CN114374535B - Controller network attack defense method and system based on virtualization technology - Google Patents


Info

Publication number
CN114374535B
Authority
CN (China)
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Active
Application number
CN202111497236.7A
Other languages
Chinese (zh)
Other versions
CN114374535A (en)
Inventors
王欣
黄玲
李蒙
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Beijing Hollysys Co Ltd
Original assignee
Beijing Hollysys Co Ltd
Timeline
Application CN202111497236.7A filed by Beijing Hollysys Co Ltd
Publication of CN114374535A
Application granted
Publication of CN114374535B
Legal status: Active

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441  Countermeasures against malicious traffic
    • H04L63/20  Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application discloses a controller network attack defense method and system based on a virtualization technology. The controller comprises a first management system and a second management system, wherein the first management system and the second management system operate in mutually isolated operating environments, and the mutually isolated operating environments are created by using virtualized software at a software layer of an operating system, and the method comprises the following steps: after receiving input data, the first management system carries out simulation processing on the input data by utilizing a preset first data source and a preset simulation strategy to obtain a simulation result, and detects whether the simulation result is abnormal; if no abnormality exists, the input data is sent to a second management system; the second management system receives input data, responds to the input data by utilizing a preset second data source and a preset response strategy, and outputs a response result; wherein the content of the simulation policy and the response policy are the same, and the content of the first data source and the second data source are the same.

Description

Controller network attack defense method and system based on virtualization technology
Technical Field
The embodiment of the application relates to the field of industrial control, in particular to a controller network attack defense method and system based on a virtualization technology.
Background
With the rapid development of industrial internet, new generation information technologies such as big data and cloud computing are continuously popularized and applied in industrial control systems, and network communication nodes and communication protocols in the industrial control systems are more complex and diversified. The current state of the art puts higher technical requirements on the network security of the controller device, and how to improve the network attack defense capability of the controller is a technical difficulty to be solved.
Traditional controller network security defense schemes are of two types: controller self-defense and external firewall defense. Both are based on white-list or black-list technology. Such a scheme establishes a white list or black list in the defending device for the five-tuple of controller network communication (packet source address, packet destination address, protocol type, source port and destination port), and performs defense and auditing on that five-tuple and on key messages with a fixed content format during network communication.
In practical applications, this kind of protection scheme has an incomplete protection scope and lags in detecting faults, among other problems.
Disclosure of Invention
In order to solve at least one of the above technical problems, the embodiment of the application provides a controller network attack defense method and system based on a virtualization technology.
In order to achieve the object of the embodiments of the present application, the embodiments of the present application provide a method for defending against a network attack of a controller based on a virtualization technology, where the controller includes a first management system and a second management system, where the first management system and the second management system operate in mutually isolated operating environments, where the mutually isolated operating environments are created at a software layer of an operating system by using virtualization software, and the method includes:
after receiving input data, the first management system carries out simulation processing on the input data by utilizing a preset first data source and a preset simulation strategy to obtain a simulation result, and detects whether the simulation result is abnormal; if the simulation result is not abnormal, the input data is sent to a second management system;
the second management system receives the input data, responds to the input data by utilizing a preset second data source and a preset response strategy, and outputs a response result;
wherein the content of the simulation strategy is the same as that of the response strategy, and the content of the first data source is the same as that of the second data source.
A storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method described above when run.
An electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the method described above.
A controller network attack defense system based on virtualization technology, comprising:
a controller comprising the electronic device described above;
and the memory is used for storing an abnormality checking strategy, wherein the abnormality checking strategy is used for judging whether the simulation result is abnormal or not.
One of the above technical solutions has the following advantages or beneficial effects:
by carrying out simulation processing on the input data and checking whether the simulation result is abnormal, the correctness of the input data is judged, the response of the controller to the input data causing the abnormality is reduced, and the network attack defending capability of the controller is improved.
Additional features and advantages of embodiments of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of embodiments of the application. The objectives and other advantages of the embodiments of the application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the technical solutions of the embodiments of the present application, and are incorporated in and constitute a part of this specification, illustrate the technical solutions of the embodiments of the present application and not constitute a limitation to the technical solutions of the embodiments of the present application.
FIG. 1 is a schematic diagram of a prior art controller network self-defense system;
fig. 2 is a schematic diagram of a controller network attack defending method based on a virtualization technology according to an embodiment of the present application;
FIG. 3 is a schematic diagram of data processing in the system of FIG. 2;
fig. 4 is a flowchart of a controller network security management method according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in detail hereinafter with reference to the accompanying drawings. It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be arbitrarily combined with each other.
Fig. 1 is a schematic diagram of a prior art controller network self-defense system. As shown in fig. 1, the system implements controller network defense based on white list technology. An embedded operating system is deployed and run on the controller hardware, and a control module and a network communication defense module run in that operating system. The control module completes the traditional field control function: it receives external network data, acquires data through the input module, performs industrial control logic operations on the acquired data, and finally outputs the result to the field. The network defense module completes the white-list based network defense function and consists of a communication protocol defense strategy module, a communication link defense module and a communication data receiving and transmitting module. The communication data receiving and transmitting module receives and transmits network data; the communication protocol defense strategy module defines the specific white list defense strategy and passes it to the communication link defense module. If the communication link defense module detects an anomaly it returns the abnormal result to the communication protocol defense strategy module; otherwise the legal data is written into the control module.
In the process of implementing the application, the related technology was analyzed and the causes of its problems were found to be as follows:
1. The defense scope is not comprehensive. The method defends only at the controller network communication protocol layer: it can monitor and diagnose the characteristic information of data packets, but it cannot effectively check the legitimacy of the message commands or data that an external network node writes to the controller during operation. For example: suppose the communication server on site is controlled after a virus intrusion, or is misoperated by engineering personnel during debugging, and sends the controller a command that changes the parameters controlling the pressure of the field boiler equipment. The existing technology based on a communication five-tuple white list or black list cannot defend against this. Eventually the pressure of the field boiler becomes too high, which can cause equipment damage and plant shutdown and, in severe cases, injury to personnel and loss of property.
2. Fault check results lag. Even if a legitimacy check of the final result is added after the control logic operation on top of the existing defense scheme, the erroneous written data can be detected, but by then it has already been used as input to the control logic operation and other data has been rewritten. The normal state cannot be recovered automatically; the site can only be stopped and the fault traced, which affects normal operation of the control site. The fault detection result therefore lags, and when a fault is detected the system cannot recover automatically.
Aiming at the defects of the prior controller network defense technology, the application provides a controller network attack defense method based on a virtualization technology, which can enable a controller to have a stronger network defense function, can effectively detect faults before the faults occur and can prevent misoperation of the output of the controller caused by data input errors of an external network.
The embodiment of the application provides a controller network attack defense method based on a virtualization technology, wherein the controller comprises a first management system and a second management system, the first management system and the second management system operate in mutually isolated operating environments, the mutually isolated operating environments are created by using virtualization software at a software layer of an operating system, and the method comprises the following steps:
after receiving input data, the first management system carries out simulation processing on the input data by utilizing a preset first data source and a preset simulation strategy to obtain a simulation result, and detects whether the simulation result is abnormal; if the simulation result is not abnormal, the input data is sent to a second management system;
the second management system receives the input data, responds to the input data by utilizing a preset second data source and a preset response strategy, and outputs a response result;
wherein the content of the simulation strategy is the same as that of the response strategy, and the content of the first data source is the same as that of the second data source.
On the basis of the original single operating system software architecture, virtualization software is introduced and an isolated dual operating system software task running environment is built on the same controller hardware. The real operation control module is deployed in one operating environment to form the conventional control software environment. The other operating system implements the external network attack defense function by simulating and checking the external input data, forming the network defense software environment. The network defense software environment and the conventional control software environment are isolated from each other, so a fault in the defense function itself cannot affect the conventional control function; the defense function is isolated and the operational safety of the controller is improved.
When the controller receives input data from the external network, the first management system performs the security check on the data written from the external network. The checking technique differs from white list technology: a simulated control logic operating environment runs inside the module, the response to the input data is simulated in that environment using the input data, and the final operation result is checked to judge whether the data written from the external network is illegal. This avoids a response of the second management system to illegal data and improves the safety of the controller.
Optionally, if the simulation result is abnormal, the first management system discards the input data, so that the second management system does not respond to illegal data, improving the safety of the controller.
Optionally, the storage areas of the simulation result and the response result are isolated from each other, so as to reduce the influence of the simulation result generated by illegally inputting data on the normal operation of the controller.
Optionally, before simulating the input data, the first management system first filters the input data using a preset data filtering policy, and performs the simulation only if the input data passes the filter.
The data filtering policy may be a white list determined on the basis of five-tuple information.
By filtering the data, the security risk brought by illegal data to the first management system can be reduced, and the security of the first management system is improved.
Optionally, a storage area for input data shared by the first management system and the second management system is set up;
after receiving the input data, the first management system stores the input data in that storage area and marks its state as not simulated;
if the simulation result of the input data is not abnormal, the state of the input data is updated to simulation passed;
the second management system checks the storage area for input data whose state is simulation passed, and reads only input data in that state.
By setting up the shared storage area for input data, the first management system and the second management system can each process the input data, and the data state triggers the processing of the first and second management systems.
Optionally, after outputting the response result, the second management system deletes the input data from the storage area of the input data.
According to the method provided by the embodiment of the application, the input data is subjected to simulation processing, whether the simulation result is abnormal or not is checked, the correctness of the input data is judged, the response of the controller to the input data causing the abnormality is reduced, and the network attack defending capability of the controller is improved.
In one exemplary embodiment, a mutually isolated operating environment is created by:
creating a communication virtual machine and a control virtual machine, where the communication virtual machine runs the first management system and the control virtual machine runs the second management system, and the communication virtual machine has the authority to manage the control virtual machine.
A dual operating system running environment is built on the virtualization software XEN: one operating system, OS1, is the privileged operating system with XEN management authority, and the other, GuestOS, is an operating system with ordinary authority. The first operating system runs the first management system and completes the network defense function of the controller; it is called the communication virtual machine. The other operating system runs the second management system and completes the field control function of the controller system; it is called the control virtual machine. In XEN, the operating system holding the virtual machine management function, Dom0, has the authority to manage and monitor the running state of the other virtual machines, and operating-system-level faults of the other virtual machines do not affect the operation of Dom0. The first management system is therefore better deployed on Dom0, from where it provides the network defense function for the whole operation of the control virtual machine. Note that this also makes the network-facing component the privileged one: the isolation protects the control virtual machine from faults in the defense function, not from a compromise of Dom0 itself, so the data filtering (white list) step in front of the simulation remains important.
In the method, a virtual machine operating system is added, which inevitably leads to hardware load increase. To improve performance, a mutually isolated operating environment may be created using a scheme comprising:
the second management system runs in the controller's operating system, and a container is created in which the first management system runs.
An independent container environment is constructed with a docker container and the first management system is deployed in it. Compared with an operating system in a virtual machine this improves performance, but the reliability of the isolation is correspondingly lower.
In the implementation process of a specific scheme, which scheme is adopted can be determined according to the hardware resources of the specific controller and the security requirement.
Fig. 2 is a schematic diagram of a controller network attack defense method based on a virtualization technology according to an embodiment of the present application. As shown in fig. 2, compared with the structure of fig. 1, the structure of fig. 2 is modified as follows:
1. With the hardware architecture of the existing controller unchanged, the virtualization software XEN is introduced and a dual operating system software environment is built on the same hardware. One operating system runs the control module, whose internal design is consistent with the original scheme and which completes the conventional control function of the controller; it is collectively called the control virtual machine, and the control module running on it realizes the function of the second management system. The other operating system deploys the control simulation checking and processing device and the network communication module, completing the communication function and the communication security defense function; it is collectively called the communication virtual machine, and the functional units running on it realize the function of the first management system. The internal design of the network communication module still uses the white-list based defense design. On top of that, a control simulation checking and processing module is added, which adds the new network defense function.
2. A nonvolatile storage medium that survives power loss, Norflash, is added externally to the original hardware environment. It stores the logic project used to check the validity of the output module's operation result.
3. A control simulation checking and processing device is added. It comprises a control logic operation simulation module and a checking and processing module. The control logic operation simulation module produces the simulated operation result for the input data; the checking and processing module checks that simulated operation result using the operation result check logic project, discards the written data when an abnormality is detected, and writes the data to the control module when the check passes.
The operation result check logic project is written by engineering users in an industrial control language on the controller configuration software. Its main function is to check the operation result against the actual conditions of the site and produce a check result. After programming, the check logic project is downloaded to the controller through the configuration software, and the controller stores it in the nonvolatile Norflash medium so that it is not lost after power failure.
It should be noted that in the example shown in fig. 2 the dual operating system software environment is built on the same hardware through XEN virtualization software, and the independent operating system environment is used to deploy the operation control simulation module that detects and defends against external network attacks. Alternatively, other virtualization software such as KVM or ACRN can be used to build the running environment of the control simulation module. The interfaces and usage of different virtualization software differ, and the corresponding alternative is chosen according to the specific situation when the scheme is implemented.
Fig. 3 is a schematic diagram of data processing in the system of fig. 2. As shown in fig. 3, the control simulation module includes:
a communication data receiving and transmitting unit, which implements the communication interaction, including: receiving the data written by the network communication unit, sending alarm data to the network communication unit, and writing legal data to the control unit. After the controller receives external write data, this unit passes the data to the logic operation unit.
a data acquisition unit, which acquires the input data; to keep the logic operation input data consistent between the communication virtual machine and the real environment, the communication virtual machine and the control virtual machine use the same data source and both acquire data from the control logic input data memory area.
a logic operation unit, which performs the logic operation on the written data and the acquired data and outputs the logic operation result. The algorithm of this logic operation is identical to that of the logic operation unit on the control virtual machine.
an output data unit, which outputs the logic operation result to the simulated logic output memory area. That memory area is a separately partitioned area, so the real control output memory area, and hence the field control, is not affected.
The checking and processing module includes:
a result checking unit, which loads the operation result check logic project from the nonvolatile storage medium, runs that check logic on the simulated operation result, and outputs the check result to the exception handling unit.
an exception handling unit, which, when the check result is normal, notifies the communication data receiving and transmitting unit to write the data into the control module; when the check result is abnormal, the written data is discarded and the communication module is notified to send alarm data.
Fig. 4 is a flowchart of a controller network security management method according to an embodiment of the present application. As shown in fig. 4, the method includes:
step 401, a communication data transceiver unit in the network communication module receives external network write-in data.
Step 402, the communication link defense module in the network communication module performs the white list defense check. If the check fails, jump to step 409; if the check passes, the network write data is passed to the control simulation module and the flow proceeds to step 403.
Step 403, the communication data receiving and transmitting unit in the control simulation module receives the write data.
Step 404, the data acquisition unit in the control simulation module acquires the input data; the acquired data source is the same as the data source acquired by the actual control module.
Step 405, the logic operation unit in the control simulation module performs the operation; its logic algorithm is the same as that used by the actual control module.
Step 406, the output data unit in the control simulation module outputs the operation result to the independent simulated logic output memory area, so that the real control logic output memory area is not affected.
Step 407, the result checking unit in the checking and processing module loads the operation result check logic project from the Norflash.
Step 408, the exception handling unit in the checking and processing module determines whether an abnormality has occurred: it runs the operation result check project with the data of the simulated logic output memory area as input. If the check is abnormal, jump to steps 409 and 410; if the check is normal, jump to step 411.
Step 409, discard the network write data.
Step 410, send a communication alarm, and end the flow.
Step 411, the exception handling unit in the checking and processing module writes the external network data into the control module, and the flow ends.
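The flow of steps 401 to 411 above, together with the shared input storage area and its "not simulated" / "simulation passed" states described earlier in the detailed description, as an added illustrative implementation in Python. This is example code written for this page, not code from the patent or from Hollysys: the five-tuple white list, the boiler pressure control logic, the check limits, and all class and function names (WriteRequest, CommVM, ControlVM, control_logic, check_result, run_demo) are constructed assumptions, and the check project that would be loaded from Norflash on the real controller is just an in-memory dictionary here.

```python
"""Added example (not code from the patent or from Hollysys): simulate, check, then commit.
The names, the boiler control logic, the white list and the check limits are constructed."""
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    NOT_SIMULATED = "not simulated"    # set by the first management system on receipt
    SIM_PASSED = "simulation passed"   # the only state the control side will consume

@dataclass
class WriteRequest:
    """One external-network write: its five-tuple plus the parameter it changes."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    tag: str
    value: float
    state: State = State.NOT_SIMULATED

# Step 402: static five-tuple white list (constructed). The source port is
# treated as ephemeral and wildcarded, an assumption of this example.
WHITELIST = {("10.0.0.5", "10.0.0.10", "tcp", 502)}

# Operation-result check project (constructed limits). On the real controller this
# is engineer-written check logic loaded from Norflash; here it is a dictionary.
CHECK_PROJECT = {"pressure_setpoint": (0.0, 2.0), "fuel_valve": (0.0, 80.0)}

def whitelist_pass(req):
    return (req.src_ip, req.dst_ip, req.proto, req.dst_port) in WHITELIST

def control_logic(field_inputs, params):
    """Shared control algorithm: the same code runs in both environments (step 405)."""
    err = params["pressure_setpoint"] - field_inputs["boiler_pressure"]
    valve = max(0.0, min(100.0, 50.0 + 10.0 * err))      # toy proportional control
    return {"pressure_setpoint": params["pressure_setpoint"], "fuel_valve": round(valve, 3)}

def check_result(result, project):
    """Step 408: names of every output that lies outside its engineered limits."""
    return [k for k, (lo, hi) in project.items() if not lo <= result[k] <= hi]

class CommVM:
    """First management system: white list, simulate, check, then release or discard."""
    def __init__(self, shared_store, field_inputs, params):
        self.shared_store = shared_store   # input area shared with ControlVM
        self.field_inputs = field_inputs   # same data source as ControlVM (step 404)
        self.params = dict(params)         # private mirror, never the live parameters
        self.sim_output = {}               # isolated simulation output area (step 406)
        self.alarms = []

    def handle_write(self, req):
        if not whitelist_pass(req):                            # step 402 -> 409, 410
            self.alarms.append(f"not on white list: {req.src_ip}->{req.dst_port}")
            return False
        self.shared_store.append(req)                          # stored as NOT_SIMULATED
        trial = {**self.params, req.tag: req.value}
        self.sim_output = control_logic(self.field_inputs, trial)   # steps 404-406
        bad = check_result(self.sim_output, CHECK_PROJECT)           # steps 407-408
        if bad:
            self.shared_store.remove(req)                      # step 409: discard
            self.alarms.append(f"simulation rejected {req.tag}={req.value}: {bad}")
            return False
        self.params[req.tag] = req.value                       # keep the mirror in step
        req.state = State.SIM_PASSED                           # step 411: release
        return True

class ControlVM:
    """Second management system: consumes only writes marked SIM_PASSED."""
    def __init__(self, shared_store, field_inputs, params):
        self.shared_store = shared_store
        self.field_inputs = field_inputs
        self.params = dict(params)

    def cycle(self):
        for req in [r for r in self.shared_store if r.state is State.SIM_PASSED]:
            self.params[req.tag] = req.value
            self.shared_store.remove(req)                      # consumed, so deleted
        return control_logic(self.field_inputs, self.params)

def run_demo():
    """Three constructed writes: legitimate, boiler over-pressure, and off-white-list."""
    shared, field, start = [], {"boiler_pressure": 1.2}, {"pressure_setpoint": 1.2}
    comm, ctrl = CommVM(shared, field, start), ControlVM(shared, field, start)
    legit = WriteRequest("10.0.0.5", "10.0.0.10", "tcp", 40001, 502, "pressure_setpoint", 1.5)
    attack = WriteRequest("10.0.0.5", "10.0.0.10", "tcp", 40002, 502, "pressure_setpoint", 5.0)
    stranger = WriteRequest("10.0.0.99", "10.0.0.10", "tcp", 40003, 502, "pressure_setpoint", 1.0)
    out = {"legit": comm.handle_write(legit)}
    ctrl.cycle()                                    # control side picks up the release
    out["attack"] = comm.handle_write(attack)
    out["sim_valve_attack"] = comm.sim_output["fuel_valve"]
    out["stranger"] = comm.handle_write(stranger)
    out["control"] = ctrl.cycle()                   # live parameters were never touched
    out["alarms"], out["pending"] = len(comm.alarms), len(shared)
    return out

if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the demo result: the legitimate set-point write is released to the control side and applied there, the write that would drive the fuel valve past its engineered limit is rejected after the simulation (which used the control side's own parameters and data source) with the control side's parameters and output untouched, and the write from a host that is not on the white list never reaches the simulation. The point a practitioner should take from it is in check_result: the scheme rejects exactly what the engineer-written check project can detect, so the limits in that project decide the coverage.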
In summary, the embodiment of the application provides a controller network attack defense scheme based on a nonvolatile storage medium and a virtualization technology. It has the following advantages:
First, fault isolation of the protection is better. On the basis of the original single operating system software architecture, XEN virtualization software is introduced and an isolated dual operating system software task running environment is built on the same controller hardware. The real operation control module is deployed in one operating environment to form the conventional control software environment; the other operating system deploys the external communication module and the control simulation module to complete the external network attack defense function, forming the network defense software environment. The network defense software environment is isolated from the conventional control software environment, and the conventional control function is not affected by faults of the defense function itself.
Second, the defense scope is wider. Compared with the static check design of the traditional white list, this network defense scheme is designed around checking the result of an actual simulated execution. Whatever attack means is used from the external network, the write is executed in the simulation environment first and is rejected as soon as the final result check fails, so the defense does not depend on recognizing the attack and covers more attack means, including a legitimate (white-listed) source writing an illegal value. Its coverage is bounded by what the engineer-written check logic project tests: a write whose simulated result stays within the checked limits passes. In addition, because the simulated write and the simulation operation run in the simulation environment, the data area of the control module is not rewritten; after a fault is found, the operating data of the conventional control module is unaffected, which helps automatic recovery from the network fault.
Third, the check logic project is more reliable. An external Norflash nonvolatile storage medium is added to the hardware to store the operation result check logic project. In each detection the check logic project is loaded from Norflash, which prevents loss of the project and avoids the memory overflow and overwrite faults of keeping the check logic project in memory, so reliability is higher.
An embodiment of the present application provides a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method described in any of the above when run.
An embodiment of the present application provides an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the method described in any of the above.
An embodiment of the present application provides a controller network attack defense system based on virtualization technology, comprising: a controller comprising the electronic device described above; and a memory for storing an abnormality checking strategy, wherein the abnormality checking strategy is used to judge whether the simulation result is abnormal.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and functional modules/units in the apparatus and methods disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery media.

Claims (10)

1. A method for defending against network attacks on a controller based on virtualization technology, wherein the controller comprises a first management system and a second management system, wherein the first management system and the second management system operate in mutually isolated operating environments, wherein the mutually isolated operating environments are created at a software layer of an operating system by using virtualization software, the method comprising:
after receiving input data, the first management system carries out simulation processing on the input data using a preset first data source and a preset simulation strategy to obtain a simulation result, and detects whether the simulation result is abnormal; if the simulation result is not abnormal, the input data, with its data state marked as having passed simulation, is sent to the second management system;
the second management system receives the input data whose data state is passed simulation, responds to it using a preset second data source and a preset response strategy, and outputs a response result;
wherein the content of the simulation strategy is the same as that of the response strategy, and the content of the first data source is the same as that of the second data source.
2. The method of claim 1, wherein the mutually isolated operating environments are created by:
creating a communication virtual machine and a control virtual machine, wherein the communication virtual machine runs the first management system, and the control virtual machine runs the second management system, and the communication virtual machine has the authority to manage the control virtual machine;
or,
the second management system is run in an operating system in the controller and a container is created in which the first management system is run.
3. The method according to claim 1, wherein the method further comprises:
and if the simulation result is abnormal, deleting the first data by the first management system.
4. The method according to claim 1, characterized in that:
the storage areas of the simulation result and the response result are isolated from each other.
5. The method according to claim 1, wherein the method further comprises:
the first management system processes the input data by utilizing a preset data filtering strategy before processing the input data; and if the processing is passed, performing simulation processing on the input data.
6. The method according to any one of claims 1 to 5, wherein:
a storage area for input data, shared by the first management system and the second management system, is set;
after receiving the input data, the first management system stores the input data in the storage area for input data and marks the state of the input data as not simulated;
after the simulation result of the input data is abnormal, the state of the input data is updated to passed simulation;
the second management system detects whether the storage area for input data contains input data whose data state is passed simulation, and reads the input data whose data state is passed simulation.
7. The method of claim 6, wherein the method further comprises:
after outputting the response result, the second management system deletes the input data from the storage area for input data.
8. A storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method of any of claims 1 to 7 when run.
9. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of any of the claims 1 to 7.
10. A controller network attack defense system based on a virtualization technology, comprising:
a controller comprising the electronic device of claim 9;
and a memory for storing an abnormality checking strategy, wherein the abnormality checking strategy is used to judge whether the simulation result is abnormal.
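The two-stage flow claimed above (claims 1 to 7), and summarised in the three advantage paragraphs of the description, as an added worked example; this is illustrative code written for this page, not the patent holder's implementation. It models the shared input storage area with its "not simulated" / "passed simulation" states, a first management system that rehearses each write against its own copy of the data source and applies an abnormality checking strategy to the rehearsed result, and a second management system that applies only writes marked as passed and then deletes them. The tag names, the bounds-and-step checking strategy, the "write tag" processing strategy and the class names are all assumptions made for the example; the patent does not specify them.

```python
"""Shadow execution of controller writes in the style of claims 1-7.

Constructed example: tag names, limits and the 'write tag' strategy are
assumptions for illustration, not values taken from the patent.
"""
from copy import deepcopy
from dataclasses import dataclass

NOT_SIMULATED = "not_simulated"      # claim 6: state on arrival
PASSED = "passed_simulation"         # claim 6: state after a clean simulation


@dataclass
class InputData:
    tag: str
    value: float
    state: str = NOT_SIMULATED


# Both management systems start from the same data source content (claim 1).
BASE_DATA_SOURCE = {"setpoint": 50.0, "valve_pos": 30.0, "alarm_hi": 80.0}

# Abnormality checking strategy held in memory (claim 10): per-tag bounds and
# a maximum permitted change per write. Constructed values.
CHECK_STRATEGY = {
    "setpoint": {"min": 0.0, "max": 100.0, "max_step": 20.0},
    "valve_pos": {"min": 0.0, "max": 100.0, "max_step": 50.0},
}


def filter_input(item):
    """Claim 5: data filtering before simulation; only known writable tags pass."""
    return item.tag in CHECK_STRATEGY and isinstance(item.value, (int, float))


def strategy(data_source, item):
    """Processing strategy shared by simulation and response (claim 1):
    a hypothetical 'write tag' that returns the updated data image."""
    data_source[item.tag] = float(item.value)
    return data_source


def is_abnormal(before, after, item):
    """Judge the simulated result with the checking strategy."""
    rule = CHECK_STRATEGY[item.tag]
    new = after[item.tag]
    if not rule["min"] <= new <= rule["max"]:
        return True
    return abs(new - before[item.tag]) > rule["max_step"]


class FirstManagementSystem:
    """Communication-side system: simulates, checks, marks or deletes."""

    def __init__(self, shared_area):
        self.data_source = deepcopy(BASE_DATA_SOURCE)  # isolated first data source
        self.shared = shared_area
        self.sim_results = []  # claim 4: kept apart from response results

    def receive(self, item):
        self.shared.append(item)  # stored as NOT_SIMULATED (claim 6)
        if not filter_input(item):
            self._delete(item)  # claim 3: rejected data is removed
            return False
        after = strategy(deepcopy(self.data_source), item)  # control data untouched
        self.sim_results.append(after)
        if is_abnormal(self.data_source, after, item):
            self._delete(item)
            return False
        # Design choice (assumption): commit the accepted write to the first
        # data source so both copies stay identical for later simulations.
        self.data_source = after
        item.state = PASSED
        return True

    def _delete(self, item):
        self.shared[:] = [i for i in self.shared if i is not item]


class SecondManagementSystem:
    """Control-side system: responds only to data marked as passed."""

    def __init__(self, shared_area):
        self.data_source = deepcopy(BASE_DATA_SOURCE)  # isolated second data source
        self.shared = shared_area
        self.response_results = []

    def poll(self):
        applied = []
        for item in [i for i in self.shared if i.state == PASSED]:  # claim 6
            strategy(self.data_source, item)
            self.response_results.append(deepcopy(self.data_source))
            self.shared[:] = [i for i in self.shared if i is not item]  # claim 7
            applied.append(item.tag)
        return applied


def run_pipeline(inputs):
    """Feed constructed inputs through both systems; returns what was
    accepted, what was applied, the final control data and leftover count."""
    shared = []
    first = FirstManagementSystem(shared)
    second = SecondManagementSystem(shared)
    accepted = [item.tag for item in inputs if first.receive(item)]
    applied = second.poll()
    return accepted, applied, second.data_source, len(shared)


if __name__ == "__main__":
    sample = [InputData("setpoint", 60.0), InputData("valve_pos", 200.0),
              InputData("setpoint", 95.0), InputData("firmware_cmd", 1)]
    print(run_pipeline(sample))
```

In the sample run only the first write survives: the out-of-range valve position and the oversized setpoint step fail the checking strategy and are deleted from the shared area, the unknown tag is rejected by the filter, and the second management system's data source is only ever touched by a write that has already been rehearsed.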

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111497236.7A CN114374535B (en) 2021-12-09 2021-12-09 Controller network attack defense method and system based on virtualization technology
Publications (2)

Publication Number Publication Date
CN114374535A CN114374535A (en) 2022-04-19
CN114374535B true CN114374535B (en) 2024-01-23

Family

ID=81139204

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111497236.7A Active CN114374535B (en) 2021-12-09 2021-12-09 Controller network attack defense method and system based on virtualization technology

Country Status (1)

Country Link
CN (1) CN114374535B (en)

Citations (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106301911A (en) * 2016-08-12 2017-01-04 南京大学 Information Network based on SDN half centralized simulation platform in kind and its implementation
CN106844008A (en) * 2017-01-03 2017-06-13 华为技术有限公司 A kind of method of data manipulation, equipment and system
CN108140057A (en) * 2016-07-14 2018-06-08 铁网网络安全股份有限公司 Network behavior system based on simulation and virtual reality
CN108134792A (en) * 2017-12-25 2018-06-08 四川灵通电讯有限公司 The method for realizing defending against network virus attack in computer systems based on virtualization technology
CN109474605A (en) * 2018-11-26 2019-03-15 华北电力大学 A kind of source net lotus industrial control system composite defense method based on Autonomous Domain
CN109831443A (en) * 2019-02-26 2019-05-31 武汉科技大学 Industrial control network attacking and defending experiment porch and Hardware In The Loop Simulation Method
CN110098951A (en) * 2019-03-04 2019-08-06 西安电子科技大学 A kind of network-combination yarn virtual emulation based on virtualization technology and safety evaluation method and system
CN110784476A (en) * 2019-10-31 2020-02-11 国网河南省电力公司电力科学研究院 Power monitoring active defense method and system based on virtualization dynamic deployment
CN111258712A (en) * 2020-01-10 2020-06-09 苏州浪潮智能科技有限公司 Method and system for protecting safety of virtual machine under virtual platform network isolation
CN111277568A (en) * 2020-01-09 2020-06-12 武汉思普崚技术有限公司 Isolation attack method and system for distributed virtual network
CN111385236A (en) * 2018-12-27 2020-07-07 北京卫达信息技术有限公司 Dynamic defense system based on network spoofing
CN111984975A (en) * 2020-07-24 2020-11-24 华东计算技术研究所(中国电子科技集团公司第三十二研究所) Vulnerability attack detection system, method and medium based on mimicry defense mechanism
CN112073411A (en) * 2020-09-07 2020-12-11 北京软通智慧城市科技有限公司 Network security deduction method, device, equipment and storage medium
CN112134854A (en) * 2020-09-02 2020-12-25 北京华赛在线科技有限公司 Method, device, equipment, storage medium and system for defending attack
CN112398844A (en) * 2020-11-10 2021-02-23 国网浙江省电力有限公司双创中心 Flow analysis implementation method based on internal and external network real-time drainage data
CN112437077A (en) * 2020-11-19 2021-03-02 迈普通信技术股份有限公司 Third party ARP attack and exception handling method, VRRP network and system
CN112565243A (en) * 2020-12-03 2021-03-26 重庆洞见信息技术有限公司 Flow simulation system based on network battle
CN112788034A (en) * 2021-01-13 2021-05-11 泰康保险集团股份有限公司 Processing method and device for resisting network attack, electronic equipment and storage medium
CN112839052A (en) * 2021-01-25 2021-05-25 北京六方云信息技术有限公司 Virtual network security protection system, method, server and readable storage medium
CN113326204A (en) * 2021-06-23 2021-08-31 鹏城实验室 Transformer substation system testing method and device, terminal equipment and storage medium
CN113660282A (en) * 2021-08-23 2021-11-16 公安部第三研究所 Lesox virus defense method and system based on trusted computing and related equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7506170B2 (en) * 2004-05-28 2009-03-17 Microsoft Corporation Method for secure access to multiple secure networks
US11184401B2 (en) * 2015-10-28 2021-11-23 Qomplx, Inc. AI-driven defensive cybersecurity strategy analysis and recommendation system
US10432650B2 (en) * 2016-03-31 2019-10-01 Stuart Staniford System and method to protect a webserver against application exploits and attacks
Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on an intrusion detection service based on XEN; ***; 彭新光; Journal of Hangzhou Dianzi University (No. 06); full text *
Kernel security monitoring scheme based on the Xen virtualization platform; 陈祝红; 崔超远; 王儒敬; 周继冬; 计算机***应用 (No. 07); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant