Industrial information security violation behavior monitoring method and device, electronic equipment and medium
By acquiring real-time communication data from industrial control networks, the extent of damage caused by abnormal events can be identified and quantified, solving the problem of difficulty in assessing violations in industrial control systems and enabling precise monitoring and protection of these systems.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HUANENG POWER INT INC
- Filing Date
- 2023-02-06
- Publication Date
- 2026-07-03
Smart Images

Figure CN116232712B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of industrial information security, specifically to methods, devices, electronic equipment, and media for monitoring violations of industrial information security regulations. Background Technology
[0002] Industrial control system intrusion detection systems are security products designed specifically for the characteristics of current industrial control systems. Building upon traditional intrusion detection functions, they add the ability to detect intrusion behavior in industrial control systems such as PLCs, DCSs, and SCADA systems. The system is deployed in bypass mode, monitoring network data flow information in real time, analyzing network communication data, and using a vast set of rules to accurately match network attack behaviors and other illegal network activities, thereby achieving the goal of timely attack detection and early warning.
[0003] In related technologies, industrial control systems are increasingly being hacked and maliciously intruded upon. However, industrial control systems often lack suitable evaluation methods, making it difficult to assess violations during numerous access processes. Summary of the Invention
[0004] Therefore, the technical problem to be solved by the present invention is to overcome the defects in the prior art, thereby providing a method, device, electronic device and medium for monitoring violations of industrial information security.
[0005] In conjunction with the first aspect, the present invention provides a method for monitoring industrial information security violations, the method comprising:
[0006] Acquire real-time communication data from industrial control networks;
[0007] Based on the real-time communication data, determine whether any abnormal events have occurred in the industrial control network;
[0008] When an abnormal event occurs in the industrial control network, determine the type of the abnormal event;
[0009] Based on the type, the degree of damage of the abnormal event is calculated to obtain the damage assessment result of the abnormal event.
[0010] In this approach, based on real-time communication data from the industrial control network, when an abnormal event occurs in the communication data, the type of the current abnormal event is identified and confirmed, the damage value of the current abnormal event is calculated, and the degree of damage caused by the current abnormal event is quantified. This clarifies the damage caused to the industrial control network by the current abnormal event, allowing users to more clearly understand the damage to the industrial control network caused by the current abnormal event. Consequently, corresponding repairs can be taken, making the repair work more specific and targeted. This further protects the industrial control system from damage caused by unauthorized actions.
[0011] In conjunction with the first aspect, in the first embodiment of the first aspect, before acquiring the real-time communication data of the industrial control network, the method further includes:
[0012] An industrial control firewall is set up between the access device and the industrial Ethernet, and the industrial control firewall is pre-configured with a proprietary protocol for the industrial protocol between the access device and the industrial Ethernet.
[0013] Get the communication address of the currently accessed device;
[0014] Based on the communication address and the industrial control firewall, obtain the proprietary protocol of the currently accessing device;
[0015] Based on the proprietary protocol, determine whether there is an anomaly in the industrial protocol of the currently accessing device;
[0016] If an anomaly is found in the current industrial protocol, it is determined that the current industrial protocol is subject to a protocol attack.
[0017] In conjunction with the first aspect, in the second embodiment of the first aspect, before acquiring the real-time communication data of the industrial control network, the method further includes:
[0018] Establish a pre-stored database, which includes abnormal events;
[0019] Based on the pre-stored database, the features of pre-stored text data with typical abnormal events are obtained;
[0020] Based on the features of the pre-stored text data, the typical abnormal events are classified, and the typical abnormal events belonging to the same type are grouped into several standard feature sets.
[0021] In conjunction with the second embodiment of the first aspect, in the third embodiment of the first aspect, determining the type of the abnormal event includes:
[0022] Text data extraction is performed on the real-time communication data to obtain the text data features of the real-time communication data;
[0023] Perform similarity analysis on the text data features to determine the set of standard features that have the highest similarity to the text data features;
[0024] Based on the type of the abnormal event corresponding to the standard feature set, determine the type of the current abnormal event.
[0025] In conjunction with the third embodiment of the first aspect, in the fourth embodiment of the first aspect, calculating the degree of damage of the abnormal event based on the type includes:
[0026] Based on the type, obtain text data features of several different standard categories from the standard feature set corresponding to the current abnormal event;
[0027] The similarity ratio coefficients between the text data features of the current abnormal event and the text data features of the several different standard categories are calculated respectively.
[0028] Based on the similarity ratio coefficient, the degree of damage of the current abnormal event is calculated.
[0029] In conjunction with the fourth embodiment of the first aspect, in the fifth embodiment of the first aspect, the step of calculating the degree of damage of the current abnormal event based on the similarity ratio coefficient includes:
[0030] Obtain the corresponding full score values for different standard categories;
[0031] The degree of damage of the current abnormal event is calculated based on the similarity ratio coefficients of different standard categories and their corresponding full scores.
[0032] In conjunction with the first aspect, in a sixth embodiment of the first aspect, after obtaining the damage assessment result of the anomalous event, the method further includes:
[0033] The damage assessment results are sent to the host computer system, and an alarm signal is sent to the host computer system.
[0034] In a second aspect, the present invention also provides an industrial information security violation monitoring device, the device comprising:
[0035] The acquisition unit is used to acquire real-time communication data from the industrial control network.
[0036] The judgment unit is used to determine whether an abnormal event has occurred in the industrial control network based on the real-time communication data.
[0037] The determining unit is used to determine the type of abnormal event when an abnormal event occurs in the industrial control network;
[0038] The calculation unit is used to calculate the degree of damage of the abnormal event based on the type it belongs to, and to obtain the damage assessment result of the abnormal event.
[0039] In conjunction with the second aspect, in the first embodiment of the second aspect, the apparatus further includes:
[0040] A firewall configuration unit is used to configure an industrial control firewall between the access device and the industrial Ethernet, wherein the industrial control firewall is pre-configured with a proprietary protocol for the industrial protocol between the access device and the industrial Ethernet.
[0041] The first acquisition unit is used to acquire the communication address of the currently accessed device;
[0042] The second acquisition unit is used to acquire the proprietary protocol of the currently accessing device based on the communication address and the industrial control firewall.
[0043] The first judgment unit is used to determine whether there is an anomaly in the industrial protocol of the currently accessed device based on the proprietary protocol;
[0044] The protocol attack unit is used to determine that the current industrial protocol is subject to a protocol attack when an anomaly exists in the current industrial protocol.
[0045] In conjunction with the second aspect, in a second embodiment of the second aspect, the apparatus further includes:
[0046] A database creation unit is used to create a pre-stored database, which includes abnormal events.
[0047] The text data feature unit is used to obtain pre-stored text data features with typical abnormal events based on the pre-stored database.
[0048] The classification unit is used to classify the typical abnormal events based on the features of the pre-stored text data, and to group the typical abnormal events belonging to the same type into several standard feature sets.
[0049] In conjunction with the second embodiment of the second aspect, in the third embodiment of the second aspect, the determining unit includes:
[0050] An extraction unit is used to extract text data from the real-time communication data to obtain the text data features of the real-time communication data.
[0051] The similarity analysis unit is used to perform similarity analysis on the text data features and determine the set of standard features with the highest similarity to the text data features;
[0052] The type determination unit is used to determine the type of the current abnormal event based on the type of the abnormal event corresponding to the standard feature set.
[0053] In conjunction with the third embodiment of the second aspect, in the fourth embodiment of the second aspect, the computing unit includes:
[0054] The third acquisition unit is used to acquire text data features of several different standard categories in the standard feature set corresponding to the current abnormal event based on the type.
[0055] The first calculation unit is used to calculate the similarity ratio coefficient between the text data features of the current abnormal event and the text data features of the several different standard categories.
[0056] The second calculation unit is used to calculate the degree of damage of the current abnormal event based on the similarity ratio coefficient.
[0057] In conjunction with the fourth embodiment of the second aspect, in the fifth embodiment of the second aspect, the second computing unit includes:
[0058] The fourth acquisition unit is used to acquire the corresponding full score values for different standard categories;
[0059] The third calculation unit is used to calculate the degree of damage of the current abnormal event based on the similarity ratio coefficient of different standard categories and their corresponding full scores.
[0060] In conjunction with the second aspect, in a sixth embodiment of the second aspect, the apparatus further includes:
[0061] An alarm unit is used to send the damage assessment results to the host computer system and send an alarm signal to the host computer system.
[0062] According to a third aspect, embodiments of the present invention also provide an electronic device, including a memory and a processor, wherein the memory and the processor are communicatively connected to each other, the memory stores computer instructions, and the processor executes the computer instructions to perform the industrial information security violation monitoring method of any one of the first aspects and its optional embodiments.
[0063] According to a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing computer instructions for causing the computer to execute the industrial information security violation monitoring method of any one of the first aspect and its optional embodiments. Attached Figure Description
[0064] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0065] Figure 1 This is a flowchart of an industrial information security violation monitoring method proposed according to an exemplary embodiment.
[0066] Figure 2 This is a flowchart of a method for calculating the degree of damage of an abnormal event according to an exemplary embodiment.
[0067] Figure 3This is a structural block diagram of an industrial information security violation monitoring device according to an exemplary embodiment.
[0068] Figure 4 This is a schematic diagram of the hardware structure of an electronic device according to an exemplary embodiment. Detailed Implementation
[0069] The technical solution of the present invention will now be clearly and completely described with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0070] In related technologies, industrial control systems are increasingly being hacked and maliciously intruded upon. However, industrial control systems often lack suitable evaluation methods, making it difficult to assess violations during numerous access processes.
[0071] To address the aforementioned problems, this invention provides a method for monitoring industrial information security violations, used in electronic devices. It should be noted that the executing entity can be an industrial information security violation monitoring device, which can be implemented as part or all of the electronic device through software, hardware, or a combination of both. The electronic device can be a terminal, client, or server. The server can be a single server or a server cluster composed of multiple servers. In this embodiment, the terminal can be a smartphone, personal computer, tablet computer, wearable device, or other intelligent hardware device such as a smart robot. The following method embodiments all use an electronic device as the executing entity for illustration.
[0072] The electronic device in this embodiment is suitable for use scenarios involving monitoring violations in industrial control systems. Through the industrial information security violation monitoring method provided by this invention, based on real-time communication data of the industrial control network, when an abnormal event occurs in the communication data, the type of the current abnormal event is identified and confirmed, the damage value of the current abnormal event is calculated, and the degree of damage caused by the current abnormal event is quantified. This clarifies the damage caused to the industrial control network by the current abnormal event, allowing users to more clearly understand the damage to the industrial control network caused by the current abnormal event, and thus take corresponding repair measures, making the repair work more specific and targeted. This further protects the industrial control system from damage caused by violations.
[0073] Figure 1 This is a flowchart illustrating a method for monitoring industrial information security violations according to an exemplary embodiment. Figure 1As shown, the method for monitoring violations of industrial information security includes the following steps S101 to S104.
[0074] In step S101, real-time communication data of the industrial control network is acquired.
[0075] In this embodiment of the invention, since there are numerous abnormal events in the communication data, and they usually have certain characteristics that can be used for judgment, a database of abnormal events can be pre-established to record the abnormal events and provide data support for subsequent identification work. Before acquiring the real-time communication data of the industrial control network, the method further includes: establishing a pre-stored database, which includes abnormal events; obtaining pre-stored text data features with typical abnormal events based on the pre-stored database; classifying typical abnormal events based on the pre-stored text data features, and grouping typical abnormal events belonging to the same type into several standard feature sets.
[0076] In one example, anomalous events can include two main categories: self-anomaly events and unauthorized external attack events. Building a database of anomalous events can include: pre-creating a database of self-anomaly events and unauthorized external attack events; analyzing the text data of self-anomaly events and unauthorized external attack events to obtain text data features characteristic of typical self-anomaly events and unauthorized external attack events; and constructing a standard feature set from the text data features of typical self-anomaly events and typical unauthorized external attack events belonging to the same type.
[0077] In step S102, based on real-time communication data, it is determined whether any abnormal events have occurred in the industrial control network.
[0078] In step S103, when an abnormal event occurs in the industrial control network, the type of the abnormal event is determined.
[0079] In this embodiment of the invention, since abnormal events generally possess text data features corresponding to a specific category, it is necessary to determine the category to which the abnormal event belongs, providing corresponding technical support for further calculation of the destructive value of the abnormal event. Determining the category of an abnormal event includes: extracting text data from real-time communication data to obtain the text data features of the real-time communication data; performing similarity analysis on the text data features to determine the standard feature set with the highest similarity to the text data features; and determining the category to which the current abnormal event belongs based on the abnormal event category corresponding to the standard feature set.
[0080] In one example, since abnormal events can include two main categories: self-abnormal events and illegal external attack events, determining the type of an abnormal event can include: performing a similarity analysis between the text data features corresponding to the current communication data and multiple sets of standard features of different types to obtain the set of standard features with the highest similarity to the text data features of the current communication data; calling the set of standard features with the highest similarity; and resolving the type of the current event through the set of standard features with the highest similarity; wherein the type is the type of typical self-abnormal events and typical illegal external attack events.
[0081] In step S104, the degree of damage of the abnormal event is calculated based on its type to obtain the damage assessment result of the abnormal event.
[0082] In this embodiment of the invention, the damage severity value of the abnormal event is the damage assessment result of the abnormal event. The damage severity value of the abnormal event can more intuitively indicate the damage caused to the industrial control network by the current abnormal event. To enable users to be aware of the damage caused to the industrial control network by the current abnormal event more promptly, after obtaining the damage assessment result, the method further includes: sending the damage assessment result to the host computer system and sending an alarm signal to the host computer system.
[0083] Through the above embodiments, based on real-time communication data of the industrial control network, when an abnormal event occurs in the communication data, the type of the current abnormal event is identified and confirmed, the damage value of the current abnormal event is calculated, and the degree of damage caused by the current abnormal event is quantified. This clarifies the damage caused to the industrial control network by the current abnormal event, allowing users to more clearly understand the damage to the industrial control network caused by the current abnormal event. Consequently, corresponding repairs can be taken for the industrial control network, making the repair work more specific and targeted. This further protects the industrial control system from damage caused by unauthorized actions.
[0084] In one embodiment, to further ensure the information security of the industrial control network, an industrial control firewall needs to be set up between the access device communicating with the industrial control network and the industrial Ethernet. The industrial control firewall is pre-configured with a proprietary industrial protocol for communication between the access device and the industrial Ethernet. Before acquiring real-time communication data from the industrial control network, the industrial control firewall is set up between the access device and the industrial Ethernet. The industrial control firewall is pre-configured with a proprietary industrial protocol for communication between the access device and the industrial Ethernet. The communication address of the current access device is obtained. Based on the communication address and the industrial control firewall, the proprietary protocol of the current access device is obtained. Based on the proprietary protocol, it is determined whether the industrial protocol of the current access device is abnormal. If the current industrial protocol is abnormal, it is determined that the current industrial protocol has been subjected to a protocol attack.
[0085] In one example, the above process may include: obtaining the currently accessed communication address; obtaining the proprietary protocol of the currently accessed device based on the currently accessed communication address and mapping relationship; simultaneously invoking the proprietary protocol of the currently accessed device, using the corresponding parsing rules of the proprietary protocol to parse the current industrial protocol; and determining that the current industrial protocol is subject to protocol attack when an anomaly occurs during parsing. Specifically, if malformed packets of the industrial control protocol are detected, a parsing anomaly is determined to exist.
[0086] While the industrial control firewall performs proprietary protocol settings for the industrial protocol between the currently accessing device and the industrial Ethernet, it also detects abnormal communication traffic and sends an alarm signal to the host computer system when abnormal communication traffic is detected. The industrial control firewall also detects link connection vulnerabilities and TCP / IP vulnerabilities and sends an alarm signal to the host computer system when abnormal communication traffic is detected.
[0087] The above embodiments enable accurate identification and deep analysis of over a dozen industrial control protocols, such as Modbus TCP, OPC, EIP command, CIP, Profinet, Ormon FIN, Siemens S7, DNP3, 61850 GOOSE, and MMS. It can accurately identify malformed packets and high-risk commands executed by industrial control protocols (such as writing data, logical downloads, and shutdowns), achieving command-level analysis of these protocols. It possesses powerful detection capabilities, including tens of thousands of attack detection rules. It supports the detection of common attack behaviors such as penetration testing, file attacks, obfuscation attacks, operating system attacks, browser attacks, malware (Trojans, worms, etc.), port scanning, SQL injection, and NetBIOS attacks. It also supports the parsing of common protocols (such as IP, TCP, UDP, HTTP, SMTP, POP3, FTP, TELNET, DNS, etc.) and the detection of attack behaviors on common services (MySQL, IIS, etc.). Furthermore, it supports the analysis of industrial control protocols and the detection of attack behaviors on industrial control systems, as well as the detection of malformed packets in industrial control protocols. This effectively prevents attack deception and detects various attack methods. The intrusion detection rule base is compatible with the CVE and CNNVD vulnerability databases, ensuring the authority and timeliness of the detection rule base, while maintaining synchronization with authoritative rule bases. The system supports ARP attack detection and IP spoofing detection, capable of detecting address spoofing attacks originating from within the network, effectively locating the source of internal attacks, and detecting address theft within the network. It also features stateful TCP connection detection; through a state monitoring mechanism, it performs real-time monitoring of TCP connections, thereby achieving deep protection for key targets. Optimized for common anti-IDS techniques (such as stick and snot attacks). It also features intelligent and efficient packet reassembly; the IP fragment reassembly and TCP stream reassembly technologies employed by the system can analyze and reassemble IP fragments and TCP streams in the monitored network data stream, preventing IP fragment spoofing and ensuring the performance of the reassembled data stream. It also has a raw packet logging function; in addition to providing alerts for intrusion behavior, the system provides raw packet records within the alert information to help security personnel conduct detailed intrusion behavior analysis and research, providing a basis for the formulation and distribution of subsequent security policies. It also has technical capabilities for linking with authoritative vulnerability databases; the system's built-in rule base is fully linked to authoritative vulnerability databases such as CVE and CNNVD, and the alert logs list detailed information such as CVE and CNNVD vulnerability numbers, solutions, and references, helping users to promptly remediate vulnerabilities. It also offers multiple log output methods; in addition to local log export, the system supports remote output of logs in both proprietary log protocols and the standard syslog protocol formats. The content is detailed and the format is clear.
[0088] The following examples will specifically illustrate the process of calculating the degree of damage of an abnormal event when an abnormal event occurs.
[0089] Figure 2 This is a flowchart illustrating a method for calculating the degree of damage of an abnormal event, according to an exemplary embodiment. For example... Figure 2 As shown, the method for calculating the degree of damage of an abnormal event includes the following steps.
[0090] In step S201, based on the type, text data features of several different standard categories in the standard feature set corresponding to the current abnormal event are obtained.
[0091] In step S202, the similarity ratio coefficients between the text data features of the current abnormal event and the text data features of several different standard categories are calculated respectively.
[0092] In this embodiment of the invention, in order to further determine the degree of damage caused by the current abnormal event, the current abnormal event is compared with abnormal events with typical characteristics by performing a unique analysis to determine the degree of similarity between the current abnormal event and the typical abnormal event, thereby making it easier to clarify the degree of damage caused by the current abnormal event.
[0093] In one example, when the current anomalous event is its own anomalous event, calculating the similarity ratio coefficient may include: obtaining the text data features of the standard feature set with the highest current similarity corresponding to the current anomalous event, extracting the text data features under three standard categories, and calculating the similarity ratio coefficient of the text data features of the current communication data corresponding to the current anomalous event under each standard category, namely the similarity ratio coefficient of the first standard category, the similarity ratio coefficient of the second standard category, and the similarity ratio coefficient of the third standard category.
[0094] When the current abnormal event is an illegal external attack event, calculating the similarity ratio coefficient may include: obtaining the text data features of the standard feature set with the highest similarity to the current illegal external attack event, extracting the text data features under three standard categories, and calculating the similarity ratio coefficient of the text data features of the current communication data corresponding to the current illegal external attack event under each standard category, namely the similarity ratio coefficient of the first standard category, the similarity ratio coefficient of the second standard category, and the similarity ratio coefficient of the third standard category.
[0095] In step S203, the degree of damage of the current abnormal event is calculated based on the similarity ratio coefficient.
[0096] In this embodiment of the invention, to further determine the damage value of the current abnormal event, it can be calculated using a similarity ratio coefficient. Calculating the damage value of the current abnormal event can include: averaging the similarity between the current abnormal event and standard abnormal events with different weights, or summing the similarity ratio coefficients of different standard categories after multiplying them by the corresponding full score values of their respective categories. Specifically, this can include: obtaining the corresponding full score values for different standard categories; and calculating the degree of damage of the current abnormal event based on the similarity ratio coefficients of different standard categories and their corresponding full score values.
[0097] In one example, when the current anomalous event is itself, calculating the damage value of the current anomalous event may include: calculating the similarity evaluation score of the text data features of the current communication data corresponding to the current anomalous event based on the full score corresponding to the preset standard category; and recording the current similarity evaluation score as the damage assessment value of the current anomalous event. The similarity evaluation score = similarity ratio coefficient of the first standard category × full score corresponding to the corresponding standard category + similarity ratio coefficient of the second standard category × full score corresponding to the corresponding standard category + similarity ratio coefficient of the third standard category × full score corresponding to the corresponding standard category.
[0098] When the current anomaly is an unauthorized external attack, the calculated damage value of the current anomaly can include: calculating the similarity evaluation score of the text data features of the current communication data corresponding to the current unauthorized external attack, based on the full score corresponding to the preset standard category; and recording the current similarity evaluation score as the damage assessment value of the current unauthorized external attack. The similarity evaluation score = similarity ratio coefficient of the first standard category × full score corresponding to the corresponding standard category + similarity ratio coefficient of the second standard category × full score corresponding to the corresponding standard category + similarity ratio coefficient of the third standard category × full score corresponding to the corresponding standard category.
[0099] Through the above embodiments, text data feature similarity analysis is performed between the current abnormal event and the corresponding standard category typical abnormal event to determine the typical abnormal event most similar to the current abnormal event. This helps to clarify the most likely damage caused by the current abnormal event, and thus helps to determine the degree of damage caused by the current abnormal event, thereby making the assessment of industrial information security violations more accurate.
[0100] Based on the same inventive concept, the present invention also provides an industrial information security violation monitoring device.
[0101] Figure 3This is a structural block diagram of an industrial information security violation monitoring device according to an exemplary embodiment. Figure 3 As shown, the industrial information security violation monitoring device includes an acquisition unit 301, a judgment unit 302, a determination unit 303, and a calculation unit 304.
[0102] Acquisition unit 301 is used to acquire real-time communication data of the industrial control network;
[0103] The judgment unit 302 is used to determine whether an abnormal event has occurred in the industrial control network based on real-time communication data;
[0104] The determination unit 303 is used to determine the type of abnormal event when an abnormal event occurs in the industrial control network;
[0105] The calculation unit 304 is used to calculate the degree of damage of the abnormal event based on its type, and obtain the damage assessment result of the abnormal event.
[0106] In one embodiment, the industrial information security violation monitoring device provided by this invention further includes: a firewall setting unit, used to set up an industrial control firewall between the access device and the industrial Ethernet, the industrial control firewall being pre-configured with a proprietary protocol of the industrial protocol between the access device and the industrial Ethernet; a first acquisition unit, used to acquire the communication address of the current access device; a second acquisition unit, used to acquire the proprietary protocol of the current access device based on the communication address and the industrial control firewall; a first judgment unit, used to judge whether there is an anomaly in the industrial protocol of the current access device based on the proprietary protocol; and a protocol attack unit, used to determine that there is a protocol attack behavior in the current industrial protocol when there is an anomaly in the current industrial protocol.
[0107] In another embodiment, the industrial information security violation monitoring device provided by the present invention further includes: a database establishment unit for establishing a pre-stored database, the pre-stored database including abnormal events; a text data feature unit for obtaining pre-stored text data features with typical abnormal events based on the pre-stored database; and a classification unit for classifying typical abnormal events based on the pre-stored text data features, and grouping typical abnormal events belonging to the same type into several standard feature sets.
[0108] In another embodiment, the determining unit 303 includes: an extraction unit, used to extract text data from real-time communication data to obtain text data features of the real-time communication data; a similarity analysis unit, used to perform similarity analysis on the text data features to determine the standard feature set with the highest similarity to the text data features; and a type determining unit, used to determine the type of the current abnormal event based on the type of the abnormal event corresponding to the standard feature set.
[0109] In another embodiment, the calculation unit 304 includes: a third acquisition unit, configured to acquire text data features of several different standard categories in the standard feature set corresponding to the current abnormal event based on the type; a first calculation unit, configured to calculate the similarity ratio coefficient between the text data features of the current abnormal event and the text data features of several different standard categories; and a second calculation unit, configured to calculate the degree of damage of the current abnormal event based on the similarity ratio coefficient.
[0110] In another embodiment, the second calculation unit includes: a fourth acquisition unit, used to acquire the corresponding full score values of different standard categories; and a third calculation unit, used to calculate the degree of damage of the current abnormal event based on the similarity ratio coefficient of different standard categories and their corresponding full score values.
[0111] In another embodiment, the industrial information security violation monitoring device provided by the present invention further includes: an alarm unit, used to send the damage assessment results to the host computer system and send an alarm signal to the host computer system.
[0112] The specific limitations and beneficial effects of the aforementioned industrial information security violation monitoring device can be found in the limitations of the industrial information security violation monitoring method described above, and will not be repeated here. Each of the above modules can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in the electronic device, or stored in the memory of the electronic device as software, so that the processor can call and execute the corresponding operations of each module.
[0113] Figure 4 This is a schematic diagram of the hardware structure of an electronic device according to an exemplary embodiment. For example... Figure 4 As shown, the device includes one or more processors 410 and a memory 420, which includes persistent memory, volatile memory, and a hard disk. Figure 4 Taking a processor 410 as an example, the device may also include an input device 430 and an output device 440.
[0114] The processor 410, memory 420, input device 430, and output device 440 can be connected via a bus or other means. Figure 4 Taking the example of a connection between China and Israel via a bus.
[0115] Processor 410 can be a Central Processing Unit (CPU). Processor 410 can also be other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations thereof. The general-purpose processor can be a microprocessor or any conventional processor.
[0116] The memory 420, as a non-transitory computer-readable storage medium, includes persistent memory, volatile memory, and a hard disk. It can be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as the program instructions / modules corresponding to the industrial information security violation monitoring method in this embodiment. The processor 410 executes various server functions and data processing by running the non-transitory software programs, instructions, and modules stored in the memory 420, thereby implementing any of the aforementioned industrial information security violation monitoring methods.
[0117] The memory 420 may include a program storage area and a data storage area. The program storage area may store the operating system and applications required for at least one function; the data storage area may store data that is needed and required. Furthermore, the memory 420 may include high-speed random access memory and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 420 may optionally include memory remotely located relative to the processor 410, and these remote memories can be connected to the data processing device via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
[0118] Input device 430 can receive input numerical or character information, and generate key signal inputs related to user settings and function control. Output device 440 may include display devices such as a display screen.
[0119] One or more modules are stored in memory 420, and when executed by one or more processors 410, they perform actions such as... Figures 1-2 The method shown.
[0120] The above-described product can execute the method provided in the embodiments of the present invention, and has the corresponding functional modules and beneficial effects for executing the method. Technical details not described in detail in this embodiment can be found in [reference 1]. Figures 1-2 The relevant descriptions in the illustrated embodiments.
[0121] This invention also provides a non-transitory computer storage medium storing computer-executable instructions that can execute the authentication method in any of the above method embodiments. The storage medium can be a magnetic disk, optical disk, read-only memory (ROM), random access memory (RAM), flash memory, hard disk drive (HDD), or solid-state drive (SSD), etc.; the storage medium may also include combinations of the above types of memory.
[0122] Obviously, the above embodiments are merely illustrative examples for clear explanation and are not intended to limit the implementation. Those skilled in the art will recognize that other variations or modifications can be made based on the above description. It is neither necessary nor possible to exhaustively list all possible implementations here. However, obvious variations or modifications derived therefrom are still within the scope of protection of this invention.
Claims
1. A method for monitoring violations of industrial information security, characterized in that, The method includes: An industrial control firewall is set up between the access device and the industrial Ethernet, and the industrial control firewall is pre-configured with a proprietary protocol for the industrial protocol between the access device and the industrial Ethernet. Get the communication address of the currently accessed device; Based on the communication address and the industrial control firewall, obtain the proprietary protocol of the currently accessing device; Based on the proprietary protocol, determine whether there is an anomaly in the industrial protocol of the currently accessing device; If an anomaly is found in the current industrial protocol, it is determined that the current industrial protocol is subject to a protocol attack. Establish a pre-stored database, which includes abnormal events; Based on the pre-stored database, the features of pre-stored text data with typical abnormal events are obtained; Based on the features of the pre-stored text data, the typical abnormal events are classified, and the typical abnormal events belonging to the same type are grouped into several standard feature sets. Acquire real-time communication data from industrial control networks; Based on the real-time communication data, determine whether any abnormal events have occurred in the industrial control network; When an abnormal event occurs in the industrial control network, determine the type of the abnormal event; Based on the type, the degree of damage of the abnormal event is calculated to obtain the damage assessment result of the abnormal event; The calculation of the degree of damage of the abnormal event based on its type includes: Based on the type, obtain text data features of several different standard categories from the standard feature set corresponding to the current abnormal event; The similarity ratio coefficients between the text data features of the current abnormal event and the text data features of several different standard categories were calculated respectively. Based on the similarity ratio coefficient, the degree of damage of the current abnormal event is calculated. The calculation of the degree of damage of the current abnormal event based on the similarity ratio coefficient includes: Obtain the corresponding full score values for different standard categories; The degree of damage of the current abnormal event is calculated based on the similarity ratio coefficients of different standard categories and their corresponding full scores.
2. The method according to claim 1, characterized in that, Determining the type of the abnormal event includes: Text data extraction is performed on the real-time communication data to obtain the text data features of the real-time communication data; Perform similarity analysis on the text data features to determine the set of standard features that have the highest similarity to the text data features; Based on the type of the abnormal event corresponding to the standard feature set, determine the type of the current abnormal event.
3. The method according to claim 1, characterized in that, After obtaining the damage assessment result of the abnormal event, the method further includes: The damage assessment results are sent to the host computer system, and an alarm signal is sent to the host computer system.
4. A monitoring device for industrial information security violations, characterized in that, The device includes: The firewall configuration unit is used to configure an industrial control firewall between the access device and the industrial Ethernet. The industrial control firewall is pre-configured with a proprietary protocol for the industrial protocol between the access device and the industrial Ethernet. The first acquisition unit is used to acquire the communication address of the current access device. The second acquisition unit is used to acquire the proprietary protocol of the current access device based on the communication address and the industrial control firewall. The first judgment unit is used to judge whether there is any abnormality in the industrial protocol of the current access device based on the proprietary protocol. The protocol attack unit is used to determine whether there is a protocol attack behavior in the current industrial protocol when there is an abnormality in the current industrial protocol. The database creation unit is used to create a pre-stored database, which includes abnormal events; the text data feature unit is used to obtain pre-stored text data features with typical abnormal events based on the pre-stored database; the classification unit is used to classify typical abnormal events based on the pre-stored text data features, and group typical abnormal events belonging to the same type into several standard feature sets. The acquisition unit is used to acquire real-time communication data from the industrial control network. The judgment unit is used to determine whether an abnormal event has occurred in the industrial control network based on the real-time communication data. The determining unit is used to determine the type of abnormal event when an abnormal event occurs in the industrial control network; The calculation unit is used to calculate the degree of damage of the abnormal event based on the type it belongs to, and to obtain the damage assessment result of the abnormal event; The calculation of the degree of damage of the abnormal event based on its type includes: Based on the type, obtain text data features of several different standard categories from the standard feature set corresponding to the current abnormal event; The similarity ratio coefficients between the text data features of the current abnormal event and the text data features of several different standard categories were calculated respectively. Based on the similarity ratio coefficient, the degree of damage of the current abnormal event is calculated. The calculation of the degree of damage of the current abnormal event based on the similarity ratio coefficient includes: Obtain the corresponding full score values for different standard categories; The degree of damage of the current abnormal event is calculated based on the similarity ratio coefficients of different standard categories and their corresponding full scores.
5. An electronic device, characterized in that, The method includes a memory and a processor, which are interconnected. The memory stores computer instructions, and the processor executes the computer instructions to perform the industrial information security violation monitoring method according to any one of claims 1-3.
6. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer instructions for causing the computer to execute the industrial information security violation monitoring method according to any one of claims 1-3.