CN114244609B - Modbus TCP Protocol Protection Method for Industrial Firewall - Google Patents


Info

Publication number
CN114244609B
Authority
CN
China
Prior art keywords
message
rule
firewall
modbus tcp
protocol
Prior art date
Legal status
Active
Application number
CN202111551637.6A
Other languages
Chinese (zh)
Other versions
CN114244609A (en)
Inventor
李欣
***
陈君
王思同
蒙兴
Current Assignee
Chengdu Guotai Wangxin Technology Co ltd
Beijing Guotai Netcom Technology Co ltd
Original Assignee
Chengdu Guotai Wangxin Technology Co ltd
Beijing Guotai Netcom Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Chengdu Guotai Wangxin Technology Co ltd and Beijing Guotai Netcom Technology Co ltd
Priority to CN202111551637.6A
Publication of CN114244609A
Application granted
Publication of CN114244609B
Legal status: Active
Anticipated expiration

Classifications

    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/0227 Filtering policies, H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L63/0254 Stateful filtering
    • H04L63/0263 Rule management
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields (under H04L69/16 Implementation or adaptation of IP, TCP or UDP)
    • H04L69/22 Parsing or analysis of headers
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a Modbus TCP protocol protection method for an industrial firewall, belonging to the technical field of industrial control network security. The method comprises the following steps: S1, issuing rules to the firewall engine; S2, the firewall system pre-filters traffic and sends only the packets that need deep inspection to the firewall engine; S3, the firewall engine parses each received packet according to the format specified by the Modbus TCP protocol and extracts the function code, start address and value it carries; S4, the function code, start address and value extracted in step S3 are sent to the middleware in a preset format to complete rule learning; S5, the function code, start address and value are matched against the rules, a packet that matches a rule is handled with the action configured for that rule, and a packet that matches no rule is handled according to the configured default. The invention improves engine performance and system security.

Description

Modbus TCP protocol protection method for industrial firewall
Technical Field
The invention relates to the technical field of industrial control network security, and in particular to a Modbus TCP protocol protection method for an industrial firewall.
Background
With the rapid convergence of informatization and industrialization, the industrial internet has become a new focus, and industrial firewalls have become an important link in industrial internet security. Modbus TCP is a widely used industrial protocol, so filtering and controlling Modbus TCP traffic has become an essential function of an industrial control firewall. Modbus TCP carries Modbus messages between stations over TCP/IP and Ethernet: it combines the Ethernet physical network, the TCP/IP network standard and the Modbus data representation as the application-layer protocol standard. Because Modbus TCP has no encryption (and no authentication of the requester) and the whole exchange travels in plaintext, it is especially easy to attack or tamper with, which can cause serious accidents.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a Modbus TCP protocol protection method for an industrial firewall. It supports the stateful filtering and packet filtering of a traditional firewall, combines pre-filtering on the five-tuple and similar information with deep parsing of Modbus TCP, provides finer-grained control over function codes, start addresses, associated values and value ranges, and greatly improves the performance of the firewall engine and the security of the system.
The invention is realized by the following scheme:
A Modbus TCP protocol protection method for an industrial firewall comprises the following steps:
S1, issuing rules to the firewall engine;
S2, packet filtering: the firewall system pre-filters traffic and sends only the packets that need deep inspection to the firewall engine;
S3, application-layer parsing: the firewall engine parses each received packet according to the format specified by the Modbus TCP protocol and extracts the function code, start address and value it carries;
S4, rule learning: the function code, start address and value extracted in step S3 are sent to the middleware in a preset format to complete rule learning;
S5, rule matching: the function code, start address and value are matched against the rules; a packet that matches a rule is handled with the action configured for that rule, and a packet that matches no rule is handled according to the configured default.
Further, in step S5, for a packet that matches no rule, the configured default is to notify the kernel protocol stack to forward or discard the packet.
Further, in step S1, issuing rules comprises issuing manually written rules or issuing learned rules;
issuing manually written rules comprises the sub-steps of: the user configures the Modbus TCP protocol, including the protocol name, port number, transport-layer protocol, function code, start address, value range, source and destination IP addresses, event logging and packet handling mode, which completes the issuing of the manually written rules; issuing learned rules comprises the sub-steps of: the firewall is put into all-pass mode, the deep inspection switch is turned on, a learning period is set, and the learning switch is turned on; after learning completes, the learned rules are adjusted as required (the Modbus TCP function codes, start addresses and value ranges are adjusted manually) and then issued to the firewall engine.
Further, in step S2, pre-filtering comprises the sub-step of: kernel space filters on source IP address, destination IP address, source MAC address, destination MAC address, source port, destination port, protocol and time, and sends only the packets that need deep inspection to the firewall engine in user space.
Further, in step S2, the method comprises the sub-step of: setting the firewall system to discard all packets by default and releasing, by manually configured rules, only the packets that need to pass.
Further, in step S3, the method comprises the sub-step of: before deep parsing, the firewall engine running in user space reassembles the Modbus TCP stream.
Further, in step S3, the method comprises the sub-steps of: before extracting the function code, start address and value carried in the packet, identifying the protocol from the packet's characteristics and port information; then checking the format of the Modbus TCP packet to confirm its validity, and checking that the session rate and total number of sessions during transmission are within limits.
Further, in step S4, sending the extracted fields to the middleware in a preset format and completing rule learning comprises the sub-steps of: turning on the rule-learning switch and displaying the parsed function code, start address and value information in a set format; or the administrator adjusts the learned Modbus TCP rules and issues them to the firewall engine; or the administrator configures the Modbus TCP function code, start address and value information in a custom way.
Further, in step S5, matching the function code, start address and value comprises the sub-steps of: first matching the function code; if the function code matches, continuing to match the start address; if the start address matches, continuing to match the value.
Further, protocol identification from the packet's characteristics and port information is performed specifically from the offset, depth and value of the protocol signature together with the port information, on which basis the developer implements identification of the corresponding protocol, the packet validity check and the parsing code; confirming packet validity specifically means checking the length and function code of the Modbus TCP packet and discarding illegal packets.
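As an added example (not code from the patent or its assignees), the following Python parser performs the protocol identification, format check and field extraction of step S3 and its sub-steps above for the public read and write function codes. The signature used for identification (protocol identifier 0x0000 at offset 2 with depth 2, an MBAP length field that accounts for the rest of the frame, and the well-known port 502) is an assumed concrete instance of the "offset, depth, value and port" identification the text describes; the quantity limits come from the Modbus specification, and every sample frame is constructed here rather than captured.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Union

MBAP_LEN = 7          # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260         # Modbus TCP application data unit size limit
MODBUS_PORT = 502

READ_CODES = {1, 2, 3, 4}        # read coils / discrete inputs / holding regs / input regs
WRITE_SINGLE = {5, 6}            # write single coil / single register
WRITE_MULTIPLE = {15, 16}        # write multiple coils / multiple registers


class ModbusFormatError(ValueError):
    """Raised when a frame fails the format (validity) check and should be discarded."""


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    # reads: quantity requested; single writes: the value; multiple writes: list of values
    value: Union[int, List[int]]


def identify_modbus(payload: bytes, dst_port: int) -> bool:
    """Signature-based identification (assumed signature): port 502, protocol id 0x0000 at
    offset 2 (depth 2), and an MBAP length field that covers every byte that follows it."""
    return (dst_port == MODBUS_PORT
            and len(payload) >= MBAP_LEN + 1
            and payload[2:4] == b"\x00\x00"
            and int.from_bytes(payload[4:6], "big") == len(payload) - 6)


def parse_modbus_request(adu: bytes) -> ModbusRequest:
    """Format check of MBAP header and PDU, then extraction of function code/start address/value."""
    if len(adu) < MBAP_LEN + 1:
        raise ModbusFormatError("frame shorter than MBAP header plus function code")
    if len(adu) > MAX_ADU:
        raise ModbusFormatError("frame exceeds the 260-byte ADU limit")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto != 0:
        raise ModbusFormatError("protocol identifier is not 0")
    if length != len(adu) - 6:
        raise ModbusFormatError("MBAP length field does not match frame length")
    fc, data = adu[MBAP_LEN], adu[MBAP_LEN + 1:]
    if fc & 0x80:
        raise ModbusFormatError("exception bit set in a request function code")

    if fc in READ_CODES:
        if len(data) != 4:
            raise ModbusFormatError("read request must carry address and quantity")
        addr, qty = struct.unpack(">HH", data)
        if not 1 <= qty <= (2000 if fc in (1, 2) else 125):
            raise ModbusFormatError("read quantity out of range")
        return ModbusRequest(tid, unit, fc, addr, qty)

    if fc in WRITE_SINGLE:
        if len(data) != 4:
            raise ModbusFormatError("single write must carry address and value")
        addr, val = struct.unpack(">HH", data)
        if fc == 5 and val not in (0x0000, 0xFF00):
            raise ModbusFormatError("coil value must be 0x0000 or 0xFF00")
        return ModbusRequest(tid, unit, fc, addr, val)

    if fc in WRITE_MULTIPLE:
        if len(data) < 5:
            raise ModbusFormatError("multiple write header truncated")
        addr, qty, byte_count = struct.unpack(">HHB", data[:5])
        payload = data[5:]
        if len(payload) != byte_count:
            raise ModbusFormatError("byte count does not match payload")
        if fc == 16:
            if not 1 <= qty <= 123 or byte_count != 2 * qty:
                raise ModbusFormatError("register quantity/byte count inconsistent")
            values = list(struct.unpack(">%dH" % qty, payload))
        else:
            if not 1 <= qty <= 1968 or byte_count != (qty + 7) // 8:
                raise ModbusFormatError("coil quantity/byte count inconsistent")
            values = [(payload[i // 8] >> (i % 8)) & 1 for i in range(qty)]   # LSB first
        return ModbusRequest(tid, unit, fc, addr, values)

    raise ModbusFormatError("function code %d is not handled by this parser" % fc)


def check_frame(adu: bytes) -> Optional[str]:
    """None if the frame passes the format check, otherwise the reason it would be discarded."""
    try:
        parse_modbus_request(adu)
        return None
    except ModbusFormatError as exc:
        return str(exc)


# Constructed sample frames (not captured traffic); unit id 1 in every case.
SAMPLE_FRAMES = {
    "write_single_register": bytes.fromhex("0001 0000 0006 01 06 0010 1234"),
    "read_holding_registers": bytes.fromhex("0002 0000 0006 01 03 0000 000a"),
    "bad_length_field":       bytes.fromhex("0003 0000 0009 01 03 0000 000a"),
    "write_multiple_regs":    bytes.fromhex("0004 0000 000b 01 10 0100 0002 04 0001 0002"),
    "write_multiple_coils":   bytes.fromhex("0005 0000 0009 01 0f 0013 000a 02 cd01"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        err = check_frame(frame)
        print(name, "->", "DROP: " + err if err else parse_modbus_request(frame))
```

The parser is deliberately a whitelist: any function code it does not know how to parse is reported as a format error, which is the safe default for a device that discards by default. The length check matters because a length field that disagrees with the frame is the classic way to desynchronise a stream parser and smuggle a second request past the rule matcher; in a real engine it runs on the reassembled stream, not on single TCP segments.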
The beneficial effects of the invention are as follows:
The invention not only supports the stateful filtering and packet filtering of a traditional firewall but also, by pre-filtering on the five-tuple and similar information, reduces the load on the firewall engine and improves its performance. At the same time, it can raise real-time alerts on security events and block further propagation of a threat. It provides finer-grained control over Modbus TCP: the administrator can control function codes, start addresses, associated values and value ranges, which offers great convenience and a strong guarantee for the security of the user's system.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a frame of the present invention;
FIG. 2 is a Modbus TCP protocol learning flow chart of the present invention;
FIG. 3 is a rule issuing flow chart of the present invention;
FIG. 4 is a rule matching flow chart of the present invention.
Detailed Description
All of the features disclosed in all embodiments of this specification, and all of the steps of the methods or processes disclosed, may be combined in any combination and order, except for mutually exclusive features.
The technical concept, working principle, efficacy and working process of the invention are described in further detail below with reference to FIG. 1 to FIG. 4.
The invention addresses the technical problem that Modbus TCP has no encryption, travels in plaintext for the whole exchange and is therefore especially easy to attack or tamper with, with serious accidents as a possible result. It provides a Modbus TCP protocol protection scheme in an industrial firewall system which, in practical use, comprises the following steps:
1) The industrial firewall system is connected in-line in the industrial network, either in Layer 2 transparent mode or in Layer 3 routed mode;
2) The firewall system pre-filters passing packets according to pre-configured source IP address, destination IP address, source MAC address, destination MAC address, source port, destination port, protocol, time and so on;
3) Modbus TCP packets are sent to the firewall engine for deep inspection.
As one of the design points of the invention, the firewall system in step 2) discards all packets by default, and only packets for which a manually configured rule exists are released;
As one of the design points of the invention, the deep inspection performed by the firewall engine in step 3) specifically includes:
(1) identifying the protocol from the packet's characteristics, port and other information;
(2) optionally, checking that the session rate and total number of sessions during transmission are within limits;
(3) for a Modbus TCP packet, first performing a format check to confirm that the packet is valid;
(4) parsing the Modbus TCP packet, one of the design points of the invention, to obtain the function code, start address, value and similar information;
(5) optionally, after the rule-learning switch is turned on, displaying the parsed function code, start address, value and similar information in a specific format;
(6) optionally, the administrator adjusts the learned Modbus TCP rules as required and issues them to the firewall engine;
(7) optionally, the administrator configures the Modbus TCP function code, start address, value and similar information in a custom way;
(8) based on the preset configuration, matching the parsed Modbus TCP five-tuple, function code, start address and value against the rules;
(9) if a rule matches, handling the packet with the configured action; for the discard and alert actions, a security event can at the same time be reported to the administrator.
As one of the design points of the invention, for the protocol identification in step (1), Modbus TCP is recognised from the offset, depth and value of the protocol signature together with the port information, on which basis the developer implements identification of the corresponding protocol, the packet validity check and the parsing code.
As one of the design points of the invention, the connection validity check in step (2) limits the connection rate and the total number of connections; if a limit is exceeded, the packet is discarded and a security event is pushed to the administrator.
As one of the design points of the invention, the packet validity check in step (3) checks the length and function code of the Modbus TCP packet and discards illegal packets.
As one of the design points of the invention, the deep parsing in step (4) is deep parsing of the Modbus TCP packet, in particular of the read and write function codes, to obtain the function code, start address and the size and range of the associated value carried by the packet.
As one of the design points of the invention, the rule learning in step (5) is based on the parsing result of step (4): the learned rules are pushed to the administrator in a set format, and the administrator can edit them as required and then issue them to the firewall again.
According to the invention, Modbus TCP rules are learned automatically or configured manually, rule learning and matching are then carried out, protection of the Modbus TCP protocol is completed, and discovered security threats are reported to the administrator. To enable those skilled in the art to better understand the technical solution of the invention, it is further described below with reference to FIG. 1 to FIG. 4 for an embodiment of the invention.
Example 1: A Modbus TCP protocol protection method for an industrial firewall comprises the following steps:
S1, issuing rules to the firewall engine;
S2, packet filtering: the firewall system pre-filters traffic and sends only the packets that need deep inspection to the firewall engine;
S3, application-layer parsing: the firewall engine parses each received packet according to the format specified by the Modbus TCP protocol and extracts the function code, start address and value it carries;
S4, rule learning: the function code, start address and value extracted in step S3 are sent to the middleware in a preset format to complete rule learning;
S5, rule matching: the function code, start address and value are matched against the rules; a packet that matches a rule is handled with the action configured for that rule, and a packet that matches no rule is handled according to the configured default.
Example 2: On the basis of embodiment 1, in step S5, for a packet that matches no rule, the configured default is to notify the kernel protocol stack to forward or discard the packet.
Example 3: On the basis of embodiment 1, in step S1, issuing rules comprises issuing manually written rules or issuing learned rules; issuing manually written rules comprises the sub-steps of: the user configures the Modbus TCP protocol, including the protocol name, port number, transport-layer protocol, function code, start address, value range, source and destination IP addresses, event logging and packet handling mode, which completes the issuing of the manually written rules; issuing learned rules comprises the sub-steps of: the firewall is put into all-pass mode, the deep inspection switch is turned on, a learning period is set, and the learning switch is turned on; after learning completes, the learned rules are adjusted as required (the Modbus TCP function codes, start addresses and value ranges are adjusted manually) and then issued to the firewall engine.
Example 4: On the basis of embodiment 1, in step S2, pre-filtering comprises the sub-step of: kernel space filters on source IP address, destination IP address, source MAC address, destination MAC address, source port, destination port, protocol and time, and sends only the packets that need deep inspection to the firewall engine in user space.
Example 5: On the basis of embodiment 1, step S2 comprises the sub-step of: setting the firewall system to discard all packets by default and releasing, by manually configured rules, only the packets that need to pass.
Example 6: On the basis of embodiment 1, step S3 comprises the sub-step of: before deep parsing, the firewall engine running in user space reassembles the Modbus TCP stream.
Example 7: On the basis of embodiment 1, step S3 comprises the sub-steps of: before extracting the function code, start address and value carried in the packet, identifying the protocol from the packet's characteristics and port information; then checking the format of the Modbus TCP packet to confirm its validity, and checking that the session rate and total number of sessions during transmission are within limits.
Example 8: On the basis of embodiment 1, in step S4, sending the extracted fields to the middleware in a preset format and completing rule learning comprises the sub-steps of: turning on the rule-learning switch and displaying the parsed function code, start address and value information in a set format; or the administrator adjusts the learned Modbus TCP rules and issues them to the firewall engine; or the administrator configures the Modbus TCP function code, start address and value information in a custom way.
Example 9: On the basis of embodiment 7, in step S5, matching the function code, start address and value comprises the sub-steps of: first matching the function code; if the function code matches, continuing to match the start address; if the start address matches, continuing to match the value.
Example 10: On the basis of embodiment 1, protocol identification from the packet's characteristics and port information is performed specifically from the offset, depth and value of the protocol signature together with the port information, on which basis the developer implements identification of the corresponding protocol, the packet validity check and the parsing code; confirming packet validity specifically means checking the length and function code of the Modbus TCP packet and discarding illegal packets.
Example 11: FIG. 1 is a schematic diagram of the framework of the Modbus TCP protocol protection method for an industrial firewall according to the invention, which specifically comprises the following steps:
Step 1: Issuing rules. The invention provides two ways of issuing rules; the specific flow is shown in FIG. 3. 1) Issuing manually written rules. The user configures the Modbus TCP protocol, including: protocol name, port number, transport-layer protocol, function code, start address and value range. The user configures the source and destination IP addresses (IP groups are supported) and the event handling mode, i.e. alert or permit, which completes the issuing of the manually written rules. 2) Issuing learned rules. The administrator puts the firewall into all-pass mode (one of the firewall modes, in which all packets are passed), turns on the deep inspection switch, sets the learning period, turns on the learning switch, waits for learning to finish, adjusts the learned rules as required (the Modbus TCP function codes, start addresses and value ranges are adjusted manually), and then issues them to the firewall engine;
Step 2: Packet filtering. Kernel space filters on source IP address, destination IP address, source MAC address, destination MAC address, source port, destination port, protocol, time and so on, and sends only the packets that need deep inspection to the firewall engine in user space for further processing, which reduces the load on the firewall engine and improves firewall performance;
Step 3: Application-layer parsing. The firewall engine runs in user space and first reassembles the Modbus TCP stream to ensure that the data is complete. Once reassembly is done, the packet is parsed according to the format specified by the Modbus TCP protocol, and the function code, start address and value it carries are extracted.
Step 4: Rule learning. Following the Modbus TCP protocol learning flow chart shown in FIG. 2, the function code, start address and value parsed in step 3 are sent to the middleware in a preset format to complete rule learning;
Step 5: Rule matching. Following the Modbus TCP rule matching flow chart shown in FIG. 4, the function code is matched first; if the function code matches, the start address is matched next; if the start address matches, the value is matched last. A packet that matches a rule is handled with the action configured for that rule; a packet that matches no rule is discarded by default in working mode. Note that in this design a rule fails to match as soon as any one of the function code, start address or value fails to match;
Step 6: Notifying the kernel protocol stack to forward or discard the packet. For packets that match no rule, in working mode (one of the firewall modes, in which all packets are discarded by default, only packets allowed by a rule are passed, and notifications such as events are sent) the kernel protocol stack is notified to discard the packet.
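As an added example (not the patent's own code) of steps 4 to 6 above, the following Python applies rule learning, the administrator's adjustment and the three-stage match (function code, then start address, then value) with the working-mode default of discarding whatever matches no rule. It starts from records in the (function code, start address, value) form the text says step 3 hands to the middleware, so no parser is repeated here. The rule representation, the per-(function code, start address) learning strategy, the `adjust_rule` helper and both traffic lists are assumptions made for this example; the captures are constructed, not recorded.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union

# (function code, start address, value) as extracted by the engine in step 3. A read carries
# the quantity requested, a single write its value, a multiple write the list of values.
Record = Tuple[int, int, Union[int, List[int]]]


@dataclass
class Rule:
    function_code: int
    addr_lo: int
    addr_hi: int
    val_lo: int
    val_hi: int
    action: str = "permit"   # permit | alert | drop


def learn_rules(observations: Iterable[Record]) -> List[Rule]:
    """Learning mode (step 4): one rule per (function code, start address) covering the
    smallest and largest value seen for that pair during the learning period."""
    seen: Dict[Tuple[int, int], Tuple[int, int]] = {}
    for fc, addr, value in observations:
        for v in (value if isinstance(value, list) else [value]):
            lo, hi = seen.get((fc, addr), (v, v))
            seen[(fc, addr)] = (min(lo, v), max(hi, v))
    return [Rule(fc, addr, addr, lo, hi) for (fc, addr), (lo, hi) in sorted(seen.items())]


def adjust_rule(rules: List[Rule], fc: int, addr: int, *, addr_hi: Optional[int] = None,
                val_lo: Optional[int] = None, val_hi: Optional[int] = None,
                action: Optional[str] = None) -> Rule:
    """Administrator step: widen a learned rule or change its action before issuing it."""
    for rule in rules:
        if rule.function_code == fc and rule.addr_lo == addr:
            if addr_hi is not None:
                rule.addr_hi = addr_hi
            if val_lo is not None:
                rule.val_lo = val_lo
            if val_hi is not None:
                rule.val_hi = val_hi
            if action is not None:
                rule.action = action
            return rule
    raise KeyError("no learned rule for fc=%d addr=%d" % (fc, addr))


def match(rules: List[Rule], fc: int, addr: int,
          value: Union[int, List[int]]) -> Tuple[str, Optional[Rule]]:
    """Step 5: function code first, then start address, then value; the first rule that passes
    all three stages decides. Failing any stage moves on; no rule left means drop."""
    values = value if isinstance(value, list) else [value]
    for rule in rules:
        if rule.function_code != fc:
            continue                                   # stage 1 failed
        if not rule.addr_lo <= addr <= rule.addr_hi:
            continue                                   # stage 2 failed
        if not all(rule.val_lo <= v <= rule.val_hi for v in values):
            continue                                   # stage 3 failed
        return rule.action, rule
    return "drop", None                                # working-mode default


def enforce(rules: List[Rule], requests: Iterable[Record]) -> Tuple[List[str], List[str]]:
    """Apply the rules to extracted requests. Returns the per-request verdict handed to the
    kernel stack (step 6) and the security events raised for every drop or alert."""
    verdicts, events = [], []
    for fc, addr, value in requests:
        action, rule = match(rules, fc, addr, value)
        verdicts.append(action)
        if action != "permit":
            why = "no matching rule" if rule is None else "rule action"
            events.append("%s fc=%d addr=%d value=%s (%s)" % (action.upper(), fc, addr, value, why))
    return verdicts, events


# Constructed data, not a real capture: what the engine extracted during the learning period ...
LEARNING_CAPTURE: List[Record] = [
    (3, 0, 10), (3, 0, 10),            # HMI polls 10 holding registers from address 0
    (6, 16, 1200), (6, 16, 1500),      # setpoint writes to register 16 stayed within 1200..1500
    (16, 256, [1, 2]),                 # one multiple-register write at address 256
]
# ... and what arrives once the firewall is switched to working mode.
PRODUCTION_TRAFFIC: List[Record] = [
    (3, 0, 10),            # normal poll
    (6, 16, 1400),         # setpoint inside the learned range
    (6, 16, 9000),         # setpoint far outside the learned range (tampered value)
    (5, 7, 0xFF00),        # coil write never seen during learning: no rule, default drop
    (16, 256, [1, 3]),     # one register value outside the learned range
]

if __name__ == "__main__":
    rules = learn_rules(LEARNING_CAPTURE)
    adjust_rule(rules, 6, 16, action="alert")   # administrator: log setpoint writes rather than pass silently
    for line in enforce(rules, PRODUCTION_TRAFFIC)[1]:
        print(line)
```

Two points the example makes visible: the learned rules are as narrow as the learning window was representative, so an administrator must widen them (here `adjust_rule` on the address range or value bounds) before the first legitimate but previously unseen write is dropped; and only the start address is matched, exactly as the text specifies, so a multiple-register write is judged by where it begins and by each value, not by the address range it covers.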
The above is only a specific embodiment of the invention, but the scope of the invention is not limited to it. It should be noted that several modifications or adaptations that are obvious to those skilled in the art without departing from the principle of the invention fall within the scope of the claims of the invention.
If the functions of the invention are implemented as software functional units and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention, in essence or in the part that contributes over the prior art, may be embodied as a software product stored in a storage medium that executes all or part of the steps of the method of the embodiments of the invention on a computer device (which may be a personal computer, a server, a network device or the like) with corresponding software. The storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk and an optical disk; during program execution, test or actual data reside in read-only memory (ROM), random access memory (RAM) and the like.

Claims (4)

1. The Modbus TCP protocol protection method for the industrial firewall is characterized by comprising the following steps of:
s1, issuing rules to a firewall engine; in step S1, the issuing rule includes issuing a handwriting rule or issuing a learning rule; the issuing of the handwriting rules comprises the sub-steps of: configuring the Modbus TCP protocol by a user includes configuring: protocol name, port number, transport layer protocol, function code, initial address, value size range, configuration source destination IP and event log record and message processing mode, and completing the issuing of handwriting rule; the issuing of the learning rule comprises the sub-steps of: the firewall works in an all-pass mode, a depth detection switch is turned on, the learning time is set, then the learning switch is turned on, after learning is completed, the learned rule is adjusted according to the requirement, the Modbus TCP function code, the initial address and the value range are manually adjusted, and then the Modbus TCP function code, the initial address and the value range are issued to the firewall engine;
s2, the firewall system performs prefiltering, and the message needing depth detection is sent to a firewall engine for depth detection processing; in step S2, the pre-filtering comprises the sub-steps of: the kernel space filters the source IP address, the destination IP address, the source MAC address, the destination MAC address, the source port, the destination port, the protocol and the time, and only sends the message needing to be deeply detected to a firewall engine of the user space;
s3, the firewall engine carries out deep analysis on the received message according to a format specified by a Modbus TCP protocol, and extracts a function code, a starting address and a value carried in the message;
s4, the function code, the initial address and the value extracted in the step S3 are sent to the middleware according to a preset format, and rule learning is completed; in step S4, the foregoing is sent to the middleware according to a preset format, and the completion of rule learning includes the sub-steps of: opening a rule learning switch, and displaying the analyzed function code, the initial address and the value information according to a set format; or the administrator makes adjustment according to the learned Modbus TCP rules and sends the adjustment to the firewall engine; or an administrator can configure the function code and the starting address of Modbus TCP and value information in a self-defined mode;
s5, matching the function code, the initial address and the value, and configuring corresponding actions for the message successfully matched with the rule according to the rule; the message which is not successfully matched is processed according to the set rule result; the processing according to the set rule result specifically informs the kernel protocol stack to forward or discard the message; in step S2, the sub-steps are included: setting the firewall system as default to discard all messages, and releasing the manual configuration rule for the messages needing to pass; the matching function code, the start address and the value comprise the sub-steps of: firstly, matching the function codes, and if the function codes are successfully matched, continuing to match the initial address; if the initial address matching is successful, the matching value is continued again.
2. The Modbus TCP protocol protection method for an industrial firewall according to claim 1, wherein step S3 comprises the following sub-step: before deep parsing, the firewall engine running in user space reassembles the Modbus TCP stream.
3. The Modbus TCP protocol protection method for an industrial firewall according to claim 1, wherein step S3 comprises the following sub-steps: before extracting the function code, start address and value carried in the message, identifying the protocol according to the characteristics of the message and the port information; then checking the format of the Modbus TCP protocol message to confirm its legality, and checking the legality of the session rate and the total number of sessions during transmission.
4. The Modbus TCP protocol protection method for an industrial firewall according to claim 3, wherein identifying the protocol according to the characteristics of the message and the port information specifically means identifying it according to the offset, depth and value of the protocol characteristics together with the port information, after which the developer implements identification of the corresponding protocol, message legality checking and decoding; confirming the legality of the message specifically means checking the length and the function code of the Modbus TCP message and discarding illegal messages.
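The user-space part of the procedure in steps S3 to S5 and claims 2 to 4, written out as an added worked example. This is the editor's code, not the patent's or the assignees' implementation, and it makes several assumptions the claims do not state: only function codes 1 to 6, 15 and 16 are treated as legal, the whitelist is stored nested in the order the claim matches (function code, then start address, then value), the "value" for read and multi-write requests is the quantity field, and an administrator rule may use a wildcard value. The kernel-space pre-filter of step S2 (addresses, ports, time) is not modelled; the block starts where the engine receives the TCP payload. All names (StreamReassembler, parse_request, RuleEngine, mb_frame) are the editor's, and every frame is constructed inline rather than captured from real equipment.

```python
"""Editor's added example (not the patent's code): reassemble Modbus TCP ADUs
from a TCP stream (claim 2), check legality and discard illegal frames (claim 4),
extract function code / start address / value (S3), learn rules or take
administrator rules (S4), match FC -> address -> value with default deny (S5)."""
import struct
from typing import Iterator, NamedTuple, Optional

MBAP_LEN, MAX_ADU = 7, 260   # MBAP header size; Modbus TCP ADU upper bound
KNOWN_FC = {1, 2, 3, 4, 5, 6, 15, 16}   # assumption: the only legal function codes
ANY = None                   # wildcard value in an administrator rule

class Request(NamedTuple):
    function_code: int
    start_address: int
    value: int               # quantity for FC1-4/15/16, written value for FC5/6

class StreamReassembler:
    """Frame whole ADUs out of TCP payload using the MBAP length field."""
    def __init__(self) -> None:
        self._buf = b""
    def feed(self, data: bytes) -> Iterator[bytes]:
        self._buf += data
        while len(self._buf) >= MBAP_LEN:
            length = struct.unpack(">H", self._buf[4:6])[0]
            if not 2 <= length <= MAX_ADU - 6:
                self._buf = b""   # unframeable stream: discard, cannot resync
                return
            end = 6 + length
            if len(self._buf) < end:
                return            # wait for the rest of this frame
            frame, self._buf = self._buf[:end], self._buf[end:]
            yield frame

def parse_request(frame: bytes) -> Optional[Request]:
    """Legality check (protocol id, length, FC, PDU layout), then extraction; None = discard."""
    if not MBAP_LEN + 1 <= len(frame) <= MAX_ADU:
        return None
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0 or length != len(frame) - 6:
        return None
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc not in KNOWN_FC:
        return None
    if fc <= 6:                                 # FC1-6: address + quantity/value
        if len(pdu) != 5:
            return None
        addr, val = struct.unpack(">HH", pdu[1:5])
        if fc == 5 and val not in (0x0000, 0xFF00):
            return None                         # force single coil: ON/OFF encodings only
    else:                                       # FC15/16: address, quantity, byte count, data
        if len(pdu) < 6:
            return None
        addr, val, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != ((val + 7) // 8 if fc == 15 else 2 * val) or len(pdu) != 6 + nbytes:
            return None
    return Request(fc, addr, val)

class RuleEngine:
    """Whitelist nested in the order the patent matches: FC, then address, then value."""
    def __init__(self) -> None:
        self.rules: dict = {}
    def add_rule(self, fc: int, addr: int, value=ANY) -> None:
        self.rules.setdefault(fc, {}).setdefault(addr, set()).add(value)
    def learn(self, req: Request) -> None:      # rule-learning switch on
        self.add_rule(req.function_code, req.start_address, req.value)
    def decide(self, frame: bytes) -> str:
        req = parse_request(frame)
        if req is None:
            return "DROP"                       # illegal format
        values = self.rules.get(req.function_code, {}).get(req.start_address)
        if values is None:
            return "DROP"                       # FC or start address not whitelisted
        return "FORWARD" if (req.value in values or ANY in values) else "DROP"

def mb_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a constructed ADU: MBAP header (protocol id 0) + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed learning traffic: an HMI reads 10 holding registers from address 0
# and writes 1 to register 5; both requests arrive coalesced in one TCP segment.
LEARN_STREAM = (mb_frame(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))
                + mb_frame(2, 1, bytes([6]) + struct.pack(">HH", 5, 1)))
BAD_COIL_WRITE = mb_frame(3, 1, bytes([5]) + struct.pack(">HH", 0, 0x1234))

def build_engine() -> RuleEngine:
    engine, reasm = RuleEngine(), StreamReassembler()
    for frame in reasm.feed(LEARN_STREAM):
        req = parse_request(frame)
        if req is not None:
            engine.learn(req)
    engine.add_rule(6, 5, 2)    # administrator adjustment: also allow writing 2 to register 5
    return engine

def run_demo() -> list:
    """Four constructed requests, delivered split mid-frame over two TCP segments."""
    engine, reasm = build_engine(), StreamReassembler()
    data = b"".join([
        mb_frame(10, 1, bytes([6]) + struct.pack(">HH", 5, 2)),   # learned FC/addr, admin value
        mb_frame(11, 1, bytes([6]) + struct.pack(">HH", 5, 9)),   # value never learned
        mb_frame(12, 1, bytes([16]) + struct.pack(">HHB", 5, 1, 2) + b"\x00\x01"),  # FC16 unlearned
        struct.pack(">HHHB", 13, 1, 6, 1) + bytes([3]) + struct.pack(">HH", 0, 10),  # protocol id 1
    ])
    return [engine.decide(f) for chunk in (data[:9], data[9:]) for f in reasm.feed(chunk)]
```

Running `run_demo()` returns `['FORWARD', 'DROP', 'DROP', 'DROP']`: the first write matches a learned function code and address with an administrator-permitted value, the second fails at the value stage, the third fails at the function-code stage, and the fourth never reaches matching because the MBAP protocol identifier is not 0. Note that a corrupt length field makes the stream unframeable, so the reassembler discards its buffer rather than guessing where the next frame starts; a production engine would also reset or close the session at that point.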
CN202111551637.6A 2021-12-17 2021-12-17 Modbus TCP Protocol Protection Method for Industrial Firewall Active CN114244609B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111551637.6A CN114244609B (en) 2021-12-17 2021-12-17 Modbus TCP Protocol Protection Method for Industrial Firewall

Publications (2)

Publication Number Publication Date
CN114244609A CN114244609A (en) 2022-03-25
CN114244609B true CN114244609B (en) 2023-08-25

Family

ID=80757897

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111551637.6A Active CN114244609B (en) 2021-12-17 2021-12-17 Modbus TCP Protocol Protection Method for Industrial Firewall

Country Status (1)

Country Link
CN (1) CN114244609B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978782B (en) * 2022-08-02 2022-11-01 北京六方云信息技术有限公司 Industrial control threat detection method and device, industrial control equipment and storage medium
CN116939065B (en) * 2023-08-07 2024-02-06 山东九州信泰信息科技股份有限公司 Modbus protocol TCP segmentation rapid deep inspection method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104519065A (en) * 2014-12-22 2015-04-15 北京卓越信通电子股份有限公司 Implementation method of industrial control firewall supporting Modbus TCP protocol filtering
CN105704103A (en) * 2014-11-26 2016-06-22 中国科学院沈阳自动化研究所 Modbus TCP communication behavior abnormity detection method based on OCSVM double-contour model

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11463407B2 (en) * 2018-07-13 2022-10-04 Raytheon Company Policy engine for cyber anomaly detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Study on application layer support for Factories of the Future in 5G network; 3GPP; 3GPP TR 23.745 V1.7.0; full text *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant