
CN105807631A - PLC simulation-based industrial control intrusion detection method and intrusion detection system - Google Patents


Info

Publication number: CN105807631A
Authority: CN (China)
Prior art keywords: plc, controlled object, variable, subsystem, scl
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610131655.1A
Other languages: Chinese (zh)
Other versions: CN105807631B (en)
Inventors: 高为, 高一为, 周睿康, 赖英旭, 范科峰, 宋站威, 王宇盛, 姚相振, 龚洁中
Current assignee: Electronic Industrial Standardization Institute Ministry Of Industry And Information Technology Of People's Republic Of China; Beijing University of Technology (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Electronic Industrial Standardization Institute Ministry Of Industry And Information Technology Of People's Republic Of China; Beijing University of Technology
Application filed by Electronic Industrial Standardization Institute Ministry Of Industry And Information Technology Of People's Republic Of China and Beijing University of Technology
Priority to CN201610131655.1A
Publication of CN105807631A
Application granted
Publication of CN105807631B
Legal status: Active (current)

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B17/00 Systems involving the use of models or simulators of said systems
    • G05B17/02 Systems involving the use of models or simulators of said systems electric

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Programmable Controllers (AREA)

Abstract

A PLC simulation-based industrial control intrusion detection method and intrusion detection system. The system is composed of a PLC simulation module, a control object anomaly detection module and a controlled object anomaly detection module. The PLC simulation module is composed of a communication subsystem, an SCL language interpretation subsystem, an intermediate-layer data cache subsystem and an execution engine subsystem. The communication subsystem is connected to the industrial control network. The execution engine subsystem is connected to the intermediate-layer cache subsystem. The controlled object anomaly detection module is connected to the PLC simulation module. Without changing the structure of the industrial network or affecting daily production, the invention gives users an intrusion detection system for the control object and the controlled object, with few missed alarms and false alarms and fast intrusion identification, thereby greatly improving the network security level of industrial control systems at low cost.

Description

Industrial control intrusion detection method and intrusion detection system based on PLC simulation

Technical field

The invention relates to the technical field of industrial control networks, and in particular to an analysis method and intrusion detection system for industrial control systems whose control logic is written in the SCL language.

Background

An industrial control system (ICS) is composed of various automation control components together with process control components for real-time data acquisition and monitoring; it is an information system that mainly implements data acquisition and processing, monitoring and control, and remote communication and maintenance. As industrialization and informatization continue to converge, more and more information technologies are being applied in the industrial control field.

As industrialization and automation move towards networking and informatization, more and more industrial control systems adopt standard, general-purpose communication protocols and software and hardware systems. In this context the original isolation of industrial control systems is broken, and insecure factors such as viruses, Trojans and intrusions enter the industrial control network along with the normal information flow, leading to unstable production. This is especially serious in the electric power, petrochemical, food and pharmaceutical, and air transport sectors, where industrial control systems are already widely deployed in China, and it seriously affects national strategic security.

Traditional IT security technologies such as access control, auditing, encryption, antivirus software, firewalls and intrusion detection (IDS) are relatively mature and can be applied to enterprise networks. In an industrial control network, however, the application scenarios differ from those of enterprise systems in many respects: industrial control systems have stricter real-time requirements, some transmission protocols are not public, and the program interfaces of industrial control components are not open. Traditional techniques therefore cannot be applied directly to securing the control network and the fieldbus network and must be adapted to the industrial control network. The fieldbus network generally carries electrical signals, and sensors and actuators usually run fixed firmware, so most anomalies arise because logic control devices such as RTUs or PLCs have been attacked. Research should therefore focus on the security mechanisms of the control network within the industrial control network.

Because antivirus software is incompatible with some industrial applications and firewalls cannot prevent attacks originating inside the ICS, an intrusion detection system (IDS) becomes the best option for countering APT attacks. Intrusion detection systems are widely used in information security and mainly take two approaches, signature detection and anomaly detection. Signature detection cannot cope with unknown attacks, whereas anomaly detection is better able to address the threat of APT attacks. Compared with traditional environments, research on anomaly detection in ICS environments is still in its infancy and has considerable room for development.

Summary of the invention

To solve the above problems, the present invention provides a PLC simulation-based industrial control intrusion detection method and intrusion detection system that can effectively detect anomalies in both the controller (PLC) and the controlled object (physical equipment). The system has high detection accuracy and strong real-time performance.

To achieve this purpose, the present invention proposes a PLC simulation-based industrial control intrusion detection system composed of a PLC simulation module, a control object anomaly detection module and a controlled object anomaly detection module.

The PLC simulation module is composed of a communication subsystem, an SCL language interpretation subsystem, an intermediate-layer data cache subsystem and an execution engine subsystem.

The communication subsystem is connected to the industrial control network. The user imports an edited configuration file into the anomaly detection system, and the system communicates with the real PLC according to that file. At the period set in the configuration file, it cyclically reads the input and output data at the memory locations specified in the configuration file from the PLC and stores the information in the intermediate-layer data cache subsystem.

The SCL language interpretation subsystem is connected to the intermediate-layer data cache subsystem; the user imports the control program code written in SCL in the PLC into the system. The system's lexical analyzer splits the SCL code into lexemes according to a preset format and passes the result to the parser as tokens. The parser filters them against rules specified in advance as a BNF grammar and passes token combinations that satisfy a rule to the interpreter. Depending on the meaning of each token combination, the interpreter generates intermediate code or stores a variable in the symbol table; the meaning of a token combination is the same as that of the corresponding SCL code. The intermediate code and symbol table are stored in the intermediate-layer data cache subsystem.

The execution engine subsystem is connected to the intermediate-layer cache subsystem. After the SCL language interpretation subsystem has finished interpreting the imported SCL code, the execution engine subsystem loads the intermediate code and symbol table. It executes the intermediate code by looping over it and, during execution, updates the values of variables in the symbol table according to the execution results.

The result of executing a piece of SCL program code in the PLC simulation module is the same as the result of executing it in the real PLC.

The control object anomaly detection module is connected to the PLC simulation module. If the final output of the same piece of SCL control program code in the PLC simulation module differs from the output read from the real PLC, abnormal behaviour is deemed to have occurred in the controller PLC, because the structure and function of the PLC sandbox are identical to those of the real PLC.

The controlled object anomaly detection module is connected to the PLC simulation module. First, the values of the controlled object's input and output sensors are read through the PLC simulation module. Multivariable system identification with an autoregressive model with exogenous input (ARX) is then used to build the model of the controlled object:

$$Y(k) + a_1 Y(k-1) + \cdots + a_h Y(k-n) = B_0 U(k) + B_1 U(k-1) + \cdots + B_h U(k-n) + e(k)$$

where $Y(k)$ is the $m$-dimensional output; $U(k)$ is the $r$-dimensional input; $N$ is the sequence length of the $r$-dimensional input and the $m$-dimensional output; $k = (n+1), \ldots, (n+N)$; $e(k)$ is $m$-dimensional noise; $a_1, a_2, \ldots, a_h$ are the $m \times m$-dimensional parameters to be identified; $B_1, B_2, \ldots, B_h$ are the $m \times r$ matrices to be identified; $n$ is the delay; and $h$ is the order of the model parameters.

$$a_i Y(k-i) = \begin{bmatrix} a_{11}^{i} & a_{12}^{i} & \cdots & a_{1m}^{i} \\ a_{21}^{i} & a_{22}^{i} & \cdots & a_{2m}^{i} \\ \vdots & \vdots & \ddots & \vdots \\ a_{m1}^{i} & a_{m2}^{i} & \cdots & a_{mm}^{i} \end{bmatrix} \begin{bmatrix} y_1(k-i) \\ y_2(k-i) \\ \vdots \\ y_m(k-i) \end{bmatrix}, \quad i \in [0, n]$$

$$B_i U(k-i) = \begin{bmatrix} b_{11}^{i} & b_{12}^{i} & \cdots & b_{1r}^{i} \\ b_{21}^{i} & b_{22}^{i} & \cdots & b_{2r}^{i} \\ \vdots & \vdots & \ddots & \vdots \\ b_{m1}^{i} & b_{m2}^{i} & \cdots & b_{mr}^{i} \end{bmatrix} \begin{bmatrix} u_1(k-i) \\ u_2(k-i) \\ \vdots \\ u_r(k-i) \end{bmatrix}, \quad i \in [0, n]$$

Therefore, row $j$, $j \in [1, m]$, of the controlled object model can be rewritten as

$$\begin{aligned} y_j(k) = {} & -a_{11}^{j} y_1(k-1) - \cdots - a_{1m}^{j} y_m(k-1) - a_{21}^{j} y_1(k-2) - \cdots - a_{2m}^{j} y_m(k-2) - \cdots - a_{n1}^{j} y_1(k-n) - \cdots - a_{nm}^{j} y_m(k-n) \\ & + b_{01}^{j} u_1(k) + b_{02}^{j} u_2(k) + \cdots + b_{0r}^{j} u_r(k) + b_{11}^{j} u_1(k-1) + b_{12}^{j} u_2(k-1) + \cdots + b_{1r}^{j} u_r(k-1) + \cdots \\ & + b_{n1}^{j} u_1(k-n) + b_{n2}^{j} u_2(k-n) + \cdots + b_{nr}^{j} u_r(k-n) + e_j(k) \end{aligned}$$

From the above expression $N$ matrices are obtained:

$$Y_j(k-i) = \begin{bmatrix} y_1(k-i) \\ y_2(k-i) \\ \vdots \\ y_m(k-i) \end{bmatrix}, \; i = 0, 1, \ldots, n, \qquad e_j = \begin{bmatrix} e_j(1) \\ e_j(2) \\ \vdots \\ e_j(N) \end{bmatrix}, \qquad U(k-i) = \begin{bmatrix} u_1(k-i) \\ u_2(k-i) \\ \vdots \\ u_r(k-i) \end{bmatrix}, \; i = 1, 2, \ldots, n$$

$$\theta_j^{T} = \begin{bmatrix} a_{11}^{j} & \cdots & a_{1m}^{j} & \cdots & a_{n1}^{j} & \cdots & a_{nm}^{j} & b_{01}^{j} & \cdots & b_{0r}^{j} & b_{11}^{j} & \cdots & b_{1r}^{j} & \cdots & b_{n1}^{j} & \cdots & b_{nr}^{j} \end{bmatrix}$$

Row $j$, $j \in [1, m]$, of the controlled object model can then be expressed as $Y_j = H_j \theta_j + e_j$.

The consistent and unbiased estimate of $\theta_j$ is then computed by the least squares method. Letting $j = 1, 2, \ldots, m$ gives the parameter estimates of every row, and the ARX model of the controlled object is obtained. The orders $h_a, h_b$ of $a_h, b_h$ are selected with the AIC criterion, $J(j) = J(j-1) + z(j)\varepsilon(k)$; the $(h_a, h_b)$ at which $AIC(h_a, h_b)$ is minimal are the chosen orders of $a_h, b_h$. Let $D(k)$ be the error between the model estimate and the true value of the controlled object; singular points in $D(k)$ are detected by wavelet decomposition. A 3-level decomposition with the db6 wavelet is used, where $j$ is the decomposition level, $K = 1000$ is the wavelet shift scale, $\phi_{jK}$ is the scaling function and $\psi_{jK}$ is the wavelet function, $\psi_{jk} = 2^{-j/2}\psi_0(2^{-j} i - k)$. When the decomposed high-frequency coefficients $d_{ig}(j,k)$ contain a point greater than 0.3, the controlled object is considered abnormal.

The present invention provides a PLC simulation-based industrial control intrusion detection method and intrusion detection system. Without changing the structure of the industrial network or affecting daily production, it gives users an intrusion detection system for the control object (PLC) and the controlled object (physical equipment), with few missed alarms and false alarms and fast intrusion identification, thereby greatly improving the network security level of industrial control systems at low cost.

Description of the drawings

Fig. 1 is a schematic structural diagram of the system of the present invention.

Fig. 2 is a schematic flow chart of the PLC simulation of the present invention.

Fig. 3 is a schematic flow chart of control object anomaly detection in the present invention.

Fig. 4 is a schematic flow chart of controlled object anomaly detection in the present invention.

Detailed description

The present invention is described in detail below with reference to the specific embodiments shown in the accompanying drawings.

Fig. 1 is a schematic structural diagram of the sandbox-simulation-based industrial control intrusion detection system of the present invention. As shown in Fig. 1, it includes the following.

The PLC simulation module is connected to the control object anomaly detection module and the controlled object detection module.

The inputs of the PLC simulation module are the control program code for the controlled object, written in SCL, the initialization configuration file, and the input and output data of the control object and the controlled object.

The PLC simulation module loads the configuration file to determine which control object and controlled object data to obtain; the communication subsystem then reads the required data according to the configured run-cycle interval, data items to read and memory addresses.

One copy of all data obtained by the communication subsystem is passed to the controlled object anomaly detection module; the other copy is passed to the intermediate-layer data cache subsystem to update the symbol table.

The PLC simulation module loads the PID program code and feeds the program code written in SCL into the SCL language interpretation subsystem. The SCL language subsystem produces the initial symbol table and the intermediate code through its lexical analyzer, parser and interpreter, and writes the symbol table and intermediate code into the intermediate-layer data cache subsystem.

The execution engine subsystem simulates execution of the SCL program by loading the symbol table and intermediate code from the intermediate-layer data cache subsystem. The execution result is passed to the control object anomaly detection module for anomaly detection.

Fig. 2 is a schematic flow chart of the PLC simulation module of the present invention. As shown in Fig. 2, the flow includes the following steps.

Step 21: the user reads the SCL control logic program code from the control object PLC and saves it as a file. The program code should contain two parts, the variable declarations and the logic code. The user imports the file into the PLC simulation module.

Step 22: in the initialization file the user declares, for each control object variable and controlled object sensor value to be read, its name, memory address, storage type, and whether it is an input variable and whether it is an output variable. All of these variables should reside in the PLC. The PLC simulation uses the information in the initialization variable declarations to access the real PLC and read the specified contents from its memory. The user imports the prepared initialization file into the PLC simulation module.

Step 23: according to the characteristics of the SCL language, the lexical analyzer of the present invention defines the SCL keywords as tokens: for example if corresponds to the token T_IF and else to T_ELSE, and a variable declaration returns the token V_VAR. The lexical analyzer reads the characters of the file and checks whether they match a defined token; if a match is found it returns that token, otherwise it continues matching.

Step 24: the parser of the present invention describes the SCL language rules formally using BNF. For example, the token combination T_IF T_VAR T_EQUAL 1 corresponds to the SCL statement if var == 1.

Step 25: if the parser finds a known token combination among the tokens obtained from the lexical analyzer, go to step 27; otherwise go to step 26.

Step 26: inform the user that the SCL program code contains a syntax error and ask the user to check the SCL program code.

Step 27: the interpreter of the present invention generates the intermediate code (opcodes) from the semantic meaning of the token combination. The principle of the opcode is to convert every instruction in the SCL program into a binary operation: an opcode node contains two operands, an operator and a node type.

Step 28: if the generated opcode node is of variable type, go to step 30; otherwise go to step 29.

Step 29: store the opcode node in the intermediate code queue, so that once the interpreter has finished interpreting all of the SCL code the queue can be handed to the execution engine subsystem for execution.

Step 30: if the generated opcode node is of variable type, convert it into a variable structure and store it in the symbol table. The variable structure stores the variable name, data type and value. The variable types are the four SCL data types REAL, TIME, DWORD and BIT.

Step 31: the invention reads the initialization file and updates the variable values in the PLC simulation's symbol table; this step reads the input and output variables of the control object PLC.

Step 32: this step reads the input and output variables of the controlled object and passes the values read to the controlled object detection model for modelling and detection.

Step 321: buffer the controlled object's input and output data for use in modelling and wavelet decomposition detection.

Step 322: determine whether the controlled object model has already been built. If so, go to step 325 and detect directly with the acquired controlled object data; otherwise go to step 323.

Step 323: determine whether the length of the buffered time series satisfies the value set at initialization. If so, go to step 324; otherwise go to step 321.

Step 324: determine the model order with the AIC criterion, select the order to use for modelling, and build the ARX system identification model from that order and the buffered controlled object data.

Step 325: compute the estimated model output from the established ARX model and the acquired controlled object data, then compute the error between the estimate and the actual value.

Step 326: perform a 3-level wavelet decomposition of the error sequence with the db6 wavelet and obtain the decomposed high-frequency coefficients.

Step 327: traverse the high-frequency coefficient sequence; if a value greater than 0.3 is found, go to step 328, otherwise go to step 329.

Step 328: inform the user that the controlled object's data has changed abnormally and the controlled object is in an abnormal state.

Step 329: the controlled object is normal in this execution cycle; no abnormal state was found.
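As an added illustration of the controlled-object check described in the summary (the $Y_j = H_j \theta_j + e_j$ least-squares fit) and in steps 321 to 329, not code from the patent: the block below identifies a single-input, single-output ARX model from constructed plant data, computes the residual D(k), and thresholds the detail coefficients of a 3-level wavelet decomposition at the page's 0.3. Assumptions: a Haar filter pair stands in for the db6 wavelet (the function accepts any filter pair), the model order is fixed at 1 rather than chosen by AIC, and the plant coefficients, the square-wave input and the tampering window are constructed for the example.

```python
import math

def arx_regressors(y, u, n):
    """Rows of H_j and Y_j for a single-output ARX model of order n (page: Y_j = H_j theta_j + e_j).
    Row k is [-y(k-1), ..., -y(k-n), u(k), ..., u(k-n)], so theta = [a_1..a_n, b_0..b_n]."""
    H = [[-y[k - i] for i in range(1, n + 1)] + [u[k - i] for i in range(n + 1)]
         for k in range(n, len(y))]
    return H, y[n:]

def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for the small normal-equation system."""
    m = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(m):
        p = max(range(c, m), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(m):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * v for x, v in zip(M[r], M[c])]
    return [M[i][m] / M[i][i] for i in range(m)]

def least_squares(H, Y):
    """theta_hat = (H^T H)^-1 H^T Y: the page's consistent, unbiased estimate of theta_j."""
    p = len(H[0])
    HtH = [[sum(h[i] * h[j] for h in H) for j in range(p)] for i in range(p)]
    HtY = [sum(h[i] * v for h, v in zip(H, Y)) for i in range(p)]
    return solve(HtH, HtY)

def residuals(theta, y, u, n):
    """D(k) = y(k) - y_hat(k): error between the model estimate and the measured output."""
    H, Y = arx_regressors(y, u, n)
    return [v - sum(t * h for t, h in zip(theta, row)) for row, v in zip(H, Y)]

SQ = 1 / math.sqrt(2)
HAAR_LO, HAAR_HI = [SQ, SQ], [SQ, -SQ]        # stand-in for the db6 analysis filter pair

def wavelet_details(x, lo=HAAR_LO, hi=HAAR_HI, levels=3):
    """Detail (high-frequency) coefficients d(j, k), j = 1..levels, of a DWT with periodic
    extension; any orthogonal analysis filter pair, db6 included, can be passed as lo/hi."""
    details, approx = [], list(x)
    for _ in range(levels):
        if len(approx) % 2:
            approx.append(approx[-1])            # pad odd lengths before decimating by 2
        ext, half = approx + approx[:len(lo)], len(approx) // 2
        details.append([sum(h * ext[2 * i + t] for t, h in enumerate(hi)) for i in range(half)])
        approx = [sum(w * ext[2 * i + t] for t, w in enumerate(lo)) for i in range(half)]
    return details

def detect_anomaly(residual, threshold=0.3, levels=3):
    """Step 327 with the page's threshold: (level, index) of each detail coefficient whose
    magnitude exceeds it (the page tests the signed value; abs also catches negative spikes)."""
    return [(j + 1, k) for j, d in enumerate(wavelet_details(residual, levels=levels))
            for k, c in enumerate(d) if abs(c) > threshold]

def simulate_plant(N, a1=-0.8, b0=0.5, b1=0.2, tamper=None):
    """Constructed controlled object y(k) + a1 y(k-1) = b0 u(k) + b1 u(k-1) + e(k) driven by a
    square wave; tamper=(start, stop, offset) adds a sensor offset over that window."""
    u = [1.0 if (k // 20) % 2 == 0 else -1.0 for k in range(N)]
    y = [0.0] * N
    for k in range(1, N):
        y[k] = -a1 * y[k - 1] + b0 * u[k] + b1 * u[k - 1] + 0.01 * math.sin(7.0 * k)
    if tamper:
        s, e, off = tamper
        y = [v + off if s <= k < e else v for k, v in enumerate(y)]
    return u, y

def run_demo(n=1):
    """Steps 321-329 end to end: identify on a clean run, then screen a tampered run."""
    u, y = simulate_plant(200)
    theta = least_squares(*arx_regressors(y, u, n))
    clean_hits = detect_anomaly(residuals(theta, y, u, n))
    u2, y2 = simulate_plant(200, tamper=(150, 160, 2.0))
    return theta, clean_hits, detect_anomaly(residuals(theta, y2, u2, n))

if __name__ == "__main__":
    theta, clean, tampered = run_demo()
    print("theta_hat =", [round(t, 3) for t in theta])
    print("clean run hits:", clean, "\ntampered run hits:", tampered)
```

A detail coefficient at level j and index k covers residual samples k·2^j to (k+1)·2^j − 1, so the reported hits cluster at the constructed tampering window while the clean run produces none.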

Step 33: by this step the SCL code has been interpreted and the input and output objects have been synchronized with the real control object. This step traverses the intermediate code sequence and computes each node's operands with the operator function specified in the intermediate code; an operand may be a constant, a variable or another intermediate code sequence. When this step finishes, execution branches: one branch returns to step 31 to continue the loop, the other goes to step 34.

Step 34: transmit this run's intermediate code execution result to the control object anomaly detection module for anomaly detection and generate the anomaly detection result for this execution cycle.

Step 341: read the computed values of the output variables in the PLC simulation.

Step 342: read the values of all output variables from the PLC according to the settings in the initialization file.

Step 343: compare the output variables computed by the PLC simulation with the output variable values read from the real PLC.

Step 344: if the comparison matches, go to step 346; otherwise go to step 345.

Step 345: if the comparison does not match, then in this execution cycle the real PLC and the PLC simulation produced different outputs for identical inputs. This means the execution logic of the real PLC is abnormal: it is faulty or has been modified by someone. The names and values of the differing variables are output to alert the user.

Step 346: if the comparison matches, then in this execution cycle the real PLC and the PLC simulation produced identical outputs for identical inputs, and the control logic of the control object PLC is normal.
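An added, self-contained illustration of steps 23 to 34 and 341 to 346 in Python, not the patent's implementation: a lexer that maps SCL keywords to tokens such as T_IF and V_VAR, a parser that turns a small SCL subset into binary opcode nodes and a typed symbol table, an execution engine that runs one scan, and a control-object check that reports every output the real PLC reports differently. The SCL subset, the token names other than T_IF and V_VAR, the SCL program and the PLC readings are assumptions constructed for the example.

```python
import operator
import re

CAST = {"REAL": float, "DWORD": int, "BIT": bool, "TIME": int}   # TIME held as integer ms
# Step 23 token table (constructed; ELSE left out to keep the subset small).
KEYWORDS = {**{k: "T_" + k for k in ("VAR", "END_VAR", "IF", "THEN", "END_IF")},
            **{t: "T_TYPE" for t in CAST}}
TOKEN_RE = re.compile(r"\s*(?:(\d+\.\d+|\d+)|([A-Za-z_]\w*)|(:=|[=<>+\-*/:;])|(\S))")
BINOPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv,
          "=": operator.eq, "<": operator.lt, ">": operator.gt}
LEVELS = (("=", "<", ">"), ("+", "-"), ("*", "/"))   # lowest to highest precedence

def lex(src):
    """Lexical analyzer: (token, text) pairs; any other non-blank character is a syntax error."""
    out = []
    for m in TOKEN_RE.finditer(src):
        num, ident, op, bad = m.groups()
        if bad:
            raise SyntaxError(f"unexpected character {bad!r} at offset {m.start(4)}")
        out.append(("T_NUM", num) if num else
                   (KEYWORDS.get(ident.upper(), "V_VAR"), ident) if ident else ("T_OP", op))
    return out + [("T_EOF", "")]

class Parser:
    """Steps 24-30: recursive descent producing opcode nodes (type, operator, operand 1,
    operand 2) and the symbol table; a token combination with no rule raises (step 26)."""
    def __init__(self, tokens):
        self.toks, self.i, self.symtab, self.code = tokens, 0, {}, []

    def expect(self, tok, text=None):
        t = self.toks[self.i]
        if t[0] != tok or (text is not None and t[1] != text):
            raise SyntaxError(f"expected {text or tok}, got {t[1]!r}")
        self.i += 1
        return t[1]

    def parse(self):
        self.expect("T_VAR")                      # declarations -> symbol table (step 30)
        while self.toks[self.i][0] != "T_END_VAR":
            name = self.expect("V_VAR"); self.expect("T_OP", ":")
            typ = self.expect("T_TYPE").upper(); self.expect("T_OP", ";")
            self.symtab[name] = {"type": typ, "value": CAST[typ]()}
        self.expect("T_END_VAR")
        while self.toks[self.i][0] != "T_EOF":    # statements -> opcode queue (step 29)
            self.code.append(self.statement())
        return self.code, self.symtab

    def statement(self):
        if self.toks[self.i][0] == "T_IF":        # T_IF expr T_THEN stmts T_END_IF ;
            self.expect("T_IF"); cond, body = self.expr(), []
            self.expect("T_THEN")
            while self.toks[self.i][0] != "T_END_IF":
                body.append(self.statement())
            self.expect("T_END_IF"); self.expect("T_OP", ";")
            return ("if", "IF", cond, body)
        name = self.expect("V_VAR"); self.expect("T_OP", ":=")   # V_VAR := expr ;
        rhs = self.expr(); self.expect("T_OP", ";")
        return ("assign", ":=", name, rhs)

    def expr(self, level=0):
        """Precedence climbing; every operator becomes a binary "binop" node (step 27)."""
        if level == len(LEVELS):                  # factor: number literal or variable
            tok, text = self.toks[self.i]
            if tok == "T_NUM":
                self.i += 1
                return ("const", None, float(text) if "." in text else int(text), None)
            return ("var", None, self.expect("V_VAR"), None)
        node = self.expr(level + 1)
        while self.toks[self.i][0] == "T_OP" and self.toks[self.i][1] in LEVELS[level]:
            node = ("binop", self.expect("T_OP"), node, self.expr(level + 1))
        return node

def execute(node, symtab):
    """Step 33: evaluate one opcode node; operands are constants, variables or other nodes."""
    kind, op, left, right = node
    if kind == "const": return left
    if kind == "var": return symtab[left]["value"]
    if kind == "binop": return BINOPS[op](execute(left, symtab), execute(right, symtab))
    if kind == "assign":                          # store with the declared type (REAL/BIT/...)
        symtab[left]["value"] = CAST[symtab[left]["type"]](execute(right, symtab))
    elif execute(left, symtab):                   # "if": the body runs only when the test holds
        for stmt in right: execute(stmt, symtab)

def run_cycle(code, symtab, plc_inputs, output_names):
    """Steps 31-34: load inputs read from the real PLC, run one scan, return simulated outputs."""
    for name, value in plc_inputs.items():
        symtab[name]["value"] = CAST[symtab[name]["type"]](value)
    for node in code:
        execute(node, symtab)
    return {name: symtab[name]["value"] for name in output_names}

# Constructed SCL control logic standing in for the program read from the PLC (step 21).
SCL_SOURCE = """VAR level : REAL; setpoint : REAL; pump : BIT; alarm : BIT; END_VAR
pump := level < setpoint;  alarm := 0;
IF level > setpoint + 10.0 THEN alarm := 1; END_IF;"""
CODE, SYMTAB = Parser(lex(SCL_SOURCE)).parse()

def check_cycle(plc_inputs, plc_outputs):
    """Steps 341-345: simulate with the PLC's inputs; return (name, simulated, real) for every
    output the real PLC reports differently (an empty list means the control logic is normal)."""
    sim = run_cycle(CODE, SYMTAB, plc_inputs, plc_outputs)
    return [(n, sim[n], plc_outputs[n]) for n in sim if sim[n] != plc_outputs[n]]
```

With constructed readings level=55.0 and setpoint=50.0, a real PLC reporting pump=True is flagged as ("pump", False, True), which is the step 345 alert; matching readings return an empty list (step 346).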

It should be understood that although this specification is described in terms of embodiments, not every embodiment contains only one independent technical solution. The specification is written in this way only for clarity; those skilled in the art should treat the specification as a whole, and the technical solutions of the various embodiments may be combined appropriately and implemented as those skilled in the art understand.

The detailed descriptions listed above are only specific descriptions of feasible embodiments of the present invention and are not intended to limit its scope of protection. All equivalent embodiments or modifications that do not depart from the spirit of the invention fall within the scope of protection of the present invention.

Claims (4)

1. A PLC-simulation-based industrial control intrusion detection system, characterised in that the system consists of a PLC simulation module, a control-object (controller) anomaly detection module and a controlled-object (plant) anomaly detection module.

The PLC simulation module consists of a communication subsystem, an SCL language interpretation subsystem, a middle-layer data cache subsystem and an execution engine subsystem.

The communication subsystem is connected to the industrial control network. The user imports an edited configuration file into the anomaly detection system; the system communicates with the real PLC according to that file and, at the period set in the file, cyclically reads the input and output data at the PLC memory locations the file specifies and stores them in the middle-layer data cache subsystem.

The SCL language interpretation subsystem is connected to the middle-layer data cache subsystem. The user imports the control program, written in SCL, from the PLC into the system. A lexical analyser splits the SCL code into tokens according to a preset format and passes them to the syntax analyser; the syntax analyser filters them against a predefined BNF grammar and passes the token combinations that match a rule to the interpreter; the interpreter generates intermediate code, or stores variables in a symbol table, according to the meaning of each token combination, which is identical to the meaning of the corresponding SCL code. The intermediate code and the symbol table are stored in the middle-layer data cache subsystem.

The execution engine subsystem is connected to the middle-layer data cache subsystem. Once the SCL language interpretation subsystem has finished interpreting the imported SCL, the execution engine loads the intermediate code and the symbol table, executes the intermediate code by cyclic traversal and, during execution, updates the values of the variables in the symbol table according to the execution results. The result of executing a piece of SCL code in the PLC simulation module is identical to the result of executing it in the real PLC.

The control-object anomaly detection module is connected to the PLC simulation module. If the final output produced by a segment of SCL control code in the PLC simulation module differs from the output read from the real PLC, abnormal behaviour is deemed to have occurred in the PLC controller, because the structure and function of the PLC sandbox are identical to those of the real PLC.

The controlled-object anomaly detection module is connected to the PLC simulation module.

2. The PLC-simulation-based industrial control intrusion detection system of claim 1, characterised in that the PLC simulation module is connected to the control-object anomaly detection module and to the controlled-object detection module.

The inputs of the PLC simulation module are the SCL control program for the controlled object, the initialisation configuration file, and the input and output data of the control object and of the controlled object.

The PLC simulation module determines from the loaded configuration file which control-object and controlled-object data to acquire; the communication subsystem reads the required data over the network according to the configured cycle interval, data items and memory addresses.

One copy of all data acquired by the communication subsystem is passed to the controlled-object anomaly detection module; the other copy is passed to the middle-layer data cache subsystem to update the symbol table.

The PLC simulation module loads the PID program code, feeding the SCL program into the SCL language interpretation subsystem; that subsystem, through its lexical analyser, syntax analyser and interpreter, generates the initial symbol table and intermediate code and stores both in the middle-layer data cache subsystem.

The execution engine subsystem simulates execution of the SCL program by loading the symbol table and intermediate code from the middle-layer data cache subsystem; the execution result is passed to the control-object anomaly detection module for anomaly detection.

3. A PLC-simulation-based industrial control intrusion detection method using the system of claim 1, characterised in that: first, the values of the input and output sensors of the controlled object are read through the PLC simulation module; then a model of the controlled object is built by multivariable system identification with an autoregressive model with exogenous input (ARMAX in the claim's wording; the model actually fitted is the ARX form below):

$$Y(k) + A_1 Y(k-1) + \cdots + A_n Y(k-n) = B_0 U(k) + B_1 U(k-1) + \cdots + B_n U(k-n) + e(k)$$

where $Y(k)$ is the $m$-dimensional output, $U(k)$ the $r$-dimensional input, $N$ the length of the input and output sequences, $k = n+1, \ldots, n+N$, $e(k)$ the $m$-dimensional noise, $A_1, \ldots, A_n$ the $m \times m$ parameter matrices to be identified, $B_0, \ldots, B_n$ the $m \times r$ parameter matrices to be identified, and $n$ the delay (the largest lag); the orders $h_a$ and $h_b$ actually used for the $A$ and $B$ terms are selected by the AIC criterion described below. Writing out the matrix products,

$$A_i Y(k-i) = \begin{bmatrix} a^{i}_{11} & a^{i}_{12} & \cdots & a^{i}_{1m} \\ a^{i}_{21} & a^{i}_{22} & \cdots & a^{i}_{2m} \\ \vdots & \vdots & \ddots & \vdots \\ a^{i}_{m1} & a^{i}_{m2} & \cdots & a^{i}_{mm} \end{bmatrix} \begin{bmatrix} y_1(k-i) \\ y_2(k-i) \\ \vdots \\ y_m(k-i) \end{bmatrix}, \quad i \in [1, n],$$

$$B_i U(k-i) = \begin{bmatrix} b^{i}_{11} & b^{i}_{12} & \cdots & b^{i}_{1r} \\ b^{i}_{21} & b^{i}_{22} & \cdots & b^{i}_{2r} \\ \vdots & \vdots & \ddots & \vdots \\ b^{i}_{m1} & b^{i}_{m2} & \cdots & b^{i}_{mr} \end{bmatrix} \begin{bmatrix} u_1(k-i) \\ u_2(k-i) \\ \vdots \\ u_r(k-i) \end{bmatrix}, \quad i \in [0, n].$$

Hence row $j$ ($j \in [1, m]$) of the controlled-object model can be rewritten as

$$\begin{aligned} y_j(k) = {} & -a^{1}_{j1}\,y_1(k-1) - \cdots - a^{1}_{jm}\,y_m(k-1) - a^{2}_{j1}\,y_1(k-2) - \cdots - a^{2}_{jm}\,y_m(k-2) - \cdots \\ & - a^{n}_{j1}\,y_1(k-n) - \cdots - a^{n}_{jm}\,y_m(k-n) \\ & + b^{0}_{j1}\,u_1(k) + \cdots + b^{0}_{jr}\,u_r(k) + b^{1}_{j1}\,u_1(k-1) + \cdots + b^{1}_{jr}\,u_r(k-1) + \cdots \\ & + b^{n}_{j1}\,u_1(k-n) + \cdots + b^{n}_{jr}\,u_r(k-n) + e_j(k). \end{aligned}$$

From the above, for the $N$ sample instants the following vectors are obtained:

$$Y(k-i) = \begin{bmatrix} y_1(k-i) \\ y_2(k-i) \\ \vdots \\ y_m(k-i) \end{bmatrix},\; i = 0, 1, \ldots, n; \qquad U(k-i) = \begin{bmatrix} u_1(k-i) \\ u_2(k-i) \\ \vdots \\ u_r(k-i) \end{bmatrix},\; i = 0, 1, \ldots, n; \qquad e_j = \begin{bmatrix} e_j(1) \\ e_j(2) \\ \vdots \\ e_j(N) \end{bmatrix},$$

$$\theta_j^{T} = \begin{bmatrix} a^{1}_{j1} & \cdots & a^{1}_{jm} & \cdots & a^{n}_{j1} & \cdots & a^{n}_{jm} & b^{0}_{j1} & \cdots & b^{0}_{jr} & b^{1}_{j1} & \cdots & b^{1}_{jr} & \cdots & b^{n}_{j1} & \cdots & b^{n}_{jr} \end{bmatrix}.$$

Row $j$ of the model can then be written as $Y_j = H_j \theta_j + e_j$, where $Y_j$ is the $N$-vector of the $y_j(k)$ and $H_j$ the matrix whose rows are the corresponding regressors $[-Y(k-1)^{T} \cdots -Y(k-n)^{T} \;\; U(k)^{T} \cdots U(k-n)^{T}]$; the least-squares method then gives a consistent and unbiased estimate $\hat{\theta}_j$. Letting $j = 1, 2, \ldots, m$ yields the parameter estimates of every row and hence the ARX model of the controlled object.

The orders $h_a$ and $h_b$ of the $A$ and $B$ terms are chosen with the AIC criterion, $J(j) = J(j-1) + z(j)\,\varepsilon(k)$; the pair $(h_a, h_b)$ at which $\mathrm{AIC}(h_a, h_b)$ is smallest is taken as the model order.

Let $D(k)$ be the error between the model estimate and the true value of the controlled object, $D(k) = Y(k) - \hat{Y}(k)$. Singular points of $D(k)$ are detected by wavelet decomposition: a 3-level decomposition with the db6 wavelet, where $j$ is the decomposition level, $K = 1000$ the translation of the wavelet, $\varphi_{jK}$ the scaling function and $\psi_{jK} = 2^{-j/2}\,\psi_0(2^{-j} i - K)$ the wavelet function. When any of the resulting high-frequency (detail) coefficients $d(j, k)$ exceeds 0.3, the controlled object is deemed to be anomalous.

4. The PLC-simulation-based industrial control intrusion detection method of claim 3, characterised in that the execution flow of the PLC simulation module comprises:

Step 21: the user reads the control logic program, developed in SCL, from the control-object PLC and saves it as a file; the program must contain a variable-declaration part and a logic part; the user imports the file into the PLC simulation module.

Step 22: in an initialisation file the user declares, for every control-object variable and controlled-object sensor value to be read, its name, memory address, storage type, and whether it is an input or an output variable; all of these variables reside in the PLC. The PLC simulation accesses the real PLC according to these declarations and reads the specified content from its memory. The user imports the initialisation file into the PLC simulation module.

Step 23: the lexical analyser maps the SCL keywords to tokens, e.g. `if` to T_IF and `else` to T_ELSE, and returns a V_VAR token for a variable declaration. It reads the characters of the file and matches them against the defined tokens, returning a token on a match and otherwise continuing to match.

Step 24: the syntax analyser formally describes the SCL language rules in BNF; for example, the token combination T_IF T_VAR T_EQUAL 1 corresponds to the SCL meaning `if var == 1`.

Step 25: if the syntax analyser finds a known token combination among the tokens produced by the lexical analyser, go to step 27; otherwise go to step 26.

Step 26: report that the SCL program contains a syntax error and ask the user to check the SCL code.

Step 27: the interpreter generates intermediate code (opcodes) from the semantics of the token combination. Every instruction of the SCL program is converted into a binary operation: an opcode node holds two operands, one operator and a node type.

Step 28: if the generated opcode node is of type variable, go to step 30; otherwise go to step 29.

Step 29: store the opcode node in the intermediate code queue so that, once the interpreter has interpreted the whole SCL program, the queue can be handed to the execution engine subsystem for execution.

Step 30: if the generated opcode node is of type variable, convert it into a variable structure and store it in the symbol table; the variable structure holds the variable name, data type and value, and the supported data types are the four SCL types REAL, TIME, DWORD and BIT.

Step 31: read the initialisation file and update the variable values in the simulation's symbol table; this step reads the input and output variables of the control-object PLC.

Step 32: read the input and output variables of the controlled object and pass the values to the controlled-object detection model for modelling and detection:

Step 321: buffer the controlled object's input and output data for modelling and for wavelet-decomposition detection.

Step 322: check whether the controlled-object model has already been built; if so, go to step 325 and detect directly on the acquired data, otherwise go to step 323.

Step 323: check whether the buffered time series has reached the length set at initialisation; if so, go to step 324, otherwise go to step 321.

Step 324: determine the model order with the AIC criterion, and build the ARX system identification model from that order and the buffered controlled-object data.

Step 325: compute the model's estimate of the output from the ARX model and the acquired controlled-object data, then compute the error between the estimate and the actual value.

Step 326: perform a 3-level wavelet decomposition of the error sequence with the db6 wavelet and take the high-frequency coefficients.

Step 327: scan the high-frequency coefficient sequence; if any value exceeds 0.3, go to step 328, otherwise go to step 329.

Step 328: warn the user that the controlled object's data has changed abnormally and that the controlled object is anomalous.

Step 329: the controlled object is normal in this execution cycle; no abnormal state was found.

Step 33: by this point the SCL code has been interpreted and the inputs and outputs of the real control object have been synchronised. This step traverses the intermediate code sequence and evaluates each node's operands with the operator function it specifies; an operand may be a constant, a variable or another intermediate code sequence. On completion the flow forks: one branch returns to step 31 to continue the cyclic execution, the other proceeds to step 34.

Step 34: pass the result of this execution of the intermediate code to the control-object anomaly detection module and generate the anomaly detection result for this execution cycle:

Step 341: read the computed values of the output variables in the PLC simulation.

Step 342: read the values of all output variables from the PLC according to the initialisation file.

Step 343: compare the output variables computed by the PLC simulation with the output variable values read from the real PLC.

Step 344: if they match, go to step 346, otherwise go to step 345.

Step 345: a mismatch means that in this execution cycle the real PLC and the PLC simulation produced different outputs for the same inputs, i.e. the real PLC's execution logic is abnormal, faulty or has been tampered with; output the names and values of the differing variables to alert the user.

Step 346: a match means that in this execution cycle the real PLC and the PLC simulation produced the same outputs for the same inputs; the control logic of the control-object PLC is normal.
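The sandbox pipeline claimed above (claim 1, and steps 21 to 34 of claim 4) can be exercised end to end on a small SCL subset. The following Python is an added example written for this page, not the patent's own code; the token names beyond T_IF, T_ELSE and V_VAR, the BNF grammar, the tank-level program and the PLC values are all assumptions. It lexes the program into tokens, parses it against the grammar into binary opcode nodes, keeps declared variables in a symbol table, executes the opcode queue with the inputs read from the "real" PLC, and reports the output variables whose simulated values differ from the ones the PLC reported:

```python
import operator as o, re

# Token set for an SCL subset (assumed: the patent names only T_IF, T_ELSE and V_VAR).
TOKEN_RE = re.compile(r"(?P<NUM>\d+(?:\.\d+)?)|(?P<ID>[A-Za-z_]\w*)"
                      r"|(?P<OP>:=|<>|<=|>=|[=<>+\-*/;:])|(?P<WS>\s+)")
KEYWORDS = {"VAR", "END_VAR", "IF", "THEN", "ELSE", "END_IF", "REAL", "TIME", "DWORD", "BIT"}

def lex(src):
    """Step 23: lexical analyser; keywords become T_IF, T_ELSE, ..., the rest T_NUM/T_ID/T_OP."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m: raise SyntaxError(f"unknown character {src[pos]!r} at offset {pos}")
        pos, text = m.end(), m.group()
        if m.lastgroup != "WS":
            kw = m.lastgroup == "ID" and text.upper() in KEYWORDS
            tokens.append(("T_" + text.upper(), text.upper()) if kw else ("T_" + m.lastgroup, text))
    return tokens

class Parser:
    """Steps 24-30: recursive descent over the BNF  program := 'VAR' decl* 'END_VAR' stmt*;
    decl := ID ':' type ';';  stmt := ID ':=' expr ';' | 'IF' expr 'THEN' stmt* ['ELSE' stmt*] 'END_IF' ';';
    expr := sum [cmp sum];  sum := term {('+'|'-') term};  term := atom {('*'|'/') atom}.
    Every construct is a binary opcode node (operator, left, right); declared variables go
    into the symbol table rather than the opcode queue."""
    def __init__(self, tokens): self.toks, self.i, self.symtab = tokens, 0, {}
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else ("T_EOF", "")
    def take(self, kind=None, text=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (text and tok[1] != text):
            raise SyntaxError(f"syntax error at token {self.i}: {tok}")
        self.i += 1; return tok
    def program(self):
        self.take("T_VAR")
        while self.peek()[0] != "T_END_VAR":
            name = self.take("T_ID")[1]; self.take("T_OP", ":"); typ = self.take()[1]; self.take("T_OP", ";")
            self.symtab[name] = {"type": typ, "value": 0.0 if typ == "REAL" else 0}
        self.take("T_END_VAR"); return self.stmts()
    def stmts(self):
        seq = []
        while self.peek()[0] in ("T_ID", "T_IF"): seq.append(self.stmt())
        return seq
    def stmt(self):
        if self.peek()[0] != "T_IF":
            name = self.take("T_ID")[1]; self.take("T_OP", ":="); rhs = self.expr(); self.take("T_OP", ";")
            return (":=", ("VAR", name, None), rhs)
        self.take("T_IF"); cond = self.expr(); self.take("T_THEN"); then = self.stmts()
        els = (self.take("T_ELSE") and self.stmts()) if self.peek()[0] == "T_ELSE" else []
        self.take("T_END_IF"); self.take("T_OP", ";")
        return ("IF", cond, (then, els))
    def chain(self, sub, ops):
        left = sub()
        while self.peek()[0] == "T_OP" and self.peek()[1] in ops:
            op = self.take()[1]; left = (op, left, sub())
        return left
    def expr(self): return self.chain(self.sum, ("=", "<>", "<", ">", "<=", ">="))
    def sum(self): return self.chain(self.term, ("+", "-"))
    def term(self): return self.chain(self.atom, ("*", "/"))
    def atom(self):
        tok = self.take()
        if tok[0] == "T_NUM": return ("CONST", float(tok[1]), None)
        if tok[0] == "T_ID" and tok[1] in self.symtab: return ("VAR", tok[1], None)
        raise SyntaxError(f"unexpected token {tok}")

BINOPS = {"+": o.add, "-": o.sub, "*": o.mul, "/": o.truediv,
          "=": o.eq, "<>": o.ne, "<": o.lt, ">": o.gt, "<=": o.le, ">=": o.ge}

def evaluate(node, symtab):
    op, left, right = node
    if op in ("CONST", "VAR"):
        return left if op == "CONST" else symtab[left]["value"]
    return BINOPS[op](evaluate(left, symtab), evaluate(right, symtab))

def execute(opcodes, symtab):
    """Step 33: execution engine; walks the opcode queue and updates the symbol table."""
    for op, left, right in opcodes:
        if op == ":=":
            symtab[left[1]]["value"] = evaluate(right, symtab)
        elif op == "IF":
            execute(right[0] if evaluate(left, symtab) else right[1], symtab)

def run_cycle(src, plc_inputs, plc_outputs):
    """One scan: load inputs read from the real PLC into the symbol table (step 31), execute
    (step 33), diff simulated against real outputs (steps 341-345) -> (simulated, mismatches)."""
    parser = Parser(lex(src)); opcodes = parser.program()
    for name, value in plc_inputs.items():
        parser.symtab[name]["value"] = value
    execute(opcodes, parser.symtab)
    simulated = {n: parser.symtab[n]["value"] for n in plc_outputs}
    return simulated, sorted(n for n in plc_outputs if simulated[n] != plc_outputs[n])

# Constructed SCL standing in for the controller's real program: a tank level loop.
SCL_SRC = """VAR level : REAL; setpoint : REAL; pump : BIT; alarm : BIT; END_VAR
IF level > setpoint + 5.0 THEN pump := 0; alarm := 1;
ELSE pump := 1; alarm := 0; END_IF;"""

# Constructed values "read from the real PLC" in one scan: the level is inside the band, yet
# the PLC reports the pump stopped, so its logic no longer matches the source (step 345).
REAL_INPUTS, REAL_OUTPUTS = {"level": 52.0, "setpoint": 50.0}, {"pump": 0, "alarm": 0}
```

`run_cycle(SCL_SRC, REAL_INPUTS, REAL_OUTPUTS)` returns `{'pump': 1.0, 'alarm': 0.0}` for the sandbox and flags `pump`: with the level at 52 the source says the pump must be on, yet the PLC reports it off. Two caveats the claims leave implicit: the inputs and outputs being compared must come from the same PLC scan, otherwise a one-cycle lag of the sandbox appears as a false mismatch; and the comparison only catches tampering that changes the I/O behaviour for the inputs actually observed, not a modified block that behaves identically until some trigger condition is met.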
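The identification and residual test of claim 3 (steps 321 to 329 of claim 4), as an added example that is not the patent's own code. It is pure Python, written for a single-input, single-output plant, i.e. one row j of the multivariable regression Y_j = H_j θ_j + e_j: least squares through the normal equations, AIC over a grid of (na, nb), the residual D(k), and a 3-level periodised DWT whose detail coefficients are compared with the 0.3 threshold. Assumptions: the plant, its noise and the sensor-spoofing attack are constructed; the textbook AIC, N ln(RSS/N) + 2p, replaces the claim's recursive J(j); and the Haar filter stands in for db6 because the db6 taps are not on the page (pass them through the `lo=` parameter, e.g. PyWavelets' `Wavelet('db6').dec_lo`, to use the claimed wavelet):

```python
import math, random

# --- steps 323-325: ARX identification by least squares, order chosen by AIC ---
def regressor(y, u, k, na, nb):
    """Row of H_j for a SISO plant: [-y(k-1) .. -y(k-na), u(k) .. u(k-nb)] (the claim's sign convention)."""
    return [-y[k - i] for i in range(1, na + 1)] + [u[k - i] for i in range(nb + 1)]

def solve_normal_equations(H, y):
    """theta = (H^T H)^-1 H^T y, the standard least-squares solution, via Gaussian elimination."""
    p = len(H[0])
    A = [[sum(r[i] * r[j] for r in H) for j in range(p)] + [sum(r[i] * t for r, t in zip(H, y))]
         for i in range(p)]                               # augmented normal equations
    for c in range(p):                                    # forward elimination, partial pivoting
        piv = max(range(c, p), key=lambda r: abs(A[r][c]))
        A[c], A[piv] = A[piv], A[c]
        for r in range(c + 1, p):
            f = A[r][c] / A[c][c]
            A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    theta = [0.0] * p
    for r in range(p - 1, -1, -1):                        # back substitution
        theta[r] = (A[r][p] - sum(A[r][j] * theta[j] for j in range(r + 1, p))) / A[r][r]
    return theta

def fit_arx(y, u, na, nb, kmin):
    return solve_normal_equations([regressor(y, u, k, na, nb) for k in range(kmin, len(y))], y[kmin:])

def residuals(theta, y, u, na, nb, kmin):
    """D(k) = y(k) - y_hat(k), the error between the model estimate and the real plant."""
    return [y[k] - sum(t * h for t, h in zip(theta, regressor(y, u, k, na, nb)))
            for k in range(kmin, len(y))]

def select_order_aic(y, u, max_na=3, max_nb=3):
    """Step 324: pick (na, nb) minimising AIC = N ln(RSS/N) + 2p. The textbook AIC is used
    (an assumption; the claim's recursive J(j) form is not reproduced). kmin is fixed at the
    largest candidate lag so every candidate is scored on the same N samples."""
    kmin, best = max(max_na, max_nb), None
    for na in range(1, max_na + 1):
        for nb in range(max_nb + 1):
            theta = fit_arx(y, u, na, nb, kmin)
            d = residuals(theta, y, u, na, nb, kmin)
            aic = len(d) * math.log(sum(e * e for e in d) / len(d)) + 2 * len(theta)
            if best is None or aic < best[0]:
                best = (aic, na, nb, theta)
    return best[1], best[2], best[3]

# --- steps 326-327: wavelet decomposition of D(k), threshold on the detail coefficients ---
HAAR_LO = [1 / math.sqrt(2)] * 2   # stand-in lowpass; pass the db6 taps via lo= for the claim's wavelet

def dwt_details(x, levels=3, lo=HAAR_LO):
    """Periodised DWT returning the high-frequency (detail) coefficients of each level.
    hi[k] = (-1)^k lo[L-1-k] is the quadrature-mirror highpass of the lowpass lo."""
    hi = [(-1) ** k * lo[len(lo) - 1 - k] for k in range(len(lo))]
    details, a = [], list(x)
    for _ in range(levels):
        if len(a) % 2: a.append(a[-1])                   # pad odd lengths
        n = len(a)
        conv = lambda f: [sum(f[k] * a[(2 * i + 1 - k) % n] for k in range(len(f))) for i in range(n // 2)]
        details.append(conv(hi)); a = conv(lo)
    return details

def plant_is_anomalous(d_k, threshold=0.3, levels=3):
    """Step 327: any detail coefficient above the threshold flags the controlled object."""
    return any(abs(c) > threshold for lvl in dwt_details(d_k, levels) for c in lvl)

# --- constructed data: a stable SISO plant and a sensor-spoofing attack on its output ---
def simulate_plant(n, seed, spoof_from=None, offset=1.0):
    """y(k) = 0.8y(k-1) - 0.15y(k-2) + 0.5u(k-1) + 0.2u(k-2) + noise; if spoof_from is set the
    *measured* y is shifted by offset from that sample on while the real dynamics are unchanged."""
    rng = random.Random(seed)
    u = [rng.uniform(-1.0, 1.0) for _ in range(n)]
    y = [0.0, 0.0]
    for k in range(2, n):
        y.append(0.8 * y[k - 1] - 0.15 * y[k - 2] + 0.5 * u[k - 1] + 0.2 * u[k - 2] + rng.gauss(0.0, 0.01))
    return u, [v + (offset if spoof_from is not None and k >= spoof_from else 0.0) for k, v in enumerate(y)]

def run_detection():
    """Steps 321-329 end to end: identify on a clean buffer, then score a clean and a spoofed window.
    Returns ((na, nb), theta, clean_flagged, spoofed_flagged)."""
    u_train, y_train = simulate_plant(256, seed=1)
    na, nb, theta = select_order_aic(y_train, u_train)
    kmin = max(na, nb)
    u_ok, y_ok = simulate_plant(256, seed=2)
    u_bad, y_bad = simulate_plant(256, seed=2, spoof_from=150)
    clean = plant_is_anomalous(residuals(theta, y_ok, u_ok, na, nb, kmin))
    spoofed = plant_is_anomalous(residuals(theta, y_bad, u_bad, na, nb, kmin))
    return (na, nb), theta, clean, spoofed
```

`run_detection()` identifies orders of at least (2, 2) on the clean buffer, leaves the clean window unflagged and flags the spoofed one: the +1.0 step in the measured output leaves a residual of about 1.0 at the first spoofed sample, so the level-1 detail coefficient there is roughly 0.5 to 0.7, well above 0.3. Two caveats for a deployment: the 0.3 threshold is expressed in the units of the process variable and must be rescaled per signal; and the model is only as trustworthy as the buffer it was fitted on, so identification has to run on data known to be attack-free, otherwise a slow manipulation is learned as normal behaviour.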
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610131655.1A CN105807631B (en) 2016-03-08 2016-03-08 Industrial Control Intrusion Detection Method and Intrusion Detection System Based on PLC Simulation

Publications (2)

Publication Number Publication Date
CN105807631A true CN105807631A (en) 2016-07-27
CN105807631B CN105807631B (en) 2019-02-12

Family

ID=56467977

Country Status (1)

Country Link
CN (1) CN105807631B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109766992A (en) * 2018-12-06 2019-05-17 北京工业大学 Anomaly detection and attack classification method for industrial control based on deep learning
CN110941236A (en) * 2019-12-31 2020-03-31 郑州信大捷安信息技术股份有限公司 PLC safety monitoring and dynamic measuring method and system
CN111007796A (en) * 2019-12-31 2020-04-14 郑州信大捷安信息技术股份有限公司 PLC safety real-time monitoring method and system
CN112491796A (en) * 2020-10-28 2021-03-12 北京工业大学 Intrusion detection and semantic decision tree quantitative interpretation method based on convolutional neural network
CN112985747A (en) * 2021-05-08 2021-06-18 中国空气动力研究与发展中心超高速空气动力研究所 Hypersonic wind tunnel cooperative control and simulation device and control method
CN113341870A (en) * 2021-06-24 2021-09-03 上海交通大学宁波人工智能研究院 System and method for recognizing control code exception
CN114285599A (en) * 2021-11-23 2022-04-05 中国人民解放军战略支援部队信息工程大学 Industrial control honeypot construction method based on controller deep memory simulation and industrial control honeypot
CN120105924A (en) * 2025-05-07 2025-06-06 南京邮电大学 A photovoltaic inverter system parameter identification method based on ARMAX model and least squares method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2755252C2 (en) * 2020-02-26 2021-09-14 Акционерное общество "Лаборатория Касперского" Method and system for assessing impact of software under study on availability of industrial automation systems

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7240368B1 (en) * 1999-04-14 2007-07-03 Verizon Corporate Services Group Inc. Intrusion and misuse deterrence system employing a virtual network
US7784099B2 (en) * 2005-02-18 2010-08-24 Pace University System for intrusion detection and vulnerability assessment in a computer network using simulation and machine learning
KR101283565B1 (en) * 2011-12-14 2013-07-08 서울대학교산학협력단 Method of worm propagation modeling simulation
CN103776654A (en) * 2014-02-21 2014-05-07 黑龙江省科学院自动化研究所 Method for diagnosing faults of multi-sensor information fusion
CN104902509A (en) * 2015-05-19 2015-09-09 浙江农林大学 Abnormal data detection method based on top-k(sigma) algorithm
CN105022934A (en) * 2015-06-29 2015-11-04 北京工业大学 Artificial immune method for constructing brain effect connection network from fMRI data
EP2966828A1 (en) * 2014-07-11 2016-01-13 Deutsche Telekom AG Method for detecting an attack on a work environment connected with a communications network
CN105302950A (en) * 2015-10-19 2016-02-03 北京精密机电控制设备研究所 Software and hardware cooperation based cross-linking simulation test method for programmable logic device

Also Published As

Publication number Publication date
CN105807631B (en) 2019-02-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant