CN117234179A - Anomaly capturing and processing system and method based on trusted computing - Google Patents
- Publication number
- CN117234179A (application CN202311179811.8A)
- Authority
- CN
- China
- Prior art keywords
- trusted
- controller
- semaphore
- application program
- anomaly
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The invention discloses an anomaly capturing and processing system and method based on trusted computing. The method comprises semaphore detection and trusted verification: semaphore detection detects anomalies of the application program itself through a semaphore mechanism, and trusted verification uses trusted computing to verify application programs and files that have been attacked from outside. The semaphore capture mechanism detects whether an error occurs while an application program is running; trusted verification determines whether the DCS has been illegally tampered with during operation.
Description
Technical Field
The invention belongs to the field of trusted computing, and particularly relates to an anomaly capturing and processing system and method based on trusted computing.
Background
The trusted DCS controller is a computer control system for the power industry. The control systems that DCS controllers currently face have no endogenous security protection capability, and such a system is highly exposed to a series of system-security "bottleneck" problems such as injection attacks, tampering, and infiltration and takeover.
However, existing systems cannot detect that a particular file or program in the DCS controller system is abnormal; the anomaly is perceived only once the whole system has been damaged, which affects the normal operation of the system.
Disclosure of Invention
The invention aims to overcome the defects of the prior art, and provides an anomaly capturing and processing system and method based on trusted computing, so as to solve the problem that a DCS controller cannot detect illegal tampering of system pole data in the prior art.
An anomaly capturing and processing method based on trusted computing comprises semaphore detection and trusted verification. Semaphore detection detects anomalies of the application program itself through a semaphore mechanism, and trusted verification uses trusted computing to verify application programs or files that have been attacked from outside;
after an anomaly is detected, an alarm is raised and the anomaly is processed.
The invention is further improved as follows:
Preferably, the semaphore detection process is as follows:
S11, the semaphore mechanism captures the anomaly of an application program, and the semaphore interface function sends the anomaly information to the semaphore management thread; the semaphore management thread blocks the user thread and calls the processing function corresponding to the anomaly information;
S12, the controller preprocesses the application program through the processing function; the controller transmits the anomaly information to the background equipment, and the trusted agent transmits the anomaly information to the trusted management platform;
S13, the anomaly information is processed;
S14, the semaphore management thread wakes up the blocked application thread.
Preferably, in S12, while the controller preprocesses the application program through the processing function, the main controller and the standby controller synchronize data, and it is determined whether the abnormal application program belongs to the main controller; if the controller corresponding to the abnormal application program is the main controller, control is switched to the standby controller; otherwise no switch is performed.
Preferably, in S12, the trusted management platform at the same time sets the controller corresponding to the abnormal application program to an untrusted state and disconnects the data interaction of the controller in the untrusted state.
Preferably, the process of trusted verification comprises the steps of:
S21, the trusted agent periodically collects the security policies of the application programs or files;
S22, a measurement value of the security policy is obtained through the SM3 cryptographic algorithm;
S23, the measurement value is compared with a reference value; if the measurement value differs from the reference value, the application program or file is in an untrusted state, and the controller corresponding to the application program or file is in an untrusted state;
S24, the application program or file is returned to the original trusted version.
Preferably, in S22, the trusted agent calculates a hash value of the security policy with the SM3 cryptographic algorithm, and the hash value is the measurement value;
in S23, the reference value is the hash value of the security policy when the controller is powered on for the first time.
Preferably, in S23, the trusted agent sends the measurement value to the trusted management platform, which displays the controller's untrusted status in the trusted management platform interface.
An anomaly capture and processing system based on trusted computing, comprising:
a semaphore detection unit for detecting an abnormality of the application itself;
a trusted verification unit for verifying, through trusted computing, application programs or files attacked from outside.
Preferably, the semaphore detection unit includes:
an anomaly capturing module, used for capturing the anomaly of an application program by the semaphore mechanism, with the semaphore interface function sending the anomaly information to the semaphore management thread, and the semaphore management thread blocking the user thread and calling the processing function corresponding to the anomaly information;
a preprocessing module, used for the controller to preprocess the application program through the processing function, after which the controller transmits the anomaly information to the background equipment and the trusted agent transmits the anomaly information to the trusted management platform;
a processing module, used for processing the anomaly information;
and a restoration module, used for the semaphore management thread to wake up the blocked application thread.
Preferably, the trusted verification unit includes:
a collection module, used for the trusted agent to periodically collect the security policies of the application programs or files;
a measurement module, used for obtaining a measurement value of the security policy through the SM3 cryptographic algorithm;
a judging module, used for judging that the application program or file is in an untrusted state if the measurement value differs from the reference value, the controller corresponding to the application program or file then being in an untrusted state;
and a recovery module, used for returning the application program or file to the original trusted version.
Compared with the prior art, the invention has the following beneficial effects:
The invention discloses an anomaly capturing and processing method based on trusted computing, which comprises semaphore detection and trusted verification. Semaphore detection detects anomalies of the application program itself through a semaphore mechanism, and trusted verification uses trusted computing to verify application programs and files that have been attacked from outside. The semaphore capture mechanism detects whether an error occurs while an application program is running; trusted verification determines whether the DCS has been illegally tampered with during operation.
Furthermore, the method adds a semaphore detection mechanism, so that when an application program becomes abnormal, the abnormal program can be captured and processed relatively quickly and its state synchronized to the trusted management platform, which ensures the normal operation of the trusted DCS.
Further, the trusted agent in the trusted controller uses the SM3 cryptographic algorithm to measure files, processes and the like in the controller, and determines whether the files or programs have been tampered with at that time.
Drawings
FIG. 1 is a diagram of a method for implementing a semaphore function of the present invention;
FIG. 2 is a trusted state diagram of exception handling in accordance with the present invention;
FIG. 3 is a flowchart of the anomaly capture and processing of the present invention;
FIG. 4 is a flow chart of trusted data exception handling in accordance with the present invention.
Detailed Description
It should be noted that the terms "first," "second," and the like in the description and the figures of the present invention are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention discloses an anomaly capturing and processing method based on trusted computing. Capture is divided into two parts: one addresses problems in the program itself inside the controller, and the other addresses problems that arise when programs and files inside the controller are attacked from outside.
For problems in the program itself inside the controller, a semaphore that captures application program anomalies is added. According to the message type of the anomaly information, the semaphore management thread enters the corresponding processing function to preprocess the application program anomaly. The message types of the anomaly information cover abnormal conditions during program execution such as accessing a non-existent memory address, accessing a memory address protected by the system, and accessing a read-only memory address. After processing is completed, the corresponding message is returned to the semaphore interface function that was called, and the blocked thread is woken up. Referring to FIG. 1, FIG. 2 and FIG. 3, the method comprises the following steps:
S11, when an application program becomes abnormal, the semaphore mechanism captures the anomaly and the semaphore interface function sends the anomaly information to the semaphore management thread; after receiving the anomaly information, the semaphore management thread blocks the user thread and calls the corresponding processing function according to the type of the anomaly information received.
S12, when the controller senses the anomaly information, it first preprocesses it through the processing function to prevent a program operation fault; the main controller and the standby controller synchronize normal data and send an alarm to the background equipment; the controller then transmits the anomaly information. The process comprises the following steps:
S12.1, when the controller senses the anomaly information, it preprocesses it through the processing function to prevent a program operation fault. The main controller and the standby controller synchronize normal data and determine whether the abnormal application program belongs to the main controller: if the abnormal controller is the main controller, the main and standby controllers are switched; if the abnormal controller is the standby controller, they are not switched. An alarm is raised at the same time. The main controller and the standby controller are a pair of redundant trusted controllers; the two trusted controllers are identical, one acting as main and the other as standby.
S12.2, the controller transmits the collected anomaly information to the background equipment, and the trusted agent transmits the collected anomaly information to the trusted management platform.
The controller uploads the collected anomaly information to the background equipment, which comprises various upper computers such as a history station, an engineer station and an operator station; the upper computer prompts engineering personnel to handle the fault according to the alarm information displayed for the controller at that moment.
The trusted agent transmits the collected anomaly information to the trusted management platform, which sets the controller to an untrusted state. The trusted management platform issues an instruction to disconnect all data interaction of the controller in the untrusted state until the controller is in the trusted state.
The controller sends a signal to the trusted agent; the trusted agent takes out the service data and encrypts it into an alarm message, which is transmitted to the upper computer PC; the upper computer PC decrypts the anomaly information and displays an alarm, which is handled by staff.
S13, after receiving the alarm, the operator handles the anomaly manually. (Anomaly processing comprises processing in the code and manual processing by the operator after the upper computer alarm; preliminary processing is carried out once the anomaly is detected, to prevent a program operation fault.) After the anomaly has been processed, the processing results are reported to the background equipment and the trusted management platform, and the operator judges whether the alarm can be recovered. If it can, the trusted management platform sets the controller to the trusted state and all data interaction of the controller is restored; if the trust fault cannot be recovered, all data communication of the controller is cut off.
S14, after the processing is completed, the corresponding information is returned to the semaphore interface function that was called, and the blocked thread is woken up.
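The S11 to S14 hand-off, modelled as an added example (not code from the patent): an application thread reports an anomaly through the interface function and stays blocked while a management thread dispatches by message type, applies the main/standby rule and the operator's recovery decision, then wakes it. The controller names, handler labels and operator callback are assumptions.

```python
import queue
import threading

# Message types follow the description; the handler return labels are assumptions.
def _abort_access(msg):
    return "abort_faulting_access"

def _drop_write(msg):
    return "discard_write"

HANDLERS = {
    "nonexistent_address": _abort_access,
    "protected_address": _abort_access,
    "readonly_address": _drop_write,
}

class RedundantPair:
    """Main/standby controller pair; the names 'A' and 'B' are made up."""
    def __init__(self):
        self.main, self.standby = "A", "B"
        self.untrusted = set()   # state held by the trusted management platform
        self.alarms = []         # what the background equipment would display

    def on_anomaly(self, controller, kind):
        switched = controller == self.main
        if switched:             # S12.1: only a faulty main controller fails over
            self.main, self.standby = self.standby, self.main
        self.untrusted.add(controller)          # S12.2: data interaction is cut
        self.alarms.append((controller, kind))
        return switched

class SemaphoreManager:
    def __init__(self, pair, operator_says_recoverable):
        self.pair = pair
        self.operator = operator_says_recoverable   # stands in for the manual step
        self.inbox = queue.Queue()
        threading.Thread(target=self._run, daemon=True).start()

    def report(self, controller, kind):
        """Interface function: hand the anomaly over and block until woken (S11)."""
        msg = {"controller": controller, "kind": kind,
               "done": threading.Event(), "reply": None}
        self.inbox.put(msg)
        msg["done"].wait(timeout=5)
        return msg["reply"]

    def _run(self):
        while True:
            msg = self.inbox.get()
            try:
                handler = HANDLERS.get(msg["kind"], lambda m: "unknown_type")
                action = handler(msg)                                      # S12
                switched = self.pair.on_anomaly(msg["controller"], msg["kind"])
                recovered = self.operator(msg["controller"], msg["kind"])  # S13
                if recovered:    # operator cleared the alarm: trusted again
                    self.pair.untrusted.discard(msg["controller"])
                msg["reply"] = {"action": action, "switched": switched,
                                "recovered": recovered}
            finally:
                msg["done"].set()    # S14: always wake the blocked thread

def demo():
    pair = RedundantPair()
    mgr = SemaphoreManager(pair, lambda ctrl, kind: kind != "protected_address")
    first = mgr.report("A", "readonly_address")     # A is main: failover to B
    second = mgr.report("A", "protected_address")   # A is now standby: no switch
    return first, second, pair.main, sorted(pair.untrusted), len(pair.alarms)

if __name__ == "__main__":
    print(demo())
```

The `finally` clause matters in practice: a handler that raises must not leave the application thread blocked forever.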
Since files and application programs in the controller are also often attacked or illegally tampered with from outside, security policies are configured for the files and the programs in the core of the controller. For problems that arise when application programs and files in the controller are attacked from outside, the attacked programs and files are therefore detected through periodic trusted verification, see FIG. 4. The specific process includes the following steps:
S21, the trusted agent collects the security policies of the application programs in the controller;
S22, the trusted agent periodically uses the SM3 cryptographic algorithm to calculate the hash values of all configured security policies; the hash values are the measurement values;
S23, the hash value measured for the first time, when the controller registers on the trusted management platform, is used as the reference value for judging whether the controller is trusted; each subsequent measurement is compared with the reference value. If the values are the same, the file has not been illegally tampered with; if they are inconsistent, the application program or file has been illegally tampered with and the controller is judged to be in an untrusted state. The trusted agent then encrypts the measurement value and sends it to the trusted management platform, which displays the untrusted alarm in the trusted management platform interface for staff to handle.
As an alternative embodiment, when the controller is powered on for the first time, the trusted agent uses the SM3 cryptographic algorithm to calculate hash values of the important files and programs, and these hash values are used as the reference values for determining whether the controller is trusted.
S24, the trusted verification unit provides an exception handling method: when a file or program in the controller is found to be untrusted, the trusted backup is restored and the file is returned to the previous trusted version. Specifically, the trusted controller backs up all files covered by the configured trusted policy, and if the controller is not trusted, the files can be restored through a restore instruction to the version at the time of first power-on.
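One way to implement the S21 to S24 measurement loop, as an added example that is not taken from the patent: SM3 is implemented inline, reference values are recorded at enrolment, and a restore is refused if the backup itself no longer measures correctly. The class, function and file names are assumptions, and the sample files are constructed.

```python
import shutil
import struct
import tempfile
from pathlib import Path

# Pure-Python SM3 (GB/T 32905-2016), so nothing depends on the local OpenSSL build.
_IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
_M = 0xFFFFFFFF

def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M
def _p0(x):
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)
def _p1(x):
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)

def sm3(data):
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack(">Q", len(data) * 8)
    v = list(_IV)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):                      # message expansion
            w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                     ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):                          # compression rounds
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _M, 7)
            if j < 16:
                ff, gg = a ^ b ^ c, e ^ f ^ g
            else:
                ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & g)
            tt1 = (ff + d + (ss1 ^ _rotl(a, 12)) + (w[j] ^ w[j + 4])) & _M
            tt2 = (gg + h + ss1 + w[j]) & _M
            a, b, c, d = tt1, a, _rotl(b, 9), c
            e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return "".join(f"{x:08x}" for x in v)

def measure(path):
    """S22: SM3 measurement of a protected file; a missing file measures as None."""
    return sm3(path.read_bytes()) if path.is_file() else None

class TrustedAgent:
    def __init__(self, policy, backup_dir):
        self.policy = list(policy)       # S21: files named by the security policy
        self.backup_dir = backup_dir
        self.reference, self.controller_trusted = {}, True

    def _backup(self, path):
        return self.backup_dir / f"{self.policy.index(path)}.bak"

    def enroll(self):
        """First power-on: record the reference values and back up each file."""
        for path in self.policy:
            self.reference[path] = measure(path)
            shutil.copyfile(path, self._backup(path))

    def verify(self):
        """S23: one periodic round; returns the files whose measurement differs."""
        bad = [p for p in self.policy if measure(p) != self.reference[p]]
        self.controller_trusted = not bad
        return bad

    def restore(self, path):
        """S24: roll back, but only from a backup that still matches the reference."""
        if measure(self._backup(path)) != self.reference[path]:
            raise RuntimeError("backup no longer matches the reference value")
        shutil.copyfile(self._backup(path), path)

def demo():
    """Constructed scenario: two protected files, one modified after enrolment."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        logic, conf = root / "control_logic.bin", root / "io_map.conf"
        logic.write_bytes(b"\x01\x02 constructed logic image")
        conf.write_bytes(b"AI01=4-20mA\n")
        (root / "backup").mkdir()
        agent = TrustedAgent([logic, conf], root / "backup")
        agent.enroll()
        clean = agent.verify()
        conf.write_bytes(conf.read_bytes() + b"AI01=0-10V\n")   # simulated tampering
        tampered = [p.name for p in agent.verify()]
        trusted_after_tamper = agent.controller_trusted
        for path in agent.verify():
            agent.restore(path)
        return clean, tampered, trusted_after_tamper, agent.verify(), agent.controller_trusted

if __name__ == "__main__":
    print(demo())
```

In a deployment the reference values and backups need storage that the measured controller cannot rewrite; the example keeps them in memory and in a sibling directory only to stay self-contained.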
The invention also discloses an anomaly capturing and processing system based on the trusted computing, which comprises a semaphore detection unit and a trusted verification unit.
The semaphore detection unit is used for detecting anomalies of the application program itself and comprises:
an anomaly capturing module, used for capturing the anomaly information of an application program by the semaphore mechanism, with the semaphore interface function sending the anomaly information to the semaphore management thread;
a preprocessing module, used for the semaphore management thread to block the application program thread and call a processing function according to the type of the anomaly information, the processing function preprocessing the anomaly;
a processing module, used for processing the anomaly;
and a restoration module, used for the semaphore management thread to wake up the blocked application thread.
The trusted verification unit is used for verifying application programs and files attacked from outside and comprises:
a collection module, used for the trusted agent to periodically collect the security policies of the application programs or files;
a measurement module, used for obtaining a measurement value of the security policy through a hash algorithm;
a judging module, used for judging that the application program or file is not trusted if the measurement value differs from the reference value, the controller corresponding to the application program or file then being in an untrusted state;
and a recovery module, used for returning the application program or file to the original trusted version.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, alternatives, and improvements that fall within the spirit and scope of the invention.
Claims (10)
1. An anomaly capturing and processing method based on trusted computing is characterized by comprising semaphore detection and trusted verification; the semaphore detection is used for detecting the abnormality of the application program through a semaphore mechanism, and the trusted verification is used for verifying the application program or the file attacked by the outside through trusted computing;
and alarming and processing after detecting the abnormality.
2. The anomaly capturing and processing method based on trusted computing of claim 1, wherein the process of semaphore detection is:
S11, the semaphore mechanism captures the anomaly of an application program, and the semaphore interface function sends the anomaly information to the semaphore management thread; the semaphore management thread blocks the user thread and calls the processing function corresponding to the anomaly information;
S12, the controller preprocesses the application program through the processing function; the controller transmits the anomaly information to the background equipment, and the trusted agent transmits the anomaly information to the trusted management platform;
S13, the anomaly information is processed;
S14, the semaphore management thread wakes up the blocked application thread.
3. The method for capturing and processing anomalies based on trusted computing as claimed in claim 2, wherein in S12, the controller performs preprocessing on the application program by the processing function, and simultaneously synchronizes data with the main controller and the standby controller to determine whether the anomaly application program is the main controller; if the controller corresponding to the abnormal application program is the main controller, the controller is switched to the standby controller, otherwise, the operation is not performed.
4. The method for capturing and processing anomalies based on trusted computing as claimed in claim 3, wherein in S12, the trusted management platform sets the controller corresponding to the found anomaly application to an untrusted state at the same time, and disconnects the data interaction of the untrusted state controller.
5. The method for capturing and processing anomalies based on trusted computing as claimed in claim 1, wherein said process of trusted computing comprises the steps of:
S21, the trusted agent periodically collects the security policies of the application programs or files;
S22, a measurement value of the security policy is obtained through the SM3 cryptographic algorithm;
S23, the measurement value is compared with a reference value; if the measurement value differs from the reference value, the application program or file is in an untrusted state, and the controller corresponding to the application program or file is in an untrusted state;
S24, the application program or file is returned to the original trusted version.
6. The anomaly capturing and processing method based on trusted computing of claim 5, wherein in S22, the trusted agent calculates a hash value of the security policy with the SM3 cryptographic algorithm, the hash value being the measurement value;
in S23, the reference value is the hash value of the security policy when the controller is powered on for the first time.
7. The anomaly capturing and processing method based on trusted computing of claim 5, wherein in S23, the trusted agent sends the measurement value to the trusted management platform, and the trusted management platform displays the controller's untrusted status in the trusted management platform interface.
8. An anomaly capture and processing system based on trusted computing, comprising:
a semaphore detection unit for detecting an abnormality of the application itself;
a trusted verification unit for verifying, through trusted computing, application programs or files attacked from outside.
9. The anomaly capture and processing system based on trusted computing of claim 8, wherein the semaphore detection unit comprises:
an anomaly capturing module, used for capturing the anomaly of an application program by the semaphore mechanism, with the semaphore interface function sending the anomaly information to the semaphore management thread, and the semaphore management thread blocking the user thread and calling the processing function corresponding to the anomaly information;
a preprocessing module, used for the controller to preprocess the application program through the processing function, after which the controller transmits the anomaly information to the background equipment and the trusted agent transmits the anomaly information to the trusted management platform;
a processing module, used for processing the anomaly information;
and a restoration module, used for the semaphore management thread to wake up the blocked application thread.
10. The anomaly capture and processing system based on trusted computing of claim 8, wherein the trusted verification unit comprises:
a collection module, used for the trusted agent to periodically collect the security policies of the application programs or files;
a measurement module, used for obtaining a measurement value of the security policy through the SM3 cryptographic algorithm;
a judging module, used for judging that the application program or file is in an untrusted state if the measurement value differs from the reference value, the controller corresponding to the application program or file then being in an untrusted state;
and a recovery module, used for returning the application program or file to the original trusted version.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311179811.8A CN117234179A (en) | 2023-09-13 | 2023-09-13 | Anomaly capturing and processing system and method based on trusted computing |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311179811.8A CN117234179A (en) | 2023-09-13 | 2023-09-13 | Anomaly capturing and processing system and method based on trusted computing |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117234179A (en) | 2023-12-15 |
Family
ID=89083763
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311179811.8A Pending CN117234179A (en) | 2023-09-13 | 2023-09-13 | Anomaly capturing and processing system and method based on trusted computing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117234179A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118012725A (en) * | 2024-04-09 | 2024-05-10 | 西安热工研究院有限公司 | Trusted management platform alarm management method, system, equipment and storage medium |
-
2023
- 2023-09-13 CN CN202311179811.8A patent/CN117234179A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101201786A (en) | Method and device for monitoring fault log | |
CN112597462A (en) | Industrial network safety system | |
CN103490919A (en) | Fault management system and fault management method | |
CN113852633A (en) | Method for generating implementation case for information security assessment | |
CN111934913A (en) | Intelligent network management system | |
CN114266081A (en) | Operation and maintenance computer safety protection system and method of power monitoring system | |
KR101214427B1 (en) | Supervisory Control and Data Acquisition System and Security management method thereof | |
CN117234179A (en) | Anomaly capturing and processing system and method based on trusted computing | |
CN112737863A (en) | Intelligent measurement and control system capable of automatically correcting errors | |
CN116540673A (en) | Software processing system for communication between automobile ECU and monitoring and diagnosing equipment | |
CN110995840A (en) | Remote terminal anti-dismantling control method suitable for excavator | |
CN116683050A (en) | Battery switching method, system, electronic device and storage medium | |
CN110647771B (en) | Mysql database storage integrity verification protection method and device | |
Kolosok et al. | Cyber resilience of SCADA at the level of energy facilities | |
JP2002236619A (en) | Security processor and its tampering resistance method | |
JP6041727B2 (en) | Management apparatus, management method, and management program | |
CN116886406B (en) | Computer network data safety intelligent protection system | |
CN111146863A (en) | Power safety detection method for transformer substation | |
CN111221680A (en) | Automatic management method and device for data center switch system | |
CN109614796A (en) | Network security system | |
CN115749738B (en) | Method and device for monitoring operation time rate of oil pumping unit | |
JPH0955735A (en) | Communication network fault diagnostic system and method therefor | |
KR20170002025A (en) | Method for prevention the error recovery in automatic computer system and system thereof | |
CN112528200A (en) | Website background safety management and control method and system | |
KR101735431B1 (en) | System and method for recovering of flight data |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||