WO2024045095A1 - Data processing method, electronic device, and storage medium - Google Patents


Info

Publication number
WO2024045095A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
goose
verification information
data packet
number value
Prior art date
Application number
PCT/CN2022/116365
Other languages
French (fr)
Chinese (zh)
Inventor
林涛
易恺
金一泓
Original Assignee
西门子股份公司
西门子(中国)有限公司
Application filed by 西门子股份公司, 西门子(中国)有限公司
Priority to PCT/CN2022/116365
Publication of WO2024045095A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • G06F 2113/00 Details relating to the application field
    • G06F 2113/04 Power grid distribution networks

Definitions

  • the present application relates to the field of communication technology, and in particular, to a data processing method, electronic device and storage medium.
  • GOOSE (Generic Object Oriented Substation Events) is the IEC 61850 messaging protocol referred to throughout this application.
  • The energy sector, which applies the GOOSE protocol for network communication, has become the target of more extensive and complex network security attacks. Such attacks may interrupt normal GOOSE communication or equipment control processes and cause damage to equipment and/or injury to staff, and the resulting incidents can significantly reduce productivity and increase operating costs. A technical solution is therefore needed to determine the potential security risks in GOOSE communication, improve its security and reduce the adverse effects of network security attacks.
  • embodiments of the present application provide a data processing method, electronic device, and storage medium.
  • In a first aspect, the embodiments of the present application provide a data processing method, which includes: obtaining, through a network traffic analysis tool, the first GOOSE data packet received by the data receiver in the current data reception cycle and the second GOOSE data packet received by the data receiver in the previous data reception cycle; analysing the first and second GOOSE data packets with the network traffic analysis tool to determine first verification information in the first GOOSE data packet and second verification information in the second GOOSE data packet, wherein the first verification information includes the first status number value of the first GOOSE data packet and the second verification information includes the second status number value of the second GOOSE data packet; and determining the security of the current communication of the data receiver based on a comparison of the first verification information and the second verification information.
  • the embodiments of the present application provide an electronic device, including: a processor, a communication interface, a memory, and a communication bus.
  • the processor, the communication interface, and the memory complete communication with each other through the communication bus.
  • the memory is used to store at least one executable instruction.
  • the executable instruction causes the processor to perform operations corresponding to any of the data processing methods provided in the first aspect.
  • the embodiments of the present application provide a computer-readable storage medium.
  • Computer instructions are stored on the computer-readable storage medium; when executed by a processor, they cause the processor to execute any data processing method provided in the first aspect.
  • The embodiments of the present application also provide a computer program product, tangibly stored on a computer-readable medium and including computer-executable instructions which, when executed, cause at least one processor to execute any of the data processing methods provided in the first aspect.
  • The data processing method of the embodiments can obtain, through the network traffic analysis tool, the first GOOSE data packet received by the data receiver in the current data reception cycle and the second GOOSE data packet received in the previous data reception cycle, and can use the tool to analyse both packets and determine the first verification information in the first packet and the second verification information in the second packet, where the first verification information includes the first status number value of the first GOOSE data packet and the second verification information includes the second status number value of the second GOOSE data packet. The security of the data receiver's current communication is then determined from a comparison of the first and second verification information.
  • The method can therefore quickly determine, in real time, the security of the data receiver's current GOOSE communication and more reliably determine whether it carries potential security risks, so that staff can deal with them in a timely manner, or measures can be taken automatically, reducing the adverse effects of network security attacks during GOOSE communication.
  • Figure 1 shows an optional flow chart of the data processing method according to the embodiment of the present application.
  • Figure 2 shows a schematic diagram of the retransmission mechanism of the GOOSE protocol.
  • Figure 3 shows an optional structural schematic diagram of an electronic device according to an embodiment of the present application.
  • The data processing method provided in the embodiment of the present application includes the following steps S101, S102 and S103:
  • Step S101 Obtain the first GOOSE data packet received by the data receiver in the current data reception cycle and the second GOOSE data packet received by the data receiver in the previous data reception cycle of the current data reception cycle through the network traffic analysis tool.
  • the data processing method in the embodiment of the present application can be executed by a computer device capable of data processing.
  • The computer device can include one or more processing units, such as a CPU, MCU, PLC, etc.; the data processing method can also be executed on a cloud system, an edge computing system, etc. It should be understood that the embodiments of the present application place no limitation on this.
  • The data receiver can be a device that receives GOOSE data packets during GOOSE communication and, after receiving a GOOSE data packet, acts in response to the data in it. Taking a relay as the data receiver, for example, after receiving a GOOSE data packet it can respond to the data by keeping its relay coil energised or de-energised, etc.
  • the data sender is the other party that performs GOOSE communication with the data receiver, which can also be a device.
  • the data sender sends the GOOSE data packet to the data receiver.
  • the GOOSE data packet may be sent to the data receiver through a switch (such as an Ethernet switch).
  • A network attacker can tamper with or otherwise manipulate the GOOSE data packets received by the data receiver, causing anomalies in the received packets and making it difficult for the data receiver to respond correctly to their data and act normally. This in turn disrupts the communication process and the subsequent device control process, which is the goal of the network security attack.
  • The network traffic analysis tool in this application acts as an IDS (Intrusion Detection System): it monitors and captures network traffic data, such as the GOOSE data packets received by the data receiver.
  • Compared with the conventional approach of intercepting data packets with a firewall, an IDS built on a network traffic analysis tool is not inserted inline on any link and does not require network traffic to flow through it; it only needs to be attached to a link that the traffic of interest (the traffic to be captured) must traverse, in practice via a switch mirror port or a network tap. It therefore affects neither the connectivity and stability of the network nor the speed of the original link. The practical caveat is that, being passive, it can detect but not block a forged packet: the data receiver will already have acted on it by the time an alert is raised.
  • the network traffic analysis tool in this application can be implemented with any existing network traffic analyzer.
  • the network traffic analysis tool can be implemented with Zeek network traffic analyzer.
  • Zeek is a passive, open-source network traffic analyzer commonly used as a network security monitoring tool. It captures network data easily and provides a flexible framework in which developers can analyse traffic of different protocols (such as GOOSE, HTTP, FTP, SSH, DNP3, etc.) and write plug-ins that implement different functions. Protocols such as HTTP, FTP, SSH and DNP3 are handled by Zeek's built-in analyzers; GOOSE parsing is supplied by the plug-in described below.
  • the data receiver receives one GOOSE data packet within one data reception cycle.
  • The first GOOSE data packet received by the data receiver in the current data reception cycle and the second GOOSE data packet received in the previous data reception cycle are thus two consecutive GOOSE data packets received by the data receiver.
  • In order to ensure the reliability of high-speed communication, GOOSE uses a retransmission mechanism.
  • When a new event 200 occurs (for example, when the data sender is a device, a switch state change, a motor blockage, etc.: a physical event converted into an abstract software event), a GOOSE message is published to the data receiver immediately, and the data sender then keeps retransmitting the same state for as long as it persists.
  • The time interval between adjacent GOOSE message transmissions (i.e. from the start of sending one GOOSE message to the start of sending the next) increases exponentially (as shown in Figure 2, the intervals T1, T2, T3, ... grow successively) and stops changing once it reaches the steady-state value T0.
  • The values of T1, T0 and the exponential increment can be set in the initial configuration of the data sender before GOOSE communication starts:
  • T1 is the minimum retransmission time after a new event occurs;
  • T2 and T3 are the retransmission times before the stable value T0 is reached;
  • T0 is the retransmission time in the stable state (no new events occur).
  • T0 can be cut short (refer to (T0) in Figure 2: after new event 200 occurs, T1 starts immediately). The retransmission mechanism of the GOOSE protocol in Figure 2 is existing technology and is not described further here.
  • The different time intervals T1, T2, T3, T0, etc. can each be regarded as a data reception cycle.
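As an added example (not code from the patent or from Siemens), the following Python models the retransmission ladder of Figure 2 together with the counter rules of IEC 61850-8-1 (StNum increments and SqNum resets to zero on each new event; SqNum increments on each retransmission) and the subscriber's rule of acting only on a higher StNum, or a higher SqNum while StNum is unchanged. It then shows what one injected high-StNum message does to the subscriber. The event times, the doubling factor and the T1/T0 values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class GooseMsg:
    t_ms: int      # time the message is published (ms); stands in for the GOOSE "t" field
    st_num: int    # StNum: incremented on every new event (state change)
    sq_num: int    # SqNum: 0 for the first message of a new state, then +1 per retransmission
    state: bool    # the published data-set value, e.g. "relay coil energised"


def retransmission_intervals(t1_ms: int, t0_ms: int, factor: int, count: int) -> List[int]:
    """The interval ladder of Figure 2: T1, T2 = T1*factor, T3 = T2*factor, ... capped at T0.

    The multiplication factor is an assumption of this model; the text only says the
    interval grows exponentially until it reaches the steady-state value T0.
    """
    intervals, gap = [], t1_ms
    for _ in range(count):
        intervals.append(gap)
        gap = min(gap * factor, t0_ms)
    return intervals


def simulate_sender(events: List[Tuple[int, bool]], horizon_ms: int,
                    t1_ms: int = 4, t0_ms: int = 1000, factor: int = 2) -> List[GooseMsg]:
    """Messages a GOOSE publisher emits for a list of (t_ms, state) events, in time order.

    Each new event increments StNum, resets SqNum to 0 and restarts the retransmission
    ladder; until the next event the same state is retransmitted with SqNum counting up.
    """
    msgs: List[GooseMsg] = []
    st_num = 0
    for i, (t_event, state) in enumerate(events):
        next_event = events[i + 1][0] if i + 1 < len(events) else horizon_ms
        st_num += 1
        sq_num, t, gap = 0, t_event, t1_ms
        while t < next_event:
            msgs.append(GooseMsg(t, st_num, sq_num, state))
            t += gap
            sq_num += 1
            gap = min(gap * factor, t0_ms)
    return msgs


def receiver_accepts(prev: Optional[GooseMsg], cur: GooseMsg) -> bool:
    """Subscriber rule stated in the text: act only on a higher StNum, or on a higher
    SqNum while StNum is unchanged; anything else is treated as stale and discarded."""
    if prev is None:
        return True
    if cur.st_num != prev.st_num:
        return cur.st_num > prev.st_num
    return cur.sq_num > prev.sq_num


def deliver(stream: List[GooseMsg]) -> List[GooseMsg]:
    """Run a time-ordered stream through the subscriber rule; return the messages acted upon."""
    accepted: List[GooseMsg] = []
    last: Optional[GooseMsg] = None
    for msg in stream:
        if receiver_accepts(last, msg):
            accepted.append(msg)
            last = msg
    return accepted


if __name__ == "__main__":
    # Constructed scenario: breaker trips at t=0 ms (state False), is closed again at
    # t=20 ms (state True); we watch until t=40 ms with T1=4 ms and T0=16 ms.
    legit = simulate_sender([(0, False), (20, True)], horizon_ms=40, t1_ms=4, t0_ms=16)
    print("ladder:", retransmission_intervals(4, 16, 2, 5))
    for m in legit:
        print("sent", m)
    # One forged message with a far higher StNum slipped in at t=10 ms.
    forged = GooseMsg(t_ms=10, st_num=99, sq_num=0, state=False)
    seen = sorted(legit + [forged], key=lambda m: m.t_ms)
    print("acted upon:", [(m.t_ms, m.st_num, m.sq_num, m.state) for m in deliver(seen)])
    # The genuine change at t=20 ms (StNum 2) is discarded because 2 < 99.
```

The last print is the point of the example: after the forged StNum 99 arrives, every genuine message, including the real state change at 20 ms, fails the subscriber rule and is dropped, which is exactly the failure the comparison of StNum1 and StNum2 in step S103 is meant to catch.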
  • Step S102: Use the network traffic analysis tool to analyse the first GOOSE data packet and the second GOOSE data packet, and determine the first verification information in the first GOOSE data packet and the second verification information in the second GOOSE data packet, where the first verification information includes the first status number value of the first GOOSE data packet and the second verification information includes the second status number value of the second GOOSE data packet.
  • Analysing the two packets with the network traffic analysis tool can be implemented with any data packet parsing algorithm and is not particularly limited here.
  • "Using a network traffic analysis tool to analyse the first GOOSE data packet and the second GOOSE data packet" in step S102 includes: integrating a pre-established data packet analysis plug-in into the network traffic analysis tool, and analysing the first and second GOOSE data packets through that plug-in.
  • The pre-built plug-in can be a DPA (Deep Packet Analysis) plug-in integrated into the network traffic analysis tool (such as the Zeek network traffic analyzer). It implements deep packet analysis algorithms and, when parsing the packets, extracts the first verification information from the first GOOSE data packet and the second verification information from the second GOOSE data packet, which makes it straightforward to determine the security of the data receiver's current communication.
  • The first verification information includes at least the first status number value in the first GOOSE data packet, and the second verification information includes at least the second status number value in the second GOOSE data packet; both are used in subsequent step S103 to determine the security of the data receiver's current communication.
  • The APDU (Application Protocol Data Unit) of a GOOSE message carries a status number counter (StNum) and a sequence number counter (SqNum).
  • On each new event (as described above: for example, when the data sender is a device, physical events such as a switch state change or a motor blockage are converted into abstract software events), the data sender responds to the change by publishing a GOOSE message with an incremented StNum, i.e. StNum increases by 1 each time a value changes.
  • While the state is unchanged, the data sender retransmits the same GOOSE message, increasing only SqNum while StNum remains unchanged.
  • StNum, SqNum and the aforementioned T0 are all set on the data sender. The data receiver in GOOSE communication responds only to GOOSE messages whose StNum is higher than that of the previous GOOSE message, or whose SqNum is higher when StNum is unchanged. The StNum and SqNum handling of the GOOSE protocol is existing technology and is not described further here.
  • the first status number value is the value of the status number counter (StNum) in the first GOOSE data packet
  • the second status number value is the value of the status number counter (StNum) in the second GOOSE data packet.
  • In the following, the first status number value is denoted StNum1 and the second status number value StNum2.
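The verification information has to be read out of the GOOSE APDU, which is BER-encoded. As an added example (not the patent's DPA plug-in and not Siemens code), here is a minimal Python parser for the fields the method needs (StNum, SqNum, the timestamp t and, as a device operating parameter, the first boolean entry of the data set), plus an encoder used only to construct a test frame in place of a capture. The tag values follow IEC 61850-8-1; the gocbRef, dataset name, goID and MAC addresses are made up.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GOOSE_ETHERTYPE = 0x88B8

# BER tags of the IECGoosePdu (IEC 61850-8-1); only the fields this method needs are decoded.
TAG_GOOSE_PDU = 0x61
TAG_GOCBREF, TAG_TTL, TAG_DATSET, TAG_GOID = 0x80, 0x81, 0x82, 0x83
TAG_T, TAG_STNUM, TAG_SQNUM = 0x84, 0x85, 0x86
TAG_ALLDATA = 0xAB
TAG_DATA_BOOLEAN = 0x83      # "boolean" alternative of the Data CHOICE inside allData


@dataclass(frozen=True)
class GooseFields:
    app_id: int
    gocb_ref: str
    st_num: int                  # status number counter
    sq_num: int                  # sequence number counter
    t_seconds: float             # timestamp t: seconds since epoch plus 24-bit fraction
    first_bool: Optional[bool]   # first data-set entry when it is a boolean, else None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:            # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def _tlv_map(buf: bytes) -> Dict[int, bytes]:
    fields, pos = {}, 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        fields[tag] = value
    return fields


def parse_goose_frame(frame: bytes) -> GooseFields:
    """Parse an untagged Ethernet GOOSE frame down to the verification information.

    Layout: 14-byte Ethernet header, then APPID(2) Length(2) Reserved1(2) Reserved2(2),
    then the BER-encoded IECGoosePdu; Length covers that 8-byte header plus the PDU.
    VLAN-tagged frames (EtherType 0x8100 first) are rejected rather than guessed at.
    """
    if struct.unpack("!H", frame[12:14])[0] != GOOSE_ETHERTYPE:
        raise ValueError("not a GOOSE frame (EtherType != 0x88B8)")
    app_id, length = struct.unpack("!HH", frame[14:18])
    tag, pdu, _ = _read_tlv(frame[22:14 + length], 0)
    if tag != TAG_GOOSE_PDU:
        raise ValueError("expected IECGoosePdu (tag 0x61)")
    f = _tlv_map(pdu)
    secs = int.from_bytes(f[TAG_T][:4], "big")
    frac = int.from_bytes(f[TAG_T][4:7], "big") / float(1 << 24)
    all_data = f.get(TAG_ALLDATA, b"")
    first_bool = None
    if all_data and all_data[0] == TAG_DATA_BOOLEAN:
        _, v, _ = _read_tlv(all_data, 0)
        first_bool = v != b"\x00"
    return GooseFields(app_id, f[TAG_GOCBREF].decode("ascii"),
                       int.from_bytes(f[TAG_STNUM], "big", signed=True),
                       int.from_bytes(f[TAG_SQNUM], "big", signed=True),
                       secs + frac, first_bool)


def _ber_uint(n: int) -> bytes:
    """Shortest two's-complement encoding of a non-negative integer (sign bit clear)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def _tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def build_goose_frame(app_id: int, gocb_ref: str, st_num: int, sq_num: int,
                      t_seconds: float, state: bool) -> bytes:
    """Encode a minimal GOOSE frame; used here only to construct test input in place of a capture."""
    secs = int(t_seconds)
    frac = min(int(round((t_seconds - secs) * (1 << 24))), (1 << 24) - 1)
    t_field = secs.to_bytes(4, "big") + frac.to_bytes(3, "big") + b"\x0a"  # last octet: time quality
    pdu = (_tlv(TAG_GOCBREF, gocb_ref.encode("ascii")) + _tlv(TAG_TTL, _ber_uint(2000))
           + _tlv(TAG_DATSET, b"IED1CFG/LLN0$dsGOOSE") + _tlv(TAG_GOID, b"gcb01")
           + _tlv(TAG_T, t_field) + _tlv(TAG_STNUM, _ber_uint(st_num))
           + _tlv(TAG_SQNUM, _ber_uint(sq_num))
           + _tlv(TAG_ALLDATA, _tlv(TAG_DATA_BOOLEAN, b"\x01" if state else b"\x00")))
    apdu = _tlv(TAG_GOOSE_PDU, pdu)
    header = struct.pack("!HHHH", app_id, 8 + len(apdu), 0, 0)
    dst, src = bytes.fromhex("010ccd010001"), bytes.fromhex("001122334455")  # made-up MACs
    return dst + src + struct.pack("!H", GOOSE_ETHERTYPE) + header + apdu


if __name__ == "__main__":
    ref = "IED1CFG/LLN0$GO$gcb01"
    second = parse_goose_frame(build_goose_frame(1, ref, 7, 3, 1700000000.0, True))  # previous cycle
    first = parse_goose_frame(build_goose_frame(1, ref, 7, 4, 1700000000.0, True))   # current cycle
    print("StNum2/SqNum2 =", second.st_num, second.sq_num)
    print("StNum1/SqNum1 =", first.st_num, first.sq_num)
    print("StNum1 - StNum2 =", first.st_num - second.st_num)
```

Two things matter for a detector built on this: the counters are BER INTEGERs, so a value of 128 or more is encoded with a leading zero octet and must be decoded as signed, and the parser rejects frames it does not understand (VLAN tagging, a missing PDU tag) instead of guessing, since an attacker controls every byte after the EtherType.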
  • Step S103 Based on the comparison of the first verification information and the second verification information, determine the security of the current communication of the data recipient.
  • As described above, the network traffic analysis tool analyses the first and second GOOSE data packets and determines the first verification information (including the first status number value) in the first packet and the second verification information (including the second status number value) in the second packet; the security of the data receiver's current communication is then determined from a comparison of the two. The method can therefore quickly and in real time determine the security of the data receiver's current GOOSE communication and more reliably identify potential security risks, so that staff can deal with them in a timely manner, or measures can be taken automatically, reducing the adverse effects of network security attacks during GOOSE communication.
  • the type of potential security risks can also be determined at the same time, which is not limited here.
  • In step S103, "determining the security of the current communication of the data receiver based on the comparison of the first verification information and the second verification information" includes: if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the first predetermined threshold, determining that there is a security risk in the current communication of the data receiver, and determining the type of security risk as tampering with the status number value of the GOOSE data packet.
  • In normal communication the status number value increases sequentially over time: the first status number value StNum1 of the first (newer) GOOSE data packet should equal the second status number value StNum2 of the second (previous) packet when the packet is a retransmission, or exceed it by one when a new event has occurred.
  • If the difference between StNum1 and StNum2 is too large, that is, greater than the first predetermined threshold, the status number value in the GOOSE data packets received by the data receiver has undergone an abnormal jump. Such a jump is typically caused by an external attacker feeding the data receiver a GOOSE data packet with a high StNum value, so that the packets of the originally normal communication are effectively overridden.
  • Under the GOOSE protocol, the data receiver will accept and respond to the high-StNum packet (the one injected by the attacker) in the current data reception cycle and discard the low-StNum packets sent by the data sender (the packets of the normal communication). An external attacker can thus use tampered, high-StNum GOOSE data packets to interfere directly with the data receiver's subsequent GOOSE communication and equipment control processes, seriously affecting normal operation of the equipment and/or the personal safety of staff.
  • the first predetermined threshold can be set according to the actual situation, for example, it can be 2, 10, 100, 500, 1000, 2000, etc., and is not specifically limited here.
  • In this way the application can effectively determine whether the status number value of the GOOSE data packet has been tampered with, so that staff can deal with the security risk in a timely manner, or measures can be taken automatically, reducing the adverse effects of this risk in the GOOSE communication process.
  • As an example, the data sender is a protection relay at a factory site. When it detects a fault in its own area (the first site area), its relay coil loses power and the circuit breaker connected to it opens, de-energising that area.
  • The data receiver is the main relay at the factory site, which can trip the main circuit breaker connected to it by de-energising its own relay coil, powering off the equipment in a larger area of the site (the second area, which may include the first site area) to ensure the safety of the equipment in the second area.
  • The protection relay (the data sender) communicates with the main relay (the data receiver) through a switch, which can be an Ethernet switch.
  • After handling the fault locally, the protection relay sends a GOOSE data packet to the main relay through the switch to inform it, so that the main relay does not trip the main circuit breaker when it subsequently detects the fault, avoiding a wide-area power outage.
  • A network attacker intercepts the GOOSE data packet transmitted from the switch to the main relay, analyses it, tampers with its status number value StNum to a higher value, and sends it on to the main relay through the switch.
  • In accordance with the GOOSE protocol, the main relay responds to the attacker's high-StNum packet and discards the low-StNum packets sent by the protection relay. When the main relay subsequently detects the fault, it trips the main circuit breaker, cutting power to the equipment in the second area and causing a wider outage.
  • Whether the status number value of the GOOSE data packet has been tampered with is thus determined by checking whether the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the first predetermined threshold.
  • The first verification information also includes the first sequence number value of the first GOOSE data packet, and the second verification information also includes the second sequence number value of the second GOOSE data packet.
  • Step S103 then includes: if the difference between the first sequence number value in the first verification information and the second sequence number value in the second verification information is greater than the second predetermined threshold, while the first status number value equals the second status number value, determining that there is a security risk in the current communication of the data receiver, and determining the type of security risk as tampering with the sequence number value of the GOOSE data packet.
  • In the following, the first sequence number value of the first GOOSE data packet is denoted SqNum1 and the second sequence number value of the second GOOSE data packet SqNum2.
  • If the difference between SqNum1 and SqNum2 is too large, that is, greater than the second predetermined threshold, while StNum is unchanged, the sequence number value in the GOOSE data packets received by the data receiver has undergone an abnormal jump. Such a jump is typically caused by an external attacker feeding the data receiver a GOOSE data packet with a high SqNum value.
  • Under the GOOSE protocol, when the status number value StNum remains unchanged, the data receiver will accept and respond to the high-SqNum packet (the one injected by the attacker) in the current data reception cycle and discard the low-SqNum packets sent by the data sender (the packets of the normal communication). An external attacker can thus use tampered, high-SqNum GOOSE data packets to interfere directly with the data receiver's subsequent GOOSE communication and equipment control processes, seriously affecting normal operation of the equipment and/or the personal safety of staff.
  • the second predetermined threshold can be set according to the actual situation, for example, it can be 2, 10, 50, 100, 200, 500, 1000, etc., which is not specifically limited here.
  • In this way the application can effectively determine whether the sequence number value of the GOOSE data packet has been tampered with, so that staff can deal with the security risk in a timely manner, or measures can be taken automatically, reducing the adverse effects of this risk in the GOOSE communication process.
  • The data processing method may also include obtaining the first device operating parameter in the current data reception cycle and the second device operating parameter in the previous data reception cycle. Step S103 then includes: if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the third predetermined threshold, and the first device operating parameter is not equal to the second device operating parameter, determining that there is a security risk in the current communication of the data receiver, and determining the type of security risk as equipment-failure data having been injected into the data receiver.
  • both the data receiver and the data sender in this application can be equipment, such as relays, motors, etc.
  • The device operating parameters are the operating parameters of relays, motors, switching devices, etc.: for a relay, a parameter indicating whether its relay coil is energised; for a motor, a parameter indicating whether the motor is rotating; for a switching device, its switching status.
  • The first device operating parameter can be parsed from the first GOOSE data packet and the second from the second GOOSE data packet; both can be obtained by parsing with the data packet analysis plug-in integrated into the aforementioned network traffic analysis tool, or through other methods, which this application does not limit.
  • the third predetermined threshold can be set according to the actual situation.
  • the third predetermined threshold can be set to 1, or it can be 2, 5, 10, etc., which is not specifically limited here.
  • In normal GOOSE communication between the data sender and the data receiver, when the status number value changes it increases sequentially in chronological order, so StNum1 of the first GOOSE data packet should exceed StNum2 of the second by at most one, and a legitimate change of the device operating parameter is accompanied by a StNum increase of exactly one. If the StNum difference exceeds the third predetermined threshold while the device operating parameter has also changed, the change is not the result of a normal event but of injected equipment-failure data.
  • In this way it can be determined more conveniently and accurately whether equipment-failure data has been injected into the data receiver, so that staff can deal with the security risk in a timely manner, or measures can be taken automatically, reducing the adverse effects of this risk in the GOOSE communication process.
  • The data processing method may also include obtaining the first timestamp parameter in the current data reception cycle and the second timestamp parameter in the previous data reception cycle. Step S103 then includes: if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the fourth predetermined threshold, and the first timestamp parameter is less than or equal to the second timestamp parameter, determining that there is a security risk in the current communication of the data receiver, and determining the type of security risk as disruption of the communication timing of the data receiver's current communication process.
  • The first timestamp parameter can be obtained by parsing the first GOOSE data packet and the second timestamp parameter by parsing the second GOOSE data packet; both can be obtained with the data packet analysis plug-in integrated into the aforementioned network traffic analysis tool, or through other methods, which this application does not limit.
  • The timestamp parameter indicates the sending time of the GOOSE data packet.
  • Since the first GOOSE data packet is sent later than the second, the first timestamp parameter should be greater than the second timestamp parameter. Therefore, if the first timestamp parameter is less than or equal to the second timestamp parameter, and the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the fourth predetermined threshold, the communication timing of the current communication between the data sender and the data receiver is disordered: a GOOSE message that has already been sent to the data receiver is being sent to it again, which disturbs the data receiver's communication and adversely affects the actions the data receiver takes based on the first GOOSE data packet.
  • the fourth predetermined threshold can be set according to actual conditions, and is not limited here. Generally, the fourth predetermined threshold may be set to 1.
  • In this way the application can effectively determine whether the communication timing of the data receiver's current communication process is disordered, so that staff can deal with the security risk in a timely manner, or measures can be taken automatically, reducing the negative impact of this risk in the GOOSE communication process.
  • The data processing method may also include: if the number of times the data receiver has received the same GOOSE data packet within a predetermined time period is greater than the predetermined count threshold, determining that there is a security risk in the current communication of the data receiver, and determining the type of security risk as a DoS flood attack on the data receiver.
  • The predetermined time period can be set according to the actual situation, for example 10 seconds, 30 seconds, 1 minute, 2 minutes, etc., and is not specifically limited here.
  • The predetermined count threshold can likewise be set according to the actual situation, for example 50,000, 80,000, 100,000, etc., and is not specifically limited here. For example, with a predetermined time period of 1 minute and a count threshold of 100,000, receiving the same GOOSE data packet more than 100,000 times within one minute indicates a flood.
  • In this way the application can effectively determine whether the data receiver is subject to a DoS flood attack, so that staff can deal with the security risk in a timely manner, or measures can be taken automatically, reducing the adverse effects of this risk during GOOSE communication. Note that the comparison checks of the preceding steps see each flooded copy as a retransmission with unchanged StNum and SqNum, so the count-based check is the one that catches a flood.
  • the data processing method further includes: generating a log file indicating the determination result according to the determination result of the type of security risk, and sending the log file to an external monitoring unit.
  • the external monitoring unit can be a computer device (such as a host computer at the substation site or a worker's computer), a portable device (such as a worker's mobile phone or PAD), a cloud platform, or a software monitoring platform, and is not restricted here.
  • the log file can also record in detail the determination process and relevant details of the security risk, the source of the network security attack, etc., so that staff can analyse and deal with it better.
  • a notification message indicating the determination result of the type of security risk may be sent directly to the external monitoring unit without generating a log file, which is not limited here.
  • Figure 3 shows a schematic structural diagram of an optional electronic device according to an embodiment of the present application.
  • the embodiment of the present application does not limit the specific implementation of the electronic device 300.
  • the electronic device 300 provided in the second aspect of the embodiment of the present application includes: a processor 302, a communication interface 304, a memory 306, and a communication bus 308.
  • the processor 302, the communication interface 304, and the memory 306 complete communication with each other through the communication bus 308.
  • Communication interface 304 is used to communicate with other electronic devices or servers.
  • the processor 302 is used to execute the program 310. Specifically, it can execute the relevant steps in any of the foregoing data processing method embodiments.
  • program 310 may include program code including computer operating instructions.
  • the processor 302 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present application.
  • the one or more processors included in the smart device can be the same type of processor, such as one or more CPUs; or they can be different types of processors, such as one or more CPUs and one or more ASICs.
  • Memory 306 is used to store program 310.
  • the memory 306 may include high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
  • the program 310 can be specifically used to cause the processor 302 to execute the data processing method in any of the foregoing embodiments.
  • for each step in the program 310, refer to the corresponding description of the corresponding steps and units in any of the foregoing data processing method embodiments, which will not be described again here.
  • Those skilled in the art can clearly understand that for the convenience and simplicity of description, the specific working processes of the above-described devices and modules can be referred to the corresponding process descriptions in the foregoing method embodiments, and will not be described again here.
  • embodiments of the present application provide a computer storage medium that stores instructions for causing a machine to execute the data processing method as described herein.
  • a system or device equipped with a storage medium may be provided, on which the software program code that implements the functions of any of the above embodiments is stored, and the computer (or CPU or MPU) of the system or device reads and executes the program code stored in the storage medium.
  • the program code itself read from the storage medium can implement the functions of any one of the above embodiments, and therefore the program code and the storage medium storing the program code form part of this application.
  • examples of storage media for providing the program code include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), tapes, non-volatile memory cards and ROM.
  • the program code can be downloaded from the server computer via the communications network.
  • the program code read from the storage medium is written into the memory provided in an expansion board inserted into the computer, or into the memory provided in an expansion module connected to the computer, and the instructions based on the program code then cause the CPU installed on the expansion board or expansion module to perform part or all of the actual operations, thereby realizing the functions of any of the above embodiments.
  • the embodiments of the present application further provide a computer program product, which is tangibly stored on a computer-readable medium and includes computer-executable instructions; when executed, the computer-executable instructions cause at least one processor to execute the data processing method provided by the above embodiments. It should be understood that each solution in this embodiment has the corresponding technical effects of the above method embodiment, which will not be described again here.
  • the electronic device 400/computer storage medium embodiments of the present application are basically similar in content and beneficial effects to the data processing method embodiment provided in the first aspect, so the description here is relatively brief; refer to the embodiments of the aforementioned data processing method.
  • the term “include” and its variations are open-ended, ie, “including but not limited to.”
  • the term “based on” means “based at least in part on.”
  • the term “one embodiment” means “at least one embodiment”; the term “another embodiment” means “at least one additional embodiment”; and the term “some embodiments” means “at least some embodiments”. It should be noted that the modifiers “one” and “multiple” mentioned in this application are illustrative and not restrictive. Those skilled in the art will understand that, unless the context clearly indicates otherwise, they should be understood as “one or more”.
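The two detection rules listed above (the timing rule that combines the timestamp comparison with the fourth predetermined threshold, and the same-packet count rule for DoS floods, together with the log record sent to the external monitoring unit) written out as a small Python detector over constructed packet records. This is an added example, not code from the patent or from any product of the applicant: the record layout, the names GooseRecord, check_timing, FloodDetector and make_log_record, and all sample values are assumptions; the page's example settings (threshold 1, period 1 minute, 100,000 times) are used as the defaults.

```python
"""Added example: timing-confusion and DoS-flood checks over consecutive GOOSE
packet records. Constructed data; names and layout are assumptions, not the
patent's own code."""
from collections import deque
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class GooseRecord:
    """Verification information the traffic analysis tool would extract from one packet."""
    st_num: int        # StNum carried by the packet
    sq_num: int        # SqNum carried by the packet
    timestamp: float   # timestamp parameter (sender's send time, seconds)
    frame: bytes       # raw frame bytes, used only to recognise "the same packet"


def check_timing(first: GooseRecord, second: GooseRecord, fourth_threshold: int = 1):
    """Timing rule: `first` is the packet of the current period, `second` the one of
    the previous period, so `first` should carry the later timestamp. If it does not,
    and StNum jumped by more than the fourth predetermined threshold, the sender is
    re-sending messages it already sent (communication timing confused)."""
    timestamp_not_later = first.timestamp <= second.timestamp
    st_num_jump = first.st_num - second.st_num
    if timestamp_not_later and st_num_jump > fourth_threshold:
        return "communication_timing_confused"
    return None


class FloodDetector:
    """Same-packet counter over a sliding window: if an identical GOOSE packet is seen
    more than `count_threshold` times within `period_s` seconds, report a DoS flood."""

    def __init__(self, period_s: float = 60.0, count_threshold: int = 100_000):
        self.period_s = period_s
        self.count_threshold = count_threshold
        self._arrivals: dict[bytes, deque] = {}

    def observe(self, frame: bytes, arrival_s: float):
        key = hashlib.sha256(frame).digest()   # identity of "the same GOOSE data packet"
        q = self._arrivals.setdefault(key, deque())
        q.append(arrival_s)
        # Forget arrivals older than the predetermined time period.
        while q and arrival_s - q[0] > self.period_s:
            q.popleft()
        if len(q) > self.count_threshold:
            return "dos_flood_attack"
        return None


def make_log_record(receiver: str, risk_type: str, first: GooseRecord, second: GooseRecord) -> str:
    """One-line JSON log entry for the external monitoring unit: the determination
    result plus the verification information it was based on."""
    return json.dumps({
        "receiver": receiver,
        "risk_type": risk_type,
        "first": {"st_num": first.st_num, "sq_num": first.sq_num, "t": first.timestamp},
        "second": {"st_num": second.st_num, "sq_num": second.sq_num, "t": second.timestamp},
    }, sort_keys=True)


def run_demo():
    """Constructed traffic: a normal pair, a replayed pair, and a flood of one frame."""
    findings = []
    # Normal: StNum advanced by one and the timestamp moved forward.
    prev = GooseRecord(st_num=7, sq_num=0, timestamp=100.000, frame=b"frame-7")
    cur = GooseRecord(st_num=8, sq_num=0, timestamp=100.004, frame=b"frame-8")
    findings.append(check_timing(cur, prev))
    # Replay: the current packet carries an older timestamp and a StNum jump of 4.
    cur = GooseRecord(st_num=11, sq_num=0, timestamp=99.990, frame=b"frame-11")
    findings.append(check_timing(cur, prev))
    # Flood: the same frame 100,001 times within 50 seconds (period 1 minute).
    det = FloodDetector(period_s=60.0, count_threshold=100_000)
    flood = None
    for i in range(100_001):
        flood = det.observe(b"frame-8", arrival_s=i * 0.0005)
    findings.append(flood)
    return findings


if __name__ == "__main__":
    print(run_demo())
```

The flood counter keys on a hash of the whole frame, so a retransmission with a different SqNum is a different packet and does not count towards the threshold; only literally identical frames do, which is what the rule above asks for.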

Abstract

Embodiments of the present application provide a data processing method, an electronic device, and a storage medium. The data processing method comprises: obtaining, by means of a network traffic analysis tool, a first GOOSE data packet received by a data receiver in the current data receiving period and a second GOOSE data packet received by the data receiver in the previous data receiving period of the current data receiving period; parsing the first GOOSE data packet and the second GOOSE data packet by using the network traffic analysis tool, to determine first verification information in the first GOOSE data packet and second verification information in the second GOOSE data packet, wherein the first verification information comprises a first state number value of the first GOOSE data packet, and the second verification information comprises a second state number value of the second GOOSE data packet; and determining the security of the current communication of the data receiver on the basis of the comparison of the first verification information and the second verification information.

Description

Data processing method, electronic device and storage medium
Technical field
The present application relates to the field of communication technology, and in particular to a data processing method, an electronic device and a storage medium.
Background
IEC 61850 GOOSE (Generic Object Oriented Substation Events) is a communication protocol that defines a controlled model mechanism in which data of any format (status, values) is grouped into a data set and transmitted within a predetermined time; it is widely used for substation event communication in the energy sector. Today the energy sector is vital to a nation's economy and constantly seeks ways to modernize its systems and raise productivity and efficiency. Energy-sector installations that use the GOOSE protocol for network communication have become the target of broader and more sophisticated cyber attacks. Such attacks can interrupt normal GOOSE communication or equipment control processes and cause damage to equipment and/or harm to personnel, and these incidents can significantly reduce productivity and raise operating costs. A technical solution is therefore needed to identify the potential security risks of GOOSE communication, so as to improve its security and reduce the adverse effects of cyber attacks.
Summary of the invention
To at least partially solve the above technical problems, embodiments of the present application provide a data processing method, an electronic device and a storage medium.
According to a first aspect of the embodiments of the present application, a data processing method is provided, which includes:
obtaining, by means of a network traffic analysis tool, a first GOOSE data packet received by a data receiver in the current data receiving period and a second GOOSE data packet received by the data receiver in the data receiving period preceding the current one;
parsing the first GOOSE data packet and the second GOOSE data packet with the network traffic analysis tool to determine first verification information in the first GOOSE data packet and second verification information in the second GOOSE data packet, wherein the first verification information includes a first status number value of the first GOOSE data packet and the second verification information includes a second status number value of the second GOOSE data packet;
determining the security of the current communication of the data receiver based on a comparison of the first verification information and the second verification information.
According to a second aspect of the embodiments of the present application, an electronic device is provided, including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus; the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to any of the data processing methods provided in the first aspect.
According to a third aspect of the embodiments of the present application, a computer-readable storage medium is provided, on which computer instructions are stored; when executed by a processor, the computer instructions cause the processor to perform any of the data processing methods provided in the first aspect.
According to a fourth aspect of the embodiments of the present application, a computer program product is provided, which is tangibly stored on a computer-readable medium and includes computer-executable instructions; when executed, the computer-executable instructions cause at least one processor to perform any of the data processing methods provided in the first aspect.
With the data processing method of the embodiments of the present application, the first GOOSE data packet received by the data receiver in the current data receiving period and the second GOOSE data packet received in the preceding data receiving period can be obtained through the network traffic analysis tool; the tool can parse both packets to determine the first verification information (which includes the first status number value of the first GOOSE data packet) and the second verification information (which includes the second status number value of the second GOOSE data packet); and the security of the data receiver's current communication can then be determined by comparing the two. The method can therefore quickly determine, in real time, the security of the data receiver's current GOOSE communication and reliably determine whether the current GOOSE communication carries a potential security risk, so that staff can subsequently deal with the risk in a timely manner, or measures can be taken automatically to deal with it in a timely manner, thereby reducing the adverse effects of cyber attacks on the GOOSE communication process.
Description of the drawings
The following drawings are intended only to schematically illustrate and explain the present application and do not limit its scope.
Figure 1 shows an optional flow chart of the data processing method according to an embodiment of the present application.
Figure 2 shows a schematic diagram of the retransmission mechanism of the GOOSE protocol.
Figure 3 shows an optional schematic structural diagram of the electronic device according to an embodiment of the present application.
Reference signs:
300: electronic device; 302: processor; 304: communication interface; 306: memory; 308: communication bus; 310: program.
Detailed description
To enable those skilled in the art to better understand the technical solutions in the embodiments of the present application, these solutions are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present application fall within its scope of protection.
Figure 1 is an optional flow chart of the data processing method according to an embodiment of the present application. According to the first aspect of the embodiments of the present application, with reference to the flow chart in Figure 1, the data processing method provided in the embodiments includes the following steps S101, S102 and S103:
Step S101: obtain, through a network traffic analysis tool, the first GOOSE data packet received by the data receiver in the current data receiving period and the second GOOSE data packet received by the data receiver in the data receiving period preceding the current one.
It should be noted that the data processing method in the embodiments of the present application may be executed by a computer device capable of data processing, which may include one or more processing units such as a CPU, an MCU or a PLC; alternatively, the method may be executed and its data processed on a cloud system, an edge computing system or the like. It should be understood that the embodiments place no limitation on this.
In this application the data receiver may be a device that receives GOOSE data packets during GOOSE communication and, after receiving a GOOSE data packet, performs an action in response to the data in it. Taking a relay as the data receiver, for example, after receiving a GOOSE data packet it may, in response to the data, keep its relay coil energized or de-energized.
Correspondingly, the data sender is the other party in GOOSE communication with the data receiver and may also be a device. In normal GOOSE communication the data sender sends GOOSE data packets to the data receiver, for example through a switch (such as an Ethernet switch). During this process a network attacker may tamper with or otherwise manipulate the GOOSE data packets received by the data receiver, so that the received packets become abnormal and the data receiver can no longer respond correctly to their data and act normally, which in turn disrupts the communication process and the subsequent equipment control process and accomplishes the aim of the attack.
The network traffic analysis tool in this application can serve as an IDS (Intrusion Detection System) that monitors and captures network traffic data (for example the GOOSE data packets received by the data receiver). Compared with the conventional approach of intercepting packets with a firewall, a network traffic analysis tool used as an IDS is not placed inline on any link and does not need traffic to flow through it; it only needs to be attached to a link that the traffic of interest (the traffic to be captured) must traverse. It therefore does not affect the connectivity or stability of the network and has no effect at all on the speed of the original link.
The network traffic analysis tool in this application may be implemented with any existing network traffic analyzer; for example, in some optional embodiments it may be implemented with the Zeek network traffic analyzer. Zeek is a passive, open-source network traffic analyzer commonly used as a network security monitoring tool that captures network data easily. It provides a flexible framework that allows developers to create plug-ins for different protocols (such as GOOSE, HTTP, FTP, SSH and DNP3) to implement different functions.
In this application the data receiver receives one GOOSE data packet per data receiving period. For GOOSE communication, therefore, the first GOOSE data packet received by the data receiver in the current data receiving period and the second GOOSE data packet received in the preceding data receiving period are two consecutive GOOSE data packets received by the data receiver.
It should be understood that, because of the characteristics of the GOOSE protocol, two consecutive data receiving periods are not necessarily of the same length. To make high-speed communication reliable, GOOSE communication uses a retransmission mechanism. Referring to the schematic diagram of the GOOSE retransmission mechanism in Figure 2, a GOOSE message (including the GOOSE data packet) is published to the data receiver immediately after a new event 200 occurs (for example, when the data sender is a device, a physical event such as a switch state change or a motor stall is converted into an abstract software event), and the data sender then retransmits the same state for as long as it persists. In these transmissions the interval between two adjacent GOOSE message transmissions (the interval from the moment one GOOSE message starts to be sent to the moment the next one starts to be sent) increases exponentially (in Figure 2 the intervals T1, T2, T3, T0 and so on increase in turn) and stops changing once it reaches the steady-state value T0. The values of T1, T0 and the exponential increment can be set in the initial configuration of the data sender before GOOSE communication begins. In Figure 2, T1 is the minimum retransmission time after a new event, T2 and T3 are the retransmission times before the stable value T0 is reached, and T0 is the retransmission time in the stable state (no new event). If a new event occurs during T0, T0 can be cut short (see (T0) in Figure 2: after the new event 200 occurs, T1 starts immediately). It should be understood that the GOOSE retransmission mechanism of Figure 2 is prior art, so its details are not repeated here. From the data receiver's point of view, each of the different intervals T1, T2, T3, T0 and so on can be regarded as a data receiving period.
步骤S102:利用网络流量分析工具对第一GOOSE数据包和第二GOOSE数据包进行解析,确定第一GOOSE数据包中的第一验证信息和第二GOOSE数据包中的第二验证信息,其中,第一验证信息包括第一GOOSE数据包的第一状态号值,第二验证信息包括第二GOOSE数据包的第二状态号值。Step S102: Use a network traffic analysis tool to analyze the first GOOSE data packet and the second GOOSE data packet, and determine the first verification information in the first GOOSE data packet and the second verification information in the second GOOSE data packet, where, The first verification information includes the first status number value of the first GOOSE data packet, and the second verification information includes the second status number value of the second GOOSE data packet.
利用网络流量分析工具对第一GOOSE数据包和第二GOOSE数据包进行解析可以是通过任意的数据包解析算法进行实现,在此不进行特别限制。Using a network traffic analysis tool to analyze the first GOOSE data packet and the second GOOSE data packet can be implemented using any data packet parsing algorithm, and is not particularly limited here.
在一些可选的实施例中,步骤S102中的“利用网络流量分析工具对第一GOOSE数据包和第二GOOSE数据包进行解析”包括:将预先建立的数据包分析插件集成在网络流量分析工具中,通过数据包分析插件对第一GOOSE数据包和第二GOOSE数据包进行解析。In some optional embodiments, "Using a network traffic analysis tool to analyze the first GOOSE data packet and the second GOOSE data packet" in step S102 includes: integrating a pre-established data packet analysis plug-in into the network traffic analysis tool , the first GOOSE data packet and the second GOOSE data packet are analyzed through the data packet analysis plug-in.
可选地,该预先建立的数据包分析插件可以是DPA(Deep Packet Analyse,深度数据包分析)插件,其集成在网络流量分析工具(例如Zeek网络流量分析器),能够实现深度数据包分析算法,在对第一GOOSE数据包进行解析时,可以将第一GOOSE数据包中的第一验证信息和第二GOOSE数据保证的第二验证信息解析出来。通过这样的方式,可以方便地协助确定数据接收方的当前通信的安全性。Optionally, the pre-built packet analysis plug-in can be a DPA (Deep Packet Analyse) plug-in, which is integrated in a network traffic analysis tool (such as Zeek network traffic analyzer) and can implement deep packet analysis algorithms , when parsing the first GOOSE data packet, the first verification information in the first GOOSE data packet and the second verification information guaranteed by the second GOOSE data can be parsed out. In this way, it is easy to assist in determining the security of the current communication of the data recipient.
本申请中,第一验证信息至少包括第一GOOSE数据包中的第一状态号值,第二验证信息至少包括第二GOOSE数据包中的第二状态号值,第一验证信息和第二验证信息在后续步骤S103中可以用于确定数据接收方的当前通信的安全性。In this application, the first verification information at least includes the first status number value in the first GOOSE data packet, the second verification information at least includes the second status number value in the second GOOSE data packet, the first verification information and the second verification The information can be used in subsequent step S103 to determine the security of the current communication of the data recipient.
在GOOSE协议中,GOOSE的APDU(Application Protocol Data Unit,应用协议数据单元)中包括两个32位计数器,分别为状态号计数器(StNum)和序列号计数器(SqNum),这两个计数器用于支持GOOSE协议的重传机制。在进行GOOSE通信时,每个新事件(如前述新事件,例如数据发送方为一个设备,其发生开关状态改变、电机堵塞等物理事件转化为抽象的软件事件)都会导致相应数据包中的一个或多个值发生变化,在GOOSE通信时,数据发送方通过发布带有递增StNum的GOOSE消息来响应该变化,即每次有值发生变化StNum+1。在没有任何状态变化的情况下,数据发送方传输相同的GOOSE消息,并且只增加SqNum,而StNum不变。虽然StNum、SqNum和前述T0的值均在数据发送方设置,但GOOSE通信中的数据接收方仅响应StNum或SqNum(StNum不变时)高于上一条GOOSE消息的GOOSE消息。应理解,对于GOOSE协议的StNum或SqNum的相关内容应属于现有技术,在此不再对其细节进行赘述。In the GOOSE protocol, GOOSE's APDU (Application Protocol Data Unit) includes two 32-bit counters, namely the status number counter (StNum) and the sequence number counter (SqNum). These two counters are used to support The retransmission mechanism of the GOOSE protocol. When communicating with GOOSE, each new event (such as the aforementioned new event, for example, the data sender is a device, and physical events such as switch state changes and motor blockage are converted into abstract software events) will result in a corresponding data packet. Or multiple values change. During GOOSE communication, the data sender responds to the change by publishing a GOOSE message with incrementing StNum, that is, each time a value changes, StNum+1. Without any status change, the data sender transmits the same GOOSE message and only increases SqNum while StNum remains unchanged. Although the values of StNum, SqNum and the aforementioned T0 are all set on the data sender, the data receiver in GOOSE communication only responds to GOOSE messages whose StNum or SqNum (when StNum remains unchanged) is higher than the previous GOOSE message. It should be understood that the relevant content of StNum or SqNum of the GOOSE protocol should belong to the existing technology, and the details will not be described again here.
本申请中第一状态号值即第一GOOSE数据包中状态号计数器(StNum)的值,第二状态号值即第二GOOSE数据包中状态号计数器(StNum)的值。为便于表述,下文中将第一状态号值记为StNum1,将第二状态号值记为StNum2。In this application, the first status number value is the value of the status number counter (StNum) in the first GOOSE data packet, and the second status number value is the value of the status number counter (StNum) in the second GOOSE data packet. For ease of description, the first status number value is denoted as StNum1 and the second status number value is denoted as StNum2 in the following.
步骤S103:基于第一验证信息和第二验证信息的比较,确定数据接收方当前通信的安全性。Step S103: Based on the comparison of the first verification information and the second verification information, determine the security of the current communication of the data recipient.
With the data processing method of this application, the network traffic analysis tool can obtain the first GOOSE data packet received by the data receiver in the current data reception cycle and the second GOOSE data packet received by the data receiver in the data reception cycle immediately preceding the current one, parse both packets, and extract the first verification information from the first GOOSE data packet and the second verification information from the second GOOSE data packet, where the first verification information includes the first status number value of the first GOOSE data packet and the second verification information includes the second status number value of the second GOOSE data packet. The security of the data receiver's current communication is then determined by comparing the first verification information with the second. The method can therefore determine the security of the data receiver's current GOOSE communication quickly and in real time, and can determine with reasonable reliability whether the current GOOSE communication carries a potential security risk, so that staff can handle the risk promptly, or measures can be taken automatically to handle it promptly, reducing the adverse effects of a network security attack on the GOOSE communication process.
In this application, the comparison of the first verification information with the second verification information can determine the type of the potential security risk at the same time as it determines the security of the data receiver's current communication; the type is not limited here.
In some optional embodiments, step S103 (determining the security of the data receiver's current communication based on the comparison of the first verification information with the second verification information) includes: if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than a first predetermined threshold, determining that the data receiver's current communication carries a security risk, and determining the type of the security risk to be tampering with the status number value of a GOOSE data packet.
When the data sender and the data receiver communicate normally over GOOSE, the status number value increases by one each time the state changes, so in chronological order the first status number value StNum1 of the first GOOSE data packet and the second status number value StNum2 of the second GOOSE data packet should satisfy StNum1 = StNum2 + 1. When the gap between StNum1 and StNum2 is too large, that is, when the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the first predetermined threshold, the status number value in the GOOSE data packets received by the data receiver has jumped abnormally. Such a jump is usually caused by an external network attacker feeding the data receiver a GOOSE data packet with a high StNum value, which displaces the packets of the legitimate communication. Under the GOOSE protocol, in the current data reception cycle the data receiver accepts and acts on the GOOSE data packet with the higher StNum value (the packet injected by the external attacker) and discards the GOOSE data packet with the lower StNum value sent by the data sender (the packet of normal communication), so the GOOSE data packets of the originally normal communication are effectively tampered with. This has a serious adverse effect on the communication between the data sender and the data receiver: using the tampered high-StNum GOOSE data packet, the external attacker can directly interfere with the data receiver's subsequent GOOSE communication and device control process, seriously affecting the normal operation of the equipment and/or the personal safety of staff.
In this application, the first predetermined threshold can be set according to the actual situation, for example 2, 10, 100, 500, 1000 or 2000; it is not specifically limited here.
On this basis, the method of this application can effectively determine whether the status number value of a GOOSE data packet has been tampered with, so that staff can handle the security risk promptly, or measures can be taken automatically to handle it promptly, reducing the adverse effects of this security risk on the GOOSE communication process.
The following is an example of an actual network security attack. In this example, the data sender is a protection relay at a factory site: when equipment in a certain area of the site (referred to as the first area) fails, the relay coil is de-energized, tripping the circuit breaker connected to the relay and cutting power to the equipment in the first area to keep the equipment in that area safe. The data receiver is the site's main relay, which can trip the main circuit breaker connected to it by de-energizing its relay coil, cutting power to a larger area of the site (referred to as the second area, which may include the aforementioned first area) to keep the equipment in the second area safe. The protection relay (the data sender) communicates with the main relay (the data receiver) through a switch (which may be an Ethernet switch). For example, when equipment in the first area fails and the circuit breaker connected to the protection relay needs to trip, the protection relay sends a GOOSE data packet to the main relay through the switch to notify it, so that when the main relay subsequently detects that the fault exists it no longer trips the main circuit breaker, avoiding a wide-area outage. In the attack, the network attacker intercepts the GOOSE data packet on its way from the switch to the main relay, analyzes it, changes its status number value StNum to a higher value and sends it on to the main relay through the switch. In accordance with the GOOSE protocol, the main relay acts on the attacker's tampered high-StNum GOOSE data packet and discards the low-StNum GOOSE data packet sent by the protection relay, so when it subsequently detects that the fault exists it trips the main circuit breaker, cutting power to the equipment in the second area and causing a wider outage. Clearly, determining whether the status number value of a GOOSE data packet has been tampered with by checking whether the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the first predetermined threshold allows staff to handle the security risk promptly, or measures to be taken automatically to handle it promptly, reducing the adverse effects of this security risk on the GOOSE communication process (in this example, preventing the main circuit breaker from tripping and thereby preventing a wider outage). Of course, this example is only meant to aid understanding and does not limit this application in any way.
In some optional embodiments, the first verification information further includes the first sequence number value of the first GOOSE data packet, and the second verification information further includes the second sequence number value of the second GOOSE data packet; step S103 (determining the security of the data receiver's current communication based on the comparison of the first verification information with the second verification information) includes: if the difference between the first sequence number value in the first verification information and the second sequence number value in the second verification information is greater than a second predetermined threshold, and the first status number value in the first verification information is equal to the second status number value in the second verification information, determining that the data receiver's current communication carries a security risk, and determining the type of the security risk to be tampering with the sequence number value of a GOOSE data packet.
For ease of description, the first sequence number value of the first GOOSE data packet is denoted SqNum1 and the second sequence number value of the second GOOSE data packet SqNum2 below. As stated above, both the first sequence number value of the first GOOSE data packet and the second sequence number value of the second GOOSE data packet can be obtained by the packet analysis plug-in integrated in the network traffic analysis tool.
When the data sender and the data receiver communicate normally over GOOSE, and the status number value stays the same while the sequence number changes, the sequence number value increases by one with each packet in chronological order, so the first sequence number value SqNum1 of the first GOOSE data packet and the second sequence number value SqNum2 of the second GOOSE data packet should satisfy SqNum1 = SqNum2 + 1. When the gap between SqNum1 and SqNum2 is too large, that is, when the difference between the first sequence number value SqNum1 in the first verification information and the second sequence number value SqNum2 in the second verification information is greater than the second predetermined threshold, the sequence number value in the GOOSE data packets received by the data receiver has jumped abnormally, and such a jump is usually caused by an external network attacker feeding the data receiver a GOOSE data packet with a high SqNum value. Under the GOOSE protocol, when the status number value StNum is unchanged, in the current data reception cycle the data receiver accepts and acts on the GOOSE data packet with the higher SqNum value (the packet injected by the external attacker) and discards the low-SqNum GOOSE data packet sent by the data sender (the packet of normal communication), so the originally normal GOOSE data packets are effectively tampered with. This has a serious adverse effect on the communication between the data sender and the data receiver: using the tampered high-SqNum GOOSE data packet, the external attacker can directly interfere with the data receiver's subsequent GOOSE communication and device control process, seriously affecting the normal operation of the equipment and/or the personal safety of staff.
In this application, the second predetermined threshold can be set according to the actual situation, for example 2, 10, 50, 100, 200, 500 or 1000; it is not specifically limited here.
On this basis, the method of this application can effectively determine whether the sequence number value of a GOOSE data packet has been tampered with, so that staff can handle the security risk promptly, or measures can be taken automatically to handle it promptly, reducing the adverse effects of this security risk on the GOOSE communication process.
In some optional embodiments, the data processing method further includes obtaining a first device operating parameter in the current data reception cycle and a second device operating parameter in the data reception cycle preceding the current one; step S103 (determining the security of the data receiver's current communication based on the comparison of the first verification information with the second verification information) includes: if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than a third predetermined threshold, and the first device operating parameter is not equal to the second device operating parameter, determining that the data receiver's current communication carries a security risk, and determining the type of the security risk to be injection of device fault data into the data receiver.
As mentioned above, both the data receiver and the data sender in this application can be devices such as relays or motors, and a device operating parameter can be an operating parameter of a relay, a motor, switchgear or the like: for a relay, a parameter indicating whether the relay coil is energized; for a motor, a parameter indicating whether the motor is turning; for switchgear, a parameter indicating its switching state.
Optionally, the first device operating parameter can be parsed from the first GOOSE data packet and the second device operating parameter from the second GOOSE data packet, both by the packet analysis plug-in integrated in the network traffic analysis tool described above, or they can be obtained in other ways; this application does not limit this. Optionally, the third predetermined threshold can be set according to the actual situation; for example, it can be set to 1, or to 2, 5, 10 and so on, and is not specifically limited here.
Specifically, when the data sender and the data receiver communicate normally over GOOSE, the status number value increases by one each time the state changes, so in chronological order the first status number value StNum1 of the first GOOSE data packet and the second status number value StNum2 of the second GOOSE data packet should satisfy StNum1 = StNum2 + 1. When the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the third predetermined threshold, and the first device operating parameter is not equal to the second device operating parameter, the data receiver can be considered to have had device fault data injected by an external network attacker, and that fault data interferes with the data receiver's normal operation. On this basis, by combining the application-level comparison of the first and second device operating parameters with the comparison of the first and second status number values, this application can determine more conveniently and accurately whether device fault data has been injected into the data receiver, so that staff can handle the security risk promptly, or measures can be taken automatically to handle it promptly, reducing the adverse effects of this security risk on the GOOSE communication process.
In some optional embodiments, the data processing method further includes obtaining a first timestamp parameter in the current data reception cycle and a second timestamp parameter in the data reception cycle preceding the current one; step S103 (determining the security of the data receiver's current communication based on the comparison of the first verification information with the second verification information) includes: if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than a fourth predetermined threshold, and the first timestamp parameter is less than or equal to the second timestamp parameter, determining that the data receiver's current communication carries a security risk, and determining the type of the security risk to be disordered communication timing in the data receiver's current communication process.
In this application, the first timestamp parameter can be parsed from the first GOOSE data packet and the second timestamp parameter from the second GOOSE data packet, both by the packet analysis plug-in integrated in the network traffic analysis tool described above, or they can be obtained in other ways; this application does not limit this.
Specifically, under normal conditions the timestamp parameter indicates the time at which a GOOSE data packet was sent; since in chronological order the first GOOSE data packet is sent later than the second GOOSE data packet, the first timestamp parameter should be greater than the second timestamp parameter. Therefore, if the timestamp parameter of the first GOOSE data packet is less than or equal to the second timestamp parameter, and the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than the fourth predetermined threshold, the communication timing of the current communication process between the data sender and the data receiver is disordered: a GOOSE message that has already been sent is being delivered to the data receiver again, which adversely affects the data receiver's communication and any action the data receiver takes on the basis of the first GOOSE data packet.
In this application, the fourth predetermined threshold can be set according to the actual situation and is not limited here. In general, the fourth predetermined threshold can be set to 1.
On this basis, the method of this application can effectively determine whether the communication timing of the data receiver's current communication process is disordered, so that staff can handle the security risk promptly, or measures can be taken automatically to handle it promptly, reducing the adverse effects of this security risk on the GOOSE communication process.
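The four pairwise checks of step S103 described above (status number tampering, sequence number tampering, injected device fault data, and disordered communication timing) implemented in Python over the fields a packet analysis plug-in would extract. This is an added example, not code from the patent or its applicant: the `GooseFields` record, the representation of the GOOSE timestamp as seconds, the device operating parameter as an integer, and the four threshold values are all assumptions, chosen so that a normal state change (StNum advancing by one) never fires.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Thresholds: the page gives example values and leaves the choice to the
# deployment; these values are assumptions for the example.
ST_NUM_THRESHOLD = 2        # "first predetermined threshold"
SQ_NUM_THRESHOLD = 2        # "second predetermined threshold"
FAULT_DATA_THRESHOLD = 1    # "third predetermined threshold"
TIMING_THRESHOLD = 1        # "fourth predetermined threshold"


@dataclass(frozen=True)
class GooseFields:
    """Verification information of one GOOSE packet as a traffic-analysis
    plug-in would extract it (field names and types are assumptions)."""
    st_num: int                          # StNum
    sq_num: int                          # SqNum
    timestamp: float                     # GOOSE 't' field as seconds
    device_param: Optional[int] = None   # e.g. relay coil energized (1) / de-energized (0)


def classify_pair(first: GooseFields, second: GooseFields) -> list[str]:
    """Compare the packet of the current reception cycle (`first`) with the
    packet of the preceding cycle (`second`) and return the risk types found.
    An empty list means no risk was detected for this pair."""
    risks: list[str] = []
    st_delta = first.st_num - second.st_num
    sq_delta = first.sq_num - second.sq_num

    # Normal operation: StNum1 == StNum2 + 1 on a state change, so a jump
    # larger than the threshold is treated as a tampered status number.
    if st_delta > ST_NUM_THRESHOLD:
        risks.append("StNum tampered")

    # With StNum unchanged, SqNum1 == SqNum2 + 1 on each retransmission;
    # a large jump while StNum is equal is treated as a tampered sequence number.
    if st_delta == 0 and sq_delta > SQ_NUM_THRESHOLD:
        risks.append("SqNum tampered")

    # Application-level check: a StNum jump together with a changed device
    # operating parameter is treated as injected device fault data.
    if (st_delta > FAULT_DATA_THRESHOLD
            and first.device_param is not None
            and second.device_param is not None
            and first.device_param != second.device_param):
        risks.append("device fault data injected")

    # A later packet must carry a later timestamp; a StNum jump whose
    # timestamp does not advance indicates disordered communication timing.
    if st_delta > TIMING_THRESHOLD and first.timestamp <= second.timestamp:
        risks.append("communication timing disordered")

    return risks


def scan_capture(packets: list[GooseFields]) -> list[tuple[int, list[str]]]:
    """Run classify_pair over consecutive packets of one GOOSE stream and
    return (index, risks) for every packet that raised at least one risk."""
    findings: list[tuple[int, list[str]]] = []
    for i in range(1, len(packets)):
        risks = classify_pair(packets[i], packets[i - 1])
        if risks:
            findings.append((i, risks))
    return findings


# Constructed sample stream (not captured traffic): two retransmissions, a
# healthy state change, then a packet whose StNum was pushed far ahead.
SAMPLE_STREAM = [
    GooseFields(st_num=5, sq_num=11, timestamp=100.0, device_param=0),
    GooseFields(st_num=5, sq_num=12, timestamp=101.0, device_param=0),
    GooseFields(st_num=6, sq_num=0, timestamp=101.5, device_param=1),    # normal state change
    GooseFields(st_num=6, sq_num=1, timestamp=102.5, device_param=1),
    GooseFields(st_num=900, sq_num=0, timestamp=102.6, device_param=0),  # injected high StNum
]

if __name__ == "__main__":
    for index, found in scan_capture(SAMPLE_STREAM):
        print(f"packet {index}: {', '.join(found)}")
```

Two caveats a deployment would add: StNum and SqNum are 32-bit unsigned counters in IEC 61850 and wrap around, and a publisher that restarts legitimately begins a fresh StNum sequence, so a production version needs modular comparison and a reset allowance rather than the plain subtraction used here. The checks are evaluated independently, so one injected packet can carry several verdicts at once, as the last packet of the sample stream does.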
In some optional embodiments, the data processing method further includes: if it is determined that the number of times the data receiver has received the same GOOSE data packet within a predetermined time period is greater than a predetermined count threshold, determining that the data receiver's current communication carries a security risk, and determining the type of the security risk to be a DoS flood attack on the data receiver.
In some implementations, whether several GOOSE data packets are the same packet can be determined by obtaining and checking whether their status number values (StNum) are the same and their sequence number values (SqNum) are the same. Alternatively, in other embodiments, it can be determined by checking only whether their sequence number values (SqNum) are the same.
When the data receiver is under a DoS flood attack, an external network attacker may maliciously send a large number of identical GOOSE data packets to the data receiver within a short time, preventing the data receiver from processing its communication with the data sender normally and thereby creating a security risk in the current communication. In this application, the predetermined time period can be set according to the actual situation, for example 10 seconds, 30 seconds, 1 minute or 2 minutes, and is not specifically limited here. The predetermined count threshold can likewise be set according to the actual situation, for example 50,000, 80,000 or 100,000, and is not specifically limited here. For example, with a predetermined time period of 1 minute and a predetermined count threshold of 100,000, if it is determined that the data receiver has received the same GOOSE data packet more than 100,000 times within 1 minute, it is determined that the data receiver's current communication carries a security risk, and the type of the security risk is determined to be a DoS flood attack on the data receiver.
On this basis, the method of this application can effectively determine whether the data receiver is under a DoS flood attack, so that staff can handle the security risk promptly, or measures can be taken automatically to handle it promptly, reducing the adverse effects of this security risk on the GOOSE communication process.
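The flood check described above, as an added example rather than the patent's own code: identical packets are keyed by the (StNum, SqNum) pair, the page's first definition of "the same packet", and counted in a sliding window over arrival time. The class and function names, the event tuple layout and the window and count values used below are assumptions; the page's own example figures are 1 minute and 100,000 packets.

```python
from __future__ import annotations

from collections import defaultdict, deque
from typing import Optional


class FloodDetector:
    """Count identical GOOSE packets (same StNum and SqNum) inside a sliding
    time window and flag a DoS flood once the count exceeds max_repeats."""

    def __init__(self, window_seconds: float, max_repeats: int) -> None:
        self.window_seconds = window_seconds
        self.max_repeats = max_repeats
        # arrival times per (StNum, SqNum) key, oldest first
        self._arrivals: dict[tuple[int, int], deque[float]] = defaultdict(deque)

    def observe(self, arrival_time: float, st_num: int, sq_num: int) -> bool:
        """Record one packet arrival; return True if this arrival pushes the
        count of identical packets inside the window above the threshold."""
        key = (st_num, sq_num)
        times = self._arrivals[key]
        times.append(arrival_time)
        # drop arrivals that have left the window
        while times and arrival_time - times[0] > self.window_seconds:
            times.popleft()
        return len(times) > self.max_repeats


def first_flood_verdict(detector: FloodDetector,
                        events: list[tuple[float, int, int]]) -> Optional[int]:
    """Feed (arrival_time, StNum, SqNum) events in order and return the index
    of the first event at which the detector raises a flood verdict, or None."""
    for index, (arrival_time, st_num, sq_num) in enumerate(events):
        if detector.observe(arrival_time, st_num, sq_num):
            return index
    return None


# Constructed samples (not captured traffic).
# A flood: 2000 copies of the packet (StNum 7, SqNum 3) within half a second.
FLOOD_SAMPLE = [(i * 0.00025, 7, 3) for i in range(2000)]
# A healthy publisher: StNum fixed, SqNum advancing on every retransmission.
HEALTHY_SAMPLE = [(i * 0.5, 7, i) for i in range(2000)]

if __name__ == "__main__":
    for name, sample in (("flood", FLOOD_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        detector = FloodDetector(window_seconds=1.0, max_repeats=1000)
        print(f"{name} sample: first verdict at event", first_flood_verdict(detector, sample))
```

A GOOSE publisher increments SqNum on every retransmission of the same state, so any recurrence of an identical (StNum, SqNum) pair is already abnormal; `max_repeats` only sets how many recurrences are tolerated before the verdict is raised. Keying on SqNum alone, the page's alternative definition, would merge packets of different states into one counter and is therefore not used here. A long-running instance should also evict keys that have gone idle, which this example omits.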
In some optional embodiments, the data processing method further includes: generating, according to the determination result for the type of the security risk, a log file indicating the determination result, and sending the log file to an external monitoring unit.
On this basis, generating a log file that indicates the determination result for the type of the security risk and sending it to an external monitoring unit helps staff understand the security risk better and take appropriate measures, so that the risk can be handled promptly, reducing the adverse effects of a network security attack on the GOOSE communication process.
In this application, the external monitoring unit can be a computer (for example a supervisory host computer at the substation site or a staff member's computer), a portable device (for example a staff member's mobile phone or tablet), a cloud platform, or a software monitoring platform; it is not limited here. Optionally, in addition to indicating the determination result for the type of the security risk, the log file can also record in detail the determination process, the relevant details of the security risk, the source of the network security attack and so on, so that staff can handle it better.
Alternatively, in some other embodiments, a notification message indicating the determination result for the type of the security risk can be sent directly to the external monitoring unit without generating a log file; this is not limited here.
It will be understood that the above is only an exemplary explanation of the data processing method in the embodiments of this application and does not limit the embodiments in any way.
Figure 3 is a schematic structural diagram of an optional electronic device according to an embodiment of this application. The embodiment does not limit the specific implementation of the electronic device 300. As an example, referring to Figure 3, the electronic device 300 provided in the second aspect of the embodiments of this application includes a processor 302, a communications interface 304, a memory 306 and a communication bus 308, where:
the processor 302, the communications interface 304 and the memory 306 communicate with one another through the communication bus 308;
the communications interface 304 is used to communicate with other electronic devices or servers;
the processor 302 is used to execute a program 310, and specifically can execute the relevant steps of any of the data processing method embodiments above.
Specifically, the program 310 can include program code, and the program code includes computer operating instructions.
The processor 302 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application. The one or more processors included in the smart device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
The memory 306 is used to store the program 310. The memory 306 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The program 310 can specifically be used to cause the processor 302 to execute the data processing method of any of the embodiments above.
For the specific implementation of each step of the program 310, see the corresponding description of the steps and units in any of the data processing method embodiments above; it is not repeated here. Those skilled in the art will appreciate that, for convenience and brevity of description, the specific working process of the devices and modules described above can be found in the corresponding process descriptions of the method embodiments above and is not repeated here.
According to a third aspect of the embodiments of this application, a computer storage medium is provided that stores instructions for causing a machine to execute the data processing method described herein. Specifically, a system or apparatus equipped with a storage medium can be provided, the storage medium storing software program code that implements the functions of any of the embodiments above, and the computer (or CPU or MPU) of the system or apparatus reads and executes the program code stored in the storage medium.
在这种情况下,从存储介质读取的程序代码本身可实现上述实施例中任何一项实施例的功能,因此程序代码和存储程序代码的存储介质构成了本申请的一部分。In this case, the program code itself read from the storage medium can implement the functions of any one of the above embodiments, and therefore the program code and the storage medium storing the program code form part of this application.
用于提供程序代码的存储介质实施例包括软盘、硬盘、磁光盘、光盘(如CD-ROM、CD-R、CD-RW、DVD-ROM、DVD-RAM、DVD-RW、DVD+RW)、磁带、非易失性存储卡和ROM。可选择地,可以由通信网络从服务器计算机上下载程序代码。Examples of storage media for providing program codes include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), Tapes, non-volatile memory cards and ROM. Alternatively, the program code can be downloaded from the server computer via the communications network.
此外,应该清楚的是,不仅可以通过执行计算机所读出的程序代码,而且可以通过基于程序代码的指令使计算机上操作的操作系统等来完成部分或者全部的实际操作,从而实现上述实施例中任意一项实施例的功能。In addition, it should be clear that the above embodiments can be implemented not only by executing the program code read by the computer, but also by causing the operating system etc. operating on the computer to complete some or all of the actual operations through instructions based on the program code. function of any embodiment.
此外,可以理解的是,将由存储介质读出的程序代码写到插入计算机内的扩展板中所设置的存储器中或者写到与计算机相连接的扩展模块中设置的存储器中,随后基于程序代码的指令使安装在扩展板或者扩展模块上的CPU等来执行部分和全部实际操作,从而实现上述实施例中任一实施例的功能。In addition, it can be understood that the program code read from the storage medium is written into the memory provided in the expansion board inserted into the computer or written into the memory provided in the expansion module connected to the computer, and then based on the program code The instructions cause the CPU installed on the expansion board or expansion module to perform part or all of the actual operations, thereby realizing the functions of any of the above embodiments.
根据本申请实施例中的第四方面,本申请实施例还提供了一种计算机程序产品,所述计算机程序产品被有形地存储在计算机可读介质上并且包括计算机可执行指令,所述计算机可执行指令在被执行时使至少一个处理器执行上述各实施例提供的数据处理方法。应理解,本实施例中的各方案具有上述方法实施例中对应的技术效果,此处不再赘述。According to the fourth aspect of the embodiments of the present application, the embodiments of the present application further provide a computer program product, the computer program product is tangibly stored on a computer-readable medium and includes computer-executable instructions, and the computer can When executed, the execution instructions cause at least one processor to execute the data processing method provided by the above embodiments. It should be understood that each solution in this embodiment has the corresponding technical effects in the above method embodiment, and will not be described again here.
对于本申请的电子设备400/计算机存储介质实施例而言,其与前述第一方面所提供的 数据处理方法实施例中的相关内容和有益效果基本类似,因此在此描述的较为简略,可以依据前述数据处理方法的实施例进行理解。The electronic device 400/computer storage medium embodiment of the present application is basically similar to the relevant content and beneficial effects in the data processing method embodiment provided in the first aspect, so the description here is relatively brief. This can be understood by referring to the embodiments of the aforementioned data processing method.
应当理解,本申请的方法实施方式中记载的各个步骤可以按照不同的顺序执行,和/或并行执行。此外,方法实施方式可以包括附加的步骤和/或省略执行示出的步骤。本申请的范围在此方面不受限制。It should be understood that the various steps described in the method embodiments of the present application can be executed in different orders and/or in parallel. Furthermore, method embodiments may include additional steps and/or omit performance of illustrated steps. The scope of the present application is not limited in this respect.
本文使用的术语“包括”及其变形是开放性包括,即“包括但不限于”。术语“基于”是“至少部分地基于”。术语“一个实施例”表示“至少一个实施例”;术语“另一实施例”表示“至少一个另外的实施例”;术语“一些实施例”表示“至少一些实施例”。需要注意,本申请中提及的“一个”、“多个”的修饰是示意性而非限制性的,本领域技术人员应当理解,除非在上下文另有明确指出,否则应该理解为“一个或多个”。As used herein, the term "include" and its variations are open-ended, ie, "including but not limited to." The term "based on" means "based at least in part on." The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; and the term "some embodiments" means "at least some embodiments". It should be noted that the modifications of "one" and "multiple" mentioned in this application are illustrative and not restrictive. Those skilled in the art will understand that unless the context clearly indicates otherwise, it should be understood as "one or Multiple”.
应当理解,在本申请实施例中所使用的类似于“第一”、“第二”的表述可修饰各种部件而与顺序和/或重要性无关,但是这些表述不限制相应部件。以上表述仅配置为将部件与其它部件区分开的目的。It should be understood that expressions similar to “first” and “second” used in the embodiments of the present application may modify various components regardless of order and/or importance, but these expressions do not limit the corresponding components. The above expressions are only provided for the purpose of distinguishing one component from another component.
最后应说明的是:以上实施例仅用以说明本申请实施例的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围。Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the embodiments of the present application, and are not intended to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: It is still possible to modify the technical solutions described in the foregoing embodiments, or to make equivalent substitutions for some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and spirit of the technical solutions of the embodiments of the present application. scope.

Claims (11)

  1. A data processing method, characterized by comprising:
    obtaining, by means of a network traffic analysis tool, a first GOOSE data packet received by a data receiver in the current data reception cycle and a second GOOSE data packet received by the data receiver in the data reception cycle preceding the current data reception cycle;
    parsing the first GOOSE data packet and the second GOOSE data packet with the network traffic analysis tool to determine first verification information in the first GOOSE data packet and second verification information in the second GOOSE data packet, wherein the first verification information includes a first status number value of the first GOOSE data packet and the second verification information includes a second status number value of the second GOOSE data packet;
    determining the security of the data receiver's current communication based on a comparison of the first verification information and the second verification information.
  2. The data processing method according to claim 1, wherein parsing the first GOOSE data packet and the second GOOSE data packet with the network traffic analysis tool comprises:
    integrating a pre-established packet analysis plug-in into the network traffic analysis tool, and parsing the first GOOSE data packet and the second GOOSE data packet by means of the packet analysis plug-in.
  3. The data processing method according to claim 1, characterized in that determining the security of the data receiver's current communication based on the comparison of the first verification information and the second verification information comprises:
    if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than a first predetermined threshold, determining that the data receiver's current communication has a security risk, and determining the type of the security risk to be tampering with the status number value of the GOOSE data packet.
  4. The method according to claim 1, characterized in that the first verification information further includes a first sequence number value of the first GOOSE data packet, and the second verification information further includes a second sequence number value of the second GOOSE data packet;
    determining the security of the data receiver's current communication based on the comparison of the first verification information and the second verification information comprises:
    if the difference between the first sequence number value in the first verification information and the second sequence number value in the second verification information is greater than a second predetermined threshold, and the first status number value in the first verification information is equal to the second status number value in the second verification information, determining that the data receiver's current communication has a security risk, and determining the type of the security risk to be tampering with the sequence number value of the GOOSE data packet.
  5. The method according to claim 1, characterized in that the method further comprises: obtaining a first device operating parameter in the current data reception cycle and a second device operating parameter in the data reception cycle preceding the current data reception cycle;
    determining the security of the data receiver's current communication based on the comparison of the first verification information and the second verification information comprises:
    if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than a third predetermined threshold, and the first device operating parameter is not equal to the second device operating parameter, determining that the data receiver's current communication has a security risk, and determining the type of the security risk to be injection of device fault data into the data receiver.
  6. The method according to claim 1, characterized in that the method further comprises: obtaining a first timestamp parameter in the current data reception cycle and a second timestamp parameter in the data reception cycle preceding the current data reception cycle;
    determining the security of the data receiver's current communication based on the comparison of the first verification information and the second verification information comprises:
    if the difference between the first status number value in the first verification information and the second status number value in the second verification information is greater than a fourth predetermined threshold, and the first timestamp parameter is less than or equal to the second timestamp parameter, determining that the data receiver's current communication has a security risk, and determining the type of the security risk to be disorder in the communication timing of the data receiver's current communication process.
  7. The method according to claim 1, characterized in that the method further comprises:
    if it is determined that the number of times the data receiver has received the same GOOSE data packet within a predetermined time period is greater than a predetermined count threshold, determining that the data receiver's current communication has a security risk, and determining the type of the security risk to be a DoS flood attack on the data receiver.
  8. The method according to any one of claims 3 to 7, characterized in that the method further comprises:
    generating, according to the result of determining the type of the security risk, a log file indicating the determination result, and sending the log file to an external monitoring unit.
  9. An electronic device (300), characterized by comprising: a processor (302), a communication interface (304), a memory (306) and a communication bus (308), wherein the processor (302), the communication interface (304) and the memory (306) communicate with one another through the communication bus (308);
    the memory (306) is used to store at least one executable instruction, and the executable instruction causes the processor (302) to perform the operations corresponding to the method according to any one of claims 1 to 8.
  10. A computer-readable storage medium, characterized in that computer instructions are stored on the computer-readable storage medium, and the computer instructions, when executed by a processor, cause the processor to execute the method according to any one of claims 1 to 8.
  11. A computer program product, characterized in that the computer program product is tangibly stored on a computer-readable medium and includes computer-executable instructions which, when executed, cause at least one processor to execute the method according to any one of claims 1 to 8.
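The comparison rules of claims 3 to 8, worked through as an added Python example; this is not code from the patent or from its applicant. It assumes that a dissector such as the plug-in of claim 2 has already extracted stNum, sqNum, the event timestamp and one device operating parameter from each GOOSE frame, so only the comparison step over consecutive reception cycles is shown. The threshold values, the record and risk-type names, the JSON log format and the sample records are all constructed for illustration, since the patent leaves the thresholds and the log format unspecified.

```python
"""Stateful checks over consecutive GOOSE packets, modelled on claims 3-8.

Assumed: an upstream dissector (e.g. a GOOSE plug-in in a traffic analysis
tool) has already extracted stNum, sqNum, the event timestamp and a device
operating parameter from each frame; this module only does the comparison.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import json
import time


@dataclass(frozen=True)
class GooseRecord:
    st_num: int           # stNum: incremented on every state change
    sq_num: int           # sqNum: incremented on every retransmission within a state
    timestamp: float      # event timestamp carried in the packet (seconds)
    device_param: object  # device operating parameter, e.g. breaker position
    raw: bytes = b""      # raw frame, used only for duplicate counting (claim 7)


@dataclass(frozen=True)
class Thresholds:
    # Assumed example settings; the patent leaves the values unspecified.
    st_tamper: int = 1           # first predetermined threshold (claim 3)
    sq_tamper: int = 1           # second predetermined threshold (claim 4)
    fault_inject: int = 1        # third predetermined threshold (claim 5)
    timing: int = 1              # fourth predetermined threshold (claim 6)
    flood_window_s: float = 1.0  # "predetermined time period" (claim 7)
    flood_count: int = 10        # "predetermined count threshold" (claim 7)


RISK_ST_NUM_TAMPERED = "GOOSE stNum tampered"
RISK_SQ_NUM_TAMPERED = "GOOSE sqNum tampered"
RISK_FAULT_DATA_INJECTED = "device fault data injected"
RISK_TIMING_DISORDER = "communication timing disorder"
RISK_DOS_FLOOD = "DoS flood attack"


def assess_pair(prev: GooseRecord, cur: GooseRecord,
                th: Thresholds = Thresholds()) -> list[str]:
    """Compare the current-cycle packet with the previous-cycle packet
    (claims 3-6). Returns the risk types found; empty means no risk."""
    risks = []
    st_delta = cur.st_num - prev.st_num
    sq_delta = cur.sq_num - prev.sq_num

    if st_delta > th.st_tamper:                     # claim 3
        risks.append(RISK_ST_NUM_TAMPERED)
    if st_delta == 0 and sq_delta > th.sq_tamper:   # claim 4
        risks.append(RISK_SQ_NUM_TAMPERED)
    if st_delta > th.fault_inject and cur.device_param != prev.device_param:  # claim 5
        risks.append(RISK_FAULT_DATA_INJECTED)
    if st_delta > th.timing and cur.timestamp <= prev.timestamp:  # claim 6
        risks.append(RISK_TIMING_DISORDER)
    return risks


def detect_flood(arrivals, th: Thresholds = Thresholds()) -> bool:
    """Claim 7: True if the same frame arrives more than th.flood_count times
    inside any th.flood_window_s window. `arrivals` is an iterable of
    (arrival_time_seconds, raw_frame_bytes)."""
    recent = defaultdict(deque)  # raw frame -> arrival times still inside the window
    for t, raw in sorted(arrivals, key=lambda a: a[0]):
        q = recent[raw]
        q.append(t)
        while q and t - q[0] > th.flood_window_s:
            q.popleft()
        if len(q) > th.flood_count:
            return True
    return False


def log_entry(receiver: str, risks: list[str]) -> str:
    """Claim 8: one JSON line describing the determination, ready to be
    appended to a log file and forwarded to an external monitoring unit."""
    return json.dumps({"ts": time.time(), "receiver": receiver,
                       "secure": not risks, "risks": risks})


# Constructed sample records (not real substation traffic).
NORMAL_PREV = GooseRecord(st_num=5, sq_num=3, timestamp=100.0, device_param="closed", raw=b"A")
NORMAL_CUR = GooseRecord(st_num=5, sq_num=4, timestamp=100.5, device_param="closed", raw=b"A")
# stNum jumps by 7 in one cycle, breaker position flips, timestamp goes backwards.
SPOOFED_CUR = GooseRecord(st_num=12, sq_num=0, timestamp=99.0, device_param="open", raw=b"B")
# Same stNum as before but sqNum jumps by 40.
SQ_JUMP_CUR = GooseRecord(st_num=5, sq_num=43, timestamp=100.5, device_param="closed", raw=b"C")

if __name__ == "__main__":
    print(log_entry("IED-7", assess_pair(NORMAL_PREV, NORMAL_CUR)))
    print(log_entry("IED-7", assess_pair(NORMAL_PREV, SPOOFED_CUR)))
    print(log_entry("IED-7", assess_pair(NORMAL_PREV, SQ_JUMP_CUR)))
```

A real GOOSE publisher resets sqNum to 0 when stNum increments, so a legitimate state change produces st_delta of exactly 1 with a negative sq_delta; the thresholds above are chosen so that such a change passes claims 3 to 6, while a jump of several states in one reception cycle, or a sqNum run-up with no state change, is flagged. The flood check keys on the full raw frame, which matches claim 7's "same GOOSE data packet"; a deployment would typically key on the fields the dissector exposes instead.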
PCT/CN2022/116365 2022-08-31 2022-08-31 Data processing method, electronic device, and storage medium WO2024045095A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/116365 WO2024045095A1 (en) 2022-08-31 2022-08-31 Data processing method, electronic device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/116365 WO2024045095A1 (en) 2022-08-31 2022-08-31 Data processing method, electronic device, and storage medium

Publications (1)

Publication Number Publication Date
WO2024045095A1 true WO2024045095A1 (en) 2024-03-07

Family

ID=90100023

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/116365 WO2024045095A1 (en) 2022-08-31 2022-08-31 Data processing method, electronic device, and storage medium

Country Status (1)

Country Link
WO (1) WO2024045095A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932167A (en) * 2012-10-10 2013-02-13 华南理工大学 Information stream control method and system for improving relay protection reliability of intelligent substation
CN103746962A (en) * 2013-12-12 2014-04-23 华南理工大学 GOOSE electric real-time message encryption and decryption method
CN106953813A (en) * 2017-03-14 2017-07-14 哈尔滨工业大学 A kind of GOOSE message receive-transmit system and its control method
US9894080B1 (en) * 2016-10-04 2018-02-13 The Florida International University Board Of Trustees Sequence hopping algorithm for securing goose messages
CN110138773A (en) * 2019-05-14 2019-08-16 北京天地和兴科技有限公司 A kind of means of defence for goose attack
CN114124538A (en) * 2021-11-25 2022-03-01 国网四川省电力公司眉山供电公司 Intrusion detection method for GOOSE and SV messages of intelligent substation
CN114745152A (en) * 2022-02-28 2022-07-12 国网江苏省电力有限公司淮安供电分公司 Intrusion detection method and system based on IEC61850GOOSE message operation situation model

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DING XIU-LING, ZHANG YAN-XU, CAI ZE-XIANG, WANG HAI-ZHU, LI YI-QUAN, ZHANG CHI, : "A protection method of abnormal information flow in process layer network based on packet analysis", POWER SYSTEM PROTECTION AND CONTROL., vol. 41, no. 13, 1 July 2013 (2013-07-01), pages 58 - 63, XP093144932 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22956921

Country of ref document: EP

Kind code of ref document: A1