Active Honeyport network security.
Patent abstract:
A device includes a processor. The processor is configured to generate a first signal using a first communication protocol, the first signal corresponding to data received by the processor. The processor is configured to generate a second signal using a second communication protocol, the second signal including fabricated data generated by the processor. The processor is further configured to send the first signal and to send the second signal.

Publication number: CH709950B1
Application number: CH01742/15
Filing date: 2014-04-21
Publication date: 2018-06-29
Inventor: Richard Schwartz Matthew
Applicant: Gen Electric
Patent description:
Description

The subject matter disclosed herein relates generally to network security, and to the security of control systems and control networks connected to a computer network.

[0002] Computer networks and networking technologies are finding use in new fields. For example, monitoring and/or control systems (e.g., industrial control systems) that enable the operation of machines, such as the monitoring and control of wind turbines, gas turbines, compressors, motors, generators and other devices, are increasingly networked. This networking can allow data to be shared between physically separate machines and, for example, a single monitoring station. However, the potential threat of cyber attacks (e.g., hacking) has also increased, because systems that were previously closed (i.e., not networked) are now connected. Several solutions have been proposed to improve security for industrial control systems, for example control hierarchy models such as the Purdue model. Although these models have provided a helpful common language for owners, operators and suppliers of industrial control systems ("ICS") to frame security discussions, their implicit assumptions of static data flows, centralized control and security are proving out of date. Indeed, advances in ICS technology (distributed control, smart devices and interoperability), as well as an increasingly sophisticated threat, create a desire for more robust models and techniques for intrusion detection. In addition, emerging technologies such as virtualization, networked collaboration and cloud-based infrastructure/services call into question the appropriateness of a defensive stance based only on perimeter security (i.e., network security focused primarily on preventing intrusion into a system). Further security problems arise when the ICS is connected to, for example, a corporate network.
Endpoint security is a technique that has been used to prevent unauthorized access to a corporate network, in which the corporate network authenticates and verifies each host before granting it access. However, the explosion of consumer products that improve productivity but demand ever more network access has created a model in which protection at the network perimeter can be inadequate. Because end users demand numerous devices and continuous connectivity to the company, data often flows into and out of a network in an unsupervised and possibly unsecured manner. In addition, the use of personal cloud storage and social networks significantly increases the risk of sensitive data being lost or manipulated. In view of the increased likelihood of cyber attacks on both an ICS and a corporate network to which the ICS may be connected, improved detection of unauthorized intrusion into both an ICS and a corporate network is required. It would therefore be desirable to implement a system and techniques that overcome the challenges posed by these technologies and enable improved detection of attempted intrusion into a network.

Brief Description of the Invention

[0006] The invention is defined by the independent claims.

[0007] In one aspect, an apparatus includes a processor configured to generate a first signal using a first communication protocol, the first signal corresponding to data received by the processor; to generate a second signal using a second communication protocol, the second signal comprising data generated by the processor; and to transmit the first and second signals.
In another aspect, a non-volatile computer-readable medium has code stored thereon that is executable by a computer, the code including instructions for receiving data, for generating a first signal using a first communication protocol, the first signal corresponding to the received data, for generating a second signal using a second communication protocol, the second signal comprising fabricated data, and for transmitting the first and second signals.

[0009] In another embodiment, an apparatus includes a memory configured to store instructions and a processor configured to execute the stored instructions to receive data corresponding to operating characteristics of machines; to generate, using a first communication protocol related to the machines, a first signal corresponding to the data received by the processor; to generate, using a second communication protocol related to the machines, a second signal comprising data generated by the processor; and to transmit the first and second signals.

CH 709 950 B1

Brief Description of the Drawings

These and other features, aspects and advantages of the present invention will be better understood when the following detailed description is read with reference to the accompanying drawings, in which like reference numerals represent like parts, wherein:

FIG. 1 is a block diagram of an embodiment that includes a computer network and an industrial control system;
FIG. 2 is a block diagram of the control system of FIG. 1 according to one embodiment;
FIG. 3 is a block diagram of the human-machine interface of FIG. 1 according to one embodiment;
FIG. 4 is a flowchart illustrating one embodiment of a method related to the operation of the industrial control system of FIG. 1; and
FIG. 5 is a flowchart illustrating a second embodiment of a method related to the operation of the industrial control system of FIG. 1.
Detailed Description

One or more specific embodiments of the present invention will now be described. When introducing elements of the various embodiments of the present invention, the articles "a", "an" and "the" are intended to mean that there are one or more of the elements. The terms "comprising" and "having" are intended to be inclusive and mean that there may be additional elements other than those listed.

[0012] A system and techniques for detecting intrusion into an industrial control system ("ICS") are detailed below. The techniques include the use of honeyports and/or honeypots, which allow the creation of fake services that look legitimate to attackers. Honeyports can be dummy connection points that monitor whether a connection is being made and report when a connection has been established. Honeyports can include fake services that lure attackers' connection scanners into connecting to them. A honeypot can be a subsystem or a complete system (e.g., a fake server or fake systems) that is set up to collect information about an attacker or intruder in a network. The use of honeyports or honeypots can result in an attacker making additional intrusions into the system, staying connected longer, and being more likely to reveal their identity or motives. Similarly, honeyports, when used properly, can help warn system administrators of unwanted activity (e.g., network reconnaissance). By focusing on reconnaissance and on threat information that can be acted upon, the network can detect attacks earlier and respond quickly, rather than being relatively exposed to zero-day threats. Successful use of honeyports in an ICS includes the ability to capture remote data that could help identify the attacker regardless of the type of network scan, and to generate and present an accurate representation of a service that would be expected in the represented operating environment.
This may include, for example, presenting data from a spoofed or unprotected application/version and/or a pre-made or randomized string response, for example to a full TCP connection session. It can also dynamically update firewalls based on connections that are not on a white list (e.g., a list or register of entities that are granted a specific privilege, service, mobility, access or recognition), or based on a connection that triggers several honeyports, even if it is on the white list.

With the above in mind, FIG. 1 illustrates a block diagram of an industrial control system ("ICS") 10 and a computer network 12, e.g., a corporate computer network. In some embodiments, the ICS 10 may include one or more field sites 14, a control system network 16, and a communication interface 18 between them. The field sites 14 can comprise a control system 20 and machines 22 to be monitored. In some embodiments, the control system 20 may monitor one or more operating parameters of the machines 22. In certain embodiments, the machines 22 may include wind turbines, steam turbines, hydraulic turbines, gas turbines, jet-type turbines, compressors, gears, turbo-expanders, centrifugal pumps, motors, generators, blowers, fans, shakers, mixers, centrifuges, pulp refiners, ball mills, crushers, extruders, pelletizers, cooling tower/heat exchanger blowers and/or other systems that are monitored. During operation of the machines 22, one or more sensors can measure one or more operating parameters of the machines 22 and send the measured values as signals to the control system 20. The sensors may be sensors or other suitable measuring devices that can be used to measure various parameters of the machines 22 or components therein, for example the rotational speed of a turbine shaft, the operating temperature of a turbine, or other similar operating parameters.
The sensors can send the signals relating to the operating parameters of the machines 22 to be monitored to the control system 20.

[0016] In some embodiments, the control system 20 may be, for example, a SPEEDTRONIC™ Mark VI Turbine Control System available from General Electric® of Schenectady, New York, or a similar system. In one embodiment, the control system 20 may receive the signals indicative of measured operating parameters of the machines 22 and may, for example, record and/or analyze them to generate control signals that are used to adjust inputs to the machines 22 (for example, to control the operation of the machines 22).

[0017] In some embodiments, the control system 20 may send data related to the operation of the machines 22 to the interface 18. The interface 18 may be a router or other network device that forwards communication signals. Additionally or alternatively, the interface 18 can be a communication interface that transforms signals sent between the field sites 14 and the control system network 16 (e.g., converts signals from one communication protocol to another). The interface 18 may pass received signals between the field sites 14 and the control system network 16 along a signal path 24, which may be a physical connection or a wireless connection. For example, the signal path 24 may be a wired connection such as an Ethernet connection and/or the like. Alternatively, the signal path 24 may be a wireless signal path such as a local area network (LAN) (e.g., Wi-Fi), a wide area network (WAN) (e.g., 3G or 4G), a Bluetooth network, and/or part of another wireless network. As illustrated in FIG. 1, the signal path 24 can connect to one or more servers 26 and a human-machine interface (HMI) 28 in the control system network 16.
The servers 26 can include, for example, data acquisition servers that enable the storage and/or retrieval of data from the field sites 14, database servers that provide database services for other computer programs or computers, or various other servers. In addition, as already explained, the control system network 16 can comprise one or more HMIs 28, which can comprise, for example, a workstation computer and/or a computer. This workstation or computer can be used, for example, to display data about one or more field sites 14 to a user, in order to enable monitoring and/or control of the elements present at one or more of the field sites 14.

[0019] In some embodiments, the control system network 16 may be connected to the computer network 12 along a signal path 30, for example. The signal path 30 may be a physical connection or a wireless connection, similar to the signal path 24 described above. In one embodiment, the signal path 30 may connect the control system network 16 to a firewall 32 of the computer network 12. This firewall 32 may be, for example, a software- or hardware-based network security system that controls incoming and outgoing network traffic by analyzing received data packets to determine whether they are authorized. That is, the firewall 32 can prevent unauthorized access to the signal path 34 of the computer network 12 as well as to one or more servers 36 and HMIs 38 connected to it. The servers 36 may include, for example, email servers that enable the storage and/or exchange of electronic messages, business servers that provide database services to other computer programs or computers, and various other servers. In addition, similar to the control system network 16, the computer network 12 can include one or more HMIs 38, which can comprise, for example, a workstation and/or a computer.
This workstation and/or computer can be used, for example, to enable one or more users to interact with the servers 36 and to provide general or mandatory access to various sections of the computer network 12. The HMIs 38 need not only interface to elements within the computer network 12; indeed, the HMIs 38 (as well as one or more of the servers 36) may also interface to units outside the computer network 12 (e.g., via an Internet connection). This can be achieved via a connection to the Internet 44 through the interface 40, which can be one or more routers and/or other communication infrastructure. In some embodiments, the interface 40 may also allow signals from a backup control center 42 to be sent to the control system network 16 (specifically, via the signal path 24) to enable secondary monitoring and/or control of the elements of one or more field sites 14. In some embodiments, the backup control center 42 may be used when problems cause portions of the control system network 16 to fail, thereby reducing or eliminating the monitoring and/or control of the elements of the various field sites 14.

In this way the various elements of the computer network 12 and the control system network 16 can be connected, and access from outside can also be made possible for users and networks. However, the fact that these networks permit external access can also create a desire to increase their security. One technique for increasing the security of both the computer network 12 and the control system network 16 is to implement an intrusion detection system (IDS). An IDS is a device and/or software application (e.g., stored on a device such as a memory) that enables monitoring of network or system activity.
Specifically, the IDS can look for malicious activity, hacking attempts, policy violations or other suspicious network behavior and report indications of the activity to a management station and/or management system (which, for example, may be located in one or both of the servers 26 and 36) (e.g., log the events).

[0023] To help identify suspicious and/or malicious network usage, the IDS may include IDS sensors 46. The IDS sensors 46 can be provided at various points in the computer network 12 and can operate so as to check for attacks or unwanted intrusion, for example from the Internet 44. Attacks/malicious activity can also affect the ICS 10. Accordingly, IDS sensors 46 can also be included, for example, at the various field sites 14 and in the control system network 16. For example, an IDS sensor 46 may be present in the control system 20 and in the HMI 28. The implementation and operation of these IDS sensors 46, and of the entire IDS itself, are described in detail in conjunction with the figures described below.

FIG. 2 illustrates the control system 20 of FIG. 1. In some embodiments, the control system 20 may include a control module 48 and one or more input/output (I/O) cards 50, arranged, for example, in a card rack. In some embodiments, the control module 48 may include a processor or processors 52 and/or other data processing circuitry (e.g., general-purpose central processing units (CPUs), embedded CPUs, systems on a chip (SoC), application-specific processors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), and combinations thereof), which may be operatively connected to a memory 54, to execute instructions for performing the disclosed techniques of the present invention. These instructions can be encoded in programs that can be executed by the processor 52.
The instructions can be stored in any suitable article of manufacture that comprises at least one computer-readable hardware medium that stores these instructions or routines, at least collectively, e.g., in the memory 54. The memory 54 may include, for example, random access memory, read-only memory, rewritable memory, flash memory and/or other physical storage devices. The control module 48 may also include an input/output (I/O) interface 56. The control system 20 can connect this I/O interface 56 to the interface 18 of FIG. 1 in order to communicate via a personal area network (PAN) (e.g., Bluetooth), a local area network (LAN) (e.g., Wi-Fi), a wide area network (WAN) (e.g., 3G or LTE), an Ethernet connection and/or the like. Accordingly, the control system 20 can communicate with the signal path 24 via the I/O interface 56, for example to enable cloud storage, processing and/or communication with other networked devices such as the servers 26 and the HMI 28. The control system 20 may also include an internal bus 58 that connects the control module 48 to each of the I/O cards 50, for example to enable data communication from the I/O cards 50 to the control module 48. In addition, the internal bus 58 can enable inter-card communication between the I/O cards 50. As shown, each of the I/O cards 50 may include a digital signal processor (DSP) 60, an I/O interface 62, and a memory 64. The DSP 60 can receive signals related to the operation of the machines 22 from the I/O interface 62. Specifically, the DSP 60 can be a circuit, or one or more circuits on a circuit board, that includes a processor 66 and a memory 68, which can be used together to receive, digitally filter and/or process data received from the I/O interface 62.
For example, the processor 66 may use a software program stored in the memory 68 (e.g., random access memory, read-only memory, flash memory, or other types of memory that may reside on the DSP 60) to digitally filter and/or process data received from the I/O interface 62. This processed data can then be sent to the memory 64 (random access memory, read-only memory, rewritable memory, flash memory and/or other physical storage devices) for retrieval, for example by the control module 48. Furthermore, it is understood that although a DSP 60 is shown, other types of processing units can be used instead of the DSP 60, e.g., general-purpose CPUs, embedded CPUs, SoCs, application-specific processors, ASICs, FPGAs and combinations thereof, along with their associated memory devices.

As already noted, the field sites 14 can act as an access point for malicious intrusion into the ICS 10 and/or the computer network 12. To help identify unauthorized access, IDS sensors 46 can be used. These IDS sensors 46 can be located in each of the I/O cards 50 and/or in the control module 48. For example, the ICS 10 can use a first communication protocol (e.g., protocol A) for communication of actual ICS data between the machines 22, the control system 20 and the control system network 16. In one embodiment, a second communication protocol (e.g., protocol B) can be set up as a dummy protocol, which can include fabricated data generated by the processor 52 or 66. These communication protocols A and B can include, for example, DM3 serial communication signals, Modbus communication signals, industrial control communication signals, automation communication signals and/or other communication protocols. Correspondingly, the DSP 60 can use protocol B to generate dummy communications and transmit these dummy communications in parallel with actual communication transmissions of protocol A.
Thus, while signals transmitted with protocol A correspond to the operation of the machines 22 and the operation of the ICS 10, the signals with protocol B do not correspond to actual operation of the ICS 10. Instead, the protocol B signals carry fabricated data, which can be used to determine whether malicious attempts to access the ICS 10 are taking place. In one embodiment, the circuitry of the DSP 60 can generate these signals using protocol B. For example, the processor 66, running a software program stored in the memory 68, can generate protocol B signals and send the generated data signals, which mimic actual signals that would typically be sent by a corresponding I/O card 50. The processor 66 can generate these signals with communication protocol B in conjunction with signals with protocol A for simultaneous and/or successive transmission. Additionally or alternatively, the circuitry of the control module 48 can generate these signals using protocol B. For example, the processor 52, running a software program stored in the memory 54, can generate protocol B signals and send the generated data signals, which mimic actual signals that would typically be sent by the control module 48. The processor 52 can generate these signals with communication protocol B in conjunction with signals with protocol A for simultaneous and/or sequential transmission. Furthermore, the DSP 60 and/or the control module 48 (specifically the processors 66 and 52) can recognize whether communication is initiated using protocol B. That is, if a malicious or unwanted attacker tries to access the control system 20 using signals that include or mirror transmission protocol B, the intruder can be detected, because signals using protocol B are generated only as dummy signals. This method is described in more detail below with reference to FIG. 5.
In this way, an IDS sensor 46 is present in the control system 20, since the dummy signals with protocol B act as honeyports that help detect unauthorized access to the ICS 10. An IDS sensor 46 can also be present in other parts of the ICS 10. For example, the HMI 28 of the ICS 10 may include an IDS sensor 46 in a manner substantially similar to that described above with respect to the control system 20. FIG. 3 illustrates a detailed block diagram of the HMI 28, which may include this IDS sensor 46. As shown in FIG. 3, the HMI 28 includes a processor 70 and/or other data processing circuitry, which may be operatively connected to a memory 72 and a memory 74, to execute instructions for performing the disclosed techniques of the present invention. These instructions may be encoded in programs that are executed by the processor 70 and/or other data processing circuitry (e.g., general-purpose CPUs, embedded CPUs, SoCs, application-specific processors, ASICs, FPGAs and combinations thereof). The instructions can be stored in any suitable article of manufacture that comprises at least one computer-readable hardware medium that stores these instructions or routines, at least collectively, e.g., in the memory 72 or the memory 74. The memory 72 and the memory 74 may include, for example, random access memory, read-only memory, hard disk drives and/or optical disks. The HMI 28 can also include a display 76, which can show a graphical user interface (GUI) of the HMI 28. It is understood that the HMI 28 may include a variety of other components, e.g., a power supply, a keyboard, a mouse, a track pad and/or a touch screen interface, etc. For example, the HMI 28 may also include input/output (I/O) ports 78 and a network interface 80.
The network interface 80 can provide communication via a personal area network (PAN) (e.g., Bluetooth), a local area network (LAN) (e.g., Wi-Fi), a wide area network (WAN) (e.g., 3G or LTE), Ethernet and/or the like. Through the network interface 80, the HMI 28 can communicate via the signal path 24, for example to enable processing and/or communication with other networked devices, e.g., with the servers 26 and/or the control system 20.

As already noted, the HMI 28 may act as an access point for malicious intrusion into the ICS 10 and/or the computer network 12. To help identify unauthorized access, IDS sensors 46 can be used. These IDS sensors 46 can be located in the HMI 28. For example, the ICS 10 may use a first communication protocol (e.g., protocol A) for communication of actual ICS data between the machines 22, the control system 20 and the control system network 16. In one embodiment, a second communication protocol (e.g., protocol B) is set up as a dummy protocol, which may include fabricated data generated by the processor 70. These communication protocols A and B can include DM3 serial communication signals, Modbus communication signals, industrial control communication signals, automation communication signals and/or other communication protocols. Accordingly, the processor 70 can generate dummy communications using protocol B and transmit these dummy communications in parallel with actual protocol A communication transmissions. Thus, while signals transmitted with protocol A actually correspond to the operation/control of the machines 22 and the operation of the ICS 10, the signals with protocol B do not correspond to actual operation of the ICS 10. Instead, the protocol B signals are used to determine whether malicious attempts to access the ICS 10 are taking place.
For example, in one embodiment, the processor 70, running a software program stored in the memory 72, may generate protocol B signals and transmit dummy signals that mimic actual signals that would typically be sent by a corresponding HMI 28. The processor 70 can generate these signals using communication protocol B in conjunction with signals using protocol A for simultaneous and/or consecutive transmission.

[0038] In addition, the processor 70 can recognize whether communication using protocol B is initiated. That is, if a malicious or unwanted attacker tries to access the HMI 28 from outside using signals with transmission protocol B, the intruder can be detected, since signals using protocol B are generated only as dummy signals. This process is described in more detail below with reference to FIG. 4. In this way, an IDS sensor 46 is present in the HMI 28, since the dummy signals with protocol B act as a honeyport that helps detect unauthorized access to the ICS 10.

It should be noted that this technique of implementing IDS sensors 46 can also be used to detect, for example, infected/malicious devices on the control system network 16 that are infected with malicious software. For example, a host computer (e.g., the HMI 28) can be infected if an authorized user inserts an external storage device (e.g., a USB storage device) into the HMI 28. If a virus is present on the external storage device, the virus may begin to spread to other devices on the control system network 16 and/or the computer network 12 (the HMI 28 is typically inside the security perimeter, so firewalls and/or intrusion prevention systems typically do not help). This spread can be such that the virus looks for particular open connections/vulnerabilities to propagate itself and/or to distribute malicious software.
However, by recognizing this activity (through the honeyports used in connection with the HMI 28), for example, a broadcast/multicast message can be sent to the control system network 16 and/or the computer network 12 so that all devices blacklist the compromised device (e.g., do not accept write commands from the compromised device) until a specific event occurs (e.g., an operator clears the event).

FIG. 4 illustrates a flowchart 82 that describes the operation of the HMI 28 when operating a honeyport (i.e., when it includes an IDS sensor 46). In one embodiment, the steps of the flowchart 82 may be executed partially or fully by the HMI 28 (for example by the processor 70 running a software program, i.e., code stored on a tangible machine-readable medium, for example in the memory 72 and/or the memory 74). At step 84, the processor 70 may generate signals that use protocol B (i.e., dummy signals that are not associated with the actual operation of the ICS 10) and initiate their transmission. At step 86, the processor 70 may create server socket listener(s) that operate to recognize when signals are being received using transmission protocol B. As already described, since signals with protocol B do not indicate actual operation of the ICS 10, but rather mimic an alternative protocol that a malicious user would expect to see, transmissions received/recognized by the processor 70 may indicate unauthorized access to the ICS 10 and/or the computer network 12. As soon as the server socket listener(s) have been created in step 86, the ICS 10 (for example the HMI 28) can enter a permanent state of "listening" for (detection of) signals that use protocol B. Whenever a socket connection then occurs, the process proceeds to step 88. Step 88 indicates that the processor 70 has detected a transmission using protocol B.
[0043] Thereafter, the processor 70 may determine in step 90 whether the connection is a complete connection. That is, the processor 70 can determine whether the connection should be considered half-open (e.g., no full TCP connection has occurred). If the connection is considered half-open, the processor 70 may log the event in step 92. This logging of the event in step 92 may include storing an indication of the event in, for example, the memory 74 and/or a server 26 (e.g., a network security server). However, if the processor 70 determines in step 90 that the connection is a full connection (e.g., a full TCP connection has occurred), then the process can proceed to step 94. At step 94, the processor 70 may capture, for example, data related to the connection from the remote client, such as the IP source address or other data present in the communication. The processor 70 may also capture received data up to a predetermined buffer size (e.g., the first 32 bytes, 64 bytes, 128 bytes, 256 bytes, 512 bytes, 1024 bytes, 2056 bytes, or any other amount of the received data) to support identification of possible attribute data, a browser agent, or other data helpful in establishing the identity or source of the transmission. In step 96, the processor 70 may determine whether any of the captured data includes an address that matches a data field on a white list of the ICS 10 and/or the computer network 12. For example, this data field may include a source address, a source port, a destination address, a destination port, a protocol layer (e.g., wired/wireless, IPv4, IPv6, etc.), a media access control (MAC) address, a MAC source address, a MAC destination address, signatures, checksums, a keyed-hash message authentication code (HMAC), a cryptographic hash, a fragmentation option, a radio field count, or any combination thereof.
In addition, the packet payload itself can be inspected, so that the white list check can be based on header / packet metadata and / or on deep packet inspection (DPI). The processor 70 can thus check whether the identification data of the transmission (e.g. a field) is found in a list or register of entities that are authorized for the computer network 12 and / or the control system network 16. If in step 96 the processor 70 determines that the identification data of the transmission is on a white list, the processor 70 logs the event in step 92, for example in order to determine whether an authorized addressee has made irregular accesses (which may suggest intrusion). However, if in step 96 the processor 70 determines that the transmission identification data is not on a white list, the processor 70 tries (in step 98) to hold the attention of the unauthorized user by sending false data to the sender of the detected socket connection. This false data may include, for example, a banner (which may be null in some embodiments), a random data response, and a random-length response. This false data transfer in step 98 can be an attempt to mimic the correct operation of the human-machine interface 28 and can serve to extend the time that an unauthorized user spends in the ICS 10. By extending the time that an intruder is connected to (and attempts to access components of) the ICS 10 and / or the computer network 12, additional data can be gathered about the unauthorized user to help establish the identity of the unauthorized user for investigation. In addition, a tarpit response may be given as part of step 98, adding delays to ports that are not on a white list. This means that the connections can be deliberately delayed in order to extend the time over which the unauthorized access is observed. Further delay types can also be added in step 98. For example, a decision can be made whether dynamic reconfiguration is desired.
Similarly, before a response is sent, data can be sent to a third party that makes a decision which then comes back into the system, delaying the communication. After false data has been sent in step 98, all data received before and / or after the false data was sent can be logged in step 92. In addition, the processor 70 can send a signal that warns further elements of the ICS 10 and / or the computer network 12 that an intruder has been detected, so that in step 100 defense measures can be taken, e.g. updating a host-based firewall and / or routers to protect the ICS 10 and / or the computer network 12. In addition, in step 102, a security event manager (SIEM) machine can access and receive all logged data and can, for example, reconfigure scripts for the ICS 10 and / or the computer network 12 or take other defense measures to prevent access by the recognized unauthorized user. For example, in some embodiments, the SIEM machine may reside on a server 26 or 36 (e.g., a network security server). In some embodiments, the SIEM can be used in conjunction with the logged data. For example, the collected attribute data can be used to generate IDS / intrusion prevention system (IPS) signatures so that a network-based IDS / IPS can be updated (since, for example, the IPS can be a superset of the IDS functionality). Additionally or alternatively, the logged data can be used, for example, to update a host-based IDS (for example if it is installed in connection with the human-machine interface). Furthermore, in some embodiments, a firewall rule set may be updated, for example, in control system 20 (e.g., control module 48 and / or I / O cards 50). As described above, FIG. 4 illustrates how, by using fake transmissions, the human-machine interface 28 may include an IDS sensor 46 and act as a honeyport that helps detect unauthorized access to the ICS 10. However, other elements of the ICS 10 can also include an IDS sensor 46.
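The flowchart of FIG. 4 (steps 86 through 100) maps onto a small listener. The following is an added example written for this page, not code from the patent or from the applicant: it listens for "protocol B" connections, captures the first CAPTURE_BYTES of each connection (step 94), checks the source address against a white list (step 96), logs the event (step 92), and for non-whitelisted peers applies a tarpit delay and sends a decoy banner followed by a random-length run of random bytes (step 98) before raising an alert (step 100). The banner, the white list, the tarpit delay and the peer addresses are constructed values; treating a peer that sends nothing before closing as the "half-open" case of step 90 is an assumption, since the kernel has already completed the TCP handshake by the time accept() returns. Step 84 (emitting the dummy protocol-B traffic) is not shown.

```python
import logging
import random
import socket
import threading
import time
from dataclasses import dataclass

CAPTURE_BYTES = 64                    # step 94 buffer size (one of the sizes listed in the text)
TARPIT_SECONDS = 5.0                  # constructed tarpit delay for non-whitelisted peers (step 98)
BANNER = b"ICS-GW v2.1 ready\r\n"     # constructed decoy banner standing in for "protocol B"
WHITELIST = {"10.0.0.5", "10.0.0.6"}  # constructed white list of authorized source addresses

log = logging.getLogger("honeyport")


@dataclass
class Verdict:
    action: str       # "log" (step 92 only) or "decoy" (step 98, then step 92)
    delay: float      # tarpit delay applied before answering
    response: bytes   # decoy payload, empty when only logging
    alert: bool       # whether the rest of the ICS is warned (step 100)


def decoy_response(captured: bytes, max_len: int = 256) -> bytes:
    """Step 98 reply: banner plus a random-length run of random bytes.
    The generator is seeded with the captured probe, so a repeated probe gets
    the same reply and the decoy looks consistent across reconnects."""
    rng = random.Random(captured)
    length = rng.randint(8, max_len)
    return BANNER + bytes(rng.getrandbits(8) for _ in range(length))


def decide(peer_ip: str, half_open: bool, captured: bytes, whitelist=WHITELIST) -> Verdict:
    """Steps 90-98: half-open probes and whitelisted peers are only logged;
    anything else is tarpitted, fed decoy data and reported."""
    if half_open:                 # step 90 -> step 92
        return Verdict("log", 0.0, b"", False)
    if peer_ip in whitelist:      # step 96 -> step 92 (still logged: irregular access by an authorized peer)
        return Verdict("log", 0.0, b"", False)
    return Verdict("decoy", TARPIT_SECONDS, decoy_response(captured), True)   # steps 98 and 100


def handle(conn: socket.socket, addr, whitelist=WHITELIST, sleep=time.sleep) -> Verdict:
    """Apply the flowchart to one accepted connection and return the verdict."""
    conn.settimeout(2.0)
    try:
        captured = conn.recv(CAPTURE_BYTES)            # step 94: keep only the first CAPTURE_BYTES
    except (socket.timeout, OSError):
        captured = b""
    # Assumption: a peer that closes or stays silent before sending any byte is
    # treated as the "half-open" probe case of step 90.
    verdict = decide(addr[0], captured == b"", captured, whitelist)
    log.warning("honeyport %s:%d action=%s captured=%r", addr[0], addr[1], verdict.action, captured)  # step 92
    if verdict.action == "decoy":
        sleep(verdict.delay)                           # tarpit: stretch the intruder's dwell time
        try:
            conn.sendall(verdict.response)             # step 98: false data
        except OSError:
            pass
        log.error("ALERT: unauthorized protocol-B access from %s:%d", addr[0], addr[1])  # step 100 signal
    conn.close()
    return verdict


def demo_local(peer_ip: str = "198.51.100.7", probe: bytes = b"GET / HTTP/1.0\r\n"):
    """Offline demonstration: push a constructed probe through handle() over a
    socketpair instead of a real network; returns (verdict, bytes the peer saw)."""
    server_side, client_side = socket.socketpair()
    client_side.sendall(probe)
    verdict = handle(server_side, (peer_ip, 4444), sleep=lambda s: None)   # skip the real tarpit sleep
    client_side.settimeout(2.0)
    seen = client_side.recv(4096) if verdict.action == "decoy" else b""
    client_side.close()
    return verdict, seen


def serve(bind: str = "0.0.0.0", port: int = 20000) -> None:
    """Steps 86-88: listen for protocol-B connections forever, one thread per client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()                      # step 88: a socket connection occurred
        threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    serve()
```

The decision logic is kept in decide() so it can be exercised without a network; demo_local() drives it over a socketpair. Because no legitimate device ever speaks protocol B, every accepted connection is worth a log entry, and only the white list decides whether the peer gets the decoy treatment.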
For example, as will be described in more detail below with reference to FIG. 5, the control system 20 can also implement one or more IDS sensors 46. FIG. 5 illustrates a flowchart 104 that describes the operation of the control system 20 operating a honeyport (i.e., including an IDS sensor 46). In one embodiment, the steps of the flowchart 104 can be carried out partially or completely by the control system 20 (for example by the processor 52 executing a software program, i.e. code stored on a tangible machine-readable medium, for example memory 54, and / or by the processor 66 executing a software program, i.e. code stored on a tangible machine-readable medium, for example memory 68). However, for purposes of discussion, the steps of the flowchart 104 are described only in connection with the operation of a DSP 60 of the control system 20 (it should be understood, however, that these steps may also be performed by a control module 48 of the control system 20, for example). In step 106, processor 66 can generate signals using protocol B (i.e., dummy signals that are not related to the actual operation of the ICS 10) and initiate their transmission. At step 108, processor 66 may create one or more server socket listeners that operate to recognize when signals using transmission protocol B are received. As already described, since signals using protocol B do not indicate actual operation of the ICS 10 but instead mimic an alternative protocol that a malicious user would expect to see, transmissions received / recognized by processor 66 may indicate unauthorized access to the ICS 10 and / or the computer network 12. Once the server socket listener(s) have been created, the ICS 10 (e.g. the control system 20) can enter a continuous state of "listening" for (detecting) signals using protocol B. [0053] In step 110, a socket connection occurs. This step 110 indicates that processor 66 has identified a transmission using protocol B.
In step 112, processor 66 can determine whether the connection is a complete connection. That is, the processor 66 can determine whether the connection should be considered half-open (e.g., no full TCP connection has occurred). If the connection is to be considered half-open, processor 66 may log the event in step 114. This logging of the event in step 114 may include storing an indication of the event in, for example, memory 64 and / or a server 26 (e.g., a network security server). However, if processor 66 determines in step 112 that the connection is a full connection (e.g., a full TCP connection has occurred), then the method may proceed to step 116. In step 116, processor 66 may capture, for example, data relating to the connection to the remote client, an IP source address, or other data present in the communication. Processor 66 may also capture received data up to a predetermined buffer size (e.g., the first 32 bytes, 64 bytes, 128 bytes, 256 bytes, 512 bytes, 1024 bytes, 2056 bytes, or any other amount of data present in the received transmission) in order to assist in identifying possible attribute data, a browser agent, or other data that is helpful in identifying the identity or source of the transmission. In step 118, processor 66 may determine whether any of the captured data includes an address that matches an address on a white list of the ICS 10 and / or the computer network 12. That is, the processor 66 can check whether the identification data of the transmission (e.g. a field) is found in a list or register of entities that are authorized for the computer network 12 and / or the control system network 16. If in step 118 the processor 66 determines that the identification data of the transmission is on a white list, the processor 66 logs the event in step 114, for example in order to determine whether an authorized addressee has made irregular accesses (which may suggest intrusion).
However, if in step 118 the processor 66 determines that the identification data of the transmission is not on a white list, the processor 66 enters (in step 120) a high-security mode in which the control system accepts only certain types of transmissions, so that the machines 22 cannot be controlled remotely. Additionally and / or alternatively, the high-security mode may include restricting the control system 20 until, for example, a physical reset is triggered locally on the control system, in order to prevent access to the control system by the detected intruder. In addition, as part of step 120, processor 64 can log the recorded data in step 114 and / or send a message in step 126 to the SIEM machine to check the logged data. Processor 66 may also and / or alternatively dynamically update the ICS 10 and / or the computer network 12 to expose the attacker, in order to protect the ICS 10 and / or the computer network 12.

[0057] Additionally and / or alternatively, in addition to the operation of the processor 66 described above with respect to step 120, the control system 20 may also perform the actions of step 122 in response to the processor 66 determining in step 118 that the identification data of the transmission is not on a white list. At step 120, processor 66 may direct the interaction with the attacker to, for example, a network security server (e.g., server 26 or 36) that operates a honeypot configured to capture further data from the intruder. Accordingly, server 26 and / or 36 may generate randomized responses or evasive / deceptive responses in step 124 to confuse the attacker and keep the attacker engaged while forensic and attribute data are collected by server 26 and / or 36. In addition, processor 66 and / or server 26 and / or 36 could send data to the SIEM machine, for example by logging collected data in step 114 and sending a message to the SIEM machine in step 126 to check it.
The processor 66 and / or the server 26 and / or 36 may also and / or alternatively dynamically update the ICS 10 and / or the computer network 12 to make the attacker known, in order to protect the ICS 10 and / or the computer network 12. In this way, the ICS 10 may include separate elements that may include IDS sensors 46. These sensors 46, as well as the techniques in which the sensors 46 are used, can help detect unauthorized users who are trying to access the ICS 10. Thus, by using honeyports that send bogus or false transmissions mimicking actual ICS 10 transmissions, attackers can be identified more easily and data related to their identity can be captured, while updating of the network security is also enabled to protect the ICS 10 and / or the computer network 12 from the detected intrusion.
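The control-system side of the design (FIG. 5, steps 118 through 126, together with the blacklist broadcast described for FIG. 4) is a state change rather than a listener: once a non-whitelisted peer has touched the honeyport, the controller stops honouring remote write commands until a local reset. The following added example, written for this page and not taken from the patent, models that policy as a small in-memory guard. The message kinds, the white list and the peer addresses are constructed; the rule that a whitelisted peer's honeyport hit is logged but does not trigger high-security mode follows the text, and the decision to block all remote writes (including from whitelisted peers) while in high-security mode is a reading of "only certain types of transmissions ... so that machines 22 cannot be controlled remotely".

```python
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    READ = "read"       # e.g. poll a sensor value
    STATUS = "status"   # e.g. heartbeat / health report
    WRITE = "write"     # e.g. change a setpoint or actuate a machine 22


@dataclass(frozen=True)
class Message:
    src: str            # source address of the peer (constructed values in the test)
    kind: Kind
    payload: bytes = b""


@dataclass
class ControllerGuard:
    """Honeyport-driven access policy of a controller (the control system 20)."""
    whitelist: set                                # authorized peers checked in step 118
    high_security: bool = False                   # step 120 mode
    blacklist: set = field(default_factory=set)   # devices flagged locally or by a blacklist broadcast
    events: list = field(default_factory=list)    # step 114 log, forwarded to the SIEM in step 126

    def on_protocol_b_hit(self, src: str) -> str:
        """A protocol-B connection reached this controller's honeyport."""
        self.events.append(("protocol_b", src))              # step 114: always logged
        if src in self.whitelist:                            # step 118: authorized peer, log only
            return "logged"
        self.high_security = True                            # step 120: lock down remote control
        self.blacklist.add(src)
        self.events.append(("high_security_entered", src))   # what step 126 reports to the SIEM
        return "high_security"

    def on_blacklist_broadcast(self, compromised: str) -> None:
        """Broadcast from another sensor (e.g. the HMI 28): refuse writes from that device."""
        self.blacklist.add(compromised)
        self.events.append(("blacklisted", compromised))

    def accept(self, msg: Message) -> bool:
        """Step 120 policy: only certain transmission types are accepted, so the
        machines cannot be controlled remotely; blacklisted devices never get writes through."""
        if msg.kind is Kind.WRITE and msg.src in self.blacklist:
            return False
        if msg.kind is Kind.WRITE and self.high_security:
            return False
        return True

    def local_reset(self) -> None:
        """The 'special event' that clears the state: a physical reset at the
        controller, or an operator deleting the event."""
        self.high_security = False
        self.blacklist.clear()
        self.events.append(("reset", "local"))


if __name__ == "__main__":
    guard = ControllerGuard(whitelist={"10.0.0.5"})
    print(guard.on_protocol_b_hit("198.51.100.7"))              # high_security
    print(guard.accept(Message("10.0.0.5", Kind.WRITE)))        # False: no remote control while locked
    print(guard.accept(Message("10.0.0.5", Kind.READ)))         # True: reads still served
```

Reads and status traffic keep flowing in high-security mode, so monitoring is not blinded while remote actuation is refused; the events list is the record a SIEM would consume in step 126.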
Claims:
Claims (20)
1. A device for securing control systems and a control network, comprising: a processor (66) configured to: generate a first signal using a first communication protocol for communication between the control systems in the control network, the first signal corresponding to data received by the processor (66); generate a second signal as a dummy protocol using a second communication protocol, the second signal comprising data generated by the processor (66); and send the first and second signals from the control network to the control systems.
2. The device of claim 1, wherein the processor (66) is configured to transmit the first and second signals simultaneously.
3. The device of claim 1, wherein the processor (66) is configured to transmit the first and second signals sequentially.
4. The device of claim 1, wherein the processor (66) is configured to recognize a transmission using the second communication protocol.
5. The device of claim 4, wherein the processor (66) is configured to capture data present in the transmission.
6. The device of claim 5, wherein the processor (66) is configured to analyze the captured data to determine whether a portion of the captured data matches a portion of a set of authorized data.
7. The device of claim 6, wherein the processor (66) is configured to generate and transmit a third signal using the second communication protocol when the portion of the captured data does not match the portion of the set of authorized data.
8. The device of claim 6, wherein the processor (66) is configured to generate and send an indication of unauthorized network access when the portion of the captured data does not match the portion of the set of authorized data.
9. The device of claim 5, wherein the processor (66) is configured to send the captured data to a memory (54, 64, 68, 72, 74) to log the captured data.
10. The device of claim 5, wherein the processor (66) is configured to capture at least 32 bytes of data as the captured data.
11. The device of claim 1, wherein the processor (66) is configured to execute stored instructions to receive data corresponding to operational characteristics of machines.
12. The device of claim 11, wherein the processor (66) is configured to recognize a transmission in which the second communication protocol is used by a remote user.
13. The device of claim 12, wherein the processor (66) is configured to forward interaction with the remote user to a server (26, 36).
14. A non-transitory computer-readable medium having code stored thereon that is executable by a computer, the code comprising instructions for securing control systems and a control network, for: receiving data; generating a first signal using a first communication protocol for communication between the control systems in the control network, the first signal corresponding to the received data; generating a second signal as a dummy protocol using a second communication protocol, the second signal comprising fabricated data; and sending the first and second signals from the control network to the control systems.
15. The non-transitory computer-readable medium of claim 14, wherein the code comprises instructions to detect a transmission using the second communication protocol.
16. The non-transitory computer-readable medium of claim 15, wherein the code comprises instructions for capturing data present in the transmission.
17. The non-transitory computer-readable medium of claim 16, wherein the code comprises instructions for analyzing the captured data to determine whether a portion of the captured data matches a portion of a set of authorized data.
18. The non-transitory computer-readable medium of claim 17, wherein the code comprises instructions to generate and send a third signal using the second communication protocol when the portion of the captured data does not match the portion of the set of authorized data.
19. The non-transitory computer-readable medium of claim 17, wherein the code comprises instructions to generate and send an indication of unauthorized network access if the portion of the captured data does not match the portion of the set of authorized data.
20. The non-transitory computer-readable medium of claim 16, wherein the code comprises instructions to send the captured data to a memory to log the captured data.
Patent family:
Publication number | Publication date
JP2016520237A | 2016-07-11
US20160373483A1 | 2016-12-22
CA2913015A1 | 2014-12-04
WO2014193559A1 | 2014-12-04
CN105493060B | 2019-04-09
JP6634009B2 | 2020-01-22
US9838426B2 | 2017-12-05
US20140359708A1 | 2014-12-04
US9436652B2 | 2016-09-06
CH709950A1 | 2014-12-04
CA2913015C | 2021-12-07
CN105493060A | 2016-04-13
Legal status:
2017-03-15 | NV | New agent | Representative's name: GENERAL ELECTRIC TECHNOLOGY GMBH GLOBAL PATENT, CH
Priority:
Application number | Publication number | Priority date | Filing date | Title
US13/907,867 | US9436652B2 | 2013-06-01 | 2013-06-01 | Honeyport active network security
PCT/US2014/034751 | WO2014193559A1 | 2013-06-01 | 2014-04-21 | Honeyport active network security