CN109144023A - A kind of safety detection method and equipment of industrial control system - Google Patents

A kind of safety detection method and equipment of industrial control system

Info

Publication number: CN109144023A
Authority: CN (China)
Prior art keywords: data, event, information, event information, call
Legal status: Pending
Application number: CN201710501199.XA
Other languages: Chinese (zh)
Inventors: 郭代飞, 黄伟东
Current assignee: Siemens Ltd China
Original assignee: Siemens Ltd China
Application filed by Siemens Ltd China
Priority to CN201710501199.XA
Publication of CN109144023A

Classifications

    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00: Testing or monitoring of control systems or parts thereof
    • G05B23/02: Electric testing or monitoring
    • G05B23/0205: Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0208: Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults, characterized by the configuration of the monitoring system
    • G05B23/0213: Modular or universal configuration of the monitoring system, e.g. monitoring system having modules that may be combined to build monitoring program; monitoring system that can be applied to legacy systems; adaptable monitoring system; using different communication protocols
    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00: Program-control systems
    • G05B2219/20: Pc systems
    • G05B2219/24: Pc safety
    • G05B2219/24065: Real time diagnostics

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Computer And Data Communications (AREA)

Abstract

A safety detection method and device for an industrial control system. The method comprises: obtaining at least two items of data from an industrial control system, where the at least two items of data come from at least two data sources in the industrial control system; parsing the event information of each of the at least two items of data respectively; establishing a correspondence between the parsed event information and the corresponding data; performing correlation analysis on the event information parsed from each item of data according to predetermined correlation rules, and judging whether the corresponding data need to be retrieved (called up); if so, indexing the data to be retrieved according to the event information; and determining the security incident that has occurred in the industrial control system according to the retrieved data. The method can detect the security of an industrial control system more comprehensively and enhance the security protection capability of the industrial control system.

Description

A kind of safety detection method and equipment of industrial control system
Technical field
The present invention relates to the technical field of industrial automation, and in particular to a safety detection method and device for an industrial control system.
Background technique
With the development of computer and network technology, and in particular with the deep integration of informatization and industrialization, industrial control systems (Industrial Control System, ICS) increasingly use general-purpose protocols, hardware and software and are connected in various ways to public networks such as the Internet. Threats such as Internet worms and Trojans have spread to industrial control systems, and the security problems of industrial control systems are becoming increasingly urgent. Attacks on industrial control systems usually exploit the security vulnerabilities of those systems. The programmable logic controllers (Programmable Logic Controller, PLC), distributed control systems (Distributed Control System, DCS), supervisory control and data acquisition systems (Supervisory Control And Data Acquisition, SCADA) and application software generally used in industrial control systems have been found to contain a large number of security vulnerabilities, so the entire industrial control system carries considerable security risk.
To address the security problems of industrial control systems, the measures generally adopted at present are conventional network security technologies such as firewalls, intrusion detection systems (Intrusion Detection Systems, IDS), intrusion prevention systems (Intrusion Prevention System, IPS) and virtual private networks (Virtual Private Network, VPN). These protective measures are inherited from Internet security technology and are often aimed only at specific data or specific equipment. For example, IDS/IPS only inspect network traffic, anti-malware tools only inspect host behaviour, and security auditing systems only analyse system logs.
As attacks on industrial control systems increase, their complexity and concealment also grow: more and more attacks use a variety of complex techniques and may also hide their behaviour by imitating the operations of genuine technical personnel, so that traditional protective measures have difficulty detecting these complex new attacks. For example, the well-known Stuxnet virus incident fully reflects the severe situation facing the security of industrial control systems. Stuxnet targeted industrial control systems and changed their behaviour by modifying PLC parameters, including intercepting read/write requests sent to the PLC, modifying existing PLC code blocks, writing new code blocks into the PLC, and using malware rootkit techniques to hide its infection of the PLC.
Therefore, how to detect the security of an industrial control system more comprehensively and enhance its security protection capability is a problem that the industry urgently needs to research and solve.
Summary of the invention
In view of this, embodiments of the present invention provide a safety detection method and device for an industrial control system, so as to detect the security of the industrial control system more comprehensively and enhance its security protection capability.
In a first aspect, an embodiment of the present invention provides a safety detection method for an industrial control system, comprising:
obtaining at least two items of data from an industrial control system, where the at least two items of data come from at least two data sources in the industrial control system;
parsing the event information of each of the at least two items of data respectively;
establishing a correspondence between the parsed event information and the corresponding data;
performing correlation analysis on the event information parsed from each item of data according to predetermined correlation rules, and judging whether the corresponding data need to be retrieved;
if it is judged that the corresponding data need to be retrieved, indexing the data to be retrieved according to the event information;
determining the security incident that has occurred in the industrial control system according to the retrieved data.
It can be seen that in the safety detection method provided by this embodiment of the present invention, all data from each data source in the industrial control system are collected and parsed to obtain the event information of all data, a correspondence between event information and data is established, correlation analysis is then performed on the basis of the event information, and the data that need to be retrieved are indexed on demand during correlation analysis in order to determine the security incident that has occurred in the industrial control system. The security of the industrial control system can thus be detected more comprehensively and more efficiently, enhancing its security protection capability.
Optionally, before parsing the event information of each of the at least two items of data respectively, the method further comprises:
parsing each of the at least two items of data obtained, to obtain the data information of each item of data; where the data information of an item of data includes at least one of the following: the type of the data, information on the protocol used by the data, source information of the data, destination information of the data, the format of the data, and timestamp information of the data;
establishing a correspondence between the obtained data information and the corresponding data;
and performing correlation analysis on the event information parsed from each item of data according to predetermined correlation rules, and judging whether the corresponding data need to be retrieved, comprises:
performing correlation analysis on the event information and the data information parsed from each item of data according to predetermined correlation rules, and judging whether the corresponding data need to be retrieved;
and indexing the data to be retrieved according to the event information comprises:
indexing the data to be retrieved according to the event information and the data information.
In this way, before all data are parsed to obtain event information, they can first be parsed to obtain the data information of each item of data, and a correspondence between data information and data is established at the same time. This reduces the complexity of parsing the data directly to obtain event information, and the obtained data can also be pre-screened on the basis of the data information, which further reduces the complexity of parsing the data to obtain event information.
Optionally, after parsing the event information of each of the at least two items of data respectively, the method further comprises:
determining the event type of the corresponding data according to the event information;
establishing a correspondence between the determined event type and the corresponding data;
and indexing the data to be retrieved according to the event information comprises:
retrieving the data corresponding to the same event type.
In this way, after all data have been parsed to obtain event information, the event type corresponding to each item of data can be determined and a correspondence between event type and data established at the same time, so that when correlation analysis needs to retrieve data, the data corresponding to the same event type can be retrieved and analysed; it can then be determined whether a security incident related to these data exists in the industrial control system.
Optionally, the event information includes the time of occurrence of the event;
and indexing the data to be retrieved according to the event information comprises: retrieving the data corresponding to event information whose time of occurrence falls within a preset time period.
In this way, the data corresponding to event information in the industrial control system whose time of occurrence falls within a preset time period can be retrieved and analysed; it can then be determined whether a security incident related to these data exists in the industrial control system.
Optionally, the event information includes the object targeted by the event; and indexing the data to be retrieved according to the event information comprises: retrieving the data corresponding to event information targeting the same object.
In this way, the data corresponding to event information in the industrial control system that targets the same object can be retrieved and analysed; it can then be determined whether a security incident related to these data exists in the industrial control system.
Optionally, the event information includes the triggering object of the event; and indexing the data to be retrieved according to the event information comprises: retrieving the data corresponding to event information triggered by the same triggering object.
In this way, the data corresponding to event information in the industrial control system that was triggered by the same triggering object can be retrieved and analysed; it can then be determined whether a security incident related to these data exists in the industrial control system.
In a second aspect, an embodiment of the present invention provides a security detection device for an industrial control system, comprising a data acquisition module, an event parsing module and a correlation analysis module, where:
the data acquisition module is configured to obtain at least two items of data from an industrial control system, where the at least two items of data come from at least two data sources in the industrial control system;
the event parsing module is configured to parse the event information of each of the at least two items of data respectively, and to establish a correspondence between the parsed event information and the corresponding data;
the correlation analysis module is configured to perform correlation analysis on the event information parsed from each item of data according to predetermined correlation rules and to judge whether the corresponding data need to be retrieved; if so, it indexes the data to be retrieved according to the event information and determines the security incident that has occurred in the industrial control system according to the retrieved data.
Optionally, the device further comprises a data parsing module configured to parse each of the at least two items of data obtained by the data acquisition module to obtain the data information of each item of data, and to establish a correspondence between the obtained data information and the corresponding data; where the data information of an item of data includes at least one of the following: the type of the data, information on the protocol used by the data, source information of the data, destination information of the data, the format of the data, and timestamp information of the data;
and the correlation analysis module, when performing correlation analysis on the event information parsed from each item of data according to predetermined correlation rules and judging whether the corresponding data need to be retrieved, is specifically configured to:
perform correlation analysis on the event information and the data information parsed from each item of data according to predetermined correlation rules, and judge whether the corresponding data need to be retrieved;
and the correlation analysis module, when indexing the data to be retrieved according to the event information, is specifically configured to:
index the data to be retrieved according to the event information and the data information.
Optionally, the event parsing module, after parsing the event information of each of the at least two items of data respectively, is further configured to:
determine the event type of the corresponding data according to the event information;
establish a correspondence between the determined event type and the corresponding data;
and the correlation analysis module, when indexing the data to be retrieved according to the event information, is specifically configured to:
retrieve the data corresponding to the same event type.
Optionally, the event information includes the time of occurrence of the event; and the correlation analysis module, when indexing the data to be retrieved according to the event information, is specifically configured to:
retrieve the data corresponding to event information whose time of occurrence falls within a preset time period.
Optionally, the event information includes the object targeted by the event; and the correlation analysis module, when indexing the data to be retrieved according to the event information, is specifically configured to:
retrieve the data corresponding to event information targeting the same object.
Optionally, the event information includes the triggering object of the event; and the correlation analysis module, when indexing the data to be retrieved according to the event information, is specifically configured to:
retrieve the data corresponding to event information triggered by the same triggering object.
The implementation and beneficial effects of the device of the second aspect, or of any implementation of the second aspect, may be cross-referenced with the implementation and beneficial effects of the method of the first aspect, or of any implementation of the first aspect, and repeated content is not described again.
In a third aspect, an embodiment of the present invention provides a security detection device for an industrial control system, the device comprising:
at least one memory, configured to store a safety detection program for the industrial control system;
at least one processor, configured to invoke the safety detection program of the industrial control system stored in the at least one memory, so as to execute the method provided by the first aspect or any possible implementation of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a machine-readable medium on which machine-readable instructions are stored; when the machine-readable instructions are invoked by at least one processor, they enable the at least one processor to execute the method provided by the first aspect or any possible implementation of the first aspect.
Brief description of the drawings
Fig. 1 is an architecture diagram of a security detection device for an industrial control system provided by an embodiment of the present invention;
Fig. 2 is a flow chart of a safety detection method for an industrial control system provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of the event parsing module in the security detection device for an industrial control system provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of the correlation analysis module in the security detection device for an industrial control system provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of the security detection device for an industrial control system provided by an embodiment of the present invention.
Reference signs list:
100: security detection device of the industrial control system; 101: data acquisition module
102: event parsing module; 103: correlation analysis module
104: data parsing module; 105: parsing rule library
106: correlation rule library; 107: analysis result repository
201: obtaining data from the industrial control system; 202: parsing the event information of each item of data respectively
203: establishing the correspondence between event information and corresponding data; 204: correlation analysis, judging whether data need to be retrieved
205: indexing the data to be retrieved according to the event information; 206: determining the security incident that has occurred in the industrial control system
301: event analysis unit; 302: event recognition unit
303: cache library; 401: cache analysis unit
402: data quick search unit; 403: event type association unit
404: time and address information unit; 405: result output unit
500: security detection device of the industrial control system; 501: interface
502: at least one processor; 503: bus
504: at least one processor
Specific embodiments
In order to make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments of the present invention are further described below with reference to the drawings. The embodiments described below are only some of the embodiments of the present invention, not all of them.
Embodiments of the present invention provide a safety detection method and device for an industrial control system, so as to detect the security of the industrial control system more comprehensively and enhance its security protection capability. Since the method and the device solve the problem on similar principles, their implementations may be cross-referenced, and repeated content is not described again.
In embodiments of the present invention, the security detection device of the industrial control system can obtain at least two items of data from an industrial control system, where the at least two items of data come from at least two data sources in the industrial control system; it then parses the event information of each of the at least two items of data respectively, establishes a correspondence between the parsed event information and the corresponding data, performs correlation analysis on the event information parsed from each item of data according to predetermined correlation rules, and judges whether the corresponding data need to be retrieved; when it judges that the corresponding data need to be retrieved, it indexes the data to be retrieved according to the event information and determines the security incident that has occurred in the industrial control system according to the retrieved data.
Through the above scheme, the security detection device of the industrial control system can collect all data from each data source in the industrial control system, parse them to obtain the event information of all data, and set up the correspondence between event information and data, so that correlation analysis can be performed on the basis of the event information and the data that need to be retrieved can be indexed on demand through the correspondence between event information and data, in order to determine the security incident that has occurred in the industrial control system. The security of the industrial control system can thus be detected more comprehensively, enhancing its security protection capability.
It should be pointed out that the security incidents referred to in the embodiments of the present invention denote unconventional events involving the safety of the industrial control system, such as abnormal operations and attacks occurring in the industrial control system.
It should be pointed out that "multiple items" in the description of this application means two or more.
The safety detection scheme for an industrial control system that may be used in embodiments of the present invention is described below with reference to the drawings.
Fig. 1 is a schematic structural diagram of a possible security detection device 100 for an industrial control system according to an embodiment of the present invention. Fig. 2 is a schematic flow diagram of a possible safety detection method for an industrial control system according to an embodiment of the present invention.
The method flow shown in Fig. 2 may specifically be executed by the security detection device 100 of the industrial control system shown in Fig. 1; the functional modules of the security detection device 100 that execute the flow shown in Fig. 2 may be implemented in hardware, or by hardware executing corresponding software.
It should be understood that the division of modules in the embodiments of the present invention is schematic and is only a division by logical function; other manners of division are possible in actual implementation. The modules in the embodiments of the present invention may be integrated into one processing module, may each exist individually, or two or more modules may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of software functional units.
As shown in Fig. 1, the security detection device 100 of the industrial control system includes a data acquisition module 101, an event parsing module 102 and a correlation analysis module 103.
Specifically, the data acquisition module 101 may be used to execute step 201 of the method flow shown in Fig. 2: obtaining at least two items of data from an industrial control system, where the at least two items of data come from at least two data sources in the industrial control system.
The data that the data acquisition module 101 can obtain from an industrial control system may include all data generated by various devices during control and communication in the industrial control system; these data may come from various devices, systems or application software in the industrial control system, and these devices, systems and application software may be regarded as the data sources in the industrial control system.
For example, the data in an industrial control system include: network traffic on network devices (such as routers and switches); device logs of devices such as OLE for Process Control (OPC) servers, operator stations, engineer stations, security equipment (such as industrial firewalls) and network devices; and PLC configuration parameters, state parameters, and the like. A log, also called a log file (Log File), is a file on a storage device containing the messages generated by an application, service or operating system; these messages can be used to trace the operations performed. Log files are usually plain-text (ASCII) files with the .log extension.
It should be pointed out that data from different devices may be regarded as data from different data sources, and data from different application software or functional modules on the same device may also be regarded as data from different data sources.
For example, the device log of a switch and the device log of an engineer station obtained by the data acquisition module 101 may be regarded as data from different data sources; the device log of a switch and the network traffic of that same switch obtained by the data acquisition module 101 may also be regarded as data from different data sources.
Specifically, the data acquisition module 101 may obtain or receive, at a set period, the data generated by or present on each device, system and application in the industrial control system, or may obtain or receive data in real time when a device, system or application in the industrial control system generates data or when data change; a corresponding acquisition manner may be used according to the type of data.
For example, in some possible embodiments of the present invention, the data acquisition module 101 may be deployed at multiple points in the industrial control system in a distributed manner by means of probes, so as to collect all data in the industrial control system. Specifically, the probes of the data acquisition module 101 distributed in the industrial control system may automatically receive the device logs reported by devices that support protocols such as the Simple Network Management Protocol (SNMP) and the system log (syslog) protocol, actively download the current configuration parameters and state parameters of the PLCs at a set period, and obtain the current network traffic through traffic mirroring, and so on.
In some possible embodiments of the present invention, after obtaining multiple items of data from the industrial control system, the data acquisition module 101 may store the obtained data, for example by organizing and saving them in a database, in files, or the like.
For example, the data acquisition module 101 may use big data storage (Big Data Storage) technology to store the multiple items of data obtained in a big-data-based database (Big Data based DB), so that the corresponding data can be traced back and retrieved as evidence during subsequent correlation analysis.
The data in industrial control system obtained based on data acquisition module 101, event parsing module 102 can be used for The step 202 in method flow as shown in Figure 2 is executed, is parsed respectively every in the data that data acquisition module 101 is got The event information of one item data, and step 203 is further executed, the event information parsed is corresponding with the foundation of corresponding data Relationship.
Specifically, the data in industrial control system got due to data acquisition module 101 have a variety of data class Type, for example include network flow, device log and configuration parameter etc., thus event parsing module 102 is acquired to data When each item data that module 101 is got is parsed to obtain event information, respective type it can divide based on these data It is not parsed, to obtain the event information of these data.
Specifically, the event information that the data that event parsing module 102 parses that data acquisition module 101 is got obtain can To include action type etc. that Time To Event, the object that event is directed to, the triggering object of event and event are related to Information.
For example, for each device log obtained by data acquisition module 101, event parsing module 102 may first parse out each log message contained in the device log and then parse the content of each log message, so as to obtain, for each operation described in the message, information such as the occurrence time, the operation type, the subject performing the operation (for example the IP address of the source host) and the object the operation is directed at (for example the destination host IP address); these pieces of information may then serve as the event information obtained from that log message;
As an example, suppose event parsing module 102 parses a log message in a certain device log and determines that the content recorded by the message is a registration by an abnormal account; the event information that event parsing module 102 parses out of that log message may then include the operation command type involved in the event (abnormal account registration), the device information and the event occurrence time.
As another example, for the network traffic obtained by data acquisition module 101, event parsing module 102 may parse each data packet in the traffic to obtain information such as the protocol type used by the data carried in the packet, the key protocol fields, the sending time and the source and destination addresses; these pieces of information may then serve as the event information obtained from that packet;
As an example, suppose event parsing module 102 parses a packet in the network traffic of a certain switch and determines that the packet carries a control command that modifies PLC configuration parameters; the event information that event parsing module 102 parses out of that packet may then include the control command type involved in the event (modification of PLC configuration parameters), the source device of the command, the device the command is directed at and the event occurrence time.
As yet another example, for the PLC configuration parameters and state parameters obtained by data acquisition module 101, event parsing module 102 may obtain the corresponding event information directly from the currently obtained configuration and state parameters of the PLC together with the historically recorded configuration and state parameters of the PLC;
As an example, suppose event parsing module 102 compares the historical PLC configuration parameters with the currently obtained ones and determines that a configuration parameter of the PLC has changed and that the changed value is outside a preset range; the event information obtained by event parsing module 102 may then include the occurrence time of the event (abnormal PLC configuration parameter) and the device information of the PLC.
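The three cases just described (log messages, packets, PLC parameter snapshots) can be reduced to one event-information record. The following Python is an added example written for this page, not code from the patent or from Siemens; the log line syntax, the packet field names, the `plc-ctrl` protocol label, the `tmp_` account convention and the preset range for `max_pressure` are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class EventInfo:
    """Common event-information record produced from any acquired data item."""
    time: datetime                # event occurrence time
    op_type: str                  # operation / command type the event involves
    source: Optional[str]         # subject performing the operation (e.g. source host IP)
    target: Optional[str]         # object the operation is directed at (device, host, PLC)
    extra: dict = field(default_factory=dict)


# Constructed device log: "<ISO time> <device> <verb> key=value ...", one message per line.
SAMPLE_LOG = """\
2017-06-26T02:10:00 hmi-01 register account=tmp_admin from=10.0.0.5
2017-06-26T09:00:00 hmi-01 login account=operator from=10.0.0.7
"""

# Constructed decoded packets from a switch (protocol and field names are assumptions).
SAMPLE_PACKETS = [
    {"time": "2017-06-26T02:11:30", "src": "10.0.0.5", "dst": "10.0.1.7", "proto": "plc-ctrl",
     "fields": {"function": "write_config", "param": "max_pressure", "value": "12.5"}},
    {"time": "2017-06-26T02:11:31", "src": "10.0.1.7", "dst": "10.0.0.5", "proto": "plc-ctrl",
     "fields": {"function": "ack"}},
]

# Constructed PLC parameter snapshots: historical record vs. currently acquired values.
PLC_HISTORY = {"max_pressure": 8.0, "cycle_ms": 100}
PLC_CURRENT = {"max_pressure": 12.5, "cycle_ms": 100}
PRESET_RANGES = {"max_pressure": (0.0, 10.0)}     # assumed permitted range per parameter


def parse_device_log(log_text: str) -> list[EventInfo]:
    """Split a device log into messages and extract time, operation, subject and object."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, verb, *rest = line.split()
        detail = dict(kv.split("=", 1) for kv in rest if "=" in kv)
        op = verb
        # Assumed convention: tmp_* accounts are not provisioned, so their registration
        # is reported as an abnormal-account registration event.
        if verb == "register" and detail.get("account", "").startswith("tmp_"):
            op = "abnormal_account_register"
        events.append(EventInfo(datetime.fromisoformat(ts), op, detail.get("from"), device, detail))
    return events


def parse_packets(packets: list[dict]) -> list[EventInfo]:
    """Extract protocol, key protocol fields, sending time and addresses from each packet."""
    events = []
    for pkt in packets:
        fields = dict(pkt.get("fields", {}))
        op = "general_communication"
        if pkt["proto"] == "plc-ctrl" and fields.get("function") == "write_config":
            op = "modify_plc_config"      # control command that changes PLC configuration
        fields["proto"] = pkt["proto"]
        events.append(EventInfo(datetime.fromisoformat(pkt["time"]), op, pkt["src"], pkt["dst"], fields))
    return events


def parse_plc_params(plc_id: str, history: dict, current: dict, now: datetime) -> list[EventInfo]:
    """Compare current PLC parameters with the record; report changes and out-of-range values."""
    events = []
    for name, value in current.items():
        if history.get(name) == value:
            continue
        lo, hi = PRESET_RANGES.get(name, (float("-inf"), float("inf")))
        op = "plc_config_changed" if lo <= value <= hi else "plc_config_abnormal"
        events.append(EventInfo(now, op, None, plc_id,
                                {"param": name, "old": history.get(name), "new": value}))
    return events


def parse_all() -> list[EventInfo]:
    """Run the three parsers over the constructed samples and return all event information."""
    now = datetime.fromisoformat("2017-06-26T02:12:00")
    return (parse_device_log(SAMPLE_LOG) + parse_packets(SAMPLE_PACKETS)
            + parse_plc_params("plc-07", PLC_HISTORY, PLC_CURRENT, now))


if __name__ == "__main__":
    for ev in parse_all():
        print(ev.time.isoformat(), ev.op_type, ev.source, "->", ev.target, ev.extra)
```

The point of the common record is that the later association analysis only has to reason about `time`, `source`, `target` and `op_type`, whatever the original data source was; the source-specific detail stays in `extra` and is recalled only when needed.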
Specifically, after parsing the event information of each item of data obtained by data acquisition module 101, event parsing module 102 may store the obtained event information in a preset storage region for use by subsequent association analysis. Here, too, the event information may be organized and kept in a database, in files or in a similar form.
Given the advantage of a cache (High Speed Cache) in reducing the time required for data queries, in some possible embodiments of the present invention the storage region may be located in the cache; for example, event parsing module 102 may create a cache library (High Speed Cache DB) in the cache to cache the obtained event information.
So that subsequent association analysis can retrieve on demand the data that better reflects the actual situation, event parsing module 102 may, after parsing the event information of each item of data obtained by data acquisition module 101, establish through step 203 a correspondence between the parsed event information and the corresponding data.
For example, in some possible embodiments of the present invention, event parsing module 102 may create, for the event information of each item of data, index information for indexing the data corresponding to that event information, and establish the correspondence between the event information and its data through this index information.
As an example, suppose data acquisition module 101 stores the acquired items of data in a big-data-based library (Big Data based DB) and event parsing module 102 creates a cache library (High Speed Cache DB) in the cache for caching the event information of all data. After obtaining the event information of each item of data and creating the index information for indexing the corresponding data, event parsing module 102 may cache the event information together with that index information, as a mapping, in the cache library, so that when subsequent association analysis needs to call data it can quickly retrieve the data stored in the big-data-based library on the basis of the event information and index information held in the cache library.
Further, in some possible embodiments of the present invention, after parsing the event information of each item of data obtained by data acquisition module 101, event parsing module 102 may also determine the event type of the corresponding data from the event information and establish a correspondence between the determined event type and the corresponding data.
For example, on the basis of the obtained event information, event parsing module 102 may determine at coarse granularity the event type of each item of data, dividing it into a general communication type, a state indication type, a conventional control type, a suspicious type and so on;
Alternatively, event parsing module 102 may further determine, at fine granularity from the obtained event information, the operation type involved in the event type of each item of data; for example, data determined to be of the suspicious type may be further subdivided to determine whether its event type is a suspicious type involving a sensitive operation or a suspicious type involving a control operation;
Further, event parsing module 102 may also, from the obtained event information, determine in more detail the concrete operation behaviour involved in the event type of each item of data; for example, data determined to be of the suspicious type involving a sensitive operation may be further subdivided to determine whether its event type is a suspicious type involving a network connection operation, a suspicious type involving a registration operation or a suspicious type involving a snooping operation.
Correspondingly, after determining the event type of the corresponding data from the event information, event parsing module 102 may also store the obtained event types in a preset storage region for use by subsequent association analysis. For example, the event types of the data may be stored in the above cache library in the cache in the same way as the event information described above.
Likewise, so that subsequent association analysis can retrieve on demand the data that better reflects the actual situation, event parsing module 102 may, after determining the event type of the data from its event information, also establish a correspondence between the determined event type and the corresponding data.
Similarly to the way the above embodiments of the present invention establish the correspondence between event information and data, in some possible embodiments of the present invention event parsing module 102 may create, for the event type of each item of data, index information for indexing the data corresponding to that event type, and establish the correspondence between the event type and its data through this index information, so that when subsequent association analysis needs to call data it can quickly retrieve the data corresponding to a required event type on the basis of the index information.
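The cache library, the index information and the coarse-to-fine event typing described above can be shown together in one small model. This Python is an added example for this page, not the patent's or Siemens' code: the big-data library is an in-memory dictionary, the index information is an integer key, and the operation sets used for classification (`CONTROL_OPS`, `SENSITIVE_OPS`) and the sample events are constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict


class BigDataStore:
    """Stand-in for the big-data-based library holding the raw items of data."""
    def __init__(self):
        self._items: dict[int, object] = {}

    def put(self, item) -> int:
        idx = len(self._items)
        self._items[idx] = item
        return idx                     # the index information that locates this item

    def get(self, idx: int):
        return self._items[idx]


# Constructed operation classes used by the classification (assumptions, not the patent's lists).
CONTROL_OPS = {"modify_plc_config", "write_register", "start", "stop"}
SENSITIVE_OPS = {"login_attempt", "connect_suspicious_server", "register", "snoop"}
SENSITIVE_BEHAVIOUR = {"connect_suspicious_server": "network_connection",
                       "register": "register", "snoop": "snoop"}


def coarse_type(event: dict) -> str:
    """Coarse type: general communication, state indication, conventional control or suspicious."""
    if event.get("suspicious"):
        return "suspicious"
    if event["op_type"] in CONTROL_OPS:
        return "conventional_control"
    if event["op_type"] == "state_report":
        return "state_indication"
    return "general_communication"


def fine_type(event: dict) -> str:
    """Subdivide suspicious events by operation class, then sensitive ones by concrete behaviour."""
    t = coarse_type(event)
    if t != "suspicious":
        return t
    op = event["op_type"]
    if op in CONTROL_OPS:
        return "suspicious/control"
    if op in SENSITIVE_OPS:
        return "suspicious/sensitive/" + SENSITIVE_BEHAVIOUR.get(op, "other")
    return "suspicious/other"


class CacheLibrary:
    """Stand-in for the high-speed cache DB: event information and type mapped to index information."""
    def __init__(self, store: BigDataStore):
        self.store = store
        self.events: dict[int, dict] = {}                   # index info -> event info (incl. type)
        self.by_type: dict[str, list[int]] = defaultdict(list)

    def ingest(self, raw, event: dict) -> int:
        idx = self.store.put(raw)
        typed = dict(event, type=fine_type(event))
        self.events[idx] = typed
        self.by_type[typed["type"]].append(idx)
        return idx

    def recall_by_type(self, type_prefix: str) -> list:
        """Call back raw data for every event whose hierarchical type starts with type_prefix."""
        idxs = [i for t, lst in self.by_type.items() if t.startswith(type_prefix) for i in lst]
        return [self.store.get(i) for i in sorted(idxs)]


# Constructed sample: raw items paired with the event information parsed from them.
SAMPLE = [
    ("raw log: register tmp_admin from 10.0.0.5",
     {"op_type": "register", "source": "10.0.0.5", "target": "hmi-01", "suspicious": True}),
    ("raw pkt: status report from plc-07",
     {"op_type": "state_report", "source": "plc-07", "target": "hmi-01"}),
    ("raw pkt: write_config to plc-07",
     {"op_type": "modify_plc_config", "source": "10.0.0.5", "target": "plc-07", "suspicious": True}),
    ("raw pkt: write_config to plc-08",
     {"op_type": "modify_plc_config", "source": "eng-ws", "target": "plc-08"}),
    ("raw pkt: port probe of 10.0.1.0/24",
     {"op_type": "snoop", "source": "10.0.0.5", "target": "10.0.1.0/24", "suspicious": True}),
]


def build_cache() -> CacheLibrary:
    cache = CacheLibrary(BigDataStore())
    for raw, ev in SAMPLE:
        cache.ingest(raw, ev)
    return cache
```

Because the fine-grained type is a path (`suspicious/sensitive/register`), a prefix lookup returns the data for a whole subtree of types, which is what the association analysis needs when it asks for "everything suspicious" or "every sensitive operation" without touching the raw store until the index is resolved.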
Specifically, event parsing module 102 may parse each item of data obtained by data acquisition module 101 on the basis of preconfigured resolution rules, so as to identify the event reflected by each item of data and obtain the event information and event type of that event.
The preconfigured resolution rules may be configured on the basis of previously known event feature information. For example, on the basis of the general-purpose control commands known in the industrial control system, resolution rules can be configured for identifying events such as control operations or snooping operations in the industrial control system, so as to obtain the corresponding event information. As another example, since behaviour such as user/password login attempts, connections to suspicious servers and traffic transmitted with suspicious protocols may be regarded as sensitive operations, resolution rules can be configured for identifying events in the industrial control system that involve sensitive operations, so that events involving sensitive operations are recognized from data such as network traffic and device logs and the corresponding event information is obtained.
As an example, suppose event parsing module 102 parses a log message in a certain device log and the content of the message contains a control command (assumed to be a modification of PLC parameters). Event parsing module 102 can then, on the basis of the preset general-purpose control commands known in the industrial control system, quickly determine that the event reflected by the log message is a control-class event involving a PLC parameter modification operation, and obtain the relevant event information of that event (modification of PLC parameters).
Specifically, the above preconfigured resolution rules may likewise be organized and kept in a database, in files or in a similar form, for example stored as resolution rule library (105) shown in Figure 1. In some possible embodiments of the present invention, event parsing module 102 may perform event matching analysis (for example fast matching) on each item of data collected by data acquisition module 101 on the basis of the resolution rules stored in the resolution rule library, so as to identify the event reflected by each item of data and obtain its event information and event type.
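A resolution rule library of the kind described here, with fast matching of each message against precompiled rules, looks like the following. This Python is an added example for this page, not the patent's or Siemens' code; the message header syntax (`<time> src=<host> <body>`), the keywords `WRITE_PARAM`, `LOGIN`, `CONNECT` and `SCAN`, and the sample messages are constructed assumptions standing in for the known control commands and sensitive operations a real rule library would encode.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolutionRule:
    name: str
    pattern: re.Pattern       # precompiled once, so matching a message is a single regex scan
    event_type: str           # coarse event type assigned when the rule fires
    op_type: str              # operation the event involves


# Constructed stand-in for resolution rule library (105).
RULE_LIBRARY = [
    # known general-purpose control command -> control-class event
    ResolutionRule("plc_param_write",
                   re.compile(r"\bWRITE_PARAM\s+plc=(?P<target>\S+)\s+(?P<param>\w+)=(?P<value>\S+)"),
                   "control", "modify_plc_param"),
    # sensitive operations: user/password login attempts, server connections, probing
    ResolutionRule("login_attempt",
                   re.compile(r"\bLOGIN\s+user=(?P<user>\S+)\s+result=(?P<result>\w+)\s+target=(?P<target>\S+)"),
                   "sensitive", "login_attempt"),
    ResolutionRule("server_connect",
                   re.compile(r"\bCONNECT\s+dst=(?P<target>[\d.]+):(?P<port>\d+)\s+proto=(?P<proto>\w+)"),
                   "sensitive", "connect_server"),
    ResolutionRule("snoop",
                   re.compile(r"\bSCAN\s+range=(?P<target>\S+)"),
                   "sensitive", "snoop"),
]

HEADER = re.compile(r"^(?P<time>\S+)\s+src=(?P<source>\S+)\s+(?P<body>.*)$")


def resolve(message: str) -> dict:
    """Fast matching of one log message against the rule library; the first matching rule wins."""
    h = HEADER.match(message)
    if not h:
        raise ValueError("unrecognised message header: " + message)
    info = {"time": h["time"], "source": h["source"]}
    for rule in RULE_LIBRARY:
        m = rule.pattern.search(h["body"])
        if m:
            info.update(m.groupdict())          # key protocol fields captured by the rule
            info.update(rule=rule.name, event_type=rule.event_type, op_type=rule.op_type)
            return info
    # No rule fired: the message is ordinary communication and keeps only header information.
    info.update(rule=None, event_type="general_communication", op_type="other")
    return info


# Constructed sample messages (addresses are documentation-range values).
SAMPLE_MESSAGES = [
    "2017-06-26T02:10:00 src=10.0.0.5 WRITE_PARAM plc=plc-07 max_pressure=12.5",
    "2017-06-26T02:10:05 src=10.0.0.5 LOGIN user=tmp_admin result=fail target=hmi-01",
    "2017-06-26T02:10:09 src=10.0.0.5 CONNECT dst=198.51.100.7:4444 proto=unknown",
    "2017-06-26T09:00:00 src=10.0.0.7 HEARTBEAT seq=4411",
]


def resolve_all(messages=SAMPLE_MESSAGES) -> list[dict]:
    return [resolve(m) for m in messages]


if __name__ == "__main__":
    for info in resolve_all():
        print(info)
```

Rule order is the priority order: a message that could match several rules is classified by the first, so the more specific control-command rules are listed before the generic sensitive-operation ones.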
Optionally, as shown in Figure 1, in some possible embodiments of the present invention, in order to reduce the complexity with which event parsing module 102 parses data, the security detection equipment of the industrial control system further includes data resolution module 104, which, before event parsing module 102, parses each item of data obtained by data acquisition module 101, obtains the data information of each item of data, and establishes a correspondence between the obtained data information and the corresponding data.
The data information of an item of data may include, for example, the type of the item of data, the protocol it uses, its source information, its destination information, its format and its timestamp information. The data information obtained here by data resolution module 106 is information parsed from the data at coarse granularity; afterwards, event parsing module 102 parses the data at fine granularity to obtain the event information.
For example, for each device log obtained by data acquisition module 101, data resolution module 106 may first parse the device log to obtain each log message it contains, and obtain information such as the log format, the log source device, the log generation time and the protocol type used by the log.
As another example, for the network traffic obtained by data acquisition module 101, data resolution module 106 may parse the traffic to obtain each data packet it contains, and obtain information such as the data type of the traffic, the sending time, the source address and the destination address of the traffic.
Further, after parsing each item of data to obtain its data information, data resolution module 104 may screen the items of data obtained by data acquisition module 101 against a preset whitelist data configuration, delete those items that match the whitelist data configuration, and send the remaining items to event parsing module 102 for parsing, so as to obtain the event information of the screened items of data. In this way the complexity with which event parsing module 102 parses data can be effectively reduced.
For example, suppose a preset whitelist data configuration specifies that device logs using a first protocol are regarded as whitelist data. Then, after parsing each device log and obtaining the protocol type it uses, data resolution module 104 may apply this whitelist data configuration to treat the device logs using the first protocol as whitelist data and delete them, and send the remaining device logs to event parsing module 102 for parsing.
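The coarse-grained parsing and whitelist screening of the data resolution module can be illustrated as follows. This Python is an added example for this page, not the patent's or Siemens' code; the two log formats (JSON and key=value), the packet record layout, the sample items and the whitelisted (kind, protocol) pairs are constructed assumptions, with `ntp` playing the role of the "first protocol" of the example above.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataInfo:
    """Coarse-grained data information of one acquired item."""
    kind: str                 # "device_log" or "network_traffic"
    protocol: str             # protocol used by the item
    source: str               # source device or address
    destination: Optional[str]
    fmt: str                  # "json", "kv" or "packet"
    timestamp: str


def parse_log_info(raw: str) -> DataInfo:
    """Coarse parsing of one device log message: format, source device, generation time, protocol."""
    if raw.lstrip().startswith("{"):
        rec = json.loads(raw)
        return DataInfo("device_log", rec.get("proto", "unknown"), rec["host"], None, "json", rec["ts"])
    fields = dict(kv.split("=", 1) for kv in raw.split() if "=" in kv)
    return DataInfo("device_log", fields.get("proto", "unknown"), fields["host"], None, "kv", fields["ts"])


def parse_packet_info(pkt: dict) -> DataInfo:
    """Coarse parsing of one packet record: protocol, addresses and sending time."""
    return DataInfo("network_traffic", pkt["proto"], pkt["src"], pkt["dst"], "packet", pkt["time"])


# Constructed whitelist configuration: (kind, protocol) pairs that need no event parsing.
WHITELIST = {("device_log", "ntp"), ("network_traffic", "arp")}


def screen(items: list) -> tuple[list, list]:
    """Return (kept, dropped): whitelisted items are deleted before event parsing, the rest go on."""
    kept, dropped = [], []
    for raw in items:
        info = parse_packet_info(raw) if isinstance(raw, dict) else parse_log_info(raw)
        bucket = dropped if (info.kind, info.protocol) in WHITELIST else kept
        bucket.append((info, raw))      # data information kept in correspondence with its raw data
    return kept, dropped


# Constructed sample items: two device log messages and two packet records.
SAMPLE_ITEMS = [
    'ts=2017-06-26T02:10:00 host=hmi-01 proto=syslog msg="register account=tmp_admin"',
    '{"ts": "2017-06-26T02:10:01", "host": "plc-07", "proto": "ntp", "msg": "clock step"}',
    {"time": "2017-06-26T02:11:30", "src": "10.0.0.5", "dst": "10.0.1.7", "proto": "plc-ctrl"},
    {"time": "2017-06-26T02:11:31", "src": "10.0.0.9", "dst": "ff:ff:ff:ff:ff:ff", "proto": "arp"},
]


def screen_samples() -> tuple[list, list]:
    return screen(SAMPLE_ITEMS)


if __name__ == "__main__":
    kept, dropped = screen_samples()
    print("to event parsing:", [i.protocol for i, _ in kept])
    print("whitelisted:", [i.protocol for i, _ in dropped])
```

Keeping the `DataInfo` next to its raw item in the output is the correspondence the text calls for: the association analysis can later index the raw data from the coarse information without re-parsing it.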
Correspondingly, after parsing each item of data to obtain its data information, data resolution module 104 may also store the obtained data information in a preset storage region for use by subsequent association analysis. For example, data resolution module 104 may store the obtained data information in the above cache library in the cache in the same way as event parsing module 102 stores event information.
Likewise, so that subsequent association analysis can retrieve on demand the data that better reflects the actual situation, data resolution module 104 may, after parsing each item of data to obtain its data information, also establish a correspondence between the obtained data information and the corresponding data.
For example, in some possible embodiments of the present invention, data resolution module 104 may create, for the data information of each item of data, index information for indexing the data corresponding to that data information, and establish the correspondence between the data information and its data through this index information, so that when subsequent association analysis needs to call data it can quickly retrieve the data corresponding to the data information on the basis of the index information.
As shown in Figure 1, after event parsing module 102 has parsed each item of data to obtain its event information and established the correspondence between the event information and the corresponding data, it may pass the event information to association analysis module 103, which executes the subsequent steps of the method flow shown in Figure 2: first, in step 204, the event information obtained by event parsing module 102 from each item of data is subjected to association analysis according to predetermined correlation rules, and it is judged whether corresponding data needs to be called; then, when it is judged that corresponding data needs to be called, step 205 is executed to index, according to the event information, the data that needs to be called, and step 206 is executed to determine, according to the called data, the security event that has occurred in the industrial control system.
Specifically, when association analysis module 103 performs association analysis on the event information obtained by event parsing module 102 from each item of data according to the predetermined correlation rules and determines that no corresponding data needs to be called, association analysis module 103 may determine the security event that has occurred in the industrial network according to the result of the association analysis.
In some possible embodiments of the present invention, the above predetermined correlation rules may be rules defined according to known attack scenarios and abnormal operation scenarios for determining attack behaviour and abnormal operation behaviour; they may also be rules obtained by constructing possible attack scenarios or abnormal operation scenarios from expert knowledge, or rules obtained by learning from the various abnormal operations and attack behaviours that have historically occurred in the industrial control system, and so on.
For example, suppose a known attack scenario is characterized in that control operations from the same device on multiple devices of the same type occur simultaneously (or within what can be regarded as the same period) and a certain configuration parameter of these multiple devices of the same type changes. A correlation rule for this attack scenario may then be preset according to the known attack scenario, and the preset correlation rule may describe the feature information of the attack scenario, such as the time at which the attack occurs, the devices involved, the operation types involved and the type of configuration parameter modified;
Association analysis module 103 then performs association analysis, on the basis of this correlation rule, on the event information obtained by event parsing module 102; if the result of the association analysis successfully matches the preset correlation rule, association analysis module 103 may consider that the industrial control system has suffered the attack described by the preset correlation rule, and may raise an alarm.
Specifically, the above predetermined correlation rules may likewise be organized and kept in a database, in files or in a similar form, for example stored as correlation rule library (106) shown in Figure 1.
On the basis of the above description of the event information obtained by event parsing module 102, in some possible embodiments of the present invention association analysis module 103 may, according to the preset correlation rules, perform association analysis on the event information obtained by event parsing module 102, including the event occurrence time information, the object information the event is directed at and the triggering object information of the event, to obtain the relationships between the items of event information and thereby determine the security event that has occurred in the industrial control system.
As an example, suppose a certain preset correlation rule describes that items of event information having a preset first-type association relationship can be determined to be a type of attack behaviour. Then, after association analysis module 103 has analyzed each item of event information according to that preset correlation rule, if it determines that the association relationship between some items of event information satisfies the preset first-type association relationship, association analysis module 103 may, on the basis of those items of event information, determine that the attack behaviour indicated by the preset correlation rule has occurred in the industrial control system.
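The attack scenario used as the example above (control operations from one source on several same-type devices within one period, each followed by a change of the same configuration parameter) can be expressed as one correlation rule and evaluated over event information with a sliding time window. This Python is an added example for this page, not the patent's or Siemens' code; the asset inventory `DEVICE_TYPE`, the five-minute window, the threshold of three devices, the event field names and the sample events are constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: device -> device type.
DEVICE_TYPE = {"plc-01": "S-PLC", "plc-02": "S-PLC", "plc-03": "S-PLC", "plc-04": "S-PLC",
               "hmi-01": "HMI", "eng-ws": "EWS"}

# Preset correlation rule for the scenario: within one window, control operations from one
# source reach at least min_targets devices of one type, and the named parameter changes on each.
RULE_MASS_RECONFIG = {
    "name": "same-source control of multiple same-type devices with config change",
    "window": timedelta(minutes=5),
    "min_targets": 3,
    "control_ops": {"modify_plc_config"},
    "param": "max_pressure",
}


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate(events: list[dict], rule: dict) -> list[dict]:
    """Return one alert per (source, device type, affected device set) that matches the rule."""
    changed = {(e["target"], e.get("param")) for e in events if e["op_type"] == "plc_config_changed"}
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["op_type"] in rule["control_ops"]:
            by_source[e["source"]].append(e)
    alerts, seen = [], set()
    for src, ctrl in by_source.items():
        for i, first in enumerate(ctrl):          # window anchored at each control event in turn
            window = [e for e in ctrl[i:] if e["time"] - first["time"] <= rule["window"]]
            targets_by_type = defaultdict(set)
            for e in window:
                targets_by_type[DEVICE_TYPE.get(e["target"], "unknown")].add(e["target"])
            for dtype, targets in targets_by_type.items():
                hit = frozenset(t for t in targets if (t, rule["param"]) in changed)
                key = (src, dtype, hit)
                if len(hit) >= rule["min_targets"] and key not in seen:
                    seen.add(key)
                    alerts.append({"rule": rule["name"], "time": first["time"], "source": src,
                                   "device_type": dtype, "devices": sorted(hit),
                                   "operations": sorted(rule["control_ops"]), "param": rule["param"]})
    return alerts


def ev(t, op, src, dst, param=None) -> dict:
    return {"time": T(t), "op_type": op, "source": src, "target": dst, "param": param}


# Constructed event information: a burst from hmi-01 plus one routine engineering change.
SAMPLE_EVENTS = [
    ev("2017-06-26T02:10:00", "modify_plc_config", "hmi-01", "plc-01", "max_pressure"),
    ev("2017-06-26T02:10:04", "plc_config_changed", None, "plc-01", "max_pressure"),
    ev("2017-06-26T02:11:00", "modify_plc_config", "hmi-01", "plc-02", "max_pressure"),
    ev("2017-06-26T02:11:03", "plc_config_changed", None, "plc-02", "max_pressure"),
    ev("2017-06-26T02:12:30", "modify_plc_config", "hmi-01", "plc-03", "max_pressure"),
    ev("2017-06-26T02:12:35", "plc_config_changed", None, "plc-03", "max_pressure"),
    ev("2017-06-26T09:00:00", "modify_plc_config", "eng-ws", "plc-04", "cycle_ms"),
    ev("2017-06-26T09:00:02", "plc_config_changed", None, "plc-04", "cycle_ms"),
    ev("2017-06-26T09:30:00", "state_report", "plc-01", "hmi-01"),
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, RULE_MASS_RECONFIG):
        print(a)
```

The alert carries exactly the feature information the rule describes (time, devices involved, operation types, modified parameter type), so the same record can be written to the analysis result repository and shown to the operator without a second pass over the data.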
Further, on the basis of the above description, since event parsing module 102 may, after parsing the data obtained by data acquisition module 101 to obtain event information, also establish a correspondence between the event information and the corresponding data, in some possible embodiments of the present invention association analysis module 103 may, when performing association analysis on the event information of each item of data, also call the data corresponding to the event information according to the needs of the association analysis, in order to analyze the relationships between the items of event information in depth, and then determine the security event that has occurred in the industrial control system according to the called data.
For example, on the basis of the above description, the event information obtained by event parsing module 102 from the data may include event occurrence time information; in some possible embodiments of the present invention, association analysis module 103 may, when performing association analysis, call according to its needs the data corresponding to event information whose event occurrence time lies within a preset time period;
For example, since data generated during non-working hours is often more suspicious, association analysis module 103 may, when performing association analysis on the basis of the event information, call according to the correspondence between event information and data the data whose event occurrence time lies within the non-working-hours period, analyze from this data the actual operation commands, specific parameters and specific data content, determine according to these actual operation commands and specific parameters whether the non-working-hours events reflected by this data constitute a threat to the industrial control network, and thereby determine whether a security event has occurred in the industrial control system.
As another example, on the basis of the above description, the event information obtained by event parsing module 102 from the data may include the object information the event is directed at; in some possible embodiments of the present invention, association analysis module 103 may, when performing association analysis, call according to its needs the data corresponding to event information directed at the same target.
For example, the same target may be the same device, devices of the same model, devices of the same type, systems of the same type, application software of the same type, and so on. Taking the same device as an example, since data packets sent to the same device within a short time are often also more suspicious, association analysis module 103 may, when performing association analysis on the basis of the event information, call according to the correspondence between event information and data the data corresponding to event information directed at the same device, analyze from this data the actual operation commands, specific parameters and specific data content, determine according to these actual operation commands and specific parameters whether the events directed at that device reflected by this data constitute a threat to the industrial control network, and thereby determine whether a security event has occurred in the industrial control system.
As another example, on the basis of the above description, the event information obtained by event parsing module 102 from the data may include the triggering object information of the event; in some possible embodiments of the present invention, association analysis module 103 may, when performing association analysis, call according to its needs the data corresponding to event information triggered by the same triggering object.
For example, the same triggering object may be a certain device, a system in a certain device, application software in a certain device, and so on. Taking a certain device as an example, since a large number of data packets issued by the same device within a short time also tends to be more suspicious, association analysis module 103 may, when performing association analysis on the basis of the event information, call according to the correspondence between event information and data the data corresponding to event information triggered by the same device, analyze from this data the actual operation commands and specific parameters, determine whether the events triggered by that device reflected by this data constitute a threat to the industrial control network, and thereby determine whether a security event has occurred in the industrial control system.
It should be pointed out that the above event occurrence time information, the object information the event is directed at and the triggering object information of the event are specific items within the event information, and association analysis module 103 may also, when performing association analysis and according to its needs, call the data corresponding to event information whose occurrence time lies within a preset time period and which is directed at the same target, or the data corresponding to event information whose occurrence time lies within a preset time period and which was triggered by the same triggering object, or the data corresponding to event information whose occurrence time lies within a preset time period, which is directed at the same target and which was triggered by the same triggering object, and determine the security event that has occurred in the industrial control system according to the called data; for details reference may be made to the above process, which the present application does not repeat here.
It should also be pointed out that association analysis module 103 may, according to the needs of the association analysis, first call the data corresponding to event information whose occurrence time lies within a preset time period and determine the security event that has occurred in the industrial control system according to that data, then further call the data corresponding to event information directed at the same target and again determine the security event that has occurred in the industrial control system according to the called data. Similarly, association analysis module 103 may first call the data corresponding to event information whose occurrence time lies within a preset time period and determine the security event according to that data, then further call the data corresponding to event information triggered by the same triggering object and again determine the security event according to the called data, and so on. Such processes, in which association analysis module 103 calls corresponding data according to different items of event information and repeatedly determines the security event that has occurred in the industrial system, can likewise be understood with reference to the above process and are not repeated in the present application.
In addition, besides the event occurrence time information, the object information the event is directed at and the triggering object information of the event, the event information may also include various other specific items, determined by the way in which event parsing module 102 parses the data; for example, under fine-grained parsing the event information may also include the operation type involved in the data. Thus, association analysis module 103 may also, according to its needs, call the data corresponding to other specific items in the event information and determine the security event that has occurred in the industrial control system according to the called data; this can likewise be understood with reference to the above process and is not repeated here.
Further, on the basis of the above description, since event parsing module 102 may, after parsing the data obtained by data acquisition module 101 to obtain event information, also determine the event type of the corresponding data from the event information and establish a correspondence between the event type and the corresponding data, in some possible embodiments of the present invention association analysis module 103 may, when performing association analysis on the event information of each item of data, also call according to its needs the data corresponding to the same event type in order to analyze each item of data in depth, and then determine the security event that has occurred in the industrial control system according to the called data.
For example, if a large number of sensitive operations have occurred in the industrial control system, it may be considered that an abnormal event is likely occurring in the industrial control system. Since the data produced by or involved in these sensitive operations will, after parsing by event parsing module 102, have been put in correspondence with the sensitive event type, association analysis module 103 may call the data corresponding to the sensitive event type to analyze in depth the security event that has occurred in the industrial control system.
For example, if a large number of read operations on control devices occur in the industrial control system, this may be an attempt to steal sensitive information on the devices. As another example, if a large number of system login events occur, including logins to a specific application of the system, a password cracking attack against the system may be underway; if association analysis module 103 further calls this data and finds login events by an abnormal account, it may be considered that a security event of unauthorized access to the system has occurred in the industrial control system. Moreover, even when a large number of identical normal operation behaviours occur in the industrial control system, for example a large number of normal connection requests, association analysis module 103 may further call this data for analysis and may thereby uncover abnormal attack behaviour against the industrial control information that this data reflects.
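The on-demand data calling described in the preceding paragraphs (by preset time period, by same target, by same triggering object, by event type, and combinations of these) and the depth analysis of the called login data can be shown in one model. This Python is an added example for this page, not the patent's or Siemens' code; the working-hours boundaries, the `ABNORMAL_ACCOUNTS` set, the failed-login threshold, the raw records and the cached event information are constructed assumptions.

```python
from __future__ import annotations
from collections import Counter
from datetime import datetime, time


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed raw data items (the big-data library) keyed by their index information.
RAW = {
    0: {"kind": "login", "account": "operator", "result": "ok"},
    1: {"kind": "login", "account": "tmp_admin", "result": "ok"},
    2: {"kind": "login", "account": "tmp_admin", "result": "fail"},
    3: {"kind": "read", "register": "DB1.DBW0"},
    4: {"kind": "login", "account": "operator", "result": "ok"},
}

# Constructed cached event information: index info, occurrence time, target, trigger, type.
EVENTS = [
    {"idx": 0, "time": T("2017-06-26T08:30:00"), "target": "scada-app", "trigger": "ws-12", "type": "sensitive/login"},
    {"idx": 1, "time": T("2017-06-26T02:10:00"), "target": "scada-app", "trigger": "10.0.0.5", "type": "sensitive/login"},
    {"idx": 2, "time": T("2017-06-26T02:09:40"), "target": "scada-app", "trigger": "10.0.0.5", "type": "sensitive/login"},
    {"idx": 3, "time": T("2017-06-26T02:15:00"), "target": "plc-07", "trigger": "10.0.0.5", "type": "sensitive/read"},
    {"idx": 4, "time": T("2017-06-26T14:00:00"), "target": "scada-app", "trigger": "ws-12", "type": "sensitive/login"},
]

WORK_START, WORK_END = time(8, 0), time(18, 0)     # assumed working hours


def off_hours(t: datetime) -> bool:
    return not (WORK_START <= t.time() < WORK_END)


def recall(events, *, off_hours_only=False, target=None, trigger=None, type_prefix=None) -> list[dict]:
    """Index raw data through the event information, filtering on any combination of
    occurrence time (non-working hours), same target, same triggering object and event type."""
    out = []
    for e in events:
        if off_hours_only and not off_hours(e["time"]):
            continue
        if target is not None and e["target"] != target:
            continue
        if trigger is not None and e["trigger"] != trigger:
            continue
        if type_prefix is not None and not e["type"].startswith(type_prefix):
            continue
        out.append(RAW[e["idx"]])
    return out


ABNORMAL_ACCOUNTS = {"tmp_admin"}    # assumed: accounts absent from the provisioned account list


def analyse_logins(raw_items: list[dict]) -> str:
    """Depth analysis of called-back login data: a successful login by an abnormal account
    means unauthorized access; repeated failures for one account suggest password cracking."""
    logins = [r for r in raw_items if r["kind"] == "login"]
    if any(r["account"] in ABNORMAL_ACCOUNTS and r["result"] == "ok" for r in logins):
        return "unauthorized_access"
    fails = Counter(r["account"] for r in logins if r["result"] == "fail")
    if fails and max(fails.values()) >= 3:
        return "password_cracking_suspected"
    return "no_security_event"


if __name__ == "__main__":
    night_logins = recall(EVENTS, type_prefix="sensitive/login", off_hours_only=True)
    print(len(night_logins), "off-hours logins ->", analyse_logins(night_logins))
```

The filters compose, which is the point of keeping time, target and trigger as separate items of the event information: the module can narrow to "off-hours logins against `scada-app` from one source" in one call, and only the raw records behind those few index entries are fetched from the big-data library.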
Further, on the basis of the above description, in some possible embodiments of the present invention the security detection equipment of the industrial control system further includes data resolution module 104, which parses each item of data obtained by data acquisition module 101, obtains the data information of each item of data, and establishes a correspondence between the obtained data information and the corresponding data. Thus, the association analysis performed by association analysis module 103 may specifically consist in performing association analysis on both the event information and the data information parsed from each item of data according to the predetermined correlation rules, judging whether corresponding data needs to be called and, when it is judged that corresponding data needs to be called, indexing the data that needs to be called according to the event information and data information, as the calling of data requires.
Since the data information corresponds to information obtained by parsing the data at coarser granularity and the event information to information obtained by parsing the data at finer granularity, the way in which association analysis module 103 performs association analysis on the event information and data information parsed from each item of data according to the predetermined correlation rules, and indexes the data that needs to be called according to the event information and data information, may be similar to the association analysis and data calling processes performed by association analysis module 103 described above, and the present application does not describe it in detail here.
In addition, on the basis of the above description, in some possible embodiments of the present invention, since data acquisition module 101 stores the obtained data in the big-data-based library and event parsing module 102 may create index information for indexing the corresponding data for the event information, event type and basic information of each item of data, association analysis module 103 may generate, on the basis of this index information, query conditions for querying the data stored in the big-data-based library, so as to quickly find the corresponding data and speed up the calling of the corresponding data for analysis.
Further, in some possible embodiments of the present invention, association analysis module 103 may also store the analysis results obtained through the above association analysis process, for example in a database or in files, such as analysis result repository 107 shown in Figure 1. The analysis results may be used for subsequent query analysis, or may also be used to revise the preset correlation rules.
Further, in some possible embodiments of the present invention, if association analysis module 103 determines that a security event has occurred in the industrial control system, it may also generate a corresponding security alarm to give a safety indication. For example, association analysis module 103 may output security warning information to an operator through a user interaction interface (User Interface, UI), and may also prompt the user with relevant information about the security event that may have occurred, according to the association analysis result.
It can be seen that, through the solution provided by the above embodiments of the present invention, the security detection equipment of the industrial control system can collect the various heterogeneous data (such as device logs, network traffic and the like) from the various data sources present in the industrial control system, analyze and extract the event information of each item of data, and establish the correspondence between event information and data, so that association analysis can be performed on the basis of the event information and the data that needs to be called can be indexed on demand through the correspondence between event information and data. Since the operations and network behaviour related to the control and monitoring of the automated production process in an industrial control system are relatively fixed, the security detection equipment of the industrial control system, by performing association analysis on the event information corresponding to each item of data and calling the real data for analysis on demand, can uncover the abnormal behaviour or attack behaviour that may occur in the industrial control system, discover the various suspicious operations directed at different nodes or application programs in the industrial control system, and thereby determine the security event that has occurred in the industrial control system, achieving more comprehensive security detection of the industrial control system, improving the ability to discover complex attacks and enhancing the security protection capability of the industrial control system.
In order to describe more clearly the event parsing module 102 and the association analysis module 103 in the security detection device of a possible industrial control system in the above embodiment of the present invention, a description is given below with reference to Fig. 3 and Fig. 4.
As an example, Fig. 3 is a structural schematic diagram of the event parsing module in the security detection device of a possible industrial control system according to an embodiment of the present invention. As shown in Fig. 3, the event parsing module 102 includes an event analysis unit 301 and an event recognition unit 302.
The event analysis unit 301 may be used to parse the event information of each item of data acquired by the data acquisition module 101, and to establish a correspondence between the parsed event information and the corresponding data.
As shown in Fig. 2, the event analysis unit 301 may specifically obtain pre-set parsing rules from the parsing rule base 105, and then analyse the event information reflected by the various data according to those parsing rules, so as to obtain the event information corresponding to each item of data.
At this stage, the event analysis unit 301 mainly performs fast event-matching computation on all the data based on the parsing rules. The event information obtained mainly consists of information such as the time at which the event occurred, the object the event is directed at, the object that triggered the event, and the operation involved in the event; this event information can serve as the basis on which the event recognition unit 302 identifies the event type.
Further, the event recognition unit 302 may be used to determine the event type of the corresponding data according to the event information obtained by the event analysis unit 301, and to establish a correspondence between the determined event type and the corresponding data.
As shown in Fig. 2, the event recognition unit 302 may also, specifically, identify the event type of the data corresponding to each item of event information obtained by the event analysis unit 301, according to pre-set parsing rules obtained from the parsing rule base 105.
For example, based on the event information obtained by the event analysis unit 301, the event recognition unit 302 may identify whether each item of data belongs to a common event type, a control event type, a suspicious event type, etc., and may further subdivide data of the suspicious event type into a suspicious event type involving sensitive operations, a suspicious event type involving abnormal control operations, etc.; the specifics may be determined by the pre-set parsing rules.
As shown in Fig. 3, the event information and event types obtained by parsing all the data in the industrial control system as described above may be stored in a cache; for example, a cache repository 303 may be created in the cache to store the event information and event type corresponding to all the data. Moreover, for each item of data, the event information of that data may be cached in the cache repository 303 together with the index information used to index that data, so that the corresponding data can be found quickly through the event information. When subsequent association analysis needs to call data, the data will be quickly searched for and accessed on the basis of the event information and index information stored in the cache, which improves the speed of data calls.
The process by which the event analysis unit 301 parses data to obtain event information and establishes the correspondence between the event information and the corresponding data, and the process by which the event recognition unit 302 determines, based on the event information, the event type of the data corresponding to that event information, may specifically be found in the description of the event parsing module 102 in the embodiment above, and will not be repeated here.
Based on the example of the event parsing module shown in Fig. 3, and assuming that the data acquisition module 101 stores the items of data it acquires in a big-data-based database, Fig. 4 is a structural schematic diagram of the association analysis module in the security detection device of a possible industrial control system according to an embodiment of the present invention.
As shown in Fig. 4, the association analysis module 103 includes a cache analysis unit 401, a data fast lookup unit 402, an event type association unit 403, a time and address information unit 404 and a result output unit 405.
The cache analysis unit 401 may be used to obtain the event information corresponding to all the data stored in the cache repository 303, perform association analysis based on the association rules configured in the association rule base 106, and judge whether corresponding data needs to be called.
Since the cache repository 303 also stores, in correspondence with the event information of all the data, the index information used to index the data corresponding to that event information, the cache analysis unit 401 can generate, based on the event information and the index information of the data corresponding to it, a query condition for querying the data corresponding to that event information from the big-data-based database;
In turn, the data fast lookup unit 402 can, according to the query condition generated by the cache analysis unit 401, trace back and obtain the data stored in the big-data-based database that corresponds to the event information, providing data support for the subsequent association analysis that determines whether a security incident has occurred in the industrial control system.
As shown in Fig. 4, the exemplary association analysis module 103 includes an event type association unit 403 and a time and address information unit 404; thus, on the one hand, the association analysis module 103 can call corresponding data according to event type and judge, on the basis of the data called, whether a security incident has occurred in the industrial control system; on the other hand, it can call data according to the time at which an event occurred and the object (i.e. the address) the event is directed at, and again judge whether a security incident has occurred in the industrial control system.
Specifically, after the cache analysis unit 401 obtains the event information corresponding to all the data and performs association analysis based on the association rules configured in the association rule base 106, it can generate a query condition for calling the data corresponding to the same event type; the data fast lookup unit 402 retrieves, according to that query condition, the data of that same event type stored in the big-data-based database, so that the event type association unit 403 can analyse the data belonging to the same event type and determine whether a security incident has occurred in the industrial control system.
For example, the cache analysis unit 401 can generate a query condition for calling the data corresponding to the sensitive event type, and the data fast lookup unit 402 retrieves the data corresponding to the sensitive event type; in turn, the event type association unit 403 can analyse the retrieved data, for example the items of data identified as belonging to the sensitive event type that were generated by operations such as system logins and application program logins, and thereby determine whether a security incident has occurred in the industrial control system.
Further, after the cache analysis unit 401 obtains the event information corresponding to all the data and performs association analysis based on the association rules configured in the association rule base 106, it can also generate a query condition for calling the data whose event occurrence time lies within a preset time period; the data fast lookup unit 402 retrieves, according to that query condition, the data stored in the big-data-based database that corresponds to event information whose event occurrence time lies within the preset time period, so that the time and address information unit 304 can analyse this data and again determine whether a security incident has occurred in the industrial control system;
Alternatively, the cache analysis unit 401 can also generate a query condition for calling the data corresponding to event information directed at the same object; the data fast lookup unit 402 retrieves, according to that query condition, the data stored in the big-data-based database that corresponds to event information directed at the same object, so that the time and address information unit 304 can analyse this data and again determine whether a security incident has occurred in the industrial control system;
Alternatively, the cache analysis unit 401 can also generate a query condition for calling the data whose occurrence time lies within a preset time period and whose event information is directed at the same object; the data fast lookup unit 402 retrieves, according to that query condition, the data stored in the big-data-based database whose occurrence time lies within the preset time period and whose event information is directed at the same object, so that the time and address information unit 304 can analyse this data and again determine whether a security incident has occurred in the industrial control system.
In turn, by calling the data corresponding to event information directed at the same object, the time and address information unit 304 can discover suspicious operations directed at the same device, or suspicious operations directed at the same type of device, and can thereby uncover security incidents such as an attack on one class of device or the same class of attack on multiple devices; by calling the data corresponding to event information whose occurrence time lies within a preset time period, the time and address information unit 304 can discover suspicious behaviour occurring during a preset non-working time period, and can thereby uncover illegal operation events occurring in the industrial system, so as to achieve the purpose of completely detecting whether a security incident has occurred in the industrial control system.
It can be seen that, by the above means, the association analysis module 103 can, during association analysis, trace back and obtain the data that better reflects the actual situation, so as to determine more accurately whether a security incident has occurred in the industrial control system.
Further, when the association analysis module 103 determines that a security incident has occurred in the industrial control system, it can output security alarm information through the result output unit 305. For example, when the analysis result indicates that the industrial control system is under attack, the output unit 305 can output security alarm information carrying the information related to that attack.
The processes performed by the aforementioned cache analysis unit 401, data fast lookup unit 402, event type association unit 403, time and address information unit 404 and result output unit 405 may specifically be found in the description of the association analysis module 103 in the embodiment above, and will not be repeated here.
Based on the various embodiments of the present invention described above, the practical application of the security detection scheme for an industrial control system according to a possible embodiment of the present invention is described below with reference to an exemplary application scenario.
Suppose an exemplary scenario in which a malicious attacker has intruded into an engineer station in an industrial control system and modifies the configuration parameters of a PLC through the fieldbus Modbus protocol. By applying the security detection scheme for an industrial control system provided by the embodiment of the present invention to this scenario, the security detection device of the industrial control system will discover the illegal operation behaviour in this scenario through the following flow, which is described in detail below:
First, the security detection device of the industrial control system obtains all the data in the industrial control system. This data includes the device log of the engineer station intruded by the malicious attacker (the device log of the engineer station may contain log messages, usable for tracking, that relate to the malicious attacker's login to and operations on the engineer station), the network traffic in the industrial control system, and the configuration parameters of the PLC.
Next, the security detection device of the industrial control system parses the acquired data to obtain the data information of each item of data, and establishes a correspondence between the obtained data information and the corresponding data. Parsing the device log of the engineer station yields the type of the device log, the protocol used, and the source and destination address information of each log message in the device log; parsing the network traffic yields the time at which each data packet was sent, its source and destination address information, etc.; parsing the configuration parameters of the PLC yields the current PLC configuration parameters and the current time information.
The security detection device of the industrial control system screens the acquired data according to the data information (deleting the data that matches the default whitelist data configuration), then further parses the screened data to obtain the event information of each item of data, and establishes a correspondence between the parsed event information and the corresponding data. Deep parsing of each log message in the device log of the engineer station yields the operation records documented in it, and thereby the event information corresponding to these log messages (including the log messages generated by logins on the engineer station and the log messages generated by writing operation instructions to the PLC using the Modbus protocol), such as event occurrence information, target PLC information, operation instruction information, etc.; deep parsing of the data packets in the network traffic yields the content-related information carried in each data packet, and thereby the event information corresponding to these data packets (including the data packets carrying the operation instruction that modifies the PLC configuration parameters); analysing the configuration parameters of the PLC yields the event information corresponding to the PLC parameters (the PLC parameter anomaly and the time at which the parameter became abnormal).
It can be seen that, for this exemplary scenario, the security detection device of the industrial control system can, through the above process, obtain the event information corresponding to the log messages reflecting the login on the engineer station, the event information corresponding to the log messages reflecting that a modification operation occurred on the engineer station, the event information corresponding to the data packets reflecting the control commands for modifying parameters carried in the network traffic, and the event information corresponding to the PLC configuration parameters reflecting that the PLC configuration parameters are abnormal;
Further, the security detection device of the industrial control system can perform association analysis on the parsed event information and data information according to predetermined association rules and judge whether corresponding data needs to be called; when it judges that corresponding data needs to be called, it indexes the data that needs to be called according to the event information and data information and determines the security incident occurring in the industrial control system according to the data called; when it judges that corresponding data does not need to be called, it determines the security incident occurring in the industrial control system according to the result of the association analysis.
In this exemplary scenario, the security detection device of the industrial control system performs association analysis based on the event information obtained through the above process and, through that event information, calls the log messages reflecting the login on the engineer station, the log messages reflecting that a modification operation occurred on the engineer station, the control commands for modifying parameters carried in the network traffic, and the configuration parameters of the PLC. By analysing this data, it will accurately detect the intrusion event of illegal modification of the PLC configuration parameters that occurred in the industrial control system.
After the security detection device of the industrial control system determines the intrusion event of illegal modification of the PLC configuration parameters that occurred in the industrial control system, it can output security alarm information used to prompt the user about the intrusion event of illegal modification of the PLC configuration parameters that it has detected.
It can be seen that, in the above process, the security detection device of the industrial control system acquires all the data in the industrial control system and analyses all of it to find abnormal behaviour that may have occurred and to uncover complex attacks directed at the industrial control system, thereby achieving complete detection of the industrial control system and the purpose of enhancing its security protection capability.
In summary, the security detection scheme for an industrial control system provided by the embodiment of the present invention obtains all the data in the industrial control system, extracts event information from this data, performs association analysis of the event information and calls the corresponding data for analysis, so as to determine the security incidents occurring in the industrial control system. It can thus detect the security of the industrial control system more completely, discover possible complex attacks, uncover the various abnormal behaviours directed at different nodes or application programs in the industrial control system, and enhance the security protection capability of the industrial control system. In addition, in the security detection scheme for an industrial control system provided by the embodiment of the present invention, a correspondence is established between the event information of all the data and the data itself, so that the corresponding data can be quickly found on the basis of the event information, which speeds up analysis and improves its accuracy.
Based on the same technical idea, the embodiment of the present invention also provides a security detection method for an industrial control system.
Specifically, a security detection method for a possible industrial control system according to an embodiment of the present invention may include the following steps: Step 1: obtain at least two items of data from an industrial control system, wherein the at least two items of data come from at least two data sources in the industrial control system; Step 2: parse the event information of each item of data in the at least two items of data respectively; Step 3: establish a correspondence between the parsed event information and the corresponding data; Step 4: perform association analysis on the event information parsed from each item of data according to predetermined association rules, and judge whether corresponding data needs to be called; Step 5: if it is judged that corresponding data needs to be called, index the data that needs to be called according to the event information; Step 6: determine the security incident occurring in the industrial control system according to the data called.
It can be seen that the above method flow collects and parses all the data from each data source in the industrial control system, obtains the event information of all the data, establishes the correspondence between event information and data, performs association analysis on the basis of the event information, and indexes on demand the data that needs to be called during association analysis, so as to determine the security incident occurring in the industrial control system. It can thus achieve a more complete detection of the security of the industrial control system more efficiently, and enhance the security protection capability of the industrial control system.
Optionally, before step 2, in which the event information of each item of data in the at least two items of data is parsed respectively, the above method flow may also include the following process:
Parse each item of data in the at least two items of data acquired to obtain the data information of each item of data, wherein the data information of an item of data includes at least one of the following: the type of the data, information about the protocol used by the data, the source information of the data, the destination information of the data, the format of the data, and the timestamp information of the data; then, establish a correspondence between the obtained data information and the corresponding data;
In turn, step 4 of the above method flow may specifically be: perform association analysis on the event information parsed from each item of data and the data information according to predetermined association rules, and judge whether corresponding data needs to be called; step 5 may specifically be: when it is judged that corresponding data needs to be called, index the data that needs to be called according to the event information and the data information.
In this way, before all the data is parsed to obtain event information, all the data can first be parsed to obtain the data information of each item of data and the correspondence between data information and data established, which reduces the complexity of parsing the data directly to obtain event information; at the same time, the acquired data can be preliminarily screened on the basis of the data information, further reducing the complexity of parsing the data to obtain event information.
Optionally, after step 2, in which the event information of each item of data in the at least two items of data is parsed respectively, the above method flow may also include the following process: determine the event type of the corresponding data according to the event information; then, establish a correspondence between the determined event type and the corresponding data;
In turn, step 5 of the above method flow may specifically be: when it is judged that corresponding data needs to be called, call the data corresponding to the same event type.
In this way, after all the data is parsed to obtain event information, the event type corresponding to the data can be determined and the correspondence between event type and data established, so that when association analysis needs to call data, the data corresponding to the same event type can be called and analysed, and it can then be determined whether a security incident related to this data exists in the industrial control system.
Optionally, the event information includes the event occurrence time; step 5 of the above method flow may specifically be: when it is judged that corresponding data needs to be called, call the data corresponding to event information whose event occurrence time lies within a preset time period.
In this way, the data corresponding to event information in the industrial control system whose event occurrence time lies within a preset time period can be called and analysed, and it can then be determined whether a security incident related to this data exists in the industrial control system.
Optionally, the event information includes the object the event is directed at; step 5 of the above method flow may specifically be: when it is judged that corresponding data needs to be called, call the data corresponding to event information directed at the same object.
In this way, the data corresponding to event information in the industrial control system directed at the same object can be called and analysed, and it can then be determined whether a security incident related to this data exists in the industrial control system.
Optionally, the event information includes the object that triggered the event; step 5 of the above method flow may specifically be: when it is judged that corresponding data needs to be called, call the data corresponding to event information triggered by the same trigger object.
In this way, the data corresponding to event information in the industrial control system triggered by the same trigger object can be called and analysed, and it can then be determined whether a security incident related to this data exists in the industrial control system.
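As an added example that is not code from the patent, the following toy pipeline implements steps 1 to 6 above together with the optional same-event-type, preset-time-window, same-object and same-trigger-object rules, and runs them over constructed records for the engineer station / Modbus / PLC scenario described earlier. Record formats, field names, the whitelist, the address mapping, the rule thresholds and all sample values are assumptions made for illustration.

```python
"""Added example, not the patent's code: event parsing, cached event info with
index information, and rule-based association analysis that calls raw data on
demand. All formats, names, thresholds and sample values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed big-data store: raw records keyed by index information (step 1).
RAW_DATA = {
    "log-1": {"source": "engineer_station",
              "text": "2017-06-01T02:13:05 login user=svc_eng from=10.0.5.7 result=success"},
    "log-2": {"source": "engineer_station",
              "text": "2017-06-01T02:14:40 modbus write_register target=plc-01 reg=40011 value=250"},
    "net-1": {"source": "network_flow",
              "text": "2017-06-01T02:14:41 src=10.0.5.7 dst=10.0.9.1 proto=modbus fc=6 reg=40011 value=250"},
    "plc-1": {"source": "plc_config",
              "text": "2017-06-01T02:14:42 plc=plc-01 reg=40011 current=250 expected=100"},
    "log-3": {"source": "engineer_station",
              "text": "2017-06-01T08:00:00 login user=operator from=10.0.5.20 result=success"},
}
WHITELIST_SOURCES = {"10.0.5.20"}     # constructed default whitelist for data-information screening
PLC_ADDRESS = {"10.0.9.1": "plc-01"}  # constructed mapping from destination address to PLC object
PRESET_WINDOW = timedelta(minutes=5)  # preset time period for the time/address rule


@dataclass
class Event:
    index: str        # index information pointing back into RAW_DATA
    time: datetime    # event occurrence time
    target: str       # object the event is directed at
    trigger: str      # object that triggered the event
    operation: str    # operation involved in the event
    event_type: str = ""


def parse_data_info(record):
    """Data-information parsing: timestamp plus key=value fields of one record."""
    ts, *tokens = record["text"].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return datetime.fromisoformat(ts), fields


def parse_event(index, record):
    """Event analysis unit (steps 2 and 3): event information tied to its index."""
    ts, f = parse_data_info(record)
    src, text = record["source"], record["text"]
    if src == "engineer_station" and "login" in text:
        return Event(index, ts, "engineer_station", f["from"], "login")
    if src == "engineer_station" and "write_register" in text:
        return Event(index, ts, f["target"], "engineer_station", "write_register")
    if src == "network_flow" and f.get("proto") == "modbus" and f.get("fc") == "6":
        return Event(index, ts, PLC_ADDRESS.get(f["dst"], f["dst"]), f["src"], "write_register")
    if src == "plc_config" and f["current"] != f["expected"]:
        return Event(index, ts, f["plc"], "plc", "parameter_anomaly")
    return None


def recognise_type(event):
    """Event recognition unit: constructed parsing rules assigning an event type."""
    return {"login": "suspicious_sensitive",
            "write_register": "suspicious_abnormal_control",
            "parameter_anomaly": "control"}.get(event.operation, "common")


def build_cache(raw):
    """Screen by data information, then fill the cache with event info + index."""
    cache = []
    for index, record in raw.items():
        _, f = parse_data_info(record)
        if f.get("from") in WHITELIST_SOURCES or f.get("src") in WHITELIST_SOURCES:
            continue  # matches the default whitelist configuration: dropped
        event = parse_event(index, record)
        if event is not None:
            event.event_type = recognise_type(event)
            cache.append(event)
    return cache


def detect(raw):
    """Association analysis (steps 4 to 6) over the cache, calling raw data on demand."""
    cache = build_cache(raw)
    incidents = []
    for anomaly in (e for e in cache if e.operation == "parameter_anomaly"):
        # Same object + preset time window: writes to this PLC shortly before the anomaly.
        writes = [e for e in cache if e.target == anomaly.target
                  and e.event_type == "suspicious_abnormal_control"
                  and anomaly.time - PRESET_WINDOW <= e.time <= anomaly.time]
        # Constructed rule: only call raw data when two independent sources agree.
        if len({raw[e.index]["source"] for e in writes}) < 2:
            continue
        # Same trigger object: sensitive events (logins) from the host that sent the writes.
        logins = [e for e in cache if e.event_type == "suspicious_sensitive"
                  and e.trigger in {w.trigger for w in writes}]
        called = {e.index: raw[e.index] for e in writes + logins + [anomaly]}  # step 5
        incidents.append({"target": anomaly.target, "time": anomaly.time.isoformat(),
                          "incident": "illegal modification of PLC configuration parameter",
                          "called": sorted(called)})                            # step 6
    return incidents


if __name__ == "__main__":
    for alarm in detect(RAW_DATA):  # result output unit: security alarm information
        print("SECURITY ALARM:", alarm)
```

The whitelisted operator login (log-3) never reaches the cache, while the attacker's login is pulled in only because its trigger object matches the host that sent the Modbus write seen in the network traffic.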
Specifically, the above method flow may be executed by the security detection device 100 of the industrial control system shown in Fig. 1, for example implemented as the flow shown in Fig. 2; the specific implementation of each step may be found in the description of the previous embodiment and will not be repeated here.
It should be understood that the functional modules of the security detection device 100 of the industrial control system shown in Fig. 1 that execute the above method flow are only one example of a division by logical function, and other division manners may exist in actual implementation. For example, the modules shown in Fig. 1 may be concentrated in one processing module, or any two or more of the modules shown in Fig. 1 may be concentrated in one module, etc.; the present application will not enumerate them here. The above integrated modules may be implemented either in the form of hardware or in the form of software functional units.
Based on the same technical idea, the embodiment of the present invention also provides a security detection device for an industrial control system.
Fig. 5 shows a structural diagram of a security detection device 500 for an industrial control system provided by an embodiment of the present invention. As shown in Fig. 5, the security detection device 500 of the industrial control system may include: an interface 501, at least one processor 502, a bus 503 and at least one memory 504, wherein
the interface 501, the at least one processor 502 and the at least one memory 504 are connected to one another through the bus 503; the bus 503 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The bus 503 may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one thick line is used in Fig. 5, but this does not mean that there is only one bus or only one type of bus.
The security detection device 500 of the industrial control system may be applied in an industrial control system and communicate with other devices through the interface 501, for example to obtain at least two items of data from the industrial control system, wherein the at least two items of data come from at least two data sources in the industrial control system;
The at least one processor 502 may be used to implement the security detection method for an industrial control system shown in Fig. 2, including:
obtaining at least two items of data from an industrial control system, wherein the at least two items of data come from at least two data sources in the industrial control system;
parsing the event information of each item of data in the at least two items of data respectively;
establishing a correspondence between the parsed event information and the corresponding data;
performing association analysis on the event information parsed from each item of data according to predetermined association rules, and judging whether corresponding data needs to be called;
if it is judged that corresponding data needs to be called, indexing the data that needs to be called according to the event information;
determining the security incident occurring in the industrial control system according to the data called.
Optionally, before parsing the event information of each item of data in the at least two items of data respectively, the at least one processor 502 is also used to: parse each item of data in the at least two items of data acquired to obtain the data information of each item of data, wherein the data information of an item of data includes at least one of the following: the type of the data, information about the protocol used by the data, the source information of the data, the destination information of the data, the format of the data, and the timestamp information of the data;
establish a correspondence between the obtained data information and the corresponding data;
In turn, when performing association analysis on the parsed event information of each item of data according to predetermined association rules and judging whether corresponding data needs to be called, the at least one processor 502 is specifically used to:
perform association analysis on the event information and the data information parsed from each item of data according to predetermined association rules, and judge whether corresponding data needs to be called;
In turn, when indexing the data that needs to be called according to the event information, the at least one processor 502 is specifically used to:
index the data that needs to be called according to the event information and the data information.
Optionally, after parsing the event information of each item of data in the at least two items of data respectively, the at least one processor 502 is also used to: determine the event type of the corresponding data according to the event information;
establish a correspondence between the determined event type and the corresponding data;
In turn, when indexing the data that needs to be called according to the event information, the at least one processor 502 is specifically used to:
call the data corresponding to the same event type.
Optionally, the event information includes the event occurrence time;
when indexing the data that needs to be called according to the event information, the at least one processor 502 is specifically used to: call the data corresponding to event information whose event occurrence time lies within a preset time period.
Optionally, the event information includes the object the event is directed at;
when indexing the data that needs to be called according to the event information, the at least one processor 502 is specifically used to: call the data corresponding to event information directed at the same object.
Optionally, the event information includes the object that triggered the event;
when indexing the data that needs to be called according to the event information, the at least one processor 502 is specifically used to: call the data corresponding to event information triggered by the same trigger object.
Optionally, the at least one memory 504 may be used to store the security detection program of the industrial control system. Specifically, the program may include program code, which includes computer operation instructions. The at least one memory 504 may include at least one random access memory (RAM), and may also include at least one non-volatile memory, for example at least one disk. The at least one processor 502 calls the security detection program of the industrial control system stored in the at least one memory 504 to implement the functions described above, thereby implementing the security detection method for an industrial control system shown in Fig. 2.
Based on the same technical idea, the embodiment of the present invention also provides a machine-readable medium storing machine-readable instructions for causing a machine to execute the method described above. Specifically, a system or device equipped with the machine-readable medium may be provided, on which medium is stored the software program code that implements the functions of any of the above embodiments, and the computer (or central processing unit (CPU) or microprocessor unit (MPU)) of the system or device is made to read and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium can implement the functions of any of the above embodiments, and therefore the program code and the storage medium storing the program code constitute part of the embodiments of the present invention.
Embodiments of the storage medium for providing the program code include floppy disks, hard disks, magneto-optical disks, optical discs (such as Compact Disc Read-Only Memory (CD-ROM), Compact Disc-Recordable (CD-R), Compact Disc-ReWritable (CD-RW), Digital Video Disc-Read Only Memory (DVD-ROM), Digital Versatile Disc-Random Access Memory (DVD-RAM), Digital Versatile Disc-ReWritable (DVD±RW), etc.), magnetic tape, non-volatile memory cards and read-only memory (ROM). Alternatively, the program code may be downloaded from a server computer or from the cloud via a communication network.
Further, it should be clear that the functions of any of the above embodiments can be implemented not only by executing the program code read by the computer, but also by having the operating system running on the computer, etc., perform part or all of the actual operations based on the instructions of the program code.
Further, it should be understood that the program code read from the storage medium may be written into a memory provided on an expansion board inserted into the computer or into a memory provided in an expansion unit connected to the computer, and then, based on the instructions of the program code, the CPU etc. mounted on the expansion board or expansion unit is made to perform part or all of the actual operations, thereby implementing the functions of any of the above embodiments.
It should be noted that not all the steps and modules in the above flows and device structure diagrams are necessary; certain steps or modules may be omitted according to actual needs. The order in which the steps are executed is not fixed and may be adjusted as needed. The device structures described in the above embodiments may be physical structures or logical structures; that is, some modules may be implemented by the same physical entity, some modules may be implemented separately by multiple physical entities, or modules may be implemented jointly by certain components in multiple independent devices.
In the above various embodiments, hardware cell mechanically or can be realized electrically.For example, a hardware list Member may include permanent dedicated circuit or logic (such as special processor, FPGA or ASIC) to complete corresponding operating.Firmly Part unit can also include programmable logic or circuit (such as general processor or other programmable processors), can by software into The interim setting of row is to complete corresponding operating.Concrete implementation mode (mechanical system or dedicated permanent circuit or is faced When the circuit that is arranged) can be determined based on cost and temporal consideration.
Detailed displaying and explanation carried out to the present invention above by attached drawing and preferred embodiment, however the present invention is not limited to These embodiments having revealed that, base could be aware that with above-mentioned multiple embodiment those skilled in the art, can combine above-mentioned difference Code audit means in embodiment obtain the more embodiments of the present invention, these embodiments also protection scope of the present invention it It is interior.

Claims (14)

1. A safety detection method for an industrial control system, characterized by comprising:
acquiring at least two items of data from the industrial control system, wherein the at least two items of data come from at least two data sources in the industrial control system;
parsing the event information of each item of data in the at least two items of data respectively;
establishing a correspondence between the parsed event information and the corresponding data;
performing correlation analysis on the event information parsed from each item of data according to predetermined correlation rules, and judging whether corresponding data needs to be called;
if it is judged that corresponding data needs to be called, indexing the data that needs to be called according to the event information;
determining the security incident that has occurred in the industrial control system according to the called data.
2. The method according to claim 1, characterized in that, before parsing the event information of each item of data in the at least two items of data respectively, the method further comprises:
parsing each item of data in the acquired at least two items of data to obtain the data information of each item of data; wherein the data information of an item of data includes at least one of the following: the type of the data, the protocol used by the data, the source information of the data, the destination information of the data, the format of the data, and the timestamp information of the data;
establishing a correspondence between the obtained data information and the corresponding data;
performing correlation analysis on the event information parsed from each item of data according to predetermined correlation rules and judging whether corresponding data needs to be called comprises:
performing correlation analysis on the event information and the data information parsed from each item of data according to predetermined correlation rules, and judging whether corresponding data needs to be called;
indexing the data that needs to be called according to the event information comprises:
indexing the data that needs to be called according to the event information and the data information.
3. The method according to claim 1 or 2, characterized in that, after parsing the event information of each item of data in the at least two items of data respectively, the method further comprises:
determining the event type of the corresponding data according to the event information;
establishing a correspondence between the determined event type and the corresponding data;
indexing the data that needs to be called according to the event information comprises:
calling the data corresponding to the same event type.
4. The method according to claim 1 or 2, characterized in that the event information includes the time of occurrence of the event;
indexing the data that needs to be called according to the event information comprises:
calling the data corresponding to the event information whose time of occurrence lies within a preset time period.
5. The method according to claim 1 or 2, characterized in that the event information includes the object targeted by the event;
indexing the data that needs to be called according to the event information comprises:
calling the data corresponding to the event information for the same object.
6. The method according to claim 1 or 2, characterized in that the event information includes the triggering object of the event;
indexing the data that needs to be called according to the event information comprises:
calling the data corresponding to the event information triggered by the same triggering object.
7. A security detection device for an industrial control system, characterized by comprising: a data acquisition module (101), an event parsing module (102) and a correlation analysis module (103), wherein:
the data acquisition module (101) is configured to acquire at least two items of data from the industrial control system, wherein the at least two items of data come from at least two data sources in the industrial control system;
the event parsing module (102) is configured to parse the event information of each item of data in the at least two items of data respectively, and to establish a correspondence between the parsed event information and the corresponding data;
the correlation analysis module (103) is configured to perform correlation analysis on the event information parsed from each item of data according to predetermined correlation rules and judge whether corresponding data needs to be called; if so, to index the data that needs to be called according to the event information, and to determine the security incident that has occurred in the industrial control system according to the called data.
8. The device according to claim 7, characterized in that
it further comprises a data parsing module (104), configured to parse each item of data in the at least two items of data acquired by the data acquisition module (101) to obtain the data information of each item of data, and to establish a correspondence between the obtained data information and the corresponding data; wherein the data information of an item of data includes at least one of the following: the type of the data, the protocol used by the data, the source information of the data, the destination information of the data, the format of the data, and the timestamp information of the data;
when performing correlation analysis on the event information parsed from each item of data according to predetermined correlation rules and judging whether corresponding data needs to be called, the correlation analysis module (103) is specifically configured to:
perform correlation analysis on the event information and the data information parsed from each item of data according to predetermined correlation rules, and judge whether corresponding data needs to be called;
when indexing the data that needs to be called according to the event information, the correlation analysis module (103) is specifically configured to:
index the data that needs to be called according to the event information and the data information.
9. The device according to claim 7 or 8, characterized in that, after parsing the event information of each item of data in the at least two items of data respectively, the event parsing module (102) is further configured to:
determine the event type of the corresponding data according to the event information;
establish a correspondence between the determined event type and the corresponding data;
when indexing the data that needs to be called according to the event information, the correlation analysis module (103) is specifically configured to:
call the data corresponding to the same event type.
10. The device according to claim 7 or 8, characterized in that the event information includes the time of occurrence of the event;
when indexing the data that needs to be called according to the event information, the correlation analysis module (103) is specifically configured to:
call the data corresponding to the event information whose time of occurrence lies within a preset time period.
11. The device according to claim 7 or 8, characterized in that the event information includes the object targeted by the event;
when indexing the data that needs to be called according to the event information, the correlation analysis module (103) is specifically configured to:
call the data corresponding to the event information for the same object.
12. The device according to claim 7 or 8, characterized in that the event information includes the triggering object of the event;
when indexing the data that needs to be called according to the event information, the correlation analysis module (103) is specifically configured to:
call the data corresponding to the event information triggered by the same triggering object.
13. A security detection device for an industrial control system, characterized in that the device comprises:
at least one memory (504), configured to store the safety detection program of the industrial control system;
at least one processor (502), configured to call the safety detection program of the industrial control system stored in the at least one memory (504) and execute the method according to any one of claims 1 to 6.
14. A machine-readable medium, characterized in that machine-readable instructions are stored on the machine-readable medium, and the machine-readable instructions, when executed by at least one processor, cause the at least one processor to perform the method according to any one of claims 1 to 6.
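The following is an added example, not code from the patent or from the applicant: a small correlation engine in the shape of claims 1 to 6. It acquires records from two constructed ICS data sources, parses the event information of each record while keeping the correspondence back to the raw record, applies a predefined correlation rule to decide whether related data needs to be called, then indexes that data by the same triggering object within a preset time window (the indexing of claims 4 and 6, with the per-type and per-target indexes of claims 3 and 5 also kept) and reports the security incident together with the records called. The log formats, host names, addresses and the rule itself are all constructed for this example and are not taken from the patent.

```python
"""Added example (not the patent's code): event correlation in the shape of claims 1-6.
All data sources, log formats, addresses and the rule are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data from two sources: an engineering-workstation auth log and a
# simplified PLC write-audit log (hypothetical formats, constructed for this example).
HOST_LOG = [
    "2017-06-27T10:00:01 EWS01 auth FAIL user=eng src=10.0.5.23",
    "2017-06-27T10:00:04 EWS01 auth FAIL user=eng src=10.0.5.23",
    "2017-06-27T10:00:09 EWS01 auth OK user=eng src=10.0.5.23",
]
PLC_LOG = [
    "2017-06-27T10:00:40 PLC07 WRITE src=10.0.5.23 block=DB10 value=0",
    "2017-06-27T14:30:00 PLC07 WRITE src=10.0.5.40 block=DB10 value=1",
]
WINDOW = timedelta(minutes=5)  # the "preset time period" of claim 4 (chosen here)


@dataclass
class Event:
    """Event information parsed from one record, plus the correspondence to the raw record."""
    event_type: str   # claim 3: event type determined from the event information
    time: datetime    # claim 4: time of occurrence
    target: str       # claim 5: object the event is directed at
    trigger: str      # claim 6: object that triggered the event
    data_source: str  # claim 2: data information (which source the record came from)
    raw: str          # claim 1: correspondence back to the original item of data


def parse_host(line):
    """Parser for the constructed workstation auth-log format."""
    ts, host, _, result, _, src = line.split()
    return Event("auth_fail" if result == "FAIL" else "auth_ok",
                 datetime.fromisoformat(ts), host, src.split("=", 1)[1], "host_auth", line)


def parse_plc(line):
    """Parser for the constructed PLC write-audit format; target is PLC/block."""
    ts, plc, op, src, block, _ = line.split()
    target = plc + "/" + block.split("=", 1)[1]
    return Event("plc_" + op.lower(), datetime.fromisoformat(ts), target,
                 src.split("=", 1)[1], "plc_audit", line)


class EventIndex:
    """Indexes events by type, target and trigger so related data can be called up."""
    def __init__(self):
        self.events = []
        self.by_type = defaultdict(list)
        self.by_target = defaultdict(list)
        self.by_trigger = defaultdict(list)

    def add(self, ev):
        self.events.append(ev)
        self.by_type[ev.event_type].append(ev)
        self.by_target[ev.target].append(ev)
        self.by_trigger[ev.trigger].append(ev)

    def same_trigger_within(self, ev, window=WINDOW):
        """Claims 4 and 6: data from the same triggering object inside the time window."""
        return sorted((e for e in self.by_trigger[ev.trigger]
                       if abs(e.time - ev.time) <= window), key=lambda e: e.time)


def build_index(sources):
    """Claim 1: acquire data from at least two sources and parse each record's event info."""
    if len(sources) < 2:
        raise ValueError("at least two data sources are required")
    index = EventIndex()
    for parser, lines in sources:
        for line in lines:
            index.add(parser(line))
    return index


def rule_write_after_auth_failures(ev, index):
    """Constructed correlation rule: a PLC write from a source that produced two or more
    authentication failures in the preceding window means its related data must be called."""
    if ev.event_type != "plc_write":
        return False
    fails = [e for e in index.by_trigger[ev.trigger]
             if e.event_type == "auth_fail" and timedelta(0) <= ev.time - e.time <= WINDOW]
    return len(fails) >= 2


RULES = {"write_after_auth_failures": rule_write_after_auth_failures}


def detect(index):
    """Apply the predefined rules; when one fires, call the indexed data and report."""
    incidents = []
    for ev in index.events:
        for name, rule in RULES.items():
            if rule(ev, index):
                evidence = [e.raw for e in index.same_trigger_within(ev)]
                incidents.append({"rule": name, "trigger": ev.trigger,
                                  "target": ev.target, "evidence": evidence})
    return incidents


if __name__ == "__main__":
    for inc in detect(build_index([(parse_host, HOST_LOG), (parse_plc, PLC_LOG)])):
        print(inc["rule"], inc["trigger"], "->", inc["target"])
        for line in inc["evidence"]:
            print("   ", line)
```

On the sample data only the first PLC write is reported: its source address produced two authentication failures within the window, so the rule fires, and the records called are the three workstation lines plus the write itself, in time order. The second write comes from a different address with no correlated failures, so no data is called and no incident is raised; keeping the raw line on every event is what lets the report carry evidence from both sources rather than a bare alert.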
CN201710501199.XA 2017-06-27 2017-06-27 A kind of safety detection method and equipment of industrial control system Pending CN109144023A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710501199.XA CN109144023A (en) 2017-06-27 2017-06-27 A kind of safety detection method and equipment of industrial control system

Publications (1)

Publication Number Publication Date
CN109144023A true CN109144023A (en) 2019-01-04

Family

ID=64805013

Country Status (1)

Country Link
CN (1) CN109144023A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102035855A (en) * 2010-12-30 2011-04-27 江苏省电力公司 Network security incident association analysis system
CN103036905A (en) * 2012-12-27 2013-04-10 北京神州绿盟信息安全科技股份有限公司 Method and device of enterprise network safety analysis
CN203870447U (en) * 2014-05-15 2014-10-08 大连宝信起重技术有限公司 Unmanned steel product reservoir area safety monitoring device
CN104326360A (en) * 2014-10-21 2015-02-04 南京波思途电子科技有限公司 Portal crane holographic detection method and safety monitoring platform
CN205449138U (en) * 2015-12-25 2016-08-10 杭州易管科技有限公司 Remote monitoring system based on internet of things
CN206040220U (en) * 2016-07-07 2017-03-22 苏州东仪核电科技股份有限公司 Main steam pipeline leak local monitoring for system acoustic emission handle rack

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111506022A (en) * 2019-01-30 2020-08-07 中国石油天然气集团有限公司 Industrial control system and safety auditing method in industrial control system
CN111917686A (en) * 2019-05-08 2020-11-10 创升益世(东莞)智能自控有限公司 Data network communication protocol IPSCom applied to industrial Internet
CN110376957A (en) * 2019-07-04 2019-10-25 哈尔滨工业大学(威海) A kind of PLC security incident evidence collecting method constructed automatically based on secure protocol
CN112579659A (en) * 2019-09-29 2021-03-30 北京国双科技有限公司 Industrial real-time data correlation analysis method and device
WO2021217636A1 (en) * 2020-04-30 2021-11-04 西门子股份公司 Industrial network behavior analysis method, apparatus and system, and computer-readable medium
US11829122B2 (en) 2020-04-30 2023-11-28 Siemens Aktiengesellschaft Industrial network behavior analysis method, apparatus and system, and computer-readable medium
CN111897771A (en) * 2020-07-24 2020-11-06 宁夏隆基宁光仪表股份有限公司 Gas meter message testing method and system based on intelligent analysis model
CN112650180A (en) * 2020-12-23 2021-04-13 烽台科技(北京)有限公司 Safety warning method, device, terminal equipment and storage medium
CN114355853A (en) * 2021-12-30 2022-04-15 绿盟科技集团股份有限公司 Industrial control data evidence obtaining method and device, electronic equipment and storage medium
CN114355853B (en) * 2021-12-30 2023-09-19 绿盟科技集团股份有限公司 Industrial control data evidence obtaining method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190104