Safety data acquisition and anomaly detection method and system facing industrial control network

An industrial control network security data technology, applied in the field of security data collection and anomaly detection, addresses the inability to cope with APT attacks, the limited range of security data collection, and the restrictions on implementing and promoting security solutions, with the effect of improving the ability to resist APT attacks and reducing casualties and property damage.

Active Publication Date: 2016-09-21
INST OF INFORMATION ENG CHINESE ACAD OF SCI
8 Cites, 35 Cited by

AI Technical Summary

Problems solved by technology

[0004] To sum up, existing security solutions for industrial control networks generally have four problems: (1) The scope of security data collection is limited: some solutions analyze data generated by firewalls, IDS and other security devices, but this security equipment is deployed on the control layer, so the real state of the on-site control equipment cannot be obtained; (2) Security data collection does not fully consider the characteristics of the industrial control network: some solutions only consider how to improve the security of the industrial control network but ignore the negative impact that implementing the scheme will have on its availability and reliability, which seriously restricts the implementation and promotion of the security scheme; (3) Anomaly detection requires preconditions: the premise of some schemes is that there is no abnormality; (4) Anomaly detection cannot cope with APT attacks: some solutions limit the detection scope to certain types of devices or certain network paths, and the detection of isolated data points cannot detect APT attacks in time.

Examples


Embodiment Construction

[0031] In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the present invention will be described in detail below in conjunction with the accompanying drawings.

[0032] 1. Figure 1 is a schematic diagram of the system operation flow of the present invention. As shown in Figure 1, the system includes:

[0033] 1) The security data collection subsystem is composed of a host device data collection module, a network device data collection module, a control device data collection module and an elastic collection strategy module. It generates security messages in JSON format, and the security messages are stored in a distributed database; the assets include Web servers, mail servers, ERP system servers, OA system servers, host computers, history library servers, real-time library servers, switches, firewalls, one-way gatekeepers, IDS/IPS, PLC controllers, DCS controllers, etc.;

[0034] 2) The anomaly dete...


Abstract

The invention discloses a safety data acquisition and anomaly detection method and system for industrial control networks. The method comprises two parts: safety data acquisition and anomaly detection. In the safety data acquisition part, multi-layer and multi-type safety data in the industrial control network is acquired based on an elastic acquisition strategy, and a safety message with a unified format is formed. In the anomaly detection part, the safety message is analyzed; anomalies in asset configuration in the industrial control network are discovered through configuration baseline detection, and anomalies in operation behavior in the industrial control network are discovered through control and operation consistency detection. The method and system can improve the ability of the industrial control network to resist APT attacks while guaranteeing the availability and reliability of the industrial control network.
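The two detection steps the abstract describes, run over JSON security messages, as an added example that is not part of the patent text. The JSON field names, the baseline contents, and the pairing of field-layer operations with control-layer commands by a shared sequence number are assumptions; the page states only that security messages are JSON in a unified format.

```python
import json

# Constructed sample messages; field names are assumptions, the page only
# says security messages are JSON in a unified format.
MESSAGES = [json.dumps(m) for m in [
    {"asset": "plc-01", "type": "config",
     "data": {"firmware": "2.1", "logic_hash": "aaa", "open_ports": [102]}},
    {"asset": "plc-02", "type": "config",
     "data": {"firmware": "2.1", "logic_hash": "zzz", "open_ports": [102, 23]}},
    {"asset": "hmi-01", "type": "command", "seq": 7,
     "data": {"target": "plc-01", "op": "write", "tag": "valve1", "value": 40}},
    {"asset": "plc-01", "type": "operation", "seq": 7,
     "data": {"op": "write", "tag": "valve1", "value": 40}},
    {"asset": "plc-01", "type": "operation", "seq": 8,
     "data": {"op": "write", "tag": "valve1", "value": 95}},
]]

# Assumed configuration baseline: the approved state of each asset.
BASELINE = {
    "plc-01": {"firmware": "2.1", "logic_hash": "aaa", "open_ports": [102]},
    "plc-02": {"firmware": "2.1", "logic_hash": "bbb", "open_ports": [102]},
}

def config_anomalies(msgs, baseline):
    """Return (asset, key, expected, observed) for each baseline deviation."""
    out = []
    for m in [x for x in msgs if x["type"] == "config"]:
        expected = baseline.get(m["asset"], {})  # unknown asset: all keys deviate
        for key in sorted(set(expected) | set(m["data"])):
            if expected.get(key) != m["data"].get(key):
                out.append((m["asset"], key, expected.get(key), m["data"].get(key)))
    return out

def consistency_anomalies(msgs):
    """Return field-layer operations with no matching control-layer command."""
    commands = {(m["data"]["target"], m["seq"]): m["data"]
                for m in msgs if m["type"] == "command"}
    out = []
    for m in [x for x in msgs if x["type"] == "operation"]:
        cmd = commands.get((m["asset"], m["seq"]))
        if cmd is None or any(cmd[k] != m["data"][k] for k in ("op", "tag", "value")):
            out.append((m["asset"], m["seq"], m["data"]))
    return out

def detect(raw_messages, baseline=BASELINE):
    """Parse JSON security messages and run both detectors."""
    msgs = [json.loads(r) for r in raw_messages]
    return config_anomalies(msgs, baseline), consistency_anomalies(msgs)

if __name__ == "__main__":
    print(detect(MESSAGES))
```

The second detector flags the write with sequence number 8 because the controller reports an operation that no control-layer asset issued, which a monitor limited to control-layer security devices would not see.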

Description

Technical field

[0001] The present invention relates to the field of computer networks, and more specifically, to a method and system for security data collection and anomaly detection oriented to industrial control networks.

Background technique

[0002] In the context of Industry 4.0, a large number of IT network technologies have been introduced into the industrial control network, and the previously independent and closed situation of the industrial control network has gradually been broken. The Stuxnet incident in 2010 drew widespread attention to the security of industrial control networks, and various countries have launched research on the security of industrial control networks. However, the emphasis that industrial control networks place on availability and reliability means that traditional network security devices cannot be directly deployed in industrial control networks, and traditional network security devices cannot cope with the threat of APT a...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/24, H04L12/26
CPC: H04L41/0853, H04L41/0869, H04L43/024
Inventor: 陈凯, 王利明
Owner: INST OF INFORMATION ENG CHINESE ACAD OF SCI