CN111131325A - Data protocol anomaly identification system and method - Google Patents

Data protocol anomaly identification system and method

Info

Publication number
CN111131325A
Authority
CN
China
Prior art keywords
data
protocol
abnormal
identification
module
Prior art date
Legal status
Pending
Application number
CN202010005013.3A
Other languages
Chinese (zh)
Inventor
阮伟
陈亮
杨柳
Current Assignee
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Application filed by Zhejiang University ZJU
Priority to CN202010005013.3A
Publication of CN111131325A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a system and a method for identifying data protocol anomalies. The system comprises: a data source selection module, used for selecting a data source; a data acquisition module, in communication connection with the data source selection module and used for acquiring data from the data source; a data identification module, in communication connection with the data acquisition module and used for identifying whether the communication protocol of the data is abnormal; and a data output module, in communication connection with the data identification module and used for outputting the identification result of the data identification module. By analyzing the characteristics of the data transmission protocols in an industrial control network, the invention achieves accurate identification of protocol anomalies in that network.

Description

Data protocol anomaly identification system and method
Technical Field
The invention relates to the technical field of computer software, in particular to a data protocol anomaly identification system and a data protocol anomaly identification method.
Background
In the prior art, the objects of protocol anomaly identification are generally common network application protocols, which is workable for ordinary network environments. In an industrial control network environment, however, many proprietary protocols are used by industrial control equipment, and a general protocol anomaly identification method cannot identify protocol anomalies in such a network.
Therefore, how to identify anomalous conditions in the many proprietary protocols of an industrial control network environment is a problem that urgently needs to be solved in the field.
Disclosure of Invention
In view of the above, the present invention provides a system and a method for identifying data protocol anomalies. The technical scheme is as follows:
a data protocol anomaly identification system, the system comprising:
the data source selection module is used for selecting a data source;
the data acquisition module is in communication connection with the data source selection module and is used for acquiring data from the data source;
the data identification module is in communication connection with the data acquisition module and is used for identifying whether the communication protocol of the data is abnormal or not;
and the data output module is in communication connection with the data identification module and is used for outputting the identification result of the data identification module.
Preferably, the data identification module is further configured to:
identifying whether a port number of the data is abnormal.
Preferably, the data identification module is further configured to:
identifying whether the general protocol of the data is abnormal, and, if the general protocol of the data is not abnormal, then performing the identification of whether the communication protocol of the data is abnormal or the identification of whether the port number of the data is abnormal.
Preferably, the data identification module stores a protocol rule file in advance, and the protocol rule file contains a relational expression of a normal protocol and the port number accessed by the normal protocol; wherein:
the relational expression of the normal protocol is the basis on which the data identification module identifies whether the communication protocol of the data is abnormal, and the port number accessed by the normal protocol is the basis on which the data identification module identifies whether the port number of the data is abnormal.
Preferably, the data identification module is further configured to:
responding to an editing operation for the protocol rule file.
Preferably, the data identification module is further configured to:
identifying the cause of the data communication protocol anomaly when the communication protocol of the data is abnormal.
A data protocol anomaly identification method, the method comprising:
selecting a data source;
collecting data from the data source;
identifying whether a communication protocol of the data is abnormal;
and outputting the recognition result.
Preferably, the method further comprises:
identifying whether a port number of the data is abnormal.
Preferably, the method further comprises:
identifying whether the general protocol of the data is abnormal, and, if the general protocol of the data is not abnormal, then performing the identification of whether the communication protocol of the data is abnormal or the identification of whether the port number of the data is abnormal.
Preferably, the method further comprises:
identifying the cause of the data communication protocol anomaly when the communication protocol of the data is abnormal.
The data protocol anomaly identification system and method provided by the invention select a data source, collect data from that data source, identify whether the communication protocol of the data is abnormal, and output the identification result. By analyzing the characteristics of the data transmission protocols in an industrial control network, the invention achieves accurate identification of protocol anomalies in that network.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a data protocol anomaly identification system according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for identifying an anomaly of a data protocol according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
An embodiment of the present invention provides a data protocol anomaly identification system, a schematic structural diagram of which is shown in fig. 1, and includes:
A data source selection module 10, used for selecting a data source.
In the embodiment of the present invention, before the data source selection module 10 selects the data source, an initialization module in the system may complete the initialization of the data source selection module 10, the data acquisition module, the data identification module and the data output module, setting an initial value for the variables of each module.
In addition, the data source selection module 10 may present the system's network card list to the user and, through interaction with the user, select from that list the target network card that provides the data.
A data acquisition module 20, in communication connection with the data source selection module 10 and used for acquiring data from the data source.
In the embodiment of the present invention, the data acquisition module 20 may capture the data passing through the target network card and simply pack and combine it.
A data identification module 30, in communication connection with the data acquisition module 20 and used for identifying whether the communication protocol of the data is abnormal.
In the embodiment of the present invention, the data identification module 30 stores in advance communication protocol identification rules for different communication protocols. Since the communication protocol of the target network card can be determined in advance, the data acquired by the data acquisition module 20 is matched against the target communication protocol identification rule corresponding to the target network card, to identify whether the communication protocol of the data satisfies that rule. If the rule is not satisfied, the communication protocol of the data is determined to be normal (non-abnormal); otherwise, it is determined to be abnormal.
A data output module 40, in communication connection with the data identification module 30 and used for outputting the identification result of the data identification module 30.
In this embodiment of the present invention, the data output module 40 may output the identification result of the data identification module 30 to a third-party interface or device in a general data format. Normal and abnormal communication protocols may also be classified and marked, and an output interface for normal or abnormal communication protocol information provided, so that an external party can obtain the identification result of the communication protocol in real time.
In some other embodiments, to implement port identification, the data identification module 30 is further configured to:
identifying whether the port number of the data is abnormal.
In the embodiment of the present invention, the data identification module 30 stores in advance port number identification rules for the port numbers accessed by different communication protocols. Since the communication protocol of the target network card can be determined in advance, the data acquired by the data acquisition module 20 is matched against the target port number identification rule corresponding to the target network card, to identify whether the port number of the data satisfies that rule. If it does, the port number of the data is determined to be normal (non-abnormal); otherwise, it is determined to be abnormal.
The following addresses the problem that identification rules are usually hard-coded into the program, which makes them inconvenient to modify or extend. Industrial control networks contain many kinds of equipment and many proprietary protocols, so hard-coded rules are ill-suited to that service environment.
The data identification module 30 stores a protocol rule file in advance, and the protocol rule file contains a relational expression of a normal protocol and the port number accessed by the normal protocol; wherein:
the relational expression of the normal protocol is the basis on which the data identification module 30 identifies whether the communication protocol of the data is abnormal, and the port number accessed by the normal protocol is the basis on which the data identification module 30 identifies whether the port number of the data is abnormal.
In the embodiment of the present invention, during initialization the data identification module 30 scans the protocol rule file in the system's rule configuration directory, parses and formats the protocol rule file, and establishes a binding between each communication protocol and its identification rule (comprising the communication protocol rule and the port number identification rule). Specifically, in the embodiment of the present invention, the communication protocol rule is a normal protocol expressed in the form of a relational expression, and the port number identification rule is the port number accessed by the normal protocol.
Therefore, when the data identification module 30 identifies the communication protocol of the data, it judges whether the communication protocol of the data meets the relational expression of the target normal protocol corresponding to the target network card. If the expression is not satisfied, the communication protocol of the data is determined to be normal (non-abnormal); otherwise, it is determined to be abnormal.
When the data identification module 30 identifies the port number of the data, it judges whether the port number of the data is the same as the normal port number corresponding to the target network card. If they are the same, the port number of the data is determined to be normal (non-abnormal); otherwise, it is determined to be abnormal.
In addition, in the embodiment of the present invention, the data identification module 30 is further configured to:
responding to an editing operation directed at the protocol rule file.
In the embodiment of the present invention, the data identification module 30 may respond to the user's editing operations on the protocol rule file, such as adding a new identification rule or modifying or deleting an existing identification rule. The identification rules are thereby separated from the software, giving extensible and configurable anomaly identification rules, which is of real significance for the security monitoring of industrial control networks.
In some other embodiments, to improve the efficiency of anomaly detection, the data identification module 30 is further configured to:
identify whether the general protocol of the data is abnormal, and, if the general protocol of the data is not abnormal, then perform the identification of whether the communication protocol of the data is abnormal or the identification of whether the port number of the data is abnormal.
In the embodiment of the invention, before the communication protocol or the port number of the data is checked for anomalies, whether the general communication protocol of the data is abnormal is identified first. Specifically, the sub-data of the communication protocol part, such as the information in the TCP/IP protocol header, may be analyzed to see whether it satisfies the pre-stored general communication protocol identification rule. If the rule is not satisfied, the general communication protocol of the data is determined to be normal (non-abnormal); otherwise, it is determined to be abnormal.
In other embodiments, to provide guidance to the user, the data identification module 30 is further configured to:
identify the cause of the data communication protocol anomaly when the communication protocol of the data is abnormal.
In the embodiment of the present invention, the data identification module 30 may infer the correct communication protocol of the data (i.e., the predetermined communication protocol of the target network card), match the cause of the data communication protocol anomaly from the comparison between the abnormal communication protocol of the data and the correct communication protocol, and have the data output module 40 output the result.
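The staged check described above (general TCP/IP header check first, then the proprietary-protocol relational expression and the normal port number taken from an editable rule file, with the cause of an anomaly reported), as an added Python example that is not the patent's own code. The rule file, the card name eth1, the protocol name ICS-PROTO-A and its five-byte header layout are all constructed; the example treats a packet that satisfies the normal-protocol expression as normal.

```python
import json
import struct

# Constructed rule file standing in for the rule configuration directory in the text.
# Keyed by target network card; "normal_expr" is the relational expression of the
# normal protocol as (field, operator, value) terms, "normal_port" the port that
# protocol is accessed on. Card name, protocol name and all values are hypothetical.
RULE_FILE = json.dumps({
    "eth1": {
        "protocol": "ICS-PROTO-A",
        "normal_expr": [["magic", "==", 23130],        # 0x5A5A
                        ["func", "in", [1, 2, 3]],
                        ["length", "<=", 256]],
        "normal_port": 20000,
    }
})

# Relational operators allowed in a rule term; the rule file is data, never evaluated as code.
OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "in": lambda a, b: a in b,
}


def load_rules(text):
    """Parse and validate the editable rule file (the initialization-time scan)."""
    rules = json.loads(text)
    for card, rule in rules.items():
        for field, op, _ in rule["normal_expr"]:
            if op not in OPS:
                raise ValueError(f"{card}: unsupported operator {op!r} for field {field}")
    return rules


def check_general_protocol(pkt):
    """Stage 1: sanity-check the generic IPv4/TCP headers. Returns (ok, cause, dport, payload)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False, "not an IPv4 packet", None, None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len != len(pkt):
        return False, "IPv4 header length inconsistent with packet", None, None
    if pkt[9] != 6:
        return False, f"IP protocol {pkt[9]} is not TCP", None, None
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return False, "truncated TCP header", None, None
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return False, "TCP data offset out of range", None, None
    return True, "", dport, tcp[data_off:]


def parse_proprietary(payload):
    """Constructed proprietary header: magic(2) func(1) length(2), big-endian."""
    if len(payload) < 5:
        return None
    magic, func, length = struct.unpack("!HBH", payload[:5])
    return {"magic": magic, "func": func, "length": length}


def identify(card, pkt, rules):
    """Run the checks in the order the description gives and return the result record
    (a constructed output format: card, expected protocol, verdict, stage, cause)."""
    rule = rules[card]
    result = {"card": card, "expected_protocol": rule["protocol"],
              "verdict": "normal", "stage": "", "cause": ""}
    ok, cause, dport, payload = check_general_protocol(pkt)
    if not ok:  # general protocol abnormal: stop before the proprietary-protocol checks
        result.update(verdict="abnormal", stage="general_protocol", cause=cause)
        return result
    fields = parse_proprietary(payload)
    if fields is None:
        result.update(verdict="abnormal", stage="protocol",
                      cause="payload shorter than the protocol header")
        return result
    # Cause identification: report the first term of the normal-protocol expression
    # that the observed field violates, together with the expected value.
    for field, op, expected in rule["normal_expr"]:
        if not OPS[op](fields[field], expected):
            result.update(verdict="abnormal", stage="protocol",
                          cause=f"{field}={fields[field]} violates '{field} {op} {expected}'")
            return result
    if dport != rule["normal_port"]:
        result.update(verdict="abnormal", stage="port",
                      cause=f"destination port {dport} != normal port {rule['normal_port']}")
        return result
    result["stage"] = "all"
    return result


def build_packet(dport, payload):
    """Construct a minimal IPv4+TCP packet carrying payload (sample input only)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp
```

Calling `identify("eth1", build_packet(20001, b"\x5a\x5a\x01\x00\x0a"), load_rules(RULE_FILE))` yields an abnormal verdict at the port stage with the offending port named in the cause, while the same payload on port 20000 passes all stages.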
Based on the above disclosure, to facilitate understanding of the present application, the following examples are given for the data output module to output a general data format:
The general data format is as follows:
[Table of the general data format: reproduced in the original as two figures (BDA0002354931240000061 and BDA0002354931240000071), not recoverable from this page.]
The data protocol anomaly identification system provided by the embodiment of the invention selects a data source, collects data from that data source, identifies whether the communication protocol of the data is abnormal, and outputs the identification result. By analyzing the characteristics of the data transmission protocols in an industrial control network, the invention achieves accurate identification of protocol anomalies in that network.
Based on the data protocol anomaly identification system provided by the above embodiment, the embodiment of the present invention further provides a data protocol anomaly identification method, and the method flow chart of the method is shown in fig. 2, and the method comprises the following steps:
S10, selecting a data source.
S20, collecting data from the data source.
S30, identifying whether the communication protocol of the data is abnormal.
S40, outputting the identification result.
Optionally, the method further includes:
identifying whether the port number of the data is abnormal.
Optionally, the method further includes:
identifying whether the general protocol of the data is abnormal, and, if the general protocol of the data is not abnormal, then performing the identification of whether the communication protocol of the data is abnormal or the identification of whether the port number of the data is abnormal.
Optionally, the method further includes:
identifying the cause of the data communication protocol anomaly when the communication protocol of the data is abnormal.
The data protocol anomaly identification method provided by the embodiment of the invention selects a data source, collects data from that data source, identifies whether the communication protocol of the data is abnormal, and outputs the identification result. By analyzing the characteristics of the data transmission protocols in an industrial control network, the invention achieves accurate identification of protocol anomalies in that network.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A data protocol anomaly identification system, said system comprising:
the data source selection module is used for selecting a data source;
the data acquisition module is in communication connection with the data source selection module and is used for acquiring data from the data source;
the data identification module is in communication connection with the data acquisition module and is used for identifying whether the communication protocol of the data is abnormal or not;
and the data output module is in communication connection with the data identification module and is used for outputting the identification result of the data identification module.
2. The system of claim 1, wherein the data identification module is further configured to:
identifying whether a port number of the data is abnormal.
3. The system of claim 1 or 2, wherein the data identification module is further configured to:
identifying whether the general protocol of the data is abnormal, and, if the general protocol of the data is not abnormal, then performing the identification of whether the communication protocol of the data is abnormal or the identification of whether the port number of the data is abnormal.
4. The system according to claim 2, wherein the data identification module stores a protocol rule file in advance, and the protocol rule file contains a relational expression of a normal protocol and the port number accessed by the normal protocol; wherein:
the relational expression of the normal protocol is the basis on which the data identification module identifies whether the communication protocol of the data is abnormal, and the port number accessed by the normal protocol is the basis on which the data identification module identifies whether the port number of the data is abnormal.
5. The system of claim 4, wherein the data identification module is further configured to:
responding to an editing operation for the protocol rule file.
6. The system of claim 1, wherein the data identification module is further configured to:
identifying the cause of the data communication protocol anomaly when the communication protocol of the data is abnormal.
7. A method for identifying data protocol anomalies, the method comprising:
selecting a data source;
collecting data from the data source;
identifying whether a communication protocol of the data is abnormal;
and outputting the recognition result.
8. The method of claim 7, further comprising:
identifying whether a port number of the data is abnormal.
9. The method of claim 8, further comprising:
identifying whether the general protocol of the data is abnormal, and, if the general protocol of the data is not abnormal, then performing the identification of whether the communication protocol of the data is abnormal or the identification of whether the port number of the data is abnormal.
10. The method of claim 7, further comprising:
identifying the cause of the data communication protocol anomaly when the communication protocol of the data is abnormal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010005013.3A CN111131325A (en) 2020-01-03 2020-01-03 Data protocol anomaly identification system and method

Publications (1)

Publication Number Publication Date
CN111131325A true CN111131325A (en) 2020-05-08

Family

ID=70507693

Country Status (1)

Country Link
CN (1) CN111131325A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014125636A1 (en) * 2013-02-18 2014-08-21 日本電信電話株式会社 Communication device or packet transfer method
CN107979567A (en) * 2016-10-25 2018-05-01 北京计算机技术及应用研究所 A kind of abnormality detection system and method based on protocal analysis
CN110324199A (en) * 2019-03-03 2019-10-11 北京立思辰安科技术有限公司 A kind of implementation method and device of general protocol analysis frame
CN110401642A (en) * 2019-07-10 2019-11-01 浙江中烟工业有限责任公司 A kind of acquisition of industry control flow and protocol analysis method

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491806A (en) * 2020-11-04 2021-03-12 深圳供电局有限公司 Cloud platform flow security analysis system and method
CN113595781A (en) * 2021-07-26 2021-11-02 陕西中科启元信息技术有限公司 Internet of things communication protocol configuration method and device
CN113595781B (en) * 2021-07-26 2024-03-29 北京创程科技有限公司 Internet of things communication protocol configuration method and device
WO2024149297A1 (en) * 2023-01-10 2024-07-18 杭州阿里云飞天信息技术有限公司 Container network packet capture processing method, apparatus and device, and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200508