An edge computing and data security protection gateway for industrial control systems

By designing an edge computing and data security protection gateway, the problem of traditional technologies being unable to identify PLC logic hijacking and attacks that violate physical laws has been solved, achieving efficient security protection for industrial control systems and avoiding system compatibility risks and high false alarm rates.

CN122339737APending Publication Date: 2026-07-03HENAN HONGRUIDA IND TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HENAN HONGRUIDA IND TECHNOLOGY CO LTD
Filing Date
2026-03-24
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing technologies cannot effectively detect PLC logic hijacking and malicious attacks that violate the laws of physics and dynamics without installing host agent software. Furthermore, traditional firewalls cannot identify abnormal instructions that conform to protocol specifications but violate the laws of physical inertia, leading to the risk of mechanical damage to industrial control systems.

Method used

Design an edge computing and data security protection gateway for industrial control systems. Through a protocol parsing module, a physical calculation module, a differential injection module, and an association adjudication module, it realizes real-time status monitoring and compliance verification of PLCs. It uses communication pairs with differential disturbances smaller than the system resolution for microsecond-level detection and combines computing power-state multidimensional fingerprint database for anomaly determination.

Benefits of technology

It effectively detects PLC logic hijacking and attacks that violate physical laws, avoiding system compatibility issues and high false alarm rates, thus ensuring the stability and security of industrial control systems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339737A_ABST
    Figure CN122339737A_ABST
Patent Text Reader

Abstract

This invention relates to the fields of network security and edge computing technology for industrial control systems. It discloses an edge computing and data security protection gateway for industrial control systems, comprising protocol parsing, physical calculation, differential injection, and correlation adjudication modules. The protocol parsing module parses bidirectional messages and maintains a real-time state copy of the controlled object. The physical calculation module deduces the physical reachability set based on physical dynamics characteristics and performs compliance verification on write commands. After successful verification, the differential injection module constructs atomic communication pairs containing minute perturbations and controls their continuous microsecond-level transmission. The correlation adjudication module extracts the pure computation time based on precise interaction timing and calculates anomaly correlation indices using a computing power-state multidimensional fingerprint database to determine whether the controller is in a controlled state. This invention achieves non-intrusive logical integrity verification without installing host software, effectively defending against logical hijacking and physical violation attacks.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security and edge computing technology for industrial control systems, specifically to an edge computing and data security protection gateway for industrial control systems. Background Technology

[0002] With the deep integration of industrial internet technology, industrial control systems are gradually moving from closed and isolated to open and interconnected. Programmable logic controllers (PLCs), as the key hub connecting digital instructions and physical actuators, face increasingly severe cybersecurity threats. In particular, malicious code injection and logic bombs targeting the controller's underlying logic can lurk within normal control programs, causing irreversible mechanical damage to high-value physical equipment such as centrifuges and generator sets by tampering with critical process parameters or hijacking execution logic. This hybrid attack, spanning both the information and physical domains, has become a key focus and challenge in current industrial security defenses.

[0003] Existing industrial control system security technologies primarily rely on a combination of network perimeter defense and terminal host protection. Common technical solutions include deploying industrial firewalls, using deep packet inspection technology to perform format parsing and access control list filtering of industrial protocols such as Modbus and S7Comm to block unauthorized network connections; or installing antivirus software and host security software on engineering workstations and host servers to prevent malware from moving laterally through the host computer and infecting the controller; in addition, some advanced auditing systems establish statistically based traffic baselines by mirroring traffic through bypass, attempting to detect abnormal behavior by analyzing traffic size, frequency, and other characteristics.

[0004] While existing technologies have improved network perimeter defense capabilities to some extent, several shortcomings remain: PLCs and other field control devices typically employ closed, proprietary embedded real-time operating systems, resulting in extremely limited hardware computing resources and stringent requirements for the deterministic nature of control cycles. This prevents the direct installation of antivirus agents or third-party monitoring processes within the device, unlike general-purpose computers. Such installations would lead to severe compatibility conflicts, warranty breaches, or even system crashes, making it difficult for defenders to perform in-depth logical integrity checks. Furthermore, traditional deep packet inspection (DPI) techniques primarily focus on the syntax and function code compliance of communication protocols, lacking an understanding of the physical dynamics of the controlled object. Attackers can construct legitimate instructions that conform to protocol specifications but violate physical inertia, thereby bypassing firewall detection and directly damaging physical devices. Additionally, passive traffic monitoring and static baseline analysis are insufficient to detect dormant logic bombs and are susceptible to network jitter, generating numerous false alarms and failing to meet the demands of high-precision real-time defense. Summary of the Invention

[0005] To address the shortcomings of existing technologies, this invention provides an edge computing and data security protection gateway for industrial control systems, solving the technical problem that existing technologies cannot effectively detect PLC logic hijacking and malicious attacks that violate the laws of physical dynamics without installing host agent software.

[0006] To achieve the above objectives, the present invention provides the following technical solution: an edge computing and data security protection gateway for industrial control systems, comprising a protocol parsing module, a physical calculation module, a differential injection module, and an association adjudication module;

[0007] The protocol parsing module is configured to parse bidirectional communication messages, maintain a copy of the real-time status data of the controlled object, and provide the physical status reference value of the previous moment.

