CN105847249A - Safety protection system and method for Modbus network - Google Patents


Info

Publication number: CN105847249A
Authority: CN (China)
Prior art keywords: modbus, byte stream, frame, complete, function code
Legal status: Pending
Application number: CN201610164736.1A
Other languages: Chinese (zh)
Inventor: 陈惠欣
Current assignee: Master Technology (beijing) Co Ltd
Original assignee: Master Technology (beijing) Co Ltd
Application filed by Master Technology (beijing) Co Ltd
Priority to CN201610164736.1A
Publication of CN105847249A

Classifications (CPC, all under H04L, Transmission of digital information)

    • H04L63/0236 Network security: filtering policies, filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L1/0061 Arrangements for detecting or preventing errors in the information received: error detection codes
    • H04L63/0245 Network security: filtering policies, filtering by information in the payload
    • H04L63/101 Network security: controlling access to devices or network resources, access control lists [ACL]
    • H04L63/123 Network security: applying verification of the received information, received data contents, e.g. message integrity


Abstract

The invention provides a security protection method for a Modbus network. The method comprises the following steps: a byte stream based on the Modbus protocol, transmitted from an external request port, is received; the byte stream is packetized according to the frame structure of the Modbus protocol type so as to form the corresponding complete Modbus frame structure; and the corresponding processing is carried out according to the packetization result. The invention also provides a security protection system for the Modbus network. Because the packetization introduces an integrity check of each Modbus frame, attacks on an industrial control device or system that uses the Modbus protocol can be effectively resisted, and the confidentiality, integrity and availability of such devices and systems can be ensured.

Description

Security protection system and method for a Modbus network
Technical field
The present invention relates to the field of network security protection, and in particular to a security protection system and method for a Modbus network.
Background
The Modbus protocol is a general-purpose language used on electronic controllers. Through this protocol, controllers can communicate with each other and, over a network such as Ethernet, with other equipment, so that control equipment from different vendors can be joined into one industrial network for centralized monitoring.
Modbus is standardized and open and has a simple, compact frame format, so it is widely used in industrial control systems, supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS). It is used not only for communication between local intelligent devices and controllers (PLCs), and between intelligent devices and human-machine interfaces (HMIs), but also for long-distance communication in remote centralized monitoring systems for field industrial equipment.
However, because the Modbus frame structure lacks basic cryptographic protection, it has obvious security weaknesses, mainly the following:
1. Poor data confidentiality. There is no mechanism to distinguish the range of data that different masters (clients) may access, so any master (client) on the network can access any data provided by a slave (server).
2. Data integrity is easily compromised. There is no mechanism to restrict the commands a master (client) may execute or the range of their parameters, so any master (client) on the network can modify a slave's (server's) data by sending a function code the slave supports.
3. Availability is hard to guarantee. Besides the usual TCP/IP-layer network attacks, at the Modbus application layer an attacker can easily send incomplete Modbus frames that force the slave (server) to perform a large amount of invalid processing, degrading its performance. In addition, the configuration protocol and the data communication protocol of many intelligent devices both use Modbus, yet there is no mechanism protecting the configuration data, so an attacker can easily modify the configuration parameters of an intelligent device or even delete its key content, such as firmware, with serious consequences.
Summary of the invention
In view of the problems in the prior art, the invention provides: 1. A security protection method for a Modbus network, comprising: S1. receiving a byte stream based on the Modbus protocol transmitted from an external request port, packetizing the byte stream according to the frame structure of the Modbus protocol type to form the corresponding complete Modbus frame structure, and carrying out the corresponding processing according to the packetization result.
In some embodiments of the invention, step S1 comprises: for a received byte stream of the Modbus ASCII protocol type, judging whether the packet has a complete Modbus frame structure according to whether the packet has a start character and an end character and whether it passes the CRC check; or, for a received byte stream of the Modbus RTU protocol type: a. performing a CRC check on a byte stream of a predetermined length; b. judging whether the function code in a byte stream that passed the CRC check is a function code allowed by the Modbus RTU frame structure and, if it is not an allowed function code, changing the byte stream length and returning to step a for another CRC check.
In some embodiments of the invention, step a further comprises: for a byte stream of the Modbus RTU protocol type, starting the CRC check from the minimum byte stream length; if the check fails, increasing the byte stream length by a predetermined number of bytes and performing the CRC check again; and if the current byte stream length reaches the maximum length without passing the CRC check, discarding the byte stream.
In some embodiments of the invention, step S1 further comprises: c. according to the data structure corresponding to the function code, checking whether the data structure in the current byte stream matches the function code; if it does not match, increasing the byte stream length by the predetermined number of bytes and returning to step a.
In some embodiments of the invention, step S1 may also comprise: when the beginning and the end of the Modbus frame structure contain illegal bytes in addition to the complete Modbus frame structure, removing the illegal bytes and retaining the complete Modbus frame structure.
In some embodiments of the invention, the security protection method for a Modbus network may also comprise: S2. checking whether the slave address contained in the complete Modbus frame is a slave address that is allowed to be accessed, and checking whether the function code contained in the complete Modbus frame is in a preset function code whitelist.
In one embodiment of the invention, by setting the range of slave addresses that may be accessed and by judging whether the function code in the complete Modbus frame structure is a valid function code, the packetized complete Modbus frame is filtered further: a Modbus frame that contains a slave address outside the allowed access range or an illegal function code not belonging to the Modbus protocol is discarded. This effectively prevents attacks on the equipment or system and at the same time reduces the workload of the equipment or system and improves operational efficiency.
In some embodiments of the invention, the security protection method for a Modbus network may also comprise: S3. for a read-data function code, checking whether the register range contained in the complete Modbus frame is within the allowed range; S4. for a write-data function code, checking whether the register range contained in the complete Modbus frame is within the allowed range, extracting the process parameters contained in the complete Modbus frame, generating the corresponding control values according to the correspondence between the process parameters and the registers in the register range and the encoding type, and judging whether the control values are permitted values.
Because different types of function code generate different operating commands, embodiments of the invention divide complete Modbus frames into write commands and read commands by judging the type of the function code. For read commands, the register range that may be accessed on the slave can be restricted, which controls the data that can be read from the registers and so effectively protects the process parameters stored in the registers, preventing process parameters and process flows from being accessed illegally. For write commands, registers are associated with process parameters: a mapping between registers and process parameters is established by configuration (user definition), which effectively ensures the correctness of the process. Furthermore, filtering on the control values generated from the process parameters effectively prevents write commands from illegally changing the address of an industrial control device or system, illegally uploading configuration files and so on.
In some embodiments of the invention, step S4 may comprise: extracting a plurality of process parameters contained in the complete Modbus frame, generating the corresponding control values according to the correspondence between each of the process parameters and each register, or each bit position of each register, in the register range and the encoding type, and judging whether each control value is a permitted value.
The invention also provides a security protection system for a Modbus network, comprising: an integrity check module, which receives the byte stream based on the Modbus protocol transmitted from the external request port, packetizes the byte stream according to the frame structure of the Modbus protocol type to form the corresponding complete Modbus frame structure, and carries out the corresponding processing according to the packetization result;
a Modbus frame check module for function codes that read or write data, which, for a read-data function code, checks whether the register range contained in the complete Modbus frame is within the allowed range and, for a write-data function code, checks whether the register range contained in the complete Modbus frame is within the allowed range, extracts the process parameters contained in the complete Modbus frame, generates the corresponding control values according to the correspondence between the process parameters and the registers in the register range and the encoding type, and judges whether the control values are permitted values.
In some embodiments of the invention, the security protection system for a Modbus network may also comprise: a slave address check module, for checking whether the slave address contained in the complete Modbus frame is a slave address that is allowed to be accessed; and a function code legitimacy check module, for checking whether the function code contained in the complete Modbus frame is in the preset function code whitelist.
The security protection method and system for a Modbus network provided by the invention check the integrity of Modbus frames by packetization, which effectively prevents data requests (byte streams) that do not follow the Modbus protocol from being sent continuously to industrial control equipment or systems and degrading their performance.
According to the above security protection method and system for a Modbus network, attacks on industrial control equipment or systems that use the Modbus protocol can be effectively resisted, ensuring the confidentiality, integrity and availability of such equipment and systems.
Brief description of the drawings
To describe the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly introduced below.
Fig. 1a schematically shows the conventional Modbus ASCII/RTU frame structure;
Fig. 1b schematically shows the conventional Modbus TCP frame structure;
Fig. 2a shows the Modbus data model with separate data blocks;
Fig. 2b shows the Modbus data model with a single data block;
Fig. 3a schematically shows the Modbus RTU unicast mode;
Fig. 3b schematically shows the Modbus RTU broadcast (multicast) mode;
Fig. 4 schematically shows a typical application scenario of Modbus TCP;
Fig. 5 schematically shows the security protection method of an embodiment of the invention;
Fig. 6a schematically shows the mapping between a user-defined analogue process control parameter and the Modbus register model;
Fig. 6b schematically shows the mapping between a user-defined Boolean process control parameter and the Modbus register model;
Fig. 7 schematically shows the security protection system for a Modbus network of an embodiment of the invention.
Detailed description of the invention
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution of the embodiments is described clearly and completely below in conjunction with the drawings of the embodiments. Obviously, the drawings show only some embodiments of the invention; their purpose is to let those skilled in the art understand the essential features of the invention. Those of ordinary skill in the art may make modifications, equivalent variations or alternative solutions based on the disclosed drawings and their description. The scope of the invention is therefore not limited by these drawings and their description.
Before the embodiments of the invention are described in detail, some related concepts involved in the invention are first explained.
The Modbus protocol has two main modes, suited to serial links and to TCP/IP links respectively. Modbus serial mode has two encoding formats, ASCII (American Standard Code for Information Interchange) and RTU (remote terminal unit); the former is referred to in this application as Modbus ASCII and the latter as Modbus RTU. Modbus over TCP/IP uses the binary encoding of RTU and is referred to in this application as Modbus TCP.
The Modbus protocol defines a simple protocol data unit (PDU) that is independent of the underlying communication layer. The mapping of the Modbus protocol onto a specific bus or network may introduce additional fields into the application data unit (ADU). Fig. 1(a) shows the frame structure of Modbus ASCII/RTU and Fig. 1(b) shows the frame structure of Modbus TCP.
The Modbus protocol defines its data model using four types of data.
Fig. 2(a) and Fig. 2(b) show the Modbus data model with separate data blocks and the Modbus data model with a single data block, respectively.
Modbus network:
Modbus RTU operates on serial links and supports one master (client) with multiple slaves (servers), a 1-N structure, see Fig. 3(a) and Fig. 3(b). Its communication supports both unicast and broadcast modes.
Unicast mode: the master (client) sends a request to a specified address, and the slave (server) at that address returns data to the master (client) according to the request. In this case a Modbus transaction contains exactly 2 messages (the client request message and the server response message). In unicast mode the server address must be unique on the network (1 to 247).
Broadcast mode: the master (client) sends a request to all slaves (servers); the slaves stay silent and only carry out the function requested by the master (client). In this case a Modbus transaction contains only 1 message (the client request message). In broadcast mode slaves (servers) may have their own addresses, but they must all respond to requests to address 0, which the protocol defines as the broadcast address.
Modbus TCP operates on the TCP/IP protocol stack, uses multipoint-to-multipoint TCP connections, and supports multiple masters (clients) with multiple slaves (servers), an N-N structure; a typical application scenario is shown in Fig. 4. In Fig. 4 there is a class of device called a Modbus TCP/IP gateway, which converts the Modbus RTU protocol to the Modbus TCP protocol by unpacking and repacking Modbus PDUs. The Modbus TCP/IP gateway is therefore a protocol conversion device.
With reference to Fig. 5, an embodiment of the invention provides a security protection method for a Modbus network, comprising:
S1. Modbus frame structure integrity check step:
The Modbus protocol types include Modbus ASCII, Modbus RTU and Modbus TCP.
The frame structure of the Modbus ASCII and Modbus RTU protocols is shown in Fig. 1(a) and consists of an address field, a function code, data and an error check. In one example, the address field is 8 bits, the function code is 8 bits, the data is N × 8 bits and the CRC error check is 16 bits.
The frame structure of the Modbus TCP protocol is shown in Fig. 1(b) and consists of the MBAP header, the function code and the data.
The common function codes, their names and their purposes are shown in Table 1:
Table 1
Specifically, the integrity check of the Modbus frame structure may comprise the following steps:
S11. Receive the byte stream transmitted from the external request port (serial port, TCP port or UDP port);
S12. Try to packetize the byte stream according to the frame structure of the Modbus protocol type (ASCII/RTU/TCP);
S13. Judge whether a complete Modbus frame structure corresponding to the Modbus protocol type can be assembled.
If no complete Modbus frame structure can be formed, i.e. packetization fails, the byte stream is an illegal Modbus request frame: a log record and an alarm output are produced and the packet is discarded.
Several situations that cause packetization to fail are listed below:
(1) For the Modbus ASCII frame structure: no start character and end character can be found, or the start and end characters are found but the CRC check fails;
(2) For the Modbus RTU frame structure: the CRC is computed starting from the minimum frame length, and the maximum frame length is reached without passing the CRC check, or the CRC check passes but the frame structure does not match the function code.
Because the Modbus RTU frame structure has no start or end character and the frame length is variable, the integrity check of a Modbus RTU frame can combine a CRC check with a frame structure check as follows:
a. The received byte stream is saved in a buffer;
b. For the byte stream in the buffer, the CRC check starts from the minimum Modbus RTU frame length (e.g. 3 bytes). If the CRC check fails, the current byte stream length is examined: if it has not yet reached the maximum Modbus RTU frame length (e.g. 255 bytes), the current byte stream length is increased by 1 byte and the CRC check continues; if the current byte stream length has reached the maximum Modbus RTU frame length, this segment of the byte stream is removed from the buffer;
c. For a byte stream that passes the CRC check, the function code byte is extracted and it is judged whether the function code is one allowed by the Modbus RTU frame structure (the function codes listed in Table 1). If it is not an allowed function code, the length of the byte stream being processed is increased by a predetermined length (e.g. 1 byte) and processing returns to step b;
d. For a byte stream that passes the function code check, it is checked, according to the data structure corresponding to that function code, whether the data structure in the current byte stream matches the function code. If the check passes, the byte stream being processed has a legal frame structure; otherwise the length of the byte stream being processed is increased by the predetermined length (e.g. 1 byte) and processing returns to step b.
(3) For the Modbus TCP frame structure, each received TCP application frame is packetized one by one according to the Modbus TCP frame structure. The protocol parameter (function code) in a Modbus TCP frame corresponds to the data length, so a frame containing a given protocol parameter should have a definite frame length. When the protocol parameter and the frame length of a Modbus TCP frame do not match, the check cannot pass and packetization fails.
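The RTU recovery procedure of steps a to d, as an added worked example in Python (this is not code from the patent or its assignee): it scans the buffered byte stream from the minimum to the maximum frame length, checks the Modbus CRC-16 at each length, then checks the function code and the request data layout that function code implies, growing the candidate by one byte on every failure. The set of allowed function codes and their layouts, and the 3-byte and 255-byte limits, are assumptions, since Table 1 is not reproduced on this page.

```python
import struct

MIN_FRAME = 3     # page: minimum Modbus RTU frame length, e.g. 3 bytes
MAX_FRAME = 255   # page: maximum Modbus RTU frame length, e.g. 255 bytes
STEP = 1          # page: predetermined length added on each failure, e.g. 1 byte


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU (init 0xFFFF, reflected polynomial 0xA001)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def crc_ok(frame: bytes) -> bool:
    """The CRC follows address, function code and data, low byte first."""
    return struct.pack("<H", crc16_modbus(frame[:-2])) == frame[-2:]


def _fixed(n: int):
    return lambda data: len(data) == n


def _write_multiple(data: bytes) -> bool:
    # start address(2) + quantity(2) + byte count(1) + payload(byte count)
    return len(data) >= 5 and len(data) == 5 + data[4]


# Assumption: request-side data layouts for the public function codes this
# example allows (the page's Table 1 is the authoritative list, not shown here).
ALLOWED_FC = {
    0x01: _fixed(4), 0x02: _fixed(4), 0x03: _fixed(4), 0x04: _fixed(4),
    0x05: _fixed(4), 0x06: _fixed(4),
    0x0F: _write_multiple, 0x10: _write_multiple,
}


def recover_rtu_frame(buffer: bytes):
    """Steps a-d of the page: returns (frame, reason); frame is None on failure.

    Assumption: an exhausted buffer counts as failure (a live receiver would
    wait for more bytes before giving up).
    """
    length = MIN_FRAME
    while length <= min(MAX_FRAME, len(buffer)):
        candidate = buffer[:length]
        if crc_ok(candidate):                       # step b: CRC passes
            structure_check = ALLOWED_FC.get(candidate[1])
            if structure_check is None:             # step c: function code not allowed
                length += STEP
                continue
            if structure_check(candidate[2:-2]):    # step d: data matches function code
                return candidate, "ok"
        length += STEP                              # grow by one byte, back to step b
    return None, "no complete Modbus RTU frame: discard buffer, log and alarm"


def build_rtu_frame(slave: int, fc: int, data: bytes) -> bytes:
    """Helper for constructing sample frames: appends the CRC in wire order."""
    body = bytes([slave, fc]) + data
    return body + struct.pack("<H", crc16_modbus(body))


if __name__ == "__main__":
    # Constructed sample: read 2 holding registers from slave 1 (01 03 00 00 00 02 C4 0B)
    good = bytes.fromhex("010300000002C40B")
    print(recover_rtu_frame(good))
    print(recover_rtu_frame(good[:-1]))             # incomplete frame: rejected
    print(recover_rtu_frame(good + b"\xde\xad"))    # frame followed by junk: frame kept
```

A frame followed by trailing junk is recovered as soon as the CRC matches at the frame's own length, which is the behaviour the later embodiment describes for illegal bytes around a complete frame.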
S2. If a complete Modbus frame structure can be formed, i.e. packetization succeeds, the slave address check and function code check step is carried out, comprising:
S21. Extract the slave address and the function code of the Modbus frame.
S22. Check whether the slave address is a slave address that is allowed to be accessed. If it is not, produce a log record and an alarm output and discard the packet.
S23. If the slave address is allowed to be accessed, filter the extracted function code against the preset function code whitelist; if the extracted function code is not in the whitelist, produce a log record and an alarm output and discard the packet.
If it is not desired that any master (client) on the network can modify a slave's (server's) data by sending function codes the slave supports, function codes with a "write" function can be excluded from the whitelist. For example, the whitelist may omit 05, 06, 15 and 16.
Similarly, other kinds of user-defined function codes can be controlled by means of the whitelist; for example, function codes 22 to 64 may be included in the whitelist and function codes 65 to 72 left out of it. With this kind of setting, the types of function code a master (client) can send to a slave (server) are controlled.
By way of illustration, when the function code of the extracted Modbus frame is 22, a log record and an alarm output are produced and the packet is discarded; when the function code of the extracted Modbus frame is 65, processing continues with step S3.
S3. Modbus frame type check step:
Check the type of the function code of the Modbus frame: if it is a read-data function code (i.e. the command is a read command), perform step S4; if it is a write-data function code (i.e. the command is a write command), perform step S5.
S4. When the function code contained in the complete Modbus frame is a read-data function code, check whether the register range contained in the Modbus frame is within the allowed range:
S41. Extract the register range contained in the Modbus frame;
S42. Judge whether the extracted register range is within the register range allowed for reading (the register range whitelist).
The Modbus frame is filtered according to the predefined allowed register range: if the register range of the Modbus frame is not within the range allowed for reading, a log record and an alarm output are produced and the packet is discarded; otherwise the link-layer and transport-layer information is forwarded together with the Modbus frame to the internal communication port (serial port, TCP port or UDP port).
S5. When the function code contained in the complete Modbus frame is a write-data function code, check whether the register range contained in the Modbus frame is within the allowed range and generate the corresponding process parameter control values:
S51. Extract the register range and the process parameters contained in the Modbus frame;
S52. Judge whether the register range is within the allowed register range (the register range whitelist);
S53. Generate the control values matching the process parameters from the correspondence between the predefined process parameters (the tag entries in Fig. 6a and Fig. 6b) and the registers in the register range, and from the encoding type;
The encoding type of a process parameter may be Boolean, signed integer, unsigned integer, floating point or BCD.
The correspondence between process parameters and registers and the encoding type are explained as follows:
Using the user-definition (configuration) method, the mapping between process parameters and the Modbus register model is defined in a configuration tool:
For an analogue process control parameter (signed integer, unsigned integer, floating point, BCD, etc.), the mapping includes the starting register address corresponding to the process control parameter, the start byte within the register, the byte length of the data and the encoding type. Fig. 6(a) shows an example of the user-defined mapping between an analogue process control parameter and Modbus registers.
For a Boolean process control parameter, the mapping includes the register address corresponding to the process parameter, the bit offset within the register and the number of bits. Fig. 6(b) shows an example of the user-defined mapping between a Boolean process parameter and the Modbus register model.
The correspondence between a process parameter and registers may be one process parameter to one or more registers, one process parameter to one or several bit positions of a register, or several process parameters sharing one register.
The length of a process parameter may be one or more bytes; for the signed integer, unsigned integer, floating point and BCD types, the parameter length can be up to 8 bytes. For the floating point type the parameter length may be 4 bytes or 8 bytes. A conversion between the raw value and the engineering value of a process parameter may be defined; the conversion may be a proportional relation or a user-defined engineering coefficient relation.
S54. Judge whether the process parameter control values are permitted values:
The Modbus frame is filtered according to the predefined allowed range of process parameter control values (the control value range whitelist): if one or more of the process parameter control values contained in the Modbus frame is not in the whitelist, a log record and an alarm output are produced and the packet is discarded; otherwise the link-layer and transport-layer information is forwarded together with the filtered Modbus frame to the internal communication port (serial port, TCP port or UDP port).
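Steps S2 to S5 as an added example in Python (not the patent's own code), applied to a complete RTU request frame that has already passed the step S1 integrity check: the slave address and function code whitelists, the read and write register range whitelists, and the decoding of written registers into process parameter control values through mappings of the kind shown in Fig. 6a and Fig. 6b. The policy, the parameter mappings, the proportional conversion and the restriction to register function codes 03, 04, 06 and 16 are constructed assumptions.

```python
import struct
from dataclasses import dataclass, field

READ_FCS = {0x03, 0x04}    # read holding / input registers
WRITE_FCS = {0x06, 0x10}   # write single / multiple registers
_FMT = {"int16": ">h", "uint16": ">H", "float32": ">f"}

@dataclass
class AnalogParam:
    """Analogue mapping (Fig. 6a): start register, start byte, byte length, encoding."""
    name: str
    start_reg: int
    start_byte: int
    length: int
    encoding: str            # "int16", "uint16" or "float32" in this example
    scale: float             # proportional raw-to-engineering conversion
    allowed: tuple           # control value whitelist as an inclusive (low, high) range

@dataclass
class BoolParam:
    """Boolean mapping (Fig. 6b): register address, bit offset, bit count."""
    name: str
    reg: int
    bit_offset: int
    bit_count: int
    allowed: set

@dataclass
class Policy:
    slaves: set              # S22: slave addresses allowed to be accessed
    fc_whitelist: set        # S23: function code whitelist
    read_ranges: list        # S42: inclusive (low, high) register ranges
    write_ranges: list       # S52: inclusive (low, high) register ranges
    analog: list = field(default_factory=list)
    bools: list = field(default_factory=list)

def _in_ranges(start, qty, ranges):
    return any(lo <= start and start + qty - 1 <= hi for lo, hi in ranges)

def _written_registers(fc, data):
    """Register values a write request would store, keyed by register address."""
    if fc == 0x06:
        addr, value = struct.unpack(">HH", data[:4])
        return {addr: value}
    addr, qty, count = struct.unpack(">HHB", data[:5])
    if qty == 0 or count != 2 * qty or len(data) != 5 + count:
        raise ValueError("byte count does not match register quantity")
    return {addr + i: v for i, v in enumerate(struct.unpack(">%dH" % qty, data[5:]))}

def decode_analog(p, regs):
    """Engineering value of p, or None if the write does not cover all its registers."""
    nregs = (p.start_byte + p.length + 1) // 2
    if any(p.start_reg + i not in regs for i in range(nregs)):
        return None
    raw = b"".join(struct.pack(">H", regs[p.start_reg + i]) for i in range(nregs))
    return struct.unpack(_FMT[p.encoding], raw[p.start_byte:p.start_byte + p.length])[0] * p.scale

def decode_bool(p, regs):
    if p.reg not in regs:
        return None
    return (regs[p.reg] >> p.bit_offset) & ((1 << p.bit_count) - 1)

def check_frame(frame, policy):
    """Steps S2-S5 on a complete RTU request frame (address, fc, data, 2-byte CRC)."""
    slave, fc, data = frame[0], frame[1], frame[2:-2]
    if slave not in policy.slaves:
        return False, "S22: slave address not allowed"
    if fc not in policy.fc_whitelist:
        return False, "S23: function code not in whitelist"
    if fc in READ_FCS:                                        # S4
        start, qty = struct.unpack(">HH", data[:4])
        if not _in_ranges(start, qty, policy.read_ranges):
            return False, "S42: read register range not allowed"
        return True, "S4: forward"
    if fc in WRITE_FCS:                                       # S5
        try:
            regs = _written_registers(fc, data)
        except (struct.error, ValueError):
            return False, "S51: malformed write data"
        if not _in_ranges(min(regs), len(regs), policy.write_ranges):
            return False, "S52: write register range not allowed"
        for p in policy.analog:                               # S53 + S54
            v = decode_analog(p, regs)
            if v is not None and not p.allowed[0] <= v <= p.allowed[1]:
                return False, "S54: %s=%g not a permitted value" % (p.name, v)
        for p in policy.bools:
            v = decode_bool(p, regs)
            if v is not None and v not in p.allowed:
                return False, "S54: %s=%d not a permitted value" % (p.name, v)
        return True, "S5: forward"
    return False, "S3: function code type not handled"

# Constructed policy: a setpoint in 0.1 degC at register 10, a 2-bit mode field at
# register 12 and a float32 ratio in registers 14-15; write codes are whitelisted on purpose.
POLICY = Policy(
    slaves={1, 2}, fc_whitelist={0x03, 0x04, 0x06, 0x10},
    read_ranges=[(0, 99)], write_ranges=[(10, 19)],
    analog=[AnalogParam("setpoint_c", 10, 0, 2, "uint16", 0.1, (0.0, 80.0)),
            AnalogParam("ratio", 14, 0, 4, "float32", 1.0, (0.5, 2.0))],
    bools=[BoolParam("mode", 12, 0, 2, {0, 1, 2})])
```

A write to register 10 of the raw value 900 decodes to 90.0 degC and is rejected at S54 even though its register range is allowed, which is the control value filtering the page distinguishes from the register range filtering.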
In another embodiment of the present invention, after performing step S13, if the data request packet received successfully is pressed Frame structure according to corresponding Modbus protocol type packages, but the initial and end of this frame structure also includes illegal byte Stream (the complete byte stream outside Modbus frame structure), then remove illegal byte stream, retain legal, complete Modbus Frame, and perform S2~S5 step it is analyzed.
According to a further aspect of the invention, an embodiment of the security protection system 1 for a Modbus network comprises:
an integrity check module 11, which receives the Modbus byte stream transmitted from the external request port, assembles the byte stream according to the frame structure of the Modbus protocol type into a complete Modbus frame structure, and performs the corresponding processing according to the result of the assembly;
a Modbus frame inspection module 12 for function codes that read or write data, which, for a read data function code, checks whether the register range contained in the complete Modbus frame lies within the allowed range; and, for a write data function code, checks whether the register range contained in the complete Modbus frame lies within the allowed range, extracts the process parameters contained in the complete Modbus frame, generates the corresponding control values according to the correspondence between the process parameters and the registers in that register range and according to the encoding type, and judges whether each control value is a permitted value.
With reference to Fig. 7, in another embodiment the security protection system 1 for a Modbus network comprises:
an integrity check module 11, which receives the Modbus byte stream transmitted from the external request port, assembles the byte stream according to the frame structure of the Modbus protocol type into a complete Modbus frame structure, and performs the corresponding processing according to the result of the assembly;
a slave address inspection module 12, for checking whether the slave address contained in the complete Modbus frame is a slave address that is allowed to be accessed;
a function code legitimacy inspection module 13, for checking whether the function code contained in the complete Modbus frame is in a preset function code whitelist;
a Modbus frame inspection module 14 for read data function codes, which, for a read data function code, checks whether the register range contained in the complete Modbus frame lies within the allowed range;
a Modbus frame inspection module 15 for write data function codes, which, for a write data function code, checks whether the register range contained in the complete Modbus frame lies within the allowed range, extracts the process parameters contained in the complete Modbus frame, generates the corresponding control values according to the correspondence between the process parameters and the registers in that register range and according to the encoding type, and judges whether each control value is a permitted value.
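The module chain just listed (slave-address whitelist, function-code whitelist, register-range check for reads, and for writes the decoding of process parameters into control values that are checked against their permitted ranges, as also claimed in claims 6 to 10) is shown below as one inspection function. This is an added example written for this page, not the patent's own implementation; the slave, function-code and register policies, the parameter-to-register mapping (including a float32 parameter that spans two registers) and the request bytes are constructed for illustration. The frame passed in is the patent's "complete Modbus frame" with the RTU CRC or TCP MBAP header already removed, i.e. unit identifier, function code and data. Two choices go beyond the page and are the example's own: a write that covers only part of a multi-register parameter is rejected because its value cannot be decoded, and a write to a register in the allowed range that maps onto no known parameter is rejected rather than passed on the range check alone.

```python
"""Modbus request inspection chain (added example, not the patent's code)."""
import logging
import struct
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("modbus-guard")

# ---- policy, constructed for the example (a deployment would load this from configuration) ----
ALLOWED_SLAVES = {1, 17}
FC_WHITELIST = {0x03, 0x04, 0x06, 0x10}       # read holding, read input, write single, write multiple
READ_RANGES = {1: [(0, 100)], 17: [(0, 50)]}   # inclusive register windows per slave
WRITE_RANGES = {1: [(10, 20)], 17: [(0, 9)]}


@dataclass(frozen=True)
class Param:
    """How a process parameter sits in the registers and which control values are permitted."""
    name: str
    register: int     # first holding register of the parameter
    encoding: str     # "uint16", "int16" or "float32" (float32 spans two registers)
    scale: float      # raw register value -> engineering units
    lo: float         # permitted control-value range, inclusive
    hi: float


PARAMS = {
    1: [Param("setpoint_c", 10, "uint16", 0.1, 0.0, 120.0),
        Param("pump_speed_pct", 11, "int16", 1.0, 0.0, 100.0),
        Param("flow_limit_m3h", 12, "float32", 1.0, 0.0, 50.0)],
    17: [Param("valve_pos_pct", 0, "uint16", 1.0, 0.0, 100.0)],
}
_FMT = {"uint16": ">H", "int16": ">h", "float32": ">f"}


def _width(p: Param) -> int:
    return 2 if p.encoding == "float32" else 1


def _in_ranges(first: int, count: int, ranges) -> bool:
    last = first + count - 1
    return any(lo <= first and last <= hi for lo, hi in ranges)


def decode_params(slave: int, first: int, regs: bytes) -> Optional[dict]:
    """Turn the written registers (big-endian words starting at `first`) into control values.
    Returns None if any written register is not wholly covered by a known parameter."""
    count = len(regs) // 2
    end = first + count
    values, covered = {}, set()
    for p in PARAMS.get(slave, []):
        lo, hi = p.register, p.register + _width(p)   # half-open register span of the parameter
        if hi <= first or lo >= end:
            continue                                  # untouched by this write
        if lo < first or hi > end:
            return None                               # partial write of a multi-register parameter
        raw = struct.unpack(_FMT[p.encoding], regs[(lo - first) * 2:(hi - first) * 2])[0]
        values[p.name] = raw * p.scale
        covered.update(range(lo, hi))
    return values if covered == set(range(first, end)) else None


def inspect_request(frame: bytes):
    """Run the module chain over one request (unit id + function code + data; CRC/MBAP removed).
    Returns (forward, reason); a False verdict is where the filter logs, alarms and drops."""
    if len(frame) < 2:
        return False, "truncated frame"
    slave, fc, data = frame[0], frame[1], frame[2:]
    if slave not in ALLOWED_SLAVES:                       # slave address inspection
        return False, f"slave {slave} not allowed"
    if fc not in FC_WHITELIST:                            # function code legitimacy inspection
        return False, f"function code 0x{fc:02x} not in whitelist"
    if fc in (0x03, 0x04):                                # read data: register range only
        if len(data) != 4:
            return False, "malformed read request"
        first, qty = struct.unpack(">HH", data)
        if not (1 <= qty <= 125 and _in_ranges(first, qty, READ_RANGES[slave])):
            return False, f"read of registers {first}..{first + qty - 1} outside allowed range"
        return True, "read within allowed range"
    if fc == 0x06:                                        # write single register
        if len(data) != 4:
            return False, "malformed write single register"
        first, qty, regs = struct.unpack(">H", data[:2])[0], 1, data[2:]
    else:                                                 # 0x10 write multiple registers
        if len(data) < 5:
            return False, "malformed write multiple registers"
        first, qty, byte_count = struct.unpack(">HHB", data[:5])
        regs = data[5:]
        if not (1 <= qty <= 123 and byte_count == 2 * qty == len(regs)):
            return False, "write multiple: quantity/byte count mismatch"
    if not _in_ranges(first, qty, WRITE_RANGES[slave]):   # write data: register range
        return False, f"write to registers {first}..{first + qty - 1} outside allowed range"
    values = decode_params(slave, first, regs)            # process parameters -> control values
    if values is None:
        return False, "write does not map onto whole known process parameters"
    for p in PARAMS[slave]:                               # control value whitelist
        if p.name in values and not (p.lo <= values[p.name] <= p.hi):
            log.warning("alarm: slave %d %s=%s outside [%s, %s]", slave, p.name, values[p.name], p.lo, p.hi)
            return False, f"{p.name}={values[p.name]} outside permitted range"
    return True, "write control values permitted: " + ", ".join(f"{k}={v}" for k, v in values.items())
```

The encoding type is what makes the value check meaningful: the same raw word 0xFFFF is 65535 as uint16 but -1 as int16, and a float32 cannot be judged from either of its halves alone, which is why the example refuses a write that touches only one of the two registers of `flow_limit_m3h`.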
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the above technical solution, or the part of it that contributes to the prior art, can in essence be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server or a network device) to perform the method described in each embodiment or in some part of an embodiment.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A safety protection method for a Modbus network, comprising:
S1. receiving a Modbus byte stream transmitted from an external request port, assembling the byte stream according to the frame structure of the Modbus protocol type to form a complete Modbus frame structure, and performing corresponding processing according to the result of the assembly.
2. The safety protection method for a Modbus network according to claim 1, wherein step S1 comprises:
for a received byte stream of Modbus ASCII protocol type, judging whether the packet has a complete Modbus frame structure according to whether the packet has a start character and an end mark and whether it passes the CRC check; or
for a received byte stream of Modbus RTU protocol type:
a. performing a CRC check on a byte stream of predetermined length, and
b. judging whether the function code in the byte stream that passed the CRC check is a function code allowed by the Modbus RTU frame structure; if it is not an allowed function code, changing the length of the byte stream and returning to step a to perform the CRC check again.
3. The safety protection method for a Modbus network according to claim 1, wherein step a further comprises: for a byte stream of Modbus RTU protocol type, starting the CRC check from the minimum byte stream length; if the check fails, increasing the byte stream length by a predetermined number of bytes and performing the CRC check again; and if the current byte stream length reaches the maximum length without passing the CRC check, discarding the byte stream.
4. The safety protection method for a Modbus network according to claim 3, wherein step S1 further comprises:
c. checking, according to the data structure corresponding to the function code, whether the data structure in the current byte stream matches the function code; if it does not match, increasing the byte stream length by the predetermined number of bytes and returning to step a.
5. The safety protection method for a Modbus network according to any one of claims 1 to 4, wherein step S1 further comprises:
when the head and tail portions of the Modbus frame structure contain illegal bytes in addition to the complete Modbus frame structure, removing the illegal bytes and retaining the complete Modbus frame structure.
6. The safety protection method for a Modbus network according to any one of claims 1 to 5, further comprising:
S2. checking whether the slave address contained in the complete Modbus frame is a slave address that is allowed to be accessed, and checking whether the function code contained in the complete Modbus frame is in a preset function code whitelist.
7. The safety protection method for a Modbus network according to claim 6, further comprising:
S3. for a read data function code, checking whether the register range contained in the complete Modbus frame lies within the allowed range;
S4. for a write data function code, checking whether the register range contained in the complete Modbus frame lies within the allowed range, extracting the process parameters contained in the complete Modbus frame, generating the corresponding control values according to the correspondence between the process parameters and the registers in the register range and according to the encoding type, and judging whether each control value is a permitted value.
8. The safety protection method for a Modbus network according to claim 7, wherein step S4 further comprises:
extracting the plurality of process parameters contained in the complete Modbus frame, generating the corresponding control values according to the correspondence between the plurality of process parameters and each register in the register range, or the bit positions of each register, and according to the encoding type, and judging whether each control value is a permitted value.
9. A security protection system for a Modbus network, comprising:
an integrity check module, which receives a Modbus byte stream transmitted from an external request port, assembles the byte stream according to the frame structure of the Modbus protocol type to form a complete Modbus frame structure, and performs corresponding processing according to the result of the assembly;
a Modbus frame inspection module for function codes that read or write data, which, for a read data function code, checks whether the register range contained in the complete Modbus frame lies within the allowed range; and, for a write data function code, checks whether the register range contained in the complete Modbus frame lies within the allowed range, extracts the process parameters contained in the complete Modbus frame, generates the corresponding control values according to the correspondence between the process parameters and the registers in the register range and according to the encoding type, and judges whether each control value is a permitted value.
10. The security protection system for a Modbus network according to claim 9, further comprising:
a slave address inspection module, for checking whether the slave address contained in the complete Modbus frame is a slave address that is allowed to be accessed;
a function code legitimacy inspection module, for checking whether the function code contained in the complete Modbus frame is in a preset function code whitelist.
CN201610164736.1A 2016-03-22 2016-03-22 Safety protection system and method for Modbus network Pending CN105847249A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610164736.1A CN105847249A (en) 2016-03-22 2016-03-22 Safety protection system and method for Modbus network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610164736.1A CN105847249A (en) 2016-03-22 2016-03-22 Safety protection system and method for Modbus network

Publications (1)

Publication Number Publication Date
CN105847249A true CN105847249A (en) 2016-08-10

Family

ID=56587795

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610164736.1A Pending CN105847249A (en) 2016-03-22 2016-03-22 Safety protection system and method for Modbus network

Country Status (1)

Country Link
CN (1) CN105847249A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771700A (en) * 2010-01-06 2010-07-07 哈尔滨工业大学 Modbus protocol communication node based on FPGA
CN103546467A (en) * 2013-10-23 2014-01-29 上海爱控自动化设备有限公司 Method for transmitting Modbus RTU protocol on TCP/IP network
CN104702584A (en) * 2013-12-10 2015-06-10 中国科学院沈阳自动化研究所 Modbus communication access control method based on rule self-learning
CN105278437A (en) * 2014-06-16 2016-01-27 上海宝信软件股份有限公司 Modbus RTU/ASCII protocol realization method based on S7-300/400 PLC

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张盛山 (Zhang Shengshan) et al.: "Modbus TCP communication security defense model based on zone/boundary rules", Computer Engineering and Design *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107948195A (en) * 2017-12-25 2018-04-20 杭州迪普科技股份有限公司 Method and device for protecting against Modbus attacks
CN107948195B (en) * 2017-12-25 2020-12-04 杭州迪普科技股份有限公司 Method and device for protecting Modbus attack
CN108306865B (en) * 2018-01-15 2021-02-12 厦门科灿信息技术有限公司 Modbus packet-sticking processing method and device based on Netty framework
CN108306865A (en) * 2018-01-15 2018-07-20 厦门科灿信息技术有限公司 Modbus packet splicings processing method based on Netty frames, device
CN110166646A (en) * 2018-02-12 2019-08-23 南京南瑞继保电气有限公司 Method for connecting a multi-host fire alarm system to a rail transit integrated supervisory control system
CN110545226B (en) * 2018-05-28 2021-12-17 中国石油天然气集团有限公司 Device communication method and communication system
CN110545226A (en) * 2018-05-28 2019-12-06 中国石油天然气集团有限公司 device communication method and communication system
CN109639624A (en) * 2018-10-08 2019-04-16 上海大学 Malformed data filtering method in Modbus TCP protocol fuzz testing
CN110351235B (en) * 2019-01-30 2021-04-30 清华大学 Monitoring method and device, industrial control system and computer readable medium
CN110351235A (en) * 2019-01-30 2019-10-18 清华大学 Monitoring method and device, industrial control system and computer-readable medium
CN111723181A (en) * 2020-06-17 2020-09-29 国家计算机网络与信息安全管理中心 Industrial control protocol reverse analysis method based on active learning
CN114584630A (en) * 2020-11-18 2022-06-03 中移物联网有限公司 Communication method and device based on field bus protocol
CN114584630B (en) * 2020-11-18 2023-10-27 中移物联网有限公司 Communication method and device based on field bus protocol
CN114567649A (en) * 2021-12-24 2022-05-31 浙江中控技术股份有限公司 Communication protocol suitable for transmission of Internet of things


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160810