
CN109005162B - Industrial control system security audit method and device - Google Patents


Info

Publication number: CN109005162B
Authority: CN (China)
Prior art keywords: business process, business, audit, control system, data
Legal status: Active
Application number: CN201810792245.0A
Other languages: Chinese (zh)
Other versions: CN109005162A (en)
Inventors: 李文杰, 周桂英
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd

Events
Application filed by China United Network Communications Group Co Ltd
Priority to CN201810792245.0A
Publication of CN109005162A
Application granted
Publication of CN109005162B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Strategic Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Economics (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • Educational Administration (AREA)
  • Computing Systems (AREA)
  • Game Theory and Decision Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Marketing (AREA)
  • Development Economics (AREA)
  • Operations Research (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a security audit method and a security audit device for an industrial control system, and belongs to the technical field of communication. The security audit method for the industrial control system comprises the following steps: configuring a standard XML rule file according to the business logic configured in advance for each business process interval; collecting data in the business scenario where the industrial control system is located, and obtaining the collection time period of the data of each business process interval; comparing the collected data of a business process interval, within its collection time period, against the standard XML rule file to generate an audit log of that business process interval; and obtaining a security risk audit log of the business scenario according to a pre-established risk model and the generated audit logs of the business process intervals, and storing the security risk audit log.

Description

Industrial control system security audit method and device
Technical Field
The invention belongs to the technical field of communication, and particularly relates to a safety audit method and device for an industrial control system.
Background
When industrial control systems were first designed, because of resource limitations, the absence of any Internet connection and similar reasons, and in order to guarantee real-time performance and availability, every layer of the industrial control system generally lacked security design. Security auditing of the industrial control system is therefore an effective means of ensuring its security.
Industrial control security auditing collects the actual communication traffic in the industrial control network and analyses the communication messages in depth. Through real-time dynamic analysis, data-flow monitoring, network behaviour auditing and similar technologies it rapidly identifies abnormal behaviour in the industrial control network; it detects in real time network attacks on the industrial control system, user misoperation, illegal user operations, illegal device access and the spread of malicious software such as worms and viruses, raises alarms in real time, records all network communication behaviour in detail, and provides a solid foundation for investigating security incidents in the industrial control system.
Disclosure of Invention
The invention aims to at least solve one of the technical problems in the prior art and provides an industrial control system security audit method and device for the safety of an industrial control system.
The technical scheme adopted for solving the technical problem of the invention is a safety audit method of an industrial control system, which comprises the following steps:
configuring a standard XML rule file according to the service logic configured for each service flow interval in advance;
acquiring data in a service scene where an industrial control system is located, and acquiring an acquisition time period of the data in each service flow interval;
comparing the standard XML rule file according to the acquisition time period of the data of the business process interval and the acquired data of the business process interval to generate an audit log of the business process interval;
and acquiring a safety risk audit log of the service scene according to a pre-established risk model and the generated audit log of the service process interval, and storing the safety risk audit log.
Preferably, before the step of generating the standard XML rule file according to the service logic configured for each service flow interval in advance, the method further includes:
configuring business logic for each business process interval; the business logic comprises the business logic relationships used by that business process interval, the instructions and their logical relationships, the industrial system objects involved and their logical relationships, and the input/output parameters and their threshold logic relationships.
Further preferably, the audit log of the business process interval contains the audit object, the audit result and the audit analysis of that business process interval.
Further preferably, before the step of configuring the logical relationship for the business process interval, the method further includes:
and dividing the service scene into a plurality of service process intervals according to different auditing granularities.
Preferably, the step of acquiring data in a service scene where the industrial control system is located and acquiring an acquisition time period of the data in each service flow interval includes:
collecting data under a service scene where an industrial control system is located by adopting a DPI technology;
and reading the acquisition time of the first data in the service scene of the industrial control system, and sequentially acquiring the acquisition time period of the data of each service flow interval according to the acquisition time, the execution starting time of each service flow interval and the execution duration of each service flow interval.
Preferably, the step of acquiring the collection time period of the data of each business process interval includes:
and reading the acquisition time of the first data in the service scene of the industrial control system, and sequentially acquiring the acquisition time period of the data of each service flow interval according to the acquisition time, the execution starting time of each service flow interval and the execution duration of each service flow interval.
Preferably, the storing the security risk audit log comprises:
and uploading the security risk audit log to a cloud terminal block chain for storage.
The technical scheme adopted for solving the technical problem of the invention is a security audit device for an industrial control system, which comprises:
the first configuration module is used for configuring a standard XML rule file according to the service logic configured for each service flow interval in advance;
the acquisition module is used for acquiring data in a service scene where the industrial control system is located and acquiring an acquisition time period of the data of each service flow interval;
the auditing module is used for comparing a standard XML rule file according to the acquisition time period of the data of the business process interval and the acquired data of the business process interval to generate an auditing log of the business process interval;
and the risk analysis module is used for acquiring the safety risk audit log of the service scene according to the pre-established risk model and the generated audit log of the service flow interval, and storing the safety risk audit log.
Preferably, the safety audit device of the industrial control system further includes:
the second configuration module is used for configuring business logic for each business process interval; the business logic comprises the business logic relationships used by that business process interval, the instructions and their logical relationships, the industrial system objects involved and their logical relationships, and the input/output parameters and their threshold logic relationships.
Preferably, the safety audit device of the industrial control system further includes:
and the third configuration module is used for dividing the service scene into a plurality of service process intervals according to different auditing granularities.
The invention has the following beneficial effects:
in the security audit method for an industrial control system, the business logic relationships, the instructions and their logical relationships, the industrial objects and their logical relationships, and the input/output parameters and their threshold logic relationships involved in a business process interval are audited after the interval has completed (delayed audit); security risk modelling of the business process interval is performed on the basis of the audit result, a risk model analysis log is generated, and all audit and analysis logs are stored by a cloud blockchain node. The method achieves comprehensive audit and risk analysis of the business logic in a specific scenario of a specific industry, avoids the limitation of auditing single actions only, and ensures both the comprehensiveness of the security audit of the industrial control system and the traceability of the audit result.
Drawings
Fig. 1 is a flowchart of a security audit method of an industrial control system according to embodiment 1 of the present invention;
fig. 2 is a flowchart of a security audit method of an industrial control system according to embodiment 2 of the present invention;
fig. 3 is a schematic diagram of a security audit device of an industrial control system according to embodiment 3 of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Example 1:
as shown in fig. 1, this embodiment provides a security audit method for an industrial control system, where the method performs security audit according to a service scenario in which the industrial control system is located, where the service scenario is divided into a plurality of service process intervals, and the method includes the following steps:
step one, configuring a standard XML rule file according to the service logic configured for each service flow interval in advance.
The method comprises the steps that a business logic relation, an instruction and a logic relation thereof, related industrial system objects and a logic relation thereof, input/output parameters and a threshold value logic relation thereof are configured for each business process interval, and an XML rule file containing the business logic is correspondingly generated for each business process interval.
And step two, acquiring data in the service scene of the industrial control system, and acquiring the acquisition time period of the data of each service process interval.
Specifically, in this step DPI technology may be used to collect data in the business scenario where the industrial control system is located; the collection time t0 of the first data item of the scenario is read, and the collection time periods (t0+S1, t0+S1+D1), (t0+S2, t0+S2+D2), ···, (t0+Sn, t0+Sn+Dn) of the data of each business process interval are obtained in turn from t0, the interval execution start times S1, S2, ···, Sn and the interval execution durations D1, D2, ···, Dn.
And step three, generating an audit log of the business process interval by comparing the standard XML rule file according to the acquisition time period of the data of the business process interval and the acquired data of the business process interval.
Specifically, take the data of the i-th business process interval, collected during the collection time period (t0+Si, t0+Si+Di) and audited at time t0+Si+Di, as an example: the configured standard XML rule file is compared against the business logic relationships of the audited business, the instructions and their logical relationships, the industrial objects involved and their logical relationships, and the input/output parameters and their thresholds, and an audit log of the business process interval containing information such as the audit object, the audit result and the audit analysis is generated.
And step four, acquiring a safety risk audit log of the service scene according to a pre-established risk model and the generated audit log of the service process interval, and storing the safety risk audit log.
Specifically, risk models are established, along dimensions such as logical relationships, objects, instructions and parameters, for the risks audited across all business process intervals of the audited business scenario; all security risks in the business scenario are analysed through the risk models, cluster analysis is performed on them, and the security risk audit log of the business scenario is obtained. The interval audit logs and the security risk audit log are then submitted to cloud blockchain nodes for storage, which ensures that the security audit information of the industrial control system is tamper-resistant and traceable.
In the security audit method for an industrial control system of this embodiment, the business logic relationships, the instructions and their logical relationships, the industrial objects and their logical relationships, and the input/output parameters and their threshold logic relationships involved in a business process interval are audited after the interval has completed (delayed audit); security risk modelling of the business process interval is performed on the basis of the audit result, a risk model analysis log is generated, and all audit and analysis logs are stored by a cloud blockchain node. The method achieves comprehensive audit and risk analysis of the business logic in a specific scenario of a specific industry, avoids the limitation of auditing single actions only, and ensures both the comprehensiveness of the security audit of the industrial control system and the traceability of the audit result.
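The four steps of Example 1 worked through in Python, as an added example that is not code from the patent or its assignee: the XML rule schema, the captured-message tuple format, the instruction and object names and the thresholds are all constructed for illustration, and the collection window is treated as half-open [t0+Si, t0+Si+Di), which is an assumption since the text does not fix the endpoints.

```python
"""Added example (not the patent's own code): the Example 1 audit pipeline.

Constructed for illustration: the XML rule schema, the message tuple format,
the instruction/object names and the thresholds. Collection windows are
treated as half-open [t0+Si, t0+Si+Di) (an assumption).
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Step one: a standard XML rule file with one <interval> per business process
# interval BLi, carrying its execution start Si (relative to the scene start),
# its duration Di, the instructions it may use, the industrial objects it may
# touch, and the threshold range of each input/output parameter.
RULES_XML = """<rules>
  <interval id="BL1" start="0" duration="10">
    <instruction name="read_register"/>
    <object name="PLC1"/>
    <param name="temperature" min="20" max="80"/>
  </interval>
  <interval id="BL2" start="10" duration="15">
    <instruction name="write_register"/>
    <object name="PLC1"/>
    <param name="setpoint" min="0" max="100"/>
  </interval>
</rules>"""


def load_rules(xml_text):
    """Parse the rule file into {interval id: rule dict}."""
    rules = {}
    for iv in ET.fromstring(xml_text).findall("interval"):
        rules[iv.get("id")] = {
            "start": float(iv.get("start")),
            "duration": float(iv.get("duration")),
            "instructions": {e.get("name") for e in iv.findall("instruction")},
            "objects": {e.get("name") for e in iv.findall("object")},
            "params": {p.get("name"): (float(p.get("min")), float(p.get("max")))
                       for p in iv.findall("param")},
        }
    return rules


def collection_windows(t0, rules):
    """Step two: window (t0+Si, t0+Si+Di) per interval; t0 is the first capture time."""
    return {iid: (t0 + r["start"], t0 + r["start"] + r["duration"])
            for iid, r in rules.items()}


def audit_interval(iid, rule, messages):
    """Step three: compare one interval's messages with its rule.

    A message is (capture time, instruction, object, {param: value}).
    Returns one audit log entry per message: object, result and analysis.
    """
    log = []
    for ts, instr, obj, params in messages:
        findings = []
        if instr not in rule["instructions"]:
            findings.append(("instruction", f"{instr} not permitted in {iid}"))
        if obj not in rule["objects"]:
            findings.append(("object", f"{obj} not an object of {iid}"))
        for name, value in params.items():
            if name in rule["params"]:
                lo, hi = rule["params"][name]
                if not lo <= value <= hi:
                    findings.append(("parameter", f"{name}={value} outside [{lo}, {hi}]"))
        log.append({"interval": iid, "time": ts, "object": obj, "instruction": instr,
                    "result": "fail" if findings else "pass", "analysis": findings})
    return log


def audit_scene(t0, rules, messages):
    """Delayed audit: each interval is audited over the messages in its window."""
    log = []
    for iid, (lo, hi) in collection_windows(t0, rules).items():
        in_window = [m for m in messages if lo <= m[0] < hi]
        log.extend(audit_interval(iid, rules[iid], in_window))
    return log


def risk_summary(log):
    """Step four, simplified: count findings per (interval, risk dimension)."""
    counts = Counter()
    for entry in log:
        for dimension, _ in entry["analysis"]:
            counts[(entry["interval"], dimension)] += 1
    return dict(counts)


# Constructed captured traffic, as a DPI probe might decode it.
MESSAGES = [
    (100.0, "read_register", "PLC1", {"temperature": 45.0}),
    (103.0, "read_register", "PLC1", {"temperature": 95.0}),   # over threshold
    (112.0, "write_register", "PLC1", {"setpoint": 50.0}),
    (118.0, "write_register", "PLC2", {"setpoint": 150.0}),    # wrong object, over threshold
    (120.0, "read_register", "PLC1", {"temperature": 50.0}),   # instruction foreign to BL2
]
```

Clustering across intervals and the blockchain upload of step four are left out; `risk_summary` only groups findings by interval and dimension.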
Example 2:
as shown in fig. 2, this embodiment provides a security audit method for an industrial control system, where the method includes the following steps:
step one, configuration of audit equipment, extraction of a business process section and configuration of an audit rule, wherein the step one is specifically described below.
(1) And (3) configuration of audit equipment: configuring an industrial control system needing security audit;
(2) business scenario configuration and business process interval extraction: configure the business scenario and split it into a number of independent action units and/or a number of business process intervals BL1, BL2, ···, BLn; the independent action units and business process intervals occur in any order according to the characteristics of the scenario, the business process intervals are extracted according to different audit granularities, and the same operation may be divided into several business process intervals;
(3) configuring the audit rules of a business process interval: configure the business logic relationships used by the business process interval, the instructions and their logical relationships, the industrial system objects involved and their logical relationships, and the input/output parameters and their threshold logic relationships, and generate for each business process interval a corresponding XML rule file containing more than one business logic rule; the execution start times S1, S2, ···, Sn (interval start time relative to the business scenario start time) and the execution durations D1, D2, ···, Dn are also determined.
And step two, acquiring data in the service scene of the industrial control system, and acquiring the acquisition time period of the data of each service process interval.
Specifically, in this step DPI technology may be used to collect data in the business scenario where the industrial control system is located; the collection time t0 of the first data item of the scenario is read, and the collection time periods (t0+S1, t0+S1+D1), (t0+S2, t0+S2+D2), ···, (t0+Sn, t0+Sn+Dn) of the data of each business process interval are obtained in turn from t0, the execution start times S1, S2, ···, Sn and the execution durations D1, D2, ···, Dn.
And step three, generating an audit log of the business process interval by comparing the standard XML rule file according to the acquisition time period of the data of the business process interval and the acquired data of the business process interval.
Specifically, take the data of the i-th business process interval, collected during the collection time period (t0+Si, t0+Si+Di) and audited at time t0+Si+Di, as an example: the configured standard XML rule file is compared against the business logic relationships, the instructions and their logical relationships, the industrial objects involved and their logical relationships, and the input/output parameters and their thresholds, and a logic interval audit log containing information such as the audit object, the audit result and the audit analysis is generated.
And step four, acquiring a safety risk audit log of the service scene according to a pre-established risk model and the generated audit log of the service process interval, and storing the safety risk audit log.
Specifically, risk models are established, along dimensions such as logical relationships, objects, instructions and parameters, for the risks audited across all business process intervals of the audited business scenario; all security risks in the business scenario are analysed through the risk models, cluster analysis is performed on them, and the security risk audit log of the business scenario is obtained. The logic interval audit logs and the security risk audit log are then submitted to cloud blockchain nodes for storage, which ensures that the security audit information of the industrial control system is tamper-resistant and traceable.
In the security audit method for an industrial control system of this embodiment, the business logic relationships, the instructions and their logical relationships, the industrial objects and their logical relationships, and the input/output parameters and their threshold logic relationships involved in a business process interval are audited after the interval has completed (delayed audit); security risk modelling of the business process interval is performed on the basis of the audit result, a risk model analysis log is generated, and all audit and analysis logs are stored by a cloud blockchain node. The method achieves comprehensive audit and risk analysis of the business logic in a specific scenario of a specific industry, avoids the limitation of auditing single actions only, and ensures both the comprehensiveness of the security audit of the industrial control system and the traceability of the audit result.
If the protocol library, instruction library, object library and parameter library required for the audit are also configured in step one, real-time auditing becomes possible alongside the delayed audit: DPI technology collects the data of the industrial control system, and the collected data messages together with their collection times are uploaded in real time to a real-time audit module. That module reads the protocol of the audited data, the instructions involved and the security of the parameter thresholds, compares them against the configured protocol, instruction, object and parameter libraries, audits the logic interval and/or action unit in real time, and generates a real-time audit log containing information such as the audit object, the audit result and the audit analysis. Risk analysis and data storage then proceed as in step four.
Example 3:
as shown in fig. 3, this embodiment provides a security audit device for an industrial control system, which can perform a security audit of the industrial control system using the method of embodiment 1 or 2. The security audit device for the industrial control system of this embodiment comprises a first configuration module, a collection module, an audit module and a risk analysis module.
The first configuration module is used for configuring a standard XML rule file according to the service logic configured for each service flow interval in advance.
The acquisition module is used for acquiring data in a service scene where the industrial control system is located and acquiring an acquisition time period of the data in each service flow interval.
The audit module is used for comparing the collected data of a business process interval, within the collection time period of that interval, against the standard XML rule file to generate an audit log of the business process interval.
And the risk analysis module is used for acquiring the safety risk audit log of the service scene according to a pre-established risk model and the generated audit log of the service flow interval, and storing the safety risk audit log.
Further, the security audit device of this embodiment also includes a second configuration module for configuring business logic for each business process interval; the business logic comprises the business logic relationships used by that business process interval, the instructions and their logical relationships, the industrial system objects involved and their logical relationships, and the input/output parameters and their threshold logic relationships.
Of course, the security audit device of this embodiment also includes a third configuration module for dividing the business scenario into a plurality of business process intervals according to different audit granularities.
In the security audit device for an industrial control system of this embodiment, the audit module audits, after the interval has completed (delayed audit), the business logic relationships, the instructions and their logical relationships, the industrial objects and their logical relationships, and the input/output parameters and their threshold logic relationships involved in a business process interval, establishes a security risk model for the business process interval on the basis of the audit result, generates a risk model analysis log, and stores all audit and analysis logs through a cloud blockchain node. The device achieves comprehensive audit and risk analysis of the business logic in a specific scenario of a specific industry, avoids the limitation of auditing single actions only, and ensures both the comprehensiveness of the security audit of the industrial control system and the traceability of the audit result.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A security audit method for an industrial control system, characterized by comprising:
configuring a standard XML rule file according to the business logic configured in advance for each business process interval;
collecting data in the business scenario where the industrial control system is located, and obtaining the collection time period of the data of each business process interval;
comparing, according to the collection time period of the data of a business process interval and the collected data of that business process interval, against the standard XML rule file, to generate an audit log of the business process interval;
obtaining, according to a pre-established risk model and the generated audit log of the business process interval, the security risk audit log of the business scenario, and storing the security risk audit log.

2. The security audit method for an industrial control system according to claim 1, characterized in that, before the step of generating the standard XML rule file according to the business logic configured in advance for each business process interval, it further comprises:
configuring business logic for the business process interval; wherein the business logic comprises the business logic relationships used by the business process interval, the instructions and their logical relationships, the industrial system objects involved and their logical relationships, and the input/output parameters and their threshold logic relationships.

3. The security audit method for an industrial control system according to claim 2, characterized in that the audit log of the business process interval comprises: an audit log of the business process interval containing the audit object, the audit result and the audit analysis.

4. The security audit method for an industrial control system according to claim 2, characterized in that, before the step of configuring business logic for the business process interval, it further comprises:
dividing the business scenario into a plurality of said business process intervals according to different audit granularities.

5. The security audit method for an industrial control system according to claim 1, characterized in that the step of collecting data in the business scenario where the industrial control system is located and obtaining the collection time period of the data of each business process interval comprises:
collecting, using DPI technology, the data in the business scenario where the industrial control system is located;
reading the collection time of the first data item in the business scenario where the industrial control system is located, and obtaining in turn the collection time period of the data of each business process interval according to that collection time, the execution start time of each business process interval and the execution duration of the business process interval;
wherein said reading the collection time of the first data item in the business scenario where the industrial control system is located, and obtaining in turn the collection time period of the data of each business process interval according to that collection time, the execution start time of each business process interval and the execution duration of the business process interval, comprises:
reading the collection time t0 of the first data item in the business scenario, and obtaining in turn, according to t0, the execution start times S1, S2, ···, Sn of the business process intervals and the execution durations D1, D2, ···, Dn of the business process intervals, the collection time periods (t0+S1, t0+S1+D1), (t0+S2, t0+S2+D2), ···, (t0+Sn, t0+Sn+Dn) of the data of each business process interval, where n is the number of business process intervals.

6. The security audit method for an industrial control system according to claim 1, characterized in that the step of obtaining the collection time period of the data of each business process interval comprises:
reading the collection time of the first data item in the business scenario where the industrial control system is located, and obtaining in turn the collection time period of the data of each business process interval according to that collection time, the execution start time of each business process interval and the execution duration of each business process interval;
wherein said reading the collection time of the first data item in the business scenario where the industrial control system is located, and obtaining in turn the collection time period of the data of each business process interval according to that collection time, the execution start time of each business process interval and the execution duration of the business process interval, comprises:
reading the collection time t0 of the first data item in the business scenario, and obtaining in turn, according to t0, the execution start times S1, S2, ···, Sn of the business process intervals and the execution durations D1, D2, ···, Dn of the business process intervals, the collection time periods (t0+S1, t0+S1+D1), (t0+S2, t0+S2+D2), ···, (t0+Sn, t0+Sn+Dn) of the data of each business process interval, where n is the number of business process intervals.

7. The security audit method for an industrial control system according to claim 1, characterized in that storing the security risk audit log comprises:
uploading the security risk audit log to a cloud blockchain for storage.

8. A security audit device for an industrial control system, characterized by comprising:
a first configuration module, configured to configure a standard XML rule file according to the business logic configured in advance for each business process interval;
a collection module, configured to collect data in the business scenario where the industrial control system is located and obtain the collection time period of the data of each business process interval;
an audit module, configured to compare, according to the collection time period of the data of a business process interval and the collected data of that business process interval, against the standard XML rule file, to generate an audit log of the business process interval;
a risk analysis module, configured to obtain, according to a pre-established risk model and the generated audit log of the business process interval, the security risk audit log of the business scenario, and to store the security risk audit log.

9. The security audit device for an industrial control system according to claim 8, characterized in that it further comprises:
The safety audit device of an industrial control system according to claim 8, further comprising: 第二配置模块,用于为业务流程区间配置业务逻辑;其中,所述业务逻辑包括业务流程区间其所使用的业务逻辑关系、指令及其逻辑关系、涉及到的工业系统对象及其逻辑关系、输入/输出参数及其阈值逻辑关系。The second configuration module is used to configure business logic for the business process interval; wherein, the business logic includes the business logic relationship used in the business process interval, the instruction and its logical relationship, the involved industrial system objects and their logical relationship, Input/output parameters and their threshold logic relationships. 10.根据权利要求8所述的工控系统的安全审计装置,其特征在于,还包括:10. The safety audit device of an industrial control system according to claim 8, characterized in that, further comprising: 第三配置模块,用于根据不同的审计颗粒度将业务场景划分为多个所述业务流程逻辑。The third configuration module is configured to divide the business scenario into a plurality of the business process logics according to different audit granularities.
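The mechanics of claims 3, 5, 6 and 8 (per-interval collection windows computed from t0, S_i and D_i; comparison of the captured data against an XML rule file; an audit log of objects, result and analysis per interval; a risk model over those logs) can be shown end to end in a few dozen lines. The following is an added illustration, not code from the patent or its assignee: the rule-file schema, the record format, the half-open window convention, the risk weights and all sample data are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed rule file. The schema (interval/instruction/object/param) is an
# assumption for this example; the patent only says a "standard XML rule file".
RULE_XML = """<rules>
  <interval id="1" start="0" duration="60">
    <instruction>READ_COILS</instruction>
    <object>PLC-1</object>
    <param name="pressure" min="0" max="10"/>
  </interval>
  <interval id="2" start="60" duration="120">
    <instruction>WRITE_REGISTER</instruction>
    <object>PLC-1</object>
    <param name="setpoint" min="20" max="80"/>
  </interval>
</rules>"""


def load_rules(xml_text):
    """Parse the rule file into one dict per business process interval."""
    rules = []
    for iv in ET.fromstring(xml_text).findall("interval"):
        rules.append({
            "id": iv.get("id"),
            "start": float(iv.get("start")),        # S_i, offset from t0
            "duration": float(iv.get("duration")),  # D_i
            "instructions": {e.text for e in iv.findall("instruction")},
            "objects": {e.text for e in iv.findall("object")},
            "params": {p.get("name"): (float(p.get("min")), float(p.get("max")))
                       for p in iv.findall("param")},
        })
    return rules


def collection_windows(t0, rules):
    """Claims 5/6: window i is (t0+S_i, t0+S_i+D_i). Treated as half-open
    [lo, hi) here so a record on a boundary is counted in exactly one interval."""
    return [(r["id"], t0 + r["start"], t0 + r["start"] + r["duration"]) for r in rules]


def audit_interval(rule, lo, hi, records):
    """Claim 3: the interval's audit log is audit objects, audit result, audit analysis."""
    objects, findings = set(), []
    for rec in records:
        if not lo <= rec["ts"] < hi:
            continue
        objects.add(rec["object"])
        tag = f"t={rec['ts']} {rec['instruction']}->{rec['object']}"
        if rec["instruction"] not in rule["instructions"]:
            findings.append(f"{tag}: instruction not allowed in interval {rule['id']}")
        if rec["object"] not in rule["objects"]:
            findings.append(f"{tag}: object not part of interval {rule['id']}")
        for name, value in rec.get("params", {}).items():
            if name in rule["params"]:
                vmin, vmax = rule["params"][name]
                if not vmin <= value <= vmax:
                    findings.append(f"{tag}: {name}={value} outside [{vmin}, {vmax}]")
    return {"interval": rule["id"], "audit_objects": sorted(objects),
            "audit_result": "PASS" if not findings else "FAIL",
            "audit_analysis": findings}


def run_audit(t0, rules, records):
    """Audit every interval. Records that fall in no window are returned too:
    traffic outside the expected process sequence is itself worth flagging."""
    windows = collection_windows(t0, rules)
    logs = [audit_interval(r, lo, hi, records) for r, (_, lo, hi) in zip(rules, windows)]
    unassigned = [rec for rec in records
                  if not any(lo <= rec["ts"] < hi for _, lo, hi in windows)]
    return logs, unassigned


def risk_audit(logs, unassigned, weights=None):
    """Assumed risk model (the patent does not specify one): findings weighted
    per interval, plus one point for every record outside all windows."""
    weights = weights or {}
    score = sum(weights.get(l["interval"], 1) * len(l["audit_analysis"]) for l in logs)
    score += len(unassigned)
    level = "high" if score >= 4 else "medium" if score >= 1 else "low"
    return {"risk_score": score, "risk_level": level,
            "intervals": logs, "unassigned_records": len(unassigned)}


# Constructed capture, standing in for what a DPI collector would decode.
T0 = 1000
RECORDS = [
    {"ts": 1005, "object": "PLC-1", "instruction": "READ_COILS", "params": {"pressure": 5}},
    {"ts": 1030, "object": "PLC-1", "instruction": "WRITE_REGISTER", "params": {}},
    {"ts": 1100, "object": "PLC-1", "instruction": "WRITE_REGISTER", "params": {"setpoint": 95}},
    {"ts": 1150, "object": "PLC-2", "instruction": "WRITE_REGISTER", "params": {"setpoint": 50}},
    {"ts": 1300, "object": "PLC-1", "instruction": "READ_COILS"},
]

if __name__ == "__main__":
    rules = load_rules(RULE_XML)
    logs, unassigned = run_audit(T0, rules, RECORDS)
    report = risk_audit(logs, unassigned, weights={"2": 2})
    for log in logs:
        print(log["interval"], log["audit_result"], log["audit_objects"], log["audit_analysis"])
    print(report["risk_score"], report["risk_level"], report["unassigned_records"])
```

Two points a practitioner would check before relying on this. First, the windows are anchored on the first captured record (t0), so a collector that starts late or drops the first packet shifts every window; in practice t0 should be tied to an observable process start event rather than "first thing seen". Second, the patent's audit compares only data inside each window; the `unassigned` list exists because a write that arrives between or after the defined intervals is exactly the kind of event a sequence-aware audit should not silently ignore.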
CN201810792245.0A 2018-07-18 2018-07-18 Industrial control system security audit method and device Active CN109005162B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810792245.0A CN109005162B (en) 2018-07-18 2018-07-18 Industrial control system security audit method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810792245.0A CN109005162B (en) 2018-07-18 2018-07-18 Industrial control system security audit method and device

Publications (2)

Publication Number Publication Date
CN109005162A CN109005162A (en) 2018-12-14
CN109005162B true CN109005162B (en) 2021-04-02

Family

ID=64600516

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810792245.0A Active CN109005162B (en) 2018-07-18 2018-07-18 Industrial control system security audit method and device

Country Status (1)

Country Link
CN (1) CN109005162B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110719334B (en) * 2019-10-18 2021-10-26 上海华讯网络系统有限公司 Auditing system and method suitable for cloud desktop behaviors
CN111007783A (en) * 2019-12-28 2020-04-14 广东电科院能源技术有限责任公司 Safety management and control system and method
CN111541643B (en) * 2020-03-18 2022-02-01 成都中科合迅科技有限公司 Method for realizing safety audit of service system without intrusion
CN114363169B (en) * 2021-12-27 2023-10-27 紫光云(南京)数字技术有限公司 SPI-based equipment auditing method
CN114327716A (en) * 2021-12-27 2022-04-12 凌云光技术股份有限公司 Method and system for generating local language operation log based on XML language

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9124619B2 (en) * 2012-12-08 2015-09-01 International Business Machines Corporation Directing audited data traffic to specific repositories
CN105160038B (en) * 2015-10-10 2017-04-19 广东卓维网络有限公司 Data analysis method and system based on audit database
CN107274324A (en) * 2017-06-06 2017-10-20 张黎明 A kind of method that accident risk assessment is carried out based on cloud service

Also Published As

Publication number Publication date
CN109005162A (en) 2018-12-14

Similar Documents

Publication Publication Date Title
CN109005162B (en) Industrial control system security audit method and device
CN113676484B (en) Attack tracing method and device and electronic equipment
CN109587125B (en) Network security big data analysis method, system and related device
CN111935172A (en) Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium
CN110046073B (en) Log collection method and device, equipment and storage medium
Awad et al. Tools, techniques, and methodologies: A survey of digital forensics for scada systems
Bou-Harb et al. Big data behavioral analytics meet graph theory: on effective botnet takedowns
CN110009347B (en) Block chain transaction information auditing method and device
CN106452955B (en) A kind of detection method and system of abnormal network connection
CN110941632A (en) Database auditing method, device and equipment
CN113269531A (en) Cloud-end architecture-based multi-tenant internet access behavior audit control method and related equipment
CN114357445A (en) Method, device and storage medium for identifying terminal side attack path
CN115766258B (en) Multi-stage attack trend prediction method, equipment and storage medium based on causal relationship graph
CN110456765A (en) Temporal model generation method, device and its detection method of industry control instruction, device
WO2025035511A1 (en) Active defense system and method for unknown threat
CN111651170B (en) Instance dynamic adjustment method and device and related equipment
CN112395357A (en) Data collection method and device and electronic equipment
CN111885088A (en) Log monitoring method and device based on block chain
CN112565232B (en) A log parsing method and system based on templates and traffic status
CN107612882B (en) User behavior identification method and device based on intermediate log
CN107332731A (en) A kind of test system and test envelope for network security monitoring device
CN114095032A (en) Data stream compression method based on Flink and RVR, edge computing system and storage medium
CN118779898A (en) Cryptographic device management method, platform, electronic device and computer storage medium
CN111901199A (en) Mass data-based quick early warning matching implementation method
CN111064637A (en) NetFlow data duplicate removal method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant