Industrial control system vulnerability trend analysis and early warning method and system
Technical Field
The invention relates to the field of industrial control system security, and in particular to a vulnerability trend analysis and early warning method and system for an industrial control system.
Background
A traditional information security defense system comprises a firewall, a UTM, an IPS, an IDS, a vulnerability scanning system, an anti-virus system, a terminal management system, a WAF, a DB-AUDIT (database audit) system, a security monitoring platform and the like. In terms of layered network structure the product system is sound; in terms of actual function, however, its defects are obvious and are mainly represented in the following three aspects:
1. These conventional security products can each defend against security threats from only one aspect, and so form isolated 'security defense islands'.
2. They lack effective fusion and association analysis of the massive, multi-dimensional information security data, and therefore cannot produce a synergistic effect.
3. These security monitoring data cannot be turned into an effective resource for upper-level security decisions.
Most traditional security defense facilities analyze and monitor attack behaviors that have already occurred by analyzing the logs of security devices across the seven layers of the network. They are basically passive defense ideas: they lack network security situation awareness and linked early warning capability, and they take the corresponding emergency measures only after a network attack event has been detected, which is usually too late, because the network attack has already occurred by then and has already caused irreparable loss.
Disclosure of Invention
The invention provides a method and a system for analyzing the vulnerability trend of an industrial control system and giving early warning, in which a key control part of the production environment is simulated: the simulated industrial control system induces attacks to be launched against it, collects the attack means, analyzes the vulnerabilities, and warns the user in advance of serious vulnerability information that exists in, or is about to be exploited in, the production environment.
In order to solve the technical problem, the invention provides an industrial control system vulnerability trend analysis and early warning method, which is characterized by comprising the following steps:
establishing, by simulation, a plurality of probes carrying the core protocols of an industrial control system, and deploying the probes in a public network or in an intranet with a high degree of industrial internet construction;
the simulated industrial control system probes collecting attack information interactively;
the simulated industrial control system probes sending the collected attack information to a data analysis module, which is responsible for data analysis and vulnerability mining;
the data analysis module generating an attack utilization rule base and a vulnerability base according to the results of the data analysis and vulnerability mining;
and the data analysis module matching and analyzing the attack information sent back by the probes using the generated attack utilization rule base and vulnerability base, and reporting the analysis result of the attack information to the security device and the early warning display platform.
In a preferred embodiment of the invention, the method further comprises: deploying the simulated industrial control system probes in the public network in a distributed manner; inducing attack traffic in the public network to actively attack the probes, which collect the attack information and send the attack information collected in the public network to the data analysis module; and the data analysis module carrying out data analysis and vulnerability mining, based on big data technology, on the massive data returned by the probes deployed in the public network. It first counts the key character strings (keywords) in the massive data that actually threaten the industrial control production environment and generates an attack utilization rule base; it then mines from the massive data the behaviors that conform to the attack utilization rule base, defines these behaviors as vulnerability utilization (exploitation), and generates a vulnerability base.
In a preferred embodiment of the invention, the method further comprises: deploying the simulated industrial control system probes in the intranet, and using the attack utilization rule base and vulnerability base generated by the data analysis module to analyze and match the data sent back by the probes in the intranet. The data are first quickly matched against the attack utilization rule base to find the key character strings that cause threats; behaviors conforming to the attack utilization rules are then mined from those key character strings and matched against the vulnerability base data to analyze the specific vulnerability information; and the results and warnings are reported to the security device and the early warning display platform, so as to play the double role of warning and blocking.
In a preferred embodiment of the present invention, the core protocols set on the probe further include Modbus, OPC, S7comm, IEC 104, EtherNet/IP, Kamstrup and BACnet.
In a preferred embodiment of the present invention, the probe interaction process further comprises simulating the communication flow between the upper computer (host) and the industrial control system, including the read var and write var read/write instructions, the start and stop function codes, and register value modification; the deep interaction comprises function code utilization and register value modification, to which the probe makes an actual adaptive response. A traffic capture tool monitors and captures the traffic data packets of the different network request modes and stores them in big data middleware. The probe is packaged using image technology and is brought online and offline uniformly from the early warning display platform.
In a preferred embodiment of the present invention, the probe may be deployed on an engineering station or a SCADA server in the intranet.
In a preferred embodiment of the invention, the method further comprises establishing an early warning display platform and a patch forwarding platform, wherein the early warning display platform centrally displays the attack trend within the monitoring range and the construction completion degree of the industrial control environment within the monitoring range, and the patch forwarding platform pushes early warning information and patch repair information to the enterprise where the user is located.
In a preferred embodiment of the invention, the attack information analysis result obtained by the data analysis module is linked with the security device: the attack information is submitted to the security device and recorded and stored there, and is at the same time linked with the abnormal log of the whole production environment, so that abnormal events are presented consistently and the information-island type security system is broken.
In order to solve the technical problem, the invention also provides an industrial control system vulnerability trend analysis and early warning system, which comprises a data collection unit, a data storage medium, a data analysis module, an early warning display platform and a patch forwarding platform;
the data collection unit comprises distributed probes carrying the core protocols of an industrial control system, the probes being deployed in a public network or in an intranet with a high degree of industrial internet construction and used for collecting attack information in the public network or the intranet;
the data storage medium is used for storing the attack information collected by the data collection unit and forwarding the attack information to the data analysis module;
the data analysis module comprises a database generation unit and a data analysis matching unit, the database generation unit being used for generating an attack utilization rule base and a vulnerability base, and the data analysis matching unit matching and analyzing the attack information sent back by the probes using the generated attack utilization rule base and vulnerability base, and reporting the attack information analysis result to the security device, the early warning display platform and the patch forwarding platform.
The early warning display platform is used for centrally displaying the attack trend within the monitoring range and the construction completion degree of the industrial control environment within the monitoring range; the patch forwarding platform pushes early warning information and patch repair information to the enterprise where the user is located.
The invention has the following beneficial effects:
The invention simulates an industrial control system, induces attacks to be launched against the simulated industrial control system, establishes an attack utilization rule base and a vulnerability base from the collected attack information, analyzes the mainstream attack trend, and provides threat early warning to the user in real time, so that the user can take precautions, repair the hidden vulnerabilities of the production environment in time, and at the same time avoid the production accidents that acceptance inspection and testing of the production environment itself would cause.
Compared with the traditional industrial control defense system: that system is mainly used for analyzing and monitoring attack behaviors that have already occurred, basically adopts a passive defense idea, lacks network security situation awareness and linked early warning capability, and adopts the corresponding emergency measures only after a network attack event has been detected, which is often too late, because the network attack has already occurred by then and has already caused irreparable loss.
The method does not merely take specific vulnerability information as a fingerprint library, and does not need to collect the vulnerability information published by authoritative websites in real time; the authority of the fingerprint library is ensured by the many and varied hacking means actually observed, and the lag relative to the time at which the authority publishes the vulnerability information is greatly reduced. The invention can provide a solution aimed entirely at the production core of an industrial control system under the same production environment conditions. The probe part of the invention simulates the core protocols of various PLC controllers and can be freely deployed in a public network or in an intranet with a high degree of industrial internet construction. When a probe is deployed in the public network, it serves as a target that induces attacks, collects the current industrial control vulnerability utilization modes in real time, pushes the latest vulnerability threat trend to the user and builds up the database. When a probe is deployed in an intranet, it can be deployed in parallel with the real industrial control equipment; when the intranet is attacked, security personnel are given a certain buffer time, the vulnerability attack is captured in advance according to the established database and an early warning is sent to the user, and at the same time the attack information is submitted to the security device and blocked, achieving the defensive goal that the production environment is not affected.
Drawings
FIG. 1 is a flow chart of a vulnerability trend analysis and early warning method of an industrial control system according to the present invention;
FIG. 2 is a frame diagram of an industrial control system vulnerability trend analysis and early warning system according to the present invention;
FIG. 3 is a technical framework diagram of the present invention for deploying probes in a public network;
FIG. 4 is a technical framework diagram of the present invention for deploying probes in an intranet.
The reference numbers in the figures illustrate: 10. a data collection unit; 20. a data storage medium; 30. a data analysis module; 301. a database generation unit; 302. a data analysis matching unit; 40. the early warning display platform and the patch forwarding platform; 50. a security device.
Detailed Description
The present invention is further described below in conjunction with the following figures and specific examples so that those skilled in the art may better understand the present invention and practice it, but the examples are not intended to limit the present invention.
Referring to FIG. 1, in an embodiment of the industrial control system vulnerability trend analysis and early warning method: in step S1, a plurality of probes carrying the core protocols of an industrial control system are established by simulation, and the probes are deployed in a public network or in an intranet with a high degree of industrial internet construction; in step S2, the simulated industrial control system probes collect attack information interactively; in step S3, the simulated industrial control system probes send the collected attack information to a data analysis module, which is responsible for data analysis and vulnerability mining; in step S4, the data analysis module generates an attack utilization rule base and a vulnerability base according to the results of the data analysis and vulnerability mining; and in step S5, the data analysis module matches and analyzes the attack information sent back by the probes using the generated attack utilization rule base and vulnerability base, and reports the analysis result of the attack information to the security device and the early warning display platform.
In step S1, the core protocols include the interface protocols, network protocols and communication protocols of the industrial control system, such as Modbus, OPC, S7comm, IEC 104, EtherNet/IP, Kamstrup, BACnet and other industrial control protocols in common use at home and abroad.
The probe is packaged using image technology, and distributed deployment (bringing probes online and offline) is carried out uniformly from the early warning display platform, which not only ensures full coverage of the probe deployment network but also avoids the trouble of manual installation.
In step S2, the interaction process of the probe mainly simulates the communication flow between the host computer and the PLC, including the read var and write var read/write instructions, the start and stop function codes, register value modification and other interactive operations; the deep interaction comprises function code utilization and register value modification, to which the probe makes an actual adaptive response, so that when the request lasts long enough the integrity of the captured data is ensured. A traffic capture tool is used to monitor and capture the traffic data packets of the various network request modes and store them in the big data middleware.
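The interactive probe of step S2, as an added Python example (not code from the patent): a minimal simulated PLC that answers Modbus/TCP holding-register reads and writes from its own register table, so that a write really changes what the next read returns, and records every request as a capture event in place of the big data middleware. The frame layout, function codes and exception codes are the public Modbus/TCP ones; the S7 start/stop function codes named in the text are not modelled, and the source addresses and frames used below are constructed.

```python
import struct
from dataclasses import dataclass, field

# Modbus/TCP MBAP header: transaction id, protocol id, length, unit id (big-endian).
MBAP = struct.Struct(">HHHB")
READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE = 0x03, 0x06, 0x10
ILLEGAL_FUNCTION, ILLEGAL_ADDRESS, ILLEGAL_VALUE = 0x01, 0x02, 0x03


@dataclass
class ModbusProbe:
    """Simulated PLC: a holding-register table that really changes on writes, so a
    later read returns the written value, plus a capture list standing in for the
    big data middleware. Only the Modbus part of the probe is modelled here."""
    registers: list = field(default_factory=lambda: [0] * 64)
    captures: list = field(default_factory=list)

    @staticmethod
    def _exception(fc, code):
        return bytes([fc | 0x80, code])

    def handle(self, src, frame):
        """Answer one request frame from `src`, recording it; returns the response frame."""
        if len(frame) < MBAP.size + 1:
            self.captures.append({"src": src, "fc": None, "raw": frame.hex()})
            return b""                        # too short to carry a function code
        tid, pid, length, unit = MBAP.unpack_from(frame)
        pdu = frame[MBAP.size:MBAP.size + max(length - 1, 1)]
        fc = pdu[0]
        event = {"src": src, "fc": fc, "raw": frame.hex()}
        try:
            if fc == READ_HOLDING:
                addr, qty = struct.unpack_from(">HH", pdu, 1)
                event.update(addr=addr, qty=qty)
                if not 1 <= qty <= 125 or addr + qty > len(self.registers):
                    resp = self._exception(fc, ILLEGAL_ADDRESS)
                else:
                    vals = self.registers[addr:addr + qty]
                    resp = bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *vals)
            elif fc == WRITE_SINGLE:
                addr, val = struct.unpack_from(">HH", pdu, 1)
                event.update(addr=addr, values=[val])
                if addr >= len(self.registers):
                    resp = self._exception(fc, ILLEGAL_ADDRESS)
                else:
                    self.registers[addr] = val
                    resp = pdu[:5]                # a single write echoes the request
            elif fc == WRITE_MULTIPLE:
                addr, qty, nbytes = struct.unpack_from(">HHB", pdu, 1)
                vals = list(struct.unpack_from(">%dH" % qty, pdu, 6))
                event.update(addr=addr, values=vals)
                if nbytes != 2 * qty or not 1 <= qty <= 123:
                    resp = self._exception(fc, ILLEGAL_VALUE)
                elif addr + qty > len(self.registers):
                    resp = self._exception(fc, ILLEGAL_ADDRESS)
                else:
                    self.registers[addr:addr + qty] = vals
                    resp = pdu[:5]                # echo start address and quantity
            else:                                 # anything else, including vendor codes
                resp = self._exception(fc, ILLEGAL_FUNCTION)
        except struct.error:                      # truncated PDU
            resp = self._exception(fc, ILLEGAL_VALUE)
        self.captures.append(event)
        return MBAP.pack(tid, pid, len(resp) + 1, unit) + resp
```

The capture events (source, function code, address, values, raw frame) are what the probe would forward to the data analysis module.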
In steps S3 to S4, the probes are deployed in the public network in order to establish the database, which comprises the attack utilization rule base and the vulnerability base. As shown in FIG. 3, the database establishment process comprises the following steps: the simulated industrial control system probes are deployed in the public network in a distributed manner; attack traffic in the public network is induced to actively attack the probes, which collect the attack information and send the attack information collected in the public network to the data analysis module; the data analysis module carries out data analysis and vulnerability mining, based on big data technology, on the massive data returned by the probes deployed in the public network. It first counts the key character strings in the massive data that actually threaten the industrial control production environment and generates the attack utilization rule base; it then mines from the massive data the behaviors that conform to the attack utilization rules, defines these behaviors as vulnerability utilization, and generates the vulnerability base. The attack utilization rule base thus defines the key character strings that threaten the industrial control production environment, and the vulnerability base defines the specific attack behaviors that threaten it. In this way, the threat information can be quickly screened out of the massive attack information by key character string matching, and the screened dangerous information is then matched against the vulnerability base to lock onto specific attack behaviors.
In step S5, the probes are deployed in the intranet and the attack information of attacks on the intranet is matched against the database information. As shown in FIG. 4, this comprises the following steps: the simulated industrial control system probes are deployed in the intranet, and the attack utilization rule base and vulnerability base generated by the data analysis module are used to analyze and match the data sent back by the probes in the intranet. The data are first quickly matched against the attack utilization rule base to find the key character strings that cause threats; behaviors conforming to the attack utilization rules are then mined from those key character strings and matched against the vulnerability base data to analyze the specific vulnerability information; and the results and warnings are reported to the security device and the early warning display platform, playing the double role of warning and blocking.
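The two-stage matching of steps S3 to S5, as an added Python example (not the patent's own data analysis module): stage 1 screens each record sent back by a probe against an attack utilization rule base of key character strings (write function codes, PLC stop); stage 2 matches the ordered hits from one source against a vulnerability base of specific attack behaviours within a time window, and the result is split between what goes to the security device (block) and what goes to the early warning display platform. The rule names, vulnerability base entries, addresses and sample records are all constructed for this example.

```python
from collections import defaultdict

# Stage 1 rule base: each rule is a "key character string", a protocol feature that can
# actually affect production (register writes, PLC stop). Constructed for this example.
RULE_BASE = {
    "modbus_write": {"proto": "modbus", "fc": {0x06, 0x10}},
    "s7_write_var": {"proto": "s7comm", "function": {"write_var"}},
    "s7_plc_stop": {"proto": "s7comm", "function": {"plc_stop"}},
}

# Stage 2 vulnerability base: one specific attack behaviour per entry, as an ordered
# sequence of rule hits from a single source within `window` seconds. Ids are constructed.
VULN_BASE = [
    {"id": "VB-EXAMPLE-1", "name": "repeated register tampering",
     "sequence": ["modbus_write"] * 3, "window": 60, "action": "block"},
    {"id": "VB-EXAMPLE-2", "name": "variable write followed by PLC stop",
     "sequence": ["s7_write_var", "s7_plc_stop"], "window": 300, "action": "block"},
]

def screen(record):
    """Stage 1: name of the rule whose key character string the record carries, else None."""
    for name, rule in RULE_BASE.items():
        key = "fc" if "fc" in rule else "function"
        if record["proto"] == rule["proto"] and record.get(key) in rule[key]:
            return name
    return None

def find_sequence(hits, sequence, window):
    """Earliest ordered subsequence of (ts, rule) hits matching `sequence` within `window`."""
    for start, (first_ts, first_name) in enumerate(hits):
        if first_name != sequence[0]:
            continue
        idx, last_ts = 1, first_ts
        for ts, name in hits[start + 1:]:
            if idx < len(sequence) and name == sequence[idx]:
                idx, last_ts = idx + 1, ts
        if idx == len(sequence) and last_ts - first_ts <= window:
            return first_ts, last_ts
    return None

def analyse(records):
    """Both stages; 'block' alerts are routed to the security device, all alerts to the display platform."""
    hits = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        name = screen(rec)
        if name:                       # stage 1: keep only records carrying a threat feature
            hits[rec["src"]].append((rec["ts"], name))
    alerts = []
    for src, seq in hits.items():      # stage 2: lock onto specific attack behaviours
        for vuln in VULN_BASE:
            span = find_sequence(seq, vuln["sequence"], vuln["window"])
            if span:
                alerts.append({"src": src, "vuln": vuln["id"], "first_ts": span[0], "last_ts": span[1], "action": vuln["action"]})
    return {"security_device": [a for a in alerts if a["action"] == "block"], "display_platform": alerts}

# Constructed sample of records sent back by intranet probes (not real data).
SAMPLE_RECORDS = [
    {"ts": 0, "src": "10.0.0.5", "proto": "modbus", "fc": 0x03},                 # SCADA poll
    {"ts": 10, "src": "10.0.0.99", "proto": "modbus", "fc": 0x06},
    {"ts": 20, "src": "10.0.0.99", "proto": "modbus", "fc": 0x10},
    {"ts": 25, "src": "10.0.0.99", "proto": "modbus", "fc": 0x06},
    {"ts": 40, "src": "10.0.0.7", "proto": "s7comm", "function": "write_var"},
    {"ts": 400, "src": "10.0.0.7", "proto": "s7comm", "function": "plc_stop"},   # outside window
    {"ts": 50, "src": "10.0.0.8", "proto": "s7comm", "function": "write_var"},
    {"ts": 55, "src": "10.0.0.8", "proto": "s7comm", "function": "plc_stop"},
]
```

Running `analyse(SAMPLE_RECORDS)` flags 10.0.0.99 and 10.0.0.8 only; the SCADA poll never passes stage 1, and the write-then-stop from 10.0.0.7 passes stage 1 but falls outside the vulnerability base window.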
In this embodiment, the attack information matched against the vulnerability base is uploaded to the security device: the attack information analysis result obtained by the data analysis module is linked with the security device, and the attack information is submitted to the security device and recorded and stored there, which improves the performance and reliability of the security device. At the same time the attack information is linked with the abnormal log of the whole production environment, so that abnormal events are presented consistently and the information-island type security system is broken through. The attack information can be combined with the virtual and real conditions of the real industrial control system in the intranet, which is equivalent to reconstructing a software production system separated from the hardware environment, and the goal of protecting the security of the industrial control system is achieved on the premise that the real production line is not affected.
In this embodiment, an early warning display platform and a patch forwarding platform are established; the early warning display platform centrally displays the attack trend within the monitoring range and the construction completion degree of the industrial control environment within the monitoring range, and the patch forwarding platform pushes early warning information and patch repair information to the enterprise where the user is located.
In another embodiment, the probes may be deployed on an engineering station or a SCADA server in the intranet, or the probes may be connected in series (in line) with the core router; the latter is the most extreme option, since the control systems of the entire production system would then have to add the probes to their trust list, and it should be avoided as much as possible.
Based on the industrial control system vulnerability trend analysis and early warning method, and referring to FIG. 2, an embodiment of the industrial control system vulnerability trend analysis and early warning system of the present invention comprises a data collection unit 10, a data storage medium 20, a data analysis module 30, and an early warning display platform and patch forwarding platform 40;
the data collection unit 10 comprises distributed probes carrying the core protocols of an industrial control system, the probes being deployed in a public network or in an intranet with a high degree of industrial internet construction and used for collecting attack information in the public network or the intranet;
the data storage medium 20 is configured to store the attack information collected by the data collection unit 10 and to forward the attack information to the data analysis module 30;
the data analysis module 30 comprises a database generation unit 301 and a data analysis matching unit 302; the database generation unit 301 is used for generating an attack utilization rule base and a vulnerability base, and the data analysis matching unit 302 is used for matching and analyzing the attack information sent back by the probes using the generated attack utilization rule base and vulnerability base, and for reporting the analysis result of the attack information to the security device 50 and to the early warning display platform and patch forwarding platform 40.
The early warning display platform is used for centrally displaying the attack trend within the monitoring range and the construction completion degree of the industrial control environment within the monitoring range; the patch forwarding platform pushes early warning information and patch repair information to the enterprise where the user is located.
The above-mentioned embodiments are merely preferred embodiments given to fully illustrate the present invention, and the scope of the present invention is not limited thereto. Equivalent substitutions or changes made by those skilled in the art on the basis of the invention all fall within the protection scope of the invention. The protection scope of the invention is defined by the claims.