A network security monitoring method for industrial control systems
Technical field
The present invention relates to the field of information security technology, and in particular to a network security monitoring method for industrial control systems.
Background technology
Industrial control systems built around data acquisition, monitoring and control are widely used in electric power, petrochemicals, transportation, metallurgy and other industries to automate industrial processes. Typical industrial control systems include SCADA (Supervisory Control And Data Acquisition), DCS (Distributed Control System) and PLC (Programmable Logic Controller) systems. With the growing fusion of industrialization and informatization in China, and the extensive use of computer and network communication technology in industrial control systems, the former closed and proprietary character of traditional industrial control systems has gradually given way to standard, general-purpose communication protocols and hardware and software platforms. While this raises the level of automation and informatization, it also exposes industrial control systems to growing security threats. The industrial control security incidents that have occurred frequently in recent years have sounded the alarm.
Compared with conventional information systems, industrial control systems have special requirements for real-time behaviour, reliability and continuity of operation, so security is seldom considered at design time; in operation, anti-virus and anti-trojan software is rarely installed and system vulnerability patches are rarely applied, so industrial control systems are highly susceptible to infection by viruses and trojans. In the day-to-day operation and maintenance (O&M) of industrial control systems, the use of removable storage media such as USB flash drives and CDs, and the use of vendor O&M notebooks, frequently become the window through which viruses and trojans are introduced.
In response, some industries have tightened administrative control of removable storage media and O&M notebooks within industrial control systems, for example by removing unnecessary USB interfaces and CD-ROM drives from industrial control hosts and by requiring that O&M be performed from dedicated O&M notebooks. These administrative measures work well, but they also inconvenience day-to-day O&M, cannot reach every location, and cannot restrain deliberate violations by personnel.
Technical means are therefore needed to supervise the whole process of day-to-day operation and maintenance of industrial control systems, to prevent viruses and trojans from being introduced through misuse of removable storage media or the use of O&M notebooks carrying malicious code, and to provide data for subsequent audit and traceback.
Summary of the invention
In view of the above drawbacks of the prior art, the technical problem to be solved by the present invention is to provide a network security monitoring method for industrial control systems that remedies these deficiencies.
The network security monitoring method for industrial control systems of the present invention comprises the following steps:
Step 1: collect relevant information from the monitored objects inside the industrial control system;
Step 2: perform security analysis on the collected information;
Step 3: when the analysis finds potentially abnormal behaviour, generate the corresponding security control orders and issue them to the relevant monitored objects for execution, so that the abnormal behaviour is blocked.
In step 1, the monitored objects comprise three classes: network devices, security devices and host devices. The network devices include industrial control switches; the security devices include firewalls, gateway isolation devices and VPN encryption devices; the host devices include monitoring hosts, communication gateway machines, servers and workstations.
In step 1, the collected information is classified by severity, from high to low, into four levels: urgent, important, common and general.
In step 1, the collected information is classified by type into six classes: access information, login information, operation information, status information, network connection information and security event information. Access information covers the attachment of removable storage devices and the connection of notebook computers over the network. Login information covers local and remote logins to all monitored objects, including successful logins, failed logins and logouts. Operation information refers to the commands executed after logging in to host devices and network devices through a remote terminal, together with the echoed results of those commands. Status information comprises CPU utilization, memory utilization, disk space utilization and network interface traffic. Network connection information refers to the TCP/UDP connections that exist between a host device and external parties. Security event information refers to the security events detected by the security devices.
The removable storage devices include USB flash drives, removable hard disks, USB CD-ROM drives, USB network adapters, mobile phones and CDs.
In step 1, the monitored objects support information collection by SNMP, by SYSLOG and by a custom proprietary protocol.
In step 2, the security analysis comprises statistical analysis, anomaly detection and association analysis. Statistical analysis counts the collected information by information source, information type, information severity level, daily volume and monthly volume. Anomaly detection identifies access anomalies, login anomalies, operation anomalies, status anomalies, external network connection anomalies and anomalous security events. An access anomaly is the attachment of a removable storage device or notebook that is not within the whitelist. A login anomaly is a login whose number of consecutive failures exceeds a defined threshold. An operation anomaly is the execution of a defined dangerous command, or a modification of the content or permissions of a defined controlled directory or controlled file. A status anomaly is CPU utilization, memory utilization, disk space utilization or network interface traffic exceeding a defined threshold. An external network connection anomaly is the appearance of a network connection that is not within the range permitted by the security policy. An anomalous security event is an access event that violates the access control policy, or a hacker attack. Association analysis correlates the discrete items of collected information with one another to find the relationships between them.
The security analysis proceeds as follows:
(2-1) deduplicate, clean, classify and format the collected information;
(2-2) compile comprehensive statistics on the collected information by information source, information type, information severity level, daily volume and monthly volume;
(2-3) perform anomaly detection: according to the type of the collected information, detect whether the information is anomalous; if it is not anomalous and its severity level is general, return to step (2-1); otherwise proceed to step (2-4);
(2-4) perform association analysis: from the perspectives of clustering and time sequence, correlate the current single event with the other events already collected, identify the behaviour sequence to which the current event belongs, and add the event to that behaviour sequence;
(2-5) look up the knowledge base and perform threat analysis on the behaviour sequence; if no threat is found and the behaviour sequence has ended, delete the behaviour sequence and return to step (2-1); if no threat has been recognised yet and the behaviour sequence has not ended, return to step (2-1) and continue; if the behaviour sequence is found to be anomalous or threatening, proceed to step (2-6);
(2-6) raise a security alarm and initiate the subsequent security control orders.
In step 3, the security control orders can be issued in several ways, including by SNMP and by the custom proprietary protocol.
In step 3, the means of blocking abnormal behaviour include the following: disabling the USB interface to which a suspicious removable storage device is attached, shutting down the switch port to which an O&M notebook is connected, preventing execution of a dangerous command, disconnecting a suspicious login session, and adding an access control policy to block unauthorised access.
The beneficial effects of the invention are as follows:
By collecting rich data from the core networked devices of the industrial control system, the invention monitors in real time the main risky security behaviours in an industrial control system, such as peripheral access, personnel operations and external network connections; at the same time, by analysing these behaviours it discovers and blocks abnormal behaviour promptly, achieving genuine active defence of the industrial control system. Given that conventional security protection measures are difficult to apply effectively to industrial control systems, the method of the invention addresses the main security threats facing current industrial control systems from the standpoint of monitoring and early warning.
The concept, specific structure and technical effects of the present invention are further described below with reference to the accompanying drawings, so that the purpose, features and effects of the invention may be fully understood.
Description of the drawings
Fig. 1 is the structure diagram of the present invention.
Fig. 2 is the security analysis flow chart of the present invention.
Detailed description of embodiments
As shown in Fig. 1, the network security monitoring method for industrial control systems comprises the following steps:
Step 1: collect relevant information from the monitored objects inside the industrial control system;
Step 2: perform security analysis on the collected information;
Step 3: when the analysis finds potentially abnormal behaviour, generate the corresponding security control orders and issue them to the relevant monitored objects for execution, blocking the abnormal behaviour.
In this embodiment, the monitored objects comprise three classes: network devices, security devices and host devices. The network devices are industrial control switches. Switch information such as network interface status is retrieved actively by SNMP polling, and the security events generated by the switch, such as interface up and interface down events, unauthorised MAC address access events and user login events, are received as SNMP traps. The industrial control switches need a security retrofit to support the collection of this information.
The security devices include firewalls, gateway isolation devices and VPN encryption devices. Security device information is collected by standard SYSLOG and includes user logins to the security device, violations of the access control policy, attacks and configuration changes. The security devices need a security retrofit to support the collection of this information.
The host devices include monitoring hosts, communication gateway machines and workstations. Host information is collected by installing an agent on the host; the agent reports information through the custom proprietary protocol. The information collected by the agent mainly includes user logins to the host, illegal external connections, user commands and their echoed output, hot-plug events of removable storage devices or mobile phones on USB interfaces, and dangerous operations. The agent supports Linux, Unix, Windows and the other operating systems commonly found on industrial control system hosts.
In this embodiment, the collected information comprises access information, login information, operation information, status information, network connection information and security event information. Access information covers the attachment of removable storage devices and the connection of computer equipment such as notebook computers over the network. Login information covers local and remote logins to all monitored objects, including successful logins, failed logins and logouts. Operation information refers to the commands executed after logging in to host devices and network devices through a remote terminal, together with the echoed results of those commands. Status information comprises CPU utilization, memory utilization, disk space utilization and network interface traffic. Network connection information refers to the TCP/UDP connections that exist between a host device and external parties. Security event information refers to the security events detected by the security devices, including accesses that violate the access control policy and attack alarms.
In this embodiment, the removable storage devices include USB flash drives, removable hard disks, USB CD-ROM drives, USB network adapters, mobile phones and CDs.
In this embodiment, the monitored objects support information collection in several ways: by SNMP, by SYSLOG and by the custom proprietary protocol.
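The following is an added example, not code from the patent, showing the per-type anomaly detection rules described above (access, login, operation, status, connection and security event anomalies) run over a constructed event stream. The event layout, the whitelists, the dangerous-command list and every threshold are assumptions chosen for illustration; the patent defines the rule categories but not their contents.

```python
"""Added example (not part of the patent text): rule-based anomaly detection over
monitoring events of the six information types. The event layout, whitelist contents,
dangerous-command list and every threshold are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed security policy the rules are checked against (illustrative values only).
POLICY = {
    "usb_whitelist": {"0951:1666:ABC123"},        # vendor:product:serial of approved media
    "laptop_whitelist": {"00:11:22:33:44:55"},    # MAC addresses of approved O&M notebooks
    "login_fail_threshold": 5,                    # consecutive failures that make a login anomaly
    "dangerous_commands": ("rm -rf", "mkfs", "dd if=", "shutdown", "reboot"),
    "controlled_paths": ("/opt/scada/", "/etc/"),
    "state_thresholds": {"cpu": 90.0, "mem": 90.0, "disk": 95.0, "net_mbps": 800.0},
    "allowed_connections": {("10.1.1.20", 502), ("10.1.1.21", 20000)},  # (peer, port) allowed by policy
}

@dataclass
class Event:
    etype: str   # access | login | operation | state | connection | security
    source: str  # monitored object that reported the event
    data: Dict   # type-specific fields

@dataclass
class Alert:
    source: str
    kind: str
    detail: str
    severity: str  # urgent | important | common | general

class AnomalyDetector:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self._fail_streak = defaultdict(int)  # (source, user) -> consecutive login failures

    def detect(self, ev: Event) -> List[Alert]:
        handler = getattr(self, f"_check_{ev.etype}", None)
        return handler(ev) if handler else []

    def _check_access(self, ev):
        d, p = ev.data, self.policy
        if d["kind"] == "usb" and d["id"] not in p["usb_whitelist"]:
            return [Alert(ev.source, "access", f"USB device {d['id']} not in whitelist", "urgent")]
        if d["kind"] == "network" and d["mac"] not in p["laptop_whitelist"]:
            return [Alert(ev.source, "access", f"host {d['mac']} on port {d['port']} not in whitelist", "urgent")]
        return []

    def _check_login(self, ev):
        key = (ev.source, ev.data["user"])
        if ev.data["result"] != "fail":
            self._fail_streak[key] = 0  # a success or logout ends the failure streak
            return []
        self._fail_streak[key] += 1
        if self._fail_streak[key] >= self.policy["login_fail_threshold"]:
            return [Alert(ev.source, "login", f"{self._fail_streak[key]} consecutive failures for "
                          f"{ev.data['user']} from {ev.data['from']}", "important")]
        return []

    def _check_operation(self, ev):
        cmd, alerts = ev.data["cmd"], []
        if any(bad in cmd for bad in self.policy["dangerous_commands"]):
            alerts.append(Alert(ev.source, "operation", f"dangerous command: {cmd}", "urgent"))
        path = ev.data.get("path", "")
        if ev.data.get("modified") and path.startswith(self.policy["controlled_paths"]):
            alerts.append(Alert(ev.source, "operation", f"controlled path modified: {path}", "important"))
        return alerts

    def _check_state(self, ev):
        th = self.policy["state_thresholds"]
        over = {k: v for k, v in ev.data.items() if k in th and v > th[k]}
        return [Alert(ev.source, "state", f"thresholds exceeded: {over}", "common")] if over else []

    def _check_connection(self, ev):
        peer = (ev.data["peer"], ev.data["port"])
        if peer in self.policy["allowed_connections"]:
            return []
        return [Alert(ev.source, "connection", f"connection to {peer[0]}:{peer[1]} not in policy", "important")]

    def _check_security(self, ev):
        if ev.data.get("class") in ("acl_violation", "attack"):
            return [Alert(ev.source, "security", ev.data.get("msg", ""), "urgent")]
        return []

def run_sample() -> List[Alert]:
    """Run the detector over a constructed event stream (not real captures)."""
    events = [
        Event("access", "hmi-01", {"kind": "usb", "id": "0951:1666:ABC123"}),  # approved medium
        Event("access", "hmi-01", {"kind": "usb", "id": "0781:5567:ZZZ999"}),  # unknown medium
        *[Event("login", "srv-02", {"user": "root", "from": "10.1.2.99", "result": "fail"}) for _ in range(5)],
        Event("login", "srv-02", {"user": "root", "from": "10.1.2.99", "result": "ok"}),
        Event("operation", "srv-02", {"cmd": "rm -rf /opt/scada/cfg", "path": "/opt/scada/cfg", "modified": True}),
        Event("state", "srv-02", {"cpu": 95.0, "mem": 40.0, "disk": 60.0, "net_mbps": 12.0}),
        Event("connection", "srv-02", {"peer": "10.1.1.20", "port": 502}),  # allowed Modbus/TCP peer
        Event("connection", "srv-02", {"peer": "203.0.113.5", "port": 443}),  # not in policy
        Event("security", "fw-01", {"class": "attack", "msg": "port scan from 203.0.113.5"}),
    ]
    det = AnomalyDetector()
    return [a for ev in events for a in det.detect(ev)]
```

The login rule keeps its failure streak per (source, user) and resets it on any non-failure result, which is what "consecutive failures" requires; a streak counted across all users of a host would let a slow password-spraying login slip under the threshold. The whitelists are keyed on USB vendor:product:serial and on notebook MAC addresses because those are the identifiers the access events carry; both can be spoofed, so the whitelist check is a first filter and the association stage, not the whitelist alone, is what should decide that an access is benign.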
In this embodiment, the security analysis of step 2 comprises statistical analysis, anomaly detection and association analysis. A network attack usually manifests as a combination of many different single behaviours along an attack chain, and a failure at any link may cause the attack to fail. By collecting and analysing these single behaviours, their latent relationships can be discovered and the possible attack inferred, which provides the basis for cutting off the attack chain in time and preventing the attack from succeeding.
By collecting the various kinds of security-related information, such as peripheral access, personnel operations and external network connections, the method of the invention provides the data basis for further analysis. Association analysis across the access information, login information, operation information, status information, network connection information and security event information builds a profile of the behaviour of a user or of malicious code, which is compared against historical behaviour to identify abnormal behaviour.
As shown in Fig. 2, the security analysis flow of the method of the invention is as follows:
1) pre-process the collected information: deduplicate, clean, classify and format it;
2) perform statistical analysis: compile comprehensive statistics on the collected information by dimensions such as information source, information type, information severity level, daily volume and monthly volume;
3) perform anomaly detection: according to the type of the collected information, detect whether the information is anomalous; if it is not anomalous and its severity level is general, return to step 1); otherwise proceed to step 4);
4) perform association analysis: from the perspectives of clustering and time sequence, correlate the current single event with the other events already collected, identify the behaviour sequence to which the current event belongs, and add the event to that behaviour sequence;
5) look up the knowledge base and perform threat analysis on the behaviour sequence; if no threat is found and the behaviour sequence has ended, delete the behaviour sequence and return to step 1); if no threat has been recognised yet and the behaviour sequence has not ended, return to step 1) and continue; if the behaviour sequence is found to be anomalous or threatening, proceed to step 6);
6) raise a security alarm and initiate the subsequent security control orders.
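The following is an added example, not code from the patent, implementing steps 3) to 6) of this flow (the same procedure as steps (2-3) to (2-6) in the summary above): events that passed anomaly detection are grouped into per-actor behaviour sequences by time sequence, each sequence is matched against a knowledge base of attack chains, and a match raises an alarm. The time window, the event layout and the contents of the knowledge base are assumptions; the patent defines neither the window nor the knowledge base.

```python
"""Added example (not part of the patent text): the association and threat
analysis stages of the flow above, run over a constructed event stream.
The time window, the event layout and the contents of the knowledge base
are assumptions; the patent does not define them."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WINDOW = 600  # seconds; events of one actor closer than this belong to one behaviour sequence (assumed)

# Assumed knowledge base: an ordered chain of event kinds that, when it
# appears inside one behaviour sequence, is reported as a threat.
KNOWLEDGE_BASE = {
    ("usb_access", "login_ok", "dangerous_op"): "removable medium attached, then dangerous command executed",
    ("login_fail", "login_ok", "ext_connection"): "login brute force followed by an unauthorised outbound connection",
    ("login_ok", "controlled_file_modified", "acl_violation"): "configuration tampering followed by policy violation",
}

@dataclass
class Event:
    ts: int                   # seconds since some epoch
    actor: str                # host plus user: the entity whose behaviour is tracked
    kind: str
    severity: str = "general"  # urgent | important | common | general
    anomalous: bool = False    # result of the preceding per-event anomaly detection step

@dataclass
class Sequence:
    actor: str
    last: int                  # timestamp of the most recent event in the sequence
    kinds: List[str] = field(default_factory=list)
    ended: bool = False

def is_subsequence(pattern, kinds) -> bool:
    """True if the kinds of `pattern` occur in order (not necessarily adjacent) in `kinds`."""
    it = iter(kinds)
    return all(any(k == p for k in it) for p in pattern)

class Analyzer:
    def __init__(self, window=WINDOW, kb=KNOWLEDGE_BASE):
        self.window, self.kb = window, kb
        self.sequences: Dict[str, Sequence] = {}
        self.alarms: List[Tuple[str, str, List[str]]] = []  # (actor, threat, chain)

    def _sequence_for(self, ev: Event) -> Sequence:
        """Step 4: attach the event to the actor's open sequence, or open a new one."""
        seq = self.sequences.get(ev.actor)
        if seq is None or seq.ended or ev.ts - seq.last > self.window:
            seq = Sequence(ev.actor, ev.ts)
            self.sequences[ev.actor] = seq
        seq.last = ev.ts
        seq.kinds.append(ev.kind)
        if ev.kind == "logout":  # a logout closes the sequence
            seq.ended = True
        return seq

    def process(self, ev: Event) -> Optional[str]:
        # Step 3 outcome: an unremarkable event of general severity goes no further.
        if not ev.anomalous and ev.severity == "general":
            return None
        seq = self._sequence_for(ev)
        # Step 5: threat analysis of the whole sequence against the knowledge base.
        for pattern, threat in self.kb.items():
            if is_subsequence(pattern, seq.kinds):
                self.alarms.append((ev.actor, threat, list(seq.kinds)))
                self.sequences.pop(ev.actor, None)  # chain recognised; later events start afresh
                return threat                       # Step 6: alarm
        if seq.ended:
            self.sequences.pop(ev.actor, None)      # finished without a threat: discard
        return None

def run_sample() -> Analyzer:
    """Constructed events (not real captures). Login events carry severity "common"
    so that they reach association even though they are not anomalous by themselves."""
    events = [
        Event(0, "hmi-01/operator", "usb_access", "urgent", True),
        Event(60, "hmi-01/operator", "login_ok", "common"),
        Event(120, "hmi-01/operator", "dangerous_op", "urgent", True),
        Event(10, "srv-02/root", "login_fail", "important", True),  # the threshold-crossing failure
        Event(30, "srv-02/root", "login_ok", "common"),
        Event(45, "srv-02/root", "ext_connection", "important", True),
        Event(0, "ws-03/eng", "login_ok", "common"),
        Event(1000, "ws-03/eng", "controlled_file_modified", "important", True),  # outside the window
        Event(1005, "ws-03/eng", "logout", "common"),
    ]
    an = Analyzer()
    for ev in events:
        an.process(ev)
    return an
```

Two design points follow from the flow. First, step 3) discards non-anomalous events of general severity, so any event that a knowledge-base chain depends on (here a successful login) must be assigned at least common severity, or the chain can never complete. Second, the window that bounds a behaviour sequence is also the attacker's budget: in the sample, the engineer's file modification 1000 seconds after login opens a fresh sequence and the "login, tampering, violation" chain is not recognised. A longer window or an explicit session boundary (login to logout) rather than a fixed timeout closes that gap at the cost of holding more state.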
In this embodiment, step 3 generates the security control orders and issues them to the relevant monitored objects for execution. The orders can be issued in several ways, including by SNMP and by the custom proprietary protocol.
In this embodiment, the means by which step 3 blocks abnormal behaviour include the following: disabling the USB interface to which a suspicious removable storage device is attached, shutting down the switch port to which an O&M notebook is connected, preventing execution of a dangerous command, disconnecting a suspicious login session, and adding an access control policy to block unauthorised access.
Different security control orders are issued to different monitored objects in different ways. For network devices, an order to shut down the switch port to which the suspect device is connected is issued by SNMP. For security devices, an access control policy that blocks the unauthorised access is issued through the custom proprietary protocol. For host devices, orders such as disconnecting the login session, temporarily disabling the suspicious account, temporarily disabling the USB interface and preventing execution of the dangerous operation are issued through the custom proprietary protocol to the agent installed on the host, which executes them.
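The following is an added example, not code from the patent, showing how the blocking orders above can be built for each class of monitored object. The switch order is an snmpset invocation for IF-MIB::ifAdminStatus, a standard MIB object. The patent's custom proprietary protocol is not specified, so the host and security-device orders use a hypothetical JSON message format of my own, signed with HMAC-SHA256 and carrying a timestamp and nonce, because an order channel that can shut ports, kill sessions and disable accounts is itself an attack surface and the receiving agent must be able to reject forged, replayed or misdirected orders. Orders are built and returned, never executed here.

```python
"""Added example (not part of the patent text): building the blocking orders for
the three classes of monitored object. The switch order uses IF-MIB::ifAdminStatus,
a standard MIB object; the host and security-device orders use a hypothetical
message format standing in for the patent's custom proprietary protocol, with an
HMAC-SHA256 tag so the agent can reject forged, replayed or misdirected orders."""
import hashlib
import hmac
import json
import os
import time
from typing import List

IF_ADMIN_STATUS_DOWN = 2  # IF-MIB::ifAdminStatus values: up(1), down(2), testing(3)

HOST_ACTIONS = {"disconnect_login", "disable_account", "disable_usb", "block_command"}
SECDEV_ACTIONS = {"add_acl"}

def switch_port_shutdown(switch_ip: str, if_index: int, community: str) -> List[str]:
    """Network device: administratively shut the port the suspect device hangs off.
    SNMP v2c writes are protected only by the community string, so it must be unique
    per deployment; SNMPv3 with authPriv is preferable where the switch supports it."""
    return ["snmpset", "-v2c", "-c", community, switch_ip,
            f"IF-MIB::ifAdminStatus.{if_index}", "i", str(IF_ADMIN_STATUS_DOWN)]

def build_order(key: bytes, target: str, action: str, params: dict,
                ts: int = None, nonce: str = None) -> bytes:
    """Host agent / security device: serialise an order and append an HMAC tag.
    Timestamp and nonce are covered by the tag, so a captured order cannot be
    replayed later or redirected at another object."""
    if action not in HOST_ACTIONS | SECDEV_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    body = {
        "target": target, "action": action, "params": params,
        "ts": int(time.time()) if ts is None else ts,
        "nonce": os.urandom(8).hex() if nonce is None else nonce,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag

class OrderReceiver:
    """Agent side: verify signature, freshness, target and nonce before acting."""

    def __init__(self, key: bytes, my_name: str, max_skew: int = 60):
        self.key, self.me, self.max_skew = key, my_name, max_skew
        self.seen_nonces = set()

    def verify(self, msg: bytes, now: int = None) -> dict:
        payload, _, tag = msg.rpartition(b".")  # the hex tag contains no '.', so this split is safe
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("bad signature")
        body = json.loads(payload)
        now = int(time.time()) if now is None else now
        if abs(now - body["ts"]) > self.max_skew:
            raise PermissionError("stale order")
        if body["target"] != self.me:
            raise PermissionError("order addressed to another object")
        if body["nonce"] in self.seen_nonces:
            raise PermissionError("replayed order")
        self.seen_nonces.add(body["nonce"])
        return body

def demo() -> dict:
    """Constructed round trip: the server builds an order, the agent on hmi-01 verifies it."""
    key = b"per-deployment shared secret (assumed)"
    order = build_order(key, "hmi-01", "disable_usb", {"bus": 1, "port": 3}, ts=1000, nonce="a1b2c3")
    return OrderReceiver(key, "hmi-01").verify(order, now=1020)

if __name__ == "__main__":
    print(switch_port_shutdown("10.1.1.2", 17, "not-private"))
    print(demo())
```

The receiver checks the tag before parsing the body, so malformed or attacker-supplied JSON is never decoded under an unauthenticated path. The nonce set grows without bound in this sketch; with the timestamp check in place it only needs to hold nonces newer than now minus max_skew. The same signing scheme covers the collection direction as well: SNMP v2c traps and UDP syslog carry no authentication, so a server that turns an event into a port shutdown should treat unsigned collection traffic as a lower-trust input than the agent reports.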
The above method monitors and manages in real time the main security threats faced inside current industrial control systems and, without a large-scale security retrofit of the industrial control system, noticeably raises its internal security protection level and effectively resists attacks by viruses and trojans. The method is also versatile and applicable to industrial control systems in electric power, petrochemicals, transportation, metallurgy and other industries.
The preferred embodiments of the present invention have been described in detail above. It should be understood that those skilled in the art can make many modifications and variations in accordance with the concept of the present invention without creative effort. Therefore, all technical solutions that those skilled in the art can obtain by logical analysis, reasoning or limited experimentation on the basis of the prior art and under the concept of the present invention fall within the scope of protection defined by the claims.