CN109164786A - A kind of anomaly detection method based on time correlation baseline, device and equipment - Google Patents
- Publication number
- CN109164786A (application number CN201810973981.6A)
- Authority
- CN
- China
- Prior art keywords
- data
- time
- baseline
- network
- real
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B23/00—Testing or monitoring of control systems or parts thereof
- G05B23/02—Electric testing or monitoring
- G05B23/0205—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
- G05B23/0218—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Testing And Monitoring For Control Systems (AREA)
- Alarm Systems (AREA)
Abstract
This application discloses an anomaly detection method, device and equipment based on a time-correlated baseline, applied to an industrial control network. The method comprises: obtaining the real-time detection data of the current preset time period; comparing the real-time detection data with an expected network baseline to obtain a comparison result; and using the comparison result to determine whether the industrial control network is abnormal. The expected network baseline is the data obtained by predicting the detection data of the current preset time period from the historical detection data of the same preset time period in the past. Judging whether the industrial control network is abnormal by comparing real-time detection data with the expected network baseline addresses the inability of existing industrial control systems to identify network anomalies and abnormal user behaviour, and improves the security of the industrial control network. In addition, because the expected network baseline is tied to the preset time period, abnormal behaviour that has a temporal regularity can be discriminated accurately, and the false-alarm rate caused by time-correlated effects is reduced.
Description
Technical field
The present invention relates to the technical field of industrial control networks, and in particular to an anomaly detection method, device and equipment based on a time-correlated baseline.
Background technique
In recent years, with the development of information technology, industrial control networks have become exposed not only to operator error by employees but, because of their increasing openness, to attacks that exploit vulnerabilities. Following incidents such as Stuxnet, the attacks suffered by industrial control networks have grown in number; they disrupt the normal operation of industrial control systems and exfiltrate industrial information, which has drawn further attention to the information security of industrial control. However, because there is no detection indicator that can be relied on completely, anomaly detection in industrial control systems remains difficult.

In the prior art, detection in an industrial control system is often limited to the pulse frequency and size of the transmissions within the system. Such detection cannot identify network anomalies or abnormal user behaviour, so missed detections are severe, and it is prone to false judgements caused by the data-traffic peaks of particular time periods. How to address the security of industrial control networks while reducing the false-alarm rate of abnormal-behaviour detection therefore requires close attention from those skilled in the art.
Summary of the invention
In view of this, the purpose of the present invention is to provide an anomaly detection method, device and equipment based on a time-correlated baseline, in order to solve the problem that the prior art cannot identify network anomalies and abnormal user behaviour, and to avoid the false judgements caused by time-correlated data-traffic peaks. The specific scheme is as follows:

In a first aspect, the invention discloses an anomaly detection method based on a time-correlated baseline, applied to an industrial control network, comprising:

obtaining the real-time detection data of the current preset time period, the real-time detection data being the data obtained by detecting the industrial control network;

comparing the real-time detection data with an expected network baseline to obtain a comparison result, the expected network baseline being the data obtained by predicting the detection data of the current preset time period from the historical detection data of the same preset time period in the past; and

judging whether the industrial control network is abnormal using the comparison result.
Optionally, obtaining the real-time detection data of the current preset time period comprises obtaining the real-time network traffic data, real-time user behaviour data and real-time process-control behaviour data of the current preset time period.

Optionally, before comparing the real-time detection data with the expected network baseline, the method further comprises obtaining the expected network baseline either by generating it in real time or by reading pre-generated data. The generation of the expected network baseline comprises:

predicting the network traffic data of the current preset time period from the historical network traffic data of the same preset time period in the past, to obtain an expected network traffic baseline;

predicting the user behaviour data of the current preset time period from the historical user behaviour data of the same preset time period in the past, to obtain an expected user behaviour baseline; and

predicting the process-control behaviour data of the current preset time period from the historical process-control behaviour data of the same preset time period in the past, to obtain an expected process-control behaviour baseline.
Optionally, comparing the real-time detection data with the expected network baseline to obtain a comparison result comprises: comparing the real-time network traffic data with the expected network traffic baseline; and if the real-time network traffic data conforms to the expected network traffic baseline, determining that the comparison result is that the current data meets the prediction.

Optionally, comparing the real-time network traffic data with the expected network traffic baseline further comprises: if the real-time network traffic data does not conform to the expected network traffic baseline, comparing the real-time user behaviour data with the expected user behaviour baseline; and if the real-time user behaviour data conforms to the expected user behaviour baseline, determining that the comparison result is that the current data meets the prediction.

Optionally, comparing the real-time user behaviour data with the expected user behaviour baseline further comprises: if the real-time user behaviour data does not conform to the expected user behaviour baseline, comparing the real-time process-control behaviour data with the expected process-control behaviour baseline; and if the real-time process-control behaviour data conforms to the expected process-control behaviour baseline, determining that the comparison result is that the current data meets the prediction.

Optionally, comparing the real-time process-control behaviour data with the expected process-control behaviour baseline further comprises: if the real-time process-control behaviour data does not conform to the expected process-control behaviour baseline, determining that the comparison result is that the current data does not meet the prediction.

Optionally, judging whether the industrial control network is abnormal using the comparison result comprises: if the comparison result is that the current data does not meet the prediction, determining that the industrial control network is abnormal, issuing a warning and sending the data anomaly to the administrator; and if the comparison result is that the current data meets the prediction, determining that the industrial control network is normal and recording the time and operation behaviour of the related event.
In a second aspect, the invention discloses an anomaly detection device based on a time-correlated baseline, applied to an industrial control network, comprising:

a data acquisition module for obtaining the real-time detection data of the current preset time period, the real-time detection data being the data obtained by detecting the industrial control network;

a data comparison module for comparing the real-time detection data with an expected network baseline to obtain a comparison result, the expected network baseline being the data obtained by predicting the detection data of the current preset time period from the historical detection data of the same preset time period in the past; and

an anomaly judgement module for judging whether the industrial control network is abnormal using the comparison result.

In a third aspect, the invention discloses anomaly detection equipment based on a time-correlated baseline, applied to an industrial control network, comprising:

a memory for storing a computer program; and

a processor for executing the computer program so as to implement the steps of the anomaly detection method disclosed above.
It can be seen that the present invention obtains the real-time detection data of the current preset time period, compares it with the expected network baseline to obtain a comparison result, and uses the comparison result to determine whether the industrial control network is abnormal, where the real-time detection data is the data obtained by detecting the industrial control network and the expected network baseline is the data obtained by predicting the detection data of the current preset time period from the historical detection data of the same preset time period in the past. Judging whether the current industrial control network is abnormal by comparing real-time detection data with an expected network baseline solves the problem that existing industrial control systems cannot identify network anomalies and abnormal user behaviour, and improves the security of the industrial control network. In addition, because the expected network baseline is predicted from the historical detection data of the same preset time period, abnormal behaviour with a temporal regularity can be discriminated accurately, and the false-alarm rate caused by time-correlated data-traffic peaks is reduced.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. It will be apparent that the drawings described below are only embodiments of the invention, and that those of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a flow chart of an anomaly detection method based on a time-correlated baseline disclosed by the invention;

Fig. 2 is a flow chart of a specific anomaly detection method based on a time-correlated baseline disclosed by the invention;

Fig. 3 is a schematic structural diagram of an anomaly detection device based on a time-correlated baseline disclosed by the invention;

Fig. 4 is a schematic hardware structural diagram of anomaly detection equipment based on a time-correlated baseline disclosed by the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.

In the prior art, because there is no detection indicator that can be relied on completely, an industrial control system cannot identify network anomalies or abnormal user behaviour and is prone to false judgements caused by the data-traffic peaks of particular time periods. The technical solution disclosed by the invention detects abnormal network behaviour in an industrial control system, reduces the false-alarm rate and improves the security of the industrial control system.
The embodiment of the invention discloses an anomaly detection method based on a time-correlated baseline, applied to an industrial control network. As shown in Fig. 1, the method comprises:

Step S101: obtain the real-time detection data of the current preset time period, the real-time detection data being the data obtained by detecting the industrial control network.

In this embodiment, the real-time detection data of the current preset time period can be collected from program logs, network monitors and/or application monitors, yielding real-time network traffic data, real-time user behaviour data and real-time process-control behaviour data. The preset time period is the period over which detection is performed; it can be configured according to the actual business situation without affecting the implementation of the invention.

It should be noted that the real-time network traffic data includes any one or any combination of: total number of source IP addresses, total number of destination IP addresses, total number of TCP/UDP ports, network capacity and traffic duration. The real-time user behaviour data includes any one or any combination of: total number of live users, total number of users logging in or logging out, and the login and logout operations performed by users. The real-time process-control behaviour data includes any one or any combination of: total number of function codes, total number of characters per function-code segment, and total number of configuration changes.

Specifically, real-time network traffic data can be obtained by capturing data with a network probe or by collecting the traffic logs of network switches and routers; real-time user behaviour data can be obtained by collecting application logs, database logs and authentication records; and real-time process-control behaviour data can be obtained by identifying historical tags or by collecting data from an industrial control protocol monitor or application monitor.
Step S102: compare the real-time detection data with an expected network baseline to obtain a comparison result, the expected network baseline being the data obtained by predicting the detection data of the current preset time period from the historical detection data of the same preset time period in the past.

It should be noted that before comparing the real-time detection data with the expected network baseline, this embodiment also obtains the expected network baseline either by generating it in real time or by reading pre-generated data. In one specific embodiment, an expected network baseline is generated in real time from the historical detection data of the same preset time period before each comparison. In another specific embodiment, the expected network baseline is generated in advance from that historical detection data, and the pre-generated baseline data is read directly during subsequent detection; the expected network baseline then only needs to be generated once and can be reused, which saves working time and further improves detection efficiency.

In this embodiment, comparing the real-time detection data with the expected network baseline to obtain a comparison result specifically comprises checking whether the real-time detection data conforms to the expected network baseline: if it conforms, the comparison result is that the current data meets the prediction; if it does not, the comparison result is that the current data does not meet the prediction.
It will be understood that in a specific implementation, expected network baselines based on different temporal regularities can be set up for different business scenarios and system conditions. For example, since the number of logins on a Monday morning is far larger than the number of logins at the weekend, workdays can be taken as one preset time period and the historical detection data of workdays used to obtain a workday expected network baseline, while the weekend is taken as another preset time period and the historical detection data of weekends used to obtain a weekend expected network baseline. When real-time detection data is obtained, it is first determined whether the time period in which it falls is a weekend or a workday; if it is a weekend, the real-time detection data is compared with the weekend expected network baseline, and if it is a workday, with the workday expected network baseline. Using the expected network baseline of the corresponding time period as the discrimination standard for data with different temporal regularities effectively reduces false alarms while accurately discriminating abnormal behaviour that has a temporal regularity.

Specifically, whether the real-time detection data conforms to the expected network baseline can be judged against a preset conformance range, which characterises the permitted degree of deviation between the real-time detection data and the expected network baseline. In implementation, the preset conformance range can be set in advance, manually or by default, according to the required detection accuracy: if a higher detection accuracy for abnormal behaviour is required, the range is set smaller; if a lower accuracy is acceptable, the range is set larger. It will be understood that when a higher detection accuracy is required, the range should be made smaller but not excessively so, and should remain within the permissible error range, so that the detection results stay accurate.
Step S103: judge whether the industrial control network is abnormal using the comparison result.

In this embodiment, if the comparison result is that the current data meets the prediction, the current industrial control network is normal, and the time and operation behaviour of the related event are recorded to generate a log; if the comparison result is that the current data does not meet the prediction, the current industrial control network is abnormal, and a warning is issued and a log generated.

Specifically, when the comparison result is that the current data does not meet the prediction, after issuing the warning and generating the log, more precise information about the data anomaly can be obtained by correlating the log information with the event information of the system security equipment, and sent to the administrator.

In summary, this embodiment obtains the real-time detection data of the current preset time period, compares it with the expected network baseline, and uses the comparison result to determine whether the industrial control network is abnormal. This solves the problem that existing industrial control systems cannot identify network anomalies and abnormal user behaviour, and improves the security of the industrial control network; and because the expected network baseline is predicted from the historical detection data of the same preset time period, abnormal behaviour with a temporal regularity can be discriminated accurately and the false-alarm rate caused by time-correlated data-traffic peaks is reduced.
The embodiment of the invention discloses a specific anomaly detection method comprising:

Step S201: obtain the real-time detection data of the current preset time period, the real-time detection data being the data obtained by detecting the industrial control network.

The details of step S201 can be found in the previous embodiment and are not repeated here.

Step S202: predict the detection data of the current preset time period from the historical detection data of the same preset time period in the past, to obtain the expected network baseline.

In this embodiment, the process of obtaining the expected network baseline from historical detection data can be as follows: the historical detection data of the same preset time period in several different historical production cycles is sampled and computed to obtain a preliminary baseline behaviour; the detection data of the current preset time period is then predicted on the basis of the actual conditions, and the baseline behaviour is adjusted accordingly to obtain the final expected network baseline. The actual conditions may include environmental changes, device parameters and other factors that may affect the baseline behaviour.

Specifically, this embodiment samples and computes the historical network traffic data of the same preset time period in several different historical production cycles to obtain a preliminary network traffic baseline behaviour, predicts the network traffic data of the current preset time period on the basis of the actual conditions, and adjusts the network traffic baseline behaviour accordingly to obtain the final expected network traffic baseline.

In addition, in the embodiment of the invention, the process of obtaining the expected user behaviour baseline from the historical user behaviour data of the same preset time period, and the process of obtaining the expected process-control behaviour baseline from the historical process-control behaviour data of the same preset time period, are similar to the process of obtaining the expected network traffic baseline from the historical network traffic data described above; reference can be made to the generation steps of the expected network traffic baseline, which are not repeated here.

Step S203: compare the real-time detection data with the expected network baseline to obtain a comparison result.

Step S204: judge whether the industrial control network is abnormal using the comparison result.

The details of steps S203 and S204 can be found in the previous embodiment and are not repeated here.
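The following is an added example, not code from the patent, of the baseline generation of step S202 combined with the period-specific comparison and preset conformance range described under step S102. The workday/weekend split is the one given in the description; the metric names, the four-week constructed history, the use of a mean and population standard deviation as the sampled baseline, and the 3-sigma conformance range are assumptions made for the demonstration. The last check in `run_demo` builds a single pooled baseline that ignores the time period, to show the missed detection that the time-correlated baseline avoids.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def period_of(ts):
    """Preset time period a timestamp falls in: the workday/weekend split from the
    description. Finer splits (e.g. workday morning) plug in the same way."""
    return "weekend" if ts.weekday() >= 5 else "workday"


def build_baselines(history, period_fn=period_of, adjust=None):
    """history: iterable of (datetime, {metric: value}) samples taken over several
    past production cycles. Samples are bucketed by preset period and summarised
    per metric as (mean, population stdev). `adjust` is an optional
    {period: {metric: multiplier}} that folds known changes (new devices,
    environment changes) into the sampled mean, as step S202 allows."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, sample in history:
        for metric, value in sample.items():
            buckets[period_fn(ts)][metric].append(value)
    baselines = {}
    for period, metrics in buckets.items():
        baselines[period] = {}
        for metric, values in metrics.items():
            factor = (adjust or {}).get(period, {}).get(metric, 1.0)
            baselines[period][metric] = (mean(values) * factor, pstdev(values))
    return baselines


def conforms(value, baseline, tolerance):
    """Preset conformance range: |value - mean| <= tolerance * stdev. The stdev is
    floored at 1.0 so a perfectly flat history does not alert on a +1 change.
    A smaller tolerance is stricter; a larger one accepts more deviation."""
    mu, sigma = baseline
    return abs(value - mu) <= tolerance * max(sigma, 1.0)


def check_sample(ts, sample, baselines, tolerance=3.0, period_fn=period_of):
    """Steps S102/S103: compare one real-time sample with the baseline of the
    period it falls in. Returns (comparison_result, {metric: value} that deviated)."""
    base = baselines[period_fn(ts)]
    deviations = {m: v for m, v in sample.items() if not conforms(v, base[m], tolerance)}
    result = "meets prediction" if not deviations else "does not meet prediction"
    return result, deviations


def constructed_history(weeks=4):
    """Constructed history, not real data: daily totals over four weeks starting on
    Monday 2018-07-02. Workdays see ~200 logins from ~40 source IPs, weekends
    ~10 logins from ~5 source IPs, with deterministic +/-2 jitter."""
    start = datetime(2018, 7, 2)
    history = []
    for i in range(weeks * 7):
        ts = start + timedelta(days=i)
        jitter = (i % 5) - 2
        if ts.weekday() >= 5:
            history.append((ts, {"login_total": 10 + jitter, "src_ip_total": 5 + jitter}))
        else:
            history.append((ts, {"login_total": 200 + jitter, "src_ip_total": 40 + jitter}))
    return history


def run_demo():
    """Three comparison results: a normal Monday; a Sunday with 150 logins judged
    against the weekend baseline; the same Sunday judged against one pooled
    baseline that ignores the time period (its workday/weekend mix drags the
    mean to ~146 logins and inflates the spread, so the spike is not caught)."""
    history = constructed_history()
    per_period = build_baselines(history)
    pooled = build_baselines(history, period_fn=lambda ts: "all")
    monday = datetime(2018, 7, 30)
    sunday = datetime(2018, 7, 29)
    sunday_sample = {"login_total": 150, "src_ip_total": 6}
    return (
        check_sample(monday, {"login_total": 202, "src_ip_total": 41}, per_period),
        check_sample(sunday, sunday_sample, per_period),
        check_sample(sunday, sunday_sample, pooled, period_fn=lambda ts: "all"),
    )


if __name__ == "__main__":
    labels = ("monday/workday baseline", "sunday/weekend baseline", "sunday/pooled baseline")
    for label, (result, deviations) in zip(labels, run_demo()):
        print(f"{label}: {result} {deviations}")
```

The tolerance argument plays the role of the preset conformance range: lowering it towards 1.0 makes the check stricter, raising it accepts more deviation, matching the trade-off the description gives. A pre-generated baseline, as in the second embodiment of step S102, is simply the dictionary returned by `build_baselines` stored and reloaded between detection rounds.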
The embodiment of the invention discloses a specific anomaly detection method comprising:

Step S301: obtain the real-time network traffic data, real-time user behaviour data and real-time process-control behaviour data of the current preset time period.

Step S302: read the pre-generated expected network traffic baseline, expected user behaviour baseline and expected process-control behaviour baseline.

The details of steps S301 and S302 can be found in the previous embodiments and are not repeated here.

Step S303: compare the real-time network traffic data with the expected network traffic baseline.

Step S304: if the real-time network traffic data conforms to the expected network traffic baseline, determine that the comparison result is that the current data meets the prediction; if it does not conform, compare the real-time user behaviour data with the expected user behaviour baseline.

If the real-time user behaviour data conforms to the expected user behaviour baseline, determine that the comparison result is that the current data meets the prediction; if it does not conform, compare the real-time process-control behaviour data with the expected process-control behaviour baseline.

If the real-time process-control behaviour data conforms to the expected process-control behaviour baseline, determine that the comparison result is that the current data meets the prediction; if it does not conform, determine that the comparison result is that the current data does not meet the prediction.

Step S305: judge whether the industrial control network is abnormal using the comparison result.

As shown in Fig. 2, this embodiment does not compare all of the real-time detection data with the corresponding expected network baselines. Instead, the real-time network traffic data is first compared with the expected network traffic baseline. If the real-time network traffic data conforms to the expected network traffic baseline, the current industrial control network shows no abnormal operation; the real-time user behaviour data and real-time process-control behaviour data are not examined further, the time and operation behaviour of the related event are recorded, this round of detection ends and the next round begins.

If the real-time network traffic data does not conform to the expected network traffic baseline, abnormal operation may be occurring in the current industrial control network, so this round of detection continues by comparing the real-time user behaviour data with the expected user behaviour baseline. If the real-time user behaviour data conforms to the expected user behaviour baseline, the current industrial control network shows no abnormal operation; the time and operation behaviour of the related event are recorded, this round of detection ends and the next round begins.

If the real-time user behaviour data does not conform to the expected user behaviour baseline either, abnormal operation causing the data anomaly may still be occurring, so this round of detection continues by comparing the real-time process-control behaviour data with the expected process-control behaviour baseline. If the real-time process-control behaviour data conforms to the expected process-control behaviour baseline, the current industrial control network shows no abnormal operation; the time and operation behaviour of the related event are recorded, this round of detection ends and the next round begins.

If the real-time process-control behaviour data does not conform to the expected process-control behaviour baseline, abnormal operation has occurred in the current industrial control network and caused the data anomaly; a warning is issued and the data anomaly information is sent to the administrator.
The embodiment of the invention discloses a specific anomaly detection method comprising:

Step S401: obtain the historical network traffic data, historical user behaviour data and historical process-control behaviour data of the same preset time period in different production cycles.

Step S402: predict the detection data of the current preset time period from the historical network traffic data, historical user behaviour data and historical process-control behaviour data, to obtain the expected network baseline.

Step S402: compare each item of the actually detected data with the expected network baseline.

Step S403: check whether the total number of IP addresses conforms to the expected network baseline in the database; if it conforms, record the time and operation of the event and continue with the next check; if it does not conform to the baseline, assume non-employee operation and, from the collected data, search the network for traffic and abnormal devices that have appeared and for unauthorised services being run.

Step S404: check whether the number of live users on the equipment conforms to the baseline in the database; if it conforms, record the time and operation of the event and continue with the next check; if it does not, inspect the management logs and judge whether abnormal operation has occurred, such as a malicious user passing through the system's authentication process or an administrator account being stolen and misused by an attacker.

Step S405: check the protocol monitor of the equipment to determine whether the function codes on the device conform to the baseline in the database; if they conform, record the time and operation of the event and continue with the next check; if they do not, raise an alert for the abnormal behaviour and send the data anomaly to the administrator.

Step S406: collect the logs of the security equipment, correlate them with the events of the system security equipment, and send the resulting anomaly data to the administrator.
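The following is an added example, not code from the patent, of the staged comparison of steps S303 and S304 and the judgement of step S305; the same per-metric `deviating` check, applied to one metric at a time, is what the checks of steps S403 to S405 perform. The stage order is the one in the description. The metric names follow the kinds of data listed under step S101, but the baseline values, the three constructed real-time samples and the relative conformance range of 20% are assumptions made for the demonstration.

```python
# Order in which the three data groups are consulted (steps S303 and S304).
STAGES = ("network_flow", "user_behavior", "process_control")


def within(value, expected, tolerance):
    """Preset conformance range, expressed as a relative band around the
    expected value (an assumption; an absolute or sigma-based band works too)."""
    return expected * (1 - tolerance) <= value <= expected * (1 + tolerance)


def deviating(realtime, baseline, tolerance):
    """Metrics of one stage whose real-time value leaves the conformance range."""
    return {m: realtime[m] for m in baseline if not within(realtime[m], baseline[m], tolerance)}


def staged_compare(realtime, baselines, tolerance=0.2):
    """Steps S303/S304: consult each stage in order and stop at the first one that
    conforms. Only when every stage deviates is the result 'does not meet
    prediction'. Returns (comparison_result, stages_checked, deviations)."""
    checked = []
    for stage in STAGES:
        checked.append(stage)
        dev = deviating(realtime[stage], baselines[stage], tolerance)
        if not dev:
            return "meets prediction", checked, {}
    return "does not meet prediction", checked, dev


def judge(realtime, baselines, tolerance=0.2):
    """Step S305: map the comparison result to the action the description takes."""
    result, checked, dev = staged_compare(realtime, baselines, tolerance)
    if result == "meets prediction":
        return {"status": "normal", "stages": checked,
                "action": "record event time and operation behaviour"}
    return {"status": "abnormal", "stages": checked, "deviations": dev,
            "action": "warn and send data anomaly to administrator"}


# Constructed pre-generated baselines (step S302), one group per stage, using the
# metric kinds listed under step S101. The values are illustrative only.
BASELINES = {
    "network_flow": {"src_ip_total": 40, "dst_ip_total": 12, "tcp_udp_port_total": 30},
    "user_behavior": {"alive_users": 25, "login_total": 200},
    "process_control": {"function_code_total": 600, "config_change_total": 2},
}


def run_demo():
    """Three constructed real-time samples for one preset time period."""
    quiet = {
        "network_flow": {"src_ip_total": 42, "dst_ip_total": 12, "tcp_udp_port_total": 31},
        "user_behavior": {"alive_users": 26, "login_total": 210},
        "process_control": {"function_code_total": 610, "config_change_total": 2},
    }
    # Traffic from many new source IPs, but users and the process look ordinary:
    # stage 2 clears it and stage 3 is never consulted.
    busy = dict(quiet, network_flow={"src_ip_total": 70, "dst_ip_total": 12,
                                     "tcp_udp_port_total": 31})
    # The same traffic surge plus a login spike and a burst of configuration changes.
    attack = dict(busy,
                  user_behavior={"alive_users": 26, "login_total": 380},
                  process_control={"function_code_total": 610, "config_change_total": 9})
    return judge(quiet, BASELINES), judge(busy, BASELINES), judge(attack, BASELINES)


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The short-circuit is the efficiency gain the embodiment describes, and it is also its blind spot: a configuration change at the controller that leaves traffic volumes and login counts inside their ranges is never compared at the process-control stage, so a deployment that must catch low-and-slow changes at that level should run the process-control comparison unconditionally rather than only after the first two stages have deviated.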
In addition, the embodiment of the invention also discloses an anomaly detection device based on a time-correlated baseline, applied to an industrial control network. As shown in Fig. 3, the device comprises:

a data acquisition module 100 for obtaining the real-time detection data of the current preset time period, the real-time detection data being the data obtained by detecting the industrial control network;

a data comparison module 200 for comparing the real-time detection data with the expected network baseline to obtain a comparison result, the expected network baseline being the data obtained by predicting the detection data of the current preset time period from the historical detection data of the same preset time period in the past; and

an anomaly judgement module 300 for judging whether the industrial control network is abnormal using the comparison result.

The anomaly detection device of this embodiment implements the anomaly detection method described above; the specific implementation of each part of the device can therefore be found in the corresponding description of the method embodiments and is not repeated here.

In addition, the embodiment of the invention also discloses an industrial control system comprising the anomaly detection device disclosed above.
In addition, an embodiment of the invention also discloses abnormal behavior detection equipment, including a processor 11 and a memory 12, where the following steps are performed when the processor 11 executes the computer program stored in the memory 12:
obtain the real-time detection data in the current preset time period, where the real-time detection data are the data obtained by detecting the industrial control network; compare the real-time detection data with the expected network baseline to obtain a comparison result, where the expected network baseline is the data obtained by predicting the detection data in the current preset time period from the historical detection data in the historical preset time period; and judge whether the industrial control network is abnormal using the comparison result.
In this embodiment, when executing the computer program stored in the memory 12, the processor 11 may specifically perform the following step: obtain the real-time network traffic data, the current user behavior data and the real-time process control behavior data in the current preset time period.
In this embodiment, when executing the computer program stored in the memory 12, the processor 11 may specifically perform the following steps: predict the network traffic data in the current preset time period from the historical network traffic data in the historical preset time period, obtaining the expected network traffic baseline; predict the user behavior data in the current preset time period from the historical user behavior data in the historical preset time period, obtaining the expected user behavior baseline; predict the process control behavior data in the current preset time period from the historical process control behavior data in the historical preset time period, obtaining the expected process control behavior baseline.
In this embodiment, when executing the computer program stored in the memory 12, the processor 11 may specifically perform the following steps: compare the real-time network traffic data with the expected network traffic baseline; if the real-time network traffic data meet the expected network traffic baseline, determine that the comparison result is that the current data meet the prediction.
In this embodiment, when executing the computer program stored in the memory 12, the processor 11 may specifically perform the following steps: if the real-time network traffic data do not meet the expected network traffic baseline, compare the current user behavior data with the expected user behavior baseline; if the current user behavior data meet the expected user behavior baseline, determine that the comparison result is that the current data meet the prediction.
In this embodiment, when executing the computer program stored in the memory 12, the processor 11 may specifically perform the following steps: if the current user behavior data do not meet the expected user behavior baseline, compare the real-time process control behavior data with the expected process control behavior baseline; if the real-time process control behavior data meet the expected process control behavior baseline, determine that the comparison result is that the current data meet the prediction.
In this embodiment, when executing the computer program stored in the memory 12, the processor 11 may specifically perform the following step: if the real-time process control behavior data do not meet the expected process control behavior baseline, determine that the comparison result is that the current data do not meet the prediction.
In this embodiment, when executing the computer program stored in the memory 12, the processor 11 may specifically perform the following steps: if the comparison result is that the current data do not meet the prediction, determine that the industrial control network is abnormal, issue an alert, and send the data anomaly to the administrator; if the comparison result is that the current data meet the prediction, determine that the industrial control network is normal, and record the time and operation behavior of the relevant event.
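The staged comparison described in the processor steps above (and again in claims 3 to 8), as an added Python example that is not the patent's own code: a baseline is predicted for each time slot from the history of that slot, and the current window is checked tier by tier (network traffic, then user behavior, then process control), with matches logged and a mismatch raised as an alert. The hour-of-week slot, the k-sigma traffic band, the set-based user and function-code checks, and all sample data are constructed assumptions.

```python
"""Staged comparison against per-time-slot baselines (constructed example).

The "preset time period" is modelled as an hour-of-week slot (0..167); the
baseline for a slot is predicted from the history observed in that same slot.
Three tiers are checked in the order the patent describes: network traffic,
then user behavior, then process control behavior.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Observation:
    slot: int                  # hour-of-week of the observation window (assumed)
    ip_count: int              # traffic metric: distinct IP addresses seen (S403)
    active_users: frozenset    # user behavior: accounts active in the window (S404)
    function_codes: frozenset  # process control: protocol function codes seen (S405)


@dataclass(frozen=True)
class Baseline:
    ip_mean: float
    ip_std: float
    known_users: frozenset
    max_users: int
    known_codes: frozenset


def build_baselines(history):
    """Predict one Baseline per slot from the historical observations of that slot."""
    by_slot = {}
    for obs in history:
        by_slot.setdefault(obs.slot, []).append(obs)
    baselines = {}
    for slot, group in by_slot.items():
        counts = [o.ip_count for o in group]
        baselines[slot] = Baseline(
            ip_mean=mean(counts),
            ip_std=pstdev(counts),  # population std; 0.0 for a single sample
            known_users=frozenset().union(*(o.active_users for o in group)),
            max_users=max(len(o.active_users) for o in group),
            known_codes=frozenset().union(*(o.function_codes for o in group)),
        )
    return baselines


def compare(obs, baselines, k=3.0):
    """Return (verdict, tier): the cascade of claims 4 to 7.

    verdict is "matches" or "mismatch" ("no_baseline" is a defensive addition
    for slots with no history, a case the patent does not cover); tier names
    the check that produced the verdict.
    """
    base = baselines.get(obs.slot)
    if base is None:
        return "no_baseline", None
    # Tier 1: traffic within k standard deviations of the slot's mean.
    # A floor of 1.0 on the std avoids rejecting everything when history is constant.
    if abs(obs.ip_count - base.ip_mean) <= k * max(base.ip_std, 1.0):
        return "matches", "traffic"
    # Tier 2: only previously seen accounts, and no more of them than ever seen.
    if obs.active_users <= base.known_users and len(obs.active_users) <= base.max_users:
        return "matches", "users"
    # Tier 3: only previously seen protocol function codes.
    if obs.function_codes <= base.known_codes:
        return "matches", "process"
    return "mismatch", "process"


def run(observations, baselines):
    """Claim 8: log matching events, alert on mismatches. Returns (event_log, alerts)."""
    event_log, alerts = [], []
    for obs in observations:
        verdict, tier = compare(obs, baselines)
        if verdict == "matches":
            event_log.append((obs.slot, tier))
        else:
            alerts.append((obs.slot, verdict, obs))
    return event_log, alerts


# Constructed history for one slot (Monday 09:00, slot 9); not real plant data.
HISTORY = [
    Observation(9, 20, frozenset({"op1", "op2"}), frozenset({3, 16})),
    Observation(9, 22, frozenset({"op1"}), frozenset({3, 6})),
    Observation(9, 21, frozenset({"op2"}), frozenset({3})),
    Observation(9, 19, frozenset({"op1", "op2"}), frozenset({3, 16})),
]
BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    current = [
        Observation(9, 23, frozenset({"op1"}), frozenset({3})),               # normal traffic
        Observation(9, 30, frozenset({"op1", "op2"}), frozenset({3})),        # spike, known users
        Observation(9, 30, frozenset({"op1", "guest"}), frozenset({3, 16})),  # unknown account
        Observation(9, 30, frozenset({"guest"}), frozenset({3, 8})),          # unknown account and code
    ]
    log, alerts = run(current, BASELINES)
    print("logged:", log)
    print("alerts:", alerts)
```

Note that, exactly as the patent specifies, a traffic deviation is still judged normal when a later tier matches; in practice an operator may also want the tier that deviated recorded, which the `tier` value in the log makes visible.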
Further, as shown in Figure 4, the abnormal behavior detection equipment in this embodiment may also include:
Input interface 13, for obtaining a computer program imported from outside and saving the acquired computer program to the memory 12; it may also be used to obtain various instructions and parameters sent by external terminal devices and pass them to the processor 11, so that the processor 11 performs the corresponding processing using these instructions and parameters. In this embodiment, the input interface 13 may specifically include, but is not limited to, a USB interface, a serial interface, a voice input interface, a fingerprint input interface, a hard-disk reading interface and the like.
Output interface 14, for outputting the various data generated by the processor 11 to the terminal devices connected to it, so that other terminal devices connected to the output interface 14 can obtain the various data generated by the processor 11. In this embodiment, the output interface 14 may specifically include, but is not limited to, a USB interface, a serial interface and the like.
Communication unit 15, for establishing a remote communication connection with an external server, obtaining the data sent by external terminals and then sending them to the processor 11 for processing and analysis; in addition, the processor 11 may also send the various results obtained after processing to preset data receivers through the communication unit 15.
Display unit 16, for displaying the data sent to it by the processor 11.
In addition, an embodiment of the invention also discloses a computer-readable storage medium for storing a computer program, where, when the computer program is executed by a processor, the steps of the anomaly detection method disclosed in the previous embodiments are implemented.
For the specific steps of the above method, reference may be made to the corresponding contents disclosed in the previous embodiments; they are not repeated here.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points may be found in the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of their function. Whether these functions are implemented in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, and such implementations should not be considered to be beyond the scope of the invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The industrial control system and the abnormal behavior detection method, device, equipment and medium based on a time-correlated baseline provided by the invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the invention; the above description of the embodiments is only intended to help understand the method of the invention and its core ideas. At the same time, those of ordinary skill in the art may, following the ideas of the invention, make changes in the specific embodiments and the scope of application. In summary, the contents of this specification should not be construed as limiting the invention.
Claims (10)
1. An anomaly detection method based on a time-correlated baseline, applied to an industrial control network, characterized in that it comprises:
obtaining the real-time detection data in the current preset time period; where the real-time detection data are the data obtained by detecting the industrial control network;
comparing the real-time detection data with an expected network baseline to obtain a comparison result; where the expected network baseline is the data obtained by predicting the detection data in the current preset time period from the historical detection data in the historical preset time period;
judging whether the industrial control network is abnormal using the comparison result.
2. The anomaly detection method according to claim 1, characterized in that obtaining the real-time detection data in the current preset time period comprises:
obtaining the real-time network traffic data, the current user behavior data and the real-time process control behavior data in the current preset time period.
3. The anomaly detection method according to claim 2, characterized in that, before comparing the real-time detection data with the expected network baseline, the method further comprises:
obtaining the expected network baseline by generating the data in real time or by reading pre-generated data;
where the generation process of the expected network baseline comprises:
predicting the network traffic data in the current preset time period from the historical network traffic data in the historical preset time period, obtaining an expected network traffic baseline;
predicting the user behavior data in the current preset time period from the historical user behavior data in the historical preset time period, obtaining an expected user behavior baseline;
predicting the process control behavior data in the current preset time period from the historical process control behavior data in the historical preset time period, obtaining an expected process control behavior baseline.
4. The anomaly detection method according to claim 3, characterized in that comparing the real-time detection data with the expected network baseline to obtain a comparison result comprises:
comparing the real-time network traffic data with the expected network traffic baseline;
if the real-time network traffic data meet the expected network traffic baseline, determining that the comparison result is that the current data meet the prediction.
5. The anomaly detection method according to claim 4, characterized in that comparing the real-time network traffic data with the expected network traffic baseline further comprises:
if the real-time network traffic data do not meet the expected network traffic baseline, comparing the current user behavior data with the expected user behavior baseline;
if the current user behavior data meet the expected user behavior baseline, determining that the comparison result is that the current data meet the prediction.
6. The anomaly detection method according to claim 5, characterized in that comparing the current user behavior data with the expected user behavior baseline further comprises:
if the current user behavior data do not meet the expected user behavior baseline, comparing the real-time process control behavior data with the expected process control behavior baseline;
if the real-time process control behavior data meet the expected process control behavior baseline, determining that the comparison result is that the current data meet the prediction.
7. The anomaly detection method according to claim 6, characterized in that comparing the real-time process control behavior data with the expected process control behavior baseline further comprises:
if the real-time process control behavior data do not meet the expected process control behavior baseline, determining that the comparison result is that the current data do not meet the prediction.
8. The anomaly detection method according to any one of claims 4 to 7, characterized in that judging whether the industrial control network is abnormal using the comparison result comprises:
if the comparison result is that the current data do not meet the prediction, determining that the industrial control network is abnormal, issuing an alert, and sending the data anomaly to the administrator;
if the comparison result is that the current data meet the prediction, determining that the industrial control network is normal, and recording the time and operation behavior of the relevant event.
9. An abnormal behavior detection device based on a time-correlated baseline, applied to an industrial control network, characterized in that it comprises:
a data acquisition module, for obtaining the real-time detection data in the current preset time period; where the real-time detection data are the data obtained by detecting the industrial control network;
a data comparison module, for comparing the real-time detection data with an expected network baseline to obtain a comparison result; where the expected network baseline is the data obtained by predicting the detection data in the current preset time period from the historical detection data in the historical preset time period;
an anomaly judgment module, for judging whether the industrial control network is abnormal using the comparison result.
10. Abnormal behavior detection equipment based on a time-correlated baseline, applied to an industrial control network, characterized in that it comprises:
a memory, for storing a computer program;
a processor, for executing the computer program to implement the steps of the anomaly detection method according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810973981.6A CN109164786B (en) | 2018-08-24 | 2018-08-24 | Abnormal behavior detection method, device and equipment based on time-dependent baseline |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109164786A true CN109164786A (en) | 2019-01-08 |
CN109164786B CN109164786B (en) | 2020-05-29 |
Family
ID=64896751
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109164786B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |