
CN111695115A - Industrial control system network attack tracing method based on communication delay and security evaluation - Google Patents

Industrial control system network attack tracing method based on communication delay and security evaluation

Info

Publication number: CN111695115A
Authority: CN (China)
Prior art keywords: attack, source, security, node, network
Legal status: Granted
Application number: CN202010451084.6A
Other languages: Chinese (zh)
Other versions: CN111695115B (en)
Inventors: 王宇, 李俊娥, 黄桂容
Current assignee: Wuhan University WHU
Original assignee: Wuhan University WHU

Events:
Application filed by Wuhan University WHU
Priority to CN202010451084.6A
Publication of CN111695115A
Application granted
Publication of CN111695115B
Current legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack source tracing method for industrial control systems based on communication delay and security assessment, comprising: S1, determining a potential attack source address list L; S2, sending a network status feedback request to all nodes in L, and if any node's network connection is disconnected, or no feedback is received from it after a preset number of requests, judging that node to be the attack source, otherwise going to S3; S3, sending a system running state information feedback request to all nodes in L; S4, performing a security assessment on the system running state information and taking the node with the lowest security degree as the attack source; S5, sending a system supervision log information feedback request to all nodes in L; S6, performing a security assessment on the system supervision log information and taking the node with the lowest security degree as the attack source; S7, outputting the list of switch or router information for the devices directly connected to the nodes in L, for the investigation of illegally connected external terminals. The method achieves comprehensive coverage of potential attack sources and accurate location of the attack source.

Description

Method for tracing the source of industrial control system network attacks based on communication delay and security assessment

Technical field

The invention belongs to the technical field of smart grid security, and in particular relates to a method for tracing the source of industrial control system network attacks based on communication delay and security assessment.

Background

Network attack source tracing helps a power industrial control system adopt appropriate defence strategies, block an attack at its source, and free the system from the threat of the attack to the greatest extent possible. At present there is a lack of research on tracing the source of network attacks on power industrial control systems based on communication delay and security assessment. Because the real-time control services in a power industrial control system have strict real-time requirements, and some of its communication protocols have no TCP/IP layer, source-tracing methods designed for traditional information networks cannot be applied.

Summary of the invention

The purpose of the present invention is to provide a method for tracing the source of industrial control system network attacks based on communication delay and security assessment, so as to solve the problem of how to effectively trace a network attack on a power industrial control system and determine its source.

The technical scheme adopted by the present invention to solve this technical problem is:

A method for tracing the source of industrial control system network attacks based on communication delay and security assessment, comprising the following steps:

S1. Determine all potential attack sources and from them build the potential attack source address list L. The potential attack sources include the attack packet, all packets having the same delay characteristics as the attack packet, and the terminals directly connected to the transmission device that captured the attack packet;

S2. Send a network status feedback request to all nodes in L. If any node's network connection is disconnected, or no feedback is received from it after a preset number of requests, that node is judged to be the attack source; otherwise go to S3;

S3. Send a system running state information feedback request to all nodes in L;

S4. Perform a security assessment on the system running state information to obtain a first-level security degree list. If any node has a security degree below the first preset threshold, take the node with the lowest security degree as the attack source; otherwise go to S5;

S5. Send a system supervision log information feedback request to all nodes in L;

S6. Perform a security assessment on the system supervision log information to obtain a second-level security degree list. If any terminal node has a security degree below the second preset threshold, take the node with the lowest security degree as the attack source; otherwise go to S7;

S7. Output the list of switches or routers directly connected to the nodes in L, for the investigation of illegally connected external terminals.

Further, step S1 includes:

S1.1. Initialise the potential attack source address list L. If the attack packet is not an Ethernet frame, go to S1.3; if it is an Ethernet frame without an IP header, add the source MAC address of the attack packet to L; if it is an Ethernet frame with an IP header, add the MAC address of the device corresponding to the source IP address to L;

S1.2. Obtain the MAC addresses of all non-transmission devices directly connected to the capture point and add them to L;

S1.3. Obtain the time tag of the attack packet and compute its delay information; if there is no time tag, go to S1.5;

S1.4. Using the delay information, obtain the MAC addresses of all nodes having the same delay characteristics as the second attack source address list. If the second attack source address list is not empty, add it to L and S1 ends; if it is empty, go to S1.5;

S1.5. Update L to the list of MAC addresses of all terminals in the same network as the attack capture point.

Further, the system running state information includes any one or more of: CPU utilisation, memory utilisation, swap partition utilisation, disk utilisation and number of processes.

Further, the system supervision log information includes file addition, deletion and modification records and/or process details.

The beneficial effects of the present invention are:

Treating packets with the same delay characteristics as the attack packet, and the terminals directly connected to the transmission device that captured the attack packet, as potential attack sources gives comprehensive coverage of potential attack sources and avoids omissions. Tracing the attack source level by level, according to network connection status feedback, system running state information feedback and system supervision log information feedback, allows the attack source to be located accurately.

Description of the drawings

The present invention is further described below with reference to the accompanying drawings and embodiments, in which:

Fig. 1 is a flowchart of the method for tracing the source of industrial control system network attacks based on communication delay and security assessment provided by an embodiment of the present invention;

Fig. 2 is an application scenario diagram of the method for tracing the source of industrial control system network attacks based on communication delay and security assessment provided by an embodiment of the present invention;

Fig. 3 is a flowchart of the method for tracing the source of industrial control system network attacks based on communication delay and security assessment provided by another embodiment of the present invention.

Detailed description

To make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. It should be understood that the specific embodiments described here are only used to explain the present invention and not to limit it. All other embodiments obtained by those of ordinary skill in the art, based on the embodiments of the present invention and without creative work, fall within the protection scope of the present invention.

Fig. 1 is a flowchart of the method for tracing the source of industrial control system network attacks based on communication delay and security assessment provided by an embodiment of the present invention. As shown in Fig. 1, an embodiment of the present invention provides a method for tracing the source of industrial control system network attacks based on communication delay and security assessment, comprising the following steps:

S1. Determine all potential attack sources and from them build the potential attack source address list L. The potential attack sources include the attack packet, all packets having the same delay characteristics as the attack packet, and the terminals directly connected to the transmission device that captured the attack packet.

Fig. 2 is an application scenario diagram of the method for tracing the source of industrial control system network attacks based on communication delay and security assessment provided by an embodiment of the present invention. As shown in Fig. 2, it depicts a network attack scenario that an embedded power grid terminal may face. First, the attacker implants malicious code on an operation and maintenance engineer's device. Later, when the engineer connects that device to the substation station-control-level network for maintenance, the device is used as a stepping stone: exploiting a vulnerability in an embedded power grid terminal (a measurement and control terminal), malicious code is implanted in one terminal. That malicious code can tamper with the data field of the GOOSE control messages transmitted on the network and thereby trip circuit breakers controlled by other terminals in the same VLAN. Finally, by continually tampering with control messages, the malicious program opens and closes several circuit breakers simultaneously and repeatedly, causing sustained damage to the power grid.

An intrusion detection system (IDS) is a network security device that monitors network traffic in real time and raises an alarm or takes active countermeasures when suspicious traffic is found. After the IDS detects an attack packet, the attack-related information it provides is used to determine the potential attack sources. In this embodiment a dedicated server may be set up, or an existing server used, as the network attack source tracing host that executes the method. Taking the delay characteristics of the attack packet into account, this embodiment also treats packets with the same delay characteristics as potential attack sources. "Same delay characteristics" is determined by preset intervals; for example, (0, 0.2 ms] is one interval, and all delays within it count as the same characteristic. The terminals directly connected to the transmission device that captured the attack packet must also be considered. For example, the final attack source address list L is determined from the source MAC addresses and destination MAC addresses of these potential attack sources.

S2. Send a network status feedback request to all nodes in L. If any node's network connection is disconnected, or no feedback is received from it after a preset number of requests, that node is judged to be the attack source; otherwise go to S3.

All suspicious nodes in list L are instructed to report their current network connection status to the network attack source tracing host. If the tracing host has not received the network connection status of a suspicious node within time tMAX, it re-sends the notification command to that node; if nothing is received after a preset number of attempts (for example three), the location of that suspicious node is judged to be the location of the attack source. In this case the attacking device is an illegal terminal; according to the preset network topology, the MAC address and port number of the transmission device the node is connected to are output as the location of the attack source, and tracing ends. If a suspicious node is disconnected from the network in which the attack capture point reported by the IDS is located, the location of that suspicious node is likewise judged to be the attack source location; the attacking device is an illegal terminal, the MAC address and port number of the transmission device the node is connected to are output as the attack source location, and tracing ends. If the tracing host receives the network connection status of all suspicious nodes and all of them are normal, go to S3.

S3. Send a system running state information feedback request to all nodes in L.

All suspicious nodes in list L are instructed to report their system running state information to the network attack source tracing host.

As an optional embodiment, the system running state information includes any one or more of: CPU utilisation, memory utilisation, swap partition utilisation, disk utilisation and number of processes.

For example, the system running state information may include all of: CPU utilisation, memory utilisation, swap partition utilisation, disk utilisation and number of processes.

S4. Perform a security assessment on the system running state information to obtain a first-level security degree list. If any node has a security degree below the first preset threshold, take the node with the lowest security degree as the attack source; otherwise go to S5.

The network attack source tracing host performs a first-level security assessment on the system running state information of all suspicious nodes. The assessment is implemented with existing methods; a support vector machine may be chosen as the assessment algorithm. This yields the first-level security degree list Lx1. The host then checks whether any node has a first-level security degree below the threshold X1 (the first preset threshold), whose default is 0.3. If so, the node with the lowest security degree is taken as the attack source; in this case the attacking device is a legitimate terminal, the node's MAC address is output and, according to the preset network topology, the MAC address and port number of the transmission device it is connected to are output as the attack source location, and tracing ends. If not, go to S5.

S5. Send a system supervision log information feedback request to all nodes in L.

All suspicious nodes in list L are instructed to report their current system supervision log information to the network attack source tracing host.

As an optional embodiment, the system supervision log information includes file addition, deletion and modification records and/or process details. For example, it may include both addition, deletion and modification records for important files and process details.

S6. Perform a security assessment on the system supervision log information to obtain the second-level security degree list Lx2. If any terminal node has a security degree below the second preset threshold, take the node with the lowest security degree as the attack source; otherwise go to S7.

The network attack source tracing host performs a second-level security assessment on the supervision log information of all suspicious nodes; a support vector machine may be chosen as the assessment algorithm. This yields the second-level security degree list Lx2. The host then checks whether any node has a second-level security degree below the threshold X2, whose default is 0.5. If so, the node with the lowest security degree is the attack source; the attacking device is a legitimate terminal, its MAC address is output and, according to the preset network topology, the MAC address and port number of the transmission device it is connected to are output as the attack source location, and tracing ends. If not, go to S7; in that case the attacking device is an illegal terminal.

S7. Output the list of switches or routers directly connected to the nodes in L, for the investigation of illegally connected external terminals.

Based on the potential attack source address list L and the preset network topology, the list LDTE of switches or routers directly connected to the nodes in L is output, and the administrator is notified to check whether any illegal external terminal is connected to these switches or routers. Tracing ends.
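The following Python program is added here as an illustration; it is not code from the patent or from its inventors. It walks a candidate list L through steps S2 to S7 on constructed node feedback. The node records, the topology (terminal MAC to switch MAC and port), the process-count baseline and the plain utilisation average used as the first-level score are all assumptions: the patent leaves the assessment algorithm open (it suggests a support vector machine), so the score function here is a stand-in, and the second-level log score is supplied as a constructed number rather than derived from logs. The thresholds X1 = 0.3 and X2 = 0.5 are the defaults given in the description.

```python
from dataclasses import dataclass, field
from typing import Optional

# Default thresholds from the description: X1 for first-level (run-state) scores,
# X2 for second-level (supervision-log) scores.
X1 = 0.3
X2 = 0.5
MAX_REQUESTS = 3         # "preset number of requests" before a silent node is judged the source
PROCESS_BASELINE = 400   # assumed normal upper bound on process count (constructed)

# Constructed topology: terminal MAC -> (transmission device MAC, port). Not from the patent.
TOPOLOGY = {
    "MAC24": ("SW1", 3),
    "MAC26": ("SW1", 5),
    "MAC28": ("SW2", 1),
}


@dataclass
class Node:
    """Feedback collected from one candidate node in L (constructed records)."""
    mac: str
    connected: bool = True           # still attached to the capture point's network
    answers_on: Optional[int] = 1    # request number on which the node replies; None = never
    run_state: dict = field(default_factory=dict)  # cpu/mem/swap/disk as 0..1, procs as a count
    log_score: float = 1.0           # constructed stand-in for the second-level score


def run_state_score(state: dict) -> float:
    """Stand-in for the first-level assessment (the patent suggests an SVM; this is a
    plain utilisation average): 1.0 means idle, 0.0 means saturated."""
    procs = min(state["procs"] / PROCESS_BASELINE, 1.0)
    load = (state["cpu"] + state["mem"] + state["swap"] + state["disk"] + procs) / 5
    return round(1.0 - load, 3)


def network_status(nodes):
    """S2: a disconnected node, or one still silent after MAX_REQUESTS, is an illegal terminal."""
    for n in nodes:
        if not n.connected or n.answers_on is None or n.answers_on > MAX_REQUESTS:
            return ("illegal_terminal", n.mac, TOPOLOGY[n.mac])
    return None


def lowest_below(scores: dict, threshold: float):
    """Return the MAC with the lowest score if that score is below the threshold, else None."""
    mac = min(scores, key=scores.get)
    return mac if scores[mac] < threshold else None


def trace(nodes):
    """Steps S2-S7 over L. Returns (verdict, node MAC or None, location to inspect)."""
    hit = network_status(nodes)
    if hit:
        return hit
    lx1 = {n.mac: run_state_score(n.run_state) for n in nodes}   # S3/S4
    mac = lowest_below(lx1, X1)
    if mac:
        return ("legitimate_terminal", mac, TOPOLOGY[mac])
    lx2 = {n.mac: n.log_score for n in nodes}                    # S5/S6
    mac = lowest_below(lx2, X2)
    if mac:
        return ("legitimate_terminal", mac, TOPOLOGY[mac])
    ldte = sorted({TOPOLOGY[n.mac][0] for n in nodes})           # S7: devices to check
    return ("check_for_external_terminal", None, ldte)


# Constructed feedback for three candidate nodes.
IDLE = {"cpu": 0.12, "mem": 0.35, "swap": 0.0, "disk": 0.40, "procs": 90}
BUSY = {"cpu": 0.97, "mem": 0.92, "swap": 0.85, "disk": 0.60, "procs": 380}

NODES_SILENT = [Node("MAC24", run_state=IDLE), Node("MAC26", answers_on=None, run_state=IDLE),
                Node("MAC28", run_state=IDLE)]
NODES_OVERLOADED = [Node("MAC24", run_state=IDLE), Node("MAC26", run_state=BUSY),
                    Node("MAC28", run_state=IDLE)]
NODES_TAMPERED_LOGS = [Node("MAC24", run_state=IDLE), Node("MAC26", run_state=IDLE, log_score=0.2),
                       Node("MAC28", run_state=IDLE)]
NODES_CLEAN = [Node("MAC24", run_state=IDLE), Node("MAC26", run_state=IDLE),
               Node("MAC28", run_state=IDLE)]

if __name__ == "__main__":
    for name, nodes in [("silent", NODES_SILENT), ("overloaded", NODES_OVERLOADED),
                        ("tampered logs", NODES_TAMPERED_LOGS), ("clean", NODES_CLEAN)]:
        print(name, "->", trace(nodes))
```

Each scenario stops at a different level: the silent node is reported at S2 as an illegal terminal with its switch and port, the overloaded node at S4 and the node with a poor log score at S6 as compromised legitimate terminals, and the clean list falls through to S7 with the switches an administrator should inspect for an unauthorised device.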

The method for tracing the source of industrial control system network attacks based on communication delay and security assessment provided by this embodiment treats packets with the same delay characteristics as the attack packet, and the terminals directly connected to the transmission device that captured the attack packet, as potential attack sources, giving comprehensive coverage of potential attack sources and avoiding omissions. Tracing the attack source level by level, according to network connection status feedback, system running state information feedback and system supervision log information feedback, allows the attack source to be located accurately.

Based on the above embodiment, as an optional embodiment, Fig. 3 is a flowchart of the method for tracing the source of industrial control system network attacks based on communication delay and security assessment provided by another embodiment of the present invention. As shown in Fig. 3, it is essentially the same as the above embodiment except for step S1, which here includes:

S1.1. Initialise the potential attack source address list L. If the attack packet is not an Ethernet frame, go to S1.3; if it is an Ethernet frame without an IP header, add the source MAC address of the attack packet to L; if it is an Ethernet frame with an IP header, add the MAC address of the device corresponding to the source IP address to L.

Initialise the potential attack source address list L = {MACsource}. If the attack packet is not an Ethernet frame, MACsource is set to empty and processing goes to S1.3. If the packet is an Ethernet frame without an IP header, check whether the source MAC address in the attack packet is a broadcast MAC; if so, MACsource is set to empty, otherwise MACsource is the source MAC address in the attack packet. If the packet is an Ethernet frame with an IP header, read the source IP address from the IP header; if it is a broadcast address, MACsource is set to empty, otherwise the device MAC address corresponding to that IP is obtained from the preset network topology, and that device MAC address is MACsource.

S1.2. Obtain the MAC addresses of all non-transmission devices directly connected to the capture point and add them to L.

Using the MAC address MACcapture of the attack capture point provided by the intrusion detection system, obtain from the preset network topology the MAC addresses of all non-transmission devices directly connected to the transmission device whose MAC address is MACcapture, and add them all to the possible attack source list L. A transmission device is a device that forwards packets on the communication network; a non-transmission device is one that communicates over the network, i.e. data terminal equipment.

S1.3. Obtain the time tag of the attack packet and compute its delay information; if there is no time tag, go to S1.4.

Read the UTC time tag tUTC and the packet length length carried in the attack packet. If the attack packet has no time tag field, go to S1.5; otherwise, using the capture time tcurrent of the packet provided by the IDS (tUTC and tcurrent both have millisecond precision), compute the delay information as tdelay = tcurrent - tUTC.

S1.4. Using the delay information, obtain the MAC addresses of all nodes having the same delay characteristics as the second attack source address list. If the second attack source address list is not empty, add it to L and S1 ends; if it is empty, go to S1.5.

Input length, MACcapture, tUTC and tdelay into the communication delay model to obtain the list Ldelay of MAC addresses of all nodes matching the delay characteristics. The communication delay model can be built in advance from the mapping between communication delay ranges (delay characteristics) and node MAC addresses. In a power industrial control system, when no fault has occurred, the communication delay of a given device at the same time of day is relatively stable (because most services are periodic); hence the nodes whose packets have the same delay characteristics as the attack packet can be obtained from its delay and treated as potential attack nodes, and their MAC addresses form the second attack source address list. To allow for error in the delay value, the present invention maps MAC addresses to delay ranges rather than to exact delay values, which improves its robustness. If Ldelay is not empty, add all MAC addresses in Ldelay to L, i.e. L = {L, Ldelay}, end S1 and go to S2; otherwise go to S1.5.

S1.5. Update L to the list of MAC addresses of all terminals in the same network as the attack capture point.

According to the preset network topology, L is updated to the list of MAC addresses of all terminals in the same network as the attack capture point provided by the IDS. Because some networks in a power industrial control system are physically isolated, terminals in different isolated networks cannot communicate. Two terminals that can communicate with each other, with no physical isolation between them, are considered to be in the same network.

Based on the embodiments above, a specific example is described as follows:

Obtain the information about the network attack from the intrusion detection system, including: the attack packet PG3, the MAC address MAC1 of the capture point of the attack packet, and the packet capture time UTC_cap1;

The communication delay of the attack packet is computed as 0.1225 ms. Since in practice the delay precision is only milliseconds, the delay is recorded as 0 ms;

Using the statistics-based communication delay model, obtain the list of all possible attack sources L_attack = {MAC24, MAC26, MAC28, MAC30, MAC32, MAC34, MAC35, MAC36, MAC37, MAC38};

Obtain the current network connection status of all terminals in L_attack; on inspection, the network connections of all these terminals are normal;

Obtain the system running status information of all terminals in L_attack, including: CPU utilization, memory utilization, swap partition utilization, disk utilization, and number of processes;

Perform the first-level security evaluation on the system running status information of all terminals in L_attack, obtaining the first-level security list L_x1 = {0.7881, 0.7683, 0.8233, 0.7374, 0.8411, 0.0055, 0.7833, 0.4543, 0.7946, 0.6914}. There is a terminal whose first-level security degree is below the threshold X1 (X1 takes the default value 0.3), and the terminal with the lowest security degree is the attack source. In this case the attacking device is a legitimate terminal: output its MAC address MAC34 and, according to the preset network topology, output the MAC address MAC18 and port number 2 of the transmission device it is connected to as the network coordinates of the attack source. The network attack tracing ends.
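The following is an added example, not code from the patent: it implements steps S1.3 to S1.5 (delay computation, range-based delay model lookup, and the same-network fallback) together with the first-level security selection of step S4, and runs them over constructed data that mirrors the specific example above. The MAC names, the contents of the delay model and the topology are constructed placeholders, and the constructed model keys only on capture point and delay range (the packet length input is not used).

```python
"""Added example, not the patent's own code: steps S1.3-S1.5 (delay-based
potential-source list) and the S4 first-level security selection, over
constructed data. MAC names, delay model and topology are placeholders."""
from typing import Dict, List, Optional, Tuple

# Constructed delay model: per capture point, (min_ms, max_ms, nodes) ranges.
# A range instead of an exact value absorbs measurement error, as described.
# The packet length input mentioned in the description is not used here.
DELAY_MODEL: Dict[str, List[Tuple[int, int, List[str]]]] = {
    "MAC1": [
        (0, 0, ["MAC24", "MAC26", "MAC28", "MAC30", "MAC32",
                "MAC34", "MAC35", "MAC36", "MAC37", "MAC38"]),
        (1, 3, ["MAC40", "MAC41"]),
    ],
}
# Constructed topology: terminal -> (access switch MAC, port), and the
# terminals not physically isolated from each capture point (for S1.5).
ACCESS_PORT: Dict[str, Tuple[str, int]] = {"MAC34": ("MAC18", 2)}
SAME_NETWORK: Dict[str, List[str]] = {"MAC1": ["MAC24", "MAC26", "MAC40"]}


def delay_ms(t_utc_ms: float, t_current_ms: float) -> int:
    """S1.3: t_delay = t_current - t_UTC, truncated to whole milliseconds
    because both stamps carry millisecond precision (0.1225 ms -> 0 ms)."""
    diff = t_current_ms - t_utc_ms
    if diff < 0:  # capture before send: clock skew, not a usable delay
        raise ValueError("capture time precedes packet time tag")
    return int(diff)

def nodes_with_delay(capture_mac: str, delay: int) -> List[str]:
    """S1.4: every node whose modelled delay range contains `delay`."""
    found: List[str] = []
    for lo, hi, nodes in DELAY_MODEL.get(capture_mac, []):
        if lo <= delay <= hi:
            found.extend(n for n in nodes if n not in found)
    return found

def potential_sources(L: List[str], capture_mac: str,
                      t_utc_ms: Optional[float], t_current_ms: float) -> List[str]:
    """S1.3-S1.5: extend L from the delay model, or (no time tag, or no
    matching node) replace L with every terminal in the capture point's network."""
    if t_utc_ms is not None:
        l_delay = nodes_with_delay(capture_mac, delay_ms(t_utc_ms, t_current_ms))
        if l_delay:  # L = {L, L_delay}, S1 ends
            return L + [m for m in l_delay if m not in L]
    return list(SAME_NETWORK.get(capture_mac, []))  # S1.5

def first_level_source(L: List[str], scores: List[float], x1: float = 0.3
                       ) -> Optional[Tuple[str, Tuple[str, int]]]:
    """S4: if some node scores below X1, the lowest-scoring node is the
    attack source; return its MAC and (switch MAC, port) coordinates.
    None means no node is below the threshold and tracing continues at S5."""
    mac, score = min(zip(L, scores), key=lambda p: p[1])
    if score >= x1:
        return None
    return mac, ACCESS_PORT.get(mac, ("unknown", -1))

if __name__ == "__main__":
    L = potential_sources([], "MAC1", t_utc_ms=1000.0, t_current_ms=1000.1225)
    scores = [0.7881, 0.7683, 0.8233, 0.7374, 0.8411,
              0.0055, 0.7833, 0.4543, 0.7946, 0.6914]
    print(first_level_source(L, scores))  # ('MAC34', ('MAC18', 2))
```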

The present invention has been described with reference to a small number of embodiments. However, as is known to those skilled in the art, embodiments other than those disclosed above fall equally within the scope of the invention as defined by the appended patent claims.

Those skilled in the art will appreciate that embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the specific embodiments of the present invention, and any modification or equivalent substitution that does not depart from the spirit and scope of the present invention shall fall within the protection scope of the claims of the present invention.

Claims (4)

1. An industrial control system network attack tracing method based on communication delay and security evaluation, characterized in that it comprises the following steps:
S1. Determine all potential attack sources and, from them, determine the potential attack source address list L. The potential attack sources include the attack packet, all packets having the same delay characteristics as the attack packet, and the terminals directly connected to the transmission device that captured the attack packet;
S2. Send a network status feedback request to all nodes in L. If any node's network connection is disconnected, or no feedback is received after a preset number of requests, that node is judged to be the attack source; otherwise go to S3;
S3. Send a system running status information feedback request to all nodes in L;
S4. Perform a security evaluation on the system running status information to obtain the first-level security list. If there is a node whose security degree is below the first preset threshold, take the node with the lowest security degree as the attack source; otherwise go to S5;
S5. Send a system supervision log information feedback request to all nodes in L;
S6. Perform a security evaluation on the system supervision log information to obtain the second-level security list. If there is a terminal node whose security degree is below the second preset threshold, take the node with the lowest security degree as the attack source; otherwise go to S7;
S7. Output the list of switch information or router information for the switches or routers directly connected to the nodes in L, for investigating illegal externally connected terminals.

2. The industrial control system network attack tracing method based on communication delay and security evaluation according to claim 1, characterized in that step S1 comprises:
S1.1. Initialize the potential attack source address list L. If the attack packet is not an Ethernet frame, go to S1.3; if the attack packet is an Ethernet frame without an IP header, add the source MAC address of the attack packet to L; if the packet is an Ethernet frame with an IP header, add the MAC address of the device corresponding to the source IP address to L;
S1.2. Obtain the MAC addresses of all non-transmission devices directly connected to the capture point and add them to L;
S1.3. Obtain the time tag of the attack packet and compute the delay information of the attack packet; if there is no time tag, go to S1.5;
S1.4. According to the delay information, obtain the MAC addresses of all nodes with the same delay characteristics as the second attack source address list. If the second attack source address list is not empty, add it to L and end S1; if the second attack source address list is empty, go to S1.5;
S1.5. Update L to the list of MAC addresses of all terminals in the same network as the attack capture point.

3. The industrial control system network attack tracing method based on communication delay and security evaluation according to claim 1, characterized in that the system running status information comprises any one or more of: CPU utilization, memory utilization, swap partition utilization, disk utilization, and number of processes.

4. The industrial control system network attack tracing method based on communication delay and security evaluation according to claim 1, characterized in that the system supervision log information comprises file creation, deletion and modification records and/or process details.
CN202010451084.6A 2020-05-25 2020-05-25 Industrial control system network attack tracing method based on communication time delay and security evaluation Active CN111695115B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010451084.6A CN111695115B (en) 2020-05-25 2020-05-25 Industrial control system network attack tracing method based on communication time delay and security evaluation

Publications (2)

Publication Number Publication Date
CN111695115A true CN111695115A (en) 2020-09-22
CN111695115B CN111695115B (en) 2023-05-05

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112738089A (en) * 2020-12-29 2021-04-30 中国建设银行股份有限公司 Method and device for automatically backtracking source ip under complex network environment
CN114866298A (en) * 2022-04-21 2022-08-05 武汉大学 A method for tracing the source of network attacks on power industrial control systems combining packet marking and packet logging

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant