
CN109696892A - A kind of Safety Automation System and its control method - Google Patents


Info

Publication number: CN109696892A
Authority: CN (China)
Prior art keywords: attack, module, log, automation system, source information
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201811574965.6A
Other languages: Chinese (zh)
Inventor: 高玮中
Current assignee: Shanghai Hanzhiyou Information Technology Service Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shanghai Hanzhiyou Information Technology Service Co Ltd
Application filed by Shanghai Hanzhiyou Information Technology Service Co Ltd
Priority to CN201811574965.6A
Publication of CN109696892A


Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/4185 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by the network communication
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/31 From computer integrated manufacturing till monitoring
    • G05B2219/31088 Network communication between supervisor and cell, machine group
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Manufacturing & Machinery (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Computer And Data Communications (AREA)

Abstract

The safety automation system and control method of the present invention are applied to an automated production system; the safety automation system and the automated production system have the same production environment. The safety automation system comprises: an acquisition module, which acquires attack behaviors; a classification and identification module, connected to the acquisition module, which classifies the attack behaviors; multiple decoy attack modules, each connected to the classification and identification module, which generate a corresponding log for the corresponding type of attack behavior; a data analysis module, connected to each decoy attack module, which reads the attack source information of each attack behavior from the logs and counts it; a judgment module, connected to the data analysis module, which integrates the attack sources that exceed a preset threshold into an alarm message and outputs it; and an automation module, connected to the judgment module, which writes the alarm message into the automated production system. The beneficial effects of the invention are that the security and reliability of the automated production system are improved, and the efficiency of collecting and auditing attack behaviors is improved.

Description

A kind of Safety Automation System and its control method
Technical field
The present invention relates to the technical field of production safety, and in particular to a safety automation system and its control method.
Background technique
As production safety technology keeps improving and Internet technology spreads rapidly, new opportunities are brought to the field of production safety, but new threats are brought with them. Because of the connectivity of the Internet, a malicious actor can launch a precise remote attack on production equipment from any terminal connected to the Internet. When a network security incident occurs, people urgently want to know what kind of attack the malicious actor has carried out against the server of the production equipment and how to prevent such attacks. The production equipment on which the incident occurred holds a large amount of information related to the security incident; collecting this security information and analyzing it centrally makes it possible to reconstruct how the incident unfolded and gives direction for handling it.
In the prior art, the emergency handling of production safety incidents relies on personnel who check the security information by hand, review and audit it manually in order to determine whether an attack on the production equipment is malicious, and then protect against the malicious attack. Checking and auditing security information manually has the disadvantages that the security information is scattered and voluminous, the manual process is time-consuming and laborious, and its efficiency and accuracy are low.
Summary of the invention
In view of the above problems in the prior art, a safety automation system and its control method are now provided: a safety automation system having the same production environment as the automated production system is set up; attack behaviors are collected by the safety automation system, classified and analyzed; and the attack sources obtained from that classification and analysis are automatically written into the automated production system. This improves the safety and reliability of the automated production system and improves the efficiency of collecting and auditing attack behaviors.
The specific technical solution is as follows:
A safety automation system, applied in an automated production system; wherein the safety automation system and the automated production system have the same production environment;
The safety automation system specifically comprises:
an acquisition module, for acquiring the attack behaviors directed at the safety automation system;
a classification and identification module, connected to the acquisition module, for classifying the attack behaviors by preset attack type;
multiple decoy attack modules, each connected to the classification and identification module; each decoy attack module corresponds to one type of attack behavior, serves as the target of attacks of that type, and generates and outputs the corresponding log;
a data analysis module, connected to each decoy attack module, for receiving the log output by each decoy attack module, reading the attack source information of each attack behavior from a specific field of the log and counting it; the data analysis module outputs the statistical result;
a judgment module, connected to the data analysis module, for judging from the statistical result whether the number of attacks from each attack source exceeds a preset threshold, and integrating the attack sources that exceed the preset threshold into an alarm message for output;
an automation module, connected to the judgment module, for writing the alarm message into the automated production system.
Preferably, in the safety automation system, the data analysis module comprises:
a data analysis unit, which receives each log and reads the attack source information of each attack behavior from a specific field of the log;
a data statistics unit, connected to the data analysis unit, which counts occurrences of the same attack source information across the attack behaviors and outputs the statistical result.
Preferably, in the safety automation system, the automation module comprises:
a writing unit, which writes the alarm message into the automated production system;
a generation unit, which generates a write file from the alarm message;
a firewall unit, connected to the file generation unit, which writes the attack source information in the text file into the firewall of the automated production system.
Preferably, the safety automation system comprises a security audit module connected to the automation module, the security audit module comprising:
a first security audit unit, which records the alarm message that the automation module writes into the automated production system, generates a first record content from it, and sends the first record content to the administrator;
a second security audit unit, which monitors in real time the automation module's writing of attack source information into the firewall and the change records that the firewall makes on the basis of that attack source information, generates a second record content from them, and sends the second record content to the administrator.
Preferably, the safety automation system comprises a storage module, connected respectively to the acquisition module, the classification and identification module, each decoy attack module and the judgment module, for storing the attack behaviors, the classification labels of the attack behaviors, the logs and the alarm messages.
Also provided is a control method of a safety automation system, applied in the safety automation system; wherein the safety automation system is applied in an automated production system;
The control method comprises the following steps:
Step S1: acquire the attack behaviors directed at the safety automation system;
Step S2: classify the attack behaviors by preset attack type;
Step S3: generate and output the corresponding log for each type of attack behavior;
Step S4: receive the log output by each decoy attack module, read the attack source information of each attack behavior from a specific field of the log and count it; the data analysis module outputs the statistical result;
Step S5: judge whether the number of attacks from each attack source exceeds the preset threshold;
if so, integrate the attack sources that exceed the preset threshold into an alarm message and output it;
if not, return to step S1;
Step S6: write the alarm message into the automated production system.
Preferably, in the control method of the safety automation system, step S4 comprises the following steps:
Step S41: receive each log and read the attack source information of each attack behavior from a specific field of the log;
Step S42: count occurrences of the same attack source information across the attack behaviors and output the statistical result.
Preferably, in the control method of the safety automation system, step S6 comprises the following steps:
Step S61A: record the alarm message that the automation module writes into the automated production system, to generate a first record content;
Step S62A: send the first record content to the administrator.
Preferably, in the control method of the safety automation system, step S6 comprises the following steps:
Step S61B: monitor in real time the automation module's writing of attack source information into the firewall and the change records that the firewall makes on the basis of that attack source information, to generate a second record content;
Step S62B: send the second record content to the administrator.
The above technical solution has the following advantages or beneficial effects: by setting up a safety automation system with the same production environment as the automated production system, collecting attack behaviors through the safety automation system, classifying and analyzing them, and automatically writing the attack sources obtained from that classification and analysis into the automated production system, the safety and reliability of the automated production system are improved and the efficiency of collecting and auditing attack behaviors is improved.
Detailed description of the invention
The embodiments of the present invention are described more fully with reference to the appended drawings. The appended drawings, however, serve only for illustration and explanation and are not intended to limit the scope of the invention.
Fig. 1 is a structural schematic diagram of an embodiment of the safety automation system of the present invention;
Fig. 2 is a structural schematic diagram of the data analysis module of the embodiment of the safety automation system of the present invention;
Fig. 3 is a structural schematic diagram of the automation module of the embodiment of the safety automation system of the present invention;
Fig. 4 is a flow chart of the embodiment of the control method of the safety automation system of the present invention;
Fig. 5 is a flow chart of step S4 of the embodiment of the control method of the safety automation system of the present invention;
Fig. 6 is flow chart A of step S6 of the embodiment of the control method of the safety automation system of the present invention;
Fig. 7 is flow chart B of step S6 of the embodiment of the control method of the safety automation system of the present invention.
Specific embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that, in the absence of conflict, the embodiments of the present invention and the features in the embodiments may be combined with each other.
The present invention is further explained below with reference to the drawings and specific embodiments, which are not to be taken as limiting the invention.
As shown in Fig. 1, the present invention comprises a safety automation system applied in an automated production system 1; the safety automation system 2 and the automated production system 1 have the same production environment;
The safety automation system 2 specifically comprises:
an acquisition module 21, for acquiring the attack behaviors directed at the safety automation system 2;
a classification and identification module 22, connected to the acquisition module 21, for classifying the attack behaviors by preset attack type;
multiple decoy attack modules 23, each connected to the classification and identification module 22; each decoy attack module 23 corresponds to one type of attack behavior, serves as the target of attacks of that type, and generates and outputs the corresponding log;
a data analysis module 24, connected to each decoy attack module 23, for receiving the log output by each decoy attack module 23, reading the attack source information of each attack behavior from a specific field of the log and counting it; the data analysis module 24 outputs the statistical result;
a judgment module 25, connected to the data analysis module 24, for judging from the statistical result whether the number of attacks from each attack source exceeds a preset threshold, and integrating the attack sources that exceed the preset threshold into an alarm message for output;
an automation module 26, connected to the judgment module 25, for writing the alarm message into the automated production system 1.
In the above embodiment, a safety automation system 2 with the same production environment as the automated production system 1 is set up; attack behaviors are collected by the acquisition module 21 of the safety automation system 2 and classified by the classification and identification module 22; each decoy attack module 23 corresponds to one type of attack behavior, serves as the target of attacks of that type, and generates and outputs the corresponding log; the data analysis module 24 reads the attack source information of each attack behavior from a specific field of the log and counts it; the judgment module 25 judges the statistical result and obtains the alarm message; and the automation module 26 automatically writes the alarm message into the automated production system 1. This improves the safety and reliability of the automated production system 1; the automated approach saves time and effort and improves the efficiency and accuracy of the writing.
Further, as a preferred embodiment, the multiple decoy attack modules 23 may be multiple honeypot modules; each honeypot module corresponds to one type of attack behavior, serves in accordance with honeypot technology as the target of attacks of that type, and generates and outputs the corresponding honeypot log.
Further, in the above preferred embodiment, the honeypot modules include the following:
First honeypot module: the Cowrie honeypot, an interactive honeypot based on SSH (Secure Shell). It records SSH and TELNET (remote terminal protocol) brute-force attempts against accounts and passwords; after a user has cracked an account and password and logged in, it saves the files downloaded with wget (a free tool for downloading files from the network automatically) and curl (Command Line Uniform Resource Locator, a command-line file transfer tool that uses URL (Uniform Resource Locator) syntax), and the files uploaded with SFTP (Secure File Transfer Protocol) and SCP (secure copy command).
That is, the attack behavior targeted by the first honeypot module is the brute-forcing of accounts and passwords. In other words, the system vulnerability simulated in the first honeypot module is the vulnerability exploited by that attack behavior.
Second honeypot module: the Honeytrap honeypot, which records attack behaviors against services on the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP). The Honeytrap honeypot simulates some well-known services as a daemon, can analyze the attack string, and executes the corresponding file download instruction.
That is, the attack behavior in the second honeypot module is an attack on a TCP or UDP service (such as SMTP, POP3, remote desktop and other services).
Third honeypot module: the Elasticpot honeypot, which simulates an RCE (remote code execution) vulnerability in elasticsearch (a search server for distributed full-text search); by forging the /, /_search and /_nodes (node) endpoints it answers requests with JSON (a lightweight data interchange format based on the JavaScript language) messages as a vulnerable ES (elasticsearch) instance would.
Fourth honeypot module: the Glastopf honeypot, a low-interaction web (World Wide Web) application honeypot. Glastopf can emulate thousands of web vulnerabilities; it responds to the attacker according to the attack technique used and then collects data from the attack process against the target web application. It is aimed at automated vulnerability scanning/exploitation tools: by categorizing exploitation techniques it returns a plausible result for each class of technique, achieving low interaction in this way.
That is, the attack behavior in the fourth honeypot module is automated vulnerability scanning/exploitation.
Fifth honeypot module: the Dionaea honeypot. Dionaea is an application program running on Linux (an operating system) in a network environment; it opens the default ports of common Internet services and, when an external connection arrives, simulates the normal service and gives a response, while recording the incoming and outgoing network data flow. The network data flow is classified and processed after detection by a detection module; if it contains shellcode, the shellcode is emulated. The program automatically downloads the malicious file specified in the shellcode or specified by follow-on attack commands.
That is, the attack behavior in the fifth honeypot module is an attack carried in a malicious file specified in shellcode or by follow-on attack commands.
Further, in the above preferred embodiment, each honeypot module generates its own honeypot log.
For example, the Cowrie honeypot module generates the cowrie module log;
the Honeytrap honeypot module generates the honeytrap module log;
the Elasticpot honeypot module generates the elasticpot module log;
the Glastopf honeypot module generates the glastopf module log;
the Dionaea honeypot module generates the dionaea module log.
Further, in the above embodiment, as shown in Fig. 2, the data analysis module 24 comprises:
a data analysis unit 241, which receives each log and reads the attack source information of each attack behavior from a specific field of the log;
a data statistics unit 242, connected to the data analysis unit 241, which counts occurrences of the same attack source information across the attack behaviors and outputs the statistical result.
Further, as a preferred embodiment, when the attack behavior is one captured by the first honeypot module, the Cowrie honeypot, the Cowrie honeypot generates the corresponding cowrie module log; the data analysis unit 241 receives each cowrie module log and reads the attack source information of each attack behavior from a specific field of the cowrie module log (for example, the field src_ip in the cowrie module log is read as the attack source information of the attack behavior); the data statistics unit 242 counts occurrences of the same attack source information across the attack behaviors and outputs the statistical result, i.e. the number of occurrences of the same attack source information obtained by counting, which is the number of attacks from that attack source.
The statistical result is then output to the judgment module 25, which judges from the statistical result whether the number of attacks from each attack source exceeds a preset threshold and integrates the attack sources that exceed the preset threshold into an alarm message for output.
By the above embodiment it is thus known whether each attack source in the cowrie module log of the first honeypot module is carrying out a malicious attack.
Further, as a preferred embodiment, when the attack behavior is one captured by the second honeypot module, the Honeytrap honeypot, the Honeytrap honeypot generates the corresponding honeytrap module log; the data analysis unit 241 receives each honeytrap module log and reads the attack source information of each attack behavior from a specific field of the honeytrap module log (for example, the field remote_ip in the honeytrap module log is read as the attack source information of the attack behavior); the data statistics unit 242 counts occurrences of the same attack source information across the attack behaviors and outputs the statistical result, i.e. the number of occurrences of the same attack source information obtained by counting, which is the number of attacks from that attack source.
The statistical result is then output to the judgment module 25, which judges from the statistical result whether the number of attacks from each attack source exceeds a preset threshold and integrates the attack sources that exceed the preset threshold into an alarm message for output.
By the above embodiment it is thus known whether each attack source in the honeytrap module log of the second honeypot module is carrying out a malicious attack.
Further, as a preferred embodiment, when the attack behavior is one captured by the third honeypot module, the Elasticpot honeypot, the Elasticpot honeypot generates the corresponding elasticpot module log; the data analysis unit 241 receives each elasticpot module log and reads the attack source information of each attack behavior from a specific field of the elasticpot module log (for example, the field src_ip in the elasticpot module log is read as the attack source information of the attack behavior); the data statistics unit 242 counts occurrences of the same attack source information across the attack behaviors and outputs the statistical result, i.e. the number of occurrences of the same attack source information obtained by counting, which is the number of attacks from that attack source.
The statistical result is then output to the judgment module 25, which judges from the statistical result whether the number of attacks from each attack source exceeds a preset threshold and integrates the attack sources that exceed the preset threshold into an alarm message for output.
By the above embodiment it is thus known whether each attack source in the elasticpot module log of the third honeypot module is carrying out a malicious attack.
Further, as a preferred embodiment, when the attack behavior is one captured by the fourth honeypot module, the Glastopf honeypot, the Glastopf honeypot generates the corresponding glastopf module log; the data analysis unit 241 receives each glastopf module log and reads the attack source information of each attack behavior from a specific field of the glastopf module log (for example, the field IP in the glastopf module log is read as the attack source information of the attack behavior); the data statistics unit 242 counts occurrences of the same attack source information across the attack behaviors and outputs the statistical result, i.e. the number of occurrences of the same attack source information obtained by counting, which is the number of attacks from that attack source.
The statistical result is then output to the judgment module 25, which judges from the statistical result whether the number of attacks from each attack source exceeds a preset threshold and integrates the attack sources that exceed the preset threshold into an alarm message for output.
By the above embodiment it is thus known whether each attack source in the glastopf module log of the fourth honeypot module is carrying out a malicious attack.
Further, as a preferred embodiment, when the attack behavior is one captured by the fifth honeypot module, the Dionaea honeypot, the Dionaea honeypot generates the corresponding dionaea module log; the data analysis unit 241 receives each dionaea module log and reads the attack source information of each attack behavior from a specific field of the dionaea module log (for example, the field src_ip in the dionaea module log is read as the attack source information of the attack behavior); the data statistics unit 242 counts occurrences of the same attack source information across the attack behaviors and outputs the statistical result, i.e. the number of occurrences of the same attack source information obtained by counting, which is the number of attacks from that attack source.
The statistical result is then output to the judgment module 25, which judges from the statistical result whether the number of attacks from each attack source exceeds a preset threshold and integrates the attack sources that exceed the preset threshold into an alarm message for output.
By the above embodiment it is thus known whether each attack source in the dionaea module log of the fifth honeypot module is carrying out a malicious attack.
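As an added illustration (example code written for this edit; it is not part of the patent and not code from any of the honeypot projects named above), the following Python implements the data analysis unit 241, the data statistics unit 242 and the judgment module 25 described for the five honeypot logs. Only the per-honeypot source field names (src_ip, remote_ip, IP) come from the text; the one-JSON-object-per-line log layout, the sample log lines and every address in them are constructed, and the function names are this example's own. It goes a little beyond the text in two ways: it handles all five honeypot types in one pass, accumulating a single total per attack source, and it skips lines that are not valid JSON or lack the source field, which is the first failure mode real honeypot output produces.

```python
import json
from collections import Counter

# Log field that carries the attack source for each honeypot module, as the
# embodiment states (cowrie: src_ip, honeytrap: remote_ip, elasticpot: src_ip,
# glastopf: IP, dionaea: src_ip).
SOURCE_FIELD = {
    "cowrie": "src_ip",
    "honeytrap": "remote_ip",
    "elasticpot": "src_ip",
    "glastopf": "IP",
    "dionaea": "src_ip",
}

# Constructed sample honeypot logs as (honeypot module, one JSON log line).
# The JSON layout, the extra fields and every address are made up for this
# example; only the source field names come from the patent text.
SAMPLE_LOGS = [
    ("cowrie", '{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "root"}'),
    ("cowrie", '{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "username": "admin"}'),
    ("honeytrap", '{"remote_ip": "203.0.113.5", "port": 25}'),
    ("honeytrap", '{"remote_ip": "198.51.100.7", "port": 3389}'),
    ("elasticpot", '{"src_ip": "203.0.113.5", "path": "/_search"}'),
    ("glastopf", '{"IP": "192.0.2.9", "request": "/index.php"}'),
    ("glastopf", '{"IP": "203.0.113.5", "request": "/admin"}'),
    ("dionaea", '{"src_ip": "198.51.100.7", "protocol": "smbd"}'),
    ("dionaea", 'this line is not valid JSON'),          # must be skipped
    ("cowrie", '{"eventid": "cowrie.session.closed"}'),  # no source field: skipped
]


def extract_source(honeypot, line):
    """Data analysis unit: read the attack source from one log line.

    Returns the source address as a string, or None when the honeypot type is
    unknown, the line is not valid JSON, or the expected field is missing.
    """
    field = SOURCE_FIELD.get(honeypot)
    if field is None:
        return None
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    value = record.get(field)
    return value if isinstance(value, str) and value else None


def count_sources(logs):
    """Data statistics unit: count how many attack behaviors each source produced.

    Counts are aggregated over all honeypot modules, so one source that hits
    several honeypots accumulates a single total.
    """
    counts = Counter()
    for honeypot, line in logs:
        source = extract_source(honeypot, line)
        if source is not None:
            counts[source] += 1
    return counts


def build_alarm(counts, threshold):
    """Judgment module: integrate every source whose attack count exceeds the
    preset threshold into one alarm message; None when nothing exceeds it."""
    offenders = sorted(src for src, n in counts.items() if n > threshold)
    if not offenders:
        return None
    return {
        "threshold": threshold,
        "sources": offenders,
        "counts": {src: counts[src] for src in offenders},
    }


if __name__ == "__main__":
    stats = count_sources(SAMPLE_LOGS)
    print(stats)
    print(build_alarm(stats, threshold=3))
```

With the constructed lines and a threshold of 3, only 203.0.113.5 (five events across four honeypots) ends up in the alarm; 198.51.100.7 stays below it. The strict `>` comparison follows the text's "exceeds a preset threshold"; a deployment that wants "at least" semantics changes that one operator.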
Further, in the above embodiment, while the judgment module 25 integrates the attack sources that exceed the preset threshold into the alarm message and outputs it, the judgment module 25 also generates a mail from the analysis data that meet each type of alarm condition and informs the manager, so that the manager is informed in time and has the best opportunity to eliminate the threat accurately and quickly.
Of course, besides mail, the manager can also be informed by SMS, WeChat and other means.
Further, in the above embodiment, as shown in Fig. 3, the automation module 26 comprises:
a writing unit 261, which writes the alarm message into the automated production system 1;
a generation unit 262, which generates a write file from the alarm message;
a firewall unit 263, connected to the file generation unit 262, which writes the attack source information in the text file into the firewall of the automated production system 1, so as to block access to the automated production system 1 from the attack sources corresponding to the attack source information in the text file.
The write file may be a text file or any other file that can be written into the firewall of the automated production system 1.
Further, the above embodiment comprises a security audit module 27 connected to the automation module 26, the security audit module 27 comprising:
a first security audit unit, which records the alarm message that the automation module 26 writes into the automated production system 1, generates a first record content from it, and sends the first record content to the administrator by mail, for tracing changes;
a second security audit unit, which monitors in real time the automation module 26 writing attack source information into the firewall of the automated production system 1 and the change records that the firewall makes on the basis of that attack source information, generates a second record content from them, and sends the second record content to the administrator by mail.
Here too, besides mail, the manager can also be informed by SMS, WeChat and other means.
Further, as a preferred embodiment, when the automation module 26 writes a source address into the firewall of the automated production system 1, the local log in the firewall is triggered and at the same time sent to a remote server; the second security audit unit of the security audit module 27 in the remote server generates the second record content by real-time monitoring and sends it to the administrator by mail, so that a comprehensive and timely audit can be carried out, hidden security risks found quickly and security problems located.
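As an added illustration of the automation module 26 and the two security audit units (example code written for this edit, not the patent's own), the following Python takes an alarm message of the form {"threshold": ..., "sources": [...]} (a constructed assumption about the alarm's shape), turns it into the text file the generation unit 262 produces, writes each entry into a firewall, and returns the first and second record contents that the audit units would mail to the administrator. The firewall is a simulated deny list with its own change log, standing in for the production firewall and its "local log"; the mail step is left out. Two details a practitioner would want are included: entries that are not literal IP addresses are refused before they reach the firewall, and a write that changes nothing (the address was already denied) is recorded as such, so the second record content shows exactly which writes produced a firewall change.

```python
import ipaddress
import tempfile
from pathlib import Path


def write_alarm_file(alarm, path):
    """Writing unit + generation unit: turn the alarm message into a text file,
    one attack source per line. Entries that are not literal IP addresses are
    dropped so that nothing but addresses reaches the firewall. Returns the
    first record content (what was written) for the first security audit unit."""
    accepted = []
    for src in alarm["sources"]:
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # not an address: never written into the firewall
        accepted.append(src)
    Path(path).write_text("".join(f"{src}\n" for src in accepted), encoding="utf-8")
    return {"record": "alarm_written", "file": str(path),
            "threshold": alarm["threshold"], "sources": accepted}


class SimulatedFirewall:
    """Stand-in for the production system's firewall (assumption: a deny list
    that keeps its own change log, playing the role of the firewall's local log)."""

    def __init__(self):
        self.denied = set()
        self.change_log = []

    def deny(self, src):
        """Add a deny entry; returns False when it already existed (no change)."""
        if src in self.denied:
            return False
        self.denied.add(src)
        self.change_log.append({"action": "deny", "source": src})
        return True


def apply_alarm_file(path, firewall):
    """Firewall unit: write each source in the text file into the firewall.
    Returns the second record content: one entry per write attempt, paired
    with whether the firewall actually changed, for the second audit unit."""
    records = []
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        src = line.strip()
        if not src:
            continue
        changed = firewall.deny(src)
        records.append({"record": "firewall_write", "source": src, "changed": changed})
    return records


def run_automation(alarm, path, firewall):
    """Automation module end to end: returns (first record, second record)."""
    first = write_alarm_file(alarm, path)
    second = apply_alarm_file(path, firewall)
    return first, second


def demo():
    """Run once against a constructed alarm in a temporary directory and return
    (first record, second record, sorted firewall deny list)."""
    alarm = {"threshold": 3,
             "sources": ["203.0.113.5", "not-an-address", "198.51.100.7", "203.0.113.5"]}
    firewall = SimulatedFirewall()
    with tempfile.TemporaryDirectory() as tmp:
        first, second = run_automation(alarm, Path(tmp) / "alarm.txt", firewall)
    return first, second, sorted(firewall.denied)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the constructed run, the malformed entry never reaches the file, the duplicate address is written once and recorded a second time as "changed: False", and the deny list ends with exactly two addresses. Comparing the first record (what the alarm asked for) with the second (what the firewall actually changed) is what lets the administrator spot a write that silently failed.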
Further, in the above-described embodiments, including memory module 28, memory module 28 with acquisition module 21, are divided respectively Class identification module 22, each decoy attack module 23 and judgment module 25 connect, for storing attack, point of attack Class label, log and warning message.
Memory module 28 stores the information of modules, facilitates subsequent calling and audit.
The invention further includes a control method for a security automation system, applied in the security automation system 2, where the security automation system 2 is applied in the automated production system 1.
As shown in figure 4, the control method comprises the following steps:
Step S1: obtain the attack behaviours resulting from attacks on the security automation system 2;
Step S2: classify the attack behaviours using preset attack types;
Step S3: generate and output a corresponding log for each type of attack behaviour;
Step S4: receive the logs output by each decoy attack module 23, read the attack source information of each attack behaviour from a specific field of the log and perform statistics on it, with the data analysis module 24 outputting the statistical result;
Step S5: judge whether the number of attacks from each attack source exceeds a preset threshold;
if so, integrate the attack sources exceeding the preset threshold into one alarm message and output it;
if not, return to step S1;
Step S6: write the alarm information into the automated production system 1.
In the above embodiments, a security automation system 2 with the same production environment as the automated production system 1 is set up; attack behaviours are collected, classified and counted in turn, the statistical result is judged to obtain alarm information, and the alarm information is finally written automatically into the automated production system 1. The automated production system 1 is thus protected, the automated procedure saves time and effort, and the efficiency and accuracy of the writing are improved.
Further, in the above embodiments, as shown in figure 5, step S4 comprises the following steps:
Step S41: receive each log and read the attack source information of each attack behaviour from a specific field of the log;
Step S42: count the occurrences of the same attack source information across the attack behaviours, and output the statistical result.
That is, the calculated statistical result is compared with the preset threshold to judge whether each attack source is carrying out a malicious attack.
Further, in the above embodiments, as shown in figure 6, step S6 comprises the following steps:
Step S61A: record the alarm information that the automation module 26 writes into the automated production system 1, to generate a first record content;
Step S62A: send the first record content to the administrator.
Further, in the above embodiments, as shown in figure 7, step S6 comprises the following steps:
Step S61B: monitor in real time the automation module 26 writing the attack source information into the firewall, and the change records made by the firewall according to the attack source information, to generate a second record content;
Step S62B: send the second record content to the administrator.
The first record content and the second record content are sent to the administrator by e-mail, so that a comprehensive and timely audit can be carried out, hidden security risks are found quickly, and security problems are located.
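As an added example, not code from the patent or the applicant, the following Python sketch runs steps S4 to S6 end to end (the log field extraction and counting of S41/S42, the threshold judgment of S5, and the writing unit 261, generation unit 262, firewall unit 263 and audit records 27 of S6) over constructed decoy log lines. The key=value log format, the `src` field name, the "deny <ip>" blocklist file format and the threshold value are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample logs in an assumed "key=value" format. The "src" field
# stands in for the patent's "specific field" holding the attack source.
SAMPLE_LOGS = [
    "ts=2018-12-21T10:00:01 module=decoy_ssh type=bruteforce src=198.51.100.7",
    "ts=2018-12-21T10:00:02 module=decoy_ssh type=bruteforce src=198.51.100.7",
    "ts=2018-12-21T10:00:03 module=decoy_web type=sqli src=203.0.113.9",
    "ts=2018-12-21T10:00:04 module=decoy_ssh type=bruteforce src=198.51.100.7",
    "ts=2018-12-21T10:00:05 module=decoy_modbus type=scan src=192.0.2.44",
    "ts=2018-12-21T10:00:06 module=decoy_web type=sqli src=203.0.113.9",
    "garbage line without the expected fields",
]

def parse_log(line: str) -> dict:
    """Step S41: split one decoy log line into fields; a line without a
    source field is dropped rather than counted against an unknown source."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields if "src" in fields else {}

def count_sources(lines) -> Counter:
    """Steps S41-S42: read the attack source of every log and count per source."""
    counts = Counter()
    for line in lines:
        record = parse_log(line)
        if record:
            counts[record["src"]] += 1
    return counts

def judge(counts: Counter, threshold: int) -> list:
    """Step S5: attack sources whose count strictly exceeds the preset threshold
    (a source sitting exactly at the threshold is not reported)."""
    return sorted(src for src, n in counts.items() if n > threshold)

def build_alarm(offenders: list) -> str:
    """Step S5 output: integrate all offending sources into one alarm message."""
    return ("ALARM sources_over_threshold=" + ",".join(offenders)) if offenders else ""

@dataclass
class Automation:
    """Automation module 26 plus security audit module 27, simplified."""
    alarm_store: list = field(default_factory=list)       # alarms written to system 1
    firewall_blocklist: set = field(default_factory=set)  # current firewall state
    audit_log: list = field(default_factory=list)         # records sent to the admin

    def write_alarm(self, alarm: str, offenders: list) -> str:
        self.alarm_store.append(alarm)                               # writing unit 261
        self.audit_log.append(f"record1: alarm written: {alarm}")    # first audit unit
        # Generation unit 262: the alarm becomes a write-in file (assumed "deny <ip>" lines).
        blocklist_file = "\n".join(f"deny {ip}" for ip in offenders)
        for ip in offenders:                                         # firewall unit 263
            if ip not in self.firewall_blocklist:
                self.firewall_blocklist.add(ip)
                self.audit_log.append(f"record2: firewall change: deny {ip}")  # second audit unit
        return blocklist_file

def run_pipeline(lines, threshold: int = 2):
    """Steps S4 to S6 end to end; returns every intermediate result for inspection."""
    counts = count_sources(lines)
    offenders = judge(counts, threshold)
    alarm = build_alarm(offenders)
    automation = Automation()
    blocklist = automation.write_alarm(alarm, offenders) if offenders else ""
    return counts, offenders, alarm, blocklist, automation
```

With the sample logs and threshold 2, only 198.51.100.7 (three hits) is reported; 203.0.113.9 sits exactly at the threshold and is left alone, which is the edge the "exceeds" wording in step S5 decides.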
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the embodiments or the scope of protection of the present invention; those skilled in the art should appreciate that all equivalent replacements and obvious changes derived from the description and drawings of the present invention fall within the scope of protection of the present invention.

Claims (9)

1. A security automation system, applied in an automated production system, characterised in that the security automation system and the automated production system have the same production environment; the security automation system specifically comprises:
an acquisition module, for acquiring the attack behaviours obtained by attacking the security automation system;
a classification and identification module, connected to the acquisition module, for classifying the attack behaviours using preset attack types;
a plurality of decoy attack modules, each connected to the classification and identification module, each corresponding to one type of attack behaviour and serving as the attack target for attack behaviours of that type, and generating and outputting the corresponding log;
a data analysis module, connected to each decoy attack module, for receiving the logs output by each decoy attack module, reading the attack source information of each attack behaviour from a specific field of the log and performing statistics on it, the data analysis module outputting the statistical result;
a judgment module, connected to the data analysis module, for judging according to the statistical result whether the number of attacks of each attack source exceeds a preset threshold, and integrating the attack sources that exceed the preset threshold into one alarm message for output;
an automation module, connected to the judgment module, for writing the alarm information into the automated production system.

2. The security automation system according to claim 1, characterised in that the data analysis module comprises:
a data analysis unit, which receives each log and reads the attack source information of each attack behaviour from a specific field of the log;
a data statistics unit, connected to the data analysis unit, which performs statistics on the same attack source information across the attack behaviours and outputs the statistical result.

3. The security automation system according to claim 1, characterised in that the automation module comprises:
a writing unit, which writes the alarm information into the automated production system;
a generation unit, which generates a write-in file from the alarm information;
a firewall unit, connected to the text generation unit, which writes the attack source information in the text file into the firewall of the automated production system.

4. The security automation system according to claim 3, characterised in that it comprises a security audit module connected to the automation module, the security audit module comprising:
a first security audit unit, which records the alarm information written by the automation module into the automated production system to generate a first record content, and sends the first record content to an administrator;
a second security audit unit, which monitors in real time the automation module writing the attack source information into the firewall and the change records made by the firewall according to the attack source information, to generate a second record content, and sends the second record content to the administrator.

5. The security automation system according to claim 1, characterised in that it comprises a storage module, connected respectively to the acquisition module, the classification and identification module, each decoy attack module and the judgment module, for storing the attack behaviours, the classification labels of the attack behaviours, the logs and the alarm information.

6. A control method for a security automation system, applied in a security automation system, characterised in that the security automation system is applied in an automated production system; the control method comprises the following steps:
Step S1: obtain the attack behaviours obtained by attacking the security automation system;
Step S2: classify the attack behaviours using preset attack types;
Step S3: generate and output a corresponding log for each type of attack behaviour;
Step S4: receive the logs output by each decoy attack module, read the attack source information of each attack behaviour from a specific field of the log and perform statistics on it, with the data analysis module outputting the statistical result;
Step S5: judge whether the number of attacks of each attack source exceeds a preset threshold;
if so, integrate the attack sources that exceed the preset threshold into one alarm message and output it;
if not, return to step S1;
Step S6: write the alarm information into the automated production system.

7. The control method of the security automation system according to claim 6, characterised in that step S4 comprises the following steps:
Step S41: receive each log and read the attack source information of each attack behaviour from a specific field of the log;
Step S42: perform statistics on the same attack source information across the attack behaviours, and output the statistical result.

8. The control method of the security automation system according to claim 6, characterised in that step S6 comprises the following steps:
Step S61A: record the alarm information written by the automation module into the automated production system, to generate a first record content;
Step S62A: send the first record content to the administrator.

9. The control method of the security automation system according to claim 6, characterised in that step S6 comprises the following steps:
Step S61B: monitor in real time the automation module writing the attack source information into the firewall and the change records made by the firewall according to the attack source information, to generate a second record content;
Step S62B: send the second record content to the administrator.
CN201811574965.6A 2018-12-21 2018-12-21 A kind of Safety Automation System and its control method Pending CN109696892A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811574965.6A CN109696892A (en) 2018-12-21 2018-12-21 A kind of Safety Automation System and its control method

Publications (1)

Publication Number Publication Date
CN109696892A true CN109696892A (en) 2019-04-30

Family

ID=66232779

Country Status (1)

Country Link
CN (1) CN109696892A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190430
