CN105791027B - A kind of detection method of industrial network abnormal interrupt - Google Patents

Info

Publication number
CN105791027B
Authority
CN
China
Prior art keywords
industrial network
industrial
rule
detection device
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201610262770.2A
Other languages
Chinese (zh)
Other versions
CN105791027A (en
Inventor
韩延鹏
黄敏
龙国东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wei Nu Trick Co Ltd
Original Assignee
Beijing Wei Nu Trick Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0677 Localisation of faults

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method for detecting abnormal interruption of an industrial network. The method comprises: the user sets, according to the specific deployment of the industrial network, a rule for detecting abnormal interruption of the industrial network, and the rule is stored in the memory of an industrial network detection device; the last update time of the rule is updated; the industrial network detection device starts a thread or process that periodically checks whether the rule has timed out, and issues an industrial network abnormal interruption alarm according to the result. The proposed method is suitable for industrial network detection devices such as industrial firewalls and industrial audit devices. When the industrial network is abnormally interrupted, the industrial network detection device raises an alarm immediately, which helps to locate the cause of the interruption and to return to normal production as soon as possible.

Description

A kind of detection method of industrial network abnormal interrupt
Technical field
The invention belongs to the technical field of industrial network security, and in particular relates to a method for detecting abnormal interruption of an industrial network.
Background art
An industrial control system network is a network made up of industrial automation production equipment. Unlike in an IT network, industrial automation production equipment usually communicates with its peers stably over long periods, and an abnormal interruption of communication between industrial automation devices often means that a problem such as an equipment fault has occurred, which can have a considerable effect on the whole industrial production environment.
Existing industrial network anomaly detection devices, such as industrial firewalls and industrial audit devices, all focus their detection on industrial network attacks, industrial network protection and the like. The Chinese invention patent with application No. 201210008504.9 discloses an industrial control network security protection method comprising the following steps. For attacks from the external network, the front-end host performs first-layer data filtering and access control on external network data; the security control host caches the data through a shared storage area, performs intrusion detection on the data, raises an alarm on invalid data and notifies the hosts on both sides; the back-end host performs deep filtering and access control on the data; and valid data enters the internal network. For attacks from the internal network, the back-end host performs first-layer data filtering and access control on internal network data; the security control host caches the data through the shared storage area, performs intrusion detection on the data, raises an alarm on invalid data and notifies the hosts on both sides; the front-end host performs deep filtering and access control on the data; and valid data enters the external network. That invention can raise the network security level of an industrial control system and reduce investment, system upgrade and management costs. However, it cannot perform detection related to abnormal interruption of the industrial network: when production equipment in the industrial network becomes abnormal, it cannot raise an alarm immediately so that production can be resumed in time.
Summary of the invention
To solve the above problems in the prior art, the present invention proposes a method for detecting abnormal interruption of an industrial network. The method is suitable for industrial network detection devices such as industrial firewalls and industrial audit devices. When the industrial network is abnormally interrupted, the industrial network detection device raises an alarm immediately, which helps to determine the cause of the interruption and to restore normal production.
To achieve the above objective, the present invention adopts the following technical solution.
A method for detecting abnormal interruption of an industrial network, comprising the following steps:
Step 1: according to the specific deployment of the industrial network, the user sets a rule for detecting abnormal interruption of the industrial network, and the rule is stored in the memory of the industrial network detection device. The rule contains: the server IP address, the client IP address, the port the server listens on, and the industrial network interruption time.
Step 2: when an industrial network packet enters the industrial network detection device, the device checks whether the destination IP address, source IP address and source port of the packet match, respectively, the client IP address, server IP address and server listening port of the rule. If they do not match, the packet does not match the rule. If they match, the last update time of the rule is updated; the last update time of the rule is the time at which the industrial network packet entered the industrial network detection device, and it is stored together with the rule in the memory of the industrial network detection device. If an industrial network interruption alarm has already been sent for this rule, the industrial network detection device sends an industrial network interruption recovery alarm.
Step 3: the industrial network detection device starts a thread or process that periodically checks whether the rule has timed out. If the current time (i.e. the system time obtained by the thread or process) minus the last update time of the rule is greater than the industrial network interruption time of the rule, the industrial network detection device sends an industrial network abnormal interruption alarm.
Further, the industrial network detection device is an industrial firewall or an industrial audit network detection device.
Further, the interval at which step 3 periodically checks for rule timeouts is determined by experiment according to the performance of the industrial network detection device.
Compared with the prior art, the invention has the following advantages:
In the proposed method, a rule for detecting abnormal interruption of the industrial network is set according to the specific deployment of the industrial network and stored in the memory of the industrial network detection device, and the device determines whether the industrial network has been abnormally interrupted, and raises an alarm, by periodically checking whether the rule has timed out. The invention can be applied in industrial network detection devices such as industrial firewalls and industrial audit devices. When the industrial network is abnormally interrupted, the industrial network detection device raises an alarm immediately, which helps to locate the cause of the interruption and to restore normal production as soon as possible.
Brief description of the drawings
Fig. 1 is a flowchart of the method for periodically checking rule timeouts.
Detailed description of embodiments
The present invention is further described below with reference to the accompanying drawing and embodiments.
A method for detecting abnormal interruption of an industrial network, comprising the following steps:
Step 1: according to the specific deployment of the industrial network, the user sets a rule for detecting abnormal interruption of the industrial network, and the rule is stored in the memory of the industrial network detection device. The rule contains: the server IP address, the client IP address, the port the server listens on, the last update time, and the industrial network interruption time.
The server IP address, client IP address and server listening port in the rule identify the network session to be monitored. The industrial network interruption time is the longest period for which a network session meeting those conditions is allowed to have no packet pass through the industrial network detection device. For example, at an industrial site the communication packets from client IP address 192.168.1.100 to port 502 of server IP address 192.168.1.1 should be present over the long term; if no packet passes through the industrial network detection device for more than 10 seconds, there may be a network anomaly and the industrial network detection device needs to raise an alarm. The industrial network abnormal interruption rule should therefore be configured as: client IP address 192.168.1.100, server IP address 192.168.1.1, server listening port 502, industrial network interruption time 10 seconds.
Step 2: when an industrial network packet enters the industrial network detection device, the device checks whether the destination IP address, source IP address and source port of the packet match, respectively, the client IP address, server IP address and server listening port of the rule. If they do not match, the packet does not match the rule. If they match, the last update time of the rule is updated; the last update time is the time at which the industrial network packet entered the industrial network detection device, and it is stored together with the rule in the memory of the industrial network detection device. If an industrial network interruption alarm has already been sent for this rule, the session corresponding to the rule was previously interrupted and the packet now received belongs to communication that has resumed after the interruption, so the industrial network detection device sends an industrial network interruption recovery alarm.
Step 3: the industrial network detection device starts a thread or process that periodically checks whether the rule has timed out. If the current time minus the last update time of the rule is greater than the industrial network interruption time of the rule, the session corresponding to the rule has had no packet pass through the industrial network detection device for longer than the interruption time configured in the rule, and the industrial network detection device sends an industrial network abnormal interruption alarm.
The industrial network detection device is, for example, an industrial firewall or an industrial audit network detection device.
The interval at which step 3 periodically checks for rule timeouts is determined by experiment according to the performance of the industrial network detection device. If the industrial network detection device performs well and the requirement on industrial network communication interruption time is strict, this interval can be set to less than 1 second; otherwise the interval can be increased appropriately.
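The three steps above as a runnable sketch, added here as an illustration and not taken from the patent. The class and function names, raising the interruption alarm once per outage, and starting each rule's timer when the rule is loaded are assumptions; the timeline in `demo()` is constructed from the example rule in the description.

```python
import threading
import time
from dataclasses import dataclass

@dataclass
class Rule:
    server_ip: str
    client_ip: str
    server_port: int
    timeout_s: float           # industrial network interruption time
    last_update: float = 0.0   # last update time
    alarmed: bool = False      # an interruption alarm has been sent for this outage

class InterruptionDetector:
    def __init__(self, rules, now):
        self._lock = threading.Lock()   # packet path and checker thread share the rules
        self.rules = rules
        for r in rules:
            r.last_update = now         # assumption: the timer starts when the rule is loaded

    def on_packet(self, src_ip, src_port, dst_ip, now):
        """Step 2: match server -> client packets and refresh the rule."""
        alarms = []
        with self._lock:
            for r in self.rules:
                if (dst_ip, src_ip, src_port) != (r.client_ip, r.server_ip, r.server_port):
                    continue
                r.last_update = now
                if r.alarmed:           # traffic is back after an alarmed outage
                    r.alarmed = False
                    alarms.append(("RECOVERED", r.client_ip, r.server_ip, r.server_port))
        return alarms

    def check_timeouts(self, now):
        """Step 3: one pass of the periodic timeout check."""
        alarms = []
        with self._lock:
            for r in self.rules:
                if now - r.last_update > r.timeout_s and not r.alarmed:
                    r.alarmed = True    # assumption: alarm once per outage, not on every pass
                    alarms.append(("INTERRUPTED", r.client_ip, r.server_ip, r.server_port))
        return alarms

def watchdog(detector, interval_s, stop, emit, clock=time.monotonic):
    """Body of the checker thread; stop is a threading.Event.
    Packet timestamps must come from the same clock; a monotonic clock
    keeps wall-clock adjustments from causing false alarms."""
    while not stop.wait(interval_s):
        for alarm in detector.check_timeouts(clock()):
            emit(alarm)

def demo():
    """Constructed timeline (seconds) for the rule given in the description."""
    rule = Rule("192.168.1.1", "192.168.1.100", 502, 10.0)
    det = InterruptionDetector([rule], now=0.0)
    log = []
    log += det.on_packet("192.168.1.1", 502, "192.168.1.100", now=3.0)    # matches the rule
    log += det.on_packet("192.168.1.100", 40001, "192.168.1.1", now=9.0)  # client -> server: no match
    log += det.check_timeouts(now=13.0)   # 10.0 s of silence: not greater than 10
    log += det.check_timeouts(now=13.5)   # 10.5 s of silence: interruption alarm
    log += det.check_timeouts(now=14.5)   # still down: no repeated alarm
    log += det.on_packet("192.168.1.1", 502, "192.168.1.100", now=20.0)   # recovery alarm
    return log
```

Because step 2 matches on the server's address and listening port as the packet source, client requests alone do not refresh the rule, so a server that stops answering is reported even while the client keeps polling.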
The present invention is not limited to the above embodiments; any obvious improvement or change made to the above embodiments by a person skilled in the art does not depart from the concept of the invention or the scope of protection of the appended claims.

Claims (3)

1. A method for detecting abnormal interruption of an industrial network, characterized by comprising the following steps:
Step 1: according to the specific deployment of the industrial network, the user sets a rule for detecting abnormal interruption of the industrial network, and the rule is stored in the memory of the industrial network detection device; the rule contains: the server IP address, the client IP address, the port the server listens on, and the industrial network interruption time;
Step 2: when an industrial network packet enters the industrial network detection device, the industrial network detection device checks whether the destination IP address, source IP address and source port of the packet match, respectively, the client IP address, server IP address and server listening port of the rule; if they do not match, the packet does not match the rule; if they match, the last update time of the rule is updated, the last update time of the rule being the time at which the industrial network packet entered the industrial network detection device, stored together with the rule in the memory of the industrial network detection device; if an industrial network interruption alarm has already been sent for this rule, the industrial network detection device sends an industrial network interruption recovery alarm;
Step 3: the industrial network detection device starts a thread or process that periodically checks whether the rule has timed out; if the current time minus the last update time of the rule is greater than the industrial network interruption time of the rule, the industrial network detection device sends an industrial network abnormal interruption alarm.
2. The method for detecting abnormal interruption of an industrial network according to claim 1, characterized in that the industrial network detection device is an industrial firewall or an industrial audit network detection device.
3. The method for detecting abnormal interruption of an industrial network according to claim 1, characterized in that the interval at which step 3 periodically checks for rule timeouts is determined by experiment according to the performance of the industrial network detection device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610262770.2A CN105791027B (en) 2016-04-25 2016-04-25 A kind of detection method of industrial network abnormal interrupt

Publications (2)

Publication Number Publication Date
CN105791027A (en) 2016-07-20
CN105791027B (en) 2019-03-15

Family

ID=56399453

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106444700A (en) * 2016-09-09 2017-02-22 郑州宇通客车股份有限公司 Automobile monitoring host and positioning module fault determination method
CN108933707B (en) * 2017-05-26 2021-03-05 西门子(中国)有限公司 Safety monitoring system and method for industrial network
CN107612760B (en) * 2017-11-03 2021-08-24 睿石网云(北京)科技有限公司 Method and system for monitoring interruption of business service
CN114697202B (en) * 2020-12-31 2023-09-29 华为技术有限公司 Detection method and device
CN116017489A (en) * 2021-10-19 2023-04-25 华为技术有限公司 Method and device for transmitting information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101237357A (en) * 2008-02-04 2008-08-06 华中科技大学 Online failure detection method for industrial wireless sensor network
CN102195824A (en) * 2010-03-05 2011-09-21 ***通信集团公司 Method, device and system for out-of-service alarm of data service system
CN102438026A (en) * 2012-01-12 2012-05-02 冶金自动化研究设计院 Industrial control network security protection method and system
CN103944915A (en) * 2014-04-29 2014-07-23 浙江大学 Threat detection and defense device, system and method for industrial control system
CN104796283A (en) * 2015-03-18 2015-07-22 飞天诚信科技股份有限公司 Monitoring alarm method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9116531B2 (en) * 2013-02-27 2015-08-25 General Electric Company Methods and systems for current output mode configuration of universal input-output modules

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190315