Industrial control information safety monitoring system adopting black and white lists for analysis

An information security monitoring technology, applied in the fields of transmission systems and electrical components, that addresses problems such as the lack of consideration for interconnection and communication security, time-consuming and laborious manual operation, and reliance on a single blacklist or whitelist mechanism.

Inactive Publication Date: 2020-03-06
上海三零卫士信息安全有限公司

AI Technical Summary

Problems solved by technology

However, the traditional industrial control system uses dedicated hardware, software and communication protocols, and its design basically does not consider the communication security issues of interconnection and intercommunication.
[0003] In general industrial system security protection, a single blacklist or whitelist mechanism is used rather than a combination of the two as a defense system, and there are many manual operations, which are time-consuming and laborious.
In an industrial system security protection system that uses only a blacklist, the blacklist is restricted by its rules and so cannot monitor and judge new attacks. In addition, the blacklist mechanism produces many false positives, which makes it inconvenient for the user to judge whether an alert is a real attack.
[0004] In an industrial system security protection system that uses only a whitelist, the whitelist mechanism cannot give specific details of the attack, so targeted investigation and removal of security risks in the network is impossible.


Embodiment Construction

[0025] The technical solutions in the embodiments of the present invention will be clearly and completely described below. Obviously, the described embodiments are only some of the embodiments of the present invention, but not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

[0026] An industrial control information security monitoring system that uses black and white lists for analysis. The monitoring system operates through the following steps:

[0027] S1. Initial sample library collection: the monitoring device collects all data packets on the on-site monitoring network, and analyzes the data packets to obtain seven-tuple information. Whitelist rules and asset lists can be set according to the sample library;

[0028] S2. Blacklist rule formation and alarm generatio...


Abstract

The invention relates to the field of industrial control system information safety, in particular to an industrial control information safety monitoring system adopting a black list and a white list for analysis, which comprises the following steps: (1) collecting an initial sample library; (2) blacklist rule formation and alarm generation; (3) white list rule formation and alarm generation; (4) intelligently generating a communication white list; (5) protocol rule formation and alarm generation; and (6) performing visual alarm and report display. The beneficial effects of the invention are that the system carries out credible monitoring of assets in the industrial control network, credible monitoring of communication in the industrial control network, deep analysis of a plurality of industrial protocols, visual display of the topological structure of the industrial control network, and report statistics of the threat forms in the industrial control network. The method helps to realize abnormality monitoring in the network, helps to quickly locate and troubleshoot problem assets and problem communication behaviors, and helps to avoid human operation errors; it improves the accuracy of the white list, reduces missing reports and false reports, and constructs a monitoring system that is easy to operate and capable of quickly locating problems.
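A minimal sketch of the combined approach in the abstract, added here as an example and not taken from the patent: a baseline learned from the sample library (step 1) serves as the asset list and communication whitelist, while a blacklist rule supplies the attack detail a whitelist alone cannot give. The seven-tuple field layout, the addresses and the single blacklist rule are assumptions constructed for illustration.

```python
from collections import namedtuple

# Assumed seven-tuple layout: the page names a seven-tuple but does not list its fields.
Flow = namedtuple("Flow", "src_mac dst_mac src_ip dst_ip src_port dst_port proto")

def learn_baseline(sample):
    """Step 1: derive the asset list and communication whitelist from the sample library."""
    assets, comms = set(), set()
    for f in sample:
        assets.update({(f.src_mac, f.src_ip), (f.dst_mac, f.dst_ip)})
        # Client source ports are ephemeral, so the whitelist key leaves them out.
        comms.add((f.src_ip, f.dst_ip, f.dst_port, f.proto))
    return assets, comms

def classify(flow, assets, comms, blacklist):
    """Return (source, detail) alerts; an empty list means the flow is trusted."""
    alerts = [("blacklist", name) for name, match in blacklist if match(flow)]
    for mac, ip in ((flow.src_mac, flow.src_ip), (flow.dst_mac, flow.dst_ip)):
        if (mac, ip) not in assets:
            alerts.append(("whitelist", f"unknown asset {ip} ({mac})"))
    if (flow.src_ip, flow.dst_ip, flow.dst_port, flow.proto) not in comms:
        detail = f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}/{flow.proto}"
        alerts.append(("whitelist", "unlisted communication " + detail))
    return alerts

# Constructed sample data: MACs, addresses and the rule are illustrative only.
HMI = ("aa:00:00:00:00:05", "192.168.10.5")
EWS = ("aa:00:00:00:00:06", "192.168.10.6")
PLC = ("aa:00:00:00:00:20", "192.168.10.20")

def flow(src, dst, sport, dport, proto="tcp"):
    return Flow(src[0], dst[0], src[1], dst[1], sport, dport, proto)

SAMPLE = [flow(HMI, PLC, 49152, 502), flow(HMI, PLC, 49153, 502), flow(EWS, PLC, 50000, 102)]
BLACKLIST = [("telnet session to a controller",
              lambda f: f.proto == "tcp" and f.dst_port == 23)]
ASSETS, COMMS = learn_baseline(SAMPLE)

if __name__ == "__main__":
    unknown = ("aa:00:00:00:00:99", "192.168.10.99")
    live = (flow(HMI, PLC, 51000, 502), flow(unknown, PLC, 40000, 502), flow(HMI, PLC, 51001, 23))
    for f in live:
        print(f.src_ip, "->", f.dst_ip, f.dst_port, classify(f, ASSETS, COMMS, BLACKLIST) or "trusted")
```

The second live flow matches no blacklist rule and is caught only by the whitelist, while the third carries a named blacklist detail alongside the whitelist alert.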

Description

Technical field

[0001] The present invention relates to the field of information security of industrial control systems, in particular to an industrial control information security monitoring system that uses black and white lists for analysis.

Background technique

[0002] The control network composed of control systems such as DCS, PLC and SCADA has shown an overall open trend in the past few decades of development. With the application of information technology in enterprises, a large number of common TCP/IP and OPC protocol technologies are used in industrial control networks, and the connection between ICS network and enterprise management network is getting closer. The traditional industrial control system uses dedicated hardware, software and communication protocols, and basically does not consider the communication security issues of interconnection and intercommunication in the design.

[0003] In general industrial system security protection, a single blacklist or...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/08
CPC: H04L63/101, H04L63/1408, H04L63/1416, H04L67/12
Inventor: 宋迟吴冲张毅仵大奎吴国雄刘江柳李绪国
Owner: 上海三零卫士信息安全有限公司