Method and system for detecting source network load system interaction message abnormity

A detection method for interaction messages, applied in the field of information security, that addresses the lack of message parsing and detection.

Pending Publication Date: 2019-11-01
GLOBAL ENERGY INTERCONNECTION RES INST CO LTD +2

AI Technical Summary

Problems solved by technology

[0002] In terms of analysis of electric power industrial control messages, the current emphasis is on the analysis of the message format, but due to the closedness and complexity of the electric power industrial control system, the analysis and detection of the application layer of the electric power industrial control message data packets are relatively lacking.

Examples


Embodiment 1

[0050] Figure 1 is a flow chart of the method of the present invention for detecting abnormal interaction messages in a source-network-load system. As shown in Figure 1, the method includes:

[0051] Step S101, analyzing the collected network data packet to obtain the content of the message field;

[0052] Step S102, extracting the command-level field content from the message field content;

[0053] Step S103, matching the content of the command-level field against preset rules based on the system packet format specification, and determining that the network data packet is abnormal when a match succeeds.

[0054] Step S101, analyzing the collected network data packet to obtain the content of the message field, including:

[0055] The network data packets include: data packets in a shared Ethernet environment or data packets in a switched Ethernet environment.

[0056] Analyze the collected network data;

[0057] Filter the parsed packets;

[0058] In t...

Embodiment 2

[0079] Figure 2 is a structural diagram of the interaction anomaly detection system for the source-network-load system. It mainly includes four parts: the source-network-load system traffic collection module, the source-network-load system message depth analysis module, the source-network-load system command-level field extraction module and the source-network-load system real-time interaction detection module.

[0080] Among them, the traffic collection module, the packet depth analysis module and the command-level field extraction module of the source-network-load system are responsible for collecting and analyzing the real-time interaction traffic of the source-network-load system and extracting its command-level fields. The real-time interaction detection module of the source-network-load system identifies malformed packets, violations and attack behaviors in the business flow of the source-network-load system.

[0081] The 104 protocol is used in the sourc...

Embodiment 3

[0141] As shown in Figure 4, the specific implementation flow of the detection method includes the following steps:

[0142] Step 1: The traffic collection module collects data packets in the network, and sends the captured data packets to the packet depth analysis module for analysis.

[0143] Step 2: The packet depth analysis module of the source network load system performs TCP/IP layer analysis, extracting information such as the source MAC address, destination MAC address, source IP address, destination IP address, source port number and destination port number, and then performs application-layer analysis of the packet.

[0144] Step 3: The command-level field extraction module of the source network load system extracts the 1-byte initial character of the message header, the 4-byte field value of the message control field, the 1-byte length character of the application service data unit, the 7th byte type identification of the app...


Abstract

The invention discloses a method and a system for detecting abnormal interaction messages in a source network load system. The method comprises the following steps: analyzing a collected network data packet to obtain message field contents; extracting instruction-level field content from the message field content; and, based on a preset message feature rule base, a violation service instruction rule base and an attack feature base, sequentially performing grammatical-semantic, service instruction and attack feature matching on the instruction-level field content, generating an alarm when any one of these matches succeeds. This achieves exception detection of the instruction-level content in the real-time interaction process of the source network load system.

Description

Technical field

[0001] The invention relates to the field of information security, in particular to a method and system for detecting anomalies in interactive messages of source-network-load systems.

Background technique

[0002] In terms of the analysis of electric power industrial control messages, the current focus is on the analysis of the message format, but due to the closed nature and complexity of the electric power industrial control system, the analysis and detection of the application layer of the electric power industrial control message data packets are relatively lacking. In the analysis of the application layer of the power industrial control message data packet, because the data items defined by the communication messages of different message type systems are very different, and there are large differences in the interaction process and semantics of the communication messages, it is necessary to combine the specific industrial control system business message ins...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L29/06
CPC: H04L69/22, H04L63/1425, H04L63/1441, H04L63/1416
Inventor: 黄秀丽石聪聪张小建费稼轩范杰汪晨章锐王齐陈明立
Owner: GLOBAL ENERGY INTERCONNECTION RES INST CO LTD