CN114257522B - Network security attack and defense demonstration system, method, device and storage medium - Google Patents

Info

Publication number
CN114257522B
Authority
CN
China
Prior art keywords
attack
defense
module
strategy
protection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111574722.4A
Other languages
Chinese (zh)
Other versions
CN114257522A (en
Inventor
王柯博
屠昌乐
胡梁眉
还约辉
张志群
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Guoli Network Security Technology Co ltd
Original Assignee
Zhejiang Guoli Network Security Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Human Computer Interaction (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Programmable Controllers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the application provide a network security attack and defense demonstration system, method, device and storage medium. The system comprises an attack and defense demonstration module, an industrial control hardware demonstration module and a situation demonstration module. The attack and defense demonstration module responds to an attack and defense strategy instruction, invokes the attack strategy and the protection strategy corresponding to that instruction, generates a control instruction, and sends the control instruction to the industrial control hardware demonstration module. The industrial control hardware demonstration module receives the control instruction, reads the attack strategy and the protection strategy in it, and executes the attack operation corresponding to the attack strategy and the protection operation corresponding to the protection strategy. The situation demonstration module monitors the operation processes of the attack and defense demonstration module and the industrial control hardware demonstration module, converts the operation processes into visual graphics for display, generates an attack and defense log from the operation processes, and displays the log. The method and the device improve the accuracy and intuitiveness of simulating network attack and defense on an industrial control system.

Description

Network security attack and defense demonstration system, method, device and storage medium
Technical Field
The application relates to the field of network security attack and defense demonstration, in particular to a network security attack and defense demonstration system, a network security attack and defense demonstration method, a network security attack and defense demonstration device and a storage medium.
Background
In recent years, with the rapid increase of the level of social informatization, modern industrial control systems have become integrated control systems integrating traditional industrial control and network communication. The safety of the industrial control system directly affects the national industrial safety. However, the current complex network environment has posed a direct cyber-security threat to modern industrial control systems.
Because the structure of an industrial control system is complex and the system must keep the production system running normally, network security testing of an industrial control system cannot be carried out on the actual industrial control system. To solve this problem, attack and defense demonstration platforms that can simulate network attacks on an industrial control system have appeared. However, the existing attack and defense demonstration platforms are mainly used for training professional security personnel. The attack and defense exercise process is highly specialized and complex to operate, and the whole demonstration relies on fully simulated operation, so the necessity and effect of network security protection for an industrial control system cannot be displayed intuitively.
Disclosure of Invention
The embodiment of the application aims to provide a network security attack and defense demonstration system, a method, a device and a storage medium, so as to realize visual display of a network security attack and defense process of an industrial control system. The specific technical scheme is as follows:
The application provides a network security attack and defense demonstration system, which comprises:
an attack and defense demonstration module, an industrial control hardware demonstration module and a situation demonstration module, wherein the attack and defense demonstration module is in communication connection with the industrial control hardware demonstration module, the attack and defense demonstration module is in communication connection with the situation demonstration module, and the industrial control hardware demonstration module is in communication connection with the situation demonstration module;
the attack and defense demonstration module responds to an attack and defense strategy instruction, invokes an attack strategy and a protection strategy corresponding to the attack and defense strategy instruction, generates a control instruction comprising the attack strategy and the protection strategy, and sends the control instruction to the industrial control hardware demonstration module, wherein the attack strategy is stored in an attack sub-module in the attack and defense demonstration module, and the protection strategy is stored in a protection sub-module in the attack and defense demonstration module;
the industrial control hardware display module receives the control instruction, reads the attack strategy and the protection strategy in the control instruction, and executes attack operation corresponding to the attack strategy and protection operation corresponding to the protection strategy;
the situation display module monitors the running processes of the attack and defense demonstration module and the industrial control hardware display module, converts the running processes into visual graphics for display, generates attack and defense logs according to the running processes, and displays the attack and defense logs.
Optionally, the industrial control hardware display module includes: a control host, a controller protection device, a programmable logic controller and an execution mechanism, wherein the control host is in communication connection with the controller protection device, the controller protection device is in communication connection with the programmable logic controller, and the programmable logic controller is electrically connected with the execution mechanism;
the control host receives the control instruction and sends the protection strategy to the controller protection device; after the controller protection device executes the protection operation corresponding to the protection strategy, the control host reads the attack strategy in the control instruction, calls the attack script corresponding to the attack strategy, and performs a tampering operation on the configuration file parameters of the programmable logic controller, so that the programmable logic controller controls the execution mechanism to act according to the configuration file parameters tampered with by the attack script, wherein the attack script is stored in the control host, and the protection operation is protection on or protection off.
Optionally, the industrial control hardware display module further includes: a controller reset module, wherein the controller reset module is in communication connection with the protection sub-module, and the controller reset module is in communication connection with the programmable logic controller;
the controller reset module responds to a reset instruction sent by the protection sub-module and resets the programmable logic controller that has been subjected to the tampering operation according to a pre-stored baseline configuration file of the programmable logic controller.
Optionally, the industrial control hardware display module further includes:
a controller reset module, wherein the controller reset module is in communication connection with the control host, and the controller reset module is in communication connection with the programmable logic controller,
wherein the controller reset module is configured to: monitor the length of time during which the control host performs no other operation after performing one tampering operation, judge whether that duration is greater than a preset threshold, and if so, reset the programmable logic controller that has been subjected to the tampering operation according to a pre-stored baseline configuration file of the programmable logic controller;
and/or wherein the controller reset module is configured to: judge whether the reset operation is executed between two tampering operations by the control host, and if not, send out warning information.
Optionally, the controller protection device is further configured to:
when the controller protection device is in the protection-on state, monitor the programmable logic controller, interrupt the tampering operation when a tampering operation is detected, and send out alarm information.
Optionally, the system further comprises: a normal operation control module,
the normal operation control module responds to normal operation, and sends a normal operation instruction to the attack and defense demonstration module, so that the attack and defense demonstration module responds to the normal operation instruction, and sends a normal starting instruction to the programmable logic controller, wherein the normal starting instruction is an instruction for controlling the programmable logic controller to control the execution mechanism to act according to a normal script.
The application also provides a network security attack and defense demonstration method which is applied to the network security attack and defense demonstration system, and the method comprises the following steps:
the attack and defense demonstration module responds to an attack and defense strategy instruction, invokes an attack strategy and a protection strategy corresponding to the attack and defense strategy instruction, generates a control instruction comprising the attack strategy and the protection strategy, and sends the control instruction to the industrial control hardware demonstration module, wherein the attack strategy is stored in an attack sub-module in the attack and defense demonstration module, and the protection strategy is stored in a protection sub-module in the attack and defense demonstration module;
the industrial control hardware display module receives the control instruction, reads the attack strategy and the protection strategy in the control instruction, and executes attack operation corresponding to the attack strategy and protection operation corresponding to the protection strategy;
the situation display module monitors the running processes of the attack and defense demonstration module and the industrial control hardware display module, converts the running processes into visual graphics for display, generates attack and defense logs according to the running processes, and displays the attack and defense logs.
Optionally, the method further comprises:
the normal operation control module responds to normal operation, and sends a normal operation instruction to the attack and defense demonstration module, so that the attack and defense demonstration module responds to the normal operation instruction, and sends a normal starting instruction to the programmable logic controller, wherein the normal starting instruction is an instruction for controlling the programmable logic controller to control the execution mechanism to act according to a normal script.
The application also provides a network security attack and defense demonstration device, which comprises:
an electronic device configured to execute instructions to implement the above network security attack and defense demonstration method.
The application also proposes a computer storage medium whose stored instructions, when executed by a processor of an electronic device, enable the device to perform the above-described network security attack and defense demonstration method.
In the network security attack and defense demonstration system, method, device and storage medium provided by the application, an industrial control hardware display module is provided, and hardware equipment similar to that of an industrial control system in an actual application scenario is deployed in a simulation sand table. When the industrial control system is subjected to a network attack, the effect on the hardware equipment and the actual harm caused by the attack are simulated, and the process of the network attack is shown on the display. Compared with the simulation-only display form adopted in the prior art, this improves the accuracy and intuitiveness of simulating network attack and defense. In addition, because the attack strategy and the protection strategy are preset, the operator does not need to enter attack or protection instructions manually. The operator only needs to click the corresponding option on the human-machine interaction device to invoke the attack strategy, which reduces the complexity of operating the system and improves the accuracy of simulating network attack and defense. Finally, by deploying the situation display module, the process of the simulated industrial control system under network attack is displayed in the form of visual graphics and an attack and defense log, which improves the intuitiveness of the whole simulated attack and defense process compared with the prior art. The accuracy and intuitiveness of simulating network attack and defense on an industrial control system are therefore improved.
Of course, it is not necessary for any of the products or methods of the present application to be practiced with all of the advantages described above.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a block diagram of a network security attack and defense demonstration system provided in an embodiment of the present application;
Fig. 2 is a block diagram of an industrial control hardware display module provided in an alternative embodiment of the present application;
Fig. 3 is a schematic diagram of a connection manner of a network security attack and defense demonstration system according to an alternative embodiment of the present application;
Fig. 4 is a signaling diagram of a network security attack and defense demonstration system according to an alternative embodiment of the present application;
Fig. 5 is a flowchart of a network security attack and defense demonstration method provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by one of ordinary skill in the art based on the present disclosure without inventive effort fall within the scope of the present disclosure.
The embodiment of the application provides a network security attack and defense demonstration system, as shown in fig. 1, the system comprises:
the system comprises an attack and defense demonstration module 101, an industrial control hardware demonstration module 102 and a situation demonstration module 103, wherein the attack and defense demonstration module 101 is in communication connection with the industrial control hardware demonstration module 102, the attack and defense demonstration module 101 is in communication connection with the situation demonstration module 103, and the industrial control hardware demonstration module 102 is in communication connection with the situation demonstration module 103.
The attack and defense demonstration module 101 responds to the attack and defense strategy instruction, invokes an attack strategy and a protection strategy corresponding to the attack and defense strategy instruction, generates a control instruction comprising the attack strategy and the protection strategy, and sends the control instruction to the industrial control hardware demonstration module 102, wherein the attack strategy is stored in an attack sub-module 104 in the attack and defense demonstration module 101, and the protection strategy is stored in a protection sub-module 105 in the attack and defense demonstration module 101.
Optionally, in an optional embodiment of the present application, the attack and defense demonstration module 101 may include an attack sub-module 104 and a protection sub-module 105. A plurality of preset attack strategies are packaged in the attack sub-module 104, and an attack strategy may be program code for simulating an attack on an industrial control system. The protection sub-module 105 may contain a processor that outputs a protection policy and outputs a reset instruction. The protection policy may be program code indicating whether the protection equipment in an industrial control system is in a protected state. Because the attack strategy and the protection strategy are preset, the operator does not need to enter attack or protection instructions manually. The operator only needs to click the corresponding option on the human-machine interaction device to invoke the attack strategy, which, compared with the prior art, reduces the complexity of operating the system and improves the accuracy of simulating network attack and defense.
The industrial control hardware exhibition module 102 receives the control instruction, reads the attack strategy and the protection strategy in the control instruction, and executes the attack operation corresponding to the attack strategy and the protection operation corresponding to the protection strategy.
Alternatively, in an alternative embodiment of the present application, the industrial control hardware display module 102 may be a hardware device that integrates a simulated industrial control system, a simulation sand table and a display. Hardware equipment similar to that of an industrial control system in an actual application scenario is deployed in the simulation sand table. When the industrial control system is subjected to a network attack, the effect on the hardware equipment and the actual damage caused by the attack are simulated, and the process of the network attack is shown on the display. Compared with the simulation-only display form adopted in the prior art, this improves the accuracy and intuitiveness of simulating the network attack.
The situation display module 103 monitors the operation process of the attack and defense demonstration module 101 and the industrial control hardware display module 102, converts the operation process into a visual graph for display, generates an attack and defense log according to the operation process, and displays the attack and defense log.
Alternatively, in an optional embodiment of the present application, the foregoing operation process may be the process in which the attack and defense demonstration module 101 controls the industrial control hardware demonstration module 102 to perform the attack and defense demonstration, and its contents include, but are not limited to: attack path, attack policy, attack effect, etc.
Optionally, in another optional embodiment of the present application, the content of the visual graphics includes, but is not limited to: attack path topology diagram, hardware device architecture diagram, protection operation effect diagram, etc. By deploying the situation display module, the process of the simulated industrial control system under network attack is displayed in the form of visual graphics and an attack and defense log, which improves the intuitiveness of displaying the simulated network attack and defense process compared with the prior art.
In the present application, an industrial control hardware display module is provided, and hardware equipment similar to that of an industrial control system in an actual application scenario is deployed in the simulation sand table. When the industrial control system is subjected to a network attack, the effect on the hardware equipment and the actual damage caused by the attack are simulated, and the process of the network attack is shown on the display. Compared with the simulation-only display form adopted in the prior art, this improves the accuracy and intuitiveness of simulating the network attack. In addition, because the attack strategy and the protection strategy are preset, the operator does not need to enter attack or protection instructions manually. The operator only needs to click the corresponding option on the human-machine interaction device to invoke the attack strategy, which reduces the complexity of operating the system and improves the accuracy of simulating network attack and defense. Finally, by deploying the situation display module, the process of the simulated industrial control system under network attack is displayed in the form of visual graphics and an attack and defense log, which improves the intuitiveness of the whole simulated attack and defense process compared with the prior art. The accuracy and intuitiveness of simulating network attack and defense on an industrial control system are therefore improved.
Optionally, referring to fig. 2, the industrial control hardware display module 102 includes: the controller comprises a control host 201, a controller protection device 202, a programmable logic controller 203 and an executing mechanism 204, wherein the control host 201 is in communication connection with the controller protection device 202, the controller protection device 202 is in communication connection with the programmable logic controller 203, and the programmable logic controller 203 is electrically connected with the executing mechanism 204.
The control host 201 receives the control instruction and sends the protection policy to the controller protection device 202. After the controller protection device 202 executes the protection operation corresponding to the protection policy, the control host 201 reads the attack policy in the control instruction, invokes the attack script corresponding to the attack policy, and performs a tampering operation on the configuration file parameters of the programmable logic controller 203, so that the programmable logic controller 203 controls the execution mechanism 204 to act according to the configuration file parameters tampered with by the attack script, where the attack script is stored in the control host, and the protection operation is protection on or protection off.
The controller guard 202 reads the protection policy and performs a protection operation corresponding to the protection policy, where the protection operation is protection on or protection off.
Optionally, in an alternative embodiment of the present application, the programmable logic controller 203 (Programmable Logic Controller, PLC) is a digital computing electronic system used in an industrial environment. It stores configuration file parameters and operation instructions such as logic operation, sequential control and arithmetic operation, and controls the operation of the execution mechanism according to digital or analog inputs and outputs. The PLC 203 deployed in the application is consistent with the PLC used by the industrial control system in the actual application scenario, so the running state of the industrial control system when the PLC is under network attack in the actual application scenario can be reflected accurately. It can be appreciated that the model of the PLC 203 can be selected according to actual needs, and the specific type of the PLC is not limited in the present application.
Alternatively, in another alternative embodiment of the present application, the controller guard 202 may be a system with built-in industrial control detection protocols and protection operation instructions. When the controller guard 202 reads a protection policy of protection on, it executes the protection-on operation, inspects the communication traffic information input to the PLC 203 using the industrial control detection protocol, and blocks the tampered information when it detects that tampered information exists in the communication traffic information.
Alternatively, in another alternative embodiment of the present application, the actuator 204 may be a hardware device with similar functions in an industrial control system in a practical application scenario, where the type of the hardware device includes, but is not limited to, a motor and an indicator light. By deploying the hardware equipment, the demonstration mode of the attack and defense process through simulation in the prior art can be converted into the demonstration mode according to the real working state of the entity hardware equipment. Meanwhile, different working states of the hardware equipment are intuitively embodied through deployment of the indicator lamp connected with the hardware equipment, so that compared with the prior art, the method and the device have the advantage that intuitiveness of simulating network attack and defense display of an industrial control system is improved.
Optionally, referring to fig. 2, the industrial control hardware display module 102 further includes: the controller reset module 205, the controller reset module 205 is in communication connection with the protection sub-module 105, and the controller reset module 205 is in communication connection with the programmable logic controller 203.
The controller reset module 205 performs a reset operation on the programmable logic controller 203 subjected to the tampering operation according to a pre-stored baseline configuration file of the programmable logic controller 203 in response to a reset instruction sent by the protection submodule.
Optionally, in an optional embodiment of the present application, the baseline configuration file is the initial configuration file in the PLC 203. By deploying the controller reset module that stores the baseline configuration file, the configuration file parameters of the PLC 203 can be recovered after a network attack. Therefore, when the attack and defense demonstration module 101 sends a control instruction to the industrial control hardware demonstration module 102 for the first time, the configuration file parameters of the running PLC 203 are parameters that have not been tampered with, which ensures the accuracy of simulating network attack and defense on the industrial control system.
Alternatively, in another alternative embodiment of the present application, the specific procedure of the above reset operation may be: the controller reset module 205 sends a forced reset instruction to the controller guard 202, and the controller guard 202 blocks the communication link of the programmable logic controller 203 and the control host 201 in response to the forced reset instruction. Meanwhile, the controller reset module 205 performs parameter forced reset on the tampered configuration file parameters in the programmable logic controller 203 according to the baseline configuration file. The configuration file parameters of the programmable logic controller 203 after the forced parameter reset are parameters which are not tampered.
Optionally, referring to fig. 2, the industrial control hardware display module 102 further includes:
the controller reset module 205, the controller reset module 205 is connected with the control host 201 in a communication manner, and the controller reset module 205 is connected with the programmable logic controller 203 in a communication manner.
Wherein the controller reset module 205 is configured to: monitor the duration for which no other operation is performed after the control host 201 performs a tampering operation, determine whether the duration is greater than a preset threshold value, and if so, reset the tampered programmable logic controller 203 according to a pre-stored baseline configuration file of the programmable logic controller 203.
And/or wherein the controller reset module 205 is configured to: determine whether the control host 201 has performed the reset operation, and if not, send out warning information.
Optionally, the controller guard 202 is further configured to:
when the controller guard 202 is in a guard-on state, the programmable logic controller 203 is monitored, and when a tampering operation is monitored, the tampering operation is interrupted, and an alarm message is sent.
Optionally, in an optional embodiment of the present application, the above interruption of the tampering operation may be that the controller guard 202 blocks the communication link between the programmable logic controller and the control network when it detects the tampering operation.
Optionally, the system further comprises: a normal operation control module.
The normal operation control module responds to the normal operation and sends a normal operation instruction to the attack and defense demonstration module 101, so that the attack and defense demonstration module 101 responds to the normal operation instruction and sends a normal starting instruction to the programmable logic controller 203, wherein the normal starting instruction is an instruction for controlling the programmable logic controller 203 to control the execution mechanism 204 to act according to a normal script.
Optionally, in an optional embodiment of the present application, the normal operation may be a page-switching click by an operator, detected by the man-machine interaction device of the present system. The page-switching click may be a jump from the page of another module to the page of the attack and defense demonstration module, and the other module may be a knowledge question-answering module.
To facilitate an understanding of the operation of the above system, an alternative embodiment of the present application is described herein, particularly in conjunction with the description of fig. 3 and 4:
Fig. 3 is a schematic diagram of an optional connection manner of the present system. A switch 301 provides the signal path; by connecting to the switch 301, the situation display module 103 can monitor the industrial control hardware display module 102. The industrial safety audit system 302 can monitor the operation states of the programmable logic controller 203 and the execution mechanism 204, and output the corresponding safety level and influence range according to those operation states.
The industrial safety audit system 302 can be a neural network model based on behavior learning, and is used for supporting industrial control network communication and information transfer behaviors. The industrial safety audit system 302 can detect network attack behaviors such as abnormal data messages, abnormal network behaviors and illegal intrusion, and can also provide records supporting prevention before, discovery during and tracing after a security risk event, based on information such as security logs.
As shown in fig. 4, an operator selects a page switching option through a man-machine interaction device, and at this time, the normal operation control module responds to the normal operation and sends a normal operation instruction to the attack and defense demonstration module.
Step S401, the attack and defense demonstration module responds to the normal operation instruction, generates a normal starting instruction and triggers step S402.
Step S402, the attack and defense demonstration module sends a normal starting instruction to the control host and triggers step S403.
Step S403, the control host sends a normal starting instruction to the programmable logic controller, and triggers step S404.
Optionally, for convenience of description, the controller guard is set in a guard-off state.
Step S404, the programmable logic controller responds to the normal starting instruction and controls the motor to act at the normal rotating speed according to the normal script.
After the step S404 is completed, an operator selects an attack and defense strategy for increasing the rotation speed and closing the protection through the man-machine interaction device, and sends an attack and defense strategy instruction to the attack and defense demonstration module.
Step S405, the attack and defense demonstration module calls an attack strategy corresponding to the attack and defense strategy instruction from the attack sub-module in response to the attack and defense strategy instruction, calls a protection strategy corresponding to the attack and defense strategy instruction from the protection sub-module, generates a control instruction comprising the attack strategy and the protection strategy, and triggers step S406.
The attack strategy in step S405 is to increase the motor speed to a dangerous speed, and the protection strategy is to close the protection.
Step S406, the attack and defense demonstration module sends a control instruction to the control host to trigger step S407.
Step S407, the control host receives and reads the control instruction, obtains the attack strategy and the protection strategy, and triggers step S408.
Step S408, the control host sends a protection policy to the controller protection device, and triggers step S409.
In step S409, the controller protection device responds to the protection policy, and executes a protection operation corresponding to the protection policy. After the guard operation is performed, step S410 is triggered.
Step S410, the controller protection device sends a status confirmation message to the control host, and triggers step S411.
Step S411, the control host receives the state confirmation information, reads the attack strategy, calls and executes the attack script corresponding to the attack strategy, and triggers step S412.
Step S412, the control host sends a control instruction for increasing the rotation speed to the programmable logic controller, and the step S413 is triggered.
In step S413, the programmable logic controller controls the motor to operate according to the dangerous rotational speed in response to the control command for increasing the rotational speed, and triggers step S414.
Step S414, after the programmable logic controller controls the motor to act according to the dangerous rotating speed, a monitoring request is sent to the controller resetting module, and step S415 is triggered.
Step S415, the controller reset module responds to the monitoring request and judges whether the duration for which the programmable logic controller has controlled the motor to act at the dangerous rotating speed is greater than a preset threshold value; if yes, step S416 is triggered, and if not, step S417 is triggered.
Step S416, the controller reset module sends a forced reset instruction to the controller protection device, triggering step S418 and step S419.
Step S417, the controller reset module repeatedly executes step S415.
In step S418, the controller protection device responds to the forced reset instruction to block the communication link between the programmable logic controller and the control host.
Step S419, the controller reset module performs parameter forced reset on the programmable logic controller, and triggers step S420.
Step S420, the programmable logic controller completes the forced parameter reset and ends the flow.
Optionally, in step S413, after the programmable logic controller responds to the control instruction for increasing the rotation speed and controls the motor to act at the dangerous rotation speed, the industrial safety audit system 302 retrieves warning information, such as the safety level and influence range, corresponding to the dangerous rotation speed at which the motor is currently running, and sends the warning information to the situation display module 103 through the switch 301.
Optionally, the situation display module 103 generates a topology map and an attack and defense log of the simulated network attack and defense process according to the simulated network attack and defense process of step S401 to step S420 shown in fig. 4 and the warning information, and displays the topology map and the attack and defense log through a display device or the man-machine interaction device.
Optionally, step S415 shown in fig. 4 is an alternative embodiment that may be performed by the controller reset module 205 shown in fig. 2.
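The watchdog logic of steps S415 to S420, sketched as a small simulation. This is an added example, not code from the patent: the class and parameter names, the 1500/4000 rpm values and the 10-second threshold are assumptions, and timestamps are passed in explicitly so the run is deterministic.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed values: the text names a "baseline configuration file" and a
# "preset threshold" but gives no concrete parameters or numbers.
BASELINE = {"motor_rpm": 1500, "ramp_seconds": 5}
THRESHOLD_S = 10.0


@dataclass
class ControllerGuard:
    """Stand-in for controller guard 202, placed between control host and PLC."""
    link_blocked: bool = False

    def forward_write(self, plc_params: dict, key: str, value: int) -> bool:
        """Pass a parameter write to the PLC unless the link is blocked (S418)."""
        if self.link_blocked:
            return False
        plc_params[key] = value
        return True


@dataclass
class ControllerResetModule:
    """Stand-in for controller reset module 205."""
    baseline: dict
    threshold_s: float
    guard: ControllerGuard
    deviating_since: Optional[float] = None
    log: list = field(default_factory=list)

    def deviations(self, plc_params: dict) -> dict:
        """Map each parameter that differs from baseline to (expected, actual)."""
        keys = set(self.baseline) | set(plc_params)
        return {k: (self.baseline.get(k), plc_params.get(k))
                for k in keys if self.baseline.get(k) != plc_params.get(k)}

    def poll(self, plc_params: dict, now: float) -> str:
        """One pass of S415; returns 'baseline', 'monitoring' or 'reset'."""
        diff = self.deviations(plc_params)
        if not diff:
            self.deviating_since = None
            return "baseline"
        if self.deviating_since is None:
            self.deviating_since = now
            self.log.append((now, "deviation", diff))
        if now - self.deviating_since <= self.threshold_s:
            return "monitoring"              # S417: repeat S415
        self.guard.link_blocked = True       # S416 + S418: block PLC <-> host link
        plc_params.clear()                   # S419: forced parameter reset
        plc_params.update(self.baseline)
        self.log.append((now, "forced_reset", diff))
        self.deviating_since = None
        return "reset"                       # S420


def run_demo() -> dict:
    """Replay a constructed timeline: normal run, parameter change, watchdog reset."""
    plc = dict(BASELINE)
    guard = ControllerGuard()
    reset = ControllerResetModule(dict(BASELINE), THRESHOLD_S, guard)
    states = [reset.poll(plc, 0.0)]               # normal operation (S404)
    guard.forward_write(plc, "motor_rpm", 4000)   # constructed out-of-baseline value (S412)
    for t in (1.0, 6.0, 11.0, 12.0):              # deviation first seen at t=1.0
        states.append(reset.poll(plc, t))
    late_write = guard.forward_write(plc, "motor_rpm", 4000)
    return {"states": states, "plc": plc,
            "late_write_accepted": late_write, "log": reset.log}


if __name__ == "__main__":
    print(run_demo())
```

In this sketch the link stays blocked after the forced reset; the text does not say when the controller guard reopens it.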
Corresponding to the network security attack and defense demonstration system provided in the foregoing embodiment, the embodiment of the present application further provides a network security attack and defense demonstration method, where the method is applied to the foregoing network security attack and defense demonstration system, as shown in fig. 5, and the method includes:
S501, the attack and defense demonstration module responds to the attack and defense strategy instruction, invokes an attack strategy and a protection strategy corresponding to the attack and defense strategy instruction, generates a control instruction comprising the attack strategy and the protection strategy, and sends the control instruction to the industrial control hardware demonstration module, wherein the attack strategy is stored in an attack sub-module in the attack and defense demonstration module, and the protection strategy is stored in a protection sub-module in the attack and defense demonstration module.
S502, the industrial control hardware display module receives the control instruction, reads the attack strategy and the protection strategy in the control instruction, and executes the attack operation corresponding to the attack strategy and the protection operation corresponding to the protection strategy.
S503, the situation display module monitors the operation process of the attack and defense demonstration module and the industrial control hardware display module, converts the operation process into a visual graph for display, generates an attack and defense log according to the operation process, and displays the attack and defense log.
Optionally, the method further comprises:
the normal operation control module responds to normal operation, and sends a normal operation instruction to the attack and defense demonstration module, so that the attack and defense demonstration module responds to the normal operation instruction, and sends a normal starting instruction to the programmable logic controller, wherein the normal starting instruction is an instruction for controlling the programmable logic controller to control the execution mechanism to act according to a normal script.
An embodiment of the present application provides a network security attack and defense demonstration device, the device including:
a plurality of electronic devices configured to execute instructions to implement a network security attack and defense demonstration method as described in any one of the above.
Embodiments of the present application provide a computer storage medium storing instructions which, when executed by a processor of an electronic device, enable the device to perform a network security attack and defense demonstration method as described in any one of the above.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip. Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
In this specification, the embodiments are described in a related manner; for identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the system embodiments are substantially similar to the method embodiments, their description is relatively brief; for relevant details, refer to the corresponding description of the method embodiments.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (9)

1. A network security attack and defense demonstration system, the system comprising:
the system comprises an attack and defense demonstration module, an industrial control hardware demonstration module and a situation demonstration module, wherein the attack and defense demonstration module is in communication connection with the industrial control hardware demonstration module, the attack and defense demonstration module is in communication connection with the situation demonstration module, the industrial control hardware demonstration module is in communication connection with the situation demonstration module,
the attack and defense demonstration module responds to an attack and defense strategy instruction, invokes an attack strategy and a protection strategy corresponding to the attack and defense strategy instruction, generates a control instruction comprising the attack strategy and the protection strategy, and sends the control instruction to the industrial control hardware demonstration module, wherein the attack strategy is stored in an attack sub-module in the attack and defense demonstration module, and the protection strategy is stored in a protection sub-module in the attack and defense demonstration module;
the industrial control hardware display module receives the control instruction, reads the attack strategy and the protection strategy in the control instruction, and executes attack operation corresponding to the attack strategy and protection operation corresponding to the protection strategy; wherein, the industrial control hardware display module includes: the control system comprises a control host, a controller protection device, a programmable logic controller and an executing mechanism, wherein the control host is in communication connection with the controller protection device, the controller protection device is in communication connection with the programmable logic controller, the programmable logic controller is electrically connected with the executing mechanism, the control host receives the control instruction and sends the protection strategy to the controller protection device, after the controller protection device executes the protection operation corresponding to the protection strategy, the attack strategy in the control instruction is read, an attack script corresponding to the attack strategy is called, the configuration file parameters of the programmable logic controller are tampered, so that the programmable logic controller controls the executing mechanism to act according to the configuration file parameters tampered by the attack script, wherein the attack script is stored in the control host, and the protection operation is protection opening or protection closing;
the situation display module monitors the running processes of the attack and defense demonstration module and the industrial control hardware display module, converts the running processes into visual graphics for display, generates attack and defense logs according to the running processes, and displays the attack and defense logs.
2. The system of claim 1, wherein the industrial control hardware display module further comprises: the controller reset module is in communication connection with the protection sub-module, the controller reset module is in communication connection with the programmable logic controller,
and the controller resetting module responds to a resetting instruction sent by the protection submodule, and resets the programmable logic controller subjected to the tampering operation according to a pre-stored baseline configuration file of the programmable logic controller.
3. The system of claim 1, wherein the industrial control hardware display module further comprises:
the controller reset module is in communication connection with the control host, the controller reset module is in communication connection with the programmable logic controller,
wherein the controller reset module is configured to: monitor the duration for which no other operation is performed after the control host performs a tampering operation, determine whether the duration is greater than a preset threshold value, and if so, reset the programmable logic controller subjected to the tampering operation according to a pre-stored baseline configuration file of the programmable logic controller;
and/or wherein the controller reset module is configured to: determine whether the control host has executed the reset operation between two tampering operations, and if not, send out warning information.
4. The system of claim 1, wherein the controller guard is further configured to:
and when the controller protection device is in the protection opening state, monitoring the programmable logic controller, interrupting the tampering operation when the tampering operation is monitored, and sending out alarm information.
5. The system of claim 1, wherein the system further comprises: a normal operation control module,
the normal operation control module responds to normal operation, and sends a normal operation instruction to the attack and defense demonstration module, so that the attack and defense demonstration module responds to the normal operation instruction, and sends a normal starting instruction to the programmable logic controller, wherein the normal starting instruction is an instruction for controlling the programmable logic controller to control the execution mechanism to act according to a normal script.
6. A network security attack and defense demonstration method, wherein the method is applied to a network security attack and defense demonstration system according to any one of claims 1 to 5, and the method comprises:
the attack and defense demonstration module responds to an attack and defense strategy instruction, invokes an attack strategy and a protection strategy corresponding to the attack and defense strategy instruction, generates a control instruction comprising the attack strategy and the protection strategy, and sends the control instruction to the industrial control hardware demonstration module, wherein the attack strategy is stored in an attack sub-module in the attack and defense demonstration module, and the protection strategy is stored in a protection sub-module in the attack and defense demonstration module;
the industrial control hardware display module receives the control instruction, reads the attack strategy and the protection strategy in the control instruction, and executes attack operation corresponding to the attack strategy and protection operation corresponding to the protection strategy; wherein, the industrial control hardware display module includes: the control system comprises a control host, a controller protection device, a programmable logic controller and an executing mechanism, wherein the control host is in communication connection with the controller protection device, the controller protection device is in communication connection with the programmable logic controller, the programmable logic controller is electrically connected with the executing mechanism, the control host receives the control instruction and sends the protection strategy to the controller protection device, after the controller protection device executes the protection operation corresponding to the protection strategy, the attack strategy in the control instruction is read, an attack script corresponding to the attack strategy is called, the configuration file parameters of the programmable logic controller are tampered, so that the programmable logic controller controls the executing mechanism to act according to the configuration file parameters tampered by the attack script, wherein the attack script is stored in the control host, and the protection operation is protection opening or protection closing;
the situation display module monitors the running processes of the attack and defense demonstration module and the industrial control hardware display module, converts the running processes into visual graphics for display, generates attack and defense logs according to the running processes, and displays the attack and defense logs.
7. The method of claim 6, wherein the method further comprises:
the normal operation control module responds to normal operation, and sends a normal operation instruction to the attack and defense demonstration module, so that the attack and defense demonstration module responds to the normal operation instruction, and sends a normal starting instruction to the programmable logic controller, wherein the normal starting instruction is an instruction for controlling the programmable logic controller to control the execution mechanism to act according to a normal script.
8. A network security attack and defense demonstration device, the device comprising:
a plurality of electronic devices configured to execute instructions to implement the network security attack and defense demonstration method according to any one of the preceding claims 6 to 7.
9. A computer storage medium, characterized in that instructions in the computer-readable storage medium, when executed by a processor of an electronic device, enable the device to perform the network security attack and defense demonstration method according to any one of claims 6 to 7.
CN202111574722.4A 2021-12-21 2021-12-21 Network security attack and defense demonstration system, method, device and storage medium Active CN114257522B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111574722.4A CN114257522B (en) 2021-12-21 2021-12-21 Network security attack and defense demonstration system, method, device and storage medium

Publications (2)

Publication Number Publication Date
CN114257522A CN114257522A (en) 2022-03-29
CN114257522B true CN114257522B (en) 2024-01-12

Family

ID=80793845

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111574722.4A Active CN114257522B (en) 2021-12-21 2021-12-21 Network security attack and defense demonstration system, method, device and storage medium

Country Status (1)

Country Link
CN (1) CN114257522B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116756233B (en) * 2023-08-23 2023-11-07 博智安全科技股份有限公司 Situation data processing method and device, electronic equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506202A (en) * 2016-10-31 2017-03-15 华中科技大学 Half visual illustration verification platform and method towards industrial control system protecting information safety
CN107483484A (en) * 2017-09-13 2017-12-15 北京椰子树信息技术有限公司 One kind attack protection drilling method and device
CN110378115A (en) * 2019-07-26 2019-10-25 丁菊仙 A kind of data layer system of information security attack-defence platform
CN112118272A (en) * 2020-11-18 2020-12-22 中国人民解放军国防科技大学 Network attack and defense deduction platform based on simulation experiment design
WO2021017318A1 (en) * 2019-08-01 2021-02-04 平安科技(深圳)有限公司 Cross-site scripting attack protection method and apparatus, device and storage medium
CN112615836A (en) * 2020-12-11 2021-04-06 杭州安恒信息技术股份有限公司 Industrial control network safety protection simulation system
CN113660265A (en) * 2021-08-16 2021-11-16 北京天融信网络安全技术有限公司 Network attack testing method and device, electronic equipment and storage medium
CN113746810A (en) * 2021-08-13 2021-12-03 哈尔滨工大天创电子有限公司 Network attack inducing method, device, equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11184401B2 (en) * 2015-10-28 2021-11-23 Qomplx, Inc. AI-driven defensive cybersecurity strategy analysis and recommendation system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
万国根; 铁玲; 陈勇. Design of a network attack and defense drill platform based on business scenarios. 电脑编程技巧与维护. 2019, (12), full text. *
张伟. Exploration of attack and defense strategies and active defense approaches in network security. 网络安全技术与应用. 2020, (09), full text. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant