Specific embodiment
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, each embodiment of the present invention is explained in detail below with reference to the accompanying drawings. However, those skilled in the art will understand that in each embodiment of the present invention many technical details are set out so that the reader may better understand this application; the technical solution claimed in this application can nevertheless be implemented without these technical details, and with various changes and modifications based on the following embodiments.
The first embodiment of the present invention relates to an industrial control network monitoring device which, as shown in Figure 1, comprises a policy enforcement module 11 and a security monitoring module 12. The policy enforcement module 11 is configured to obtain a preset business policy according to the parsing result obtained by deep parsing of the communication data in the industrial control network, and to execute a security monitoring operation according to that business policy, wherein different parsing results correspond to different business policies. The security monitoring module 12 is connected to the policy enforcement module 11 and is configured to acquire the monitoring data obtained while the policy enforcement module 11 executes the security monitoring operation, and to analyze the monitoring data to determine whether an anomaly exists.
In this embodiment, a parsing result is obtained by deep parsing of the communication data in the industrial control network, the business policy corresponding to that parsing result is obtained, and the security monitoring operation is executed according to the business policy. Because different parsing results correspond to different business policies, and the security monitoring operation of the policy enforcement module 11 is executed specifically according to the business policy, different security monitoring operations can be executed for different business policies; that is, the security monitoring operation is more targeted, which improves the security protection capability of the industrial control system.
The implementation details of the industrial control network monitoring device of this embodiment are described below. The following content is provided only to facilitate understanding of those implementation details and is not necessary for implementing this solution.
Specifically, the policy enforcement module 11 is configured to obtain a preset business policy according to the parsing result obtained by deep parsing of the communication data in the industrial control network, and to execute a security monitoring operation according to the business policy, wherein different parsing results correspond to different business policies. The communication data in the industrial control network mentioned here may include, but is not limited to, any one or any combination of the following: function codes, register addresses, and the input and output values of controllers.
The industrial control network monitoring device in this embodiment may further include a data acquisition module 13 and a protocol parsing module 14, as shown in Figure 2. The data acquisition module 13 is connected to the protocol parsing module 14 and is configured to acquire the communication data in the industrial control network and send it to the protocol parsing module 14. The protocol parsing module 14 is connected to the policy enforcement module 11 and is configured to perform deep parsing of the communication data in the industrial control network to obtain the parsing result, and to send the parsing result to the policy enforcement module 11.
The protocol parsing module 14 in this embodiment can support deep parsing of the communication data of several protocols, which may include, but are not limited to, the Modbus communication protocol, the OPC communication protocol, the IEC 104 communication protocol, the DNP3 communication protocol, the IEC 61850 GOOSE communication protocol and the FINS communication protocol.
In addition, the protocol parsing module 14 in this embodiment is specifically configured to determine the protocol type of the industrial control network and, once the protocol type has been determined, to perform deep parsing of the communication data in the industrial control network based on the determined protocol type. Since the form of the function code differs between communication protocols, the protocol parsing module 14 can determine the protocol type of the industrial control network from a combination of the port features and the function code features in the data packets; after the protocol type has been determined, it performs deep parsing of the communication data in the industrial control network based on that protocol type.
In this embodiment, the protocol parsing module 14 can also be configured to perform security filtering on the communication data in the industrial control network before determining the protocol type of the industrial control network; if the filtering result meets an early-warning condition, alarm information is issued and determination of the protocol type of the industrial control network is prohibited.
Specifically, the data acquisition module 13 can store the device information of all devices in the industrial control network, and the protocol parsing module 14 performs layered security filtering on the communication data in the industrial control network acquired by the data acquisition module 13. For example, the protocol parsing module 14 can first parse, at the link layer, the IP address and MAC address of the communication data in the industrial control network, and query whether that IP address and MAC address belong to the device information stored by the data acquisition module 13. If they do not, alarm information is issued and the protocol type of the industrial control network does not need to be determined; if the IP address and MAC address do belong to the device information stored by the data acquisition module 13, they are legitimate and determination of the protocol type of the industrial control network continues. In this embodiment, by performing security filtering on the communication data in the industrial control network in advance, and by issuing an alarm without determining the protocol type when the filtering result meets the early-warning condition, the relevant staff can learn in time that the industrial control system is under a security threat, which improves security monitoring efficiency and further enhances the security protection capability of the industrial control system.
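The two stages just described, the link-layer filter against the stored device information followed by protocol-type determination from port and function-code features, as an added example that is not part of the patent; the device inventory, addresses and frames are constructed, and the OPC protocol is left out because its features are not fixed to one port:

```python
"""Layered security filtering, then protocol-type determination.

Stage 1 (link layer): the source IP/MAC pair of each frame is looked up in the
device inventory stored by the data acquisition module. An unknown pair raises
an alarm and protocol determination is skipped for that frame.
Stage 2 (protocol type): for frames that pass, the destination-port feature is
combined with the header/function-code feature of the payload. Inventory
entries, addresses and the frames below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str
    dst_port: int
    payload: bytes  # application-layer bytes carried by the TCP segment

# Device inventory held by the data acquisition module: (ip, mac) of every known device.
DEVICE_INVENTORY = {
    ("192.168.10.11", "00:1d:9c:aa:bb:01"),  # controller
    ("192.168.10.20", "00:1d:9c:aa:bb:02"),  # engineer station
}

def link_layer_filter(frame: Frame, inventory=DEVICE_INVENTORY) -> bool:
    """True when the frame's source IP and MAC belong to a registered device."""
    return (frame.src_ip, frame.src_mac.lower()) in inventory

def identify_protocol(frame: Frame) -> Optional[str]:
    """Port feature plus header/function-code feature: a port match alone is
    not trusted, because the function-code format differs between protocols."""
    p = frame.payload
    if frame.dst_port == 502 and len(p) >= 8:
        # Modbus/TCP MBAP header: transaction id (2), protocol id (2, always 0),
        # length (2), unit id (1); byte 7 is the function code, 1..127 for requests.
        if p[2:4] == b"\x00\x00" and 1 <= p[7] <= 127:
            return "Modbus/TCP"
    elif frame.dst_port == 20000 and p[:2] == b"\x05\x64":
        return "DNP3"  # DNP3 link-layer start octets 0x05 0x64
    elif frame.dst_port == 2404 and p[:1] == b"\x68":
        return "IEC104"  # IEC 60870-5-104 APCI start byte 0x68
    elif frame.dst_port == 9600 and p[:4] == b"FINS":
        return "FINS"  # FINS/TCP header magic
    return None  # features do not match any supported protocol

def screen_frame(frame: Frame) -> dict:
    """Run the filter first; only legitimate devices reach protocol determination."""
    if not link_layer_filter(frame):
        return {"alarm": True, "reason": "source not in device inventory", "protocol": None}
    return {"alarm": False, "reason": None, "protocol": identify_protocol(frame)}

# Constructed frames: a Modbus Read Holding Registers request from the engineer
# station (MAC in upper case to show normalization), a DNP3 frame from the same
# station, and the Modbus request from a MAC that is not in the inventory.
MODBUS_READ = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
FRAMES = [
    Frame("00:1D:9C:AA:BB:02", "192.168.10.20", 502, MODBUS_READ),
    Frame("00:1d:9c:aa:bb:02", "192.168.10.20", 20000, b"\x05\x64\x05\xc0\x01\x00\x00\x04"),
    Frame("00:1d:9c:ff:ff:ff", "192.168.10.20", 502, MODBUS_READ),
]

if __name__ == "__main__":
    for f in FRAMES:
        print(f.src_ip, f.src_mac, screen_frame(f))
```

The third frame shows why the pair is checked rather than the IP alone: a registered IP with an unregistered MAC still raises the alarm and is never parsed.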
It will be understood by those skilled in the art that, by deep parsing of the communication data in the industrial control network in this embodiment, parsing results such as the following can be obtained in an industrial control scenario: instruction operations of the host computer on the lower computer, configuration changes made by the engineer station to on-site industrial controllers, inputs of on-site switching values, and process variable thresholds. The preset business policies obtained by the policy enforcement module 11 according to the parsing result may include, but are not limited to, a business policy based on intelligent material transfer and a business policy based on intelligent security.
The business policy based on intelligent material transfer is taken as an example:
Intelligent material transfer is based on a three-dimensional workshop map and the industrial internet, and uses high-definition surveillance cameras to intelligently monitor and control the position, movement and process flow of intelligent transport vehicles and intelligent robotic arms, so as to realize autonomous transport and autonomous loading and unloading of materials.
The business policy based on intelligent material transfer in this embodiment may include: obtaining a pre-established three-dimensional model of the workshop to obtain a high-precision three-dimensional workshop map, and executing the security monitoring operation according to preset path planning and navigation control. In this embodiment, the security monitoring operation executed by the policy enforcement module 11 according to the business policy may mainly include the security monitoring operation on the intelligent transport vehicles and the intelligent robotic arms.
In practical applications, the intelligent transport vehicle can be monitored in real time by the high-definition surveillance cameras according to the uniquely coded marker points arranged on it; at the same time, vehicle-mounted vision, radar and laser sensors can be combined to perceive the surrounding environment; and, according to the three-dimensional workshop map, path planning, automatic obstacle avoidance, multi-vehicle cooperation and real-time location updates to the industrial control network monitoring device are realized. The loading information of the intelligent transport vehicle itself, such as weight, type and volume, can also be obtained at the same time. The intelligent robotic arm is equipped with a visual sensor so that it can perceive and identify the intelligent transport vehicle and the material within a limited range; after the positions of the intelligent transport vehicle and the material are found, the gripper of the intelligent robotic arm is guided to complete grabbing or stacking of the material, while the material information is uploaded to the security monitoring module 12 of the industrial control network monitoring device, and the working state of the intelligent robotic arm itself, such as "about to identify", "grabbing", "grab completed" and "operation completed", is uploaded in real time to the security monitoring module 12 over the industrial internet, so that the security monitoring module 12 obtains the monitoring data produced while the policy enforcement module 11 executes the security monitoring operation.
In this embodiment, because the security monitoring module 12 can also obtain, over the industrial internet, configuration information such as the basic information of each intelligent transport vehicle and intelligent robotic arm (for example number, model, current working state, loading information and grabbing state), the security monitoring module 12 can analyze the monitoring data based on this configuration information together with the monitoring data obtained from the policy enforcement module 11, to determine whether an anomaly exists.
The business policy based on intelligent security is taken as an example:
Intelligent security refers to monitoring people or objects that intrude into the perimeter or warning lines of a factory or enterprise.
The business policy based on intelligent security in this embodiment may include: obtaining the software architecture of the intelligent security system, and executing the security monitoring operation based on the obtained software architecture. In this embodiment, the security monitoring operation executed by the policy enforcement module 11 according to the business policy may mainly include the security monitoring operation on the access layer, the base layer, the data layer and the service layer of the intelligent security system's software architecture.
The access layer is mainly used to provide a unified interface service system, which interfaces with external devices such as cameras, offline data sources and the industrial control network monitoring device to acquire video image data.
The base layer is mainly used to provide computing frameworks such as offline computing, real-time computing and stream computing, meeting the big-data computing demands of intelligent security protection such as batch data processing of all kinds, online business analysis, and real-time monitoring and early warning.
The data layer can be divided into a face topic library (which, depending on the application, includes a face capture library, a face registration library, a face blacklist library and so on, based on face pictures), a vehicle topic library (including a vehicle information library, a vehicle library, a vehicle registration library and a vehicle blacklist library), a dangerous goods library, and others.
The service layer mainly includes functions such as face recognition, vehicle recognition and dangerous goods recognition. It is implemented mainly on the basis of the data layer, using intelligent algorithms such as deep learning to identify and compare, and to extract features such as faces, vehicles or articles from video and images.
In this embodiment, because the security monitoring module 12 can also obtain, over the industrial internet, the relevant information of people or objects that are authorized to enter the perimeter or warning lines of the factory or enterprise, the security monitoring module 12 can analyze the monitoring data based on this information about authorized people or objects together with the monitoring data obtained by the policy enforcement module 11, to determine whether an anomaly exists.
It should be noted that the industrial control network monitoring device can have a built-in database holding several business policies. After the protocol parsing module 14 has performed deep parsing of the communication data in the industrial control network and obtained a parsing result, the policy enforcement module 11 can look up the business policy corresponding to that parsing result in the database, and execute the security monitoring operation according to the business policy obtained.
In addition, it should be noted that although only the business policy based on intelligent material transfer and the business policy based on intelligent security are given as specific examples of preset business policies in this embodiment, practical applications are not limited to these.
Specifically, the security monitoring module 12 is connected to the policy enforcement module 11 and is configured to acquire the monitoring data obtained while the policy enforcement module 11 executes the security monitoring operation, and to analyze the monitoring data to determine whether an anomaly exists. In practical applications, the analysis of the monitoring data can be executed once every preset time interval, and an analysis report can be generated automatically for statistical management by the relevant staff. The industrial control network monitoring device has a built-in assessment template; after the monitoring data have been analyzed, the analysis result is automatically scored against the assessment template. If the score is lower than a preset threshold, it is determined that an anomaly exists; if the score is greater than or equal to the preset threshold, it is determined that no anomaly exists.
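The periodic analysis just described, applied to the material-transfer monitoring data of the earlier passage (robotic-arm working states and material information joined with the configuration information the security monitoring module 12 holds for each vehicle and arm), as an added example that is not part of the patent; the device identifiers, weights, the three checks and their weights are constructed assumptions:

```python
"""Scoring one analysis interval of monitoring data against an assessment template.

The security monitoring module receives the monitoring data produced while the
policy enforcement module runs the material-transfer policy, checks it against
the configuration information obtained over the industrial internet, sums the
weights of the checks that pass, and reports an anomaly when the score falls
below the preset threshold. Ids, weights and checks are constructed examples.
"""
from dataclasses import dataclass

# Working states an arm reports for one pick, in the order given in the text.
ARM_STATE_ORDER = ("about_to_identify", "grabbing", "grab_completed", "operation_completed")

@dataclass(frozen=True)
class MonitoringRecord:
    arm_id: str
    vehicle_id: str
    state: str
    material_weight_kg: float

# Configuration information of registered arms and vehicles (constructed sample).
CONFIG = {
    "arms": {"ARM-01"},
    "vehicles": {"AGV-07": {"max_load_kg": 500.0}},
}

def check_state_sequence(records, cfg):
    """Each arm's states must start at the first state and advance one step at a time."""
    by_arm = {}
    for r in records:
        by_arm.setdefault(r.arm_id, []).append(r.state)
    for states in by_arm.values():
        idx = [ARM_STATE_ORDER.index(s) if s in ARM_STATE_ORDER else -1 for s in states]
        if -1 in idx or idx[0] != 0 or any(b != a + 1 for a, b in zip(idx, idx[1:])):
            return False
    return True

def check_known_devices(records, cfg):
    """Every arm and vehicle in the batch must appear in the configuration information."""
    return all(r.arm_id in cfg["arms"] and r.vehicle_id in cfg["vehicles"] for r in records)

def check_load_limits(records, cfg):
    """Uploaded material weight may not exceed the vehicle's configured load limit."""
    return all(
        r.vehicle_id in cfg["vehicles"]
        and r.material_weight_kg <= cfg["vehicles"][r.vehicle_id]["max_load_kg"]
        for r in records
    )

# Assessment template: (check name, weight, check function); weights sum to 100.
ASSESSMENT_TEMPLATE = (
    ("state_sequence", 40, check_state_sequence),
    ("known_devices", 40, check_known_devices),
    ("load_within_limit", 20, check_load_limits),
)

def assess(records, cfg=CONFIG, threshold=80):
    """Score the interval; a score below the threshold means an anomaly exists."""
    failed = [name for name, _, fn in ASSESSMENT_TEMPLATE if not fn(records, cfg)]
    score = sum(w for name, w, _ in ASSESSMENT_TEMPLATE if name not in failed)
    return {"score": score, "anomaly": score < threshold, "failed": failed}

# Constructed batches: a normal pick, and one where the arm reports
# "grab_completed" without ever reporting "grabbing" and the uploaded
# weight exceeds the vehicle's configured limit.
NORMAL_BATCH = [MonitoringRecord("ARM-01", "AGV-07", s, 120.0) for s in ARM_STATE_ORDER]
SUSPECT_BATCH = [
    MonitoringRecord("ARM-01", "AGV-07", "about_to_identify", 620.0),
    MonitoringRecord("ARM-01", "AGV-07", "grab_completed", 620.0),
]

if __name__ == "__main__":
    print("normal ", assess(NORMAL_BATCH))
    print("suspect", assess(SUSPECT_BATCH))
```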
It is not difficult to see that the industrial control network monitoring device provided by this embodiment obtains a parsing result by deep parsing of the communication data in the industrial control network, then obtains the business policy corresponding to the parsing result, and executes the security monitoring operation according to that business policy. Because different parsing results correspond to different business policies, and the security monitoring operation of the policy enforcement module 11 is executed specifically according to the business policy, different security monitoring operations can be executed for different business policies; that is, the security monitoring operation is more targeted, which improves the security protection capability of the industrial control system.
The second embodiment of the present invention relates to an industrial control network monitoring device. The second embodiment is a further improvement on the basis of the first embodiment, the improvement being that in this embodiment the industrial control network monitoring device further includes a state generation module 21, as shown in Figure 3.
The industrial control network monitoring device in this embodiment may further include a state generation module 21, which is connected to the data acquisition module 13 and is configured to automatically generate, according to the communication data in the industrial control network provided by the data acquisition module 13, a network structure diagram characterizing the working state of each device in the industrial control network.
Specifically, the data acquisition module 13 can store the device information of all devices in the industrial control network, where "devices" refers to all devices in the industrial control network that have an IP address. The state generation module 21 can generate the network structure diagram of the working state of each device from the device information of all devices in the industrial control network and the communication data of those devices provided by the data acquisition module 13. The diagram characterizes the working state of each device in the industrial control network, so that information such as the ongoing work process, communication status and security events of each device can be displayed, which helps the relevant staff sort through the information.
It should be noted that the network structure diagram generated in this embodiment can be a network topology diagram; in addition, the relevant staff can adjust the drawing of the network structure diagram to form the adjusted, final network structure diagram.
It is not difficult to see that, in the industrial control network monitoring device provided by this embodiment, because the network structure diagram can show the working state of each device in the industrial control network, the relevant staff can more easily sort through information such as the work process and communication status of each device in the industrial control network, so that when it is determined that an anomaly exists in the industrial control system, the anomaly can be located quickly and precisely, which improves security monitoring efficiency.
The third embodiment of the present invention relates to an industrial control network monitoring device. The third embodiment is a further improvement on the basis of the first embodiment, the improvement being that in this embodiment the industrial control network monitoring device is additionally provided with an expansion interface 31, as shown in Figure 4.
Specifically, the expansion interface 31 is connected to the data acquisition module 13; the expansion interface 31 is used to support proprietary industrial control protocols; and the data acquisition module 13 is further configured to acquire the communication data transmitted by the expansion interface 31 and send that communication data to the protocol parsing module 14.
That is, the industrial control network monitoring device in this embodiment goes beyond supporting mainstream industrial control protocols such as the Modbus communication protocol, the OPC communication protocol, the IEC 104 communication protocol, the DNP3 communication protocol, the IEC 61850 GOOSE communication protocol and the FINS communication protocol.
It should be noted that this embodiment may also be an improvement made on the basis of the second embodiment.
It is not difficult to see that the industrial control network monitoring device provided by this embodiment, by being provided with the expansion interface 31, facilitates the secondary development of customized proprietary industrial control protocols for different users, and can offer more flexible extension and customization functions to meet the individual needs of users.
It is worth noting that each module involved in this embodiment is a logical module; in practical applications, a logical unit may be one physical unit, part of a physical unit, or a combination of several physical units. In addition, in order to highlight the innovative part of the present invention, units that are not closely related to solving the technical problem posed by the present invention are not introduced in this embodiment, but this does not mean that no other units exist in this embodiment.
The fourth embodiment of the present invention relates to an industrial control network monitoring method which, as shown in Figure 5, comprises:
Step 101: obtain a preset business policy according to the parsing result obtained by deep parsing of the communication data in the industrial control network.
Step 102: execute a security monitoring operation according to the business policy, wherein different parsing results correspond to different business policies.
Step 103: acquire the monitoring data obtained while executing the security monitoring operation.
Step 104: analyze the monitoring data to determine whether an anomaly exists.
Compared with the prior art, the industrial control network monitoring method provided by this embodiment obtains a parsing result by deep parsing of the communication data in the industrial control network, then obtains the business policy corresponding to the parsing result, and executes the security monitoring operation according to that business policy. Because different parsing results correspond to different business policies, and the security monitoring operation of the policy enforcement module is executed specifically according to the business policy, different security monitoring operations can be executed for different business policies; that is, the security monitoring operation is more targeted, which improves the security protection capability of the industrial control system.
It is not difficult to see that this embodiment is the method embodiment corresponding to the first embodiment, and that this embodiment can be implemented in cooperation with the first embodiment. The relevant technical details mentioned in the first embodiment remain valid in this embodiment and are not repeated here. Correspondingly, the relevant technical details mentioned in this embodiment are also applicable to the first embodiment.
The division of the steps of the various methods above is only for clarity of description; in implementation, steps may be merged into one step, or a step may be split and decomposed into several steps, and all of these fall within the protection scope of this patent as long as the same logical relationship is included. Adding insignificant modifications to an algorithm or process, or introducing insignificant designs, without changing the core design of the algorithm or process, also falls within the protection scope of this patent.
Those skilled in the art will understand that all or part of the steps of the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program is stored in a storage medium and includes a number of instructions that cause a device (which may be a single-chip microcontroller, a chip, etc.) or a processor to execute all or part of the steps of the methods of the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Those skilled in the art will understand that the above embodiments are specific embodiments for realizing the present invention, and that in practical applications various changes in form and detail can be made to them without departing from the spirit and scope of the present invention.