US 11,747,799 B2
Industrial control system and network security monitoring method therefor
Wen Tang, Beijing (CN)
Assigned to Siemens Aktiengesellschaft, Munich (DE)
Appl. No. 16/616,034
Filed by Siemens Aktiengesellschaft, Munich (DE)
PCT Filed May 31, 2017, PCT No. PCT/CN2017/086675
§ 371(c)(1), (2) Date Nov. 22, 2019,
PCT Pub. No. WO2018/218537, PCT Pub. Date Dec. 6, 2018.
Prior Publication US 2020/0089204 A1, Mar. 19, 2020
Int. Cl. G05B 23/02 (2006.01); H04L 9/40 (2022.01); H04L 41/28 (2022.01)
CPC G05B 23/027 (2013.01) [H04L 63/1425 (2013.01); H04L 63/1441 (2013.01); H04L 63/20 (2013.01)]
22 Claims
1. A method for monitoring network security of an industrial control system, the method comprising:
determining a network security requirement of the industrial control system based on a running environment of the industrial control system;
selecting at least one first data source related to the industrial control system based on at least the network security requirement, the at least one first data source being for measuring whether the industrial control system meets the network security requirement;
acquiring first data from the at least one first data source;
counting time-varying features of the first data to serve as a behavior model for the industrial control system;
acquiring second data from at least some of the at least one first data source;
determining whether the second data includes features described by the behavior model;
determining, upon determining that the second data includes the features described by the behavior model, that behavior of the industrial control system represented by the second data is normal behavior;
determining, upon determining that the second data does not include the features described by the behavior model, that the behavior of the industrial control system represented by the second data is abnormal behavior; and
upon determining that the behavior of the industrial control system represented by the second data is abnormal behavior,
determining a level of an alarm among a plurality of alarm levels corresponding to the behavior of the industrial control system represented by the second data, a lowest alarm priority level among the plurality of alarm levels including alarms related to a front-end firewall, and either
triggering alarm reporting, upon the level being higher than the lowest alarm priority level among the plurality of alarm levels, or
skipping the triggering of the alarm reporting, upon the level not being higher than the lowest alarm priority level among the plurality of alarm levels,
wherein the network security requirement is determined according to at least one running indicator of the industrial control system defined by a customer of the industrial control system.
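
The monitoring steps of claim 1, from acquiring the first data onward, can be sketched as follows. This is an added illustration, not code from the patent or from Siemens. The source names, the three-level alarm scale, the (source, hour, event) feature and the `min_count` threshold are all assumptions, and the sample records are constructed.

```python
from collections import Counter
from enum import IntEnum

class AlarmLevel(IntEnum):   # assumed scale; the claim only fixes what the lowest level includes
    LOW = 1                  # lowest priority: includes front-end firewall alarms
    MEDIUM = 2
    HIGH = 3

# Assumed mapping from (hypothetical) data source names to alarm levels.
SOURCE_LEVEL = {"front_end_firewall": AlarmLevel.LOW,
                "hmi_logins": AlarmLevel.MEDIUM,
                "plc_commands": AlarmLevel.HIGH}

def feature(record):
    """Assumed time-varying feature: (source, hour of day, event type)."""
    return (record["source"], record["hour"], record["event"])

def build_behavior_model(first_data, min_count=2):
    """Count features in the first data; keep those seen at least min_count times."""
    counts = Counter(feature(r) for r in first_data)
    return {f for f, n in counts.items() if n >= min_count}

def monitor(second_data, model):
    """Return (record, level, reported) for each record judged abnormal."""
    results = []
    for r in second_data:
        if feature(r) in model:
            continue                                   # feature in model: normal behavior
        # Unknown sources default to MEDIUM (assumption, so they are still reported).
        level = SOURCE_LEVEL.get(r["source"], AlarmLevel.MEDIUM)
        reported = level > AlarmLevel.LOW              # lowest level: skip alarm reporting
        results.append((r, level, reported))
    return results

# Constructed sample data (not from the patent).
FIRST_DATA = [
    {"source": "plc_commands", "hour": 8, "event": "write_setpoint"},
    {"source": "plc_commands", "hour": 8, "event": "write_setpoint"},
    {"source": "hmi_logins", "hour": 8, "event": "operator_login"},
    {"source": "hmi_logins", "hour": 8, "event": "operator_login"},
    {"source": "front_end_firewall", "hour": 8, "event": "deny_inbound"},
    {"source": "front_end_firewall", "hour": 8, "event": "deny_inbound"},
]
SECOND_DATA = [
    {"source": "plc_commands", "hour": 8, "event": "write_setpoint"},      # in model
    {"source": "plc_commands", "hour": 3, "event": "firmware_download"},   # abnormal
    {"source": "front_end_firewall", "hour": 3, "event": "deny_inbound"},  # abnormal, lowest level
]

if __name__ == "__main__":
    for rec, level, reported in monitor(SECOND_DATA, build_behavior_model(FIRST_DATA)):
        print(rec["source"], rec["event"], level.name, "REPORT" if reported else "suppressed")
```

With this sample, the off-hours PLC event is reported, while the off-hours firewall event is classified as abnormal but not reported because it sits at the lowest alarm level.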