of control behaviors into third time windows: every control task executed by the target industrial control system during the learning time period is converted into a corresponding third time window.
In the embodiments of the present invention, after the third time windows have been determined, it can be checked separately whether the control instructions collected within each third time window satisfy the preset complexity rule. If the control instructions collected within a third time window satisfy the complexity rule, that third time window is determined as a fourth time window; if they do not, the control instructions collected within that third time window can instead be stored in the instruction whitelist, and the third time window is not determined as a fourth time window.
A complexity rule is set in advance and used to screen the third time windows obtained: only the third time windows satisfying the complexity rule are determined as fourth time windows, so that the fourth time windows correspond to complex control behaviors, while the control instructions within third time windows that do not satisfy the complexity rule are stored in the whitelist. The security of control instructions belonging to complex control behaviors is thus analyzed on the basis of time windows and execution probability deviations, while the security of control instructions belonging to simple control behaviors is analyzed on the basis of the whitelist. This not only saves computing resources but also prevents the control instructions of simple control behaviors from becoming interference noise for the control instructions of complex control behaviors, ensuring the accuracy of industrial network behavior analysis for complex control behaviors.
The complexity rule may be defined as: the corresponding time window includes at least two different kinds of control instruction, the same control instruction appears with different parameters, or the control instructions stay the same over a longer period of time.
In the embodiments of the present invention, because the same control behavior may be executed several times by the target industrial control system during the learning time period, the determined fourth time windows need to be grouped, so that the fourth time windows corresponding to the same control behavior are placed in the same time window group; a corresponding first time window can then be formed for each time window group, so that each first time window corresponds to one control behavior.
When grouping the fourth time windows, different fourth time windows carry different index identifiers, and the first few control instructions executed within a fourth time window are stored as its feature value; the fourth time windows can then be grouped according to their index identifiers and feature values, so that the fourth time windows corresponding to the same control behavior are divided into the same time window group.
In the embodiments of the present invention, for each time window group obtained by the division, a corresponding first time window is generated from the fourth time windows in that group, so that the generated first time window reflects as a whole the start times or time spans of the fourth time windows in the corresponding time window group.
Depending on the specific business scenario, different fourth time windows corresponding to the same control behavior may have relatively stable start times or relatively stable time spans. When the fourth time windows corresponding to the same control behavior have relatively stable start times, the first time window can be generated from the start times of the fourth time windows in the time window group. For example, time window group 1 includes three fourth time windows with start times of 8:00~12:00, 8:05~12:06 and 8:02~12:05, so a first time window with a start time of 8:00~12:00 can be generated to correspond to time window group 1. When the fourth time windows corresponding to the same control behavior have relatively stable time spans, the first time window can be generated from the time spans of the fourth time windows in the time window group. For example, time window group 2 includes four fourth time windows with start times of 14:00~19:00, 13:00~18:00, 14:30~19:30 and 13:30~18:30, so a first time window with a time span of 5 hours can be generated to correspond to time window group 2.
Depending on the actual business scenario, the start time and time span of the generated first time window may differ from those of the fourth time windows in the corresponding time window group, especially the start time, while the time spans usually differ only slightly. When generating the first time window, its time span can be set equal to the average of the time spans of the fourth time windows in the corresponding time window group, and its start time can likewise be set equal to the average of the start times of the fourth time windows in the corresponding time window group.
In the embodiments of the present invention, when collecting the control instructions executed in the target industrial control system, the traffic of the target industrial control system can be intercepted and the control instructions extracted from the intercepted traffic according to preset control instruction extraction rules. Specifically, probes (sensors) can be placed in the target industrial control system, and the probes intercept traffic from the access switch and the system bus of the target industrial control system, where the system bus connects the PLC with the engineer station and the operator station, and the access switch connects the operations center with the engineer station and the operator station. Furthermore, by configuring control instruction extraction rules, control commands and the related parameters within the control commands can be extracted from the intercepted traffic, i.e. a control instruction consists of one or more control commands together with their related parameters. It should be noted that the method of collecting control instructions in step 103 is the same as the method of collecting control instructions in the embodiments of the present invention: traffic can be intercepted from the access switch and the system bus of the target industrial control system, and the control instructions are then extracted from the intercepted traffic.
It should be noted that when the first time window and the fourth time windows included in its corresponding time window group are said to have the same time window start point and time window end point, this does not mean that the first time window and the fourth time windows have exactly identical start and end times, but that the difference between the start times of the first time window and a fourth time window is smaller than a preset threshold, and the difference between their end times is smaller than a preset threshold; moreover, the time window start point and end point are not absolute times but relative times within the corresponding cycle, for example the time within each day. Correspondingly, when the first time window and the fourth time windows included in its corresponding time window group are said to have the same time length, this does not mean that the first time window and the fourth time windows have exactly identical time lengths, but that the difference between the time length of the first time window and that of a fourth time window is smaller than a preset threshold.
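The learning stage described in steps 201 to 206 above (start and end identifiers, third time windows, the complexity rule, grouping by feature value, and generating a first time window from average start time and average span) can be implemented as follows. This is an added example, not code from the patent or from Siemens: the instruction log format, the "start"/"stop" marker names, the three-instruction feature length and the constructed three-day log are all assumptions; times are minutes since day 0, and start points are reduced to minutes within the day, as the page says start points are relative times within a cycle.

```python
"""Learning stage of the time-window approach (steps 201-206). Added example;
the log format, marker names, FEATURE_LEN and the sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

DAY = 24 * 60                      # minutes per daily cycle
START_MARKER, END_MARKER = "start", "stop"   # assumed time window start/end identifiers
FEATURE_LEN = 3                    # assumed: first three instructions form the feature value


@dataclass(frozen=True)
class Instruction:
    t: int            # absolute minute at which the instruction was collected
    kind: str         # control command type, e.g. "write", "read"
    params: tuple = ()  # related parameters of the command


@dataclass
class Window:
    t_start: int                          # absolute minute of the start marker
    t_end: int                            # absolute minute of the end marker
    instrs: list = field(default_factory=list)

    @property
    def start(self) -> int:               # start point relative to the daily cycle
        return self.t_start % DAY

    @property
    def span(self) -> int:                # time length in minutes
        return self.t_end - self.t_start


def third_windows(log):
    """Steps 202/203: pair each start marker with the next end marker."""
    windows, current = [], None
    for ins in sorted(log, key=lambda i: i.t):
        if ins.kind == START_MARKER and current is None:
            current = Window(ins.t, ins.t)
        elif ins.kind == END_MARKER and current is not None:
            current.t_end = ins.t
            windows.append(current)
            current = None
        elif current is not None:
            current.instrs.append(ins)
    return windows        # a window still open at the end of the log is dropped


def is_complex(instrs):
    """Step 204 complexity rule: at least two instruction kinds, or one kind
    carrying different parameter sets (two of the page's alternatives)."""
    if len({i.kind for i in instrs}) >= 2:
        return True
    return len({i.params for i in instrs}) >= 2


def feature(window):
    return tuple(i.kind for i in window.instrs[:FEATURE_LEN])


def group_windows(fourth):
    """Step 205: windows with the same leading instructions share a control behaviour."""
    groups = defaultdict(list)
    for w in fourth:
        groups[feature(w)].append(w)
    return dict(groups)


def first_window(group):
    """Step 206: (mean start-of-day minute, mean span) of the group's fourth windows."""
    n = len(group)
    return (round(sum(w.start for w in group) / n), round(sum(w.span for w in group) / n))


def learn(log):
    """Returns ({feature: first window}, whitelist of kinds from non-complex windows)."""
    third = third_windows(log)
    whitelist = {i.kind for w in third if not is_complex(w.instrs) for i in w.instrs}
    groups = group_windows([w for w in third if is_complex(w.instrs)])
    return {key: first_window(g) for key, g in groups.items()}, whitelist


def sample_log():
    """Constructed three-day log: a complex morning run (starts 8:00, 8:05, 8:02)
    and a heartbeat-only evening run each day."""
    log = []
    for day, (s, e) in enumerate([(480, 720), (485, 726), (482, 725)]):
        base = day * DAY
        log += [Instruction(base + s, "start"),
                Instruction(base + s + 1, "write", ("valve", 1)),
                Instruction(base + s + 2, "read", ("pressure",)),
                Instruction(base + s + 3, "write", ("valve", 0)),
                Instruction(base + e, "stop")]
        log += [Instruction(base + 1200, "start"), Instruction(base + 1201, "heartbeat"),
                Instruction(base + 1202, "heartbeat"), Instruction(base + 1260, "stop")]
    return log


if __name__ == "__main__":
    first, wl = learn(sample_log())
    for key, (start, span) in first.items():
        print(key, f"{start // 60:02d}:{start % 60:02d}", f"{span} min")
    print("whitelist:", wl)
```

The morning group yields a first time window starting at 08:02 with a 241-minute span (the rounded averages), and the evening windows fail the complexity rule, so their single instruction kind lands in the whitelist instead. Grouping purely on the first few instruction kinds is the page's feature-value idea reduced to its simplest form; a deployment would also carry the index identifier the page mentions and would need to decide what to do with a window whose end marker never arrives, which this code silently drops.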
Optionally, on the basis of the first time window determination method shown in Fig. 2, the execution probability deviation of each control instruction within a first time window can be determined from the execution probabilities of each control instruction executed within the fourth time windows of the corresponding time window group. As shown in Fig. 3, the method for determining the execution probability deviation of each control instruction within a first time window may include the following steps:
Step 301: for each fourth time window, calculate the execution probability of each control instruction executed within that fourth time window;
Step 302: for each time window group and for each control instruction executed within the fourth time windows included in that group, calculate the execution probability deviation of that control instruction within the first time window corresponding to the group, based on the execution probabilities of that control instruction within each fourth time window included in the group.
In the embodiments of the present invention, after the fourth time windows have been divided into time window groups, the execution probability of each control instruction executed within each fourth time window of each time window group can be calculated. The execution probability represents the probability that the corresponding control instruction is executed within a period of time; specifically, the execution probability of a control instruction within a period of time equals the ratio of the number of times that control instruction is executed within the period to the total number of times all control instructions are executed within the period. For example, if the target industrial control system executes 100 control instructions in total within a fourth time window, and control instruction A is executed 20 times within that fourth time window, then the execution probability of control instruction A within that fourth time window is 20%.
In the embodiments of the present invention, for each time window group and for each control instruction executed within the fourth time windows included in that group, the execution probability deviation of that control instruction within the first time window corresponding to the group is calculated from the execution probabilities of the control instruction within each fourth time window included in the group. Because the probability with which each control instruction is executed remains essentially stable across different executions of the same control behavior by the target industrial control system, the execution probability deviation of a control instruction represents the permitted range of fluctuation of that control instruction when the target industrial control system executes the corresponding control behavior.
When calculating the execution probability deviation from the execution probabilities of a control instruction in different fourth time windows, different calculation methods can be used depending on the actual application scenario. For example, the difference between the maximum and minimum execution probability of a control instruction can be taken as its execution probability deviation, or the execution probability deviation can be obtained by fitting a normal distribution to the execution probabilities of the control instruction across the different fourth time windows. For example, time window group 1 includes three fourth time windows, and the execution probabilities of control instruction A within these three fourth time windows are 20%, 21% and 19% respectively; the difference of 2% between the maximum execution probability 21% and the minimum execution probability 19% of control instruction A is taken as the execution probability deviation of control instruction A within the first time window corresponding to time window group 1.
In the embodiments of the present invention, when judging whether the execution probability of a control instruction satisfies the target execution probability deviation, the average execution probability of that control instruction within the corresponding first time window can be determined in advance, and it is then determined whether the difference between the execution probability of the control instruction and its average execution probability is smaller than the target execution probability deviation: if so, the execution probability of the control instruction is determined to satisfy the target execution probability deviation, otherwise it is determined not to satisfy it. The average execution probability of a control instruction equals the average of its execution probabilities within the fourth time windows included in the corresponding time window group.
Optionally, on the basis of the first time window determination method shown in Fig. 2, the second time windows can be determined using the same time window start identifier and time window end identifier that were used to determine the first time windows. As shown in Fig. 4, the method for determining the second time windows may include the following steps:
Step 401: identify the time window start identifier and the time window end identifier from the collected control instructions;
Step 402: for each identified time window start identifier, determine the time at which the control instruction corresponding to that start identifier was collected as a time window start point;
Step 403: for each identified time window end identifier, determine the time at which the control instruction corresponding to that end identifier was collected as a time window end point;
Step 404: determine the time period between each determined pair of sequentially adjacent time window start point and time window end point as a fifth time window;
Step 405: for each fifth time window, if the control instructions collected within that fifth time window satisfy the complexity rule, and there exists a first time window corresponding to the same control behavior as that fifth time window, determine that fifth time window as a second time window.
In the embodiments of the present invention, the time window start identifier and time window end identifier used when determining the first time windows are also used to identify start and end identifiers among the control instructions collected during the detection process; the time at which a time window start identifier is collected is determined as a time window start point, the time at which a time window end identifier is collected is determined as a time window end point, and the time period between each sequentially adjacent pair of time window start point and end point is determined as a fifth time window. The second time windows are then screened out of the fifth time windows. Using the same basis for recognizing time windows ensures that second time windows corresponding to the same control behaviors as the first time windows can be obtained, so that the security analysis of the control instructions can proceed normally.
In the embodiments of the present invention, after a fifth time window is obtained, it is first judged whether the control instructions collected within that fifth time window satisfy the complexity rule. If they do not, the target industrial control system executed a simple control behavior within that fifth time window, and whether the control instructions collected within it are legal can be judged on the basis of the whitelist, avoiding wasted computing resources. If the control instructions collected within the fifth time window do satisfy the complexity rule, it is further judged whether there exists a first time window within which the target industrial control system executed the same control behavior as within that fifth time window. If such a first time window exists, the fifth time window is determined as a second time window and the subsequent processing is performed; if no such first time window exists, the target industrial control system executed a control behavior it had never executed before, and all control instructions collected within that fifth time window are determined to be suspicious control instructions.
Optionally, on the basis of the second time window determination method shown in Fig. 4, after the fifth time windows have been determined in step 404, if the control instructions collected within a determined fifth time window do not satisfy the complexity rule, it is judged separately whether each control instruction executed within that fifth time window is in the preset instruction whitelist: if so, the control instruction is determined to be a legal control instruction, otherwise it is determined to be a suspicious control instruction.
In the embodiments of the present invention, for a fifth time window that does not satisfy the complexity rule, the security of the control instructions collected within it is analyzed on the basis of the preset instruction whitelist: it is judged whether each control instruction executed within that fifth time window is recorded in the instruction whitelist, and if so the control instruction is determined to be a legal control instruction, otherwise it is determined to be a suspicious control instruction. An instruction whitelist can be created conveniently for the simple control behaviors executed by the target industrial control system, and the control instructions executed during simple control behaviors can then be analyzed for security on the basis of that whitelist, avoiding the computing resources that would be wasted by analyzing them through execution probabilities.
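The deviation calculation of steps 301 and 302 (with the max-minus-min deviation and the average execution probability from the text), the judgment of step 106, and the dispatch for a fifth time window just described (complexity rule, whitelist branch, missing first time window, probability comparison) can be seen together in the following added example, which is not code from the patent or from Siemens. Windows are given as plain lists of instruction-kind strings, so the complexity rule is reduced to its "at least two kinds" alternative and the behaviour match is a lookup on the first three kinds; those choices, and the constructed windows of 100 instructions, are assumptions, except that instruction A occurs 20, 21 and 19 times to reproduce the page's 20%/21%/19% illustration. Probabilities are kept as exact fractions so that the "smaller than" comparison does not depend on floating-point rounding.

```python
"""Deviation profile (steps 301-302) and detection decision (steps 106-108, 401-405
plus the whitelist branch). Added example; the window representation, the feature
lookup and the constructed data are assumptions."""
from collections import Counter
from fractions import Fraction

FEATURE_LEN = 3   # assumed: first three instruction kinds identify the control behaviour


def execution_probabilities(kinds):
    """Step 301: executions of each kind / total executions within the window."""
    total = len(kinds)
    return {k: Fraction(n, total) for k, n in Counter(kinds).items()}


def deviation_profile(fourth_windows):
    """Step 302 for one time window group: per kind -> (mean probability,
    max - min probability). A kind absent from a window has probability 0 there."""
    probs = [execution_probabilities(w) for w in fourth_windows]
    profile = {}
    for k in set().union(*probs):
        ps = [p.get(k, Fraction(0)) for p in probs]
        profile[k] = (sum(ps) / len(ps), max(ps) - min(ps))
    return profile


def satisfies(prob, mean, deviation):
    """Step 106 as stated on the page: |p - mean| smaller than the deviation."""
    return abs(prob - mean) < deviation


def classify_window(kinds, first_windows, whitelist):
    """Decision for one fifth time window given as the list of executed kinds.
    first_windows maps feature -> deviation profile. Returns {kind: verdict}."""
    distinct = set(kinds)
    if len(distinct) < 2:                       # complexity rule not met: simple behaviour
        return {k: ("legal" if k in whitelist else "suspicious") for k in distinct}
    profile = first_windows.get(tuple(kinds[:FEATURE_LEN]))
    if profile is None:                         # behaviour never seen in learning
        return {k: "suspicious" for k in distinct}
    verdicts = {}
    for k, p in execution_probabilities(kinds).items():
        mean, dev = profile.get(k, (Fraction(0), Fraction(0)))   # kind unseen in learning
        verdicts[k] = "legal" if satisfies(p, mean, dev) else "suspicious"
    return verdicts


PREFIX = ["read", "write", "read"]   # constructed feature value of the behaviour


def sample_learning_group():
    """Constructed: three fourth windows of one behaviour, 100 instructions each;
    kind A appears 20, 21 and 19 times (the page's illustration)."""
    return [PREFIX + ["A"] * 20 + ["B"] * 75 + ["write"] + ["read"],
            PREFIX + ["A"] * 21 + ["B"] * 73 + ["write"] * 2 + ["read"],
            PREFIX + ["A"] * 19 + ["B"] * 76 + ["read"] * 2]


def sample_first_windows():
    return {tuple(PREFIX): deviation_profile(sample_learning_group())}


if __name__ == "__main__":
    fw, wl = sample_first_windows(), {"heartbeat"}
    normal = PREFIX + ["A"] * 21 + ["B"] * 73 + ["write"] * 2 + ["read"]
    skewed = PREFIX + ["A"] * 30 + ["B"] * 64 + ["write"] * 2 + ["read"]
    for name, w in [("normal", normal), ("skewed", skewed), ("heartbeat", ["heartbeat"] * 3)]:
        print(name, classify_window(w, fw, wl))
```

In the constructed data, kind A has mean 20% and deviation 2%, so a second window in which A occurs 21 times passes while one with 30 occurrences is flagged, together with B, whose share shrank to make room. A kind that never appeared during learning gets mean 0 and deviation 0, so any occurrence fails the strict comparison; the same strictness means a kind whose probability was identical in every learning window has deviation 0 and is flagged even on an exact match, which is why a deployment would normally floor the learned deviation (a choice the page leaves open) or fit the normal-distribution variant it mentions.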
Optionally, on the basis of the industrial network behavior analysis provided by the embodiments above, a control instruction may be a single control command or a control command sequence made up of several control commands, where a control command is the basic unit for implementing device control and status feedback in the target industrial control system, and each control command may include one or more related parameters.
In the embodiments of the present invention, depending on the specific business scenario, single control commands can be collected from the target industrial control system as control instructions, or control command sequences can be collected as control instructions, and a control instruction can additionally include related parameters; the method thus suits different application scenarios, which further improves its applicability.
In the embodiments of the present invention, a control instruction may be any one of a write command, a read command, a start command, diagnostic information, a heartbeat signal and the like, or a sequential combination of any two or more of these, and key parameters transmitted within the target industrial control system may also serve as control instructions.
Optionally, on the basis of the industrial network behavior analysis methods provided by the embodiments above, while determining the first time windows and second time windows the collected control instructions can be converted into corresponding numeric sequences according to preset conversion rules, and the execution probabilities and execution probability deviations of the corresponding control instructions are then calculated from the converted numeric sequences. This makes the execution probability calculation, the execution probability deviation calculation and the matching of first and second time windows more convenient and faster, and reduces the computing resources required for the industrial network behavior analysis.
As shown in Fig. 5, an embodiment of the present invention provides an industrial network behavior analysis device 10, including:
a first identification module 11, configured to determine at least one first time window for a target industrial control system, where the first time window represents a time period in which the target industrial control system executes a corresponding control behavior;
a deviation calculation module 12, configured to separately determine the execution probability deviation of each control instruction in the target industrial controller within each first time window determined by the first identification module 11, where the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction, and the execution probability represents the ratio of the number of times the corresponding control instruction is executed within a time period to the total number of control instructions executed within that time period;
an instruction collection module 13, configured to collect the control instructions executed in the industrial control system;
a second identification module 14, configured to determine at least one second time window based on the control instructions collected by the instruction collection module 13, where the second time window represents a time period in which the target industrial control system executes a corresponding control behavior, and the control behavior executed by the target industrial control system within the second time window is the same as the control behavior executed within one of the first time windows;
a probability calculation module 15, configured to, for each second time window determined by the second identification module 14 and for each control instruction executed within that second time window, calculate the execution probability of that control instruction within the second time window;
a probability comparison module 16, configured to, for each second time window determined by the second identification module 14 and for each control instruction executed within that second time window, judge whether the execution probability of that control instruction calculated by the probability calculation module 15 satisfies the target execution probability deviation, where the target execution probability deviation is the execution probability deviation, calculated by the deviation calculation module 12, of that control instruction within the first time window corresponding to the same control behavior as that second time window;
a first analysis module 17, configured to, based on the judgment result of the probability comparison module 16, determine that a control instruction is a legal control instruction if its execution probability satisfies the target execution probability deviation, and determine that the control instruction is a suspicious control instruction if its execution probability does not satisfy the target execution probability deviation.
In the embodiments of the present invention, the first identification module 11 can be used to perform step 101 in the above method embodiment, the deviation calculation module 12 step 102, the instruction collection module 13 step 103, the second identification module 14 step 104, the probability calculation module 15 step 105, the probability comparison module 16 step 106, and the first analysis module 17 steps 107 and 108.
Optionally, on the basis of the industrial network behavior analysis device 10 shown in Fig. 5, and as shown in Fig. 6, the first identification module 11 includes:
a collection unit 111, configured to collect the control instructions executed in the target industrial control system during a preset learning time period;
a first identification unit 112, configured to, when the collection unit 111 collects a first control instruction corresponding to a preset time window start identifier, determine the time at which the first control instruction was collected as a time window start point, and when the collection unit 111 collects a second control instruction corresponding to a preset time window end identifier, determine the time at which the second control instruction was collected as a time window end point;
a first extraction unit 113, configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the first identification unit 112 as a third time window;
a first filtering unit 114, configured to, for each third time window determined by the first extraction unit 113, determine that third time window as a fourth time window if the control instructions collected within it satisfy a preset complexity rule;
a time window grouping unit 115, configured to group the fourth time windows determined by the first filtering unit 114 to obtain at least one time window group, where each time window group includes at least one fourth time window, the target industrial control system executes the same control behavior within the fourth time windows included in the same time window group, and executes different control behaviors within the fourth time windows included in different time window groups;
a time window generating unit 116, configured to form a corresponding first time window for each time window group divided by the time window grouping unit 115, where the first time window and the fourth time windows included in the corresponding time window group have the same time window start point and time window end point, or the first time window and the fourth time windows included in the corresponding time window group have the same time length.
In the embodiments of the present invention, the collection unit 111 can be used to perform step 201 in the above method embodiment, the first identification unit 112 step 202, the first extraction unit 113 step 203, the first filtering unit 114 step 204, the time window grouping unit 115 step 205, and the time window generating unit 116 step 206.
Optionally, on the basis of the industrial network behavior analysis device 10 shown in Fig. 6, and as shown in Fig. 7, the deviation calculation module 12 includes:
a probability calculation unit 121, configured to, for each time window group, separately calculate the execution probability of each control instruction executed within each fourth time window included in that time window group;
a deviation calculation unit 122, configured to, for each time window group and for each control instruction executed within the fourth time windows included in that group, calculate the execution probability deviation of that control instruction within the first time window corresponding to the group, based on the execution probabilities of that control instruction within each included fourth time window as calculated by the probability calculation unit 121.
In the embodiments of the present invention, the probability calculation unit 121 can be used to perform step 301 in the above method embodiment, and the deviation calculation unit 122 can be used to perform step 302.
Optionally, on the basis of the industrial network behavior analysis device 10 shown in Fig. 6, and as shown in Fig. 8, the second identification module 14 includes:
a second identification unit 141, configured to identify the time window start identifier and the time window end identifier from the collected control instructions;
a start point determination unit 142, configured to, for each time window start identifier identified by the second identification unit 141, determine the time at which the control instruction corresponding to that start identifier was collected as a time window start point;
an end point determination unit 143, configured to, for each time window end identifier identified by the second identification unit 141, determine the time at which the control instruction corresponding to that end identifier was collected as a time window end point;
a second extraction unit 144, configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the start point determination unit 142 and the end point determination unit 143 as a fifth time window;
a second filtering unit 145, configured to, for each fifth time window determined by the second extraction unit 144, determine that fifth time window as a second time window if the control instructions collected within it satisfy the complexity rule and there exists a first time window corresponding to the same control behavior as that fifth time window.
In the embodiments of the present invention, the second identification unit 141 can be used to perform step 401 in the above method embodiment, the start point determination unit 142 step 402, the end point determination unit 143 step 403, the second extraction unit 144 step 404, and the second filtering unit 145 step 405.
Optionally, on the basis of the industrial network behavior analysis device 10 shown in Fig. 8, and as shown in Fig. 9, the industrial network behavior analysis device 10 further includes a second analysis module 18;
the second analysis module 18 is configured to, for each fifth time window determined by the second extraction unit 144, if the control instructions collected within that fifth time window do not satisfy the complexity rule, separately judge whether each control instruction executed within that fifth time window is in a preset instruction whitelist; if a control instruction executed within the fifth time window is in the instruction whitelist, it determines that the control instruction is a legal control instruction, and if a control instruction executed within the fifth time window is not in the instruction whitelist, it determines that the control instruction is a suspicious control instruction.
Optionally, on the basis of the industrial network behavior analysis device 10 shown in any of Figs. 5 to 9, the control instruction includes at least one control command executed sequentially, where the control command is the basic unit for implementing device control and status feedback in the target industrial control system, and each control command may include at least one related parameter.
As shown in Fig. 10, an embodiment of the present invention provides an industrial network behavior analysis device 20, including at least one memory 21 and at least one processor 22;
the at least one memory 21 is configured to store a machine-readable program;
the at least one processor 22 is configured to invoke the machine-readable program to execute the industrial network behavior analysis method provided by the embodiments above.
As shown in Fig. 11, an embodiment of the present invention provides an industrial network behavior analysis system 100, including one industrial network behavior analysis device 10/20 provided by any of the embodiments above and at least one industrial control system 30.
In the embodiments of the present invention, a probe can be set up in each industrial control system 30, and the industrial network behavior analysis device 10/20 uses the probes to collect the control instructions in each industrial control system 30 separately, thereby performing industrial network behavior analysis for multiple industrial control systems 30.
The present invention also provides a computer-readable medium storing instructions for causing a computer to execute the industrial network behavior analysis method described herein. Specifically, a system or device equipped with a storage medium may be provided, on which the software program code implementing the function of any one of the above embodiments is stored, and the computer (or CPU or MPU) of the system or device reads and executes the program code stored in the storage medium.
In this case, the program code itself read from the storage medium can implement the function of any one of the above embodiments, so the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code can be downloaded from a server computer via a communication network.
In addition, it should be clear that part or all of the actual operations can be completed not only by executing the program code read by the computer, but also by an operating system or the like running on the computer acting on instructions based on the program code, thereby implementing the function of any one of the above embodiments.
In addition, it will be understood that the program code read from the storage medium may be written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion unit connected to the computer, and instructions based on the program code then cause a CPU or the like installed on the expansion board or expansion unit to perform part or all of the actual operations, thereby implementing the function of any one of the above embodiments.
It should be noted that not all steps and modules in the flows and system structure diagrams above are mandatory; some steps or modules may be omitted according to actual needs. The order in which the steps are executed is not fixed and may be adjusted as needed. The system structure described in the above embodiments may be a physical structure or a logical structure; that is, some modules may be implemented by the same physical entity, some modules may each be implemented by multiple physical entities, or some modules may be implemented jointly by components in several independent devices.
In the above embodiments, a hardware unit may be implemented mechanically or electrically. For example, a hardware unit may include a permanent dedicated circuit or logic (such as a dedicated processor, FPGA or ASIC) to complete the corresponding operation. A hardware unit may also include programmable logic or circuits (such as a general-purpose processor or other programmable processor), which can be temporarily configured by software to complete the corresponding operation. The specific implementation (mechanical, dedicated permanent circuit, or temporarily configured circuit) can be determined based on cost and time considerations.
The present invention has been shown and described in detail above through the drawings and preferred embodiments, but the present invention is not limited to these disclosed embodiments. Based on the above embodiments, those skilled in the art will appreciate that the means of the different embodiments above can be combined to obtain further embodiments of the present invention, and these embodiments also fall within the scope of protection of the present invention.

Claims (15)

  1. An industrial network behavior analysis method, including:
    determining at least one first time window for a target industrial control system (30), where the first time window represents a time period in which the target industrial control system (30) executes a corresponding control behavior;
    separately determining the execution probability deviation of each control instruction in the target industrial controller within each first time window, where the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction, and the execution probability represents the ratio of the number of times the corresponding control instruction is executed within a time period to the total number of control instructions executed within that time period;
    collecting the control instructions executed in the target industrial control system (30);
    determining at least one second time window based on the collected control instructions, where the second time window represents a time period in which the target industrial control system (30) executes a corresponding control behavior, and the control behavior executed by the target industrial control system (30) within the second time window is the same as the control behavior executed within one of the first time windows;
    for each second time window, performing:
    for each control instruction executed within that second time window, calculating the execution probability of that control instruction within the second time window;
    for each control instruction executed within that second time window, judging whether the execution probability of that control instruction satisfies a target execution probability deviation, where the target execution probability deviation is the execution probability deviation of that control instruction within the first time window corresponding to the same control behavior as that second time window;
    if the execution probability of the control instruction satisfies the target execution probability deviation, determining that the control instruction is a legal control instruction;
    if the execution probability of the control instruction does not satisfy the target execution probability deviation, determining that the control instruction is a suspicious control instruction.
  2. The method according to claim 1, wherein determining at least one first time window for the target industrial control system (30) includes:
    collecting the control instructions executed in the target industrial control system (30) during a preset learning time period;
    when a first control instruction corresponding to a preset time window start identifier is collected, determining the time at which the first control instruction was collected as a time window start point, and when a second control instruction corresponding to a preset time window end identifier is collected, determining the time at which the second control instruction was collected as a time window end point;
    determining the time period between each pair of sequentially adjacent time window start point and time window end point as a third time window;
    for each third time window, if the control instructions collected within that third time window satisfy a preset complexity rule, determining that third time window as a fourth time window;
    grouping the fourth time windows to obtain at least one time window group, where each time window group includes at least one fourth time window, the target industrial control system (30) executes the same control behavior within the fourth time windows included in the same time window group, and executes different control behaviors within the fourth time windows included in different time window groups;
    forming a corresponding first time window for each time window group, where the first time window and the fourth time windows included in the corresponding time window group have the same time window start point and time window end point, or the first time window and the fourth time windows included in the corresponding time window group have the same time length.
  3. The method according to claim 2, wherein separately determining the execution probability deviation of each control instruction in the target industrial controller within each first time window includes:
    for each fourth time window, calculating the execution probability of each control instruction executed within that fourth time window;
    for each time window group, performing:
    for each control instruction executed within the fourth time windows included in that time window group, calculating the execution probability deviation of that control instruction within the first time window corresponding to that time window group, based on the execution probabilities of that control instruction within each fourth time window included in the group.
  4. The method according to claim 2, wherein determining at least one second time window based on the collected control instructions includes:
    identifying the time window start identifier and the time window end identifier from the collected control instructions;
    for each identified time window start identifier, determining the time at which the control instruction corresponding to that start identifier was collected as a time window start point;
    for each identified time window end identifier, determining the time at which the control instruction corresponding to that end identifier was collected as a time window end point;
    determining the time period between each determined pair of sequentially adjacent time window start point and time window end point as a fifth time window;
    for each fifth time window, if the control instructions collected within that fifth time window satisfy the complexity rule, and there exists a first time window corresponding to the same control behavior as that fifth time window, determining that fifth time window as a second time window.
  5. The method according to claim 4, wherein, after determining the time period between each determined pair of sequentially adjacent time window start point and time window end point as a fifth time window, the method further includes:
    for each fifth time window, if the control instructions collected within that fifth time window do not satisfy the complexity rule, separately judging whether each control instruction executed within that fifth time window is in a preset instruction whitelist;
    if the control instruction is in the instruction whitelist, determining that the control instruction is a legal control instruction;
    if the control instruction is not in the instruction whitelist, determining that the control instruction is a suspicious control instruction.
  6. The method according to any one of claims 1 to 5, wherein
    the control instruction includes at least one control command executed sequentially, where the control command is the basic unit for implementing device control and status feedback in the target industrial control system (30), and each control command may include at least one related parameter.
  7. An industrial network behavior analysis device (10), including:
    a first identification module (11), configured to determine at least one first time window for a target industrial control system (30), where the first time window represents a time period in which the target industrial control system (30) executes a corresponding control behavior;
    a deviation calculation module (12), configured to separately determine the execution probability deviation of each control instruction in the target industrial controller within each first time window determined by the first identification module (11), where the execution probability deviation represents the fluctuation of the execution probability of the corresponding control instruction, and the execution probability represents the ratio of the number of times the corresponding control instruction is executed within a time period to the total number of control instructions executed within that time period;
    an instruction collection module (13), configured to collect the control instructions executed in the industrial control system;
    a second identification module (14), configured to determine at least one second time window based on the control instructions collected by the instruction collection module (13), where the second time window represents a time period in which the target industrial control system (30) executes a corresponding control behavior, and the control behavior executed by the target industrial control system (30) within the second time window is the same as the control behavior executed within one of the first time windows;
    a probability calculation module (15), configured to, for each second time window determined by the second identification module (14) and for each control instruction executed within that second time window, calculate the execution probability of that control instruction within the second time window;
    a probability comparison module (16), configured to, for each second time window determined by the second identification module (14) and for each control instruction executed within that second time window, judge whether the execution probability of that control instruction calculated by the probability calculation module (15) satisfies a target execution probability deviation, where the target execution probability deviation is the execution probability deviation, calculated by the deviation calculation module (12), of that control instruction within the first time window corresponding to the same control behavior as that second time window;
    a first analysis module (17), configured to, based on the judgment result of the probability comparison module (16), determine that a control instruction is a legal control instruction if its execution probability satisfies the target execution probability deviation, and determine that the control instruction is a suspicious control instruction if its execution probability does not satisfy the target execution probability deviation.
  8. The apparatus according to claim 7, wherein the first identification module (11) comprises:
    a collection unit (111), configured to collect the control instructions executed in the target industrial control system (30) within a preset learning time period;
    a first identification unit (112), configured to, when the collection unit (111) collects a first control instruction corresponding to a preset time window start identifier, determine the time at which the first control instruction was collected as a time window start point, and, when the collection unit collects a second control instruction corresponding to a preset time window end identifier, determine the time at which the second control instruction was collected as a time window end point;
    a first extraction unit (113), configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the first identification unit (112) as a third time window;
    a first filtering unit (114), configured to, for each third time window determined by the first extraction unit (113), determine that third time window as a fourth time window if the control instructions collected within that third time window satisfy a preset complexity rule;
    a time window grouping unit (115), configured to group the fourth time windows determined by the first filtering unit (114) to obtain at least one time window group, wherein each time window group includes at least one fourth time window, the target industrial control system (30) executes the same control behavior within each of the fourth time windows included in the same time window group, and the target industrial control system (30) executes different control behaviors within the fourth time windows included in different time window groups;
    a time window generation unit (116), configured to form, for each time window group divided by the time window grouping unit (115), a corresponding first time window, wherein the first time window and each fourth time window included in the time window group corresponding to that first time window have the same time window start point and time window end point, or the first time window and each fourth time window included in the time window group corresponding to that first time window have the same time length.
  9. The apparatus according to claim 8, wherein the deviation calculation module (12) comprises:
    a probability calculation unit (121), configured to, for each time window group, separately calculate the executed probability of each control instruction executed within each of the fourth time windows included in that time window group;
    a deviation calculation unit (122), configured to, for each time window group and for each control instruction executed within the fourth time windows included in that time window group, calculate, based on the executed probabilities of that control instruction within the fourth time windows included in that time window group as calculated by the probability calculation unit (121), the execution probability deviation of that control instruction within the first time window corresponding to that time window group.
  10. The apparatus according to claim 8, wherein the second identification module (14) comprises:
    a second identification unit (141), configured to identify the time window start identifier and the time window end identifier from the collected control instructions;
    a start point determination unit (142), configured to, for each time window start identifier identified by the second identification unit (141), determine the time at which the control instruction corresponding to that time window start identifier was collected as a time window start point;
    an end point determination unit (143), configured to, for each time window end identifier identified by the second identification unit (141), determine the time at which the control instruction corresponding to that time window end identifier was collected as a time window end point;
    a second extraction unit (144), configured to determine the time period between each pair of sequentially adjacent time window start point and time window end point determined by the start point determination unit (142) and the end point determination unit (143) as a fifth time window;
    a second filtering unit (145), configured to, for each fifth time window determined by the second extraction unit (144), determine that fifth time window as a second time window if the control instructions collected within that fifth time window satisfy the complexity rule and there exists a first time window corresponding to the same control behavior as that fifth time window.
  11. The apparatus according to claim 10, further comprising a second analysis module (18);
    the second analysis module (18) being configured to, for each fifth time window determined by the second extraction unit (144), if the control instructions collected within that fifth time window do not satisfy the complexity rule, separately judge whether each control instruction executed within that fifth time window is in a preset instruction whitelist, determine a control instruction executed within that fifth time window to be a legitimate control instruction if it is in the instruction whitelist, and determine a control instruction executed within that fifth time window to be a suspicious control instruction if it is not in the instruction whitelist.
  12. The apparatus according to any one of claims 7 to 11, wherein
    the control instruction comprises at least one control command executed in sequence, wherein the control command is the basic unit for implementing device control and status feedback in the target industrial control system (30), and each control command may include at least one associated parameter.
  13. An industrial network behavior analysis apparatus (20), comprising: at least one memory (21) and at least one processor (22);
    the at least one memory (21) being configured to store a machine-readable program;
    the at least one processor (22) being configured to invoke the machine-readable program to perform the method according to any one of claims 1 to 6.
  14. An industrial network behavior analysis system (100), comprising: an industrial network behavior analysis apparatus (10, 20) according to any one of claims 7 to 13 and at least one industrial control system (30).
  15. A computer-readable medium having computer instructions stored thereon, the computer instructions, when executed by a processor, causing the processor to perform the method according to any one of claims 1 to 6.
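As an added worked example, not the patent's own code or the applicant's implementation, the following Python sketch models the learning and detection phases described in claims 2 to 5 (and mirrored by the modules of claims 8 to 11): marker-delimited windows, the complexity-rule filter, grouping by control behaviour, the per-instruction executed probability, the deviation kept as the min/max range across a group, and the whitelist fallback for windows that fail the complexity rule. The marker format, the complexity rule (at least three distinct instructions), the range representation of the deviation and the sample traces are assumptions of this example.

```python
# Added illustration of the claimed two-phase scheme, not the patent's own code.
# Assumed: "START:x"/"END:x" marker instructions, complexity rule = at least
# MIN_DISTINCT distinct instructions, deviation represented as a [min, max] range.
from collections import Counter
START, END, MIN_DISTINCT = "START:", "END:", 3

def split_windows(trace):   # -> [(behaviour, [instructions])] per marker-delimited window
    windows, current, behaviour = [], None, None
    for instr in trace:
        if instr.startswith(START):                          # window start marker
            behaviour, current = instr[len(START):], []
        elif instr.startswith(END) and current is not None:  # window end marker
            windows.append((behaviour, current))
            current = None
        elif current is not None:
            current.append(instr)
    return windows

def probabilities(instrs):      # executions of i / all executions in the window
    return {i: n / len(instrs) for i, n in Counter(instrs).items()}

def is_complex(instrs):
    return len(set(instrs)) >= MIN_DISTINCT

def learn(trace):
    """Learning phase: {behaviour: {instruction: (min_prob, max_prob)}}."""
    groups = {}
    for behaviour, instrs in split_windows(trace):
        if is_complex(instrs):                               # third -> fourth window
            groups.setdefault(behaviour, []).append(probabilities(instrs))
    return {b: {i: (min(p.get(i, 0.0) for p in ps), max(p.get(i, 0.0) for p in ps))
                for i in set().union(*ps)} for b, ps in groups.items()}

def analyse(model, trace, whitelist):   # detection phase, one verdict dict per live window
    verdicts = []
    for behaviour, instrs in split_windows(trace):
        if is_complex(instrs) and behaviour in model:        # fifth -> second window
            ref, probs = model[behaviour], probabilities(instrs)
            verdict = {i: "legal" if i in ref and ref[i][0] <= p <= ref[i][1]
                       else "suspicious" for i, p in probs.items()}
        else:                                                # whitelist fallback
            verdict = {i: "legal" if i in whitelist else "suspicious" for i in set(instrs)}
        verdicts.append((behaviour, verdict))
    return verdicts

LEARN_TRACE = ("START:fill read_level open_valve read_level close_valve END:fill "   # constructed, not a real capture
               "START:fill read_level read_level open_valve read_level close_valve END:fill").split()
LIVE_TRACE = ("START:fill open_valve open_valve open_valve read_level close_valve END:fill "
              "START:fill read_level reset_plc END:fill").split()
WHITELIST = {"read_level"}
```

An instruction never seen in the learned group has no reference range and is therefore reported as suspicious, which is the behaviour a defender wants for unexpected commands inside a known control behaviour.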
Publications (1)

Publication Number Publication Date
WO2021217636A1 true WO2021217636A1 (zh) 2021-11-04
Also Published As

Publication number Publication date
EP4131881A4 (en) 2024-01-10
EP4131881A1 (en) 2023-02-08
CN115380505A (zh) 2022-11-22
US20230119829A1 (en) 2023-04-20
US11829122B2 (en) 2023-11-28