
CN-121980630-A - Method for identifying unauthorized access intention of peripheral interface of industrial personal computer

CN121980630A

Abstract

The invention relates to the technical field of industrial control information security and discloses a method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer. The method collects the peripheral access records of the industrial personal computer and constructs an event sequence, a ternary authorization table, the reachable object set of each interface number and the key level of each object; reads the switching calibration records and obtains the switching completion duration of each interface number; checks interface number validity, interface number difference and switching time over a session right sliding window and adjacent event positions to form the maximum cross-interface relay chain; generates a segment migration sequence from the newly reachable object coverage proportion and the key level; calculates the chain-level relay gain; combines the authorization state, the key interface number set, the high-value object set and the high-impact operation set to obtain the allowed-state indicator and the key drop-point count; and outputs the intention value, the judgment threshold, the conclusion and the evidence chain, writing them into a result table. This makes the conclusion traceable, reduces the missed and false reports caused by distorted time thresholds and single-point detection, and extends quantification to accumulated risk.

Inventors

  • FU ZHIQUAN
  • GAO XINYOU
  • XIAO TAO
  • ZHAI DI
  • SHI XIUGUO
  • ZENG QIANMING
  • GUO AO
  • LU TAO

Assignees

  • 上海宽域工业网络设备有限公司

Dates

Publication Date
20260505
Application Date
20260403

Claims (9)

  1. A method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer, characterized by comprising the following steps: collecting the peripheral access records of the industrial personal computer and constructing an access event sequence, a ternary authorization table, a reachable object set for each interface number under the current context and a key level for each target object; reading the switching calibration test records of each interface number, screening the interface numbers that meet the valid calibration condition, obtaining the switching completion duration, and constructing a session right sliding window and same-session adjacent event position pairs around the current event to be judged; performing an interface number validity check, an interface number difference check and a switching time check over the session right sliding window, and obtaining the maximum cross-interface relay chain corresponding to the current event to be judged; for each hop in the current maximum cross-interface relay chain, counting the newly reachable object coverage proportion of the end interface number relative to the start interface number, and combining it with the key level of the target object of each hop's end event to form the segment migration increment of each hop and the segment migration sequence; multiplying through the segment migration sequence in order to obtain the chain-level relay gain corresponding to the current maximum cross-interface relay chain; checking the authorization state of each event in the current maximum cross-interface relay chain, and obtaining the allowed-state indicator and the key drop-point count by combining the high-value object set, the key interface number set and the high-impact operation set; obtaining the unauthorized access intention value, the judgment threshold, the unauthorized access intention identification conclusion and the strongest abnormal evidence chain corresponding to the current event to be judged from the allowed-state indicator, the chain-level relay gain and the key drop-point count; and outputting the unauthorized access intention identification conclusion, the session identifier, the interface number sequence, the operation type and target object number of each event, the real switching interval and the allowable switching interval of each hop, the segment migration sequence, the chain-level relay gain, the key drop-point count, the unauthorized access intention value and the judgment threshold, and writing the unauthorized access intention value and the judgment threshold into a result record table.
  2. The method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer according to claim 1, wherein the step of collecting the peripheral access records of the industrial personal computer and constructing an access event sequence, a ternary authorization table, a reachable object set for each interface number under the current context and a key level for each target object specifically comprises: arranging the peripheral access records of the industrial personal computer into an access event sequence ordered by occurrence time, so that the occurrence time of a later access event is not earlier than that of an earlier access event, each access event recording a session identifier, an interface number, an operation type, a target object number and an occurrence time; performing an authorization check on each group of interface number, operation type and target object number according to the current personnel identity, work order task and equipment process stage, and generating a ternary authorization table in which the authorization state is either unauthorized or authorized; for each interface number, traversing all records of that interface number in the ternary authorization table and collecting the target objects whose authorization state is authorized to form the reachable object set of that interface number under the current context; for each target object, reading its writable attribute bit, control state change attribute bit, continuously effective attribute bit and security association attribute bit, and adding the four attribute bits; and dividing the sum of the four attribute bits by four to form the key level of that target object.
  3. The method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer according to claim 2, wherein the step of reading the switching calibration test records of each interface number, screening the interface numbers that meet the valid calibration condition, obtaining the switching completion duration, and constructing a session right sliding window and same-session adjacent event position pairs around the current event to be judged specifically comprises: for each interface number, reading all switching calibration test records of that interface number, and reading the control takeover completion time and the first effective response time in each record; checking each switching calibration test record of each interface number in turn, and recording the interface number as meeting the valid calibration condition when at least one test has a first effective response time not earlier than the control takeover completion time; collecting all interface numbers that meet the valid calibration condition to form the valid calibration interface number set; for each interface number in the valid calibration interface number set, reading the control takeover completion time and the first effective response time of all its switching calibration tests, and for each test record whose first effective response time is not earlier than the control takeover completion time, calculating the difference between the first effective response time and the control takeover completion time; taking the maximum of all such differences for the same interface number as the switching completion duration of that interface number; for the current event to be judged, reading all access events from the session start time to the occurrence time of the current event to be judged, forming a session right sliding window whose right endpoint is the current event to be judged; and checking every pair of positions adjacent in time order among the access event positions in the session right sliding window, recording the two positions as a same-session adjacent event position pair when no other access event position lies between them, and forming the same-session adjacent event position pair set.
  4. The method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer according to claim 3, wherein the step of performing an interface number validity check, an interface number difference check and a switching time check over the session right sliding window to obtain the maximum cross-interface relay chain corresponding to the current event to be judged specifically comprises: selecting, in the session right sliding window, a current event sequence candidate whose end position is the position of the current event to be judged, requiring the candidate to contain at least two access events, arranging its access event positions in increasing order from front to back, and requiring every two adjacent access event positions to form a same-session adjacent event position pair; for each hop in the current event sequence candidate, reading the occurrence times of the previous event and the next event, and subtracting the occurrence time of the previous event from that of the next event to form the real switching interval of that hop; for each hop, reading the switching completion durations of the interface numbers of the previous event and the next event, and adding the two durations to form the allowable switching interval of that hop; for each hop, performing the interface number validity check, the interface number difference check and the switching time check, where the interface number validity check verifies that the interface numbers of both the previous event and the next event belong to the valid calibration interface number set, the interface number difference check verifies that the interface number of the next event differs from that of the previous event, and the switching time check verifies that the real switching interval of the hop is greater than zero and not greater than the allowable switching interval of the hop; backtracking forwards from the position of the current event to be judged along the same-session adjacent event position pair set, and on each backtracking step in which the interface number validity check, the interface number difference check and the switching time check all pass, merging the newly examined previous event into the head of the current event sequence candidate; stopping the backtracking and keeping the longest continuous event sequence formed so far when no position pair remains to backtrack over, or when any of the interface number validity check, the interface number difference check or the switching time check fails; recording the longest continuous event sequence that passes the interface number validity check, the interface number difference check and the switching time check and ends at the position of the current event to be judged as the maximum cross-interface relay chain corresponding to the current event to be judged; and when no continuous event sequence passes the interface number validity check, the interface number difference check and the switching time check, marking the maximum cross-interface relay chain corresponding to the current event to be judged as empty.
  5. The method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer according to claim 4, wherein the step of counting, for each hop in the current maximum cross-interface relay chain, the newly reachable object coverage proportion of the end interface number relative to the start interface number, and combining it with the key level of the target object of each hop's end event to form the segment migration increment of each hop and the segment migration sequence specifically comprises: when the current maximum cross-interface relay chain is not empty, for each hop in the chain, reading the reachable object set of the hop's start interface number under the current context and the reachable object set of the hop's end interface number under the current context; removing from the reachable object set of the end interface number those target objects that also belong to the reachable object set of the start interface number, and keeping the target objects newly reached by the end interface number; counting the number of target objects newly reached by the end interface number, and counting the number of target objects corresponding to all target object numbers in the ternary authorization table; dividing the number of newly reached target objects by the number of target objects in the ternary authorization table to form the newly reachable object coverage proportion of the hop; reading the key level of the target object of the hop's end event, and multiplying the newly reachable object coverage proportion of the hop by that key level to form the segment migration increment of the hop; and collecting all segment migration increments in hop order along the current maximum cross-interface relay chain to form the segment migration sequence.
  6. The method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer according to claim 5, wherein the step of multiplying through the segment migration sequence in order to obtain the chain-level relay gain corresponding to the current maximum cross-interface relay chain specifically comprises: when the current maximum cross-interface relay chain is not empty, reading the segment migration sequence corresponding to the chain; adding one to each hop's segment migration increment in the segment migration sequence to form the product term of that hop; multiplying all product terms together in hop order along the current maximum cross-interface relay chain; subtracting one from the product to form the chain-level relay gain corresponding to the current maximum cross-interface relay chain; and when the current maximum cross-interface relay chain is empty, recording the chain-level relay gain as zero.
  7. The method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer according to claim 6, wherein the step of checking the authorization state of each event in the current maximum cross-interface relay chain and combining the high-value object set, the key interface number set and the high-impact operation set to obtain the allowed-state indicator and the key drop-point count specifically comprises: when the current maximum cross-interface relay chain is not empty, for each hop in the chain, reading the interface number, operation type and target object number of the previous event and of the next event, and checking the authorization state of each in the ternary authorization table; within the same hop, recording the allowable relay state of the hop as one when both the previous event and the next event are authorized, and as zero when either is unauthorized; reading the interface number, operation type and target object number of the head event of the current maximum cross-interface relay chain, checking its authorization state in the ternary authorization table, and marking the authorization state indicator of the head event as one when it is authorized and as zero when it is unauthorized; multiplying the authorization state indicator of the head event by the allowable relay state of each hop in the current maximum cross-interface relay chain, in relay order, to form the allowed-state indicator of the chain; when the allowed-state indicator is zero, marking the current maximum cross-interface relay chain as not being an allowed relay chain; adding the writable attribute bit, control state change attribute bit, continuously effective attribute bit and security association attribute bit of each target object, and collecting the target objects whose sum is not less than three to form the high-value object set; for each interface number, checking whether the intersection of its reachable object set under the current context with the high-value object set is non-empty, and collecting the interface numbers with a non-empty intersection to form the key interface number set; aggregating the write, control and erase operations to form the high-impact operation set; when the current maximum cross-interface relay chain is not empty, reading each event in the chain one by one and counting the event once when its interface number belongs to the key interface number set and its operation type belongs to the high-impact operation set, the total forming the key drop-point count of the current maximum cross-interface relay chain; and when the current maximum cross-interface relay chain is empty, recording the allowed-state indicator as zero and the key drop-point count as zero.
  8. The method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer according to claim 7, wherein the step of obtaining the unauthorized access intention value, the judgment threshold, the unauthorized access intention identification conclusion and the strongest abnormal evidence chain corresponding to the current event to be judged from the allowed-state indicator, the chain-level relay gain and the key drop-point count specifically comprises: when the current maximum cross-interface relay chain is not empty, reading the allowed-state indicator, the chain-level relay gain and the key drop-point count; subtracting the allowed-state indicator from one, multiplying the result by the chain-level relay gain, and multiplying that product by the key drop-point count plus one to form the unauthorized access intention value corresponding to the current event to be judged; multiplying the allowed-state indicator by the chain-level relay gain, and multiplying that product by the key drop-point count plus one to form the judgment threshold corresponding to the current event to be judged; comparing the unauthorized access intention value corresponding to the current event to be judged with the judgment threshold, and marking the current event to be judged as meeting the unauthorized access intention judgment condition when the unauthorized access intention value is greater than the judgment threshold; when the unauthorized access intention value is greater than the judgment threshold, marking the unauthorized access intention identification conclusion as unauthorized access intention at the peripheral interface of the industrial personal computer existing, and marking the current maximum cross-interface relay chain as the strongest abnormal evidence chain; when the unauthorized access intention value is not greater than the judgment threshold, marking the current event to be judged as not meeting the unauthorized access intention judgment condition, marking the unauthorized access intention identification conclusion as no unauthorized access intention at the peripheral interface of the industrial personal computer being identified, and marking the strongest abnormal evidence chain as empty; and when the current maximum cross-interface relay chain is empty, marking the unauthorized access intention value as zero, the judgment threshold as zero, the current event to be judged as not meeting the unauthorized access intention judgment condition, the unauthorized access intention identification conclusion as no unauthorized access intention at the peripheral interface of the industrial personal computer being identified, and the strongest abnormal evidence chain as empty.
  9. The method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer according to claim 8, wherein the step of outputting the unauthorized access intention identification conclusion, the session identifier, the interface number sequence, the operation type and target object number of each event, the real switching interval and the allowable switching interval of each hop, the segment migration sequence, the chain-level relay gain, the key drop-point count, the unauthorized access intention value and the judgment threshold, and writing the unauthorized access intention value into a result record table specifically comprises: outputting that unauthorized access intention at the peripheral interface of the industrial personal computer exists when the current event to be judged meets the unauthorized access intention judgment condition; outputting that no unauthorized access intention at the peripheral interface of the industrial personal computer is identified when the current event to be judged does not meet the unauthorized access intention judgment condition; outputting at the same time the session identifier corresponding to the current event to be judged; when the strongest abnormal evidence chain is not empty, outputting the interface number sequence of the strongest abnormal evidence chain in event order; when the strongest abnormal evidence chain is not empty, outputting the operation type and target object number of each event in the strongest abnormal evidence chain in event order; when the strongest abnormal evidence chain is not empty, outputting the real switching interval and the allowable switching interval of each hop in hop order; when the strongest abnormal evidence chain is not empty, outputting the segment migration sequence in hop order, and outputting the chain-level relay gain and the key drop-point count corresponding to the strongest abnormal evidence chain; outputting the unauthorized access intention value and the judgment threshold corresponding to the current event to be judged; when the strongest abnormal evidence chain is empty, outputting the interface number sequence, the operation type and target object number of each event, the real switching interval and the allowable switching interval of each hop, the segment migration sequence, the chain-level relay gain and the key drop-point count as empty values; and writing the unauthorized access intention identification conclusion, the session identifier, the interface number sequence, the operation type and target object number of each event, the real switching interval and the allowable switching interval of each hop, the segment migration sequence, the chain-level relay gain, the key drop-point count, the unauthorized access intention value and the judgment threshold into the result record table.
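As an added worked example, not part of the patent and not the applicant's code, the following Python implements the scoring pipeline of claims 1 to 8 (with the fields claim 9 would output collected into a dictionary) and runs it over a constructed single-session access log. Every identifier, interface number, attribute bit, authorization entry and calibration timing below is a hypothetical value constructed for this example; the event tuple layout, the `AUTH` dictionary and the function names are this example's own choices.

```python
from math import prod

# Constructed sample data (hypothetical, not taken from the patent).
# Access event: (session_id, interface_no, operation_type, target_object_no, time_s)
EVENTS = [
    ("S1", "USB1", "read", "O1", 0.0),
    ("S1", "COM1", "read", "O2", 1.2),
    ("S1", "DBG1", "write", "O4", 3.0),   # unauthorized write on a key interface
    ("S1", "USB1", "write", "O1", 20.0),  # unauthorized, but too late to chain onto the rest
]
# Ternary authorization table (claim 2): (interface, operation, object) -> authorized?
AUTH = {
    ("USB1", "read", "O1"): True, ("USB1", "write", "O1"): False,
    ("COM1", "read", "O1"): True, ("COM1", "read", "O2"): True, ("COM1", "read", "O3"): True,
    ("DBG1", "read", "O3"): True, ("DBG1", "read", "O4"): True, ("DBG1", "write", "O4"): False,
}
# Per-object attribute bits (claim 2): writable, control-state-change, continuously-effective, security-associated
ATTRS = {"O1": (0, 0, 1, 0), "O2": (1, 0, 0, 0), "O3": (1, 1, 0, 0), "O4": (1, 1, 1, 1)}
# Switching calibration tests (claim 3): interface -> [(takeover_complete_s, first_effective_response_s), ...]
CALIB = {"USB1": [(1.0, 1.5), (1.0, 0.8)], "COM1": [(2.0, 3.0)], "DBG1": [(0.5, 1.75)]}
HIGH_IMPACT_OPS = {"write", "control", "erase"}  # claim 7: write, control and erase


def key_level(bits):
    """Claim 2: sum of the four attribute bits divided by four."""
    return sum(bits) / 4


def reachable(auth, iface):
    """Claim 2: objects with an authorized entry for this interface under the current context."""
    return {obj for (i, _op, obj), ok in auth.items() if i == iface and ok}


def switching_durations(calib):
    """Claim 3: valid-calibration interfaces mapped to their switching completion duration."""
    out = {}
    for iface, tests in calib.items():
        diffs = [resp - take for take, resp in tests if resp >= take]
        if diffs:  # at least one test whose response is not earlier than the takeover
            out[iface] = max(diffs)
    return out


def max_relay_chain(events, idx, durations):
    """Claim 4: backtrack from event idx over same-session adjacent pairs while all three checks pass."""
    sid = events[idx][0]
    window = [e for e in events[: idx + 1] if e[0] == sid]  # session right sliding window
    chain = [window[-1]]
    for prev in reversed(window[:-1]):
        nxt = chain[0]
        real = nxt[4] - prev[4]
        valid = prev[1] in durations and nxt[1] in durations  # interface number validity check
        differ = prev[1] != nxt[1]                              # interface number difference check
        in_time = valid and 0 < real <= durations[prev[1]] + durations[nxt[1]]  # switching time check
        if not (valid and differ and in_time):
            break
        chain.insert(0, prev)
    return chain if len(chain) >= 2 else []


def authorized(auth, event):
    """Authorization state of one event as a 0/1 indicator (claim 7)."""
    return int(auth.get((event[1], event[2], event[3]), False))


def assess(events, idx, auth, attrs, calib):
    """Claims 5 to 8 for the event at index idx; returns the fields claim 9 would output."""
    durations = switching_durations(calib)
    chain = max_relay_chain(events, idx, durations)
    res = {"chain": chain, "hops": [], "segments": [], "gain": 0.0, "allowed": 0,
           "drops": 0, "value": 0.0, "threshold": 0.0, "flag": False, "evidence": []}
    if not chain:
        return res  # empty chain: every quantity is zero (claims 6 to 8)
    total_objects = len({obj for (_i, _op, obj) in auth})
    high_value = {o for o, bits in attrs.items() if sum(bits) >= 3}
    key_ifaces = {i for (i, _op, _obj) in auth if reachable(auth, i) & high_value}
    for prev, nxt in zip(chain, chain[1:]):
        res["hops"].append((nxt[4] - prev[4], durations[prev[1]] + durations[nxt[1]]))
        newly = reachable(auth, nxt[1]) - reachable(auth, prev[1])  # claim 5: newly reached objects
        res["segments"].append(len(newly) / total_objects * key_level(attrs[nxt[3]]))
    res["gain"] = prod(1 + s for s in res["segments"]) - 1  # claim 6
    res["allowed"] = authorized(auth, chain[0]) * prod(
        authorized(auth, p) * authorized(auth, n) for p, n in zip(chain, chain[1:]))
    res["drops"] = sum(1 for e in chain if e[1] in key_ifaces and e[2] in HIGH_IMPACT_OPS)
    res["value"] = (1 - res["allowed"]) * res["gain"] * (1 + res["drops"])  # claim 8
    res["threshold"] = res["allowed"] * res["gain"] * (1 + res["drops"])
    res["flag"] = res["value"] > res["threshold"]
    res["evidence"] = chain if res["flag"] else []
    return res


if __name__ == "__main__":
    for i in range(len(EVENTS)):
        r = assess(EVENTS, i, AUTH, ATTRS, CALIB)
        print(EVENTS[i][1:4], "chain:", [e[1] for e in r["chain"]],
              "value=%.4f threshold=%.4f flag=%s" % (r["value"], r["threshold"], r["flag"]))
```

Judging the third event gives the chain USB1, COM1, DBG1: both hops fall inside their allowable switching interval, the segment migration sequence is [0.125, 0.25], the chain-level relay gain is 0.40625, the allowed-state indicator is zero because the final write is unauthorized, and the one key drop point doubles the score, so the intention value 0.8125 exceeds a threshold of zero and the chain is reported as evidence. The second event, an all-authorized two-hop chain, scores zero against a positive threshold. The fourth event is an unauthorized write, but its 17 s gap fails the switching time check, the chain is empty and every quantity is zero: the method scores relay chains only, so isolated single-point violations still need the whitelist and rule-matching controls the background section lists.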

Description

Method for identifying unauthorized access intention of peripheral interface of industrial personal computer

Technical Field

The invention relates to the technical field of industrial control information security, in particular to a method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer.

Background

The industrial personal computer serves as a general computation and interaction carrier in an industrial control system and usually integrates several peripheral interfaces, such as USB interfaces, serial ports, network ports, debugging ports and special expansion ports, used for program download, parameter configuration, state acquisition, equipment joint debugging, and maintenance and overhaul. In practice, different interfaces correspond to different access capabilities and operation authorities; once the access control of an interface fails, security problems such as tampered control parameters, unauthorized invocation of key objects and abnormal switching of process states easily follow, so access control and anomaly identification for the peripheral interfaces of industrial personal computers have become an important research topic in industrial control information security. In the prior art, the peripheral interfaces of industrial personal computers are generally protected by interface whitelists, account authority allocation, access log audit, single-operation rule matching, anomaly threshold alarms, physical isolation and the like. These techniques can limit unauthorized direct access to a certain extent and intercept or record explicit illegal operations.
However, most of the prior art analyses a single interface, a single access event or a static permission table, focusing mainly on whether a given interface performs a given operation on a given object at a given moment, and lacks the ability to analyse the continuous access behaviour of multiple interfaces within the same session as a whole. In an industrial setting, an operator may not complete unauthorized access directly through a single interface, but may first establish initial access through an interface with lower authority, then switch to other interfaces within a short time, gradually expand the range of reachable objects, and finally reach a high-value object or perform a high-impact operation. Because the prior art has no mechanism for identifying the cross-port switching process, the adjacent access relation, the continuous relay chain structure and the chained authority migration effect, it is often difficult to distinguish normal multi-port cooperative operation from relay-type access behaviour with clear unauthorized intent. Furthermore, the prior art does not uniformly quantify factors such as interface switching delay, target object key degree and the distribution of key drop points within a chain, so the accuracy of identifying hidden and progressive unauthorized behaviour is insufficient, which easily leads to missed reports, false reports, or reliance on manual review only after the fact.
The scheme aims to provide a method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer which first organizes peripheral access behaviour uniformly into event sequences within a session; generates the authorization relations under the current context of personnel identity, work order task, equipment process stage and the like; models the range of objects reachable by each interface under the current context together with the key level of each object; constructs a session right sliding window and adjacent event position pairs with the help of interface switching calibration data; splices together the maximum cross-interface relay chain under real time constraints; couples the expansion amplitude of interface capability with target object sensitivity into a segment migration sequence; calculates the relay gain at chain level; introduces the allowed-state indicator, the key drop-point count and related quantities; obtains the unauthorized access intention value, the judgment threshold, the conclusion and the strongest abnormal evidence chain; and finally writes traceable fields into a record table.

Disclosure of Invention

The invention provides a method for identifying unauthorized access intention at the peripheral interfaces of an industrial personal computer, which helps to solve the problems mentioned in the background. The method comprises the following steps: collecting peripheral access records of an industrial personal computer, and constructing an access event sequence, a terna