[0008] The physical calculation module is configured to deduce the physical reachability set at the next moment based on the physical state baseline value, and thereby perform physical compliance verification on the target setting value of the write instruction.

[0009] The differential injection module is configured to construct an atomic communication pair containing a load instruction and a reference instruction after the verification is passed, and control the atomic communication pair to be continuously sent at microsecond intervals to trigger controller operation.

[0010] The association adjudication module is configured to extract the pure computation time of atomic communication pairs and calculate the abnormal association index by combining the theoretical benchmark time in the computing power-state multidimensional fingerprint database, and determine whether the controller is in a controlled state.

[0011] Preferably, the protocol parsing module maintains the real-time status data copy in the following manner:

[0012] By passively listening to response messages, function codes and device status values ​​are extracted and overwritten with old data in the status mirror table.

[0013] The status mirror table is periodically scanned. If the difference between the timestamp of a register in the monitoring address list and the current system time exceeds the preset data aging threshold, a read request message is generated and sent to the field controller. The status is filled in using the subsequent response data to ensure that an accurate physical status reference value of the previous moment is provided.

[0014] Preferably, the verification logic of the physics calculation module is as follows:

[0015] Calculate the time difference between the arrival time of the current write instruction and the timestamp corresponding to the physical state reference value of the previous time.

[0016] Based on the physical fingerprint parameters of the controlled object, including the maximum positive rate of change and the maximum negative rate of change, the upper limit value of the physical state that can be theoretically reached within the time difference and the lower limit value of the physical state are calculated, thereby defining the physical reachability set;

[0017] If the target setting value exceeds the physical reachability set, a physical violation signal is generated and the network interface unit is driven to discard the instruction message.

[0018] Preferably, the atomic communication pair constructed by the differential injection module satisfies the following characteristics:

[0019] The load command carries an injection probe value, which is the sum of the target setpoint and the differential disturbance amount, wherein the amplitude of the differential disturbance amount is less than or equal to the minimum resolution or control dead zone allowed by the system.

[0020] The baseline command carries the original target setting value;

[0021] The two frames of the atomic communication pair are sent back-to-back within the same network congestion window, and the time interval between transmissions is less than the mechanical response constant of the physical actuator of the controlled object, ensuring that the detection process has no impact on the actual physical production process.

[0022] Preferably, the differential injection module is further configured with step amplitude monitoring logic:

[0023] Before constructing the atomic communication pair, the absolute value of the difference between the target setpoint and the physical state reference value at the previous moment is calculated;

[0024] If the absolute value of the difference exceeds a preset step threshold, the differential injection module will send a second set of atomic communication pairs within a preset calculation window after sending the first set of atomic communication pairs, in order to detect the resource usage of the controller during the execution of complex operations.

[0025] Preferably, the method by which the associated adjudication module extracts the pure computation time is as follows:

[0026] Using a hardware clock coupled to the network interface, the hardware transmission time of issuing the load command is recorded, and the hardware reception time of receiving the corresponding acknowledgment message is also recorded.

[0027] The difference between the hardware receiving time and the hardware sending time is calculated, and the network transmission delay based on the link layer calibration is deducted to obtain the pure computation time required for the controlled object to process the minute disturbance.

[0028] Preferably, the computing power-state multidimensional fingerprint database in the association adjudication module stores dynamic function relationships that describe the controlled object's execution of standard control logic under different physical states;

[0029] The fingerprint benchmark management unit in the associated adjudication module constructs a continuous benchmark function using polynomial fitting or piecewise linear interpolation. The benchmark function outputs the corresponding theoretical benchmark time for the input physical state value.

[0030] Preferably, the difference calculation unit in the association adjudication module calculates the abnormal association index through the following logic:

[0031] Calculate the absolute value of the difference between the pure computation time and the theoretical baseline time;

[0032] Divide the absolute value by the denominator, which is the sum of the statistical standard deviation obtained based on historical normal data and a small regularization constant to prevent the denominator from being zero;

[0033] The anomaly correlation index is used to accurately quantify the deviation of behavior from the physical state.

[0034] Preferably, the security execution unit in the associated adjudication module generates control instructions according to the following logic:

[0035] When the abnormal correlation index is less than or equal to the preset security confidence threshold, the device is determined to be in a safe and trustworthy state, and a release command is sent.

[0036] When the abnormal correlation index is greater than the security confidence threshold, the device is determined to be in a logical hijacking state, a high-level security alarm is generated, and external write access to the controller is cut off.

[0037] Preferably, it also includes a high-precision clock unit;

[0038] The high-precision clock unit is composed of the hardware timestamp function module of the network interface controller. It is directly driven by the physical layer clock signal and is used to provide a microsecond-level transmission synchronization reference for the differential injection module to build atomic communication pairs, and to record the precise time of message entry and exit from the physical port for the association adjudication module.

[0039] This invention provides an edge computing and data security protection gateway for industrial control systems. It offers the following advantages:

[0040] 1. This invention constructs atomic communication pairs through a differential injection module, continuously transmitting load commands and reference commands carrying minute perturbations within microsecond intervals. Utilizing the characteristics that the differential perturbation is less than the system resolution and the transmission interval is less than the mechanical response constant, the controller is forced to execute operational logic without triggering physical actions of the controlled object. This non-intrusive side-channel detection method requires no installation of any proxy software or modification of the original firmware within the field controller, avoiding the risk of system downtime or warranty breaches due to third-party software compatibility issues. It is particularly suitable for logical integrity verification of existing industrial control systems with extremely high stability requirements.

[0041] 2. This invention introduces a rationality verification mechanism based on dynamic characteristics through a physical calculation module. Based on the maximum rate of change and inertial time constant of the controlled object, it deduces the physical reachability set for the next moment from the physical state baseline value of the previous moment. This mechanism overcomes the limitation of traditional industrial firewalls that can only check the compliance of message protocol formats. It can further identify abnormal commands that conform to protocol specifications but violate physical inertial laws beyond the application layer semantics, effectively preventing attackers from exploiting logical vulnerabilities to send legitimate but dangerous commands that cause substantial mechanical damage to physical equipment.

[0042] 3. This invention establishes a multi-dimensional fingerprint database of computing power and status through an association adjudication module. Combined with pure computation time extracted from hardware timestamps, it dynamically calculates the anomaly correlation index. This scheme establishes a dynamic functional mapping relationship between computational behavior and physical state. By calculating the deviation between pure computation time and theoretical baseline time, it reduces interference caused by differences in network transmission latency and instruction execution complexity. Compared to static threshold detection, this method can accurately quantify the matching degree between computing resource usage and physical conditions, significantly reducing the false alarm rate and accurately determining whether the field controller is in a controlled state hijacked by malicious code. Attached Figure Description

[0043] Figure 1 A module architecture diagram of an embodiment of the present invention;

[0044] Figure 2 A schematic diagram of the hardware architecture of an embodiment of the present invention;

[0045] Figure 3 Internal structure block diagram of the protocol parsing and state maintenance module according to an embodiment of the present invention;

[0046] Figure 4 A logical structure block diagram of a physics calculation module according to an embodiment of the present invention;

[0047] Figure 5 A block diagram of the logic structure of a differential injection module according to an embodiment of the present invention;

[0048] Figure 6 A logical structure block diagram of the association adjudication module according to an embodiment of the present invention.

[0049] Among them, 110 is the protocol parsing module; 120 is the physical calculation module; 130 is the differential injection module; and 140 is the association adjudication module. Detailed Implementation

[0050] The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0051] See attached document Figure 1 , Figure 1 This is a module architecture diagram according to an embodiment of the present invention. The present invention provides an edge computing and data security protection gateway for industrial control systems, including: a protocol parsing module 110, a physical calculation module 120, a differential injection module 130, and an association adjudication module 140.

[0052] The protocol parsing module 110 is configured to connect the host computer and the field controller, performing full-duplex monitoring and in-depth parsing of bidirectional communication messages. Bidirectional communication messages refer to all network data traffic transmitted between the host computer and the field controller. This module is used to identify and extract function codes, target register addresses, and payload values ​​from messages of various industrial protocols (such as ModbusTCP, Profinet, or OPCUA). Simultaneously, this module maintains a real-time status data copy of the controlled object in local memory, updating this copy by passively listening to response messages or actively constructing read requests. This allows it to determine the previous physical state reference value based on the current status data copy when a write command is intercepted.

[0053] The physics calculation module 120, connected to the protocol parsing module 110, is configured to use physical dynamics characteristics to verify the rationality of control commands. This module is used to read the physical fingerprint parameters of the controlled object and, based on the physical state baseline value of the previous moment and the current sampling time interval provided by the protocol parsing module 110, deduce the physical reachable set that the physical state can exist in the next moment. This module compares the target set value written in the command with the value range. If the target set value exceeds the range, a physical violation signal is immediately generated.

[0054] The differential injection module 130 is configured to build an active timing detection mechanism in the communication link. This mechanism is a side-channel analysis method that uses minute disturbances to measure the computing load of the controller. It does not rely on installing antivirus software inside the PLC, but discovers hidden malicious code by performing precise measurements on the network side. The differential injection module 130 is used to reconstruct a single write instruction into an atomic communication pair containing a load instruction and a reference instruction, and uses the underlying driver and hardware interrupt control mechanism to force the two to be sent continuously at a minimum time interval of microseconds to ensure that they are within the same network congestion window. In addition, when the step amplitude of the load instruction is determined to exceed a preset threshold, the module also sends an additional set of atomic communication pairs within the calculation window after the atomic communication pair is sent, in order to detect the resource consumption and communication jitter of the controller during the execution of complex calculations.

[0055] The associated adjudication module 140 is connected to the physical calculation module 120 and the protocol parsing module 110, respectively, and is configured to perform multi-dimensional security verification based on feedback data and high-precision time measurement. This module is used to record the precise sending and receiving times of all relevant messages through hardware interrupts or physical layer latching mechanisms, calculate the difference between the round-trip delay of the load command and the baseline command to eliminate common-mode interference in network transmission, thereby extracting the pure computation time of the controller; at the same time, this module calculates the statistical standard deviation of the response time of atomic communication to quantify the communication jitter characteristics, and finally integrates the physical violation signal, the matching degree of the pure computation time and the preset computing power model, and the statistical standard deviation judgment result to generate control commands for allowing, alarming or blocking the session.

[0056] See attached document Figure 2 , Figure 2 This is a schematic diagram of an industrial edge protection gateway hardware architecture according to an embodiment of the present invention. In this embodiment, the industrial edge protection system is built on an embedded industrial gateway architecture at the physical layer. The gateway is deployed on the critical path of the industrial control network, and the physical connection is located between the host computer and the field controller.

[0057] The central processing unit (CPU) employs a high-performance embedded multi-core processor, which integrates an independent floating-point arithmetic unit. This floating-point arithmetic unit is specifically configured to perform differential inequality solving in the physics calculation module 120 and statistical dispersion calculations in the correlation adjudication module 140. Hardware acceleration ensures that the solution latency of the aforementioned mathematical models is lower than the scan cycle of the industrial control system. The gateway is equipped with non-volatile memory and a large-capacity random access memory (RAM). The RAM is used to dynamically maintain the controlled object state image table generated by the state storage unit during runtime and to cache network data packets to be processed.

[0058] The network communication interface unit includes at least two physically isolated Gigabit Ethernet interfaces, defined as an uplink interface and a downlink interface, respectively. The uplink interface connects to a human-machine interface terminal or a monitoring and data acquisition system via a physical medium, while the downlink interface connects to a programmable logic controller (PLC). These two network interfaces are logically connected at the data link layer through a bridge driver. To achieve transparent protection, the gateway employs kernel bypass technology or zero-copy technology to take over data link layer traffic. In transparent transmission mode, although the gateway keeps the source and destination media access control addresses of the forwarded frames unchanged, it actually first maps the data frames entering the uplink interface and temporarily stores them in a pre-allocated memory pool in user space. After the protocol parsing module 110 completes content auditing and the associated adjudication module 140 outputs a pass command, the data frames are then moved to the downlink interface transmission queue through a direct memory access mechanism, thereby achieving physical-level blocking of malicious commands without changing the network topology.

[0059] The high-precision clock unit is composed of the hardware timestamp function module of the network interface controller. This unit is directly driven by the physical layer clock signal and is used to provide a microsecond-level transmission synchronization reference for the differential injection module 130 to build atomic communication pairs, and to record the precise time of message entry and exit from the physical port. This hardware timestamp mechanism reduces the random jitter introduced by operating system interrupt responses and protocol stack context switching, ensuring the accuracy of pure computation time measurement results.

[0060] In practical deployments, the gateway device is installed in an industrial control cabinet via a standard DIN rail and powered by a DC power supply. The specific circuit schematic design and electromagnetic compatibility handling of the gateway can be implemented by those skilled in the art based on existing industrial embedded hardware design standards, and will not be elaborated upon here.

[0061] See attached document Figure 3 , Figure 3 This is a block diagram of the internal structure of a protocol parsing and status maintenance module according to an embodiment of the present invention. In this embodiment, the protocol parsing module 110 serves as a communication processing unit connecting the host computer and the field controller, configured to perform full-duplex monitoring and in-depth parsing of bidirectional communication messages flowing through the hardware interface. Logically, this module includes: a message parsing unit, a status storage unit, a synchronization update unit, and a reference extraction unit.

[0062] The message parsing unit is configured to identify and parse industrial control protocols based on deep packet inspection technology. This unit has a built-in protocol feature library and can automatically identify the protocol type used in the current communication based on the transport layer port number or feature words in the application layer message header, including but not limited to Modbus TCP, Profinet, or OPCUA protocols. The message parsing unit is used to strip the header encapsulation of the data link layer and network layer, extracting key fields from the application layer payload. Specifically, for downlink control messages, this unit extracts the function code to identify write operations and parses out the target register address and target setpoint; for uplink response messages, this unit extracts the feedback function code, data length, and corresponding device status values.

[0063] The state storage unit is configured to build and maintain a state mirror table of the controlled object in the gateway's local random access memory. This state mirror table uses a hash table or direct memory mapping structure, where the keys correspond to the physical addresses of registers or variable tags within the field controller, and the values ​​contain two fields: one is the latest physical state value corresponding to that address, i.e., the actual parameters of the controlled object in the physical world; the other is the system timestamp when that value was last updated. In this way, the state storage unit establishes a real-time digital copy of the controlled object in the gateway's local memory.

[0064] The synchronization update unit is configured to ensure that the data in the state mirror table remains synchronized with the actual state of the field controller through a combination of passive listening and active probing. This unit has a pre-defined list of monitoring addresses and only maintains the status of key registers defined in this list. In passive listening mode, when the message parsing unit intercepts uplink response messages or periodic input / output data messages sent by the field controller to the host computer, the synchronization update unit directly overwrites the old data at the corresponding address in the state mirror table with the parsed feedback value and refreshes the system timestamp. In active probing mode, this unit has a preset data aging threshold. The synchronization update unit periodically scans the state mirror table; if it detects that the difference between the timestamp of a register in the monitoring address list and the current system time exceeds the data aging threshold, it determines that the data is invalid. At this time, the unit triggers the generation of a standard read request message, which is sent to the field controller via the downlink interface. The subsequent response data completes the status filling, thus ensuring that the gateway can still grasp the latest status of the controlled object when the host computer is not in operation.

[0065] The reference extraction unit is configured to provide a calculation reference before physical verification begins. When the gateway intercepts a valid write command, the reference extraction unit performs an index lookup in the state mirror table based on the target register address in the command, and extracts the physical state value currently stored at that address. This extracted value is defined as the physical state reference value. This physical state reference value represents the initial state of the controlled object before executing the current write command, and is subsequently sent to the physical calculation module 120 as the starting point for mathematical calculations to evaluate whether the current write command conforms to the laws of physical inertia. For multivariable coupled control systems, the reference extraction unit is also configured to synchronously extract the physical state reference values ​​of associated registers based on preset correlations, forming a multidimensional state vector.

[0066] See attached document Figure 4 , Figure 4 This is a logical structure block diagram of a physics calculation module 120 according to an embodiment of the present invention. In this embodiment, the physics calculation module 120 serves as a pre-logic verification unit of the system, configured to perform rationality verification of control commands using the physical dynamics and inertial characteristics of the controlled object. Logically, this module includes: a parameter configuration unit, an interval calculation unit, and a compliance verification unit.

[0067] The parameter configuration unit is configured to store and manage the physical fingerprint parameters of the controlled object. These parameters describe the controlled object's limit capability in terms of state changes in the physical world, and are typically entered by engineers during the system initialization phase based on equipment specifications or field calibration data. Physical fingerprint parameters include at least: maximum positive rate of change, maximum negative rate of change, and physical inertia time constant. For linear control systems, these rates of change are represented as fixed numerical constants; for nonlinear systems, the parameter configuration unit stores a piecewise linearization table or a rate of change curve lookup table to support querying the corresponding dynamic limit values ​​at different operating points.

[0068] The interval calculation unit is configured to deduce the physical reachability set allowed for the physical state at the next moment based on the physical state reference value of the previous moment and the current sampling time interval. Upon receiving the physical state reference value transmitted by the protocol parsing module 110, the interval calculation unit first calculates the time difference between the arrival time of the current write instruction and the timestamp corresponding to the physical state reference value. Subsequently, based on the mean value theorem of differential equations or the discretized model of a first-order inertial element, the unit calculates the theoretically achievable upper and lower limits of the controlled object's values ​​within the time difference.

[0069] The interval calculus unit constructs the following set of legality judgment inequalities:

[0070] ;

[0071] In the formula, This indicates the target setting value in the current write command. This represents the physical state reference value at the previous moment. This represents the time interval between two states. Indicates the maximum positive rate of change. (Positive values) represent the maximum negative rate of change. Indicates the time interval The upper limit of the physical states that the controlled object can reach. Indicates the time interval The upper limit of the physical states that the controlled object can reach. The interval calculus unit defines a dynamically changing set of physical reachability using the above formula. .

[0072] The compliance verification unit is configured to perform the final numerical comparison and adjudication. This unit receives the target setpoint from the write instruction and compares it with the physical reachability set generated by the interval calculation unit. If the target setpoint is within the physical reachability set (i.e., greater than or equal to the physical state limit and less than or equal to the physical state upper limit), the current instruction is determined to conform to the laws of physical inertia. The compliance verification unit sends a start trigger signal to the subsequent differential injection module 130, allowing the next step of computing power detection. If the target setpoint exceeds the range of the physical reachability set, the current instruction is determined to violate the physical constraints of the controlled object and is an abnormal control instruction. In this case, the compliance verification unit directly generates a physical violation signal and drives the network interface unit to discard the instruction message, while simultaneously sending alarm event data to the associated adjudication module 140, and no longer executing the subsequent differential injection process. This mechanism ensures that obvious physically abnormal instructions can be blocked immediately with low computational overhead.

[0073] See attached document Figure 5 , Figure 5 This is a logical structure block diagram of a differential injection module 130 according to an embodiment of the present invention. In this embodiment, the differential injection module 130 serves as the system's active detection execution unit, configured to apply a small computational load to the controlled object to detect its computational power surplus after the compliance verification unit confirms that the instruction is physically secure. Logically, this module includes: a perturbation generation unit, an atom injection unit, and a timing measurement unit.

[0074] The disturbance generation unit is configured to calculate the incremental changes in small state variables used for detection. This unit generates a differential disturbance based on the accuracy resolution or control dead zone parameters of the controlled object. The principle for selecting the value of this differential disturbance is that its amplitude should be large enough to be recognized by the registers of the field controller and trigger the operational logic, but at the same time, it should be small enough and its duration short enough that the mechanical actuators of the controlled object cannot respond due to physical inertia, thereby ensuring that the detection process has no impact on the actual physical production process.

[0075] The specific perturbation generation logic is expressed by the following formula:

[0076] (in the formula) ;

[0077] In the formula, This is represented as a differential disturbance, and its sign (positive or negative) depends on the position of the target setpoint within the range to avoid numerical overflow. This represents the target setting value for the current write command. This represents the minimum resolution allowed by the system or the control dead zone. This represents the value of the injected probe used for detection by the disturbance generation unit.

[0078] The atomic injection unit is configured to construct and send atomic communication pairs. This is the key mechanism for achieving non-destructive probing in this embodiment. An atomic communication pair consists of two consecutive message frames: the first frame is a load command carrying the injected probe value, and the second frame is a reference command carrying the original target setting value. The atomic injection unit utilizes the gateway's high-precision clock to send these two message frames back-to-back at microsecond intervals. Furthermore, the atomic injection unit is also configured with step amplitude monitoring logic. Before constructing the atomic communication pair, this unit calculates the absolute value of the difference between the current write command target setting value and the previous physical state reference value. If this difference exceeds a preset step threshold, it means the controller will perform more complex dynamic response calculations. The atomic injection unit will then send a second atomic communication pair within a preset calculation window after sending the first pair to detect the controller's continuous computing power consumption when handling large step loads. This mechanism ensures that the field controller goes through the process of "receiving disturbance - performing calculation - receiving recovery - performing calculation" within a very short time window. However, since this time window is much smaller than the mechanical response constant of the physical actuator, the physical device will not actually perform any mechanical action, thus completing a non-affected detection of the controller's computing power in the digital space.

[0079] The timing measurement unit is configured to accurately record the time consumption of the interaction process. This unit is directly coupled to the hardware layer of the network interface, recording the time difference between the sending time of the atomic communication pair and the receiving time of the acknowledgment response from the field controller. Specifically, the timing measurement unit records the hardware sending time of the "load command" and, based on the transaction identifier or sequence number in the message header, records the hardware receiving time of the corresponding acknowledgment message. Subsequently, the unit calculates the difference between the two and subtracts the network transmission delay based on the link layer calibration, thereby obtaining the pure computation time required for the controlled object to process this minor disturbance. This pure computation time data is then transmitted to the associated adjudication module 140 as the core basis for assessing whether malicious code is hijacking computing power within the controller.

[0080] See attached document Figure 6 , Figure 6 This is a logical structure block diagram of the association decision module 140 according to an embodiment of the present invention. In this embodiment, the association decision module 140, as the decision logic unit of the system, is configured to receive pure computation time data from the timing measurement unit and physical state values ​​from the protocol parsing module 110, and determine whether the field controller is in a controlled state based on the inherent correspondence between the two. Logically, this module includes: a fingerprint baseline management unit, a difference calculation unit, and a security execution unit.

[0081] The fingerprint baseline management unit is configured to store and maintain a multi-dimensional fingerprint database of computing power and state for the field controller. This fingerprint database is not a static set of fixed values, but rather a dynamic function describing the theoretical computation time required for the controlled object to execute standard control logic under different physical states. During system initialization or self-learning phases, the fingerprint baseline management unit records the baseline time distribution required by the controller CPU to process the logic as the physical state values ​​change under attack-free conditions. This unit uses polynomial fitting or piecewise linear interpolation to construct a continuous baseline function that can output a corresponding theoretical baseline time for any input physical state value.

[0082] The difference calculation unit is configured to quantify the degree of deviation between the actual measured value and the theoretical benchmark value. This unit receives the physical state value at the current moment and the measured pure calculation time. First, it calls the benchmark function in the fingerprint benchmark management unit to query the time value that should have been consumed in the current state. Then, it combines the statistical standard deviation obtained based on historical normal data to calculate the anomaly correlation index.

[0083] The specific calculation formula is expressed as follows:

[0084] ;

[0085] In the formula, This is expressed as the assumed physical state value at the current moment. To prevent small regularization constants with denominators of zero, This is expressed as the pure computation time definition from the timing measurement unit. This is represented as the definition of the baseline function. This is expressed as the definition of statistical standard deviation based on historical normal data. This is represented as the difference degree calculation unit calculating the abnormal correlation index. This formula reduces the impact of differences in the execution time of different instructions on the judgment result by normalizing the absolute error, thereby accurately quantifying the deviation of "computational behavior" from "physical state".

[0086] The security execution unit is configured to generate a final security judgment result based on an anomaly correlation index. This unit has a preset security confidence threshold. When the calculated anomaly correlation index is less than or equal to the security confidence threshold, it indicates that the actual computation time of the current controller conforms to the complex logical rules corresponding to its physical state, and the device is determined to be in a secure and trustworthy state. The security execution unit sends a pass command to the network interface, allowing subsequent normal communication packets to pass. When the anomaly correlation index is greater than the security confidence threshold, it indicates that the controller's computation time has a significant deviation from its current physical business processing, and the device is determined to be in a logical hijacking state. At this time, the unit immediately generates a high-level security alarm and, in conjunction with the gateway, executes a blocking policy, cutting off external write access permissions to the controller, while simultaneously recording a snapshot of the current physical state and anomaly time data for auditing.

[0087] This embodiment selects an industrial centrifuge speed control system as the verification object. The system hardware architecture consists of a Siemens S7-1500 programmable logic controller, a frequency converter, and a high-power centrifugal motor. The communication protocol is Modbus TCP, and the network bandwidth is 100Mbps.

[0088] Parameter settings: The centrifuge's rated speed is 3000 r / min. Field system identification shows the maximum mechanical acceleration (Aacc) of the physical system is 500 r / min / s, and the maximum mechanical deceleration (Adec) is 800 r / min / s. The controller's scan cycle is set to 10 ms. The gateway device is connected in series between the engineering station and the controller.

[0089] Physical fingerprint modeling: During system initialization, the gateway establishes a computing power fingerprint database through traversal testing. Tests show that the average CPU time for processing simple register-hold instructions is approximately 180 μs; when floating-point operations are involved, the time rises to 240 μs. The statistical standard deviation σ of the measurement data is approximately 15 μs.

[0090] When the host computer issues a write command requesting that the holding register 40001 (speed setting value) be adjusted from 1200 r / min to 2500 r / min, the gateway performs the following processing:

[0091] Physical reachability verification:

[0092] The gateway records the time difference between the arrival time of the previous instruction and the current time. The time is 50ms. According to the physical dynamics equations, the theoretical maximum increase in motor speed within 50ms is... r / min.

[0093] The upper limit of the physical reachable set at the next moment is 1225 r / min. The current instruction target value of 2500 r / min exceeds this physical boundary. The gateway determines that the instruction contains a semantic risk that would cause the physical device to operate beyond its limit and performs a blocking operation.

[0094] Computing power integrity verification: If the host computer issues a command of 1220 r / min, the gateway establishes an atomic communication pair.

[0095] First frame: Write the value 1220.1 r / min.

[0096] Second frame: Write the value 1220.0 r / min.

[0097] The gateway controls the interval between sending two message frames to be 20μs through FPGA hardware logic.

[0098] Real-time measurement feedback shows the time difference in which the controller processes the atom pair. It is 485 μs.

[0099] Combined with fingerprint database benchmark values s;

[0100] Calculate the deviation value s.

[0101] The deviation reached 8.3. Exceeding the preset 3 If the threshold is reached, it indicates that there is an unexpected additional computational load inside the controller, and the gateway will then output an alarm signal.

[0102] A test environment was built for the above system, and comparative tests were conducted using a traditional rule-based firewall, a traffic statistics-based anomaly detection system, and the edge computing protection gateway proposed in this invention. The test sample included 2,000 normal business traffic entries and 500 attack traffic entries that mixed protocol fuzzing, physical over-limit commands, and logical hijacking code.

[0103] Table 1: Comparison Test Results of Security Performance of Different Protection Schemes under Multidimensional Attack Vectors

[0104] Performance indicators Test Project Option A (Rule-based Firewall) Option B (Statistical Audit) Solution C (This invention) Detection rate (%) Protocol format error 99.8 97.2 99.9 Physical semantic violations 0.0 42.5 98.7 Logical computing power hijacking 0.0 31.4 94.2 False alarm rate (%) Sudden business traffic 0.0 14.2 1.3 Processing performance Average additional delay (μs) 42.5 580.4 115.6 Jitter variance (μs²) 5.2 120.8 18.3

[0105] Based on the test data in Table 1, the following technical conclusions can be drawn:

[0106] In the defense test against physical semantic violations, Solution A achieved a detection rate of 0.0%, confirming that traditional deep packet inspection technology cannot understand the physical meaning of application-layer data. While Solution B achieved a detection rate of 42.5%, its reliance on a statistical probability model based on large datasets means it lacks deterministic judgment capabilities for single, sudden physical violation commands. In contrast, Solution C, by introducing a physical calculation module 120, uses deterministic differential inequalities to deduce the physical reachability set, increasing the detection rate to 98.7%. The reason it didn't reach 100% is due to a slight nonlinear error between the physical model parameters and the actual equipment, but it already possesses practical value in industrial settings.

[0107] In detecting logic hijacking, data shows that Scheme C has a significant advantage. Logic hijacking typically does not alter the communication protocol format, thus Scheme A is ineffective. Scheme B attempts to detect anomalies through traffic time interval statistics, but due to the inherent transmission jitter of industrial networks, it maintains a detection rate of 31.4% while generating a false alarm rate as high as 14.2%, which can lead to frequent false alarms in actual production. This invention utilizes an atomic communication pair mechanism to effectively cancel common-mode interference on the network path by continuously sending load and baseline commands within a microsecond window, thereby accurately extracting the controller's pure computation time. Data shows that Scheme C controls the false alarm rate to 1.3% while achieving a detection rate of 94.2% for covert logic hijacking, proving that differential injection technology can still effectively quantify the controller's computing power surplus even in environments with extremely low signal-to-noise ratios.

[0108] Regarding system overhead, although Scheme C introduces physical calculations and active detection mechanisms, resulting in an average additional latency higher than Scheme A, which only performs simple forwarding, this latency is still far less than the millisecond-level scan cycle of the industrial controller. Compared to Scheme B, this invention uses FPGA-based hardware timestamps and logic acceleration, avoiding complex statistical calculations at the software level, and reducing processing latency by approximately 80%.

[0109] In summary, this invention solves the technical problems of traditional technologies being unable to identify compliant but dangerous physical commands and unable to detect tampering with underlying logic by verifying dynamic constraints at the physical level and detecting side-channel timing at the computational level, thus achieving effective protection against deep security threats to industrial control systems.

[0110] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. An edge computing and data security gateway for industrial control systems, characterized in that, include: Protocol parsing module, physics calculation module, differential injection module, and correlation adjudication module; The protocol parsing module is configured to parse bidirectional communication messages, maintain a copy of the real-time status data of the controlled object, and provide the physical status reference value of the previous moment. The physical calculation module is configured to deduce the physical reachability set at the next moment based on the physical state baseline value, and thereby perform physical compliance verification on the target setting value of the write instruction. The differential injection module is configured to construct an atomic communication pair containing a load instruction and a reference instruction after the verification is passed, and control the atomic communication pair to be continuously sent at microsecond intervals to trigger controller operation. The association adjudication module is configured to extract the pure computation time of atomic communication pairs and calculate the abnormal association index by combining the theoretical benchmark time in the computing power-state multidimensional fingerprint database, and determine whether the controller is in a controlled state.

2. The edge computing and data security gateway for industrial control system according to claim 1, wherein, The protocol parsing module maintains the real-time status data copy in the following manner: By passively listening to response messages, function codes and device status values ​​are extracted and overwritten with old data in the status mirror table. The status mirror table is periodically scanned. If the difference between the timestamp of a register in the monitoring address list and the current system time exceeds the preset data aging threshold, a read request message is generated and sent to the field controller. The status is filled in using the subsequent response data to ensure that an accurate physical status reference value of the previous moment is provided.

3. The edge computing and data security gateway for industrial control system according to claim 1, wherein, The verification logic of the physics calculation module is as follows: Calculate the time difference between the arrival time of the current write instruction and the timestamp corresponding to the physical state reference value of the previous time. Based on the physical fingerprint parameters of the controlled object, including the maximum positive rate of change and the maximum negative rate of change, the upper limit value of the physical state that can be theoretically reached within the time difference and the lower limit value of the physical state are calculated, thereby defining the physical reachability set; If the target setting value exceeds the physical reachability set, a physical violation signal is generated and the network interface unit is driven to discard the instruction message.

4. The edge computing and data security gateway for industrial control system of claim 1, wherein, The atomic communication pairs constructed by the differential injection module satisfy the following characteristics: The load command carries an injection probe value, which is the sum of the target setpoint and the differential disturbance amount, wherein the amplitude of the differential disturbance amount is less than or equal to the minimum resolution or control dead zone allowed by the system. The baseline command carries the original target setting value; The two frames of the atomic communication pair are sent back-to-back within the same network congestion window, and the time interval between transmissions is less than the mechanical response constant of the physical actuator of the controlled object, ensuring that the detection process has no impact on the actual physical production process.

5. The edge computing and data security gateway for industrial control system according to claim 4, wherein, The differential injection module is also configured with step amplitude monitoring logic: Before constructing the atomic communication pair, the absolute value of the difference between the target setpoint and the physical state reference value at the previous moment is calculated; If the absolute value of the difference exceeds a preset step threshold, the differential injection module will send a second set of atomic communication pairs within a preset calculation window after sending the first set of atomic communication pairs, in order to detect the resource usage of the controller during the execution of complex operations.

6. The edge computing and data security gateway for industrial control system of claim 1, wherein, The method by which the associated adjudication module extracts the pure computation time is as follows: Using a hardware clock coupled to the network interface, the hardware transmission time of issuing the load command is recorded, and the hardware reception time of receiving the corresponding acknowledgment message is also recorded. The difference between the hardware receiving time and the hardware sending time is calculated, and the network transmission delay based on the link layer calibration is deducted to obtain the pure computation time required for the controlled object to process minor disturbances.

7. The edge computing and data security gateway for industrial control system of claim 1, wherein, The computing power-state multidimensional fingerprint database in the associated adjudication module stores dynamic function relationships that describe the controlled object's execution of standard control logic under different physical states. The fingerprint benchmark management unit in the associated adjudication module constructs a continuous benchmark function using polynomial fitting or piecewise linear interpolation. The benchmark function outputs the corresponding theoretical benchmark time for the input physical state value.

8. The edge computing and data security gateway for industrial control system of claim 7, wherein, The difference calculation unit in the correlation adjudication module calculates the abnormal correlation index through the following logic: Calculate the absolute value of the difference between the pure computation time and the theoretical baseline time; Divide the absolute value by the denominator, which is the sum of the statistical standard deviation obtained based on historical normal data and a small regularization constant to prevent the denominator from being zero; The anomaly correlation index is used to accurately quantify the deviation of behavior from the physical state.

9. The edge computing and data security gateway for industrial control systems of claim 8, wherein, The security execution unit in the associated adjudication module generates control instructions based on the following logic: When the abnormal correlation index is less than or equal to the preset security confidence threshold, the device is determined to be in a safe and trustworthy state, and a release command is sent. When the abnormal correlation index is greater than the security confidence threshold, the device is determined to be in a logical hijacking state, a high-level security alarm is generated, and external write access to the controller is cut off.

10. The edge computing and data security gateway for industrial control system of claim 1, wherein, It also includes a high-precision clock unit; The high-precision clock unit is composed of the hardware timestamp function module of the network interface controller. It is directly driven by the physical layer clock signal and is used to provide a microsecond-level transmission synchronization reference for the differential injection module to build atomic communication pairs, and to record the precise time of message entry and exit from the physical port for the association adjudication module.