CN107566388B - Industrial control vulnerability detection method, device and system - Google Patents


Info

Publication number: CN107566388B
Authority: CN (China)
Prior art keywords: data, vulnerability, identification, module, asset
Legal status: Active (status as listed by Google; it is an assumption and not a legal conclusion)
Application number: CN201710839533.2A
Other languages: Chinese (zh)
Other versions: CN107566388A
Inventors: 高伟, 范渊, 黄进, 莫金友
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd (assignee list as given by Google, without legal analysis)
Original assignee: Hangzhou Dbappsecurity Technology Co Ltd
Events: application filed by Hangzhou Dbappsecurity Technology Co Ltd; priority to CN201710839533.2A; publication of CN107566388A; application granted; publication of CN107566388B; legal status active; anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of industrial control system safety, in particular to an industrial control vulnerability detection method, device and system. The industrial control vulnerability detection method includes the steps of performing transparent network sniffing in a bypass mirror image mode to obtain asset data, integrating the asset data to obtain integrated asset data, performing filtering processing on the integrated asset data to obtain effective data, packaging the effective data to obtain packaged data, performing data identification according to the packaged data to obtain discrimination data, performing vulnerability analysis on the discrimination data according to preset vulnerability information to obtain a vulnerability detection result, and generating a vulnerability detection report. The method has good real-time performance of industrial control vulnerability detection.

Description

Industrial control vulnerability detection method, device and system
Technical Field
The invention relates to the field of industrial control system safety, in particular to an industrial control vulnerability detection method, device and system.
Background
Against the background of Industry 4.0, the interconnection of everything has become the trend of the times, and industrial control systems carry the lifelines of the country, such as the industrial control systems of water, electricity, coal, transport, the nuclear industry and the like; once an industrial control system is attacked, the loss is severe and even national security is threatened. The Industrial Control System Safety Protection Guide published by the Ministry of Industry and Information Technology in October 2016 and the national Cybersecurity Law, formally in force since 1 June 2017, clearly stipulate that critical infrastructure must be examined. However, an Industrial Control System (ICS) differs from a traditional information system (ICT): an industrial control system has extremely high requirements on real-time performance and stability.
The prior art cannot meet the information security requirements of an industrial control system: the vulnerability identification methods of the prior art involve complex procedures and low efficiency, so their real-time performance is poor and they cannot satisfy the requirements of an industrial control system.
Disclosure of Invention
The invention aims to provide an industrial control vulnerability detection method, device and system, which aim to solve the existing problems.
The invention provides a technical scheme that:
the embodiment of the invention provides an industrial control vulnerability detection method, which comprises the following steps:
transparent network sniffing is carried out in a bypass mirror image mode to obtain asset data;
integrating the asset data to obtain integrated asset data;
filtering the integrated asset data to obtain effective data; packaging the effective data to obtain packaged data;
performing data identification according to the encapsulation data to obtain discrimination data;
and carrying out vulnerability analysis on the screening data according to preset vulnerability information to obtain a vulnerability detection result and generate a vulnerability detection report.
As a further step, integrating the asset data to obtain integrated asset data includes:
establishing a data model;
and inputting the asset data into the data model to obtain integrated asset data.
As a further step, the step of establishing a data model comprises:
a feature set data structure is established, the feature set data structure including data attributes.
As a further step, the step of filtering the integrated asset data to obtain valid data includes:
and identifying effective data in the integrated asset data according to the data attributes, and acquiring the effective data, wherein the effective data comprises a data identifier.
As a further step, the step of performing data identification according to the encapsulation data to obtain screening data includes:
extracting a data identifier in the effective data;
and classifying the effective data according to the data identification to obtain discrimination data.
As a further step, the step of performing vulnerability analysis on the screening data according to preset vulnerability information to obtain a vulnerability detection result and generate a detection vulnerability report includes:
acquiring preset vulnerability information, and extracting preset vulnerability identification from the vulnerability information;
comparing the screening data with the preset vulnerability identification, if the screening data is consistent with the preset vulnerability identification, judging that a vulnerability exists, and generating a detection vulnerability report; and if the screening data is inconsistent with the preset vulnerability identification, judging that no vulnerability exists, and generating a detection vulnerability report.
The invention also provides an industrial control vulnerability detection device, which comprises: the system comprises a data acquisition module, a data integration module, a data preprocessing module, a data discrimination module and a vulnerability analysis module;
the data acquisition module is used for performing transparent network sniffing in a bypass mirror image mode to obtain asset data and sending the asset data to the data integration module;
the data integration module is used for integrating the asset data to obtain integrated asset data and sending the integrated asset data to the data preprocessing module;
the data preprocessing module is used for filtering the integrated asset data to obtain effective data, packaging the effective data to obtain packaged data, and sending the packaged data to the data screening module;
the data screening module is used for carrying out data identification according to the packaging data to obtain screening data and sending the screening data to the vulnerability analysis module;
the vulnerability analysis module is used for carrying out vulnerability analysis on the screening data according to preset vulnerability information to obtain a vulnerability detection result and generate a detection vulnerability report.
Further, the data screening module comprises an extraction identification unit and a data classification unit;
the extraction identification unit is used for extracting a data identification in the effective data and sending the data identification to the data classification unit;
the data classification unit is used for classifying the effective data according to the data identification to obtain discrimination data.
Further, the vulnerability analysis module comprises a vulnerability extraction library unit and a vulnerability discrimination unit;
the vulnerability extraction library unit is used for acquiring preset vulnerability information, extracting preset vulnerability identification from the vulnerability information, and sending the preset vulnerability identification to the vulnerability screening unit;
the vulnerability discrimination unit is used for comparing the discrimination data with the preset vulnerability identification, if the discrimination data is consistent with the preset vulnerability identification, judging that a vulnerability exists, and generating a detection vulnerability report; and if the screening data is inconsistent with the preset vulnerability identification, judging that no vulnerability exists, and generating a detection vulnerability report.
The invention also provides an industrial control vulnerability detection system which is used for detecting whether the equipment to be detected has a vulnerability or not, wherein the vulnerability detection system comprises a switch, a vulnerability detector and the industrial control vulnerability detection device;
connecting the equipment to be tested with the vulnerability detector through the switch;
the industrial control vulnerability detection device is stored in the vulnerability detector and comprises one or more software function modules executed by the vulnerability detector, including:
the data acquisition module is used for performing transparent network sniffing in a bypass mirror image mode to obtain asset data and sending the asset data to the data integration module;
the data integration module is used for integrating the asset data to obtain integrated asset data and sending the integrated asset data to the data preprocessing module;
the data preprocessing module is used for filtering the integrated asset data to obtain effective data, packaging the effective data to obtain packaged data, and sending the packaged data to the data discrimination module;
the data discrimination module is used for carrying out data discrimination according to the packaging data to obtain discrimination data and sending the discrimination data to the vulnerability analysis module;
and the vulnerability analysis module is used for carrying out vulnerability analysis on the screening data according to preset vulnerability information to obtain a vulnerability detection result and generate a detection vulnerability report.
According to the industrial control vulnerability detection method, device and system provided by the embodiment of the invention, transparent network sniffing is carried out in a bypass mirror image mode to obtain asset data, the asset data is integrated to obtain integrated asset data, the integrated asset data is filtered to obtain effective data, the effective data is packaged to obtain packaged data, data identification is carried out according to the packaged data to obtain discrimination data, vulnerability analysis is carried out on the discrimination data according to preset vulnerability information to obtain vulnerability detection results, and a vulnerability detection report is generated. The method has good instantaneity for detecting the vulnerability.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 shows a schematic block structure diagram of an industrial control vulnerability detection system 100 provided in this embodiment.
Fig. 2 is a block diagram of the industrial control vulnerability detection apparatus 400 in fig. 1.
Fig. 3 is a schematic block diagram of the data screening module 440 in fig. 2.
Fig. 4 is a block diagram of the vulnerability analysis module 450 in fig. 2.
Fig. 5 shows a flowchart of an industrial control vulnerability detection method provided by an embodiment of the present invention.
Fig. 6 shows a flow chart of sub-steps of step S200 in fig. 5.
Fig. 7 shows a flow chart of sub-steps of step S500 in fig. 5.
Reference numerals: 100 - industrial control vulnerability detection system; 200 - switch; 300 - vulnerability detector; 400 - industrial control vulnerability detection device; 410 - data acquisition module; 420 - data integration module; 430 - data preprocessing module; 440 - data screening module; 441 - identification extraction unit; 442 - data classification unit; 450 - vulnerability analysis module; 451 - vulnerability library extraction unit; 452 - vulnerability screening unit; 500 - device under test; 600 - network.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the present invention, it is to be understood that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", and the like, indicate orientations or positional relationships that are based on the orientations or positional relationships shown in the drawings, or the orientations or positional relationships that the products of the present invention conventionally put into use, or the orientations or positional relationships that the persons skilled in the art conventionally understand, are only used for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the equipment or elements referred to must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention.
Furthermore, the terms "first," "second," "third," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should also be noted that, unless otherwise explicitly specified or limited, the terms "disposed," "mounted," "connected," and "connected" are to be construed broadly and may, for example, be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Referring to fig. 1, a block diagram of an industrial control vulnerability detection system 100 according to the present embodiment is shown. The industrial control vulnerability detection system 100 is used for detecting whether a vulnerability exists in the device under test 500. The device under test 500 may be of various kinds, for example an industrial control system, an industrial control device, and the like. The industrial control vulnerability detection system 100 comprises a switch 200, a vulnerability detector 300 and an industrial control vulnerability detection apparatus 400. The device under test 500 is connected with the vulnerability detector 300 through the switch 200. The device under test 500 may be connected to the vulnerability detector 300 in a variety of ways, such as via data transmission lines or via a network 600. The vulnerability detector 300 is used for detecting whether the device under test 500 has a vulnerability. There may be a plurality of devices under test 500 or only one; that is, the vulnerability detector 300 may detect vulnerabilities of a plurality of devices under test 500 or of only one device under test 500. The industrial control vulnerability detection apparatus 400 is stored in the vulnerability detector 300 and includes one or more software function modules executed by the vulnerability detector 300. In the embodiment of the present invention, the switch 200 acquires data of the device under test 500, for example network data or data stored in the device under test 500; the switch 200 sends the acquired information to the vulnerability detector 300, and the vulnerability detector 300 performs vulnerability analysis according to the received data to detect whether a vulnerability exists in the device under test 500.
Specifically, the data acquired from the device under test 500 through the switch 200 may take various forms, such as an information identifier, an information name, an information fingerprint, and so on. The switch 200 may be of many types, such as an Ethernet switch, a Fast Ethernet switch, a Gigabit Ethernet switch, an FDDI switch, an ATM switch, a token ring switch, an industrial switch, and the like. In the embodiment of the present invention, a medium with a mirroring function may be attached to the switch 200, and the medium and the switch 200 are kept in the same network segment.
In an embodiment of the present invention, the vulnerability detector 300 includes a memory, a processor, and a receiver connected to the memory and the processor for receiving external information and sending the received information to the memory and the processor. The memory is used for storing the one or more software function modules included in the industrial control vulnerability detection apparatus 400, and these function modules can be executed by the processor. The memory may be of various kinds, such as Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The processor may be an integrated circuit chip with signal processing capability. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), a voice processor, a video processor, and the like; it may also be a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
Referring to fig. 2, fig. 2 is a block diagram illustrating the industrial control vulnerability detection apparatus 400 in fig. 1. The industrial control vulnerability detection apparatus 400 includes a data acquisition module 410, a data integration module 420, a data preprocessing module 430, a data screening module 440 and a vulnerability analysis module 450. The data acquisition module 410 is connected with the data integration module 420, the data integration module 420 with the data preprocessing module 430, the data preprocessing module 430 with the data screening module 440, and the data screening module 440 with the vulnerability analysis module 450. The data acquisition module 410 is configured to perform transparent network sniffing in a bypass mirroring manner, obtain asset data, and send the asset data to the data integration module 420. In the embodiment of the invention, the asset data comprises fingerprints, attributes and the like of vulnerability information. In the embodiment of the present invention, the data acquisition module 410, when performing transparent network sniffing in a bypass mirroring manner, may be configured to sniff the data sent out through the network 600 based on the switch 200. The data integration module 420 is configured to integrate the asset data to obtain integrated asset data, and send the integrated asset data to the data preprocessing module 430. The data preprocessing module 430 is configured to filter the integrated asset data to obtain valid data, package the valid data to obtain packaged data, and send the packaged data to the data screening module 440. The data screening module 440 is configured to perform data identification according to the packaged data to obtain screening data, and send the screening data to the vulnerability analysis module 450.
The vulnerability analysis module 450 is configured to perform vulnerability analysis on the screening data according to preset vulnerability information to obtain a vulnerability detection result, and generate a detection vulnerability report.
In the embodiment of the present invention, the obtained vulnerability detection result includes whether a vulnerability is detected and the attribute of the vulnerability, that is, the vulnerability and which part has the vulnerability. Further, the generated vulnerability detection report also contains information such as whether a vulnerability is detected, the attribute of the vulnerability, and which part has the vulnerability.
In this embodiment of the present invention, the industrial control vulnerability detection apparatus 400 may further include a storage module, and the storage module is connected to the data acquisition module 410, the data integration module 420, the data preprocessing module 430, the data screening module 440, and the vulnerability analysis module 450, and is configured to store asset data, integrated asset data, valid data, package data, screening data, vulnerability detection result, and other data, so as to utilize and obtain these data again, thereby saving time for searching data twice and generating data.
In an embodiment of the present invention, the data collecting module 410 includes a network sniffer, and is configured to sniff data in the network and send the sniffed data to the data integrating module 420. Sniffing is a search process.
Referring to fig. 3, fig. 3 is a block diagram illustrating the data screening module 440 in fig. 2. In the embodiment of the present invention, the data screening module 440 includes an extraction identification unit 441 and a data classification unit 442. The extraction identification unit 441 is connected to the data classification unit 442, where the extraction identification unit 441 is configured to extract a data identifier from valid data and send the data identifier to the data classification unit 442, and the data classification unit 442 is configured to classify the valid data according to the data identifier to obtain screening data. In the embodiment of the present invention, the data identifier may be, but is not limited to, a data fingerprint, i.e., a data unique identifier.
Referring to fig. 4, fig. 4 is a block diagram illustrating the vulnerability analysis module 450 in fig. 2. The vulnerability analysis module 450 includes an extraction vulnerability library unit 451 and a vulnerability screening unit 452. The extraction vulnerability library unit 451 is connected to the vulnerability screening unit 452, and the extraction vulnerability library unit 451 is used for acquiring preset vulnerability information, extracting a preset vulnerability identification from the vulnerability information, and sending the preset vulnerability identification to the vulnerability screening unit 452. The vulnerability screening unit 452 is configured to compare the screening data with a preset vulnerability identifier, and if the screening data is consistent with the preset vulnerability identifier, it is determined that a vulnerability exists, and a detection vulnerability report is generated; if the screening data is inconsistent with the preset vulnerability identification, judging that no vulnerability exists, and generating a detection vulnerability report.
In the embodiment of the present invention, the generated detection vulnerability reports can be of various kinds, for example a vulnerability report, a non-vulnerability report, and a detailed vulnerability report. The vulnerability report shows only information about detected vulnerabilities, the non-vulnerability report shows only that no vulnerability was found, and the detailed vulnerability report shows whether a vulnerability was detected, the attributes of the vulnerability, and which part has the vulnerability.
Referring to fig. 5, fig. 5 is a flowchart illustrating an industrial control vulnerability detection method according to an embodiment of the present invention. The industrial control vulnerability detection method shown in fig. 5 is explained in detail below.
Step S100: and transparent network sniffing is carried out in a bypass mirror image mode to obtain asset data.
In the embodiment of the present invention, the network sniffer may be used to sniff data transmitted to the device under test 500 or data stored in the device under test 500. The asset data may be expressed in various ways; for example, the asset information is SIEMENS SIMATIC S7-300 V3.3.12 PLC, and this asset information includes manufacturer information, model information, type information and version information, where the manufacturer information is SIEMENS, the model information is SIMATIC S7-300, the type information is PLC, and the version number information is V3.3.12.
Step S200: and integrating the asset data to obtain integrated asset data.
Referring to fig. 6, fig. 6 is a flowchart illustrating sub-steps of step S200 in fig. 5. Further, step S200 includes step S210 and step S220. The method comprises the following specific steps:
step S210: and establishing a data model.
In the embodiment of the present invention, the step of establishing the data model includes: a feature set data structure is established, the feature set data structure including data attributes. Specifically, the data model is established from experience and comprises the feature set data structure, which includes information such as data attributes, data fingerprints, data memory footprint and data contents.
Step S220: and inputting the asset data into the data model to obtain integrated asset data. Specifically, the asset data collected by the network sniffer is input into a pre-established data model, and a characteristic data structure of the asset data collected by the network sniffer is obtained.
By adopting this scheme, the asset data collected by the network sniffer is integrated so that standard data features are obtained, the memory footprint of the data is reduced, and memory is saved.
Step S300: and filtering the integrated asset data to obtain effective data, and packaging the effective data to obtain packaged data.
As a further step, the step of filtering the integrated asset data to obtain valid data in step S300 includes: and identifying effective data in the integrated asset data according to the data attributes to obtain the effective data, wherein the effective data comprises a data identifier.
In the embodiment of the present invention, the packaged data can be expressed in various ways; for example, the valid data is packaged into a block for later calls, such as: central control DCS-ECS100 FW243X, PLC SIEMENS SIMATIC S7-300, and the like. The block "central control DCS-ECS100 FW243X" contains manufacturer name information (central control), device model information (DCS-ECS100) and version number information (FW243X). The block "PLC SIEMENS SIMATIC S7-300" contains type information (PLC), manufacturer information (SIEMENS) and model information (SIMATIC S7-300).
By adopting the scheme, the effective data in the integrated asset data is identified, the effective data is obtained, the effective data comprises the data identification, and only effective information is reserved, so that the data becomes light, the complexity is reduced for subsequent data processing and data identification, the processing time is saved, and the instantaneity of vulnerability detection can be improved.
Step S400: and performing data identification according to the encapsulation data to obtain discrimination data.
Further, the step of performing data identification according to the packaged data to obtain discrimination data in step S400 includes: (1) extracting the data identifier from the valid data; (2) classifying the valid data according to the data identifier to obtain discrimination data. In the embodiment of the present invention, the data identifier may be, but is not limited to, a data fingerprint, i.e. a unique characteristic identifier of the data. Data fingerprints in an industrial control system include the manufacturer, device model, software version, firmware version and similar data. When the valid data is classified according to the data identifier to obtain discrimination data, a machine learning method can be adopted to identify the data fingerprint. By using machine learning to identify data fingerprints, the output identification results can be used for supervised or unsupervised training, and a good identification result can be obtained.
In the embodiment of the present invention, the identified package data includes a manufacturer identifier, a device model identifier, a software version identifier, a firmware version identifier, and the like, and the identification output result, that is, the discrimination data, can take various forms; for example, the discrimination data is PLC SIEMENS SIMATIC S7-300 V3.3.12, where the screening data includes the type information PLC, the manufacturer information SIEMENS, the model information SIMATIC S7-300 and the version information V3.3.12.
Step S500: and carrying out vulnerability analysis on the screening data according to preset vulnerability information to obtain a vulnerability detection result and generate a vulnerability detection report.
Referring to fig. 7, fig. 7 is a flowchart illustrating the sub-steps of step S500 in fig. 5.
As a further step, step S500 comprises two sub-steps, step S501 and step S502.
Step S501: and acquiring preset vulnerability information, and extracting preset vulnerability identification from the vulnerability information.
In the embodiment of the invention, a vulnerability information base is collected and stored in advance, and the vulnerability information base comprises various vulnerability information. In step S501, the preset vulnerability information is obtained, that is, all the vulnerability information in the vulnerability information base is collected and stored in advance. The vulnerability information has various expression modes, for example, PLC SIEMENS SIMATIC S7300V3.3.12Siemens SIMATIC S7-300CPU refuses service vulnerability.
Step S502: comparing the screening data with preset vulnerability identification, if the screening data is consistent with the preset vulnerability identification, judging that a vulnerability exists, and generating a vulnerability detection report; if the screening data is inconsistent with the preset vulnerability identification, judging that no vulnerability exists, and generating a detection vulnerability report.
As an implementation mode, when the acquired discrimination data is PLC SIEMENS SIMATIC S7-300 V3.3.12 and PLC SIEMENS SIMATIC S7-300V 3.3.12 is successfully matched with PLC SIEMENS SIMATIC S7300V3.3.12Siemens SIMATIC S7-300CPU, the industrial control equipment is judged to have an industrial control vulnerability Siemens SIMATIC S7-300CPU, and the system rejects the service vulnerability.
By adopting the scheme, the discrimination data is compared with the preset vulnerability identification, so that the labor is identified, and the accuracy of vulnerability detection is improved.
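The S400 to S502 pipeline above, written out as an added example that is not the patent's own code: a discrimination string is split into its type, manufacturer, model and version fields, the preset vulnerability identification is extracted from each entry of a vulnerability information base, and the comparison normalises case, spacing and hyphens, which is what lets the description's "S7-300 V3.3.12" match the library's "S7300V3.3.12". The fingerprint layout, the `Fingerprint` class and the library entries are assumptions for the example, with the sample data constructed around the page's own example values.

```python
import re
from dataclasses import dataclass

# Assumed fingerprint layout: "<type> <manufacturer> <model> V<version>"; the version is the first
# "V<digits>" token after the manufacturer, and trailing text (a library entry's title) is kept.
_FP_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(.+?)\s*V\s*(\d+(?:\.\d+)*)(.*)$", re.IGNORECASE)

@dataclass(frozen=True)
class Fingerprint:
    dev_type: str
    manufacturer: str
    model: str
    version: str

    @staticmethod
    def parse(text):
        """Split a discrimination string or a library entry into fields plus trailing text."""
        m = _FP_RE.match(text)
        if m is None:
            raise ValueError("not a fingerprint: %r" % text)
        fields = (m.group(1).upper(), m.group(2).upper(), m.group(3).strip().upper(), m.group(4))
        return Fingerprint(*fields), m.group(5).strip()

    def key(self):
        # Case, spacing and hyphens are not significant: "S7-300 V3.3.12" equals "S7300V3.3.12".
        return (self.dev_type, self.manufacturer, re.sub(r"[^A-Z0-9.]", "", self.model), self.version)

# Constructed vulnerability information base (input of step S501); the entry is the page's own example.
VULN_INFO_BASE = [
    "PLC SIEMENS SIMATIC S7300V3.3.12 Siemens SIMATIC S7-300 CPU denial of service vulnerability",
]

# Constructed discrimination data (output of step S400): the page's example, its spacing variant, and a later version.
DISCRIMINATION_DATA = [
    "PLC SIEMENS SIMATIC S7-300 V3.3.12",
    "PLC SIEMENS SIMATIC S7-300V 3.3.12",
    "PLC SIEMENS SIMATIC S7-300 V3.3.13",
]

def load_vuln_identifications(entries):
    """Step S501: extract the preset vulnerability identification from each entry and index it."""
    index = {}
    for entry in entries:
        fp, title = Fingerprint.parse(entry)
        index.setdefault(fp.key(), []).append(title)
    return index

def analyse(discrimination_data, index):
    """Step S502: compare each datum with the preset identifications and build the report."""
    report = []
    for text in discrimination_data:
        fp, _ = Fingerprint.parse(text)
        titles = index.get(fp.key(), [])
        report.append({"device": text, "vulnerable": bool(titles), "vulnerabilities": titles})
    return report
```

The report lists every device, including those with no match, so the "no vulnerability" outcome of step S502 is recorded rather than silently dropped.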
In summary, the industrial control vulnerability detection method, device and system provided by the embodiments of the present invention obtain asset data by performing transparent network sniffing in a bypass mirror mode, integrate the asset data to obtain integrated asset data, filter the integrated asset data to obtain valid data, encapsulate the valid data to obtain encapsulated data, perform data identification according to the encapsulated data to obtain discrimination data, perform vulnerability analysis on the discrimination data according to preset vulnerability information to obtain a vulnerability detection result, and generate a vulnerability detection report. The method has low vulnerability detection complexity, good real-time performance, high vulnerability detection efficiency, high accuracy and good stability. Moreover, because the data is encapsulated, the memory occupied by the data is reduced and space is saved.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (5)

1. An industrial control vulnerability detection method, characterized by comprising the following steps:
performing transparent network sniffing in a bypass mirror mode to obtain asset data;
integrating the asset data to obtain integrated asset data;
filtering the integrated asset data to obtain valid data; encapsulating the valid data to obtain encapsulated data; wherein the step of filtering the integrated asset data to obtain valid data comprises:
identifying valid data in the integrated asset data according to data attributes and acquiring the valid data, wherein the valid data comprises a data identifier;
performing data identification according to the encapsulated data to obtain discrimination data; wherein the step of performing data identification according to the encapsulated data to obtain discrimination data comprises:
extracting the data identifier from the valid data;
classifying the valid data according to the data identifier to obtain discrimination data;
performing vulnerability analysis on the discrimination data according to preset vulnerability information to obtain a vulnerability detection result and generating a vulnerability detection report;
wherein the step of integrating the asset data to obtain integrated asset data comprises:
establishing a feature set data structure, wherein the feature set data structure comprises data attributes;
establishing a data model;
and inputting the asset data into the data model to obtain integrated asset data.
2. The industrial control vulnerability detection method according to claim 1, wherein the step of performing vulnerability analysis on the discrimination data according to preset vulnerability information to obtain a vulnerability detection result and generating a vulnerability detection report comprises:
acquiring preset vulnerability information and extracting a preset vulnerability identification from the vulnerability information;
comparing the discrimination data with the preset vulnerability identification; if the discrimination data is consistent with the preset vulnerability identification, judging that a vulnerability exists and generating a vulnerability detection report; and if the discrimination data is inconsistent with the preset vulnerability identification, judging that no vulnerability exists and generating a vulnerability detection report.
3. An industrial control vulnerability detection device, characterized by comprising: a data acquisition module, a data integration module, a data preprocessing module, a data discrimination module and a vulnerability analysis module;
the data acquisition module is used for performing transparent network sniffing in a bypass mirror mode to obtain asset data and sending the asset data to the data integration module;
the data integration module is used for integrating the asset data to obtain integrated asset data and sending the integrated asset data to the data preprocessing module;
the data preprocessing module is used for filtering the integrated asset data to obtain valid data, encapsulating the valid data to obtain encapsulated data, and sending the encapsulated data to the data discrimination module;
the data discrimination module is used for performing data identification according to the encapsulated data to obtain discrimination data and sending the discrimination data to the vulnerability analysis module;
the vulnerability analysis module is used for performing vulnerability analysis on the discrimination data according to preset vulnerability information to obtain a vulnerability detection result and generating a vulnerability detection report;
the data integration module is further used for establishing a data model and inputting the asset data into the data model to obtain integrated asset data;
the data discrimination module comprises an identifier extraction unit and a data classification unit;
the identifier extraction unit is used for extracting the data identifier from the valid data and sending the data identifier to the data classification unit;
and the data classification unit is used for classifying the valid data according to the data identifier to obtain discrimination data.
4. The industrial control vulnerability detection device according to claim 3, wherein the vulnerability analysis module comprises a vulnerability library extraction unit and a vulnerability discrimination unit;
the vulnerability library extraction unit is used for acquiring preset vulnerability information, extracting a preset vulnerability identification from the vulnerability information, and sending the preset vulnerability identification to the vulnerability discrimination unit;
and the vulnerability discrimination unit is used for comparing the discrimination data with the preset vulnerability identification; if the discrimination data is consistent with the preset vulnerability identification, judging that a vulnerability exists and generating a vulnerability detection report; and if the discrimination data is inconsistent with the preset vulnerability identification, judging that no vulnerability exists and generating a vulnerability detection report.
5. An industrial control vulnerability detection system for detecting whether a vulnerability exists in a device under test, characterized by comprising a switch, a vulnerability detector and an industrial control vulnerability detection device according to any one of claims 3 to 4;
the device under test is connected to the vulnerability detector through the switch;
the industrial control vulnerability detection device is stored in the vulnerability detector and comprises one or more software function modules executed by the vulnerability detector, including:
the data acquisition module, used for performing transparent network sniffing in a bypass mirror mode to obtain asset data and sending the asset data to the data integration module;
the data integration module, used for integrating the asset data to obtain integrated asset data and sending the integrated asset data to the data preprocessing module;
the data preprocessing module, used for filtering the integrated asset data to obtain valid data, encapsulating the valid data to obtain encapsulated data, and sending the encapsulated data to the data discrimination module;
the data discrimination module, used for performing data discrimination according to the encapsulated data to obtain discrimination data and sending the discrimination data to the vulnerability analysis module;
the vulnerability analysis module, used for performing vulnerability analysis on the discrimination data according to preset vulnerability information to obtain a vulnerability detection result and generating a vulnerability detection report;
wherein the data integration module is further used for establishing a data model and inputting the asset data into the data model to obtain integrated asset data;
the data discrimination module comprises an identifier extraction unit and a data classification unit;
the identifier extraction unit is used for extracting the data identifier from the valid data and sending the data identifier to the data classification unit;
and the data classification unit is used for classifying the valid data according to the data identifier to obtain discrimination data.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710839533.2A CN107566388B (en) 2017-09-18 2017-09-18 Industrial control vulnerability detection method, device and system

Publications (2)

Publication Number Publication Date
CN107566388A CN107566388A (en) 2018-01-09
CN107566388B true CN107566388B (en) 2020-09-04

Family

ID=60981501

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310000 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province

Applicant after: Hangzhou Anheng Information Technology Co.,Ltd.

Address before: 15th floor, Zhejiang Zhongcai Building, No. 68, Binjiang District, Hangzhou City, Zhejiang Province, 310051

Applicant before: DBAPPSECURITY Co.,Ltd.

GR01 Patent grant