CN116488949A - Industrial control system intrusion detection processing method, system, device and storage medium - Google Patents
- Publication number
- CN116488949A, CN202310756573.6A
- Authority
- CN
- China
- Prior art keywords
- terminal
- detection
- access terminal
- access
- industrial control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Alarm Systems (AREA)
Abstract
The embodiment of the invention provides an intrusion detection processing method, system, device and storage medium for an industrial control system. The embodiment separates the data of the industrial control system from that of the detection system, which avoids leaking the real-time operation data of historical access terminals in the industrial control system and improves the security of the operation data. A detection model that takes the different feature conditions into account is obtained through joint training and used as the intrusion detection model; this model checks each access terminal currently accessing the industrial control system to determine whether it is abnormal, which ensures terminal identification accuracy. Meanwhile, the detection modules pass one another only the detection models' results for the historical access terminals, never the terminal features of those terminals, which keeps the data stored in each detection module secure.
Description
Technical Field
The present invention relates to the field of industrial control systems, and in particular, to an intrusion detection processing method, system, device and storage medium for an industrial control system.
Background
Industrial control systems increasingly need to transmit large volumes of data at high rates, such as image and voice signals, which has driven the combination of Ethernet, already popular in the commercial world, with control networks. This networking wave in industrial control systems integrates current technologies such as embedded technology, multi-standard industrial control network interconnection and wireless technology, thereby expanding the development space of the industrial control field.
In some cases, the direction of data flows in the network traffic, the industrial control protocols used for transmission and the detailed content of those protocols cannot be known within the network of the industrial control system. Meanwhile, for production-safety reasons, security protection equipment cannot be directly deployed in certain scenarios, yet the security state of the industrial control system still has to be monitored and the risks it faces tracked in real time.
Disclosure of Invention
At least one embodiment of the invention provides an intrusion detection processing method, system, device and storage medium for an industrial control system, so as to solve the prior-art problem that the risk of terminals accessing the industrial control system cannot be monitored in real time.
In a first aspect, an embodiment of the present invention provides an intrusion detection processing method for an industrial control system, in which a detection module is deployed in bypass mode on each working module of the industrial control system and the detection modules together form a detection system; the processing method comprises the following steps:
the industrial control system encrypts the terminal tag of at least one historical access terminal to generate an encrypted tag, and transmits the encrypted tag and the corresponding terminal identification information to the detection system;
each detection module generates, according to the terminal identification information, the feature data amount of the terminal features of the at least one historical access terminal;
each detection module trains and constructs a detection model, based on a machine learning algorithm, from the terminal features of the at least one historical access terminal corresponding to that detection module and the corresponding encrypted tags;
in order of feature data amount, the detection results for the at least one historical access terminal generated by the detection model of the previous detection module are input into the current detection module to optimize its detection model, and the detection results for the at least one historical access terminal generated by the optimized current detection model are transmitted to the next detection module, until the detection model of the final detection module has been optimized, yielding the intrusion detection model;
generating current terminal features from the terminal data of the access terminal that currently sends an access request, and inputting the current terminal features into the intrusion detection model to obtain a terminal detection result.
Based on the above technical solution, the following improvements can be made in the embodiments of the present invention.
With reference to the first aspect, in a first embodiment of the first aspect, the processing method further includes:
when the terminal detection result is a pass and the access terminal that currently sends the access request is a new access terminal, matching similar terminals from the historical access terminals according to the intrusion detection model's detection result for the new access terminal;
calculating the average permission level and the average access validity period of the similar terminals;
taking the lower of the basic access right in the industrial control system and the average permission level as the access right of the new access terminal;
and taking the average access validity period as the access validity period of the new access terminal.
With reference to the first embodiment of the first aspect, in a second embodiment of the first aspect, matching similar terminals from the historical access terminals according to the intrusion detection model's detection result for the new access terminal includes:
determining the terminal category group to which the new access terminal belongs according to the detection result of the new access terminal, where each terminal category group comprises historical access terminals of the same category;
and taking the historical access terminals in the corresponding terminal category group as the similar terminals of the new access terminal.
With reference to the second embodiment of the first aspect, in a third embodiment of the first aspect, the processing method further includes:
detecting terminal characteristics of each historical access terminal according to the intrusion detection model to obtain corresponding terminal detection results;
and clustering the historical access terminals according to the terminal detection result to obtain a plurality of terminal category groups.
With reference to the third embodiment of the first aspect, in a fourth embodiment of the first aspect, the terminal detection result includes a terminal security score;
clustering the historical access terminals according to the terminal detection result to obtain a plurality of terminal category groups includes:
clustering the historical access terminals according to the result of sorting them by terminal security score, to obtain a plurality of terminal category groups; each terminal category group comprises at least two historical access terminals, and within a group the terminal security score of every historical access terminal is adjacent, in the sorted order, to that of at least one other historical access terminal.
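The provisioning steps of the first to fourth embodiments above, as an added Python example that is not code from the patent. The gap-based split rule, the merging of single-terminal groups, the nearest-score-range matching, the 0.5 pass threshold, rounding the average level down (with a higher number meaning more privilege), and all terminal ids and values are assumptions or constructed sample data.

```python
import math
from statistics import mean

PASS_THRESHOLD = 0.5  # assumed: a score above this counts as passing detection


def cluster_by_score(scores, max_gap=0.1):
    """Split terminals, sorted by security score, into terminal category groups.

    Assumed split rule: a new group starts where neighbouring scores differ by
    more than max_gap. Single-terminal groups are then merged into the nearer
    neighbouring group, so every group holds at least two terminals.
    """
    groups = []
    for tid in sorted(scores, key=scores.get):
        if groups and scores[tid] - scores[groups[-1][-1]] <= max_gap:
            groups[-1].append(tid)
        else:
            groups.append([tid])
    i = 0
    while len(groups) > 1 and i < len(groups):
        if len(groups[i]) >= 2:
            i += 1
            continue
        score = scores[groups[i][0]]
        left = score - scores[groups[i - 1][-1]] if i > 0 else math.inf
        right = scores[groups[i + 1][0]] - score if i + 1 < len(groups) else math.inf
        single = groups.pop(i)
        if left <= right:
            groups[i - 1].extend(single)   # append to the lower-scored group
        else:
            groups[i][:0] = single         # prepend to the higher-scored group
    return groups


def match_group(new_score, groups, scores):
    """Pick the group whose score range lies closest to the new terminal's score."""
    def distance(group):
        low, high = scores[group[0]], scores[group[-1]]
        return max(low - new_score, new_score - high, 0.0)
    return min(groups, key=distance)


def provision(new_score, history, base_level):
    """Return access settings for a new terminal, or None if it fails detection.

    history maps terminal id -> {"score", "level", "validity_days"}.
    """
    if new_score <= PASS_THRESHOLD:
        return None
    scores = {tid: rec["score"] for tid, rec in history.items()}
    similar = match_group(new_score, cluster_by_score(scores), scores)
    avg_level = mean(history[t]["level"] for t in similar)
    avg_validity = mean(history[t]["validity_days"] for t in similar)
    return {
        "similar": similar,
        # Lower of the basic access right and the peers' average, rounded down.
        "level": math.floor(min(base_level, avg_level)),
        "validity_days": avg_validity,
    }


# Constructed sample history: security score, permission level, validity in days.
HISTORY = {
    "a": {"score": 0.95, "level": 4, "validity_days": 180},
    "b": {"score": 0.91, "level": 4, "validity_days": 180},
    "c": {"score": 0.88, "level": 3, "validity_days": 120},
    "d": {"score": 0.62, "level": 3, "validity_days": 90},
    "e": {"score": 0.58, "level": 2, "validity_days": 30},
    "f": {"score": 0.55, "level": 2, "validity_days": 60},
    "g": {"score": 0.30, "level": 1, "validity_days": 7},
    "h": {"score": 0.12, "level": 1, "validity_days": 1},
}

if __name__ == "__main__":
    print(provision(0.60, HISTORY, base_level=3))
    print(provision(0.97, HISTORY, base_level=3))
    print(provision(0.20, HISTORY, base_level=3))
```

A new terminal never receives more than the basic access right, and it receives less when its closest peers historically held less.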
With reference to the first embodiment of the first aspect, in a fifth embodiment of the first aspect, the processing method further includes:
determining a terminal with illegal operation from the similar terminals as a reference terminal;
matching corresponding intrusion detection rules from a rule base according to illegal operations of the reference terminal;
and acquiring operation log information of the new access terminal in the industrial control system in real time, matching the operation log information according to the intrusion detection rule, and determining whether the new access terminal is abnormal according to a matching result.
With reference to the fifth embodiment of the first aspect, in a sixth embodiment of the first aspect, the processing method further includes:
and when the new access terminal is abnormal, sending terminal information and abnormal information of the new access terminal to a preset manager terminal.
In a second aspect, an embodiment of the present invention provides an intrusion detection processing system for an industrial control system, in which a detection module is deployed in bypass mode on each working module of the industrial control system and the detection modules together form a detection system; the processing system includes:
the industrial control system, which is used for encrypting the terminal tag of at least one historical access terminal to generate an encrypted tag, and transmitting the encrypted tag and the corresponding terminal identification information to the detection system;
the detection module, which is used for generating, according to the terminal identification information, the feature data amount of the terminal features of the at least one historical access terminal;
the detection module, which is also used for performing deep learning on the terminal features of the at least one historical access terminal corresponding to that detection module and the corresponding encrypted tags to construct a detection model;
the detection system, which is used for inputting, in order of feature data amount, the detection results for the at least one historical access terminal generated by the detection model of the previous detection module into the current detection module to optimize its detection model, generating the detection results for the at least one historical access terminal based on the optimized current detection model, and transmitting those detection results to the next detection module, until the detection model of the final detection module has been optimized, so as to obtain the intrusion detection model;
the detection system is also used for generating current terminal features from the terminal data of the access terminal that currently sends an access request, and inputting the current terminal features into the intrusion detection model to obtain a terminal detection result.
In a third aspect, an embodiment of the present invention provides an intrusion detection processing device for an industrial control system, the device comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the intrusion detection processing method of the industrial control system according to any one of claims 1 to 7 when executing the program stored in the memory.
In a fourth aspect, an embodiment of the present invention provides a computer readable medium, configured to store a computer readable program, where the computer readable program is configured to execute the intrusion detection processing method of the industrial control system according to any one of the embodiments of the first aspect.
Compared with the prior art, the technical solution of the invention has the following advantages. The industrial control system encrypts the terminal tag of each historical access terminal and transmits the encrypted tag and the terminal identification information to the detection system, which separates the data of the industrial control system from that of the detection system, avoids leaking the real-time operation data of historical access terminals in the industrial control system, and improves the security of the operation data. Each detection module determines, according to the terminal identification information, the terminal data recorded when the historical access terminals accessed the corresponding working module, obtains the feature data amount of the terminal features from that terminal data, and performs deep learning on the terminal features of the corresponding historical access terminals and the corresponding encrypted tags to construct a detection model. Then, in order of feature data amount, each detection module's detection results for the historical access terminals are used to optimize the detection model generated by the next detection module, until the detection model of the final detection module has been optimized and serves as the intrusion detection model.
Corresponding models are thus built separately from the different historical access terminals recorded in the different working modules, and the earlier model is used in turn to optimize the later one in order of feature data amount, so that joint training finally yields a detection model that takes the different feature conditions into account and serves as the intrusion detection model. The intrusion detection model checks each access terminal currently accessing the industrial control system to determine whether it is abnormal, which ensures terminal identification accuracy. Meanwhile, only the detection models' results for the historical access terminals are transmitted between detection modules, and the terminal features of the historical access terminals are never exchanged, which keeps the data stored in each detection module secure.
Drawings
FIG. 1 is a schematic flow chart of an intrusion detection processing method of an industrial control system according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an intrusion detection processing method of an industrial control system according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of an intrusion detection processing method of an industrial control system according to another embodiment of the present invention;
FIG. 4 is a schematic flow chart of an intrusion detection processing method of an industrial control system according to another embodiment of the present invention;
FIG. 5 is a schematic flow chart of an intrusion detection processing method of an industrial control system according to another embodiment of the present invention;
FIG. 6 is a schematic diagram of an intrusion detection processing system of an industrial control system according to another embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an intrusion detection processing device of an industrial control system according to another embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention.
All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIG. 1, in the intrusion detection processing method for an industrial control system provided by the embodiment of the invention, a detection module is deployed in bypass mode on each working module of the industrial control system, and the detection modules together form a detection system. The processing method comprises the following steps: S11, the industrial control system encrypts the terminal tag of at least one historical access terminal to generate an encrypted tag, and transmits the encrypted tag and the corresponding terminal identification information to the detection system.
In this embodiment, the detection modules are deployed in a bypass manner at key nodes of the industrial control network, for example, each working module is configured with one detection module respectively, so that network bandwidth resources are not occupied.
The detection module can provide comprehensive functions such as industrial control protocol deep analysis, high-risk instruction detection, common attack behavior detection, log audit and the like.
In this embodiment, after a historical access terminal obtains access rights, it performs operations in the industrial control system. The terminal tag is a tag assigned according to the operation information of the corresponding historical access terminal in the industrial control system. For example, if a historical access terminal illegally crawls data in the industrial control system or obtains data through illegitimate operations, the terminal tag of an illegal terminal is added to it; otherwise, the terminal tag of a normal terminal is added to a terminal that accessed the system normally. Illegal-terminal tags of different grades can be added according to the severity of the operations the terminal performed, normal-terminal tags of different grades can be added according to how long the terminal has accessed the industrial control system normally, and tags can also be added according to the terminal's permission level in the industrial control system; these variations are not described further here.
In this embodiment, the terminal tag is encrypted to obtain the encrypted tag. A homomorphic or symmetric encryption algorithm may be used, and the corresponding decryption key, or the corresponding encryption and decryption scheme, is stored in the detection system so that each detection module in the detection system can decrypt the encrypted tag.
In this embodiment, the industrial control system also transmits terminal identification information to the detection system, so that each detection module in the detection system can determine the historical access terminal corresponding to each encrypted tag; the terminal identification information may be the terminal's unique identification code or a unique identification number assigned in real time when the historical access terminal accesses the industrial control system.
In this embodiment, the data transmitted to the detection system by the industrial control system does not include the operation information of the history access terminal in the industrial control system, so that the operation data of the history access terminal in the system is protected, the user privacy data is prevented from being leaked, and the data security is improved.
S12, each detection module generates, according to the terminal identification information, the feature data amount of the terminal features of the at least one historical access terminal.
In this embodiment, each detection module in the detection system determines, according to the terminal identification information, the terminal data recorded when the historical access terminal accessed the corresponding working module, and obtains the feature data amount of the terminal features from that terminal data.
In this embodiment, the history access terminals corresponding to the detection modules are not completely consistent, for example, a certain history access terminal only accesses a part of the working modules in the industrial control system, and only the detection modules corresponding to the part of the working modules correspond to the history access terminal.
In this embodiment, each detection module corresponds to a plurality of historical access terminals, generates corresponding terminal features according to terminal data of the corresponding historical access terminals, and gathers and calculates feature data amounts of the terminal features, where the terminal data includes: terminal name, terminal authority identification, terminal identity identification, terminal credit data and the like.
S13, training and constructing a detection model through each detection module according to the terminal characteristics of the corresponding at least one historical access terminal and the encryption tag based on a machine learning algorithm.
In this embodiment, each detection module performs deep learning according to the terminal characteristics of the corresponding history access terminal and the corresponding encryption tag to construct a corresponding detection model.
In this embodiment, when deep learning uses the encrypted tags, each encrypted tag is decrypted to obtain the corresponding tag or tag score for learning. For example, the tag of an illegal terminal is 0 and the tag of a normal terminal is 1, and the detection result output by the finally trained detection model is a value between 0 and 1 that evaluates whether the detected terminal tends toward an illegal terminal or a normal terminal. As another example, following the tagging scheme described above, a terminal tag with a value of 0-0.5 is added to represent an illegal terminal according to the severity of the operations the terminal performed, and a terminal tag with a value of 0.5-1 is added to represent a normal terminal according to how long the terminal has accessed the industrial control system normally, so that the trained detection model can identify more accurately whether different terminals are abnormal.
The detection model may also be constructed by other schemes, which are not described herein.
In this embodiment, the machine learning algorithm includes: decision trees, support vector machines, supervised learning algorithms, etc.
S14, in order of feature data amount, the detection results for the at least one historical access terminal generated by the detection model of the previous detection module are input into the current detection module to optimize its detection model, and the detection results for the at least one historical access terminal generated by the optimized current detection model are transmitted to the next detection module, until the detection model of the final detection module has been optimized, so as to obtain the intrusion detection model.
In this embodiment, the detection module ranked first is determined from the detection modules according to the result of sorting by feature data amount and taken as the first detection module. The first detection module runs its constructed model on the terminal data of the historical access terminals and determines a detection result for each. The detection module after the first detection module in the sorted order is then taken as the current detection module. The current detection module runs its constructed model on the terminal data of the historical access terminals and determines a detection result for each; the first detection module's detection results for those terminals are used as a reference for the current detection module's results, and the parameters of the current detection module's detection model are calibrated accordingly. The next detection module is then determined from the sorted order, and the process repeats until the detection models in all detection modules have been optimized, yielding the intrusion detection model.
Compared with training a model on the fused data of all detection modules, the training approach in this scheme avoids transmitting terminal data between modules, which improves the security of the terminal data of the different working modules in the industrial control system; and because the working modules' data is isolated, the operational security of the working modules is also improved to some extent.
In a specific embodiment, steps S13 and S14 may also train the models in another way. For example, after each detection module determines the feature data amount of the terminal features of its historical access terminals, the detection module ranked first in the order of feature data amount is taken as the first detection module. The first detection module trains on the terminal features of the historical access terminals and their encrypted tags, constructs a detection model, and uses that model to output a detection result for each historical access terminal to the next detection module. The detection module after the first detection module in the sorted order is taken as the current detection module; it trains on the terminal features of the historical access terminals, their encrypted tags, and the detection results for each historical access terminal output by the first detection module's detection model, constructs the detection model of the current detection module, and uses that model to output a detection result for each historical access terminal to the next detection module. These steps are repeated in sequence, training the detection model of each detection module, until the final detection module outputs its detection model as the intrusion detection model. This scheme yields a detection model that reflects the data of all detection modules and can detect access terminals more effectively.
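The alternative training mode just described (each module trains on its local features, the decrypted tags and the previous module's scores), as an added Python example that is not code from the patent. Logistic regression stands in for the unspecified learner; the ascending sort direction, the definition of feature data amount as a count of feature values, the neutral score of 0.5 for terminals the previous module never saw, the module names and the two features are assumptions or constructed sample data.

```python
import math

NEUTRAL = 0.5  # assumed prior score for a terminal the previous module never saw


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(weights, row):
    """Score in (0, 1): near 0 = illegal terminal, near 1 = normal terminal."""
    z = weights[-1] + sum(w * x for w, x in zip(weights, row))
    return _sigmoid(z)


def train(rows, labels, epochs=2000, lr=0.5):
    """Logistic regression by batch gradient descent; accepts soft labels in [0, 1]."""
    weights = [0.0] * (len(rows[0]) + 1)  # last entry is the bias
    for _ in range(epochs):
        grad = [0.0] * len(weights)
        for row, y in zip(rows, labels):
            err = predict(weights, row) - y
            for i, x in enumerate(row):
                grad[i] += err * x
            grad[-1] += err
        weights = [w - lr * g / len(rows) for w, g in zip(weights, grad)]
    return weights


def feature_data_amount(local_features):
    """Assumed definition: number of feature values the module holds."""
    return sum(len(v) for v in local_features.values())


def chain_train(modules, labels):
    """Train module by module (S13/S14). Returns (chain, handoffs).

    chain    -- [(module_name, weights)] in training order; the last entry
                plays the role of the intrusion detection model.
    handoffs -- what each module sent to the next one, kept for audit.
    """
    order = sorted(modules, key=lambda m: feature_data_amount(modules[m]))
    chain, handoffs, prev_scores = [], [], {}
    for name in order:
        local = modules[name]
        ids = sorted(local)
        # Local features stay inside this module; the previous module's score
        # for the same terminal is appended as one extra input column.
        rows = [local[t] + [prev_scores.get(t, NEUTRAL)] for t in ids]
        weights = train(rows, [labels[t] for t in ids])
        prev_scores = {t: predict(weights, r) for t, r in zip(ids, rows)}
        chain.append((name, weights))
        handoffs.append((name, dict(prev_scores)))
    return chain, handoffs


def score_terminal(chain, observations):
    """S15 for one terminal: walk the chain with what each module observed."""
    score = NEUTRAL
    for name, weights in chain:
        if name in observations:
            score = predict(weights, observations[name] + [score])
        else:
            score = NEUTRAL  # mirrors training: unseen terminals carry no prior
    return score


# Constructed sample data. Features: [credit score, off-hours access ratio].
LABELS = {"t1": 1.0, "t2": 0.9, "t3": 0.1, "t4": 0.0, "t5": 0.8, "t6": 0.2}
MODULES = {
    "historian": {"t1": [0.9, 0.1], "t2": [0.8, 0.2], "t3": [0.2, 0.9],
                  "t4": [0.1, 0.8], "t5": [0.7, 0.1], "t6": [0.3, 0.7]},
    "hmi": {"t1": [0.9, 0.0], "t3": [0.3, 0.8], "t4": [0.2, 0.9], "t5": [0.8, 0.2]},
    "plc_gateway": {"t2": [0.9, 0.1], "t6": [0.2, 0.9]},
}

if __name__ == "__main__":
    chain, handoffs = chain_train(MODULES, LABELS)
    for name, sent in handoffs:
        print(name, "->", {t: round(s, 2) for t, s in sent.items()})
    print(score_terminal(chain, {"hmi": [0.85, 0.1], "historian": [0.85, 0.15]}))
```

The `handoffs` record is the audit point: each entry maps terminal ids to a single score, so a reviewer can confirm that no feature vector crosses a module boundary.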
S15, generating current terminal characteristics according to terminal data of the access terminal which currently sends the access request; and inputting the current terminal characteristics into the intrusion detection model to obtain a terminal detection result.
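The chained training described above and the S15 check, as an added example that is not code from the patent. A nearest-centroid classifier stands in for the unspecified learning algorithm and a keyed HMAC token stands in for the unspecified tag encryption; the module names, feature values, key and the largest-first ordering are assumptions, and all data is constructed.

```python
import hashlib
import hmac


def encrypt_tag(key: bytes, label: str) -> str:
    """Stand-in for the tag encryption: a keyed, deterministic opaque token."""
    return hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:16]


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


class DetectionModule:
    """One bypass-deployed detection module; `local` never leaves the instance."""

    def __init__(self, name, local):
        self.name = name
        self.local = local      # terminal id -> features recorded by this working module
        self.classes = []
        self.centroids = {}

    def feature_data_amount(self):
        return sum(len(feats) for feats in self.local.values())

    def vector(self, feats, upstream_tag):
        # The previous module's detection result is appended as a one-hot over the tags.
        if upstream_tag is None:
            return list(feats)
        return list(feats) + [1.0 if c == upstream_tag else 0.0 for c in self.classes]

    def train(self, tags, upstream=None):
        self.classes = sorted(set(tags.values()))
        grouped = {}
        for tid, feats in self.local.items():
            up = upstream[tid] if upstream else None
            grouped.setdefault(tags[tid], []).append(self.vector(feats, up))
        self.centroids = {tag: [sum(col) / len(vecs) for col in zip(*vecs)]
                          for tag, vecs in grouped.items()}

    def detect(self, feats, upstream_tag=None):
        vec = self.vector(feats, upstream_tag)
        return min(self.centroids, key=lambda tag: sq_dist(vec, self.centroids[tag]))

    def detect_history(self, upstream=None):
        return {tid: self.detect(feats, upstream[tid] if upstream else None)
                for tid, feats in self.local.items()}


def train_chain(modules, tags, largest_first=True):
    """Train module by module; only detection results cross a module boundary."""
    order = sorted(modules, key=lambda m: m.feature_data_amount(), reverse=largest_first)
    upstream = None
    for module in order:
        module.train(tags, upstream)
        upstream = module.detect_history(upstream)
    return order


def detect_current(order, current):
    """S15: each module sees only its own view of the current terminal."""
    result = None
    for module in order:
        result = module.detect(current[module.name], result)
    return result


# Constructed sample data. The key and the plaintext labels stay on the ICS side.
KEY = b"constructed-ics-key"
LABELS = {"h1": "normal", "h2": "normal", "h3": "intrusion", "h4": "intrusion"}
TAGS = {tid: encrypt_tag(KEY, label) for tid, label in LABELS.items()}


def build_modules():
    return [
        # The historian's own data cannot separate the two classes.
        DetectionModule("historian", {"h1": [2], "h2": [3], "h3": [3], "h4": [2]}),
        DetectionModule("plc", {"h1": [1, 1, 1], "h2": [1, 2, 1],
                                "h3": [8, 9, 9], "h4": [9, 9, 8]}),
        DetectionModule("hmi", {"h1": [0, 1], "h2": [1, 0], "h3": [5, 5], "h4": [6, 5]}),
    ]


if __name__ == "__main__":
    chain = train_chain(build_modules(), TAGS)
    print([m.name for m in chain])
    tag = detect_current(chain, {"plc": [9, 8, 9], "hmi": [5, 6], "historian": [2]})
    print("intrusion" if tag == encrypt_tag(KEY, "intrusion") else "normal")
```

The last module in the chain separates the classes only because it receives upstream detection results; trained on its own data alone it returns the same tag for every terminal.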
According to the embodiment of the invention, the industrial control system encrypts the terminal tag of each historical access terminal and transmits the encrypted tag and the terminal identification information to the detection system. This separates the data of the industrial control system from that of the detection system, avoids leaking the real-time operation data of the historical access terminals in the industrial control system, and improves the security of the operation data. Each detection module determines, according to the terminal identification information, the terminal data recorded when the historical access terminal accessed the corresponding working module, obtains the feature data amount of the terminal features from that terminal data, and performs deep learning on the terminal features of the corresponding historical access terminals and the corresponding encrypted tags to construct a corresponding detection model. Then, in the order of the feature data amounts of the detection modules, the detection results that one detection module's detection model generates for each historical access terminal are used to optimize the detection model of the next detection module, until the detection model of the last detection module has been optimized and is used as the intrusion detection model. Corresponding models are thus constructed from the different historical access terminals recorded in the different working modules and are optimized in sequence according to the size of the terminal feature data amount, combining the earlier and later detection models. The intrusion detection model is used to judge whether the access terminal currently requesting access is an intrusion, and the security of the data stored in each detection module is ensured.
In a specific embodiment, each detection module generates a corresponding detection model, and when the working module corresponding to a detection module receives an access request from an access terminal, the detection model trained by that detection module and the intrusion detection model can detect the access terminal simultaneously. The more access-terminal data a detection model has learned from the terminals that accessed its module, the better it performs on access terminals whose data is of the same class as, and overlaps more with, the corresponding history access terminals, and the worse its results on terminals with unfamiliar classes of terminal data. The intrusion detection model draws on the data of different history access terminals, so it identifies terminals spanning more data classes more effectively.
In this embodiment, the detection module corresponding to the working module accessed by the current access terminal may adjust the weights given to the detection result of its own trained detection model and to the detection result of the intrusion detection model on the terminal features, according to the overlap ratio between the terminal features of the access terminal currently sending the access request and the terminal features of each historical access terminal in the detection module, and according to the number of types of the terminal features of the historical access terminals, so as to obtain the final terminal detection result. The terminal detection result can be obtained by referring to a formula [formula not reproduced] whose terms represent, in order: the terminal detection result; the maximum value of the feature type overlap ratio between the terminal features of the access terminal and the terminal features of the history access terminals corresponding to the detection module; the detection result of the detection model corresponding to the detection module on the terminal features of the access terminal; the maximum value of the number of categories of the terminal features of the history access terminals or of the access terminal; the terminal features of the access terminal; and the detection result of the intrusion detection model on the terminal features of the access terminal.
In this embodiment, the types of the terminal features of the access terminal may be compared with the types of the terminal features of each history access terminal corresponding to the detection module to obtain the corresponding feature type overlap ratios, and the maximum feature type overlap ratio is taken as the overlap-ratio term of the formula.
In this embodiment, the number of feature types of each history access terminal and of the access terminal may be counted, and the maximum of these numbers taken as the category-number term of the formula; alternatively, the union of the feature types of the history access terminals may be determined, and the number of feature types in the union taken as that term.
As shown in fig. 2, the embodiment of the invention provides an intrusion detection processing method for an industrial control system, and compared with the processing method shown in fig. 1, the processing method further comprises the following steps:
S21, when the terminal detection result is passing detection and the access terminal which sends the access request currently is a new access terminal, matching similar terminals from the history access terminals according to the detection result of the intrusion detection model on the new access terminal.
In this embodiment, after the current access terminal passes the detection, it is determined whether the current access terminal is a new access terminal, and whether the access terminal is a new terminal may be determined by the identification code or the added tag of the access terminal.
In this embodiment, when the access terminal is determined to be a new access terminal, similar terminals among the history access terminals may be determined according to the detection result of the detection model on the new access terminal, in order to determine the access right of the access terminal. For example, the similarity between the terminal features of the new access terminal and those of each history access terminal may be calculated to determine the similar terminals. Specifically, a vector may be constructed from the terminal features according to feature type, the cosine value of the vectors calculated and used as the similarity value, and a history access terminal whose similarity value is greater than a preset threshold used as a similar terminal of the new access terminal; alternatively, the Euclidean distance between the terminal features may be calculated and used as the similarity value, and a history access terminal whose similarity value is greater than a preset threshold used as a similar terminal of the new access terminal.
S22, calculating the authority average grade and the access average validity period of each similar terminal.
S23, taking the lower one of the basic access authority and the authority average level in the industrial control system as the access authority of the new access terminal.
S24, taking the access average validity period as the access validity period of the new access terminal.
In this embodiment, after determining the similar terminals, the average validity period of access of each similar terminal may be used as the validity period of access of the new access terminal, where the access right of the new access terminal must not exceed the basic access right set for the new terminal in the industrial control system, so that the data level accessed by the new access terminal may be effectively limited, and important data is prevented from being lost.
In a specific embodiment, when the terminal detection result is passing detection and the access terminal is an existing history access terminal, the authority level of the access terminal is adjusted according to the detection result; for example, when the detection result is a pass but indicates that the operation behavior of the access terminal carries a risk, the access authority of the access terminal is reduced by at least one level, so as to improve data security.
By combining the above embodiments, if the new access terminal is similar to history access terminals with more risks, the authority level of the new access terminal is reduced in time, and the access authority can be adjusted according to the behavior change of the new access terminal.
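Steps S21 to S24 and the one-level reduction for a risky existing terminal, as an added example that is not code from the patent. The feature names, the integer level scale (larger number means broader access), rounding the average level down, and the fallback when no similar terminal is found are assumptions; the data is constructed.

```python
import math
from dataclasses import dataclass


@dataclass
class HistoryTerminal:
    terminal_id: str
    features: dict          # feature type -> value
    permission_level: int   # assumption: larger number = broader access
    validity_days: float


def cosine_similarity(a, b):
    """Cosine of two sparse feature vectors keyed by feature type."""
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0.0) * b.get(k, 0.0) for k in keys)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def assign_access(new_features, history, base_level, threshold=0.9):
    """S21-S24: similar terminals -> averages -> cap at the basic access right."""
    similar = [h for h in history
               if cosine_similarity(new_features, h.features) > threshold]
    if not similar:
        # Case not covered by the page. Assumption: grant the basic access
        # right and leave the validity period to operator policy.
        return {"level": base_level, "validity_days": None, "similar": []}
    avg_level = sum(h.permission_level for h in similar) / len(similar)
    avg_validity = sum(h.validity_days for h in similar) / len(similar)
    return {
        # Rounding the average down keeps the grant on the least-privilege side.
        "level": min(base_level, math.floor(avg_level)),
        "validity_days": avg_validity,
        "similar": [h.terminal_id for h in similar],
    }


def adjust_existing(level, risk_flagged, lowest_level=0):
    """Existing terminal that passed detection with a risk prompt: drop one level."""
    return max(lowest_level, level - 1) if risk_flagged else level


def build_history():
    # Constructed sample data.
    return [
        HistoryTerminal("H1", {"proto_modbus": 1.0, "write_ratio": 0.2, "session_len": 0.5}, 3, 30),
        HistoryTerminal("H2", {"proto_modbus": 1.0, "write_ratio": 0.3, "session_len": 0.4}, 3, 60),
        HistoryTerminal("H3", {"proto_opcua": 1.0, "write_ratio": 0.9}, 5, 90),
    ]


NEW_TERMINAL = {"proto_modbus": 1.0, "write_ratio": 0.25, "session_len": 0.45}

if __name__ == "__main__":
    history = build_history()
    print(assign_access(NEW_TERMINAL, history, base_level=4))
    # H1 later passes detection with a risk prompt and loses one level;
    # the next new terminal that resembles it is granted less.
    history[0].permission_level = adjust_existing(history[0].permission_level, True)
    print(assign_access(NEW_TERMINAL, history, base_level=4))
```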
As shown in fig. 3, in this embodiment, in step S21, according to a detection result of the intrusion detection model on the new access terminal, similar terminals are matched from the history access terminals, which specifically includes the following steps:
S31, determining a terminal category group to which the new access terminal belongs according to the detection result of the new access terminal; the terminal category group comprises history access terminals with the same category;
S32, taking the history access terminals in the corresponding terminal category group as similar terminals of the new access terminal.
In this embodiment, a terminal class group to which a new access terminal belongs is determined in this scheme, and a history access terminal in the terminal class group is used as a similar terminal of the new access terminal.
As shown in fig. 4, in this embodiment, determining the category group of the terminal in the above scheme may be implemented by the following steps:
S41, respectively detecting terminal characteristics of each historical access terminal according to the intrusion detection model to obtain corresponding terminal detection results.
In the scheme, the more the types of the terminal detection results are, namely the more the types of the tags added for the historical access terminal are, the more the terminal type groups are finally obtained.
S42, clustering the historical access terminals according to the terminal detection result to obtain a plurality of terminal category groups.
In this embodiment, in combination with the example in the above embodiment, the terminal detection result includes: a terminal security score.
When the terminal detection result is the terminal security score, the maximum interval of the terminal security score can be equally divided to obtain a plurality of grouping intervals, and the terminal category group of each terminal is obtained according to the grouping interval of the terminal detection result of each terminal.
Of course, in this solution, the terminal category groups may also be divided according to other manners.
In this embodiment, in step S42, the history access terminals are clustered according to the terminal detection result to obtain a plurality of terminal category groups, which specifically includes the following steps:
clustering the historical access terminals according to the result of sorting the historical access terminals by terminal security score, to obtain a plurality of terminal category groups; each terminal category group comprises at least two historical access terminals, and the terminal security score of any historical access terminal in a group is adjacent, in the sorted order, to the terminal security score of at least one other historical access terminal in that group.
In this embodiment, the method clusters the historical access terminals according to the terminal security scores of the historical access terminals, so that each terminal category group includes at least two historical access terminals, and the historical access terminals in the terminal category group are adjacent terminals of the ordering result of the terminal security scores.
Compared with directly cutting the terminal security scores at equal intervals, this method effectively avoids terminal category groups that are empty sets; however, the difference between the terminal security scores of the historical access terminals within a terminal category group clustered in this way may be too large, that is, the historical access terminals in a terminal category group may not be similar.
In this embodiment, when the difference between the terminal security scores of two history access terminals that are adjacent in the sorted order within a terminal category group exceeds a preset deviation threshold, the terminal category group is marked; a key tracking tag is added to any new access terminal matched to the marked terminal category group, and operation tracking is performed on that new access terminal.
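Equal-interval grouping beside sorted-adjacency grouping with the deviation-threshold mark, as an added example that is not code from the patent. The 0 to 100 score range, forming groups from consecutive runs of the sorted list (a trailing single terminal joins the previous group), and matching a new terminal to the group with the nearest score range are assumptions; the scores are constructed.

```python
# Constructed terminal security scores for seven history access terminals.
SCORES = {"t1": 10, "t2": 12, "t3": 15, "t4": 55, "t5": 90, "t6": 93, "t7": 95}


def equal_width_groups(scores, n_bins, lo=0, hi=100):
    """Baseline: cut the score range into equal intervals (may leave empty groups)."""
    width = (hi - lo) / n_bins
    groups = [[] for _ in range(n_bins)]
    for tid in sorted(scores, key=scores.get):
        idx = min(int((scores[tid] - lo) / width), n_bins - 1)
        groups[idx].append(tid)
    return groups


def adjacent_groups(scores, size=2):
    """Group terminals that are neighbours in the sorted score order.

    Every group holds at least two terminals, so no group can be empty.
    """
    if size < 2 or len(scores) < 2:
        raise ValueError("need a group size and a terminal count of at least 2")
    ranked = sorted(scores, key=scores.get)
    groups = [ranked[i:i + size] for i in range(0, len(ranked), size)]
    if len(groups) > 1 and len(groups[-1]) < 2:
        groups[-2].extend(groups.pop())   # no single-terminal group at the end
    return groups


def flag_groups(groups, scores, deviation_threshold):
    """Indexes of groups whose sorted neighbours differ by more than the threshold."""
    flagged = set()
    for i, group in enumerate(groups):
        values = [scores[tid] for tid in group]
        if any(b - a > deviation_threshold for a, b in zip(values, values[1:])):
            flagged.add(i)
    return flagged


def match_group(new_score, groups, scores):
    """Index of the group whose score range contains or is nearest to new_score."""
    def distance(group):
        lo, hi = scores[group[0]], scores[group[-1]]
        if lo <= new_score <= hi:
            return 0
        return min(abs(new_score - lo), abs(new_score - hi))
    return min(range(len(groups)), key=lambda i: distance(groups[i]))


def onboard(new_score, scores, deviation_threshold, size=2):
    """Similar terminals for a new terminal, plus the key tracking decision."""
    groups = adjacent_groups(scores, size)
    idx = match_group(new_score, groups, scores)
    return {
        "similar": groups[idx],
        "key_tracking": idx in flag_groups(groups, scores, deviation_threshold),
    }


if __name__ == "__main__":
    print(equal_width_groups(SCORES, 5))     # two of the five groups are empty
    print(adjacent_groups(SCORES))
    print(onboard(50, SCORES, deviation_threshold=20))
    print(onboard(92, SCORES, deviation_threshold=20))
```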
As shown in fig. 5, the embodiment of the invention also provides an intrusion detection processing method of an industrial control system, and compared with the processing method shown in fig. 2, the processing method further comprises the following steps:
S51, determining a terminal with illegal operation from the similar terminals as a reference terminal.
In this embodiment, for a new access terminal, if a terminal with illegal operations is found among the terminals similar to it, more tracking needs to be performed on the new access terminal to determine whether the illegal operation will occur on the new access terminal.
S52, matching corresponding intrusion detection rules from a rule base according to illegal operation of the reference terminal.
In this embodiment, by using the illegal operations of the determined reference terminal, rules with higher accuracy are matched from a preset rule base to monitor the new access terminal. This avoids monitoring the new access terminal through purposeless rule matching, which occupies a large amount of system resources and is prone to mismatches, and so effectively improves the identification precision and identification efficiency for the new access terminal.
S53, acquiring operation log information of the new access terminal in the industrial control system in real time, matching the operation log information according to the intrusion detection rule, and determining whether the new access terminal is abnormal according to a matching result.
In this embodiment, specifically, the processing method further includes: when the new access terminal is abnormal, sending terminal information and abnormal information of the new access terminal to a preset manager terminal.
In the embodiment, when the terminal is determined to be abnormal, the terminal information and the abnormal information are fed back in time, so that a manager can conveniently and quickly determine the position of the abnormal terminal, and the processing efficiency is improved.
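Steps S51 to S53 and the administrator notification, as an added example that is not code from the patent. The rule identifiers, violation names, regular expressions and the log line format are assumptions, and the rule base and log lines are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    violation: str   # the kind of illegal operation this rule was written for
    pattern: str     # regular expression applied to one operation log line


# Constructed rule base.
RULE_BASE = [
    Rule("R-001", "unauthorized_write", r"op=WRITE\b.*result=DENIED"),
    Rule("R-002", "firmware_change", r"op=FW_UPLOAD\b"),
    Rule("R-003", "config_export", r"op=EXPORT\b.*target=\S*config"),
]

# Constructed: similar terminals of the new terminal and their recorded violations.
SIMILAR = {
    "H1": [],
    "H2": ["unauthorized_write"],
    "H3": ["config_export", "unauthorized_write"],
}

# Constructed operation log lines.
LOG = [
    "2023-07-01T09:00:01 terminal=T-new op=READ target=plc3/setpoint result=OK",
    "2023-07-01T09:00:05 terminal=T-new op=WRITE target=plc3/setpoint result=DENIED",
    "2023-07-01T09:00:09 terminal=T-old op=EXPORT target=hmi/config result=OK",
    "2023-07-01T09:01:12 terminal=T-new op=FW_UPLOAD target=plc3 result=OK",
]

TERMINAL_RE = re.compile(r"\bterminal=(\S+)")


def reference_terminals(similar):
    """S51: similar terminals that have illegal operations on record."""
    return {tid: violations for tid, violations in similar.items() if violations}


def select_rules(reference, rule_base):
    """S52: only the rules written for the reference terminals' violations."""
    wanted = {v for violations in reference.values() for v in violations}
    return [rule for rule in rule_base if rule.violation in wanted]


def monitor(terminal_id, log_lines, rules):
    """S53: match the new terminal's log lines against the selected rules."""
    hits = []
    for line in log_lines:
        found = TERMINAL_RE.search(line)
        if not found or found.group(1) != terminal_id:
            continue   # line belongs to another terminal
        for rule in rules:
            if re.search(rule.pattern, line):
                hits.append((rule.rule_id, line))
    return hits


def build_alert(terminal_id, hits):
    """Terminal and anomaly information for the administrator terminal, or None."""
    if not hits:
        return None
    return {
        "terminal": terminal_id,
        "rules": sorted({rule_id for rule_id, _ in hits}),
        "evidence": [line for _, line in hits],
    }


if __name__ == "__main__":
    rules = select_rules(reference_terminals(SIMILAR), RULE_BASE)
    print([rule.rule_id for rule in rules])
    print(build_alert("T-new", monitor("T-new", LOG, rules)))
```

The `FW_UPLOAD` line is reported only when the full rule base is applied: rules chosen from the reference terminals' violations cost less to evaluate but do not cover behaviour those terminals never showed.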
As shown in fig. 6, an embodiment of the present invention provides an intrusion detection processing system for an industrial control system, where each detection module is deployed on each working module of the industrial control system based on a bypass mode, and the detection modules form a detection system; the processing system includes:
the industrial control system is used for encrypting the terminal tag of at least one historical access terminal to generate an encrypted tag, and transmitting the encrypted tag and corresponding terminal identification information to the detection system;
The detection module is used for generating characteristic data quantity of terminal characteristics of the at least one historical access terminal according to the terminal identification information;
the detection module is used for performing deep learning through the terminal characteristics of the at least one history access terminal and the encryption tag corresponding to the detection module to construct a detection model;
the detection system is used for sequentially inputting the detection result of the at least one historical access terminal generated by the detection model of the last detection module into the current detection module to optimize the detection model according to the sequence of the characteristic data quantity, generating the detection result of the at least one historical access terminal based on the optimized current detection model, and transmitting the detection result to the next detection module until the last detection model of the detection module completes optimization, so as to obtain an intrusion detection model;
the detection system is also used for generating current terminal characteristics according to the terminal data of the access terminal which currently sends the access request; and inputting the current terminal characteristics into the intrusion detection model to obtain a terminal detection result.
The industrial control system further comprises: the permission determining module is used for matching similar terminals from the historical access terminals according to the detection result of the intrusion detection model on the new access terminal when the detection result of the terminal is passing detection and the access terminal which sends the access request currently is the new access terminal; calculating authority average grade and access average validity period of each similar terminal; taking the lower one of the basic access right and the right average level in the industrial control system as the access right of the new access terminal; and taking the access average validity period as the access validity period of the new access terminal.
The permission determining module is further configured to determine, according to a detection result of the new access terminal, a terminal class group to which the new access terminal belongs; the terminal category group comprises history access terminals with the same category; and taking the history access terminals in the corresponding terminal category group as similar terminals of the new access terminal.
The permission determining module is further used for respectively detecting terminal characteristics of each historical access terminal according to the intrusion detection model to obtain corresponding terminal detection results; and clustering the historical access terminals according to the terminal detection result to obtain a plurality of terminal category groups.
The terminal detection result comprises: a terminal security score.
The permission determining module is further used for clustering the historical access terminals according to the terminal security scoring size sorting results of the historical access terminals to obtain a plurality of terminal category groups; each terminal category group comprises at least two historical access terminals, and the terminal security score of any historical access terminal is adjacent to the ordering result of the terminal security score of at least one historical access terminal.
The industrial control system further comprises: a terminal monitoring module and a rule base.
The terminal monitoring module is used for determining a terminal with illegal operation from the similar terminals and taking the terminal as a reference terminal; matching corresponding intrusion detection rules from a rule base according to illegal operations of the reference terminal; and acquiring operation log information of the new access terminal in the industrial control system in real time, matching the operation log information according to the intrusion detection rule, and determining whether the new access terminal is abnormal according to a matching result.
The terminal monitoring module is further configured to send terminal information and anomaly information of the new access terminal to a preset administrator terminal when the new access terminal is abnormal.
As shown in fig. 7, the intrusion detection processing device for an industrial control system provided by the embodiment of the invention includes a processor 1110, a communication interface 1120, a memory 1130 and a communication bus 1140, where the processor 1110, the communication interface 1120 and the memory 1130 complete communication with each other through the communication bus 1140;
a memory 1130 for storing a computer program;
the processor 1110 is configured to implement the above-mentioned intrusion detection processing method of the industrial control system when executing the program stored in the memory 1130:
In the processing device provided by the embodiment of the invention, the processor 1110 encrypts the terminal tag of at least one history access terminal through the industrial control system by executing the program stored in the memory 1130 to generate an encrypted tag, and transmits the encrypted tag and the corresponding terminal identification information to the detection system; each detection module generates a characteristic data quantity of terminal characteristics of the at least one historical access terminal according to the terminal identification information; training and constructing a detection model through each detection module according to the terminal characteristics of the at least one historical access terminal and the encryption tag corresponding to the detection module based on a machine learning algorithm; according to the sequence of the feature data quantity, sequentially inputting the detection result of the at least one historical access terminal generated by the detection model of the last detection module into the current detection module to optimize the detection model, and transmitting the detection result of the at least one historical access terminal generated by the optimized current detection model to the next detection module until the detection model of the last detection module completes optimization to obtain an intrusion detection model; generating current terminal characteristics according to terminal data of an access terminal which currently sends an access request; and inputting the current terminal characteristics into the intrusion detection model to obtain a terminal detection result.
The communication bus 1140 mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industrial Standard Architecture (EISA) bus, etc.
The communication bus 1140 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one bold line is shown in the figure, but this does not mean that there is only one bus or one type of bus.
The communication interface 1120 is used for communication between the electronic device and other devices described above.
The memory 1130 may include a Random Access Memory (RAM) or a non-volatile memory, such as at least one magnetic disk memory.
Optionally, the memory 1130 may also be at least one storage device located remotely from the processor 1110.
The processor 1110 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
An embodiment of the present invention provides a computer readable storage medium, where one or more programs are stored, where the one or more programs may be executed by one or more processors 1110 to implement the method for intrusion detection processing of an industrial control system according to any one of the embodiments above.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions in accordance with embodiments of the present invention are produced in whole or in part.
The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus.
The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, transmitted from one website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave) means.
A computer-readable storage medium can be any available medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more available media.
Usable media may be magnetic media (e.g., floppy disks, hard disks, magnetic tape), optical media (e.g., DVD), or semiconductor media (e.g., solid state disk (SSD)), among others.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. The intrusion detection processing method of the industrial control system is characterized in that detection modules are deployed on each working module of the industrial control system based on a bypass mode, and the detection modules form a detection system; the processing method comprises the following steps:
The industrial control system encrypts the terminal tag of at least one historical access terminal to generate an encrypted tag, and transmits the encrypted tag and corresponding terminal identification information to the detection system;
each detection module generates a characteristic data quantity of terminal characteristics of the at least one historical access terminal according to the terminal identification information;
training and constructing a detection model through each detection module according to the terminal characteristics of the at least one historical access terminal and the encryption tag corresponding to the detection module based on a machine learning algorithm;
according to the sequence of the feature data quantity, sequentially inputting the detection result of the at least one historical access terminal generated by the detection model of the last detection module into the current detection module to optimize the detection model, and transmitting the detection result of the at least one historical access terminal generated by the optimized current detection model to the next detection module until the detection model of the last detection module completes optimization to obtain an intrusion detection model;
generating current terminal characteristics according to terminal data of an access terminal which currently sends an access request; and inputting the current terminal characteristics into the intrusion detection model to obtain a terminal detection result.
2. The processing method according to claim 1, characterized in that the processing method further comprises:
when the terminal detection result is passing detection and the access terminal which currently sends the access request is a new access terminal, matching similar terminals from the history access terminals according to the detection result of the intrusion detection model on the new access terminal;
calculating authority average grade and access average validity period of each similar terminal;
taking the lower one of the basic access right and the right average level in the industrial control system as the access right of the new access terminal;
and taking the access average validity period as the access validity period of the new access terminal.
3. The processing method according to claim 2, wherein the matching similar terminals from the history access terminals according to the detection result of the intrusion detection model on the new access terminal includes:
determining a terminal category group to which the new access terminal belongs according to the detection result of the new access terminal; the terminal category group comprises history access terminals with the same category;
and taking the history access terminals in the corresponding terminal category group as similar terminals of the new access terminal.
4. The processing method according to claim 3, further comprising:
detecting terminal characteristics of each historical access terminal according to the intrusion detection model to obtain corresponding terminal detection results;
and clustering the historical access terminals according to the terminal detection result to obtain a plurality of terminal category groups.
5. The processing method according to claim 4, wherein the terminal detection result includes: terminal security scoring;
clustering the history access terminals according to the terminal detection result to obtain a plurality of terminal category groups, including:
clustering the historical access terminals according to the terminal security scoring size sorting result of each historical access terminal to obtain a plurality of terminal category groups; each terminal category group comprises at least two historical access terminals, and the terminal security score of any historical access terminal is adjacent to the ordering result of the terminal security score of at least one historical access terminal.
6. The processing method according to claim 2, characterized in that the processing method further comprises:
determining a terminal with illegal operation from the similar terminals as a reference terminal;
Matching corresponding intrusion detection rules from a rule base according to illegal operations of the reference terminal;
and acquiring operation log information of the new access terminal in the industrial control system in real time, matching the operation log information according to the intrusion detection rule, and determining whether the new access terminal is abnormal according to a matching result.
7. The method of processing according to claim 6, further comprising:
and when the new access terminal is abnormal, sending terminal information and abnormal information of the new access terminal to a preset manager terminal.
8. The intrusion detection processing system of the industrial control system is characterized in that detection modules are deployed on each working module of the industrial control system based on a bypass mode, and the detection modules form a detection system; the processing system includes:
the industrial control system is used for encrypting the terminal tag of at least one historical access terminal to generate an encrypted tag, and transmitting the encrypted tag and corresponding terminal identification information to the detection system;
the detection module is used for generating characteristic data quantity of terminal characteristics of the at least one historical access terminal according to the terminal identification information;
the detection module is used for performing deep learning through the terminal characteristics of the at least one historical access terminal and the encrypted tag corresponding to the detection module to construct a detection model;
the detection system is used for, in order of the characteristic data quantity, sequentially inputting the detection result of the at least one historical access terminal generated by the detection model of the previous detection module into the current detection module to optimize its detection model, generating the detection result of the at least one historical access terminal based on the optimized current detection model, and transmitting the detection result to the next detection module, until the detection model of the last detection module completes optimization, so as to obtain an intrusion detection model;
the detection system is also used for generating current terminal characteristics according to the terminal data of the access terminal which currently sends the access request; and inputting the current terminal characteristics into the intrusion detection model to obtain a terminal detection result.
9. An intrusion detection processing device for an industrial control system, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the intrusion detection processing method of the industrial control system according to any one of claims 1 to 7 when executing the program stored in the memory.
10. A computer readable medium storing a computer readable program for executing the industrial control system intrusion detection processing method according to any one of claims 1 to 7.
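An illustrative sketch of the score-based grouping in claim 5 and the rule matching in claim 6, added here and not taken from the patent. The gap threshold, the rule base contents, the log format, and the choice of the nearest score group as the "similar terminals" are assumptions; all sample data is constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Terminal:
    tid: str
    score: float                                  # terminal security score
    illegal_ops: list = field(default_factory=list)

# Constructed rule base: illegal operation -> pattern over operation-log lines.
RULE_BASE = {
    "unauthorized_plc_write": re.compile(r"op=write .*target=plc"),
    "firmware_download": re.compile(r"op=download .*file=\S+\.bin"),
}

def cluster_by_score(terminals, max_gap=5.0):
    """Group terminals that are neighbours in score order (claim 5).
    max_gap is an assumed split threshold; the claim fixes no boundary rule."""
    ordered = sorted(terminals, key=lambda t: t.score)
    groups = []
    for t in ordered:
        if groups and t.score - groups[-1][-1].score <= max_gap:
            groups[-1].append(t)
        else:
            groups.append([t])
    merged = []                                   # enforce >= 2 terminals per group
    for g in groups:
        if merged and (len(g) < 2 or len(merged[-1]) < 2):
            merged[-1].extend(g)                  # stays contiguous in rank order
        else:
            merged.append(g)
    return merged

def similar_terminals(new_score, groups):
    """Assumption: the similar terminals are the group nearest in score."""
    return min(groups, key=lambda g: min(abs(t.score - new_score) for t in g))

def select_rules(similar):
    """Reference terminals are similar terminals with illegal operations (claim 6)."""
    return {op: RULE_BASE[op] for t in similar for op in t.illegal_ops if op in RULE_BASE}

def check_logs(log_lines, rules):
    hits = [(op, line) for line in log_lines for op, rx in rules.items() if rx.search(line)]
    return bool(hits), hits

# Constructed sample data.
HISTORY = [Terminal("hmi-01", 92), Terminal("eng-02", 90), Terminal("hist-03", 88),
           Terminal("lap-04", 41, ["unauthorized_plc_write"]), Terminal("lap-05", 38),
           Terminal("usb-06", 12, ["firmware_download"])]
NEW_LOGS = ["2023-06-26T10:00:01 term=new-07 op=read target=historian",
            "2023-06-26T10:00:05 term=new-07 op=write value=1 target=plc-3"]
```

The lone low-scoring terminal is merged into its rank-adjacent neighbour group, so every group keeps at least two members as claim 5 requires.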
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310756573.6A CN116488949B (en) | 2023-06-26 | 2023-06-26 | Industrial control system intrusion detection processing method, system, device and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310756573.6A CN116488949B (en) | 2023-06-26 | 2023-06-26 | Industrial control system intrusion detection processing method, system, device and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116488949A (en) | 2023-07-25 |
CN116488949B (en) | 2023-09-01 |
Family
ID=87223612
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310756573.6A Active CN116488949B (en) | 2023-06-26 | 2023-06-26 | Industrial control system intrusion detection processing method, system, device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116488949B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117014231A (en) * | 2023-10-07 | 2023-11-07 | 北京双湃智安科技有限公司 | Industrial control network intrusion protection method and system based on ensemble learning |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112491643A (en) * | 2020-11-11 | 2021-03-12 | 北京马赫谷科技有限公司 | Deep packet inspection method, device, equipment and storage medium |
CN113225313A (en) * | 2021-03-26 | 2021-08-06 | 大唐三门峡发电有限责任公司 | Information safety protection system for DCS system |
WO2021168617A1 (en) * | 2020-02-24 | 2021-09-02 | 深圳市欢太科技有限公司 | Processing method and apparatus for service risk management, electronic device, and storage medium |
CN113722718A (en) * | 2021-08-24 | 2021-11-30 | 哈尔滨工业大学(威海) | Cloud edge collaborative industrial control network security protection method based on policy base |
CN115378711A (en) * | 2022-08-23 | 2022-11-22 | 中国石油天然气集团有限公司 | Industrial control network intrusion detection method and system |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021168617A1 (en) * | 2020-02-24 | 2021-09-02 | 深圳市欢太科技有限公司 | Processing method and apparatus for service risk management, electronic device, and storage medium |
CN112491643A (en) * | 2020-11-11 | 2021-03-12 | 北京马赫谷科技有限公司 | Deep packet inspection method, device, equipment and storage medium |
CN113225313A (en) * | 2021-03-26 | 2021-08-06 | 大唐三门峡发电有限责任公司 | Information safety protection system for DCS system |
CN113722718A (en) * | 2021-08-24 | 2021-11-30 | 哈尔滨工业大学(威海) | Cloud edge collaborative industrial control network security protection method based on policy base |
CN115378711A (en) * | 2022-08-23 | 2022-11-22 | 中国石油天然气集团有限公司 | Industrial control network intrusion detection method and system |
Non-Patent Citations (1)
Title |
---|
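Zhang Songqing; Liu Zhiguo: "An Industrial Control Network Intrusion Detection Method Based on Semi-Supervised Learning", Information Technology and Network Security (信息技术与网络安全), no. 01 * |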
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117014231A (en) * | 2023-10-07 | 2023-11-07 | 北京双湃智安科技有限公司 | Industrial control network intrusion protection method and system based on ensemble learning |
CN117014231B (en) * | 2023-10-07 | 2023-12-22 | 北京双湃智安科技有限公司 | Industrial control network intrusion protection method and system based on ensemble learning |
Also Published As
Publication number | Publication date |
---|---|
CN116488949B (en) | 2023-09-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20230086187A1 (en) | Detection of anomalies associated with fraudulent access to a service platform | |
CN104620225B (en) | Method and system for server security checking | |
AU2020104272A4 (en) | Blockchain-based industrial internet data security monitoring method and system | |
CN112202817B (en) | Attack behavior detection method based on multi-event association and machine learning | |
CN116488949B (en) | Industrial control system intrusion detection processing method, system, device and storage medium | |
CN112385196A (en) | System and method for reporting computer security incidents | |
CN117201131B (en) | Safety management platform for informationized data transmission | |
CN111316272A (en) | Advanced cyber-security threat mitigation using behavioral and deep analytics | |
CN116881948A (en) | Data encryption management system and method based on general database | |
CN116132989A (en) | Industrial Internet security situation awareness system and method | |
CN113938312B (en) | Method and device for detecting violent cracking flow | |
Schuster et al. | Attack and fault detection in process control communication using unsupervised machine learning | |
CN115801530B (en) | Network management type looped network switch with modularized design | |
EP4145768A1 (en) | Inline detection of encrypted malicious network sessions | |
CN113630425B (en) | Financial data safe transmission method for multiple power bodies | |
CN110232570A (en) | A kind of information monitoring method and device | |
CN106817364B (en) | Brute force cracking detection method and device | |
CN116861422A (en) | API interface detection and protection method, device, equipment and storage medium | |
CN114584370A (en) | Server data interaction network security system | |
CN112636921A (en) | Method and system for improving network information transmission security | |
CN113347180B (en) | Risk analysis method for network security three-synchronization process of computer application system | |
CN118138312B (en) | Intelligent payment port encryption method and system | |
CN118114154B (en) | Risk assessment model training method, risk assessment method and risk assessment device | |
CN117114506B (en) | Intelligent factory quality detection and analysis method | |
US20240089270A1 (en) | Detecting malicious behavior from handshake protocols using machine learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||