CN116108437A - Application software safety detection system in application system - Google Patents


Info

Publication number
CN116108437A
Authority
CN
China
Prior art keywords
network
detection model
software
flow
anomaly detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310157939.8A
Other languages
Chinese (zh)
Inventor
吴宏
杨庆武
马瀚卿
姚健
强鹏
郭新灵
白敏�
李海杰
张昊
洪军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inner Mongolia Smart Qingcheng Technology Co ltd
Original Assignee
Inner Mongolia Smart Qingcheng Technology Co ltd
Application filed by Inner Mongolia Smart Qingcheng Technology Co ltd
Priority to CN202310157939.8A
Publication of CN116108437A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses an application software security detection system in an application system and relates to the technical field of information security. The system comprises a software testing hardware system and an all-digital simulation platform. The software testing hardware system comprises a plurality of sensors, a plurality of execution components, an information injection module, a remote control system, a computer management module, a control computer and a power management module; the sensors and the execution components are connected to the control computer through a serial port. The all-digital simulation platform comprises a fault injection model library, the tested software, an input interface, a CPU simulator, a virtual hardware model block and a recording interface. Through a dual-view monitoring mechanism that combines an industrial view with a network topology view, the invention can monitor the state of the industrial process and the network communication instructions and behavior at the same time, present the traffic and behavior of the industrial control system, visualize the network connection topology and the network running state, perform comparative analysis, and improve the security level of the application software.

Description

Application software safety detection system in application system
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an application software security detection system in an application system.
Background
An application system generally consists of a computer hardware system, system software and application software. The computer hardware system typically consists of an arithmetic unit and a controller, memory, peripheral interfaces and peripherals. The system software includes the operating system, compilers, a database management system, various high-level languages and the like. The application software in an application system generally consists of general-purpose supporting software and various application software packages; these form the part of the software that people use directly, such as browsers, chat software, CAD drawing software and the like.
The security of the system software in a computer system is relatively high, whereas the security of the application software is much lower, owing to factors such as differing application purposes, differing programming languages and simple functionality; as a result, application software is easily infected by Trojan horses and vulnerabilities appear during use. For this reason much antivirus software has been produced in the prior art. Its working principle is to traverse the application software in the computer system in search of Trojan horses and vulnerabilities, but prior-art antivirus software identifies them by comparing the software code against the known viruses stored in a virus library; this method is one-dimensional and cannot deeply identify the many other Trojan horses and software vulnerabilities. How to provide an application software security detection system in an application system that removes Trojan horses and viruses safely and efficiently is therefore a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide an application software security detection system in an application system which performs multidimensional, fine-grained analysis of network traffic and network behavior and, through a dual-view monitoring mechanism combining an industrial view with a network topology view, solves the problem that existing application systems cannot deeply identify more Trojan horses and software vulnerabilities.
In order to solve the technical problems, the invention is realized by the following technical scheme:
the invention relates to an application software security detection system in an application system, which comprises a software testing hardware system and an all-digital simulation platform;
the software testing hardware system comprises a plurality of sensors, a plurality of execution components, an information injection module, a remote control system, a computer management module, a control computer and a power management module;
the information injection module, the remote control system, the computer management module, the control computer and the power management module are connected in sequence and bidirectionally; the sensors and the execution components are connected to the control computer through a serial port;
the all-digital simulation platform comprises a fault injection model library, the tested software, an input interface, a CPU simulator, a virtual hardware model block and a recording interface.
As a preferred technical scheme, the sensors process the acquired data; the execution components classify data over a bus and place the serial port in communication with the remote control system; the control host is used for inputting the required physical conditions, and the simulation interface mainly comprises a bus interface and serial and parallel interfaces for computer communication, and supplies sensor data, actuator data and joystick control data to the power supply.
As a preferred technical scheme, the CPU simulator simulates the real environment in which the software runs; the virtual hardware model block simulates the bus connections and the serial ports, parallel ports and chips; the simulation model library provides a dynamic simulation environment for the running software and controls the simulated software in real time; the input interface lets a tester set a script through it so as to control the security state of the software; the recording interface provides real-time monitoring and analysis of the test and processes the data generated by the models, the real-time information of the tested software and its coverage; the fault injection model library is used for inputting fault information, setting the received information according to abnormal data acquired by the sensors, and then providing stimulus to the tested software.
As a preferred technical scheme, the fault injection model library comprises a network behavior anomaly detection model, a network traffic anomaly detection model, a network malicious code detection model and an industrial control message anomaly detection model.
As a preferred technical scheme, the network behavior anomaly detection model comprises an industrial control asset equipment anomaly detection model, an industrial control system network order anomaly detection model, a network port communication anomaly detection model and a network behavior analysis model based on protocol deep identification. The industrial control asset equipment anomaly detection model uses combined active and passive accurate device identification and automatic topology discovery to monitor the industrial control assets and network in real time and to establish an IP asset baseline. The industrial control system network order anomaly detection model maps the access relations among all assets of the service system through flexible blacklist, whitelist and greylist policy configuration and self-learning, automatically generates a service access topology graph to form a service access behavior relation baseline, and judges whether a service access behavior is abnormal according to the relation, direction, frequency and time of the behavior. The network port communication anomaly detection model raises an early warning for a timeout or interruption of network port communication when a network port of the message acquisition unit that previously carried traffic receives no traffic within a specified time. The network behavior analysis model based on protocol deep identification performs deep content analysis and identification of the industrial control protocol, extracts the industrial control instructions and the user behavior in the protocol at fine granularity, correlates them with the service and the technological process, and performs comparative analysis.
As a preferred technical scheme, the network traffic anomaly detection model comprises a network line traffic and rate anomaly detection model, a network asset equipment traffic and rate anomaly detection model and a network protocol traffic and rate anomaly detection model. The network line traffic and rate anomaly detection model performs statistical analysis, checking and early warning on the rate of the network traffic, and counts the total traffic, maximum rate, average rate, maximum utilization and average utilization of the line. The network asset equipment traffic and rate anomaly detection model statistically analyzes, checks and raises early warnings on the network traffic against a historical traffic baseline, and the system counts the total traffic, maximum rate, average rate, maximum utilization and average utilization of each asset. The network protocol traffic and rate anomaly detection model analyzes, checks and raises early warnings on the uplink and downlink traffic on the basis of the application-layer, transport-layer and network-layer protocols, and the system can count, per protocol, the total traffic, total packet count, uplink and downlink traffic and packets, and each protocol's share of the packets.
As a preferred technical scheme, the network malicious code detection model identifies and raises early warnings on device vulnerability attack behavior, on software vulnerability attack behavior within the system, and on vulnerability attack behavior against the industrial control protocols commonly used in the system.
As a preferred technical scheme, the industrial control message anomaly detection model is used for sending data according to its configuration, and an early warning is raised once the industrial control network anomaly sensing system detects that the network behavior of a device is inconsistent with that configuration.
The invention has the following beneficial effects:
through a dual-view monitoring mechanism that combines an industrial view with a network topology view, the invention can monitor the state of the industrial process and the network communication instructions and behavior at the same time, present the traffic and behavior of the industrial control system, visualize the network connection topology and the network running state, perform comparative analysis, and improve the security level of the application software.
Of course, no product practicing the invention necessarily achieves all of the advantages set forth above at the same time.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a hardware architecture diagram of an application software security detection system in an application system of the present invention;
FIG. 2 is a schematic diagram of an all-digital simulation platform.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to FIG. 1, the invention is an application software security detection system in an application system, comprising a software testing hardware system and an all-digital simulation platform;
the software testing hardware system comprises a plurality of sensors, a plurality of execution components, an information injection module, a remote control system, a computer management module, a control computer and a power management module;
the information injection module, the remote control system, the computer management module, the control computer and the power management module are connected in sequence and bidirectionally; the sensors and the execution components are connected to the control computer through a serial port;
referring to FIG. 2, the all-digital simulation platform comprises a fault injection model library, the tested software, an input interface, a CPU simulator, a virtual hardware model block and a recording interface.
The sensors process the acquired data; the execution components classify data over a bus and place the serial port in communication with the remote control system; the control host is used for inputting the required physical conditions, and the simulation interface mainly comprises a bus interface and serial and parallel ports for computer communication, and supplies sensor data, actuator data, joystick control data and the like to the power supply.
The CPU simulator simulates the real environment in which the software runs; the virtual hardware model block simulates the bus connections and the serial ports, parallel ports and chips; the simulation model library provides a dynamic simulation environment for the running software and controls the simulated software in real time; the input interface lets a tester set a script through it so as to control the security state of the software; the recording interface provides real-time monitoring and analysis of the test and processes the data generated by the models, the real-time information of the tested software and its coverage; the fault injection model library is used for inputting fault information, setting the received information according to abnormal data acquired by the sensors, and providing stimulus to the tested software; typically the processor, bus and peripherals are set to a fault state, and the hardware part is designed accordingly, with these settings serving as the constraint conditions of the operating environment.
The fault injection model library comprises a network behavior anomaly detection model, a network traffic anomaly detection model, a network malicious code detection model and an industrial control message anomaly detection model.
The network behavior anomaly detection model comprises an industrial control asset equipment anomaly detection model, an industrial control system network order anomaly detection model, a network port communication anomaly detection model and a network behavior analysis model based on protocol deep identification. The industrial control asset equipment anomaly detection model uses combined active and passive accurate device identification and automatic topology discovery to monitor the industrial control assets and network in real time and to establish an IP asset baseline. The industrial control system network order anomaly detection model maps the access relations among all assets of the service system through flexible blacklist, whitelist and greylist policy configuration and self-learning, automatically generates a service access topology graph to form a service access behavior relation baseline, and judges whether a service access behavior is abnormal according to the relation, direction, frequency and time of the behavior. The network port communication anomaly detection model raises an early warning for a timeout or interruption of network port communication when a network port of the message acquisition unit that previously carried traffic receives no traffic within the specified time. The network behavior analysis model based on protocol deep identification performs deep content analysis and identification of the industrial control protocol, extracts the industrial control instructions and the user behavior in the protocol at fine granularity, correlates them with the service and the technological process, and performs comparative analysis.
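The service access relation baseline and the silent-port timeout described in this paragraph (and again in the Disclosure of Invention and claim 5) can be shown concretely. The following Python is an added example written for this page, not code from the patent or its assignee: it learns a relation baseline from constructed flow records, judges a later window by relation, direction, frequency and hour of day under a blacklist/whitelist/greylist policy, and lists capture-unit ports that have been silent past a timeout. All addresses, ports, counts, the 3x frequency ratio and the 60 s timeout are constructed assumptions.

```python
"""Baseline-and-compare checks for industrial control network behavior.

Added illustration, not code from the patent: it shows two of the checks the
description lists, a learned service access behavior baseline judged by
relation, direction, frequency and time of day under a blacklist/whitelist/
greylist policy, and a silent-port check for a capture port that used to
carry traffic.  Every record, address and threshold below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# A flow record is (timestamp_seconds, src_ip, dst_ip, dst_port, protocol).
# Direction is part of the relation key: a->b and b->a are different relations.
PLC, HMI1, HMI2, ENG, SCADA = "10.0.0.20", "10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.30"


def _rec(day, hour, src, dst, port, proto):
    """Build a constructed record at five minutes past the given day/hour."""
    return (day * 86400 + hour * 3600 + 300, src, dst, port, proto)


LEARNING_WINDOWS = 4  # the baseline below was learned over four one-day windows
LEARNING = [
    *[_rec(d, h, HMI1, PLC, 502, "modbus")
      for d, h in [(0, 8), (0, 9), (1, 8), (1, 10), (2, 9), (2, 10), (3, 8), (3, 9)]],
    *[_rec(d, h, HMI2, PLC, 502, "modbus") for d, h in [(0, 8), (1, 9), (2, 10), (3, 11)]],
    *[_rec(d, 9, ENG, SCADA, 102, "s7comm") for d in range(4)],
]
POLICY = {
    "white": {("10.0.0.2", PLC, 22, "ssh")},  # maintenance host: never alerted
    "black": {(HMI1, PLC, 23, "telnet")},     # always alerted, learned or not
}
# Anything not in a white or black list is "grey" and judged against the baseline.
EVALUATION = [
    *[_rec(4, 9, HMI1, PLC, 502, "modbus") for _ in range(7)],  # 7 vs about 2 per window
    _rec(4, 2, HMI2, PLC, 502, "modbus"),         # known relation at an unseen hour
    _rec(4, 9, "10.0.0.99", PLC, 502, "modbus"),  # relation absent from the baseline
    _rec(4, 9, HMI1, PLC, 23, "telnet"),          # blacklisted relation
    _rec(4, 9, "10.0.0.2", PLC, 22, "ssh"),       # whitelisted: unseen but no alert
    _rec(4, 9, ENG, SCADA, 102, "s7comm"),        # normal
]


def hour_of(ts):
    return (ts // 3600) % 24


@dataclass
class Relation:
    count: int = 0
    hours: set = field(default_factory=set)


def learn_baseline(records):
    """Service access behavior relation baseline: count and active hours per relation."""
    baseline = defaultdict(Relation)
    for ts, src, dst, port, proto in records:
        rel = baseline[(src, dst, port, proto)]
        rel.count += 1
        rel.hours.add(hour_of(ts))
    return dict(baseline)


def detect(baseline, window, policy, learning_windows, ratio=3.0):
    """Judge one window of records; return (kind, relation, detail) alerts."""
    alerts, seen = [], Counter()
    for ts, src, dst, port, proto in window:
        key = (src, dst, port, proto)
        seen[key] += 1
        if key in policy["white"]:
            continue
        if key in policy["black"]:
            alerts.append(("blacklisted", key, None))
        elif key not in baseline:
            alerts.append(("new_relation", key, None))
        elif hour_of(ts) not in baseline[key].hours:
            alerts.append(("off_hours", key, hour_of(ts)))
    # Frequency: compare this window's count with the mean count per learning window.
    for key, n in seen.items():
        if key in baseline and n > ratio * baseline[key].count / learning_windows:
            alerts.append(("frequency", key, n))
    return alerts


def silent_ports(last_seen, now, timeout):
    """Capture-unit ports that carried traffic before but have been silent longer than timeout."""
    return sorted(port for port, ts in last_seen.items() if now - ts > timeout)


LAST_SEEN = {"eth0": 100, "eth1": 3980, "eth2": 3900}  # constructed last-packet times

if __name__ == "__main__":
    for alert in detect(learn_baseline(LEARNING), EVALUATION, POLICY, LEARNING_WINDOWS):
        print(alert)
    print("silent ports:", silent_ports(LAST_SEEN, now=4000, timeout=60))
```

The relation key includes direction, so a reply flow from the PLC back to an HMI is a separate relation from the request flow and is judged on its own baseline. The frequency check compares one window's count with the mean count per learning window, which is the simplest form of the self-learning the description mentions; a real deployment would use a longer learning phase and a per-relation spread rather than one fixed ratio.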
The network traffic anomaly detection model comprises a network line traffic and rate anomaly detection model, a network asset equipment traffic and rate anomaly detection model and a network protocol traffic and rate anomaly detection model. The network line traffic and rate anomaly detection model performs statistical analysis, checking and early warning on the rate of the network traffic, and counts the total traffic, maximum rate, average rate, maximum utilization and average utilization of the line. The network asset equipment traffic and rate anomaly detection model statistically analyzes, checks and raises early warnings on the network traffic against the historical traffic baseline, and counts the total traffic, maximum rate, average rate, maximum utilization and average utilization of each asset. The network protocol traffic and rate anomaly detection model analyzes, checks and raises early warnings on the uplink and downlink traffic on the basis of the application-layer, transport-layer and network-layer protocols, and the system can count, per protocol, the total traffic, total packet count, uplink and downlink traffic and packets, and each protocol's share of the packets.
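The counters this model is said to keep (the same ones listed in the Disclosure of Invention and claim 6) can be computed from per-packet summaries. The following Python is an added example for this page, not code from the patent: it computes total traffic, maximum and average rate and utilization for a line, compares each asset's peak rate with a historical baseline, and breaks traffic down per protocol into uplink and downlink bytes, packet counts and packet share. The 10 Mbit/s line capacity, the monitored asset set (uplink is defined here as traffic leaving that set), the packet summaries and the baseline figures are all constructed assumptions.

```python
"""Traffic and rate statistics for a line, its assets and its protocols.

Added illustration, not code from the patent.  It computes the counters the
description lists (total traffic, maximum and average rate, maximum and average
utilization; per-asset comparison with a historical baseline; per-protocol
uplink/downlink bytes, packet counts and packet share) over constructed packet
summaries.  Line capacity, the monitored asset set (which defines uplink as
traffic leaving it) and the baseline figures are all constructed assumptions.
"""
from collections import defaultdict

LINK_CAPACITY_BPS = 10_000_000            # assumed 10 Mbit/s line
INTERNAL = {"10.0.0.20", "10.0.0.30"}     # monitored assets; uplink = from INTERNAL outward
# Constructed packet summaries: (second, src_ip, dst_ip, protocol, bytes)
PACKETS = [
    (0, "10.0.0.5", "10.0.0.20", "modbus", 100), (0, "10.0.0.20", "10.0.0.5", "modbus", 60),
    (1, "10.0.0.5", "10.0.0.20", "modbus", 100), (1, "10.0.0.20", "10.0.0.5", "modbus", 60),
    (2, "10.0.0.9", "10.0.0.30", "s7comm", 200), (2, "10.0.0.30", "10.0.0.9", "s7comm", 120),
    (3, "10.0.0.9", "10.0.0.30", "s7comm", 200), (3, "10.0.0.30", "10.0.0.9", "s7comm", 120),
    (4, "10.0.0.99", "10.0.0.20", "http", 1_000_000),  # one-second burst into the PLC
    (5, "10.0.0.5", "10.0.0.20", "modbus", 100),
]
# Constructed historical baseline: mean and standard deviation of per-second bytes.
ASSET_BASELINE = {
    "10.0.0.20": {"mean_rate": 200.0, "std_rate": 50.0},
    "10.0.0.30": {"mean_rate": 300.0, "std_rate": 20.0},
}


def _per_second(packets):
    """Bytes per one-second bucket and the span of the observation in seconds."""
    buckets = defaultdict(int)
    for sec, _src, _dst, _proto, size in packets:
        buckets[sec] += size
    duration = max(buckets) - min(buckets) + 1
    return buckets, duration


def line_stats(packets, capacity_bps):
    """Total traffic, max/average rate (bytes/s) and max/average utilization of a line."""
    buckets, duration = _per_second(packets)
    total, max_rate = sum(buckets.values()), max(buckets.values())
    avg_rate = total / duration
    return {"total_bytes": total, "max_rate_Bps": max_rate, "avg_rate_Bps": avg_rate,
            "max_util": max_rate * 8 / capacity_bps, "avg_util": avg_rate * 8 / capacity_bps}


def asset_stats(packets):
    """Same counters per asset, counting bytes sent or received by the asset."""
    by_asset = defaultdict(list)
    for pkt in packets:
        by_asset[pkt[1]].append(pkt)
        by_asset[pkt[2]].append(pkt)
    stats = {}
    for asset, pkts in by_asset.items():
        buckets, duration = _per_second(pkts)
        total = sum(buckets.values())
        stats[asset] = {"total_bytes": total, "max_rate_Bps": max(buckets.values()),
                        "avg_rate_Bps": total / duration}
    return stats


def asset_alerts(stats, baseline, k=3.0):
    """Assets whose peak per-second rate exceeds mean + k*std of their historical baseline."""
    return [(asset, stats[asset]["max_rate_Bps"]) for asset, b in baseline.items()
            if asset in stats and stats[asset]["max_rate_Bps"] > b["mean_rate"] + k * b["std_rate"]]


def protocol_stats(packets, internal):
    """Per protocol: packets, bytes, uplink/downlink bytes and share of all packets."""
    per = defaultdict(lambda: {"packets": 0, "bytes": 0, "uplink_bytes": 0, "downlink_bytes": 0})
    for _sec, src, dst, proto, size in packets:
        entry = per[proto]
        entry["packets"] += 1
        entry["bytes"] += size
        if src in internal:
            entry["uplink_bytes"] += size
        if dst in internal:
            entry["downlink_bytes"] += size
    for entry in per.values():
        entry["packet_share"] = entry["packets"] / len(packets)
    return dict(per)


if __name__ == "__main__":
    print(line_stats(PACKETS, LINK_CAPACITY_BPS))
    print(asset_alerts(asset_stats(PACKETS), ASSET_BASELINE))
    for proto, entry in protocol_stats(PACKETS, INTERNAL).items():
        print(proto, entry)
```

With the constructed data the line peaks at 80 % utilization in the second of the burst, the PLC at 10.0.0.20 is flagged because its peak of 1 000 000 bytes/s is far above its baseline mean plus three standard deviations, while 10.0.0.30 stays inside its baseline; the protocol breakdown attributes the whole burst to downlink HTTP, which is the kind of per-protocol view the description uses for checking uplink and downlink traffic.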
The network malicious code detection model identifies and raises early warnings on device vulnerability attack behavior, on software vulnerability attack behavior within the system, and on vulnerability attack behavior against the industrial control protocols commonly used in the system.
The industrial control message anomaly detection model is used for sending data according to its configuration, and an early warning is raised once the industrial control network anomaly sensing system detects that the network behavior of a device is inconsistent with that configuration.
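One concrete reading of "network behavior inconsistent with the configuration" (this paragraph, the matching paragraph of the Disclosure of Invention and claim 8) is a comparison of each device's observed messages with its declared configuration. The following Python is an added example for this page, not code from the patent: it assumes a per-device configuration of allowed peers, protocol and send interval, and raises an early warning for an undeclared peer, an undeclared protocol, or an interval outside the declared tolerance. The configuration, the messages and the 20 % tolerance are constructed assumptions.

```python
"""Configuration-consistency check for industrial control messages.

Added illustration, not code from the patent.  It assumes each device has a
declared configuration (allowed peers, protocol and send interval) and raises
an early warning when the observed messages of that device disagree with it:
an undeclared peer, an undeclared protocol, or a send interval outside the
declared tolerance (too fast, or late/missing).  Configuration and messages
are constructed.
"""

CONFIG = {  # constructed declared configuration, keyed by device address
    "10.0.0.20": {"peers": {"10.0.0.30"}, "proto": "modbus",
                  "interval_s": 5.0, "tolerance": 0.2},   # +-20 % of the interval
}
# Constructed observed messages: (timestamp_s, src_ip, dst_ip, protocol)
OBSERVED = [
    (0.0, "10.0.0.20", "10.0.0.30", "modbus"),
    (5.1, "10.0.0.20", "10.0.0.30", "modbus"),
    (10.0, "10.0.0.20", "10.0.0.30", "modbus"),
    (12.0, "10.0.0.20", "10.0.0.99", "modbus"),   # peer not in configuration
    (15.0, "10.0.0.20", "10.0.0.30", "modbus"),
    (15.5, "10.0.0.20", "10.0.0.30", "modbus"),   # extra message only 0.5 s later
    (20.0, "10.0.0.20", "10.0.0.30", "modbus"),
    (25.0, "10.0.0.20", "10.0.0.30", "http"),     # protocol not in configuration
    (30.0, "10.0.0.5", "10.0.0.20", "modbus"),    # other device, not configured: ignored
]


def check_device(device, cfg, observed):
    """Compare one device's observed messages with its configuration; return alerts."""
    alerts, last_ts = [], None
    bound = cfg["tolerance"] * cfg["interval_s"]
    for ts, src, dst, proto in observed:
        if src != device:
            continue
        if dst not in cfg["peers"]:
            alerts.append(("unexpected_peer", ts, dst))
            continue
        if proto != cfg["proto"]:
            alerts.append(("unexpected_protocol", ts, proto))
            continue
        # Interval check only between consecutive conforming messages.
        if last_ts is not None and abs(ts - last_ts - cfg["interval_s"]) > bound:
            alerts.append(("interval", ts, ts - last_ts))
        last_ts = ts
    return alerts


def check_all(config, observed):
    """Run the check for every configured device."""
    return {dev: check_device(dev, cfg, observed) for dev, cfg in config.items()}


if __name__ == "__main__":
    for device, alerts in check_all(CONFIG, OBSERVED).items():
        print(device, alerts)
```

Only messages that match the declared peer and protocol advance the interval clock, so a stray message to an undeclared peer is reported once as a peer anomaly rather than also distorting the timing check of the legitimate stream.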
It should be noted that, in the above system embodiment, each unit included is only divided according to the functional logic, but not limited to the above division, so long as the corresponding function can be implemented; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present invention.
In addition, those skilled in the art will appreciate that all or part of the steps in implementing the methods of the embodiments described above may be implemented by a program to instruct related hardware, and the corresponding program may be stored in a computer readable storage medium.
The preferred embodiments of the invention disclosed above are intended only to assist in explaining the invention. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, and thereby to enable others skilled in the art to best understand and utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (8)

1. An application software security detection system in an application system, comprising a software testing hardware system and an all-digital simulation platform, characterized in that:
the software testing hardware system comprises a plurality of sensors, a plurality of execution components, an information injection module, a remote control system, a computer management module, a control computer and a power management module;
the information injection module, the remote control system, the computer management module, the control computer and the power management module are connected in sequence and bidirectionally; the sensors and the execution components are connected to the control computer through a serial port;
the all-digital simulation platform comprises a fault injection model library, the tested software, an input interface, a CPU simulator, a virtual hardware model block and a recording interface.
2. The application software security detection system in an application system according to claim 1, wherein the sensors process the acquired data; the execution components classify data over a bus and place the serial port in communication with the remote control system; the control host is used for inputting the required physical conditions, and the simulation interface mainly comprises a bus interface and serial and parallel interfaces for computer communication, and supplies sensor data, actuator data and joystick control data to the power supply.
3. The application software security detection system in an application system according to claim 1, wherein the CPU simulator is configured to simulate the real environment in which the software runs; the virtual hardware model block simulates the bus connections and the serial ports, parallel ports and chips; the simulation model library provides a dynamic simulation environment for the running software and controls the simulated software in real time; the input interface lets a tester set a script through it so as to control the security state of the software; the recording interface provides real-time monitoring and analysis of the test and processes the data generated by the models, the real-time information of the tested software and its coverage; the fault injection model library is used for inputting fault information, setting the received information according to abnormal data acquired by the sensors, and then providing stimulus to the tested software.
4. The application software security detection system in an application system according to claim 1, wherein the fault injection model library comprises a network behavior anomaly detection model, a network traffic anomaly detection model, a network malicious code detection model and an industrial control message anomaly detection model.
5. The application software security detection system in an application system according to claim 4, wherein the network behavior anomaly detection model comprises an industrial control asset equipment anomaly detection model, an industrial control system network order anomaly detection model, a network port communication anomaly detection model and a network behavior analysis model based on protocol deep identification; the industrial control asset equipment anomaly detection model uses combined active and passive accurate device identification and automatic topology discovery to monitor the industrial control assets and network in real time and to establish an IP asset baseline; the industrial control system network order anomaly detection model maps the access relations among all assets of the service system through flexible blacklist, whitelist and greylist policy configuration and self-learning, automatically generates a service access topology graph to form a service access behavior relation baseline, and judges whether a service access behavior is abnormal according to the relation, direction, frequency and time of the behavior; the network port communication anomaly detection model raises an early warning for a timeout or interruption of network port communication when a network port of the message acquisition unit that previously carried traffic receives no traffic within a specified time; the network behavior analysis model based on protocol deep identification performs deep content analysis and identification of the industrial control protocol, extracts the industrial control instructions and the user behavior in the protocol at fine granularity, correlates them with the service and the technological process, and performs comparative analysis.
6. The application software security detection system in an application system according to claim 4, wherein the network traffic anomaly detection model comprises a network line traffic and rate anomaly detection model, a network asset equipment traffic and rate anomaly detection model and a network protocol traffic and rate anomaly detection model; the network line traffic and rate anomaly detection model performs statistical analysis, checking and early warning on the rate of the network traffic, and counts the total traffic, maximum rate, average rate, maximum utilization and average utilization of the line; the network asset equipment traffic and rate anomaly detection model statistically analyzes, checks and raises early warnings on the network traffic against a historical traffic baseline, and the system counts the total traffic, maximum rate, average rate, maximum utilization and average utilization of each asset; the network protocol traffic and rate anomaly detection model analyzes, checks and raises early warnings on the uplink and downlink traffic on the basis of the application-layer, transport-layer and network-layer protocols, and the system can count, per protocol, the total traffic, total packet count, uplink and downlink traffic and packets, and each protocol's share of the packets.
7. The application software security detection system in an application system according to claim 4, wherein the network malicious code detection model identifies and raises early warnings on device vulnerability attack behavior, on software vulnerability attack behavior within the system, and on vulnerability attack behavior against the industrial control protocols commonly used in the system.
8. The application software security detection system in an application system according to claim 4, wherein the industrial control message anomaly detection model is configured to send data according to its own configuration, and the industrial control network anomaly sensing system raises an early warning once it detects that the network behavior of a device is inconsistent with that configuration.
Application CN202310157939.8A, filed 2023-02-23 (priority date 2023-02-23), published as CN116108437A: Application software safety detection system in application system (pending).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310157939.8A CN116108437A (en) 2023-02-23 2023-02-23 Application software safety detection system in application system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310157939.8A CN116108437A (en) 2023-02-23 2023-02-23 Application software safety detection system in application system

Publications (1)

Publication Number Publication Date
CN116108437A (en) 2023-05-12

Family

ID=86256072

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310157939.8A Pending CN116108437A (en) 2023-02-23 2023-02-23 Application software safety detection system in application system

Country Status (1)

Country Link
CN (1) CN116108437A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination