
CN111224973A - Network attack rapid detection system based on industrial cloud - Google Patents

Info

Publication number: CN111224973A
Authority: CN (China)
Prior art keywords: alarm, correlation, association, signature, attack
Legal status: Pending
Application number: CN201911414868.5A
Other languages: Chinese (zh)
Inventor: not disclosed
Current assignee: Nanjing Liancheng Technology Development Co ltd
Original assignee: Nanjing Liancheng Technology Development Co ltd
Events: application filed by Nanjing Liancheng Technology Development Co ltd; priority to CN201911414868.5A; publication of CN111224973A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/065 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis involving logical or physical relationship, e.g. grouping and hierarchies
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack rapid detection system based on an industrial cloud, which comprises a data packet capturing unit, a signature-based intrusion detection unit, a honeypot, an alarm generating and processing unit, an association unit and a signature database. The association unit comprises an offline association submodule, an online association submodule, an attack mode submodule and a rule generation submodule, and the attack mode submodule can discover network attacks by adopting an alarm association graph aggregation algorithm and a frequent subgraph mining algorithm. The invention can ensure that the ICS industrial control network is safe and controllable.

Description

Network attack rapid detection system based on industrial cloud
Technical Field
The invention relates to the technical field of computers, network security, network management and automatic control, in particular to a network attack rapid detection system based on an industrial cloud.
Background
Industrial control systems (ICS) are used for managing and maintaining national key infrastructure. Generally, an ICS includes programmable logic controllers (PLC), a human machine interface (HMI), a master terminal unit (MTU), remote terminal units (RTU), sensors, actuators, and an industrial control network. They are deployed on an industrial field, or on a virtual machine (VM) of an industrial cloud or a control VM (CVM) of the industrial cloud, and are connected by an industrial control network that carries communication between the field devices, the VM and the CVM, or by a high-performance 5G (Fifth Generation Mobile Communications System) network capable of interconnecting everything. The PLC receives the data collected by sensor devices deployed in the industrial field through the industrial control network, computes control data through operations such as an artificial-intelligence-based controller, and outputs the control data to actuators in the industrial field through the industrial control network, thereby realizing an automated or smart factory that controls the production process. The consequences are unimaginable if the industrial control network cannot resist hacking, cannot detect and recover from a network attack in a timely manner, or cannot respond in a timely manner to a detected network attack, particularly once the collected data and control data have been tampered with by a hacker. Therefore, an industrial cloud-based network attack rapid detection system is urgently needed to realize security prevention measures for the industrial devices covered by the ICS.
Disclosure of Invention
In order to solve the technical problem, the invention provides a network attack rapid detection system based on an industrial cloud, so as to solve the problem that the traditional security solution is no longer suitable for the network security of the ICS based on the industrial cloud.
A network attack rapid detection system based on industrial cloud is characterized in that the system comprises data packet capture, intrusion detection based on signature, honeypot, alarm generation and processing, association unit and signature database;
the data packet capturing module captures data packets from the VMs of the industrial cloud, the captured data packets are applied to the intrusion detection module based on the signature, and each VM of the industrial cloud can be deployed with one data packet capturing module;
the signature-based intrusion detection module is characterized in that the data packet captured by the data packet capture module is applied to intrusion detection of the module, the content of the data packet is matched with a known attack signature, and if any match is found, the corresponding data packet is regarded as intrusion and an alarm is generated;
the honeypot module is a virtual honeypot device and is used for receiving the data packet from the data packet capturing module, analyzing the data packet, tracking a network attack path, generating a log file and synchronizing the log file to the alarm generating and processing module in real time;
the alarm generation and processing module receives an alarm of the intrusion detection module based on the signature and receives a log file of the honeypot module, wherein the fields of the alarm and the log file comprise occurrence time, a source IP, a source port, a target IP, a target port and an intrusion type, and the fields of the alarm and the log file are sent to the association unit when the occurrence frequency of the alarm exceeds a preset threshold value;
the association unit comprises an offline association submodule, an online association submodule, an attack mode submodule and a generation rule submodule, receives and associates the alarms from the alarm generation and processing module and the alarms of the alarm generation and processing module instances on other servers, and calculates an alarm majority factor AMF (alert probability factor) by using the following formula to determine a distributed attack:
AMF = [DEST_PATH_IMAGE001]
if AMF is larger than the threshold value, the association unit generates a distributed attack signature for the signature-based intrusion detection module and updates the signature to the signature databases of all instances; otherwise, the association unit generates an attack signature for the signature-based intrusion detection module and updates the attack signature to the signature databases of all instances;
the signature database is responsible for storing attack signatures and distributed attack signatures and receiving signature updates from the association unit;
further, the offline association submodule uses a group of historical alarms to construct a correlation model and synchronizes it to the online association submodule, wherein the correlation model is composed of two knowledge tables: a correlation intensity table (I) and a correlation constraint condition table (II). The correlation intensity table represents the strength of correlation between two alarm types [DEST_PATH_IMAGE002] and [DEST_PATH_IMAGE003]; more specifically, it is the probability that alarm type [DEST_PATH_IMAGE003] occurs after alarm type [DEST_PATH_IMAGE002], namely: for these two alarm types [DEST_PATH_IMAGE002] and [DEST_PATH_IMAGE003], the correlation strength L([DEST_PATH_IMAGE004], [DEST_PATH_IMAGE005]) is based on the related constraint condition being true. When there are n (n > 1) correlation constraints between two alarm types, the correlation strength between the two alarm types is the minimum correlation strength over the n correlation constraints:
L([DEST_PATH_IMAGE004], [DEST_PATH_IMAGE005]) [DEST_PATH_IMAGE006]
wherein, given the association constraint [DEST_PATH_IMAGE007], the probability that alarm type [DEST_PATH_IMAGE003] occurs after [DEST_PATH_IMAGE004] can be defined as:
[DEST_PATH_IMAGE008] = [DEST_PATH_IMAGE009]
further, the online correlation submodule receives each input alarm [DEST_PATH_IMAGE010] in real time and performs correlation analysis between alarm [DEST_PATH_IMAGE010] and the set S = [DEST_PATH_IMAGE012] of alarms that occurred within [DEST_PATH_IMAGE011] seconds before alarm [DEST_PATH_IMAGE010], in order to determine whether [DEST_PATH_IMAGE010] and the alarms in S are relevant; the alarm types of the alarms are extracted and used to look up the correlation strength and the correlation constraint conditions, and two alarms are relevant when the following conditions are met:
(1) the correlation strength between alarm [DEST_PATH_IMAGE013] and alarm [DEST_PATH_IMAGE010] is greater than or equal to a threshold value [DEST_PATH_IMAGE014];
(2) for alarm [DEST_PATH_IMAGE013] and alarm [DEST_PATH_IMAGE010], at least one of all the relevant constraint conditions applies to [DEST_PATH_IMAGE013] and [DEST_PATH_IMAGE010];
further, the attack mode sub-module receives the alarm correlation diagram, uses an alarm correlation diagram aggregation algorithm to aggregate the alarm correlation diagram into different clusters, uses a frequent subgraph mining algorithm to extract representative features from all the clusters, and finds the attack mode;
further, the rule generation submodule generates a rule for detecting the attack according to each found attack mode and synchronizes the rule to the signature database in time.
The invention has the technical effects that:
the invention provides a network attack rapid detection system based on an industrial cloud, which comprises a data packet capture, an intrusion detection based on a signature, a honeypot, an alarm generation and processing unit, an association unit and a signature database, wherein the association unit comprises an offline association submodule, an online association submodule, an attack mode submodule and a generation rule submodule, and the attack mode submodule can discover the network attack by adopting an alarm association graph aggregation algorithm and a frequent subgraph mining algorithm. The invention can ensure that the ICS industrial control network is safe and controllable.
Drawings
FIG. 1 is a schematic diagram of an ICS system of an industrial cloud-based cyber attack rapid detection system;
FIG. 2 is a schematic diagram of an ICS system hierarchy of an industrial cloud-based cyber attack rapid detection system;
FIG. 3 is a schematic diagram of a rapid detection system for network attacks based on an industrial cloud;
FIG. 4 is a process diagram of a signature-based intrusion detection module of an industrial cloud-based cyber attack rapid detection system;
FIG. 5(1) is a warning before association of the industrial cloud-based network attack rapid detection system (warning fields: timestamp, source IP, source Port, destination IP, destination Port, and addressing type);
FIG. 5(2) is an alarm correlation diagram of an industrial cloud-based network attack rapid detection system;
FIG. 6(1) is an alarm correlation diagram of an industrial cloud-based network attack rapid detection system;
FIG. 6(2) is an attack pattern diagram of an alarm association diagram of an industrial cloud-based network attack rapid detection system.
Detailed Description
The invention is described in further detail below with reference to the figures and examples:
Fig. 1 is a schematic diagram of an ICS system of an industrial cloud-based network attack rapid detection system. Generally, the ICS system includes an HMI (Human Machine Interface), an engineer station, a remote diagnostic tool, a controller, sensors and actuators, and communication between these components depends on an industrial network protocol, for example a 5G network. The HMI, the engineer station, the controller and the remote diagnostic tool are deployed on an industrial cloud VM or CVM, while actuators and sensors are installed in the industrial field: actuators (e.g., valves, motors and switches) execute controller commands, and sensors (e.g., temperature and pressure sensors) monitor and collect data in real time and transmit the data to the controller.
The HMI is used for monitoring the controlled process and displaying historical state information; the engineer station is used to configure control algorithms and adjust control parameters. Remote diagnostic tools are used to prevent, identify and recover from abnormal conditions, or to diagnose and repair faults. The controller is used to control the industrial process, for example, to adjust the opening of a gas valve. The industrial network protocol is a network protocol, e.g., 5G network, Modbus/TCP, by which the controller communicates with sub-controllers, engineer stations, HMI human machine interfaces, actuators or sensors. The control process of the controller mainly comprises the transmission of measurement data from the sensors to the controller and the collection and transmission of control data from the controller to the actuators. Subsequently, the sensor collects new measurement data according to the control process and transmits the measurement data to the controller again, forming a closed-loop control. In industrial production areas, controlled processes are typically run continuously over a period of several milliseconds to several days. Therefore, if the control data and the measurement data are attacked by a network, the control data and the collected data are falsified and cannot be detected and recovered in time, and the serious result is immeasurable.
Fig. 2 is a schematic diagram of an ICS system layer of an industrial cloud-based network attack rapid detection system, where a field device layer is located at the bottom layer and includes a data acquisition device, a video camera device, and an actuator, and these devices may be a sensor, an RFID tag, a camera, an internet of things (IOT) device, and a variable frequency motor device. They will be responsible for collecting real-time data and processing the data through an intelligent application (e.g., a controller) to make real-time decisions and output the decisions to an actuator (e.g., output the decisions to the actuator to adjust the opening of a gas valve).
The communication device layer is the middle layer and consists of field network devices that carry data between the field device layer at the bottom and the industrial cloud computing infrastructure at the top. Because this layer is closest to the field device layer (the field device layer is at the bottom in Fig. 2), its field network devices can serve as edge computing and process part of the collected data, or all of the computation, so that industrial application performance is not affected by network delay.
The industrial cloud is located on the uppermost layer and mainly consists of virtual machines. If the communication device layer does not have free computing resources, it can send the request directly into the industrial cloud infrastructure for computing. Even if the data processing is done in the communication device layer, the raw data, intermediate data and computation results eventually need to be stored on the industrial cloud computing infrastructure.
In an industrial ICS environment, the bottommost field device layer, the middle communication device layer and the uppermost industrial cloud can all be used by multiple intelligent applications, and different users can cause network security problems. If a hacker attacks a field device, the sensors of the ICS system may produce wrong collected data and provide wrong output data, which is a very dangerous event; e.g., if an application processes real-time weather data and predicts flooding or other natural disasters, the consequences of an attacked field device providing false data may be catastrophic. In addition, cyber attacks may also result in confidential data being disclosed by hackers to competitors. Currently, existing security protocols require authentication before providing data processing calculations. However, if an authenticated device is hacked, the situation becomes worse, because the field devices in the ICS system have some access rights in the industrial control network. Thus, network attacks on an ICS environment can be broadly divided into two categories: (a) unauthenticated network attacks; (b) unauthorized network attacks. If the attacker is not authenticated and attempts to attack the ICS system, the cyber attack is referred to as an unauthenticated cyber attack or an external cyber attack. However, if a network attack that attempts to attack the ICS system is authenticated and comes from within a secure and trusted network of applications, it is referred to as an unauthorized or internal network attack. Authenticated users or devices are tracked because they have certain usage rights in the industrial control network. According to a survey of 2013 U.S. cyber crimes, 34% of all cyber attacks are internal cyber attacks, 31% are external cyber attacks, and the remaining 35% of cyber attacks cannot be classified as internal or external cyber attacks.
Another investigation conducted by Furnell (2004) showed that system security administrators were more aware of and concerned with external network attacks while paying little attention to most internal network attacks. Because the ICS system is a multi-user architecture in which different applications can share resources, it is difficult to identify an internal network attacker. In ICS systems, the damage caused by internal network attacks is also high, since applications that use real-time data are critical applications. Therefore, an industrial cloud-based network attack rapid detection system is urgently needed to protect ICS services from malicious network attacks. Actively predicting malicious network attacks on the ICS system can ensure that the ICS is deployed and protected better and more safely.
Kalman filtering, linear filtering and nonlinear filtering techniques from probability theory and statistics may be applied to this application, of which the Markov model is a typical example. A Markov model is a stochastic model that satisfies the Markov property, meaning that the probability of a future event depends on the current state rather than on past states. A hidden Markov model is a Markov model in which the intermediate states are not observed, i.e. hidden. Markov models are used for network security and evaluation based on current user activity. The hidden Markov model can be used to predict the probability of a malicious network attack occurring from the activity of the ICS equipment.
Malicious cyber attacks can be a major bottleneck in any ICS system, and the consequences can be more serious later depending on the importance of the industrial field intelligence application. The method mainly aims to design an effective network attack rapid detection system based on the industrial cloud, and can identify malicious network attacks occurring in the ICS in time, so that the ICS industrial control network is safer and self-adaptive in nature.
Fig. 3 is a schematic diagram of a network attack rapid detection system based on an industrial cloud, which is intended to protect the national key infrastructure from network attack, in particular to protect control data and measurement data from being tampered by hackers, and to maintain the normal operation and management order of the national key infrastructure.
The honeypot is a trap set by the application, a genuine decoy within the ICS system, used to lure network attackers on the ICS system. Honeypots can be computers, applications or data that simulate the true behavior of ICS systems and record the attack paths of hackers. Unlike intrusion detection systems and firewalls, honeypots allow users to attack them. Correctly installed honeypots can improve the efficiency and safety of the ICS system; however, if the honeypot is static and the attacker knows its location, its value may diminish to some extent. In order to make the industrial cloud-based network attack rapid detection system more adaptive, the honeypot is proposed to be a virtual honeypot device whose position changes dynamically, so that its exact position is never known to malicious network attackers. Compared with traditional honeypots, virtual honeypot device technology not only prevents exposure of the honeypot position but is also easy to deploy. The virtual honeypot device is like a virtual machine image and can be easily deployed on an industrial cloud VM (virtual machine) with dynamic characteristics; according to the level and severity of the network attack, the virtual honeypot device can also automatically expand its own resource capacity, making it suitable for malicious network attacks of any level and number.
The system is characterized by comprising data packet capture, intrusion detection based on signature, honeypot, alarm generation and processing, association unit and signature database. The modules work in series, wherein the data packet capture module is deployed and operated on an industrial cloud CVM (control VM), the honeypot is deployed and operated on the industrial cloud VM, the rest of the modules can be deployed and operated on the CVM or the VM, and the input and output of each module and its sub-modules are shown in table 1 below:
Table 1: input and output of respective modules [DEST_PATH_IMAGE015]
The data packet capturing module captures data packets from the VMs of the industrial cloud, the captured data packets are applied to the intrusion detection module based on the signature, and each VM of the industrial cloud can be deployed with one data packet capturing module;
the signature-based intrusion detection module is characterized in that the data packet captured by the data packet capture module is applied to intrusion detection of the module, the content of the data packet is matched with known attack signatures, and if any match is found, the corresponding data packet is regarded as an intrusion and an alarm is generated; Fig. 4 is a process diagram of the signature-based intrusion detection module of the industrial cloud-based network attack rapid detection system, in which a packet decoder performs an initial analysis of the packet captured by the packet capture module, and a preprocessor performs the required functions, such as packet defragmentation, TCP stream reassembly, and the like. The detection engine matches the packet against the rules configured for any association. If the match is successful, it notifies the logging and alarm system, which then outputs an alarm or a log accordingly.
The honeypot module is a virtual honeypot device and is used for receiving the data packet from the data packet capturing module, analyzing the data packet, tracking a network attack path, generating a log file and synchronizing the log file to the alarm generating and processing module in real time;
the alarm generation and processing module receives an alarm of the intrusion detection module based on the signature and receives a log file of the honeypot module, wherein fields of the alarm and the log file comprise occurrence time, a source IP, a source port, a target IP, a target port, an intrusion type and the like, and the alarm and the log file are sent to the association unit when the occurrence frequency of the alarm exceeds a preset threshold value;
the association unit comprises an offline association submodule, an online association submodule, an attack mode submodule and a generation rule submodule, receives and associates the alarms from the alarm generation and processing module and the alarms of the alarm generation and processing module instances on other servers, and calculates an alarm majority factor AMF (alert probability factor) by using the following formula to determine a distributed attack:
AMF = [DEST_PATH_IMAGE016]
if AMF is larger than the threshold value, the association unit generates a distributed attack signature for the signature-based intrusion detection module and updates the signature to the signature databases of all instances; otherwise, the association unit generates an attack signature for the signature-based intrusion detection module and updates the attack signature to the signature databases of all instances, which helps the signature-based intrusion detection module to quickly detect network attacks;
the signature database is responsible for storing attack signatures and distributed attack signatures and receiving signature updates from the association unit.
Further, the offline correlation sub-module uses a set of historical alarms to build a correlation model. The correlation model is built by this offline correlation submodule and is provided to the online correlation submodule for periodic use and updating. The correlation model consists of two knowledge tables: and (I) a correlation strength table and (II) a correlation constraint condition table. The correlation intensity table represents two alarm types
Figure 442883DEST_PATH_IMAGE004
And
Figure 790687DEST_PATH_IMAGE003
and more particularly, it is referred to as being
Figure 996541DEST_PATH_IMAGE004
After the alarm type occurs
Figure 113401DEST_PATH_IMAGE003
Probability or probability of alarm type, i.e.: for the
Figure 12087DEST_PATH_IMAGE004
And
Figure 581609DEST_PATH_IMAGE003
these two alarm types, the associated probability L: (
Figure 122312DEST_PATH_IMAGE004
,
Figure 234624DEST_PATH_IMAGE005
) Is premised on the relevant constraint condition being true. And the correlation strength and the correlation constraint are related as follows:
L(
Figure 163266DEST_PATH_IMAGE004
,
Figure 361029DEST_PATH_IMAGE005
)=P(
Figure 33319DEST_PATH_IMAGE017
∣C)
Constraint C may be a rule that captures the constraints associated with two alarms. For example, the constraint (Figure 138DEST_PATH_IMAGE018 20 s) indicates that the two alarm types Figure 99681DEST_PATH_IMAGE004 and Figure 784740DEST_PATH_IMAGE003 are associated when they occur within an interval of 20 s. Another example of a constraint is Figure 260721DEST_PATH_IMAGE019, indicating that the alarm types Figure 613205DEST_PATH_IMAGE004 and Figure 24594DEST_PATH_IMAGE003 are associated when they have the same target IP (in other words, the difference between their destination IP addresses is zero).
When there are n (n > 1) association constraints between two alarm types, the association strength (association likelihood, association probability) between the two alarm types is the minimum of the association strengths over the n constraints:
L(Figure 118321DEST_PATH_IMAGE020, Figure 7780DEST_PATH_IMAGE021) Figure 73825DEST_PATH_IMAGE006
where, given the association constraint Figure 390537DEST_PATH_IMAGE022, the probability that alarm type Figure 909243DEST_PATH_IMAGE003 occurs after Figure 133551DEST_PATH_IMAGE020 can be defined as:
Figure 929468DEST_PATH_IMAGE023 = Figure 807294DEST_PATH_IMAGE009
In the above equation, given a set of historical alarms, P(Figure 688663DEST_PATH_IMAGE024) means the number of times Figure 44558DEST_PATH_IMAGE003 occurs after Figure 694982DEST_PATH_IMAGE020 within the same time window w, relative to the number of occurrences of Figure 743709DEST_PATH_IMAGE002 in the same time window w; Figure 112374DEST_PATH_IMAGE025 means the number of times Figure 776890DEST_PATH_IMAGE003 occurs after Figure 403044DEST_PATH_IMAGE002 while both satisfy the association constraint Figure 271960DEST_PATH_IMAGE007, relative to the number of occurrences of Figure 383638DEST_PATH_IMAGE002 in the entire historical alarm data set H. Finally, Figure 956702DEST_PATH_IMAGE026 is the probability that the given types Figure 706352DEST_PATH_IMAGE002 and Figure 972248DEST_PATH_IMAGE027 satisfy the association constraint Figure 186278DEST_PATH_IMAGE007 within the same time window.
Algorithm 1 shows how the offline correlation submodule computes all correlation strengths and correlation constraints.
Figure 828612DEST_PATH_IMAGE028
Lines 1 to 5 describe the data set required to start the offline association process. A denotes the fields of an alarm, namely occurrence time, source IP, source port, target IP, target port and intrusion type. H is the set of historical alarms, retrieved from a log file or an alarm database and used to train the model. T is the finite set of all possible values of the alarm type field, Figure 432769DEST_PATH_IMAGE029 is the set of all 2-permutations of T, and Figure 869567DEST_PATH_IMAGE030 is the i-th pair in Figure 559174DEST_PATH_IMAGE031.
For each pair of alarm types Figure 474040DEST_PATH_IMAGE004 and Figure 198283DEST_PATH_IMAGE003, the getconstraints function generates a set of candidate constraints by enumerating combinations of k attributes of A with a stepwise a priori (Apriori-style) method. It starts with k = 1, i.e. constraints of length 1, where each constraint C contains only one attribute a ∈ A. For each candidate constraint it measures the probability that Figure 337140DEST_PATH_IMAGE004 occurs before Figure 389410DEST_PATH_IMAGE003 under the assumption that both satisfy the common constraint C. If that probability does not exceed a given threshold θ, the constraint is pruned and Figure 232601DEST_PATH_IMAGE004 and Figure 686716DEST_PATH_IMAGE003 are treated as unrelated under it. At the end of each incremental phase, the constraints that were not pruned are combined to generate the k + 1 combinations, for k ≤ Figure 589950DEST_PATH_IMAGE032. Table 2 below gives examples of constraints.
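The offline model described above, as an added example rather than the patent's own code: it estimates the conditional probability from a constructed history H, runs the Apriori-style constraint search that Algorithm 1's getconstraints describes, and takes the minimum over the surviving constraints as L. The window w, the threshold θ, the attribute names, the sample alarms and the exact probability ratio (the page's formula survives only as an image) are assumptions.

```python
"""Offline correlation model (added example, not the patent's code): association
strength L(ai, aj) and constraint discovery with Apriori-style pruning."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

Alarm = Dict[str, object]
Constraint = FrozenSet[str]  # attributes that must be equal in both alarms, e.g. {"dip"}
# Attributes a constraint may use: the page's alarm fields minus time and intrusion type.
ATTRS = ("sip", "sport", "dip", "dport")

# Constructed historical alarm set H (sample values, not from the page).
H: List[Alarm] = [
    {"t": 0, "sip": "10.0.0.5", "sport": 40001, "dip": "192.168.1.10", "dport": 22, "type": "SSH_SCAN"},
    {"t": 5, "sip": "10.0.0.5", "sport": 40002, "dip": "192.168.1.10", "dport": 22, "type": "SSH_BRUTE"},
    {"t": 30, "sip": "10.0.0.7", "sport": 40100, "dip": "192.168.1.11", "dport": 22, "type": "SSH_SCAN"},
    {"t": 33, "sip": "10.0.0.7", "sport": 40101, "dip": "192.168.1.11", "dport": 22, "type": "SSH_BRUTE"},
    {"t": 60, "sip": "10.0.0.9", "sport": 40200, "dip": "192.168.1.12", "dport": 22, "type": "SSH_SCAN"},
    {"t": 64, "sip": "10.0.0.3", "sport": 40300, "dip": "192.168.1.12", "dport": 22, "type": "SSH_BRUTE"},
    {"t": 90, "sip": "10.0.0.9", "sport": 40201, "dip": "192.168.1.12", "dport": 80, "type": "HTTP_PROBE"},
]


def satisfies(x: Alarm, y: Alarm, c: Constraint) -> bool:
    """Constraint C holds when every attribute in C has the same value in both alarms."""
    return all(x[a] == y[a] for a in c)


def cond_prob(hist: List[Alarm], ai: str, aj: str, c: Constraint, w: float) -> float:
    """Estimate P(aj occurs after ai within window w | C).  Assumed ratio: the fraction
    of ai alarms in H that are followed within w seconds by an aj alarm satisfying C."""
    ai_alarms = [x for x in hist if x["type"] == ai]
    if not ai_alarms:
        return 0.0
    hits = sum(
        1 for x in ai_alarms
        if any(y["type"] == aj and 0 < y["t"] - x["t"] <= w and satisfies(x, y, c) for y in hist)
    )
    return hits / len(ai_alarms)


def get_constraints(hist: List[Alarm], ai: str, aj: str, w: float, theta: float) -> Dict[Constraint, float]:
    """Apriori-style search: length-1 constraints first, prune any whose probability
    does not exceed theta, then grow the survivors to length k+1 (k is bounded by len(ATTRS))."""
    kept: Dict[Constraint, float] = {}
    level = [frozenset([a]) for a in ATTRS]
    k = 1
    while level:
        survivors = []
        for c in level:
            p = cond_prob(hist, ai, aj, c, w)
            if p > theta:
                kept[c] = p
                survivors.append(c)
        # k+1 candidates: unions of two survivors whose every k-subset also survived
        cands = set()
        for c1, c2 in combinations(survivors, 2):
            u = c1 | c2
            if len(u) == k + 1 and all(frozenset(s) in kept for s in combinations(u, k)):
                cands.add(u)
        level = sorted(cands, key=sorted)
        k += 1
    return kept


def association_strength(hist, ai, aj, w, theta) -> Tuple[float, Dict[Constraint, float]]:
    """L(ai, aj) is the minimum probability over the n surviving constraints
    (0.0 and an empty table when none survives, i.e. the pair is unrelated)."""
    cs = get_constraints(hist, ai, aj, w, theta)
    return (min(cs.values()) if cs else 0.0), cs


def build_model(hist: List[Alarm], w: float = 20.0, theta: float = 0.5):
    """The two knowledge tables, computed for every ordered pair of alarm types."""
    types = sorted({x["type"] for x in hist})
    strength, constraints = {}, {}
    for ai in types:
        for aj in types:
            if ai != aj:
                strength[(ai, aj)], constraints[(ai, aj)] = association_strength(hist, ai, aj, w, theta)
    return strength, constraints
```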
TABLE 2 Examples of constraints between alarm types Figure 129515DEST_PATH_IMAGE020 and Figure 776397DEST_PATH_IMAGE003
Constraint condition Figure 85019DEST_PATH_IMAGE033: the attribute in the constraint must be the same for alarm types Figure 159154DEST_PATH_IMAGE020 and Figure 920437DEST_PATH_IMAGE003.
Constraint condition Figure 371010DEST_PATH_IMAGE034: the attribute in the constraint must be the same for alarm types Figure 534138DEST_PATH_IMAGE020 and Figure 779174DEST_PATH_IMAGE003 at least up to the second octet.
Constraint condition Figure 824491DEST_PATH_IMAGE035: the attribute in the constraint must be the same for alarm types Figure 688542DEST_PATH_IMAGE002 and Figure 830810DEST_PATH_IMAGE003 at least up to the second octet, their source IPs must be the same, and their destination ports must be the same at least up to the first octet.
Further, the online correlation submodule receives each input alarm Figure 387693DEST_PATH_IMAGE010 in real time and performs correlation analysis between alarm Figure 248202DEST_PATH_IMAGE010 and the set S = Figure 912718DEST_PATH_IMAGE012 of alarms that occurred within the Figure 650364DEST_PATH_IMAGE011 seconds before it. To determine whether Figure 640503DEST_PATH_IMAGE010 and the alarms in S are related, their alarm types are extracted and used to look up the relevant correlation strengths and constraints (provided by the offline correlation submodule).
Two alarms are considered related when both of the following conditions hold:
1. The correlation strength between alarm Figure 722729DEST_PATH_IMAGE013 and alarm Figure 725320DEST_PATH_IMAGE010 is greater than or equal to a threshold Figure 717546DEST_PATH_IMAGE014;
2. For alarms Figure 475287DEST_PATH_IMAGE013 and Figure 185754DEST_PATH_IMAGE010, at least one relevant constraint applies to Figure 319932DEST_PATH_IMAGE013 and Figure 166665DEST_PATH_IMAGE010.
Each historical alarm used for the correlation analysis is stored as a node in the database. If an input alarm Figure 360886DEST_PATH_IMAGE010 is correlated with an alarm Figure 293070DEST_PATH_IMAGE013 already in the database, then Figure 230939DEST_PATH_IMAGE010 is added to the alarm correlation graph that Figure 197758DEST_PATH_IMAGE013 belongs to, and an edge is added to that graph to describe the correlation between Figure 297301DEST_PATH_IMAGE013 and Figure 982360DEST_PATH_IMAGE010.
Further, the attack mode sub-module receives the alarm correlation diagram, uses an alarm correlation diagram aggregation algorithm to aggregate the alarm correlation diagram into different clusters, uses a frequent subgraph mining algorithm to extract representative features from all the clusters, and finds the attack mode;
before pattern mining, the attack pattern sub-module represents each alarm correlation graph as a less complex graph structure, which is called an attack pattern graph of the alarm correlation graph. Such an attack pattern graph is a graphical representation of an alarm association graph, where each node represents an alarm type or an attribute of an alarm type, and each edge represents a correlation between two alarm types or an association with an alarm type attribute.
The alarm correlation graph is a high-level alarm that contains one or more alarms from intrusion detection systems (IDS) and honeypots. FIG. 5(1) shows intrusion alarms labelled Figure 458341DEST_PATH_IMAGE036 to Figure 279667DEST_PATH_IMAGE037. After some form of correlation analysis, a logical relationship as shown in FIG. 5(2) is established and is referred to as an "alarm correlation graph". The alarm correlation graph is a weighted, directed, acyclic, connected graph G = (V, E), where V denotes the nodes and each node Figure 550111DEST_PATH_IMAGE038 represents an alarm with the 6-dimensional attributes shown in FIG. 5(1). Each edge Figure 456887DEST_PATH_IMAGE039 connecting two nodes Figure 736559DEST_PATH_IMAGE040 and Figure 412391DEST_PATH_IMAGE041 means (1) that Figure 525840DEST_PATH_IMAGE040 and Figure 44546DEST_PATH_IMAGE041 are correlated, and (2) that Figure 737696DEST_PATH_IMAGE040 is an alarm that occurred before Figure 658247DEST_PATH_IMAGE041. The weight of an edge describes the strength of association (correlation) between the two nodes. Each alarm is represented as a multidimensional vector.
Fig. 6 shows the mapping from the alarm correlation graph to the attack pattern graph; the node labelled "http iesecurity …" in Fig. 6(1) represents an alarm. Since frequent subgraph mining is not applicable to multi-attribute nodes, each node is flattened into single-attribute labelled nodes: each attribute of the alarm becomes a new node. To keep all attributes, each attribute node is linked to its alarm type node by the edges shown in Fig. 6(2). Attribute nodes are distinguished from alarm type nodes by a different shape. Frequent patterns are then extracted from all aggregated clusters with a frequent subgraph mining algorithm (the aggregation of the alarm correlation graphs into clusters is performed by Algorithm 3). Given the alarm correlation graphs of each cluster and a minimum support threshold minSup, the frequent subgraphs are extracted; each frequent subgraph extracted from a cluster is contained in at least minSup of its alarm correlation graphs. Algorithm 2 below is the frequent subgraph mining algorithm.
Figure 411440DEST_PATH_IMAGE042
Suppose {A, B, C, …} denote vertices and {a, b, c, …} denote edges. In lines 7-12 of Algorithm 2, the first iteration finds all frequent subgraphs that contain the edge A Figure 151862DEST_PATH_IMAGE043 A; the second iteration finds all frequent subgraphs that contain the edge A Figure 648703DEST_PATH_IMAGE043 B but not the edge A Figure 423761DEST_PATH_IMAGE043 A; and so on, until all frequent subgraphs are found. As Algorithm 2 runs (lines 1 to 10), more and more subgraphs are found (in lines 1 to 8 of the subroutine only the graphs that contain the current subgraph are considered; Figure 347854DEST_PATH_IMAGE044 denotes the set of graphs that contain subgraph s). As the Subgraph Mining subroutine is called recursively, more and more subgraphs are found until all frequent subgraphs have been found. Subgraph Mining stops only when the subgraph is contained in fewer than minSup alarm correlation graphs, or when its DFS code is not the minimum code, which indicates that the graph and its subgraphs have already been generated.
Here, DFS (Depth-First Search) represents Depth-First Search; in addition, algorithm 2 involves the following techniques:
(1) mapping each graph to a DFS code (sequence);
(2) establishing a new dictionary ordering between the codes;
(3) a search tree is constructed based on this dictionary ordering.
Algorithm 3 is responsible for aggregating all alarm correlation graphs G input into the attack pattern submodule into different clusters Figure 841153DEST_PATH_IMAGE045. If Figure 876105DEST_PATH_IMAGE046, i.e. G contains at least 2 alarm correlation graphs, then an alarm correlation graph g belongs to Figure 912194DEST_PATH_IMAGE045 if and only if it is reachable from the members of cluster Figure 131823DEST_PATH_IMAGE045. In addition, if an alarm correlation graph Figure 722204DEST_PATH_IMAGE047 Figure 685481DEST_PATH_IMAGE045, then there are at least k other alarm correlation graphs similar to Figure 310497DEST_PATH_IMAGE047 (that is, for any member Figure 778705DEST_PATH_IMAGE047 of Figure 701027DEST_PATH_IMAGE045 and Figure 280093DEST_PATH_IMAGE048, the difference between them should be less than Figure 759616DEST_PATH_IMAGE049; this difference is obtained by calculating the distance between the two alarm correlation graphs).
Figure 321047DEST_PATH_IMAGE050
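Algorithm 3's density-reachability clustering and the per-cluster pattern extraction of Algorithm 2, as an added example rather than the patent's code: the distance measure (one minus the Jaccard similarity of the graphs' typed edge sets), the values of ε and k, and the sample graphs are assumptions, and frequent_edges is a single-edge simplification of frequent subgraph mining (it reports frequent edges, not arbitrary frequent subgraphs).

```python
"""Algorithm 3 analogue (added example, not the patent's code): group alarm correlation
graphs into clusters by density reachability, then pull out the edges that at least
minSup members of a cluster share."""
from collections import Counter
from typing import FrozenSet, List, Tuple

Edge = Tuple[str, str]   # (earlier alarm type, later alarm type)
Graph = FrozenSet[Edge]  # an alarm correlation graph reduced to its typed edges


def distance(g1: Graph, g2: Graph) -> float:
    """Assumed distance between two graphs: 1 - Jaccard similarity of their edge sets
    (the patent leaves the distance measure unspecified)."""
    if not g1 and not g2:
        return 0.0
    return 1.0 - len(g1 & g2) / len(g1 | g2)


def cluster_graphs(graphs: List[Graph], eps: float, k: int) -> List[int]:
    """Label each graph with a cluster id (-1 = unclustered).  A graph is a core member
    when at least k OTHER graphs lie within distance eps of it; a cluster is everything
    reachable from a core member through further core members."""
    n = len(graphs)
    near = [[j for j in range(n) if j != i and distance(graphs[i], graphs[j]) < eps]
            for i in range(n)]
    labels = [-1] * n
    cid = 0
    for i in range(n):
        if labels[i] != -1 or len(near[i]) < k:
            continue                      # already clustered, or not a core member
        labels[i] = cid
        stack = list(near[i])
        while stack:                      # expand the cluster through reachability
            j = stack.pop()
            if labels[j] != -1:
                continue
            labels[j] = cid
            if len(near[j]) >= k:         # only core members spread the cluster further
                stack.extend(near[j])
        cid += 1
    return labels


def frequent_edges(graphs: List[Graph], labels: List[int], cid: int, min_sup: int) -> List[Edge]:
    """Single-edge stand-in for frequent subgraph mining: the edges contained in at
    least min_sup of the graphs of cluster cid, most frequent first."""
    members = [g for g, l in zip(graphs, labels) if l == cid]
    counts = Counter(e for g in members for e in g)
    return [e for e, c in counts.most_common() if c >= min_sup]


# Constructed alarm correlation graphs (sample values, not from the page).
GRAPHS: List[Graph] = [
    frozenset({("SSH_SCAN", "SSH_BRUTE"), ("SSH_BRUTE", "PRIV_ESC")}),
    frozenset({("SSH_SCAN", "SSH_BRUTE"), ("SSH_BRUTE", "PRIV_ESC"), ("PRIV_ESC", "DATA_EXFIL")}),
    frozenset({("SSH_SCAN", "SSH_BRUTE")}),
    frozenset({("HTTP_PROBE", "SQLI"), ("SQLI", "WEBSHELL")}),
    frozenset({("HTTP_PROBE", "SQLI")}),
    frozenset({("DNS_TUNNEL", "DATA_EXFIL")}),
]
```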
Further, the rule generation submodule generates a rule for detecting the attack according to each found attack mode and synchronizes the rule to the signature database in time.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention; all equivalent changes and modifications made according to the present invention are considered to be covered by the scope of the present invention.

Claims (1)

1. A network attack rapid detection system based on industrial cloud is characterized in that the system comprises data packet capture, intrusion detection based on signature, honeypot, alarm generation and processing, association unit and signature database;
the data packet capturing module captures data packets from the VMs of the industrial cloud, the captured data packets are applied to the intrusion detection module based on the signature, and each VM of the industrial cloud can be deployed with one data packet capturing module;
the signature-based intrusion detection module is characterized in that the data packet captured by the data packet capture module is applied to intrusion detection of the module, the content of the data packet is matched with a known attack signature, and if any match is found, the corresponding data packet is regarded as intrusion and an alarm is generated;
the honeypot module is a virtual honeypot device and is used for receiving the data packet from the data packet capturing module, analyzing the data packet, tracking a network attack path, generating a log file and synchronizing the log file to the alarm generating and processing module in real time;
the alarm generation and processing module receives an alarm of the intrusion detection module based on the signature and receives a log file of the honeypot module, wherein the fields of the alarm and the log file comprise occurrence time, a source IP, a source port, a target IP, a target port and an intrusion type, and the fields of the alarm and the log file are sent to the association unit when the occurrence frequency of the alarm exceeds a preset threshold value;
the association unit comprises an offline association submodule, an online association submodule, an attack mode submodule and a generation rule submodule, receives and associates the alarm from the alarm generation and processing module and the alarm of the alarm generation and processing module examples on other servers, and calculates alarm majority factors AMF (alert probability factor) by using the following formula to determine distributed attack:
AMF=
Figure DEST_PATH_IMAGE001
if AMF
Figure 767491DEST_PATH_IMAGE002
If the threshold value is not reached, the correlation unit generates a distributed attack signature of the intrusion detection module based on the signature and updates the signature into the signature databases of all the instances;
the signature database is responsible for storing attack signatures and distributed attack signatures and receiving signature updates from the association unit;
the off-line association submodule uses a group of historical alarms to construct a correlation model and synchronizes to the on-line association submodule, and the correlation model consists of two knowledge tables: correlation intensity table (I) and correlation constraint condition table (II), wherein the correlation intensity table represents two alarm types
Figure DEST_PATH_IMAGE003
And
Figure 541412DEST_PATH_IMAGE004
strength of correlation between, more specifically, it is referred to as
Figure 265654DEST_PATH_IMAGE003
After the alarm type occurs
Figure 873353DEST_PATH_IMAGE004
The probability of the alarm type, namely: for the
Figure 784677DEST_PATH_IMAGE003
And
Figure 768814DEST_PATH_IMAGE004
these two alarm types, the correlation strength L(
Figure 754087DEST_PATH_IMAGE003
,
Figure DEST_PATH_IMAGE005
) is defined on the premise that the related constraint condition is true; when there are n (n > 1) correlation constraints between two alarm types, the correlation strength between the two alarm types is the minimum correlation strength over the n correlation constraints: L(
Figure 126163DEST_PATH_IMAGE003
,
Figure 524783DEST_PATH_IMAGE005
)
Figure 47031DEST_PATH_IMAGE006
Wherein, given the association constraint
Figure DEST_PATH_IMAGE007
Below, the alarm type
Figure 949128DEST_PATH_IMAGE004
Take place in
Figure 23263DEST_PATH_IMAGE003
The probability after this can be defined as:
Figure 50125DEST_PATH_IMAGE008
=
Figure 235119DEST_PATH_IMAGE009
the online correlation submodule receives each input alarm in real time
Figure 663826DEST_PATH_IMAGE010
And alarm
Figure 908863DEST_PATH_IMAGE010
Before occurrence
Figure 157441DEST_PATH_IMAGE011
seconds, the set of alarms S =
Figure 146126DEST_PATH_IMAGE012
Performing correlation analysis for determination
Figure 960498DEST_PATH_IMAGE010
And if the alarm in the S is relevant, extracting the alarm types of the alarms and using the alarm types to search relevant strength and relevant constraint conditions, wherein the relevant conditions of the two alarms are met as follows:
(1) Alarm
Figure 251802DEST_PATH_IMAGE013
And alarm
Figure 112311DEST_PATH_IMAGE010
Is greater than or equal to a threshold value
Figure 780053DEST_PATH_IMAGE014
(2) For alarms
Figure 42407DEST_PATH_IMAGE013
And alarm
Figure 504612DEST_PATH_IMAGE010
At least one relevant constraint is applicable
Figure 852417DEST_PATH_IMAGE013
And
Figure 323849DEST_PATH_IMAGE010
the attack mode submodule receives the alarm association graphs, aggregates the alarm association graphs into different clusters by using an alarm association graph aggregation algorithm, extracts representative features from all the clusters by using a frequent subgraph mining algorithm and finds an attack mode;
and the rule generation submodule generates a rule for detecting the attack according to each found attack mode and synchronizes the rule to the signature database in time.
CN201911414868.5A 2019-12-31 2019-12-31 Network attack rapid detection system based on industrial cloud Pending CN111224973A (en)
Publications (1)

Publication Number Publication Date
CN111224973A true CN111224973A (en) 2020-06-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200602