CN113721569A - Attack intrusion detection device and method for distributed control system - Google Patents


Info

Publication number
CN113721569A
Authority
CN
China
Prior art keywords
attack
module
confidence
control system
data
Prior art date
Legal status
Pending
Application number
CN202110980608.5A
Other languages
Chinese (zh)
Inventor
钱虹
张栋良
张俊
张超凡
Current Assignee
Shanghai University of Electric Power
Original Assignee
Shanghai University of Electric Power

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/4184 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by fault tolerance, reliability of production system
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/31 From computer integrated manufacturing till monitoring
    • G05B2219/31088 Network communication between supervisor and cell, machine group
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention relates to a device and a method for detecting attack intrusion in a distributed control system. The device comprises a data processing module connected to the network router of the distributed control system; the data processing module is connected to a database module, and the database module is bidirectionally connected to an attack intrusion detection module. The data processing module acquires communication link data from the network router of the distributed control system and extracts attack symptom characteristic data from it; the attack intrusion detection module analyzes the attack symptom characteristic data according to a set attack intrusion confidence rule base to obtain an attack detection result; and the database module receives and stores the attack symptom characteristic data and the attack detection result. Compared with the prior art, the invention can reliably detect and give early warning of attack intrusions in real time by establishing an attack intrusion confidence rule base that maps one-to-one onto the different attack intrusion types, thereby ensuring detection efficiency and accuracy and effectively improving the operational security of the distributed control system.

Description

Attack intrusion detection device and method for distributed control system
Technical Field
The invention relates to the technical field of industrial control system security monitoring, in particular to a device and a method for detecting attack intrusion of a distributed control system.
Background
A distributed control system is a new generation of instrument control system based on microprocessors and built on the design principles of distributed control functions, centralized display and operation, and a balance between autonomy and comprehensive coordination. The distributed control system, DCS for short, adopts the basic design idea of distributed control with centralized operation and management, uses a multi-layer hierarchical, cooperative and autonomous structure, and is mainly characterized by centralized management and distributed control. DCSs are now widely used in industries such as electric power, metallurgy and petrochemicals.
As distributed control systems gradually adopt open and general-purpose protocols, the network security threats and risks they face keep increasing; and because a distributed control system directly controls the field devices, an attack intrusion not only causes huge economic loss but can also endanger personal safety and the environment. Intrusion detection is one of the most important security measures in a distributed control system: it can detect both known and unknown attacks and improves the ability to identify attacks and give early warning. However, because a distributed control system has real-time requirements and limited device resources, existing intrusion detection is inefficient and its false alarm rate is high.
Disclosure of Invention
The present invention aims to overcome the defects of the prior art and provide a device and a method for detecting attack intrusion of a distributed control system, so as to improve the detection efficiency and accuracy of the attack intrusion.
The purpose of the invention can be realized by the following technical scheme: a distributed control system attack intrusion detection device comprises a data processing module connected with a distributed control system network router, wherein the data processing module is connected to a database module, the database module is connected with an attack intrusion detection module in a bidirectional mode, the data processing module acquires communication link data from the distributed control system network router and extracts attack symptom characteristic data from the communication link data;
the attack intrusion detection module is used for analyzing the attack symptom characteristic data according to a set attack intrusion confidence rule base to obtain an attack detection result;
and the database module is used for receiving and storing the attack symptom characteristic data output by the data processing module and receiving and storing the attack detection result output by the attack intrusion detection module.
Further, the data processing module comprises a Python packet capturing sub-module and a data analysis sub-module connected in sequence, wherein the Python packet capturing sub-module is used for acquiring communication link data from the network router of the distributed control system and, together with the data analysis sub-module, extracting attack symptom characteristic data from the communication link data.
Furthermore, the attack intrusion detection module comprises an ARP attack detection unit, a DOS attack detection unit, an SSH password blasting attack detection unit, a man-in-the-middle attack detection unit and a malicious modification set value attack detection unit, so as to respectively carry out corresponding attack intrusion detection according to a set attack intrusion confidence rule base and obtain corresponding attack detection results.
Further, the database module is specifically a Mysql database.
Furthermore, the attack intrusion detection module is connected with a display module, and the display module is used for displaying the attack detection result to the user.
Further, the display module is provided with a QT5 display interface.
A distributed control system attack intrusion detection method comprises the following steps:
S1, according to the set data monitoring time period, the data processing module acquires communication link data from the network router of the distributed control system and extracts attack symptom characteristic data from the acquired communication link data;
S2, the data processing module transmits the attack symptom characteristic data to the database module for storage;
and S3, according to the set detection start time period, the attack intrusion detection module acquires the attack symptom characteristic data from the database module, and analyzes the attack symptom characteristic data according to the set attack intrusion confidence rule base to obtain a corresponding attack detection result.
Furthermore, the attack intrusion confidence rule base is provided with detection rules, confidence degrees, semantic threshold values and limit values corresponding to five attack intrusion types, wherein the five attack intrusion types comprise ARP attacks, DOS attacks, SSH password blasting attacks, man-in-the-middle attacks and malicious modification set value attacks.
Further, the step S3 specifically includes the following steps:
S31, according to the set detection start time period, the attack intrusion detection module obtains the attack symptom characteristic data from the database module;
S32, the attack intrusion detection module compares the attack symptom characteristic data with the thresholds and limits of the five attack intrusion types respectively, and calculates the current evidence confidence corresponding to each of the five attack intrusion types by linear interpolation;
S33, the establishment confidences corresponding to the five attack intrusion types are calculated by combining the current evidence confidence with the set corresponding precondition confidence and the set corresponding conclusion confidence;
and S34, it is judged whether the establishment confidence lies within the set corresponding range; if so, an attack intrusion is currently occurring, otherwise it is not.
Further, the calculation formula of the establishment confidence in step S33 is:
$$a=\left[1-\max\{0,\delta_1-\delta'_1\}\right]\times\left[1-\max\{0,\delta_2-\delta'_2\}\right]\times\cdots\times\left[1-\max\{0,\delta_N-\delta'_N\}\right]\times\beta$$
wherein a is the establishment confidence of a certain attack intrusion type; $\delta'_1$ is the current evidence confidence value of the first symptom feature involved in the corresponding attack intrusion detection rule, and $\delta_1$ is the precondition confidence value given to that first symptom feature, and so on; $\delta'_N$ is the current evidence confidence value of the N-th symptom feature (operating data) involved in the rule, and $\delta_N$ is the precondition confidence value given to it; N is the total number of symptom features involved in the corresponding attack intrusion detection rule; and $\beta$ is the conclusion confidence value in the corresponding attack intrusion detection rule.
Compared with the prior art, the invention has the following advantages:
Firstly, for a distributed control system, a data processing module connected to the network router of the distributed control system is provided, the data processing module is connected to a database module, and the database module is bidirectionally connected to an attack intrusion detection module. The data processing module is thus used to acquire communication link data from the network router of the distributed control system and to extract attack symptom characteristic data from it, and the attack intrusion detection module analyzes the attack symptom characteristic data according to a set attack intrusion confidence rule base to obtain an attack detection result, so that attack intrusion can be detected reliably and efficiently in real time.
Secondly, the invention fully considers different attack intrusion types and, based on their attack intrusion characteristics, establishes a one-to-one mapping between attack intrusion types and attack intrusion characteristics, so that an attack intrusion confidence rule base is preset in the attack intrusion detection module. Attack intrusion detection is then run at regular intervals, according to the requirements of the industrial control network, using the set network attack intrusion confidence rule base, and finally the attack intrusion type is obtained, which ensures detection accuracy and reduces the false alarm rate and the missed alarm rate.
Thirdly, detection rules, confidence degrees, semantic thresholds and limit values corresponding to the different attack intrusion types are set in the attack intrusion confidence rule base. In the subsequent detection process, the current evidence confidence is obtained by comparison against the threshold and limit values, then combined with the precondition confidence and the conclusion confidence of the detection rule to calculate the establishment confidence corresponding to the attack intrusion type, and finally it is judged whether the establishment confidence lies within the corresponding range, which yields the detection result of whether an attack intrusion has occurred.
Drawings
FIG. 1 is a schematic diagram of the apparatus of the present invention;
FIG. 2 is a schematic flow diagram of the process of the present invention;
FIG. 3 is a schematic diagram of the working principle of the embodiment;
Reference numerals in the figures: 1, data processing module; 2, database module; 3, attack intrusion detection module; 4, display module.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments.
Examples
As shown in fig. 1, a distributed control system attack intrusion detection device includes a data processing module 1 connected to a network router of a distributed control system, the data processing module 1 is connected to a database module 2, the database module 2 is bidirectionally connected to an attack intrusion detection module 3, the data processing module 1 acquires communication link data from the network router of the distributed control system, and extracts attack symptom feature data from the communication link data;
the attack intrusion detection module 3 is used for analyzing the attack symptom characteristic data according to a set attack intrusion confidence rule base to obtain an attack detection result;
the database module 2 is used for receiving and storing the attack symptom characteristic data output by the data processing module 1 and receiving and storing the attack detection result output by the attack intrusion detection module 3;
in practical application, the attack intrusion detection module 3 is connected with a display module 4, and the display module 4 is used for displaying an attack detection result to a user.
The data processing module 1 comprises a Python packet capturing submodule 11 and a data analysis submodule 12 connected in sequence, wherein the Python packet capturing submodule 11 is used for acquiring communication link data from the network router of the distributed control system and, together with the data analysis submodule 12, extracting attack symptom characteristic data from the communication link data;
the attack intrusion detection module 3 includes an ARP attack detection unit 31, a DOS attack detection unit 32, an SSH password blasting attack detection unit 33, a man-in-the-middle attack detection unit 34, and a malicious modification set value attack detection unit 35, so as to respectively perform corresponding attack intrusion detection according to a set attack intrusion confidence rule base, and obtain corresponding attack detection results.
The device is applied to realize the attack intrusion detection method of the distributed control system, and as shown in fig. 2, the method comprises the following steps:
S1, according to the set data monitoring time period, the data processing module acquires communication link data from the network router of the distributed control system and extracts attack symptom characteristic data from the acquired communication link data;
S2, the data processing module transmits the attack symptom characteristic data to the database module for storage;
and S3, according to the set detection start time period, the attack intrusion detection module acquires the attack symptom characteristic data from the database module, and analyzes the attack symptom characteristic data according to the set attack intrusion confidence rule base to obtain a corresponding attack detection result, wherein the attack intrusion confidence rule base is provided with detection rules, confidence degrees, semantic thresholds and limit values corresponding to five attack intrusion types, and the five attack intrusion types comprise ARP attacks, DOS attacks, SSH password blasting attacks, man-in-the-middle attacks and malicious modification set value attacks.
Step S3 mainly includes the following processes:
S31, according to the set detection start time period, the attack intrusion detection module obtains the attack symptom characteristic data from the database module;
S32, the attack intrusion detection module compares the attack symptom characteristic data with the thresholds and limits of the five attack intrusion types respectively, and calculates the current evidence confidence corresponding to each of the five attack intrusion types by linear interpolation;
S33, the establishment confidences corresponding to the five attack intrusion types are calculated from the current evidence confidence, the set corresponding precondition confidence and the set corresponding conclusion confidence:
$$a=\left[1-\max\{0,\delta_1-\delta'_1\}\right]\times\left[1-\max\{0,\delta_2-\delta'_2\}\right]\times\cdots\times\left[1-\max\{0,\delta_N-\delta'_N\}\right]\times\beta$$
wherein a is the establishment confidence of a certain attack intrusion type; $\delta'_1$ is the current evidence confidence value of the first symptom feature involved in the corresponding attack intrusion detection rule, and $\delta_1$ is the precondition confidence value given to that first symptom feature, and so on; $\delta'_N$ is the current evidence confidence value of the N-th symptom feature (operating data) involved in the rule, and $\delta_N$ is the precondition confidence value given to it; N is the total number of symptom features involved in the corresponding attack intrusion detection rule; and $\beta$ is the conclusion confidence value in the corresponding attack intrusion detection rule;
and S34, it is judged whether the establishment confidence lies within the set corresponding range; if so, an attack intrusion is currently occurring, otherwise it is not.
In this embodiment, as shown in fig. 3, the Windows 10 operating system is used as the platform, Python as the detection program development tool, and a Mysql database as the real-time database for storing the data. The detection rules (rules, thresholds and limit values) are written into the Python detection program; the Python packet capturing module computes the data features on the communication link and stores them in the database in real time; the attack intrusion detection program is started periodically (every 1 s); if symptom features are present, the corresponding detection rules are entered directly for judgment; the detection results are stored in the database in real time and, if a result is true, displayed in the detection interface (QT5 display interface).
The specific process of this embodiment is as follows:
First, real-time monitoring of the distributed control system is started periodically (every 1 s): the data sent and received on the communication link of the distributed control system are monitored, the information in the data is extracted, the symptom features of the data on the communication link are analyzed, the attack intrusion detection rule base is started periodically (every 1 s), and the second step is executed;
Second, attack intrusion detection is carried out according to the set attack intrusion confidence rule base; the five attack intrusion types are, in order: ARP attack, DOS attack, SSH password blasting attack, malicious set value tampering attack and man-in-the-middle attack.
The attack intrusion confidence rule base comprises detection rules, confidence degrees, semantic thresholds and limit values corresponding to the five attack intrusion types:
(1) ARP attack detection (detection period 1 s):
i) ARP attack detection rule: if the number of detected packets not matching the system ARP table, $\mathrm{counts}_{\mathrm{mismatch}}$ (where $\mathrm{counts}_{\mathrm{mismatch}}=[\mathrm{address}_{\mathrm{ARP}}\neq\mathrm{address}_{\mathrm{detected}}]$), increases with confidence 0.8, and the number of ARP table changes in the system, $n_{\mathrm{ARPchange}}$, is detected with confidence 0.8, then the confidence that an ARP attack has occurred is 0.95;
ii) semantic thresholds and limits:
(a) increase in the number of detected packets not matching the system ARP table, $\mathrm{counts}_{\mathrm{mismatch}}$: threshold 1, upper limit 3;
(b) number of times the ARP table in the system is modified illegitimately, $n_{\mathrm{ARPchange}}$: threshold 0, upper limit 1;
(2) DOS attack detection (detection period 1 s):
i) DOS attack detection rule:
if the data transmission traffic rate of the network card, $V_{\mathrm{netcard}}$, increases with confidence 0.8, the data transmission traffic rate of the whole network, $V_{\mathrm{net}}$, increases with confidence 0.8, and the DPU load rate, $P_{\mathrm{load}}$, increases with confidence 0.7, then the confidence of a DOS attack is 0.95;
ii) semantic thresholds and limits:
(a) increase in the data transmission traffic rate of the network card, $V_{\mathrm{netcard}}$: threshold 1000 byte/s, upper limit 10000 byte/s;
(b) increase in the data transmission traffic rate of the network, $V_{\mathrm{net}}$: threshold 10000 byte/s, upper limit 50000 byte/s;
(c) increase in the DPU load rate, $P_{\mathrm{load}}$: threshold 10%, upper limit 90%;
(3) SSH password blasting attack detection (detection period 1 s):
i) SSH password blasting attack detection rule:
if the number of failed logins through the login port, $n_{\mathrm{fail}}$, increases with confidence 0.7, and the number of uses of the login port every five seconds, $n_{\mathrm{use}}$, increases with confidence 0.8, then the confidence of an SSH password blasting attack is 0.95;
ii) semantic thresholds and limits:
(a) increase in the number of failed logins through the login port, $n_{\mathrm{fail}}$: threshold 3, upper limit 5;
(b) increase in the number of login attempts every five seconds, $n_{\mathrm{use}}$: threshold 10, upper limit 30;
(4) man-in-the-middle attack detection (detection period 1 s):
i) man-in-the-middle attack detection rule:
if the number of detected ARP attacks, $N_{\mathrm{ARPattack}}$, increases with confidence 0.7, the number of different ARP attack types detected, $n_{\mathrm{ARPtype}}$, increases with confidence 0.8, and the number of ARP table changes in the system, $n_{\mathrm{ARPchange}}$, is detected with confidence 0.8, then the confidence of a man-in-the-middle attack is 0.95;
ii) semantic thresholds and limits:
(a) increase in the number of detected ARP attacks, $N_{\mathrm{ARPattack}}$: threshold 1, upper limit 3;
(b) increase in the number of different ARP attack types detected, $n_{\mathrm{ARPtype}}$: threshold 2, upper limit 10;
(c) number of detected ARP table changes in the system, $n_{\mathrm{ARPchange}}$: threshold 0, upper limit 1;
(5) malicious set value modification attack detection:
i) malicious set value modification attack detection rule:
if the number of set value modifications per minute, $n_{\mathrm{SETchange}}$, increases with confidence 0.7, the number of set value modifications while the system runs under a stable working condition, $n_{\mathrm{Conditionchange}}$, increases with confidence 0.9, and the number of set value modifications outside the safe operating set value interval, $n_{\mathrm{danger}}$, is detected with confidence 0.9, then the confidence of a malicious set value modification attack is 1;
ii) semantic thresholds and limits:
a) increase in the number of set value modifications within 1 minute, $n_{\mathrm{SETchange}}$: threshold 1, upper limit 5;
b) increase in the number of set value modifications while the system runs under a stable working condition, $n_{\mathrm{Conditionchange}}$: threshold 1, upper limit 5;
c) number of set value modifications outside the safe operating set value interval, $n_{\mathrm{danger}}$: threshold 1, upper limit 2.
According to the attack intrusion confidence rule base, when attack intrusion detection is carried out, the real-time data on the distributed control system network are first monitored in real time; the abnormal features found in the monitored data are compared with the thresholds and limits of the operating features involved in the corresponding attack intrusion detection rule, the confidence corresponding to the limit is set to 1 and the confidence corresponding to the threshold to 0.5, and the confidence $\delta'$ of each feature involved in the attack intrusion detection rule is obtained by linear interpolation;
then, the corresponding attack intrusion rule base is consulted and the establishment confidence of the attack intrusion is computed:
$$a=\left[1-\max\{0,\delta_1-\delta'_1\}\right]\times\left[1-\max\{0,\delta_2-\delta'_2\}\right]\times\cdots\times\left[1-\max\{0,\delta_N-\delta'_N\}\right]\times\beta$$
wherein $\delta'_1$ is the current evidence confidence value, obtained in the previous step, of the first symptom feature involved in the corresponding attack intrusion detection rule, and $\delta_1$ is the precondition confidence value given to that first symptom feature in the rule, and so on; $\delta'_N$ is the current evidence confidence value obtained for the N-th symptom feature (operating data) involved in the rule, and $\delta_N$ is the precondition confidence value given to it; N is the total number of symptom features involved in the corresponding attack intrusion detection rule; and $\beta$ is the conclusion confidence value in the corresponding attack intrusion detection rule;
finally, it is judged whether the establishment confidence a of the attack intrusion lies within the confidence range corresponding to the establishment of that attack intrusion; if so, the detection result is that the attack intrusion is established.
For example, when detecting a DOS attack, the data transmission traffic rate of the network card in the communication link, $V_{\mathrm{netcard}}$, the data transmission traffic rate of the network, $V_{\mathrm{net}}$, and the DPU load rate, $P_{\mathrm{load}}$, are monitored. These three real-time data features are compared with the thresholds and limits given for the three quantities in the DOS attack intrusion detection rule to calculate $\delta'_1$, $\delta'_2$ and $\delta'_3$ respectively, where $\delta'_1$ is the current evidence confidence value of the network card transmission traffic rate, $\delta'_2$ that of the network transmission traffic rate and $\delta'_3$ that of the DPU load rate. Then the establishment confidence of the DOS attack detection is computed: in the calculation, $\delta_1$, the precondition confidence value of the network card transmission traffic rate in the DOS attack detection rule, is 0.8, and likewise $\delta_2$ is 0.8 and $\delta_3$ is 0.7, while $\beta$, the conclusion confidence value in the DOS attack detection rule, is 0.95. The establishment confidence a of the DOS attack detection is obtained by the above formula, and it is judged whether a satisfies the set confidence range corresponding to the establishment of DOS attack detection; if so, a DOS attack warning is issued in the system.
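The evaluation described in steps S32 to S34 and in the DOS walk-through above, as an added Python example (Python being the development tool the embodiment names; this is not the patent's own program): the five rules with their thresholds, upper limits, precondition confidences and conclusion confidences are transcribed from the text, while the alarm range for a, the scoring of a feature below its threshold as 0, and the sample observations are assumptions.

```python
"""Evaluation of the attack-intrusion confidence rule base (steps S32-S34).

Added example, not the patent's program. The five rules with their thresholds,
upper limits, precondition confidences (delta_i) and conclusion confidences
(beta) are transcribed from the text; the alarm range for a, the scoring of a
feature below its threshold as 0, and the sample observations are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

THRESHOLD_CONF = 0.5   # evidence confidence assigned at the semantic threshold
LIMIT_CONF = 1.0       # evidence confidence assigned at the upper limit


@dataclass(frozen=True)
class Feature:
    name: str
    threshold: float      # semantic threshold of the symptom feature
    limit: float          # upper limit value of the symptom feature
    precondition: float   # delta_i: precondition confidence given by the rule


@dataclass(frozen=True)
class Rule:
    attack: str
    features: Tuple[Feature, ...]
    conclusion: float     # beta: conclusion confidence of the rule


# Rates in byte/s, the DPU load rate as a fraction, counts per detection period.
RULE_BASE = (
    Rule("ARP attack",
         (Feature("counts_mismatch", 1, 3, 0.8),
          Feature("n_ARPchange", 0, 1, 0.8)), 0.95),
    Rule("DOS attack",
         (Feature("V_netcard", 1000, 10000, 0.8),
          Feature("V_net", 10000, 50000, 0.8),
          Feature("P_load", 0.10, 0.90, 0.7)), 0.95),
    Rule("SSH password blasting attack",
         (Feature("n_fail", 3, 5, 0.7),
          Feature("n_use", 10, 30, 0.8)), 0.95),
    Rule("man-in-the-middle attack",
         (Feature("N_ARPattack", 1, 3, 0.7),
          Feature("n_ARPtype", 2, 10, 0.8),
          Feature("n_ARPchange", 0, 1, 0.8)), 0.95),
    Rule("malicious set value modification attack",
         (Feature("n_SETchange", 1, 5, 0.7),
          Feature("n_Conditionchange", 1, 5, 0.9),
          Feature("n_danger", 1, 2, 0.9)), 1.0),
)

# Assumed: the text only says a must fall in "the set corresponding range".
ALARM_RANGE = (0.8, 1.0)


def evidence_confidence(value: float, threshold: float, limit: float) -> float:
    """delta'_i for one feature: linear interpolation between the threshold
    (confidence 0.5) and the upper limit (confidence 1.0), clamped to 1.0 at or
    above the limit. Below the threshold the symptom has not appeared, which
    this example scores as 0.0 (assumption)."""
    if value < threshold:
        return 0.0
    if value >= limit:
        return LIMIT_CONF
    frac = (value - threshold) / (limit - threshold)
    return THRESHOLD_CONF + frac * (LIMIT_CONF - THRESHOLD_CONF)


def establishment_confidence(rule: Rule, observed: Dict[str, float]) -> float:
    """a = [1 - max{0, delta_1 - delta'_1}] x ... x [1 - max{0, delta_N - delta'_N}] x beta
    (step S33). A feature absent from the observation is treated as value 0."""
    a = rule.conclusion
    for f in rule.features:
        d_prime = evidence_confidence(observed.get(f.name, 0.0), f.threshold, f.limit)
        a *= 1.0 - max(0.0, f.precondition - d_prime)
    return a


def detect(observed: Dict[str, float]) -> Dict[str, Tuple[float, bool]]:
    """Step S34 for every rule: maps attack type -> (a, alarm), where alarm is
    True when a lies inside ALARM_RANGE."""
    lo, hi = ALARM_RANGE
    results = {}
    for rule in RULE_BASE:
        a = establishment_confidence(rule, observed)
        results[rule.attack] = (a, lo <= a <= hi)
    return results


if __name__ == "__main__":
    # Constructed one-second observation resembling the DOS example in the text:
    # netcard rate halfway between threshold and limit, network rate at its limit,
    # DPU load halfway between 10% and 90%.
    sample = {"V_netcard": 5500, "V_net": 50000, "P_load": 0.5}
    for attack, (a, alarm) in detect(sample).items():
        print(f"{attack:45s} a={a:.4f} alarm={alarm}")
```

With the sample observation the DOS rule yields a = 0.95 × 0.95 × 1 × 1 ≈ 0.9025 and fires, while the same quantities all below their thresholds give a ≈ 0.0114 and no alarm.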

Claims (10)

1. The device for detecting the attack intrusion of the distributed control system is characterized by comprising a data processing module (1) connected with a network router of the distributed control system, wherein the data processing module (1) is connected to a database module (2), the database module (2) is in bidirectional connection with an attack intrusion detection module (3), the data processing module (1) acquires communication link data from the network router of the distributed control system and extracts attack symptom characteristic data from the communication link data;
the attack intrusion detection module (3) is used for analyzing the attack symptom characteristic data according to a set attack intrusion confidence rule base to obtain an attack detection result;
the database module (2) is used for receiving and storing the attack symptom characteristic data output by the data processing module (1) and receiving and storing the attack detection result output by the attack intrusion detection module (3).
2. The distributed control system attack intrusion detection device according to claim 1, wherein the data processing module (1) includes a Python packet capturing sub-module (11) and a data analysis sub-module (12) connected in sequence, and the Python packet capturing sub-module (11) is configured to obtain communication link data from a network router of the distributed control system and, in combination with the data analysis sub-module (12), extract attack symptom feature data from the communication link data.
3. The distributed control system attack intrusion detection device according to claim 1, wherein the attack intrusion detection module (3) includes an ARP attack detection unit (31), a DOS attack detection unit (32), an SSH password blasting attack detection unit (33), a man-in-the-middle attack detection unit (34), and a malicious modification setting value attack detection unit (35) to perform corresponding attack intrusion detection respectively according to a set attack intrusion confidence rule base and obtain corresponding attack detection results.
4. The distributed control system attack intrusion detection device according to any one of claims 1 to 3, characterized in that the database module (2) is specifically a MySQL database.
5. The distributed control system attack intrusion detection device according to claim 1, wherein the attack intrusion detection module (3) is connected to a display module (4), and the display module (4) is configured to display the attack detection result to a user.
6. The distributed control system attack intrusion detection device according to claim 5, wherein the display module (4) is provided with a QT5 display interface.
7. A distributed control system attack intrusion detection method using the distributed control system attack intrusion detection device according to claim 1, comprising the steps of:
S1, according to the set data monitoring time period, the data processing module acquires communication link data from the network router of the distributed control system and extracts attack symptom characteristic data from the acquired communication link data;
S2, the data processing module transmits the attack symptom characteristic data to the database module for storage;
S3, according to the set detection start time period, the attack intrusion detection module acquires the attack symptom characteristic data from the database module and analyzes the attack symptom characteristic data according to the set attack intrusion confidence rule base to obtain a corresponding attack detection result.
8. The distributed control system attack intrusion detection method according to claim 7, wherein the attack intrusion confidence rule base is provided with detection rules, confidence degrees, semantic thresholds and limits corresponding to five attack intrusion types, the five attack intrusion types including ARP attack, DOS attack, SSH password blasting attack, man-in-the-middle attack, and malicious modification setting value attack.
9. The distributed control system attack intrusion detection method according to claim 8, wherein step S3 specifically includes the following steps:
S31, according to the set detection start time period, the attack intrusion detection module obtains the attack symptom characteristic data from the database module;
S32, the attack intrusion detection module compares the attack symptom characteristic data with the thresholds and limits of the five attack intrusion types respectively, and calculates the current evidence confidence corresponding to each of the five attack intrusion types by linear interpolation;
S33, the establishment confidence corresponding to each of the five attack intrusion types is calculated by combining the current evidence confidence, the set corresponding precondition confidence and the set corresponding conclusion confidence;
S34, it is judged whether the establishment confidence lies within the set corresponding threshold range; if so, an attack intrusion is currently occurring, otherwise no attack intrusion is currently occurring.
10. The distributed control system attack intrusion detection method according to claim 9, wherein the establishment confidence is calculated in step S33 as:
a = [1 − max{0, δ1 − δ′1}] × [1 − max{0, δ2 − δ′2}] × … × [1 − max{0, δN − δ′N}] × β
wherein a is the establishment confidence of a certain attack intrusion type; δ′1 is the current evidence confidence value of the first symptom feature involved in the corresponding attack intrusion detection rule; δ1 is the precondition confidence value given to the first symptom feature involved in the corresponding attack intrusion detection rule, and so on; δ′N is the current evidence confidence value of the Nth symptom feature (operation data) involved in the corresponding attack intrusion detection rule; δN is the precondition confidence value given to the Nth symptom feature (operation data) involved in the corresponding attack intrusion detection rule; N is the total number of symptom features involved in the corresponding attack intrusion detection rule; and β is the conclusion confidence value in the corresponding attack intrusion detection rule.
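The following Python is an added worked example of the two computations described above (the linear-interpolation evidence confidence of step S32 and the product formula of claim 10), illustrated with the DOS rule values from the description (δ1 = δ2 = 0.8, δ3 = 0.7, β = 0.95). It is not code from the patent or its applicant. The threshold and limit values, the interpretation of "linear interpolation" as a 0-to-1 ramp between threshold and limit, the alarm range as a lower bound, and all observed readings are assumptions constructed for illustration.

```python
"""Belief-rule confidence for the DCS attack intrusion detection method.

Added example, not the patent's own code.  Step S32 (linear interpolation
of the current evidence confidence) and claim 10 (product formula for the
establishment confidence) are implemented; threshold/limit values, the
0-to-1 ramp and the alarm lower bound are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SymptomRule:
    """One symptom feature of a detection rule, with its thresholds."""
    name: str
    threshold: float      # at or below this, the feature gives no evidence
    limit: float          # at or above this, the feature gives full evidence
    precondition: float   # delta_i, the precondition confidence in the rule


def evidence_confidence(value: float, threshold: float, limit: float) -> float:
    """Current evidence confidence delta'_i by linear interpolation.

    Assumed ramp: 0 at/below the threshold, 1 at/above the limit, linear in
    between (the patent names linear interpolation; the endpoints are assumed).
    """
    if limit <= threshold:
        raise ValueError("limit must exceed threshold")
    if value <= threshold:
        return 0.0
    if value >= limit:
        return 1.0
    return (value - threshold) / (limit - threshold)


def rule_confidence(evidence: list[float], preconditions: list[float], beta: float) -> float:
    """Claim 10: a = prod_i [1 - max(0, delta_i - delta'_i)] * beta.

    A feature whose evidence falls short of its precondition confidence
    reduces a by the shortfall; evidence at or above it leaves a unchanged.
    """
    if len(evidence) != len(preconditions):
        raise ValueError("one precondition confidence per evidence value")
    a = beta
    for d_prime, d in zip(evidence, preconditions):
        a *= 1.0 - max(0.0, d - d_prime)
    return a


# Constructed DOS rule mirroring the description's confidence values
# (delta_1 = delta_2 = 0.8, delta_3 = 0.7, beta = 0.95).  Thresholds and
# limits (e.g. Mbit/s for flow rates, fraction for DPU load) are assumptions.
DOS_RULE = [
    SymptomRule("V_netcard", threshold=50.0, limit=100.0, precondition=0.8),
    SymptomRule("V_net", threshold=200.0, limit=400.0, precondition=0.8),
    SymptomRule("P_load", threshold=0.6, limit=0.9, precondition=0.7),
]
DOS_BETA = 0.95


def detect(rule: list[SymptomRule], beta: float, observed: dict[str, float],
           alarm_min: float) -> tuple[float, bool]:
    """Steps S32-S34 for one observation vector: return (a, alarm fired).

    The patent's 'set confidence range' is modelled as a lower bound
    alarm_min (assumption of this example).
    """
    evidence = [evidence_confidence(observed[r.name], r.threshold, r.limit) for r in rule]
    a = rule_confidence(evidence, [r.precondition for r in rule], beta)
    return a, a >= alarm_min


if __name__ == "__main__":
    # Constructed readings: saturated link, idle link, and a partial match.
    for sample in (
        {"V_netcard": 100.0, "V_net": 400.0, "P_load": 0.9},
        {"V_netcard": 10.0, "V_net": 10.0, "P_load": 0.1},
        {"V_netcard": 75.0, "V_net": 400.0, "P_load": 0.75},
    ):
        a, fired = detect(DOS_RULE, DOS_BETA, sample, alarm_min=0.5)
        print(f"{sample} -> a={a:.4f} alarm={fired}")
```

With all three features at or beyond their limits, a equals β (0.95); with all of them below their thresholds, a collapses to 0.2 × 0.2 × 0.3 × 0.95 = 0.0114, which is why the conclusion confidence alone never raises an alarm. The partial case (half evidence on the card rate and DPU load, full evidence on the network rate) gives 0.7 × 1 × 0.8 × 0.95 = 0.532.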
CN202110980608.5A 2021-08-25 2021-08-25 Attack intrusion detection device and method for distributed control system Pending CN113721569A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110980608.5A CN113721569A (en) 2021-08-25 2021-08-25 Attack intrusion detection device and method for distributed control system

Publications (1)

Publication Number Publication Date
CN113721569A true CN113721569A (en) 2021-11-30

Family

ID=78677758

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110980608.5A Pending CN113721569A (en) 2021-08-25 2021-08-25 Attack intrusion detection device and method for distributed control system

Country Status (1)

Country Link
CN (1) CN113721569A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114186225A (en) * 2021-12-07 2022-03-15 北京天融信网络安全技术有限公司 Database detection method and device, electronic equipment and storage medium
CN115150160A (en) * 2022-06-29 2022-10-04 北京天融信网络安全技术有限公司 Method and system for detecting network attack characteristics

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821007A (en) * 2012-08-06 2012-12-12 河南科技大学 Network security situation awareness system based on self-discipline computing and processing method thereof
CN108769051A (en) * 2018-06-11 2018-11-06 中国人民解放军战略支援部队信息工程大学 A network intrusion situation intent assessment method based on alert correlation
CN109992961A (en) * 2019-03-07 2019-07-09 北京华安普特网络科技有限公司 Detection system and method for the anti-hacker attacks of Database Systems
CN110535854A (en) * 2019-08-28 2019-12-03 南京市晨枭软件技术有限公司 An intrusion detection method and system for industrial control systems

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
徐冲; 何大可;: "Research on an intrusion detection *** based on data mining", 计算机时代 (Computer Era), no. 05 *
程超; 陈梅; 李治霖;: "Intrusion detection for industrial control networks based on a belief rule base", 网络安全技术与应用 (Network Security Technology & Application), no. 05 *
管廷昭;: "Design of an active defence *** against intelligent network intrusion under sustained attack", 电子设计工程 (Electronic Design Engineering), no. 18 *
赵钢; 张剑; 邹彬;: "An intrusion detection model based on fuzzy rule sets", 信息网络安全 (Netinfo Security), no. 07 *
金民锁; 孙秀娟; 朱单;: "Design of an anomaly-pattern intrusion detection *** based on data mining", 沈阳航空工业学院学报 (Journal of Shenyang Institute of Aeronautical Engineering), no. 05 *
钱虹: "Research on a belief rule base for soot-blowing demand based on production data mining", 《热力发电》 (Thermal Power Generation), no. 6, pages 1-2 *

Similar Documents

Publication Publication Date Title
CN106506242B (en) Accurate positioning method and system for monitoring network abnormal behaviors and flow
CN108429651B (en) Flow data detection method and device, electronic equipment and computer readable medium
US7636942B2 (en) Method and system for detecting denial-of-service attack
CN111669375B (en) Online safety situation assessment method and system for power industrial control terminal
CN101741633B (en) Association analysis method and system for massive logs
CN113721569A (en) Attack intrusion detection device and method for distributed control system
CN107579986B (en) Network security detection method in complex network
CN104506385B (en) A software-defined network security situation evaluation method
CN111181971B (en) System for automatically detecting industrial network attack
CN111510436B (en) Network security system
CN110113336B (en) Network flow abnormity analysis and identification method for transformer substation network environment
CN112422554B (en) Method, device, equipment and storage medium for detecting abnormal traffic external connection
CN104734916A (en) Efficient multistage anomaly flow detection method based on TCP
CN107135183A (en) A traffic data monitoring method and device
CN112333023A (en) Intrusion detection system based on flow of Internet of things and detection method thereof
CN110881034A (en) Computer network security system based on virtualization technology
CN111224973A (en) Network attack rapid detection system based on industrial cloud
CN112491849A (en) Power terminal vulnerability attack protection method based on flow characteristics
CN110266680B (en) Industrial communication anomaly detection method based on dual similarity measurement
CN107070941A (en) The method and apparatus of abnormal traffic detection
CN110636077A (en) Network security protection system and method based on unified platform
CN114844722B (en) Network security detection method based on domain name
CN111049685A (en) Network security sensing system, network security sensing method and device of power system
CN110995733A (en) Intrusion detection system in industrial control field based on remote measuring technology
CN114584356A (en) Network security monitoring method and network security monitoring system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination