CN111008380B - Method and device for detecting industrial control system bugs and electronic equipment - Google Patents


Info

Publication number: CN111008380B
Authority: CN (China)
Prior art keywords: vulnerability; industrial control; target; information; vulnerability information
Legal status: Active
Application number: CN201911169982.6A
Other languages: Chinese (zh)
Other versions: CN111008380A (en)
Inventors: 王宗三, 范渊, 李长彬
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN201911169982.6A
Publication of CN111008380A
Application granted
Publication of CN111008380B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention provides a method, a device and electronic equipment for detecting industrial control system vulnerabilities, relating to the technical field of network security. The method comprises: acquiring an IP network segment of the industrial control system to be detected; determining all open ports of each live IP in the IP network segment; determining vulnerability information of the industrial control equipment corresponding to all industrial control open ports based on a preset equipment identification script library and a preset vulnerability information library, and storing the vulnerability information in an initial vulnerability detection result; verifying all vulnerability information in the initial vulnerability detection result based on a preset vulnerability verification plug-in library, and screening out repaired vulnerability information from the initial vulnerability detection result to obtain the vulnerability detection result of the industrial control system to be detected. Because a vulnerability verification step is added before the vulnerability detection result is fed back and repaired vulnerability information is screened out, the reported vulnerability detection result is more accurate, which effectively solves the technical problem of the high vulnerability false alarm rate of prior-art industrial control system vulnerability detection methods.

Description

Method and device for detecting industrial control system bugs and electronic equipment
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting industrial control system bugs and electronic equipment.
Background
The arrival of Industry 4.0 has greatly improved production efficiency in the industrial control field, and more and more industrial control equipment is used in production. Once an industrial control system is attacked, heavy losses follow, so regularly scanning industrial control systems for vulnerabilities has become indispensable daily work. In the prior art, after obtaining information about industrial control equipment by scanning, an industrial control vulnerability scanning device directly looks up the vulnerability information for that equipment in a vulnerability library and displays it to the user; if some of those vulnerabilities have already been repaired, false vulnerability reports occur and user experience suffers.
In summary, the industrial control system vulnerability detection method in the prior art has the technical problem of high vulnerability false alarm rate.
Disclosure of Invention
The invention aims to provide a method, a device and electronic equipment for detecting industrial control system bugs, so as to solve the technical problem of high bug false alarm rate of the industrial control system bug detection method in the prior art.
In a first aspect, an embodiment provides a method for detecting industrial control system vulnerabilities, including: acquiring an IP network segment of the industrial control system to be detected; determining all open ports of each live IP in the IP network segment; determining vulnerability information of the industrial control equipment corresponding to all industrial control open ports based on a preset equipment identification script library and a preset vulnerability information library, and storing the vulnerability information in an initial vulnerability detection result; verifying all vulnerability information in the initial vulnerability detection result based on a preset vulnerability verification plug-in library, screening out repaired vulnerability information from the initial vulnerability detection result, and obtaining the vulnerability detection result of the industrial control system to be detected after screening.
In an optional embodiment, before determining vulnerability information of the industrial control devices corresponding to all industrial control open ports based on the preset device identification script library and the preset vulnerability information library, the method further includes: judging whether a target equipment identification script matched with a target open port exists in the preset equipment identification script library or not, wherein the target open port is any one of all the open ports; and if so, taking the target open port with the target equipment identification script as an industrial control open port.
In an optional embodiment, determining vulnerability information of the industrial control devices corresponding to all industrial control open ports based on a preset device identification script library and a preset vulnerability information library includes: scanning a target industrial control open port by using the equipment identification script matched with the target industrial control open port to obtain target equipment information, wherein the target industrial control open port is any one of all the industrial control open ports; judging whether vulnerability information matched with the target equipment information exists in the preset vulnerability information library; and if it exists, taking that vulnerability information as the vulnerability information of the industrial control equipment corresponding to the target industrial control open port.
In an optional implementation manner, verifying all vulnerability information in the vulnerability initial inspection result based on a preset vulnerability verification plug-in library, including: determining a target vulnerability verification plug-in matched with target vulnerability information in a preset vulnerability verification plug-in library, wherein the target vulnerability information is any one of all vulnerability information; and verifying whether the target vulnerability corresponding to the target vulnerability information is repaired or not by using the target vulnerability verification plug-in.
In an optional embodiment, the vulnerability detection result includes a repair scheme for each piece of vulnerability information.
In a second aspect, an embodiment provides an apparatus for detecting industrial control system vulnerabilities, including: a first determining module, used for acquiring an IP network segment of the industrial control system to be detected and determining all open ports of each live IP in the IP network segment; a second determining module, used for determining the vulnerability information of the industrial control equipment corresponding to all industrial control open ports based on the preset equipment identification script library and the preset vulnerability information library, and storing the vulnerability information in an initial vulnerability detection result; and a verification module, used for verifying all vulnerability information in the initial vulnerability detection result based on a preset vulnerability verification plug-in library, screening out repaired vulnerability information from the initial vulnerability detection result, and obtaining the vulnerability detection result of the industrial control system to be detected after screening.
In an alternative embodiment, the apparatus further comprises: the judging module is used for judging whether a target equipment identification script matched with a target open port exists in the preset equipment identification script library or not, wherein the target open port is any one of all the open ports; and if the target equipment identification script exists, the third determining module takes the target open port with the target equipment identification script as an industrial control open port.
In an alternative embodiment, the second determining module comprises: the scanning unit is used for scanning the target industrial control open port by using the equipment identification script matched with the target industrial control open port to obtain target equipment information, wherein the target industrial control open port is any one of all the industrial control open ports; the judging unit is used for judging whether vulnerability information matched with the target equipment information exists in the preset vulnerability information base or not; and if the vulnerability information exists, the first determining unit takes the vulnerability information as the vulnerability information of the industrial control equipment corresponding to the target industrial control open port.
In a third aspect, an embodiment provides an electronic device, including a memory and a processor, where the memory stores a computer program operable on the processor, and the processor implements the steps of the method described in any one of the foregoing embodiments when executing the computer program.
In a fourth aspect, embodiments provide a computer readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of any of the preceding embodiments.
In the prior art, after scanning the information of industrial control equipment, an industrial control vulnerability scanning device directly looks up the vulnerability information for that equipment in a vulnerability library and displays it to the user; if some of those vulnerabilities have already been repaired, false vulnerability reports occur and user experience suffers. By contrast, the method of the invention acquires the IP network segment of the industrial control system to be detected and determines all open ports of each live IP in the IP network segment, determines the vulnerability information of the industrial control equipment corresponding to all industrial control open ports based on a preset equipment identification script library and a preset vulnerability information library, stores the vulnerability information in an initial vulnerability detection result, and finally verifies all vulnerability information in the initial vulnerability detection result based on a preset vulnerability verification plug-in library, screens out repaired vulnerability information, and obtains the vulnerability detection result of the industrial control system to be detected after screening. Because a vulnerability verification step is added before the vulnerability detection result of the industrial control system to be detected is fed back and repaired vulnerability information is screened out, the reported vulnerability detection result is more accurate, which effectively solves the technical problem of the high vulnerability false alarm rate of prior-art industrial control system vulnerability detection methods.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a method for detecting industrial control system bugs according to an embodiment of the present invention;
Fig. 2 is a flowchart of an optional method for detecting industrial control system bugs according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating the determination of vulnerability information of industrial control devices corresponding to all industrial control open ports based on a preset device identification script library and a preset vulnerability information library according to an embodiment of the present invention;
Fig. 4 is a functional block diagram of an apparatus for detecting industrial control system bugs according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Reference numerals: 100 - first determination module; 200 - second determination module; 300 - verification module; 60 - processor; 61 - memory; 62 - bus; 63 - communication interface.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Some embodiments of the invention are described in detail below with reference to the accompanying drawings. The embodiments and features of the embodiments described below can be combined with each other without conflict.
To ensure the production safety of an industrial control system, vulnerability scanning of the system is indispensable daily work. In the prior art, after obtaining information about industrial control equipment by scanning, an industrial control vulnerability scanning device directly looks up the vulnerability information for that equipment in a vulnerability library and displays it to the user; if some of those vulnerabilities have already been repaired, false vulnerability reports occur and user experience suffers.
Example one
The embodiment of the invention provides a method for detecting industrial control system bugs, which specifically comprises the following steps as shown in fig. 1:
Step S12: acquiring an IP network segment of the industrial control system to be detected, and determining all open ports of each live IP in the IP network segment.
In the embodiment of the present invention, to scan the industrial control system to be detected for vulnerabilities, the IP (Internet Protocol) network segment of that system must first be obtained. The IP network segment covers the IP addresses of all devices in the industrial control system to be detected, and may contain one or more IP addresses.
Further, the IP network segment is scanned to determine all open ports of each live IP in it. In the embodiment of the present invention, open ports fall into two classes: industrial control open ports, that is, open ports used by industrial control devices, and non-industrial control open ports, that is, open ports used by other, non-industrial control devices. Different open ports correspond to different protocols; for example, port 502 corresponds to the Modbus protocol, port 1922 corresponds to the Fox protocol, and port 44818 corresponds to the ENIP (EtherNet/IP, industrial Ethernet) protocol.
In some embodiments, the open-source masscan tool may be invoked to scan the IP network segment to obtain all live IPs and all open ports of each live IP; nmap or netcat may also be used to detect which IPs are live and which ports are open. The scan results may be stored in ActiveMQ or another type of message queue for use in subsequent vulnerability detection.
Step S14: determining the vulnerability information of the industrial control equipment corresponding to all the industrial control open ports based on the preset equipment identification script library and the preset vulnerability information library, and storing the vulnerability information in the initial vulnerability detection result.
In the embodiment of the invention, a preset equipment identification script library and a preset vulnerability information library are provided. The preset equipment identification script library is a database that stores the equipment identification scripts of all industrial control open ports; each industrial control open port corresponds to one equipment identification script stored in the library. The preset vulnerability information library is a database that stores vulnerability information for a number of industrial control devices, and it can be queried with industrial control equipment information to find out whether that equipment has vulnerabilities. Therefore, once the open state of all ports of the industrial control system to be detected has been obtained, the vulnerability information of the industrial control equipment corresponding to all industrial control open ports can be determined based on the two libraries, and all the vulnerability information obtained is then stored in the initial vulnerability detection result. The vulnerability information includes: vulnerability type, CVE (Common Vulnerabilities & Exposures) number of the vulnerability, vulnerability risk level, etc.
When determining the vulnerability information of each industrial control open port, combinations of a live IP and an industrial control open port can be taken one by one from the message queue obtained in the previous step; for each, the corresponding equipment identification script is found in the preset equipment identification script library, and the subsequent steps are then executed in order.
Step S16: verifying all vulnerability information in the initial vulnerability detection result based on a preset vulnerability verification plug-in library, screening out repaired vulnerability information from the initial vulnerability detection result, and obtaining the vulnerability detection result of the industrial control system to be detected after screening.
Specifically, the embodiment of the invention further provides a preset vulnerability verification plug-in library, in which a number of vulnerability verification plug-ins are stored. The corresponding vulnerability verification plug-in can be determined in the library according to the vulnerability type of the industrial control open port. To avoid false vulnerability reports, after the initial vulnerability detection result is obtained, all vulnerability information in it is verified using the preset vulnerability verification plug-in library, repaired vulnerability information is screened out of the initial vulnerability detection result, and the vulnerability detection result of the industrial control system to be detected is thereby obtained.
In the prior art, after scanning the information of industrial control equipment, an industrial control vulnerability scanning device directly looks up the vulnerability information for that equipment in a vulnerability library and displays it to the user; if some of those vulnerabilities have already been repaired, false vulnerability reports occur and user experience suffers. By contrast, the method of the invention acquires the IP network segment of the industrial control system to be detected and determines all open ports of each live IP in the IP network segment, determines the vulnerability information of the industrial control equipment corresponding to all industrial control open ports based on a preset equipment identification script library and a preset vulnerability information library, stores the vulnerability information in an initial vulnerability detection result, and finally verifies all vulnerability information in the initial vulnerability detection result based on a preset vulnerability verification plug-in library, screens out repaired vulnerability information, and obtains the vulnerability detection result of the industrial control system to be detected after screening. Because a vulnerability verification step is added before the vulnerability detection result of the industrial control system to be detected is fed back and repaired vulnerability information is screened out, the reported vulnerability detection result is more accurate, which effectively solves the technical problem of the high vulnerability false alarm rate of prior-art industrial control system vulnerability detection methods.
The method for detecting industrial control system bugs has been briefly described above, and some steps involved therein are described in detail below.
In an optional embodiment, as shown in fig. 2, before determining vulnerability information of all industrial control devices corresponding to the industrial control open ports based on the preset device identification script library and the preset vulnerability information library in step S14, the method of the present invention further includes the following steps:
Step S131: judging whether a target equipment identification script matched with the target open port exists in the preset equipment identification script library.
Specifically, the open ports acquired for each live IP in the industrial control system to be detected include some non-industrial control open ports, while the preset equipment identification script library stores only the equipment identification scripts of industrial control equipment. Which open ports are industrial control open ports and which are not can therefore be determined by judging whether a target equipment identification script matched with the target open port exists in the preset equipment identification script library, where the target open port is any one of all the open ports.
If a matching target device identification script exists, step S132 is executed. If none exists, the target open port is not an industrial control open port. For example, the default port of an RTSP (Real Time Streaming Protocol) server is 554, so an open port with port number 554 is a non-industrial control open port; port number 848 indicates support for the GDOI (Group Domain of Interpretation) protocol and is likewise a non-industrial control open port.
Step S132: taking the target open port for which the target equipment identification script exists as an industrial control open port.
In an optional embodiment, as shown in fig. 3, in the step S14, determining vulnerability information of the industrial control devices corresponding to all industrial control open ports based on the preset device identification script library and the preset vulnerability information library specifically includes the following steps:
Step S141: scanning the target industrial control open port by using the equipment identification script matched with the target industrial control open port to obtain target equipment information.
As described above, a port for which a corresponding device identification script can be found in the preset device identification script library is an industrial control open port. After the corresponding device identification script has been matched to each target industrial control open port, the port can be scanned with that script to obtain the target device information, where the target industrial control open port is any one of all the industrial control open ports, and the target device information includes: device name (product), device version number (version), device vendor (vendor).
Step S142: determining whether vulnerability information matched with the target device information exists in the preset vulnerability information library.
If yes, step S143 is executed; if not, the industrial control device corresponding to the target device information has no vulnerability.
Step S143: using the vulnerability information as the vulnerability information of the industrial control equipment corresponding to the target industrial control open port.
After the target equipment information corresponding to the target industrial control open port is determined, the preset vulnerability information library can be queried with it. A failed match indicates that the industrial control equipment corresponding to the target equipment information has no vulnerability; otherwise, all matched vulnerability information is taken as the vulnerability information of the industrial control equipment corresponding to the target industrial control open port and can then be stored in the initial vulnerability detection result.
In an optional embodiment, in the step S16, verifying all vulnerability information in the vulnerability initial inspection result based on the preset vulnerability verification plug-in library specifically includes the following steps:
step S161, determining a target vulnerability verification plug-in matched with the target vulnerability information in a preset vulnerability verification plug-in library.
Specifically, a preset vulnerability verification plug-in library has been introduced, and the vulnerability type existing in the industrial control open port is identification information of each vulnerability verification plug-in, so that a target vulnerability verification plug-in matched with target vulnerability information can be determined in the preset vulnerability verification plug-in library, wherein the target vulnerability information is any one of all vulnerability information.
And step S162, verifying whether the target vulnerability corresponding to the target vulnerability information is repaired or not by using the target vulnerability verification plug-in.
After the target vulnerability verification plug-in is obtained, whether the target vulnerability corresponding to the target vulnerability information is repaired or not can be verified, and information about whether the target vulnerability really exists or not is fed back. In the embodiment of the invention, the vulnerability verification plug-in is a plug-in for simulating vulnerability attack, because the vulnerability is a known vulnerability and a scheme for simulating and restoring the vulnerability exists, the construction of the vulnerability verification plug-in is a process of scripting the process according to a known vulnerability restoration mode, different vulnerabilities have different verification processes, the vulnerability verification process is a process of communicating with the industrial control equipment corresponding to the industrial control open port, and a verification result is determined according to data fed back in the communication process.
After determining which bugs in the bug information have been repaired, screening out the repaired bugs from the initial bug detection result, and obtaining the bug detection result of the to-be-detected industrial control system after screening out.
In an optional embodiment, the vulnerability detection result includes: and a repairing scheme aiming at each piece of vulnerability information.
Specifically, in order to provide better user experience, when a vulnerability detection result is fed back, repair guidance information (repair scheme) of each piece of vulnerability information can be fed back together, and the repair scheme can be prestored in a preset vulnerability information base and stored in one-to-one correspondence with the vulnerability information.
In summary, the method for detecting industrial control system vulnerabilities provided by the embodiment of the invention adds a vulnerability verification step before the vulnerability detection result of the industrial control system to be detected is fed back. This helps the scan of the industrial control system to be detected report the vulnerabilities that really exist, and reduces the occurrence of missed scans and false alarms in existing industrial control scanning. The vulnerability detection result can also provide vulnerability repair guidance information, which assists in establishing a safer industrial control production environment and improves the user experience.
Example two
The embodiment of the invention also provides a device for detecting the industrial control system bugs, which is mainly used for executing the method for detecting the industrial control system bugs provided by the first embodiment of the invention, and the device for detecting the industrial control system bugs provided by the embodiment of the invention is specifically introduced below.
Fig. 4 is a functional block diagram of an apparatus for detecting industrial control system bugs according to an embodiment of the present invention, and as shown in fig. 4, the apparatus mainly includes: a first determination module 100, a second determination module 200, a verification module 300, wherein:
The first determining module 100 is configured to acquire an IP network segment of the industrial control system to be detected, and to determine all open ports of each surviving IP in the IP network segment.
The second determining module 200 is configured to determine vulnerability information of the industrial control devices corresponding to all industrial control open ports based on the preset device identification script library and the preset vulnerability information library, and to store the vulnerability information into a vulnerability initial inspection result.
The verification module 300 is configured to verify all vulnerability information in the vulnerability initial inspection result based on a preset vulnerability verification plug-in library, screen out the repaired vulnerability information in the vulnerability initial inspection result, and obtain the vulnerability detection result of the industrial control system to be detected after the screening.
In the prior art, after the information of industrial control equipment is obtained through scanning, the vulnerability information for that equipment is queried directly in a vulnerability library and displayed to the user; if some of that vulnerability information has already been repaired, vulnerability false alarms occur and the user experience suffers. By contrast, the device for detecting industrial control system vulnerabilities provided by the invention first acquires the IP network segment of the industrial control system to be detected and determines all open ports of each surviving IP in the IP network segment. It then determines the vulnerability information of the industrial control equipment corresponding to all industrial control open ports based on a preset equipment identification script library and a preset vulnerability information library, and stores the vulnerability information into a vulnerability initial detection result. Finally, it verifies all vulnerability information in the vulnerability initial detection result based on a preset vulnerability verification plug-in library, screens out the repaired vulnerability information, and obtains the vulnerability detection result of the industrial control system to be detected after the screening. The device adds the vulnerability verification step before feeding back the vulnerability detection result of the industrial control system to be detected and screens out the repaired vulnerability information, so the reported vulnerability detection result is more accurate. This effectively alleviates the technical problem of the high vulnerability false alarm rate of prior-art methods for detecting industrial control system vulnerabilities.
Optionally, the apparatus of the present invention further comprises:
a judging module, configured to judge whether a target equipment identification script matching a target open port exists in the preset equipment identification script library, wherein the target open port is any one of all the open ports; and
a third determining module, configured to, if the target equipment identification script exists, take the target open port for which the target equipment identification script exists as an industrial control open port.
Optionally, the second determining module 200 includes:
a scanning unit, configured to scan a target industrial control open port by using the equipment identification script matching the target industrial control open port to obtain target equipment information, wherein the target industrial control open port is any one of all the industrial control open ports;
a judging unit, configured to judge whether vulnerability information matching the target equipment information exists in the preset vulnerability information base; and
a first determining unit, configured to, if such vulnerability information exists, take it as the vulnerability information of the industrial control equipment corresponding to the target industrial control open port.
Optionally, the verification module 300 includes:
a second determining unit, configured to determine, in the preset vulnerability verification plug-in library, a target vulnerability verification plug-in matching the target vulnerability information, wherein the target vulnerability information is any one of all the vulnerability information; and
a verification unit, configured to verify, by using the target vulnerability verification plug-in, whether the target vulnerability corresponding to the target vulnerability information has been repaired.
Optionally, the vulnerability detection result includes: a repair scheme for each piece of vulnerability information.
Example three
Referring to fig. 5, an embodiment of the present invention provides an electronic device, including: a processor 60, a memory 61, a bus 62 and a communication interface 63, wherein the processor 60, the communication interface 63 and the memory 61 are connected through the bus 62; the processor 60 is arranged to execute executable modules, such as computer programs, stored in the memory 61.
The memory 61 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 63 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used.
The bus 62 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 5, but this does not indicate only one bus or one type of bus.
The memory 61 is used for storing a program, the processor 60 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 60, or implemented by the processor 60.
The processor 60 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 60. The processor 60 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in the memory 61, and the processor 60 reads the information in the memory 61 and completes the steps of the method in combination with its hardware.
The computer program product of the method, the apparatus, and the electronic device for detecting industrial control system vulnerabilities provided in the embodiments of the present invention includes a computer-readable storage medium storing non-volatile program code executable by a processor. The instructions included in the program code may be used to execute the method described in the foregoing method embodiments; for the specific implementation, refer to the method embodiments, which are not described here again.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention, or the part of it that substantially contributes to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program code.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings or the orientations or positional relationships that the products of the present invention are conventionally placed in use, and are only used for convenience in describing the present invention and simplifying the description, but do not indicate or imply that the devices or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," "third," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
Furthermore, the terms "horizontal", "vertical", "overhang" and the like do not imply that the components are required to be absolutely horizontal or overhang, but may be slightly inclined. For example, "horizontal" merely means that the direction is more horizontal than "vertical" and does not mean that the structure must be perfectly horizontal, but may be slightly inclined.
In the description of the present invention, it should also be noted that, unless otherwise explicitly specified or limited, the terms "disposed," "mounted," "connected," and "connected" are to be construed broadly and may, for example, be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for detecting industrial control system bugs is characterized by comprising the following steps:
acquiring an IP network segment of the industrial control system to be detected; determining all open ports of each alive IP in the IP network segment;
determining vulnerability information of industrial control equipment corresponding to all industrial control open ports based on a preset equipment identification script library and a preset vulnerability information library, and storing the vulnerability information into a vulnerability initial detection result; the preset equipment identification script library is a database which stores equipment identification scripts of all industrial control open ports; the preset vulnerability information base is a database of corresponding relation between industrial control equipment information and industrial control equipment vulnerability information;
verifying all vulnerability information in the vulnerability initial detection result based on a preset vulnerability verification plug-in library, screening repaired vulnerability information in the vulnerability initial detection result, and obtaining the vulnerability detection result of the to-be-detected industrial control system after screening.
2. The method according to claim 1, wherein before determining vulnerability information of the industrial control devices corresponding to all industrial control open ports based on the preset device identification script library and the preset vulnerability information library, the method further comprises:
judging whether a target equipment identification script matched with a target open port exists in the preset equipment identification script library or not, wherein the target open port is any one of all the open ports;
and if so, taking the target open port with the target equipment identification script as an industrial control open port.
3. The method of claim 2, wherein determining vulnerability information of the industrial control devices corresponding to all industrial control open ports based on a preset device identification script library and a preset vulnerability information library comprises:
scanning a target industrial control open port by using an equipment identification script matched with the target industrial control open port to obtain target equipment information, wherein the target industrial control open port is any one of all the industrial control open ports;
judging whether vulnerability information matched with the target equipment information exists in the preset vulnerability information base or not;
and if so, taking the vulnerability information as the vulnerability information of the industrial control equipment corresponding to the target industrial control open port.
4. The method of claim 3, wherein verifying all vulnerability information in the vulnerability primary inspection result based on a preset vulnerability verification plug-in library comprises:
determining a target vulnerability verification plug-in matched with target vulnerability information in a preset vulnerability verification plug-in library, wherein the target vulnerability information is any one of all vulnerability information;
and verifying whether the target vulnerability corresponding to the target vulnerability information is repaired or not by using the target vulnerability verification plug-in.
5. The method of claim 1, wherein the vulnerability detection result comprises: a repair scheme for each piece of vulnerability information.
6. A device for detecting industrial control system bugs, characterized by comprising:
the first determining module is used for acquiring an IP network segment of the industrial control system to be detected; determining all open ports of each alive IP in the IP network segment;
the second determination module is used for determining the vulnerability information of the industrial control equipment corresponding to all industrial control open ports based on the preset equipment identification script library and the preset vulnerability information library, and storing the vulnerability information into a vulnerability initial detection result; the preset equipment identification script library is a database which stores equipment identification scripts of all industrial control open ports; the preset vulnerability information base is a database of corresponding relation between industrial control equipment information and industrial control equipment vulnerability information;
and the verification module is used for verifying all vulnerability information in the vulnerability initial detection result based on a preset vulnerability verification plug-in library, screening repaired vulnerability information in the vulnerability initial detection result, and obtaining the vulnerability detection result of the to-be-detected industrial control system after screening.
7. The apparatus of claim 6, further comprising:
the judging module is used for judging whether a target equipment identification script matched with a target open port exists in the preset equipment identification script library or not, wherein the target open port is any one of all the open ports;
and the third determining module is used for, if the target equipment identification script exists, taking the target open port with the target equipment identification script as an industrial control open port.
8. The apparatus of claim 7, wherein the second determining module comprises:
the scanning unit is used for scanning the target industrial control open port by using the equipment identification script matched with the target industrial control open port to obtain target equipment information, wherein the target industrial control open port is any one of all the industrial control open ports;
the judging unit is used for judging whether vulnerability information matched with the target equipment information exists in the preset vulnerability information base or not;
and if the vulnerability information exists, the first determining unit takes the vulnerability information as the vulnerability information of the industrial control equipment corresponding to the target industrial control open port.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method of any of claims 1 to 5 when executing the computer program.
10. A computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the method of any of claims 1 to 5.
CN201911169982.6A 2019-11-25 2019-11-25 Method and device for detecting industrial control system bugs and electronic equipment Active CN111008380B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911169982.6A CN111008380B (en) 2019-11-25 2019-11-25 Method and device for detecting industrial control system bugs and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911169982.6A CN111008380B (en) 2019-11-25 2019-11-25 Method and device for detecting industrial control system bugs and electronic equipment

Publications (2)

Publication Number Publication Date
CN111008380A CN111008380A (en) 2020-04-14
CN111008380B true CN111008380B (en) 2022-05-31

Family

ID=70113250

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911169982.6A Active CN111008380B (en) 2019-11-25 2019-11-25 Method and device for detecting industrial control system bugs and electronic equipment

Country Status (1)

Country Link
CN (1) CN111008380B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113672929A (en) * 2020-05-14 2021-11-19 阿波罗智联(北京)科技有限公司 Vulnerability characteristic obtaining method and device and electronic equipment
CN112087462A (en) * 2020-09-11 2020-12-15 北京顶象技术有限公司 Vulnerability detection method and device of industrial control system
CN112448866A (en) * 2020-11-12 2021-03-05 国网北京市电力公司 Protocol detection method, device, computer readable storage medium and processor
CN112668010A (en) * 2020-12-17 2021-04-16 哈尔滨工大天创电子有限公司 Method, system and computing device for scanning industrial control system for bugs
CN112581027B (en) * 2020-12-29 2023-10-31 国网河北省电力有限公司电力科学研究院 Risk information management method and device, electronic equipment and storage medium
CN112699378A (en) * 2020-12-31 2021-04-23 北京航天控制仪器研究所 Industrial control equipment vulnerability detection system and method
CN112711574A (en) * 2021-01-15 2021-04-27 光通天下网络科技股份有限公司 Database security detection method and device, electronic equipment and medium
CN112883031B (en) * 2021-02-24 2023-04-18 杭州迪普科技股份有限公司 Industrial control asset information acquisition method and device
CN114095218A (en) * 2021-11-05 2022-02-25 武汉思普崚技术有限公司 Asset vulnerability management method and device
CN115021952B (en) * 2022-04-15 2024-03-12 国网智能电网研究院有限公司 Vulnerability verification method and device, storage medium and electronic equipment
CN114928495A (en) * 2022-05-31 2022-08-19 江苏保旺达软件技术有限公司 Safety detection method, device, equipment and storage medium
CN116776338B (en) * 2023-07-28 2024-05-10 上海螣龙科技有限公司 Multilayer filtering high-precision vulnerability detection method, device, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102769536A (en) * 2011-12-16 2012-11-07 北京安天电子设备有限公司 Method and system capable of presenting bug fix situation of LAN terminal
CN106973071A (en) * 2017-05-24 2017-07-21 北京匡恩网络科技有限责任公司 A kind of vulnerability scanning method and apparatus
CN108200029A (en) * 2017-12-27 2018-06-22 北京知道创宇信息技术有限公司 Loophole situation detection method, device, server and readable storage medium storing program for executing
CN110008713A (en) * 2019-05-06 2019-07-12 杭州齐安科技有限公司 A kind of novel industry control system vulnerability detection method and system
CN110347700A (en) * 2019-06-28 2019-10-18 北京威努特技术有限公司 Static vulnerability database matching process, device, electronic equipment and readable storage medium storing program for executing

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100125663A1 (en) * 2008-11-17 2010-05-20 Donovan John J Systems, methods, and devices for detecting security vulnerabilities in ip networks

Also Published As

Publication number Publication date
CN111008380A (en) 2020-04-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant