CN109361658B - Industrial control industry-based abnormal traffic information storage method and device and electronic equipment - Google Patents

Info

Publication number: CN109361658B
Application number: CN201811128424.0A
Authority: CN (China)
Other versions: CN109361658A (application publication, en)
Original language: Chinese (zh)
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Inventors: 王宗三, 范渊
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd (as listed by Google Patents; may be inaccurate)
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Priority application: CN201811128424.0A
Publications: CN109361658A (application), CN109361658B (grant)

Classifications

    • H04L63/1425 Network security: detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L63/1433 Network security: detecting or protecting against malicious traffic; vulnerability analysis
    • H04L41/145 Network management: network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L43/08 Network monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0894 Packet rate


Abstract

The invention provides an industrial control industry-based abnormal traffic information storage method, an abnormal traffic information storage device and an electronic device, in the technical field of industrial control. The method comprises: acquiring target abnormal traffic information of industrial control equipment in an industrial control system; traversing the abnormal traffic information stored in a target database of the industrial control system to match the target abnormal traffic information and obtain a matching result, where the matching result indicates whether the target abnormal traffic information was matched in the target database; and adjusting the storage structure of the target database on the basis of the matching result and the target abnormal traffic information to obtain an adjusted target database, where the storage structure of the abnormal traffic information in the adjusted database determines the traversal order of the abnormal traffic information in the adjusted database. This addresses the prior-art problem that abnormal traffic information in an abnormal traffic database is processed slowly, so that abnormal traffic data is processed inefficiently.

Description

Industrial control industry-based abnormal flow information storage method and device and electronic equipment
Technical Field
The invention relates to the technical field of industrial control, and in particular to an industrial control industry-based abnormal traffic information storage method and device and an electronic device.
Background
With the rapid development of modern industry, industrial control systems are increasingly networked and growing in scale. This greatly accelerates industrial development, but the networking of industrial systems also brings industrial control security hazards with it. How to detect industrial anomalies quickly therefore plays an important role in industrial production.
As the networking of industrial control systems continues, the demand for faster abnormal traffic detection keeps growing. Interception and analysis of abnormal network data are already well developed.
However, abnormal traffic information in the abnormal traffic library is currently processed slowly, so abnormal traffic data is processed inefficiently.
Disclosure of Invention
In view of this, the present invention provides an industrial control industry-based abnormal traffic information storage method, an abnormal traffic information storage device and an electronic device, to solve the prior-art problem that abnormal traffic information in the abnormal traffic library is processed slowly and abnormal traffic data is therefore processed inefficiently.
In a first aspect, an embodiment of the present invention provides an industrial control industry-based abnormal traffic information storage method, applied to a controller of an industrial control system, which includes:
acquiring target abnormal traffic information of industrial control equipment in the industrial control system;
traversing the abnormal traffic information stored in a target database of the industrial control system to match the target abnormal traffic information and obtain a matching result, where the matching result indicates whether the target abnormal traffic information was matched in the target database;
and adjusting the storage structure of the target database on the basis of the matching result and the target abnormal traffic information to obtain an adjusted target database, where the storage structure of the abnormal traffic information in the adjusted database determines the traversal order of the abnormal traffic information in the adjusted database.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, where before the target abnormal traffic information is matched by traversing the abnormal traffic information stored in the target database of the industrial control system, the method further includes:
building a first Huffman tree from the abnormal traffic information stored in the target database, where each leaf node of the first Huffman tree corresponds to one type of abnormal traffic information in the target database;
and taking the storage structure of the abnormal traffic information in the first Huffman tree as the target storage structure, i.e. the storage structure of the target database.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, where matching the target abnormal traffic information by traversing the abnormal traffic information stored in the target database to obtain a matching result includes:
traversing the abnormal traffic information stored in the target database according to the target storage structure, so as to search the target database for abnormal traffic information that matches the target abnormal traffic information;
if matching abnormal traffic information is found, obtaining a first matching result, which indicates that the match succeeded;
and if no matching abnormal traffic information is found, obtaining a second matching result, which indicates that the match failed, and then adding a new leaf node to the first Huffman tree, where the new leaf node corresponds to the target abnormal traffic information that was not matched.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, where adjusting the storage structure of the target database on the basis of the matching result and the target abnormal traffic information to obtain an adjusted target database includes:
determining, from the matching result, the structure information to be adjusted in the storage structure of the first Huffman tree;
adjusting the storage structure of the first Huffman tree on the basis of the target abnormal traffic information and the structure information to be adjusted, to obtain an adjusted first Huffman tree;
and adjusting the storage structure of the target database according to the storage structure of the adjusted first Huffman tree, to obtain the adjusted target database.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, where determining, from the matching result, the structure information to be adjusted in the storage structure of the first Huffman tree includes:
if the matching result is the first matching result, taking a target weight as the structure information to be adjusted, where the target weight is the weight of the leaf node of the first Huffman tree that corresponds to the abnormal traffic information in the target database matched by the target abnormal traffic information;
if the matching result is the second matching result, taking the newly added leaf node and/or the weight of the newly added leaf node as the structure information to be adjusted.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, where determining, from the matching result, the structure information to be adjusted in the storage structure of the first Huffman tree further includes:
determining the weight of each leaf node in the first Huffman tree according to the occurrence time and/or the occurrence probability of the target abnormal traffic information.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation of the first aspect, where the method further includes:
determining the traversal order of the abnormal traffic information stored in the adjusted target database according to the storage structure of the adjusted first Huffman tree.
In a second aspect, an embodiment of the present invention further provides an industrial control industry-based abnormal traffic information storage device, applied to a controller of an industrial control system, which includes:
an acquisition module for acquiring target abnormal traffic information of the industrial control equipment in the industrial control system;
a matching module for traversing the abnormal traffic information stored in a target database of the industrial control system to match the target abnormal traffic information and obtain a matching result, where the matching result indicates whether the target abnormal traffic information was matched in the target database;
and an adjustment module for adjusting the storage structure of the target database on the basis of the matching result and the target abnormal traffic information to obtain an adjusted target database, where the storage structure of the abnormal traffic information in the adjusted database determines the traversal order of the abnormal traffic information in the adjusted database.
In a third aspect, an embodiment of the present invention further provides an electronic device including a memory and a processor, where the memory stores a computer program that can run on the processor, and the processor implements the steps of the method of the first aspect when executing the computer program.
In a fourth aspect, the present invention further provides a computer-readable medium carrying non-volatile program code executable by a processor, where the program code causes the processor to execute the method of the first aspect.
The technical solution provided by the embodiments of the invention has the following beneficial effects. The embodiments provide an industrial control industry-based abnormal traffic information storage method and device and an electronic device. Target abnormal traffic information of industrial control equipment in the industrial control system is first acquired; the abnormal traffic information stored in the target database of the industrial control system is then traversed to match the target abnormal traffic information and obtain a matching result that indicates whether the target abnormal traffic information was matched in the target database; the storage structure of the target database is then adjusted on the basis of the matching result and the target abnormal traffic information to obtain an adjusted target database, whose storage structure determines the traversal order of the abnormal traffic information in it. By adjusting the structure of the target database that stores the abnormal traffic information, the structure can be adjusted automatically according to the real-time state as more abnormal traffic information is acquired, so the target database is continuously optimised while it is being filled. The query traversal order is thereby continuously optimised, the anomaly matching rate gradually increases, and the higher matching hit rate speeds up queries of abnormal traffic information. This solves the prior-art problem that abnormal traffic information in the abnormal traffic database is processed slowly and abnormal traffic data is therefore processed inefficiently.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart illustrating an abnormal traffic information storage method based on industrial control industry according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an abnormal traffic information storage method based on industrial control industry according to a second embodiment of the present invention;
fig. 3 shows another flowchart of an abnormal traffic information storage method based on industrial control industry according to a second embodiment of the present invention;
fig. 4 is a schematic structural diagram illustrating an abnormal traffic information storage device based on the industrial control industry according to a third embodiment of the present invention;
fig. 5 shows a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Icon: 3-abnormal flow information storage device based on industrial control industry; 31-an acquisition module; 32-a matching module; 33-an adjustment module; 4-an electronic device; 41-a memory; 42-a processor; 43-bus; 44-communication interface.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, with the rapid development of modern industry, industrial control systems are increasingly networked and growing in scale. This greatly accelerates industrial development, but the networking of industrial systems also brings industrial control security hazards with it. How to detect industrial anomalies quickly therefore plays an important role in industrial production.
As the networking of industrial control systems continues, the demand for faster abnormal traffic detection keeps growing. Interception and analysis of abnormal network data are already well developed. However, there are still few processing mechanisms for the abnormal traffic library itself: attention currently goes mostly to how an anomaly is identified, while the internal processing of the abnormal traffic library is largely neglected.
Current processing of abnormal traffic data is thus mainly about the matching method and rarely about the abnormal traffic library. Industrial systems still rely on brute-force scanning of the existing abnormal traffic library, which suits a relatively self-contained industrial system. The library is mostly kept in an ordinary data structure, so when an anomaly is detected, matching has to start from the beginning of the library and continue until the corresponding entry is hit or the end is reached. This is slow, and abnormal traffic data is therefore processed inefficiently.
On this basis, the industrial control industry-based abnormal traffic information storage method, device and electronic device provided by the embodiments of the invention can solve the prior-art problem that abnormal traffic information in the abnormal traffic library is processed slowly and abnormal traffic data is therefore processed inefficiently.
To aid understanding of the embodiments, the industrial control industry-based abnormal traffic information storage methods, devices and electronic devices disclosed in the embodiments of the invention are first described in detail.
Embodiment one:
The industrial control industry-based abnormal traffic information storage method provided by this embodiment of the invention is applied to a controller of an industrial control system and, as shown in fig. 1, includes the following steps:
S11: acquiring target abnormal traffic information of the industrial control equipment in the industrial control system.
Abnormal traffic can be understood as traffic generated by an abnormal situation in the network, for example unexpected traffic carried on the limited bandwidth resource; it may also be called abnormal data.
Abnormal traffic may be identified as follows. In an industrial network topology that is isolated from the outside, while vulnerability discovery and scanning are being carried out (scanning the IPs and ports of a network segment, capturing packets, and so on), the volume of packet data obtained per unit time is checked against a reasonable range; if the current packets are too large, or the same IP is being accessed continuously, the traffic can essentially be judged abnormal.
S12: traversing the abnormal traffic information stored in a target database of the industrial control system to match the target abnormal traffic information and obtain a matching result, where the matching result indicates whether the target abnormal traffic information was matched in the target database.
S13: adjusting the storage structure of the target database on the basis of the matching result and the target abnormal traffic information to obtain an adjusted target database, where the storage structure of the abnormal traffic information in the adjusted database determines the traversal order of the abnormal traffic information in the adjusted database.
The industrial control industry-based abnormal traffic information storage method of this embodiment thus adjusts the existing structure of the target database that stores abnormal traffic information. As the abnormal traffic information in the target database grows, its structure is automatically adjusted according to the real-time state, so the target database is continuously optimised while it is being filled. This gives the system a degree of self-learning ability, gradually raises the anomaly matching rate, and speeds up scanning by raising the scan hit rate, thereby improving network security.
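The identification rule just described (packet volume per unit time checked against a reasonable range, over-large packets, the same IP accessed continuously) can be made concrete as a per-second threshold detector that emits a signature name for each anomaly it finds. This is an added example, not code from the patent or its assignee; the thresholds, the per-second bucketing, the signature strings and the flow records are all constructed assumptions.

```python
"""Added example (not the patent's code): a threshold detector that turns
per-second flow statistics into anomaly signatures, in the spirit of S11.
The thresholds and the flow records below are constructed assumptions."""
from collections import defaultdict

# Assumed per-second thresholds for an isolated industrial segment.
MAX_BYTES_PER_SEC = 50_000         # "current packets are too large"
MAX_DISTINCT_PORTS_PER_SEC = 20    # port sweep of one host
MAX_HITS_SAME_DST_PER_SEC = 100    # "same IP accessed continuously"


def detect_anomalies(records):
    """records: iterable of (timestamp, src_ip, dst_ip, dst_port, n_bytes).
    Returns a sorted list of (src_ip, second, signature) findings."""
    per_src_sec = defaultdict(lambda: {"bytes": 0, "ports": set(),
                                       "dst_hits": defaultdict(int)})
    for ts, src, dst, dport, nbytes in records:
        agg = per_src_sec[(src, int(ts))]      # bucket by source and second
        agg["bytes"] += nbytes
        agg["ports"].add((dst, dport))
        agg["dst_hits"][dst] += 1

    findings = []
    for (src, sec), agg in per_src_sec.items():
        if agg["bytes"] > MAX_BYTES_PER_SEC:
            findings.append((src, sec, "volume-burst"))
        if len(agg["ports"]) > MAX_DISTINCT_PORTS_PER_SEC:
            findings.append((src, sec, "port-scan"))
        for dst, hits in agg["dst_hits"].items():
            if hits > MAX_HITS_SAME_DST_PER_SEC:
                findings.append((src, sec, f"repeated-access:{dst}"))
    return sorted(findings)


def sample_records():
    """Constructed traffic: an HMI polling a PLC plus three misbehaving hosts."""
    recs = []
    # 10.0.0.2 is an HMI polling the PLC 10.0.0.5 over Modbus/TCP: 10 pps, 64 B.
    for sec in range(3):
        for i in range(10):
            recs.append((sec + i / 10, "10.0.0.2", "10.0.0.5", 502, 64))
    # 10.0.0.99 sweeps 40 ports on the PLC within second 0.
    for port in range(1, 41):
        recs.append((0.5, "10.0.0.99", "10.0.0.5", port, 60))
    # 10.0.0.7 pushes 40 x 2000 B (80 kB) to the PLC within second 1.
    for _ in range(40):
        recs.append((1.2, "10.0.0.7", "10.0.0.5", 502, 2000))
    # 10.0.0.8 hammers the PLC with 150 small requests within second 2.
    for _ in range(150):
        recs.append((2.1, "10.0.0.8", "10.0.0.5", 502, 40))
    return recs


if __name__ == "__main__":
    for finding in detect_anomalies(sample_records()):
        print(finding)
```

The HMI's steady 10 requests per second stays under every threshold and produces no finding, while each of the three other hosts trips exactly one rule. The signature string is what the storage method of S12/S13 then looks up in the abnormal traffic library.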
Embodiment two:
The industrial control industry-based abnormal traffic information storage method provided by this embodiment of the invention is applied to a controller of an industrial control system and, as shown in fig. 2, includes the following steps:
S21: acquiring target abnormal traffic information of the industrial control equipment in the industrial control system.
The meaning of abnormal traffic and the way it is identified are as described for S11 in embodiment one.
S22: building a first Huffman tree from the abnormal traffic information stored in the target database, where each leaf node of the first Huffman tree corresponds to one type of abnormal traffic information in the target database.
In this step each type of abnormal traffic information (i.e. each anomaly type) in the existing target database (i.e. the network anomaly matching library) becomes a leaf node of a Huffman tree. Since the probability of each previous anomaly is not yet known at this point, all leaf nodes are given the same weight, and the Huffman tree is simply built in the existing order.
S23: taking the storage structure of the abnormal traffic information in the first Huffman tree as the target storage structure, i.e. the storage structure of the target database.
In a preferred implementation of this embodiment, a Huffman code is generated from the storage structure of the first Huffman tree (the existing Huffman tree) and recorded in a fixed file; the Huffman code represents the traversal order of the abnormal traffic information in the Huffman tree. (In a Huffman tree a leaf with a higher weight receives a shorter code, so ordering the leaves by code length orders them from most to least likely.)
S24: traversing the abnormal traffic information stored in the target database according to the target storage structure, so as to search the target database for abnormal traffic information that matches the target abnormal traffic information.
In another implementation of this embodiment, the constructed Huffman tree is traversed in the order given by the Huffman code, to find the leaf node corresponding to the current anomaly (i.e. the target abnormal traffic information).
S25: if abnormal traffic information matching the target abnormal traffic information is found, obtaining a first matching result, which indicates that the match succeeded.
S26: if no abnormal traffic information matching the target abnormal traffic information is found, obtaining a second matching result, which indicates that the match failed, and then adding a new leaf node to the first Huffman tree, where the new leaf node corresponds to the target abnormal traffic information that was not matched.
S27: determining, from the matching result, the structure information to be adjusted in the storage structure of the first Huffman tree.
Specifically, this step has two cases:
If the matching result is the first matching result, the target weight is the structure information to be adjusted, where the target weight is the weight of the leaf node of the first Huffman tree that corresponds to the matched abnormal traffic information in the target database. That is, if the first Huffman tree already has a node for the anomaly (the target abnormal traffic information), the weight of that node is modified directly.
If the matching result is the second matching result, the structure information to be adjusted is the newly added leaf node and/or the weight of the newly added leaf node. That is, if the first Huffman tree has no node for the anomaly (the target abnormal traffic information), a new leaf node is added and given a fixed weight.
The leaf node weight may further be determined as follows: the weight of each leaf node in the first Huffman tree is determined from the occurrence time and/or the occurrence probability of the target abnormal traffic information. Network attacks are correlated, so an anomaly that occurs frequently has a high probability of recurring, and an anomaly that occurred recently also has an increased probability of recurring.
S28: adjusting the storage structure of the first Huffman tree on the basis of the target abnormal traffic information and the structure information to be adjusted, to obtain an adjusted first Huffman tree.
S29: adjusting the storage structure of the target database according to the storage structure of the adjusted first Huffman tree, to obtain the adjusted target database.
In another implementation of this embodiment, after a leaf node has been added (or a weight changed) it is checked whether the tree still satisfies the Huffman tree construction rule. If so, the tree needs no adjustment; if not, the tree structure is adjusted so that the storage structure of the adjusted target database again satisfies the Huffman construction rule.
The storage structure of the abnormal traffic information in the adjusted database determines the traversal order of the abnormal traffic information in the adjusted database.
S30: determining the traversal order of the abnormal traffic information stored in the adjusted target database according to the storage structure of the adjusted first Huffman tree.
Preferably, the traversal order of the adjusted target database is determined by regenerating the Huffman code table, which provides the order for the next lookup. The Huffman code table is of course generated from the storage structure of the adjusted first Huffman tree.
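The loop of steps S22 to S30 (build a Huffman tree with equal weights, traverse in code order, raise a matched leaf's weight or add a new leaf, rebuild only when the tree no longer satisfies the Huffman rule, regenerate the code table) is shown below as an added example; it is not the patent's or the assignee's code. The weight formula (hit count decayed by recency with a 50-lookup half-life), the fixed new-leaf weight of 1.0, the signature names, and the "still a valid Huffman tree" check (the current code table is kept only while its weighted code length equals that of a freshly built tree) are all assumptions; the patent only says that the weight is derived from occurrence time and/or probability and that the tree is adjusted when the construction rule is violated.

```python
"""Added example (not the patent's code): an anomaly-signature library kept
as a Huffman tree, reproducing the S22-S30 loop. Weights combine hit count
and recency; the half-life and the new-leaf weight are assumptions."""
import heapq
from itertools import count


class HuffmanSignatureStore:
    NEW_LEAF_WEIGHT = 1.0   # assumed fixed weight for an unmatched anomaly (S26/S27)
    HALF_LIFE = 50.0        # assumed: lookups after which an idle leaf's weight halves

    def __init__(self, signatures):
        self.clock = 0
        # S22: every known anomaly type starts with the same weight.
        self.hits = {s: 1.0 for s in signatures}
        self.last_seen = {s: 0 for s in signatures}
        self.codes = self._build_codes()   # S23: the code table is the scan order

    def weight(self, sig):
        """Leaf weight from occurrence count and occurrence time (S27)."""
        age = self.clock - self.last_seen[sig]
        return self.hits[sig] * 0.5 ** (age / self.HALF_LIFE)

    def _build_codes(self):
        """Build a Huffman tree over the current weights; return {sig: code}."""
        seq = count()                      # tie-breaker so nodes are never compared
        heap = [(self.weight(s), next(seq), s) for s in self.hits]
        heapq.heapify(heap)
        if len(heap) == 1:
            return {heap[0][2]: "0"}
        while len(heap) > 1:               # merge the two lightest subtrees
            w1, _, left = heapq.heappop(heap)
            w2, _, right = heapq.heappop(heap)
            heapq.heappush(heap, (w1 + w2, next(seq), (left, right)))
        codes = {}

        def walk(node, prefix):
            if isinstance(node, tuple):
                walk(node[0], prefix + "0")
                walk(node[1], prefix + "1")
            else:
                codes[node] = prefix
        walk(heap[0][2], "")
        return codes

    def scan_order(self):
        """S23/S30: a shorter code (heavier leaf) is traversed first."""
        return sorted(self.codes, key=lambda s: (len(self.codes[s]), self.codes[s]))

    def _weighted_length(self, codes):
        return sum(self.weight(s) * len(codes[s]) for s in codes)

    def lookup(self, observed):
        """S24-S29. Returns (matched, number of leaves compared)."""
        self.clock += 1
        steps, matched = 0, False
        for sig in self.scan_order():      # S24: traverse in code order
            steps += 1
            if sig == observed:
                matched = True             # S25: first matching result
                break
        if matched:
            self.hits[observed] += 1.0     # S27: adjust the matched leaf's weight
        else:
            self.hits[observed] = self.NEW_LEAF_WEIGHT   # S26: add a new leaf
        self.last_seen[observed] = self.clock
        # S28/S29: keep the old tree unless it no longer satisfies the Huffman
        # rule, i.e. a leaf is missing or a rebuilt tree would be cheaper.
        candidate = self._build_codes()
        if (set(self.codes) != set(self.hits) or
                self._weighted_length(self.codes)
                > self._weighted_length(candidate) + 1e-9):
            self.codes = candidate          # S30: regenerated code table
        return matched, steps


def is_prefix_free(codes):
    """Sanity check on a code table: no code is a prefix of another."""
    cs = list(codes.values())
    return all(not cs[j].startswith(cs[i])
               for i in range(len(cs)) for j in range(len(cs)) if i != j)


if __name__ == "__main__":
    store = HuffmanSignatureStore(
        ["port-scan", "modbus-write-flood", "dnp3-unsolicited", "arp-storm"])
    print(store.scan_order())
    for sig in ["arp-storm", "arp-storm", "repeated-access:10.0.0.5"]:
        print(sig, store.lookup(sig), store.scan_order())
```

The returned comparison count is the traversal length the patent wants to shorten: the first hit on "arp-storm" is found at the end of the four-entry scan, while the second is found in one step because its leaf now has the shortest code. Matching here is plain string equality on a signature name; a real library would compare whatever fields the signature carries, and the Huffman order only decides which candidates are compared first.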
In this embodiment, the target database automatically acquires abnormal traffic information, such as the malicious information intercepted on each occasion, and if that information is not yet in the target database, the controller of the industrial control system adds it to the target database after weighting, so that the target database becomes richer. Secondly, because the data structure is adjusted continuously, the entries that occurred recently and that occur with relatively high frequency are searched first, which greatly improves search efficiency.
Therefore, the method provided by this embodiment stores the data of the network abnormality library in a Huffman tree: each abnormal condition is a leaf node of the tree, each leaf node holds the abnormal condition and its corresponding weight, and the scanning order during matching is determined from the weights, which is how the matching speed is improved.
In the implementation of this embodiment, a Huffman tree is created in the target database, abnormal traffic information is continuously acquired from the industrial control equipment, and the leaf nodes of the Huffman tree are traversed according to that information. When a matching leaf node is found, its weight is changed; if no such leaf node exists, a node is added to the tree; it is then judged whether the Huffman tree structure is still correct and the storage structure is adjusted accordingly. By continuously adjusting the structure of the Huffman tree, the nodes that occur frequently and the nodes that occurred recently are continuously moved in the direction of increasing weight. They are therefore found first during traversal, and repeated traversal of abnormal conditions with a low probability of occurrence, or none for a long time, is avoided, so the matching speed and hence the scanning speed increase.
As shown in fig. 3, a Huffman tree is created from the existing information, and a Huffman table is then generated from that tree. When abnormal traffic is intercepted and acquired, the original database information is queried by traversing the existing Huffman tree in the order of the new Huffman table and matching the data. The weight of a leaf node is then changed, or a new leaf node is added, according to the query result: if the matching succeeds, the node weight is adjusted; if the matching fails, a leaf node is added. The tree structure is then adjusted as required, that is, whenever the structure needs adjustment it is adjusted and the Huffman table is regenerated for the next traversal. Over time the abnormality database grows continuously, while the search speed does not slow down with the growth of the database but improves. Thus, by continuously acquiring malicious traffic information and continuously adjusting the structural information of the tree, the weight of each leaf node changes as information keeps arriving, which is an idea of continuously and automatically optimizing the storage structure.
The method for storing abnormal traffic information based on the industrial control industry provided by this embodiment serves as a rapid matching method for abnormal traffic in an industrial control system: when the industrial system is attacked with abnormal data, the system matches the abnormal traffic against the original abnormality database and adjusts the original weight of the abnormal data according to the result of the abnormal traffic analysis. If the abnormality database does not contain such an abnormality, its weight is calculated with the corresponding algorithm, it is added to the abnormality database, and the data structure storing the abnormal traffic is adjusted at the same time. In this embodiment, a priority queue is mainly used to store the abnormal traffic information in the database, and it is automatically adjusted according to the frequency and time of the various abnormal traffic attacks.
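The matching, weight adjustment, leaf insertion, structure check and code-table regeneration described in steps S23 to S30 above, as an added example in Python that is not the patent's own code. The anomaly signatures, the recency-decay weighting and the structure test used here are assumptions made for the example.

```python
import heapq
import itertools
from dataclasses import dataclass

# Constructed sample "abnormal traffic information": one anomaly kind per
# leaf, keyed by a made-up signature string, with an initial weight.
SEED_ANOMALIES = {
    "modbus:fc=0x05:coil_write_from_unknown_host": 5.0,
    "s7comm:stop_plc_request": 2.0,
    "dnp3:unsolicited_burst": 1.0,
}


@dataclass
class Leaf:
    signature: str
    weight: float      # accumulated weight (frequency and recency)
    last_seen: float   # timestamp of the last observation


class HuffmanAnomalyStore:
    """Leaves are the stored anomaly kinds; the traversal order for matching is
    the Huffman code-table order (shortest code first), so heavy leaves are
    visited first. Weighting and the structure check are assumptions."""

    def __init__(self, anomalies, now=0.0, half_life=3600.0):
        self.now = now
        self.half_life = half_life            # assumed recency decay (seconds)
        self.leaves = {s: Leaf(s, w, now) for s, w in anomalies.items()}
        self.codes = {}
        self.rebuild()

    def effective(self, leaf):
        """Weight as seen now: older observations count for less (assumption)."""
        age = self.now - leaf.last_seen
        return leaf.weight * 0.5 ** (age / self.half_life)

    def rebuild(self):
        """Construct the Huffman tree from the leaf weights, then regenerate the
        code table that fixes the traversal order (steps S28 to S30)."""
        tie = itertools.count()
        heap = [(self.effective(lf), next(tie), lf.signature) for lf in self.leaves.values()]
        heapq.heapify(heap)
        if not heap:
            self.codes = {}
            return
        while len(heap) > 1:
            w1, _, a = heapq.heappop(heap)   # lighter subtree -> bit 0
            w2, _, b = heapq.heappop(heap)   # heavier subtree -> bit 1
            heapq.heappush(heap, (w1 + w2, next(tie), (a, b)))
        self.codes = {}
        self._assign(heap[0][2], "")

    def _assign(self, node, prefix):
        if isinstance(node, str):
            self.codes[node] = prefix or "0"  # single-leaf tree gets code "0"
        else:
            self._assign(node[0], prefix + "0")
            self._assign(node[1], prefix + "1")

    def traversal_order(self):
        """Shortest code first; ties broken by current weight, then by name."""
        return sorted(self.codes,
                      key=lambda s: (len(self.codes[s]), -self.effective(self.leaves[s]), s))

    def still_huffman(self):
        """Structure check after an update: every leaf must be in the code table
        and no heavier leaf may carry a longer code than a lighter one. This is
        a necessary condition for a Huffman tree, used here as the cheap test."""
        if set(self.codes) != set(self.leaves):
            return False
        ranked = sorted(self.leaves.values(), key=self.effective, reverse=True)
        lengths = [len(self.codes[lf.signature]) for lf in ranked]
        return all(a <= b for a, b in zip(lengths, lengths[1:]))

    def observe(self, target, now):
        """Steps S23 to S29 for one intercepted anomaly. Returns (matched, leaves
        visited) so the effect on the search length can be measured."""
        self.now = now
        visited = 0
        matched = False
        for sig in self.traversal_order():
            visited += 1
            if sig == target:          # exact match on the stored information
                matched = True
                break
        if matched:                    # first matching result: adjust the weight
            lf = self.leaves[target]
            lf.weight = self.effective(lf) + 1.0
            lf.last_seen = now
        else:                          # second matching result: add a new leaf
            self.leaves[target] = Leaf(target, 1.0, now)
        if not self.still_huffman():   # tree no longer valid -> adjust structure
            self.rebuild()
        return matched, visited
```

Repeated observations of the initially lightest signature move its leaf to a one-bit code, so it is visited first on the next traversal, while an unseen signature is added as a new leaf and lands at the end of the order.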
Example three:
the abnormal flow information storage device based on the industrial control industry provided by the embodiment of the invention is used as a network flow abnormal monitoring system based on the industrial control industry, is applied to a controller of an industrial control system, and as shown in fig. 4, the abnormal flow information storage device 3 based on the industrial control industry comprises: an acquisition module 31, a matching module 32 and an adjustment module 33.
As a preferred implementation manner of this embodiment, the acquisition module is configured to acquire target abnormal flow information of the industrial control device in the industrial control system.
Specifically, the matching module is configured to match the target abnormal traffic information by traversing the abnormal traffic information stored in the target database of the industrial control system, so as to obtain a matching result, where the matching result is used to indicate whether the target abnormal traffic information is matched in the target database.
Preferably, the adjusting module is configured to adjust a storage structure of the target database by combining the matching result and the target abnormal traffic information to obtain an adjusted target database, where the storage structure of the abnormal traffic information in the adjusted database is used to determine a traversal order of the abnormal traffic information in the adjusted database.
Example four:
as shown in fig. 5, the electronic device 4 includes a memory 41 and a processor 42, where the memory stores a computer program that can run on the processor, and the processor executes the computer program to implement the steps of the method provided in the first embodiment or the second embodiment.
Referring to fig. 5, the electronic device further includes: a bus 43 and a communication interface 44, the processor 42, the communication interface 44 and the memory 41 being connected by the bus 43; the processor 42 is for executing executable modules, such as computer programs, stored in the memory 41.
The Memory 41 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 44 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used.
The bus 43 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 5, but this does not indicate only one bus or one type of bus.
The memory 41 is used for storing a program, and the processor 42 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 42, or implemented by the processor 42.
The processor 42 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by instructions in the form of hardware, integrated logic circuits, or software in the processor 42. The processor 42 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in the memory 41, and the processor 42 reads the information in the memory 41 and performs the steps of the method in combination with its hardware.
Example five:
the computer-readable medium provided by the embodiment of the invention has a non-volatile program code executable by a processor, and the program code causes the processor to execute the method provided by the first embodiment or the second embodiment.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The computer-readable medium having the processor-executable nonvolatile program code provided in the embodiments of the present invention has the same technical features as the method, the apparatus, and the electronic device for storing abnormal traffic information based on the industrial control industry provided in the embodiments, so that the same technical problems can be solved, and the same technical effects can be achieved.
Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The computer program product for performing the method for storing abnormal traffic information based on the industrial control industry according to the embodiment of the present invention includes a computer-readable storage medium storing a nonvolatile program code executable by a processor, where instructions included in the program code may be used to execute the method described in the foregoing method embodiment, and specific implementation may refer to the method embodiment, and will not be described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (7)

1. An abnormal flow information storage method based on industrial control industry is applied to a controller of an industrial control system, and is characterized by comprising the following steps:
acquiring target abnormal flow information of industrial control equipment in the industrial control system;
matching the target abnormal traffic information by traversing the abnormal traffic information stored in a target database of the industrial control system to obtain a matching result, wherein the matching result is used for indicating whether the target abnormal traffic information is matched in the target database;
adjusting a storage structure of the target database by combining the matching result and the target abnormal traffic information to obtain an adjusted target database, wherein the storage structure of the abnormal traffic information in the adjusted database is used for determining a traversal sequence of the abnormal traffic information in the adjusted database;
wherein, before the step of matching the target abnormal traffic information by traversing the abnormal traffic information stored in the target database of the industrial control system to obtain a matching result, the method further comprises the following steps:
establishing a first Huffman tree according to the abnormal flow information stored in the target database, wherein each leaf node in the first Huffman tree corresponds to one type of abnormal flow information in the target database;
determining a target storage structure of abnormal flow information in the first Huffman tree as a storage structure of the target database;
wherein matching the target abnormal flow information by traversing the abnormal flow information stored in the target database of the industrial control system to obtain a matching result comprises the following steps:
traversing the abnormal traffic information stored in the target database according to the target storage structure so as to search the abnormal traffic information matched with the target abnormal traffic information in the target database in a traversing manner;
if the abnormal traffic information matched with the target abnormal traffic information is found, obtaining a first matching result, wherein the first matching result represents that the matching is successful;
and if the abnormal traffic information matched with the target abnormal traffic information is not found, obtaining a second matching result, and after the second matching result is obtained, newly adding a leaf node in the first Huffman tree, wherein the second matching result represents that the matching fails, and the newly added leaf node corresponds to the target abnormal traffic information which is not successfully matched.
2. The method for storing abnormal traffic information according to claim 1, wherein the step of adjusting a storage structure of the target database by combining the matching result and the target abnormal traffic information to obtain an adjusted target database comprises:
determining structural information to be adjusted of a storage structure of the first Huffman tree according to the matching result;
adjusting the storage structure of the first Huffman tree by combining the target abnormal flow information and the information of the structure to be adjusted to obtain an adjusted first Huffman tree;
and adjusting the storage structure of the target database according to the adjusted storage structure of the first Huffman tree to obtain the adjusted target database.
3. The method according to claim 2, wherein determining the structure information to be adjusted for the storage structure of the first huffman tree according to the matching result comprises:
if the matching result is a first matching result, determining a target weight as the structural information to be adjusted, wherein the target weight is the weight of a leaf node corresponding to the abnormal traffic information matched with the target abnormal traffic information in the first Huffman tree in the target database;
if the matching result is a second matching result, determining the structural information to be adjusted as the newly added leaf node and/or the weight corresponding to the newly added leaf node.
4. The method according to claim 3, wherein the determining the structural information to be adjusted for the storage structure of the first huffman tree according to the matching result further comprises:
determining the weight of each leaf node in the first Huffman tree according to the traffic occurrence time and/or the traffic occurrence probability of the target abnormal traffic information.
5. The abnormal traffic information storage method according to claim 2, further comprising:
determining the traversal order of the abnormal flow information stored in the adjusted target database according to the adjusted storage structure of the first Huffman tree.
6. An electronic device comprising a memory and a processor, wherein the memory stores a computer program operable on the processor, and wherein the processor implements the steps of the method of any of claims 1 to 5 when executing the computer program.
7. A computer-readable medium having non-volatile program code executable by a processor, wherein the program code causes the processor to perform the method of any of claims 1 to 5.
CN201811128424.0A 2018-09-26 2018-09-26 Industrial control industry-based abnormal flow information storage method and device and electronic equipment Active CN109361658B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811128424.0A CN109361658B (en) 2018-09-26 2018-09-26 Industrial control industry-based abnormal flow information storage method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN109361658A CN109361658A (en) 2019-02-19
CN109361658B true CN109361658B (en) 2021-04-23

Family

ID=65347829

Country Status (1)

Country Link
CN (1) CN109361658B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111111202B (en) * 2019-12-26 2023-08-29 北京像素软件科技股份有限公司 Game AI behavior logic control method and system
CN113534731B (en) * 2021-07-16 2022-03-11 珠海市鸿瑞信息技术股份有限公司 Download data security analysis system and method based on industrial control

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101727499A (en) * 2010-01-07 2010-06-09 广东国笔科技股份有限公司 Method and system for storage word library, and method and system for searching words
CN103581363A (en) * 2013-11-29 2014-02-12 杜跃进 Method and device for controlling baleful domain name and illegal access
WO2017115272A1 (en) * 2015-12-28 2017-07-06 Sixgill Ltd. Dark web monitoring, analysis and alert system and method
CN107454097A (en) * 2017-08-24 2017-12-08 深圳中兴网信科技有限公司 The detection method of abnormal access, system, computer equipment, readable storage medium storing program for executing
CN107733921A (en) * 2017-11-14 2018-02-23 深圳中兴网信科技有限公司 Network flow abnormal detecting method, device, computer equipment and storage medium
CN108173708A (en) * 2017-12-18 2018-06-15 北京天融信网络安全技术有限公司 Anomalous traffic detection method, device and storage medium based on incremental learning
CN108200030A (en) * 2017-12-27 2018-06-22 深信服科技股份有限公司 Detection method, system, device and the computer readable storage medium of malicious traffic stream

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101034411B (en) * 2007-04-09 2016-05-11 招商银行股份有限公司 A kind of computer data processing system and processing method and application

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Anomalous traffic detection based on machine learning; Jiang Haidong; China Masters' Theses Full-text Database; 20150531; 4-27 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 188, Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province, 310000

Applicant after: Hangzhou Anheng Information Technology Co.,Ltd.

Address before: 310000 15-storey Zhejiang Zhongcai Building, No. 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Applicant before: Hangzhou Anheng Information Technology Co.,Ltd.

GR01 Patent grant