System and method for identifying application layer behavior
First Claim
1. A system for identifying application layer behavior, comprising:
a storage, being configured to store a normal behavior status list;
a transmitter, being configured to intercept a current packet which is propagated between a master device and a slave device in an industrial control system and send information of the current packet for analysis; and
a processor electrically connected with the storage and the transmitter, being configured to determine a current status of the application layer behavior of the industrial control system by analyzing application layer data of the current packet and identify whether the current status of the application layer behavior is normal according to the normal behavior status list;
wherein the processor detects from the current packet a corresponding value stored for a corresponding parameter in a corresponding memory address among a plurality of memory addresses of the slave device, and determines the current status of the application layer behavior of the industrial control system according to the corresponding value and values stored in the slave device for other parameters in the parameter group to which the corresponding parameter belongs.
Abstract
A system and method for identifying application layer behavior are disclosed. In order to detect intrusion into an industrial control system, the system and method determine a current status of application layer behavior of the industrial control system by analyzing a current packet which is propagated between a master device and a slave device in the industrial control system, and identify whether the current status of the application layer behavior is normal according to a normal behavior status list.
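An added example, not part of the patent text, sketching the check claim 1 describes: the status is derived from the value seen in the current packet together with the last known values of the other parameters in the same parameter group, then looked up in a normal behavior status list. It assumes the intercepted traffic is Modbus/TCP Write Single Register requests; the register addresses, parameter names, groups and allowed statuses are constructed for illustration.

```python
import struct

# Assumed layout (hypothetical): slave register address -> (parameter group, parameter)
PARAM_MAP = {
    0x0010: ("pump", "run_cmd"),
    0x0011: ("pump", "inlet_valve"),
    0x0020: ("heater", "enable"),
}
# Normal behavior status list (constructed): allowed value combinations per group.
NORMAL_STATUS = {
    "pump": {(("inlet_valve", 0), ("run_cmd", 0)),
             (("inlet_valve", 1), ("run_cmd", 0)),
             (("inlet_valve", 1), ("run_cmd", 1))},
    "heater": {(("enable", 0),), (("enable", 1),)},
}

def parse_write_single_register(frame: bytes):
    """Return (address, value) for a Modbus/TCP function 0x06 request, else None."""
    if len(frame) < 12:
        return None
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or func != 0x06 or length != 6:
        return None
    return struct.unpack(">HH", frame[8:12])

class BehaviorMonitor:
    def __init__(self, initial):
        self.shadow = dict(initial)  # last known value at each slave address

    def observe(self, frame: bytes):
        """Return (group, status, is_normal), or None if the packet is not tracked."""
        parsed = parse_write_single_register(frame)
        if parsed is None or parsed[0] not in PARAM_MAP:
            return None
        addr, value = parsed
        self.shadow[addr] = value
        group = PARAM_MAP[addr][0]
        # Status = value from this packet plus stored values of the group's other parameters.
        status = tuple(sorted((name, self.shadow.get(a, 0))
                              for a, (g, name) in PARAM_MAP.items() if g == group))
        return group, status, status in NORMAL_STATUS[group]

def make_frame(tid, addr, value, unit=1):
    """Build a constructed sample request (MBAP header + function 0x06 PDU)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, 0x06, addr, value)
```

The same write (`run_cmd = 1`) is judged abnormal while `inlet_valve` is 0 and normal once it is 1, which is the point of evaluating a value against its parameter group rather than in isolation.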
12 Claims
7. A method for identifying application layer behavior, comprising the following steps:
intercepting a current packet which is propagated between a master device and a slave device in an industrial control system and sending information of the current packet for analysis; and
determining, by the system for identifying the application layer behavior, a current status of the application layer behavior of the industrial control system by analyzing application layer data of the current packet and identifying, by the system for identifying the application layer behavior, whether the current status of the application layer behavior is normal according to a normal behavior status list;
wherein the system for identifying the application layer behavior detects from the current packet a corresponding value stored for a corresponding parameter in a corresponding memory address among a plurality of memory addresses of the slave device, and determines the current status of the application layer behavior of the industrial control system according to the corresponding value and values stored in the slave device for other parameters in the parameter group to which the corresponding parameter belongs.
Specification