An industrial computer peripheral interface unauthorized access intention recognition method
By constructing an industrial control computer peripheral access event sequence and a ternary authorization table, and combining interface switching calibration data analysis, the unauthorized access intent of the industrial control computer peripheral interface is identified, solving the problem of identifying cross-interface switching behavior in the existing technology, and realizing efficient and accurate unauthorized access detection and traceable evidence output.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANGHAI KUAN YU IND NETWORK EQUIP CO LTD
- Filing Date
- 2026-04-03
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies struggle to identify covert and progressive unauthorized access behaviors during cross-interface switching of industrial control computer peripheral interfaces. They also lack the overall analytical capability for continuous access behaviors across multiple interfaces within the same session, resulting in insufficient identification accuracy and a tendency to miss or false alarms or require manual verification.
By collecting access records of industrial control computer peripherals, an access event sequence and a ternary authorization table are constructed. A set of reachable objects with interface numbers and the key level of target objects are generated. Combined with interface switching calibration data, a session right sliding window and adjacent event position pairs are constructed. The chain-level gain and authorization status of the interface relay chain are calculated, and the conclusion and evidence chain of unauthorized access intention are output.
It enables accurate identification of unauthorized access to industrial control computer peripheral interfaces, reduces false alarms and false negatives, provides a reliable basis for context-sensitive analysis, improves the accuracy and interpretability of identifying hidden unauthorized behavior, and outputs structured evidence for easy auditing and evidence collection.
Smart Images

Figure CN121980630B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of industrial control information security technology, specifically a method for identifying unauthorized access intent of industrial control computer peripheral interfaces. Background Technology
[0002] Industrial control computers (ICCs), serving as general-purpose computing and interaction platforms in industrial control systems, typically integrate various peripheral interfaces such as USB, serial ports, network ports, debug ports, and dedicated expansion ports for program downloading, parameter configuration, status acquisition, equipment integration, and maintenance. In practical applications, different interfaces often correspond to different access capabilities and operating permissions. If interface access control fails, it can easily lead to security issues such as tampering with control parameters, unauthorized access to critical objects, and abnormal switching of process states. Therefore, access control and anomaly identification surrounding ICC peripheral interfaces have become important research topics in the field of industrial control information security.
[0003] In existing technologies, security for industrial control computer peripheral interfaces typically employs methods such as interface whitelists, account permission allocation, access log auditing, single-operation rule matching, abnormal threshold alarms, and physical isolation. These technologies can, to some extent, restrict unauthorized direct access and intercept or record explicit illegal operations. However, most existing technologies are based on single interfaces, single access events, or static permission tables, primarily focusing on whether a particular interface performed a specific operation on a particular object at a specific moment. They lack the ability to comprehensively analyze continuous access behavior across multiple interfaces within the same session. In industrial settings, operators may not directly achieve unauthorized access through a single interface. Instead, they may first establish initial access using a lower-privilege interface, then switch to other interfaces within a short period, gradually expanding the reachable object range until reaching a high-value object or performing a high-impact operation. Because existing technologies lack mechanisms to identify cross-interface switching processes, adjacent access relationships, continuous relay chain structures, and chain-like permission migration effects, it is often difficult to distinguish between normal multi-interface collaborative operations and relay-style access behavior with clear intent to escalate privileges. Furthermore, existing technologies typically do not uniformly quantify factors such as interface switching latency, the criticality of the target object, and the distribution of key landing points in the chain, resulting in insufficient accuracy in identifying covert and gradual unauthorized behaviors. This can easily lead to missed reports, false alarms, or situations where manual review is required afterward.
[0004] Therefore, this case aims to propose a method for identifying unauthorized access intentions of industrial control computer peripheral interfaces. First, peripheral access behaviors are uniformly organized into an event sequence within a session. Simultaneously, authorization relationships are generated within the context of the current personnel identity, work order task, and equipment process stage. The scope of objects reachable by each interface in the current context is modeled along with the object's criticality level. Then, combined with interface switching calibration data, a session right sliding window and adjacent event position pairs are constructed, and the maximum cross-interface relay chain is spliced together under real-time constraints. Subsequently, the "interface capability expansion range" and "target object sensitivity" are coupled into a segment migration sequence, and the relay gain is calculated at the chain level. Simultaneously, elements such as allowed status indicators and the number of critical landing points are introduced to obtain the unauthorized access intention value, judgment threshold, conclusion, and the strongest abnormal evidence chain. Finally, the traceable fields are written into a record table. Summary of the Invention
[0005] This invention provides a method for identifying unauthorized access intent of industrial control computer peripheral interfaces, which helps to solve the problems mentioned in the background art.
[0006] This invention provides the following technical solution: a method for identifying unauthorized access intent of an industrial control computer peripheral interface, comprising:
[0007] Collect access records of industrial control computer peripherals, and construct access event sequences, a ternary authorization table, a set of reachable objects corresponding to each interface number in the current context, and the critical level corresponding to each target object;
[0008] Read the switching calibration test records of each interface number, filter the interface numbers that meet the valid calibration conditions, obtain the switching completion time, and construct a right sliding window of the session and a pair of adjacent event positions in the same session around the current event to be determined;
[0009] Based on the right sliding window of the session, perform interface number validity checks, interface number difference checks, and switching time checks to obtain the maximum cross-interface relay chain corresponding to the current event to be judged;
[0010] For each hop in the current largest cross-interface relay chain, the coverage ratio of newly reachable objects relative to the starting interface number of the endpoint interface number is calculated. Combined with the criticality level of the target object corresponding to the endpoint event of each hop, the migration increment and segment migration sequence of each hop segment are formed.
[0011] Perform chain multiplication calculations in the order of the segment migration sequence to obtain the chain-level relay gain corresponding to the current maximum cross-interface relay chain;
[0012] Check the authorization status of each event in the current largest cross-interface relay chain, and combine the set of high-value objects, the set of key interface numbers, and the set of high-impact operations to obtain the allowed status indication and the number of key landing points;
[0013] Based on the allowed status indicator, chain-level relay gain, and number of key landing points, obtain the unauthorized access intent value, judgment threshold, unauthorized access intent identification conclusion, and strongest abnormal evidence chain corresponding to the current event to be judged.
[0014] Output the unauthorized access intent identification conclusion, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain relay gain, number of critical landing points, unauthorized access intent value and judgment threshold, and write them to the result record table.
[0015] Optionally, the step of collecting access records from industrial control computer peripherals and constructing an access event sequence, a ternary authorization table, a set of reachable objects corresponding to each interface number in the current context, and a key level corresponding to each target object specifically includes:
[0016] The peripheral access records of the industrial control computer are organized into a sequence of access events arranged in chronological order of occurrence, ensuring that the occurrence time of the later access event is no earlier than that of the earlier access event. In each access event, the session identifier, interface number, operation type, target object number, and occurrence time are recorded.
[0017] Based on the current personnel identity, work order task and equipment process stage, authorization verification is performed on each combination of interface number, operation type and target object number to generate a three-element authorization table, and the authorization status is divided into unauthorized and authorized.
[0018] For each interface number, iterate through all records in the ternary authorization table corresponding to the current interface number, and collect the target objects corresponding to the target object numbers with the authorization status of authorized, forming a set of reachable objects for the current interface number in the current context;
[0019] For each target object, read the writable attribute bits, control state change attribute bits, persistent attribute bits, and security-related attribute bits, and add the four attribute bits together;
[0020] The sum of the four attribute bits is divided by four to form the key level of the current target object.
[0021] Optionally, the step of reading the handover calibration test records of each interface number, filtering the interface numbers that meet the valid calibration conditions, obtaining the handover completion time, and constructing a session right sliding window and adjacent event position pairs within the same session around the current event to be determined specifically includes:
[0022] For each interface number, read all the switching calibration test records corresponding to the current interface number, and read the control takeover completion time and the first valid response time in each switching calibration test record;
[0023] For each interface number, check the switching calibration test records one by one. When there is at least one switching calibration test that satisfies the condition that the first valid response time is not earlier than the control takeover completion time, record the current interface number as meeting the valid calibration condition.
[0024] All interface numbers that meet the valid calibration conditions are collected to form a set of valid calibration interface numbers;
[0025] For each interface number in the set of valid calibration interface numbers, read the control takeover completion time and the first valid response time in all switching calibration tests corresponding to the current interface number. For test records where the first valid response time is not earlier than the control takeover completion time, calculate the time difference between the first valid response time and the control takeover completion time for each record.
[0026] Take the maximum value from all time differences corresponding to the same interface number to form the handover completion time for the current interface number;
[0027] For the current event to be determined, read all access events of the session to which the current event to be determined belongs from the start time of the session to the time when the current event to be determined occurs, and form a right sliding window of the session with the current event to be determined as the right endpoint;
[0028] For the access event positions within the right sliding window of the session, check any two adjacent positions in chronological order. If there are no other access event positions between the two positions, record the two positions as a pair of adjacent event positions in the same session, forming a set of adjacent event position pairs in the same session.
[0029] Optionally, the step of performing interface number validity checks, interface number difference checks, and switching time checks based on the right sliding window of the session to obtain the maximum cross-interface relay chain corresponding to the current event to be determined specifically includes:
[0030] Select the current event sequence candidate with the current location of the event to be determined as the end position in the right sliding window of the session. The current event sequence candidate must contain at least two access events, and the positions of each access event must be arranged in ascending order from front to back, and the positions of two adjacent access events must form a pair of adjacent event positions in the same session.
[0031] For each hop in the current event sequence candidate, read the occurrence time of the previous event and the occurrence time of the next event, and subtract the occurrence time of the previous event from the occurrence time of the next event to form the actual switching interval of the current hop;
[0032] For each hop in the current event sequence candidate, read the handover completion time of the interface number corresponding to the previous event and the handover completion time of the interface number corresponding to the next event, add the two handover completion times together to form the allowed handover interval for the current hop;
[0033] For each hop in the current event sequence candidate, perform interface number validity check, interface number difference check, and switching time check. The interface number validity check checks whether the interface number corresponding to the previous event and the interface number corresponding to the next event both belong to the set of valid labeled interface numbers. The interface number difference check checks whether the interface number corresponding to the next event is different from the interface number corresponding to the previous event. The switching time check checks whether the actual switching interval of the current hop is greater than zero and not greater than the allowed switching interval of the current hop.
[0034] Starting from the current location of the event to be determined, the set is continuously backtracked forward along the locations of adjacent events in the same session. When the interface number validity check, interface number difference check, and switching time check all pass during each backtracking, the newly detected previous event is merged into the beginning of the current event sequence candidate.
[0035] If there are no more position pairs that can be traced back, or if any interface number validity check, interface number difference check, or switch time check fails during the backtracking process, the current backtracking is terminated, and the longest continuous event sequence that has been formed is retained.
[0036] The longest consecutive event sequence that passes the interface number validity check, interface number difference check, and switching time check, and whose end position is the current location of the event to be judged, is denoted as the maximum cross-interface relay chain corresponding to the current event to be judged.
[0037] If there is no consecutive event sequence that passes the interface number validity check, interface number difference check, and switching time check, the maximum cross-interface relay chain corresponding to the current event to be determined is recorded as empty.
[0038] Optionally, for each hop in the current largest cross-interface relay chain, the percentage of newly reachable objects covered by the endpoint interface number relative to the starting interface number is calculated. This is combined with the criticality level of the target object corresponding to each hop's endpoint event to form the hop segment migration increment and segment migration sequence. Specifically, this includes:
[0039] When the current maximum cross-interface relay chain is not empty, for each hop in the current maximum cross-interface relay chain, read the set of reachable objects corresponding to the current hop start interface number in the current context and the set of reachable objects corresponding to the current hop end interface number in the current context;
[0040] Remove target objects that are also in the reachable object set corresponding to the current jump start point interface number in the current context from the current jump end point interface number's reachable object set in the current context, and retain target objects that are only newly reached by the current jump end point interface number;
[0041] Count the number of newly reached target objects for the current jump endpoint interface number, and count the number of target objects corresponding to all target object numbers in the three-element authorization table;
[0042] Divide the number of newly reached target objects by the current hop endpoint interface number by the total number of target objects corresponding to all target object numbers in the ternary authorization table to form the coverage ratio of newly reachable objects for the current hop;
[0043] Read the criticality level of the target object corresponding to the current jump endpoint event, multiply the coverage ratio of newly reachable objects of the current jump by the criticality level of the target object corresponding to the current jump endpoint event, and form the segment migration increment of the current jump;
[0044] According to the jump order in the current largest cross-interface relay chain, all segment migration increments are obtained in sequence to form a segment migration sequence.
[0045] Optionally, the step of performing a chain-level relay gain corresponding to the current maximum cross-interface relay chain by performing a chain-by-chain multiplication in the order of the segment migration sequence specifically includes:
[0046] If the current maximum cross-interface relay chain is not empty, read the segment migration sequence corresponding to the current maximum cross-interface relay chain;
[0047] Add the segment migration increment of each hop in the segment migration sequence to the value one to form a product term corresponding to each hop one;
[0048] Multiply all product terms consecutively according to the jump order in the current largest cross-interface relay chain;
[0049] Subtract one from the result of continuous multiplication to form the chain-level relay gain corresponding to the current maximum cross-interface relay chain.
[0050] When the current maximum cross-interface relay chain is empty, the chain-level relay gain is recorded as zero.
[0051] Optionally, the step of checking the authorization status of each event in the current largest cross-interface relay chain, and combining the set of high-value objects, the set of key interface numbers, and the set of high-impact operations to obtain the allowed status indication and the number of key landing points, specifically includes:
[0052] When the current maximum cross-interface relay chain is not empty, for each hop in the current maximum cross-interface relay chain, read the interface number, operation type and target object number corresponding to the previous event and the next event respectively, and check the authorization status of the previous event and the next event in the ternary authorization table.
[0053] In the same jump, if both the previous event and the next event are in an authorized state, the allowed relay state of the current jump is recorded as one; if either unauthorized state exists, the allowed relay state of the current jump is recorded as zero.
[0054] Read the interface number, operation type and target object number corresponding to the current largest cross-interface relay chain head event, and check the authorization status of the chain head event in the ternary authorization table. When the chain head event is in an authorized state, record the chain head event authorization status indicator value as one; when there is an unauthorized state, record the chain head event authorization status indicator value as zero.
[0055] The authorized status indicator value of the chain head event is multiplied consecutively with the allowed relay status of each hop in the current largest cross-interface relay chain in the relay chain order to form the allowed status indicator value of the current largest cross-interface relay chain.
[0056] When the allowed status indicator is 1, the current maximum cross-interface relay chain is recorded as an allowed relay chain; when the allowed status indicator is 0, the current maximum cross-interface relay chain is recorded as not belonging to the allowed relay chain.
[0057] Add up the writable attribute bits, control state change attribute bits, persistent attribute bits, and security-related attribute bits of each target object, and gather the target objects whose sum is not less than three to form a high-value object set;
[0058] For each interface number, check whether the intersection of the reachable object set and the high-value object set corresponding to the current interface number in the current context is non-empty. Interface numbers with non-empty intersections are collected to form a set of key interface numbers.
[0059] By combining write, control, and erase operations, a set of high-impact operations is formed.
[0060] When the current maximum cross-interface relay chain is not empty, each event in the current maximum cross-interface relay chain is read one by one. When the interface number corresponding to the event belongs to the set of key interface numbers and the operation type corresponding to the event belongs to the set of high-impact operations, a count is performed on the current event to form the number of key landing points in the current maximum cross-interface relay chain.
[0061] When the current maximum cross-interface relay chain is empty, the allowed status indicator is recorded as zero, and the critical landing count is recorded as zero.
[0062] Optionally, the step of obtaining the unauthorized access intent value, judgment threshold, unauthorized access intent identification conclusion, and strongest abnormal evidence chain corresponding to the current event to be judged based on the allowed state indicator, chain-level relay gain, and number of key landing points specifically includes:
[0063] When the current maximum cross-interface relay chain is not empty, read the allowed status indicator, chain-level relay gain, and number of critical landing points;
[0064] Subtract the allowed status indicator from the value, multiply the result by the chain relay gain, and then multiply the product by the result of adding one to the number of critical landing points to form the unauthorized access intent value corresponding to the current event to be judged.
[0065] Multiply the allowed state indicator by the chain relay gain, and then multiply the product by the result of adding one to the number of critical landing points to form the judgment threshold corresponding to the current event to be judged.
[0066] Compare the unauthorized access intent value corresponding to the current event to be judged with the judgment threshold. If the unauthorized access intent value is greater than the judgment threshold, the current event to be judged is recorded as meeting the unauthorized access intent judgment condition.
[0067] When the value of unauthorized access intent is greater than the judgment threshold, the conclusion of unauthorized access intent identification is recorded as the existence of unauthorized access intent on the industrial control computer peripheral interface, and the current maximum cross-interface relay chain is recorded as the strongest abnormal evidence chain.
[0068] When the value of unauthorized access intent is not greater than the judgment threshold, the current event to be judged is recorded as not meeting the unauthorized access intent judgment condition, the unauthorized access intent identification conclusion is recorded as not identifying unauthorized access intent of industrial control computer peripheral interface, and the strongest abnormal evidence chain is recorded as empty.
[0069] When the current maximum cross-interface relay chain is empty, the unauthorized access intent value is recorded as zero, the judgment threshold is recorded as zero, the current event to be judged is recorded as not meeting the unauthorized access intent judgment condition, the unauthorized access intent identification conclusion is recorded as not identifying unauthorized access intent of the industrial control computer peripheral interface, and the strongest abnormal evidence chain is recorded as empty.
[0070] Optionally, the output of the unauthorized access intent identification conclusion, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain-level relay gain, number of key landing points, unauthorized access intent value and judgment threshold are written into the result record table, specifically including:
[0071] When the current event to be determined meets the conditions for determining unauthorized access intent, the output will show that there is an unauthorized access intent to the industrial control computer peripheral interface.
[0072] If the current event to be determined does not meet the conditions for determining unauthorized access intent, the output will be: Unauthorized access intent to the industrial control computer peripheral interface was not detected.
[0073] Synchronously output the session identifier corresponding to the event to be judged;
[0074] When the strongest abnormal evidence chain is not empty, output the sequence of interface numbers involved in the strongest abnormal evidence chain in chronological order of events;
[0075] When the strongest abnormal evidence chain is not empty, output the operation type and target object number corresponding to each event in the strongest abnormal evidence chain in chronological order.
[0076] When the strongest abnormal evidence chain is not empty, output the actual switching interval of each jump and the allowed switching interval of each jump in the jump order;
[0077] When the strongest abnormal evidence chain is not empty, output the segment migration sequence in the jump order, and output the chain-level relay gain and the number of key landing points corresponding to the strongest abnormal evidence chain.
[0078] Output the unauthorized access intent value and judgment threshold corresponding to the current event to be judged;
[0079] When the strongest abnormal evidence chain is empty, the following will be output as empty values: interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval of each hop, segment migration sequence, chain-level relay gain and number of key landing points.
[0080] Write the unauthorized access intent identification conclusion, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain relay gain, number of critical landing points, unauthorized access intent value and judgment threshold into the result record table.
[0081] The present invention has the following beneficial effects:
[0082] 1. Access records are organized into a time-ordered sequence of access events, and authorization relationships are solidified into a ternary authorization table. Simultaneously, a set of reachable objects is formed for the range of objects reachable by each interface number within the current context, and a critical level is established for each target object. Integrating interface capability boundaries and object sensitivity into the same structured expression eliminates reliance on fragmented rules or manual experience in subsequent link analysis. The reachable object set transforms implicit knowledge of what an interface can access into computable objects, reducing the misclassification of legitimate access as abnormal or the failure to report hidden unauthorized access. The critical level explicitly quantifies the differences in object value, focusing risk assessment on key objects and preventing alarm overload caused by treating all objects equally. This solution provides a unified foundation of context sensitivity and object sensitivity, offering a reliable reference basis for subsequent cross-interface intent identification.
[0083] 2. In industrial control environments, switching from one interface to another requires processes such as control takeover, equipment response, and link stabilization, with significant differences between interfaces. This solution filters interface numbers that meet valid calibration conditions from switchover calibration test records, calculates the switchover completion time, and constructs a right sliding window around the current event to be judged, pairing it with adjacent event positions within the same session. The objective duration of interface switchover is introduced into the detection boundary, and the right sliding window and adjacent position pairs precisely fix the close operational relationships within the same session. This can filter out a large number of false anomalies in the time dimension: for example, short-interval operations generated by a legitimate operator quickly switching interfaces are easily misjudged as abnormal relays if the interface switchover time is not considered; conversely, genuine unauthorized relays often have continuity that conforms to the switchover time constraint. This solution provides a reliable time threshold for subsequent chain splicing. This solution adaptively constrains timing with interface calibration data, improving the accuracy and interpretability of timing judgment.
[0084] 3. Within the right-side sliding window of the session, perform interface number validity checks, interface number difference checks, and switching time checks, tracing back from the current event to be judged to form the maximum cross-interface relay chain. This transforms the concept of cross-interface relay into a feasible chain construction process: events are only allowed to be included in the same relay chain if adjacent events satisfy the following conditions: the interface number belongs to the valid label set, the interface number changes, and the time interval falls within the allowed range. The resulting maximum cross-interface relay chain can depict the typical operational trajectory of attackers gradually advancing the permission boundary using multiple interfaces. The ability to reveal concealed privilege escalation: a single access may appear legitimate, but continuous actions across interfaces will exhibit obvious relay characteristics. This solution provides the ability to piece together these fragmented actions into a complete storyline. This solution enhances the depth of identification of chain-like privilege escalation through rigorous adjacency constraints and backtracking expansion.
[0085] 4. Focusing on the crucial question of the extent of capability expansion brought about by each interface switch, we statistically analyze the percentage of newly accessible objects covered by the endpoint interface number relative to the starting interface number. Combined with the criticality level of the target object in the endpoint event, we generate the migration increment and segment migration sequence for each hop. The risk sources of cross-interface relay are broken down into two interpretable factors: the extent of reachable object expansion brought about by the interface switch, and the sensitivity of the reached objects themselves. These two factors are then coupled into the segment migration increment of each hop. The risk prioritization is more consistent with actual field conditions: when a switch barely expands reachable objects, there is no need to be overly concerned even if a switch occurs; when a switch significantly expands reachable objects and falls on high-criticality objects, even if the single operation is ordinary, it should be given priority attention. This solution quantifies risk from the perspective of capability expansion, reducing false alarms and making alarm reasons more intuitive and auditable.
[0086] 5. The chain-level relay gain is obtained by performing multiplication calculations sequentially according to the migration sequence, used to characterize the overall amplification effect of the entire relay chain. A chain-level aggregation approach is adopted: the risk increment of a single hop is not viewed in isolation, but rather accumulated and amplified according to the progression sequence of the relay chain, thus distinguishing the systemic danger of multi-hop relays from the local fluctuations of occasional single hops. This approach can more effectively identify continuously advancing attacks: attackers often gradually expand their reach through multiple interface switches. While a single hop may not seem extreme, the risk accumulates significantly when linked together. The chain-level relay gain makes this accumulation explicit, causing high-risk chains to naturally rise in the ranking. The chain-level gain of this scheme better reflects the true risk structure of relay-style escalation, improving both the detection rate and the quality of alarms.
[0087] 6. Verify the authorization status of each event within the relay chain. Combine the sets of high-value objects, key interface numbers, and high-impact operations to obtain the permitted status indicator and the number of key landing points. Integrate compliance signals and high-risk business semantics into the chain evaluation: the permitted status indicator reflects whether the chain is fully within the authorized scope, while the number of key landing points reflects the frequency of landing on key interfaces and high-impact operation combinations within the chain. This not only identifies obvious unauthorized actions but also suspicious behaviors with formal authorization but abnormally concentrated risks. It is more user-friendly for real-world scenarios: Temporary authorizations, delegating operations, and emergency repairs frequently occur on-site. Simply relying on unauthorized judgments can easily miss the risk of authorization abuse; at the same time, relying solely on behavior statistics can easily lead to false alarms about normal inspections. Through the cross-constraints of high-value objects, key interfaces, and high-impact operations, this solution filters out the chains that truly require priority handling from massive logs.
[0088] 7. Based on the permitted status indicator, chain-level relay gain, and the number of key landing points, an unauthorized access intent value and a judgment threshold are generated, and an unauthorized access intent identification conclusion and the strongest abnormal evidence chain are given. A self-consistent threshold concept is introduced: the judgment threshold changes in conjunction with the permitted status of the chain, the chain-level gain, and the characteristics of key landing points, avoiding the failure of a single fixed threshold under different operating conditions; at the same time, the strongest abnormal evidence chain directly outputs the key chain leading to the conclusion, forming a traceable path from result to cause. This solves the problems of alarms being unexplainable and difficult to verify: operation and security personnel not only receive the conclusion but can also directly see the interface number sequence that triggered the conclusion, the key landing points, and the time interval structure, facilitating quick judgment on whether shutdown, isolation, or personnel operation tracing is necessary. This solution elevates the intent from a single action to a chain-level behavior pattern and solidifies the judgment process into audit assets through the evidence chain output, enhancing practical usability.
[0089] 8. Write the conclusions of unauthorized access intent identification and key process fields into the results record table. The output includes session identifier, interface number sequence, operation type and target object number corresponding to each event, actual and allowed switching intervals for each hop, segment migration sequence, chain-level relay gain, number of key landing points, unauthorized access intent value, and judgment threshold. Productize the detection results into reusable structured evidence units, containing both conclusions and the minimum sufficient information required for chain reconstruction, facilitating subsequent report statistics, correlation analysis, playback evidence collection, and rule iteration. This forms a closed-loop capability: frontline personnel can directly verify the chain's rationality based on the output fields after receiving an alert; second-line teams can use the record table for trend analysis and baseline calibration; and the audit team can use this to create compliance documentation and accountability traceability. This solution records the evidence chain and key quantitative indicators together, reducing response costs and improving handling efficiency and evidence collection quality. Attached Figure Description
[0090] Figure 1 This is a schematic diagram of the process of the present invention.
[0091] Figure 2 This is a schematic diagram of the process for switching calibration and constructing the right sliding window of the session in this invention.
[0092] Figure 3 This is a schematic diagram of the construction process of the maximum cross-interface relay chain of the present invention.
[0093] Figure 4 This is a schematic diagram of the unauthorized access intent value and judgment output process of the present invention. Detailed Implementation
[0094] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0095] Example, refer to Figure 1 A method for identifying unauthorized access intent of an industrial control computer peripheral interface, comprising:
[0096] Collect access records of industrial control computer peripherals, and construct access event sequences, a ternary authorization table, a set of reachable objects corresponding to each interface number in the current context, and the critical level corresponding to each target object;
[0097] Read the switching calibration test records of each interface number, filter the interface numbers that meet the valid calibration conditions, obtain the switching completion time, and construct a right sliding window of the session and a pair of adjacent event positions in the same session around the current event to be determined;
[0098] Based on the right sliding window of the session, perform interface number validity checks, interface number difference checks, and switching time checks to obtain the maximum cross-interface relay chain corresponding to the current event to be judged;
[0099] For each hop in the current largest cross-interface relay chain, the coverage ratio of newly reachable objects relative to the starting interface number of the endpoint interface number is calculated. Combined with the criticality level of the target object corresponding to the endpoint event of each hop, the migration increment and segment migration sequence of each hop segment are formed.
[0100] Perform chain multiplication calculations in the order of the segment migration sequence to obtain the chain-level relay gain corresponding to the current maximum cross-interface relay chain;
[0101] Check the authorization status of each event in the current largest cross-interface relay chain, and combine the set of high-value objects, the set of key interface numbers, and the set of high-impact operations to obtain the allowed status indication and the number of key landing points;
[0102] Based on the allowed status indicator, chain-level relay gain, and number of key landing points, obtain the unauthorized access intent value, judgment threshold, unauthorized access intent identification conclusion, and strongest abnormal evidence chain corresponding to the current event to be judged.
[0103] Output the unauthorized access intent identification conclusion, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain relay gain, number of critical landing points, unauthorized access intent value and judgment threshold, and write them to the result record table.
[0104] By first collecting peripheral access records and constructing access event sequences, a ternary authorization table, the set of reachable objects for each interface number in the current context, and the critical level of the target object, this solves the problem in existing technologies where relying on a single log entry or static permission table makes it difficult to interpret whether access is compliant and whether risks are concentrated. Then, by reading interface switching calibration test records, filtering valid calibration interface numbers, and calculating the switching completion time, a session right sliding window and adjacent event position pairs are constructed around the event to be judged, resolving the problem of time threshold distortion, false positives, and false negatives caused by differences in switching times between different interfaces. Finally, through interface number validity checks, difference checks, and switching time checks, a maximum value is formed through backtracking. The cross-interface relay chain addresses the issue that unauthorized actions often occur in stages and across interfaces, making it difficult for single-point detection to capture continuity. Furthermore, by combining the coverage ratio of newly accessible objects with the critical level of the target object in the endpoint event to form a segment migration sequence and calculating the chain-level relay gain, it solves the problem of not being able to quantify the capability expansion and risk accumulation brought about by interface switching. Simultaneously, by obtaining the permitted status indication and the number of critical landing points through authorization status, key interface number sets, high-value object sets, and high-impact operation sets, it solves the problem that relying solely on unauthorized judgment will miss authorized abuse or abnormally concentrated risk landing points. Finally, the output conclusion, threshold, evidence chain, and a full set of traceable fields are written to the record table. Alarms are verifiable, traceable, and verifiable, and the risk ranking more closely reflects the actual operation chain in industrial control scenarios. Compared to common rule triggers or single-event scoring, it has stronger chain interpretability and audit implementability.
[0105] The process of collecting access records from industrial control computer peripherals involves constructing an access event sequence, a ternary authorization table, a set of reachable objects corresponding to each interface number in the current context, and a key level corresponding to each target object. Specifically, this includes:
[0106] The peripheral access records of the industrial control computer are organized into a sequence of access events arranged in chronological order of occurrence, ensuring that the occurrence time of the later access event is no earlier than that of the earlier access event. In each access event, the session identifier, interface number, operation type, target object number, and occurrence time are recorded.
[0107] Based on the current personnel identity, work order task and equipment process stage, authorization verification is performed on each combination of interface number, operation type and target object number to generate a three-element authorization table, and the authorization status is divided into unauthorized and authorized.
[0108] For each interface number, iterate through all records in the ternary authorization table corresponding to the current interface number, and collect the target objects corresponding to the target object numbers with the authorization status of authorized, forming a set of reachable objects for the current interface number in the current context;
[0109] For each target object, read the writable attribute bits, control state change attribute bits, persistent attribute bits, and security-related attribute bits, and add the four attribute bits together;
[0110] The sum of the four attribute bits is divided by four to form the key level of the current target object.
[0111] The peripheral access records of the industrial control computer are uniformly organized into an event sequence ordered by time: , , ;in, This is the total set of access events for the current batch to be analyzed. For the first One access event; For the event location index; This represents the total number of events currently awaiting analysis. For the first The session identifier to which the event belongs; For the first The interface number corresponding to each event; For the first The operation type corresponding to each event; For the first The target object number corresponding to each event; For the first The moment when the event occurs;
[0112] Based on the current personnel identity, work order task, and equipment process stage, generate a three-element authorization table: ;in, This indicates that in the current context, the interface For the target object Execute operation Whether it is authorized, 0 indicates unauthorized, 1 indicates authorized; The function argument represents the interface number; This is the function's argument, representing the type of operation. The function's independent variable represents the target object's ID;
[0113] For each interface Construct a set of reachable objects in the current context, specifically: ;in, For interface The set of target objects that can be reached in the current context;
[0114] For each target object Read four binary properties , , , The key level for constructing objects is: ;in, For the target object Key level; For the target object The writable attribute bit can take the value 0 or 1; For the target object The control state changes the attribute bit, which can take the value of 0 or 1; For the target object The persistent attribute bit, with a value of 0 or 1; For the target object The security association attribute bit takes a value of 0 or 1.
[0115] Reference Figure 2 The step of reading the switching calibration test records of each interface number, filtering the interface numbers that meet the valid calibration conditions, obtaining the switching completion time, and constructing a session right sliding window and adjacent event position pairs around the current event to be determined, specifically includes:
[0116] For each interface number, read all the switching calibration test records corresponding to the current interface number, and read the control takeover completion time and the first valid response time in each switching calibration test record;
[0117] For each interface number, check the switching calibration test records one by one. When there is at least one switching calibration test that satisfies the condition that the first valid response time is not earlier than the control takeover completion time, record the current interface number as meeting the valid calibration condition.
[0118] All interface numbers that meet the valid calibration conditions are collected to form a set of valid calibration interface numbers;
[0119] For each interface number in the set of valid calibration interface numbers, read the control takeover completion time and the first valid response time in all switching calibration tests corresponding to the current interface number. For test records where the first valid response time is not earlier than the control takeover completion time, calculate the time difference between the first valid response time and the control takeover completion time for each record.
[0120] Take the maximum value from all time differences corresponding to the same interface number to form the handover completion time for the current interface number;
[0121] For the current event to be determined, read all access events of the session to which the current event to be determined belongs from the start time of the session to the time when the current event to be determined occurs, and form a right sliding window of the session with the current event to be determined as the right endpoint;
[0122] For the access event positions within the right sliding window of the session, check any two adjacent positions in chronological order. If there are no other access event positions between the two positions, record the two positions as a pair of adjacent event positions in the same session, forming a set of adjacent event position pairs in the same session.
[0123] For each type of interface The effective calibration conditions are as follows: ;in, For interface Does it meet the valid calibration conditions? It is an existential quantifier; Assign test sequence number to interface switching calibration; For interface Total number of switching calibration tests; For interface In the The first valid response time in the switching calibration test; For interface In the The control takeover completion time during the next switching calibration test;
[0124] The set of valid calibration interfaces is constructed as follows: ;in, The set of interface numbers that all satisfy the valid calibration conditions;
[0125] Belonging to interface Read the control takeover completion time and the first valid response time of all handover tests from the interface calibration record, and calculate the handover completion time, specifically:
[0126] ;in, For interface The duration of the switchover completion;
[0127] For the current event to be determined The right-side sliding window retrieves all events from the start time of the session to the current time.
[0128] ;in, For the first The right-side sliding window of the session is the right endpoint of the event; For the first One access event; This is the index for the event location within the right sliding window; Session identifier The corresponding session start time; For the first The moment the event occurred; For the first The moment the event occurred;
[0129] Right sliding window The set of adjacent event location pairs within the same session is as follows:
[0130] ;in, For right sliding window The set of adjacent event locations within; This is the index of the previous event position in the position pair; This is the position index of the next event in the position pair; This is a non-existent quantifier; For the location With position Index of intermediate event positions.
[0131] Reference Figure 3 The step of performing interface number validity checks, interface number difference checks, and switching time checks based on the right sliding window of the session to obtain the maximum cross-interface relay chain corresponding to the current event to be determined specifically includes:
[0132] Select the current event sequence candidate with the current location of the event to be determined as the end position in the right sliding window of the session. The current event sequence candidate must contain at least two access events, and the positions of each access event must be arranged in ascending order from front to back, and the positions of two adjacent access events must form a pair of adjacent event positions in the same session.
[0133] For each hop in the current event sequence candidate, read the occurrence time of the previous event and the occurrence time of the next event, and subtract the occurrence time of the previous event from the occurrence time of the next event to form the actual switching interval of the current hop;
[0134] For each hop in the current event sequence candidate, read the handover completion time of the interface number corresponding to the previous event and the handover completion time of the interface number corresponding to the next event, add the two handover completion times together to form the allowed handover interval for the current hop;
[0135] For each hop in the current event sequence candidate, perform interface number validity check, interface number difference check, and switching time check. The interface number validity check checks whether the interface number corresponding to the previous event and the interface number corresponding to the next event both belong to the set of valid labeled interface numbers. The interface number difference check checks whether the interface number corresponding to the next event is different from the interface number corresponding to the previous event. The switching time check checks whether the actual switching interval of the current hop is greater than zero and not greater than the allowed switching interval of the current hop.
[0136] Starting from the current location of the event to be determined, the set is continuously backtracked forward along the locations of adjacent events in the same session. When the interface number validity check, interface number difference check, and switching time check all pass during each backtracking, the newly detected previous event is merged into the beginning of the current event sequence candidate.
[0137] If there are no more position pairs that can be traced back, or if any interface number validity check, interface number difference check, or switch time check fails during the backtracking process, the current backtracking is terminated, and the longest continuous event sequence that has been formed is retained.
[0138] The longest consecutive event sequence that passes the interface number validity check, interface number difference check, and switching time check, and whose end position is the current location of the event to be judged, is denoted as the maximum cross-interface relay chain corresponding to the current event to be judged.
[0139] If there is no consecutive event sequence that passes the interface number validity check, interface number difference check, and switching time check, the maximum cross-interface relay chain corresponding to the current event to be determined is recorded as empty.
[0140] Right sliding window sequence of events within Construct the event sequence conditions, specifically as follows:
[0141] , , , ;in, This refers to the sequence of events currently under discussion; This is an event sequence expansion. The first event in the current sequence of events discussed The position number of each event in the overall event sequence; The order of events within an event sequence; The first event position is numbered, indicating the position of the first event in the current event sequence under discussion; For the first Each event position number indicates the position of the last event in the current event sequence under discussion; This represents the number of events in the current event sequence under discussion. This is the skip index for the current sequence of events being discussed; A conditional function, representing a sequence of events. Does it meet the sequence structure conditions?
[0142] For the first Jump, construct the actual handover interval as: ;in, For the first The actual switching interval of the jump; The first event in the current sequence of events discussed Location of the event The corresponding time of occurrence;
[0143] when and At that time, the allowed switching interval is:
[0144] ;in, For the first Allowable switching interval for jumps; Position in the current sequence of events under discussion The interface number corresponding to the event; For the first The time taken to complete the switch to the starting point interface;
[0145] The conditions for establishing cross-interface relay are as follows:
[0146] ;in, For the first Does the jump meet the conditions for cross-interface relay?
[0147] Perform steps S301 to S307 to form the current largest candidate relay chain:
[0148] S301, from the termination position The event begins, and the set is arranged along the adjacent event positions within the same session. Backtracking continuously forward;
[0149] S302. For any established event sequence, record the position of the beginning of the current sequence as... ;
[0150] S603, in Search and location Corresponding position pair ;
[0151] S304, When a position pair exists First, verify , , ;in, For position The interface number corresponding to the event; Position of the first event in the current sequence The interface number corresponding to the event;
[0152] S305, in , , After it is established, verify it again:
[0153] ;in, For position The time when the corresponding event occurred; Position of the first event in the current sequence The time when the corresponding event occurred; For position The switching completion time for the corresponding interface; For position The switching completion time for the corresponding interface;
[0154] S306. When all conditions are met, the event will be... As a new initial event, it continues to trace back forward;
[0155] S307, When no position pair exists ,or , , , If any of the conditions is not met, terminate the current extension and retain the current maximum consecutive event sequence;
[0156] Set the termination position to the current event. Satisfying the event sequence condition And all jumps meet the cross-interface relay conditions. The maximum continuous event sequence is denoted as ;in, For the current event The corresponding maximum cross-interface relay chain;
[0157] When there is no event sequence condition that is satisfied And all jumps meet the cross-interface relay conditions. When taking the longest continuous event sequence, take .
[0158] For each hop in the current largest cross-interface relay chain, the percentage of newly reachable objects covered by the endpoint interface number relative to the starting interface number is calculated. This, combined with the criticality level of the target object corresponding to each hop's endpoint event, forms the hop segment migration increment and segment migration sequence, specifically including:
[0159] When the current maximum cross-interface relay chain is not empty, for each hop in the current maximum cross-interface relay chain, read the set of reachable objects corresponding to the current hop start interface number in the current context and the set of reachable objects corresponding to the current hop end interface number in the current context;
[0160] Remove target objects that are also in the reachable object set corresponding to the current jump start point interface number in the current context from the current jump end point interface number's reachable object set in the current context, and retain target objects that are only newly reached by the current jump end point interface number;
[0161] Count the number of newly reached target objects for the current jump endpoint interface number, and count the number of target objects corresponding to all target object numbers in the three-element authorization table;
[0162] Divide the number of newly reached target objects by the current hop endpoint interface number by the total number of target objects corresponding to all target object numbers in the ternary authorization table to form the coverage ratio of newly reachable objects for the current hop;
[0163] Read the criticality level of the target object corresponding to the current jump endpoint event, multiply the coverage ratio of newly reachable objects of the current jump by the criticality level of the target object corresponding to the current jump endpoint event, and form the segment migration increment of the current jump;
[0164] According to the jump order in the current largest cross-interface relay chain, all segment migration increments are obtained in sequence to form a segment migration sequence.
[0165] when At that time, The first in Jump, from the interface Switch to interface When calculating the proportion of reachable surfaces of newly added objects to all objects, the specific steps are as follows:
[0166] ;in, For the first The interface expansion ratio of the jump; For the first The collection of objects reachable from the jump start interface; This is a base function for a set; the input is a set, and the output is the number of elements in the set. Let be the set difference, representing the th set. The jump-to-end interface adds a new set of reachable objects compared to the start-point interface;
[0167] For the first The purpose of the jump The calculation of segment migration increments is as follows:
[0168] ;in, For the first Jump segment migration increment; For the first The target object number corresponding to the jump endpoint event; For the first The critical level of the target object of the jump endpoint event;
[0169] Chain Calculate all jumps sequentially Forming a segment migration sequence .
[0170] The step-by-step multiplication calculation, performed sequentially according to the segment migration sequence, yields the chain-level relay gain corresponding to the current maximum cross-interface relay chain. Specifically, this includes:
[0171] If the current maximum cross-interface relay chain is not empty, read the segment migration sequence corresponding to the current maximum cross-interface relay chain;
[0172] Add the segment migration increment of each hop in the segment migration sequence to the value one to form a product term corresponding to each hop one;
[0173] Multiply all product terms consecutively according to the jump order in the current largest cross-interface relay chain;
[0174] Subtract one from the result of continuous multiplication to form the chain-level relay gain corresponding to the current maximum cross-interface relay chain.
[0175] When the current maximum cross-interface relay chain is empty, the chain-level relay gain is recorded as zero.
[0176] when At that time, for the current longest relay chain The chain relay gain is calculated as follows:
[0177] ;in, The longest relay chain at present Chain-level relay gain;
[0178] when At that time, take .
[0179] The process of checking the authorization status of each event in the current largest cross-interface relay chain, combined with the set of high-value objects, the set of key interface numbers, and the set of high-impact operations, to obtain the permitted status indication and the number of key landing points, specifically includes:
[0180] When the current maximum cross-interface relay chain is not empty, for each hop in the current maximum cross-interface relay chain, read the interface number, operation type and target object number corresponding to the previous event and the next event respectively, and check the authorization status of the previous event and the next event in the ternary authorization table.
[0181] In the same jump, if both the previous event and the next event are in an authorized state, the allowed relay state of the current jump is recorded as one; if either unauthorized state exists, the allowed relay state of the current jump is recorded as zero.
[0182] Read the interface number, operation type and target object number corresponding to the current largest cross-interface relay chain head event, and check the authorization status of the chain head event in the ternary authorization table. When the chain head event is in an authorized state, record the chain head event authorization status indicator value as one; when there is an unauthorized state, record the chain head event authorization status indicator value as zero.
[0183] The authorized status indicator value of the chain head event is multiplied consecutively with the allowed relay status of each hop in the current largest cross-interface relay chain in the relay chain order to form the allowed status indicator value of the current largest cross-interface relay chain.
[0184] When the allowed status indicator is 1, the current maximum cross-interface relay chain is recorded as an allowed relay chain; when the allowed status indicator is 0, the current maximum cross-interface relay chain is recorded as not belonging to the allowed relay chain.
[0185] Add up the writable attribute bits, control state change attribute bits, persistent attribute bits, and security-related attribute bits of each target object, and gather the target objects whose sum is not less than three to form a high-value object set;
[0186] For each interface number, check whether the intersection of the reachable object set and the high-value object set corresponding to the current interface number in the current context is non-empty. Interface numbers with non-empty intersections are collected to form a set of key interface numbers.
[0187] By combining write, control, and erase operations, a set of high-impact operations is formed.
[0188] When the current maximum cross-interface relay chain is not empty, each event in the current maximum cross-interface relay chain is read one by one. When the interface number corresponding to the event belongs to the set of key interface numbers and the operation type corresponding to the event belongs to the set of high-impact operations, a count is performed on the current event to form the number of key landing points in the current maximum cross-interface relay chain.
[0189] When the current maximum cross-interface relay chain is empty, the allowed status indicator is recorded as zero, and the critical landing count is recorded as zero.
[0190] when At that time, The Middle Jump, construct the relay indicator, specifically:
[0191] ;in, For the first The allowable relay jump; This is an indicator function; it takes the value 1 if the condition inside the parentheses is true, and 0 if it is false.
[0192] Construct the first The conditions for a jump relay are as follows: ;in, For the first Does the jump meet the conditions for a permitted relay?
[0193] The conditions for authorizing the chain head event are as follows: ;in, The longest relay chain at present Whether the chain head event was authorized; This is the interface number corresponding to the current largest relay chain head event; The operation type corresponding to the first event of the current largest relay chain; The target object number corresponding to the current largest relay chain's first event;
[0194] when At that time, construct the allowed state indicator of the current maximum relay chain, specifically as follows:
[0195] ;in, This is the current maximum allowable state indicator for the relay chain.
[0196] when When the current longest relay chain is determined to be an allowed relay chain;
[0197] when When this happens, the current longest relay chain is determined not to be an allowed relay chain;
[0198] when At that time, take ;
[0199] First, construct a collection of high-value objects based on their key attributes:
[0200] ;in, A collection of high-value objects;
[0201] The set of key interfaces is reconstructed as follows: ;in, A set of key interfaces;
[0202] when At the same time, construct a set of high-impact operations. ;
[0203] For the current largest relay chain The critical landing point count is calculated as follows:
[0204] ;in, The longest relay chain at present The number of key landing points in the text; The current longest relay chain The interface number corresponding to each event; The current longest relay chain The operation type corresponding to each event;
[0205] when At that time, take .
[0206] Reference Figure 4 The process of obtaining the unauthorized access intent value, judgment threshold, unauthorized access intent identification conclusion, and strongest abnormal evidence chain corresponding to the current event to be judged, based on the allowed state indicator, chain-level relay gain, and number of key landing points, specifically includes:
[0207] When the current maximum cross-interface relay chain is not empty, read the allowed status indicator, chain-level relay gain, and number of critical landing points;
[0208] Subtract the allowed status indicator from the value, multiply the result by the chain relay gain, and then multiply the product by the result of adding one to the number of critical landing points to form the unauthorized access intent value corresponding to the current event to be judged.
[0209] Multiply the allowed state indicator by the chain relay gain, and then multiply the product by the result of adding one to the number of critical landing points to form the judgment threshold corresponding to the current event to be judged.
[0210] Compare the unauthorized access intent value corresponding to the current event to be judged with the judgment threshold. If the unauthorized access intent value is greater than the judgment threshold, the current event to be judged is recorded as meeting the unauthorized access intent judgment condition.
[0211] When the value of unauthorized access intent is greater than the judgment threshold, the conclusion of unauthorized access intent identification is recorded as the existence of unauthorized access intent on the industrial control computer peripheral interface, and the current maximum cross-interface relay chain is recorded as the strongest abnormal evidence chain.
[0212] When the value of unauthorized access intent is not greater than the judgment threshold, the current event to be judged is recorded as not meeting the unauthorized access intent judgment condition, the unauthorized access intent identification conclusion is recorded as not identifying unauthorized access intent of industrial control computer peripheral interface, and the strongest abnormal evidence chain is recorded as empty.
[0213] When the current maximum cross-interface relay chain is empty, the unauthorized access intent value is recorded as zero, the judgment threshold is recorded as zero, the current event to be judged is recorded as not meeting the unauthorized access intent judgment condition, the unauthorized access intent identification conclusion is recorded as not identifying unauthorized access intent of the industrial control computer peripheral interface, and the strongest abnormal evidence chain is recorded as empty.
[0214] Construct the unauthorized access intent value for the current event location, specifically as follows:
[0215] ;in, For the first The value of the unauthorized access intent at each event point;
[0216] The threshold for determining the current event location is constructed as follows:
[0217] ;in, For the first The threshold for determining an event;
[0218] The conditions for determining unauthorized access intent are as follows: ;in, For the first Does the event meet the criteria for determining unauthorized access intent?
[0219] The construction determination result is: ;in, For the first The final judgment result at each event;
[0220] The strongest chain of evidence for anomalies is constructed as follows: ;in, For the first The strongest chain of unusual evidence at the point of the event;
[0221] when ,Pick: , , , .
[0222] The output includes the conclusion of unauthorized access intent identification, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain relay gain, number of key landing points, unauthorized access intent value and judgment threshold, and is written into the result record table. Specifically, when the current event to be judged meets the unauthorized access intent judgment condition, the output shows that there is an unauthorized access intent of the industrial control computer peripheral interface.
[0223] If the current event to be determined does not meet the conditions for determining unauthorized access intent, the output will be: Unauthorized access intent to the industrial control computer peripheral interface was not detected.
[0224] Synchronously output the session identifier corresponding to the event to be judged;
[0225] When the strongest abnormal evidence chain is not empty, output the sequence of interface numbers involved in the strongest abnormal evidence chain in chronological order of events;
[0226] When the strongest abnormal evidence chain is not empty, output the operation type and target object number corresponding to each event in the strongest abnormal evidence chain in chronological order.
[0227] When the strongest abnormal evidence chain is not empty, output the actual switching interval of each jump and the allowed switching interval of each jump in the jump order;
[0228] When the strongest abnormal evidence chain is not empty, output the segment migration sequence in the jump order, and output the chain-level relay gain and the number of key landing points corresponding to the strongest abnormal evidence chain.
[0229] Output the unauthorized access intent value and judgment threshold corresponding to the current event to be judged;
[0230] When the strongest abnormal evidence chain is empty, the following will be output as empty values: interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval of each hop, segment migration sequence, chain-level relay gain and number of key landing points.
[0231] Write the unauthorized access intent identification conclusion, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain relay gain, number of critical landing points, unauthorized access intent value and judgment threshold into the result record table.
[0232] When the conditions for determining unauthorized access intent are met At that time, the output indicates an unauthorized access attempt to the industrial control computer's peripheral interface;
[0233] When the conditions for determining unauthorized access intent are not met At that time, the output did not detect any unauthorized access attempt to the industrial control computer's peripheral interface;
[0234] The following content will be output synchronously: S801, session identifier. S802, Chain of Evidence The interface sequence involved S803, Operation types of each event in the chain of evidence and target object S804, actual switching interval for each hop With allowed handover interval S805, incremental migration of each hop segment S806, the chain-level relay gain corresponding to the chain of evidence S807, the number of key points corresponding to the chain of evidence. S808, Current unauthorized access intent value With the judgment threshold ;
[0235] when At that time, S802 to S807 output null values;
[0236] Write the identification conclusion and the evidence chain field together into the results record table.
[0237] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0238] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the technical principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. A method for identifying unauthorized access intent of an industrial control computer peripheral interface, characterized in that, include: Collect access records of industrial control computer peripherals, and construct access event sequences, a ternary authorization table, a set of reachable objects corresponding to each interface number in the current context, and the critical level corresponding to each target object; Read the switching calibration test records of each interface number, filter the interface numbers that meet the valid calibration conditions, obtain the switching completion time, and construct a right sliding window of the session and a pair of adjacent event positions in the same session around the current event to be determined; Based on the right sliding window of the session, perform interface number validity checks, interface number difference checks, and switching time checks to obtain the maximum cross-interface relay chain corresponding to the current event to be judged; For each hop in the current largest cross-interface relay chain, the coverage ratio of newly reachable objects relative to the starting interface number of the endpoint interface number is calculated. Combined with the criticality level of the target object corresponding to the endpoint event of each hop, the migration increment and migration sequence of each hop segment are formed. Perform chain multiplication calculations in the order of the segment migration sequence to obtain the chain-level relay gain corresponding to the current maximum cross-interface relay chain; Check the authorization status of each event in the current largest cross-interface relay chain, and combine the set of high-value objects, the set of key interface numbers, and the set of high-impact operations to obtain the allowed status indication and the number of key landing points; Based on the allowed status indicator, chain-level relay gain, and number of key landing points, obtain the unauthorized access intent value, judgment threshold, unauthorized access intent identification conclusion, and strongest abnormal evidence chain corresponding to the current event to be judged. Output the unauthorized access intent identification conclusion, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain relay gain, number of critical landing points, unauthorized access intent value and judgment threshold, and write them to the result record table.
2. The method for identifying unauthorized access intent of an industrial control computer peripheral interface according to claim 1, characterized in that, The process of collecting access records from industrial control computer peripherals involves constructing an access event sequence, a ternary authorization table, a set of reachable objects corresponding to each interface number in the current context, and a key level corresponding to each target object. Specifically, this includes: The peripheral access records of the industrial control computer are organized into a sequence of access events arranged in chronological order of occurrence, ensuring that the occurrence time of the later access event is no earlier than that of the earlier access event. In each access event, the session identifier, interface number, operation type, target object number, and occurrence time are recorded. Based on the current personnel identity, work order task and equipment process stage, authorization verification is performed on each combination of interface number, operation type and target object number to generate a three-element authorization table, and the authorization status is divided into unauthorized and authorized. For each interface number, iterate through all records in the ternary authorization table corresponding to the current interface number, and collect the target objects corresponding to the target object numbers with the authorization status of authorized, forming a set of reachable objects for the current interface number in the current context; For each target object, read the writable attribute bits, control state change attribute bits, persistent attribute bits, and security-related attribute bits, and add the four attribute bits together; The sum of the four attribute bits is divided by four to form the key level of the current target object.
3. The method for identifying unauthorized access intent of an industrial control computer peripheral interface according to claim 2, characterized in that, The process of reading the handover calibration test records for each interface number, filtering interface numbers that meet the valid calibration conditions, obtaining the handover completion time, and constructing a session right sliding window and adjacent event position pairs within the same session around the current event to be determined includes: For each interface number, read all the switching calibration test records corresponding to the current interface number, and read the control takeover completion time and the first valid response time in each switching calibration test record; For each interface number, check the switching calibration test records one by one. When there is at least one switching calibration test that satisfies the condition that the first valid response time is not earlier than the control takeover completion time, record the current interface number as meeting the valid calibration condition. All interface numbers that meet the valid calibration conditions are collected to form a set of valid calibration interface numbers; For each interface number in the set of valid calibration interface numbers, read the control takeover completion time and the first valid response time in all switching calibration tests corresponding to the current interface number. For test records where the first valid response time is not earlier than the control takeover completion time, calculate the time difference between the first valid response time and the control takeover completion time for each record. Take the maximum value from all time differences corresponding to the same interface number to form the handover completion time for the current interface number; For the current event to be determined, read all access events of the session to which the current event to be determined belongs from the start time of the session to the time when the current event to be determined occurs, and form a right sliding window of the session with the current event to be determined as the right endpoint; For the access event positions within the right sliding window of the session, check any two adjacent positions in chronological order. If there are no other access event positions between the two positions, record the two positions as a pair of adjacent event positions in the same session, forming a set of adjacent event position pairs in the same session.
4. The method for identifying unauthorized access intent of an industrial control computer peripheral interface according to claim 3, characterized in that, The process of performing interface number validity checks, interface number difference checks, and switching time checks based on the right sliding window of the session to obtain the maximum cross-interface relay chain corresponding to the current event to be determined specifically includes: Select the current event sequence candidate with the current location of the event to be determined as the end position in the right sliding window of the session. The current event sequence candidate must contain at least two access events, and the positions of each access event must be arranged in ascending order from front to back, and the positions of two adjacent access events must form a pair of adjacent event positions in the same session. For each hop in the current event sequence candidate, read the occurrence time of the previous event and the occurrence time of the next event, and subtract the occurrence time of the previous event from the occurrence time of the next event to form the actual switching interval of the current hop; For each hop in the current event sequence candidate, read the handover completion time of the interface number corresponding to the previous event and the handover completion time of the interface number corresponding to the next event, add the two handover completion times together to form the allowed handover interval for the current hop; For each hop in the current event sequence candidate, perform interface number validity check, interface number difference check, and switching time check. The interface number validity check checks whether the interface number corresponding to the previous event and the interface number corresponding to the next event both belong to the set of valid labeled interface numbers. The interface number difference check checks whether the interface number corresponding to the next event is different from the interface number corresponding to the previous event. The switching time check checks whether the actual switching interval of the current hop is greater than zero and not greater than the allowed switching interval of the current hop. Starting from the current location of the event to be determined, the set is continuously backtracked forward along the locations of adjacent events in the same session. When the interface number validity check, interface number difference check, and switching time check all pass during each backtracking, the newly detected previous event is merged into the beginning of the current event sequence candidate. If there are no more position pairs that can be traced back, or if any interface number validity check, interface number difference check, or switch time check fails during the backtracking process, the current backtracking is terminated, and the longest continuous event sequence that has been formed is retained. The longest consecutive event sequence that passes the interface number validity check, interface number difference check, and switching time check, and whose end position is the current location of the event to be judged, is denoted as the maximum cross-interface relay chain corresponding to the current event to be judged. If there is no consecutive event sequence that passes the interface number validity check, interface number difference check, and switching time check, the maximum cross-interface relay chain corresponding to the current event to be determined is recorded as empty.
5. The method for identifying unauthorized access intent of an industrial control computer peripheral interface according to claim 4, characterized in that, For each hop in the current largest cross-interface relay chain, the percentage of newly reachable objects covered by the endpoint interface number relative to the starting interface number is calculated. This, combined with the criticality level of the target object corresponding to each hop's endpoint event, forms the hop segment migration increment and segment migration sequence, specifically including: When the current maximum cross-interface relay chain is not empty, for each hop in the current maximum cross-interface relay chain, read the set of reachable objects corresponding to the current hop start interface number in the current context and the set of reachable objects corresponding to the current hop end interface number in the current context; Remove target objects that are also in the reachable object set corresponding to the current jump start point interface number in the current context from the current jump end point interface number's reachable object set in the current context, and retain target objects that are only newly reached by the current jump end point interface number; Count the number of newly reached target objects for the current jump endpoint interface number, and count the number of target objects corresponding to all target object numbers in the three-element authorization table; Divide the number of newly reached target objects by the current hop endpoint interface number by the total number of target objects corresponding to all target object numbers in the ternary authorization table to form the coverage ratio of newly reachable objects for the current hop; Read the criticality level of the target object corresponding to the current jump endpoint event, multiply the coverage ratio of newly reachable objects of the current jump by the criticality level of the target object corresponding to the current jump endpoint event, and form the segment migration increment of the current jump; According to the jump order in the current largest cross-interface relay chain, all segment migration increments are obtained in sequence to form a segment migration sequence.
6. The method for identifying unauthorized access intent of an industrial control computer peripheral interface according to claim 5, characterized in that, The step-by-step multiplication calculation, performed sequentially according to the segment migration sequence, yields the chain-level relay gain corresponding to the current maximum cross-interface relay chain. Specifically, this includes: If the current maximum cross-interface relay chain is not empty, read the segment migration sequence corresponding to the current maximum cross-interface relay chain; Add the segment migration increment of each hop in the segment migration sequence to the value one to form a product term corresponding to each hop one; Multiply all product terms consecutively according to the jump order in the current largest cross-interface relay chain; Subtract one from the result of continuous multiplication to form the chain-level relay gain corresponding to the current maximum cross-interface relay chain. When the current maximum cross-interface relay chain is empty, the chain-level relay gain is recorded as zero.
7. The method for identifying unauthorized access intent of an industrial control computer peripheral interface according to claim 6, characterized in that, The process of verifying the authorization status of each event in the current largest cross-interface relay chain, combined with the set of high-value objects, the set of key interface numbers, and the set of high-impact operations, to obtain the permitted status indication and the number of key landing points, specifically includes: When the current maximum cross-interface relay chain is not empty, for each hop in the current maximum cross-interface relay chain, read the interface number, operation type and target object number corresponding to the previous event and the next event respectively, and check the authorization status of the previous event and the next event in the ternary authorization table. In the same jump, if both the previous event and the next event are in an authorized state, the allowed relay state of the current jump is recorded as one; if either unauthorized state exists, the allowed relay state of the current jump is recorded as zero. Read the interface number, operation type and target object number corresponding to the current largest cross-interface relay chain head event, and check the authorization status of the chain head event in the ternary authorization table. When the chain head event is in an authorized state, record the chain head event authorization status indicator value as one; when there is an unauthorized state, record the chain head event authorization status indicator value as zero. The authorized status indicator value of the chain head event is multiplied consecutively with the allowed relay status of each hop in the current largest cross-interface relay chain in the relay chain order to form the allowed status indicator value of the current largest cross-interface relay chain. When the allowed status indicator is 1, the current maximum cross-interface relay chain is recorded as an allowed relay chain; when the allowed status indicator is 0, the current maximum cross-interface relay chain is recorded as not belonging to the allowed relay chain. Add up the writable attribute bits, control state change attribute bits, persistent attribute bits, and security-related attribute bits of each target object, and gather the target objects whose sum is not less than three to form a high-value object set; For each interface number, check whether the intersection of the reachable object set and the high-value object set corresponding to the current interface number in the current context is non-empty. Interface numbers with non-empty intersections are collected to form a set of key interface numbers. By combining write, control, and erase operations, a set of high-impact operations is formed. When the current maximum cross-interface relay chain is not empty, each event in the current maximum cross-interface relay chain is read one by one. When the interface number corresponding to the event belongs to the set of key interface numbers and the operation type corresponding to the event belongs to the set of high-impact operations, a count is performed on the current event to form the number of key landing points in the current maximum cross-interface relay chain. When the current maximum cross-interface relay chain is empty, the allowed status indicator is recorded as zero, and the critical landing count is recorded as zero.
8. The method for identifying unauthorized access intent of an industrial control computer peripheral interface according to claim 7, characterized in that, The process of obtaining the unauthorized access intent value, judgment threshold, unauthorized access intent identification conclusion, and strongest abnormal evidence chain corresponding to the current event to be judged, based on the allowed state indicator, chain-level relay gain, and number of key landing points, specifically includes: When the current maximum cross-interface relay chain is not empty, read the allowed status indicator, chain-level relay gain, and number of critical landing points; Subtract the allowed status indicator from the value, multiply the result by the chain relay gain, and then multiply the product by the result of adding one to the number of critical landing points to form the unauthorized access intent value corresponding to the current event to be judged. Multiply the allowed state indicator by the chain relay gain, and then multiply the product by the result of adding one to the number of critical landing points to form the judgment threshold corresponding to the current event to be judged. Compare the unauthorized access intent value corresponding to the current event to be judged with the judgment threshold. If the unauthorized access intent value is greater than the judgment threshold, the current event to be judged is recorded as meeting the unauthorized access intent judgment condition. When the value of unauthorized access intent is greater than the judgment threshold, the conclusion of unauthorized access intent identification is recorded as the existence of unauthorized access intent on the industrial control computer peripheral interface, and the current maximum cross-interface relay chain is recorded as the strongest abnormal evidence chain. When the value of unauthorized access intent is not greater than the judgment threshold, the current event to be judged is recorded as not meeting the unauthorized access intent judgment condition, the unauthorized access intent identification conclusion is recorded as not identifying unauthorized access intent of industrial control computer peripheral interface, and the strongest abnormal evidence chain is recorded as empty. When the current maximum cross-interface relay chain is empty, the unauthorized access intent value is recorded as zero, the judgment threshold is recorded as zero, the current event to be judged is recorded as not meeting the unauthorized access intent judgment condition, the unauthorized access intent identification conclusion is recorded as not identifying unauthorized access intent of the industrial control computer peripheral interface, and the strongest abnormal evidence chain is recorded as empty.
9. A method for identifying unauthorized access intent of an industrial control computer peripheral interface according to claim 8, characterized in that, The output includes the conclusion of unauthorized access intent identification, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain relay gain, number of key landing points, unauthorized access intent value and judgment threshold, and is written into the result record table. Specifically, when the current event to be judged meets the unauthorized access intent judgment condition, the output shows that there is an unauthorized access intent of the industrial control computer peripheral interface. If the current event to be determined does not meet the conditions for determining unauthorized access intent, the output will be: Unauthorized access intent to the industrial control computer peripheral interface was not detected. Synchronously output the session identifier corresponding to the event to be judged; When the strongest abnormal evidence chain is not empty, output the sequence of interface numbers involved in the strongest abnormal evidence chain in chronological order of events; When the strongest abnormal evidence chain is not empty, output the operation type and target object number corresponding to each event in the strongest abnormal evidence chain in chronological order. When the strongest abnormal evidence chain is not empty, output the actual switching interval of each jump and the allowed switching interval of each jump in the jump order; When the strongest abnormal evidence chain is not empty, output the segment migration sequence in the jump order, and output the chain-level relay gain and the number of key landing points corresponding to the strongest abnormal evidence chain. Output the unauthorized access intent value and judgment threshold corresponding to the current event to be judged; When the strongest abnormal evidence chain is empty, the following will be output as empty values: interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval of each hop, segment migration sequence, chain-level relay gain and number of key landing points. Write the unauthorized access intent identification conclusion, session identifier, interface number sequence, operation type and target object number corresponding to each event, actual switching interval and allowed switching interval for each hop, segment migration sequence, chain relay gain, number of critical landing points, unauthorized access intent value and judgment threshold into the result record table.