CN-121984737-A - Industrial control flow detection method and device based on behavior detection and storage medium
Abstract
The invention discloses an industrial control traffic detection method, device and storage medium based on behavior detection, in the technical field of industrial control system (ICS) network security. The method collects industrial control communication traffic, parses it and extracts characteristic parameters to form a communication behavior sequence ordered by time; matches the communication behavior sequence against a pre-constructed normal production behavior chain to generate a behavior deviation index; marks the corresponding communication behavior sequence as abnormal candidate traffic when the behavior deviation index meets a first preset condition; for the abnormal candidate traffic, constructs an attack kill-chain behavior chain from the association relations between its communication behaviors; and performs attack risk assessment on the attack kill-chain behavior chain to generate an attack risk assessment result. The double-chain model (a normal production behavior chain plus an attack kill-chain behavior chain) and the two-stage detection flow are intended to identify unknown and multi-stage attacks while reducing false alarms and resource consumption, since only candidate traffic is subjected to the more expensive second stage.
Inventors
- ZHU JIONG
- CHEN XIANGLI
- ZHU JIANGHUI
- MAO WEIXIN
- CHEN GUOQIANG
Assignees
- 珞微科技(杭州)有限公司
Dates
- Publication Date: 2026-05-05
- Application Date: 2026-01-27
Claims (10)
- 1. An industrial control traffic detection method based on behavior detection, characterized by comprising the following steps: S1, collecting industrial control communication traffic, parsing it and extracting characteristic parameters to form a communication behavior sequence ordered by time; S2, matching the communication behavior sequence against a pre-constructed normal production behavior chain to generate a behavior deviation index; S3, when the behavior deviation index meets a first preset condition, marking the corresponding communication behavior sequence as abnormal candidate traffic; S4, constructing an attack kill-chain behavior chain from the association relations between the communication behaviors of the abnormal candidate traffic; S5, performing attack risk assessment based on the attack kill-chain behavior chain and generating an attack risk assessment result.
- 2. The method according to claim 1, wherein S1 comprises: collecting raw communication traffic in the industrial control network by port mirroring or an optical network tap; performing deep protocol parsing on the raw traffic to identify industrial control protocol instructions; extracting characteristic parameters of control behaviors from the parsed instruction data, the characteristic parameters including at least the control behavior type, the operation object identifier, the interaction direction, the timestamp and the time interval; and arranging the characteristic parameters of consecutive control behaviors in timestamp order to form the communication behavior sequence.
- 3. The method according to claim 1, wherein S2 comprises: extracting the control behavior type, interaction direction and time interval from the characteristic parameters of the communication behavior sequence as multidimensional behavior characteristic parameters; and determining, by statistical analysis of the multidimensional behavior characteristic parameters of historical normal communication behavior sequences, the normal value range, fluctuation threshold, legal instruction frequency threshold and association rules of each characteristic parameter, so as to construct a normal production behavior chain comprising a behavior characteristic parameter distribution model, an association relation model and a set of legal sequence patterns.
- 4. The method according to claim 3, wherein S2 further comprises: first matching the behavior order in the communication behavior sequence against the legal sequence patterns defined in the normal production behavior chain; second matching the behavior combinations in the communication behavior sequence against the legal combination ranges defined in the normal production behavior chain; third matching the temporal relations between behaviors in the communication behavior sequence against the time rules defined in the normal production behavior chain; and, from the results of the first, second and third matching, calculating the deviation of the communication behavior sequence from the normal production behavior chain in each matching dimension and combining the deviations according to preset weights to generate the behavior deviation index.
- 5. The method according to claim 1, wherein S3 comprises: comparing the behavior deviation index of the communication behavior sequence with the first preset condition; and marking the corresponding communication behavior sequence as abnormal candidate traffic when the behavior deviation index meets the first preset condition.
- 6. The method according to claim 1, wherein S4 comprises: for the communication behavior sequence corresponding to the abnormal candidate traffic, dividing the control behaviors into a plurality of attack stages of an attack kill-chain behavior chain according to the temporal order of their control behavior types; analyzing the temporal relation and the functional logic relation between control behaviors assigned to adjacent attack stages; determining the stage evolution relation between the attack stages from the temporal relation and the functional logic relation; and constructing the attack kill-chain behavior chain according to the stage evolution relation.
- 7. The method according to claim 6, wherein the attack stages comprise at least one of a reconnaissance stage, a delivery stage, an exploitation stage, a command-and-control stage, or an actions-on-objective (target achievement) stage.
- 8. The method according to claim 1, wherein S5 comprises: analyzing the composition of attack stages contained in the attack kill-chain behavior chain and the evolution relations between those stages; comparing the stage composition and the stage evolution order with the stage structure characteristics of each attack mode in a preset attack behavior pattern library; and generating the attack risk assessment result from the comparison.
- 9. An electronic device, comprising: one or more processors; and storage means storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement the industrial control traffic detection method based on behavior detection as claimed in any one of claims 1 to 7.
- 10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor of a computer, causes the computer to perform the industrial control traffic detection method based on behavior detection as claimed in any one of claims 1 to 7.
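The following is an added worked example, written for this page and not code from the patent or its assignee, that runs the five-step procedure of claims 1 to 8 (restated in the Disclosure of Invention below) end to end over constructed Modbus/TCP request frames. Everything the claims do not specify is an assumption made here for illustration: Modbus/TCP as the industrial protocol and the function-code-to-behavior mapping (FC_NAME); the three matching dimensions of claim 4 implemented as legal behavior bigrams, legal (type, object) combinations and per-type interval bounds; the preset weights (0.4, 0.4, 0.2) and the candidate threshold 0.3 as the first preset condition; the behavior-to-stage mapping (STAGE_OF), the 60 s chaining window and the pattern library (ATTACK_PATTERNS) for claims 6 to 8; and the sample production rhythm and attack burst, which are constructed data, not captured traffic. The point to observe is the two-stage flow: the normal polling cycle scores a deviation index of 0 and never reaches the kill-chain analysis, while a fast device-identification, register-sweep and write burst scores 0.529, is marked as a candidate, collapses to the stage chain reconnaissance, exploitation, objective, and matches the highest-risk library pattern.

```python
import struct
from collections import namedtuple

FC_NAME = {0x03: "read_registers", 0x05: "write_coil", 0x06: "write_register", 0x2B: "read_device_id"}
# Assumed behaviour-to-stage mapping and stage order for the kill chain (S4); not from the patent.
STAGE_OF = {"read_device_id": "reconnaissance", "read_registers": "reconnaissance",
            "write_register": "exploitation", "write_coil": "objective"}
STAGE_ORDER = ["reconnaissance", "delivery", "exploitation", "command_and_control", "objective"]
WEIGHTS = (0.4, 0.4, 0.2)        # assumed preset weights for the sequence, combination and time dimensions
CANDIDATE_THRESHOLD = 0.3        # assumed "first preset condition" of S3
ATTACK_PATTERNS = {              # assumed attack behaviour pattern library for S5: stages -> (name, risk)
    ("reconnaissance", "exploitation", "objective"): ("scan_then_unauthorized_control", 0.9),
    ("exploitation", "objective"): ("direct_control_hijack", 0.7),
}
Behavior = namedtuple("Behavior", "kind obj direction ts gap")  # type, object address, direction, time, interval

def parse_modbus_tcp(frame: bytes):
    """Parse a Modbus/TCP request (MBAP header + PDU) into (behaviour type, object address), or None."""
    if len(frame) < 10:
        return None  # too short for any request we model
    _tid, proto, length, _unit, fc, addr = struct.unpack(">HHHBBH", frame[:10])
    if proto != 0 or length != len(frame) - 6 or fc not in FC_NAME:
        return None  # not Modbus, truncated/padded, or a function code we do not model
    return FC_NAME[fc], (0 if fc == 0x2B else addr)  # Read Device Identification carries no address

def to_sequence(packets):
    """S1: (timestamp, direction, frame) packets -> time-ordered list of Behavior records."""
    seq, prev = [], None
    for ts, direction, frame in sorted(packets, key=lambda p: p[0]):
        parsed = parse_modbus_tcp(frame)
        if parsed is not None:
            seq.append(Behavior(parsed[0], parsed[1], direction, ts, 0.0 if prev is None else ts - prev))
            prev = ts
    return seq

def build_normal_chain(history):
    """S2 (training): legal behaviour bigrams, legal (type, object) combinations, per-type interval bounds."""
    bigrams, combos, gaps = set(), set(), {}
    for seq in history:
        bigrams.update((a.kind, b.kind) for a, b in zip(seq, seq[1:]))
        for b in seq:
            combos.add((b.kind, b.obj))
            if b.gap > 0:
                gaps.setdefault(b.kind, []).append(b.gap)
    bounds = {k: (min(v) * 0.5, max(v) * 2.0) for k, v in gaps.items()}  # fluctuation threshold: 0.5x to 2x
    return {"bigrams": bigrams, "combos": combos, "bounds": bounds}

def deviation_index(seq, chain):
    """S2 (matching): violation ratio in each of the three dimensions, weighted into one index in [0, 1]."""
    if len(seq) < 2:
        return 0.0
    seq_dev = sum((a.kind, b.kind) not in chain["bigrams"] for a, b in zip(seq, seq[1:])) / (len(seq) - 1)
    combo_dev = sum((b.kind, b.obj) not in chain["combos"] for b in seq) / len(seq)
    time_dev = sum(not (lo <= b.gap <= hi) for b in seq[1:]  # a type unseen in training has no time rule
                   for lo, hi in [chain["bounds"].get(b.kind, (0.0, float("inf")))]) / (len(seq) - 1)
    return round(sum(w * d for w, d in zip(WEIGHTS, (seq_dev, combo_dev, time_dev))), 3)

def build_kill_chain(seq, window=60.0):
    """S4: a behaviour extends the chain only if it follows the previous one within `window` seconds (time
    relation) and does not step backwards in STAGE_ORDER (logic relation); otherwise a new chain starts."""
    best, cur = [], []
    for b in seq:
        stage = STAGE_OF[b.kind]  # every modelled behaviour type has a stage
        if cur and (b.gap > window or STAGE_ORDER.index(stage) < STAGE_ORDER.index(cur[-1])):
            best, cur = max(best, cur, key=len), []
        if not cur or cur[-1] != stage:
            cur.append(stage)
    return max(best, cur, key=len)  # the longest stage evolution is the candidate's kill chain

def assess_risk(chain):
    """S5: match stage composition/order against the library; a chain from build_kill_chain is strictly
    ordered without repeats, so set containment is an order-respecting match. Highest risk wins."""
    best = ("no_known_pattern", round(0.1 * len(chain), 3))
    for pattern, (name, risk) in ATTACK_PATTERNS.items():
        if set(pattern) <= set(chain) and risk > best[1]:
            best = (name, risk)
    return {"stages": chain, "pattern": best[0], "risk": best[1]}

def detect(packets, chain, threshold=CANDIDATE_THRESHOLD):
    """Run S1-S5; only traffic marked as a candidate in S3 pays for the kill-chain analysis of S4/S5."""
    seq = to_sequence(packets)
    idx = deviation_index(seq, chain)
    if idx < threshold:
        return {"index": idx, "candidate": False, "assessment": None}
    return {"index": idx, "candidate": True, "assessment": assess_risk(build_kill_chain(seq))}

def frame(fc, addr=0, value=1, tid=1):
    """Constructed Modbus/TCP request for unit id 1 (sample data for this example, not captured traffic)."""
    pdu = bytes([fc, 0x0E, 0x01, 0x00]) if fc == 0x2B else struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu

PLAN = [(0x03, 0, 2), (0x03, 100, 2), (0x06, 10, 500)] * 2  # constructed production rhythm, one request per second
NORMAL_PACKETS = [[(t0 + i, "m2s", frame(*req)) for i, req in enumerate(PLAN)] for t0 in (0.0, 100.0)]
# Constructed attack burst: device identification, register sweep, setpoint write, coil write, 100 ms apart.
ATTACK_PACKETS = [(0.1 * i, "m2s", f) for i, f in enumerate([
    frame(0x2B), frame(0x03, 0), frame(0x03, 100), frame(0x03, 200), frame(0x03, 300),
    frame(0x06, 10, 9999), frame(0x05, 7, 0xFF00)])]
NORMAL_CHAIN = build_normal_chain([to_sequence(p) for p in NORMAL_PACKETS])
```

Two caveats a practitioner would want: the parser only understands master-to-slave requests (Modbus responses carry a byte count where the request carries an address, so they must be filtered by direction before parsing, as the "interaction direction" parameter of claim 2 implies), and the interval bounds are derived from a tiny constructed history, so in a real deployment the fluctuation threshold and the candidate threshold have to be fitted on enough normal traffic to cover legitimate mode changes, or the first stage will itself become the false-alarm source the patent is trying to remove.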
Description
Industrial control flow detection method and device based on behavior detection and storage medium
Technical Field
The invention relates to the technical field of industrial control system (ICS) network security, and in particular to an industrial control traffic detection method and device based on behavior detection and a storage medium.
Background
Industrial control systems are widely deployed in critical infrastructure, where network security is essential. Current mainstream industrial control traffic detection techniques face the following limitations. First, signature-based matching relies on known attack signatures and therefore has difficulty identifying attacks that use new techniques or unknown vulnerabilities. Second, generic network detection techniques adapt poorly to the communication characteristics of industrial protocols such as Modbus and S7 and to the tightly coupled process logic behind them, which leads to high false alarm rates. Third, existing methods mostly perform single-point detection of isolated events and lack the ability to correlate multi-stage attacks whose steps are dispersed in time and execution, so such attacks are easily missed. Finally, industrial control environments impose strict requirements on real-time behavior, stability and resource usage, and a complex detection algorithm may interfere with normal control services. The prior art therefore remains deficient in balancing detection of unknown threats, suitability for industrial control scenarios, recognition accuracy for complex attacks and performance overhead.
Disclosure of Invention
In view of the above drawbacks of the prior art, an object of the present invention is to provide an industrial control traffic detection method, device and storage medium based on behavior detection that solve the above technical problems. To this end, the invention provides the following technical scheme. The industrial control traffic detection method based on behavior detection comprises the following steps: S1, collecting industrial control communication traffic, parsing it and extracting characteristic parameters to form a communication behavior sequence ordered by time; S2, matching the communication behavior sequence against a pre-constructed normal production behavior chain to generate a behavior deviation index; S3, when the behavior deviation index meets a first preset condition, marking the corresponding communication behavior sequence as abnormal candidate traffic; S4, constructing an attack kill-chain behavior chain from the association relations between the communication behaviors of the abnormal candidate traffic; S5, performing attack risk assessment based on the attack kill-chain behavior chain and generating an attack risk assessment result.
The present invention is further configured such that S1 includes: collecting raw communication traffic in the industrial control network by port mirroring or an optical network tap; performing deep protocol parsing on the raw traffic to identify industrial control protocol instructions; extracting characteristic parameters of control behaviors from the parsed instruction data, the characteristic parameters including at least the control behavior type, the operation object identifier, the interaction direction, the timestamp and the time interval; and arranging the characteristic parameters of consecutive control behaviors in timestamp order to form the communication behavior sequence. The present invention is further configured such that S2 includes: extracting the control behavior type, interaction direction and time interval from the characteristic parameters of the communication behavior sequence as multidimensional behavior characteristic parameters; and determining, by statistical analysis of the multidimensional behavior characteristic parameters of historical normal communication behavior sequences, the normal value range, fluctuation threshold, legal instruction frequency threshold and association rules of each characteristic parameter, so as to construct a normal production behavior chain comprising a behavior characteristic parameter distribution model, an association relation model and a set of legal sequence patterns. The present invention is further configured such that S2 further includes: first matching the behavior order in the communication behavior sequence against the legal sequence patterns defined in the normal production behavior chain; second matching the behavior combinations in the communication behavior sequence against the legal combinatio