CN107404487B - Industrial control system safety detection method and device - Google Patents


Info

Publication number
CN107404487B
CN107404487B (application CN201710667625.7A)
Authority
CN
China
Prior art keywords
field
value
component
change rule
variation
Prior art date
Legal status
Active
Application number
CN201710667625.7A
Other languages
Chinese (zh)
Other versions
CN107404487A (en)
Inventor
冯冬芹
许剑新
Current Assignee
Zhejiang Guoli NetAn Technology Co., Ltd.
Original Assignee
Zhejiang Guoli Network Security Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Zhejiang Guoli Network Security Technology Co ltd
Priority to CN201710667625.7A
Publication of CN107404487A
Application granted
Publication of CN107404487B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 43/00 Arrangements for monitoring or testing data switching networks
            • H04L 43/18 Protocol analysers
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
          • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/08 Protocols for interworking; Protocol conversion
            • H04L 69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Communication Control (AREA)

Abstract

Embodiments of the invention disclose a security detection method and device for an industrial control system, applied to security detection of a controller in the industrial control system. The method comprises the following steps: segmenting an industrial communication protocol message by bytes to obtain at least one component field of the message; determining the numerical change rule of the field values contained in each of the at least one component field; mutating the field values contained in each component field according to the numerical change rule corresponding to that field, to obtain the mutated component fields; combining the mutated component fields according to the message format of the industrial communication protocol to obtain a mutation test message; and exchanging the mutation test message with the controller in order to perform security detection on the controller. The invention thus converts an industrial communication protocol message into a mutation test message and uses that message to interact with the controller, thereby performing security detection on the controller.

Description

Industrial control system safety detection method and device
Technical Field
The invention relates to the technical field of information security of industrial control systems, in particular to a method and a device for detecting the security of an industrial control system.
Background
An industrial control system is a safety-critical system whose most important component is the controller. The controller performs automatic control of the industrial production plant and sends the plant state and the control results to the upper computer (supervisory host) over the industrial control network, thereby realizing the human-machine interaction process.
In recent years, network attacks against industrial control systems have become a hotspot of information security. These attacks are no longer limited to the host computers of the industrial control system: they reach through the industrial control network to attack the controllers directly, and their form has shifted from traditional information theft and host paralysis towards using the controllers to attack physical entities directly.
Security vulnerability detection of the controller in an industrial control system has therefore become a means of protection: before an attacker strikes, vulnerabilities in the deployed controller can be uncovered in time and repaired according to their characteristics, so that they cannot be exploited. How to perform security detection on a controller in an industrial control system is thus a technical problem that urgently needs to be solved.
Disclosure of Invention
In view of this, embodiments of the present invention provide a security detection method and apparatus for an industrial control system, which can perform security detection on a controller in the industrial control system.
To achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
A security detection method for an industrial control system, applied to security detection of a controller in the industrial control system, comprises the following steps:
segmenting an industrial communication protocol message by bytes to obtain at least one component field of the message;
determining the numerical change rule of the field values contained in each of the at least one component field;
mutating the field values contained in each component field according to the numerical change rule corresponding to that field, to obtain the mutated component fields;
combining the mutated component fields according to the message format of the industrial communication protocol to obtain a mutation test message;
and exchanging the mutation test message with the controller in order to perform security detection on the controller.
Preferably, the process of determining the numerical change rule of the field values contained in each of the at least one component field includes:
extracting the field values contained in each of the at least one component field of the industrial communication protocol message;
judging the change rule of those field values;
if any two field values contained in a component field are equal, determining that the numerical change rule of the field is the constant value change rule;
if any two adjacent field values contained in a component field, ordered by time sequence, increase arithmetically, determining that the numerical change rule of the field is the incremental change rule;
if the length of the message to which any field value of a component field belongs is in a linear relation with that field value, determining that the numerical change rule of the field is the association change rule;
if the difference between any two field values contained in a component field lies within a preset range, determining that the numerical change rule of the field is the fluctuation change rule;
if all field values contained in a component field take only a limited number of distinct values, determining that the numerical change rule of the field is the finite value change rule;
if all field values contained in a component field merely lie within the maximum range representable by the field's number of bytes, determining that the numerical change rule of the field is the irregular change rule.
Preferably, after determining that the numerical change rule of the field values contained in a component field is the constant value change rule, the method further includes:
performing no value mutation on the field values contained in that component field.
Preferably, mutating the field values contained in each component field according to its corresponding numerical change rule to obtain the mutated component fields includes:
when the numerical change rule of the field values contained in one of the component fields is the incremental change rule, using the equivalence class and boundary value method to mutate the field values into 0, the maximum value among the field's values, and half of the maximum value among the field sample values, to obtain the mutated component field, where the field sample values are a group of sample values selected from the field values contained in the component field according to a preset rule;
when the numerical change rule of the field values contained in one of the component fields is the association change rule, mutating the field values according to the maximum Ethernet message length of 1514 to obtain the mutated component field;
when the numerical change rule of the field values contained in one of the component fields is the fluctuation change rule, mutating the field values to 0 to obtain the mutated component field;
when the numerical change rule of the field values contained in one of the component fields is the finite value change rule, determining the maximum value among the sample values, fully traversing the values from the sample maximum up to the maximum value of the field's range, mutating the field values into sampled values from the negative of the sample maximum up to 0, and using the values from 0 up to the sample maximum as the conditions of the orthogonal tests in which other fields are mutated, to obtain the mutated component field, where the sample values are a group of sample values selected from the field values contained in the component field according to a preset rule;
when the numerical change rule of the field values contained in one of the component fields is the irregular change rule, mutating the field values into randomly selected mutation values to obtain the mutated component field.
Preferably, before mutating the field values contained in each component field according to its corresponding numerical change rule to obtain the mutated component fields, the method further includes:
determining the type of each component field according to its numerical change rule, length and value range characteristics, the type of each component field including at least one of: protocol number, version, command, message length, session handle, sequence number, status word, number of entries, entry address, entry length, entry data, and check code;
and the process of mutating the field values contained in each component field according to its corresponding numerical change rule to obtain the mutated component fields includes:
mutating the field values contained in each component field according to both the numerical change rule and the type of that component field, to obtain the mutated component fields.
An industrial control system security detection device, applied to security detection of a controller in an industrial control system, comprises:
a segmentation module, configured to segment an industrial communication protocol message by bytes to obtain at least one component field of the message;
a numerical change rule determining module, configured to determine the numerical change rule of the field values contained in each of the at least one component field;
a mutation module, configured to mutate the field values contained in each component field according to the numerical change rule corresponding to that field, to obtain the mutated component fields;
a mutation test message acquisition module, configured to combine the mutated component fields according to the message format of the industrial communication protocol to obtain a mutation test message;
and a security detection module, configured to exchange the mutation test message with the controller and perform security detection on the controller.
Preferably, the numerical change rule determining module includes:
a field value extraction module, configured to extract the field values contained in each of the at least one component field of the industrial communication protocol message;
a change rule judging module, configured to judge the change rule of those field values;
a constant value change rule determining module, configured to determine that the numerical change rule of a component field is the constant value change rule if any two field values contained in the field are equal;
an incremental change rule determining module, configured to determine that the numerical change rule of a component field is the incremental change rule if any two adjacent field values contained in the field, ordered by time sequence, increase arithmetically;
an association change rule determining module, configured to determine that the numerical change rule of a component field is the association change rule if the length of the message to which any field value of the field belongs is in a linear relation with that field value;
a fluctuation change rule determining module, configured to determine that the numerical change rule of a component field is the fluctuation change rule if the difference between any two field values contained in the field lies within a preset range;
a finite value change rule determining module, configured to determine that the numerical change rule of a component field is the finite value change rule if all field values contained in the field take only a limited number of distinct values;
and an irregular change rule determining module, configured to determine that the numerical change rule of a component field is the irregular change rule if all field values contained in the field merely lie within the maximum range representable by the field's number of bytes.
Preferably, the mutation module includes:
a first mutation sub-module, configured to, when the numerical change rule of the field values contained in one of the component fields is the incremental change rule, use the equivalence class and boundary value method to mutate the field values into 0, the maximum value among the field's values, and half of the maximum value among the field sample values, to obtain the mutated component field, where the field sample values are a group of sample values selected from the field values contained in the component field according to a preset rule;
a second mutation sub-module, configured to, when the numerical change rule of the field values contained in one of the component fields is the association change rule, mutate the field values according to the maximum Ethernet message length of 1514 to obtain the mutated component field;
a third mutation sub-module, configured to, when the numerical change rule of the field values contained in one of the component fields is the fluctuation change rule, mutate the field values to 0 to obtain the mutated component field;
a fourth mutation sub-module, configured to, when the numerical change rule of the field values contained in one of the component fields is the finite value change rule, determine the maximum value among the sample values, fully traverse the values from the sample maximum up to the maximum value of the field, mutate the field values into sampled values from the negative of the sample maximum up to 0, and use the values from 0 up to the sample maximum as the conditions of the orthogonal tests in which other fields are mutated, to obtain the mutated component field, where the sample values are a group of sample values selected from the field values contained in the component field according to a preset rule;
and a fifth mutation sub-module, configured to, when the numerical change rule of the field values contained in one of the component fields is the irregular change rule, mutate the field values into randomly selected mutation values to obtain the mutated component field.
Preferably, the device further includes:
a component field type determining module, configured to determine the type of each component field according to its numerical change rule, length and value range characteristics, the type of each component field including at least one of: protocol number, version, command, message length, session handle, sequence number, status word, number of entries, entry address, entry length, entry data, and check code;
and the mutation module is specifically configured to:
mutate the field values contained in each component field according to both the numerical change rule and the type of that component field, to obtain the mutated component fields.
Based on the above technical scheme, embodiments of the invention disclose a security detection method and device for an industrial control system, applied to security detection of a controller in the industrial control system. The method comprises the following steps: segmenting an industrial communication protocol message by bytes to obtain at least one component field of the message; determining the numerical change rule of the field values contained in each of the at least one component field; mutating the field values contained in each component field according to the numerical change rule corresponding to that field, to obtain the mutated component fields; combining the mutated component fields according to the message format of the industrial communication protocol to obtain a mutation test message; and exchanging the mutation test message with the controller in order to perform security detection on the controller. In the embodiment of the invention, therefore, an industrial communication protocol message can be converted into a mutation test message, and that message is used to interact with the controller so as to perform security detection on the controller.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a security detection method for an industrial control system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of segmenting an industrial communication protocol message by bytes according to an embodiment of the present invention;
fig. 3 is a schematic diagram of the process of segmenting an industrial communication protocol message by bytes according to an embodiment of the present invention;
fig. 4 is a schematic diagram of the change states of the six numerical change rules according to an embodiment of the present invention;
fig. 5 is a flowchart of a method for determining the numerical change rule of the field values contained in each of at least one component field of an industrial communication protocol message according to an embodiment of the present invention;
fig. 6 is a block diagram of a security detection device of an industrial control system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows a flowchart of an industrial control system security detection method applied to security detection of a controller in an industrial control system, specifically a fuzz testing process for an industrial communication protocol. Referring to fig. 1, the method may include:
Step S100, segmenting an industrial communication protocol message by bytes to obtain at least one component field of the message;
referring to fig. 2, which shows the segmentation of an industrial communication protocol message by bytes, each byte of the message byte sequence B1:T is segmented to obtain at least one group of component fields F1, F2, ..., FN.
Step S110, determining the numerical change rule of the field values contained in each of the at least one component field;
It should be noted that, in the embodiment of the present invention, in combination with the schematic of byte-wise segmentation shown in fig. 3, an original industrial communication protocol message sample carries information such as the Open Systems Interconnection (OSI) layer type, the message length and a timestamp. After the message is segmented by bytes, the field type, field length and field value of each component field can be obtained in addition to the numerical change rule of its field values; specifically, a field feature training method is applied to the byte-wise segmentation process.
It should be noted that the numerical change rules of field values disclosed in the embodiment of the present invention include six change rules: the constant value change rule, the finite value change rule, the incremental change rule, the fluctuation change rule, the association change rule and the irregular change rule.
In combination with the change states of the six numerical change rules shown in fig. 4: under the constant value change rule, the field value is the same in all message samples; under the finite value change rule, the field takes only a limited number of distinct values across all message samples; under the incremental change rule, the field value increases with the time sequence of the message samples; under the fluctuation change rule, the field value fluctuates around a certain constant value within message samples of the same type; under the irregular change rule, the field value changes irregularly; and under the association change rule, the field value varies with other fields of the message.
It should be noted that, in the embodiment of the present invention, after determining the numerical change rule of the field values contained in each of the at least one component field, the method further includes:
if the change rules of two adjacent fields are the same or related, merging the two fields into one field; if adjacent fields with the same change rule still exist after one merge, merging again; and if the change rule of the former field is the constant value change rule and that of the latter field is the incremental change rule, merging the two fields into one incremental field.
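The rule inference of Step S110 and the field merging just described, as an added example that is not code from the patent or its assignee. It classifies each byte of a constructed toy message format (labelled as such in the code; not a real industrial protocol) with the six rules in the order the page lists them and then merges adjacent fields. The fluctuation range of 16, the threshold of 8 distinct values for the finite rule, the fixed header length, the requirement that an association be a non-constant linear relation with the message length, and the table of "related" rule pairs (only the constant-then-incremental pair the page names) are assumptions of this example.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import List, Sequence


@dataclass
class Field:
    offset: int                                       # byte offset of the field in the message
    width: int                                        # field width in bytes
    rule: str                                         # inferred numerical change rule
    values: List[int] = field(default_factory=list)   # field value in each captured sample


def is_linear(xs: Sequence[int], ys: Sequence[int]) -> bool:
    """True if ys = a*xs + b exactly for every sample, with a != 0 (exact rational arithmetic)."""
    x0, y0 = xs[0], ys[0]
    other = next(((x, y) for x, y in zip(xs, ys) if x != x0), None)
    if other is None:
        return False
    a = Fraction(other[1] - y0, other[0] - x0)
    if a == 0:                       # constant message length says nothing about the field (assumption)
        return False
    b = y0 - a * x0
    return all(a * x + b == y for x, y in zip(xs, ys))


def infer_change_rule(values: Sequence[int], msg_lengths: Sequence[int],
                      fluct_range: int = 16, finite_max: int = 8) -> str:
    """Apply the six rules in the order the text lists them; the first match wins."""
    distinct = set(values)
    if len(distinct) == 1:
        return "constant"            # any two values equal
    diffs = [b - a for a, b in zip(values, values[1:])]
    if diffs[0] > 0 and all(d == diffs[0] for d in diffs):
        return "incremental"         # arithmetic increase in time order
    if is_linear(values, msg_lengths):
        return "association"         # linear in the length of the message it belongs to
    if max(values) - min(values) <= fluct_range:
        return "fluctuation"         # all pairwise differences within the preset range (assumed 16)
    if len(distinct) <= finite_max:
        return "finite"              # a limited number of distinct values (threshold assumed: 8)
    return "irregular"               # only the byte-width range constrains it


MERGE_RELATED = {("constant", "incremental"): "incremental"}   # the related pair the text names


def merge_fields(fields: List[Field], samples: Sequence[bytes]) -> List[Field]:
    """Merge adjacent fields with the same (or related) rule, repeating until nothing changes."""
    while True:
        merged: List[Field] = []
        for f in fields:
            if merged:
                prev = merged[-1]
                rule = prev.rule if prev.rule == f.rule else MERGE_RELATED.get((prev.rule, f.rule))
                if rule:
                    merged[-1] = Field(prev.offset, prev.width + f.width, rule)
                    continue
            merged.append(f)
        if len(merged) == len(fields):
            break
        fields = merged
    for f in fields:                 # re-read each (possibly merged) field big-endian from every sample
        f.values = [int.from_bytes(s[f.offset:f.offset + f.width], "big") for s in samples]
    return fields


def segment_and_classify(samples: Sequence[bytes], header_len: int, **thresholds) -> List[Field]:
    """Steps S100/S110: one field per byte of the fixed-layout header, classified, then merged."""
    lengths = [len(s) for s in samples]
    fields = []
    for off in range(header_len):
        vals = [s[off] for s in samples]
        fields.append(Field(off, 1, infer_change_rule(vals, lengths, **thresholds), vals))
    return merge_fields(fields, samples)


def _frame(cmd: int, seq: int, status: int, payload: bytes) -> bytes:
    # constructed toy layout (not a real protocol): [proto][ver][cmd][seq:2][len:2][status][payload]
    return (bytes([0x7A, 0x01, cmd]) + seq.to_bytes(2, "big")
            + len(payload).to_bytes(2, "big") + bytes([status]) + payload)


# constructed capture of six messages in time order
SAMPLES = [
    _frame(0x01, 1, 98, b"\xaa" * 2),
    _frame(0x03, 2, 101, b"\xaa" * 4),
    _frame(0x10, 3, 100, b"\xaa" * 6),
    _frame(0x2B, 4, 99, b"\xaa" * 3),
    _frame(0x01, 5, 102, b"\xaa" * 5),
    _frame(0x03, 6, 100, b"\xaa" * 4),
]

if __name__ == "__main__":
    for f in segment_and_classify(SAMPLES, 8):
        print(f"offset {f.offset} width {f.width}: {f.rule:12s} values={f.values}")
```

Because the checks run in the page's order, a field whose few distinct values also lie within the fluctuation range is reported as fluctuation rather than finite; the two thresholds decide that trade-off and should be tuned per protocol on captured traffic. In the constructed capture the high and low bytes of the sequence number come out as constant then incremental and are merged into one two-byte incremental field, exactly the case the page describes.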
Step S120, mutating the field values contained in each component field according to the numerical change rule corresponding to that field, to obtain the mutated component fields;
It should be noted that, in the embodiment of the present invention, the process of mutating the field values contained in each component field according to its corresponding numerical change rule to obtain the mutated component fields specifically includes:
when the numerical change rule of the field values contained in one of the component fields is the incremental change rule, using the equivalence class and boundary value method to mutate the field values into 0, the maximum value among the field's values, and half of the maximum value among the field sample values, to obtain the mutated component field, where the field sample values are a group of sample values selected from the field values contained in the component field according to a preset rule;
when the numerical change rule of the field values contained in one of the component fields is the association change rule, mutating the field values according to the maximum Ethernet message length of 1514 to obtain the mutated component field;
when the numerical change rule of the field values contained in one of the component fields is the fluctuation change rule, mutating the field values to 0 to obtain the mutated component field;
when the numerical change rule of the field values contained in one of the component fields is the finite value change rule, determining the maximum value among the sample values, fully traversing the values from the sample maximum up to the maximum value of the field's range, mutating the field values into sampled values from the negative of the sample maximum up to 0, and using the values from 0 up to the sample maximum as the conditions of the orthogonal tests in which other fields are mutated, to obtain the mutated component field, where the sample values are a group of sample values selected from the field values contained in the component field according to a preset rule;
when the numerical change rule of the field values contained in one of the component fields is the irregular change rule, mutating the field values into randomly selected mutation values to obtain the mutated component field.
It should be noted that, after the numerical change rule of the field values contained in a component field is determined to be the constant value change rule, no mutation is performed on that field's values.
Optionally, in the embodiment of the present invention, before mutating the field values contained in each component field according to its corresponding numerical change rule to obtain the mutated component fields, the method further includes:
determining the type of each component field according to its numerical change rule, length and value range characteristics, the type of each component field including at least one of: protocol number, version, command, message length, session handle, sequence number, status word, number of entries, entry address, entry length, entry data, and check code;
and the process of mutating the field values contained in each component field according to its corresponding numerical change rule then includes:
mutating the field values contained in each component field according to both the numerical change rule and the type of that component field.
Specifically, different types of composition fields also have different numerical value change rules, specifically:
the field types conforming to the constant value change rule comprise a protocol number, a version, a session handle and an entry address;
the field types conforming to the finite value change rule comprise commands and status words;
the field types conforming to the increasing change rule comprise sequence numbers;
the field type conforming to the fluctuation change rule comprises entry data;
the field types conforming to the irregular change comprise check codes;
the field types conforming to the association change rule comprise message length, item number and item length.
Step S130: combining the mutated component fields according to the format of the industrial communication protocol message to obtain a mutation test message.
In the embodiment of the invention, mutation is carried out for each field of the determined type, and the mutation test message is constructed according to the format of the industrial communication protocol message and the field types contained in that message type; a message sequence is then built from the constructed mutation test messages according to the message interaction sequence of the industrial communication protocol.
Step S140: exchanging the mutation test message with the controller and performing safety detection on the controller.
In the embodiment of the present invention, the mutation test message is exchanged with the controller while the running state of the controller is monitored; if the state is abnormal, a suspected vulnerability has been found. Specifically: a communication connection is established with the controller, and communication is carried out according to the procedure specified by the industrial communication protocol; for each message required in the interaction procedure, the corresponding constructed mutation message is taken and sent to the controller; if the controller does not respond normally to the received mutation message and the messages that follow it, the controller state is judged abnormal and the mutation message is recorded as a suspected vulnerability trigger condition for that controller; a controller in an abnormal state must be reset before subsequent mutation interaction can continue.
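The per-rule mutation of step S120 and the reassembly of step S130 described above, as an added example (not code from the patent or its applicant). The rules are taken from the description; the encoding choices are this example's assumptions: fields are big-endian unsigned integers at fixed byte offsets, the 1514-byte value is clamped to the field's range when it does not fit, and the negative part of the finite-value rule is written in two's-complement wrap. The template message and the `FieldSpec`, `MutationPlan`, `mutation_plan`, `apply_mutation` and `build_test_messages` names are constructed for the example.

```python
"""Mutation of component fields by value change rule (S120) and reassembly (S130)."""
import random
from dataclasses import dataclass

CONSTANT, INCREASING, ASSOCIATION, FLUCTUATION, FINITE, IRREGULAR = (
    "constant", "increasing", "association", "fluctuation", "finite", "irregular")
ETHERNET_MAX_FRAME = 1514  # maximum Ethernet message length named in the description


@dataclass(frozen=True)
class FieldSpec:
    name: str
    offset: int   # byte offset from the start of the message
    length: int   # width in bytes; value encoded big-endian unsigned (assumption)

    @property
    def max_value(self):
        return (1 << (8 * self.length)) - 1


@dataclass
class MutationPlan:
    values: list       # mutation values to try for this field
    orthogonal: list   # values reserved as conditions for the other fields' orthogonal test


def mutation_plan(rule, spec, sample, rng=None, random_count=8):
    """Return the mutation values for one field, following the per-rule description.

    sample: the group of sample values picked from the captured field values
    (the 'preset rule' for choosing them is left to the caller).
    """
    rng = rng or random.Random(0)      # seeded so the 'irregular' rule is reproducible
    fmax = spec.max_value
    if rule == CONSTANT:               # constant fields are never mutated
        return MutationPlan([], [])
    smax = max(sample)
    if rule == INCREASING:             # equivalence class + boundary values: 0, field max, half of sample max
        return MutationPlan([0, fmax, smax // 2], [])
    if rule == ASSOCIATION:            # derived from the 1514-byte Ethernet maximum (clamped: assumption)
        return MutationPlan([min(ETHERNET_MAX_FRAME, fmax)], [])
    if rule == FLUCTUATION:
        return MutationPlan([0], [])
    if rule == FINITE:
        upper = list(range(smax, fmax + 1))                            # full traversal smax..field max
        negative = [(-v) % (fmax + 1) for v in range(smax, -1, -1)]    # -smax..0, wrapped (assumption)
        return MutationPlan(upper + negative, list(range(0, smax + 1)))
    if rule == IRREGULAR:              # random mutation values
        return MutationPlan([rng.randrange(fmax + 1) for _ in range(random_count)], [])
    raise ValueError(f"unknown rule {rule!r}")


def apply_mutation(template, spec, value):
    """S130: write `value` into one field of a captured template message; other bytes stay as captured."""
    if not 0 <= value <= spec.max_value:
        raise ValueError(f"{value} does not fit in {spec.length} byte(s)")
    start, end = spec.offset, spec.offset + spec.length
    if end > len(template):
        raise ValueError("field lies outside the template message")
    return template[:start] + value.to_bytes(spec.length, "big") + template[end:]


def build_test_messages(template, spec, plan):
    """Assemble one mutation test message per mutation value of the plan."""
    return [apply_mutation(template, spec, v) for v in plan.values]


# Constructed template of a hypothetical request format (not a real protocol):
# proto(1) | ver(1) | cmd(1) | len(2) | seq(2) | data(3) | chk(1)   -> 11 bytes, len = 0x000b
TEMPLATE = bytes.fromhex("7e01 03 000b 0010 aabbcc 5d")
COMMAND = FieldSpec("command", 2, 1)
LENGTH = FieldSpec("length", 3, 2)
SEQUENCE = FieldSpec("sequence", 5, 2)
```

The plan for a finite-value field is the large one: exhaustive traversal from the sample maximum to the field maximum plus the wrapped negative band, while the values from 0 to the sample maximum are handed back separately as the conditions for the other fields' orthogonal test rather than being sent on their own.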
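The interaction and monitoring loop of step S140, as an added example that is not part of the patent: the protocol's message sequence is replayed with one message replaced by its mutation, a missing or abnormal reply to the mutated message or to any message after it is recorded together with the mutated message as the suspected trigger condition, and the controller is reset before the next run. The controller here is a constructed in-memory stand-in whose behaviour (it stops answering once it sees a declared length larger than the frame) is invented so the harness runs offline; it describes no real device. The `frame`, `SimulatedController`, `Finding`, `run_sequence` and `detect` names are this example's own.

```python
"""S140 harness: replay the exchange, watch replies, record triggers, reset on anomaly."""
from dataclasses import dataclass

ACK = b"\x06"   # constructed 'normal response' of the stand-in controller


def frame(cmd, seq, data):
    """Constructed request format (not a real protocol): proto(1) ver(1) cmd(1) len(2) seq(2) data chk(1)."""
    body = bytes([0x7e, 0x01, cmd]) + (8 + len(data)).to_bytes(2, "big") + seq.to_bytes(2, "big") + data
    chk = 0
    for b in body:
        chk ^= b
    return body + bytes([chk])


class SimulatedController:
    """Answers ACK to well-formed requests; stops answering altogether once it receives a
    message whose declared length (bytes 3..4) exceeds the frame, until reset() is called.
    This behaviour is constructed for the demo only."""

    def __init__(self):
        self.hung = False

    def exchange(self, msg):
        if self.hung:
            return None
        if int.from_bytes(msg[3:5], "big") > len(msg):
            self.hung = True
            return None
        return ACK

    def reset(self):
        self.hung = False


@dataclass
class Finding:
    step: int          # position in the interaction sequence where the anomaly was observed
    trigger: bytes     # the mutation message recorded as suspected trigger condition


def run_sequence(controller, sequence, mutated_index, mutated_msg):
    """Send the interaction sequence with message `mutated_index` replaced by its mutation.
    Returns (finding or None, reset_needed)."""
    for i, msg in enumerate(sequence):
        reply = controller.exchange(mutated_msg if i == mutated_index else msg)
        if reply != ACK:
            # no normal response to the mutated message, or to a message that follows it
            return Finding(i, mutated_msg), True
    return None, False


def detect(controller, sequence, mutations):
    """mutations: list of (index, mutated bytes). The controller is reset after each abnormal run,
    so one run's anomaly cannot be blamed on the next run's mutation."""
    findings = []
    for idx, m in mutations:
        finding, reset_needed = run_sequence(controller, sequence, idx, m)
        if finding:
            findings.append(finding)
        if reset_needed:
            controller.reset()
    return findings
```

The reset between runs is what keeps the recorded trigger meaningful: without it, every mutation after the first abnormal one would be logged as a trigger too, because the stand-in (like a real controller that has stopped responding) never answers again until it is restarted.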
Optionally, fig. 5 is a flowchart of a method for determining the value change rule of the field values contained in at least one component field of the industrial communication protocol message; with reference to fig. 5, the method may include:
step S200, extracting the field values contained in at least one component field of the industrial communication protocol message;
step S210, judging the change rule of the field values;
step S220, if any two field values contained in a component field are equal, determining that the value change rule of the field values contained in that component field is the constant value change rule;
step S230, if any two adjacent field values contained in a component field, taken in time order, increase by a constant difference (an arithmetic progression), determining that the value change rule of the field values contained in that component field is the increasing change rule;
step S240, if, for any field value contained in a component field, the length of the industrial communication protocol message to which it belongs is in a linear relation with that field value, determining that the value change rule of the field values contained in that component field is the association change rule;
step S250, if the difference between any two field values contained in a component field is within a preset range, determining that the value change rule of the field values contained in that component field is the fluctuation change rule;
step S260, if all field values contained in a component field take only a finite number of distinct values, determining that the value change rule of the field values contained in that component field is the finite value change rule;
step S270, if all field values contained in a component field fall anywhere within the maximum range allowed by the field's byte length, determining that the value change rule of the field values contained in that component field is the irregular change rule.
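The decision procedure of steps S200 to S270, run over a small constructed capture, as an added example (not code from the patent or its applicant). Assumptions: fields are big-endian unsigned integers at fixed byte offsets (a negative offset counts from the end of the message, for a trailing check code); the six rules are tested in the order S220 to S270 with the first match winning; the "preset range" of S250 and the number of distinct values still counted as "finite" in S260 are parameters, since the description does not fix them. The hypothetical message format, the sample values and the `FieldSpec`, `classify`, `classify_message` and `build_sample_messages` names are constructed for the example.

```python
"""Classifying the value change rule of each component field (steps S200 to S270)."""
from dataclasses import dataclass
from fractions import Fraction

CONSTANT, INCREASING, ASSOCIATION, FLUCTUATION, FINITE, IRREGULAR = (
    "constant", "increasing", "association", "fluctuation", "finite", "irregular")


@dataclass(frozen=True)
class FieldSpec:
    name: str
    offset: int   # byte offset; negative means from the end (e.g. a trailing check code)
    length: int   # width in bytes


def extract_field_values(messages, spec):
    """S200: read one component field out of every captured message."""
    out = []
    for m in messages:
        start = spec.offset if spec.offset >= 0 else len(m) + spec.offset
        out.append(int.from_bytes(m[start:start + spec.length], "big"))
    return out


def is_linear(values, lengths):
    """S240: message length is an exact, non-constant linear function of the field value."""
    points = sorted(set(zip(values, lengths)))
    if len(points) < 2:
        return False
    (v0, l0), (v1, l1) = points[0], points[1]
    if v0 == v1:                      # same value seen with two lengths: not a function of the value
        return False
    a = Fraction(l1 - l0, v1 - v0)
    b = l0 - a * v0
    return a != 0 and all(a * v + b == l for v, l in points)


def classify(values, lengths, fluctuation_range=8, finite_limit=4):
    """S220..S270: decide the value change rule of one field from its observed values."""
    if len(set(values)) == 1:                                   # S220: all values equal
        return CONSTANT
    diffs = [b - a for a, b in zip(values, values[1:])]
    if diffs and diffs[0] > 0 and len(set(diffs)) == 1:        # S230: arithmetic progression in time order
        return INCREASING
    if is_linear(values, lengths):                              # S240: tied to the message length
        return ASSOCIATION
    if max(values) - min(values) <= fluctuation_range:          # S250: every pairwise difference in range
        return FLUCTUATION
    if len(set(values)) <= finite_limit:                        # S260: a small finite set of values
        return FINITE
    return IRREGULAR                                            # S270: anywhere in the field's byte range


def classify_message(messages, fields):
    """Rule per named field for one message type."""
    lengths = [len(m) for m in messages]
    return {f.name: classify(extract_field_values(messages, f), lengths) for f in fields}


def build_sample_messages():
    """Constructed capture of a hypothetical request format (not a real protocol):
    proto(1) | ver(1) | cmd(1) | len(2) | seq(2) | data(n) | chk(1)."""
    cmds = [0x01, 0x03, 0x10, 0x2b, 0x01, 0x10, 0x03, 0x2b]    # four distinct commands
    data0 = [100, 102, 99, 101, 103, 100, 98, 102]            # first data byte drifts in a narrow band
    dlens = [3, 1, 4, 1, 5, 2, 6, 2]                          # payload lengths, so len varies non-monotonically
    chks = [0x3a, 0xc4, 0x17, 0x9e, 0x55, 0xe2, 0x0b, 0x71]   # stand-in values for a check code
    msgs = []
    for i in range(8):
        data = bytes([data0[i]]) + bytes(dlens[i] - 1)
        total = 8 + len(data)
        msgs.append(bytes([0x7e, 0x01, cmds[i]]) + total.to_bytes(2, "big")
                    + (0x10 + i).to_bytes(2, "big") + data + bytes([chks[i]]))
    return msgs


FIELDS = [FieldSpec("protocol", 0, 1), FieldSpec("version", 1, 1), FieldSpec("command", 2, 1),
          FieldSpec("length", 3, 2), FieldSpec("sequence", 5, 2), FieldSpec("data", 7, 1),
          FieldSpec("checksum", -1, 1)]
```

Because the rules are applied in the page's order, the two thresholds interact: a command field whose few values lie closer together than `fluctuation_range` would be classed as fluctuating rather than finite, so the preset range has to be chosen narrower than the spread of the enumerated fields in the capture.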
The safety detection device of the industrial control system according to the embodiments of the present invention is introduced below; the device described below and the method described above may be referred to in correspondence with each other. The device may be regarded as the functional module architecture required to implement the industrial control system safety detection method provided in the embodiment of the present invention.
Fig. 6 is a block diagram of a safety detection device for an industrial control system according to an embodiment of the present invention; the device is applied to the safety detection of a controller in the industrial control system, and with reference to fig. 6 it may include:
a segmenting module 100, configured to segment the industrial communication protocol message by bytes to obtain at least one component field of the message;
a value change rule determining module 110, configured to determine the value change rule of the field values contained in each of the at least one component field of the message;
a mutation module 120, configured to mutate the field values contained in each component field according to the value change rule corresponding to that field, obtaining the mutated component fields;
a mutation test message obtaining module 130, configured to combine the mutated component fields according to the industrial communication protocol message format to obtain a mutation test message;
and a safety detection module 140, configured to exchange the mutation test message with the controller and perform safety detection on the controller.
The value change rule determining module comprises:
a field value extraction module, used to extract the field values contained in at least one component field of the industrial communication protocol message;
a change rule judging module, used to judge the change rule of the field values;
a constant value change rule determining module, configured to determine that the value change rule of the field values contained in a component field is the constant value change rule if any two field values contained in that component field are equal;
an increasing change rule determining module, used to determine that the value change rule of the field values contained in a component field is the increasing change rule if any two adjacent field values contained in that component field, taken in time order, increase by a constant difference;
an association change rule determining module, used to determine that the value change rule of the field values contained in a component field is the association change rule if, for any field value contained in that component field, the length of the industrial communication protocol message to which it belongs is in a linear relation with the field value;
a fluctuation change rule determining module, used to determine that the value change rule of the field values contained in a component field is the fluctuation change rule if the difference between any two field values contained in that component field is within a preset range;
a finite value change rule determining module, configured to determine that the value change rule of the field values contained in a component field is the finite value change rule if all field values contained in that component field take only a finite number of distinct values;
and an irregular change rule determining module, used to determine that the value change rule of the field values contained in a component field is the irregular change rule if all field values contained in that component field fall anywhere within the maximum range allowed by the field's byte length.
The mutation module comprises:
a first mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the increasing change rule, apply the equivalence class and boundary value method to mutate the field value contained in that component field into 0, the maximum of the field's values, and half of the maximum of the field sample values, yielding the mutated component field, where the field sample values are a group of values selected from the field values contained in the component field according to a preset rule;
a second mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the association change rule, mutate the field value contained in that component field according to the maximum Ethernet message length of 1514 bytes, yielding the mutated component field;
a third mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the fluctuation change rule, mutate the field value contained in that component field to 0, yielding the mutated component field;
a fourth mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the finite value change rule, determine the maximum of the sample values, traverse exhaustively the values from that sample maximum up to the maximum of the field, mutate the field value contained in the component field into sample values in the range from the negation of the sample maximum to 0, and use the values from 0 to the sample maximum as the conditions of the orthogonal test for mutating the other fields, yielding the mutated component field, where the sample values are a group of values selected from the field values contained in the component field according to a preset rule;
a fifth mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the irregular change rule, mutate the field value contained in that component field by selecting the mutation value at random, yielding the mutated component field.
The device further comprises:
a component field type determining module, configured to determine the type of each component field according to the value change rule, length and value range characteristics corresponding to that field, where the type of each component field is at least one of: protocol number, version, command, message length, session handle, sequence number, status word, number of entries, entry address, entry length, entry data, and check code;
the mutation module is then specifically configured to:
mutate the field values contained in each component field according to both the value change rule and the type corresponding to that component field, obtaining the mutated component fields.
In summary:
The embodiment of the invention discloses a safety detection method and device for an industrial control system, applied to the safety detection of a controller in the industrial control system, comprising: segmenting the industrial communication protocol message by bytes to obtain at least one component field of the message; determining the value change rule of the field values contained in the at least one component field; mutating the field values contained in each component field according to the value change rule corresponding to that field to obtain the mutated component fields; combining the mutated component fields according to the industrial communication protocol message format to obtain a mutation test message; and exchanging the mutation test message with the controller to perform safety detection on the controller. The invention converts the industrial communication protocol message into a mutation test message and uses that message in communication with the controller in order to carry out safety detection on the controller.
The embodiments in this description are described progressively; each embodiment focuses on its differences from the others, and the parts they share may be referred to across embodiments. Since the device disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is brief, and the relevant points can be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. A safety detection method for an industrial control system, applied to the safety detection of a controller in the industrial control system, the method comprising:
segmenting an industrial communication protocol message by bytes to obtain at least one component field of the industrial communication protocol message;
determining the value change rule of the field values contained in the at least one component field of the industrial communication protocol message;
determining the type of each component field according to the value change rule, length and value range characteristics corresponding to that field, where the type of each component field is at least one of: protocol number, version, command, message length, session handle, sequence number, status word, number of entries, entry address, entry length, entry data, and check code;
mutating the field values contained in each component field according to the value change rule and the type corresponding to that component field to obtain the mutated component fields;
combining the mutated component fields according to the industrial communication protocol message format to obtain a mutation test message;
and exchanging the mutation test message with the controller and performing safety detection on the controller.
2. The method according to claim 1, wherein determining the value change rule of the field values contained in each of the at least one component field of the industrial communication protocol message comprises:
extracting the field values contained in the at least one component field of the industrial communication protocol message;
judging the change rule of the field values;
if any two field values contained in a component field are equal, determining that the value change rule of the field values contained in that component field is the constant value change rule;
if any two adjacent field values contained in a component field, taken in time order, increase by a constant difference, determining that the value change rule of the field values contained in that component field is the increasing change rule;
if, for any field value contained in a component field, the length of the industrial communication protocol message to which it belongs is in a linear relation with that field value, determining that the value change rule of the field values contained in that component field is the association change rule;
if the difference between any two field values contained in a component field is within a preset range, determining that the value change rule of the field values contained in that component field is the fluctuation change rule;
if all field values contained in a component field take only a finite number of distinct values, determining that the value change rule of the field values contained in that component field is the finite value change rule;
if all field values contained in a component field fall anywhere within the maximum range allowed by the field's byte length, determining that the value change rule of the field values contained in that component field is the irregular change rule.
3. The method according to claim 1 or 2, further comprising, after determining that the value change rule of the field values contained in a component field is the constant value change rule:
performing no mutation on the field values contained in that component field.
4. The method according to claim 1 or 2, wherein mutating the field values contained in each component field according to the value change rule corresponding to each component field to obtain the mutated component fields comprises:
when the value change rule of the field values contained in one of the component fields is the increasing change rule, applying the equivalence class and boundary value method to mutate the field value contained in that component field into 0, the maximum of the field's values, and half of the maximum of the field sample values, yielding the mutated component field, where the field sample values are a group of values selected from the field values contained in the component field according to a preset rule;
when the value change rule of the field values contained in one of the component fields is the association change rule, mutating the field value contained in that component field according to the maximum Ethernet message length of 1514 bytes, yielding the mutated component field;
when the value change rule of the field values contained in one of the component fields is the fluctuation change rule, mutating the field value contained in that component field to 0, yielding the mutated component field;
when the value change rule of the field values contained in one of the component fields is the finite value change rule, determining the maximum of the sample values, traversing exhaustively the values from that sample maximum up to the maximum of the field's range, mutating the field value contained in the component field into sample values in the range from the negation of the sample maximum to 0, and using the values from 0 to the sample maximum as the conditions of the orthogonal test for mutating the other fields, yielding the mutated component field, where the sample values are a group of values selected from the field values contained in the component field according to a preset rule;
when the value change rule of the field values contained in one of the component fields is the irregular change rule, mutating the field value contained in that component field by selecting the mutation value at random, yielding the mutated component field.
5. A safety detection device for an industrial control system, used to perform safety detection on a controller in the industrial control system, the device comprising:
a segmenting module, used to segment an industrial communication protocol message by bytes to obtain at least one component field of the industrial communication protocol message;
a value change rule determining module, configured to determine the value change rule of the field values contained in each of the at least one component field of the industrial communication protocol message;
a component field type determining module, configured to determine the type of each component field according to the value change rule, length and value range characteristics corresponding to that field, where the type of each component field is at least one of: protocol number, version, command, message length, session handle, sequence number, status word, number of entries, entry address, entry length, entry data, and check code;
a mutation module, used to mutate the field values contained in each component field according to the value change rule and the type corresponding to that component field to obtain the mutated component fields;
a mutation test message obtaining module, used to combine the mutated component fields according to the industrial communication protocol message format to obtain a mutation test message;
and a safety detection module, used to exchange the mutation test message with the controller and perform safety detection on the controller.
6. The device of claim 5, wherein the value change rule determining module comprises:
a field value extraction module, used to extract the field values contained in at least one component field of the industrial communication protocol message;
a change rule judging module, used to judge the change rule of the field values;
a constant value change rule determining module, configured to determine that the value change rule of the field values contained in a component field is the constant value change rule if any two field values contained in that component field are equal;
an increasing change rule determining module, used to determine that the value change rule of the field values contained in a component field is the increasing change rule if any two adjacent field values contained in that component field, taken in time order, increase by a constant difference;
an association change rule determining module, used to determine that the value change rule of the field values contained in a component field is the association change rule if, for any field value contained in that component field, the length of the industrial communication protocol message to which it belongs is in a linear relation with the field value;
a fluctuation change rule determining module, used to determine that the value change rule of the field values contained in a component field is the fluctuation change rule if the difference between any two field values contained in that component field is within a preset range;
a finite value change rule determining module, configured to determine that the value change rule of the field values contained in a component field is the finite value change rule if all field values contained in that component field take only a finite number of distinct values;
and an irregular change rule determining module, used to determine that the value change rule of the field values contained in a component field is the irregular change rule if all field values contained in that component field fall anywhere within the maximum range allowed by the field's byte length.
7. The device of claim 5 or 6, wherein the mutation module comprises:
a first mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the increasing change rule, apply the equivalence class and boundary value method to mutate the field value contained in that component field into 0, the maximum of the field's values, and half of the maximum of the field sample values, yielding the mutated component field, where the field sample values are a group of values selected from the field values contained in the component field according to a preset rule;
a second mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the association change rule, mutate the field value contained in that component field according to the maximum Ethernet message length of 1514 bytes, yielding the mutated component field;
a third mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the fluctuation change rule, mutate the field value contained in that component field to 0, yielding the mutated component field;
a fourth mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the finite value change rule, determine the maximum of the sample values, traverse exhaustively the values from that sample maximum up to the maximum of the field, mutate the field value contained in the component field into sample values in the range from the negation of the sample maximum to 0, and use the values from 0 to the sample maximum as the conditions of the orthogonal test for mutating the other fields, yielding the mutated component field, where the sample values are a group of values selected from the field values contained in the component field according to a preset rule;
a fifth mutation sub-module, configured to, when the value change rule of the field values contained in one of the component fields is the irregular change rule, mutate the field value contained in that component field by selecting the mutation value at random, yielding the mutated component field.
CN201710667625.7A 2017-08-07 2017-08-07 Industrial control system safety detection method and device Active CN107404487B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710667625.7A CN107404487B (en) 2017-08-07 2017-08-07 Industrial control system safety detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710667625.7A CN107404487B (en) 2017-08-07 2017-08-07 Industrial control system safety detection method and device

Publications (2)

Publication Number Publication Date
CN107404487A CN107404487A (en) 2017-11-28
CN107404487B true CN107404487B (en) 2020-07-21

Family

ID=60402082

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710667625.7A Active CN107404487B (en) 2017-08-07 2017-08-07 Industrial control system safety detection method and device

Country Status (1)

Country Link
CN (1) CN107404487B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108062033B (en) * 2017-11-29 2021-04-30 杭州九略智能科技有限公司 Industrial protocol automatic simulation test system and method based on Linux system
CN109698831B (en) * 2018-12-28 2021-07-02 中电智能科技有限公司 Data protection method and device
CN110912927B (en) * 2019-12-09 2022-04-12 绿盟科技集团股份有限公司 Method and device for detecting control message in industrial control system
CN111404941B (en) * 2020-03-17 2022-08-09 广东九联科技股份有限公司 Network security protection method and network security protection device
CN111627171A (en) * 2020-04-28 2020-09-04 深圳壹账通智能科技有限公司 Test message conversion method, device, equipment and medium of ATMP system
CN112311755A (en) * 2020-06-11 2021-02-02 北京威努特技术有限公司 Industrial control protocol reverse analysis method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247294A (en) * 2008-03-14 2008-08-20 北京星网锐捷网络技术有限公司 Test data generating method and device
CN106131041A (en) * 2016-07-29 2016-11-16 北京匡恩网络科技有限责任公司 A kind of industry control network safety detection device and unknown leak detection method
CN106330601A (en) * 2016-08-19 2017-01-11 北京匡恩网络科技有限责任公司 Test case generating method and device
CN106888209A (en) * 2017-03-02 2017-06-23 中国科学院信息工程研究所 A kind of industry control bug excavation method based on protocol status figure extreme saturation

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9954903B2 (en) * 2015-11-04 2018-04-24 Monico Monitoring, Inc. Industrial network security translator


Also Published As

Publication number Publication date
CN107404487A (en) 2017-11-28

Similar Documents

Publication Publication Date Title
CN107404487B (en) Industrial control system safety detection method and device
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
CN111600880A (en) Method, system, storage medium and terminal for detecting abnormal access behavior
US20030115486A1 (en) Intrusion detection method using adaptive rule estimation in network-based intrusion detection system
CN110166462B (en) Access control method, system, electronic device and computer storage medium
JP6055548B2 (en) Apparatus, method, and network server for detecting data pattern in data stream
CN111191767B (en) Vectorization-based malicious traffic attack type judging method
CN113315742B (en) Attack behavior detection method and device and attack detection equipment
CN107332859B (en) Industrial control system risk identification method and device
CN113821793B (en) Multi-stage attack scene construction method and system based on graph convolution neural network
CN110769007B (en) Network security situation sensing method and device based on abnormal traffic detection
CN112565229B (en) Hidden channel detection method and device
CN115065623B (en) Active and passive combined reverse analysis method for private industrial control protocol
CN112437062A (en) ICMP tunnel detection method, device, storage medium and electronic equipment
CN111010387B (en) Illegal replacement detection method, device, equipment and medium for Internet of things equipment
CN112398843A (en) Detection method and device based on http smuggling attack
CN110162973A (en) Webshell file detection method and device
CN114070899B (en) Message detection method, device and readable storage medium
CN113497789B (en) Method, system and equipment for detecting violent cracking attack
CN113037748A (en) C and C channel hybrid detection method and system
CN113132316A (en) Web attack detection method and device, electronic equipment and storage medium
CN107995167B (en) Equipment identification method and server
CN108509796B (en) Method for detecting risk and server
CN113709097B (en) Network risk sensing method and defense method
CN108270746B (en) User access request processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20191206

Address after: 315000 No. 150 Yipu Road, Jishigang Town, Haishu District, Ningbo City, Zhejiang Province (Room 1-1-179)

Applicant after: Zhejiang Guoli NetAn Technology Co., Ltd.

Address before: 310053 10th floor, Building 1, No. 307 Liuhe Road, Binjiang District, Hangzhou, Zhejiang

Applicant before: Zhejiang Guoli Xin'an Technology Co. Ltd.

GR01 Patent grant