[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN117749614A - Protocol rule determining method and device, electronic equipment and storage medium - Google Patents

Protocol rule determining method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN117749614A
CN117749614A CN202311761502.1A CN202311761502A CN117749614A CN 117749614 A CN117749614 A CN 117749614A CN 202311761502 A CN202311761502 A CN 202311761502A CN 117749614 A CN117749614 A CN 117749614A
Authority
CN
China
Prior art keywords
target
information
protocol
determining
network server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311761502.1A
Other languages
Chinese (zh)
Inventor
曾子峰
莫嘉永
张佳发
邹洪
许伟杰
江家伟
金浩
陈锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Original Assignee
China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd filed Critical China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Priority to CN202311761502.1A priority Critical patent/CN117749614A/en
Publication of CN117749614A publication Critical patent/CN117749614A/en
Pending legal-status Critical Current

Links

Classifications

    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Communication Control (AREA)

Abstract

The invention discloses a protocol rule determining method, a protocol rule determining device, electronic equipment and a storage medium. The method comprises the following steps: acquiring a plurality of target interaction information sent by a target network server in an industrial control network environment, and determining information acquisition rates corresponding to the plurality of target interaction information; analyzing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server; screening each candidate transmission information, and determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information; if the information acquisition rate is smaller than or equal to the preset rate threshold, determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information. By the technical scheme, the protocol rule adapted to the network server in the industrial control network environment can be automatically determined, and the determination efficiency of the protocol rule is improved.

Description

Protocol rule determining method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computing technologies, and in particular, to a method and apparatus for determining a protocol rule, an electronic device, and a storage medium.
Background
With the development of the internet, users pay more and more attention to network security, and secure interaction of information between network servers in an industrial control network environment is an important basic work of network security.
Currently, various industrial control network environments exist, and protocol rules of universal information interaction cannot be applied to all network servers in each industrial control network environment. For the above inapplicable situation, manual maintenance or updating is usually performed on protocol rules related to all network servers in each industrial control network environment in a manual manner.
However, with the rapid upgrade and function change of the network server, the manual mode cannot maintain or update the protocol rule in time, so that the protocol rule cannot be timely and accurately applied to all the network servers after the upgrade and change, and the security of the network server and the industrial control network environment is reduced.
Disclosure of Invention
The invention provides a protocol rule determining method, a device, electronic equipment and a storage medium, which can automatically determine the protocol rule adapted to a network server in an industrial control network environment without manual participation, improve the determining efficiency of the protocol rule, and improve the accuracy and applicability of the protocol rule, thereby improving the safety of the network server and the industrial control network environment.
According to an aspect of the present invention, there is provided a protocol rule determining method, the method comprising:
acquiring a plurality of target interaction information sent by a target network server in an industrial control network environment, and determining information acquisition rates corresponding to the plurality of target interaction information;
analyzing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server;
screening each candidate transmission information, and determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information;
and if the information acquisition rate is smaller than or equal to a preset rate threshold, determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information.
According to another aspect of the present invention, there is provided a protocol rule determining apparatus including:
the target interaction information acquisition module is used for acquiring a plurality of target interaction information sent by a target network server in the industrial control network environment and determining information acquisition rates corresponding to the plurality of target interaction information;
The candidate information determining module is used for analyzing and processing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server;
the target information determining module is used for screening each candidate transmission information and determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information;
and the target protocol rule determining module is used for determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information if the information acquisition rate is smaller than or equal to a preset rate threshold.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the protocol rule determination method according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the protocol rule determining method according to any one of the embodiments of the present invention when executed.
According to the technical scheme, the information acquisition rates corresponding to the target interaction information are determined by acquiring the target interaction information sent by the target network server in the industrial control network environment; analyzing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server; screening each candidate transmission information, determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information, thereby automatically determining target transmission information and target protocol information which can be integrated into a protocol rule corresponding to a target network server, and automatically determining the target protocol rule based on preset conditions; if the information acquisition rate is smaller than or equal to a preset rate threshold, determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information, so that the protocol rule adapted to the network server in the industrial control network environment is automatically determined, manual participation is not needed, the determination efficiency of the protocol rule is improved, the accuracy and the applicability of the protocol rule are improved, and the safety of the network server and the industrial control network environment is improved.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a protocol rule determination method according to a first embodiment of the present invention;
FIG. 2 is a flow chart of a protocol rule determination method according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a protocol rule determining apparatus according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device implementing a protocol rule determining method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," "target," "initial," and the like in the description and claims of the present invention and in the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a protocol rule determining method according to an embodiment of the present invention, where the method may be applied to a case of constructing a target protocol rule corresponding to each target network server in an industrial control network environment, and the method may be performed by a protocol rule determining apparatus, where the protocol rule determining apparatus may be implemented in a form of hardware and/or software, and the protocol rule determining apparatus may be configured in an electronic device. As shown in fig. 1, the method includes:
S110, acquiring a plurality of target interaction information sent by a target network server in an industrial control network environment, and determining information acquisition rates corresponding to the plurality of target interaction information.
The industrial control network environment may refer to a network environment formed by an industrial control server and a network. The industrial control network environment can provide a network foundation for information communication between various network servers in the industrial control network environment. For example, industrial network environments may be suitable for use in manufacturing, power systems, smart grids, and transportation systems. A network server may refer to a network asset in an industrial control network environment. The target web server may refer to a web server that needs to build or update protocol rules, or a monitored web server. The interaction information may refer to interaction information between network servers in an industrial control network environment. The target interaction information may refer to interaction information that the target network server participates in. The information acquisition rate may characterize the number of acquisitions of the target interaction information within a preset duration.
Specifically, a plurality of target interaction information sent by a target network server in an industrial control network environment within a preset time period is obtained through a port mirror image mode and/or a light splitter mode and the like, wherein the target interaction information comprises interaction protocol flow, the number of the target interaction information sent by the target network server within the preset time period is obtained, and therefore the information obtaining rate corresponding to the target network server is determined based on the obtained number of the target interaction information and the preset time period.
