CN107493265B - A network security monitoring method for industrial control systems - Google Patents

A network security monitoring method for industrial control systems

Info

Publication number
CN107493265B
CN107493265B
Authority
CN
China
Prior art keywords
information
security
network
industrial control
analysis
Prior art date
Legal status
Active
Application number
CN201710605143.9A
Other languages
Chinese (zh)
Other versions
CN107493265A (en)
Inventor
许洪强
黄益彬
郭建成
陶洪铸
周劼英
韩勇
程长春
朱世顺
杨维永
陈功胜
李牧野
杨雨轩
景娜
Current Assignee
NARI Group Corp
NARI Information and Communication Technology Co
State Grid Corp of China SGCC
Original Assignee
NARI Group Corp
NARI Information and Communication Technology Co
State Grid Corp of China SGCC
Priority date
Filing date
Publication date
Application filed by NARI Group Corp, NARI Information and Communication Technology Co, State Grid Corp of China SGCC
Priority to CN201710605143.9A
Publication of CN107493265A
Application granted
Publication of CN107493265B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/02 Standardisation; Integration
              • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
          • H04L43/00 Arrangements for monitoring or testing data switching networks
            • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
            • H04L43/16 Threshold monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network security monitoring method for industrial control systems, comprising the following steps: collecting relevant information about monitored objects inside the industrial control system; performing security analysis on the collected information; and, when the analysis finds potential abnormal behavior, generating the corresponding security control commands and issuing them to the relevant monitored objects for execution, so as to block the abnormal behavior. By collecting rich data from the core networked devices of the industrial control system, the invention achieves real-time monitoring of the main security risk behaviors of industrial control systems, such as peripheral access, personnel operations and external network connections; at the same time, by analyzing and processing these behaviors, it finds and blocks abnormal behavior in time, truly achieving active defense of the industrial control system. Given that conventional security protection measures are difficult to apply effectively to industrial control systems, it addresses the main security threats currently faced by industrial control systems well from the perspective of monitoring and early warning.

Description

A network security monitoring method for industrial control systems
Technical field
The present invention relates to the field of information security technology, and more particularly to a network security monitoring method for industrial control systems.
Background technology
Industrial control systems based on acquisition, monitoring and control are widely used in electric power, petrochemicals, transportation, metallurgy and other industries to automate industrial control. Typical industrial control systems include SCADA (Supervisory Control And Data Acquisition), DCS (Distributed Control System) and PLC (Programmable Logic Controller) systems. With the growing integration of industrialization and informatization in China, and the wide application of computer and network communication technology in industrial control systems, traditional industrial control systems have gradually lost their former closed and proprietary character, and standard, general-purpose communication protocols and software and hardware systems are applied more and more widely. While raising the level of automation and informatization, industrial control systems also face growing security threats. The industrial control security incidents of recent years have sounded the alarm.
Compared with conventional information systems, industrial control systems have special requirements for real-time performance, reliability and continuity of operation. Security is rarely considered at design time; in operation, anti-virus and anti-Trojan software is seldom installed and system vulnerability patches are seldom applied, so industrial control systems are highly susceptible to infection by viruses and Trojans. In day-to-day operation and maintenance, the use of removable storage media such as USB flash drives and CDs, and the use of vendors' O&M laptops, frequently becomes the channel through which viruses and Trojans are introduced.
In response, some industries have strengthened the management of removable storage media and O&M laptops in industrial control systems, for example by removing unnecessary USB ports and CD-ROM drives and by using dedicated O&M laptops for secure maintenance. These management measures have had a good effect, but they also cause inconvenience in daily operation and maintenance, leave places that management measures cannot reach, and cannot restrict deliberate malicious violations.
For this reason, it is necessary to supervise the whole process of day-to-day operation and maintenance of the industrial control system by technical means, so as to prevent viruses and Trojans from being introduced through misuse of removable storage media or the use of infected O&M laptops, and also to provide data support for subsequent audit and traceback.
Summary of the invention
In view of the above drawbacks of the prior art, the technical problem to be solved by the invention is to provide a network security monitoring method for industrial control systems, so as to remedy the deficiencies of the prior art.
The network security monitoring method for industrial control systems of the present invention includes the following steps:
Step 1: collect relevant information about the monitored objects inside the industrial control system;
Step 2: perform security analysis on the collected relevant information;
Step 3: when the analysis finds potential abnormal behavior, generate the corresponding security control command and issue it to the relevant monitored object for execution, blocking the abnormal behavior.
In step 1, the monitored objects comprise three classes: network devices, security devices and host devices. The network devices include industrial control switches; the security devices include firewalls, gateway isolation devices and VPN encryption devices; the host devices include monitoring hosts, communication gateway machines, servers and workstations.
In step 1, the relevant information is divided by severity, from high to low, into four classes: urgent, important, common and general.
In step 1, the relevant information is divided by type into six classes: access information, login information, operation information, status information, network connection information and security event information. Access information includes the connection of removable storage devices and the connection of laptop computers via the network. Login information includes local and remote login information for all monitored objects, including successful logins, failed logins and logouts. Operation information refers to the operation commands executed after logging in to host devices and network devices through a remote terminal, together with the echoed command results. Status information includes CPU utilization, memory utilization, disk space usage and network interface traffic. Network connection information refers to the TCP/UDP connections between host devices and external parties. Security event information refers to the security events detected by the security devices.
The removable storage devices mentioned above include USB flash drives, portable hard disks, USB optical drives, USB network adapters, mobile phones and CDs.
In step 1, the monitored objects support information collection via SNMP, SYSLOG and a custom proprietary protocol.
In step 2, the security analysis includes statistical analysis, anomaly detection and association analysis. Statistical analysis means counting the collected information by information source, information type, information importance level, number of items for the day and number of items for the month. Anomaly detection means analyzing and detecting access anomalies, login anomalies, operation anomalies, status anomalies, external network connection anomalies and abnormal security events. An access anomaly includes the connection of a removable storage device or laptop that is not on the whitelist. A login anomaly is a login whose number of consecutive failures exceeds a defined threshold. An operation anomaly is the execution of a defined dangerous operation command, or a modification of the content or permissions of a defined controlled directory or controlled file. A status anomaly is CPU utilization, memory utilization, disk space usage or network interface traffic exceeding a defined threshold. An external network connection anomaly is the appearance of a network connection that the security policy does not permit. An abnormal security event is an access event that violates the access control policy, or a network attack event. Association analysis means analyzing the correlations between discrete items of collected information to find the relationships among them.
The specific procedure of the security analysis is as follows:
(2-1) deduplicate, clean, classify and format the collected information;
(2-2) compile comprehensive statistics on the collected information by information source, information type, information importance level, number of items for the day and number of items for the month;
(2-3) perform anomaly detection: according to the type of the collected information, check whether the information is anomalous; if it is not, and the importance level of the information is general, return to step (2-1); otherwise go to step (2-4);
(2-4) perform association analysis: using clustering and time ordering, correlate the current single event with the other events already collected and analyzed, identify the behavior sequence to which the current event belongs, and add the event to that behavior sequence;
(2-5) look up the knowledge base and perform threat analysis on the behavior sequence; if the analysis finds no threat and the behavior sequence has ended, delete the behavior sequence and return to step (2-1); if no threat has yet been identified and the behavior sequence has not ended, return to step (2-1) and continue; if the behavior sequence is identified as anomalous or threatening, go to step (2-6);
(2-6) raise a security alarm and initiate the subsequent security control command.
In step 3, the security control commands can be issued in multiple ways, including via SNMP and via the custom proprietary protocol.
In step 3, the methods for blocking abnormal behavior include: disabling the USB port to which a suspicious removable storage device is connected; shutting down the switch port to which an O&M laptop is connected; preventing execution of a dangerous operation command; disconnecting a suspicious login session; and adding an access control policy to prevent unauthorized access.
The beneficial effects of the invention are as follows:
By collecting rich data from the core networked devices of the industrial control system, the invention achieves real-time monitoring of the main security risk behaviors of industrial control systems, such as peripheral access, personnel operations and external network connections; at the same time, by analyzing and processing these behaviors, it finds and blocks abnormal behavior in time, truly achieving active defense of the industrial control system. Given that conventional security protection measures are difficult to apply effectively to industrial control systems, the method of the invention addresses the main security threats currently faced by industrial control systems well from the perspective of monitoring and early warning.
The design, specific structure and technical effect of the invention are further described below with reference to the accompanying drawings, so that the purpose, features and effects of the invention can be fully understood.
Description of the drawings
Fig. 1 is the structure diagram of the invention.
Fig. 2 is the flow chart of the security analysis process of the invention.
Detailed description of the embodiments
As shown in Fig. 1, a network security monitoring method for industrial control systems includes the following steps:
Step 1: collect relevant information about the monitored objects inside the industrial control system;
Step 2: perform security analysis on the collected relevant information;
Step 3: when the analysis finds potential abnormal behavior, generate the corresponding security control command and issue it to the relevant monitored object for execution, blocking the abnormal behavior.
In this embodiment, the monitored objects comprise three classes: network devices, security devices and host devices. The network devices are industrial control switches. Switch information such as network interface status is actively obtained via SNMP, and the security events generated by the switch, such as interface up and interface down access events, illegal MAC access events and user logins to the switch, are obtained via SNMP Trap. The industrial control switch needs a security retrofit to support collection of the above information.
The security devices include firewalls, gateway isolation devices and VPN encryption devices. Security device information is collected via standard SYSLOG, including user logins to the security device, violations of the access control policy, attack information and configuration changes. The security devices need a security retrofit to support collection of the above information.
The host devices include monitoring hosts, communication gateway machines and workstations. Host information is collected by installing an agent on the host, and the agent reports the information via the custom proprietary protocol. The information collected by the agent mainly includes user logins to the host, illegal external connections, user operation commands and their echoed output, USB hot-plug events for removable storage devices or mobile phones, and dangerous operations. The agent supports the operating systems commonly found on industrial control system hosts, such as Linux, Unix and Windows.
In this embodiment, the relevant information includes access information, login information, operation information, status information, network connection information and security event information. Access information includes the connection of removable storage devices and the connection of computer devices such as laptops via the network; login information includes local and remote login information for all monitored objects, including successful logins, failed logins and logouts; operation information refers to the operation commands executed after logging in to host devices and network devices through a remote terminal, together with the echoed command results; status information includes CPU utilization, memory utilization, disk space usage and network interface traffic; network connection information refers to the TCP/UDP connections between host devices and external parties; security event information refers to the security events detected by the security devices, including accesses that violate the access control policy and attack alarms.
In this embodiment, the removable storage devices include USB flash drives, portable hard disks, USB optical drives, USB network adapters, mobile phones and CDs.
In this embodiment, the monitored objects support information collection in multiple ways: SNMP, SYSLOG and the custom proprietary protocol.
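The collection stage described above gathers records from three kinds of sources over three transports and must normalize them into the patent's six information types and four severity classes before any analysis. The following Python is an added example written for this page, not code from the patent or its assignees. It assumes a constructed key=value SYSLOG message format for the security devices and a constructed one-JSON-object-per-line format standing in for the unspecified proprietary agent protocol; the mapping of syslog PRI values onto the four severity classes is likewise a constructed choice. It implements step (2-1) (deduplication) and the statistics of step (2-2) over a handful of constructed records, including a repeated firewall event and a line that matches neither format.

```python
import json
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Severity classes from the patent, highest first.
SEVERITY_ORDER = {"urgent": 3, "important": 2, "common": 1, "general": 0}
# The six information types from the patent.
INFO_TYPES = {"access", "login", "operation", "status", "connection", "security_event"}

@dataclass
class Event:
    source: str                 # monitored object that produced the record
    info_type: str              # one of INFO_TYPES
    severity: str               # one of SEVERITY_ORDER
    detail: dict = field(default_factory=dict)

# Constructed syslog shape "<PRI>host app: key=value ..."; not any vendor's real format.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<host>\S+) (?P<app>\w+): (?P<msg>.*)$")

def severity_from_pri(pri: int) -> str:
    """Map the syslog severity (PRI mod 8, 0 = emergency .. 7 = debug) onto the
    patent's four classes; the cut points are a constructed choice."""
    sev = pri % 8
    if sev <= 2:
        return "urgent"
    if sev <= 4:
        return "important"
    if sev == 5:
        return "common"
    return "general"

def parse_syslog(line: str) -> Optional[Event]:
    """Security-device record (firewall, isolation gateway, VPN) arriving over SYSLOG."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    detail = dict(kv.split("=", 1) for kv in m.group("msg").split() if "=" in kv)
    kind = detail.get("event", "")
    if kind == "login":
        info_type = "login"
    elif kind in ("acl_deny", "attack"):
        info_type = "security_event"
    else:
        info_type = "status"
    return Event(m.group("host"), info_type, severity_from_pri(int(m.group("pri"))), detail)

def parse_agent(line: str) -> Optional[Event]:
    """Host-agent record; one JSON object per line stands in for the patent's
    unspecified proprietary protocol (constructed format)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("type") not in INFO_TYPES:
        return None
    severity = rec.get("severity") if rec.get("severity") in SEVERITY_ORDER else "general"
    return Event(rec.get("host", "unknown"), rec["type"], severity, rec.get("detail", {}))

def deduplicate(events: List[Event]) -> List[Event]:
    """Step (2-1): drop repeated records (same source, type and content)."""
    seen, out = set(), []
    for ev in events:
        key = (ev.source, ev.info_type, tuple(sorted(ev.detail.items())))
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out

def collect(lines: List[str]) -> List[Event]:
    """Step 1 plus (2-1): try each collector on every line, keep what parses, deduplicate."""
    events = []
    for line in lines:
        ev = parse_syslog(line) or parse_agent(line)
        if ev is not None:
            events.append(ev)
    return deduplicate(events)

def summarize(events: List[Event]) -> dict:
    """Step (2-2): counts by information source, type and importance level."""
    return {
        "by_source": Counter(ev.source for ev in events),
        "by_type": Counter(ev.info_type for ev in events),
        "by_severity": Counter(ev.severity for ev in events),
    }

# Constructed sample input: two firewall syslog lines (one repeated), two agent
# records from an HMI host, and one line that matches neither format.
SAMPLE_LINES = [
    "<36>fw01 firewall: event=login user=admin result=success src=10.1.1.5",
    "<34>fw01 firewall: event=acl_deny src=10.1.1.9 dst=10.2.0.3 dport=502",
    "<34>fw01 firewall: event=acl_deny src=10.1.1.9 dst=10.2.0.3 dport=502",
    '{"host": "hmi01", "type": "access", "severity": "important", "detail": {"device": "usb-storage", "serial": "SN-UNKNOWN-77"}}',
    '{"host": "hmi01", "type": "status", "severity": "general", "detail": {"cpu": 23}}',
    "not a record in either format",
]

if __name__ == "__main__":
    events = collect(SAMPLE_LINES)
    for ev in events:
        print(ev)
    print(summarize(events))
```

Unparseable lines are dropped rather than raising, since a collector on an industrial network must keep running when one device emits an unexpected format; in a deployment those drops would themselves be counted as a collection health metric.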
In this embodiment, the security analysis of step 2 includes statistical analysis, anomaly detection and association analysis. A network attack usually manifests as a combination of many different single behaviors along an attack chain, and a mistake in any one link can make the attack fail. By collecting and analyzing these single behaviors, their potential relationships can be discovered and the possible attack inferred, which provides the basis for cutting off the attack chain in time and preventing the attack.
By collecting the various kinds of security-related information such as peripheral access, personnel operations and external network connections, the method of the invention provides the data basis for further analysis. By correlating access information, login information, operation information, status information, network connection information and security event information, it profiles the behavior of a user or of malicious code and compares it with historical behavior, thereby identifying abnormal behavior.
As shown in Fig. 2, the specific security analysis flow of the method of the invention is as follows:
1) pre-process the collected information: deduplicate, clean, classify and format it;
2) perform statistical analysis: compile comprehensive statistics on the collected information along dimensions such as information source, information type, information importance level, number of items for the day and number of items for the month;
3) perform anomaly detection: according to the type of the collected information, check whether the information is anomalous; if it is not, and the importance level of the information is general, return to step 1); otherwise go to step 4);
4) perform association analysis: using clustering, time ordering and similar methods, correlate the current single event with the other events already collected and analyzed, identify the behavior sequence to which the current event belongs, and add the event to that behavior sequence;
5) look up the knowledge base and perform threat analysis on the behavior sequence; if the analysis finds no threat and the behavior sequence has ended, delete the behavior sequence and return to step 1); if no threat has yet been identified and the behavior sequence has not ended, return to step 1) and continue; if the behavior sequence is identified as anomalous or threatening, go to step 6);
6) raise a security alarm and initiate the subsequent security control command.
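Steps 3) to 6) of this flow, together with the anomaly definitions given for step 2 in the summary above (whitelist check, consecutive login failures, dangerous commands, utilization thresholds, connections outside policy), can be written as one small pipeline. The Python below is an added example for this page and is not the patent's or its assignees' code. The threshold values, the removable-media whitelist, the dangerous-command list, the permitted external connections and the knowledge base of threatening sequences are all constructed; association is done in the simplest form the patent describes, by host and by time ordering within a window, and the knowledge base matches a sequence when its labels occur in order, not necessarily adjacently. The constructed events show both a brute-force-then-destructive-command chain on one host and a removable-media-then-destructive-command chain on another.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Detection parameters in the patent's terms; the concrete values are constructed examples.
LOGIN_FAILURE_THRESHOLD = 3              # consecutive failed logins that make a login anomaly
CPU_THRESHOLD = 90                       # per cent
USB_WHITELIST = {"SN-OPS-0001"}          # serial numbers of approved removable media
DANGEROUS_COMMANDS = ("rm -rf", "dd if=", "mkfs")
ALLOWED_EXTERNAL = {("10.2.0.3", 502)}   # (dst, port) pairs the security policy permits
ASSOCIATION_WINDOW = 600                 # seconds; a quiet gap longer than this ends a sequence

# Constructed knowledge base: a behaviour sequence is a threat when it contains the
# pattern's labels in this order (other events may sit between them).
KNOWLEDGE_BASE = {
    "removable media then destructive command": ("access_anomaly", "operation_anomaly"),
    "brute force, login, then destructive command": ("login_anomaly", "login:normal", "operation_anomaly"),
}

@dataclass
class Event:
    ts: int             # seconds; events are processed in time order
    host: str
    info_type: str      # access, login, operation, status, connection, security_event
    severity: str       # urgent, important, common, general
    detail: dict

def detect_anomaly(ev: Event, history: List[Event]) -> Optional[str]:
    """Step 3): per-type anomaly check on a single event. `history` holds the
    host's earlier events, which the consecutive-failure rule needs."""
    d = ev.detail
    if ev.info_type == "access":
        return None if d.get("serial") in USB_WHITELIST else "access_anomaly"
    if ev.info_type == "login":
        if d.get("result") != "fail":
            return None
        fails = 1
        for prev in reversed(history):          # count the unbroken run of failures
            if prev.info_type != "login":
                continue
            if prev.detail.get("result") != "fail":
                break
            fails += 1
        return "login_anomaly" if fails >= LOGIN_FAILURE_THRESHOLD else None
    if ev.info_type == "operation":
        cmd = d.get("cmd", "")
        return "operation_anomaly" if any(x in cmd for x in DANGEROUS_COMMANDS) else None
    if ev.info_type == "status":
        return "state_anomaly" if d.get("cpu", 0) > CPU_THRESHOLD else None
    if ev.info_type == "connection":
        return None if (d.get("dst"), d.get("dport")) in ALLOWED_EXTERNAL else "external_connection_anomaly"
    if ev.info_type == "security_event":
        return "security_event_anomaly"
    return None

def contains_subsequence(labels: List[str], pattern) -> bool:
    """True when every label of `pattern` appears in `labels` in the same order."""
    it = iter(labels)
    return all(any(label == want for label in it) for want in pattern)

def analyze(events: List[Event]) -> List[dict]:
    """Steps 3) to 6): detect, associate per host into behaviour sequences,
    check the sequences against the knowledge base, and return alerts."""
    history: Dict[str, List[Event]] = defaultdict(list)
    sequences: Dict[str, List[tuple]] = defaultdict(list)    # host -> [(ts, label)]
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        anomaly = detect_anomaly(ev, history[ev.host])
        history[ev.host].append(ev)
        if anomaly is None and ev.severity == "general":
            continue                                   # step 3): unremarkable, back to collection
        seq = sequences[ev.host]
        if seq and ev.ts - seq[-1][0] > ASSOCIATION_WINDOW:
            seq.clear()                                # step 5): sequence ended with no threat, delete it
        seq.append((ev.ts, anomaly or f"{ev.info_type}:normal"))   # step 4): associate by host and time
        labels = [label for _, label in seq]
        for name, pattern in KNOWLEDGE_BASE.items():   # step 5): threat analysis
            if contains_subsequence(labels, pattern):
                alerts.append({"host": ev.host, "ts": ev.ts, "threat": name, "sequence": labels})  # step 6)
                seq.clear()
                break
    return alerts

# Constructed sample events (not captured data).
SAMPLE_EVENTS = [
    Event(100, "hmi01", "login", "important", {"user": "ops", "result": "fail"}),
    Event(105, "hmi01", "login", "important", {"user": "ops", "result": "fail"}),
    Event(110, "hmi01", "login", "important", {"user": "ops", "result": "fail"}),
    Event(120, "hmi01", "login", "important", {"user": "ops", "result": "success"}),
    Event(130, "hmi01", "status", "general", {"cpu": 35}),
    Event(140, "hmi01", "operation", "common", {"cmd": "rm -rf /opt/scada/cfg"}),
    Event(200, "eng02", "access", "important", {"serial": "SN-UNKNOWN-77"}),
    Event(300, "eng02", "operation", "common", {"cmd": "dd if=/dev/zero of=/dev/sda"}),
    Event(5000, "eng02", "operation", "common", {"cmd": "ls /opt"}),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The ordered-subsequence match is what makes the association step earn its keep: the first two failed logins on hmi01 are individually unremarkable and stay labelled as normal, yet they remain in the host's sequence, so the later destructive command is judged in the context of the brute-force run that preceded it. The benign `ls` on eng02 arrives after the window has expired and starts a fresh sequence instead of being tied to the earlier alert.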
In this embodiment, step 3 generates the security control command and issues it to the relevant monitored object for execution; the security control command can be issued in multiple ways, including via SNMP and via the custom proprietary protocol.
In this embodiment, the methods by which step 3 blocks abnormal behavior include: disabling the USB port to which a suspicious removable storage device is connected; shutting down the switch port to which an O&M laptop is connected; preventing execution of a dangerous operation command; disconnecting a suspicious login session; and adding an access control policy to prevent unauthorized access.
Different security control commands are issued in different ways to different monitored objects. For a network device, a command is issued via SNMP to shut down the switch port to which the suspicious device is connected. For a security device, an access control policy is issued via the custom proprietary protocol to prevent unauthorized access. For a host device, instructions such as disconnecting a login session, temporarily disabling a suspicious account from logging in, temporarily disabling a USB port, or preventing execution of a dangerous operation are issued via the custom proprietary protocol to the agent on the host, and the agent executes the instruction.
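The per-device-class dispatch just described maps an alert to a transport and an action. The Python below is an added example for this page, not the patent's or its assignees' code. It assumes a constructed inventory mapping object names to device classes, the standard IF-MIB `ifAdminStatus` object (OID 1.3.6.1.2.1.2.2.1.7, value 2 = down) as the SNMP operation for shutting a switch port, and plain dictionaries as the messages for the unspecified proprietary protocol. It also adds one guardrail the patent does not mention but that a practitioner would want before automating blocking inside a plant: a list of protected ports whose isolation would interrupt the process itself, for which automatic blocking is refused and recorded, so that the audit trail the background section asks for also covers what the system declined to do.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Device classes named in the patent.
NETWORK, SECURITY, HOST = "network", "security", "host"

# Constructed inventory: monitored object -> device class (not from the patent).
INVENTORY = {"sw01": NETWORK, "fw01": SECURITY, "hmi01": HOST, "eng02": HOST}

# Guardrail added here (not in the patent): ports whose shutdown would cut the process
# itself off, e.g. the constructed uplink to the PLC segment; left to an operator.
PROTECTED_PORTS = {"sw01:Gi1/0/1"}

IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"   # IF-MIB ifAdminStatus; value 2 means down

# Host-side instructions the patent lists, keyed by the anomaly that triggers them.
HOST_ACTIONS = {
    "access_anomaly": "disable_usb_port",
    "login_anomaly": "disconnect_login",
    "operation_anomaly": "block_command",
}

@dataclass
class ControlCommand:
    target: str
    transport: str        # "snmp" or "proprietary"
    action: str
    params: dict = field(default_factory=dict)

def build_command(alert: dict) -> Optional[ControlCommand]:
    """Step 3: pick the blocking action and transport for the alert's target.
    Returns None when the target is unknown, protected, or has no matching action."""
    target = alert["target"]
    dev_class = INVENTORY.get(target)
    if dev_class is None:
        return None
    if dev_class == NETWORK:
        if f"{target}:{alert['port']}" in PROTECTED_PORTS:
            return None
        # Shut the switch port: SNMP SET ifAdminStatus.<ifIndex> = down(2)
        return ControlCommand(target, "snmp", "port_down",
                              {"oid": f"{IF_ADMIN_STATUS}.{alert['if_index']}", "value": 2})
    if dev_class == SECURITY:
        return ControlCommand(target, "proprietary", "add_acl",
                              {"deny_src": alert["src"], "deny_dst": alert["dst"]})
    action = HOST_ACTIONS.get(alert["anomaly"])
    if action is None:
        return None
    return ControlCommand(target, "proprietary", action, {"detail": alert.get("detail", {})})

def dispatch(alerts: List[dict]) -> Tuple[List[ControlCommand], List[Dict[str, str]]]:
    """Build a command per alert and keep an audit record of what was issued or refused."""
    issued, audit = [], []
    for alert in alerts:
        cmd = build_command(alert)
        if cmd is None:
            audit.append({"target": alert["target"], "anomaly": alert["anomaly"], "result": "refused"})
            continue
        issued.append(cmd)
        audit.append({"target": alert["target"], "anomaly": alert["anomaly"], "result": "issued"})
    return issued, audit

# Constructed alerts, as the analysis stage might hand them over.
SAMPLE_ALERTS = [
    {"target": "sw01", "anomaly": "access_anomaly", "port": "Gi1/0/12", "if_index": 12},
    {"target": "sw01", "anomaly": "access_anomaly", "port": "Gi1/0/1", "if_index": 1},     # protected uplink
    {"target": "fw01", "anomaly": "security_event_anomaly", "src": "10.1.1.9", "dst": "10.2.0.3"},
    {"target": "hmi01", "anomaly": "operation_anomaly", "detail": {"cmd": "rm -rf /opt/scada/cfg"}},
    {"target": "plc07", "anomaly": "state_anomaly"},                                        # not in inventory
]

if __name__ == "__main__":
    issued, audit = dispatch(SAMPLE_ALERTS)
    for cmd in issued:
        print(cmd)
    for entry in audit:
        print(entry)
```

Keeping the refusal path explicit matters more in an industrial network than in an office one: an automatic port shutdown that isolates the wrong device is itself a denial of service against the process, so the refused entries in the audit list are what an operator reviews first.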
The above method monitors and manages in real time the main security threats faced inside current industrial control systems and, without extensive security retrofitting of the industrial control system, can noticeably raise the level of security protection inside it and effectively resist virus and Trojan attacks. In addition, the method is versatile and can be applied to the industrial control systems of many industries, such as electric power, petrochemicals, transportation and metallurgy.
The preferred embodiment of the invention has been described in detail above. It should be understood that those skilled in the art can make many modifications and variations according to the concept of the invention without creative effort. Therefore, all technical solutions that those skilled in the art can obtain on the basis of the prior art, through logical analysis, reasoning or limited experimentation according to the concept of the invention, shall fall within the scope of protection defined by the claims.

Claims (8)

1.一种面向工业控制系统的网络安全监控方法,其特征在于,包括以下几个步骤:1. A network security monitoring method for industrial control systems, characterized in that, comprising the following steps: 步骤一,采集工业控制系统内部监测对象的相关信息;Step 1, collecting relevant information of the internal monitoring object of the industrial control system; 步骤二,对采集到的相关信息进行安全分析;Step 2, performing security analysis on the collected relevant information; 步骤三,当分析发现有潜在异常行为时,生成相关安全管控命令,下发到相关监测对象进行执行,阻断异常行为;Step 3: When the analysis finds potential abnormal behaviors, generate relevant security control commands and issue them to relevant monitoring objects for execution to block abnormal behaviors; 步骤二中,所述安全分析包括统计分析、异常检测和关联分析;所述统计分析是指从信息来源、信息类型、信息重要程度、当天信息数量、当月信息数量对采集信息进行统计;所述异常检测是指分析检测出接入异常、登录异常、操作异常、状态异常、网络外联异常和异常安全事件;所述接入异常包括不在白名单范围内的移动存储设备、笔记本的接入;所述登录异常是指连续登录失败次数超过规定阈值的登录;所述操作异常是指执行了定义的危险操作指令,对定义的受控目录、受控文件的内容、权限进行了修改;所述状态异常是指CPU利用率、内存利用率、磁盘空间使用率、网口流量超过了规定的阈值;所述网络外联异常是指出现了不在安全策略允许范围内的网络连接;所述异常安全事件是指不符合访问控制策略的访问事件、网络攻击事件;所述关联分析是指对离散的采集信息之间进行关联性分析,找出各个离散的采集信息之间的关联关系;In step 2, the security analysis includes statistical analysis, anomaly detection, and correlation analysis; the statistical analysis refers to collecting information from information sources, information types, information importance, the amount of information on the day, and the amount of information in the current month; Abnormal detection refers to the analysis and detection of abnormal access, abnormal login, abnormal operation, abnormal status, abnormal network outreach and abnormal security events; the abnormal access includes the access of mobile storage devices and notebooks that are not within the scope of the white list; The login exception refers to the login whose number of consecutive login failures exceeds the specified threshold; the operation exception refers to the execution of a defined dangerous operation instruction, and the modification of the defined controlled directory, the content and permissions of the controlled file; the described Abnormal 
status means that the CPU utilization, memory utilization, disk space usage, and network port traffic exceed the specified threshold; the abnormal network connection refers to a network connection that is not within the scope of the security policy; the abnormal security An event refers to an access event or a network attack event that does not conform to the access control policy; the correlation analysis refers to a correlation analysis between discrete collected information to find out the correlation between each discrete collected information; 所述安全分析具体方法如下:The specific method of the security analysis is as follows: (2-1)对采集的信息进行去重、清洗、分类、格式化处理;(2-1) Deduplication, cleaning, classification and formatting of collected information; (2-2)从信息来源、信息类型、信息重要程度、当天信息数量、当月信息数量对采集信息进行综合统计;(2-2) Make comprehensive statistics on the collected information from the source of information, information type, degree of importance of information, amount of information on the current day, and amount of information on the current month; (2-3)进行异常检测,根据采集信息的类型,检测该信息是否存在异常;如果不存在,且该信息的重要程度为一般,则返回步骤(2-1),否则,转向步骤(2-4);(2-3) Carry out anomaly detection, according to the type of collected information, detect whether there is anomaly in the information; if it does not exist, and the importance of the information is general, then return to step (2-1), otherwise, turn to step (2 -4); (2-4)进行关联分析,从聚类、时序对当前的单个事件信息与其他已收集分析的事件信息进行关联分析,识别出当前事件信息所属的行为序列,并将该事件信息添加到所属的行为序列中;(2-4) Carry out association analysis, perform association analysis on the current single event information and other collected and analyzed event information from clustering and time series, identify the behavior sequence to which the current event information belongs, and add the event information to the belonging in the sequence of behaviors; (2-5)查找知识库,对所述行为序列进行威胁分析;如果分析结果没有威胁且该行为序列结束,则删除该行为序列并返回步骤(2-1);如果尚未识别到威胁,且该行为序列尚未结束,则返回步骤(2-1)继续;如果识别出该行为序列存在异常或威胁,则转向步骤(2-6);(2-5) search knowledge base, carry out threat analysis to 
described behavior sequence; if the analysis result shows no threat and the behavior sequence has ended, delete the behavior sequence and return to step (2-1); if no threat has yet been identified and the behavior sequence has not ended, return to step (2-1) and continue; if an anomaly or threat is identified in the behavior sequence, go to step (2-6);

(2-6) Issue a security alarm and initiate the follow-up security control commands.

2. The network security monitoring method for industrial control systems as claimed in claim 1, wherein in step 1 the monitoring objects comprise three classes: network equipment, security equipment and host equipment; the network equipment includes industrial control switches; the security equipment includes firewalls, network gap isolation devices and VPN encryption devices; and the host equipment includes monitoring hosts, communication gateway machines, servers and workstations.

3. The network security monitoring method for industrial control systems as claimed in claim 1, wherein in step 1 the relevant information is divided by severity, from high to low, into four classes: urgent, important, common and general.

4. The network security monitoring method for industrial control systems as claimed in claim 1, wherein in step 1 the relevant information is divided by information type into six classes: access information, login information, operation information, status information, network connection information and security event information; the access information includes the connection of mobile storage devices and the connection of laptop computers via the network; the login information includes the local and remote login information of all monitoring objects, comprising login success, login failure and logout information; the operation information refers to the operation commands issued after logging in to host equipment and network equipment through a remote terminal, together with the echoed results of those commands; the status information includes CPU utilization, memory utilization, disk space usage and network port traffic; the network connection information refers to the TCP/UDP connections existing between the host equipment and external parties; and the security event information refers to the security events detected by the security equipment.

5. The network security monitoring method for industrial control systems as claimed in claim 4, wherein the mobile storage devices include USB flash drives, portable hard disks, USB optical drives, USB network adapters, mobile phones and optical discs.

6. The network security monitoring method for industrial control systems as claimed in claim 1, wherein in step 1 the monitoring objects support information collection via SNMP, SYSLOG and custom dedicated protocols.

7. The network security monitoring method for industrial control systems as claimed in claim 1, wherein in step 3 the security control commands can be issued in several ways, including via SNMP and via a custom dedicated protocol.

8. The network security monitoring method for industrial control systems as claimed in claim 1, wherein in step 3 the methods for blocking abnormal behavior include the following: disabling the USB interface to which a suspicious mobile storage device is connected, shutting down the switch port to which an operation and maintenance laptop is connected, preventing the execution of dangerous operation commands, disconnecting suspicious login connections, and adding access control policies to block illegal access.
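The claims above describe the monitoring loop only in words: collect typed and severity-rated information from each monitoring object, keep a per-host behavior sequence open, analyse it, drop it when it ends without a threat, and otherwise raise an alarm and trigger a blocking command. The following block is an added illustration of that loop written for this page; it is not the patent's own implementation. The "host|kind|severity|detail" collector line format, the rule thresholds, the allow-list of registered USB devices, the host names in the sample feed and the mapping from detected pattern to claim-8 blocking action are all assumptions constructed for the demonstration.

```python
"""Behaviour-sequence monitor sketched from claims 1-8 above.

Added illustrative code, not the patent's own implementation. The log
format, rule thresholds, allow-lists, host names and the rule-to-command
mapping are constructed assumptions for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Information types (claim 4) and severity levels, highest first (claim 3).
INFO_TYPES = ("access", "login", "operation", "status", "netconn", "secevent")
SEVERITY = ("urgent", "important", "common", "general")

# Constructed policy data; a deployment would load these from configuration.
REGISTERED_USB = {"usb-serial-0001"}
DANGEROUS_CMDS = ("rm -rf", "shutdown", "reboot", "mkfs")


@dataclass
class Event:
    host: str
    kind: str       # one of INFO_TYPES
    severity: str   # one of SEVERITY
    detail: str


def parse_event(line):
    """Parse one constructed collector line of the form host|kind|severity|detail."""
    host, kind, severity, detail = line.split("|", 3)
    if kind not in INFO_TYPES or severity not in SEVERITY:
        raise ValueError(f"unrecognised kind or severity in {line!r}")
    return Event(host, kind, severity, detail)


def analyse(seq):
    """Evaluate one host's behaviour sequence (step 2-5 of claim 1).

    Returns (verdict, reason, command): verdict is 'threat', 'clear' (the
    sequence ended with a logout and nothing matched) or 'pending'; the
    command is one of the blocking actions listed in claim 8.
    """
    fails = 0
    for ev in seq:
        if ev.kind == "login" and ev.detail.startswith("fail"):
            fails += 1
        elif ev.kind == "login" and ev.detail.startswith("success") and fails >= 3:
            return ("threat", f"{fails} failed logins followed by a success",
                    "disconnect suspicious login connection")
        elif ev.kind == "access" and ev.detail.startswith("usb:"):
            if ev.detail[4:] not in REGISTERED_USB:
                return ("threat", f"unregistered storage device {ev.detail[4:]}",
                        "disable USB interface")
        elif ev.kind == "operation" and ev.detail.startswith("cmd:"):
            cmd = ev.detail[4:]
            if any(d in cmd for d in DANGEROUS_CMDS):
                return ("threat", f"dangerous operation command {cmd!r}",
                        "block dangerous operation instruction")
    if seq and seq[-1].kind == "login" and seq[-1].detail.startswith("logout"):
        return "clear", "sequence ended without threat", None
    return "pending", "sequence still open", None


class Monitor:
    """Keeps one open behaviour sequence per host and raises alarms."""

    def __init__(self):
        self.sequences = defaultdict(list)  # host -> open sequence (steps 2-1..2-4)
        self.alarms = []                    # (host, level, reason, command), step 2-6

    def ingest(self, line):
        ev = parse_event(line)
        seq = self.sequences[ev.host]
        seq.append(ev)
        verdict, reason, command = analyse(seq)
        if verdict == "threat":
            # Alarm level is the highest severity seen anywhere in the sequence.
            level = min((e.severity for e in seq), key=SEVERITY.index)
            self.alarms.append((ev.host, level, reason, command))
            del self.sequences[ev.host]   # sequence consumed by the alarm
        elif verdict == "clear":
            del self.sequences[ev.host]   # ended without threat: drop it
        return verdict


# Constructed sample feed: repeated login failures then a success, an
# unknown USB device, and a benign maintenance session ending in a logout.
SAMPLE_LOG = [
    "hmi-01|login|common|fail user=oper from=10.0.5.23",
    "hmi-01|login|common|fail user=oper from=10.0.5.23",
    "hmi-01|status|general|cpu=12 mem=40",
    "hmi-01|login|common|fail user=oper from=10.0.5.23",
    "hmi-01|login|important|success user=oper from=10.0.5.23",
    "gw-02|access|important|usb:usb-serial-9999",
    "eng-03|login|common|success user=eng from=10.0.7.4",
    "eng-03|operation|common|cmd:ls /opt/scada",
    "eng-03|login|general|logout user=eng",
]


def run(lines=SAMPLE_LOG):
    """Feed the lines through a fresh Monitor and return it for inspection."""
    mon = Monitor()
    for line in lines:
        mon.ingest(line)
    return mon


if __name__ == "__main__":
    for alarm in run().alarms:
        print("ALARM", *alarm)
```

Running the sample feed produces two alarms (the hmi-01 login pattern at level "important", mapped to disconnecting the login, and the unregistered device on gw-02, mapped to disabling the USB interface) and leaves no open sequence, because eng-03's session ends with a logout and is deleted as claim 1 requires. Re-scanning the whole sequence on every event keeps the rules easy to read; a production collector would track the rule state incrementally and would apply the blocking command through the SNMP or dedicated-protocol channel named in claim 7 rather than returning a string.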
CN201710605143.9A 2017-07-24 2017-07-24 A kind of network security monitoring method towards industrial control system Active CN107493265B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710605143.9A CN107493265B (en) 2017-07-24 2017-07-24 A kind of network security monitoring method towards industrial control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710605143.9A CN107493265B (en) 2017-07-24 2017-07-24 A kind of network security monitoring method towards industrial control system

Publications (2)

Publication Number Publication Date
CN107493265A CN107493265A (en) 2017-12-19
CN107493265B true CN107493265B (en) 2018-11-02

Family

ID=60644738

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710605143.9A Active CN107493265B (en) 2017-07-24 2017-07-24 A kind of network security monitoring method towards industrial control system

Country Status (1)

Country Link
CN (1) CN107493265B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3933519A1 (en) * 2020-06-26 2022-01-05 Kabushiki Kaisha Yaskawa Denki Production system, production method, and program

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108183920B (en) * 2018-01-23 2020-08-11 北京网藤科技有限公司 Defense method of industrial control system malicious code defense system
CN110224970B (en) * 2018-03-01 2021-11-23 西门子公司 Safety monitoring method and device for industrial control system
CN108696391A (en) * 2018-05-10 2018-10-23 浙江八方电信有限公司 One kind being applied to mobile network optimization and alerts Time Series Clustering algorithm
CN108712425A (en) * 2018-05-21 2018-10-26 南京南瑞集团公司 A kind of analysis monitoring and managing method towards industrial control system network security threats event
EP3803660B1 (en) * 2018-07-09 2024-05-08 Siemens Aktiengesellschaft Knowledge graph for real time industrial control system security event monitoring and management
CN108931968B (en) * 2018-07-25 2021-07-20 安徽三实信息技术服务有限公司 Network security protection system applied to industrial control system and protection method thereof
CN109150869B (en) * 2018-08-14 2021-06-04 南瑞集团有限公司 A system and method for collecting and analyzing switch information
CN109474620A (en) * 2018-12-17 2019-03-15 杭州安恒信息技术股份有限公司 The quickly method, apparatus and electronic equipment of protection internet security love scene
CN109462621A (en) * 2019-01-10 2019-03-12 国网浙江省电力有限公司杭州供电公司 Network safety protective method, device and electronic equipment
CN109922055A (en) * 2019-02-26 2019-06-21 深圳市信锐网科技术有限公司 A kind of detection method, system and the associated component of risk terminal
CN110011973B (en) * 2019-03-06 2021-08-03 浙江国利网安科技有限公司 Industrial control network access rule construction method and training system
CN110505215B (en) * 2019-07-29 2021-03-30 电子科技大学 Industrial control system network attack coping method based on virtual operation and state conversion
CN110661339A (en) * 2019-10-10 2020-01-07 四川洪辉电力科技有限公司 Method for monitoring running state of monitoring host of transformer substation
CN110933064B (en) * 2019-11-26 2023-10-03 云南电网有限责任公司信息中心 Method and system for determining user behavior trajectory
CN110809009A (en) * 2019-12-12 2020-02-18 江苏亨通工控安全研究院有限公司 Two-stage intrusion detection system applied to industrial control network
CN111031062B (en) * 2019-12-24 2020-12-15 四川英得赛克科技有限公司 Industrial control system panoramic perception monitoring method, device and system with self-learning function
CN111786822A (en) * 2020-06-17 2020-10-16 许昌许继软件技术有限公司 A remote management method for gateway machine
CN111698267B (en) * 2020-07-02 2022-07-26 厦门力含信息技术服务有限公司 Information security testing system and method for industrial control system
CN112187914A (en) * 2020-09-24 2021-01-05 上海思寒环保科技有限公司 Remote control robot management method and system
CN112543289A (en) * 2020-10-29 2021-03-23 中国农业银行股份有限公司福建省分行 AI (artificial intelligence) video point counting method, device, equipment and medium for pig breeding
CN112419130B (en) * 2020-11-17 2024-02-27 北京京航计算通讯研究所 Emergency response system and method based on network security monitoring and data analysis
CN112799358B (en) * 2020-12-30 2022-11-25 上海磐御网络科技有限公司 Industrial control safety defense system
CN113191917B (en) * 2021-03-09 2023-04-07 中国大唐集团科学技术研究院有限公司 Power plant industrial control system network security threat classification method based on radial basis function algorithm
CN115001877B (en) * 2022-08-08 2022-12-09 北京宏数科技有限公司 Big data-based information security operation and maintenance management system and method
CN115712540A (en) * 2022-11-17 2023-02-24 国电南瑞南京控制系统有限公司 Linux system terminal operation record real-time monitoring method and device
CN118503970B (en) * 2024-07-17 2024-10-01 烽台科技(北京)有限公司 Industrial control host Trojan horse detection method and system based on behavior characteristics
CN120930143B (en) * 2025-07-18 2026-04-21 江苏中控普惠信息科技有限公司 Security audit method and system for industrial control system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015194604A1 (en) * 2014-06-18 2015-12-23 日本電信電話株式会社 Network system, control apparatus, communication apparatus, communication control method, and communication control program
CN106209826A (en) * 2016-07-08 2016-12-07 瑞达信息安全产业股份有限公司 A kind of safety case investigation method of Network Security Device monitoring
CN106627102A (en) * 2017-02-10 2017-05-10 中国第汽车股份有限公司 Wheel hub motor driving device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3933519A1 (en) * 2020-06-26 2022-01-05 Kabushiki Kaisha Yaskawa Denki Production system, production method, and program
JP2022007436A (en) * 2020-06-26 2022-01-13 株式会社安川電機 Engineering device, host controller, engineering method, process execution method, and program
JP7147807B2 (en) 2020-06-26 2022-10-05 株式会社安川電機 Engineering device, host control device, engineering method, processing execution method, and program
US11709478B2 (en) 2020-06-26 2023-07-25 Kabushiki Kaisha Yaskawa Denki Production system, production method, and information storage medium

Also Published As

Publication number Publication date
CN107493265A (en) 2017-12-19

Similar Documents

Publication Publication Date Title
CN107493265B (en) A kind of network security monitoring method towards industrial control system
CN114978770B (en) Internet of Things security risk early warning management and control method and system based on big data
CN108931968B (en) Network security protection system applied to industrial control system and protection method thereof
CN214306527U (en) Gas pipe network scheduling monitoring network safety system
CN108712425A (en) A kind of analysis monitoring and managing method towards industrial control system network security threats event
CN113438249B (en) Attack tracing method based on strategy
EP3151152B1 (en) Non-intrusive software agent for monitoring and detection of cyber security events and cyber-attacks in an industrial control system
CN106982235A (en) A kind of power industry control network inbreak detection method and system based on IEC 61850
WO2020087781A1 (en) External connection type terminal protection device and protection system
KR101880162B1 (en) Method for Control Signals Verifying Integrity Using Control Signals Analysis in Automatic Control System
CN113596028A (en) Method and device for handling network abnormal behaviors
CN111835680A (en) Safety protection system of industry automatic manufacturing
KR101871406B1 (en) Method for securiting control system using whitelist and system for the same
CN111885020A (en) Network attack behavior real-time capturing and monitoring system with distributed architecture
CN115913606A (en) A mobile safety operation and maintenance system and method suitable for electric power industrial control systems
CN114666088A (en) Method, device, equipment and medium for detecting industrial network data behavior information
CN119966659A (en) A multi-level dynamic network attack detection and response method
Feng et al. Snort improvement on profinet RT for industrial control system intrusion detection
CN111786986A (en) A kind of numerical control system network intrusion prevention system and method
Zhang et al. Investigating the impact of cyber attacks on power system reliability
Xiang et al. Network intrusion detection method for secondary system of intelligent substation based on semantic enhancement
CN117201044A (en) Industrial Internet security protection system and method
CN112417434A (en) Program white list protection method combined with UEBA mechanism
CN111885179B (en) External terminal protection device and protection system based on file monitoring service
CN202713367U (en) Main station applicable to power utilization information acquisition system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant