CN111371651A - Industrial communication protocol reverse analysis method - Google Patents

Publication number
CN111371651A
CN111371651A CN202010168286.XA CN202010168286A CN111371651A CN 111371651 A CN111371651 A CN 111371651A CN 202010168286 A CN202010168286 A CN 202010168286A CN 111371651 A CN111371651 A CN 111371651A
Authority
CN
China
Prior art keywords
data
data packet
packet
receiving
analysis
Legal status
Pending
Application number
CN202010168286.XA
Other languages
Chinese (zh)
Inventor
朱奕辉
陈昕伟
雷濛
郭宾
Current Assignee
Hangzhou Wooden Chain Internet Of Things Technology Co ltd
Original Assignee
Hangzhou Wooden Chain Internet Of Things Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a reverse analysis method of an industrial communication protocol, which comprises the following steps: receiving a data acquisition instruction, acquiring a first data packet in an industrial control network data stream and obtaining data classification; receiving a data packet reconstruction instruction, and analyzing the data packet from bottom to top based on an OSI model on the first data packet to obtain a second data packet; and receiving a data packet deep analysis instruction, and analyzing a private protocol and a public protocol according to the second data packet to obtain a protocol format, so that the problem that the analysis depth of the industrial control network data packet is insufficient at present is solved.

Description

Industrial communication protocol reverse analysis method
Technical Field
The invention relates to the field of industrial control system network communication, in particular to a method for deeply analyzing the content of an industrial control network data packet and carrying out binary reverse analysis on an industrial control private protocol, which can be used for comprehensively knowing the operation condition of an industrial control system from a bottom layer.
Background
Since the network virus outbreak in Iran in 2010, many significant industrial control system network security incidents have occurred at home and abroad, seriously affecting and damaging the stable operation of industrial control systems. An industrial control system controls the various devices on an industrial site so that they produce cooperatively according to process requirements, and it is the core hub of industrial production. In-service industrial control systems were generally designed without considering network security threats, and they contain a large number of vulnerabilities that attackers can exploit, so they carry significant risk.
The parts of an industrial control system exchange data over the industrial control network. Besides normal behavior data, such as control commands sent by the upper computer and operation states returned by the lower computer, the traffic also contains abnormal behavior data generated when an attacker carries out sabotage. Monitoring network data, recognizing abnormal behavior in it and handling it appropriately are therefore important means of protecting the industrial control system.
Unlike the general network protocols such as HTTP and FTP used by traditional information systems, industrial control network data is usually encoded with a special-purpose protocol, and without deep data analysis capability a security device cannot tell what communication content a data packet carries. At present, abnormal behavior detection is generally based on rule matching against attributes such as IP and MAC addresses, which makes illegal instructions exchanged between legitimate devices hard to find and gives very limited protection. A method that can deeply analyze industrial control network data packets is urgently needed, to obtain information such as the control instruction and specific parameters corresponding to a data packet and to give security devices a basis for data analysis.
Most industrial control protocols are proprietary: the protocol format is defined by the manufacturer and is not disclosed. Network data packets are encoded according to the OSI model and transmitted as binary strings, and data packets with similar functions are also similar in content. For example, in commands that read coil status the function code field is the same while the coil numbers differ, so the protocol format can be worked out by repeated comparison using binary reverse analysis.
Disclosure of Invention
The invention provides a reverse analysis method of an industrial communication protocol, which solves the problem of insufficient analysis depth of the industrial control network data packet at present.
The invention provides a reverse analysis method of an industrial communication protocol, which comprises the following steps: receiving a data acquisition instruction, acquiring a first data packet in an industrial control network data stream and obtaining data classification; receiving a data packet reconstruction instruction, and analyzing the first data packet from bottom to top based on an OSI model to obtain a second data packet; and receiving a data packet deep analysis instruction, and performing reverse analysis on the second data packet to obtain a protocol format.
Preferably, receiving a data acquisition instruction, acquiring a first data packet in an industrial control network data stream and obtaining a data classification comprises the following steps: receiving a data identification instruction, and checking the first data packet to obtain the required data type; receiving a data acquisition part instruction, enabling the port mirroring function on a switch of the industrial control system, and acquiring the first data packet; receiving a data analysis instruction, and performing a simple analysis of the packet header content of the first data packet; and receiving a data storage instruction, and storing the acquired first data packets and data in a database by category.
Preferably, receiving a data packet reconstruction instruction and analyzing the first data packet from bottom to top based on the OSI model to obtain a second data packet comprises: restoring the packets after identifying the network layer protocol; and stripping the network layer protocol header and analyzing layer by layer to obtain the second data packet.
Preferably, the receiving a deep packet parsing instruction, performing inverse analysis on the second packet, and obtaining a protocol format further includes: building a simulation environment; and analyzing the data relevance and similarity of the second data packet to generate a protocol format.
Preferably, the performing data association and similarity analysis on the second data packet to generate a protocol format further includes: calculating the data relevance and similarity between the second data packets to generate character features; counting character features, and segmenting four types of fields: fixed fields, crossed fields, gradient fields and variable fields; and deducing the meanings of the fixed field, the crossed field, the gradient field and the changeable field according to the four types of fields, and analyzing and generating a protocol format.
Preferably, the statistical characteristics are rate of change, mean, variance.
The invention provides computer equipment which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, and is characterized in that the processor realizes the reverse analysis method of the industrial communication protocol when executing the computer program.
The invention provides a computer-readable storage medium, which is characterized in that the computer-readable storage medium stores a computer program for executing the above-mentioned industrial communication protocol reverse analysis method.
The invention has the following beneficial effects:
1. the invention solves the problem of insufficient analysis depth of the current industrial control network data packet, and as most industrial control protocols belong to private protocols, the protocol format is defined and not disclosed by manufacturers, a user cannot comprehensively know deep information such as instructions, parameters and the like in the industrial control network data packet;
2. the invention provides a method for analyzing a private protocol by adopting a binary reverse analysis technology so as to obtain a protocol format of an industrial control protocol, which is used for deeply analyzing an industrial control network data packet.
3. The invention can analyze various private protocols which are not disclosed, has good expansibility and is suitable for industrial control systems of different industries and different brands.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a schematic diagram illustrating a reverse analysis method for an industrial communication protocol according to an embodiment of the present disclosure;
fig. 2 is a flowchart of an industrial communication protocol reverse analysis method according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of a single TCP/IP packet reconstruction process provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a process for reconstructing multiple TCP/IP packets according to an embodiment of the present application;
fig. 5 is a statistical result of a message history instruction operation set provided in the embodiment of the present application;
fig. 6 is a statistical result of a sample field provided in an embodiment of the present application.
DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that protocol parsing techniques are measured mainly by the depth of parsing, and fall into two main categories: shallow parsing and deep parsing. Shallow parsing covers the basic fields and the fields at the lower OSI layers, such as the data link layer, the network layer and the transport layer. Deep parsing is the complete parsing of the fields of the data stream, covering not only the data link, network and transport layers but all fields, including those of the application layer, together with an understanding of the protocol format itself and the interpretation and translation of important field information. The four field types are defined as follows.
Fixed field: a specific identification code that exists in the protocol and whose value is fixed.
Cross field: in a request message and its response message the source address and the destination address are exchanged, so communication addresses are cross fields.
Gradient field: the field's rate of change is low and its value stays within a certain range, for example data content and register addresses; such fields are commonly found in the latter half of the application layer.
Variable field: the field changes very frequently; a check code is a common variable field.
Example one
The invention provides a reverse analysis method of an industrial communication protocol, which comprises the following steps: fig. 1 is a schematic diagram of a reverse analysis method of an industrial communication protocol according to an embodiment of the present application, and as shown in fig. 1, a data obtaining instruction is received, a first data packet in an industrial control network data stream is obtained, and data classification is obtained; receiving a data packet reconstruction instruction, and analyzing the first data packet from bottom to top based on an OSI model to obtain a second data packet; and receiving a data packet deep analysis instruction, and performing reverse analysis on the second data packet to obtain a protocol format.
It should be noted that, in the embodiments of the present invention, the first data packet can be understood as the original data packet and the second data packet as the application layer data packet. Once the method has started it keeps running: industrial control network data is acquired continuously, that is, original data packets are captured and classified; data of the specified type is passed to the data packet reconstruction module, which reconstructs the packets according to the OSI 7-layer model, obtains the data content of each layer and produces the application layer data packet; the resulting application layer (top OSI layer) data is then passed to the application layer data packet deep analysis module and parsed according to the protocol format.
Specifically, fig. 2 is a flowchart of the industrial communication protocol reverse analysis method provided in the embodiment of the present application. As shown in fig. 2, a binary reverse analysis technique is used to analyze a private protocol. First, a simulation environment in which the target protocol runs (a host, application software, a PLC and other equipment) is set up so that the data packets exchanged by the network devices can be captured. Label data with typical characteristics is injected into the simulation environment repeatedly, the data packets on the communication network are captured while the system processes the label data, and the communication protocol headers are stripped layer by layer according to the OSI model to obtain application layer data packets. By calculating the relevance and similarity between different data, applying the protocol design property that values at the same fixed position in an invariant region are identical, and designing a suitable statistical algorithm over statistical features (such as rate of change, mean and variance), four types of fields can be segmented: fixed fields, cross fields, gradient fields and variable fields. Finally, the meaning of the data is deduced with the help of the protocol's feature library, completing the analysis of the proprietary protocol format.
Example two
The invention provides a reverse analysis method of an industrial communication protocol, which comprises the following steps: receiving a data acquisition instruction, acquiring a first data packet in an industrial control network data stream and obtaining data classification; receiving a data packet reconstruction instruction, and analyzing the first data packet from bottom to top based on an OSI model to obtain a second data packet; and receiving a data packet deep analysis instruction, and performing reverse analysis on the second data packet to obtain a protocol format.
Preferably, receiving a data acquisition instruction, acquiring a first data packet in an industrial control network data stream and obtaining a data classification comprises the following steps: receiving a data identification instruction, and checking the first data packet to obtain the required data type; receiving a data acquisition part instruction, enabling the port mirroring function on a switch of the industrial control system, and acquiring the first data packet; receiving a data analysis instruction, and performing a simple analysis of the packet header content of the first data packet; and receiving a data storage instruction, and storing the acquired first data packets and data in a database by category.
Specifically, a data acquisition part instruction is received, the port mirroring function is enabled on a switch of the industrial control system, and the first data packet can be captured with tools such as Wireshark, Savvius Omnipeek, Ettercap, Kismet, SmartSniff and EtherApe.
Preferably, receiving a data packet reconstruction instruction and analyzing the first data packet from bottom to top based on the OSI model to obtain a second data packet comprises: restoring the packets after identifying the network layer protocol; and stripping the network layer protocol header and analyzing layer by layer to obtain the second data packet.
Specifically, fig. 3 is a schematic diagram of a reconstruction process of a single TCP/IP data packet provided in the embodiment of the present application, and fig. 4 is a schematic diagram of a reconstruction process of multiple TCP/IP data packets provided in the embodiment of the present application, as shown in fig. 3 and fig. 4, a data packet reconstruction module is used to restore and splice data packets from bottom to top according to an OSI model, so as to obtain data transmitted by a user in a network; and analyzing the contents of each field of the data packet according to different protocol formats through a deep analysis module, wherein the analysis result can be used by other subsequent applications.
Preferably, the receiving a deep packet parsing instruction, performing inverse analysis on the second packet, and obtaining a protocol format further includes: building a simulation environment; and analyzing the data relevance and similarity of the second data packet to generate a protocol format.
Preferably, the performing data association and similarity analysis on the second data packet to generate a protocol format further includes: calculating the data relevance and similarity between the second data packets to generate character features; counting character features, and segmenting four types of fields: fixed fields, crossed fields, gradient fields and variable fields; and deducing the meanings of the fixed field, the crossed field, the gradient field and the changeable field according to the four types of fields, and analyzing and generating a protocol format.
Preferably, the statistical characteristics are rate of change, mean, variance.
Specifically, the invention captures network traffic by building a simulation environment and analyzes the data packets using binary reverse analysis, thereby obtaining the protocol format of a private protocol. Because the protocol format information is embedded in the upper computer software, the communication-related modules can be found by performing binary reverse analysis directly on the software's executable code, and the format of the private protocol can be derived from them. However, upper computer software is generally very large and reversing the binary takes a great deal of work, so the protocol format is analyzed by calculating the relevance and similarity of the data. Different algorithms can be used in the analysis; for example, a multi-sequence alignment algorithm can be used for field segmentation.
When the protocol is reverse analyzed, different data packets are obtained by controlling the labels, and fields of different types show different statistical characteristics. Fixed fields generally include the protocol type, version number, reserved fields and the like; they are usually located at the head of the data packet, can collectively be called the header, and have a fixed starting position and content. Cross fields usually include the source address, destination address, source port, destination port and the like; in corresponding request/response data packets their content is unchanged and their positions are interchanged. Gradient fields usually include function codes and parameters (such as data content and register addresses); depending on the function code, the number of parameters that follow and the data length differ, the starting position of the function code is fixed, and the parameter content changes between data packets with the same function code, usually at a low rate and with values that stay within a certain range. Variable fields are usually used for data verification and are located at the tail of the data packet; their content changes irregularly and frequently. With a multi-sequence alignment algorithm, these four types of fields in the data packet can be segmented.
To analyze the specific meaning of a gradient field further, the change frequency can be compared byte by byte, combining the field characteristics with the statistical results of the historical instruction operation set. The meaning of the function code field can be deduced from the fact that it behaves as a fixed field among data packets with the same function code but as a gradient field across data packets with different function codes. For the parameter fields, as shown in fig. 5 and fig. 6, comparison shows that Byte24 has the same statistical characteristics as the Byte enum and Byte28 has the same statistical characteristics as the Register, so it can be determined that Byte24 represents the amount of data read and Byte28 represents the register type.
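The per-offset statistics described in the two paragraphs above, as an added Python example that is not code from the patent. The 11-byte message layout, the sample capture and the two cut-off values are constructed assumptions, and messages are assumed to be already aligned to equal length (the patent names multi-sequence alignment for that step).

```python
from statistics import mean, pvariance

# Cut-offs below are assumptions chosen for this example, not patent values.
VARIABLE_MIN_CHANGE_RATE = 0.8
VARIABLE_MIN_VARIANCE = 1000.0


def build_capture(n_pairs=16):
    """Constructed request/response pairs for a made-up 11-byte protocol.

    Layout: magic(2) version(1) src(1) dst(1) func(1) reg(2) count(1) check(2)
    """
    pairs, seq = [], 0
    for k in range(n_pairs):
        func = 0x03 if k < n_pairs // 2 else 0x04
        body = bytes([func, 0x00, 0x10 + k // 4, 1 + k % 3])
        pair = []
        for src, dst in ((0x0A, 0x64), (0x64, 0x0A)):  # request, then response
            head = bytes([0xA5, 0x5A, 0x01, src, dst])
            # Stand-in for a check code: two bytes that jump on every message.
            tail = bytes([(seq * 89 + 7) % 256, (seq * 151 + 3) % 256])
            pair.append(head + body + tail)
            seq += 1
        pairs.append(tuple(pair))
    return pairs


def column_stats(messages):
    """Change rate, mean and variance of each byte offset, in capture order."""
    if len(messages) < 2 or len({len(m) for m in messages}) != 1:
        raise ValueError("need at least two messages of equal length")
    stats = []
    for off in range(len(messages[0])):
        col = [msg[off] for msg in messages]
        changes = sum(a != b for a, b in zip(col, col[1:]))
        stats.append({
            "change_rate": changes / (len(col) - 1),
            "mean": mean(col),
            "variance": pvariance(col),
        })
    return stats


def cross_offsets(pairs, candidates):
    """Offsets whose values swap places between a request and its response."""
    crossed = set()
    for i in candidates:
        for j in candidates:
            if i < j and all(
                req[i] == resp[j] and req[j] == resp[i] and req[i] != req[j]
                for req, resp in pairs
            ):
                crossed.update((i, j))
    return crossed


def classify_offsets(pairs):
    """Label every byte offset as fixed, cross, gradient or variable."""
    messages = [msg for pair in pairs for msg in pair]
    stats = column_stats(messages)
    labels = {o: "fixed" for o, s in enumerate(stats) if s["change_rate"] == 0}
    rest = [o for o in range(len(stats)) if o not in labels]
    for off in cross_offsets(pairs, rest):
        labels[off] = "cross"
    for off in rest:
        if off in labels:
            continue
        s = stats[off]
        frequent = s["change_rate"] >= VARIABLE_MIN_CHANGE_RATE
        irregular = s["variance"] >= VARIABLE_MIN_VARIANCE
        labels[off] = "variable" if frequent and irregular else "gradient"
    return [labels[o] for o in range(len(stats))]


if __name__ == "__main__":
    capture = build_capture()
    print("both function codes:", classify_offsets(capture))
    # Restricting to one function code turns offset 5 from gradient to fixed,
    # which is the signature the text uses to spot the function code field.
    print("one function code:  ", classify_offsets(capture[:8]))
```

On a real capture the cut-offs need tuning, and a weak additive check code computed over slowly changing fields can look like a gradient field under these statistics.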
As for the protocol format information used by the deep analysis module, the format of a public protocol is easy to obtain, whereas for an undisclosed private protocol a simulation environment must be built, different typical characteristics injected repeatedly, and the protocol format reverse analyzed by comparing the input data with the data packet contents. The method can analyze various undisclosed private protocols, extends well, and is suitable for industrial control system networks in different industries. The resulting protocol format can be used by the deep analysis module to analyze the data in depth.
The embodiment of the invention also provides computer equipment that addresses the problem of insufficient analysis depth of current industrial control network data packets: because most industrial control protocols are private protocols whose format is defined by the manufacturer and not disclosed, users cannot fully understand the content of industrial control network data packets. The computer equipment comprises a memory, a processor and a computer program that is stored on the memory and can run on the processor, and the processor implements the reverse analysis method of the industrial communication protocol when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, which is used for solving the problem that the analysis depth of the industrial control network data packet is insufficient at present, and because most industrial control protocols belong to proprietary protocols, the protocol format is defined by manufacturers and is not disclosed, users cannot comprehensively know the content in the industrial control network data packet.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. A method for reverse analysis of an industrial communication protocol is characterized by comprising the following steps:
receiving a data acquisition instruction, acquiring a first data packet in an industrial control network data stream and obtaining data classification;
receiving a data packet reconstruction instruction, and analyzing the first data packet from bottom to top based on an OSI model to obtain a second data packet;
and receiving a data packet deep analysis instruction, and performing reverse analysis on the second data packet to obtain a protocol format.
2. The method of claim 1, wherein receiving a data acquisition command to acquire a first data packet in an industrial control network data stream and obtain a data classification comprises the following steps:
receiving a data identification instruction, and mainly checking the first data packet to obtain a required data type;
receiving a data acquisition part instruction, enabling the port mirroring function on a switch of the industrial control system, and acquiring a first data packet;
receiving a data analysis instruction, and analyzing the content of the first data packet header;
and receiving a data storage instruction, and storing the acquired first data packet and data in a database in a classified manner.
3. The method of claim 1, wherein receiving a packet reconfiguration command, performing a bottom-up analysis on the first packet based on an OSI model to obtain a second packet comprises:
restoring the packets after identifying the network layer protocol;
and stripping the network layer protocol header and analyzing layer by layer to obtain the second data packet.
4. The method of claim 1, wherein receiving a deep packet parsing command, performing a reverse analysis on the second packet to obtain a protocol format, further comprises:
building a simulation environment;
and analyzing the data relevance and similarity of the second data packet to generate a protocol format.
5. The method of claim 4, wherein the performing data correlation and similarity analysis on the second data packet to generate a protocol format further comprises:
calculating the data correlation and similarity between the second data packets to generate character features;
computing statistics over the character features, and segmenting the data into four types of fields: fixed fields, crossed fields, gradient fields and variable fields;
and deducing the meanings of the fixed fields, the crossed fields, the gradient fields and the variable fields from the four field types, and analyzing them to generate a protocol format.
6. The method of claim 5, wherein the statistical features are rate of change, mean, and variance.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the reverse analysis method for an industrial communication protocol as claimed in any one of claims 1 to 6 when executing the computer program.
8. A computer-readable storage medium storing a computer program for performing the reverse analysis method for an industrial communication protocol according to any one of claims 1 to 6.
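The field segmentation of claims 5 and 6, sketched as an added example that is not code from the patent: each byte offset of aligned payloads is scored by rate of change, mean and variance, then labelled and merged into fields. The sample payloads, the helper signals `step_variance` and `distinct`, and every decision rule are assumptions of this example; the claims name the four field classes and the three features but give no thresholds.

```python
from itertools import groupby
from statistics import mean, pvariance

# Constructed sample: 8-byte application payloads, lower-layer headers already removed.
# Layout (known only to this example): magic(2) seq(2) direction(1) reserved(1) value(2)
SAMPLE = [bytes.fromhex(h) for h in (
    "a55a0001030017c4", "a55a00028300e01b", "a55a000303005a92", "a55a000483000c7e",
    "a55a00050300b135", "a55a0006830049f0", "a55a000703009e08", "a55a0008830023d7",
)]

def column_features(col):
    """Rate of change, mean and variance (the features named in claim 6) for one byte offset."""
    steps = [(b - a) % 256 for a, b in zip(col, col[1:])]
    return {
        "change_rate": sum(s != 0 for s in steps) / len(steps),
        "mean": mean(col),
        "variance": pvariance(col),
        "step_variance": pvariance(steps),  # helper signal, assumption of this example
        "distinct": len(set(col)),          # helper signal, assumption of this example
    }

def classify(f, max_crossed_values=3):
    """Assumed decision rules; the claims name the four classes but not their thresholds."""
    if f["variance"] == 0:
        return "fixed"
    if f["distinct"] <= max_crossed_values:
        return "crossed"    # toggles among a few values, e.g. a direction flag
    if f["step_variance"] == 0:
        return "gradient"   # constant step between packets, e.g. a sequence counter
    return "variable"

def infer_fields(packets):
    """Label each byte offset, then merge adjacent offsets with the same label into fields."""
    if len(packets) < 3 or len({len(p) for p in packets}) != 1:
        raise ValueError("need at least 3 packets of identical length")
    labels = [classify(column_features(col)) for col in zip(*packets)]
    fields, offset = [], 0
    for kind, run in groupby(labels):
        width = len(list(run))
        fields.append((offset, offset + width - 1, kind))
        offset += width
    return fields

if __name__ == "__main__":
    for start, end, kind in infer_fields(SAMPLE):
        print(f"bytes {start}-{end}: {kind}")
```

On this capture the high byte of the counter never changes, so offsets 0-2 merge into one fixed field; a short capture cannot distinguish a constant from a slow counter.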
CN202010168286.XA 2020-03-12 2020-03-12 Industrial communication protocol reverse analysis method Pending CN111371651A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010168286.XA CN111371651A (en) 2020-03-12 2020-03-12 Industrial communication protocol reverse analysis method

Publications (1)

Publication Number Publication Date
CN111371651A true CN111371651A (en) 2020-07-03

Family

ID=71211195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010168286.XA Pending CN111371651A (en) 2020-03-12 2020-03-12 Industrial communication protocol reverse analysis method

Country Status (1)

Country Link
CN (1) CN111371651A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130094376A1 (en) * 2011-10-18 2013-04-18 Randall E. Reeves Network protocol analyzer apparatus and method
CN104506484A (en) * 2014-11-11 2015-04-08 中国电子科技集团公司第三十研究所 Proprietary protocol analysis and identification method
CN105656923A (en) * 2016-02-18 2016-06-08 中国工程物理研究院计算机应用研究所 Binary protocol format analysis method based on fuzzy weighting
CN106027511A (en) * 2016-05-13 2016-10-12 北京工业大学 Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)
CN106888209A (en) * 2017-03-02 2017-06-23 中国科学院信息工程研究所 A kind of industry control bug excavation method based on protocol status figure extreme saturation
CN108418807A (en) * 2018-02-05 2018-08-17 浙江大学 A kind of industrial control system popular protocol is realized and monitoring analyzing platform
CN109547409A (en) * 2018-10-19 2019-03-29 中国电力科学研究院有限公司 A kind of method and system for being parsed to industrial network transport protocol

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111917777A (en) * 2020-08-03 2020-11-10 中国电子科技集团公司第三十六研究所 Network data analysis method and device and electronic equipment
CN111917777B (en) * 2020-08-03 2023-04-18 中国电子科技集团公司第三十六研究所 Network data analysis method and device and electronic equipment
CN112187583A (en) * 2020-09-30 2021-01-05 绿盟科技集团股份有限公司 Method, device and storage medium for recognizing action information in private industrial control protocol
CN112751845A (en) * 2020-12-28 2021-05-04 北京恒光信息技术股份有限公司 Network protocol analysis method, system and device
CN112751845B (en) * 2020-12-28 2022-12-02 北京恒光信息技术股份有限公司 Network protocol analysis method, system and device
CN113507449A (en) * 2021-06-17 2021-10-15 北京惠而特科技有限公司 Deep identification method and device for GE private protocol
CN113904965A (en) * 2021-11-02 2022-01-07 上海尚往网络科技有限公司 Method, device, medium and program product for determining camera
CN114338104A (en) * 2021-12-15 2022-04-12 北京六方云信息技术有限公司 Security gateway parsing function verification method, device, equipment and storage medium
CN114697156A (en) * 2022-03-16 2022-07-01 航天科工火箭技术有限公司 Rocket bus data monitoring method, rocket bus data monitoring device, terminal equipment and medium
CN114866282A (en) * 2022-03-30 2022-08-05 中核武汉核电运行技术股份有限公司 Nuclear power industry control protocol analysis system and method based on network behavior reconstruction

Similar Documents

Publication Publication Date Title
CN111371651A (en) Industrial communication protocol reverse analysis method
CN110597734B (en) Fuzzy test case generation method suitable for industrial control private protocol
Bossert et al. Towards automated protocol reverse engineering using semantic information
US20170195197A1 (en) Method and system for classifying a protocol message in a data communication network
CN108600193B (en) Industrial control honeypot identification method based on machine learning
CN107360145B (en) Multi-node honeypot system and data analysis method thereof
CN111191767A (en) Vectorization-based malicious traffic attack type judgment method
CN113645065A (en) Industrial control safety audit system and method based on industrial internet
CN109547466B (en) Method and device for improving risk perception capability based on machine learning, computer equipment and storage medium
CN113285916B (en) Intelligent manufacturing system abnormal flow detection method and detection device
CN114281676A (en) Black box fuzzy test method and system for industrial control private protocol
CN114090406A (en) Electric power Internet of things equipment behavior safety detection method, system, equipment and storage medium
CN114172703A (en) Malicious software identification method, device and medium
CN109347785A (en) A kind of terminal type recognition methods and device
CN116232696A (en) Encryption traffic classification method based on deep neural network
CN106911665B (en) Method and system for identifying malicious code weak password intrusion behavior
CN111756716A (en) Flow detection method and device and computer readable storage medium
TWI703846B (en) URL abnormal location method, device, server and storage medium
CN112839055B (en) Network application identification method and device for TLS encrypted traffic and electronic equipment
CN115118447A (en) Safety discrimination method and device for industrial control network flow, electronic device and medium
CN112613576B (en) Method, device, electronic equipment and storage medium for determining alarm
CN115051874B (en) Multi-feature CS malicious encrypted traffic detection method and system
CN115002243B (en) Data processing method and device
CN116170227A (en) Flow abnormality detection method and device, electronic equipment and storage medium
Sija et al. Survey on network protocol reverse engineering approaches, methods and tools

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310000 rooms 501-505, building 4, 188 Lianchuang street, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant after: Zhejiang Mulian Internet of things Technology Co.,Ltd.

Address before: 310000 rooms 501-505, building 4, 188 Lianchuang street, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant before: Hangzhou wooden chain Internet of things Technology Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20200703