CN111083149A - Variable data detection and analysis method and device of Modbus protocol - Google Patents

Variable data detection and analysis method and device of Modbus protocol Download PDF

Info

Publication number
CN111083149A
CN111083149A CN201911333599.XA CN201911333599A CN111083149A CN 111083149 A CN111083149 A CN 111083149A CN 201911333599 A CN201911333599 A CN 201911333599A CN 111083149 A CN111083149 A CN 111083149A
Authority
CN
China
Prior art keywords
modbus
data
variable data
server
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911333599.XA
Other languages
Chinese (zh)
Inventor
许金鹏
金戈
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jianwang Technology Co Ltd
Original Assignee
Beijing Jianwang Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jianwang Technology Co Ltd filed Critical Beijing Jianwang Technology Co Ltd
Priority to CN201911333599.XA priority Critical patent/CN111083149A/en
Publication of CN111083149A publication Critical patent/CN111083149A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/18Protocol analysers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40Bus networks
    • H04L2012/40208Bus networks characterized by the use of a particular bus standard
    • H04L2012/40228Modbus

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a variable data detection and analysis method and device of a Modbus protocol, wherein the method comprises the following steps: acquiring a data packet of a current Modbus protocol; analyzing a data packet of a current Modbus protocol to obtain the IP address of a Modbus server, the equipment number of the Modbus server and the characteristic information of variable data; and matching the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of the variable data with a preset matching rule, and if the matching is unsuccessful, generating an alarm event for displaying. According to the scheme, the variable data of the Modbus protocol are detected and matched in real time by using the preset matching rules generated by self-learning, abnormal data are found, and an alarm event is generated, so that the detection of the variable value is realized.

Description

Variable data detection and analysis method and device of Modbus protocol
Technical Field
The invention relates to the technical field of industrial control firewalls, in particular to a variable data detection and analysis method and device of a Modbus protocol.
Background
With the continuous increase of information security requirement in the industrial control field, the common firewall cannot completely adapt to the particularity of the industrial control field. The monitoring based on variable values is an important function of an industrial control firewall, and the monitoring is carried out on some common industrial control protocols such as a Modbus TCP protocol.
Modbus is a common industrial control protocol and is realized on the basis of TCP. The existing firewall focuses on detecting header information of a data packet, such as an IP source address, an IP destination address, and a TCP source port number, or further a message type, a message length, and a message flow rate of a Modbus protocol, but rarely detects variable data in the Modbus protocol, which results in that some specific attacks based on the variable data for an industrial control system cannot be detected.
Disclosure of Invention
The embodiment of the invention provides a variable data detection and analysis method and device of a Modbus protocol, and solves the technical problem that some specific attacks based on variable data aiming at an industrial control system cannot be detected in the prior art.
The embodiment of the invention provides a variable data detection and analysis method of a Modbus protocol, which comprises the following steps:
acquiring a data packet of a current Modbus protocol;
analyzing a data packet of a current Modbus protocol to obtain the IP address of a Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
and matching the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of the variable data with a preset matching rule, and if the matching is unsuccessful, generating an alarm event for displaying.
The embodiment of the invention also provides a variable data detection and analysis device of the Modbus protocol, which comprises:
the Modbus data acquisition module is used for acquiring a data packet of a current Modbus protocol;
the Modbus data analysis module is used for analyzing a data packet of a current Modbus protocol to obtain the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
the Modbus data matching module is used for matching the characteristic information of the IP address of the Modbus server, the equipment number of the Modbus server and the variable data with a preset matching rule;
and the alarm event display module is used for generating an alarm event for display if the matching is unsuccessful.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the method when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program for executing the method.
In the embodiment of the invention, the variable data of the Modbus protocol is detected and matched in real time by using the preset matching rule generated by self learning, abnormal data is found and an alarm event is generated, so that the detection of the variable value is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart (one) of a variable data detection and analysis method of a Modbus protocol according to an embodiment of the present invention;
fig. 2 is a flowchart of a variable data detection and analysis method of a Modbus protocol according to an embodiment of the present invention (ii);
fig. 3 is a block diagram (one) of a structure of a variable data detection and analysis device of a Modbus protocol according to an embodiment of the present invention;
fig. 4 is a block diagram of a structure of a variable data detection and analysis device of a Modbus protocol according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The conventional firewall has the function of failing to meet the requirements of industrial control systems. For example: in a certain network attack, due to the fact that a control console of a user is attacked, various variable parameters in a system actually exceed limit values, but various variable data of the control console are displayed normally, the actual values cannot be observed, and finally frequent faults of system equipment are caused, production progress is seriously influenced, and finally project failure is caused.
Based on this, the present invention provides a method for detecting and analyzing variable data of a Modbus protocol, as shown in fig. 1, the method includes:
step 102: acquiring a data packet of a current Modbus protocol;
step 104: analyzing a data packet of a current Modbus protocol to obtain the IP address of a Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
step 106: and matching the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of the variable data with a preset matching rule, and if the matching is unsuccessful, generating an alarm event for displaying.
In the embodiment of the present invention, as shown in fig. 2, the method further includes:
step 202: acquiring a data packet of a Modbus protocol at the previous moment;
step 204: analyzing a data packet of a Modbus protocol at the previous moment to obtain the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
step 206: and generating a preset matching rule according to the Modbus server IP address, the Modbus server equipment number and the characteristic information of the variable data.
The process of step 202-206 belongs to a self-learning process, and the matching rule is obtained through the self-learning process.
The characteristic information of the variable data comprises the type, the address and the numerical value of the variable data; the preset matching rules comprise the types of the variable data, the address range of the variable data, the numerical range of the variable data, the IP address of the Modbus server and the matching rules of the Modbus server equipment number.
The current time and the previous time are set manually, for example, the previous time may be 10 minutes before, or may be other times.
In the embodiment of the present invention, as shown in fig. 2, the method further includes:
step 208: and modifying and confirming the preset matching rule to obtain the modified preset matching rule.
In the embodiment of the present invention, as shown in fig. 2, the method further includes:
step 108: and viewing the alarm event, and analyzing and processing the alarm event.
Based on the same inventive concept, embodiments of the present invention further provide a variable data detection and analysis device of a Modbus protocol, as described in the following embodiments. Because the principle of solving the problems of the variable data detection and analysis device of the Modbus protocol is similar to the variable data detection and analysis method of the Modbus protocol, the implementation of the variable data detection and analysis device of the Modbus protocol can refer to the implementation of the variable data detection and analysis method of the Modbus protocol, and repeated parts are not described again. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 3 is a block diagram showing a configuration of a variable data detection and analysis device of the Modbus protocol according to an embodiment of the present invention, and as shown in fig. 3, the variable data detection and analysis device includes:
the Modbus data acquisition module 02 is used for acquiring a data packet of a current Modbus protocol;
the Modbus data analysis module 04 is used for analyzing a data packet of a current Modbus protocol to obtain a Modbus server IP address, a Modbus server equipment number and characteristic information of variable data;
the Modbus data matching module 06 is used for matching the Modbus server IP address, the Modbus server equipment number and the characteristic information of the variable data with preset matching rules;
and the alarm event display module 08 is used for generating an alarm event for displaying if the matching is unsuccessful.
In an embodiment of the present invention, the Modbus data acquiring module 02 is further configured to: acquiring a data packet of a Modbus protocol at the previous moment;
the Modbus data analysis module 04 is further configured to: analyzing a data packet of a Modbus protocol at the previous moment to obtain the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
as shown in fig. 4, the method further includes:
and the preset matching rule generating module 10 is configured to generate a preset matching rule according to the Modbus server IP address, the Modbus server device number, and the characteristic information of the variable data.
In the embodiment of the present invention, as shown in fig. 4, the method further includes:
and the preset matching rule modification module 12 is configured to modify and confirm the preset matching rule to obtain the modified preset matching rule.
In an embodiment of the present invention, the alarm event presentation module 08 is further configured to: and viewing the alarm event, and analyzing and processing the alarm event.
In the embodiment of the invention, the industrial control firewall is a firewall system comprising a Modbus variable value detection function. Modbus customer end, Modbus server set up respectively on 2 network interface that industrial control firewall, and Modbus customer end passes through industrial control firewall and is connected with Modbus server establishment, then sets up firewall policy on the industrial control firewall, makes Modbus server and Modbus customer end communicate: the Modbus client side applies for data to the Modbus server, wherein the data comprises the type, the address and the number of variable data, and the Modbus server returns various types of variable data including the value of the variable data to the midbus client side.
The industrial control firewall comprises a general firewall function and is used for basic data detection.
The Modbus data acquisition module of the industrial control firewall receives 502 port data based on a TCP (transmission control protocol), namely all data packets of the Modbus protocol.
The Modbus data analysis module that industrial control firewall included analyzes the message data of all levels of every data packet in proper order: the Modbus message comprises an Ethernet layer, an IP layer, a TCP layer, a Modbus message header, a Modbus message body, an IP address of a Modbus server, a Modbus server equipment number, and the type, address and value of Modbus variable data.
In the self-learning stage, a Modbus data acquisition module included in the industrial control firewall acquires all data packets of a historical Modbus protocol, a Modbus data analysis module analyzes the data packets and then establishes a cache, the information (server IP address and Modbus server equipment number) of each Modbus server, the maximum value and the minimum value of the type, the address and the numerical value of all variable data are recorded, and the data are stored in a Modbus data table.
The type and the address of variable data refer to all addresses of each variable data type of the Modbus, and the addresses comprise:
coil-status data type, pool type, address range: 0000-0 xffff;
input-status data type, pool type, address range: 0000-0 xffff;
hold-register data type, 2-byte unsigned integer, address range: 0000-0 xffff;
input-register data type, 2-byte unsigned integer, address range: 0000-0 xffff.
The maximum and minimum values of the Modbus protocol variable value refer to actual values of the actually detected bool and 2-byte unsigned integers, and the value range is as follows:
the bol variables: minimum value: 0, maximum value: 1;
2-byte unsigned integer: minimum value: 0, maximum value: 65535.
after the self-learning is completed, a preset matching rule generation module included in the industrial control firewall generates the following detection rules based on data in the Modbus data table:
[rule_1]
Host=192.168.1.2
Dev=1
Modbus_coil_status=0:0,1;
Modbus_coil_status=10:1,1;
Modbus_input_status=0:0,0;
Modbus_holding_register=100:123,4567;
Modbus_input_register=100:432,2312;
…….
wherein: [ ruler _1] represents a rule name.
Host indicates that the IP address of the Modbus server is 192.168.1.2.
Dev denotes the Modbus server device number 1.
The fourth row, Modbus _ coil _ status, defines a coil _ status type variable data rule in which the variable address is 0, the variable minimum value is 0, and the maximum value is 1. This is a pool type data.
The fifth row, Modbus _ coil _ status, defines a coil _ status type variable data rule with a variable address of 10 and a variable minimum and maximum of 1. This is a pool type data.
The sixth row, Modbus _ input _ status, defines a variable data rule of the input _ status type, where the variable address is 0, and the variable minimum and maximum values are both 0. This is a pool type data.
The seventh row, Modbus _ holding _ register, defines a holding _ register type variable data rule with a variable address of 100, a minimum value of 123, and maximum values of 4567. This is a 2-byte unsigned integer.
The eighth row, Modbus _ input _ register, defines an input _ register type variable data rule with a variable address of 100, a minimum value of 432, and a maximum value of 2312. This is a 2-byte unsigned integer.
And so on.
And then storing the matching rules into a local corresponding Modbus rule file.
And then, editing the matching rules stored in the Modbus rule file (manual editing can be adopted) through a preset matching rule modification module (which can be a web interface) of the industrial control firewall, and adding, deleting and modifying each data item to ensure that the data items are more reliable. And the matching rule after confirmation can be issued to the Modbus data matching module through an issuing mechanism of the industrial control firewall.
The Modbus data matching module reads the Modbus rule file and generates a Modbus rule table in the memory, and the Modbus rule table stores all data information of the Modbus rule file for real-time monitoring.
In the detection operation stage, the Modbus data matching module directly matches various types of analyzed data of the Modbus with matching rule data in a memory to generate various types of detection alarm events, and the detection alarm events are displayed through an alarm event display module (namely a web interface) and are matched as follows:
firstly, the IP address of the Modbus server is matched, if the current Modbus server address is not in the range of the matching rule in the current memory, an alarm event is generated: and the Modbus server has an IP address error.
And matching the Modbus server equipment number, and if the current Modbus server equipment number is not in the range of the matching rule in the current memory, generating an alarm event: and the Modbus server equipment number is wrong.
And then matching the type and address of the variable data, if the type and address of the variable data are the coil _ status type data, matching the current variable address with the address of the coil _ status in the matching rule in the memory, and if the current variable address is not in the address range in the matching rule, generating an alarm event: and the Modbus server coil _ status type data address is wrong. There may be four types of data for address errors: a coil-status, an input-status, a hold-register, an input-register.
And finally, matching the variable value of the variable data, if the value of the current address is between the minimum value and the maximum value of the variable value of the corresponding variable address of the matching rule in the memory, determining that the data is correct data, and otherwise, generating an alarm event: and the value of the Modbus server xx type address yy is wrong. Where xx is the variable type, the range is: a coil-status, an input-status, a holding _ register, an input _ register; yy is the data address, the range is: 0-0 xffff.
After the alarm event is generated, the event information can be displayed on a web interface in real time, wherein the event information comprises an event name, an ip address of a Modbus server, an address of a Modbus client, a device number, a variable data type, a variable address, a variable value, a minimum variable value of a matching rule and a maximum variable value of the matching rule.
Finally, all generated alarm data may be analyzed by the alarm event presentation module (i.e., web interface): sort by data item, merge, and so on. The alarm event display module is used for man-machine interaction between a system and an interface, and controlling the starting and ending of self-learning of the system, rule generation, rule editing, strategy issuing, real-time event checking, historical event analysis and other functions.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the method when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program for executing the method.
In conclusion, compared with the prior art, the method and the device have the advantages that the preset matching rules generated by self-learning are used for detecting and matching the variable data of the Modbus protocol in real time, abnormal data are found and an alarm event is generated, so that the detection of the variable quantity value is realized.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A variable data detection and analysis method of a Modbus protocol is characterized by comprising the following steps:
acquiring a data packet of a current Modbus protocol;
analyzing a data packet of a current Modbus protocol to obtain the IP address of a Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
and matching the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of the variable data with a preset matching rule, and if the matching is unsuccessful, generating an alarm event for displaying.
2. The method for detecting and analyzing variable data of the Modbus protocol according to claim 1, further comprising:
acquiring a data packet of a Modbus protocol at the previous moment;
analyzing a data packet of a Modbus protocol at the previous moment to obtain the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
and generating a preset matching rule according to the Modbus server IP address, the Modbus server equipment number and the characteristic information of the variable data.
3. The method for detecting and analyzing variable data of the Modbus protocol according to claim 2, further comprising:
and modifying and confirming the preset matching rule to obtain the modified preset matching rule.
4. The method for detecting and analyzing variable data of the Modbus protocol according to claim 1, further comprising:
and viewing the alarm event, and analyzing and processing the alarm event.
5. The utility model provides a variable data detection analytical equipment of Modbus agreement which characterized in that includes:
the Modbus data acquisition module is used for acquiring a data packet of a current Modbus protocol;
the Modbus data analysis module is used for analyzing a data packet of a current Modbus protocol to obtain the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
the Modbus data matching module is used for matching the characteristic information of the IP address of the Modbus server, the equipment number of the Modbus server and the variable data with a preset matching rule;
and the alarm event display module is used for generating an alarm event for display if the matching is unsuccessful.
6. The Modbus protocol variable data detection and analysis device according to claim 5, wherein the Modbus data acquisition module is further configured to: obtaining a historical data packet of a Modbus protocol at the previous moment;
the Modbus data analysis module is also used for: analyzing a data packet of a Modbus protocol at the previous moment to obtain the IP address of the Modbus server, the equipment number of the Modbus server and the characteristic information of variable data;
further comprising:
and the preset matching rule generating module is used for generating a preset matching rule according to the Modbus server IP address, the Modbus server equipment number and the characteristic information of the variable data.
7. The variable data detection and analysis device of the Modbus protocol according to claim 6, further comprising:
and the preset matching rule modification module is used for modifying and confirming the preset matching rule to obtain the modified preset matching rule.
8. The variable data detecting and analyzing device of the Modbus protocol according to claim 5, wherein the alarm event presenting module is further configured to:
and viewing the alarm event, and analyzing and processing the alarm event.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 4 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1 to 4.
CN201911333599.XA 2019-12-23 2019-12-23 Variable data detection and analysis method and device of Modbus protocol Pending CN111083149A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911333599.XA CN111083149A (en) 2019-12-23 2019-12-23 Variable data detection and analysis method and device of Modbus protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911333599.XA CN111083149A (en) 2019-12-23 2019-12-23 Variable data detection and analysis method and device of Modbus protocol

Publications (1)

Publication Number Publication Date
CN111083149A true CN111083149A (en) 2020-04-28

Family

ID=70316639

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911333599.XA Pending CN111083149A (en) 2019-12-23 2019-12-23 Variable data detection and analysis method and device of Modbus protocol

Country Status (1)

Country Link
CN (1) CN111083149A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112511524A (en) * 2020-11-24 2021-03-16 北京天融信网络安全技术有限公司 Access control policy configuration method and device
CN114978782A (en) * 2022-08-02 2022-08-30 北京六方云信息技术有限公司 Industrial control threat detection method and device, industrial control equipment and storage medium
CN114979828A (en) * 2022-05-18 2022-08-30 成都安讯智服科技有限公司 Internet of things communication module flow control method and system based on Modbus
CN115550472A (en) * 2022-11-22 2022-12-30 浙江大华技术股份有限公司 Heterogeneous data processing method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040054829A1 (en) * 2001-06-25 2004-03-18 White William A. Method, system and program for the transmission of modbus messages between networks
CN105429963A (en) * 2015-11-04 2016-03-23 北京工业大学 Invasion detection analysis method based on Modbus/Tcp
CN107979567A (en) * 2016-10-25 2018-05-01 北京计算机技术及应用研究所 A kind of abnormality detection system and method based on protocal analysis
CN108021096A (en) * 2016-11-03 2018-05-11 沈阳高精数控智能技术股份有限公司 A kind of long-distance monitoring method of the digital control system based on Modbus
CN109379375A (en) * 2018-11-28 2019-02-22 杭州迪普科技股份有限公司 Acquisition methods, device and the network equipment of access control rule

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040054829A1 (en) * 2001-06-25 2004-03-18 White William A. Method, system and program for the transmission of modbus messages between networks
CN105429963A (en) * 2015-11-04 2016-03-23 北京工业大学 Invasion detection analysis method based on Modbus/Tcp
CN107979567A (en) * 2016-10-25 2018-05-01 北京计算机技术及应用研究所 A kind of abnormality detection system and method based on protocal analysis
CN108021096A (en) * 2016-11-03 2018-05-11 沈阳高精数控智能技术股份有限公司 A kind of long-distance monitoring method of the digital control system based on Modbus
CN109379375A (en) * 2018-11-28 2019-02-22 杭州迪普科技股份有限公司 Acquisition methods, device and the network equipment of access control rule

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112511524A (en) * 2020-11-24 2021-03-16 北京天融信网络安全技术有限公司 Access control policy configuration method and device
CN114979828A (en) * 2022-05-18 2022-08-30 成都安讯智服科技有限公司 Internet of things communication module flow control method and system based on Modbus
CN114979828B (en) * 2022-05-18 2023-03-10 成都安讯智服科技有限公司 Internet of things communication module flow control method and system based on Modbus
CN114978782A (en) * 2022-08-02 2022-08-30 北京六方云信息技术有限公司 Industrial control threat detection method and device, industrial control equipment and storage medium
CN114978782B (en) * 2022-08-02 2022-11-01 北京六方云信息技术有限公司 Industrial control threat detection method and device, industrial control equipment and storage medium
CN115550472A (en) * 2022-11-22 2022-12-30 浙江大华技术股份有限公司 Heterogeneous data processing method and device

Similar Documents

Publication Publication Date Title
CN111083149A (en) Variable data detection and analysis method and device of Modbus protocol
CN109802953B (en) Industrial control asset identification method and device
CN107656520B (en) CAN bus data analysis method and computer readable storage medium
EP3361442B1 (en) Method and apparatus for detecting security using an industry internet operating system
CN109040073B (en) Method, device, medium and equipment for detecting access of abnormal behaviors of world wide web
CN106603281A (en) Configuration file management method and system
US20160308745A1 (en) Presenting application performance monitoring data in distributed computer systems
CN110808962B (en) Malformed data packet detection method and device
CN107483472A (en) A kind of method, apparatus of network security monitoring, storage medium and server
CN106326119A (en) Method and device for generating test case
US20190116100A1 (en) Machine-to-machine (m2m) communication monitoring
CN112187583B (en) Method, device and storage medium for recognizing action information in private industrial control protocol
CN107819808A (en) Communicate to connect method for building up and device
CN112822291A (en) Monitoring method and device for industrial control equipment
CN114363212B (en) Equipment detection method, device, equipment and storage medium
EP3702951A1 (en) Computer-implemented method and blockchain system for detection of attacks on a computer system or computer network
WO2020252635A1 (en) Method and apparatus for constructing network behavior model, and computer readable medium
CN111130848B (en) Fault detection method and device for authentication, authorization and accounting (AAA)
CN105959289A (en) Self-learning-based safety detection method for OPC Classic protocol
CN113709129A (en) White list generation method, device and system based on traffic learning
CN106506553B (en) A kind of Internet protocol IP filter method and system
CN108780486B (en) Context aware security self-evaluation
CN113157790A (en) Nuclear fusion curve editing method, system, terminal and medium
CN112448919B (en) Network anomaly detection method, device and system and computer readable storage medium
US9542250B2 (en) Distributed maintenance mode control

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20200428