CN112367322B - Power station industrial control system abnormal flow identification method based on bubbling sequencing method - Google Patents
- Publication number: CN112367322B (application CN202011249001.1A)
- Authority: CN (China)
- Prior art keywords: flow, real time, serial number, industrial control
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/06—Arrangements for sorting, selecting, merging, or comparing data on individual record carriers
- G06F7/08—Sorting, i.e. grouping record carriers in numerical or other ordered sequence according to the classification of at least some of the information they carry
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method for identifying abnormal traffic in a power station industrial control system using bubble sort comprises the following steps: 1) monitoring points are created in a real-time database according to the number of nodes in the power station industrial control system, the monitoring points comprising the traffic lengths received and sent by each node and the corresponding sort sequence numbers; 2) network traffic in the system is acquired by port mirroring, and the traffic lengths are classified, counted and stored per second; 3) the real-time received and sent traffic lengths of each node are sorted as two queues by bubble sort, and the resulting sequence numbers are stored; 4) the traffic length and sequence number data of each node are updated every second and accumulated to obtain the hourly cumulative traffic, hourly cumulative sequence numbers are obtained by bubble sort, and an alarm is raised for any node whose real-time sequence number changes, whose hourly cumulative sequence number changes, or whose real-time and hourly cumulative sequence numbers deviate by more than a threshold. The invention can identify in real time the abnormal traffic generated by network attacks of both known and unknown types without affecting system operation.
Description
Technical Field
The invention relates to the technical field of industrial control security monitoring, and in particular to a method for identifying abnormal traffic in a power station industrial control system based on bubble sort.
Background
Against hacker network attacks, monitoring and analysing network traffic so as to identify and discover abnormal traffic is the first step of security protection. Current traffic monitoring models fall mainly into two types: detection systems based on a feature (signature) library and detection systems based on behavioural deviation. Feature library based detection systems are used primarily to identify known types of network attack. The invention is a detection system based on behavioural deviation, which can be used to identify both known and unknown network attacks.
The industrial control system of a power station monitors and controls the production and transmission of electric power. The main type of power station in China is the coal-fired power station; because of safety factors such as thermal stress, a unit is required to run as steadily as possible at its target load, and even while load is being raised or lowered sufficient buffering is prepared so that the transition is stable and gradual. Consequently, in daily operation the interaction traffic between the nodes of a power station industrial control system changes steadily and smoothly. If the traffic received or sent by a network node shows a large sudden change or a sustained change, a network attack event may be occurring in the system. The invention uses bubble sort to rank the byte lengths of the traffic packets received and sent by each network node, and identifies abnormal traffic from changes in the resulting sequence numbers.
Disclosure of Invention
To solve the problems of the prior art, the invention aims to provide a method for identifying abnormal traffic in a power station industrial control system based on bubble sort, which monitors in real time the abnormal traffic generated by network attacks in the system and identifies and alarms on it, without constructing a network attack feature library and without affecting the operation of the industrial control system.
To achieve this purpose, the invention adopts the following technical scheme:
A method for identifying abnormal traffic in a power station industrial control system based on bubble sort comprises the following steps:
1) monitoring points are created in a real-time database according to the number of nodes of the power station industrial control system; each node corresponds to the byte length of received traffic packets (received traffic length for short), the sort sequence number of the received traffic byte length (received traffic sequence number for short), the byte length of sent traffic packets (sent traffic length for short) and the sort sequence number of the sent traffic byte length (sent traffic sequence number for short), so the number of monitoring points created is the number of nodes of the industrial control system multiplied by 4;
2) a traffic packet capture tool is deployed and the network traffic in the industrial control system is acquired by port mirroring; the byte length of the traffic packets is classified and counted per second by source IP and destination IP, the mapping between nodes and IPs is consulted, the traffic length received and sent by each node is calculated in real time, and the calculated traffic lengths are stored in the real-time database;
3) the real-time received traffic lengths of all nodes are read from the real-time database to form a queue, the queue is sorted by bubble sort to obtain the sequence number corresponding to each node's received traffic length, the sequence numbers are stored in the real-time database, and the sent traffic length queue is processed in the same way;
4) the received and sent traffic lengths of each node and the corresponding sequence numbers are updated every second and compared with those of the previous second, and any node whose sequence number change exceeds the threshold is alarmed in real time;
5) the received traffic lengths of all nodes are accumulated over the latest hour to obtain the current-hour cumulative received traffic length; the queue formed by the current-hour cumulative received traffic lengths is sorted by bubble sort to obtain the current-hour cumulative received traffic sequence numbers; the cumulative received traffic lengths of the previous hour are processed in the same way to obtain the previous-hour sequence numbers; and the cumulative sent traffic is processed in the same way to obtain two further groups of sequence numbers;
6) the current-hour cumulative received traffic sequence number is compared with the previous-hour sequence number, and any node whose change exceeds the threshold is alarmed; any node for which the deviation between the real-time received traffic sequence number and the current-hour cumulative received traffic sequence number exceeds the threshold is alarmed; and the hourly cumulative sent traffic is processed in the same way.
The method is also suitable for identifying abnormal traffic between several industrial control systems, each system being treated as one node; a system may be further subdivided by the communication protocol types used within it before sorting and alarm processing; and the real-time statistics interval may be changed to 3-5 seconds, or the accumulation period to half an hour or two hours.
Unlike traditional network attack traffic detection methods, the method does not need to construct a feature library; it can identify abnormal traffic generated by known and unknown network attacks at the same time, and achieves real-time monitoring and alarming.
Preferably, alarms on the real-time received traffic sequence number, the real-time sent traffic sequence number, the hourly cumulative received traffic sequence number and the hourly cumulative sent traffic sequence number are marked in 4 different colours, and the nodes with the largest sequence number change that also trigger two alarms are marked by flashing.
The invention has the following beneficial technical effects: network traffic is obtained by port mirroring, so the operation of the industrial control system is not affected; no feature library of known attack patterns needs to be constructed; network attack traffic of both known and unknown types can be identified; and both short, concentrated attack traffic and long, dispersed attack traffic can be identified.
Drawings
FIG. 1 is a flow chart of the identification method of the present invention.
Detailed Description
The present invention is described in further detail below with reference to the accompanying drawing.
As shown in FIG. 1, the method of the invention for identifying abnormal traffic in a power station industrial control system based on bubble sort comprises the following steps:
1) monitoring points are created in a real-time database according to the number of nodes of the power station industrial control system; each node has the byte length of received traffic packets, the sort sequence number of the received traffic byte length, the byte length of sent traffic packets and the sort sequence number of the sent traffic byte length. For an industrial control system with k nodes the node set is {N_1, …, N_i, …, N_k}, k × 4 measuring points must be created, and the four monitoring points of each node are N#IN_BL_RT, N#IN_BL_ON_RT, N#OUT_BL_RT and N#OUT_BL_ON_RT, where # stands for the node number.
2) the network traffic in the industrial control system is obtained by port mirroring: a full-traffic packet capture tool is deployed on the observation port of the switches and routers, the traffic byte lengths are classified and counted per second by source IP and destination IP, and, since one node may have several IPs, the node-to-IP mapping is consulted to compute the byte lengths received and sent by each node in real time and store them in the real-time database. For traffic whose source IP and destination IP are both inside the system, the receiver's and the sender's traffic are increased at the same time; when the destination IP is outside the system only the sent traffic of the node concerned is counted, and when the source IP is outside the system only the received traffic of the node concerned is counted.
3) the real-time received traffic lengths of the k nodes are read from the real-time database to form a queue, a two-dimensional array of k rows and 2 columns: the k rows represent the k nodes, and the 2 columns are a received traffic length column and a node number column, as in the following table, where IL_k denotes the real-time received traffic length of the k-th node.
Received traffic length | Node number |
---|---|
IL_1 | 1 |
IL_2 | 2 |
… | … |
IL_k | k |
The queue is sorted by bubble sort so that the largest length rises to the top row, i.e. large values "bubble up". In each of the k−1 passes of the algorithm a single comparison works as follows: if IL_{i+1} > IL_i, then IL_{i+1} and IL_i exchange positions and the node numbers i+1 and i are exchanged at the same time, where 1 ≤ i ≤ k−1; after at most k−1 passes the bubble sort ends. The row number found for each node label is then that node's sequence number for received traffic length, giving sequence number data {A_1, A_2, …, A_k} corresponding to the received traffic lengths of the nodes.
The sequence number of node N_i's received traffic length is A_i; A_i and the timestamp of the corresponding received traffic length are stored in node N_i's received traffic length sequence number measuring point. The queue of traffic lengths sent in real time by all nodes is processed in the same way to obtain sequence number data {B_1, B_2, …, B_k} corresponding to the sent traffic lengths;
4) the received and sent traffic lengths of the k nodes and the corresponding sequence numbers are updated every second. For node N_i, let the real-time received traffic length sequence number be A_i, the real-time sent traffic length sequence number be B_i, the received traffic length sequence number at the previous moment be A'_i and the sent traffic length sequence number at the previous moment be B'_i. If one of the following conditions holds:
|A_i − A'_i| > α: the real-time received traffic sequence number change exceeds the threshold;
|B_i − B'_i| > α: the real-time sent traffic sequence number change exceeds the threshold;
then a real-time alarm is raised for node N_i, where α is the change threshold, generally chosen as one half of the number of nodes according to the actual number of network nodes.
5) the received traffic lengths of the k nodes are accumulated over the latest hour to obtain the current-hour cumulative received traffic length; the queue formed by the current-hour cumulative received traffic lengths of the k nodes is sorted by bubble sort (see step 3) to obtain the current-hour cumulative received traffic length sequence numbers {C_1, C_2, …, C_k}, and the current-hour cumulative sent traffic is processed in the same way to obtain the current-hour cumulative sent traffic length sequence numbers {D_1, D_2, …, D_k}.
For node N_i, let the current-hour cumulative received traffic length sequence number be C_i, the current-hour cumulative sent traffic length sequence number be D_i, the previous-hour cumulative received traffic length sequence number be C'_i and the previous-hour cumulative sent traffic length sequence number be D'_i. If one of the following conditions holds:
|C_i − C'_i| > α: the change of the current-hour cumulative received traffic sequence number exceeds the threshold;
|D_i − D'_i| > α: the change of the current-hour cumulative sent traffic sequence number exceeds the threshold;
|A_i − C_i| > α: the deviation between the real-time received traffic length sequence number and the current-hour cumulative received traffic length sequence number exceeds the threshold;
|B_i − D_i| > α: the deviation between the real-time sent traffic length sequence number and the current-hour cumulative sent traffic length sequence number exceeds the threshold;
then a real-time alarm is raised for node N_i.
6) for the nodes N_i meeting the conditions of steps 4) and 5), the real-time alarms are distinguished by different colours, and if the sequence number change or deviation equals k−1, or a node meets several alarm conditions at once, it is highlighted by flashing.
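The ranking and alarm logic of steps 3) to 5) (and of the corresponding steps in the disclosure above) worked through in Python, as an added example that is not code from the patent: per-tick byte counts are bubble-sorted into rank numbers A_i/B_i, a tumbling window of `window` ticks stands in for the hour to give C_i/D_i, and α defaults to half the node count. The node labels, the sample byte counts and the alarm record format are constructed for this example.

```python
"""Rank-based traffic anomaly detector (added example, not the patent's code).

Per-node received/sent byte lengths for one tick are bubble-sorted into rank
numbers (A_i / B_i); the same lengths summed over a tumbling window give the
"hourly" ranks (C_i / D_i). A node is alarmed when a rank moves by more than
alpha between ticks or between windows, or when its real-time rank deviates
from its window rank by more than alpha. Window length, node labels and sample
byte counts below are constructed, not taken from the patent.
"""


def bubble_sort_ranks(lengths):
    """Bubble-sort a [length, node] queue so the largest length rises to row 1,
    swapping node labels together with lengths (patent step 3). Returns a list
    where ranks[node] is that node's 1-based row after sorting."""
    queue = [[length, node] for node, length in enumerate(lengths)]
    k = len(queue)
    for _ in range(k - 1):                      # at most k-1 passes
        swapped = False
        for i in range(k - 1):
            if queue[i + 1][0] > queue[i][0]:   # IL_{i+1} > IL_i: swap rows
                queue[i], queue[i + 1] = queue[i + 1], queue[i]
                swapped = True
        if not swapped:                         # already ordered: stop early
            break
    ranks = [0] * k
    for row, (_, node) in enumerate(queue, start=1):
        ranks[node] = row
    return ranks


class RankDetector:
    """Keeps rank state per direction for k nodes and emits alarms per tick."""

    def __init__(self, k, alpha=None, window=3600):
        self.k = k
        self.alpha = k // 2 if alpha is None else alpha   # patent: about half the node count
        self.window = window            # ticks per accumulation window (3600 s = one hour)
        self.ticks = 0
        self.state = {d: {"prev_rt": None, "total": [0] * k, "prev_hour": None}
                      for d in ("in", "out")}

    def _check(self, node, cur, ref, label, alarms):
        """Alarm on |cur - ref| > alpha; skipped while no reference exists yet."""
        if ref is not None and abs(cur[node] - ref[node]) > self.alpha:
            alarms.append((node, label))

    def tick(self, in_bytes, out_bytes):
        """Feed one tick of per-node byte counts; returns [(node, reason), ...]."""
        alarms = []
        self.ticks += 1
        for direction, sample in (("in", in_bytes), ("out", out_bytes)):
            st = self.state[direction]
            rt_rank = bubble_sort_ranks(sample)                 # A_i or B_i
            st["total"] = [t + s for t, s in zip(st["total"], sample)]
            hour_rank = bubble_sort_ranks(st["total"])          # C_i or D_i
            for node in range(self.k):
                # step 4: real-time rank jumped against the previous tick
                self._check(node, rt_rank, st["prev_rt"], f"rt_{direction}_rank_change", alarms)
                # step 5: current-window rank against the completed previous window
                self._check(node, hour_rank, st["prev_hour"], f"hour_{direction}_rank_change", alarms)
                # step 5: real-time rank far from the current-window rank
                self._check(node, rt_rank, hour_rank, f"rt_vs_hour_{direction}_deviation", alarms)
            st["prev_rt"] = rt_rank
            if self.ticks % self.window == 0:   # window closed: freeze its rank, restart the sum
                st["prev_hour"] = hour_rank
                st["total"] = [0] * self.k
        return alarms


def demo():
    """Constructed scenario: six nodes with a steady traffic profile, then the
    quietest node (5) suddenly receives more bytes per tick than any other.
    Returns (alarms during the quiet ticks, alarms on the burst tick)."""
    det = RankDetector(k=6, window=5)   # 5-tick "hour" so the demo runs instantly
    baseline_in = [9000, 7000, 5000, 3000, 2000, 500]
    baseline_out = [8000, 6000, 4500, 2500, 1500, 400]
    quiet = [det.tick(baseline_in, baseline_out) for _ in range(8)]
    burst_in = baseline_in[:5] + [10000]
    burst = det.tick(burst_in, baseline_out)
    return quiet, burst


if __name__ == "__main__":
    quiet_alarms, burst_alarms = demo()
    print("quiet ticks:", sum(len(a) for a in quiet_alarms), "alarms")
    print("burst tick:", burst_alarms)
```

On the burst tick node 5 trips the real-time rank check and the real-time versus window deviation check, while its window rank has not yet moved by more than α; a burst that lasted a whole window would instead trip the hourly rank-change check.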
The examples of the present invention are set forth merely to help illustrate the invention and not to elaborate all details of the technical solutions, and those skilled in the art may make substitutions, modifications to some technical parameters without departing from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (4)
1. A power station industrial control system abnormal flow identification method based on a bubbling sequencing method is characterized by comprising the following steps:
1) monitoring points are created in a real-time library according to the number of nodes of the power station industrial control system, each node corresponds to a receiving flow packet byte length, a receiving flow packet byte length sequencing serial number, a sending flow packet byte length and a sending flow packet byte length sequencing serial number, and the monitoring points are created to be the number of the nodes of the industrial control system multiplied by 4;
2) arranging a traffic packet capturing tool, acquiring network traffic in an industrial control system in a port mirroring mode, classifying and counting the byte length of a traffic packet according to a source IP and a target IP by taking seconds as a unit, comparing the corresponding relation between nodes and the IP, calculating the traffic length received and sent by each node in real time, and storing the traffic length into a real-time library;
3) reading real-time receiving flow lengths of all nodes from a real-time library to form a queue, sequencing the queue according to a bubble sequencing method to obtain sequence number data corresponding to the receiving flow lengths of the nodes, storing the sequence number data into the real-time library, and processing a sending flow length queue in the same way;
4) updating the flow length received and sent by each node and the corresponding serial number data in units of seconds, comparing the flow length and the corresponding serial number data with the previous time, and finding out the node with the serial number change exceeding the threshold value to alarm in real time;
5) accumulating the received flow lengths of all nodes according to the latest hour to obtain the accumulated received flow length of the current hour, sequencing a queue formed by the accumulated received flow lengths of the current hour according to a bubbling sequencing method to obtain an accumulated received flow serial number of the current hour, processing the accumulated received flow length of the previous hour in the same way to obtain a serial number of the previous hour, and processing the accumulated sending flow in the same way to obtain two groups of serial numbers;
6) comparing the current hour accumulated received flow serial number with the previous hour serial number, alarming by the node whose change exceeds the threshold value, alarming by the node with the deviation of the real-time received flow serial number and the current hour accumulated received flow serial number exceeding the threshold value, and processing the hour accumulated sending flow in the same way.
2. The power station industrial control system abnormal flow identification method based on the bubbling sorting method according to claim 1, characterized in that: the method is suitable for identifying abnormal flow among a plurality of industrial control systems, and each industrial control system is treated as a node; the system can be further subdivided according to the communication protocol types in the industrial control system and then subjected to sequencing and alarm processing; the statistics for real-time flow can be changed to 3-5 seconds and the cumulative time can be changed to half an hour or two hours.
3. The power station industrial control system abnormal flow identification method based on the bubble sorting method according to claim 1, characterized in that: the method does not need to establish a feature library as the traditional network attack flow detection method, can identify abnormal flow generated by known and unknown network attacks at the same time, and realizes real-time monitoring and alarming.
4. The power station industrial control system abnormal flow identification method based on the bubbling sorting method according to claim 1, characterized in that: the alarm mode is such that alarms of the real-time receiving flow serial number, the real-time sending flow serial number, the hour accumulated receiving flow serial number and the hour accumulated sending flow serial number are marked in 4 different colors, and nodes with the largest serial number change and meeting double alarms are marked in a flashing mode.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011249001.1A CN112367322B (en) | 2020-11-10 | 2020-11-10 | Power station industrial control system abnormal flow identification method based on bubbling sequencing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112367322A CN112367322A (en) | 2021-02-12 |
CN112367322B true CN112367322B (en) | 2022-09-30 |
Family ID: 74509546
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011249001.1A Active CN112367322B (en) | 2020-11-10 | 2020-11-10 | Power station industrial control system abnormal flow identification method based on bubbling sequencing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112367322B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113542268B (en) * | 2021-07-14 | 2023-07-28 | 中能融合智慧科技有限公司 | Method for obtaining single industrial control protocol flow based on network link |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7823202B1 (en) * | 2007-03-21 | 2010-10-26 | Narus, Inc. | Method for detecting internet border gateway protocol prefix hijacking attacks |
CN102271068A (en) * | 2011-09-06 | 2011-12-07 | 电子科技大学 | Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack |
CN105306436A (en) * | 2015-09-16 | 2016-02-03 | 广东睿江科技有限公司 | Abnormal traffic detection method |
CN106657025A (en) * | 2016-11-29 | 2017-05-10 | 神州网云(北京)信息技术有限公司 | Network attack behavior detection method and device |
CN110677386A (en) * | 2019-08-29 | 2020-01-10 | 北京孚耐尔科技有限公司 | Abnormal flow monitoring and predicting method and device based on big data |
Also Published As
Publication number | Publication date |
---|---|
CN112367322A (en) | 2021-02-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||