CN115001829B - Protocol vulnerability discovery method, device, equipment and storage medium - Google Patents


Info

Publication number: CN115001829B
Application number: CN202210636442.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN115001829A
Inventors: 李梦玮, 巩潇, 万彬彬, 崔登祺, 赵郑斌
Current and original assignee: China Software Evaluation Center
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433: Vulnerability analysis

Abstract

The application relates to the field of communication security and provides a protocol vulnerability discovery method, device, equipment and storage medium. The method comprises the following steps: acquiring protocol data of the equipment to be tested and analyzing the protocol data to generate an analysis result; performing protocol verification according to the analysis result to verify whether the protocol of the equipment to be tested conforms to a protocol standard; performing message replay verification on the equipment to be tested according to the protocol data; and performing mutation processing on the protocol data according to a preset test case to obtain mutation data, and performing a vulnerability test on the equipment to be tested according to the mutation data. The expanded test cases improve test coverage, reduce the total number of test cases that must be completed and shorten the test time, which helps find unknown vulnerabilities in the robot protocol more quickly and accurately.

Description

Protocol vulnerability discovery method, device, equipment and storage medium
Technical Field
The present application relates to the field of communications security, and in particular, to a method, an apparatus, a device, and a storage medium for protocol vulnerability discovery.
Background
Industrial robots are an important indicator of a country's manufacturing level and an important tool for reshaping the competitive advantage of China's manufacturing industry. Industrial robots are currently deployed in large numbers in China and are widely used in industries such as automobiles and chemicals; they complete industrial production automatically, efficiently and accurately, which helps improve the competitiveness of products.
With the wide application of industrial robots, the problem of network security has become increasingly prominent. As the information security situation faced by industrial control systems grows more severe, the need for security testing specialized to robot system products also becomes more pressing. At present there is no protocol vulnerability mining method dedicated to robots, so robot protocol vulnerabilities cannot be discovered effectively.
Disclosure of Invention
In view of the above, the embodiments of the present application provide a method, an apparatus, a device, and a storage medium for discovering a vulnerability of a communication protocol of a robot, so as to solve the problem in the prior art that the vulnerability of the communication protocol of the robot cannot be discovered effectively.
A first aspect of an embodiment of the present application provides a protocol vulnerability discovery method, where the method includes:
Acquiring protocol data of equipment to be tested, and analyzing the protocol data to generate an analysis result;
Carrying out protocol verification according to the analysis result, and verifying whether the protocol of the equipment to be tested accords with a protocol standard;
According to the protocol data, carrying out message replay verification on the equipment to be tested;
And carrying out mutation processing on the protocol data according to a preset test case to obtain mutation data, and carrying out vulnerability test on the equipment to be tested according to the mutation data.
With reference to the first aspect, in a first possible implementation manner of the first aspect, performing, according to a preset test case, mutation processing on the protocol data to obtain mutation data includes:
Determining a key protocol field in a preset test case;
Modifying the key protocol fields in the protocol data according to a preset fuzzing strategy to obtain variant data;
Or alternatively
Determining a protocol format of a preset test case;
and modifying the protocol format according to a preset fuzzing strategy to obtain variant data.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, performing a vulnerability test on the device under test according to mutation data includes:
transmitting the variation data to the equipment to be tested;
and monitoring and recording the state information of the equipment to be tested.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, monitoring state information of the device under test includes:
monitoring the online state of the equipment to be tested through a ping instruction;
port monitoring is used for determining the port switch state of the equipment to be tested;
And acquiring input data and output data of the equipment to be tested through I/O monitoring interaction data.
With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, after acquiring input data and output data of the device under test through I/O monitoring interaction data, the method further includes:
Determining abnormal data in the monitored interactive data;
And determining the test case generating the abnormal data through interval test.
With reference to the first aspect, in a fifth possible implementation manner of the first aspect, performing protocol verification according to the analysis result, and verifying whether the protocol of the device under test meets a protocol standard includes:
And determining whether the protocol of the equipment to be tested accords with a protocol standard through characteristic value matching, grammar structure analysis and/or data relation analysis.
With reference to the first aspect, in a sixth possible implementation manner of the first aspect, performing, according to the protocol data, message replay verification on the device under test includes:
Obtaining first response data of an original message in the equipment to be tested through data grabbing;
and sending the original message to the equipment to be tested, acquiring second response data of the equipment to be tested, and determining a replay verification result according to the first response data and the second response data.
A second aspect of an embodiment of the present application provides a protocol vulnerability discovery apparatus, where the apparatus includes:
The protocol data analysis unit is used for acquiring the protocol data of the equipment to be tested, analyzing the protocol data and generating an analysis result;
the protocol verification unit is used for carrying out protocol verification according to the analysis result, and verifying whether the protocol of the equipment to be tested accords with a protocol standard;
The replay verification unit is used for carrying out message replay verification on the equipment to be tested according to the protocol data;
and the mutation testing unit is used for carrying out mutation processing on the protocol data according to a preset test case to obtain mutation data, and carrying out vulnerability testing on the equipment to be tested according to the mutation data.
A third aspect of an embodiment of the present application provides a protocol vulnerability discovery apparatus comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of the first aspects when executing the computer program.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method according to any of the first aspects.
Compared with the prior art, the embodiments of the application have the following beneficial effects. Whether the protocol conforms to the standard is determined from the analysis result of the protocol data; message replay verification is performed on the basis of the protocol data to verify the identity-authentication security of the device to be tested; and after the device to be tested passes the message replay verification, a vulnerability test is further performed on it by mutating the test cases. The expanded test cases broaden test coverage, reduce the total number of test cases and shorten the test time, so that unknown vulnerabilities of the robot protocol can be found more quickly and accurately.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an implementation scenario of a protocol vulnerability discovery method of a robot according to an embodiment of the present application;
Fig. 2 is a schematic implementation flow diagram of a protocol vulnerability discovery method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a protocol vulnerability discovery apparatus according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a protocol vulnerability discovery apparatus according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as the particular system architecture, techniques, etc., in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
In order to illustrate the technical scheme of the application, the following description is made by specific examples.
Fig. 1 is a schematic diagram of an implementation scenario of a protocol vulnerability discovery method for a robot according to an embodiment of the present application. As shown in Fig. 1, the implementation scenario includes a service platform, a device under test and a protocol vulnerability discovery device. The service platform can establish a communication link with the device under test and send control instructions, data and other information to it over that link. The device under test can send collected data to the service platform over the communication link; the collected data include state data of the device under test or environment data of the device under test. The protocol vulnerability discovery device is attached to the communication link, and while the service platform and the device under test exchange data it can obtain the protocol data of the device under test from the communication link by intercepting it. The protocol data comprise either or both of the data sent by the device under test to the service platform and the data sent by the service platform to the device under test. It will be understood that the service platform may also be connected to other devices under test, to devices that have already been tested, to mobile control terminals, to a control center, and so on.
Fig. 2 is a schematic implementation flow diagram of a protocol vulnerability discovery method based on the implementation scenario shown in fig. 1 according to an embodiment of the present application, which is described in detail below:
in S201, the protocol data of the device to be tested is obtained, and the protocol data is parsed to generate a parsing result.
Specifically, the device to be tested in the embodiment of the application can comprise intelligent devices such as an industrial robot, industrial automation equipment and the like.
When the device under test is connected to the communication link with the service platform, the protocol vulnerability mining device can be connected to the mirror port of the switch for the device under test and capture the protocol data from that mirror port.
The protocol data may be captured in real time or acquired manually. Alternatively, the capture time of the protocol data can be determined from the analysis result, the verification result and other information about the protocol data.
In the embodiment of the application, when the protocol data of the robot are analyzed, the robot's protocol may be Modbus, UMAS, S7comm, Profinet, DeviceNet, EtherNet/IP or another communication protocol. When analyzing the protocol data, one or more of the source address, destination port, source port, network protocol, transmitted traffic, received traffic, number of transmitted packets, number of received packets, protocol type and similar fields of TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) traffic can be extracted as the analysis result. The analysis result obtained in this way is then used for the protocol verification and message replay verification of the subsequent steps.
In the embodiment of the application, TCP stream reassembly can be performed on the captured packets, and the various application-layer protocols carried over TCP are analyzed from the reassembled data; IP fragment reassembly may also be performed. Irrelevant packets are filtered out of the reassembled data, the remaining packets are formatted uniformly, and the analysis results are stored in a standardized data structure so that protocol verification can be performed on them.
In S202, a protocol verification is performed according to the analysis result, to verify whether the protocol of the device under test meets a protocol standard.
Different protocols have different verification criteria. The protocol verification flow for each protocol can be implemented as a plug-in, so that the protocols of different robots can be verified with different plug-ins. The network protocol used by the device under test is determined from the analysis result of the protocol data, and the protocol verification plug-in corresponding to that network protocol is then applied.
In the embodiment of the application, test cases are preset in the protocol vulnerability discovery device. Once the acquired protocol data have been analyzed successfully, the characteristic values of the protocol data and the corresponding message positions can be transmitted in a specific format over a specific transport, for example as JSON over MQTT. The characteristic values may include, for example, the source IP, destination IP, source port, destination port, protocol type, function code and data packet.
When test cases are generated intelligently, the fields in the analysis result can be marked (for example with different colors), the messages of an entire flow conversation can be combined by flow tracking, the various messages are analyzed, and the analysis result can be recorded with different marks, including labels of different colors. The analysis result is then compared with the standard result to determine whether the protocol conforms to the protocol standard.
In the embodiment of the application, when verifying whether the protocol meets the protocol standard, whether the protocol meets the protocol standard can be determined through one or more of characteristic value matching, grammar structure analysis and data relation analysis.
For example, the protocol verification may be performed on a characteristic value of the protocol data, such as the protocol format: if the intercepted protocol data do not match the characteristic value of the standard protocol's data format, they cannot pass protocol verification.
When the grammar structure analysis is carried out, the grammar structure of the data message in the intercepted protocol data can be compared with the grammar structure of the data message of the standard protocol, and the matching degree of the grammar structure can be determined. And determining whether the acquired protocol data accords with the protocol standard or not based on the matching degree of the grammar structure and the standard information of the grammar structure of the standard protocol.
When the protocol verification is performed based on the data relationship, whether the current protocol data accords with the protocol standard can be determined based on the data relationship between the data of the standard protocol and the data relationship of the intercepted protocol data. The data relationship may include a correspondence relationship between data, a calculation relationship between data, and the like.
When the protocol in the protocol data is detected not to conform to the standard, the non-conforming location can be marked or an alarm prompt issued, so that staff can improve the protocol or repair the protocol vulnerability according to the prompt.
In S203, according to the protocol data, the device under test is subjected to message replay verification.
In the embodiment of the application, the original message corresponding to the first response data in the intercepted protocol data can be determined. The original message is sent to the device under test, and the second response data returned by the device under test for that original message are acquired. The first response data are compared with the second response data to perform message replay verification on the device under test, for example an industrial robot. For instance, the original message may be login data: the intercepted message is sent to the device under test, and the result of the message replay verification is determined by the difference in the granted permissions. When the message replay verification passes, that is, the first response data agree with the second response data, the login permission of the device under test can be obtained from the intercepted protocol data; this identifies a login-security defect of the current protocol, and the security of the protocol can be improved on that basis.
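As an added illustration that is not part of the patent, the following code applies the three verification techniques of S202 (characteristic value matching, grammar structure analysis, data relation analysis) and the first/second response comparison of S203 to Modbus/TCP frames. The frame layout and the function-code and quantity limits come from the public Modbus/TCP specification; every sample frame is constructed for this example and the function names are this example's own.

```python
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # MBAP header: transaction id (2), protocol id (2), length (2), unit id (1)
# Subset of the public Modbus function codes; a deployment would load the full table.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_frame(raw: bytes) -> ModbusFrame:
    """Grammar structure analysis: a frame is an MBAP header followed by a PDU."""
    if len(raw) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:MBAP_LEN])
    return ModbusFrame(tid, pid, length, uid, raw[MBAP_LEN], raw[MBAP_LEN + 1:])


def verify_frame(raw: bytes) -> list:
    """S202: return the standard violations found; an empty list means conformance."""
    problems = []
    try:
        frame = parse_frame(raw)
    except ValueError as exc:
        return ["structure: " + str(exc)]
    # Characteristic value matching: values the standard fixes for every frame.
    if frame.protocol_id != 0:
        problems.append("feature: protocol id %d, expected 0" % frame.protocol_id)
    if (frame.function_code & 0x7F) not in PUBLIC_FUNCTION_CODES:
        problems.append("feature: unknown function code %d" % frame.function_code)
    # Data relation analysis across fields: length counts unit id + PDU bytes.
    expected = 1 + 1 + len(frame.data)
    if frame.length != expected:
        problems.append("relation: length field %d, %d bytes present"
                        % (frame.length, expected))
    # Data relation analysis inside the PDU: register reads carry a bounded quantity.
    if frame.function_code in (3, 4) and len(frame.data) == 4:
        quantity = struct.unpack(">H", frame.data[2:4])[0]
        if not 1 <= quantity <= 125:
            problems.append("relation: read quantity %d outside 1..125" % quantity)
    return problems


def replay_verdict(first_response: bytes, second_response: bytes) -> str:
    """S203: compare the captured response with the response to the re-sent message.
    The transaction id legitimately differs between the two, so it is masked."""
    a, b = parse_frame(first_response), parse_frame(second_response)
    if (a.unit_id, a.function_code, a.data) == (b.unit_id, b.function_code, b.data):
        return "accepted"   # device honoured the replayed message with the same result
    if b.function_code & 0x80:
        return "rejected"   # device answered the replay with an exception response
    return "differs"        # neither identical nor an exception: review manually


# Constructed sample frames (not captured from any real device).
GOOD_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # read 10 holding regs
BAD_LENGTH = bytes.fromhex("0002 0000 0009 01 03 0000 000a")     # length overstated
BAD_PROTOCOL = bytes.fromhex("0003 0005 0006 01 03 0000 000a")   # protocol id != 0
BAD_QUANTITY = bytes.fromhex("0004 0000 0006 01 03 0000 00c8")   # 200 registers
FIRST_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 0001 0002")
SECOND_RESPONSE = bytes.fromhex("0002 0000 0007 01 03 04 0001 0002")  # new tid only
EXCEPTION_RESPONSE = bytes.fromhex("0002 0000 0003 01 83 01")

if __name__ == "__main__":
    for name, raw in [("good", GOOD_REQUEST), ("bad length", BAD_LENGTH),
                      ("bad protocol", BAD_PROTOCOL), ("bad quantity", BAD_QUANTITY)]:
        print(name, verify_frame(raw) or "conforms")
    print("replay:", replay_verdict(FIRST_RESPONSE, SECOND_RESPONSE))
    print("replay:", replay_verdict(FIRST_RESPONSE, EXCEPTION_RESPONSE))
```

For a plain register read an "accepted" verdict is normal behaviour; it is the "accepted" verdict on an authentication or authorisation message that indicates the missing replay protection the text describes.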
In S204, mutation processing is performed on the protocol data according to a preset test case to obtain mutation data, and vulnerability testing is performed on the device to be tested according to the mutation data.
In the embodiment of the application, the protocol vulnerability discovery device stores the test cases in advance, and the packets of the test cases can be sent at a certain test interval. In the embodiment of the application, abnormal data structures can be generated by a fuzz test engine from the analysis result after protocol verification. The fuzz engine comprises a generator that produces the abnormal structures and a compiler that calls the generator to produce the mutation result for the content of the protocol data.
Exception generation may include known-exception generation and format-exception generation. Known-exception generation matches the key protocol fields that can be fuzzed according to the built-in test cases, and during the test the key protocol fields contained in the intercepted protocol data can be changed at random, for example by inserting special characters. In format-exception generation, since each protocol's message format has a corresponding standard (for example, the header and trailer of the Modbus protocol have fixed formats), the format exception is produced by randomly changing the message format according to a preset fuzzing strategy.
In the embodiment of the application, the generated variant data can be sent to the device under test, the state information of the device under test is monitored and recorded, and the protocol vulnerabilities of the device under test are determined from the monitored state information.
The state of the device under test may include its online state, port open/closed state, input data state, output data state and so on. For example, the online state of the device under test can be monitored with a ping instruction; port monitoring determines the open/closed state of the ports of the device under test; and the input and output data of the device under test are obtained by monitoring the I/O interaction data.
In the embodiment of the application, the test case that caused the test anomaly can be found by an interval test method. During the interval test, the erroneous field content is determined by means of the built-in erroneous protocol fields, the erroneous field content is matched against the built-in test cases, and the matching test case is identified.
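An added example, not from the patent, of the interval test just described: a failing sequence of test cases is halved repeatedly, restarting the device before each probe, until the single triggering case remains, and its erroneous field is then reported. The device under test, its monitor and the test-case sequence are constructed stand-ins; the example assumes that one case alone triggers the anomaly.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TestCase:
    case_id: str
    payload: bytes


@dataclass
class SimulatedDevice:
    """Constructed stand-in for the device under test. Its 'protocol stack' goes
    offline when a frame's MBAP length field disagrees with the bytes present,
    which is the kind of format exception the mutation step produces."""
    online: bool = True
    restarts: int = 0

    def restart(self) -> None:
        self.online = True
        self.restarts += 1

    def send(self, payload: bytes) -> None:
        if not self.online:
            return
        declared = int.from_bytes(payload[4:6], "big")
        if declared != len(payload) - 6:
            self.online = False


def device_state_ok(dev: SimulatedDevice) -> bool:
    """Stands in for the ping / port / I/O monitoring of the method."""
    return dev.online


def run_interval(dev: SimulatedDevice, cases: List[TestCase]) -> bool:
    """Restart the device, send one interval of cases and report whether it survived."""
    dev.restart()
    for case in cases:
        dev.send(case.payload)
        if not device_state_ok(dev):
            return False
    return True


def locate_culprit(dev: SimulatedDevice, cases: List[TestCase]) -> Optional[TestCase]:
    """Interval test: halve the failing interval until one case remains.
    Restarting before each probe keeps earlier cases from masking later ones."""
    if run_interval(dev, cases):
        return None                      # the whole sequence is harmless
    lo, hi = 0, len(cases)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if run_interval(dev, cases[lo:mid]):
            lo = mid                     # first half harmless: culprit is in the second
        else:
            hi = mid                     # first half already fails: narrow to it
    return cases[lo]


def error_field(payload: bytes) -> Optional[str]:
    """Match the failing case against the built-in erroneous-field description."""
    declared = int.from_bytes(payload[4:6], "big")
    if declared != len(payload) - 6:
        return "length field %d, %d bytes follow it" % (declared, len(payload) - 6)
    return None


# Constructed test sequence: 16 read-holding-registers frames, one with a bad length.
GOOD = bytes.fromhex("0001 0000 0006 01 03 0000 0001")
BAD = bytes.fromhex("0001 0000 0009 01 03 0000 0001")
SAMPLE_CASES = [TestCase("tc%02d" % i, GOOD) for i in range(16)]
SAMPLE_CASES[11] = TestCase("tc11", BAD)


def demo() -> tuple:
    """Locate the culprit and report it with the number of device restarts used."""
    dev = SimulatedDevice()
    culprit = locate_culprit(dev, SAMPLE_CASES)
    return culprit.case_id, error_field(culprit.payload), dev.restarts


if __name__ == "__main__":
    print(demo())   # ('tc11', 'length field 9, 6 bytes follow it', 5)
```

Five restarts locate the culprit among sixteen cases, against sixteen when each case is replayed on its own; the saving grows with the size of the case sequence.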
In the embodiment of the application, the running state of the robot during protocol vulnerability discovery can be monitored by a monitoring module. The monitor can observe the state of the device under test, such as a robot, during the test. The robot state mainly covers the capture of robot protocol test packets, the analysis of robot protocol data and so on. According to the embodiment of the application, the script of the robot protocol detection packets can be predefined according to the robot protocol specification, and the detection packets are sent at certain test intervals.
In the embodiment of the application, an inline deployment mode can be adopted: the protocol fuzz test engine for the device under test, namely the protocol vulnerability mining device of this application, is inserted between the service platform and the client (the device under test), and the intercepted protocol data can be mutated in replay mode to generate malformed or variant data, so that the protocol vulnerability mining method can realize abnormal restarting.
When the device under test operates normally, it usually exchanges I/O data with the lower-level production process; if the process handling mechanism is disturbed by an abnormal protocol stack, the lower-level I/O signals are affected. The application can use an interface card with D/A or A/D conversion to connect the I/O output lines of the robot externally to an upper computer (such as the protocol vulnerability mining device). A process simulation program runs on the upper computer, and a monitoring program is deployed that continuously polls the signal interaction on the I/O ports; when an anomaly occurs, a message is sent to the protocol vulnerability mining device so that the scene information is saved, and the I/O anomaly and the process breakpoint can also be saved locally for further analysis.
In addition, in the embodiment of the application, once the fuzz test engine in the protocol vulnerability mining device has been invoked through a state transition, testing of the device under test can begin. A monitor module can be provided in the protocol vulnerability mining device; it sends the packets defined in the test cases to the device under test and checks from top to bottom whether the protocol stack of the device under test is working normally. The protocol data of the device under test (robot) cover the capture of protocol test packets, the analysis of robot protocol data and so on. According to the robot protocol specification, the protocol vulnerability discovery device can send the test-case packets for detection at a certain test interval; if the response is normal, the next detection packet is sent, and if it is abnormal, this is reported to the protocol vulnerability discovery device.
It should be understood that the sequence numbers of the steps in the foregoing embodiment do not imply an execution order; the execution order of the processes should be determined by their functions and internal logic and should not limit the implementation of the embodiments of the present application.
Fig. 3 is a schematic diagram of a protocol vulnerability discovery apparatus according to an embodiment of the present application, as shown in fig. 3, where the apparatus includes:
The protocol data parsing unit 301 is configured to obtain protocol data of a device to be tested, parse the protocol data, and generate a parsing result;
a protocol verification unit 302, configured to perform protocol verification according to the analysis result, to verify whether the protocol of the device to be tested meets a protocol standard;
A replay verification unit 303, configured to perform message replay verification on the device under test according to the protocol data;
The mutation testing unit 304 is configured to perform mutation processing on the protocol data according to a preset test case to obtain mutation data, and perform a vulnerability test on the device to be tested according to the mutation data.
The protocol vulnerability discovery apparatus shown in fig. 3 corresponds to the protocol vulnerability discovery method shown in fig. 2.
Fig. 4 is a schematic diagram of a protocol vulnerability discovery apparatus according to an embodiment of the present application. As shown in fig. 4, the protocol vulnerability discovery apparatus 4 of this embodiment includes: a processor 40, a memory 41, and a computer program 42, such as a protocol vulnerability discovery program, stored in the memory 41 and executable on the processor 40. The steps of the various protocol vulnerability discovery method embodiments described above are implemented by the processor 40 when executing the computer program 42. Or the processor 40, when executing the computer program 42, performs the functions of the modules/units of the apparatus embodiments described above.
Illustratively, the computer program 42 may be partitioned into one or more modules/units that are stored in the memory 41 and executed by the processor 40 to carry out the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which describe the execution of the computer program 42 in the protocol vulnerability discovery apparatus 4.
The protocol vulnerability discovery apparatus may include, but is not limited to, a processor 40, a memory 41. Those skilled in the art will appreciate that fig. 4 is merely an example of the protocol vulnerability discovery device 4 and is not meant to be limiting of the protocol vulnerability discovery device 4, and may include more or fewer components than illustrated, or may combine certain components, or different components, e.g., the protocol vulnerability discovery device may further include input-output devices, network access devices, buses, etc.
The processor 40 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 41 may be an internal storage unit of the protocol vulnerability discovery apparatus 4, such as a hard disk or memory of the protocol vulnerability discovery apparatus 4. The memory 41 may also be an external storage device of the protocol vulnerability discovery apparatus 4, such as a plug-in hard disk, a smart media card (SMC), a Secure Digital (SD) card, a flash card or the like provided on the protocol vulnerability discovery apparatus 4. Further, the memory 41 may include both an internal storage unit and an external storage device of the protocol vulnerability discovery apparatus 4. The memory 41 is used for storing the computer program and the other programs and data required by the protocol vulnerability discovery apparatus. The memory 41 may also be used for temporarily storing data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts that are not described or illustrated in detail in a particular embodiment, reference may be made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other manners. For example, the apparatus/terminal device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on this understanding, the present application may also be implemented by a computer program that carries out all or part of the procedures of the methods of the above embodiments; the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of the respective method embodiments. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, some intermediate form, etc. The computer readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content a computer readable medium may include can be increased or decreased as appropriate according to the requirements of legislation and patent practice in a given jurisdiction; for example, in certain jurisdictions the computer readable medium does not include electrical carrier signals and telecommunications signals.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (9)

1. A protocol vulnerability discovery method, the method comprising:
acquiring protocol data of a device under test and parsing the protocol data to generate a parsing result, wherein the device under test comprises an industrial robot;
determining, according to the parsing result, the network protocol used by the device under test, and performing protocol verification with the protocol verification plug-in corresponding to the determined network protocol, wherein whether the protocol of the device under test conforms to the protocol standard is verified by comparing the syntax structure of a data message in the intercepted protocol data with the syntax structure of a standard data message, and by calculating the relationships between data items through their correspondence in data relationship analysis;
then performing message replay verification on the device under test according to the protocol data: intercepting, in the protocol data, the original message corresponding to first response data, sending that original message to the device under test, obtaining the second response data that the device under test produces for the original message, and determining that the current protocol is defective if the first response data is consistent with the second response data;
after the message replay verification is passed, mutating the protocol data according to a preset test case to obtain mutated data, and performing a vulnerability test on the device under test according to the mutated data.
2. The method of claim 1, wherein mutating the protocol data according to a preset test case to obtain mutated data comprises:
determining a key protocol field in the preset test case;
modifying the key protocol field in the protocol data according to a preset fuzzing strategy to obtain the mutated data;
or
determining the protocol format of the preset test case;
and modifying the protocol format according to the preset fuzzing strategy to obtain the mutated data.
3. The method of claim 2, wherein performing the vulnerability test on the device under test according to the mutated data comprises:
sending the mutated data to the device under test;
and monitoring and recording the state information of the device under test.
4. The method of claim 3, wherein monitoring the state information of the device under test comprises:
monitoring the online state of the device under test with a ping command;
determining the open/closed state of the ports of the device under test by port monitoring;
and acquiring the input data and output data of the device under test by I/O monitoring of the interaction data.
5. The method of claim 4, wherein, after acquiring the input data and output data of the device under test by I/O monitoring of the interaction data, the method further comprises:
determining abnormal data in the monitored interaction data;
and determining, by interval testing, the test case that generated the abnormal data.
6. The method of claim 1, wherein performing protocol verification according to the parsing result and verifying whether the protocol of the device under test conforms to a protocol standard comprises:
determining whether the protocol of the device under test conforms to the protocol standard by feature value matching, syntax structure analysis and/or data relationship analysis.
7. A protocol vulnerability discovery apparatus, the apparatus comprising:
a protocol data parsing unit for acquiring protocol data of a device under test and parsing the protocol data to generate a parsing result, wherein the device under test comprises an industrial robot;
a protocol verification unit for determining, according to the parsing result, the network protocol used by the device under test, performing protocol verification with the protocol verification plug-in corresponding to the determined network protocol, comparing the syntax structure of a data message in the intercepted protocol data, together with the correspondence and calculated relationships between data items obtained from data relationship analysis, with the syntax structure of a standard data message, determining the degree of syntax structure matching, and verifying whether the protocol of the device under test conforms to the protocol standard;
a replay verification unit for performing message replay verification on the device under test according to the protocol data: intercepting, in the protocol data, the original message corresponding to first response data, sending that original message to the device under test, obtaining the second response data that the device under test produces for the original message, and determining that the current protocol is defective if the first response data is consistent with the second response data;
and a mutation testing unit for mutating the protocol data according to a preset test case to obtain mutated data after the message replay verification is passed, and performing a vulnerability test on the device under test according to the mutated data.
8. A protocol vulnerability discovery device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 6.
9. A computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 6.
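The method of claims 1 to 6 above, reduced to a runnable in-process sketch (an added example, not the patent's or the applicant's code). It assumes, as constructed choices the patent does not make, that the device under test speaks Modbus/TCP and that the device is replaced by a simulation with one planted defect; the MBAP frame layout, the public function codes and the 0x7D maximum read quantity come from the Modbus/TCP specification, while SimulatedDevice, the boundary values, the captured frame and every function name are constructed here.

```python
"""Added example, not the patent's code: the claimed pipeline scaled down to run in-process.
Constructed assumptions: the device under test speaks Modbus/TCP (the patent names no
protocol) and is replaced by a simulation carrying one planted defect."""
import struct

# Modbus/TCP MBAP header (transaction id, protocol id, length, unit id, function code):
# the "standard data message" layout that captured frames are checked against.
HDR = struct.Struct(">HHHBB")
PUBLIC_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16}   # subset of the public function codes

def parse(frame):
    """Claim 1, first step: split a captured frame into fields (the 'parsing result')."""
    if len(frame) < HDR.size:
        raise ValueError("frame shorter than MBAP header")
    tid, pid, length, uid, fc = HDR.unpack_from(frame)
    return {"tid": tid, "pid": pid, "length": length, "uid": uid, "fc": fc, "data": frame[HDR.size:]}

def verify_standard(frame):
    """Claims 1 and 6: feature value matching, syntax structure comparison and data
    relationship analysis against the standard; returns the deviations found."""
    f, issues = parse(frame), []
    if f["pid"] != 0:                       # feature value: protocol id is always 0
        issues.append("protocol id != 0")
    if f["fc"] not in PUBLIC_FUNCTIONS:     # syntax structure: function code must be known
        issues.append(f"unknown function code {f['fc']}")
    expected = 2 + len(f["data"])           # data relationship: length = unit id + fc + data
    if f["length"] != expected:
        issues.append(f"length field {f['length']} != {expected}")
    return issues

class SimulatedDevice:
    """Constructed stand-in for the device under test: eight holding registers, no replay
    protection, and a planted defect (an unchecked read range takes the device offline)."""
    def __init__(self):
        self.regs, self.online = [0] * 8, True

    def handle(self, frame):
        if not self.online:                              # a crashed device answers nothing
            return None
        f = parse(frame)
        if f["fc"] == 3 and len(f["data"]) == 4:         # read holding registers
            addr, qty = struct.unpack(">HH", f["data"])
            if addr + qty > len(self.regs):              # planted bug: no bounds check
                self.online = False
                return None
            body = b"".join(struct.pack(">H", r) for r in self.regs[addr:addr + qty])
            return HDR.pack(f["tid"], 0, 3 + len(body), f["uid"], 3) + bytes([len(body)]) + body
        return HDR.pack(f["tid"], 0, 3, f["uid"], f["fc"] | 0x80) + b"\x01"   # exception 01

def replay_check(dev, frame):
    """Claim 1, replay verification: send the captured message twice; identical responses
    mean the device accepts replayed traffic, which the claim records as a defect."""
    first, second = dev.handle(frame), dev.handle(frame)
    return first is not None and first == second

def mutate_key_fields(frame):
    """Claim 2, first branch: mutate key fields (function code, read quantity) under a
    small boundary-value fuzzing strategy; each result is one test case."""
    f, cases = parse(frame), []
    for fc in (0, 0x7F, 0xFF):                           # codes outside the public set
        cases.append(HDR.pack(f["tid"], 0, f["length"], f["uid"], fc) + f["data"])
    if len(f["data"]) >= 4:
        addr = struct.unpack(">H", f["data"][:2])[0]
        for qty in (0, 0x7D, 0x7E, 0xFFFF):              # 0x7D is the standard's maximum
            cases.append(HDR.pack(f["tid"], 0, f["length"], f["uid"], f["fc"])
                         + struct.pack(">HH", addr, qty) + f["data"][4:])
    return cases

def run_cases(dev, cases):
    """Claims 3 and 4: send each test case and record (response, online state) after it;
    the simulated online flag stands in for the ping and port checks."""
    return [(dev.handle(c), dev.online) for c in cases]

def locate_by_interval(make_device, cases):
    """Claim 5: interval (bisection) testing over a batch that took the device offline, to
    find the case that produced the abnormal state. Prefix lengths are bisected, so the
    result is right even when earlier cases changed the device's state."""
    def prefix_kills(n):
        dev = make_device()
        for c in cases[:n]:
            dev.handle(c)
        return not dev.online
    if not prefix_kills(len(cases)):
        return None
    lo, hi = 0, len(cases)                               # prefix[:lo] survives, prefix[:hi] kills
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (lo, mid) if prefix_kills(mid) else (mid, hi)
    return hi - 1

def run_pipeline():
    """The whole flow of claim 1: parse, verify, replay-check, then mutate and test."""
    # constructed capture: unit 1, FC 3 read of two holding registers starting at address 0
    captured = HDR.pack(1, 0, 6, 1, 3) + struct.pack(">HH", 0, 2)
    report = {"conforms": verify_standard(captured) == [],
              "replay_defect": replay_check(SimulatedDevice(), captured)}
    cases = mutate_key_fields(captured)
    results = run_cases(SimulatedDevice(), cases)
    report["abnormal_cases"] = [i for i, (_, online) in enumerate(results) if not online]
    report["culprit"] = locate_by_interval(SimulatedDevice, cases)
    return report
```

run_pipeline() returns a dict with the conformance result, the replay result, the indices of the test cases after which the device was offline, and the single case that bisection identifies as the cause. Two caveats follow from the claim's own logic: a stateless read is expected to answer identically every time, so the replay verification of claim 1 is only meaningful for messages whose acceptance should depend on session state (the simulated device has none and is therefore flagged); and once the planted crash has happened every later case is simply met with silence, which is why claim 4 monitors liveness rather than only responses and why claim 5 needs interval testing to single out the case that caused it. Only the key-field branch of claim 2 is exercised; the protocol-format branch (truncating or reordering the frame) is not shown.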

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210636442.XA CN115001829B (en) 2022-06-07 2022-06-07 Protocol vulnerability discovery method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115001829A CN115001829A (en) 2022-09-02
CN115001829B true CN115001829B (en) 2024-06-07

Family

ID=83032425

Country Status (1)

Country Link
CN (1) CN115001829B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115361240B (en) * 2022-10-21 2022-12-27 北京星阑科技有限公司 Vulnerability determination method and device, computer equipment and storage medium
CN115941358B (en) * 2023-01-29 2023-06-30 国家工业信息安全发展研究中心 Vulnerability discovery method, vulnerability discovery device, terminal equipment and storage medium

Citations (22)

Publication number Priority date Publication date Assignee Title
CN101620636A (en) * 2009-08-21 2010-01-06 腾讯科技(北京)有限公司 Method and apparatus for displaying tabular data
CN105721230A (en) * 2014-11-30 2016-06-29 中国科学院沈阳自动化研究所 Modbus protocol-oriented fuzz testing method
CN106487813A (en) * 2016-12-13 2017-03-08 北京匡恩网络科技有限责任公司 Industry control network safety detecting system and detection method
CN108255711A (en) * 2017-12-29 2018-07-06 湖南优利泰克自动化***有限公司 A kind of PLC firmware fuzz testing systems and test method based on stain analysis
CN108400978A (en) * 2018-02-07 2018-08-14 深圳壹账通智能科技有限公司 Leak detection method, device, computer equipment and storage medium
CN108683558A (en) * 2018-05-10 2018-10-19 中国铁路总公司 Railway security Communication Protocol Conformance Testing Methodology
CN108801653A (en) * 2018-06-25 2018-11-13 工业和信息化部计算机与微电子发展研究中心(中国软件评测中心) The evaluation tool of floor truck and the assessment method of floor truck
CN109818973A (en) * 2019-03-13 2019-05-28 信联科技(南京)有限公司 A kind of agreement fuzz testing method based on tandem
CN110401581A (en) * 2019-07-22 2019-11-01 杭州电子科技大学 Industry control agreement fuzz testing case generation method based on flow retrospect
CN110505111A (en) * 2019-07-09 2019-11-26 杭州电子科技大学 The industry control agreement fuzz testing method reset based on flow
CN110515030A (en) * 2019-09-03 2019-11-29 国网青海省电力公司电力科学研究院 A kind of simulation detection system automating power failure reporting functions
CN110912944A (en) * 2019-12-31 2020-03-24 信联科技(南京)有限公司 CAN equipment safety test system and test method
CN111767544A (en) * 2020-06-15 2020-10-13 招商银行股份有限公司 Multi-frequency replay attack vulnerability determination method, device, equipment and readable storage medium
CN111931188A (en) * 2020-08-13 2020-11-13 中国工商银行股份有限公司 Vulnerability testing method and system under login scene
CN112235244A (en) * 2020-09-10 2021-01-15 北京威努特技术有限公司 Construction method of abnormal message, detection method, device and medium of industrial control network equipment
CN112703457A (en) * 2018-05-07 2021-04-23 强力物联网投资组合2016有限公司 Method and system for data collection, learning and machine signal streaming for analysis and maintenance using industrial internet of things
CN113542299A (en) * 2021-07-29 2021-10-22 国家工业信息安全发展研究中心 Industrial internet vulnerability mining method and system based on fuzzy test
CN113542275A (en) * 2021-07-15 2021-10-22 国家能源集团科学技术研究院有限公司 Vulnerability discovery method for power plant industrial control system
CN113886225A (en) * 2021-09-18 2022-01-04 国网河南省电力公司电力科学研究院 Unknown industrial control protocol-oriented fuzzy test system and method
CN113901476A (en) * 2021-10-12 2022-01-07 北京恒安嘉新安全技术有限公司 Vulnerability verification method, system, equipment and medium based on virtualization environment
CN113901475A (en) * 2021-09-27 2022-01-07 成都卫士通信息产业股份有限公司 Fuzzy mining method for input verification vulnerability of industrial control terminal equipment
CN113946823A (en) * 2021-10-20 2022-01-18 中国电子科技集团公司第三十研究所 SQL injection detection method and device based on URL baseline deviation analysis

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US10997244B2 (en) * 2017-07-14 2021-05-04 Phylot Inc. Method and system for identifying and discovering relationships between disparate datasets from multiple sources

Non-Patent Citations (4)

Title
Automated Verification for Secure Messaging Protocols and Their Implementations; Nadim Kobeissi; 2017 IEEE European Symposium on Security and Privacy (EuroS&P); 2017-07-03; full text *
Research and implementation of vehicle ECU vulnerability discovery technology based on fuzz testing; Li Tao; China Masters' Theses Full-text Database; 2021-05-15; full text *
Research on unknown-protocol vulnerability discovery methods based on fuzz testing; Liu Zhiyuan; China Masters' Theses Full-text Database; 2022-01-15; full text *
Online vulnerability discovery in video surveillance network protocols; Li Jiali; China Masters' Theses Full-text Database; 2018-10-15; full text *

Legal Events

Date Code Title Description
PB01 Publication
CB03 Change of inventor or designer information
Inventor after: Li Mengwei
Inventor after: Gong Xiao
Inventor after: Wan Binbin
Inventor after: Cui Dengqi
Inventor after: Zhao Zhengbin
Inventor before: Li Mengwei
Inventor before: Gong Xiao
Inventor before: Cui Dengqi
Inventor before: Zhao Zhengbin
Inventor before: Wan Binbin
SE01 Entry into force of request for substantive examination
GR01 Patent grant