
CN103888282A - Network intrusion alarm method and system based on nuclear power plant - Google Patents


Info

Publication number
CN103888282A
Authority
CN
China
Prior art keywords
early warning
warning information
module
access object
nuclear power
Prior art date
Legal status
Pending
Application number
CN201310361837.4A
Other languages
Chinese (zh)
Inventor
孙永滨
刘高俊
王婷
孙奇
张建波
何大宇
陈卫华
黄伟军
彭华清
王春冰
段奇志
杨华龙
Current Assignee
China General Nuclear Power Corp
China Nuclear Power Engineering Co Ltd
Lingao Nuclear Power Co Ltd
Original Assignee
China General Nuclear Power Corp
China Nuclear Power Engineering Co Ltd
Priority date
Filing date
Publication date
Application filed by China General Nuclear Power Corp, China Nuclear Power Engineering Co Ltd
Priority to CN201310361837.4A (CN103888282A)
Priority to PCT/CN2013/087737 (WO2015024315A1)
Priority to GB1602102.4A (GB2532630B)
Publication of CN103888282A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/18 Network protocols supporting networked applications, e.g. including control of end-device applications over a network
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Medical Informatics (AREA)
  • Testing And Monitoring For Control Systems (AREA)
  • Alarm Systems (AREA)
  • Monitoring And Testing Of Nuclear Reactors (AREA)

Abstract

The invention discloses a network intrusion alarm method based on a nuclear power plant. The method comprises the steps of: detecting the data information sent by an access object, wherein the detection comprises misuse detection and protocol anomaly data detection; if the detection result of the data information is abnormal, generating real-time early warning information; matching the real-time early warning information with the historical early warning information in a database; and if the matching result of the real-time early warning information and the historical early warning information does not meet a preset matching value, issuing intrusion alarm information. The network intrusion alarm method based on a nuclear power plant provided by the invention can effectively meet the network security protection requirements of the industrial network of the nuclear power plant. In addition, the invention further discloses a network intrusion alarm system based on a nuclear power plant.

Description

Network intrusion alarm method and system based on nuclear power plant
Technical field
The invention belongs to the field of nuclear power plant security protection, and more particularly relates to a network intrusion alarm method and system based on a nuclear power plant.
Background art
An intrusion detection system (Intrusion Detection System, IDS) is a system that identifies and responds to malicious use of computer and network resources. As networks grow ever larger and the resources on them ever richer, the threats coming from the network multiply and attacks become ever more covert. The data of nuclear power operation bears on national security and social stability; building a network security system to ensure the safety of the data centre is therefore imperative. Industrial control systems, including nuclear power plant control systems, are independent networks because they are not connected to the Internet. Under normal circumstances no virus is present in them, and outside hackers cannot attack them. Moreover, common hacker and Internet worm attacks target computer equipment; in general there are no viruses aimed at the control devices in an industrial control system network.
In nuclear power control systems, with the development of information technology and for the convenience of integrating and using the nuclear power system, industrial Ethernet ring networks and the OPC (OLE for Process Control) communication protocol are used extensively to integrate the nuclear power control system. At the same time, PC servers and end products are widely used, and the nuclear power operating systems and databases are largely general-purpose systems. Although the nuclear power industrial network is not connected to the Internet, and the nuclear power plant has formulated many regulations, in practice people often fail to comply with them, for example by using a USB flash drive alternately on the Internet and on the nuclear power industrial network, or by using CDs that have not been checked. Such behaviour easily invites attacks by viruses, Trojan horses and hackers from the enterprise management network or the Internet, which may in turn cause failures in the physical plant. The data of nuclear power operation bears on national security and social stability; building a network security system to ensure the safety of the data centre is therefore imperative.
Existing network security systems usually consist of a firewall, antivirus software and an intrusion detection system (Intrusion Detection System, IDS) or intrusion prevention system (Intrusion Prevention System, IPS). However, in nuclear power control systems either no commercial intrusion detection system is deployed for network defence, or the commercial intrusion detection system that is deployed is one based on misuse detection. Because the nuclear power industrial network is not connected to the Internet, the virus database of the intrusion detection in the nuclear power industrial network cannot be updated in time, so a commercial intrusion detection system cannot detect new viruses or viruses designed against a particular industrial control system.
How to detect and give early warning of virus intrusions coming from the network is a nuclear safety problem demanding a prompt solution.
Summary of the invention
The object of the invention is to provide, against virus intrusions that may come from the network into the nuclear power control system, a network intrusion alarm method and system based on a nuclear power plant which, by combining anomaly detection technology with misuse detection technology, improves the ability of the nuclear power plant control system to detect network intrusions and improves the intrusion alarm mechanism, thereby effectively meeting the requirements of the nuclear power plant industrial network for network security protection.
In order to achieve the above object, the invention provides a network intrusion alarm method based on a nuclear power plant, comprising:
detecting the data information sent by an access object, the detection comprising misuse detection and protocol anomaly data detection;
if the detection result of the data information is abnormal, generating real-time early warning information;
matching the real-time early warning information with the historical early warning information in a database;
if the matching result of the real-time early warning information and the historical early warning information does not meet a preset matching value, sending intrusion alarm information.
As an improvement of the network intrusion alarm method based on a nuclear power plant of the invention, the method further comprises:
receiving the data information sent by the access object.
As an improvement of the network intrusion alarm method based on a nuclear power plant of the invention, the historical early warning information comprises an early warning count field; if the matching result of the real-time early warning information and the historical early warning information meets the preset matching value, the early warning count is increased by one.
As an improvement of the network intrusion alarm method based on a nuclear power plant of the invention, the method further comprises:
performing association analysis on the real-time early warning information and the historical early warning information, and judging the access purpose of the access object according to preset correlation rules.
As an improvement of the network intrusion alarm method based on a nuclear power plant of the invention, the method further comprises:
if the access purpose of the access object cannot be judged according to the preset correlation rules, establishing a new correlation rule according to the real-time early warning information and updating the correlation rules immediately.
As an improvement of the network intrusion alarm method based on a nuclear power plant of the invention, the method further comprises:
saving the real-time early warning information to the database and updating the database.
As an improvement of the network intrusion alarm method based on a nuclear power plant of the invention, the method further comprises:
according to the intrusion alarm information, executing blocking of the IP address or port used by the access object.
In order to achieve the above object, the invention also provides a network intrusion alarm system based on a nuclear power plant, comprising:
a detection module, for detecting the data information sent by an access object, the detection comprising misuse detection and protocol anomaly data detection;
a warning module, for generating real-time early warning information if the result of the detection module detecting the data information is abnormal;
a matching module, for matching the real-time early warning information generated by the warning module with the historical early warning information in a database;
an alarm module, for sending intrusion alarm information if the matching result of the real-time early warning information and the historical early warning information does not meet a preset matching value.
As an improvement of the network intrusion alarm system based on a nuclear power plant of the invention, the system further comprises:
a receiver module, for receiving the data information sent by the access object.
As an improvement of the network intrusion alarm system based on a nuclear power plant of the invention, the system further comprises:
a database, for storing the historical early warning information, the historical early warning information comprising an early warning count field; if the matching result of the real-time early warning information and the historical early warning information meets the preset matching value, the early warning count is increased by one.
As an improvement of the network intrusion alarm system based on a nuclear power plant of the invention, the system further comprises:
an analysis module, for performing association analysis on the real-time early warning information and the historical early warning information, and judging the access purpose of the access object according to preset correlation rules.
As an improvement of the network intrusion alarm system based on a nuclear power plant of the invention, the system further comprises:
an adaptation module, for storing the preset correlation rules; if the analysis module cannot judge the access purpose of the access object according to the preset correlation rules, a new correlation rule is established according to the real-time early warning information and the correlation rules are updated immediately.
As an improvement of the network intrusion alarm system based on a nuclear power plant of the invention, the system further comprises:
an update module, for saving the real-time early warning information to the database and updating the database.
As an improvement of the network intrusion alarm system based on a nuclear power plant of the invention, the system further comprises:
an execution module, for executing, according to the intrusion alarm information, blocking of the IP address or port used by the access object.
Compared with the prior art, the network intrusion alarm method and system based on a nuclear power plant of the invention have the following beneficial technical effects: misuse detection and protocol anomaly data detection are performed on the data information sent by the access object, matching analysis is performed on the basis of that detection, and an alarm is raised according to the matching result, so that intrusion alarming adapted to the network environment of the nuclear power plant control system is realized; at the same time, because anomaly detection technology and misuse detection technology are combined, the ability of the nuclear power plant control system to detect network intrusions and its alarm mechanism are improved, the requirements of the nuclear power plant industrial network for network security protection are effectively met, and a good technical effect is obtained.
Brief description of the drawings
The network intrusion alarm method and system based on a nuclear power plant of the invention are described in detail below with reference to the drawings and specific embodiments, wherein:
Fig. 1 is a flow chart of an embodiment of the network intrusion alarm method based on a nuclear power plant of the invention.
Fig. 2 is a schematic diagram of an embodiment of the network intrusion alarm system based on a nuclear power plant of the invention.
Fig. 3 is a schematic diagram of another embodiment of the network intrusion alarm system based on a nuclear power plant of the invention.
Embodiments
In order to make the object, technical solution and beneficial technical effects of the invention clearer, the invention is further described below with reference to the drawings and specific embodiments. It should be understood that the embodiments described in this specification are only intended to explain the invention and not to limit it.
According to its operating principle, intrusion detection technology can be divided into two classes, misuse detection and anomaly detection. Misuse detection is based on matching the characteristics of data information; its accuracy is high, but it cannot discover new intrusion patterns and therefore produces false negatives. Anomaly detection, such as protocol anomaly detection (Protocol Anomaly Detection System, PADS), takes data such as network connection features, system call features, network flow features and system delay features as its basis, builds a descriptive model of normal network behaviour, and regards a large deviation of user activity from normal behaviour as an intrusion; it can discover new network intrusions, but it has a high false positive rate and requires a large number of training samples. At present, the combined application of misuse detection and anomaly detection to the field of nuclear power control systems is still a blank.
With reference to Fig. 1, Fig. 1 provides a network intrusion alarm method based on a nuclear power plant, which specifically comprises:
Step 101: detecting the data information sent by the access object, the detection comprising misuse detection and protocol anomaly data detection.
The nuclear power intrusion alarm management system receives the data information sent by the access object. Specifically, the accessing data information passes through a switch to the control system application server. The nuclear power intrusion alarm management system (Intrusion Detection Alert Management System, IDAMS) ND-IDAMS installed on a computer server obtains the data information of the access object through the switch.
The nuclear power intrusion alarm management system receives the data information sent by the access object. Optionally, the access object may also send data information to the nuclear power plant control system through the server.
The nuclear power intrusion alarm management system detects the data information sent by the access object; the detection comprises misuse detection and protocol anomaly data detection. Specifically, the nuclear power intrusion alarm management system calls a misuse detection module to detect the data information; further, protocol anomaly data detection (PADS) is performed on the data information, and PADS may use a Markov model to sample the protocols in the network data.
Optionally, the nuclear power intrusion alarm management system may detect the data information through a networked commercial intrusion detection system (IPS or IDS), and may connect to multiple commercial intrusion detection systems (IPS or IDS).
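As an added example, not code from the patent or from the ND-IDAMS system it describes, the following Python sketch shows the two detection branches of step 101 side by side: a misuse detector that matches payloads against a signature list, and a protocol anomaly detector that learns a first-order Markov chain over the message types of normal sessions and flags a session containing a transition it has never, or only very rarely, seen. The signature list, the message types, the training sessions, the 0.05 threshold and the `detect` function are all constructed for the example; the patent only states that PADS may use a Markov model to sample the protocols in the network data.

```python
# Added example (not the patent's code): misuse detection plus a first-order
# Markov protocol-anomaly detector, the two branches of step 101.
from collections import defaultdict

# Constructed misuse signatures: id -> byte pattern that must appear in the payload.
MISUSE_SIGNATURES = {
    "sig-usb-autorun": b"autorun.inf",
    "sig-opc-long-item": b"A" * 64,
}


def misuse_detect(payload):
    """Return the id of the first signature found in the payload, else None."""
    for sig_id, pattern in MISUSE_SIGNATURES.items():
        if pattern in payload:
            return sig_id
    return None


class MarkovProtocolModel:
    """First-order Markov chain over the message types of a protocol session.

    Trained on sessions regarded as normal. A session is anomalous when its
    least likely transition (including start and end) falls below `threshold`.
    """

    START, END = "<start>", "<end>"

    def __init__(self, threshold=0.05):
        self.threshold = threshold          # assumed value; tune on real traffic
        self.counts = defaultdict(dict)     # from_type -> {to_type: count}

    @staticmethod
    def _transitions(session):
        seq = [MarkovProtocolModel.START] + list(session) + [MarkovProtocolModel.END]
        return zip(seq, seq[1:])

    def train(self, sessions):
        for session in sessions:
            for a, b in self._transitions(session):
                self.counts[a][b] = self.counts[a].get(b, 0) + 1

    def transition_prob(self, a, b):
        row = self.counts.get(a, {})
        total = sum(row.values())
        return row.get(b, 0) / total if total else 0.0

    def min_transition(self, session):
        """Lowest transition probability along the session."""
        return min(self.transition_prob(a, b) for a, b in self._transitions(session))

    def is_anomalous(self, session):
        return self.min_transition(session) < self.threshold


# Constructed training data: message-type sequences of normal OPC-style sessions.
NORMAL_SESSIONS = [
    ["CONNECT", "BROWSE", "READ", "READ", "DISCONNECT"],
    ["CONNECT", "READ", "WRITE", "DISCONNECT"],
    ["CONNECT", "BROWSE", "READ", "DISCONNECT"],
    ["CONNECT", "READ", "READ", "DISCONNECT"],
]


def build_model():
    model = MarkovProtocolModel()
    model.train(NORMAL_SESSIONS)
    return model


def detect(model, packet):
    """Step 101 for one packet record; returns real-time early warning info or None.

    `packet` is a constructed dict with keys src_ip, dst_port, protocol,
    payload (bytes) and session (list of message types).
    """
    base = {"src_ip": packet["src_ip"], "dst_port": packet["dst_port"],
            "protocol": packet["protocol"]}
    sig = misuse_detect(packet["payload"])
    if sig is not None:                        # misuse branch: known pattern
        return dict(base, detector="misuse", signature=sig)
    if model.is_anomalous(packet["session"]):  # anomaly branch: unseen transition
        return dict(base, detector="pads", signature="markov-deviation",
                    min_transition=model.min_transition(packet["session"]))
    return None


if __name__ == "__main__":
    m = build_model()
    benign = {"src_ip": "10.0.1.5", "dst_port": 135, "protocol": "OPC",
              "payload": b"READ item1", "session": ["CONNECT", "READ", "DISCONNECT"]}
    odd = dict(benign, session=["CONNECT", "WRITE", "DISCONNECT"])
    print(detect(m, benign), detect(m, odd))
```

The misuse branch answers first because it is the high-precision path; the Markov branch only runs on traffic no signature claims, which is where the description says anomaly detection earns its keep (new patterns) and where its false positives should be expected.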
Step 103: if the detection result of the data information is abnormal, generating real-time early warning information.
Data that passes the detection as normal may access the relevant system normally; if the detection result of the data information is abnormal, the nuclear power intrusion alarm management system generates real-time early warning information.
Step 105: matching the real-time early warning information with the historical early warning information in the database.
Specifically, the nuclear power intrusion alarm management system matches the real-time early warning information with the historical early warning information stored in the database, and a classification algorithm determines whether historical early warning information identical to this real-time early warning information exists in the database.
Optionally, the matching value for matching real-time early warning information with historical early warning information may be preset. For example, with the matching value set to 75%, if the real-time early warning information and the historical early warning information agree by 75% or more (75% included), the real-time early warning information is regarded as matching the historical early warning information; the matching value can be adjusted continually as required.
If historical early warning information matching the real-time early warning information is found, the two are classified as the same class of early warning; no matter how many items of real-time early warning information there are, as long as they match this historical early warning information, what the early warning information fusion returns is this historical early warning information, which significantly reduces repeated early warnings of the same kind.
Optionally, the historical early warning information comprises an early warning count field; if the matching result of the real-time early warning information and the historical early warning information meets the preset matching value, the early warning count is increased by one. For example, the historical early warning information comprises at least the early warning content and the early warning count; when real-time early warning information matches the historical early warning information, the early warning content is unchanged and the early warning count is increased by one.
Further, association analysis is performed on the real-time early warning information and the historical early warning information, and the access purpose of the access object is judged according to the preset correlation rules.
Step 107: if the matching result of the real-time early warning information and the historical early warning information does not meet the preset matching value, sending intrusion alarm information.
For example, with the matching value set to 75%, if the real-time early warning information and the historical early warning information agree by less than the 75% matching value, the real-time early warning information is regarded as not matching the historical early warning information. If the matching result of the real-time early warning information and the historical early warning information does not meet the preset matching value, the nuclear power intrusion alarm management system sends intrusion alarm information.
If the access purpose of the access object cannot be judged according to the preset correlation rules, a new correlation rule is established according to the real-time early warning information and the correlation rules are updated immediately.
The received real-time early warning information finds no similar historical early warning information, or none meeting the matching value, in the database. This is confirmed by the administrator, who establishes a new early warning fusion class and correlation rule for it. By checking the table of attack early warning associations that have already occurred, the administrator can update the existing correlation rules.
Further, the real-time early warning information is saved to the database and the database is updated. The new early warning fusion class and correlation rule are established and the database is updated immediately.
Further, according to the intrusion alarm information, blocking of the IP address or port used by the access object is executed, by interlocking with a firewall or IPS.
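The matching, fusion and alarm logic of steps 105 and 107, written out as an added example that is not code from the patent: each historical early warning keeps its content and an early warning count; a real-time early warning is compared field by field against the stored ones, and the agreement ratio is tested against the preset matching value of 75%. On a match the count increases by one and the historical record is returned as the fusion result; otherwise an intrusion alarm is raised, the new early warning is stored, and the IP address and port to block are reported for the firewall or IPS interlock to act on. The set of compared fields, the agreement-ratio measure, the `WarningDatabase` class and the sample warnings are constructed for the example; the patent does not specify how the 75% is computed or which classification algorithm is used.

```python
# Added example (not the patent's code): matching a real-time early warning
# against historical early warnings with a preset matching value (steps 105, 107).
from dataclasses import dataclass

MATCH_VALUE = 0.75   # the 75% matching value from the description; adjustable

# Constructed choice of fields compared between two early warnings.
MATCH_FIELDS = ("detector", "signature", "protocol", "src_ip", "dst_port")


@dataclass
class HistoricalWarning:
    content: dict     # early warning content
    count: int = 1    # early warning count field


def similarity(a, b):
    """Fraction of MATCH_FIELDS on which two early warnings agree (assumed measure)."""
    agree = sum(1 for f in MATCH_FIELDS if a.get(f) == b.get(f))
    return agree / len(MATCH_FIELDS)


class WarningDatabase:
    """Stores historical early warnings and applies the matching rule."""

    def __init__(self, match_value=MATCH_VALUE):
        self.match_value = match_value
        self.history = []

    def match(self, warning):
        """Step 105: best-matching historical warning at or above the matching value, else None."""
        best, best_score = None, -1.0
        for h in self.history:
            score = similarity(warning, h.content)
            if score > best_score:
                best, best_score = h, score
        if best is not None and best_score >= self.match_value:
            return best
        return None

    def process(self, warning):
        """Steps 105 and 107 for one real-time early warning.

        Returns a dict describing the outcome: fused into an existing class
        (count incremented) or a new intrusion alarm with the blocking target.
        """
        hit = self.match(warning)
        if hit is not None:
            hit.count += 1                        # count + 1, content unchanged
            return {"alarm": False, "fused_into": hit.content, "count": hit.count}
        new = HistoricalWarning(content=dict(warning))
        self.history.append(new)                  # update module: save and update database
        return {"alarm": True, "count": new.count,
                "block": {"ip": warning.get("src_ip"), "port": warning.get("dst_port")}}


# Constructed real-time early warnings, in arrival order.
SAMPLE_WARNINGS = [
    {"detector": "misuse", "signature": "sig-usb-autorun", "protocol": "OPC",
     "src_ip": "10.0.1.5", "dst_port": 135},
    {"detector": "misuse", "signature": "sig-usb-autorun", "protocol": "OPC",
     "src_ip": "10.0.1.5", "dst_port": 4444},      # 4/5 fields agree -> fused
    {"detector": "pads", "signature": "markov-deviation", "protocol": "OPC",
     "src_ip": "10.0.1.5", "dst_port": 135},       # 3/5 agree -> new alarm
    {"detector": "pads", "signature": "markov-deviation", "protocol": "OPC",
     "src_ip": "10.0.1.6", "dst_port": 135},       # 4/5 agree with the third -> fused
]


def run_demo(warnings=SAMPLE_WARNINGS):
    """Feed the sample warnings through one database; returns the list of outcomes."""
    db = WarningDatabase()
    return [db.process(w) for w in warnings]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The threshold comparison is `>=`, matching the description's "75% included". Note that with five compared fields the only reachable ratios are multiples of 0.2, so 0.75 behaves exactly like 0.8 here; when tuning the matching value in practice it is worth knowing how many fields the classifier actually compares.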
Misuse detection and protocol anomaly data detection are performed on the data information sent by the access object, matching analysis is performed on the basis of that detection, and an alarm is raised according to the matching result, so that intrusion alarming adapted to the network environment of the nuclear power plant control system is realized; at the same time, because anomaly detection technology and misuse detection technology are combined, the ability of the nuclear power plant control system to detect network intrusions and its alarm mechanism are improved, the requirements of the nuclear power plant industrial network for network security protection are effectively met, and a good technical effect is obtained.
Fig. 2 is a schematic diagram of an embodiment of a network intrusion alarm system based on a nuclear power plant, comprising a detection module 201, a warning module 203, a matching module 205 and an alarm module 207.
The detection module 201 is for detecting the data information sent by the access object, the detection comprising misuse detection and protocol anomaly data detection;
the warning module 203 is for generating real-time early warning information if the result of the detection module 201 detecting the data information is abnormal;
the matching module 205 is for matching the real-time early warning information generated by the warning module 203 with the historical early warning information in the database;
the alarm module 207 is for sending intrusion alarm information if the matching result of the real-time early warning information and the historical early warning information does not meet the preset matching value.
The implementation method and flow of the system can refer to the method embodiment introduced above and are not repeated here.
Incorporated by reference to referring to Fig. 3, Fig. 3 provides the schematic diagram of an a kind of embodiment of the network intrusions warning system based on nuclear power station, and it comprises: receiver module 301, detection module 303, warning module 305, matching module 307, alarm module, update module 311, database 313, analysis module 315, adaptation module 317 and Executive Module 319.
Concrete, receiver module 301, the data message sending for receiving access object;
Concrete, the data message of access is through switch metering-in control system application server.Receiver module 301 in the nuclear power intrusion alarm management system ND-IDAMS installing in computer server obtains the data message of access object by switch.
Receiver module 301 receives the data message that access object sends.Optionally, access object also can send data message to control systems of nuclear power plant by server, then has receiver module 301 to receive.
Detection module 303, detects for the data message that access object is sent, and detects and comprises that misuse detects and protocol anomaly Data Detection;
The data message that the access object that detection module 303 receives receiver module 301 sends detects, and comprising: detection module 303 detects and comprises that misuse detects and protocol anomaly Data Detection.Concrete, further, detection module 303 carries out protocol anomaly Data Detection PADS to data message, and PADS can use the agreement in Markov model Sampling network data.
Optionally, detection module 303 can detect data message by the commercial intruding detection system of networking (IPS or IDS), and detection module 303 can connect multiple commercial intruding detection systems (IPS or IDS).
Warning module 305, if be abnormal for the result of detection module detection data message, generates instant early warning information;
Detection module 303 detects the normal data of passing through can normally access related system, is abnormal if detect the result of data message, and warning module 305 generates instant early warning information.
Matching module 307 matches the instant early warning information generated by warning module 35 against the historical early warning information in the database.
Specifically, matching module 307 matches the instant early warning information with the historical early warning information stored in the database and uses a sorting algorithm to determine whether historical early warning information identical to this instant early warning information exists in database 313.
Optionally, matching module 307 may preset the matching value at which instant early warning information is deemed to match historical early warning information. For example, if the matching value is set to 75% and the instant early warning information and the historical early warning information agree on 75% or more (75% included), the instant early warning information is considered to match the historical early warning information; the matching value can be adjusted at any time as required.
If historical early warning information matching the instant early warning information is found, the two are classified as the same kind of early warning: however many items of instant early warning information arrive, as long as each matches this historical early warning information, what is returned for early warning information fusion is this one historical early warning information, which significantly reduces the repetition of similar early warnings.
Database 313 stores historical early warning information. The historical early warning information includes an early warning count field; if the matching result of the instant early warning information and the historical early warning information meets the preset matching value, the early warning count is incremented by one. For example, the historical early warning information includes at least the early warning content and the early warning count; when instant early warning information matches historical early warning information, the early warning content stays unchanged and the early warning count is incremented by one.
If the instant early warning information does not match the historical early warning information, update module 311 saves the instant early warning information to database 313 and updates database 313.
Analysis module 315 performs association analysis on the instant early warning information and the historical early warning information and determines the access target of the access object according to the preset correlation rules.
Adaptation module 317 stores the preset correlation rules; if analysis module 315 cannot determine the access target of the access object according to the preset correlation rules, adaptation module 317 establishes a new correlation rule from the instant early warning information and updates the correlation rules immediately.
Alarm module 309 sends intrusion alarm information if matching module 307 determines that the matching result of the instant early warning information and the historical early warning information does not meet the preset matching value.
Executive module 319 blocks the access object by IP address or port according to the intrusion alarm information.
As can be seen from the detailed description above, compared with the prior art the present invention has at least the following beneficial technical effects. By performing misuse detection and protocol anomaly data detection on the data messages sent by the access object, analysing and matching on the basis of those detections, and raising an alarm according to the matching result, network intrusion handling that adapts to the environment of the nuclear power plant control system is achieved. At the same time, because anomaly detection techniques and misuse detection techniques are combined, the nuclear power plant control system's ability to detect network intrusions and its alarm mechanism are improved, effectively meeting the network security protection requirements of the nuclear power plant industrial network. In addition, because the database and the intrusion types can be continuously updated adaptively once intrusion alarm information is found, and policy handling and alarming are carried out, such as blocking an IP or port, the nuclear power plant control system is protected securely and a good technical effect is obtained.
Based on the above principles, appropriate changes and amendments may also be made to the embodiments described above. The present invention is therefore not limited to the embodiments disclosed and described above; modifications and changes to the present invention should also fall within the protection scope of the claims of the present invention. In addition, although some specific terms are used in this specification, these terms are only for convenience of description and do not constitute any limitation of the present invention.

Claims (14)

1. A network intrusion alarm method based on a nuclear power plant, characterized in that the method comprises:
detecting the data messages sent by an access object, the detection comprising misuse detection and protocol anomaly data detection;
if the result of detecting the data messages is abnormal, generating instant early warning information;
matching the instant early warning information with historical early warning information in a database;
if the matching result of the instant early warning information and the historical early warning information does not meet a preset matching value, sending intrusion alarm information.
2. The method according to claim 1, characterized in that the method further comprises:
receiving the data messages sent by the access object.
3. The method according to claim 2, characterized in that the historical early warning information comprises an early warning count field, and if the matching result of the instant early warning information and the historical early warning information meets the preset matching value, the early warning count is incremented by one.
4. The method according to claim 2, characterized in that the method further comprises:
performing association analysis on the instant early warning information and the historical early warning information, and determining the access target of the access object according to preset correlation rules.
5. The method according to claim 4, characterized in that the method further comprises:
if the access target of the access object cannot be determined according to the preset correlation rules, establishing a new correlation rule from the instant early warning information and updating the correlation rules immediately.
6. The method according to claim 5, characterized in that the method further comprises:
saving the instant early warning information to the database and updating the database.
7. The method according to claim 6, characterized in that the method further comprises:
blocking the access object by IP address or port according to the intrusion alarm information.
8. A network intrusion alarm system based on a nuclear power plant, characterized in that the system comprises:
a detection module for detecting the data messages sent by an access object, the detection comprising misuse detection and protocol anomaly data detection;
a warning module for generating instant early warning information if the result of the detection module detecting the data messages is abnormal;
a matching module for matching the instant early warning information generated by the warning module with historical early warning information in a database;
an alarm module for sending intrusion alarm information if the matching result of the instant early warning information and the historical early warning information does not meet a preset matching value.
9. The system according to claim 8, characterized in that the system further comprises:
a receiver module for receiving the data messages sent by the access object.
10. The system according to claim 8, characterized in that the system further comprises:
a database for storing the historical early warning information, the historical early warning information comprising an early warning count field, wherein if the matching result of the instant early warning information and the historical early warning information meets the preset matching value, the early warning count is incremented by one.
11. The system according to claim 10, characterized in that the system further comprises:
an analysis module for performing association analysis on the instant early warning information and the historical early warning information and determining the access target of the access object according to preset correlation rules.
12. The system according to claim 11, characterized in that the system further comprises:
an adaptation module for storing the preset correlation rules, and for establishing a new correlation rule from the instant early warning information and updating the correlation rules immediately if the analysis module cannot determine the access target of the access object according to the preset correlation rules.
13. The system according to claim 12, characterized in that the system further comprises:
an update module for saving the instant early warning information to the database and updating the database.
14. The system according to claim 13, characterized in that the system further comprises:
an executive module for blocking the access object by IP address or port according to the intrusion alarm information.
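The matching, database, update, analysis, adaptation and alarm steps described for modules 307 to 319 above and claimed in claims 1 to 7 and 8 to 14, as an added Python example that is not code from the patent. It assumes an alert is a dict of fields, that the match score is the fraction of fields on which two alerts agree (the patent does not fix the comparison), and that a correlation rule is keyed by protocol and anomaly type; the sample alerts are constructed.

```python
from dataclasses import dataclass


@dataclass
class HistoricalAlert:
    """One record of historical early warning information (database 313)."""
    content: dict   # early warning content, unchanged once stored
    count: int = 1  # early warning count field


class AlertFusion:
    """Matching (307), database (313), update (311), analysis (315),
    adaptation (317) and alarm (309) steps. Assumption: an alert is a dict
    and the match score is the fraction of fields on which two alerts agree."""

    def __init__(self, match_value=0.75, rules=None):
        self.match_value = match_value      # preset matching value, e.g. 75%
        self.db = []                        # historical early warning information
        self.rules = dict(rules or {})      # (protocol, anomaly) -> access target

    @staticmethod
    def similarity(a, b):
        keys = set(a) | set(b)
        return sum(1 for k in keys if a.get(k) == b.get(k)) / len(keys)

    def match(self, instant):
        """Best-matching historical record if it reaches the matching value."""
        best = max(self.db, key=lambda h: self.similarity(h.content, instant), default=None)
        if best is not None and self.similarity(best.content, instant) >= self.match_value:
            return best
        return None

    def analyse(self, instant):
        """Association analysis by preset rules; if none applies, adapt by
        creating a new rule from the instant alert (hypothetical rule shape)."""
        key = (instant.get("protocol"), instant.get("anomaly"))
        if key not in self.rules:
            self.rules[key] = instant.get("dst_ip")   # new correlation rule
        return self.rules[key]

    def process(self, instant):
        """Fuse one instant alert; returns what the alarm/executive modules need."""
        hist = self.match(instant)
        if hist is not None:
            hist.count += 1                      # content unchanged, count + 1
            return {"alarm": False, "fused": hist}
        record = HistoricalAlert(dict(instant))  # unmatched: save, update database
        self.db.append(record)
        target = self.analyse(instant)
        # intrusion alarm; executive module blocks by IP address or port
        block = {"ip": instant.get("src_ip"), "port": instant.get("dst_port")}
        return {"alarm": True, "fused": record, "access_target": target, "block": block}


# Constructed sample alerts (not from the patent): two near-duplicates, one new type
SAMPLE_ALERTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "dst_port": 502, "protocol": "modbus", "anomaly": "protocol"},
    {"src_ip": "10.0.0.6", "dst_ip": "10.0.1.20", "dst_port": 502, "protocol": "modbus", "anomaly": "protocol"},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.20", "dst_port": 502, "protocol": "modbus", "anomaly": "misuse"},
]


def run_samples(match_value=0.75):
    fusion = AlertFusion(match_value)
    return fusion, [fusion.process(a) for a in SAMPLE_ALERTS]
```

With a 75% matching value the second alert (4 of 5 fields equal) only raises the stored count, while the third (3 of 5) is stored as a new record and raises an alarm.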
CN201310361837.4A 2013-08-19 2013-08-19 Network intrusion alarm method and system based on nuclear power plant Pending CN103888282A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201310361837.4A CN103888282A (en) 2013-08-19 2013-08-19 Network intrusion alarm method and system based on nuclear power plant
PCT/CN2013/087737 WO2015024315A1 (en) 2013-08-19 2013-11-24 Network intrusion alarm method and system for nuclear power station
GB1602102.4A GB2532630B (en) 2013-08-19 2013-11-24 Network intrusion alarm method and system for nuclear power plant


Publications (1)

Publication Number Publication Date
CN103888282A true CN103888282A (en) 2014-06-25

Family

ID=50957009


Country Status (3)

Country Link
CN (1) CN103888282A (en)
GB (1) GB2532630B (en)
WO (1) WO2015024315A1 (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909488A (en) * 2006-08-30 2007-02-07 北京启明星辰信息技术有限公司 Virus detection and invasion detection combined method and system
CN101399710A (en) * 2007-09-29 2009-04-01 北京启明星辰信息技术有限公司 Detection method and system for protocol format exception
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
WO2011077013A1 (en) * 2009-12-23 2011-06-30 Teknologian Tutkimuskeskus Vtt Intrusion detection in communication networks


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Li Wenlong: "Research and Implementation of a Hybrid Intrusion Detection System Based on Snort", Intelligent Computer and Applications *
Yang Zhijun: "A Survey of Intrusion Detection Technology Research", Computer Engineering and Design *


Also Published As

Publication number Publication date
GB201602102D0 (en) 2016-03-23
GB2532630A (en) 2016-05-25
GB2532630B (en) 2018-04-25
WO2015024315A1 (en) 2015-02-26


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20151104

Address after: Futian District Shenzhen City, Guangdong province 518023 Shennan Road No. 69

Applicant after: China Nuclear Power Engineering Co., Ltd.

Applicant after: Lingao Nuclear Power Co., Ltd.

Applicant after: China General Nuclear Power Corporation

Address before: Futian District Shenzhen City, Guangdong province 518023 Shennan Road No. 69

Applicant before: China Nuclear Power Engineering Co., Ltd.

Applicant before: China General Nuclear Power Corporation

RJ01 Rejection of invention patent application after publication

Application publication date: 20140625

RJ01 Rejection of invention patent application after publication