CN112711756B - Fingerprint identification method and system for passive power industrial control equipment - Google Patents


Info

Publication number: CN112711756B
Authority: CN (China)
Prior art keywords: register, industrial control, control equipment, dfa, boolean logic
Legal status: Active
Application number: CN202011595978.9A
Other languages: Chinese (zh)
Other versions: CN112711756A (en)
Inventors: 朱朝阳, 孙玉砚, 朱亚运, 周亮, 唐志军, 缪思薇, 张晓娟, 陈锦山, 何金栋
Current assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Electric Power Research Institute of State Grid Fujian Electric Power Co Ltd; Institute of Information Engineering of CAS
Original assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Electric Power Research Institute of State Grid Fujian Electric Power Co Ltd; Institute of Information Engineering of CAS
Events: application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI, Electric Power Research Institute of State Grid Fujian Electric Power Co Ltd and Institute of Information Engineering of CAS; priority to CN202011595978.9A; publication of CN112711756A; application granted; publication of CN112711756B; legal status active

Classifications

    • G06F21/55 Detecting local intrusion or implementing counter-measures (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F17/16 Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization (under G06F17/10 Complex mathematical operations; G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions)
    • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers (under G06F21/71 and G06F21/70)
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation; Y02P Climate change mitigation technologies in the production or processing of goods)

Abstract

The invention discloses a fingerprint identification method and a fingerprint identification system for passive power industrial control equipment. The method comprises the following steps: extracting the ladder diagram control program of the power industrial control equipment; converting the logic circuit of the equipment into a Boolean logic matrix using the ladder diagram control program; generating a register DFA sequence from the Boolean logic matrix; and comparing the characteristic values in the register DFA sequence of the equipment with the register state characteristic values of the equipment obtained from communication protocol packet traffic, thereby completing identification of the equipment. The invention can be widely deployed in monitoring systems such as substation automation, where it periodically detects and identifies the substation equipment terminals used in those systems in order to find illegal devices in the network. The method can later be popularized and applied comprehensively, and its application prospects widen as more equipment fingerprints are added.

Description

Fingerprint identification method and system for passive power industrial control equipment
Technical Field
The invention belongs to the technical field of power industrial control equipment, and in particular relates to a fingerprint identification method and a fingerprint identification system for passive power industrial control equipment.
Background
The detection and identification of devices is a fundamental means of device information collection and security detection. Device discovery identifies information such as device type, manufacturer, model, operating system, service type and firmware version, which provides a basis for analysing the security state of the device. Devices differ in their software and hardware functions and implementations; a device fingerprint model can be built from these differences to extract fingerprints, and device identification is performed by comparing the fingerprints with the characteristic information in a device's response messages. Research on device identification technology started with operating system identification and has gradually expanded to device type identification, automatic device identification and the like. Operating system identification relies on differences between TCP/IP protocol stack implementations, and research focuses on two aspects: reducing identification time and improving identification accuracy.
The security of the embedded terminal equipment of the power grid bears on national security and national strategic safety. PLCs, RTUs and HMIs in electric power industrial control systems, engineer stations, operator stations and the like are widely used in power grids. Embedded terminal equipment makes the power grid more networked, intelligent and multifunctional, but at the same time brings more security risks. Smart grid business systems contain a large number of devices based on single-chip microcomputers or embedded operating systems, such as power distribution terminals and online condition-monitoring terminals for power transmission and transformation. These embedded terminals have a certain processing capacity and support network access; the terminal equipment of some systems is deployed in an open environment or on the user side, with absent or insufficient physical access control, so the equipment is easier for an attacker to reach directly. Therefore, the equipment in the power grid must be identified and checked regularly, so that illegal equipment hidden in the grid is found in time and subsequent network attacks and other problems are prevented.
Electric power industrial equipment typically performs complex production operations according to specific business processes. Active detection is flexible in choosing the detection range and the content to be detected; however, too high a detection rate may affect the network environment of the device and may even affect the normal service of the detected device.
Nmap initially uses active detection, sending 12 TCP packets, 1 UDP packet and 2 ICMP packets to the live ports of the target host, and constructs the fingerprint of the device's operating system from differences in the characteristic fields of the response packet headers (message initialization size, TTL value, TCP sliding window size, maximum segment size and other characteristics). Because of the large number of probe packets that must be sent, Nmap is suitable for operating system identification only when the number of devices is limited.
Xprobe uses the differences in the information acquired by different probe packets to select probe packets and to optimize and rearrange their transmission order, so that it identifies the operating system with a small number of probe packets, but the identification accuracy is reduced as a result.
P0f works passively, intercepting TCP/IP messages at the network boundary and analysing the types of hosts and operating systems present in the network; its identification accuracy and speed depend on the packets the device happens to send.
Existing detection methods require that the control logic and register values of the target power industrial control equipment can be obtained; otherwise the device fingerprint cannot be acquired. Moreover, once the control logic of the target equipment changes during operation, the corresponding device fingerprint changes and must be regenerated.
Disclosure of Invention
The invention aims to provide a fingerprint identification method and a fingerprint identification system for passive power industrial control equipment, which solve the technical problem in the prior art that the equipment is continuously disturbed during detection, which may affect its normal operation.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
a fingerprint identification method of passive power industrial control equipment comprises the following steps:
extracting a ladder diagram control program of the power industrial control equipment;
converting a logic circuit of the electric power industrial control equipment into a Boolean logic matrix by utilizing a ladder diagram control program;
generating a register DFA sequence according to the Boolean logic matrix;
and comparing the characteristic value in the register DFA sequence of the power control equipment with the state characteristic value of the register of the power control equipment obtained from the communication protocol data packet flow to finish the identification of the power control equipment.
The invention is further improved in that: the Boolean logic matrix |W| is:
where each w_{i,j} is a constant Boolean value (0 or 1); each row represents a Boolean logic operation and each column represents a combination of all the variables.
The invention is further improved in that: the method also comprises the following step: the execution of the controller of the power industrial control equipment is simulated through Boolean logic matrix operations, obtaining the register vector |Dependent variables| that stores the calculation result.
The invention is further improved in that: simulating the execution of the controller of the power industrial control equipment through Boolean logic matrix operations specifically comprises:
representing the execution of the controller by the Boolean matrix operation, which is designed as follows:
W * |Independent variables| = |Dependent variables|
where |Independent variables| is the register vector used for the Boolean computation.
The invention is further improved in that: generating the register DFA sequence from the Boolean logic matrix specifically comprises:
arranging the input register set REG;
for each register sequence, acquiring the register valid sequence using the Boolean logic matrix W; if the Boolean logic matrix W contains a complex register, the Boolean logic calculation is unified so as to calculate the slave value of the complex register; when the condition of the complex register is triggered, its output value is set to 1 and the complex register is converted into a Boolean logic operation;
taking the result of the Boolean logic matrix W multiplied by the register valid sequence as a node of the DFA and adding it to the DFA;
adding edges between the newly added candidate node and the other nodes in the DFA;
once a candidate node is already in the DFA, the register DFA sequence is obtained.
The invention is further improved in that: the complex register includes at least one of: a holding register; a timer register; a counter register.
The invention is further improved in that: monitoring the communication protocol packet traffic of the power industrial control equipment comprises at least one of the following:
monitoring Modbus, CIP or SRTP communication protocol packet traffic of the power industrial control equipment.
The invention is further improved in that: the nodes in the register DFA sequence are the register state sequences and the edges are the execution order of the register sequences.
A passive power industrial control device fingerprint identification system, comprising:
the extraction module is used for extracting a ladder diagram control program of the power industrial control equipment;
the conversion module is used for converting a logic circuit of the electric power industrial control equipment into a Boolean logic matrix by utilizing a ladder diagram control program;
the fingerprint generation module is used for generating a register DFA sequence according to the Boolean logic matrix;
and the identification module is used for comparing the characteristic value in the register DFA sequence of the electric power industrial control equipment with the state characteristic value of the register of the electric power industrial control equipment obtained from the communication protocol data packet flow so as to finish the identification of the electric power industrial control equipment.
The invention is further improved in that: the fingerprint generation module generates the register DFA sequence from the Boolean logic matrix by the following steps:
arranging the input register set REG;
for each register sequence, acquiring the register valid sequence using the Boolean logic matrix W; if the Boolean logic matrix W contains a complex register, the Boolean logic calculation is unified so as to calculate the slave value of the complex register; when the condition of the complex register is triggered, its output value is set to 1 and the complex register is converted into a Boolean logic operation;
taking the result of the Boolean logic matrix W multiplied by the register valid sequence as a node of the DFA and adding it to the DFA;
adding edges between the newly added candidate node and the other nodes in the DFA;
once a candidate node is already in the DFA, the register DFA sequence is obtained.
A passive power industrial control device fingerprint identification system for use in a power system, comprising a processor and a memory coupled to the processor, wherein the memory stores a computer program which, when executed by the processor, performs the method steps of the fingerprint identification method for passive power industrial control equipment.
Compared with the prior art, the invention has the following beneficial effects:
the common active detection and identification methods need to send probe messages and extract characteristics from the messages returned by the target device in order to identify it, which can affect the normal operation of the device; the invention provides a fingerprint identification method and system for passive power industrial control equipment which only monitor message information in the network and extract characteristic values such as register states to identify the device, causing zero disturbance to the operation of the device.
Furthermore, the logic circuit of the power industrial control equipment is converted into a Boolean logic matrix by utilizing the ladder diagram, and the execution condition of the power industrial control equipment controller is simulated through Boolean logic matrix operation.
Further, after the Boolean matrix of the power control equipment is obtained, a register DFA sequence is generated to present the fingerprint of the power control equipment, wherein nodes in the DFA are register state sequences, and edges are execution sequences of the register sequences.
Further, the invention acquires the characteristic values such as the register state of the electric industrial control equipment by monitoring the communication protocol data packet flow of ModBus, CIP, SRTP and the like of the electric industrial control equipment.
Furthermore, the invention compares the characteristic value in the obtained fingerprint of the electric power industrial control equipment with the characteristic value such as the state of the register of the electric power industrial control equipment obtained in the communication flow, thereby realizing the identification of the electric power industrial control equipment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention. In the drawings:
FIG. 1 is a schematic flow chart of a fingerprint identification method of a passive power industrial control device;
FIG. 2 is an example control logic extraction and analysis process;
FIG. 3 is a schematic diagram of a logic circuit described by the LAD using Boolean expressions;
FIG. 4 is a hierarchical structure diagram of an electrical industrial control device;
FIG. 5 is an example diagram of a power industrial control device periodically performing a register state change;
FIG. 6 is a block diagram of a fingerprint identification system for a passive power industrial control device according to the present invention.
Detailed Description
The invention will be described in detail below with reference to the drawings in connection with embodiments. It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other.
The following detailed description is exemplary and is intended to provide further details of the invention. Unless defined otherwise, all technical terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments in accordance with the invention.
Example 1
The principles and features of the present invention are described below in conjunction with fig. 1, with the examples being set forth only to illustrate the present invention and not to limit the scope of the invention.
The invention provides an effective method for identifying the fingerprint of power industrial control equipment, which can identify the equipment accurately and uniquely. In the fingerprint extraction stage, control programs such as the ladder diagram of the equipment are analysed, the control logic of the equipment is extracted, the logic circuit of the equipment is converted into the state space of the equipment registers using Boolean logic matrix operations, and finally a sequence of states is generated as the device fingerprint. In the device identification stage, the device's protocol communication traffic is monitored, characteristics such as the device's real-time register values are obtained, and these are compared with the characteristics in the fingerprint library to identify the power industrial control equipment.
According to the fingerprint identification architecture shown in fig. 1, the invention discloses a passive power industrial control equipment fingerprint identification method, which specifically comprises the following steps:
S1, extracting the control logic of the power industrial control equipment from its firmware, and extracting the ladder diagram control program of the equipment from the control logic.
S2, converting the logic circuit of the power industrial control equipment into a Boolean logic matrix using the ladder diagram control program, representing the state of the equipment registers with the Boolean logic matrix, and simulating the execution of the equipment controller with the Boolean logic matrix to obtain the register vector |Dependent variables| that stores the calculation result.
S3, after the Boolean logic matrix of the equipment is obtained, generating a register DFA sequence to represent the fingerprint of the equipment, wherein the nodes of the DFA are register state sequences and the edges are the execution order of the register sequences.
S4, acquiring the register state characteristic values of the equipment by monitoring its Modbus, CIP and SRTP communication protocol packet traffic.
S5, comparing the characteristic values in the fingerprint (register DFA sequence) of the equipment obtained in step S3 with the register state characteristic values of the equipment obtained from the communication protocol packet traffic in step S4, thereby identifying the power industrial control equipment.
The flow of the invention is described in detail below, taking a PLC device in a substation that supports protocols such as Modbus and CIP as an example.
1. Boolean logic matrix generation and execution process
In general, an electric power industrial control device consists of a logic circuit and registers.
For the logic circuit, Boolean operations in electric power industrial control devices are expressed in the ladder logic programming language (LAD) of IEC 61131-3. Therefore, the control logic is first extracted from the device and analysed to obtain the LAD control program (ladder diagram control program), as illustrated in fig. 2.
The LAD describes the logic circuit using Boolean expressions, as illustrated in fig. 3.
Given the logic circuit of an electric power industrial control device, it can be converted via the LAD into a Boolean matrix |W| that represents the logic controller circuit, where each w_{i,j} is a constant Boolean value (0 or 1). Each row represents a Boolean logic operation and each column represents a combination of all the variables. The logic circuit thus performs several Boolean logic operations, one per row.
For the registers, each register has a name, an address and a type; as shown in FIG. 4, the first register is named X0, its type is bool and its address is %I0.0. Most electric power industrial control devices have tens of registers, including input, intermediate and output registers. In addition there are three kinds of complex register, the holding register, the timer register and the counter register, which change state when their conditions are triggered.
Register values are computed using the Boolean matrix. Each register state is treated as a variable and is classified as either an independent variable or a dependent variable: the former is a register state used in the computation, the latter a register state that holds a result. To simplify the logic design, the Boolean matrix operation is reused to represent the execution of the controller, which is designed as follows, with |Independent variables| being the register vector used for the Boolean computation and |Dependent variables| the register vector that holds the calculation results:
W * |Independent variables| = |Dependent variables|
2. Register sequence generation process
Once the Boolean matrix of the electric power industrial control device is obtained, a register state sequence, i.e. the fingerprint of the device, can be generated.
The above algorithm describes the register state generation process in a logic controller. The inputs of the algorithm are a Boolean logic matrix M and a register set REG = {reg_1, …, reg_n}, and the output is a DFA.
First, the input register set REG is arranged; once the ordering is complete, a loop is executed. In each round of the loop the following is performed:
1) For each register sequence, the Boolean matrix M is used to obtain its valid sequence. If there are complex registers (counter register C_reg, timer register T_reg and holding register H_reg) in the Boolean logic matrix M, the Boolean logic calculations are unified so as to calculate their slave values. When the conditions of these complex registers are triggered, their output values are set to 1 and they are converted into Boolean logic operations;
2) The result of the Boolean logic matrix M multiplied by the register valid sequence is used as a candidate node of the DFA; the candidate node is a register state sequence and is added to the DFA.
3) Edges are added between the newly added node and the other nodes: if the node carries the parameter "order", the node with the same order is found in the DFA and an edge is added between the two. The remaining edges are then added in the order in which the register state sequence changes.
4) If a candidate node is already in the DFA, the loop is exited and the algorithm ends; the register DFA sequence, i.e. the fingerprint of the electric power industrial control device, has been obtained.
Fig. 5 is an example of a power industrial control device periodically performing register state changes.
3. Device identification process
Characteristic values such as the register states of the power industrial control equipment are acquired by monitoring its Modbus, CIP and SRTP communication protocol packet traffic. The characteristic values in the fingerprint of the equipment obtained by the above algorithm are then compared with the register state characteristic values of the equipment obtained from the communication traffic, thereby identifying the power industrial control equipment.
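The three stages just described (Boolean matrix, register DFA, passive matching), as an added worked example that is not part of the patent or any assignee's code. The ladder program (one input X0, one timer T0 with a two-scan preset, one coil Y0), the reading of the matrix columns as product terms over the independent variables, the PLC-style scan model in which the timer's accumulated count is its slave value, and the register snapshots "decoded" from traffic are all constructed assumptions.

```python
"""Toy model of the patent's pipeline (added example): (1) ladder rungs reduced to a
Boolean matrix W over product-term columns, (2) W * |Independent| = |Dependent|
simulated scan by scan to build a register DFA, (3) register states observed in
traffic matched against the DFA. Ladder program, registers and captures are constructed."""

# --- 1. Boolean logic matrix ---------------------------------------------------
# Constructed ladder program: input X0, timer T0 (preset 2 scans), output coil Y0.
#   rung 1:  X0 AND NOT Y0  --> T0.IN   (timer runs while the coil is off)
#   rung 2:  T0.Q           --> Y0      (timer done turns the coil on)
INDEP = ("X0", "Y0", "T0.Q")   # |Independent variables|: registers read by the rungs
DEP = ("T0.IN", "Y0")          # |Dependent variables|: registers written by the rungs
TIMER_PRESET = 2               # T0.Q is set once T0 has been enabled for 2 scans

# Each column of W is one combination of independent variables, written as the
# literals that must hold (a product term).  W[i][j] = 1 means term j feeds DEP[i],
# so row i is the sum-of-products Boolean operation for one dependent register.
TERMS = ({"X0": 1, "Y0": 0}, {"T0.Q": 1})
W = ((1, 0),    # T0.IN = X0 AND NOT Y0
     (0, 1))    # Y0    = T0.Q


def bool_matrix_apply(matrix, terms, indep_values):
    """W * |Independent| over the Boolean semiring: OR of the selected AND terms per row."""
    term_values = [all(indep_values[v] == bit for v, bit in term.items()) for term in terms]
    return [int(any(w and t for w, t in zip(row, term_values))) for row in matrix]


# --- 2. Register DFA generation ------------------------------------------------
def scan(state):
    """One controller scan: evaluate W, then update the complex (timer) register.
    state = (X0, Y0, T0.Q, T0.acc); T0.acc is the timer's slave value (assumed model)."""
    x0, y0, t0q, acc = state
    t0_in, y0_next = bool_matrix_apply(W, TERMS, {"X0": x0, "Y0": y0, "T0.Q": t0q})
    acc = min(acc + 1, TIMER_PRESET) if t0_in else 0   # counts while enabled, else resets
    return (x0, y0_next, int(acc >= TIMER_PRESET), acc)  # T0.Q set when condition triggers


def build_register_dfa(start):
    """Nodes are register states, edges their execution order.  The loop ends when a
    candidate node is already in the DFA, i.e. the state sequence has become periodic."""
    nodes, edges, current = [start], set(), start
    while True:
        candidate = scan(current)
        edges.add((current, candidate))
        if candidate in nodes:
            return {"nodes": nodes, "edges": edges}
        nodes.append(candidate)
        current = candidate


# --- 3. Passive identification -------------------------------------------------
def identify(observed, fingerprints):
    """Return the device id whose DFA contains every observed state transition, or None
    if no (or more than one) fingerprint matches.  A capture may start mid-cycle,
    so consecutive snapshot pairs are checked against DFA edges, not absolute positions."""
    if len(observed) < 2:
        return None
    matches = [dev for dev, dfa in fingerprints.items()
               if all(pair in dfa["edges"] for pair in zip(observed, observed[1:]))]
    return matches[0] if len(matches) == 1 else None


# Fingerprint library: one known PLC, started with X0 held on and everything else reset.
FINGERPRINTS = {"PLC-A": build_register_dfa((1, 0, 0, 0))}

# Constructed register snapshots as they would be decoded from captured Modbus
# read-coils / read-holding-registers responses: (X0, Y0, T0.Q, T0.acc) per poll.
CAPTURE_KNOWN = [(1, 0, 1, 2), (1, 1, 1, 2), (1, 1, 0, 0), (1, 0, 0, 0)]   # starts mid-cycle
CAPTURE_ROGUE = [(1, 0, 0, 0), (1, 1, 0, 0), (1, 0, 0, 0)]   # toggles Y0 without the timer

if __name__ == "__main__":
    dfa = FINGERPRINTS["PLC-A"]
    print("fingerprint nodes:", dfa["nodes"])
    print("known capture ->", identify(CAPTURE_KNOWN, FINGERPRINTS))   # PLC-A
    print("rogue capture ->", identify(CAPTURE_ROGUE, FINGERPRINTS))   # None
```

The fingerprint here has five nodes forming one cycle; a snapshot sequence that follows an edge the DFA does not contain (the rogue capture) yields no match, which is the alert condition for an unknown device.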
It will be appreciated by those skilled in the art that the present invention can be carried out in other embodiments without departing from the spirit or essential characteristics thereof. Accordingly, the above disclosed embodiments are illustrative in all respects, and not exclusive. All changes that come within the scope of the invention or equivalents thereto are intended to be embraced therein.
Example 2
The invention provides a fingerprint identification system for passive power industrial control equipment, which comprises:
an extraction module, used to extract the control logic of the power industrial control equipment from its firmware and to extract the ladder diagram control program of the equipment from the control logic;
a conversion module, used to convert the logic circuit of the equipment into a Boolean logic matrix using the ladder diagram control program, and to simulate the execution of the equipment controller through Boolean logic matrix operations to obtain the register vector |Dependent variables| that stores the calculation result;
a fingerprint generation module, used to generate a register DFA sequence representing the fingerprint of the equipment after its Boolean logic matrix is obtained, wherein the nodes of the DFA are register state sequences and the edges are the execution order of the register sequences;
a monitoring module, used to acquire the register state characteristic values of the equipment by monitoring its Modbus, CIP and SRTP communication protocol packet traffic;
an identification module, used to compare the characteristic values in the obtained fingerprint (register DFA sequence) of the equipment with the register state characteristic values of the equipment obtained from the communication protocol packet traffic, thereby identifying the power industrial control equipment.
Example 3
The invention also provides a fingerprint identification system for passive power industrial control equipment, applied in a power system, which comprises a processor and a memory coupled to the processor, the memory storing a computer program that, when executed by the processor, performs the method steps described in embodiment 1.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (7)

1. The fingerprint identification method of the passive power industrial control equipment is characterized by comprising the following steps of:
extracting a ladder diagram control program of the power industrial control equipment;
converting a logic circuit of the electric power industrial control equipment into a Boolean logic matrix by utilizing a ladder diagram control program;
generating a register DFA sequence according to the Boolean logic matrix;
comparing the characteristic value in the register DFA sequence of the power industrial control equipment with the state characteristic value of the register of the power industrial control equipment obtained from the communication protocol data packet flow to finish the identification of the power industrial control equipment;
the Boolean logic matrix |W| is:
wherein $w_{i,j}$ denotes the matrix element; each row represents a Boolean logic operation, and each column represents a combination among all variables;
the step of generating the register DFA sequence according to the boolean logic matrix specifically comprises:
arranging the input register set REG;
for each register sequence, acquiring a register valid sequence using the Boolean logic matrix W; if the Boolean logic matrix W contains a complex register, a unified Boolean logic calculation is used to compute the dependent (slave) value of the complex register: when the condition of the complex register is triggered, its output value is set to 1, which converts the complex register into a Boolean logic operation;
taking the result of multiplying the Boolean logic matrix W by the register valid sequence as a node of the DFA and adding it to the DFA;
adding edges between the newly added candidate node and other nodes in the DFA;
if any candidate node is already within the DFA, the register DFA sequence is obtained.
2. The method for fingerprint identification of a passive power control device of claim 1, further comprising the step of: simulating the execution of the controller of the power industrial control equipment through Boolean logic matrix operations, and obtaining the register vector |Dependent variables| that stores the calculation result.
3. The fingerprint identification method of a passive power control device according to claim 2, wherein the execution condition of the controller of the passive power control device is simulated by boolean logic matrix operation, specifically comprising:
the execution of the controller is represented using a Boolean matrix operation designed as follows:
W * |Independent variables| = |Dependent variables|
where |Independent variables| is the register vector used for the Boolean computation.
4. The method of claim 1, wherein the complex register comprises at least one of: a holding register; a timer register; a counter register.
5. The method for fingerprint identification of a passive electrical industrial control device according to claim 1, wherein monitoring the communication protocol packet traffic of the electrical industrial control device comprises at least one of:
and monitoring ModBus, CIP, SRTP communication protocol data packet traffic of the power industrial control equipment.
6. The method of claim 1, wherein nodes in the register DFA sequence are register state sequences and edges are execution sequences of the register sequences.
7. A passive power industrial control device fingerprint identification system, comprising:
the extraction module is used for extracting a ladder diagram control program of the power industrial control equipment;
the conversion module is used for converting a logic circuit of the electric power industrial control equipment into a Boolean logic matrix by utilizing a ladder diagram control program;
the fingerprint generation module is used for generating a register DFA sequence according to the Boolean logic matrix;
the identification module is used for comparing the characteristic value in the register DFA sequence of the power industrial control equipment with the state characteristic value of the register of the power industrial control equipment obtained from the communication protocol data packet flow so as to finish the identification of the power industrial control equipment;
the fingerprint generation module generates the register DFA sequence according to the Boolean logic matrix specifically by:
arranging the input register set REG;
for each register sequence, acquiring a register valid sequence using the Boolean logic matrix W; if the Boolean logic matrix W contains a complex register, a unified Boolean logic calculation is used to compute the dependent (slave) value of the complex register: when the condition of the complex register is triggered, its output value is set to 1, which converts the complex register into a Boolean logic operation; taking the result of multiplying the Boolean logic matrix W by the register valid sequence as a node of the DFA and adding it to the DFA;
adding edges between the newly added candidate node and the other nodes in the DFA;
if any candidate node is already in the DFA, the register DFA sequence is obtained;
the Boolean logic matrix |W| is:
wherein $w_{i,j}$ denotes the matrix element; each row represents a Boolean logic operation and each column represents a combination among all variables.
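As an added, runnable illustration of claims 1 and 3 and of the module description above (not code from the patent): a constructed two-rung ladder program is turned into the Boolean logic matrix W, multiplying W by a one-hot register valid sequence yields |Dependent variables|, the resulting register states form the DFA, and a constructed sequence of observed register states (standing in for values decoded from captured ModBus replies) is checked against it. The rung logic, the timer trigger condition, the one-hot encoding of |Independent variables| and visiting every combination of REG are assumptions.

```python
from itertools import product

# Constructed two-rung ladder program (assumption, not from the patent): inputs X0, X1
# and timer done bit T0 (the complex register) feed coils Y0, Y1 (dependent registers).
INDEP = ("X0", "X1", "T0")
def timer_done(x):
    # Complex register handled as claim 1 describes: when its trigger condition
    # fires (assumed: X0 AND X1) the output is forced to 1, i.e. a Boolean op.
    return 1 if (x["X0"] and x["X1"]) else x["T0"]
RUNGS = (  # each rung is one Boolean logic operation, i.e. one row of W
    lambda x: int(x["X0"] and not x["X1"]),  # Y0 = X0 AND NOT X1
    lambda x: int(x["X1"] or timer_done(x)),  # Y1 = X1 OR T0
)

def register_set():
    """REG: every combination of the independent registers, in fixed order."""
    return [dict(zip(INDEP, bits)) for bits in product((0, 1), repeat=len(INDEP))]

def boolean_matrix(reg):
    """W: row i is rung i, column j its value on combination j of REG."""
    return [[rung(x) for x in reg] for rung in RUNGS]

def valid_sequence(j, n):
    """One-hot |Independent variables| selecting combination j of n (assumed)."""
    return [1 if k == j else 0 for k in range(n)]

def dependent(W, v):
    """W * |Independent variables| = |Dependent variables| (claim 3)."""
    return tuple(sum(w * b for w, b in zip(row, v)) for row in W)

def register_dfa():
    """Nodes are register states, edges the execution order over REG. Every
    combination is visited (no early stop) so the fingerprint is complete."""
    reg = register_set()
    W = boolean_matrix(reg)
    nodes, edges, prev = set(), set(), None
    for j in range(len(reg)):
        node = dependent(W, valid_sequence(j, len(reg)))
        nodes.add(node)  # a candidate already in the DFA adds no new node
        if prev is not None:
            edges.add((prev, node))
        prev = node
    return nodes, edges

def matches_fingerprint(observed, dfa):
    """observed: (Y0, Y1) states decoded from captured Modbus/CIP/SRTP replies.
    True when every state is a DFA node and every step is a DFA edge."""
    nodes, edges = dfa
    return all(s in nodes for s in observed) and all(
        p in edges for p in zip(observed, observed[1:]))
```

A device whose captured register states follow only transitions present in the DFA matches the fingerprint; a single state or step outside it rejects the match, which is what makes the method usable for passive asset identification without polling the PLC.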
CN202011595978.9A 2020-12-28 2020-12-28 Fingerprint identification method and system for passive power industrial control equipment Active CN112711756B (en)

Publications (2)

Publication Number Publication Date
CN112711756A CN112711756A (en) 2021-04-27
CN112711756B true CN112711756B (en) 2024-02-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant