CN113676436B - Method and network equipment for realizing hot switching of industrial control protocol analysis rules - Google Patents


Info

Publication number
CN113676436B
Authority
CN
China
Legal status
Active
Application number
CN202010405532.9A
Other languages
Chinese (zh)
Other versions
CN113676436A (en)
Inventor
刘元
江国进
白涛
孟庆军
杨景利
吴显东
李红霞
王俊三
林杰
孙洪涛
范辉先
马建新
彭立
朱郁
Current Assignee
China Techenergy Co Ltd
Original Assignee
China Techenergy Co Ltd
Application events
Application filed by China Techenergy Co Ltd
Priority to CN202010405532.9A
Publication of CN113676436A
Application granted
Publication of CN113676436B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention discloses a method and network equipment for realizing hot switching of an industrial control protocol analysis rule. The method comprises a protocol analysis rule loading process with the following steps: when the network equipment receives a request to load a protocol analysis rule, calculate the time interval between the current time and the last time a protocol analysis rule was loaded; compare the time interval with a preset waiting time; when the time interval is greater than the preset waiting time, load the corresponding protocol analysis rule according to the loading request; and when the time interval is not greater than the preset waiting time, report that loading has failed and that waiting is needed. The scheme of the invention realizes hot switching of the protocol analysis rule without locking, while ensuring the safety of the switch and the integrity of analysis.

Description

Method and network equipment for realizing hot switching of industrial control protocol analysis rules
Technical Field
The invention relates to the technical field of industrial control system networks, in particular to a method and network equipment for realizing hot switching of an industrial control protocol analysis rule.
Background
At present, an industrial control system network is a network formed by industrial automated production equipment. Unlike an IT network, an industrial control network has proprietary communication protocols and communication mechanisms; besides well-known industrial control protocols such as Modbus and IEC-104, many industrial control protocols are proprietary or confidential. Therefore, network protection or network audit products designed specifically for industrial control network security often cannot cover all industrial control protocols, and offer no protection at all for the protocols they do not cover. For this reason, many such products now propose a method of extending industrial control protocol support through a description syntax.
For example, the patent with publication number CN105141596A discloses a method for extending the support protocol of industrial firewall, which extends the protocol detected by the security gateway through the configuration of the user, uses the configuration file to define the protocol features and the detected position, and can ensure that the security service is not stopped during the protocol upgrade process; the configuration of the user refers to that the user configures key parameters according to the condition of the network flow, the key parameters refer to an IP address, a port, a transport layer protocol, fingerprint characteristics of a message to be detected, an extraction rule of content to be detected, a legal value of the content to be detected and corresponding actions taken by gateway equipment, and the configuration file refers to a file containing the user configuration content stored in a certain format.
However, considering that messages may be cached during analysis of an industrial control protocol (for example, during TCP packet transmission), directly switching the configuration content after the analysis configuration file is loaded may corrupt the cached content, causing subsequent message analysis to fail.
For example, the prior art implements protocol analysis rule hot switching as follows: the network security device prepares N (generally N = 2) pre-allocated memory blocks, of which one is in use and marked M0 and the others serve as backup and are marked M1. When a request to load a protocol analysis rule is initiated, the device loads the rule into any backup memory M1; after loading completes, M1 is switched to be the main memory and the previous main memory M0 becomes a backup. The content of M0 is not cleared immediately; it is cleared only when M0 is next used to load a protocol analysis rule. In this way, traffic whose analysis starts afresh uses the rule in M1, while traffic previously analyzed with the rule in M0 can continue to be analyzed with the rule in M0 until a complete result is obtained, and only then switches. This switching method has the following disadvantage: the trigger time for loading a protocol analysis rule is uncertain, so it cannot be guaranteed that the content in M0 remains valid throughout the life cycle of a whole flow.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a method for realizing hot switching of an industrial control protocol analysis rule, which adopts a method for delaying the protocol analysis rule, namely, the protocol analysis rule is allowed to be reloaded after a certain time. Therefore, the flow analyzed by using the protocol analysis rule in the original main memory can be effectively ensured to be completely analyzed, and the content on the original main memory can be released. Meanwhile, the completeness and consistency of the analyzed content can be ensured.
The method for hot switching of the industrial control protocol analysis rule comprises a protocol analysis rule loading process, wherein the protocol analysis rule loading process comprises the following steps:
when the network equipment receives a request for loading the protocol analysis rule, calculating the time interval between the current time and the last time of loading the protocol analysis rule;
comparing the calculated time interval with a preset waiting time;
when the time interval is longer than the preset waiting time, loading a corresponding protocol analysis rule according to the protocol analysis rule loading request;
and when the time interval is not greater than the preset waiting time, prompting that the loading fails and waiting is needed.
Further, the method for hot switching of the industrial control protocol parsing rule further includes:
creating a stream node in the network equipment, wherein the stream node is used for caching the analysis intermediate state of the message with the same five-tuple and the version number of a protocol analysis rule used when the message is analyzed;
when no message of a certain quintuple enters the network equipment within the preset caching time, emptying the content on the flow node corresponding to the quintuple and releasing the corresponding storage space; wherein the preset cache time is the flow aging time t_age, t_age > 0.
Further, the preset waiting time is calculated according to the following formula:
t = t_age + 2·t_continue + ε
wherein t in the formula represents the preset waiting time; t_age is the flow aging time, t_age > 0; t_continue is the predetermined processing time reserved for a quintuple whose cached content is not yet completely processed in the corresponding flow node, t_continue > 0; and ε is an error correction parameter, ε ≥ 0.
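The loading process above (and the identical process S201 to S205 of the first embodiment) amounts to a small gate that remembers the last load time and refuses a reload until more than the preset waiting time has elapsed. The following Python is an added example, not code from the patent or from China Techenergy; the class and method names, the simulated in-memory rule dictionary and the sample timings are assumptions, and the waiting time is computed from the formula t = t_age + 2·t_continue + ε as the text defines it.

```python
"""Added example: the delayed-reload gate for protocol analysis rules.

A reload request is honoured only when the interval since the last load is
greater than the preset waiting time t = t_age + 2*t_continue + epsilon.
Names and sample values are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RuleLoader:
    t_age: float            # flow aging time (s), fixed system parameter
    t_continue: float       # processing time reserved for unfinished flows (s)
    epsilon: float = 0.0    # error correction parameter (s), >= 0
    version: int = 0        # version number of the rule set in "main memory"
    last_load_time: Optional[float] = None
    rules: Dict[str, str] = field(default_factory=dict)  # simulated main memory

    def waiting_time(self) -> float:
        """Preset waiting time t = t_age + 2*t_continue + epsilon."""
        return self.t_age + 2 * self.t_continue + self.epsilon

    def request_load(self, new_rules: Dict[str, str], now: float) -> Tuple[bool, str]:
        """S201-S205: load only if more than the waiting time has passed.

        Returns (success, message). A refused request changes no state, so
        flows still bound to the old version keep their guarantee."""
        if self.last_load_time is not None:
            interval = now - self.last_load_time
            # "not greater than" the waiting time -> loading fails (S205)
            if interval <= self.waiting_time():
                remaining = self.waiting_time() - interval
                return False, f"load failed: wait {remaining:.1f} s and retry"
        # S204: install the new rule set and bump the version number
        self.rules = dict(new_rules)
        self.version += 1
        self.last_load_time = now
        return True, f"loaded protocol analysis rule version {self.version}"


def demo() -> List[Tuple[float, bool]]:
    """Replay constructed reload requests against one loader.

    With t_age=30, t_continue=55 and epsilon=2 the waiting time is 142 s, so
    the requests 100 s and exactly 142 s after the first load are refused
    and the one at 143 s is accepted."""
    loader = RuleLoader(t_age=30.0, t_continue=55.0, epsilon=2.0)
    outcome = []
    for now in (0.0, 100.0, 142.0, 143.0):
        ok, msg = loader.request_load({"modbus": f"rules@{now:.0f}"}, now)
        print(f"t={now:6.1f}s  {msg}")
        outcome.append((now, ok))
    return outcome


if __name__ == "__main__":
    demo()
```

The comparison is deliberately `<=`, matching "not greater than the preset waiting time" in the text: a request that arrives exactly at t seconds is still refused, and only state-free refusals are ever returned, so a burst of reload requests cannot shorten the window that the old memory must stay valid for.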
Further, the method for hot switching of the industrial control protocol analysis rule further comprises a message selection protocol analysis rule flow, and the message selection protocol analysis rule flow comprises the following steps:
when a message to be analyzed enters network equipment, finding a corresponding flow node according to the quintuple of the message to be analyzed;
judging whether the version number of the original protocol analysis rule used for analyzing the message to be analyzed recorded on the found stream node before is the same as the version number of the current protocol analysis rule loaded in the main memory;
when the version number of the original protocol analysis rule is the same as that of the current protocol analysis rule, continuing to use the original protocol analysis rule to analyze the message to be analyzed;
when the version number of the original protocol analysis rule is different from the version number of the current protocol analysis rule, judging whether the first time the version number is different;
when the situation that the version numbers are different occurs for the first time, recording the current time on the corresponding stream node, and continuously analyzing the message to be analyzed by using the original protocol analysis rule;
when the version numbers are not different for the first time, calculating the time difference between the current time and the time point recorded on the corresponding stream node when the version numbers are different for the first time;
when the time difference is less than t_continue, continuing to analyze the message to be analyzed using the original protocol analysis rule;
when the time difference is not less than t_continue, clearing the content on the corresponding stream node, analyzing the message to be analyzed using the current protocol analysis rule, and at the same time recording the version number of the current protocol analysis rule on the stream node corresponding to the message to be analyzed.
Optionally, in the method the value of the preset processing time t_continue is between 50 and 60 seconds, and the value of the error correction parameter ε is between 0.5 and 7 seconds.
Accordingly, aiming at the defects existing in the prior art, the invention also provides a network device for realizing the hot switch of the industrial control protocol analysis rule, wherein the network device comprises a protocol analysis rule loading module, and the protocol analysis rule loading module comprises:
the first calculation unit is used for calculating the time interval between the current time and the last time of loading the protocol analysis rule when the network equipment receives the request of loading the protocol analysis rule;
a first judging unit, configured to compare the time interval calculated by the first calculating unit with a preset waiting duration;
a loading unit, configured to load the corresponding protocol analysis rule according to the loading request when the time interval is greater than the preset waiting time;
and the prompting unit is used for prompting the loading failure and waiting when the time interval is not greater than the preset waiting time.
Further, the network device further includes:
a flow node establishing module, configured to establish a flow node in a network device, where the flow node is configured to cache an analysis intermediate state of a packet having the same five-tuple and a version number of a protocol analysis rule used in analyzing the packet;
a buffer emptying module, configured to empty the content on the flow node corresponding to a quintuple and release the corresponding storage space when no message of that quintuple enters the network device within a preset buffer time; wherein the preset cache time is the flow aging time t_age, t_age > 0.
Further, the preset waiting time period is calculated according to the following formula:
t = t_age + 2·t_continue + ε
wherein t in the formula represents the preset waiting time; t_age is the flow aging time, t_age > 0; t_continue is the predetermined processing time reserved for a quintuple whose cached content is not yet completely processed in the corresponding flow node, t_continue > 0; and ε is an error correction parameter, ε ≥ 0.
Further, the network device further includes a protocol parsing rule selection module, where the protocol parsing rule selection module includes:
the searching unit is used for finding the corresponding flow node according to the quintuple of the message to be analyzed when the message to be analyzed enters the network equipment;
a second judging unit, configured to judge whether a version number of an original protocol parsing rule used when the message to be parsed recorded in the flow node found by the searching unit is parsed before is the same as a version number of a current protocol parsing rule loaded in the main memory;
a first parsing unit, configured to continue to parse the message to be parsed by using the original protocol parsing rule when the version number of the original protocol parsing rule is the same as the version number of the current protocol parsing rule;
a third judging unit, configured to, when the version number of the original protocol parsing rule is different from the version number of the current protocol parsing rule, continuously judge whether a situation that the version number is different occurs for the first time;
the second analysis unit is used for recording the current time on a corresponding flow node when the version numbers are different for the first time, and continuously analyzing the message to be analyzed by using the original protocol analysis rule;
the second calculating unit is used for calculating, when the version numbers are not different for the first time, the time difference between the current time and the time point recorded on the corresponding stream node when the version numbers were first found to be different;
a third analyzing unit, configured to continue to analyze the message to be analyzed using the original protocol analysis rule when the time difference is less than t_continue;
a fourth analyzing unit, configured to, when the time difference is not less than t_continue, clear the content on the corresponding stream node, analyze the message to be analyzed using the current protocol analysis rule, and at the same time record the version number of the current protocol analysis rule on the stream node corresponding to the message to be analyzed.
Optionally, in the network device the value of the preset processing time t_continue is between 50 and 60 seconds, and the value of the error correction parameter ε is between 0.5 and 7 seconds.
The invention has the following beneficial effects:
the invention adopts a method of delaying protocol analysis rules, namely, the protocol analysis rules are allowed to be reloaded after a determined time. Therefore, the flow analyzed by using the protocol analysis rule in the original main memory can be effectively ensured to be completely analyzed, and the content on the original main memory can be released. Meanwhile, the completeness and consistency of the analyzed content can be ensured. Therefore, the hot switching of the protocol analysis rule can be realized under the condition of no locking, and meanwhile, the switching safety and the analysis integrity can be ensured.
Drawings
Fig. 1 is a schematic flow chart of a message selection protocol parsing rule according to a first embodiment of the present invention;
fig. 2 is a schematic flow chart of a parsing rule of a loading protocol according to a first embodiment of the present invention;
fig. 3 is a system block diagram of a network device for implementing an industrial control protocol parsing rule hot switch according to a second embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
The prior art realizes protocol parsing rule hot switch by the following method: the network security device prepares N blocks (N is generally 2) of pre-allocated memories, wherein one of the memories is in use and is marked as M0, and the other memories are used as backup memories and are marked as M1. When a request for loading the protocol analysis rule is initiated, the network security equipment uses any backup memory M1 to load the rule, after the loading is completed, the used backup memory M1 is switched to the main memory, the previous main memory M0 is switched to the backup memory, meanwhile, the content of the memory M0 is not cleared temporarily, and the content is cleared when the memory M0 is used again to load the protocol analysis rule. In this way, the traffic that newly starts to be analyzed performs protocol analysis using the rule on the M1 memory. The flow analyzed by the protocol analysis rule in the M0 memory before can still be analyzed by the protocol analysis rule in the M0 memory until a complete result is analyzed, and then switching is performed. However, the switching method has the following disadvantages: the trigger time for loading the protocol parsing rule is uncertain, and it cannot be guaranteed that the content on the M0 memory is always valid in the life cycle of the entire traffic.
Aiming at the defects in the prior art, the invention provides a method for realizing hot switching of an industrial control protocol analysis rule, which adopts a method of delaying the protocol analysis rule, namely, the protocol analysis rule is allowed to be reloaded after a determined preset waiting time t. Therefore, the flow analyzed by using the protocol analysis rule in the original main memory can be effectively ensured to be completely analyzed, so that the content on the original main memory can be released, and meanwhile, the completeness and consistency of the analyzed content can be ensured.
In order to implement this technical solution, a stream node is first created in the network device to cache the analysis intermediate state of the packets of the same five-tuple. When no more messages of a certain quintuple enter the network equipment within a preset cache time, the contents of the flow node corresponding to the quintuple are cleared and the corresponding storage space is released; the preset cache time is called the flow aging time, which is a fixed parameter of the system and is denoted t_age, with t_age > 0.
On the other hand, after a new protocol analysis rule has been loaded, a certain quintuple may still need to use the protocol analysis rule loaded in the old memory because of its cached analysis content. Taking into account both the network equipment's need to switch protocol analysis rules continuously and the need for integrity of the analyzed content, the network equipment cannot wait indefinitely for the quintuple to finish processing its cached content, but neither should the cached content be emptied immediately; instead, a preset processing time t_continue, t_continue > 0, is reserved for a quintuple that has not finished processing, and if the quintuple still has cached content when t_continue elapses, the cache is emptied and the new protocol analysis rule is forcibly used for the next analysis. At the same time, a field is added to the flow node to store the version number of the protocol analysis rule used when the message was previously analyzed; when a message selects a protocol analysis rule, the original version number and the current version number are compared to determine which protocol analysis rule the message uses. For details, see the following embodiments:
first embodiment
Referring to fig. 1 and fig. 2, the present embodiment provides a method for implementing an analysis rule hot switch of an industrial control protocol, where the method for implementing an analysis rule hot switch of an industrial control protocol includes a message selection protocol analysis rule flow, and the message selection protocol analysis rule flow is shown in fig. 1, and includes the following steps:
s101, receiving a message to be analyzed, and then entering S102;
s102, finding a corresponding flow node according to a quintuple of a message to be analyzed, and then entering S103;
it should be noted that the quintuple includes a source IP address, a source port, a destination IP address, a destination port, and a transport layer protocol of a session, different sessions can be distinguished according to the quintuple, and a corresponding session is unique; therefore, in the present embodiment, different packets are distinguished by the quintuple.
S103, judging whether the version number of the original protocol analysis rule used for analyzing the message to be analyzed recorded on the found stream node before is the same as the version number of the current protocol analysis rule loaded in the main memory; if the version number of the original protocol analysis rule is the same as the version number of the current protocol analysis rule, the process enters S104; otherwise, entering S105;
It should be noted that if the version number of the original protocol analysis rule is the same as that of the current protocol analysis rule, the device has not switched protocol analysis rules; if they differ, the device has switched, that is, a new protocol analysis rule has been loaded into the current memory. If analysis of the received message began before the protocol analysis rule was switched, the message still needs to be analyzed after the switch; the corresponding protocol analysis rule must then be selected for the message through the following steps, so that the message is analyzed completely.
S104, continuing to use the original protocol analysis rule to analyze the message to be analyzed;
here, it is explained that the device does not switch the protocol parsing rule, so the message is parsed by using the original protocol parsing rule.
S105, judging whether the first occurrence of the situation of different version numbers exists, and if the first occurrence of the situation of different version numbers exists, entering S106; otherwise, entering S107;
s106, recording the current time on the corresponding stream node, and continuously analyzing the message to be analyzed by using the original protocol analysis rule;
s107, calculating a time difference value between the current time and a time point recorded on the corresponding stream node when the first version number is different, and then entering S108;
s108, judging whether the obtained time difference value is less than t continue (ii) a When the time difference is less than t continue Entering S109 if not, entering S110 if not;
note that, t here continue The value of (a) needs to be determined according to the performance of the corresponding network equipment, and the values of the network equipment with different performances are different; here, the present embodiment provides a feasible value range: 50 to 60 seconds. It is to be understood, of course, that this embodiment is not specific to t continue Is specifically defined as the value of (a), t continue The value of (a) is set properly only according to the performance of the corresponding network device.
S109, continuing to use the original protocol analysis rule to analyze the message to be analyzed;
s110, emptying the content on the corresponding stream node, analyzing the message to be analyzed by using the current protocol analysis rule, and recording the version number of the current protocol analysis rule on the stream node corresponding to the message to be analyzed.
S109 above means that, within the preset processing time t_continue reserved for a quintuple that has not finished processing, the original protocol analysis rule can still be used to analyze the corresponding messages; S110 means that, once the preset processing time t_continue reserved for that quintuple has been exceeded, the new protocol analysis rule is used forcibly to analyze the corresponding messages whether or not the quintuple has finished processing, so as to prevent the quintuple from occupying system resources for a long time.
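The message selection flow S101 to S110 above (the same flow listed in the summary of the method) can be expressed as a flow table keyed by the quintuple, where each node carries the version number it was parsed with and the time the mismatch was first noticed. The following Python is an added example, not code from the patent or from China Techenergy; the FlowTable and FlowNode names, the treatment of a quintuple that has no flow node yet (it is bound to the current version), and the constructed Modbus/TCP packet timeline are assumptions.

```python
"""Added example: per-flow selection of the protocol analysis rule version.

Each flow node caches the intermediate parse state of one quintuple together
with the version number of the rule it was parsed with. Names, the new-flow
handling and the sample timeline are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# source IP, source port, destination IP, destination port, transport protocol
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class FlowNode:
    rule_version: int                        # version the flow was parsed with
    last_seen: float                         # time of the last packet, for aging
    first_mismatch: Optional[float] = None   # time recorded in S106
    state: List[bytes] = field(default_factory=list)  # cached intermediate state


class FlowTable:
    def __init__(self, t_age: float, t_continue: float) -> None:
        self.t_age = t_age              # flow aging time
        self.t_continue = t_continue    # processing time reserved after a switch
        self.nodes: Dict[FiveTuple, FlowNode] = {}

    def age_out(self, now: float) -> int:
        """Release nodes idle for longer than t_age; returns the number released."""
        stale = [k for k, n in self.nodes.items() if now - n.last_seen > self.t_age]
        for k in stale:
            del self.nodes[k]
        return len(stale)

    def select_rule(self, key: FiveTuple, current_version: int, now: float,
                    payload: bytes = b"") -> int:
        """S102-S110: return the rule version this packet must be parsed with."""
        self.age_out(now)
        node = self.nodes.get(key)
        if node is None:   # assumption: a new quintuple binds to the current rule
            node = FlowNode(rule_version=current_version, last_seen=now)
            self.nodes[key] = node
        node.last_seen = now
        if node.rule_version != current_version:           # S103: a switch happened
            if node.first_mismatch is None:                # S105 -> S106
                node.first_mismatch = now
            elif now - node.first_mismatch >= self.t_continue:   # S107 -> S110
                # reserved time exceeded: drop cached content, rebind to current rule
                node.state.clear()
                node.rule_version = current_version
                node.first_mismatch = None
            # otherwise S109: keep using the original rule within t_continue
        node.state.append(payload)                         # cache this packet's state
        return node.rule_version                           # S104 / S109 / S110


def demo() -> Tuple[List[Tuple[float, int]], int]:
    """Replay a constructed timeline; rule version 2 is loaded at t = 8 s."""
    table = FlowTable(t_age=30.0, t_continue=10.0)
    flow_a: FiveTuple = ("10.0.0.5", 50200, "10.0.0.9", 502, "tcp")
    flow_b: FiveTuple = ("10.0.0.6", 50201, "10.0.0.9", 502, "tcp")
    table.select_rule(flow_b, 1, 0.0)      # flow_b sends one packet, then goes idle
    trace = []
    for now, version in ((0.0, 1), (5.0, 1), (9.0, 2), (15.0, 2),
                         (18.0, 2), (19.5, 2), (40.0, 2)):
        used = table.select_rule(flow_a, version, now)
        print(f"t={now:5.1f}s current=v{version} -> parse with v{used}")
        trace.append((now, used))
    # by t = 40 s flow_b has been idle longer than t_age and has been aged out
    return trace, len(table.nodes)


if __name__ == "__main__":
    demo()
```

In the replayed timeline flow_a keeps parsing with version 1 for the packets at 9, 15 and 18 s (the mismatch was first recorded at 9 s, and 18 − 9 is still less than t_continue), is forced onto version 2 at 19.5 s, and flow_b, silent since 0 s, is released by aging before the last packet; this is the bounded window that the waiting time t_age + 2·t_continue + ε in the loading process is sized to outlast.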
Further, the method for implementing hot handover of the industrial control protocol parsing rule of this embodiment further includes a protocol parsing rule loading process, where the protocol parsing rule loading process is shown in fig. 2, and includes the following steps:
s201, receiving a protocol loading analysis rule request, and then entering S202;
s202, calculating the time interval between the current time and the last time of loading the protocol analysis rule, and then entering S203;
s203, judging whether the calculated time interval is greater than a preset waiting time length; when the time interval is longer than the preset waiting time, entering S204, otherwise, entering S205;
s204, loading a corresponding protocol analysis rule according to the protocol analysis rule loading request;
s205, prompting the loading failure and needing to wait.
It should be noted that, for the preset waiting time period, the preset waiting time period is calculated by the following calculation formula:
t = t_age + 2·t_continue + ε
wherein t in the above formula represents the preset waiting time; t_age is the flow aging time, a system default value, t_age > 0; t_continue is the predetermined processing time reserved for a quintuple whose cached content is not yet completely processed in the corresponding flow node, t_continue > 0; ε is an error correction parameter introduced because t_age may carry a certain error, ε ≥ 0. The value of ε depends on the performance of the corresponding network equipment and differs for equipment of different performance; this embodiment gives a feasible value range of 0.5 to 7 seconds. It should be understood that this embodiment does not specifically limit the value of ε; it only needs to be set appropriately according to the performance of the corresponding network equipment.
By switching the protocol analysis rule after waiting for the preset waiting time t obtained by the calculation formula, no quintuple can be guaranteed to use the rule on the original memory to analyze the message under the condition of no locking, and thus the safe switching is realized.
The method of the embodiment adopts a method of delaying the protocol resolution rule, namely, the protocol resolution rule is allowed to be reloaded after a certain time. Therefore, the flow analyzed by using the protocol analysis rule in the original main memory can be effectively ensured to be completely analyzed, and the content on the original main memory can be released. Meanwhile, the completeness and consistency of the analyzed content can be ensured. Therefore, the hot switching of the protocol analysis rule can be realized under the condition of no locking, and meanwhile, the switching safety and the analysis integrity can be ensured.
Second embodiment
Referring to fig. 3, the present embodiment provides a network device 3 for implementing an industrial control protocol parsing rule hot switch, where the network device 3 for implementing an industrial control protocol parsing rule hot switch includes a protocol parsing rule loading module 30, and the protocol parsing rule loading module 30 includes:
a first calculating unit 301, configured to calculate a time interval between a current time and a last time of loading a protocol parsing rule when the network device 3 receives a request for loading a protocol parsing rule;
a first judging unit 302, configured to compare the time interval calculated by the first calculating unit 301 with a preset waiting time;
a loading unit 303, configured to load the corresponding protocol parsing rule according to the loading request when the time interval is greater than the preset waiting time;
the prompting unit 304 is configured to prompt that the loading fails and needs to wait when the time interval is not greater than the preset waiting time.
Further, the network device 3 in this embodiment further includes:
a flow node establishing module 31, configured to create a flow node in the network device 3, where the flow node is configured to cache an analysis intermediate state of a packet having the same five-tuple and a version number of a protocol analysis rule used in the packet analysis;
a buffer emptying module 32, configured to empty the content on the flow node corresponding to a quintuple and release the corresponding storage space when no packet of that quintuple enters the network device 3 within a preset buffer time; wherein the preset buffer time is the flow aging time t_age, t_age > 0.
In addition, the network device 3 of the present embodiment further includes a protocol parsing rule selecting module 33, where the protocol parsing rule selecting module 33 includes:
the searching unit 331 is configured to find a corresponding flow node according to a quintuple of the packet to be analyzed when the packet to be analyzed enters the network device;
a second determining unit 332, configured to determine whether the version number of the original protocol parsing rule, recorded on the flow node found by the searching unit 331 when the message to be parsed was parsed before, is the same as the version number of the current protocol parsing rule loaded in main memory;
a first parsing unit 333, configured to, when the version number of the original protocol parsing rule is the same as the version number of the current protocol parsing rule, continue to parse the message to be parsed using the original protocol parsing rule;
a third determining unit 334, configured to, when the version number of the original protocol parsing rule differs from the version number of the current protocol parsing rule, further determine whether this is the first time the version numbers have differed;
a second parsing unit 335, configured to, when the version numbers differ for the first time, record the current time on the corresponding flow node and continue to parse the message to be parsed using the original protocol parsing rule;
a second calculating unit 336, configured to, when this is not the first time the version numbers have differed, calculate the time difference between the current time and the time point recorded on the corresponding flow node at which the version numbers first differed;
a third parsing unit 337, configured to, when the time difference is less than t_continue, continue to parse the message to be parsed using the original protocol parsing rule;
a fourth parsing unit 338, configured to, when the time difference is not less than t_continue, clear the content on the corresponding flow node, parse the message to be parsed using the current protocol parsing rule, and at the same time record the version number of the current protocol parsing rule on the flow node corresponding to the message to be parsed.
The network device 3 for implementing the hot switch of the analysis rule of the industrial control protocol corresponds to the method for implementing the hot switch of the analysis rule of the industrial control protocol in the first embodiment; the functions implemented by the modules correspond to the flow steps of the method in the first embodiment one by one, and thus are not described herein again.
The device of this embodiment delays reloading of the protocol analysis rule: a new rule may only be loaded once a set time has elapsed since the previous load. This ensures that traffic being analyzed with the protocol analysis rule in the original main memory is completely analyzed before the content of that main memory is released, and that the analyzed content remains complete and consistent. Hot switching of the protocol analysis rule is therefore achieved without locking, while both switching safety and analysis integrity are ensured.
Furthermore, it should be appreciated by those skilled in the art that the present solution may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
Furthermore, embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will of course be appreciated that whilst preferred embodiments of the present invention have been described, further variations and modifications to these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the true scope of the embodiments of the present invention.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in a process, method, article, or terminal device that comprises the element.
The present invention has been described in terms of the preferred embodiment, and it is not intended to be limited to the embodiment. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (4)

1. A method for realizing hot switch of industrial control protocol analysis rule is characterized in that a stream node is created in a network device, and the stream node is used for caching the analysis intermediate state of a message with the same five-tuple and the version number of the protocol analysis rule used during message analysis;
when no message of a certain quintuple enters the network equipment within the preset caching time, emptying the content on the flow node corresponding to the quintuple and releasing the corresponding storage space; wherein the preset cache time is the flow aging time t_age, t_age > 0;
The preset waiting time is calculated according to the following formula:
t = t_age + 2·t_continue + ε
wherein t in the formula represents the preset waiting time; t_age is the flow aging time, and t_age > 0; t_continue is a predetermined processing time reserved for a quintuple whose processing in the corresponding flow node is not yet complete, and t_continue > 0; ε is an error correction parameter, and ε ≥ 0;
the method comprises a protocol analysis rule loading process, wherein the protocol analysis rule loading process comprises the following steps:
when the network equipment receives a request for loading the protocol analysis rule, calculating the time interval between the current time and the last time for loading the protocol analysis rule;
comparing the calculated time interval with a preset waiting time;
when the time interval is longer than the preset waiting time, loading a corresponding protocol analysis rule according to the protocol analysis rule loading request;
when the time interval is not greater than the preset waiting time, prompting that the loading fails and waiting is needed;
The method also comprises a flow in which a message selects a protocol analysis rule, and this flow comprises the following steps:
when a message to be analyzed enters network equipment, finding a corresponding flow node according to the quintuple of the message to be analyzed;
judging whether the version number of the original protocol analysis rule used for analyzing the message to be analyzed recorded on the found stream node before is the same as the version number of the current protocol analysis rule loaded in the main memory;
when the version number of the original protocol analysis rule is the same as that of the current protocol analysis rule, continuing to use the original protocol analysis rule to analyze the message to be analyzed;
when the version number of the original protocol analysis rule differs from the version number of the current protocol analysis rule, judging whether this is the first time the version numbers have differed;
when the version numbers differ for the first time, recording the current time on the corresponding flow node, and continuing to analyze the message to be analyzed using the original protocol analysis rule;
when this is not the first time the version numbers have differed, calculating the time difference between the current time and the time point recorded on the corresponding flow node at which the version numbers first differed;
when the time difference is less than t_continue, continuing to analyze the message to be analyzed using the original protocol analysis rule;
when the time difference is not less than t_continue, clearing the content on the corresponding flow node, analyzing the message to be analyzed using the current protocol analysis rule, and at the same time recording the version number of the current protocol analysis rule on the flow node corresponding to the message to be analyzed.
2. The method for implementing industrial control protocol analysis rule hot switch as claimed in claim 1, wherein the value of the predetermined processing time t_continue is between 50 and 60 seconds, and the value of the error correction parameter ε is between 0.5 and 7 seconds.
3. A network device for realizing industrial control protocol analysis rule hot switching is characterized in that the network device comprises a protocol analysis rule loading module, and the protocol analysis rule loading module comprises:
the first calculation unit is used for calculating the time interval between the current time and the last time of loading the protocol analysis rule when the network equipment receives the request of loading the protocol analysis rule;
a first judging unit, configured to compare the time interval calculated by the first calculating unit with a preset waiting time;
a loading unit, configured to, when the time interval is greater than the preset waiting time, load the corresponding protocol analysis rule according to the loading request;
the prompting unit is used for prompting the loading failure and waiting when the time interval is not greater than the preset waiting time;
the network device further includes:
a flow node establishing module, configured to establish a flow node in a network device, where the flow node is used to cache an analysis intermediate state of a packet having the same five-tuple and a version number of a protocol analysis rule used in the packet analysis;
a cache clearing module, configured to clear the content on the flow node corresponding to a quintuple and release the corresponding storage space when no message of that quintuple enters the network device within a preset cache time; wherein the preset cache time is the flow aging time t_age, t_age > 0;
The preset waiting time is calculated according to the following formula:
t = t_age + 2·t_continue + ε
wherein t in the formula represents the preset waiting time; t_age is the flow aging time, and t_age > 0; t_continue is a preset processing time reserved for a quintuple whose processing in the corresponding flow node is not yet complete, and t_continue > 0; ε is an error correction parameter, and ε ≥ 0;
the network device further comprises a protocol parsing rule selection module, wherein the protocol parsing rule selection module comprises:
the searching unit is used for finding the corresponding flow node according to the quintuple of the message to be analyzed when the message to be analyzed enters the network equipment;
a second judging unit, configured to judge whether the version number of the original protocol analysis rule, recorded on the flow node found by the searching unit when the message to be analyzed was analyzed before, is the same as the version number of the current protocol analysis rule loaded in main memory;
the first analysis unit is used for continuing to use the original protocol analysis rule to analyze the message to be analyzed when the version number of the original protocol analysis rule is the same as the version number of the current protocol analysis rule;
a third judging unit, configured to, when the version number of the original protocol analysis rule differs from the version number of the current protocol analysis rule, further judge whether this is the first time the version numbers have differed;
a second analysis unit, configured to, when the version numbers differ for the first time, record the current time on the corresponding flow node and continue to analyze the message to be analyzed using the original protocol analysis rule;
a second calculating unit, configured to, when this is not the first time the version numbers have differed, calculate the time difference between the current time and the time point recorded on the corresponding flow node at which the version numbers first differed;
a third analysis unit, configured to, when the time difference is less than t_continue, continue to analyze the message to be analyzed using the original protocol analysis rule;
a fourth analysis unit, configured to, when the time difference is not less than t_continue, clear the content on the corresponding flow node, analyze the message to be analyzed using the current protocol analysis rule, and at the same time record the version number of the current protocol analysis rule on the flow node corresponding to the message to be analyzed.
4. The network device for implementing industrial control protocol analysis rule hot switch as claimed in claim 3, wherein the value of the predetermined processing time t_continue is between 50 and 60 seconds, and the value of the error correction parameter ε is between 0.5 and 7 seconds.
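The loading gate, flow aging and per-flow rule selection described in the second embodiment (modules 30 to 33) and restated in claims 1 and 3 can be exercised end to end in a small simulation. The following is an added example written for this page, not code from the patent or its applicant: the class names, the manual clock, the stand-in for "parsing" (appending payload bytes to the flow node's intermediate state), and the fallback when an original rule set has already been released are all assumptions. The waiting time is computed as t = t_age + 2·t_continue + ε from the claims.

```python
"""Lock-free rule hot switch: delayed reload gate plus per-flow rule selection
keyed on the rule version stored in the flow node. Constructed example; names,
the manual clock and the stand-in for parsing are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass
class RuleSet:
    version: int
    name: str


@dataclass
class FlowNode:
    rule_version: int                       # version used when this flow was last parsed
    last_seen: float                        # drives flow aging (t_age)
    state: List[bytes] = field(default_factory=list)  # intermediate parse state
    mismatch_since: Optional[float] = None  # when a version mismatch was first seen


class ManualClock:
    def __init__(self) -> None:
        self.t = 0.0  # deterministic time so the timing rules run offline

    def __call__(self) -> float:
        return self.t


class RuleEngine:
    def __init__(self, initial: RuleSet, t_age: float, t_continue: float,
                 epsilon: float, clock: Callable[[], float]) -> None:
        if not (t_age > 0 and t_continue > 0 and epsilon >= 0):
            raise ValueError("need t_age > 0, t_continue > 0, epsilon >= 0")
        self.t_age, self.t_continue = t_age, t_continue
        self.wait = t_age + 2 * t_continue + epsilon  # preset waiting time t
        self.clock = clock
        self.rules: Dict[int, RuleSet] = {initial.version: initial}
        self.current = initial
        self.last_load = clock()
        self.flows: Dict[FiveTuple, FlowNode] = {}

    # Protocol analysis rule loading flow (loading module 30 / claim 1).
    def load_rule(self, new: RuleSet) -> Tuple[bool, str]:
        interval = self.clock() - self.last_load
        if interval <= self.wait:
            return False, f"load failed, wait {self.wait - interval:g}s"
        # After the waiting time every flow has left the rule set that was
        # current two loads ago, so only the one being replaced stays resident.
        self.rules = {self.current.version: self.current, new.version: new}
        self.current = new
        self.last_load = self.clock()
        return True, f"loaded rule version {new.version}"

    # Cache emptying (module 32): free flow nodes idle for t_age or longer.
    def age_flows(self) -> int:
        now = self.clock()
        expired = [k for k, n in self.flows.items() if now - n.last_seen >= self.t_age]
        for k in expired:
            del self.flows[k]
        return len(expired)

    # Rule selection per message (module 33 / claim 1); returns (version, reason).
    def parse(self, key: FiveTuple, payload: bytes) -> Tuple[int, str]:
        now = self.clock()
        node = self.flows.get(key)
        switch = False
        if node is None:
            node = FlowNode(self.current.version, now)
            self.flows[key] = node
            reason = "new flow"
        elif node.rule_version == self.current.version:
            reason = "same version"
        elif node.rule_version not in self.rules:
            # Assumption beyond the patent: the original rule set is already
            # released, so move to the current rule instead of failing.
            switch, reason = True, "original released, switched"
        elif node.mismatch_since is None:
            node.mismatch_since = now
            reason = "first mismatch, keep original"
        elif now - node.mismatch_since < self.t_continue:
            reason = "within t_continue, keep original"
        else:
            switch, reason = True, "switched to current"
        node.last_seen = now
        if switch:
            node.state.clear()          # drop state built with the original rule
            node.mismatch_since = None
            node.rule_version = self.current.version
        rule = self.rules[node.rule_version]   # original or current rule set
        node.state.append(payload)             # stand-in for parsing with `rule`
        return rule.version, reason
```

Two points are worth noticing when running it. A flow whose packets keep arriving is moved to the new rule only once the t_continue grace after its first observed mismatch has elapsed, and its partial state is discarded at that moment rather than mixed across rule versions. The reload gate refuses a second load until t has passed, which is what allows `load_rule` to keep just one previous generation of rules resident and drop anything older without any lock around the parsers. In a real device `age_flows` would run from a periodic timer rather than being called by hand.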
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010405532.9A CN113676436B (en) 2020-05-14 2020-05-14 Method and network equipment for realizing hot switching of industrial control protocol analysis rules
Publications (2)

Publication Number Publication Date
CN113676436A CN113676436A (en) 2021-11-19
CN113676436B true CN113676436B (en) 2022-12-20

Family

ID=78537130

Country Status (1)

Country Link
CN (1) CN113676436B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1992672A (en) * 2005-12-27 2007-07-04 中兴通讯股份有限公司 Method for preventing network interruption caused by address aging and time inconformity
CN104038389A (en) * 2014-06-19 2014-09-10 高长喜 Multiple application protocol identification method and device
CN105141596A (en) * 2015-08-12 2015-12-09 北京威努特技术有限公司 Industrial control firewall implementation method supporting extensible protocol detection
CN109600258A (en) * 2018-12-10 2019-04-09 英赛克科技(北京)有限公司 Industrial protocol message accounting device and method
CN110445815A (en) * 2019-09-20 2019-11-12 北京天地和兴科技有限公司 A kind of industry control protocol depth analytic method
CN110460623A (en) * 2019-09-27 2019-11-15 杭州九略智能科技有限公司 A kind of processing system, method and terminal for Industry Control puppy parc

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9374387B2 (en) * 2012-10-12 2016-06-21 Rockwell Automation Technologies, Inc. Hardware-based granular traffic storm protection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant