CN110784486A - Industrial vulnerability scanning method and system - Google Patents

Industrial vulnerability scanning method and system

Info

Publication number: CN110784486A
Authority: CN (China)
Prior art keywords: industrial, equipment, active, communication, message
Legal status: Pending
Application number: CN201911080364.4A
Other languages: Chinese (zh)
Inventors: 刘高, 付立明, 彭卓
Current assignee: Guangzhou Anga Interconnection Technology Co Ltd
Original assignee: Guangzhou Anga Interconnection Technology Co Ltd
Application filed by Guangzhou Anga Interconnection Technology Co Ltd; priority to CN201911080364.4A; publication of CN110784486A; legal status: Pending

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1433 Vulnerability analysis
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1408 ... by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an industrial vulnerability scanning method and system. The method comprises the following steps: using a bypass detection engine to monitor bus communication messages in an industrial local area network in order to identify the active industrial equipment in that network, where the bus communication messages carry the communication characteristics of the industrial equipment; sending an industrial vulnerability scanning message to the active industrial equipment according to a scanning strategy that corresponds to its communication characteristics, so as to obtain a feedback message from the active industrial equipment, where the feedback message carries equipment characteristic information; and obtaining the vulnerability information of the active industrial equipment from that equipment characteristic information. The technical scheme of the invention addresses the problems of the prior art, in which industrial equipment has high real-time requirements and the large number of industrial vulnerability detection packets generated by existing scanning methods interferes with the real-time operation of production equipment.

Description

Industrial vulnerability scanning method and system
Technical Field
The invention relates to the technical field of industrial control networks, in particular to an industrial vulnerability scanning method and system.
Background
Industrial control networks have many advantages: they interconnect industrial devices and allow information to be transmitted and exchanged between them. With the development of industrial control networks and the rapid growth of industrial internet technology, large numbers of industrial devices are connected to the internet, so that production status is presented in real time and production tasks are issued online. Industrial devices, production lines, employees, factories, warehouses, suppliers, products and customers are thereby tightly connected, the resources of the whole production process are shared, and the whole industrial control system becomes digitized, networked, automated and intelligent, which improves efficiency, reduces cost and greatly raises productivity.
Although an industrial control network connects the industrial devices, once networked those devices become targets for attackers just as traditional IT devices do. Industrial equipment in an industrial control network often has industrial vulnerabilities, and once an attacker exploits them to damage the equipment, the whole production activity is seriously disrupted. For example, the Iranian centrifuge explosion and the Venezuela blackout were both destructive events that exploited industrial vulnerabilities. Therefore, like conventional IT equipment, industrial equipment also needs vulnerability scanning to reduce the chance that such vulnerabilities are exploited for malicious damage, and an industrial vulnerability scanning tool is a good choice for detecting the vulnerabilities present in industrial equipment. For the large amount of industrial equipment in existing industrial local area networks, the industrial vulnerability scanning mode is still the traditional IT vulnerability scanning mode. Referring to fig. 1, the existing industrial vulnerability scanning method includes the following steps: S110, start scanning and start the scanning process; S120, send a large number of detection messages to all industrial equipment; S130-S170, send in turn a PING scanning message, an operating system detection message, a port scanning message, an access-rule detection message, an industrial protocol detection message, and so on.
However, unlike vulnerability scanning of conventional IT equipment, industrial equipment has high real-time requirements. As shown in fig. 1, the conventional scanning process generates a large number of vulnerability detection packets for every industrial device; these packets easily congest the fragile industrial field bus, affect the real-time operation of production equipment, and bring unpredictable risks to production. How to scan equipment for vulnerabilities without affecting production is therefore a practical requirement.
Disclosure of Invention
The invention provides an industrial vulnerability scanning method and system, and aims to solve the problems that industrial equipment in the prior art has high real-time requirements and that the existing scanning mode generates a large number of industrial vulnerability detection packets for all industrial equipment, affecting the real-time operation of production equipment.
To achieve the above object, according to a first aspect of the present invention, the present invention provides an industrial vulnerability scanning method, including:
monitoring a bus communication message in the industrial local area network by using a bypass detection engine to identify active industrial equipment in the industrial local area network; the bus communication message comprises communication characteristics of the industrial equipment;
sending an industrial vulnerability scanning message to the active industrial equipment according to a scanning strategy corresponding to the communication characteristics of the active industrial equipment to obtain a feedback message of the active industrial equipment, wherein the feedback message comprises equipment characteristic information;
and acquiring vulnerability information of the active industrial equipment according to the equipment characteristic information.
Preferably, the step of using the bypass detection engine to listen to bus communication messages in the industrial local area network to identify the active industrial equipment in the industrial local area network includes:
using a bypass detection engine to intercept a bus communication message;
extracting communication characteristics of industrial equipment in the industrial local area network from the bus communication message, wherein the communication characteristics comprise communication type characteristics and communication content characteristics;
and determining active industrial equipment according to the communication type characteristics and the communication content characteristics of the industrial equipment.
Preferably, the step of sending the industrial vulnerability scanning message to the active industrial device according to the scanning strategy corresponding to the communication characteristics of the active industrial device includes:
matching the communication type characteristics and the communication content characteristics of the active industrial equipment, and determining the equipment type and the busy degree of the active industrial equipment;
matching the equipment type of the active industrial equipment with the industrial protocol fingerprint characteristics, and recording an equipment path corresponding to the industrial protocol fingerprint characteristics;
and sending an industrial vulnerability scanning message to each industrial device through a device path according to the busy degree of each active industrial device.
Preferably, the industrial vulnerability scanning message includes an information query instruction; the step of sending an industrial vulnerability scanning message to the active industrial equipment comprises:
sending an industrial vulnerability scanning message to the active industrial equipment according to an industrial protocol of the active industrial equipment, wherein the industrial vulnerability scanning message comprises an information query instruction;
and acquiring the equipment characteristic information of the active industrial equipment corresponding to the information query instruction.
Preferably, the step of obtaining vulnerability information of the active industrial device according to the device characteristic information includes:
and matching the equipment characteristic information with vulnerability information in a preset industrial vulnerability information base, and determining vulnerability information of the active industrial equipment.
According to a second aspect of the present invention, the present invention also provides an industrial vulnerability scanning system, including:
the device identification module is used for intercepting a bus communication message in the industrial local area network by using the bypass detection engine so as to identify active industrial devices in the industrial local area network; the bus communication message comprises communication characteristics of the industrial equipment;
the message sending module is used for sending an industrial vulnerability scanning message to the active industrial equipment according to a scanning strategy corresponding to the communication characteristics of the active industrial equipment so as to obtain a feedback message of the active industrial equipment, wherein the feedback message comprises equipment characteristic information;
and the vulnerability information acquisition module is used for acquiring vulnerability information of the active industrial equipment according to the equipment characteristic information.
Preferably, the device identification module comprises:
the communication message interception submodule is used for intercepting the bus communication message by using the bypass detection engine;
the communication feature extraction submodule is used for extracting the communication features of the industrial equipment in the industrial local area network from the bus communication message, wherein the communication features comprise communication type features and communication content features;
and the active equipment determining submodule is used for determining active industrial equipment according to the communication type characteristics and the communication content characteristics of the industrial equipment.
Preferably, the message sending module includes:
the communication characteristic matching sub-module is used for matching the communication type characteristics and the communication content characteristics of the active industrial equipment and determining the equipment type and the busy degree of the active industrial equipment;
the device path recording sub-module is used for matching the industrial protocol fingerprint characteristics by using the device types of the active industrial devices and recording a device path corresponding to the industrial protocol fingerprint characteristics;
and the communication message sending submodule is used for sending the industrial vulnerability scanning message to each industrial device through the device path according to the busy degree of each active industrial device.
Preferably, the industrial vulnerability scanning message comprises an information query instruction; the message sending module comprises:
the query instruction sending submodule is used for sending an industrial vulnerability scanning message to the active industrial equipment according to an industrial protocol of the active industrial equipment, wherein the industrial vulnerability scanning message comprises an information query instruction;
and the characteristic information acquisition submodule is used for acquiring the equipment characteristic information of the active industrial equipment corresponding to the information query instruction.
Preferably, the vulnerability information obtaining module is further configured to match the device characteristic information with vulnerability information in a preset industrial vulnerability information base, and determine vulnerability information of the active industrial device.
According to the industrial vulnerability scanning scheme provided by this technical solution, the bypass detection engine monitors bus communication messages in the industrial local area network so that the active industrial equipment in that network can be identified; the active industrial devices are those that receive and transmit data on the industrial local area network, so directing vulnerability scanning at them reduces the scanning workload. The bus communication messages carry the communication characteristics of the industrial equipment. Because every industrial device has its own communication characteristics, the industrial vulnerability scanning message is sent to the active industrial device according to a scanning strategy that corresponds to those characteristics, and the scanning message can thus be adapted to the device, which reduces occupation of the industrial field bus. Only one industrial vulnerability scanning message is sent, and its purpose is to obtain the equipment characteristic information carried in the feedback message of the active industrial equipment; the scanning message therefore occupies little bus capacity. Once the device characteristic information is obtained, the vulnerability information of the active industrial device can be searched for accurately according to it. In this way, the industrial equipment in the industrial local area network is scanned in a targeted manner, the occupation of the industrial field bus by scanning messages is reduced, the detection efficiency for industrial vulnerabilities is improved, and interference with the real-time behaviour of production equipment is reduced.
This solves the problems of the prior art, in which industrial equipment has high real-time requirements and the large number of industrial vulnerability detection packets generated by the conventional scanning mode affects the real-time operation of the production equipment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the structures shown in the drawings without creative efforts.
Fig. 1 is a schematic flow chart of an industrial vulnerability scanning method provided in the prior art;
Fig. 2 is a schematic flow chart of an industrial vulnerability scanning method according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of a method for active industrial equipment identification provided by the embodiment shown in Fig. 2;
Fig. 4 is a schematic flow chart of a first method for sending an industrial vulnerability scanning message according to the embodiment shown in Fig. 2;
Fig. 5 is a schematic flow chart of a second method for sending an industrial vulnerability scanning message according to the embodiment shown in Fig. 2;
Fig. 6 is a schematic structural diagram of an industrial vulnerability scanning system according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a device identification module provided in the embodiment shown in Fig. 6;
Fig. 8 is a schematic structural diagram of a first message sending module according to the embodiment shown in Fig. 6;
Fig. 9 is a schematic structural diagram of a second message sending module according to the embodiment shown in Fig. 6.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 2, fig. 2 is a schematic flow chart of an industrial vulnerability scanning method according to an embodiment of the present invention, and as shown in fig. 2, the industrial vulnerability scanning method includes the following steps:
s210: monitoring a bus communication message in the industrial local area network by using a bypass detection engine to identify active industrial equipment in the industrial local area network; the bus communication message includes communication characteristics of the industrial equipment.
The bypass detection engine listens passively, so it occupies the local area network bus as little as possible while monitoring bus communication messages in the industrial local area network. By intercepting the bus communication messages, the communication characteristics of the industrial equipment carried in those messages are obtained; from them the communication characteristics and the data volume of each active industrial device can be determined, and the scanning strategy for the industrial vulnerability scanning message matched accordingly.
As shown in fig. 3, step S210, listening to bus communication messages in the industrial local area network with the bypass detection engine to identify the active industrial equipment in the industrial local area network, comprises the following steps:
s211: the bus communication message is intercepted using the bypass detection engine.
S212: and extracting the communication characteristics of the industrial equipment in the industrial local area network from the bus communication message, wherein the communication characteristics comprise communication type characteristics and communication content characteristics.
S213: and determining active industrial equipment according to the communication type characteristics and the communication content characteristics.
By listening to bus communication messages and then extracting communication characteristics of the industrial device, such as communication protocol characteristics, from the bus communication messages, active industrial devices can be determined from the communication type characteristics and the communication content characteristics included in the communication characteristics. And the scanning strategy for processing active industrial equipment can be determined through the communication type characteristics and the communication content characteristics.
Specifically, taking the Modbus protocol as an example (a serial communication protocol that has become an industry standard for industrial field communication), the bypass detection engine listens to bus communication messages to obtain the Modbus communication protocol characteristics of active industrial devices.
The standard Modbus TCP communication protocol has the following characteristics:
according to the Modbus protocol specification, a Modbus TCP data frame is divided into two parts, the MBAP header and the PDU.
The MBAP part corresponds to the following table:
[Table image not reproduced on the page. In the Modbus TCP specification the MBAP header is 7 bytes: Transaction Identifier (2 bytes), Protocol Identifier (2 bytes, 0 for Modbus), Length (2 bytes, the number of bytes that follow, i.e. the Unit Identifier plus the PDU) and Unit Identifier (1 byte).]
The PDU part consists of a function code and data. The function code is 1 byte; the length of the data is not fixed and is determined by the specific function.
Referring to fig. 1, fig. 1 shows packet capture data from the Modbus bypass detection engine. Analysing the captured packets gives the following results:
The MBAP and PDU data characteristics are matched using a Modbus protocol library; when the application data frame is recognised as containing the MBAP data characteristics and the PDU data characteristics match successfully, the device can essentially be judged to be a Modbus device. In the circled portion, 0x01 indicates that the device address is 1; the first 0x1b indicates that the PDU portion has a byte length of 27 bytes; 0x10 is the function code and stands for writing registers; 0x00 0x00 is the starting address of the registers to be written; 0x00 0x0a is the number of registers to be written (10 registers); 0x14 is the number of bytes to be written (20 bytes); and 0x00 0x40, 0x00 0x41, 0x00 0x42, 0x00 and 0x4 are the data actually written to the registers, namely 60, 61, 62 and 63 respectively.
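The frame walkthrough above can be reproduced with a small parser. The code below is an added example and not the patent's or the applicant's code: it splits a Modbus TCP application data unit into the MBAP header and PDU, applies the consistency checks a bypass engine would use before calling a frame "Modbus" (protocol identifier 0, MBAP length matching the frame, byte count matching the register count), and decodes the Write Multiple Registers request (function 0x10) the description walks through. The sample frame is constructed to match that walkthrough (unit 1, length 0x1b, 10 registers, 20 data bytes); the register values 0x0040 to 0x0049 are made up for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Added example (not the patent's code): a minimal Modbus TCP ADU parser.
# A Modbus TCP frame = 7-byte MBAP header + PDU (function code + data).

MBAP_LEN = 7
# Function codes the Modbus specification defines for reads and writes; the
# sets are deliberately small and serve only to classify observed traffic.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int          # MBAP length = unit identifier + PDU, in bytes
    unit_id: int         # the "device address" of the walkthrough
    function_code: int
    data: bytes
    # Decoded only for function 0x10 (Write Multiple Registers)
    start_address: Optional[int] = None
    quantity: Optional[int] = None
    byte_count: Optional[int] = None
    registers: List[int] = field(default_factory=list)


def parse_modbus_tcp(frame: bytes) -> Optional[ModbusFrame]:
    """Return a ModbusFrame if `frame` is a well-formed Modbus TCP ADU, else None."""
    if len(frame) < MBAP_LEN + 1:            # MBAP plus at least a function code
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:                              # protocol identifier is always 0 for Modbus
        return None
    if length != len(frame) - 6:              # length counts unit id + whole PDU
        return None
    fc = frame[MBAP_LEN]
    data = frame[MBAP_LEN + 1:]
    parsed = ModbusFrame(tid, pid, length, unit, fc, data)
    if fc == 0x10 and len(data) >= 5:
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) != 5 + nbytes:
            return None                       # malformed write request
        parsed.start_address = start
        parsed.quantity = qty
        parsed.byte_count = nbytes
        parsed.registers = list(struct.unpack(">%dH" % qty, data[5:]))
    return parsed


def classify_function(fc: int) -> str:
    """Coarse classification used to judge what a device is doing on the bus."""
    if fc in READ_FUNCTIONS:
        return "read"
    if fc in WRITE_FUNCTIONS:
        return "write"
    if fc & 0x80:
        return "exception"
    return "other"


# Constructed sample: the request the description walks through (unit 1,
# length 0x1b = 27, function 0x10, start 0, 10 registers, 20 data bytes).
SAMPLE_WRITE_REQUEST = (
    bytes.fromhex("0001" "0000" "001b" "01")          # MBAP: tid, pid, length, unit
    + bytes.fromhex("10" "0000" "000a" "14")          # PDU: fc, start, quantity, byte count
    + b"".join(struct.pack(">H", 0x40 + i) for i in range(10))   # made-up register values
)

if __name__ == "__main__":
    f = parse_modbus_tcp(SAMPLE_WRITE_REQUEST)
    print(f"unit={f.unit_id} length={f.length} fc=0x{f.function_code:02x} "
          f"{classify_function(f.function_code)} start={f.start_address} "
          f"qty={f.quantity} bytes={f.byte_count} regs={f.registers}")
```

The length check is what separates a Modbus frame from an arbitrary payload on port 502: the MBAP length must equal the remaining bytes after the first six, and for function 0x10 the byte count must be exactly twice the register count. A frame that fails either check is not counted as evidence of an active Modbus device.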
As shown in fig. 2, the industrial vulnerability scanning method provided in the embodiment of the present application further includes step S220: and sending an industrial vulnerability scanning message to the active industrial equipment according to a scanning strategy corresponding to the communication characteristics of the active industrial equipment to obtain a feedback message of the active industrial equipment, wherein the feedback message comprises equipment characteristic information.
Once the bypass detection engine has obtained the communication characteristics of the active industrial equipment by listening, those characteristics can be matched against the industrial protocol fingerprint library to determine the scanning strategy for scanning that equipment for industrial vulnerabilities; the communication protocol of the active industrial equipment is then emulated in full and the industrial vulnerability scanning messages are sent in order of how busy or idle each device is. In this way the equipment characteristic information in the feedback message of the active industrial equipment is obtained and can be analysed further to search for industrial vulnerabilities.
Specifically, as shown in fig. 4, the step S220: according to a scanning strategy corresponding to the communication characteristics of the active industrial equipment, sending an industrial vulnerability scanning message to the active industrial equipment, which specifically comprises the following steps:
s221: and matching the communication type characteristics and the communication content characteristics of the active industrial equipment, and determining the equipment type and the busy degree of the active industrial equipment.
Because the bypass detection engine intercepts the bus communication messages, the communication characteristics of the industrial equipment, comprising communication type characteristics and communication content characteristics, are available; from them the activity level of each industrial device can be fully determined and the communication protocol of the active industrial equipment identified.
For example, the bypass detection engine may determine that the communication type of an active industrial device is the Modbus protocol by detecting that the communication type characteristic is an MBAP characteristic and the communication content characteristic is a PDU characteristic. The busy degree of the active industrial equipment can likewise be determined from the communication content characteristics.
S222: and matching the device type of the active industrial device with the industrial protocol fingerprint characteristics, and recording a device path corresponding to the industrial protocol fingerprint characteristics.
After the bypass detection engine listens to a bus communication message, it extracts the communication characteristics, which include the device type, and matches the device type of the active industrial device against the industrial protocol fingerprint characteristics to determine the device path of that device; the device path includes the relevant IP address, port number and so on.
Scanning the active industrial equipment by its device path allows the ping scanning and port scanning of the traditional scanning stage to be skipped entirely, which reduces the time the local area network bus is occupied, leaves the real-time control instructions of industrial equipment communication unaffected, avoids blind end-to-end scanning, and greatly shortens the scanning time.
S223: and sending an industrial vulnerability scanning message to each industrial device through a device path according to the busy degree of each active industrial device.
In conclusion, once the device path and busy degree of each active industrial device are determined, the ping scanning and port scanning of the traditional scanning stage can be skipped entirely when scanning for industrial vulnerabilities. This reduces the time the local area network bus is occupied, leaves the real-time control instructions of industrial device communication unaffected, avoids blind end-to-end scanning, greatly shortens the scanning time, and targets the relevant devices more precisely with higher accuracy. After matching against the industrial protocol fingerprints, the device communication protocol can be emulated in full and the industrial vulnerability scanning message sent according to the busy or idle degree. Because the whole scanning message is small and is injected through the device's own communication protocol, it blends completely into the device's normal communication flow, does not break the normal network data format of the production equipment, does not affect the normal production activity of the industrial equipment, and amounts to scanning that the devices do not perceive.
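Steps S221 to S223 turn traffic the bypass engine has already seen into a scan plan: a device type from the fingerprint match, a busy degree per device, and a device path (IP address, port, unit identifier) that makes ping and port scanning unnecessary. The code below is an added example and not the patent's code. It takes already-parsed observations (constructed for the example; in practice they would come from a parser such as the one above), aggregates them into one device path per active device, computes messages per second as the busy degree, and orders targets least-busy first. The fingerprint table and its port number are assumptions made for the example; only Modbus TCP is filled in.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not the patent's code): passive inventory and scan ordering.


@dataclass(frozen=True)
class Observation:
    """One request seen on the bus, already parsed (constructed input)."""
    ts: float            # seconds since start of the capture window
    dst_ip: str
    dst_port: int
    unit_id: int
    function_code: int
    write: bool          # True for write-class function codes


# Hypothetical industrial protocol fingerprint table: a protocol is recognised
# by its TCP port and the function-code range its PDUs use.
FINGERPRINTS = {
    "modbus-tcp": {"port": 502, "function_codes": range(1, 0x80)},
}


@dataclass
class DevicePath:
    ip: str
    port: int
    unit_id: int
    protocol: str
    messages: int = 0
    writes: int = 0
    busy_degree: float = 0.0   # messages per second over the observation window


def match_fingerprint(obs: Observation) -> str:
    """Return the protocol name whose fingerprint matches the observation, or 'unknown'."""
    for name, fp in FINGERPRINTS.items():
        if obs.dst_port == fp["port"] and obs.function_code in fp["function_codes"]:
            return name
    return "unknown"


def build_inventory(records: List[Observation]) -> Dict[Tuple[str, int, int], DevicePath]:
    """Aggregate observed request traffic into one DevicePath per active device."""
    if not records:
        return {}
    window = (max(r.ts for r in records) - min(r.ts for r in records)) or 1.0
    inventory: Dict[Tuple[str, int, int], DevicePath] = {}
    for r in records:
        key = (r.dst_ip, r.dst_port, r.unit_id)
        path = inventory.setdefault(
            key, DevicePath(r.dst_ip, r.dst_port, r.unit_id, match_fingerprint(r)))
        path.messages += 1
        path.writes += int(r.write)
    for path in inventory.values():
        path.busy_degree = path.messages / window
    return inventory


def scan_order(inventory: Dict[Tuple[str, int, int], DevicePath]) -> List[DevicePath]:
    """Least-busy fingerprinted devices first; devices with no matching
    fingerprint are left out because no scanning strategy applies to them."""
    known = [p for p in inventory.values() if p.protocol != "unknown"]
    return sorted(known, key=lambda p: (p.busy_degree, p.ip, p.unit_id))


# Constructed capture: a chatty PLC, a quiet PLC, and one non-Modbus flow.
SAMPLE_RECORDS = [
    Observation(0.0, "10.0.0.11", 502, 1, 0x10, True),
    Observation(1.0, "10.0.0.11", 502, 1, 0x03, False),
    Observation(2.0, "10.0.0.11", 502, 1, 0x10, True),
    Observation(3.0, "10.0.0.11", 502, 1, 0x03, False),
    Observation(4.0, "10.0.0.11", 502, 1, 0x10, True),
    Observation(5.0, "10.0.0.11", 502, 1, 0x03, False),
    Observation(0.5, "10.0.0.12", 502, 2, 0x03, False),
    Observation(4.5, "10.0.0.12", 502, 2, 0x03, False),
    Observation(2.5, "10.0.0.13", 4840, 0, 0x00, False),   # not a Modbus request
]

if __name__ == "__main__":
    for p in scan_order(build_inventory(SAMPLE_RECORDS)):
        print(f"{p.ip}:{p.port} unit {p.unit_id} {p.protocol} "
              f"busy={p.busy_degree:.2f} msg/s writes={p.writes}")
```

Ordering by busy degree is the scheduling half of the description; the unknown-protocol device is reported in the inventory but excluded from the scan order, since sending a protocol-specific query to a device whose protocol was not fingerprinted is exactly the blind probing the method avoids.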
Also after determining the scanning strategy, as shown in fig. 5, step S220 in fig. 2: the sending of the industrial vulnerability scanning message to the active industrial equipment specifically comprises the following steps:
s224: and sending an industrial vulnerability scanning message to the active industrial equipment according to an industrial protocol of the active industrial equipment, wherein the industrial vulnerability scanning message comprises an information inquiry instruction.
S225: and acquiring the equipment characteristic information of the active industrial equipment corresponding to the information query instruction.
Specifically, for an industrial protocol identified by the bypass detection engine, industrial equipment generally supports two kinds of instruction, read and write. According to the matched industrial protocol and the corresponding equipment model, the read-data instruction of that protocol (that is, the information query instruction) is invoked, and an industrial vulnerability scanning message is sent to the active industrial equipment to query its current software version. The read-data instruction is identical to the normal communication instructions of the active industrial equipment; only the register address being read differs. On receiving the specified register address, the active industrial equipment returns the data stored at that address, from which the equipment characteristic information of the active industrial equipment is parsed.
In addition, because the industrial protocol fingerprint database is matched accurately beforehand, the message carrying the industrial vulnerability scanning information can be targeted more precisely; and the query that obtains the characteristic information of the industrial equipment excludes any operation instruction and has only an information query function, which reduces its effect on other industrial equipment and on the scanning equipment itself.
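The information query instruction of steps S224 and S225 is, for Modbus, an ordinary read request. The code below is an added example and not the patent's code: it encodes a Modbus TCP read request, enforces the description's rule that the query carries no operation (write) instruction by refusing any non-read function code, and decodes the reply, including the exception form, into register values that are then read as an ASCII version string. The register address holding the version string and the reply bytes are constructed for the example; real devices expose such information at vendor-specific addresses.

```python
import struct
from typing import List, Optional, Tuple

# Added example (not the patent's code): read-only query encoding and decoding.

READ_ONLY_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}   # Modbus read function codes


def build_read_query(transaction_id: int, unit_id: int, function_code: int,
                     start_address: int, quantity: int) -> bytes:
    """Encode a Modbus TCP read request; refuse anything that is not a read."""
    if function_code not in READ_ONLY_FUNCTIONS:
        raise ValueError("query instruction must be read-only, got function 0x%02x"
                         % function_code)
    if not 1 <= quantity <= 125:                    # spec limit for one read
        raise ValueError("quantity out of range")
    pdu = struct.pack(">BHH", function_code, start_address, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def decode_read_response(reply: bytes, expected_tid: int,
                         expected_fc: int) -> Tuple[Optional[List[int]], Optional[str]]:
    """Return (registers, None) for a good Read Holding Registers reply,
    or (None, reason) when the reply is malformed or an exception."""
    if len(reply) < 9:
        return None, "reply too short"
    tid, pid, length, _unit = struct.unpack(">HHHB", reply[:7])
    if tid != expected_tid or pid != 0 or length != len(reply) - 6:
        return None, "malformed or unmatched reply"
    fc = reply[7]
    if fc == (expected_fc | 0x80):                  # exception response
        return None, "exception code 0x%02x" % reply[8]
    if fc != expected_fc:
        return None, "unexpected function code"
    nbytes = reply[8]
    if nbytes != len(reply) - 9 or nbytes % 2:
        return None, "bad byte count"
    return list(struct.unpack(">%dH" % (nbytes // 2), reply[9:])), None


def registers_to_text(registers: List[int]) -> str:
    """Interpret 16-bit registers as big-endian ASCII, stripping NUL padding."""
    raw = b"".join(struct.pack(">H", r) for r in registers)
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


# Constructed reply: unit 1 answering function 3 with 8 bytes "V2.1.0" + padding
SAMPLE_REPLY = (struct.pack(">HHHB", 7, 0, 3 + 8, 1)
                + bytes([0x03, 8]) + b"V2.1.0\x00\x00")

if __name__ == "__main__":
    query = build_read_query(7, 1, 0x03, 0x1000, 4)    # 0x1000 is a made-up address
    print("query:", query.hex())
    regs, err = decode_read_response(SAMPLE_REPLY, 7, 0x03)
    print("version:", registers_to_text(regs) if err is None else err)
```

Matching the transaction identifier and checking the MBAP length on the reply matters as much as on the request: a bypass engine that accepts any bytes on the socket as the device's answer will record garbage as "equipment characteristic information" and match it against the vulnerability base.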
In addition, the embodiment shown in fig. 2 further includes step S230: acquiring vulnerability information of the active industrial device according to the device characteristic information.
Step S230, acquiring vulnerability information of the active industrial device according to the device characteristic information, comprises: matching the device characteristic information against the vulnerability information in a preset industrial vulnerability information base, and thereby determining the vulnerability information of the active industrial device.
After the industrial vulnerability scanning message is sent according to the protocol, the industrial device concerned feeds back its device characteristic information; on receiving it, the industrial vulnerability scanning tool compares it with the vulnerability information in the industrial vulnerability information base to obtain the vulnerability information of the active industrial device. Because the method scans only devices that were matched by the industrial fingerprint database, this process is fast and accurate.
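The following is an added example, not code from the patent or its applicant, showing steps S225 and S230 end to end: a read-only "information query instruction" is built, the feedback message is parsed into device characteristic information, and that information is matched against a vulnerability base. The patent names no industrial protocol; Modbus/TCP is assumed here, with its Read Device Identification request (function 0x2B, MEI type 0x0E) as the query, because it reads identification objects and changes no device state. The response bytes, vendor and product names, and the vulnerability-base entries (ids of the form EXAMPLE-nnnn) are constructed for the example and are not real advisories.

```python
"""Read-only device-identification probe and vulnerability-base lookup (added example).

Assumptions: Modbus/TCP framing (MBAP header + PDU); the vulnerability base is a
constructed list keyed by vendor, product and the first fixed version.
"""
import struct

# Modbus function codes that change device state. A scan probe must never carry one.
MODBUS_WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

# Basic-identification object ids of Read Device Identification (function 43 / MEI 14).
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def is_read_only_probe(pdu: bytes) -> bool:
    """True if the PDU's function code cannot modify the device."""
    return len(pdu) > 0 and pdu[0] not in MODBUS_WRITE_FUNCTIONS


def build_read_device_id_request(transaction_id: int, unit_id: int, object_id: int = 0x00) -> bytes:
    """Build an MBAP-framed Read Device Identification request (basic stream access)."""
    pdu = bytes([0x2B, 0x0E, 0x01, object_id])  # function, MEI type, ReadDevId code 1, first object
    if not is_read_only_probe(pdu):
        raise ValueError("refusing to send a write function code as a scan probe")
    # MBAP header: transaction id, protocol id 0, length of (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_device_id_response(frame: bytes) -> dict:
    """Return the identification objects of a Read Device Identification response,
    or {"exception_code": n} if the device answered with a Modbus exception."""
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or len(frame) != 6 + length:
        raise ValueError("malformed MBAP header")
    pdu = frame[7:]
    if pdu[0] & 0x80:                      # exception bit set: function | 0x80, then code
        return {"exception_code": pdu[1]}
    if pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] ReadDevId code, pdu[3] conformity level, pdu[4] more follows,
    # pdu[5] next object id, pdu[6] number of objects, then (id, length, value) triples
    objects, offset = {}, 7
    for _ in range(pdu[6]):
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        value = pdu[offset + 2:offset + 2 + obj_len]
        objects[OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")] = value.decode("ascii", "replace")
        offset += 2 + obj_len
    return objects


def parse_version(text: str) -> tuple:
    """'V2.3.1' -> (2, 3, 1); a leading V and non-numeric parts are dropped."""
    return tuple(int(p) for p in text.lstrip("Vv").split(".") if p.isdigit())


def match_vulnerabilities(ident: dict, base: list) -> list:
    """Device characteristic information -> ids of vulnerability-base entries it matches.
    An unknown version never matches, so a device is not flagged on vendor alone."""
    version = parse_version(ident.get("MajorMinorRevision", ""))
    return [e["id"] for e in base
            if e["vendor"] == ident.get("VendorName")
            and e["product"] == ident.get("ProductCode")
            and version and version < e["fixed_in"]]


# Constructed vulnerability base; ids and products are placeholders, not real advisories.
VULN_BASE = [
    {"id": "EXAMPLE-0001", "vendor": "ExampleVendor", "product": "PLC-100", "fixed_in": (2, 4, 0)},
    {"id": "EXAMPLE-0002", "vendor": "ExampleVendor", "product": "PLC-200", "fixed_in": (1, 0, 0)},
]

# Constructed feedback message: a PLC-100 at V2.3.1 returning its three basic objects.
_pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
for _id, _val in ((0x00, b"ExampleVendor"), (0x01, b"PLC-100"), (0x02, b"V2.3.1")):
    _pdu += bytes([_id, len(_val)]) + _val
SAMPLE_RESPONSE = struct.pack(">HHHB", 1, 0, len(_pdu) + 1, 1) + _pdu
# Constructed exception reply (illegal function) from a device that lacks function 43.
SAMPLE_EXCEPTION = struct.pack(">HHHB", 1, 0, 3, 1) + bytes([0xAB, 0x01])


def scan_device(response_frame: bytes, base: list = VULN_BASE) -> list:
    """Steps S225 and S230 on one feedback message: parse characteristics, then look up."""
    ident = parse_device_id_response(response_frame)
    if "exception_code" in ident:
        return []
    return match_vulnerabilities(ident, base)


if __name__ == "__main__":
    print(build_read_device_id_request(1, 1).hex())
    print(parse_device_id_response(SAMPLE_RESPONSE), scan_device(SAMPLE_RESPONSE))
```

The allowlist check in `is_read_only_probe` is the practical form of the patent's requirement that the query "excludes any operation instruction": the probe builder refuses to emit a write function code, so a mis-configured fingerprint entry cannot turn a scan into a state change on the controller.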
In summary, in the industrial vulnerability scanning method provided by the technical scheme of this application, the bypass detection engine intercepts the bus communication messages in the industrial local area network so that the active industrial devices in that network can be identified. The active industrial devices are the industrial devices that receive and transmit data in the industrial local area network, so vulnerability scanning that targets only them reduces the scanning workload. The bus communication message carries the communication characteristics of the industrial device. Because each industrial device has its own communication characteristics, the industrial vulnerability scanning message is sent to the active industrial device according to the scanning strategy corresponding to those characteristics; the message is thus adapted to the active industrial device, which reduces the load placed on the industrial field bus. Only a single industrial vulnerability scanning message is sent, its sole purpose being to obtain the device characteristic information carried in the feedback message of the active industrial device, so the scanning message occupies little bus capacity. Once the device characteristic information is obtained, the vulnerability information of the active industrial device can be looked up accurately from it. In this way the industrial devices in the industrial local area network are scanned in a targeted manner, the field-bus load imposed by industrial vulnerability scanning messages is reduced, the efficiency of industrial vulnerability detection is improved, and interference with the real-time behaviour of production equipment is reduced.
This addresses the problem in the prior art that conventional scanning generates a large number of industrial vulnerability detection packets, which conflicts with the growing real-time requirements of industrial equipment and disturbs the real-time operation of production equipment.
In addition, based on the same concept as the method embodiment, an embodiment of the present invention further provides an industrial vulnerability scanning system for implementing the method of the present invention. Since the system embodiment solves the problem on the same principle as the method embodiment, it has at least all the beneficial effects of the method embodiment, and the details are not repeated here.
Referring to fig. 6 in particular, fig. 6 is a schematic structural diagram of an industrial vulnerability scanning system according to an embodiment of the present invention. As shown in fig. 6, the industrial vulnerability scanning system includes:
the device identification module 601 is configured to intercept bus communication messages in the industrial local area network by using a bypass detection engine, so as to identify active industrial devices in the industrial local area network; the bus communication message includes the communication characteristics of the industrial device;
the message sending module 602 is configured to send an industrial vulnerability scanning message to an active industrial device according to the scanning strategy corresponding to the communication characteristics of that device, so as to obtain a feedback message from it, where the feedback message includes device characteristic information; and
the vulnerability information obtaining module 603 is configured to obtain vulnerability information of the active industrial device according to the device characteristic information.
In summary, in the industrial vulnerability scanning system provided by the technical scheme of this application, the bypass detection engine monitors the bus communication messages in the industrial local area network so that the active industrial devices in that network can be identified. The active industrial devices are the industrial devices that receive and transmit data in the industrial local area network, so vulnerability scanning that targets only them reduces the scanning workload. The bus communication message carries the communication characteristics of the industrial device. Because each industrial device has its own communication characteristics, the industrial vulnerability scanning message is sent to the active industrial device according to the scanning strategy corresponding to those characteristics; the message is thus adapted to the active industrial device, which reduces the load placed on the industrial field bus. Only a single industrial vulnerability scanning message is sent, its sole purpose being to obtain the device characteristic information carried in the feedback message of the active industrial device, so the scanning message occupies little bus capacity. Once the device characteristic information is obtained, the vulnerability information of the active industrial device can be looked up accurately from it. In this way the industrial devices in the industrial local area network are scanned in a targeted manner, the field-bus load imposed by industrial vulnerability scanning messages is reduced, the efficiency of industrial vulnerability detection is improved, and interference with the real-time behaviour of production equipment is reduced.
This addresses the problem in the prior art that conventional scanning generates a large number of industrial vulnerability detection packets, which conflicts with the growing real-time requirements of industrial equipment and disturbs the real-time operation of production equipment.
In the embodiment shown in fig. 6, the device identification module 601 includes:
a communication message interception submodule 6011 configured to intercept the bus communication message by using a bypass detection engine;
a communication feature extraction submodule 6012, configured to extract, from the bus communication message, the communication features of the industrial devices in the industrial local area network, where the communication features include a communication type feature and a communication content feature; and
an active device determining submodule 6013 is configured to determine an active industrial device according to the communication type characteristic and the communication content characteristic of the industrial device.
As shown in fig. 8, in the industrial vulnerability scanning system provided in the embodiment shown in fig. 6, the message sending module 602 includes:
the communication feature matching submodule 6021 is used for matching the communication type feature and the communication content feature of the active industrial equipment, and determining the equipment type and the busy degree of the active industrial equipment;
the device path recording sub-module 6022 is configured to match the industrial protocol fingerprint feature with the device type of the active industrial device, and record a device path corresponding to the industrial protocol fingerprint feature;
and the communication message sending submodule 6023 is configured to send the industrial vulnerability scanning message to each active industrial device through its device path, in an order and at a rate determined by the busy degree of each active industrial device.
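The following is an added example, not code from the patent or its applicant, of the device identification module (submodules 6011 to 6013) and the busy-degree scheduling of the message sending module (submodules 6021 to 6023). Modbus/TCP on port 502 is assumed as the bus protocol, which the patent does not specify. The capture is constructed as a bypass engine would see it on a mirror port, as tuples of (timestamp, source ip, source port, destination ip, destination port, payload); the addresses, unit ids and the 10 s window are all invented for the example. Function codes serve as the communication type feature (read vs. write), register addresses as the content feature, and frames per second per device as the busy degree.

```python
"""Passive identification of active industrial devices and busy-degree ordering of
scan probes (added example; Modbus/TCP and the capture below are assumptions)."""
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502
# Communication type feature: function codes that write device state vs. read it.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


@dataclass
class DeviceProfile:
    path: tuple                                  # "device path": (ip, tcp port, unit id)
    frames: int = 0
    reads: int = 0
    writes: int = 0
    responded: bool = False                      # the device transmitted, not only received
    registers: set = field(default_factory=set)  # content feature: register addresses touched

    def busy_degree(self, window_seconds: float) -> float:
        """Frames per second seen for this device over the capture window."""
        return self.frames / window_seconds


def extract_features(frame: tuple):
    """Return (device path, direction, function code, start address) for a well-formed
    Modbus/TCP frame, or None for anything else (submodule 6012)."""
    _ts, src, sport, dst, dport, payload = frame
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or len(payload) != 6 + length:
        return None
    if dport == MODBUS_PORT:
        path, direction = (dst, MODBUS_PORT, unit), "request"
    elif sport == MODBUS_PORT:
        path, direction = (src, MODBUS_PORT, unit), "response"
    else:
        return None
    function = payload[7] & 0x7F                 # mask the exception bit on responses
    address = None
    if direction == "request" and len(payload) >= 10:
        address = struct.unpack(">H", payload[8:10])[0]
    return path, direction, function, address


def identify_active_devices(capture: list) -> dict:
    """Fold every intercepted frame into a per-device profile (submodule 6013)."""
    profiles = {}
    for frame in capture:
        features = extract_features(frame)
        if features is None:
            continue
        path, direction, function, address = features
        p = profiles.setdefault(path, DeviceProfile(path))
        p.frames += 1
        if function in WRITE_FUNCTIONS:
            p.writes += 1
        else:
            p.reads += 1
        if direction == "response":
            p.responded = True
        if address is not None:
            p.registers.add(address)
    return profiles


def schedule_probes(profiles: dict, window_seconds: float, max_busy: float):
    """Order device paths for probing, least busy first; devices above max_busy
    frames/s are deferred instead of being probed while the bus is loaded (submodule 6023)."""
    ordered = sorted(profiles.values(), key=lambda p: p.busy_degree(window_seconds))
    ready = [p.path for p in ordered if p.busy_degree(window_seconds) <= max_busy]
    deferred = [p.path for p in ordered if p.busy_degree(window_seconds) > max_busy]
    return ready, deferred


def _request(ts, dst, unit, function, address, value=1):
    """Constructed request from an HMI at 10.0.0.2; PDU = function, address, count/value."""
    pdu = struct.pack(">BHH", function, address, value)
    return (ts, "10.0.0.2", 40001, dst, MODBUS_PORT, struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu)


# Constructed 10 s capture: a quiet PLC polled once a second (answering once), a busy PLC
# hit four times a second with alternating reads and writes, and one unrelated HTTP frame.
CAPTURE_WINDOW = 10.0
_pdu_resp = bytes([0x03, 0x02, 0x00, 0x2A])      # read-holding-registers response, one register
CAPTURE = (
    [_request(t, "10.0.0.10", 1, 0x03, 0x0000, 10) for t in range(6)]
    + [(0.1, "10.0.0.10", MODBUS_PORT, "10.0.0.2", 40001,
        struct.pack(">HHHB", 1, 0, len(_pdu_resp) + 1, 1) + _pdu_resp)]
    + [_request(t * 0.25, "10.0.0.11", 1, 0x06 if t % 2 else 0x03, 0x0100) for t in range(40)]
    + [(3.0, "10.0.0.2", 40002, "10.0.0.50", 80, b"GET / HTTP/1.1\r\n\r\n")]
)

if __name__ == "__main__":
    profiles = identify_active_devices(CAPTURE)
    for p in profiles.values():
        print(p.path, p.reads, p.writes, p.responded, round(p.busy_degree(CAPTURE_WINDOW), 2))
    print(schedule_probes(profiles, CAPTURE_WINDOW, max_busy=2.0))
```

The `responded` flag records whether a device has actually transmitted on the bus, which is the patent's definition of an active device (one that both receives and transmits); a path that only ever appears as a destination may be a stale HMI configuration rather than live equipment, and a practitioner would want to see that before spending a probe on it.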
In addition, the industrial vulnerability scanning message in the industrial vulnerability scanning system provided by the embodiment shown in fig. 6 includes an information query instruction; as shown in fig. 9, the message sending module 602 in the embodiment of fig. 6 includes:
the query instruction sending submodule 6024 is configured to send an industrial vulnerability scanning message to the active industrial device according to an industrial protocol of the active industrial device, where the industrial vulnerability scanning message includes an information query instruction.
The characteristic information obtaining sub-module 6025 is configured to obtain the device characteristic information of the active industrial device corresponding to the information query instruction.
In addition, the vulnerability information obtaining module 603 in the embodiment of fig. 6 is further configured to match the device characteristic information with vulnerability information in a preset industrial vulnerability information base, and determine vulnerability information of the active industrial device.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. An industrial vulnerability scanning method, comprising:
intercepting a bus communication message in an industrial local area network by using a bypass detection engine to identify active industrial equipment in the industrial local area network; the bus communication message comprises communication characteristics of industrial equipment;
sending an industrial vulnerability scanning message to active industrial equipment according to a scanning strategy corresponding to the communication characteristics of the active industrial equipment to obtain a feedback message of the active industrial equipment, wherein the feedback message comprises equipment characteristic information;
and acquiring the vulnerability information of the active industrial equipment according to the equipment characteristic information.
2. The industrial vulnerability scanning method of claim 1, wherein the step of intercepting bus communication messages in an industrial local area network by using a bypass detection engine to identify active industrial devices in the industrial local area network comprises:
intercepting the bus communication message by using the bypass detection engine;
extracting communication characteristics of industrial equipment in an industrial local area network from the bus communication message, wherein the communication characteristics comprise communication type characteristics and communication content characteristics;
and determining the active industrial equipment according to the communication type characteristics and the communication content characteristics of the industrial equipment.
3. The industrial vulnerability scanning method according to claim 1, wherein the step of sending an industrial vulnerability scanning message to an active industrial device according to a scanning strategy corresponding to communication characteristics of the active industrial device comprises:
matching the communication type characteristics and the communication content characteristics of the active industrial equipment, and determining the equipment type and the busy degree of the active industrial equipment;
matching the equipment type of the active industrial equipment with industrial protocol fingerprint characteristics, and recording an equipment path corresponding to the industrial protocol fingerprint characteristics;
and sending the industrial vulnerability scanning message to each industrial device through the device path according to the busy degree of each active industrial device.
4. The industrial vulnerability scanning method according to claim 1 or 3, wherein the industrial vulnerability scanning message comprises an information query instruction; the step of sending an industrial vulnerability scanning message to the active industrial device comprises:
sending the industrial vulnerability scanning message to the active industrial equipment according to an industrial protocol of the active industrial equipment, wherein the industrial vulnerability scanning message comprises an information query instruction;
and acquiring the equipment characteristic information of the active industrial equipment corresponding to the information query instruction.
5. The industrial vulnerability scanning method according to claim 1, wherein the step of obtaining vulnerability information of the active industrial equipment according to the equipment feature information comprises:
and matching the device characteristic information with vulnerability information in a preset industrial vulnerability information base, and determining vulnerability information of the active industrial device.
6. An industrial vulnerability scanning system, comprising:
the device identification module is used for intercepting a bus communication message in an industrial local area network by using a bypass detection engine so as to identify active industrial devices in the industrial local area network; the bus communication message comprises communication characteristics of industrial equipment;
the message sending module is used for sending an industrial vulnerability scanning message to the active industrial equipment according to a scanning strategy corresponding to the communication characteristics of the active industrial equipment so as to obtain a feedback message of the active industrial equipment, wherein the feedback message comprises equipment characteristic information;
and the vulnerability information acquisition module is used for acquiring vulnerability information of the active industrial equipment according to the equipment characteristic information.
7. The industrial vulnerability scanning system of claim 6, wherein the device identification module comprises:
a communication message interception submodule for intercepting the bus communication message by using the bypass detection engine;
the communication feature extraction submodule is used for extracting the communication features of the industrial equipment in the industrial local area network from the bus communication message, wherein the communication features comprise communication type features and communication content features;
and the active equipment determining submodule is used for determining the active industrial equipment according to the communication type characteristics and the communication content characteristics of the industrial equipment.
8. The industrial vulnerability scanning system of claim 6, wherein the message sending module comprises:
the communication characteristic matching sub-module is used for matching the communication type characteristics and the communication content characteristics of the active industrial equipment and determining the equipment type and the busy degree of the active industrial equipment;
the device path recording submodule is used for matching the device type of the active industrial device with industrial protocol fingerprint features and recording a device path corresponding to the industrial protocol fingerprint features;
and the communication message sending submodule is used for sending the industrial vulnerability scanning message to each active industrial device through the device path according to the busy degree of each active industrial device.
9. The industrial vulnerability scanning system of claim 6, wherein the industrial vulnerability scanning messages include information query instructions; the message sending module comprises:
the query instruction sending submodule is used for sending the industrial vulnerability scanning message to the active industrial equipment according to an industrial protocol of the active industrial equipment, wherein the industrial vulnerability scanning message comprises an information query instruction;
and the characteristic information acquisition submodule is used for acquiring the equipment characteristic information of the active industrial equipment corresponding to the information query instruction.
10. The industrial vulnerability scanning system of claim 6, wherein the vulnerability information obtaining module is further configured to match the device characteristic information with vulnerability information in a preset industrial vulnerability information base to determine vulnerability information of the active industrial devices.
CN201911080364.4A 2019-11-07 2019-11-07 Industrial vulnerability scanning method and system Pending CN110784486A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911080364.4A CN110784486A (en) 2019-11-07 2019-11-07 Industrial vulnerability scanning method and system

Publications (1)

Publication Number Publication Date
CN110784486A true CN110784486A (en) 2020-02-11

Family

ID=69390021

Country Status (1)

Country Link
CN (1) CN110784486A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113792300A * 2021-11-17 2021-12-14 山东云天安全技术有限公司 System for predicting industrial control network vulnerabilities based on Internet and industrial control network vulnerability parameters
CN114021149A * 2021-11-17 2022-02-08 山东云天安全技术有限公司 System for predicting industrial control network vulnerabilities based on correction parameters
CN115277136A * 2022-07-15 2022-11-01 云南电网有限责任公司电力科学研究院 Vulnerability scanning method, system, computer equipment and medium
CN117061178A * 2023-08-21 2023-11-14 山东九州信泰信息科技股份有限公司 Industrial control network vulnerability scanning method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161426A * 2016-06-08 2016-11-23 北京工业大学 Vulnerability scanning method applied to the industrial Internet of Things
CN106301909A * 2016-08-11 2017-01-04 杭州华三通信技术有限公司 Port detection method and device
CN106713449A * 2016-12-21 2017-05-24 中国电子科技网络信息安全有限公司 Method for quickly identifying networked industrial control devices
CN108696544A * 2018-09-05 2018-10-23 杭州安恒信息技术股份有限公司 Security vulnerability detection method and device based on an industrial control system
CN108810034A * 2018-08-20 2018-11-13 杭州安恒信息技术股份有限公司 Security protection method for industrial control system information assets
CN110008713A * 2019-05-06 2019-07-12 杭州齐安科技有限公司 Novel industrial control system vulnerability detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200211