CN111385249B - Vulnerability detection method - Google Patents

Vulnerability detection method

Info

Publication number
CN111385249B
Authority
CN
China
Prior art keywords
script
test
task
protocol
entering
Prior art date
Legal status
Active
Application number
CN201811622270.0A
Other languages
Chinese (zh)
Other versions
CN111385249A (en)
Inventor
何连杰
李二霞
李玉凌
亢超群
常方圆
孙智涛
许保平
樊勇华
Current Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
State Grid Shandong Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
State Grid Shandong Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI, Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd, State Grid Shandong Electric Power Co Ltd
Priority to CN201811622270.0A
Publication of CN111385249A
Application granted
Publication of CN111385249B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a vulnerability detection method comprising the following steps: step S1, verifying whether the message is authenticated; step S2, verifying whether the message is encrypted. The method is backed by a strong autonomous industrial-control vulnerability database and can detect a large number of undisclosed ('0-day') vulnerabilities in power distribution automation equipment and software. By configuring a corresponding scanning strategy, vulnerabilities can be detected non-destructively; in particular, the method checks whether the commonly used distribution 101/104 protocols (IEC 60870-5-101/104) are protected by authentication and encryption measures, so as to safeguard stable operation of the system.

Description

Vulnerability detection method
[Technical field]
The invention belongs to the technical field of power distribution automation and in particular relates to a vulnerability detection method.
[Background art]
The vulnerabilities of a distribution automation system mainly comprise system vulnerabilities and security risks in the 101/104 protocols. In the distribution automation systems built so far, the terminals that access the master station lack an identity authentication mechanism, and interaction data such as remote signalling and telemetry are mostly transmitted in plaintext, so data leakage and tampering are easy to cause. If equipment in the distribution automation system has application vulnerabilities, operating system vulnerabilities, web application vulnerabilities, database vulnerabilities and the like, an attacker can exploit them to attack the system and affect its stable operation. The security protection scheme for distribution automation systems established in the early stage was formulated mainly with reference to the company notice on security protection work for distribution automation systems (State Grid [2011] No. 168). Its requirements include that the distribution automation system should support a one-way authentication function based on asymmetric key technology, that remote control commands issued by the master station should carry a digital signature based on a dispatching certificate, and that the substation or terminal side should be able to verify the master station's digital signature, so as to achieve security authentication and data integrity verification of the master station's control commands and parameter setting instructions. However, when a terminal is in online operation the master station has no authentication mechanism for it, so the master station cannot verify the authenticity of the terminal.
Moreover, telemetry and remote signalling data exchanged between the master station and the terminal are transmitted in plaintext, which easily leads to data leakage and tampering. A new vulnerability detection method is therefore needed: one backed by a strong autonomous industrial-control vulnerability library that can detect a large number of undisclosed ('0-day') vulnerabilities in distribution automation equipment and software, that can detect vulnerabilities non-destructively when a corresponding scanning strategy is configured, and that can check whether the commonly used distribution 101/104 protocols are protected by authentication and encryption measures, thereby safeguarding stable operation of the system.
[Summary of the invention]
To solve the above problems in the prior art, the present invention proposes a vulnerability detection method comprising:
step S1: verifying whether the message is authenticated;
step S2: verifying whether the message is encrypted.
Further, step S1 specifically comprises: actively sending messages to a terminal that has been determined to run the protocol, and verifying from its responses.
Further, actively sending messages to the terminal determined to run the protocol for verification specifically comprises:
step S11: determining whether the terminal to be verified runs the specific protocol; if yes, proceed to the next step, otherwise proceed to step S1X;
step S12: determining whether a link can be established with the terminal; if yes, proceed to the next step, otherwise proceed to step S16;
step S13: sending a protocol link request test message; if the terminal returns a message indicating that the link test succeeded, proceed to step S14, otherwise proceed to step S17;
step S14: sending a protocol total call (general interrogation) test message; if the terminal returns a message indicating that the total call test succeeded, proceed to step S15, otherwise proceed to step S18;
step S15: determining that the protocol is not authenticated;
step S16: the connection is abnormal and the protocol authentication state cannot be tested; proceed to step S1X;
step S17: determining that the link request test failed; proceed to step S14;
step S18: determining that the total call test failed; proceed to step S19;
step S19: determining that the protocol is authenticated;
step S1X: end.
Further, step S2 specifically comprises: actively capturing data packets on the port of the terminal running the protocol and analysing them to determine whether the messages are encrypted.
Further, actively capturing port data packets of the terminal running the protocol and analysing them to determine whether the messages are encrypted specifically comprises:
step S21: determining whether the terminal runs the specific protocol; if yes, proceed to the next step, otherwise proceed to step S2X;
step S22: capturing port data packets in real time;
step S23: determining whether the data packets contain data of a specific type; if yes, proceed to step S24, otherwise proceed to step S25;
step S24: determining that the protocol is not encrypted; proceed to step S2X;
step S25: determining that the protocol is encrypted;
step S2X: end.
Further, the port 2404 data packets are captured with tshark.
Further, the specific type is 60870-5-104-Asdu data.
Further, the protocol is the 104 protocol.
The beneficial effects of the invention include: the method is backed by a strong autonomous industrial-control vulnerability library and can detect a large number of undisclosed ('0-day') vulnerabilities in distribution automation equipment and software. By configuring a corresponding scanning strategy, vulnerabilities can be detected non-destructively; the method checks whether the commonly used distribution 101/104 protocols are protected by authentication and encryption measures, thereby safeguarding stable operation of the system.
[ description of the drawings ]
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate the invention and together with the description serve to explain it:
fig. 1 is a schematic configuration diagram of a vulnerability detection system of the present invention.
Fig. 2 is a schematic diagram of a script execution module structure of the present invention.
FIG. 3 is a schematic diagram of a vulnerability scanning strategy of the present invention.
Fig. 4 is a schematic diagram of a protocol authentication test method according to the present invention.
Fig. 5 is a schematic diagram of a protocol encryption testing method according to the present invention.
Fig. 6 is a schematic diagram of a vulnerability detection result according to the present invention.
[Detailed description of the invention]
The present invention will now be described in detail with reference to the drawings and specific embodiments; the exemplary embodiments and their description serve only to illustrate the invention and are not to be construed as limiting it.
As shown in fig. 1, the vulnerability detection system to which the present invention applies is described in detail. The vulnerability detection system comprises a vulnerability scanning system and a configuration management module.
The vulnerability scanning system is communicatively connected with the configuration management module, so that tasks can be issued to it and results returned.
The vulnerability scanning system comprises a task analyser, a script engine and a vulnerability scanning test script library. The task analyser parses the tasks issued by the configuration management module; the script engine loads the test scripts that must be executed to complete an issued task, parses and executes them, and returns their execution results to the configuration management module.
The task analyser parses the tasks issued by the configuration management module. Specifically, a task is issued as an instruction comprising a task name, task details, a task data address and so on; when task data is received, the task details are parsed, the task data is fetched based on the parsing result, and a new test process is created to handle the task.
The configuration management module issues test tasks and receives the test results returned by the vulnerability scanning system. A test task comprises the script names and parameter information required by the test, together with a task name, task details and a task data address; when task data is received, the task details are parsed. The module also configures a scheduling policy for each required test script; the scheduling policy may be an initial default policy.
Fetching the task data based on the parsing result and creating a new test process to handle the task specifically means: the task details are parsed to obtain the task type; when the task type is a script-execution type, the task data address is obtained, the script names and parameter information are read from that address, a new test process is created from them, and the script names and parameter information are copied into the process storage space of the new test process. Data is thus passed through the process itself, no shared storage space is kept between the task analyser and the script engine, and the possibility of data pollution is avoided.
The task details comprise the task type. Tasks fall into several types, the main ones being:
CREQ_ATTACHED_FILE: the received content is a file; the received file is stored;
CREQ_LONG_ATTACK: a script execution command is received; the specified script (selected by the policy configuration) is invoked to send probe packets to the configured target;
CREQ_PAUSE_WHOLE_TEST: send SIGUSR1 to all test processes to suspend all tests;
CREQ_PLUGIN_INFO: obtain the test script information for a specified OID value;
CREQ_PREFERENCES: obtain the parameter information of the scanning engine;
CREQ_RESUME_WHOLE_TEST: send SIGUSR2 to all test processes to resume the suspended tests;
CREQ_STOP_ATTACK: send SIGTERM to the test process of a designated host to end that scanning process;
CREQ_STOP_WHOLE_TEST: send SIGTERM to the test processes of all hosts to end all scanning processes;
CREQ_NVT_INFO: obtain NVT script library information;
CREQ_UNKNOWN: default type; the received task is non-compliant or cannot be parsed, and the request is not processed.
The script engine comprises a script scheduling module, a script execution module and a knowledge base. The script scheduling module selects the test scripts to be executed, and the script execution module executes the selected test scripts.
The script scheduling module reads the test scripts and completes the initialisation and sequencing of script calls; it comprises a script loading module and a script organising module.
The loading module loads the corresponding test scripts according to the script names and parameter information to be executed, and initialises them. Specifically, all test scripts are loaded and stored in a global variable linked list that holds all of the script engine's information across start-up, running and shutdown. Preferably, the global variable linked list is stored in the process space of the test process, so that when control passes from the task analyser to the script engine, data is exchanged and stored through the process.
The organising module determines the execution order of the scripts according to each script's scheduling policy and the related scheduling information stored in the knowledge base, and interprets and executes the test scripts in that order. Specifically: the organising module obtains a preliminary execution order from the scripts' scheduling policies; the preliminary order is adjusted using the scheduling information stored in the knowledge base to obtain the final execution order; the test scripts are then interpreted and executed in that order.
Preferably, each test script has a corresponding scheduling policy, set by the configuration management module. The scheduling policy comprises the script's running state, a policy code, a priority, a timeout, TCP ports, UDP ports, the node identifiers in the global variable linked list that the script requires, the node identifiers it mandatorily requires, and so on.
Obtaining the preliminary execution order from the scripts' scheduling policies specifically comprises: the organising module obtains all test scripts, obtains the policy type of each script's scheduling policy, and obtains the corresponding priority from the policy type; the preliminary execution order is then determined from the priority and the policy code. The following table compares policy types and their priorities:
Table 1: policy types and their priorities
Determining the preliminary execution order from the priority and the policy code specifically comprises: the script policies are sorted by priority, a higher priority meaning an earlier position in the execution order and vice versa; if two test scripts have the same priority they are sorted by policy code, a smaller policy code value meaning an earlier position.
Adjusting the preliminary execution order using the scheduling information stored in the knowledge base specifically comprises: adjusting the preliminary order according to the dependency relationships between the test scripts to obtain the execution order.
Adjusting the preliminary execution order according to the dependencies between the test scripts specifically comprises: when the positions of two test scripts in the preliminary order violate the ordering requirement between them, their positions are adjusted so that the requirement is met; the order that satisfies all ordering requirements is taken as the execution order.
Interpreting and executing the test scripts in the execution order specifically comprises: whether the execution environment of the script engine can satisfy the running requirements of the test script about to be executed is predicted from the execution environment; if so, the test script is executed; otherwise it is deferred and post-processed within the execution order. The most direct and efficient way to optimise script scheduling is to establish what state the script engine is in without having to launch the script. For example, if a script needs to connect to port 123/TCP on the remote host and that port is already known to be closed, there is no need to run the script at all. The relevant information is managed in the knowledge base and determines the script's scheduling.
Deferring and post-processing a script within the execution order specifically comprises: the script is placed in a waiting queue separate from the execution-order queue; the execution environment is checked periodically, and when it can satisfy the script's running requirements the script is woken and placed at the head of the execution order.
Preferably, a test script's running requirements are obtained by querying the knowledge base and the script's scheduling policy, and the execution environment information is obtained by querying the global variable linked list.
Preferably, the script engine obtains the test scripts needed to complete the test task, and their parameter information, from the process space.
The system loads all scripts and stores them in an arglist structure. The arglist is the global variable linked list and contains all of the engine's information across start-up, running and shutdown, including the start-up configuration, script interpretation and execution, and return information. The data structure of a node comprises the node name, the node type (the kind of information stored), the node value (the content stored), the node length, the address of the next node, a node number computed by a hash algorithm, and so on. Each piece of information the script engine needs, such as script information and target host information, is held in its own linked list, and these lists are attached to the global variable linked list. An empty global variable linked list is initialised when the script engine starts and is filled in during operation; the script engine looks up the information it needs in this list while running; the list lives as long as the script engine does, and the information on each node is modified in real time.
The script engine looks up the information it needs in the global variable linked list as follows: the script engine keeps a digest table for the global variable linked list and searches the list through the digest table. The digest table stores each node's digest value together with the type and position it corresponds to; the digest value is the node's key information, i.e. commonly searched content, key values and the like. The script engine must update the digest table in real time after modifying the global variable linked list.
The knowledge base stores the test scripts and mediates the exchange of information between them. During the script engine's work, the information gathered by executing scripts is stored in the knowledge base, which effectively avoids repeated scanning, reduces unnecessary resource consumption and improves efficiency.
The script knowledge base maintained by the script engine records useful information obtained after certain scripts have run, such as the operating system type, open ports, offered services and logged-in accounts. Scripts exchange information through the knowledge base, which provides the basis for running other scripts and at the same time simplifies script code: information a script depends on at run time, such as the system environment and port state, need not be written into the test script; during actual execution the script queries the knowledge base for this information and acts on it. For example, script-related information is queried by script type; while the script engine is maintained, the knowledge base is filled automatically from what the scripts have in common; and after the script engine finishes executing a script, the knowledge base is filled from the execution information produced during that run.
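The ordering and gating behaviour described above, as an added example in Python; this is not the patent's code, and the dataclass fields, script names, numeric priorities and knowledge-base keys are constructed for illustration. It shows the preliminary order (priority, then policy code), the dependency adjustment that moves a script after the scripts it must follow, and the waiting queue that parks a script whose knowledge-base requirements are unmet and wakes it to the head of the queue once a previous script has filled them in:

```python
"""Script ordering as described for the organising module: priority, then policy
code, dependency adjustment, and a knowledge-base (KB) gated waiting queue.
Added example, not the patent's code; field names, script names, KB keys and
priorities are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int           # higher runs earlier
    code: int               # tie-break: smaller policy code runs earlier
    requires: tuple = ()    # KB keys that must exist before the script may run
    depends_on: tuple = ()  # scripts that must have run first (sequence requirement)


def preliminary_order(policies):
    """Sort by descending priority, then ascending policy code."""
    return sorted(policies, key=lambda p: (-p.priority, p.code))


def adjust_for_dependencies(order):
    """Move each script after everything it depends on, otherwise keeping the
    preliminary order (a stable topological sort); an unsatisfiable cycle raises."""
    placed, result, pending = set(), [], list(order)
    while pending:
        for i, p in enumerate(pending):
            if all(d in placed for d in p.depends_on):
                result.append(pending.pop(i))
                placed.add(p.name)
                break
        else:
            raise ValueError("dependency cycle among: " + ", ".join(p.name for p in pending))
    return result


def run_schedule(policies, kb, run):
    """Interpret-and-execute loop. A script whose KB requirements are unmet is
    parked in a waiting queue and woken to the head of the queue once the KB
    satisfies it; scripts that never become runnable are reported as parked."""
    queue = adjust_for_dependencies(preliminary_order(policies))
    waiting, executed = [], []
    while queue or waiting:
        for p in list(waiting):                      # periodic environment check
            if all(k in kb for k in p.requires):
                waiting.remove(p)
                queue.insert(0, p)
        if not queue:
            break                                    # nothing left that can run
        p = queue.pop(0)
        if not all(k in kb for k in p.requires):
            waiting.append(p)
            continue
        kb.update(run(p))                            # script output fills the KB
        executed.append(p.name)
    return executed, [p.name for p in waiting]


# Constructed test scripts: note that iec104_encrypt_check outranks the script it depends on.
SCRIPTS = [
    Policy("port_scan", 10, 1),
    Policy("os_fingerprint", 10, 2),
    Policy("os_specific_check", 10, 0, requires=("os",)),
    Policy("iec104_auth_check", 5, 3, requires=("tcp/2404",), depends_on=("port_scan",)),
    Policy("iec104_encrypt_check", 9, 5, depends_on=("iec104_auth_check",)),
    Policy("telnet_banner", 8, 4, requires=("tcp/23",)),
]


def simulated_run(policy):
    """Constructed script results: only port 2404 is found open, so tcp/23 never appears."""
    return {"port_scan": {"tcp/2404": "open"},
            "os_fingerprint": {"os": "linux"}}.get(policy.name, {})


if __name__ == "__main__":
    print([p.name for p in adjust_for_dependencies(preliminary_order(SCRIPTS))])
    print(run_schedule(SCRIPTS, {}, simulated_run))
```

Running it shows the three effects the text describes: os_specific_check sorts first by policy code but is parked until os_fingerprint has written the "os" key, after which it is woken to the head of the queue; iec104_encrypt_check is pushed behind iec104_auth_check despite its higher priority; and telnet_banner is never run because no script ever reports port 23 open, which is exactly the "port already known to be closed" case.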
As shown in fig. 2, the script execution module interprets and executes a specific test script. It comprises a script interpreter that analyses and interprets the test script statement by statement, following the dynamic order of the statements, and through lexical analysis, syntactic analysis and semantic analysis, combined with a symbol table and an error-handling mechanism, converts the script into internal functions and variables for execution.
Preferably, after the scripts have been loaded and organised, the script engine calls the script execution module to execute the specific test script.
Preferably, lexical analysis splits the NASL script into (type, value) pairs, separating individual tokens and entering them into the symbol table; syntactic analysis processes the token list produced in the lexical stage, recognises complete statements and verifies syntactic integrity, and during script execution the variables that are defined are recognised and entered into the symbol table; semantic analysis follows the syntactic stage, analysing each statement of the resulting syntax tree and performing the corresponding semantic actions.
The vulnerability scanning test script library stores the vulnerability scanning test scripts. The scripts are written in the NASL language, and each test script comprises a vulnerability and script description part and a vulnerability test flow part.
The vulnerability and script description part describes the test script and the vulnerability, and comprises the vulnerability name, description, ID number, CVE number, BID number, CNVD number, affected versions, solution, threat level, family, related link addresses, the KB values the script requires, the KB values it mandatorily requires, the KB values that exclude it, the scanning parameters, and so on.
The vulnerability test flow part is the logical flow of vulnerability verification, i.e. the method of sending data packets, and comprises string parsing, socket-related functions, file-operation functions and the like.
A vulnerability scanning test can select a corresponding scanning strategy according to the running condition of the equipment under test, the scan schedule and so on; several vulnerability scanning strategies are shown in fig. 3.
As to the specific test strategy of a test script: the distribution automation security protection scheme built in the early stage supports a one-way authentication function based on asymmetric key technology; remote control commands issued by the master station carry a digital signature based on a dispatching certificate, and the substation or terminal side can verify the master station's digital signature, achieving security authentication and data integrity verification of the master station's control commands and parameter setting commands. However, when a terminal is in online operation the master station has no authentication mechanism for it and so cannot verify the terminal's authenticity, and the telemetry and remote signalling data exchanged between master station and terminal are transmitted in plaintext, which easily leads to data leakage and tampering. To address this, the detection system checks the security authentication and encryption functions of the distribution protocol by combining active packet sending with analysis of passively intercepted packets. At present, distribution master stations and terminals generally communicate using the 101/104 protocols, so the distribution 101/104 protocol is analysed to construct protocol connection and communication packets; these packets are actively sent to the target system under test, and whether the target enforces authentication is judged from how it responds. If a connection and communication can be established with the target system using unauthenticated packets, the target system does not use an authentication mechanism.
In addition, 101/104 communication packets are intercepted and subjected to deep packet inspection: the packets for the specified target IP and port (2404) are filtered with tshark, and the 60870-5-104-Asdu dissector built into tshark is used to determine whether a packet conforms to the 101/104 protocol. If it does, the type identification and function code information are extracted from the packet; if the extracted information conforms to the standard 101/104 protocol, the protocol is judged to be unencrypted.
Next, the protocol security test method is analysed in detail on the basis of the 104 protocol. For example, the 104 protocol security test performs a protocol security check on a distribution network system running the 104 protocol and comprises two parts: verifying whether the 104 messages are authenticated and verifying whether the 104 messages are encrypted.
the vulnerability detection method provided by the invention comprises the following steps:
step S1: verifying whether the message is authenticated; the method comprises the following steps: the verification is carried out by actively sending a message to the terminal which has determined to run the protocol (as shown in figure 4);
step S11: determining whether the terminal to be verified, which has determined to run a protocol, is a terminal running a specific protocol; if yes, entering the next step, otherwise, entering the step S1X;
step S12: determining whether a link can be established with the terminal; if yes, entering the next step, otherwise; step S16 is entered;
step S13: sending a protocol link request test message, if the terminal returns a successful link test message, entering a step S14, otherwise, entering a step S17;
step S14: sending a protocol total call test message, if the terminal returns a message that the total call test is successful, entering a step S15, otherwise, entering a step S18;
step S15: determining that the protocol is not authenticated;
step S16: an abnormal connection has occurred and the protocol authentication state cannot be tested; entering step S1X;
step S17: determining that the link request test fails, and entering step S14;
step S18: determining that the total call test fails, and entering step S19;
step S19: determining that the protocol has been authenticated;
step S1X: ending;
step S2: verifying whether the message is encrypted; this comprises the following: port data packets of a terminal running the protocol are actively captured and analyzed to determine whether the message is encrypted (as shown in fig. 5);
step S21: determining whether the terminal is a terminal running a specific protocol; if yes, entering the next step, otherwise entering the step S2X;
step S22: capturing port data packets in real time;
preferably: capturing 2404 port data packets through tshark;
step S23: determining whether the data packet contains data of a specific type; if yes, entering step S24, otherwise entering step S25;
preferably: the specific type is 60870-5-105-Asdu data;
step S24: determining that the protocol is not encrypted, and entering step S2X;
step S25: determining that the protocol has been encrypted;
step S2X: ending;
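The two checks described above, as an added example that is not code from the patent: a minimal parser for the 104 APCI/ASDU framing stands in for the tshark ASDU dissector of step S23, and the decision logic of steps S12 to S19 and S22 to S25 is applied to the terminal's replies. All frame bytes are constructed rather than captured, and the function names and the `control`/`cot` field names are this example's own.

```python
"""Added example, not code from the patent: offline checks mirroring steps S22-S25
(is the 2404 traffic plaintext 104?) and S12-S19 (did the terminal accept an
unauthenticated link request and general interrogation?). Frames are constructed."""

C_IC_NA_1 = 100          # type identification of the general interrogation ("total call")
COT_ACTCON = 7           # cause of transmission: activation confirmation
U_STARTDT_CON = 0x0B     # control octet 1 of the STARTDT confirm U-frame


def parse_apdu(payload: bytes):
    """Return a dict describing a plaintext IEC 60870-5-104 APDU, or None when the
    bytes do not follow the APCI/ASDU layout (the role the page gives to the tshark
    ASDU dissector). Only the fields the security test needs are decoded."""
    if len(payload) < 6 or payload[0] != 0x68:
        return None
    apdu_len = payload[1]
    if apdu_len < 4 or apdu_len != len(payload) - 2:   # length must match the frame
        return None
    c1, c2, c3, c4 = payload[2:6]
    if c1 & 0x01 == 0:                                 # I-format: carries an ASDU
        if apdu_len < 14:                              # 6-byte ASDU header + 3-byte IOA + 1 element
            return None
        type_id, cot = payload[6], payload[8] & 0x3F
        if type_id == 0 or cot == 0:                   # 0 is undefined for both fields
            return None
        return {"format": "I", "type_id": type_id, "cot": cot,
                "send_seq": (c1 >> 1) | (c2 << 7), "recv_seq": (c3 >> 1) | (c4 << 7)}
    if c1 & 0x03 == 0x01:                              # S-format: acknowledgement only
        return {"format": "S", "recv_seq": (c3 >> 1) | (c4 << 7)}
    if c1 & 0x03 == 0x03 and apdu_len == 4:            # U-format: STARTDT/STOPDT/TESTFR
        return {"format": "U", "control": c1}
    return None


def encryption_state(packets):
    """Steps S22-S25: one packet on the 2404 port that parses as an ASDU-carrying
    I-frame means the protocol is not encrypted; otherwise it is treated as encrypted."""
    for pkt in packets:
        apdu = parse_apdu(pkt)
        if apdu is not None and apdu["format"] == "I":
            return "not encrypted"
    return "encrypted"


def authentication_state(link_ok, startdt_reply, interrogation_reply):
    """Steps S12-S19. link_ok is whether a TCP link could be established (S12); the
    replies are the raw APDU bytes the terminal returned, or None for no reply."""
    if not link_ok:
        return {"state": "untestable", "link_test_ok": False}              # S16
    u = parse_apdu(startdt_reply) if startdt_reply else None
    link_test_ok = u is not None and u["format"] == "U" and u["control"] == U_STARTDT_CON
    # As on the page, a failed link test (S17) still proceeds to the total-call test (S14).
    i = parse_apdu(interrogation_reply) if interrogation_reply else None
    if i is not None and i["format"] == "I" and i["type_id"] == C_IC_NA_1 and i["cot"] == COT_ACTCON:
        return {"state": "not authenticated", "link_test_ok": link_test_ok}   # S15
    return {"state": "authenticated", "link_test_ok": link_test_ok}           # S18 -> S19


# Constructed sample frames: a STARTDT confirm, an activation confirmation of a
# general interrogation (plaintext), and a TLS-looking record that is not 104 at all.
STARTDT_CON = bytes.fromhex("68040b000000")
GI_ACTCON = bytes.fromhex("680e0200020064010700010000000014")
TLS_LIKE = bytes.fromhex("160303002a010000260303")
```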
as shown in fig. 6, the vulnerability detection method of the present invention can quickly find vulnerabilities; fig. 6 shows the vulnerability detection result of the present invention;
in several embodiments provided in the present invention, it should be understood that the disclosed method and terminal may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be other manners of division when actually implemented.
In addition, the technical solutions in the above several embodiments can be combined and replaced with each other without contradiction.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units can be realized in a form of hardware or a form of hardware and a form of software functional modules.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of modules or means recited in the system claims can also be implemented by means of one module or means in software or hardware. The terms first, second, etc. are used to denote a name, but not any particular order.
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (8)

1. A vulnerability detection method, wherein a system for the vulnerability detection method comprises a vulnerability scanning system and a configuration management module;
the vulnerability scanning system is in communication connection with the configuration management module so as to perform task issuing work and result returning;
the vulnerability scanning system comprises a task analyzer, a script engine and a vulnerability scanning test script library; wherein: the task analyzer is used for analyzing the task issued by the configuration management module, the script engine is used for loading a test script which is required to be executed for completing the issued task, carrying out grammar analysis and execution on the test script, and returning the execution result of the test script to the configuration management module;
the script engine comprises a script scheduling module, a script executing module and a knowledge base; the script scheduling module is used for selecting a test script to be executed, and the script execution module is used for executing the selected test script;
the script scheduling module is used for reading the test script and completing initialization and serialization of script call; the script scheduling module comprises a script loading module and a script organizing module;
the loading module is used for loading the corresponding test script according to the script name and parameter information to be executed and initializing it; specifically: all test scripts are loaded and stored as a global variable linked list containing all information of the script engine during its start, run and end phases; the global variable linked list is stored in the process space of the test process; when control is transferred from the task analyzer to the script engine, data exchange and storage are carried out through the process;
the task analyzer is used for analyzing the tasks issued by the configuration management module; specifically: the task is issued in the form of an instruction, wherein the instruction comprises a task name, task details, a task data address and the like; when task data is received, the task details are analyzed, the task data is acquired based on the analysis result, and a new test process is created to perform the task processing;
the configuration management module is used for issuing a test task and receiving a test result returned by the vulnerability scanning system; the test task comprises script names and parameter information required by the test; the system also comprises a task name, task details and a task data address; and is also used for configuring a scheduling strategy for each required test script; the scheduling policy is an initial default scheduling policy;
the task data are acquired based on the analysis result, and a new test process is created to perform task processing, specifically: analyzing task details to obtain task types, when script execution types are carried out in the task types, obtaining task data addresses, obtaining script names and parameter information based on the task data addresses, creating new test processes based on the script names and the parameter information, and copying the script names and the parameter information into process storage spaces of the new test processes; therefore, data can be transmitted through the process body, a shared storage space is not reserved between the task analyzer and the script engine, and the possibility of data pollution is avoided;
characterized in that the method comprises:
step S1: verifying whether the message is authenticated;
step S2: and verifying whether the message is encrypted.
2. The vulnerability detection method according to claim 1, wherein the step S1 specifically comprises: and actively transmitting a message to the terminal which has determined to run the protocol for verification.
3. The vulnerability detection method according to claim 2, wherein the verifying by actively sending a message to the terminal that has determined to operate a protocol, specifically comprises:
step S11: determining whether the terminal to be verified, which has determined to run a protocol, is a terminal running a specific protocol; if yes, entering the next step, otherwise, entering the step S1X;
step S12: determining whether a link can be established with the terminal; if yes, entering the next step, otherwise, entering step S16;
step S13: sending a protocol link request test message, if the terminal returns a successful link test message, entering a step S14, otherwise, entering a step S17;
step S14: sending a protocol total call test message, if the terminal returns a message that the total call test is successful, entering a step S15, otherwise, entering a step S18;
step S15: determining that the protocol is not authenticated;
step S16: an abnormal connection has occurred and the protocol authentication state cannot be tested; entering step S1X;
step S17: determining that the link request test fails, and entering step S14;
step S18: determining that the total call test fails, and entering step S19;
step S19: determining that the protocol has been authenticated;
step S1X: ending.
4. The vulnerability detection method according to claim 3, wherein the step S2 specifically comprises: and analyzing through actively grabbing port data packets of the terminal running the protocol to determine whether the message is encrypted.
5. The vulnerability detection method of claim 4, wherein the analyzing by actively grabbing the port packet of the terminal running the protocol to determine whether the message is encrypted specifically comprises:
step S21: determining whether the terminal is a terminal running a specific protocol; if yes, entering the next step, otherwise entering the step S2X;
step S22: capturing port data packets in real time;
step S23: determining whether the data packet contains data of a specific type;
step S24: determining that the protocol is not encrypted, and entering step S2X;
step S25: determining that the protocol has been encrypted;
step S2X: ending.
6. The vulnerability detection method of claim 5, wherein 2404 port packets are grabbed by tshark.
7. The vulnerability detection method of claim 6, wherein the specific type is 60870-5-105-Asdu data.
8. The vulnerability detection method of claim 7, wherein the protocol is 104 protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811622270.0A CN111385249B (en) 2018-12-28 2018-12-28 Vulnerability detection method

Publications (2)

Publication Number Publication Date
CN111385249A CN111385249A (en) 2020-07-07
CN111385249B true CN111385249B (en) 2023-07-18

Family

ID=71217993

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7450514B2 (en) * 2003-09-03 2008-11-11 University-Industry Cooperation Group Of Kyunghee University Method and device for delivering multimedia data using IETF QoS protocols
CN102082659A (en) * 2009-12-01 2011-06-01 厦门市美亚柏科信息股份有限公司 Vulnerability scanning system oriented to safety assessment and processing method thereof
CN103106368A (en) * 2013-02-26 2013-05-15 南京理工大学常熟研究院有限公司 Vulnerability scanning method for grade protection
CN104200166A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Script-based website vulnerability scanning method and system
CN104363236A (en) * 2014-11-21 2015-02-18 西安邮电大学 Automatic vulnerability validation method
CN104583949A (en) * 2012-08-16 2015-04-29 高通股份有限公司 Pre-processing of scripts in web browsers
CN106227668A (en) * 2016-07-29 2016-12-14 腾讯科技(深圳)有限公司 Data processing method and device
CN107094158A (en) * 2017-06-27 2017-08-25 四维创智(北京)科技发展有限公司 The fragile analysis system of one kind automation intranet security

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102377571A (en) * 2011-11-15 2012-03-14 航天科工深圳(集团)有限公司 Method and system for implementing IEC104 message transmission
WO2014058971A1 (en) * 2012-10-09 2014-04-17 Huawei Technologies Co., Ltd. Authenticated encryption support in iso/iec 23009-4
CN103888444B (en) * 2014-02-24 2018-07-10 国家电网公司 A kind of safe distribution of electric power authentication device and its method
CN104168288A (en) * 2014-08-27 2014-11-26 中国科学院软件研究所 Automatic vulnerability discovery system and method based on protocol reverse parsing
CN105721255A (en) * 2016-04-14 2016-06-29 北京工业大学 Industrial control protocol vulnerability mining system based on fuzzy test
CN106302535A (en) * 2016-09-30 2017-01-04 中国南方电网有限责任公司电网技术研究中心 The attack emulation mode of power system, device and attack emulator
CN107070893A (en) * 2016-12-09 2017-08-18 中国电子科技网络信息安全有限公司 A kind of power distribution network terminal IEC101 protocol massages certification method of discrimination
CN106911514A (en) * 2017-03-15 2017-06-30 江苏省电力试验研究院有限公司 SCADA network inbreak detection methods and system based on the agreements of IEC60870 5 104

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Implementation of storage structure simulation in the CPU simulator MCS; 李锋, 王雷, 刘又诚, 周伯生; Journal of Beijing University of Aeronautics and Astronautics (No. 04); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant