Industrial control system vulnerability trend analysis and early warning method and system
Technical field
The present invention relates to the field of industrial control system security, and in particular to an industrial control system vulnerability trend analysis and early warning method and system.
Background art
Conventional information security defense systems include firewalls, UTM, IPS, IDS, vulnerability scanning systems, anti-virus, terminal management systems, WAF, database audit (DB-AUDIT) and security monitoring platforms. Viewed as layers of the network structure, the product system is complete; in terms of actual functional capability, however, its shortcomings are also obvious, and they are mainly manifested in the following three aspects:
1. These traditional security products can each resist only some aspect of the security threats, and so form one "security isolated island" after another.
2. There is a lack of effective fusion and correlation analysis over the massive, multi-dimensional information security data, so no synergistic effect can be produced.
3. These security monitoring data cannot be turned into an efficient resource for upper-layer security decisions.
Most of these traditional security defense facilities analyze and monitor attacks that have already occurred by analyzing the logs of security equipment at the seven layers of the network. This is essentially passive defense thinking: it lacks network security situation awareness and the ability to link to early warning, and corresponding emergency measures are taken only after an attack has been detected, which is often too late, because by then the network attack has already happened and has caused irremediable loss.
Summary of the invention
The technical problem to be solved by the present invention is to provide an industrial control system vulnerability trend analysis and early warning method and system that emulate the core of the production environment that hackers focus on, namely the industrial control system, in order to induce attacks on the emulated industrial control system, collect the attack means, analyze the vulnerabilities, and warn the user in advance of serious vulnerability information that exists in the production environment or is about to be exploited.
In order to solve the above technical problem, the present invention provides an industrial control system vulnerability trend analysis and early warning method, characterized by comprising:
establishing, by emulation, several probes carrying the core protocols of industrial control systems, and deploying the probes in the public network and in intranets with a high degree of industrial internet completeness;
the emulated industrial control system probes collecting attack information in an interactive manner;
the emulated industrial control system probes sending the collected attack information to a data analysis module, the data analysis module being responsible for data analysis and vulnerability mining;
the data analysis module generating an attack-exploitation rule base and a vulnerability database according to the results of the data analysis and vulnerability mining;
the data analysis module using the generated attack-exploitation rule base and vulnerability database to analyze and match the attack information sent back by the probes, and reporting the attack information analysis results to the security equipment and to an early warning display platform.
In a preferred embodiment of the present invention, the method further comprises deploying the emulated industrial control system probes in the public network in a distributed manner so as to induce attackers in the public network to actively attack the probes, the probes being used to collect the attack information. The probes send the attack information collected in the public network to the data analysis module. Based on big data technology, the data analysis module performs data analysis and vulnerability mining on the massive data returned by the probes deployed in the public network: it first derives, from statistics over the massive data, the key characteristics of threats that actually endanger the industrial control production environment and generates the attack-exploitation rule base; it then mines the massive data for behaviors that conform to the rules in the attack-exploitation rule base, defines such behaviors as vulnerability exploitation, and generates the vulnerability database.
In a preferred embodiment of the present invention, the method further comprises deploying the emulated industrial control system probes in the intranet, and using the attack-exploitation rule base and vulnerability database generated by the data analysis module to analyze and match the data sent back by the probes in the intranet. The matching is first based on the attack-exploitation rule base: the data are rapidly matched against the rule base to find the key characteristics of threats; afterwards, behaviors conforming to the attack-exploitation rules are mined from those key characteristics and matched against the vulnerability database data to analyze the specific vulnerability information, and the results and warnings are reported to the security equipment and the early warning display platform, so that early warning and blocking both take effect.
In a preferred embodiment of the present invention, the core protocols provided on the probes further comprise Modbus, OPC, S7comm, IEC 104, EtherNet/IP, Kamstrup and BACnet.
In a preferred embodiment of the present invention, the probe interaction process further comprises simulating the communication process between a host computer and the industrial control system, including interactive operations such as the read var and write var read/write commands, the start and stop function codes, and register value modification, wherein deep interaction consists of function code exploitation and register value modification, and the probe makes a realistic response to these operations. A traffic capture tool is used to monitor and capture the traffic data packets of the various network request methods, which are stored in big data middleware. The probes are packaged using image technology and are brought online and offline in a unified manner from the early warning display platform.
In a preferred embodiment of the present invention, the probes may further be deployed on the engineer station or the SCADA server of the intranet.
In a preferred embodiment of the present invention, the method further comprises establishing an early warning display platform and a patch push platform. The early warning display platform displays, in a centralized manner, the attack trend within the monitoring range and the completeness of the industrial control environment construction within the monitoring range; the patch push platform pushes warning information and patch repair information to the enterprise where the user is located.
In a preferred embodiment of the present invention, the method further comprises linking the attack information analysis results obtained by the data analysis module with the security equipment: the attack information is submitted to the security equipment and recorded and stored, and at the same time the attack information is correlated with the anomaly logs of the entire production environment, so that anomalies are presented consistently and the "information island" style of security protection is broken.
In order to solve the above technical problem, the present invention also provides an industrial control system vulnerability trend analysis and early warning system, comprising a data collection module, a data storage medium, a data analysis module, an early warning display platform and a patch push platform;
the data collection module comprises distributed probes carrying the core protocols of industrial control systems, the probes being deployed in the public network and in intranets with a high degree of industrial internet completeness and being used to collect attack information in the public network or the intranet;
the data storage medium is used to store the attack information collected by the data collection module and to forward the attack information to the data analysis module;
the data analysis module comprises a database generation unit and a data analysis matching unit; the database generation unit is used to generate the attack-exploitation rule base and the vulnerability database, and the data analysis matching unit uses the generated attack-exploitation rule base and vulnerability database to analyze and match the attack information sent back by the probes and reports the attack information analysis results to the security equipment, the early warning display platform and the patch push platform;
the early warning display platform is used to display, in a centralized manner, the attack trend within the monitoring range and the completeness of the industrial control environment construction within the monitoring range; the patch push platform pushes warning information and patch repair information to the enterprise where the user is located.
Beneficial effects of the present invention:
The present invention emulates an industrial control system by analogue simulation and induces attackers to attack the emulated industrial control system. According to the collected attack information, it establishes an attack-exploitation rule base and a vulnerability database, analyzes mainstream attack trends, and provides the user with real-time threat early warning, so that the user can prevent trouble before it happens and repair latent vulnerabilities of the production environment in time, while also avoiding production accidents caused by the production environment itself being probed.
Compared with traditional industrial control defense systems: those analyze and monitor attacks that have already occurred, which is essentially passive defense thinking; they lack network security situation awareness and the ability to link to early warning, and take corresponding emergency measures only after an attack is detected, which is often too late, because by then the network attack has already happened and has caused irremediable loss.
The present invention no longer relies merely on specific vulnerability information as a fingerprint base, and does not need to collect in real time the vulnerability information published by authoritative websites in order to guarantee the authority of its own fingerprint base; hacker attack means are changeable and abundant, and by the time an authority publishes them their timeliness has been greatly reduced. Under the same conditions as the production environment, the present invention can provide the industrial control system with a solution aimed entirely at the core of production. The probe part of the invention simulates the core protocols of all kinds of PLC controllers and can be freely deployed in the public network or in intranets with a high degree of industrial internet completeness. When the probes are deployed in the public network, they serve as targets that induce attacks, collect in real time the industrial control vulnerability exploitation methods currently in circulation, push the newest vulnerability threat trends to the user, and establish the database. When the probes are deployed in the intranet, they can be deployed in parallel with the real industrial control equipment; when the intranet is attacked, they give the security officer a certain buffer time, capture vulnerability attacks in advance according to the established database and issue an early warning to the user, and at the same time submit the attack information to the security equipment for blocking, thereby achieving the defense purpose without affecting the production environment.
Description of the drawings
Fig. 1 is a flow chart of an industrial control system vulnerability trend analysis and early warning method of the present invention;
Fig. 2 is a block diagram of an industrial control system vulnerability trend analysis and early warning system of the present invention;
Fig. 3 is a technical framework diagram of the present invention with the probes deployed in the public network;
Fig. 4 is a technical framework diagram of the present invention with the probes deployed in the intranet.
Reference numerals in the figures: 10, data collection module; 20, data storage medium; 30, data analysis module; 301, database generation unit; 302, data analysis matching unit; 40, early warning display platform and patch push platform; 50, security equipment.
Specific embodiments
The present invention will be further explained below with reference to the attached drawings and specific examples, so that those skilled in the art can better understand the present invention and put it into practice, but the illustrated embodiments do not limit the invention.
Referring to Fig. 1, in an embodiment of the industrial control system vulnerability trend analysis and early warning method of the present invention, several probes carrying the core protocols of industrial control systems are established by emulation, and the probes are deployed in the public network or in intranets with a high degree of industrial internet completeness; the emulated industrial control system probes collect attack information in an interactive manner; the emulated industrial control system probes send the collected attack information to the data analysis module, which is responsible for data analysis and vulnerability mining; the data analysis module generates the attack-exploitation rule base and vulnerability database according to the results of the data analysis and vulnerability mining; and the data analysis module uses the generated attack-exploitation rule base and vulnerability database to analyze and match the attack information sent back by the probes, and reports the attack information analysis results to the security equipment and the early warning display platform.
In step S1, the core protocols include the interface protocols, network protocols and communication protocols of industrial control systems, such as the common domestic and international industrial control protocols Modbus, OPC, S7comm, IEC 104, EtherNet/IP, Kamstrup and BACnet.
The probes are packaged using image technology and are distributed and brought online and offline in a unified manner from the early warning display platform, which both ensures full coverage of the probe deployment network and removes the burden of manual installation.
In step S2, the interaction process of the probe mainly simulates the communication process between the host computer and the PLC, including interactive operations such as the read var and write var read/write commands, the start and stop function codes, and register value modification, wherein deep interaction consists of function code exploitation and register value modification, to which the probe makes realistic responses. To guarantee the integrity of the data captured within the request time, a traffic capture tool is used to monitor and capture the traffic data packets of the various network request methods, which are stored in big data middleware.
In steps S3 to S4, the probes are deployed in the public network and the database is established. The database includes the attack-exploitation rule base and the vulnerability database. Referring to Fig. 3, the database establishment process comprises the following steps: the emulated industrial control system probes are deployed in the public network in a distributed manner, so as to induce attackers in the public network to actively attack the probes, and the probes are used to collect the attack information; the probes send the attack information collected in the public network to the data analysis module; based on big data technology, the data analysis module performs data analysis and vulnerability mining on the massive data returned by the probes deployed in the public network. First, the key characteristics of threats that actually endanger the industrial control production environment are derived from statistics over the massive data, and the attack-exploitation rule base is generated; then, behaviors conforming to the rules in the attack-exploitation rule base are mined, such behaviors are defined as vulnerability exploitation, and the vulnerability database is generated. The attack-exploitation rule base thus defines the key characteristics of threats against the industrial control production environment, while the vulnerability database defines specific attacks. In this way, the information that threatens the industrial control production environment can first be rapidly filtered out of the massive attack information by matching key characteristics, and the dangerous information that passes the screening is then matched against the vulnerability database to lock onto the specific attack.
In step S5, the probes are deployed in the intranet, and the attack information from attacks detected on the intranet is matched against the database information. Referring to Fig. 4, the process comprises the following steps: the emulated industrial control system probes are deployed in the intranet; the attack-exploitation rule base and vulnerability database generated by the data analysis module are used to analyze and match the data sent back by the probes in the intranet; the matching is first based on the attack-exploitation rule base, rapidly matching the data against the rule base to find the key characteristics of threats; afterwards, behaviors conforming to the attack-exploitation rules are mined from the key characteristics and matched against the vulnerability database data to analyze the specific vulnerability information; and the results and warnings are reported to the security equipment and the early warning display platform, so that early warning and blocking both take effect.
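As an added illustration that is not part of the patent, the following Python code applies the two-stage matching of steps S3 to S5 to captured Modbus/TCP requests: stage 1 filters each request on the key characteristics of an attack-exploitation rule base, and stage 2 matches the survivors against vulnerability-database entries. The rule base, the database entries (the VDB-EXAMPLE ids), the reserved setpoint register range and the sample frames are all constructed for this example.

```python
"""Constructed two-stage matching of captured Modbus/TCP requests (steps S3 to S5):
rule-base filter on key characteristics, then vulnerability-database match."""
import struct
from typing import NamedTuple, Optional

class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes  # PDU payload after the function code

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

# Stage 1 rule base: key characteristics of a threatening request (constructed).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}   # coil / register writes
CONTROL_FUNCTIONS = {0x08}                    # diagnostics
PUBLIC_FUNCTIONS = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}

def rule_base_match(req: ModbusRequest) -> list:
    # Returns the key characteristics the request exhibits; [] means benign.
    feats = []
    if req.function in WRITE_FUNCTIONS:
        feats.append("register_write")
    if req.function in CONTROL_FUNCTIONS:
        feats.append("control_function")
    if req.function not in PUBLIC_FUNCTIONS:
        feats.append("unknown_function")
    return feats

def _restart_comms(req: ModbusRequest) -> bool:
    # Stage 2 signature: diagnostics sub-function 0x0001 (Restart Communications Option)
    return req.function == 0x08 and req.data[:2] == b"\x00\x01"

def _setpoint_write(req: ModbusRequest) -> bool:
    # Stage 2 signature: register write into 0x0000-0x000F, reserved for setpoints here
    if req.function in (0x06, 0x10) and len(req.data) >= 2:
        return struct.unpack(">H", req.data[:2])[0] < 0x10
    return False

VULN_DB = [  # stage 2 vulnerability database; the ids are constructed
    ("VDB-EXAMPLE-001", "PLC communications restart via diagnostics", _restart_comms),
    ("VDB-EXAMPLE-002", "write to protected setpoint registers", _setpoint_write),
]

def analyze(frame: bytes) -> Optional[dict]:
    # Both stages: None for benign traffic, else a report for the warning platform.
    req = parse_modbus_tcp(frame)
    feats = rule_base_match(req)
    if not feats:
        return None
    hits = [vid for vid, _, pred in VULN_DB if pred(req)]
    return {"function": req.function, "features": feats, "vuln_ids": hits}

# Constructed sample frames as a probe would capture them (MBAP header + PDU).
FRAMES = {
    "read":     bytes.fromhex("0001 0000 0006 01 03 0000 000A"),
    "setpoint": bytes.fromhex("0002 0000 0006 01 06 0002 FFFF"),
    "restart":  bytes.fromhex("0003 0000 0006 01 08 0001 0000"),
    "unknown":  bytes.fromhex("0004 0000 0002 01 63"),
}
```

Only the "read" frame passes stage 1 silently; the other three are flagged by a key characteristic, and two of them additionally hit a specific database entry.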
In this embodiment, the probes are deployed in parallel with the security equipment, and the attack information matched against the vulnerability database is finally uploaded to the security equipment. The attack information analysis results obtained by the data analysis module are linked with the security equipment: the attack information is submitted to the security equipment and recorded and stored, which helps to improve the performance and reliability of the security equipment, and at the same time the attack information is correlated with the anomaly logs of the entire production environment, so that anomalies are presented consistently and the "information island" style of security protection is broken. Combined with the real industrial control system of the intranet, this virtual-real combination is equivalent to rebuilding a software production system detached from the hardware environment, and accomplishes the purpose of protecting the security of the industrial control system without affecting the real production line.
In this embodiment, an early warning display platform and a patch push platform are established. The early warning display platform displays, in a centralized manner, the attack trend within the monitoring range and the completeness of the industrial control environment construction within the monitoring range; the patch push platform pushes warning information and patch repair information to the enterprise where the user is located.
In another embodiment, the probes may also be deployed on the engineer station or SCADA server of the intranet, or a probe may be connected in series into a key line; the latter approach, however, is the most extreme, since it requires the control system of the entire production system to add the probe to its trust list, and should be avoided as far as possible.
Based on the above industrial control system vulnerability trend analysis and early warning method, and referring to Fig. 2, an embodiment of the industrial control system vulnerability trend analysis and early warning system of the present invention comprises a data collection module 10, a data storage medium 20, a data analysis module 30, and an early warning display platform and patch push platform 40;
the data collection module 10 comprises distributed probes carrying the core protocols of industrial control systems, the probes being deployed in the public network and in intranets with a high degree of industrial internet completeness and being used to collect attack information in the public network or the intranet;
the data storage medium 20 is used to store the attack information collected by the data collection module 10 and to forward the attack information to the data analysis module 30;
the data analysis module 30 comprises a database generation unit 301 and a data analysis matching unit 302; the database generation unit 301 is used to generate the attack-exploitation rule base and the vulnerability database, and the data analysis matching unit 302 uses the generated attack-exploitation rule base and vulnerability database to analyze and match the attack information sent back by the probes and reports the attack information analysis results to the security equipment 50 and to the early warning display platform and patch push platform 40;
the early warning display platform is used to display, in a centralized manner, the attack trend within the monitoring range and the completeness of the industrial control environment construction within the monitoring range; the patch push platform pushes warning information and patch repair information to the enterprise where the user is located.
The embodiments described above are only preferred embodiments given to fully illustrate the present invention, and the protection scope of the present invention is not limited thereto. Equivalent substitutions or transformations made by those skilled in the art on the basis of the present invention fall within the protection scope of the present invention. The protection scope of the present invention is defined by the claims.