CN112653693A - Industrial control protocol analysis method and device, terminal equipment and readable storage medium - Google Patents
Industrial control protocol analysis method and device, terminal equipment and readable storage medium Download PDFInfo
- Publication number
- CN112653693A CN112653693A CN202011517371.9A CN202011517371A CN112653693A CN 112653693 A CN112653693 A CN 112653693A CN 202011517371 A CN202011517371 A CN 202011517371A CN 112653693 A CN112653693 A CN 112653693A
- Authority
- CN
- China
- Prior art keywords
- industrial control
- control protocol
- transmission data
- data
- tested equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 38
- 230000005540 biological transmission Effects 0.000 claims abstract description 67
- 238000012360 testing method Methods 0.000 claims abstract description 55
- 230000002159 abnormal effect Effects 0.000 claims abstract description 32
- 238000000034 method Methods 0.000 claims abstract description 25
- 238000004891 communication Methods 0.000 claims description 26
- 238000004590 computer program Methods 0.000 claims description 20
- 230000002547 anomalous effect Effects 0.000 claims description 5
- 238000001514 detection method Methods 0.000 abstract description 5
- 230000008439 repair process Effects 0.000 abstract description 5
- 230000008569 process Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 230000006870 function Effects 0.000 description 4
- 230000004044 response Effects 0.000 description 4
- 230000005856 abnormality Effects 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000012545 processing Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000009545 invasion Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/18—Protocol analysers
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Maintenance And Management Of Digital Transmission (AREA)
Abstract
The application is applicable to the technical field of industrial control protocols, and provides an industrial control protocol analysis method, an industrial control protocol analysis device, terminal equipment and a readable storage medium, wherein the method comprises the following steps: and randomly generating a test data packet and sending the test data packet to the tested equipment so as to carry out fuzzy test on the tested equipment, acquiring transmission data of the tested equipment, comparing the transmission data with pre-stored risk data, judging that an industrial control protocol corresponding to the tested equipment is abnormal when the transmission data is consistent with the risk data or the fuzzy test result is detected to be abnormal, and generating and displaying protocol alarm information. Whether the industrial control protocol corresponding to the tested equipment is abnormal or not is judged by carrying out fuzzy test on the tested equipment and detecting whether transmission data in the tested equipment is consistent with pre-stored risk data or not, so that the accuracy of a detection and analysis result is improved, the vulnerability of the industrial control protocol is accurately determined, the vulnerability is convenient to repair, and further, the safety of an industrial control system ensures information safety.
Description
Technical Field
The application belongs to the technical field of industrial control protocols, and particularly relates to an industrial control protocol analysis method, an industrial control protocol analysis device, terminal equipment and a readable storage medium.
Background
In practical application, the industrial control system usually adopts a low-flow communication mode, and has high availability and information real-time performance. However, the above features tend to make industrial control systems face more security challenges.
During the intrusion process, an intruder usually attacks the industrial control system by transmitting abnormal data. The industrial control equipment protocol used by the existing industrial control system cannot be disclosed, so that the invasion risk cannot be accurately detected, the safety of the industrial control system is reduced, the problems of data theft, system damage and the like are easily caused.
Disclosure of Invention
The embodiment of the application provides an industrial control protocol analysis method, an industrial control protocol analysis device, terminal equipment and a readable storage medium, and can solve the problem that an existing industrial control system cannot accurately detect an intrusion risk.
In a first aspect, an embodiment of the present application provides an industrial control protocol analysis method, including:
randomly generating a test data packet and sending the test data packet to a tested device so as to carry out fuzzy test on the tested device;
acquiring transmission data of the tested device;
comparing the transmission data with pre-stored risk data;
and when the transmission data is detected to be consistent with the risk data or the fuzzy test result is detected to be abnormal, judging that the industrial control protocol corresponding to the tested equipment is abnormal, and generating and displaying protocol alarm information.
In one embodiment, the acquiring transmission data of the device under test includes:
determining an industrial control protocol corresponding to the tested equipment;
and acquiring transmission data of the tested equipment, and converting the transmission data into a transmission data packet with a format corresponding to the industrial control protocol.
In one embodiment, the comparing the transmission data with pre-stored risk data comprises:
analyzing the transmission data packet according to the industrial control protocol to obtain communication data;
comparing the communication data with pre-stored risk data.
In one embodiment, the method further comprises:
acquiring the equipment state of the equipment to be tested;
and generating a device state abnormity notification when the device state abnormity is detected.
In one embodiment, the test data packet includes anomalous data.
In a second aspect, an embodiment of the present application provides an industrial control protocol analysis apparatus, including:
the generating module is used for randomly generating a test data packet and sending the test data packet to the tested equipment so as to carry out fuzzy test on the tested equipment;
the first acquisition module is used for acquiring transmission data of the tested equipment;
the comparison module is used for comparing the transmission data with pre-stored risk data;
and the judging module is used for judging that the industrial control protocol corresponding to the tested equipment is abnormal when the transmission data is detected to be consistent with the risk data or the fuzzy test result is detected to be abnormal, and generating and displaying protocol alarm information.
In one embodiment, the first obtaining module includes:
the determining unit is used for determining an industrial control protocol corresponding to the tested equipment;
and the acquisition unit is used for acquiring the transmission data of the tested equipment and converting the transmission data into a transmission data packet with a format corresponding to the industrial control protocol.
In one embodiment, the comparison module includes:
the analysis unit is used for analyzing the transmission data packet according to the industrial control protocol to obtain communication data;
and the comparison unit is used for comparing the communication data with pre-stored risk data.
In one embodiment, the apparatus further comprises:
the second acquisition module is used for acquiring the equipment state of the equipment to be tested;
and the control module is used for generating a device state abnormity notice when the device state abnormity is detected.
In one embodiment, the test data packet includes anomalous data.
In a third aspect, an embodiment of the present application provides a terminal device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the computer program, implements the industrial control protocol analysis method according to any one of the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the method for analyzing an industrial control protocol according to any one of the first aspect is implemented.
In a fifth aspect, an embodiment of the present application provides a computer program product, which, when running on a terminal device, causes the terminal device to execute the industrial control protocol analysis method according to any one of the above first aspects.
The test data packet is randomly generated and sent to the tested equipment, the tested equipment is subjected to fuzzy test, when the fact that the fuzzy test result is abnormal or the transmission data in the tested equipment is consistent with the pre-stored risk data is detected, the fact that the industrial control protocol corresponding to the tested equipment is abnormal is judged, protocol alarm information is generated and displayed, the accuracy of the detection and analysis result is improved, the purpose that the vulnerability of the industrial control protocol is accurately determined is achieved, the vulnerability is convenient to repair, the safety of an industrial control system is improved, and information safety is guaranteed.
It is understood that the beneficial effects of the second aspect to the fifth aspect can be referred to the related description of the first aspect, and are not described herein again.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flowchart of an industrial control protocol analysis method provided in an embodiment of the present application;
fig. 2 is a schematic flowchart of step S102 of an industrial control protocol analysis method provided in an embodiment of the present application;
fig. 3 is a schematic flowchart of step S103 of the industrial control protocol analysis method provided in the embodiment of the present application;
fig. 4 is a schematic structural diagram of an industrial control protocol analysis apparatus provided in an embodiment of the present application;
fig. 5 is a schematic structural diagram of the first obtaining module 102 according to an embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of the comparison module 103 provided in the embodiment of the present application;
fig. 7 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to" determining "or" in response to detecting ". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
Furthermore, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used for distinguishing between descriptions and not necessarily for describing or implying relative importance.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
The industrial control protocol analysis method provided by the embodiment of the application can be applied to terminal equipment such as a mobile phone, a tablet computer and a notebook computer, and the embodiment of the application does not limit the specific type of the terminal equipment.
Fig. 1 shows a schematic flow chart of the industrial control protocol analysis method provided in the present application, which can be applied to the above-mentioned notebook computer by way of example and not limitation.
S101, randomly generating a test data packet and sending the test data packet to a tested device to carry out fuzzy test on the tested device.
In specific application, communication connection with the tested equipment is established, transmission parameters (including communication ports and transmission frequency and number of test data packets) are set according to the tested equipment, and the test data packets are randomly generated and sent to the tested equipment so as to carry out fuzzy test on the tested equipment. Among them, Fuzzing (Fuzzing) is a method of discovering software bugs by providing unexpected inputs to a target system and monitoring anomalous results. The tested equipment is industrial control equipment in an industrial control system. The test data packet is a data packet which is used for testing whether the industrial control protocol has a bug and carries abnormal data and conforms to a corresponding format of the industrial control protocol. The abnormal data refers to data for attacking the industrial control system.
And S102, acquiring transmission data of the tested equipment.
In specific application, all transmission data of the tested device are acquired and used for detecting whether the transmission data of the tested device are abnormal or not.
S103, comparing the transmission data with pre-stored risk data.
In specific application, the obtained transmission data of the tested equipment is converted into a data packet with a preset format, the data packet with the preset format is analyzed to obtain communication data, and whether the communication data is the same as each kind of risk data stored in advance is respectively compared. The preset format refers to a format set correspondingly according to an industrial control protocol. The communication data refers to data carried in the transmission data and used for controlling the industrial control system to execute corresponding operations; the risk data includes at least one of the presently disclosed communication data for controlling the industrial control system to perform the abnormal operation.
And S104, when the consistency of the transmission data and the risk data is detected or the abnormality of the fuzzy test result is detected, judging that the industrial control protocol corresponding to the tested equipment is abnormal, and generating and displaying protocol alarm information.
In specific application, when the abnormality of the fuzzy test result is detected and/or the communication data is detected to be consistent with any one of the pre-stored risk data, the industrial control protocol corresponding to the tested equipment is judged to be abnormal, the protocol alarm information is immediately generated and displayed, a user is prompted that the current industrial control protocol is abnormal, the repair is immediately carried out, and the safety of the industrial control system is ensured. The percentage of completion of the detection analysis can also be displayed in real time during the test analysis.
As shown in fig. 2, in an embodiment, the step S102 includes:
s1021, determining an industrial control protocol corresponding to the tested equipment;
and S1022, acquiring the transmission data of the tested equipment, and converting the transmission data into a transmission data packet with a format corresponding to the industrial control protocol.
In specific application, the industrial control protocol corresponding to the tested equipment is determined, all transmission data of the tested equipment are obtained in real time, and the transmission data obtained at the moment are disordered flow data, so that the transmission data need to be converted into a pcap transmission data packet in a format corresponding to the industrial control protocol, and the analysis is facilitated to obtain communication data used for controlling the industrial control system in the transmission data packet.
As shown in fig. 3, in an embodiment, the step S103 includes:
s1031, analyzing the transmission data packet according to the industrial control protocol to obtain communication data;
s1032, comparing the communication data with the pre-stored risk data.
In specific application, the transmission data packet is analyzed according to the industrial control protocol to obtain communication data contained in the transmission data packet, the communication data is compared with each risk data, whether data abnormity occurs in the tested equipment is detected according to the fact that whether the communication data is identical to the risk data, and then whether the industrial control protocol corresponding to the tested equipment is abnormal is judged.
In one embodiment, the method further comprises:
acquiring the equipment state of the equipment to be tested;
and generating a device state abnormity notification when the device state abnormity is detected.
In specific application, the equipment state of the controlled equipment is detected in real time, when the equipment state of the controlled equipment is detected to send an abnormal state, the equipment is judged to have a fault, and an equipment state abnormal notification is generated to remind a user to diagnose and maintain the controlled equipment. The abnormal state of the equipment comprises abnormal phenomena of abnormal opening, shutdown, sharp increase of data transmission quantity of the equipment and the like.
The test data packet is randomly generated and sent to the tested equipment, the tested equipment is subjected to fuzzy test, when the fact that the fuzzy test result is abnormal or the transmission data in the tested equipment is consistent with the pre-stored risk data is detected, the fact that the industrial control protocol corresponding to the tested equipment is abnormal is judged, protocol alarm information is generated and displayed, the accuracy of the detection and analysis result is improved, the purpose that the vulnerability of the industrial control protocol is accurately determined is achieved, the vulnerability is convenient to repair, the safety of an industrial control system is improved, and information safety is guaranteed.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Fig. 4 is a block diagram of an industrial control protocol analysis apparatus according to an embodiment of the present application, and only a part related to the embodiment of the present application is shown for convenience of description.
Referring to fig. 4, the industrial control protocol analysis apparatus 100 includes:
the generating module 101 is configured to randomly generate a test data packet and send the test data packet to a device to be tested, so as to perform a fuzzy test on the device to be tested;
a first obtaining module 102, configured to obtain transmission data of the device under test;
a comparison module 103, configured to compare the transmission data with pre-stored risk data;
and the judging module 104 is configured to, when it is detected that the transmission data is consistent with the risk data or an abnormality exists in a fuzzy test result, judge that an industrial control protocol corresponding to the device under test is abnormal, and generate and display protocol alarm information.
As shown in fig. 5, in one embodiment, the first obtaining module 102 includes:
a determining unit 1021, configured to determine an industrial control protocol corresponding to the device under test;
an obtaining unit 1022, configured to obtain transmission data of the device under test, and convert the transmission data into a transmission data packet in a format corresponding to the industrial control protocol.
As shown in fig. 6, in one embodiment, the comparing module 103 includes:
an analyzing unit 1031, configured to analyze the transmission data packet according to the industrial control protocol to obtain communication data;
a comparing unit 1032 for comparing the communication data with pre-stored risk data.
In one embodiment, the apparatus 100 further comprises:
the second acquisition module is used for acquiring the equipment state of the equipment to be tested;
and the control module is used for generating a device state abnormity notice when the device state abnormity is detected.
In one embodiment, the test data packet includes anomalous data.
The test data packet is randomly generated and sent to the tested equipment, the tested equipment is subjected to fuzzy test, when the fact that the fuzzy test result is abnormal or the transmission data in the tested equipment is consistent with the pre-stored risk data is detected, the fact that the industrial control protocol corresponding to the tested equipment is abnormal is judged, protocol alarm information is generated and displayed, the accuracy of the detection and analysis result is improved, the purpose that the vulnerability of the industrial control protocol is accurately determined is achieved, the vulnerability is convenient to repair, the safety of an industrial control system is improved, and information safety is guaranteed.
It should be noted that, for the information interaction, execution process, and other contents between the above-mentioned devices/units, the specific functions and technical effects thereof are based on the same concept as those of the embodiment of the method of the present application, and specific reference may be made to the part of the embodiment of the method, which is not described herein again.
Fig. 6 is a schematic structural diagram of a terminal device according to an embodiment of the present application. As shown in fig. 6, the terminal device 6 of this embodiment includes: at least one processor 60 (only one shown in fig. 6), a memory 61, and a computer program 62 stored in the memory 61 and executable on the at least one processor 60, wherein the processor 60 executes the computer program 62 to implement the steps of any of the various industrial control protocol analysis method embodiments described above.
The terminal device 6 may be a desktop computer, a notebook, a palm computer, a cloud server, or other computing devices. The terminal device may include, but is not limited to, a processor 60, a memory 61. Those skilled in the art will appreciate that fig. 6 is only an example of the terminal device 6, and does not constitute a limitation to the terminal device 6, and may include more or less components than those shown, or combine some components, or different components, such as an input/output device, a network access device, and the like.
The Processor 60 may be a Central Processing Unit (CPU), and the Processor 60 may be other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 61 may in some embodiments be an internal storage unit of the terminal device 6, such as a hard disk or a memory of the terminal device 6. In other embodiments, the memory 61 may also be an external storage device of the terminal device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital Card (SD), a Flash memory Card (Flash Card), and the like, which are equipped on the terminal device 6. Further, the memory 61 may also include both an internal storage unit and an external storage device of the terminal device 6. The memory 61 is used for storing an operating system, an application program, a BootLoader (BootLoader), data, and other programs, such as program codes of the computer program. The memory 61 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program implements the steps in the above-mentioned method embodiments.
The embodiments of the present application provide a computer program product, which when running on a mobile terminal, enables the mobile terminal to implement the steps in the above method embodiments when executed.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, all or part of the processes in the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and can implement the steps of the embodiments of the methods described above when the computer program is executed by a processor. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include at least: any entity or device capable of carrying computer program code to a photographing apparatus/terminal apparatus, a recording medium, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, and a software distribution medium. Such as a usb-disk, a removable hard disk, a magnetic or optical disk, etc. In certain jurisdictions, computer-readable media may not be an electrical carrier signal or a telecommunications signal in accordance with legislative and patent practice.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other ways. For example, the above-described apparatus/network device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.
Claims (10)
1. An industrial control protocol analysis method is characterized by comprising the following steps:
randomly generating a test data packet and sending the test data packet to a tested device so as to carry out fuzzy test on the tested device;
acquiring transmission data of the tested device;
comparing the transmission data with pre-stored risk data;
and when the transmission data is detected to be consistent with the risk data or the fuzzy test result is detected to be abnormal, judging that the industrial control protocol corresponding to the tested equipment is abnormal, and generating and displaying protocol alarm information.
2. The industrial control protocol analysis method of claim 1, wherein the obtaining the transmission data of the device under test comprises:
determining an industrial control protocol corresponding to the tested equipment;
and acquiring transmission data of the tested equipment, and converting the transmission data into a transmission data packet with a format corresponding to the industrial control protocol.
3. The industrial control protocol analysis method of claim 2, wherein the comparing the transmission data with pre-stored risk data comprises:
analyzing the transmission data packet according to the industrial control protocol to obtain communication data;
comparing the communication data with pre-stored risk data.
4. The industrial control protocol analysis method of claim 1, wherein the method further comprises:
acquiring the equipment state of the equipment to be tested;
and generating a device state abnormity notification when the device state abnormity is detected.
5. The industrial control protocol analysis method of any one of claims 1 to 4, wherein the test data packet includes anomalous data.
6. An industrial control protocol analysis device, comprising:
the generating module is used for randomly generating a test data packet and sending the test data packet to the tested equipment so as to carry out fuzzy test on the tested equipment;
the first acquisition module is used for acquiring transmission data of the tested equipment;
the comparison module is used for comparing the transmission data with pre-stored risk data;
and the judging module is used for judging that the industrial control protocol corresponding to the tested equipment is abnormal when the transmission data is detected to be consistent with the risk data or the fuzzy test result is detected to be abnormal, and generating and displaying protocol alarm information.
7. The industrial control protocol analysis device of claim 6, wherein the first obtaining module comprises:
the determining unit is used for determining an industrial control protocol corresponding to the tested equipment;
and the acquisition unit is used for acquiring the transmission data of the tested equipment and converting the transmission data into a transmission data packet with a format corresponding to the industrial control protocol.
8. The industrial control protocol analysis apparatus of claim 7, wherein the comparison module comprises:
the analysis unit is used for analyzing the transmission data packet according to the industrial control protocol to obtain communication data;
and the comparison unit is used for comparing the communication data with pre-stored risk data.
9. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 5 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011517371.9A CN112653693A (en) | 2020-12-21 | 2020-12-21 | Industrial control protocol analysis method and device, terminal equipment and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011517371.9A CN112653693A (en) | 2020-12-21 | 2020-12-21 | Industrial control protocol analysis method and device, terminal equipment and readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112653693A true CN112653693A (en) | 2021-04-13 |
Family
ID=75360272
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011517371.9A Pending CN112653693A (en) | 2020-12-21 | 2020-12-21 | Industrial control protocol analysis method and device, terminal equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112653693A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114928528A (en) * | 2022-03-31 | 2022-08-19 | 厦门科华数能科技有限公司 | Fault diagnosis method, controller, protocol conversion system, and storage medium |
| CN115174441A (en) * | 2022-09-06 | 2022-10-11 | 中国汽车技术研究中心有限公司 | State machine based TCP fuzzy test method, equipment and storage medium |
| CN115604037A (en) * | 2022-12-13 | 2023-01-13 | 广州市盛通建设工程质量检测有限公司(Cn) | Communication safety testing method of fault monitoring system |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101859274A (en) * | 2009-04-07 | 2010-10-13 | 西门子(中国)有限公司 | Method and system for fuzz testing |
| US20160277541A1 (en) * | 2015-03-16 | 2016-09-22 | Ixia | Methods, systems, and computer readable media for simplistic visual representation of complex interdependent network protocol fields for network protocol fuzzing and graphical framework for reporting instantaneous system level progress |
| CN106131041A (en) * | 2016-07-29 | 2016-11-16 | 北京匡恩网络科技有限责任公司 | A kind of industry control network safety detection device and unknown leak detection method |
| CN107046526A (en) * | 2016-12-28 | 2017-08-15 | 北京邮电大学 | Distributed heterogeneous network hole method for digging based on Fuzzing algorithms |
| CN107835189A (en) * | 2017-11-28 | 2018-03-23 | 北京启明星辰信息安全技术有限公司 | A kind of bug excavation method and system |
| CN109474607A (en) * | 2018-12-06 | 2019-03-15 | 连云港杰瑞深软科技有限公司 | A kind of industrial control network safeguard protection monitoring system |
| US20190306173A1 (en) * | 2018-04-02 | 2019-10-03 | Ca, Inc. | Alert smart contracts configured to manage and respond to alerts related to code |
| CN111262722A (en) * | 2019-12-31 | 2020-06-09 | 中国广核电力股份有限公司 | Safety monitoring method for industrial control system network |
| CN111427307A (en) * | 2020-04-22 | 2020-07-17 | 国网浙江省电力有限公司 | Industrial control abnormity detection method, device and equipment |
-
2020
- 2020-12-21 CN CN202011517371.9A patent/CN112653693A/en active Pending
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101859274A (en) * | 2009-04-07 | 2010-10-13 | 西门子(中国)有限公司 | Method and system for fuzz testing |
| US20160277541A1 (en) * | 2015-03-16 | 2016-09-22 | Ixia | Methods, systems, and computer readable media for simplistic visual representation of complex interdependent network protocol fields for network protocol fuzzing and graphical framework for reporting instantaneous system level progress |
| CN106131041A (en) * | 2016-07-29 | 2016-11-16 | 北京匡恩网络科技有限责任公司 | A kind of industry control network safety detection device and unknown leak detection method |
| CN107046526A (en) * | 2016-12-28 | 2017-08-15 | 北京邮电大学 | Distributed heterogeneous network hole method for digging based on Fuzzing algorithms |
| CN107835189A (en) * | 2017-11-28 | 2018-03-23 | 北京启明星辰信息安全技术有限公司 | A kind of bug excavation method and system |
| US20190306173A1 (en) * | 2018-04-02 | 2019-10-03 | Ca, Inc. | Alert smart contracts configured to manage and respond to alerts related to code |
| CN109474607A (en) * | 2018-12-06 | 2019-03-15 | 连云港杰瑞深软科技有限公司 | A kind of industrial control network safeguard protection monitoring system |
| CN111262722A (en) * | 2019-12-31 | 2020-06-09 | 中国广核电力股份有限公司 | Safety monitoring method for industrial control system network |
| CN111427307A (en) * | 2020-04-22 | 2020-07-17 | 国网浙江省电力有限公司 | Industrial control abnormity detection method, device and equipment |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114928528A (en) * | 2022-03-31 | 2022-08-19 | 厦门科华数能科技有限公司 | Fault diagnosis method, controller, protocol conversion system, and storage medium |
| CN115174441A (en) * | 2022-09-06 | 2022-10-11 | 中国汽车技术研究中心有限公司 | State machine based TCP fuzzy test method, equipment and storage medium |
| CN115604037A (en) * | 2022-12-13 | 2023-01-13 | 广州市盛通建设工程质量检测有限公司(Cn) | Communication safety testing method of fault monitoring system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112653693A (en) | Industrial control protocol analysis method and device, terminal equipment and readable storage medium | |
| CN107294808B (en) | Interface test method, device and system | |
| CN110912927B (en) | Method and device for detecting control message in industrial control system | |
| CN107483472B (en) | Network security monitoring method and device, storage medium and server | |
| CN111274583A (en) | Big data computer network safety protection device and control method thereof | |
| CN108650225B (en) | Remote safety monitoring equipment, system and remote safety monitoring method | |
| CN108664793B (en) | Method and device for detecting vulnerability | |
| CN111178760A (en) | Risk monitoring method and device, terminal equipment and computer readable storage medium | |
| CN111935172A (en) | Network abnormal behavior detection method based on network topology, computer device and computer readable storage medium | |
| CN110636075A (en) | Operation and maintenance management and control and operation and maintenance analysis method and device | |
| CN113489713A (en) | Network attack detection method, device, equipment and storage medium | |
| US11856426B2 (en) | Network analytics | |
| CN114598512B (en) | Network security guarantee method and device based on honeypot and terminal equipment | |
| CN114024884B (en) | Test method, test device, electronic equipment and storage medium | |
| CN112087462A (en) | Vulnerability detection method and device of industrial control system | |
| CN111556473A (en) | Abnormal access behavior detection method and device | |
| CN112506795A (en) | Method, system, terminal and storage medium for testing security vulnerability of industrial control equipment | |
| CN112506798A (en) | Performance test method, device, terminal and storage medium of block chain platform | |
| CN112035831A (en) | Data processing method, device, server and storage medium | |
| CN109462617B (en) | Method and device for detecting communication behavior of equipment in local area network | |
| CN111585830A (en) | User behavior analysis method, device, equipment and storage medium | |
| CN112329021B (en) | Method and device for checking application loopholes, electronic device and storage medium | |
| CN112650557B (en) | Command execution method and device | |
| CN114584391A (en) | Method, device, equipment and storage medium for generating abnormal flow processing strategy | |
| CN114629696A (en) | Security detection method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210413 |
|
| RJ01 | Rejection of invention patent application after publication |