S120, analyzing and processing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server.
Wherein the candidate transmission information includes: an information transmitting server address, an information receiving server address, and a transmission information type; the candidate protocol information includes: protocol type and protocol content; wherein, the protocol content includes: at least one of a function code, a data field, and a check code. For example, the information sending server address may refer to a source IP, the information receiving server address may refer to a destination IP, and the various fields in the protocol content may refer to the function code, data field, and check code in the modbus protocol.
Specifically, deep packet inspection (Deep Packet Inspection, DPI) is used for carrying out deep analysis and engine analysis on each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server. The deep analysis model can be built by using a basic framework (Deep Inspect Management, DIM) realized by the DPI technology, and each target interaction information is input into the built deep analysis model to carry out deep analysis and engine analysis, so that a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server are obtained.
S130, screening each candidate transmission information, and determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information.
The preset information transmission relationship may refer to a preset server master-slave relationship of information transmission. Server master-slave relationship may refer to allowing a master server to send interaction information to a slave server.
Specifically, screening is performed on each candidate transmission information, and a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information are determined. For example, the preset information transmission relationship includes: allowing the a-network server to send the interaction information to the B-network server, and allowing the C-network server to send the interaction information to the a-network server. The candidate transmission information indicates that the A network server sends the interaction information to the B network server and the A network server sends the interaction information to the C network server, and then the A network server sends the interaction information to the B network server as target transmission information meeting the preset information transmission relation.
And S140, if the information acquisition rate is smaller than or equal to a preset rate threshold, determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information.
The preset rate threshold may be used to characterize the target network server's need to build or update protocol rules. Specifically, if the information acquisition rate is less than or equal to the preset rate threshold, a protocol rule table is constructed based on the target transmission information and the target protocol information, so as to determine a target protocol rule corresponding to the target network server. If the information acquisition rate is greater than the preset rate threshold, compliance detection can be performed on the target transmission information and the target protocol information based on the existing target protocol rule, so that monitoring of the target network server is achieved.
Illustratively, S140 may include: combining the target protocol information corresponding to the same target transmission information to determine a target protocol information set corresponding to each target transmission information; taking each target transmission information and each target protocol information set as each candidate protocol rule corresponding to the target network server; and repeatedly detecting each candidate protocol rule, and determining a target protocol rule corresponding to the target network server.
Specifically, combining the target protocol information corresponding to the same target transmission information to determine a target protocol information set corresponding to each target transmission information; it can be understood that all the target protocol information sent from the a network server to the B network server is combined, and a target protocol information set corresponding to each target transmission information is determined, that is, an information set formed by all the target protocol information used in the interactive information sent from the a network server to the B network server is determined. And determining each candidate protocol rule corresponding to the target network server based on each target transmission information and the target protocol information set corresponding to each target transmission information, repeatedly detecting each candidate protocol rule, and determining the target protocol rule after duplicate removal.
According to the technical scheme, the information acquisition rates corresponding to the target interaction information are determined by acquiring the target interaction information sent by the target network server in the industrial control network environment; analyzing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server; screening each candidate transmission information, determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information, thereby automatically determining the target transmission information and the target protocol information which can be integrated into a protocol rule corresponding to a target network server, and automatically determining the target protocol rule based on preset conditions; if the information acquisition rate is smaller than or equal to the preset rate threshold, determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information, thereby automatically determining the protocol rule adapted to the network server in the industrial control network environment without manual participation, improving the determination efficiency of the protocol rule, improving the accuracy and the applicability of the protocol rule, and improving the safety of the network server and the industrial control network environment.
Based on the above technical solution, "detecting the repeatability of each candidate protocol rule, determining the target protocol rule corresponding to the target network server" may include: if the historical protocol rules corresponding to the target network server exist, performing de-duplication processing on each candidate protocol rule based on the historical protocol rules to obtain a first protocol rule after de-duplication processing, and performing integration processing based on the historical protocol rules and the first protocol rule to determine the target protocol rules corresponding to the target network server; and if the historical protocol rules corresponding to the target network server do not exist, carrying out de-duplication processing on each candidate protocol rule to obtain a second protocol rule to be selected after de-duplication, and determining the second protocol rule to be selected as the target protocol rule corresponding to the target network server.
The historical protocol rule may refer to a protocol rule that is pre-constructed at a historical time. Specifically, whether to update the historical protocol rule or construct the target protocol rule is determined based on whether the historical protocol rule corresponding to the target network server exists. For example, if a historical protocol rule corresponding to the target network server exists, performing de-duplication processing on each candidate protocol rule based on the historical protocol rule to obtain a first de-duplicated protocol rule, thereby ensuring that no repeated protocol rule exists in the first protocol rule and the historical protocol rule, and performing integration processing based on the historical protocol rule and the first protocol rule, thereby accurately determining the target protocol rule corresponding to the target network server; and if the historical protocol rules corresponding to the target network server do not exist, carrying out de-duplication processing on each candidate protocol rule to obtain a second protocol rule to be selected after de-duplication, and determining the second protocol rule to be selected as the target protocol rule corresponding to the target network server. Wherein the second candidate protocol rule may be the same as the candidate protocol rule.
On the basis of the technical scheme, after determining the target protocol rule corresponding to the target network server, the method further comprises the following steps: based on a target protocol rule corresponding to a target network server in an industrial control network environment, performing interactive monitoring on current interactive information corresponding to the target network server; if at least one piece of current interaction information is detected to not meet the target protocol rule corresponding to the target network server, generating interaction alarm information based on the current interaction information, and displaying the interaction alarm information; and determining whether to update the target protocol rule corresponding to the target network server based on feedback information of the user on the interaction alarm information.
Specifically, after determining a target protocol rule corresponding to a target network server, performing interactive monitoring on current interaction information corresponding to the target network server based on the target protocol rule corresponding to the target network server in the industrial control network environment; if all the current interaction information is detected to meet the target protocol rule corresponding to the target network server, the target network server is indicated to interact information within the range allowed by the target protocol rule, then the current interaction information of the target network server is continuously monitored, so that abnormal monitoring is carried out through the accurate target protocol rule, the false alarm condition is reduced, and the monitoring is more accurate and reliable; if at least one piece of current interaction information is detected to not meet the target protocol rule corresponding to the target network server, generating interaction alarm information based on the current interaction information, and displaying the interaction alarm information; based on feedback information of the interaction alarm information by the user, whether to update the target protocol rule corresponding to the target network server is determined, so that the updating efficiency of the protocol rule can be improved, the protocol rule can be dynamically adjusted, and the instantaneity and the adaptability of the protocol rule are improved. For example, if the feedback information indicates that the current interaction information is the interaction information related to the temporarily added service, updating the target protocol rule corresponding to the target network server based on the current interaction information; and if the feedback information indicates that the current interaction information is the interaction information sent by using the forbidden protocol, carrying out information tracing based on the current interaction information.
Example two
Fig. 2 is a flowchart of a protocol rule determining method according to a second embodiment of the present invention, and the process of determining the target transmission information and the target protocol information is described in detail on the basis of the foregoing embodiment. Wherein the explanation of the same or corresponding terms as those of the above embodiments is not repeated herein. As shown in fig. 2, the method includes:
s210, acquiring a plurality of target interaction information sent by a target network server in an industrial control network environment, and determining information acquisition rates corresponding to the plurality of target interaction information.
S220, analyzing and processing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server.
S230, detecting whether the transmission information type in each piece of candidate transmission information is an active transmission type, and acquiring the transmission information to be selected which is the active transmission type.
The transmission information types may include, but are not limited to, active transmission types and passive transmission types. The method has the advantages that the transmission information of active transmission and the transmission information of passive response can be distinguished, the transmission information of active transmission type is utilized to treat the transmission information, and the situation that the passive transmission type has adverse effects on the construction of protocol rules due to confusion of the transmission information type is avoided, for example, the constructed target protocol rules corresponding to a plurality of target network servers are overlapped, and when the target protocol rules are maintained, the target protocol rules corresponding to all the target network servers are not maintained, so that contradiction exists in the target protocol rules corresponding to each target network server.
S240, screening the address of the information receiving server in the transmission information to be selected based on a preset information transmission relation, and determining target transmission information and target protocol information corresponding to the target transmission information.
Specifically, the target interaction information is sent by the target network server, and only the target transmission information and the target protocol information corresponding to the target transmission information are determined by screening the information receiving server address in the to-be-selected transmission information based on the transmission relation of which the target network server is the main server (the information sending server address is the main server) in the preset information transmission relation.
Illustratively, S240 may include: determining a preset receiving server address corresponding to the target network server based on a preset information transmission relation; and determining the to-be-selected transmission information corresponding to the information receiving server address which is the same as the preset receiving server address as target transmission information, and determining target protocol information corresponding to the target transmission information.
The preset receiving server address may refer to an information receiving server address corresponding to an information sending server address of the target network server in a preset information transmission relationship.
S250, if the information acquisition rate is smaller than or equal to a preset rate threshold, determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information.
According to the technical scheme, whether the transmission information type in each candidate transmission information is the active transmission type or not is detected, and the transmission information to be selected which is the active transmission type is obtained; based on a preset information transmission relation, the information receiving server address in the to-be-selected transmission information is screened, and the target transmission information and the target protocol information corresponding to the target transmission information are determined, so that the transmission information of active transmission and the transmission information of passive response can be distinguished, the transmission information of active transmission type is utilized to treat the selected transmission information, the situation that the passive transmission type has adverse effects on the construction of the protocol rules due to confusion of the transmission information type is avoided, for example, the situation that the constructed target protocol rules corresponding to a plurality of target network servers overlap, and when the target protocol rules are maintained, the target protocol rules corresponding to all the target network servers are not maintained, so that contradiction exists in the target protocol rules corresponding to each target network server, the determination efficiency of the protocol rules is further improved, the accuracy and the applicability of the protocol rules are improved, and the safety of the network servers and the industrial control network environment is improved.
The following is an embodiment of a protocol rule determining apparatus provided in the embodiment of the present invention, which belongs to the same inventive concept as the protocol rule determining method of the above embodiments, and reference may be made to the embodiment of the protocol rule determining method for details that are not described in detail in the embodiment of the protocol rule determining apparatus.
Example III
Fig. 3 is a schematic structural diagram of a protocol rule determining apparatus according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes: the target interaction information acquisition module 310, the candidate information determination module 320, the target information determination module 330, and the target protocol rule determination module 340.
The target interaction information obtaining module 310 is configured to obtain a plurality of target interaction information sent by a target network server in an industrial control network environment, and determine an information obtaining rate corresponding to the plurality of target interaction information; the candidate information determining module 320 is configured to analyze each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server; the target information determining module 330 is configured to perform screening processing on each candidate transmission information, and determine a plurality of target transmission information that satisfy a preset information transmission relationship and target protocol information corresponding to each target transmission information; the target protocol rule determining module 340 is configured to determine, based on the target transmission information and the target protocol information, a target protocol rule corresponding to the target network server if the information acquisition rate is less than or equal to the preset rate threshold.
According to the technical scheme, the information acquisition rates corresponding to the target interaction information are determined by acquiring the target interaction information sent by the target network server in the industrial control network environment; analyzing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server; screening each candidate transmission information, determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information, thereby automatically determining the target transmission information and the target protocol information which can be integrated into a protocol rule corresponding to a target network server, and automatically determining the target protocol rule based on preset conditions; if the information acquisition rate is smaller than or equal to the preset rate threshold, determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information, thereby automatically determining the protocol rule adapted to the network server in the industrial control network environment without manual participation, improving the determination efficiency of the protocol rule, improving the accuracy and the applicability of the protocol rule, and improving the safety of the network server and the industrial control network environment.
Optionally, the candidate transmission information includes: an information transmitting server address, an information receiving server address, and a transmission information type; the candidate protocol information includes: protocol type and protocol content; wherein, the protocol content includes: at least one of a function code, a data field, and a check code.
Optionally, the target information determining module 330 may include:
the to-be-selected transmission information acquisition sub-module is used for detecting whether the transmission information type in each candidate transmission information is an active transmission type or not and acquiring to-be-selected transmission information which is the active transmission type;
the target information determining sub-module is used for screening the address of the information receiving server in the transmission information to be selected based on a preset information transmission relation, and determining target transmission information and target protocol information corresponding to the target transmission information.
Optionally, the target information determining submodule is specifically configured to: determining a preset receiving server address corresponding to the target network server based on a preset information transmission relation; and determining the to-be-selected transmission information corresponding to the information receiving server address which is the same as the preset receiving server address as target transmission information, and determining target protocol information corresponding to the target transmission information.
Optionally, the target protocol rule determining module 340 may include:
the target protocol information set determining submodule is used for combining the target protocol information corresponding to the same target transmission information and determining a target protocol information set corresponding to each target transmission information;
the candidate protocol rule determining submodule is used for taking each target transmission information and each target protocol information set as each candidate protocol rule corresponding to the target network server;
and the target protocol rule determining submodule is used for repeatedly detecting each candidate protocol rule and determining the target protocol rule corresponding to the target network server.
Optionally, the target protocol rule determining submodule is specifically configured to: if the historical protocol rules corresponding to the target network server exist, performing de-duplication processing on each candidate protocol rule based on the historical protocol rules to obtain a first protocol rule after de-duplication processing, and performing integration processing based on the historical protocol rules and the first protocol rule to determine the target protocol rules corresponding to the target network server; and if the historical protocol rules corresponding to the target network server do not exist, carrying out de-duplication processing on each candidate protocol rule to obtain a second protocol rule to be selected after de-duplication, and determining the second protocol rule to be selected as the target protocol rule corresponding to the target network server.
Optionally, the apparatus further comprises:
the interaction monitoring module is used for carrying out interaction monitoring on the current interaction information corresponding to the target network server based on the target protocol rule corresponding to the target network server in the industrial control network environment after the target protocol rule corresponding to the target network server is determined;
the interactive alarm information generation module is used for generating interactive alarm information based on the current interactive information and displaying the interactive alarm information if at least one piece of current interactive information is detected to not meet the target protocol rule corresponding to the target network server;
and the protocol rule updating module is used for determining whether to update the target protocol rule corresponding to the target network server based on feedback information of the user on the interaction alarm information.
The protocol rule determining device provided by the embodiment of the invention can execute the protocol rule determining method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of executing the protocol rule determining method.
It should be noted that, in the embodiment of determining the protocol rule, each unit and module included are only divided according to the functional logic, but not limited to the above division, so long as the corresponding function can be implemented; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present invention.
Example IV
Fig. 4 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the respective methods and processes described above, such as the protocol rule determination method.
In some embodiments, the protocol rule determination method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the protocol rule determination method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the protocol rule determination method in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method for determining protocol rules, comprising:
acquiring a plurality of target interaction information sent by a target network server in an industrial control network environment, and determining information acquisition rates corresponding to the plurality of target interaction information;
analyzing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server;
Screening each candidate transmission information, and determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information;
and if the information acquisition rate is smaller than or equal to a preset rate threshold, determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information.
2. The method of claim 1, wherein the candidate transmission information comprises: an information transmitting server address, an information receiving server address, and a transmission information type; the candidate protocol information includes: protocol type and protocol content; wherein, the protocol content includes: at least one of a function code, a data field, and a check code.
3. The method according to claim 2, wherein the filtering each candidate transmission information to determine a plurality of target transmission information satisfying a preset information transmission relationship and target protocol information corresponding to each target transmission information includes:
detecting whether the transmission information type in each candidate transmission information is an active transmission type or not, and acquiring to-be-selected transmission information which is the active transmission type;
And screening the address of the information receiving server in the transmission information to be selected based on a preset information transmission relation, and determining target transmission information and target protocol information corresponding to the target transmission information.
4. The method of claim 3, wherein the screening the address of the information receiving server in the transmission information to be selected based on the preset information transmission relationship, and determining the target transmission information and the target protocol information corresponding to the target transmission information, includes:
determining a preset receiving server address corresponding to the target network server based on a preset information transmission relation;
and determining the to-be-selected transmission information corresponding to the information receiving server address which is the same as the preset receiving server address as target transmission information, and determining target protocol information corresponding to the target transmission information.
5. The method of claim 1, wherein determining the target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information comprises:
combining the target protocol information corresponding to the same target transmission information to determine a target protocol information set corresponding to each target transmission information;
Taking each target transmission information and each target protocol information set as each candidate protocol rule corresponding to the target network server;
and repeatedly detecting each candidate protocol rule, and determining a target protocol rule corresponding to the target network server.
6. The method of claim 5, wherein the repeatedly detecting each candidate protocol rule to determine the target protocol rule corresponding to the target network server comprises:
if a historical protocol rule corresponding to a target network server exists, carrying out de-duplication processing on each candidate protocol rule based on the historical protocol rule to obtain a first protocol rule after de-duplication, and carrying out integration processing based on the historical protocol rule and the first protocol rule to determine the target protocol rule corresponding to the target network server;
and if the historical protocol rules corresponding to the target network server do not exist, performing de-duplication processing on each candidate protocol rule to obtain a second protocol rule to be selected after de-duplication, and determining the second protocol rule to be selected as the target protocol rule corresponding to the target network server.
7. The method of claim 1, wherein after determining the target protocol rule corresponding to the target network server, the method further comprises:
based on a target protocol rule corresponding to a target network server in an industrial control network environment, performing interactive monitoring on current interactive information corresponding to the target network server;
if at least one piece of current interaction information is detected to not meet the target protocol rule corresponding to the target network server, generating interaction alarm information based on the current interaction information, and displaying the interaction alarm information;
and determining whether to update the target protocol rule corresponding to the target network server based on feedback information of the user on the interaction alarm information.
8. A protocol rule determining apparatus, comprising:
the target interaction information acquisition module is used for acquiring a plurality of target interaction information sent by a target network server in the industrial control network environment and determining information acquisition rates corresponding to the plurality of target interaction information;
the candidate information determining module is used for analyzing and processing each target interaction information to obtain a plurality of candidate transmission information and a plurality of candidate protocol information corresponding to the target network server;
The target information determining module is used for screening each candidate transmission information and determining a plurality of target transmission information meeting a preset information transmission relation and target protocol information corresponding to each target transmission information;
and the target protocol rule determining module is used for determining a target protocol rule corresponding to the target network server based on the target transmission information and the target protocol information if the information acquisition rate is smaller than or equal to a preset rate threshold.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the protocol rule determination method of any one of claims 1-7.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the protocol rule determination method of any one of claims 1-7 when executed.
CN202311761502.1A 2023-12-20 2023-12-20 Protocol rule determining method and device, electronic equipment and storage medium Pending CN117749614A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311761502.1A CN117749614A (en) 2023-12-20 2023-12-20 Protocol rule determining method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311761502.1A CN117749614A (en) 2023-12-20 2023-12-20 Protocol rule determining method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117749614A true CN117749614A (en) 2024-03-22

Family

ID=90282730

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311761502.1A Pending CN117749614A (en) 2023-12-20 2023-12-20 Protocol rule determining method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117749614A (en)

Similar Documents

Publication Publication Date Title
CN115396289B (en) Fault alarm determining method and device, electronic equipment and storage medium
CN116225769B (en) Method, device, equipment and medium for determining root cause of system fault
CN113037489B (en) Data processing method, device, equipment and storage medium
CN117424850B (en) Abnormal link aggregation method, query method, device, equipment and medium
CN117608904A (en) Fault positioning method and device, electronic equipment and storage medium
CN116545905A (en) Service health detection method and device, electronic equipment and storage medium
CN117749614A (en) Protocol rule determining method and device, electronic equipment and storage medium
CN116668264A (en) Root cause analysis method, device, equipment and storage medium for alarm clustering
CN115906135A (en) Tracing method and device for target data leakage path, electronic equipment and storage medium
CN115687406A (en) Sampling method, device and equipment of call chain data and storage medium
CN114661562A (en) Data warning method, device, equipment and medium
CN116185765B (en) Alarm processing method and device, electronic equipment and storage medium
CN117608877B (en) Data transmission method, device, equipment and storage medium
CN116882724B (en) Method, device, equipment and medium for generating business process optimization scheme
CN117729005A (en) Network asset mapping method
CN117742900B (en) Method, device, equipment and storage medium for constructing service call graph
CN118945046A (en) Log processing method, device, equipment and medium
CN118540200A (en) Alarm compression noise reduction strategy arrangement method and device, electronic equipment and medium
CN118170606A (en) Log data detection method and device, electronic equipment and storage medium
CN117081939A (en) Traffic data processing method, device, equipment and storage medium
CN116414999A (en) Knowledge graph-based management method and device, electronic equipment and storage medium
CN117194471A (en) Data blood edge analysis method, device, medium, electronic equipment and product
CN115766260A (en) Method, device, equipment and storage medium for generating network access white list
CN117455684A (en) Data processing method, device, electronic equipment, storage medium and product
CN117009111A (en) Data processing method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination