An industrial control system network security monitoring system, a monitoring method and device thereof
By aligning the controller scan cycle with the monitoring node's sampling sequence on a unified time base, identifying mismatch windows where the two do not overlap, and performing differential comparison within those windows, the mismatch between monitoring timing and control timing is resolved, enabling timely identification and tracing of abnormal control behaviors and improving the accuracy and reliability of monitoring.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHANXI KEXINYUAN TECHNOLOGY CO LTD
- Filing Date
- 2026-05-22
- Publication Date
- 2026-06-19
AI Technical Summary
Existing industrial control system network security monitoring methods suffer from a mismatch between monitoring timing and control timing, making it difficult to identify and locate abnormal control behaviors in a timely and accurate manner within a short period of time.
By acquiring the scanning cycle data of the industrial control system controller and the sampling time sequence data of the monitoring node, time alignment is performed based on a unified time reference to form a time sequence mapping relationship dataset. Mismatch windows are identified and the time sequence intervals of short-term control and manipulation behaviors are extracted. By combining real-time control status data and network message data for differencing and comparison, security monitoring alarm data is generated.
It improves the location accuracy and alarm reliability of network security monitoring for industrial control systems, enabling timely identification and tracing of abnormal control behaviors.
Abstract figure: CN122247770A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security monitoring technology, and more specifically, to a network security monitoring system for industrial control systems, as well as its monitoring methods and equipment.
Background Technology
[0002] Industrial control systems are widely used in many important industrial sectors such as energy, chemical industry, and manufacturing. The security of the control network is crucial for production stability and safety. Existing industrial control system network security monitoring technologies typically rely on fixed-period scanning monitoring modes to collect and analyze control status data and network communication messages. Because the scanning cycle of the industrial control system controller and the sampling sequence of the monitoring nodes are usually set independently, inconsistencies in timing occur during operation. This causes a time misalignment between the data collected by the monitoring nodes and the actual status data of the controller, making it difficult to effectively identify and locate short-term abnormal control behaviors.
[0003] Therefore, existing industrial control system network security monitoring methods suffer from the problem that abnormal control behaviors occurring in a short period of time cannot be detected in a timely and accurate manner due to the mismatch between monitoring timing and control timing.
[0004] To address the aforementioned problems, a technical solution is provided.
Summary of the Invention
[0005] In order to overcome the above-mentioned defects of the prior art, embodiments of the present invention provide an industrial control system network security monitoring system and its monitoring method and equipment to solve the problems mentioned in the background art.
[0006] To achieve the above objectives, the present invention provides the following technical solution:
[0007] A method for network security monitoring of industrial control systems includes the following steps:
[0008] S1: Obtain the scan cycle data of the industrial control system controller and the sampling time sequence data of the monitoring node, and perform time alignment based on a unified time reference to form a time sequence mapping relationship dataset;
[0009] S2: Calculate the sampling point distribution based on the time-series mapping relationship dataset and map the coverage gaps as mismatch windows. Extract the start and end times of the mismatch windows as the time-series intervals in which short-term control and manipulation behaviors occur.
[0010] S3: Within the time interval, merge the real-time control status data output by the industrial control system controller according to the scan cycle to form interval control status sequence data, and perform adjacent difference and flip detection to obtain short-term abnormal state change data.
[0011] S4: Within the time interval, network packet data collected by monitoring nodes are merged according to the sampling time sequence to form time interval network packet sequence data, and the packet interval and content difference are compared to obtain time sequence matching anomaly feature data;
[0012] S5: Compare the temporal position of short-term abnormal state change data with the temporal position of temporally matched abnormal feature data to form abnormal feature fusion data;
[0013] S6: Based on the fusion of abnormal features, backtrack the network message sequence data and interval control status sequence data of the time interval to determine the start and end time intervals and communication link information, and generate security monitoring alarm data.
[0014] In a preferred embodiment, S1 specifically refers to:
[0015] The scan cycle data of the industrial control system controller is calculated by extracting control program execution cycle information from the industrial control system controller's operation configuration and operation log.
[0016] Data capture trigger time information is extracted from the data acquisition configuration and data acquisition records of the network security monitoring nodes to generate sampling time sequence data of the monitoring nodes;
[0017] Based on a unified time reference, the scanning cycle data of the industrial control system controller is time-aligned with the sampling time sequence data of the monitoring node to construct a time sequence mapping relationship dataset.
[0018] In a preferred embodiment, S2 specifically refers to:
[0019] Based on the time-series mapping relationship dataset, the location of the sampling time-series data of the monitoring node in the scanning cycle data of the industrial control system controller is calculated, and sampling point distribution data is generated.
[0020] Based on the sampling point distribution data, identify the coverage gaps between adjacent sampling points, that is, the consecutive scan cycles that contain no monitoring-node sampling trigger;
[0021] The coverage gap is mapped as a mismatch window between the monitoring sampling timing and the industrial control system controller scan cycle;
[0022] Extract the start and end times of the mismatched window as the time interval for the occurrence of short-term control and manipulation behavior.
[0023] In a preferred embodiment, S3 specifically refers to:
[0024] Based on the timing interval of short-term control and manipulation behavior, the corresponding timing data is extracted from the real-time control status data output by the industrial control system controller.
[0025] The captured real-time control status data is merged according to the scan cycle data of the industrial control system controller to form interval control status sequence data.
[0026] Numerical difference and flip detection are performed on the real-time control state data of adjacent scan cycles in the interval control state sequence data. The end time of the scan cycle in which the state change occurred and the corresponding state change amplitude are extracted to generate short-term state abnormal change data.
[0027] In a preferred embodiment, S4 specifically refers to:
[0028] Based on the time interval of short-term control and manipulation behavior, the corresponding time sequence data is extracted from the network packet data collected by the monitoring node;
[0029] The captured network packet data are merged according to the sampling time-series data of the monitoring nodes to form time-series network packet sequence data;
[0030] The interval between the packet capture trigger times and the differences in packet content are calculated for adjacent network packets in the time-series network packet sequence data. The abnormal positions of the packet interval and the abnormal features of the packet content are extracted to generate time-series matching abnormal feature data.
[0031] In a preferred embodiment, S5 specifically refers to:
[0032] The temporal location of an abnormal state change is given by the end time of the scan cycle in which the state change occurred, as recorded in the short-term state abnormal change data;
[0033] The temporal position of the message anomaly feature is determined based on the message interval anomaly position and the message content anomaly feature corresponding to the message capture trigger time in the temporal matching anomaly feature data;
[0034] The temporal location of abnormal state changes and the temporal location of abnormal message features are compared to form fused data of abnormal features of short-term control and manipulation behavior.
[0035] In a preferred embodiment, S6 specifically refers to:
[0036] The start and end times of short-term control and manipulation behavior are determined by fusing abnormal features of short-term control and manipulation behavior data.
[0037] By backtracking the network message sequence data and interval control status sequence data of the corresponding time interval using the start and end time positions as boundaries, the start and end time intervals corresponding to short-term control and manipulation behaviors are determined. The source address, destination address, port number and protocol type of the network messages within the start and end time intervals are extracted to generate communication link information and form security monitoring and alarm data.
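As an added worked example of steps S4 to S6 (not part of the patent specification), the following Python code takes packets captured inside a mismatch window, flags adjacent-packet capture-interval anomalies and, as a refinement of the plain adjacent comparison, content differences against the previous packet on the same link, pairs each control-state flip time from S3 with the nearest preceding packet anomaly, and backtracks to the start and end times and the communication links for the alarm. The addresses, the Modbus/TCP-style payloads, the 10 ms nominal capture interval, the 100 ms to 130 ms window and the flip times are all constructed for the example.

```python
"""Steps S4-S6: packet-side anomaly features inside a mismatch window, fusion
with control-state flip times, and traceback to alarm data with link info."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    capture_ms: int   # capture-trigger timestamp, unified time base (ms)
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass(frozen=True)
class PacketAnomaly:
    capture_ms: int
    reasons: Tuple[str, ...]
    pkt: Packet


Link = Tuple[str, str, int, str]  # (src, dst, dport, proto)


def link_of(p: Packet) -> Link:
    return (p.src, p.dst, p.dport, p.proto)


def packet_anomalies(pkts: List[Packet], nominal_ms: int, baseline: List[Packet],
                     short_ratio: float = 0.5, long_ratio: float = 3.0) -> List[PacketAnomaly]:
    """S4: capture-interval check against the adjacent packet in the sequence;
    content check against the previous packet on the same link (baseline packets
    from before the window seed the per-link comparison). A link first seen
    inside the window has no baseline and is flagged as such."""
    out: List[PacketAnomaly] = []
    prev: Optional[Packet] = baseline[-1] if baseline else None
    last_on_link: Dict[Link, Packet] = {link_of(b): b for b in baseline}
    for p in sorted(pkts, key=lambda x: x.capture_ms):
        reasons: List[str] = []
        if prev is not None:
            gap = p.capture_ms - prev.capture_ms
            if gap < nominal_ms * short_ratio:
                reasons.append(f"capture interval {gap} ms below {nominal_ms * short_ratio:g} ms")
            elif gap > nominal_ms * long_ratio:
                reasons.append(f"capture interval {gap} ms above {nominal_ms * long_ratio:g} ms")
        base = last_on_link.get(link_of(p))
        if base is None:
            reasons.append("first packet on this link inside the window")
        elif base.payload != p.payload:
            changed = sum(a != b for a, b in zip(base.payload, p.payload)) \
                + abs(len(base.payload) - len(p.payload))
            reasons.append(f"payload differs from previous packet on link in {changed} byte(s)")
        if reasons:
            out.append(PacketAnomaly(p.capture_ms, tuple(reasons), p))
        prev = p
        last_on_link[link_of(p)] = p
    return out


def fuse(flip_times: List[int], anomalies: List[PacketAnomaly],
         lookback_ms: int) -> List[Tuple[int, PacketAnomaly]]:
    """S5: pair each state-flip time with the nearest packet anomaly captured
    within lookback_ms before (or at) the flip; unpaired flips are dropped."""
    fused = []
    for t in sorted(flip_times):
        cands = [a for a in anomalies if t - lookback_ms <= a.capture_ms <= t]
        if cands:
            fused.append((t, max(cands, key=lambda a: a.capture_ms)))
    return fused


def build_alarm(fused: List[Tuple[int, PacketAnomaly]], pkts: List[Packet],
                window: Tuple[int, int]) -> Optional[dict]:
    """S6: backtrack from the fused features to start/end times and the links
    active in that span; links that carried the paired anomalies are listed separately."""
    if not fused:
        return None
    start = min(a.capture_ms for _, a in fused)
    end = max(t for t, _ in fused)
    in_range = [p for p in pkts if start <= p.capture_ms <= end]
    return {
        "window_ms": window,
        "start_ms": start,
        "end_ms": end,
        "links": sorted({link_of(p) for p in in_range}),
        "suspect_links": sorted({link_of(a.pkt) for _, a in fused}),
        "evidence": [(t, a.capture_ms, a.reasons) for t, a in fused],
    }


# Constructed capture records. Payloads mimic Modbus function codes (0x03 read
# holding registers, 0x05 write single coil) but are only illustrative bytes.
READ_HR = bytes.fromhex("0300100001")
WRITE_COIL_A = bytes.fromhex("050001ff00")
WRITE_COIL_B = bytes.fromhex("050002ff00")
HMI, ROGUE, PLC = "10.0.0.5", "10.0.0.99", "10.0.0.20"
BASELINE = [Packet(91, HMI, PLC, 502, "tcp", READ_HR)]  # last packet before the window
WINDOW_PKTS = [
    Packet(101, HMI, PLC, 502, "tcp", READ_HR),
    Packet(111, HMI, PLC, 502, "tcp", READ_HR),
    Packet(113, ROGUE, PLC, 502, "tcp", WRITE_COIL_A),  # burst + unseen link
    Packet(121, HMI, PLC, 502, "tcp", READ_HR),
    Packet(123, ROGUE, PLC, 502, "tcp", WRITE_COIL_B),  # burst + changed payload
]
FLIP_TIMES = [120, 130]  # scan-cycle end times of state flips reported by S3


def run_example() -> Optional[dict]:
    anomalies = packet_anomalies(WINDOW_PKTS, nominal_ms=10, baseline=BASELINE)
    return build_alarm(fuse(FLIP_TIMES, anomalies, lookback_ms=10), WINDOW_PKTS, (100, 130))


if __name__ == "__main__":
    print(run_example())
```

The lookback used in `fuse` is one scan cycle, which is the resolution at which S3 can place a flip; a packet anomaly later than the flip it is supposed to explain is not paired, and a flip with no packet evidence is left out of the alarm rather than reported on control-state evidence alone.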
[0038] On the other hand, the present invention provides an industrial control system network security monitoring system, comprising:
[0039] Timing Alignment Module: Acquires the scan cycle data of the industrial control system controller and the sampling timing data of the monitoring nodes, performs time alignment based on a unified time reference, and forms a timing mapping relationship dataset;
[0040] Window extraction module: Calculates the sampling point distribution based on the time-series mapping relationship dataset and maps the coverage gaps as mismatched windows, extracts the start and end times of the mismatched windows as the time-series intervals in which short-term control and manipulation behaviors occur;
[0041] State Analysis Module: Within a time interval, the real-time control state data output by the industrial control system controller is merged according to the scan cycle to form interval control state sequence data, and adjacent difference and flip detection are performed to obtain short-term state abnormal change data;
[0042] Message Analysis Module: Within a time interval, network message data collected by monitoring nodes are merged according to the sampling time sequence to form time interval network message sequence data, and message interval and content difference are compared to obtain time sequence matching anomaly feature data;
[0043] Feature fusion module: compares the temporal position of short-term abnormal state change data with the temporal position of temporally matched abnormal feature data to form abnormal feature fusion data;
[0044] Alarm generation module: Based on the fusion of abnormal features, backtrack the network message sequence data and interval control status sequence data of the time interval, determine the start and end time interval and communication link information, and generate security monitoring alarm data.
[0045] On the other hand, the present invention provides an industrial control system network security monitoring device, comprising: a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement an industrial control system network security monitoring method.
[0046] The technical effects and advantages of the industrial control system network security monitoring system, monitoring method, and equipment of this invention are as follows:
[0047] By acquiring the scan cycle data of the industrial control system controller and the sampling time sequence data of the monitoring nodes, and forming a time sequence mapping relationship dataset based on a unified time reference, a unified analysis basis for control time sequence and monitoring time sequence is established. By calculating the sampling point distribution, identifying coverage gaps, and mapping them as mismatch windows, the possible time sequence intervals of short-term control and manipulation behaviors can be clearly identified. By merging real-time control state data within the time sequence interval and performing adjacent difference and flip detection, short-term abnormal state change data can be obtained from the control state side. By merging network message data within the same time sequence interval and comparing message interval and content differences, time sequence matching abnormal feature data can be obtained from the network communication side. By comparing the time sequence positions of the two types of abnormal data and forming abnormal feature fusion data, a time sequence correlation between control state abnormalities and network message abnormalities can be established. By tracing back the network message sequence data and control state sequence data within the time sequence interval, the start and end time intervals of abnormal behavior and communication link information can be determined, and security monitoring alarm data can be generated, thereby improving the positioning accuracy, alarm reliability, and anomaly tracing capability of industrial control system network security monitoring.
Attached Figure Description
[0048] Figure 1 is a schematic diagram of the network security monitoring method for an industrial control system according to the present invention;
[0049] Figure 2 is a schematic diagram of the structure of the industrial control system network security monitoring system according to the present invention.
Detailed Implementation
[0050] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present invention.
[0051] Example 1
[0052] Referring to Figure 1, this invention provides a network security monitoring method for industrial control systems, which includes the following steps:
[0053] S1: Obtain the scan cycle data of the industrial control system controller and the sampling time sequence data of the monitoring node, and perform time alignment based on a unified time reference to form a time sequence mapping relationship dataset;
[0054] S2: Calculate the sampling point distribution based on the time-series mapping relationship dataset and map the coverage gaps as mismatch windows. Extract the start and end times of the mismatch windows as the time-series intervals in which short-term control and manipulation behaviors occur.
[0055] S3: Within the time interval, merge the real-time control status data output by the industrial control system controller according to the scan cycle to form interval control status sequence data, and perform adjacent difference and flip detection to obtain short-term abnormal state change data.
[0056] S4: Within the time interval, network packet data collected by monitoring nodes are merged according to the sampling time sequence to form time interval network packet sequence data, and the packet interval and content difference are compared to obtain time sequence matching anomaly feature data;
[0057] S5: Compare the temporal position of short-term abnormal state change data with the temporal position of temporally matched abnormal feature data to form abnormal feature fusion data;
[0058] S6: Based on the fusion of abnormal features, backtrack the network message sequence data and interval control status sequence data of the time interval to determine the start and end time intervals and communication link information, and generate security monitoring alarm data.
[0059] S1: Acquire the scan cycle data of the industrial control system controller and the sampling time sequence data of the monitoring nodes, align them based on a unified time reference, and form a time sequence mapping dataset, including:
[0060] The scan cycle data of the industrial control system controller is obtained by reading the control program execution cycle information from the industrial control system controller's operation configuration and operation log;
[0061] Specifically, the operational configuration of an industrial control system controller is typically stored in a specific configuration file, such as a scan cycle parameter setting section in the control program code file or a configuration database table for the control program. The cycle information is extracted by reading the execution cycle information field identified in the control program code file or configuration database. The control program execution cycle information is usually represented by periodic time intervals, such as the time interval set for the control program scan, like 10 milliseconds or 20 milliseconds. The industrial control system controller's operation log records the start and end times of the scan execution during actual operation. By reading the start and end times of the scan execution from the operation log file and calculating the time interval between adjacent scan cycles, the scan cycle data of the industrial control system controller can be obtained.
[0062] Data capture trigger time information is extracted from the data acquisition configuration and acquisition records of network security monitoring nodes to obtain the sampling time sequence data of the monitoring nodes;
[0063] Specifically, the data acquisition configuration of network security monitoring nodes includes, but is not limited to, the monitoring node's own sampling strategy configuration file, the time period setting file for triggering sampling, or the data acquisition trigger parameter configuration table. These files or configuration tables record the strategy for periodic or event-driven sampling by the network security monitoring node during operation, including the time interval or trigger condition information for triggering sampling. For example, the monitoring node's acquisition configuration can specify that network data packets are captured once at certain time intervals, with the set interval including but not limited to 1 second, 500 milliseconds, or 100 milliseconds. The monitoring node's acquisition records store the trigger times for network data packets acquired by the monitoring node during actual operation. Acquisition records are typically in the form of data files, such as time-series databases or log files. Each record corresponds to one trigger time, and each trigger time information is recorded with millisecond or higher precision to ensure the accuracy required to match the scanning cycle data of the industrial control system controller.
[0064] Based on a unified time reference, the scanning cycle data and sampling time sequence data are time-aligned to form a time sequence mapping relationship dataset that characterizes the correspondence between the control scanning cycle and the monitoring sampling time sequence;
[0065] Specifically, a unified time base is selected that is commonly referenced by the industrial control system controller and the monitoring nodes; for example, the industrial control system may uniformly use the standard time distributed by the Network Time Protocol (NTP). This unified time base includes, but is not limited to, Coordinated Universal Time (UTC, historically referred to as GMT) as synchronized by NTP, or the local time zone, with an accuracy typically reaching milliseconds or better. Based on the unified time base, timestamp mapping is performed on the scan cycle data of the industrial control system controller and the sampling timing data of the monitoring nodes. The start and end times of each scan cycle are annotated with the unified time base's timestamp information to accurately mark the start and end boundaries of each scan cycle. Similarly, for the sampling timing data of the monitoring nodes, each data capture trigger time is timestamped according to the unified time base to determine the time when sampling occurs.
[0066] After establishing a unified time reference for both the scan cycle data and the sampling time sequence data, the timestamped scan cycle data and sampling time sequence data are aligned according to this unified time reference. Time alignment methods include, but are not limited to, matching the sampling time information of each monitoring node to the corresponding time period interval of the industrial control system controller's scan cycle data. This involves determining which scan cycle's start and end boundary interval the trigger time of each data capture by the monitoring node falls within, thereby establishing the correspondence between each sampling time sequence data point and the scan cycle data.
[0067] Through time alignment, a time-series mapping dataset is formed that characterizes the correspondence between control scan cycles and monitoring sampling times. This dataset is stored as a data table in which each record contains the start and end times of a scan cycle, the sampling time of the monitoring node, and the correspondence between them. The table structure includes, but is not limited to, the following fields: control scan cycle start timestamp, control scan cycle end timestamp, monitoring node sampling trigger timestamp, and correspondence identifier. The correspondence identifier is a flag indicating whether the sampling trigger time falls within the start and end boundaries of the given scan cycle, for example "yes" or "no"; if a sampling trigger time does not fall within the boundaries of any scan cycle, the identifier is instead set to "mismatch".
[0068] S2: Calculate the sampling point distribution based on the time-series mapping relationship dataset and map the coverage gaps as mismatch windows. Extract the start and end times of the mismatch windows as the time-series intervals where short-term control and manipulation behaviors occur, including:
[0069] Based on the time-series mapping relationship dataset, the location of the sampling time-series data of the monitoring node in the scanning cycle data of the industrial control system controller is calculated, and sampling point distribution data is generated.
[0070] Specifically, the time-series mapping dataset includes the start and end timestamps of the scan cycle for the industrial control system controller, as well as the sampling trigger timestamps of the network security monitoring nodes. The location of the sampling time-series data within the scan cycle data refers to the position of each sampling trigger timestamp of the network security monitoring node relative to the start and end timestamp interval of each scan cycle for the industrial control system controller. The sampling trigger timestamps of the network security monitoring nodes are extracted and compared cycle by cycle with the scan cycle data of the industrial control system controller, determining whether the sampling trigger timestamp of the network security monitoring node falls within the start and end timestamp interval of the industrial control system controller's scan cycle. If the sampling trigger timestamp of the network security monitoring node falls within a specific start and end timestamp interval of the industrial control system controller's scan cycle, the sampling trigger timestamp is recorded as a valid location within the scan cycle interval; if the sampling trigger timestamp of the network security monitoring node does not fall within any start and end timestamp interval of the industrial control system controller's scan cycle, the sampling trigger timestamp is marked as a mismatched location. The sampling trigger timestamps of all network security monitoring nodes are aggregated to form sampling point distribution data, which is represented as a time series set of sampling point locations. The set of sampling point locations records the scanning period interval identifier or unmatched identifier information corresponding to each sampling trigger timestamp.
[0071] Based on the sampling point distribution data, identify the coverage gaps between adjacent sampling points, that is, the consecutive scan cycles that contain no monitoring-node sampling trigger;
[0072] Specifically, a coverage gap between adjacent sampling points refers to multiple consecutive scan cycle intervals within the start and end intervals of the industrial control system controller's scan cycle that do not contain the sampling trigger timestamp of any network security monitoring node. The sampling point distribution data is traversed, using the start and end intervals of the industrial control system controller's scan cycle as a reference, to identify consecutive scan cycle intervals that do not contain the sampling trigger timestamp of any network security monitoring node. The scan cycle data of the industrial control system controller is scanned; if several consecutive scan cycle start and end intervals are found to lack any corresponding sampling trigger timestamp of any network security monitoring node, these consecutive scan cycle start and end intervals are defined as a coverage gap area, and the start and end timestamps of the starting and ending scan cycles of the coverage gap area are recorded.
[0073] The coverage gap is mapped as a mismatch window between the monitoring sampling timing and the industrial control system controller scan cycle;
[0074] Specifically, the time boundary information of the coverage gap area is used as the boundary information of the mismatch window between the monitoring sampling time sequence and the control scanning cycle, that is, each coverage gap area corresponds to a mismatch window.
[0075] Extract the start and end times of the mismatched window as the time interval for the occurrence of short-term control and manipulation behavior;
[0076] Specifically, short-term control manipulation refers to an attacker or malfunctioning component briefly and rapidly modifying or perturbing control parameters, device registers, instructions, or execution paths within the scan cycle intervals of an industrial control system. Such changes fall between the periodic samples or polls of traditional monitoring and therefore bypass it, allowing the attacker to control the industrial control system. The start and end times of the mismatch window are extracted as follows: the start timestamp of the first scan cycle recorded in the coverage gap is used as the start time of the mismatch window, and the end timestamp of the last scan cycle recorded in the coverage gap is used as the end time. This converts the coverage gap, originally measured in scan cycles, into precise start and end times. If the coverage gap spans multiple consecutive scan cycles, the start time of the mismatch window is the start timestamp of the earliest scan cycle and the end time is the end timestamp of the last scan cycle. The start and end times of the mismatch window are defined as the time interval in which short-term control manipulation occurs, meaning that the interval is bounded by those two times. For example, if the scan cycle length of the industrial control system controller is set to 10 milliseconds and several consecutive scan cycles (say three) contain no sampling trigger timestamp from the network security monitoring node, these three consecutive scan cycles form a coverage gap. In this case the start timestamp of the first scan cycle in the coverage gap is recorded, for example, as 100 milliseconds, and the end timestamp of the last scan cycle as 130 milliseconds. The start time of the mismatch window is therefore 100 milliseconds and the end time 130 milliseconds, and the time interval for short-term control manipulation is defined as 100 milliseconds to 130 milliseconds, representing the mismatch between the controller's scan cycle and the monitoring node's sampling timing.
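As an added illustration of steps S1 ([0059] to [0067]) and S2 ([0068] to [0076]), not part of the patent specification, the following Python code parses a constructed controller operation log and monitoring-node capture record, aligns them on a shared millisecond time base, builds the mapping dataset with a yes/mismatch flag per sample, and walks the scan cycles to turn runs of uncovered cycles into mismatch windows. The log and record line formats, the 10 ms scan cycle and the capture timestamps are assumptions chosen to reproduce the 100 ms to 130 ms example above; a capture at 155 ms, after the last logged cycle, shows the "mismatch" flag.

```python
"""Steps S1 and S2: align controller scan cycles with monitoring-node capture
triggers on a unified time base and extract coverage gaps as mismatch windows."""
from bisect import bisect_right
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ScanCycle:
    start_ms: int  # scan start, unified time base (ms)
    end_ms: int    # scan end, unified time base (ms)


@dataclass(frozen=True)
class MappingRecord:
    sample_ms: int                 # monitoring-node capture-trigger timestamp
    cycle_start_ms: Optional[int]  # None when no scan cycle contains the sample
    cycle_end_ms: Optional[int]
    match: str                     # "yes" inside a scan cycle, "mismatch" otherwise


def parse_controller_log(text: str) -> List[ScanCycle]:
    """Pair scan_start/scan_end lines of the controller operation log into cycles.
    The line format '<event> <timestamp_ms>' is an assumption for this example."""
    cycles: List[ScanCycle] = []
    start: Optional[int] = None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        event, ts = parts[0], int(parts[1])
        if event == "scan_start":
            start = ts
        elif event == "scan_end" and start is not None:
            cycles.append(ScanCycle(start, ts))
            start = None
    return sorted(cycles, key=lambda c: c.start_ms)


def parse_capture_records(text: str) -> List[int]:
    """Capture-trigger timestamps from the monitoring node's acquisition record
    (assumed format: one 'capture <timestamp_ms>' line per trigger)."""
    return sorted(int(l.split()[1]) for l in text.splitlines() if l.startswith("capture "))


def align(cycles: List[ScanCycle], samples: List[int]) -> List[MappingRecord]:
    """S1: locate each capture trigger in the half-open scan cycle [start, end)."""
    starts = [c.start_ms for c in cycles]
    records: List[MappingRecord] = []
    for t in samples:
        i = bisect_right(starts, t) - 1
        if i >= 0 and cycles[i].start_ms <= t < cycles[i].end_ms:
            records.append(MappingRecord(t, cycles[i].start_ms, cycles[i].end_ms, "yes"))
        else:
            records.append(MappingRecord(t, None, None, "mismatch"))
    return records


def mismatch_windows(cycles: List[ScanCycle], mapping: List[MappingRecord],
                     min_cycles: int = 2) -> List[Tuple[int, int]]:
    """S2: a run of at least min_cycles consecutive scan cycles containing no
    capture trigger becomes one mismatch window (start of first, end of last)."""
    covered = {(r.cycle_start_ms, r.cycle_end_ms) for r in mapping if r.match == "yes"}
    windows: List[Tuple[int, int]] = []
    run: List[ScanCycle] = []
    for c in cycles + [None]:  # trailing sentinel flushes the final run
        if c is None or (c.start_ms, c.end_ms) in covered:
            if len(run) >= min_cycles:
                windows.append((run[0].start_ms, run[-1].end_ms))
            run = []
        else:
            run.append(c)
    return windows


# Constructed inputs: fifteen 10 ms scan cycles (0-150 ms) and capture triggers
# every 10 ms except across 100-130 ms; 155 ms lies after the last logged cycle.
CONTROLLER_LOG = "\n".join(f"scan_start {s}\nscan_end {s + 10}" for s in range(0, 150, 10))
CAPTURE_RECORDS = "\n".join(
    f"capture {t}" for t in (5, 15, 25, 35, 45, 55, 65, 75, 85, 95, 135, 145, 155))


def run_example() -> List[Tuple[int, int]]:
    cycles = parse_controller_log(CONTROLLER_LOG)
    mapping = align(cycles, parse_capture_records(CAPTURE_RECORDS))
    return mismatch_windows(cycles, mapping)


if __name__ == "__main__":
    print(run_example())  # [(100, 130)]
```

The alignment uses a half-open cycle interval so that a capture landing exactly on a cycle boundary is attributed to one cycle only; with closed intervals a boundary sample would count as covering two cycles and could hide a gap. A single uncovered cycle is not reported by default (`min_cycles=2`), matching the specification's "multiple consecutive" wording; lower it if the controller's scan is long relative to the attack you expect.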
[0077] S3: Within the time interval, merge the real-time control state data output by the industrial control system controller according to the scan cycle to form interval control state sequence data, and perform adjacent difference and flip detection to obtain short-term state abnormal change data, including:
[0078] Based on the timing interval of short-term control and manipulation behavior, the corresponding timing data is extracted from the real-time control status data output by the industrial control system controller.
[0079] Specifically, the real-time control status data output by the industrial control system controller refers to the set of all real-time process parameters, operating states, or equipment control signals output by the industrial control system controller at the end of each scan cycle. At the end of each scan cycle, the industrial control system controller outputs all control variables and status parameters that operated within that scan cycle in the form of structured data packets or status records, forming a real-time control status data record corresponding to the scan cycle. Using the start and end times of the time interval in which short-term control actions occur as time boundaries, data records whose scan cycle end timestamps fall within the time interval in which short-term control actions occur are selected from the real-time control status data set output by the industrial control system controller to obtain a subset of real-time control status data.
[0080] The captured real-time control status data is merged according to the scan cycle data of the industrial control system controller to form interval control status sequence data.
[0081] Specifically, the records in the real-time control state data subset are merged according to the start and end boundaries of the scan cycle determined by the scan cycle data of the industrial control system controller to form interval control state sequence data. The merging method is to sort one real-time control state data record corresponding to each scan cycle in order of the end time of the scan cycle, thereby forming a time-ordered state data sequence, which is defined as interval control state sequence data.
[0082] Numerical difference and flip detection are performed on the real-time control state data of adjacent scan cycles in the interval control state sequence data. The end time of the scan cycle of state change and the corresponding state change amplitude information are extracted to generate short-term state abnormal change data.
[0083] Specifically, in the interval control state sequence data, the real-time control state data records corresponding to two adjacent scan cycles are defined as the previous cycle state record and the subsequent cycle state record, respectively. For state difference calculation, the process is as follows: traverse the adjacent scan cycle records in the interval control state sequence data; for each pair of previous and subsequent cycle state records, perform numerical difference calculations on each corresponding state parameter or control signal of the previous and subsequent cycle state records. After the calculation is completed, record the difference results of each parameter in the order of the scan cycles to form a state difference data sequence.
[0084] State flip detection refers to identifying numerical abrupt changes exceeding a set threshold in a state differential data sequence to pinpoint the time point of abnormal control behavior. For each differential result in the state differential data sequence, a pre-set state flip magnitude threshold is used for comparison. If the absolute value of the differential result exceeds the set threshold, it is defined as a state flip. The threshold is determined by calculating the standard deviation of the differential results for each state parameter within a certain period based on the statistical distribution characteristics of historical process parameter data during the operation of the industrial control system. The threshold is defined as a multiple of the standard deviation, for example, three times the standard deviation. When the differential result exceeds the set threshold, a state flip event is considered to have occurred. The end time of the scan cycle of the corresponding subsequent state record for each state flip event is recorded as the state flip time, and the value of the differential result is recorded as the state flip magnitude information. Finally, all state flip times and magnitude information are summarized to obtain the state flip event set.
[0085] Short-term state anomaly change data is formed from the state flip event set by aggregation, filtering, and labeling. The flip time and magnitude of each event in the state flip event set are retained as the basic information of the short-term state anomaly change data. The data is then filtered by a rule on the state flip magnitude, including but not limited to: selecting the several flip events with the largest magnitudes, or selecting flip events whose magnitude exceeds a second preset threshold. The second preset threshold is obtained by taking the maximum and minimum of all flip magnitudes in the state flip event set and defining the threshold as the midpoint of that range. A flip event whose magnitude exceeds the second preset threshold is judged to have a significant effect on the process of the industrial control system. All flip events retained after filtering, including flip time and magnitude, are aggregated to obtain the short-term state anomaly change data set. For example, if the scan cycle of the industrial control system controller is 10 milliseconds and the time interval of the short-term control action is determined to be 100 to 130 milliseconds, the four consecutive scan cycle end times of 100, 110, 120, and 130 milliseconds are extracted from the real-time control status data output by the controller to form the interval control status sequence data.
After the state differences between adjacent scan cycles are calculated, if the absolute difference of a key control parameter between the subsequent cycle record ending at 120 milliseconds and the preceding cycle record reaches or exceeds the preset state flip magnitude threshold (for example, the parameter jumps from its normal value of 100 to 150, exceeding a magnitude threshold of 30), then 120 milliseconds is recorded as the state flip time and 50 as the state flip magnitude. A second screening is then applied to the whole state flip event set; for example, if the second preset threshold is set to 40% of the median of all flip magnitudes, the magnitude of 50 exceeds it and the event is retained as short-term state anomaly change data.
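The S3 procedure above (differencing of adjacent scan cycles, a flip threshold of three standard deviations of historical differences, and a second screening at the midpoint of the magnitude range) as an added worked example; this is not the patent's own code. The record layout, the historical difference baselines and the three parameter names are constructed for illustration. One practical safeguard not in the original is also included: a parameter whose history never changes has a standard deviation of 0, so without a floor every change would count as a flip.

```python
"""S3 as an added example: adjacent-cycle differencing, 3-sigma flip detection
and second-stage screening over controller scan-cycle records.

Not the patent's own code. Assumed (not in the original): records are dicts
{"t_end": <ms>, "params": {name: value}}, the historical baseline is a constructed
list of per-cycle differences for each parameter, and a threshold floor guards
parameters whose history never changes (sigma = 0 would flag every change)."""
from statistics import pstdev

# Constructed interval control state sequence: one record per 10 ms scan cycle
# within the 100..130 ms action window of the page's example. Not real data.
INTERVAL_STATES = [
    {"t_end": 100, "params": {"setpoint": 100, "flow": 20.0, "pressure": 30}},
    {"t_end": 110, "params": {"setpoint": 100, "flow": 20.5, "pressure": 30}},
    {"t_end": 120, "params": {"setpoint": 150, "flow": 20.2, "pressure": 31}},
    {"t_end": 130, "params": {"setpoint": 150, "flow": 19.9, "pressure": 37}},
]

# Constructed historical adjacent-cycle differences per parameter (normal operation).
HISTORICAL_DIFFS = {
    "setpoint": [0, 1, -1, 2, 0, -2, 1, 0, 1, -1],
    "flow": [0.5, -0.3, 0.2, -0.4, 0.1, 0.3, -0.2, 0.0, 0.4, -0.6],
    "pressure": [0, 1, -1, 0, 1, 0, -1, 1, 0, -1],
}


def flip_threshold(history_diffs, k=3.0, floor=0.0):
    """Flip magnitude threshold = k * stdev of historical differences (page rule).
    `floor` is an assumed safeguard: a constant history gives stdev 0."""
    return max(k * pstdev(history_diffs), floor)


def state_differences(states):
    """Adjacent-cycle differences: list of (t_end of later cycle, {param: later - earlier})."""
    out = []
    for prev, nxt in zip(states, states[1:]):
        diffs = {p: nxt["params"][p] - prev["params"][p] for p in prev["params"]}
        out.append((nxt["t_end"], diffs))
    return out


def detect_flips(states, thresholds):
    """State flip events: |difference| above the per-parameter threshold.
    The flip time is the end time of the later scan cycle; the signed difference
    is kept as the magnitude information, as the page specifies."""
    events = []
    for t_end, diffs in state_differences(states):
        for param, d in diffs.items():
            if abs(d) > thresholds[param]:
                events.append({"t": t_end, "param": param, "magnitude": d})
    return events


def screen_significant(events):
    """Second screening: keep events whose |magnitude| reaches the midpoint of
    [min, max] over all flip magnitudes. `>=` is used so that a single event
    (min == max) is not discarded by its own threshold."""
    if not events:
        return []
    mags = [abs(e["magnitude"]) for e in events]
    second_threshold = (min(mags) + max(mags)) / 2
    return [e for e in events if abs(e["magnitude"]) >= second_threshold]


THRESHOLDS = {p: flip_threshold(h) for p, h in HISTORICAL_DIFFS.items()}


def short_term_state_anomalies(states=INTERVAL_STATES, thresholds=THRESHOLDS):
    """Full S3 pipeline: differencing -> flip detection -> second screening."""
    return screen_significant(detect_flips(states, thresholds))


if __name__ == "__main__":
    for event in short_term_state_anomalies():
        print(event)
```

With the constructed data, the setpoint jump of 50 at 120 ms and a pressure jump of 6 at 130 ms both pass the 3-sigma test, and the second screening (midpoint 28) keeps only the setpoint event, which is the behaviour the page describes for its example.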
[0086] S4: Within the time interval, network packet data collected by monitoring nodes are merged according to the sampling time sequence to form time interval network packet sequence data, and packet interval and content difference are compared to obtain time-series matching anomaly feature data, including:
[0087] Based on the time interval of short-term control and manipulation behavior, the corresponding time sequence data is extracted from the network packet data collected by the monitoring node;
[0088] Specifically, the network packet data collected by the monitoring node refers to the collection of industrial control system network communication packets acquired by the network security monitoring node at various data capture trigger moments according to the preset acquisition configuration and acquisition records. The network security monitoring node captures the network communication packets of the industrial control system through network interfaces, including but not limited to Ethernet packets, TCP / IP protocol packets, or specific industrial control protocol packets. Each network packet data includes but is not limited to packet header information (such as source address, destination address, port number, packet length, and packet sequence number), packet payload data (such as industrial control instructions, parameter setting data, and device status information), and timestamp information (i.e., the record of the packet capture trigger moment).
[0089] The captured network packet data are merged according to the sampling time-series data of the monitoring nodes to form time-series network packet sequence data;
[0090] Specifically, from all network packet data collected by the network security monitoring nodes, all packet records captured between the start and end times of the time interval in which the short-term control and manipulation behavior occurs are extracted. These packet records are then sorted and merged according to the sampling time-series data of the monitoring nodes: the records are ordered by ascending packet capture trigger time, forming a packet record sequence defined as the time-series interval network packet sequence data.
[0091] The interval between the packet capture trigger times and the differences in packet content are calculated for adjacent network packets in the time-series network packet sequence data. The abnormal positions of the packet interval and the abnormal features of the packet content are extracted to generate time-series matching abnormal feature data.
[0092] Specifically, message interval comparison means calculating the time interval between two adjacent message records in the time-series network message sequence data. Message content difference comparison compares the payload data and header information of adjacent message records to identify differences or characteristics that do not conform to the normal communication pattern of the industrial control system. The message interval comparison is as follows. Let the capture trigger times of two adjacent message records be T_k and T_(k+1). The interval between them is ΔT_(k+1) = T_(k+1) - T_k, where ΔT_(k+1) is the interval between the (k+1)th and the kth message record, in milliseconds. The interval is computed for every pair of adjacent records in the sequence, forming a message interval data sequence, and each interval is then checked against a preset message interval anomaly threshold. The threshold is derived from the statistical distribution of historical communication intervals in the industrial control system network: the mean and standard deviation of the historical intervals are determined, and the mean plus a multiple of the standard deviation, for example the mean plus three standard deviations, is used as the message interval anomaly threshold.
When a message interval in the message interval data sequence exceeds the message interval anomaly threshold, the corresponding position is marked as a message interval anomaly position, and the message sequence number or timestamp of that position is recorded.
[0093] The message content difference comparison involves extracting the message payload data and header information of two adjacent message records from the time-series network message sequence data. The message payload data and header information are then compared according to their corresponding data fields. Taking message payload data as an example, industrial control instructions, parameter settings, or equipment status information in adjacent message records are compared. If differences are found in the data values of the same field in adjacent message records, and the difference exceeds a preset message content difference threshold, the difference in the corresponding field is marked as an abnormal message content feature. The message content difference threshold is determined by analyzing historical industrial control network communication message data to statistically analyze the range and fluctuation of values for specific fields, for example, setting it to 80% of the historical maximum value. When the field difference in the message payload data exceeds the message content difference threshold, the corresponding message record number, field identifier, and difference value are recorded, forming a set of abnormal message content features.
[0094] The message interval anomaly positions and message content anomaly features are summarized and correlated to form a time-series matching anomaly feature data set that characterizes network communication timing anomalies. This data set holds the descriptions and markings of both kinds of anomaly. A message interval anomaly position is recorded as the timestamp at which the anomaly occurred; a message content anomaly feature records the position of the abnormal field (for example, its byte offset in the message payload), the abnormal value, and the baseline value from normal communication. The correlation rule is: if a message interval anomaly position and a message content anomaly feature occur in the same pair of adjacent message records, they constitute one correlated data item of the time-series matching anomaly feature data set. For example, if the interval between adjacent message records captured at 200 milliseconds and 210 milliseconds exceeds the message interval anomaly threshold, and a key parameter in the payload data changes abruptly (for example, from 10 to 50, exceeding the message content difference threshold), then 200 milliseconds is recorded as the message interval anomaly position and the field and value change in the payload is recorded as the message content anomaly feature, forming one item of time-series matching anomaly feature association data.
This time-series matching anomaly feature data describes the anomalous characteristics of industrial control system network communication during short-term control and manipulation behavior, and characterizes the temporal correlation between network communication anomalies and that behavior.
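The S4 procedure (interval comparison against a mean-plus-three-sigma threshold, field-by-field payload comparison against 80% of the historical maximum, and correlation of the two within one adjacent pair) as an added worked example; this is not the patent's own code. The packet layout, the Modbus-like payload field names, the capture cadence and the historical baselines are all constructed for illustration and are not a real protocol decode. One caveat worth noticing while reading it: because the content threshold is a fraction of the field's historical maximum rather than of its normal fluctuation, a write that moves a small-valued field by a large relative amount can still fall under the threshold.

```python
"""S4 as an added example: message interval and content difference comparison over
a time-series interval packet sequence, with correlation of the two anomaly kinds.

Not the patent's own code. Assumed (not in the original): packets are dicts with a
capture trigger time `t` in ms, a sequence number `seq`, header fields and an already
decoded numeric `payload` dict; historical intervals and per-field maxima are
constructed baselines."""
from statistics import mean, pstdev


def pkt(t, seq, value, src="192.168.0.10", dst="192.168.0.20", sport=2000, dport=502):
    """Constructed packet record; the payload field names are illustrative only."""
    return {"t": t, "seq": seq, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": "TCP", "payload": {"function": 6, "register": 40001, "value": value}}


# Constructed packet sequence within the action window (not captured traffic):
# a steady ~5 ms cadence, then a 15 ms gap and a write that jumps "value" 10 -> 50.
PACKETS = [pkt(100, 1, 10), pkt(105, 2, 10), pkt(110, 3, 11), pkt(115, 4, 10),
           pkt(120, 5, 10), pkt(135, 6, 50), pkt(140, 7, 50)]

# Constructed historical baselines: normal capture intervals (ms) and per-field maxima.
HISTORICAL_INTERVALS_MS = [5, 5, 6, 4, 5, 5, 6, 4, 5, 5]
HISTORICAL_FIELD_MAX = {"function": 16, "register": 40010, "value": 12}


def interval_threshold(intervals, k=3.0):
    """Page rule: mean plus k standard deviations of historical intervals."""
    return mean(intervals) + k * pstdev(intervals)


def content_thresholds(field_max, ratio=0.8):
    """Page rule: per-field content difference threshold = 80% of historical max."""
    return {f: ratio * m for f, m in field_max.items()}


def interval_anomalies(packets, threshold):
    """Adjacent-pair index k, position timestamp T_k and interval dT = T_(k+1) - T_k
    when dT exceeds the threshold. The earlier packet marks the position (page example)."""
    out = []
    for k, (a, b) in enumerate(zip(packets, packets[1:])):
        dt = b["t"] - a["t"]
        if dt > threshold:
            out.append({"pair": k, "t": a["t"], "seq": a["seq"], "interval_ms": dt})
    return out


def content_anomalies(packets, thresholds):
    """Field-by-field payload comparison of adjacent packets; records the later
    packet, the field, the baseline (earlier) value and the abnormal value."""
    out = []
    for k, (a, b) in enumerate(zip(packets, packets[1:])):
        for field, thr in thresholds.items():
            if field not in a["payload"] or field not in b["payload"]:
                continue
            diff = b["payload"][field] - a["payload"][field]
            if abs(diff) > thr:
                out.append({"pair": k, "t": b["t"], "seq": b["seq"], "field": field,
                            "baseline": a["payload"][field], "value": b["payload"][field],
                            "diff": diff})
    return out


def correlate(interval_hits, content_hits):
    """Correlation rule: an interval anomaly and a content anomaly from the same
    adjacent pair form one associated item of the matching anomaly feature data."""
    by_pair = {}
    for c in content_hits:
        by_pair.setdefault(c["pair"], []).append(c)
    return [{"interval": i, "content": by_pair[i["pair"]]}
            for i in interval_hits if i["pair"] in by_pair]


def matching_anomaly_features(packets=PACKETS):
    """Full S4 pipeline over one interval packet sequence."""
    thr_i = interval_threshold(HISTORICAL_INTERVALS_MS)
    thr_c = content_thresholds(HISTORICAL_FIELD_MAX)
    return correlate(interval_anomalies(packets, thr_i), content_anomalies(packets, thr_c))


if __name__ == "__main__":
    for item in matching_anomaly_features():
        print(item)
```

For the constructed sequence the interval threshold works out to about 6.9 ms, so only the 120 to 135 ms gap is flagged; the same pair carries the 10 to 50 write, so one correlated item results, positioned at 120 ms with the content feature at 135 ms.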
[0095] S5: Compare the temporal position of short-term abnormal state change data with the temporal position of temporally matched abnormal feature data to form abnormal feature fusion data, including:
[0096] The temporal location of the abnormal state change is determined by the end time of the scan cycle of the abnormal state change in short-term state change data.
[0097] Specifically, short-term state anomaly change data records the end time of the scan cycle in the real-time control state data output by the industrial control system controller, along with the corresponding magnitude of the state abrupt change. Therefore, the temporal position of the state anomaly change is defined as the timestamp information represented by the end time of the corresponding scan cycle of the industrial control system controller. To determine the temporal position of the state anomaly change, the end time of the scan cycle for each state abrupt change event is extracted from the short-term state anomaly change data set, and this extracted end time is marked as the temporal position of the state anomaly change. This represents the time point within the time interval of the short-term control behavior in the real-time control state data of the industrial control system controller where the state undergoes an anomaly change. For example, if the scan cycle length of the industrial control system controller is set to 10 milliseconds, and the short-term state anomaly change data set contains state abrupt change events corresponding to the end times of two scan cycles at 120 milliseconds and 130 milliseconds, then the temporal positions of the state anomaly changes are determined to be 120 milliseconds and 130 milliseconds, respectively.
[0098] The temporal position of the message anomaly feature is determined based on the message interval anomaly position and the message content anomaly feature corresponding to the message capture trigger time in the temporal matching anomaly feature data;
[0099] Specifically, the time-series matching anomaly feature data records the abnormal positions of message intervals and the abnormal features of message content. The timestamp of the message capture trigger time associated with each set of anomaly features is extracted from the time-series matching anomaly feature data set, and this timestamp is marked as the time-series position of the message anomaly feature. The timestamps of the abnormal positions of message intervals and the abnormal features of message content are extracted separately. For example, if the timestamp corresponding to the abnormal position of a message interval is 200 milliseconds, and the message capture trigger time corresponding to the abnormal feature of message content is 210 milliseconds, then both timestamps of 200 milliseconds and 210 milliseconds are marked as the time-series positions of the message anomaly features.
[0100] The temporal location of abnormal state changes and the temporal location of abnormal message features are compared to form abnormal feature fusion data of short-term control and manipulation behavior.
[0101] Specifically, the time-series location sets of abnormal state changes and message anomaly features are obtained separately. Using the time-series location of the abnormal state changes as a benchmark, the time difference is calculated and compared with the time-series location of the message anomaly features to complete feature association matching. The time difference calculation formula is:
[0102] ΔT_(Association Matching) = |T_(State Anomaly) - T_(Message Anomaly)|; where ΔT_(Association Matching) represents the absolute time difference between the timing position of a state anomaly change and the timing position of a message anomaly feature, T_(State Anomaly) represents the timestamp of the timing position of the state anomaly change, and T_(Message Anomaly) represents the timestamp of the timing position of the message anomaly feature. After calculating the absolute time difference of all possible timing position combinations, feature association matching is determined based on a preset association matching threshold. The method for determining the association matching threshold is as follows: based on the coupling relationship between the control logic and communication logic of the industrial control system and historical data analysis, the maximum allowable delay of state changes and network message anomalies under normal operating conditions is statistically analyzed, and twice the maximum allowable delay is set as the association matching threshold. For example, if the maximum allowable delay between normal control logic and message communication logic is determined to be 20 milliseconds, then the association matching threshold is set to 40 milliseconds. When the absolute time difference is less than or equal to the association matching threshold, it is determined that there is a feature association between the corresponding abnormal state change time sequence position and the abnormal message feature time sequence position, constituting a set of data items in the abnormal feature fusion data of short-term control and manipulation behavior. 
For example, if the abnormal state change time positions are 120 and 130 milliseconds and the abnormal message feature time positions are 200 and 210 milliseconds, the absolute time differences of all combinations are 80 ms (200 - 120), 90 ms (210 - 120), 70 ms (200 - 130), and 80 ms (210 - 130). Each of these exceeds the association matching threshold of 40 milliseconds, so there is no effective correlation between the abnormal state changes and the abnormal message features, and none of these combinations is recorded in the abnormal feature fusion data. If a further abnormal message feature time position is added, for example 135 milliseconds, the difference between the abnormal state change at 130 milliseconds and the abnormal message feature at 135 milliseconds is 5 milliseconds, which is within the threshold of 40 milliseconds (the combination of 120 and 135 milliseconds, with a difference of 15 milliseconds, is likewise within it). The two are therefore judged to be correlated, and the state change timestamp of 130 milliseconds, the message feature timestamp of 135 milliseconds, and the corresponding state change magnitude and message content anomaly features are recorded.
[0103] S6: Based on the fusion of abnormal features, backtrack the network message sequence data and interval control status sequence data within the time interval to determine the start and end time intervals and communication link information, and generate security monitoring alarm data, including:
[0104] The start and end times of short-term control and manipulation behavior are determined by fusing abnormal features of short-term control and manipulation behavior data.
[0105] Specifically, for each data item in the fusion dataset of abnormal features of short-term control and manipulation behaviors, the temporal positions of abnormal state changes and abnormal message features are extracted, and these temporal positions are merged. Merging methods include, but are not limited to: selecting the earlier timestamp between the temporal positions of abnormal state changes and abnormal message features as the starting temporal position of the short-term control and manipulation behavior; and selecting the later timestamp between the temporal positions of abnormal state changes and abnormal message features as the ending temporal position of the short-term control and manipulation behavior; thereby determining the temporal position range of the short-term control and manipulation behavior. For example, if the temporal position of an abnormal state change in a certain data item is 130 milliseconds and the temporal position of the abnormal message feature is 135 milliseconds, then 130 milliseconds is determined as the starting temporal position of the short-term control and manipulation behavior, and 135 milliseconds is determined as the ending temporal position of the short-term control and manipulation behavior, thus defining the precise temporal position range of the short-term control and manipulation behavior.
[0106] Using the start and end time positions as boundaries, backtrack the network message sequence data and interval control status sequence data of the corresponding time interval to determine the start and end time intervals corresponding to short-term control and manipulation behaviors, and extract the source address, destination address, port number and protocol type of network messages within the start and end time intervals to generate communication link information and form security monitoring alarm data;
[0107] Specifically, using the start and end times of the short-term control and manipulation behavior as reference points, the network message sequence data of the time interval in which the behavior occurs is backtracked: from the start time of the behavior, trace back to the start time of the time interval, and from the end time of the behavior, extend forward to the end time of the time interval, so that the resulting range covers both the behavior and the time interval in which it was detected. This range is the start and end time interval corresponding to the short-term control and manipulation behavior, and all network message records within it are the associated communication message data of that behavior.
[0108] The method for determining the associated communication link information is as follows: Analyze the header information of each network packet record within the start and end time interval. The header information includes, but is not limited to, fields such as source address, destination address, source port number, destination port number, protocol type, and communication session identifier. Classify and statistically analyze the above fields to obtain the information characteristics of each different communication link. The method for determining the information characteristics of a communication link is as follows: Group data packet records with the same source address, destination address, source port number, destination port number, and protocol type into the same communication link. For each communication link, mark the start and end times. The start time of a communication link is defined as the time when the communication link first appears in the network packet capture trigger within the start and end time interval, and the end time is defined as the time when the communication link last appears in the network packet capture trigger within the start and end time interval. Combine the above information to identify the communication link information of each communication link. For example, in scenarios where the start and end time interval for short-term control actions is between 100 and 135 milliseconds, if the network packet sequence data contains a network packet with a source address of "192.168.0.10", a destination address of "192.168.0.20", a source port number of "2000", a destination port number of "502", and a protocol type of "TCP", then this information is defined as a communication link information, and the start and end times of the communication link are determined to form the communication link information.
[0109] Furthermore, using the start and end time interval of the short-term control action as a reference, the associated control state data records are determined by backtracking from the interval control state sequence data. Using the start and end time interval of the short-term control action as the time boundary, all state records corresponding to the time interval are selected from the interval control state sequence data to form a subset of interval control state data associated with the short-term control action. This subset expresses the control state changes of the industrial control system controller during the occurrence of the short-term control action, ensuring the timing consistency between the industrial control system state data and network message data.
[0110] Security monitoring alarm data is constructed using the start and end time intervals corresponding to short-term control and manipulation behaviors as the alarm time information and the associated communication link information as the alarm object information. This data includes: alarm event type (e.g., defined as a short-term control and manipulation behavior anomaly alarm), alarm start and end times, source address, destination address, source port number, destination port number, protocol type, and alarm level representing the severity of the anomaly. The alarm level is determined by weighting the degree of anomaly based on the magnitude of sudden changes in short-term state anomaly data and the abnormal characteristics of message content. Alarm levels are then classified according to the score, for example, with levels one, two, and three, where level one represents the highest level of anomaly and level three represents the lowest level. The scoring method is as follows: assign weights to the magnitude of state change and the abnormal characteristics of message content, for example, set the weight of the magnitude of state change to 0.6 and the weight of the abnormality of message content to 0.4; then normalize the magnitude of state change and the degree of abnormality of message content to the range of 0 to 1, multiply the weights and add them together to form the total score; finally, set the alarm level according to the size of the total score, for example, a total score greater than 0.7 is set as a level 1 alarm, between 0.4 and 0.7 is set as a level 2 alarm, and less than 0.4 is set as a level 3 alarm.
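Steps S5 and S6 above (all-pairs association matching within twice the maximum allowable delay, backtracking to the start and end interval, grouping packets into communication links by their 5-tuple with first and last capture times, and the 0.6/0.4 weighted alarm score with levels at 0.7 and 0.4) as one added worked example; this is not the patent's own code. The anomaly inputs, the packet records and the addresses are constructed; the normalisation scales for the score (100 for state magnitude, 50 for content difference) are illustrative since the page does not fix them; and two choices the page leaves open are made explicit: the backtracked interval is the union of the behaviour bounds and the mismatch window (matching the page's 100 to 135 ms example), and fused items that backtrack to the same interval are merged into a single alarm rather than raising one alarm per pair.

```python
"""S5 and S6 as one added example: association matching of state and message
anomaly positions, backtracking to the start/end interval, 5-tuple communication
link extraction and weighted alarm scoring.

Not the patent's own code. Assumed (not in the original): constructed anomaly and
packet inputs, illustrative normalisation scales (100 for state magnitude, 50 for
content difference), fused items sharing a backtracked interval merged into one alarm,
and the backtracked interval taken as the union of behaviour bounds and mismatch window."""
from collections import defaultdict

MAX_NORMAL_DELAY_MS = 20                      # page example
ASSOC_THRESHOLD_MS = 2 * MAX_NORMAL_DELAY_MS  # page rule: twice the max delay
WINDOW = (100, 130)                           # mismatch window from the page example

# Constructed inputs, not real data.
STATE_ANOMALIES = [{"t": 120, "magnitude": 50}, {"t": 130, "magnitude": 6}]
MESSAGE_ANOMALIES = [
    {"t": 135, "kind": "content", "field": "value", "baseline": 10, "value": 50, "diff": 40},
    {"t": 200, "kind": "interval", "interval_ms": 15},
    {"t": 210, "kind": "content", "field": "value", "baseline": 50, "value": 10, "diff": -40},
]


def pkt(t, src, sport, dst="192.168.0.20", dport=502, proto="TCP"):
    """Constructed packet header record (addresses are illustrative)."""
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


PACKETS = [pkt(100, "192.168.0.10", 2000), pkt(105, "192.168.0.30", 3000),
           pkt(110, "192.168.0.10", 2000), pkt(115, "192.168.0.30", 3000),
           pkt(120, "192.168.0.10", 2000), pkt(135, "192.168.0.10", 2000),
           pkt(140, "192.168.0.10", 2000), pkt(200, "192.168.0.10", 2000)]


def fuse(states, msgs, threshold=ASSOC_THRESHOLD_MS):
    """S5: dT = |T_state - T_msg| for every combination; keep pairs within threshold."""
    return [{"t_state": s["t"], "t_msg": m["t"], "delta": abs(s["t"] - m["t"]),
             "magnitude": s["magnitude"], "msg": m}
            for s in states for m in msgs if abs(s["t"] - m["t"]) <= threshold]


def backtrack_interval(item, window=WINDOW):
    """S6: behaviour start/end = earlier/later of the two positions, widened to the window."""
    start, end = min(item["t_state"], item["t_msg"]), max(item["t_state"], item["t_msg"])
    return (min(start, window[0]), max(end, window[1]))


def communication_links(packets, interval):
    """Group packets in the interval by 5-tuple, with first/last capture times."""
    lo, hi = interval
    links = {}
    for p in packets:
        if not lo <= p["t"] <= hi:
            continue
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        first, last = links.get(key, (p["t"], p["t"]))
        links[key] = (min(first, p["t"]), max(last, p["t"]))
    return [dict(zip(("src", "dst", "sport", "dport", "proto"), k),
                 first_seen=v[0], last_seen=v[1]) for k, v in links.items()]


def alarm_score(magnitude, content_diff, w_state=0.6, w_msg=0.4,
                state_scale=100.0, msg_scale=50.0):
    """Page rule: weighted sum of the two abnormality degrees normalised to 0..1.
    The scales are assumed; the page only requires normalisation into [0, 1]."""
    return (w_state * min(1.0, abs(magnitude) / state_scale)
            + w_msg * min(1.0, abs(content_diff) / msg_scale))


def alarm_level(score):
    """Page rule: > 0.7 level 1, 0.4..0.7 level 2, < 0.4 level 3."""
    return 1 if score > 0.7 else 2 if score >= 0.4 else 3


def build_alarms(states=STATE_ANOMALIES, msgs=MESSAGE_ANOMALIES, packets=PACKETS):
    """S5 + S6: fuse, backtrack, extract links and score one alarm per interval."""
    groups = defaultdict(list)
    for item in fuse(states, msgs):
        groups[backtrack_interval(item)].append(item)
    alarms = []
    for (lo, hi), items in sorted(groups.items()):
        magnitude = max(abs(i["magnitude"]) for i in items)
        content_diff = max(abs(i["msg"].get("diff", 0)) for i in items)  # interval-only: 0
        score = alarm_score(magnitude, content_diff)
        alarms.append({"type": "short-term control manipulation anomaly",
                       "start": lo, "end": hi, "links": communication_links(packets, (lo, hi)),
                       "score": score, "level": alarm_level(score)})
    return alarms


if __name__ == "__main__":
    for alarm in build_alarms():
        print(alarm)
```

On the constructed inputs the 200 and 210 ms message features are rejected (differences of 70 to 90 ms), the 135 ms feature pairs with both the 120 and 130 ms state changes, both pairs backtrack to the 100 to 135 ms interval and so produce a single alarm listing two links, and the score 0.6 x 0.5 + 0.4 x 0.8 = 0.62 yields a level 2 alarm.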
[0111] Example 2
[0112] The difference between Embodiment 2 and Embodiment 1 is that this embodiment introduces a network security monitoring system for an industrial control system.
[0113] Figure 2 is a schematic diagram of the structure of an industrial control system network security monitoring system according to the present invention. The industrial control system network security monitoring system includes:
[0114] Timing Alignment Module: Acquires the scan cycle data of the industrial control system controller and the sampling timing data of the monitoring nodes, performs time alignment based on a unified time reference, and forms a timing mapping relationship dataset;
[0115] Window extraction module: Calculates the sampling point distribution based on the time-series mapping relationship dataset and maps the coverage gaps as mismatched windows, extracts the start and end times of the mismatched windows as the time-series intervals in which short-term control and manipulation behaviors occur;
[0116] State Analysis Module: Within a time interval, the real-time control state data output by the industrial control system controller is merged according to the scan cycle to form interval control state sequence data, and adjacent difference and flip detection are performed to obtain short-term state abnormal change data;
[0117] Message Analysis Module: Within a time interval, network message data collected by monitoring nodes are merged according to the sampling time sequence to form time interval network message sequence data, and message interval and content difference are compared to obtain time sequence matching anomaly feature data;
[0118] Feature fusion module: compares the temporal position of short-term abnormal state change data with the temporal position of temporally matched abnormal feature data to form abnormal feature fusion data;
[0119] Alarm generation module: Based on the fusion of abnormal features, backtrack the network message sequence data and interval control status sequence data of the time interval, determine the start and end time interval and communication link information, and generate security monitoring alarm data.
[0120] Example 3
[0121] An industrial control system network security monitoring device includes: a processor, a memory, and a program or instructions stored in the memory and executable on the processor. When the program or instructions are executed by the processor, an industrial control system network security monitoring method is implemented.
[0122] The above embodiments can be implemented, in whole or in part, by software, hardware, firmware, or any combination thereof. When implemented using software, the above embodiments can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions or computer programs. When the computer instructions or computer programs are loaded or executed on a computer, all or part of the processes or functions described in the embodiments of this application are produced. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions can be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, the computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless (e.g., infrared, microwave) means. The computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a server or data center that includes one or more sets of available media. The available medium can be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium can be a solid-state drive.
[0123] Those skilled in the art will recognize that the modules and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0124] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and modules described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0125] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division of modules is only a logical functional division, and in actual implementation there may be other ways of dividing them. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling, or communication connection shown or discussed may be realized through some interfaces, and the indirect coupling or communication connection between apparatuses or modules may be electrical, mechanical, or of other forms.
[0126] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical modules; they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.
[0127] In addition, the functional modules in the various embodiments of this application can be integrated into one processing module, or each module can exist physically separately, or two or more modules can be integrated into one module.
[0128] If the aforementioned functions are implemented as software functional modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0129] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
[0130] In conclusion, the above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.
Claims
1. A method for network security monitoring of an industrial control system, characterized in that it includes the following steps: S1: obtain the scan cycle data of the industrial control system controller and the sampling time sequence data of the monitoring node, and perform time alignment based on a unified time reference to form a time sequence mapping relationship dataset; S2: calculate the sampling point distribution based on the time sequence mapping relationship dataset, map the coverage gaps as mismatch windows, and extract the start and end times of the mismatch windows as the time sequence intervals in which short-term control and manipulation behaviors occur; S3: within the time sequence interval, merge the real-time control status data output by the industrial control system controller according to the scan cycle to form interval control status sequence data, and perform adjacent difference and flip detection to obtain short-term abnormal state change data; S4: within the time sequence interval, merge the network packet data collected by the monitoring node according to the sampling time sequence to form interval network packet sequence data, and compare packet intervals and packet content differences to obtain time sequence matching anomaly feature data; S5: compare the temporal position of the short-term abnormal state change data with the temporal position of the time sequence matching anomaly feature data to form abnormal feature fusion data; S6: based on the abnormal feature fusion data, backtrack the interval network packet sequence data and interval control status sequence data of the time sequence interval to determine the start and end time interval and the communication link information, and generate security monitoring alarm data.
2. The industrial control system network security monitoring method according to claim 1, characterized in that S1 specifically comprises: extracting control program execution cycle information from the operating configuration and operation log of the industrial control system controller to calculate the scan cycle data of the industrial control system controller; extracting data capture trigger time information from the data acquisition configuration and data acquisition records of the network security monitoring node to generate the sampling time sequence data of the monitoring node; and, based on a unified time reference, time-aligning the scan cycle data of the industrial control system controller with the sampling time sequence data of the monitoring node to construct the time sequence mapping relationship dataset.
3. The industrial control system network security monitoring method according to claim 2, characterized in that S2 specifically comprises: based on the time sequence mapping relationship dataset, calculating the position of each point of the sampling time sequence data of the monitoring node within the scan cycle data of the industrial control system controller to generate sampling point distribution data; based on the sampling point distribution data, identifying coverage gaps, i.e. portions of the scan cycle data lying between adjacent sampling points that contain no sampling point of the monitoring node; mapping each coverage gap as a mismatch window between the monitoring sampling timing and the industrial control system controller scan cycle; and extracting the start and end times of the mismatch window as the time sequence interval in which short-term control and manipulation behavior occurs.
4. The industrial control system network security monitoring method according to claim 3, characterized in that S3 specifically comprises: based on the time sequence interval of short-term control and manipulation behavior, extracting the corresponding time sequence data from the real-time control status data output by the industrial control system controller; merging the extracted real-time control status data according to the scan cycle data of the industrial control system controller to form interval control status sequence data; performing numerical difference and flip detection on the real-time control status data of adjacent scan cycles in the interval control status sequence data; and extracting the end time of the scan cycle in which the state change occurs, together with the corresponding state change amplitude information, to generate short-term abnormal state change data.
5. The industrial control system network security monitoring method according to claim 4, characterized in that S4 specifically comprises: based on the time sequence interval of short-term control and manipulation behavior, extracting the corresponding time sequence data from the network packet data collected by the monitoring node; merging the extracted network packet data according to the sampling time sequence data of the monitoring node to form interval network packet sequence data; calculating, for adjacent network packets in the interval network packet sequence data, the interval between their packet capture trigger times and the difference in their packet content; and extracting the packet interval anomaly positions and the packet content anomaly features to generate time sequence matching anomaly feature data.
6. The industrial control system network security monitoring method according to claim 5, characterized in that S5 specifically comprises: determining the temporal position of each abnormal state change from the end time of the scan cycle of that abnormal state change in the short-term abnormal state change data; determining the temporal position of each packet anomaly feature from the packet capture trigger time corresponding to the packet interval anomaly position and the packet content anomaly feature in the time sequence matching anomaly feature data; and comparing the temporal positions of the abnormal state changes with the temporal positions of the packet anomaly features to form abnormal feature fusion data of the short-term control and manipulation behavior.
7. The industrial control system network security monitoring method according to claim 6, characterized in that S6 specifically comprises: determining the start and end time positions of the short-term control and manipulation behavior from the abnormal feature fusion data of the short-term control and manipulation behavior; backtracking the interval network packet sequence data and interval control status sequence data of the corresponding time sequence interval, using the start and end time positions as boundaries, to determine the start and end time interval corresponding to the short-term control and manipulation behavior; and extracting the source address, destination address, port number and protocol type of the network packets within the start and end time interval to generate communication link information and form the security monitoring alarm data.
8. An industrial control system network security monitoring system for implementing the industrial control system network security monitoring method according to any one of claims 1 to 7, characterized in that it includes: a timing alignment module, which acquires the scan cycle data of the industrial control system controller and the sampling time sequence data of the monitoring node, performs time alignment based on a unified time reference, and forms a time sequence mapping relationship dataset; a window extraction module, which calculates the sampling point distribution based on the time sequence mapping relationship dataset, maps the coverage gaps as mismatch windows, and extracts the start and end times of the mismatch windows as the time sequence intervals in which short-term control and manipulation behaviors occur; a state analysis module, which, within the time sequence interval, merges the real-time control status data output by the industrial control system controller according to the scan cycle to form interval control status sequence data, and performs adjacent difference and flip detection to obtain short-term abnormal state change data; a packet analysis module, which, within the time sequence interval, merges the network packet data collected by the monitoring node according to the sampling time sequence to form interval network packet sequence data, and compares packet intervals and packet content differences to obtain time sequence matching anomaly feature data; a feature fusion module, which compares the temporal position of the short-term abnormal state change data with the temporal position of the time sequence matching anomaly feature data to form abnormal feature fusion data; and an alarm generation module, which, based on the abnormal feature fusion data, backtracks the interval network packet sequence data and interval control status sequence data of the time sequence interval, determines the start and end time interval and the communication link information, and generates security monitoring alarm data.
9. A network security monitoring device for an industrial control system, characterized in that it includes: a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the network security monitoring method for an industrial control system according to any one of claims 1 to 7.
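The following is an added worked example of the S1 to S6 pipeline described in claims 1 to 7; it is illustrative code written for this page, not the patent's or the assignee's own implementation. The scan period, unified time reference, monitoring-node sample times, controller coil states and captured packets are all constructed, and the interval-deviation ratio and fusion tolerance are assumptions. It shows the one point the claims hinge on: a write that lands in a scan cycle the monitoring node never sampled is still recoverable by comparing the controller's per-cycle output against the packets captured inside that coverage gap.

```python
"""Added example (not the patent's code): S1-S6 of claims 1-7 on constructed data."""
from dataclasses import dataclass
from statistics import median

SCAN_PERIOD_MS = 10   # assumed controller scan cycle; unified time reference is t=0,
                      # so scan cycle k covers [k*P, (k+1)*P) milliseconds


@dataclass(frozen=True)
class Packet:
    """One message captured by the monitoring node (fields named after claim 7)."""
    t_ms: int          # packet capture trigger time
    src: str
    dst: str
    port: int
    proto: str
    payload: bytes


def cycle_of(t_ms):
    """S1: place a monitoring-node timestamp on the controller scan cycle axis."""
    return t_ms // SCAN_PERIOD_MS


def mismatch_windows(sample_times_ms):
    """S2: adjacent samples with at least one unsampled scan cycle between them
    bound a coverage gap; return each gap as a (start_ms, end_ms) mismatch window."""
    windows = []
    for a, b in zip(sample_times_ms, sample_times_ms[1:]):
        ca, cb = cycle_of(a), cycle_of(b)
        if cb - ca > 1:
            windows.append(((ca + 1) * SCAN_PERIOD_MS, cb * SCAN_PERIOD_MS))
    return windows


def state_changes(states, window, min_delta=1):
    """S3: states maps scan cycle index -> controller output value. Compare adjacent
    cycles inside the window; report (end time of the changed cycle, amplitude)."""
    start, end = window
    cycles = [c for c in sorted(states) if start <= c * SCAN_PERIOD_MS < end]
    found = []
    for prev, cur in zip(cycles, cycles[1:]):
        delta = states[cur] - states[prev]     # a 0/1 coil flip shows as +1 or -1
        if abs(delta) >= min_delta:
            found.append(((cur + 1) * SCAN_PERIOD_MS, delta))
    return found


def packet_anomalies(packets, window, ratio=0.5):
    """S4: order packets captured inside the window; flag a pair whose gap deviates
    from the window median by more than ratio*median (interval anomaly) or whose
    payload differs from its predecessor (content anomaly). Each hit is
    (capture time, packet, interval_anomaly, content_anomaly)."""
    start, end = window
    seq = sorted((p for p in packets if start <= p.t_ms < end), key=lambda p: p.t_ms)
    gaps = [b.t_ms - a.t_ms for a, b in zip(seq, seq[1:])]
    if not gaps:
        return []
    base = median(gaps)
    found = []
    for a, b, gap in zip(seq, seq[1:], gaps):
        interval_bad = abs(gap - base) > ratio * base
        content_bad = a.payload != b.payload
        if interval_bad or content_bad:
            found.append((b.t_ms, b, interval_bad, content_bad))
    return found


def fuse(changes, anomalies, tol_ms=2 * SCAN_PERIOD_MS):
    """S5: a packet anomaly explains a state change when it was captured within
    tol_ms before the end of the changed cycle (assumed: a command that arrives
    during one scan cycle is visible on the outputs by the end of the next)."""
    fused = []
    for t_change, delta in changes:
        hits = [a for a in anomalies if 0 <= t_change - a[0] <= tol_ms]
        if hits:
            fused.append((t_change, delta, hits))
    return fused


def alarms(fused):
    """S6: backtrack to start/end bounds and extract the communication link."""
    result = []
    for t_change, delta, hits in fused:
        links = sorted({(h[1].src, h[1].dst, h[1].port, h[1].proto) for h in hits})
        result.append({"start_ms": min(h[0] for h in hits), "end_ms": t_change,
                       "amplitude": delta, "links": links})
    return result


# ---- constructed sample data (not from the patent) ----
SAMPLE_TIMES_MS = [0, 10, 20, 70, 80]                      # cycles 3-6 never sampled
STATES = {c: (1 if 5 <= c <= 7 else 0) for c in range(9)}  # coil turns on in cycle 5
READ = b"\x03\x00\x10\x00\x01"                             # Modbus-style FC3 read
WRITE = b"\x05\x00\x10\xff\x00"                            # Modbus-style FC5 coil ON
PACKETS = [Packet(t, "10.0.0.10", "10.0.0.5", 502, "modbus", READ)
           for t in (5, 15, 25, 35, 45, 65, 75)]           # HMI polling every cycle
PACKETS.append(Packet(47, "10.0.0.99", "10.0.0.5", 502, "modbus", WRITE))  # unexpected writer


def run_pipeline(sample_times=SAMPLE_TIMES_MS, states=STATES, packets=PACKETS):
    """S1-S6 end to end; returns the security monitoring alarm data."""
    out = []
    for window in mismatch_windows(sample_times):
        out.extend(alarms(fuse(state_changes(states, window),
                               packet_anomalies(packets, window))))
    return out


if __name__ == "__main__":
    for alarm in run_pipeline():
        print(alarm)
```

With the constructed data the only mismatch window is 30 to 70 ms; the coil flips in cycle 5 (end time 60 ms), the write from 10.0.0.99 at 47 ms is flagged on both interval and content, and the resulting alarm carries start 47 ms, end 60 ms and the single link (10.0.0.99, 10.0.0.5, 502, modbus). The HMI read at 65 ms is also flagged by the adjacent-packet comparison but falls outside the fusion tolerance, which is why the time comparison of S5, not the packet features alone, is what narrows the alarm to the responsible flow.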