CN114301645A - Abnormal behavior detection method, device, terminal device and storage medium - Google Patents
Description
Technical Field
The present invention relates to the field of network security, and in particular to an abnormal behavior detection method, apparatus, terminal device and storage medium.
Background Art
At present, critical infrastructure, typified by industrial control systems, increasingly adopts general-purpose Internet protocols and performs data exchange and operational management over the Internet, so that network security risks have penetrated every aspect of industrial control systems. The impact of cyber attacks on the industrial sector continues to grow, and industrial information security has become an important part of overall cyber security assurance.
The most effective and destructive attacks on industrial sites are those built on industrial protocols. In mild cases such attacks cause equipment malfunction; in severe cases they cause equipment damage or even major safety incidents, resulting in casualties and financial loss. Reliable means of detecting abnormal behavior at industrial sites have therefore become an indispensable part of industrial security.
It is therefore necessary to propose a solution that improves the network security of industrial sites.
Summary of the Invention
The main purpose of the present invention is to provide an abnormal behavior detection method, apparatus, terminal device and storage medium, aimed at improving the network security of industrial sites.
To achieve the above object, the present invention provides an abnormal behavior detection method, which includes:
obtaining traffic information of network devices;
establishing a behavior baseline according to the traffic information;
monitoring network behavior based on the behavior baseline, and treating network behavior inconsistent with the behavior baseline as abnormal behavior.
Optionally, the step of establishing a behavior baseline according to the traffic information includes:
reading the data packets in the traffic information to obtain the industrial control protocol;
performing deep parsing of the industrial control protocol to obtain each operation instruction in the industrial control protocol;
fitting a behavior trend for each of the operation instructions;
establishing the behavior baseline based on the behavior trends.
Optionally, the step of fitting a behavior trend for each operation instruction includes:
calculating the average number of executions of each operation instruction within a preset operation time;
fitting each behavior trend according to the average number of executions of each operation instruction within the preset operation time, where each behavior trend includes an allowed deviation of the execution count of the corresponding operation instruction.
Optionally, the step of monitoring network behavior based on the behavior baseline and treating network behavior inconsistent with the behavior baseline as abnormal behavior includes:
reading the behavior data of the network behavior to obtain a control protocol;
performing protocol matching between the behavior baseline and the control protocol to determine whether the control protocol is consistent with the behavior baseline;
if the control protocol is inconsistent with the behavior baseline, determining that the network behavior corresponding to the control protocol is a first abnormal behavior;
if the control protocol is consistent with the behavior baseline, performing deep parsing of the control protocol followed by function code matching against the behavior baseline, and treating the network behavior corresponding to any function code inconsistent with the behavior baseline as a second abnormal behavior.
Optionally, the step of performing deep parsing of the control protocol followed by function code matching against the behavior baseline, treating the network behavior corresponding to a function code inconsistent with the behavior baseline as the second abnormal behavior, and providing a detailed alarm according to the second abnormal behavior includes:
performing deep parsing of the control protocol to obtain the function code of the control protocol, where the function code includes the execution count and execution time of a control instruction;
matching the control instruction against the behavior trend in the behavior baseline to determine whether the control instruction is consistent with that behavior trend;
if the control instruction is inconsistent with the behavior trend in the behavior baseline, treating the network behavior corresponding to the control instruction as the second abnormal behavior and providing a detailed alarm according to the second abnormal behavior.
Optionally, after the step of monitoring network behavior based on the behavior baseline and treating network behavior inconsistent with the behavior baseline as abnormal behavior, the method further includes:
providing a preliminary alarm according to the first abnormal behavior;
providing a detailed alarm according to the second abnormal behavior.
Optionally, the step of matching the control instruction against the behavior trend in the behavior baseline to determine whether the control instruction is consistent with that behavior trend includes:
calculating the average number of executions of the control instruction within the execution time;
comparing the average number of executions of the control instruction within the execution time with the behavior baseline to obtain the execution count deviation of the control instruction;
determining whether the execution count deviation exceeds the allowed execution count deviation of the behavior trend, which is equivalent to determining whether the control instruction is consistent with the behavior trend in the behavior baseline.
In addition, to achieve the above object, the present invention also provides an abnormal behavior detection apparatus, which includes:
an acquisition module for obtaining traffic information of network devices;
a baseline establishment module for establishing a behavior baseline according to the traffic information;
a monitoring module for monitoring network behavior based on the behavior baseline and treating network behavior inconsistent with the behavior baseline as abnormal behavior.
In addition, to achieve the above object, the present invention also provides a terminal device, which includes a memory, a processor, and an abnormal behavior detection program stored in the memory and executable on the processor; when the abnormal behavior detection program is executed by the processor, the steps of the abnormal behavior detection method described above are implemented.
In addition, to achieve the above object, the present invention also provides a computer-readable storage medium on which an abnormal behavior detection program is stored; when the abnormal behavior detection program is executed by a processor, the steps of the abnormal behavior detection method described above are implemented.
The abnormal behavior detection method, apparatus, terminal device and storage medium proposed by the embodiments of the present invention obtain the traffic information of network devices, establish a behavior baseline according to the traffic information, monitor network behavior based on the behavior baseline, and treat network behavior inconsistent with the behavior baseline as abnormal behavior. Establishing a behavior baseline from the traffic information of the network devices provides a criterion for analyzing network behavior; treating network behavior inconsistent with the baseline as abnormal and providing a corresponding alarm allows abnormal behavior to be detected accurately and its content to be determined, thereby improving the network security of the industrial site.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the functional modules of the terminal device to which the abnormal behavior detection apparatus of the present invention belongs;
FIG. 2 is a schematic flowchart of an exemplary embodiment of the abnormal behavior detection method of the present invention;
FIG. 3 is a schematic diagram of the refined flow, in an embodiment of the present invention, of monitoring network behavior based on the behavior baseline and treating network behavior inconsistent with the behavior baseline as abnormal behavior;
FIG. 4 is a schematic diagram of providing a detailed alarm in an embodiment of the present invention;
FIG. 5 is a schematic flowchart of establishing a baseline and performing abnormality monitoring according to the baseline in an embodiment of the present invention.
The realization of the object, the functional characteristics and the advantages of the present invention are further described below with reference to the accompanying drawings in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described here are only intended to explain the present invention and not to limit it.
The main solution of the embodiments of the present invention is to obtain the traffic information of network devices, establish a behavior baseline according to the traffic information, monitor network behavior based on the behavior baseline, and treat network behavior inconsistent with the behavior baseline as abnormal behavior. Establishing a behavior baseline from the traffic information of the network devices provides a criterion for analyzing network behavior; treating network behavior inconsistent with the baseline as abnormal and providing a corresponding alarm allows abnormal behavior to be detected accurately and its content to be determined, thereby improving the network security of the industrial site.
Specifically, referring to FIG. 1, which is a schematic diagram of the functional modules of the terminal device to which the abnormal behavior detection apparatus of the present invention belongs: the abnormal behavior detection apparatus may be a device independent of the terminal device that is capable of performing the abnormal behavior detection method, and it may be carried on the terminal device in the form of hardware or software. The terminal device may be an intelligent mobile terminal with data processing capability, such as a mobile phone or tablet computer, or a fixed terminal device or server with data processing capability.
In this embodiment, the terminal device to which the abnormal behavior detection apparatus belongs includes at least an output module 110, a processor 120, a memory 130 and a communication module 140.
The memory 130 stores an operating system and the abnormal behavior detection program. The abnormal behavior detection apparatus may store in the memory 130 the obtained traffic information of the network devices, the behavior baseline established from that traffic information, the results of monitoring network behavior against the behavior baseline (with network behavior inconsistent with the baseline treated as abnormal), and the corresponding alarms provided for the abnormal behavior. The output module 110 may be a display screen or the like. The communication module 140 may include a WiFi module, a mobile communication module, a Bluetooth module and the like, and the terminal device communicates with external devices or servers through the communication module 140.
When the abnormal behavior detection program in the memory 130 is executed by the processor, the following steps are implemented:
obtaining traffic information of network devices;
establishing a behavior baseline according to the traffic information;
monitoring network behavior based on the behavior baseline, and treating network behavior inconsistent with the behavior baseline as abnormal behavior.
Further, when the abnormal behavior detection program in the memory 130 is executed by the processor, the following steps are also implemented:
reading the data packets in the traffic information to obtain the industrial control protocol;
performing deep parsing of the industrial control protocol to obtain each operation instruction in the industrial control protocol;
fitting a behavior trend for each of the operation instructions;
establishing the behavior baseline based on the behavior trends.
Further, when the abnormal behavior detection program in the memory 130 is executed by the processor, the following steps are also implemented:
calculating the average number of executions of each operation instruction within a preset operation time;
fitting each behavior trend according to the average number of executions of each operation instruction within the preset operation time, where each behavior trend includes an allowed deviation of the execution count of the corresponding operation instruction.
Further, when the abnormal behavior detection program in the memory 130 is executed by the processor, the following steps are also implemented:
reading the behavior data of the network behavior to obtain a control protocol;
performing protocol matching between the behavior baseline and the control protocol to determine whether the control protocol is consistent with the behavior baseline;
if the control protocol is inconsistent with the behavior baseline, determining that the network behavior corresponding to the control protocol is a first abnormal behavior;
if the control protocol is consistent with the behavior baseline, performing deep parsing of the control protocol followed by function code matching against the behavior baseline, and treating the network behavior corresponding to any function code inconsistent with the behavior baseline as a second abnormal behavior.
Further, when the abnormal behavior detection program in the memory 130 is executed by the processor, the following steps are also implemented:
performing deep parsing of the control protocol to obtain the function code of the control protocol, where the function code includes the execution count and execution time of a control instruction;
matching the control instruction against the behavior trend in the behavior baseline to determine whether the control instruction is consistent with that behavior trend;
if the control instruction is inconsistent with the behavior trend in the behavior baseline, treating the network behavior corresponding to the control instruction as the second abnormal behavior.
Further, when the abnormal behavior detection program in the memory 130 is executed by the processor, the following steps are also implemented:
providing a preliminary alarm according to the first abnormal behavior;
providing a detailed alarm according to the second abnormal behavior.
Further, when the abnormal behavior detection program in the memory 130 is executed by the processor, the following steps are also implemented:
calculating the average number of executions of the control instruction within the execution time;
comparing the average number of executions of the control instruction within the execution time with the behavior baseline to obtain the execution count deviation of the control instruction;
determining whether the execution count deviation exceeds the allowed execution count deviation of the behavior trend, which is equivalent to determining whether the control instruction is consistent with the behavior trend in the behavior baseline.
Through the above solution, this embodiment obtains the traffic information of network devices, establishes a behavior baseline according to the traffic information, monitors network behavior based on the behavior baseline, and treats network behavior inconsistent with the behavior baseline as abnormal behavior. Establishing a behavior baseline from the traffic information of the network devices provides a criterion for analyzing network behavior; treating network behavior inconsistent with the baseline as abnormal and providing a corresponding alarm allows abnormal behavior to be detected accurately and its content to be determined, thereby improving the network security of the industrial site.
The method embodiments of the present invention are proposed based on, but not limited to, the terminal device architecture described above.
The execution subject of the method in this embodiment may be an abnormal behavior detection apparatus, a terminal device or the like; this embodiment takes the abnormal behavior detection apparatus as an example.
Referring to FIG. 2, which is a schematic flowchart of an exemplary embodiment of the abnormal behavior detection method of the present invention, the abnormal behavior detection method includes:
Step S10: obtaining traffic information of the network devices;
Network devices are used more and more widely in critical infrastructure typified by industrial control systems. Each network device can exchange data and be managed over the Internet, which generates a large amount of traffic information, for example the traffic produced during business operations and process operations. From this traffic information, the behavior trend of each operation instruction can be analyzed.
Step S20: establishing a behavior baseline according to the traffic information;
By analyzing the traffic of all devices in the network, with a focus on behavior related to industrial protocols, a general baseline based on device behavior is established.
Specifically, the industrial control protocol is obtained by reading the data packets in the traffic information. The industrial control protocols covered include most of the well-known industrial control protocols and a small number of other ones, for example the public Modbus, IEC104, OPC_UA and OPC_DA protocols and the proprietary UMAS, GE EGD, CIP, S7 and OmronFINS protocols. Through deep parsing of the industrial control protocol, the operation instructions in the protocol are obtained, and a behavior trend is fitted for each operation instruction. The specific steps include:
calculating the average number of executions of each operation instruction within a preset operation time;
fitting each behavior trend according to the average number of executions of each operation instruction within the preset operation time, where each behavior trend includes an allowed deviation of the execution count of the corresponding operation instruction.
For the parsed operation instructions, the average number of executions is computed with respect to time, and from this a behavior trend is fitted. The behavior baseline is established based on these behavior trends. The behavior baseline can be regarded as a collection with the corresponding devices under it: each device has its own behavior baseline, and the network behavior directed at a device can be monitored through that device's behavior baseline.
The baseline learning scheme can be implemented by analyzing the binary streams in the network, or it can be replaced by an equivalent approach based on one's own accumulated technology.
Step S30: monitoring network behavior based on the behavior baseline, and treating network behavior inconsistent with the behavior baseline as abnormal behavior.
After the behavior baseline has been established by analyzing the device's network traffic, network behavior is monitored against the behavior baseline. The corresponding control protocol is obtained by reading the behavior data of the network behavior. Protocol matching between the control protocol and the behavior baseline is performed first: if the control protocol does not match the behavior baseline, a preliminary alarm is raised; if the control protocol matches the behavior baseline, it is further parsed in depth and the parsed function code is matched against the behavior baseline. If the operation instruction in the function code does not match the behavior trend in the behavior baseline, the behavior is judged abnormal and a detailed alarm is raised.
In this embodiment, the traffic information of network devices is obtained, a behavior baseline is established according to the traffic information, network behavior is monitored based on the behavior baseline, network behavior inconsistent with the behavior baseline is treated as abnormal behavior, and a corresponding alarm is provided according to the abnormal behavior. Establishing a behavior baseline from the traffic information of the network devices provides a criterion for analyzing network behavior; treating network behavior inconsistent with the baseline as abnormal and providing a corresponding alarm allows abnormal behavior to be detected accurately and its content to be determined, thereby improving the network security of the industrial site.
Referring to FIG. 3, which is a schematic diagram of the refined flow, in an embodiment of the present invention, of monitoring network behavior based on the behavior baseline, treating network behavior inconsistent with the behavior baseline as abnormal behavior, and providing a corresponding alarm according to the abnormal behavior.
This embodiment is based on the embodiment shown in FIG. 2. In this embodiment, step S30 above, monitoring network behavior based on the behavior baseline, treating network behavior inconsistent with the behavior baseline as abnormal behavior, and providing a corresponding alarm according to the abnormal behavior, includes:
Step S301: reading the behavior data of the network behavior to obtain the control protocol;
By reading the packet data of the network behavior, the industrial control protocol used in the network behavior can be obtained, for example the public Modbus, IEC104, OPC_UA and OPC_DA protocols and the proprietary UMAS, GE EGD, CIP, S7 and OmronFINS protocols.
Step S302: performing protocol matching between the behavior baseline and the control protocol to determine whether the control protocol is consistent with the behavior baseline;
After the control protocol of the network behavior is obtained, it is first matched against the behavior baseline to determine whether the control protocol lies within the baseline. If the control protocol is not within the baseline, the network behavior corresponding to the control protocol does not match the baseline; if the control protocol is within the baseline, the control protocol matches the baseline.
Step S303: if the control protocol is inconsistent with the behavior baseline, determining that the network behavior corresponding to the control protocol is the first abnormal behavior;
If the control protocol is not within the behavior baseline, the network behavior corresponding to that control protocol is determined to be the first abnormal behavior, and a preliminary alarm is provided according to the network behavior. The alarm content includes the protocol name, risk level, source IP, destination IP, source port and destination port, among others.
Step S304: if the control protocol is consistent with the behavior baseline, performing deep parsing of the control protocol followed by function code matching against the behavior baseline, and treating the network behavior corresponding to any function code inconsistent with the behavior baseline as the second abnormal behavior.
If the control protocol is within the behavior baseline, further matching is required. The control protocol is first parsed in depth, resolving the function code to its value range to ensure the accuracy of subsequent identification, and whether the operation behavior is abnormal is determined by whether the operation instruction contained in the function code conforms to the behavior trend in the behavior baseline. Specifically, this includes:
performing deep parsing of the control protocol to obtain the function code of the control protocol, where the function code includes the execution count and execution time of a control instruction;
Specifically, a deep parsing function is provided for the control protocol; resolving the function code to its value range ensures the accuracy of subsequent identification. The parsed function code includes the execution count of the control instruction and the corresponding execution time.
matching the control instruction against the behavior trend in the behavior baseline to determine whether the control instruction is consistent with that behavior trend;
Specifically, by calculating the average number of executions of the control instruction and comparing it with the behavior trend in the behavior baseline, it can be determined whether the control instruction is consistent with that behavior trend. This includes:
calculating the average number of executions of the control instruction within the execution time;
comparing the average number of executions of the control instruction within the execution time with the behavior baseline to obtain the execution count deviation of the control instruction;
determining whether the execution count deviation exceeds the allowed execution count deviation of the behavior trend, which is equivalent to determining whether the control instruction is consistent with the behavior trend in the behavior baseline.
if the control instruction is inconsistent with the behavior trend in the behavior baseline, treating the network behavior corresponding to the control instruction as the second abnormal behavior.
Further, if the control instruction is judged inconsistent with the behavior trend in the behavior baseline, the operation behavior corresponding to the control instruction is considered abnormal and is determined to be the second abnormal behavior, and a detailed alarm for the second abnormal behavior is provided according to the parsing result. Referring to FIG. 4, which is a schematic diagram of providing a detailed alarm in an embodiment of the present invention, the detailed alarm content includes event content and event protocol: the event content includes the source IP, destination IP, source MAC, destination MAC, risk level, source port and destination port, and the event protocol includes the protocol name, operation instruction, operation address and operation value. From the alarm content the abnormal behavior can be further identified, achieving accurate identification of abnormal behavior.
本实施例通过上述方案,具体通过读取所述网络行为的行为数据,得到控制协议;将所述行为基线与所述控制协议进行协议匹配,判断所述控制协议是否与所述行为基线相符;若所述控制协议与所述行为基线不相符,则判定所述控制协议对应的网络行为为第一异常行为;若所述控制协议与所述行为基线相符,则对所述控制协议进行深度解析后与所述行为基线进行功能码匹配,将与所述行为基线不相符的功能码对应的网络行为作为第二异常行为。通过基于所述行为基线对网络行为进行监测,可以准确识别出网络行为中的异常行为,通过提供相应的告警,可以根据告警内容进一步确定异常行为,以达到精准识别异常行为的目的,从而提高工业现场的网络安全性。This embodiment obtains a control protocol through the above solution, specifically by reading the behavior data of the network behavior; performing protocol matching between the behavior baseline and the control protocol, and judging whether the control protocol is consistent with the behavior baseline; If the control protocol does not conform to the behavior baseline, determine that the network behavior corresponding to the control protocol is the first abnormal behavior; if the control protocol conforms to the behavior baseline, perform in-depth analysis on the control protocol Then, function code matching is performed with the behavior baseline, and the network behavior corresponding to the function code that does not match the behavior baseline is regarded as the second abnormal behavior. By monitoring network behaviors based on the behavior baseline, abnormal behaviors in network behaviors can be accurately identified, and by providing corresponding alarms, abnormal behaviors can be further determined according to the content of the alarms, so as to achieve the purpose of accurately identifying abnormal behaviors, thereby improving industrial performance. On-site cybersecurity.
In addition, an embodiment of the present invention further provides an abnormal behavior detection apparatus, which includes:
an acquisition module, configured to acquire traffic information of network devices;
a baseline-building module, configured to build a behavior baseline according to the traffic information;
a monitoring module, configured to monitor network behavior based on the behavior baseline and treat network behavior that does not conform to the behavior baseline as abnormal behavior.
By analyzing the traffic of all devices in the network, with the focus on behavior related to industrial protocols, a general baseline based on device behavior is established.
Referring to FIG. 5, which is a schematic flowchart of establishing a baseline and performing anomaly monitoring against it in an embodiment of the present invention: as shown in FIG. 5, during baseline learning, the traffic of the network devices is acquired and analyzed, and the industrial control protocols within it are parsed; that is, a deep-parsing function is provided for most well-known industrial control protocols and a small number of other industrial control protocols to ensure the accuracy of identification. For each parsed operation instruction, its behavior frequency is calculated over time and fitted into a behavior trend, and the individual behavior trends together form the behavior baseline. During baseline matching, protocol matching is performed first: if the industrial control protocol of the network behavior is not within the baseline, an alarm is raised directly; if it is within the baseline, it is further checked whether the execution frequency of the operation instructions within it conforms to the behavior trend in the baseline, and if not, a detailed alarm is raised for the data that does not conform to the behavior trend, achieving the aim of accurately identifying abnormal behavior.
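The two-stage matching of steps S303 and S304 above and the learn-then-match flow of FIG. 5, as an added worked example (this is not code from the patent or its applicant): a baseline is learned from constructed sample traffic as the average execution count of each (device, protocol, function code) per time window, then monitored traffic is checked first by protocol (first abnormal behavior, preliminary alarm) and then by function-code frequency against the trend (second abnormal behavior, detailed alarm with event content and event protocol). The record layout, the window size, the tolerance parameter, the IP addresses, ports and function codes are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One parsed industrial-protocol message. Field layout is an assumption."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str   # protocol name, e.g. "modbus"
    func_code: int  # parsed function code (operation instruction)
    address: int    # operation address
    value: int      # operation value
    t: int          # capture time in seconds


def rate_per_window(records, window=60):
    """Average executions per window for each (device, protocol, function code),
    counting every window in the observation span, idle windows included."""
    if not records:
        return {}
    t0, t1 = min(r.t for r in records), max(r.t for r in records)
    n_windows = (t1 - t0) // window + 1
    totals = defaultdict(int)
    for r in records:
        totals[(r.dst_ip, r.protocol, r.func_code)] += 1
    return {key: count / n_windows for key, count in totals.items()}


def learn_baseline(records, window=60, tolerance=0.5):
    """Baseline = known (device, protocol) pairs plus one behavior trend per
    function code: mean execution count per window and the allowed relative
    deviation. `tolerance` is an assumed parameter, not a value from the patent."""
    return {
        "protocols": {(r.dst_ip, r.protocol) for r in records},
        "trends": {key: {"avg": avg, "tolerance": tolerance}
                   for key, avg in rate_per_window(records, window).items()},
    }


def detect(baseline, records, window=60):
    """Stage 1 (S303): a protocol outside the baseline for a device is a first
    abnormal behavior -> preliminary alarm (protocol, level, IPs, ports).
    Stage 2 (S304): for protocols inside the baseline, compare each function
    code's execution rate with its trend; beyond tolerance -> second abnormal
    behavior -> detailed alarm with event content and event protocol."""
    known = [r for r in records if (r.dst_ip, r.protocol) in baseline["protocols"]]
    unknown = [r for r in records if (r.dst_ip, r.protocol) not in baseline["protocols"]]
    alarms, seen_flows = [], set()
    for r in unknown:
        flow = (r.protocol, r.src_ip, r.dst_ip, r.src_port, r.dst_port)
        if flow not in seen_flows:          # one preliminary alarm per flow
            seen_flows.add(flow)
            alarms.append({"kind": "first", "level": "high", "protocol": r.protocol,
                           "src_ip": r.src_ip, "dst_ip": r.dst_ip,
                           "src_port": r.src_port, "dst_port": r.dst_port})
    for key, observed in rate_per_window(known, window).items():
        trend = baseline["trends"].get(key)
        if trend is None:                    # function code never seen on this device
            deviation = float("inf")
        else:
            deviation = abs(observed - trend["avg"]) / trend["avg"]
        if trend is None or deviation > trend["tolerance"]:
            sample = next(r for r in known
                          if (r.dst_ip, r.protocol, r.func_code) == key)
            alarms.append({"kind": "second", "level": "high",
                           "event": {"src_ip": sample.src_ip, "dst_ip": sample.dst_ip,
                                     "src_port": sample.src_port, "dst_port": sample.dst_port},
                           "protocol": {"name": sample.protocol, "command": sample.func_code,
                                        "address": sample.address, "value": sample.value},
                           "observed_per_window": observed, "deviation": deviation})
    return alarms


def sample_traffic(base_t, reads_per_min, writes_per_min, minutes=5):
    """Constructed sample traffic: an HMI at 10.0.0.20 polls a PLC at 10.0.0.5 with
    Modbus function 3 (read) and function 16 (write) at the given per-minute rates."""
    out = []
    for m in range(minutes):
        for i in range(reads_per_min):
            out.append(Record("10.0.0.20", "10.0.0.5", 40000 + i, 502, "modbus", 3,
                              100, 0, base_t + m * 60 + i * (60 // reads_per_min)))
        for i in range(writes_per_min):
            out.append(Record("10.0.0.20", "10.0.0.5", 41000 + i, 502, "modbus", 16,
                              200, 1, base_t + m * 60 + i * (60 // writes_per_min)))
    return out


def demo():
    """Learn from 5 minutes of normal traffic (6 reads, 1 write per minute), then
    monitor traffic where writes jump to 10 per minute and a second host speaks an
    unknown protocol to the PLC: one first and one second alarm are expected."""
    baseline = learn_baseline(sample_traffic(0, 6, 1))
    monitored = sample_traffic(1000, 6, 10) + [
        Record("10.0.0.77", "10.0.0.5", 50000, 102, "s7", 4, 0, 0, 1100)]
    return baseline, detect(baseline, monitored)


if __name__ == "__main__":
    _, alarms = demo()
    for a in alarms:
        print(a)
```

The trend here is a plain per-window mean with a relative tolerance; the patent's "fitted" behavior trend may use a richer model over time, and a production matcher would also key the baseline per source device and compare per window rather than over the whole monitoring span, so that a short burst is not averaged away.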
In addition, through abnormal behavior analysis technology, the IP address and network information, active status, protocol traffic distribution, application information, session information and other information of asset devices can be further checked, making deployment of the network environment at the industrial site more convenient and secure.
Through the above scheme, this embodiment performs deep content parsing and identification of industrial control protocols, extracts the industrial control instructions and user behavior in the protocol at fine granularity, models a behavior baseline for the operation instructions of the industrial control protocol with time as the parameter, correlates it with the business and technological process, and performs comparative analysis, thereby effectively supporting the detection of behavior that does not conform to business processes and improving the accuracy and effectiveness of industrial control abnormal behavior detection. On the basis of protocol identification, an independent behavior baseline analysis is established for each individual device, which can largely avoid problems such as severe event false positives caused by generic rules. This provides a reliable and effective threat monitoring means for the network security of today's industrial sites and has strong guiding value for improving the network security of industrial sites.
In addition, an embodiment of the present invention further provides a terminal device, which includes a memory, a processor, and an abnormal behavior detection program stored in the memory and executable on the processor; when the abnormal behavior detection program is executed by the processor, the steps of the abnormal behavior detection method described above are implemented.
Since the abnormal behavior detection program, when executed by the processor, adopts all the technical solutions of all the foregoing embodiments, it has at least all the beneficial effects brought by those technical solutions, which are not repeated here.
In addition, an embodiment of the present invention further provides a computer-readable storage medium on which an abnormal behavior detection program is stored; when the abnormal behavior detection program is executed by a processor, the steps of the abnormal behavior detection method described above are implemented.
Since the abnormal behavior detection program, when executed by the processor, adopts all the technical solutions of all the foregoing embodiments, it has at least all the beneficial effects brought by those technical solutions, which are not repeated here.
Compared with the prior art, the abnormal behavior detection method, apparatus, terminal device and storage medium proposed by the embodiments of the present invention acquire traffic information of network devices; build a behavior baseline according to the traffic information; monitor network behavior based on the behavior baseline, treat network behavior that does not conform to the behavior baseline as abnormal behavior, and provide a corresponding alarm according to the abnormal behavior. Through deep content parsing and identification of industrial control protocols, the industrial control instructions and user behavior in the protocol are extracted at fine granularity, a behavior baseline is modeled for the operation instructions of the industrial control protocol with time as the parameter, correlated with the business and technological process, and subjected to comparative analysis, thereby effectively supporting the detection of behavior that does not conform to business processes and improving the accuracy and effectiveness of industrial control abnormal behavior detection. On the basis of protocol identification, an independent behavior baseline analysis is established for each individual device, which can largely avoid problems such as severe event false positives caused by generic rules. This provides a reliable and effective threat monitoring means for the network security of today's industrial sites and has strong guiding value for improving the network security of industrial sites.
It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or system that comprises that element.
The serial numbers of the above embodiments of the present application are for description only and do not represent the merits of the embodiments.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and comprising a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a controlled terminal, a network device, etc.) to execute the method of each embodiment of the present application.
The above are merely preferred embodiments of the present invention and do not thereby limit the patent scope of the present invention; any equivalent structural or equivalent process transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111557971.2A CN114301645A (en) | 2021-12-16 | 2021-12-16 | Abnormal behavior detection method, device, terminal device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114301645A (en) | 2022-04-08 |
Family
ID=80966744
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111557971.2A Pending CN114301645A (en) | 2021-12-16 | 2021-12-16 | Abnormal behavior detection method, device, terminal device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114301645A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105429824A (en) * | 2015-12-18 | 2016-03-23 | 中国电子信息产业集团有限公司第六研究所 | Self-adaptive depth detection device of industrial control protocol and method |
WO2019021922A1 (en) * | 2017-07-26 | 2019-01-31 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Abnormality detection device, and abnormality detection method |
CN110809009A (en) * | 2019-12-12 | 2020-02-18 | 江苏亨通工控安全研究院有限公司 | Two-stage intrusion detection system applied to industrial control network |
US20200304532A1 (en) * | 2017-12-15 | 2020-09-24 | Panasonic Intellectual Property Corporation Of America | Anomaly detection device, in-vehicle network system, and anomaly detection method |
CN112306019A (en) * | 2020-10-28 | 2021-02-02 | 北京珞安科技有限责任公司 | Industrial control safety audit system based on protocol deep analysis and application thereof |
CN112351035A (en) * | 2020-11-06 | 2021-02-09 | 杭州安恒信息技术股份有限公司 | Industrial control security situation sensing method, device and medium |
CN112637220A (en) * | 2020-12-25 | 2021-04-09 | 中能融合智慧科技有限公司 | Industrial control system safety protection method and device |
CN113098846A (en) * | 2021-03-17 | 2021-07-09 | 苏州三六零智能安全科技有限公司 | Industrial control flow monitoring method, equipment, storage medium and device |
CN113630409A (en) * | 2021-08-05 | 2021-11-09 | 哈尔滨工业大学(威海) | An abnormal traffic identification method based on the fusion analysis of DNS resolution traffic and IP traffic |
- 2021-12-16 CN CN202111557971.2A patent/CN114301645A/en active Pending
Non-Patent Citations (1)
Title |
---|
唐文; 王志华; 马俊; 雷宇: "A software detection scheme for fax control protocols based on PCM digital signals", Communications Technology, no. 05 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115473671A (en) * | 2022-08-01 | 2022-12-13 | 博瑞得科技有限公司 | A method and system for abnormal detection of electric power terminals based on flow baseline |
CN115473671B (en) * | 2022-08-01 | 2025-05-13 | 博瑞得科技有限公司 | A method and system for detecting abnormality of power terminals based on flow baseline |
Similar Documents
Publication | Title |
---|---|
CN109164786B (en) | Abnormal behavior detection method, device and equipment based on time-dependent baseline |
CN105191257B (en) | Method and apparatus for detecting multistage event |
CN108848067B (en) | OPC protocol safety protection method for intelligently learning and presetting read-only white list rule |
CN112787992A (en) | Method, device, equipment and medium for detecting and protecting sensitive data |
CN111935172A (en) | Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium |
CN117834308B (en) | A network security situation awareness method, system and medium |
US20230018096A1 (en) | Analysis apparatus, analysis method, and non-transitory computer readable medium storing analysis program |
CN112926942A (en) | Internet asset exposure information checking method |
CN107483472A (en) | Method, device, storage medium and server for network security monitoring |
CN107579986A (en) | A method of network security detection in complex network |
CN111327601A (en) | Abnormal data response method, system, device, computer equipment and storage medium |
US20180183819A1 (en) | System to detect machine-initiated events in time series data |
CN115618353A (en) | Identification system and method for industrial production safety |
CN116318934A (en) | Security early warning method and system based on behavior modeling of Internet of things equipment |
CN110351237A (en) | Honey jar method and device for numerically-controlled machine tool |
CN114301645A (en) | Abnormal behavior detection method, device, terminal device and storage medium |
CN116208415A (en) | Method, device and equipment for managing API (application program interface) assets |
CN116226837A (en) | Method and system for intelligently monitoring behavior of intrusion industrial monitoring audit system |
CN114779737A (en) | A New Cyber-Physical Security Architecture of Industrial Control System |
CN116668051A (en) | Alarm information processing method, device, program, electronic and medium for attack behavior |
CN114244571A (en) | Illegal external connection monitoring method and device based on data flow analysis and computer equipment |
CN108307414A (en) | Wi-Fi connection abnormity processing method and device of application program, terminal and storage medium |
CN116861422A (en) | API interface detection and protection method, device, equipment and storage medium |
CN113660291B (en) | Method and device for preventing malicious tampering of intelligent large-screen display information |
CN116049822A (en) | Supervision method, system, electronic device and storage medium for application program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20220408 |