CN117040788A - Data pipeline filtering method and device implemented in DCS domain separator - Google Patents

Info

Publication number
CN117040788A
Authority
CN
China
Prior art keywords
data packet
filtering
data
dcs
industrial control
Legal status
Pending
Application number
CN202310827451.1A
Other languages
Chinese (zh)
Inventor
翟婉波
梁华林
刘利
周海东
王朝辉
白伟明
梁一凡
袁富
姚慧卿
常伟
杨立业
Current Assignee
Guoneng Zhishen Control Technology Co ltd
Original Assignee
Guoneng Zhishen Control Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management

Abstract

The embodiments of this application provide a data pipeline filtering method and device implemented in a DCS inter-domain isolator, in the technical field of industrial control information security. The method comprises the following steps: acquiring a network data packet to be processed; filtering the packet with a preset filtering rule to obtain the filtered output packet; and sending the filtered output packet to the destination interface. The method of the embodiments not only improves the overall filtering and forwarding efficiency of the DCS inter-domain isolator, but also improves the control granularity of data access between DCS domains, so that the network access policy can be refined and minimized.

Description

Data pipeline filtering method and device implemented in DCS domain separator
Technical Field
The application relates to the technical field of industrial control information security, and in particular to a data pipeline filtering method implemented in a DCS inter-domain isolator, a data pipeline filtering device implemented in the DCS inter-domain isolator, a machine-readable storage medium and a processor.
Background
When a DCS is applied to a power generation control system, the control domains are divided according to how closely the controlled objects are associated: usually each generating unit is one domain, the public (common) system is one domain, and the auxiliary control system is one domain. The domains are independent of each other but have certain logical associations: the units do not need to exchange data with one another, whereas the public system must exchange data with each unit, and the auxiliary control system domain must exchange data with each unit.
At present, logical isolation between DCS control domains is implemented through the ACL function of switches or the policy control of industrial control firewalls. Switch ACLs and industrial control firewalls typically perform access control on five-tuple information such as source/destination IP address, source/destination MAC address, destination port and protocol type. An industrial control firewall can also identify application protocols and common industrial protocols and filter application-layer data.
However, when the whitelisted network addresses are discontiguous, several ACL policies must be configured to cover all the traffic to be allowed; the configuration is complex and error-prone, and the larger number of ACL entries also increases the data processing load of the industrial control firewall and reduces filtering and forwarding efficiency. The prior-art scheme therefore suffers from low filtering and forwarding efficiency and low filtering precision.
Disclosure of Invention
The embodiments of this application aim to provide a data pipeline filtering method and device implemented in a DCS inter-domain isolator, which improve the overall filtering and forwarding efficiency of the isolator and the control granularity of data access between DCS domains.
To achieve the above object, a first aspect of the present application provides a data pipeline filtering method implemented in a DCS inter-domain isolator, including:
acquiring a network data packet to be processed;
filtering the network data packet to be processed by using a preset filtering rule to obtain a data packet output by filtering;
and sending the data packet output by filtering to a destination interface.
In an embodiment of the present application, filtering the network data packet to be processed with a preset filtering rule includes:
parsing the header of the network data packet to be processed to obtain its layer-2 protocol ID;
matching the layer-2 protocol ID against a preset layer-2 protocol whitelist;
if the match fails, discarding the packet (placing it in the packet trash bin);
and if the match succeeds, passing the packet, which yields the packet filtered by layer-2 protocol.
In an embodiment of the present application, the method further includes: checking the packet filtered by layer-2 protocol against a set attack detection policy;
if it is judged to be an attack packet, discarding it;
and if it is judged not to be an attack packet, passing it, which yields the packet filtered by attack detection.
In an embodiment of the present application, the method further includes:
parsing the header of the packet filtered by attack detection to obtain its five-tuple information, namely the source IP address, source port, destination IP address, destination port and protocol type;
matching the five-tuple information against a preset ACL whitelist;
if the match fails, discarding the packet;
and if the match succeeds, passing the packet, which yields the packet filtered by the ACL five-tuple.
In an embodiment of the present application, the method further includes:
determining the IP addresses of the packet filtered by the ACL five-tuple, namely its source IP address and destination IP address;
matching these IP addresses against a preset IP address blacklist;
if the match succeeds, discarding the packet;
and if the match fails, passing the packet, which yields the packet filtered by the address blacklist.
In an embodiment of the present application, the method further includes:
parsing the application-layer data of the packet filtered by the address blacklist to obtain its industrial control protocol ID;
judging from the industrial control protocol ID whether the protocol is a defined industrial control protocol;
if it is not a defined industrial control protocol, judging according to a preset rule whether the packet is allowed to pass, forwarding a packet that is allowed to pass to the destination interface, and discarding a packet that is not.
In an embodiment of the present application, the method further includes:
if it is a defined industrial control protocol, entering the industrial control protocol filtering stage;
the industrial control protocol filtering stage comprises: matching the feature words of the industrial control protocol carried in the packet against preset industrial control protocol feature words, where the preset feature words include customized (private) industrial control protocol features;
if the match succeeds, judging according to a preset rule whether the packet is allowed to pass; forwarding a packet that is allowed to pass to the destination interface, and discarding a packet that is not;
if the match fails, discarding the packet.
A second aspect of the present application provides a data pipeline filtering apparatus implemented in a DCS inter-domain isolator, comprising:
an acquisition module for acquiring the network data packet to be processed;
a filtering module for filtering the network data packet to be processed with a preset filtering rule to obtain the filtered output packet;
and a sending module for sending the filtered output packet to the destination interface.
A third aspect of the application provides a processor configured to perform the data pipeline filtering method implemented in a DCS inter-domain isolator described above.
A fourth aspect of the application provides a machine-readable storage medium storing instructions that, when executed by a processor, cause the processor to perform the data pipeline filtering method implemented in a DCS inter-domain isolator described above.
Compared with the prior art, the technical scheme of the application has the following beneficial effects:
the application provides a data pipeline filtering method and device implemented in a DCS inter-domain isolator, in which the network data packet to be processed is filtered with a preset filtering rule and the filtered packet is then sent to the destination interface; this improves the overall filtering efficiency of the DCS inter-domain isolator and the control granularity of data access between DCS domains, and allows the network access policy to be refined and minimized.
Additional features and advantages of embodiments of the application will be set forth in the detailed description which follows.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain, without limitation, the embodiments of the application. In the drawings:
FIG. 1 schematically illustrates a prior art process for filtering a data pipeline of a DCS inter-domain isolator;
FIG. 2 schematically illustrates a flow diagram of a data pipeline filtering method implemented in a DCS domain isolator according to an embodiment of the present application;
FIG. 3 schematically illustrates a flowchart of a particular implementation of a data pipeline filtering method implemented in a DCS domain isolator according to an embodiment of the present application;
FIG. 4 schematically shows a block diagram of a data pipeline filtering device implemented in a DCS inter-domain isolator according to an embodiment of the application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the detailed description described herein is merely for illustrating and explaining the embodiments of the present application, and is not intended to limit the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
A distributed control system (DCS) is a new-generation instrumentation and control system based on microprocessors, designed on the principles of decentralized control, centralized display and operation, and separate autonomy combined with overall coordination.
An access control list (ACL) is a list of instructions applied to a router interface. The list tells the router which packets may be accepted and which must be rejected, the decision being made on specified conditions such as source address, destination address and port number.
FIG. 1 schematically illustrates the prior-art data pipeline filtering process of a DCS inter-domain isolator. As shown in FIG. 1, logical isolation between DCS control domains is performed by the switch ACL function and the industrial control firewall. The whitelist filtering configured in the switch ACL and the industrial control firewall typically uses the network five-tuple for access control. The industrial control firewall can identify application protocols and published common industrial protocols, and performs application-layer feature word filtering on the published industrial control protocols. When the whitelisted network addresses are discontiguous, several ACL policies must be configured to cover all the traffic to be allowed; the configuration is complex and error-prone, and the larger number of ACL entries also increases the data processing load of the industrial control firewall and reduces the forwarding rate. With respect to the special access control requirements between DCS control domains, the prior art has the following shortcomings:
1. The layer-2 (data link layer) protocols of the OSI seven-layer model cannot be filtered.
2. An access control policy combining blacklists and whitelists cannot be configured.
3. Access control based on a proprietary industrial control protocol is not possible.
The application therefore designs a data pipeline filtering method implemented in the DCS inter-domain isolator that solves these problems and achieves the goal of rapidly configuring a high-precision DCS access control policy.
FIG. 2 schematically shows a flow diagram of a data pipeline filtering method implemented in a DCS inter-domain isolator according to an embodiment of the application. As shown in FIG. 2, an embodiment of the present application provides a data pipeline filtering method implemented in a DCS inter-domain isolator, including the following steps:
Step 110: obtaining a network data packet to be processed.
Specifically, the network data packet to be processed is a packet sent when data is exchanged between DCS control domains; it reaches the destination interface only after being filtered and inspected at the policy detection interface.
Step 120: filtering the network data packet to be processed with a preset filtering rule to obtain the filtered output packet.
FIG. 3 schematically shows a flowchart of a specific implementation of a data pipeline filtering method implemented in a DCS inter-domain isolator according to an embodiment of the application. As shown in FIG. 3, after the network data packet to be processed arrives at the policy detection interface, its header is parsed and the type of the upper-layer protocol encapsulated in the frame, that is, the layer-2 protocol ID, is read from the protocol type field of the header.
As shown in FIG. 3, the layer-2 protocol ID is compared with the configured layer-2 protocol whitelist: if it is a protocol type in the whitelist the packet is passed, otherwise the packet is discarded. The embodiment adds whitelist filtering of the layer-2 (data link layer) protocol type, which filters out in advance a large amount of irrelevant link-layer traffic such as ARP broadcasts, LLDP and STP, adds management and control of link-layer protocols, and improves the overall filtering efficiency of the DCS inter-domain isolator. The embodiment provides independent configuration of the link-layer protocol type filtering rule, so that filtering of layer-2 protocol types in the DCS network can be realized easily.
As shown in FIG. 3, the packet filtered by layer-2 protocol enters the attack detection stage and is judged against a configured attack detection threshold; if it is judged to be an attack packet it is discarded, otherwise it is passed.
As shown in FIG. 3, the packet that has passed attack detection enters the ACL five-tuple filtering stage, where ACL filtering is performed on the five-tuple of the header (source/destination IP, source/destination port and protocol type): a packet matching an ACL whitelist rule is passed, and a packet matching no ACL whitelist rule is discarded.
As shown in FIG. 3, this embodiment adds IP address blacklist filtering after the ACL five-tuple whitelist filtering: the IP address is matched against a preset IP address blacklist; if the match succeeds the packet is discarded, and if it fails the packet is passed. In this embodiment a whitelist policy for the whole address segment is configured in the ACL, and the addresses within that segment that should not be allowed through are then configured in the address blacklist. This simplifies the handling of individual special-case addresses within a large contiguous address range, makes the configuration easier to understand and perform, effectively reduces the number of ACL policy entries, and improves filtering and forwarding efficiency.
Industrial control access control policies are mostly whitelist policies. If the policy is configured too strictly, it is inflexible to use and complex to set; if it is configured too loosely, security is insufficient and the isolation is not precise enough. In this embodiment a blacklist control policy is embedded on top of the whitelist, which greatly simplifies policy setting without sacrificing filtering accuracy.
As shown in FIG. 3, the application-layer data of the message is parsed and the protocol identifier, that is, the industrial control protocol ID, is obtained from the application-layer data. Whether the protocol identifier denotes a defined industrial control protocol is judged: if so, the packet enters the industrial control protocol filtering stage; if not, the packet is either forwarded to the destination interface or discarded, according to the configured setting.
As shown in FIG. 3, for messages entering the industrial control protocol filtering stage, the application-layer data values are compared at the defined address offset and byte length, and the packet is matched against the specified application-layer field features; if the match succeeds, the packet is forwarded to the destination interface or discarded according to the configured setting, and if it fails, the packet is discarded. The embodiment thereby realizes access control based on the DCS private industrial control protocol in keeping with the characteristics of DCS intranet data: the UDP and TCP application protocols used by the DCS are further parsed in depth, and instruction words in the DCS private data area are filtered according to a custom feature word dictionary, which improves the control granularity of inter-domain data access and allows the network access policy to be refined and minimized.
Step 130: sending the filtered output packet to the destination interface.
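As an added illustration (not code from the patent or its assignee), the following Python model runs constructed packets through the five filtering stages described above in the order of FIG. 3, and shows how one whole-segment ACL entry plus a blacklist exception replaces several discontiguous ACL entries, and how an application-layer feature word is matched at an (offset, length) position. The EtherType constants are the real IEEE values; the attack detection rule (a per-source packet-count threshold), the application-layer layout (protocol ID in the first payload byte) and all addresses, ports and feature words are constructed assumptions.

```python
"""Toy model of the isolator's filtering pipeline (added example, not the patent's code)."""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

ETHERTYPE_IPV4 = 0x0800   # real IEEE EtherType values
ETHERTYPE_ARP = 0x0806
ETHERTYPE_LLDP = 0x88CC


@dataclass
class Packet:
    """The fields each stage inspects: layer-2 protocol ID, five-tuple, application data."""
    ethertype: int
    src_ip: str = ""
    dst_ip: str = ""
    proto: str = ""        # "tcp" or "udp"
    src_port: int = 0
    dst_port: int = 0
    payload: bytes = b""


@dataclass
class Policy:
    l2_whitelist: set      # EtherTypes allowed through the link-layer stage
    acl_whitelist: list    # (src_net, dst_net, proto, dst_port); source port is "any"
    ip_blacklist: set      # hosts carved out of the whitelisted segments
    ics_rules: dict        # protocol ID -> [(offset, length, feature word, action)]
    allow_undefined_protocol: bool = False   # preset rule for unknown application protocols
    attack_threshold: int = 100              # constructed per-source packet budget
    counts: Counter = field(default_factory=Counter)


def l2_stage(p, policy):
    return p.ethertype in policy.l2_whitelist


def attack_stage(p, policy):
    """Constructed stand-in for the attack detection threshold: a per-source flood counter."""
    policy.counts[p.src_ip] += 1
    return policy.counts[p.src_ip] <= policy.attack_threshold


def acl_stage(p, policy):
    src, dst = ipaddress.ip_address(p.src_ip), ipaddress.ip_address(p.dst_ip)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               and p.proto == proto and p.dst_port == port
               for s, d, proto, port in policy.acl_whitelist)


def blacklist_stage(p, policy):
    # Runs after the ACL whitelist: one whole-segment ACL entry plus a few blacklist
    # exceptions replaces many discontiguous ACL entries.
    return p.src_ip not in policy.ip_blacklist and p.dst_ip not in policy.ip_blacklist


def ics_stage(p, policy):
    """Assumed layout: protocol ID is payload[0]; feature words are compared at (offset, length)."""
    rules = policy.ics_rules.get(p.payload[0]) if p.payload else None
    if rules is None:                       # not a defined industrial protocol
        return policy.allow_undefined_protocol
    for offset, length, word, action in rules:
        if p.payload[offset:offset + length] == word:
            return action == "allow"        # matched: apply the preset rule
    return False                            # no feature word matched: discard


STAGES = [("l2", l2_stage), ("attack", attack_stage), ("acl", acl_stage),
          ("blacklist", blacklist_stage), ("ics", ics_stage)]


def filter_packet(p, policy):
    """Return ("forward", None) or ("discard", <name of the stage that rejected it>)."""
    for name, stage in STAGES:
        if not stage(p, policy):
            return ("discard", name)
    return ("forward", None)


def demo_policy():
    """Constructed policy: one unit segment may send UDP/5000 to the public system segment."""
    return Policy(
        l2_whitelist={ETHERTYPE_IPV4},
        acl_whitelist=[("10.1.0.0/24", "10.2.0.0/24", "udp", 5000)],
        ip_blacklist={"10.1.0.99"},                       # the one host in 10.1.0.0/24 to block
        ics_rules={0x10: [(2, 1, b"\x01", "allow"),       # READ command word
                          (2, 1, b"\x02", "deny")]},      # WRITE command word
    )


def unit_packet(src="10.1.0.5", cmd=b"\x01"):
    """Constructed DCS telemetry datagram: protocol ID 0x10, command word at offset 2."""
    return Packet(ETHERTYPE_IPV4, src, "10.2.0.10", "udp", 40000, 5000,
                  b"\x10\x00" + cmd + b"\x00\x00")


if __name__ == "__main__":
    pol = demo_policy()
    for pkt in (Packet(ETHERTYPE_ARP), unit_packet(), unit_packet(src="10.1.0.99"),
                unit_packet(cmd=b"\x02"), unit_packet(src="10.3.0.1")):
        print(filter_packet(pkt, pol))
```

The verdict names the stage that dropped the packet, which is the information an operator needs to tell an ACL gap from a blacklist hit or a feature word mismatch.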
FIG. 2 is a flow diagram of a data pipeline filtering method implemented in a DCS inter-domain isolator in one embodiment. It should be understood that, although the steps in the flowchart of FIG. 2 are shown in the sequence indicated by the arrows, they need not be performed in that sequence. Unless explicitly stated herein, the order of execution of the steps is not strictly limited and they may be executed in other orders. Moreover, at least some of the steps in FIG. 2 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages need not be performed in sequence; they may be performed alternately or in turn with at least some of the sub-steps or stages of other steps.
As shown in FIG. 3, compared with the prior art shown in FIG. 1, the data pipeline filtering method implemented in the DCS inter-domain isolator in the embodiment of the present application adds the following functions to the original filtering method:
1. Before attack detection and filtering, whitelist filtering of the layer-2 (data link layer) protocol type is added; a large amount of irrelevant link-layer traffic such as ARP broadcasts, LLDP and STP is filtered out in advance, management and control of link-layer protocols is increased, and the overall filtering efficiency of the DCS inter-domain isolator is improved.
2. Address blacklist filtering is added after the original ACL five-tuple whitelist filtering. For whitelists whose policy addresses are discontiguous, the embodiment first configures a whitelist policy for the whole address segment in the ACL and then configures the addresses within that segment that should not be allowed through in the address blacklist, which simplifies the handling of individual special-case addresses within a large contiguous address range, makes the configuration easier to understand and perform, effectively reduces the number of ACL policy entries, and improves filtering and forwarding efficiency.
3. In the industrial control protocol feature word matching stage, a function for distinguishing private protocol feature words is added: DCS private protocol feature words are obtained by address offset and byte length, and a feature word dictionary is customized. Deep parsing of the private protocol's application layer is added on top of the original five-tuple filtering rules, so that feature filtering of specified application-layer fields is realized and access control based on the DCS private industrial control protocol is achieved, improving the pipeline filtering granularity compared with the original method.
In one embodiment, as shown in FIG. 4, a data pipeline filtering apparatus implemented in a DCS inter-domain isolator is provided, including an acquisition module, a filtering module and a sending module, wherein:
the acquisition module 210 is configured to acquire a network data packet to be processed;
the filtering module 220 is configured to filter the network data packet to be processed with a preset filtering rule to obtain the filtered output packet;
and the sending module 230 is configured to send the filtered output packet to the destination interface.
In one embodiment, filtering the network data packet to be processed with a preset filtering rule includes:
parsing the header of the network data packet to be processed to obtain its layer-2 protocol ID;
matching the layer-2 protocol ID against a preset layer-2 protocol whitelist;
if the match fails, discarding the packet (placing it in the packet trash bin);
and if the match succeeds, passing the packet, which yields the packet filtered by layer-2 protocol.
In one embodiment, the method further comprises:
checking the packet filtered by layer-2 protocol against a set attack detection policy;
if it is judged to be an attack packet, discarding it;
and if it is judged not to be an attack packet, passing it, which yields the packet filtered by attack detection.
In one embodiment, the method further comprises:
parsing the header of the packet filtered by attack detection to obtain its five-tuple information, namely the source IP address, source port, destination IP address, destination port and protocol type;
matching the five-tuple information against a preset ACL whitelist;
if the match fails, discarding the packet;
and if the match succeeds, passing the packet, which yields the packet filtered by the ACL five-tuple.
In one embodiment, the method further comprises:
determining the IP addresses of the packet filtered by the ACL five-tuple, namely its source IP address and destination IP address;
matching these IP addresses against a preset IP address blacklist;
if the match succeeds, discarding the packet;
and if the match fails, passing the packet, which yields the packet filtered by the address blacklist.
In one embodiment, the method further comprises:
parsing the application-layer data of the packet filtered by the address blacklist to obtain its industrial control protocol ID;
judging from the industrial control protocol ID whether the protocol is a defined industrial control protocol;
if it is not a defined industrial control protocol, judging according to a preset rule whether the packet is allowed to pass, forwarding a packet that is allowed to pass to the destination interface, and discarding a packet that is not.
In one embodiment, the method further comprises:
if it is a defined industrial control protocol, entering the industrial control protocol filtering stage;
the industrial control protocol filtering stage comprises: matching the feature words of the industrial control protocol carried in the packet against preset industrial control protocol feature words, where the preset feature words include customized (private) industrial control protocol features;
if the match succeeds, judging according to a preset rule whether the packet is allowed to pass; forwarding a packet that is allowed to pass to the destination interface, and discarding a packet that is not;
if the match fails, discarding the packet.
The data pipeline filtering device implemented in the DCS inter-domain isolator comprises a processor and a memory; the acquisition module, the filtering module, the sending module and so on are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program unit from the memory. One or more of the data pipeline filtering methods implemented in the DCS inter-domain isolator can be provided in the kernel by adjusting kernel parameters.
The memory may include volatile memory, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM), among other forms of computer-readable media; the memory includes at least one memory chip.
An embodiment of the application provides a storage medium on which a program is stored; when executed by a processor, the program realizes the data pipeline filtering method implemented in the DCS inter-domain isolator.
An embodiment of the application provides a processor for running a program; when the program runs, the data pipeline filtering method implemented in a DCS inter-domain isolator is executed.
An embodiment of the application provides a device comprising a processor, a memory and a program stored in the memory and runnable on the processor; when executing the program, the processor realizes the following steps:
Step 110: obtaining a network data packet to be processed.
Step 120: filtering the network data packet to be processed with a preset filtering rule to obtain the filtered output packet.
Step 130: sending the filtered output packet to the destination interface.
In one embodiment, the filtering the network data packet to be processed using a preset filtering rule includes:
disassembling the message header of the network data packet to be processed to obtain a two-layer protocol ID;
matching the two-layer protocol ID with a preset two-layer protocol white list;
if the matching is unsuccessful, the data packet is put into a data packet garbage can;
and if the matching is successful, releasing the data packet to obtain the data packet filtered by the two-layer protocol.
In one embodiment, further comprising:
judging the data packet filtered by the two-layer protocol according to a set attack detection strategy;
if the attack packet is judged, the data packet is put into a data packet garbage can;
and if the data packet is judged to be a non-attack packet, the data packet is released, and the data packet filtered through attack detection is obtained.
In one embodiment, the method further comprises:
disassembling the message header of the data packet filtered by attack detection to obtain five-tuple information; the five-tuple information includes a source IP address, a source port, a destination IP address, a destination port and a protocol type;
matching the five-tuple information against a preset ACL white list;
if the matching is unsuccessful, the data packet is discarded into the data packet garbage can;
if the matching is successful, the data packet is released, yielding the data packet filtered by the ACL five-tuple stage.
In one embodiment, the method further comprises:
determining the IP addresses of the data packet filtered by the ACL five-tuple stage; the IP addresses include a source IP address and a destination IP address;
matching the IP addresses against a preset IP address blacklist;
if the matching is successful, the data packet is discarded into the data packet garbage can;
if the matching is unsuccessful, the data packet is released, yielding the data packet filtered by the address blacklist stage.
In one embodiment, the method further comprises:
disassembling the application layer data of the data packet filtered by the address blacklist stage to obtain an industrial control protocol ID;
judging, from the industrial control protocol ID, whether the protocol is a defined industrial control protocol;
if it is not a defined industrial control protocol, judging according to a preset rule whether the data packet is allowed to pass; a data packet allowed to pass is released to the destination interface, and a data packet not allowed to pass is discarded into the data packet garbage can.
In one embodiment, the method further comprises:
if it is a defined industrial control protocol, entering the industrial control protocol filtering stage;
the industrial control protocol filtering stage comprises: matching the industrial control protocol feature words carried in the data packet against the preset industrial control protocol feature words; the preset industrial control protocol feature words include customized industrial control protocol features;
if the matching is successful, judging according to a preset rule whether the data packet is allowed to pass; a data packet allowed to pass is released to the destination interface, and a data packet not allowed to pass is discarded into the data packet garbage can;
if the matching is unsuccessful, the data packet is discarded into the data packet garbage can.
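As an added illustration (not code from the patent or its applicant), the following Python models the staged pipeline described above on constructed Ethernet/IPv4/TCP frames: a layer-2 EtherType white list, an IP length-consistency check standing in for the attack detection strategy, an ACL five-tuple white list, an IP blacklist, and an industrial control protocol stage that assumes Modbus/TCP on port 502 with its MBAP protocol identifier as the feature word and read-only function codes as the preset rule. All rule tables, addresses, ports and the choice of Modbus are assumptions made for the example.

```python
import struct
import ipaddress

# Rule tables are constructed for this example; they are not the patent's rule sets.
L2_WHITELIST = {0x0800}                                  # only IPv4 frames may pass
ACL_WHITELIST = {("10.0.1.5", "10.0.2.7", 502, 6), ("10.0.1.5", "10.0.2.7", 8080, 6),
                 ("10.0.1.99", "10.0.2.7", 502, 6)}      # (src, dst, dport, proto)
IP_BLACKLIST = {"10.0.1.99"}                             # overrides a stale ACL entry
ICS_PORTS = {502: "modbus"}                              # defined industrial protocols
ICS_RULES = {"modbus": {3, 4}}                           # permitted function codes (read-only)
NON_ICS_ALLOWED_PORTS = {8080}                           # preset rule for undefined protocols

def build_frame(src, dst, dport, payload, ethertype=0x0800, total_len=None):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero) as sample input."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    tl = 20 + len(tcp) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, tl, 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ethertype) + ip + tcp

def parse_frame(frame):
    """Disassemble the headers the pipeline consults; None means undecodable."""
    if len(frame) < 34:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    pkt = dict(ethertype=struct.unpack("!H", frame[12:14])[0], ihl=ihl, total_len=total_len,
               ip_len=len(ip), proto=ip[9], src=str(ipaddress.IPv4Address(ip[12:16])),
               dst=str(ipaddress.IPv4Address(ip[16:20])), dport=None, payload=b"")
    if pkt["proto"] == 6 and 20 <= ihl and len(ip) >= ihl + 20:
        pkt["dport"] = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        pkt["payload"] = ip[ihl + (ip[ihl + 12] >> 4) * 4:total_len]
    return pkt

def filter_packet(frame):
    """Run the stages in the order described above; return 'pass' or the discarding stage."""
    pkt = parse_frame(frame)
    if pkt is None or pkt["ethertype"] not in L2_WHITELIST:
        return "discard:l2-protocol"
    # Attack detection strategy assumed here: inconsistent IP length fields.
    if pkt["ihl"] < 20 or not pkt["ihl"] <= pkt["total_len"] <= pkt["ip_len"]:
        return "discard:attack-detection"
    if (pkt["src"], pkt["dst"], pkt["dport"], pkt["proto"]) not in ACL_WHITELIST:
        return "discard:acl-5tuple"
    if pkt["src"] in IP_BLACKLIST or pkt["dst"] in IP_BLACKLIST:
        return "discard:ip-blacklist"
    proto_name = ICS_PORTS.get(pkt["dport"])
    if proto_name is None:
        return "pass" if pkt["dport"] in NON_ICS_ALLOWED_PORTS else "discard:undefined-protocol"
    # Feature word assumed for Modbus/TCP: MBAP protocol id 0; function code is byte 7.
    mbap = pkt["payload"]
    if len(mbap) < 8 or struct.unpack("!H", mbap[2:4])[0] != 0:
        return "discard:feature-mismatch"
    return "pass" if mbap[7] in ICS_RULES[proto_name] else "discard:ics-rule"
```

The returned string names the stage that discarded the packet, which is the field a defender would log to see which rule table is doing the work.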
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or nonvolatile memory, etc., such as read only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (10)

1. A data pipeline filtering method implemented in a DCS domain separator, comprising:
acquiring a network data packet to be processed;
filtering the network data packet to be processed using a preset filtering rule to obtain a filtered output data packet;
and sending the filtered output data packet to a destination interface.
2. The data pipeline filtering method implemented in a DCS domain separator according to claim 1, wherein filtering the network data packet to be processed using a preset filtering rule comprises:
disassembling the message header of the network data packet to be processed to obtain a layer-2 protocol ID;
matching the layer-2 protocol ID against a preset layer-2 protocol white list;
if the matching is unsuccessful, the data packet is discarded into the data packet garbage can;
and if the matching is successful, the data packet is released, yielding the data packet filtered by the layer-2 protocol stage.
3. The data pipeline filtering method implemented in a DCS domain separator according to claim 2, further comprising:
judging the data packet filtered by the layer-2 protocol stage according to a set attack detection strategy;
if it is judged to be an attack packet, the data packet is discarded into the data packet garbage can;
and if it is judged to be a non-attack packet, the data packet is released, yielding the data packet filtered by attack detection.
4. The data pipeline filtering method implemented in a DCS domain separator according to claim 3, further comprising:
disassembling the message header of the data packet filtered by attack detection to obtain five-tuple information; the five-tuple information includes a source IP address, a source port, a destination IP address, a destination port and a protocol type;
matching the five-tuple information against a preset ACL white list;
if the matching is unsuccessful, the data packet is discarded into the data packet garbage can;
and if the matching is successful, the data packet is released, yielding the data packet filtered by the ACL five-tuple stage.
5. The data pipeline filtering method implemented in a DCS domain separator according to claim 4, further comprising:
determining the IP addresses of the data packet filtered by the ACL five-tuple stage; the IP addresses include a source IP address and a destination IP address;
matching the IP addresses against a preset IP address blacklist;
if the matching is successful, the data packet is discarded into the data packet garbage can;
and if the matching is unsuccessful, the data packet is released, yielding the data packet filtered by the address blacklist stage.
6. The data pipeline filtering method implemented in a DCS domain separator according to claim 5, further comprising:
disassembling the application layer data of the data packet filtered by the address blacklist stage to obtain an industrial control protocol ID;
judging, from the industrial control protocol ID, whether the protocol is a defined industrial control protocol;
if it is not a defined industrial control protocol, judging according to a preset rule whether the data packet is allowed to pass; a data packet allowed to pass is released to the destination interface, and a data packet not allowed to pass is discarded into the data packet garbage can.
7. The data pipeline filtering method implemented in a DCS domain separator according to claim 6, further comprising:
if it is a defined industrial control protocol, entering the industrial control protocol filtering stage;
the industrial control protocol filtering stage comprises: matching the industrial control protocol feature words carried in the data packet against the preset industrial control protocol feature words; the preset industrial control protocol feature words include customized industrial control protocol features;
if the matching is successful, judging according to a preset rule whether the data packet is allowed to pass; a data packet allowed to pass is released to the destination interface, and a data packet not allowed to pass is discarded into the data packet garbage can;
if the matching is unsuccessful, the data packet is discarded into the data packet garbage can.
8. A data pipeline filtering device implemented in a DCS domain separator, comprising:
an acquisition module for acquiring the network data packet to be processed;
a filtering module for filtering the network data packet to be processed using a preset filtering rule to obtain a filtered output data packet;
and a sending module for sending the filtered output data packet to a destination interface.
9. A processor configured to perform the data pipeline filtering method implemented in a DCS domain separator according to any one of claims 1 to 7.
10. A machine-readable storage medium having instructions stored thereon which, when executed by a processor, cause the processor to perform the data pipeline filtering method implemented in a DCS domain separator according to any one of claims 1 to 7.
CN202310827451.1A 2023-07-06 2023-07-06 Data pipeline filtering method and device implemented in DCS domain separator Pending CN117040788A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310827451.1A CN117040788A (en) 2023-07-06 2023-07-06 Data pipeline filtering method and device implemented in DCS domain separator

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310827451.1A CN117040788A (en) 2023-07-06 2023-07-06 Data pipeline filtering method and device implemented in DCS domain separator

Publications (1)

Publication Number Publication Date
CN117040788A true CN117040788A (en) 2023-11-10

Family

ID=88623351

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310827451.1A Pending CN117040788A (en) 2023-07-06 2023-07-06 Data pipeline filtering method and device implemented in DCS domain separator

Country Status (1)

Country Link
CN (1) CN117040788A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117278660A (en) * 2023-11-21 2023-12-22 华信咨询设计研究院有限公司 Protocol analysis method for flow filtering based on DPDK technology
CN117278660B (en) * 2023-11-21 2024-03-29 华信咨询设计研究院有限公司 Protocol analysis method for flow filtering based on DPDK technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination