CN112235241A - Industrial control honeypot feature extraction method, system and medium based on fuzzy test - Google Patents

Info

Publication number
CN112235241A
Authority
CN
China
Prior art keywords
message
industrial control
honeypot
request message
variation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010932430.2A
Other languages
Chinese (zh)
Other versions
CN112235241B (en
Inventor
孙彦斌
田志宏
崔翔
李默涵
姜誉
苏申
鲁辉
仇晶
王朝斌
刘虹
倪华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Industrial Control Safety Innovation Technology Co ltd
Guangzhou University
Original Assignee
Shanghai Industrial Control Safety Innovation Technology Co ltd
Guangzhou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Industrial Control Safety Innovation Technology Co ltd and Guangzhou University
Priority to CN202010932430.2A
Publication of CN112235241A
Application granted
Publication of CN112235241B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Computation (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an industrial control honeypot feature extraction method, system and medium based on fuzzy test, wherein the method comprises the following steps: constructing an industrial control honeypot test environment; generating a first variation request message through a message generator based on the industrial control honeypot test environment and a preset initial seed, and sending the first variation request message to networking test equipment; transmitting a response message returned by the networking test equipment to the message generator; analyzing the response message through the message generator; according to the analysis result, performing iterative processing on the first variation request message based on a preset objective function to generate a second variation request message meeting the threshold requirement of the objective function; and determining a detection message from the second variation request message, and acquiring the characteristics of honeypot identification through the detection message. The invention can efficiently construct the detection message, improves the accuracy of feature extraction, and can be widely applied to the technical field of industrial control systems.

Description

Industrial control honeypot feature extraction method, system and medium based on fuzzy test
Technical Field
The invention relates to the technical field of industrial control systems, in particular to an industrial control honeypot feature extraction method, system and medium based on fuzzy test.
Background
Against the background of Industry 4.0, industrial control systems (ICS) are becoming increasingly open, and more and more of them use Internet protocols to interconnect their services. The shift from the traditional closed mode to an open mode has greatly increased the number of attacks aimed at ICS; ICS vulnerabilities are gradually being exposed, and the network security problems facing ICS are increasingly prominent. Security research on industrial control systems has become an important research direction in the industrial and information fields.
To cope with network probing and intrusion attacks from the Internet, more and more enterprises protect their industrial control systems by deploying industrial control honeypots. An industrial control honeypot is an active defence technology for detecting threat sources and collecting attack data: an attacker is lured into probing and intruding into the honeypot, so that information about the attack is collected and potential security threats are discovered. On the one hand, the honeypot makes it possible to trace the attack source and take targeted preventive measures against it; on the other hand, by auditing and analysing different attacks, the honeypot reveals weak links in the ICS so that they can be strengthened. However, the deception and counter-deception of industrial control honeypots is an attack-and-defence game, and as information technology develops, honeypot identification techniques improve correspondingly. Analysing industrial control honeypot identification from the attacker's perspective therefore helps to optimise the honeypot in a targeted manner and improve its authenticity.
Industrial control honeypot identification mostly relies on methods based on service interaction, on packet fragmentation, on machine learning and the like. In essence, all of these identify a honeypot by its features, and different features can judge from different angles whether a target is an industrial control honeypot. Either a single feature is used to identify honeypots in general or one type of honeypot; or multiple features are used, each assigned an identification weight and an identification probability, where the weight is obtained by machine learning and the initial identification probability by an empirical value and then calibrated by machine learning, a comprehensive identification probability is produced by an objective function, and that probability is compared with a threshold to judge whether the target is an industrial control honeypot.
At present the identification features of industrial control honeypots can be divided into internal features and external features. External features are unrelated to how the honeypot's internal functions are implemented, for example node deployment information, operating system fingerprints and network interaction information; internal features are related to the honeypot's function implementation, for example deep interaction information of the industrial control protocol, configuration and program debugging information, default configuration information and inherent defects of the honeypot. Acquisition of external features is mature and can be done with conventional methods; internal features concern the honeypot's own characteristics and must be obtained by special means. At present the internal features of an industrial control honeypot are generally found by manual analysis based on expert knowledge, and detection messages are constructed by hand for the purpose, so the efficiency is low.
Disclosure of Invention
In view of this, embodiments of the present invention provide an efficient industrial control honeypot feature extraction method, system and medium based on a fuzzy test.
The invention provides an industrial control honeypot feature extraction method based on fuzzy test, which comprises the following steps:
constructing an industrial control honeypot test environment;
generating a first variation request message through a message generator based on the industrial control honeypot test environment and a preset initial seed, and sending the first variation request message to networking test equipment;
transmitting a response message returned by the networking test equipment to the message generator;
analyzing the response message through the message generator;
according to the analysis result, performing iterative processing on the first variation request message based on a preset objective function to generate a second variation request message meeting the threshold requirement of the objective function;
and determining a detection message from the second variation request message, and acquiring the characteristics of honeypot identification through the detection message.
In some embodiments, the building an industrial control honeypot test environment includes:
deploying various industrial control devices in a laboratory environment;
building different types of industrial control honeypots for the various industrial control devices;
constructing a networking test device;
and determining the industrial control equipment to be tested, the industrial control honeypot and the networking test equipment.
In some embodiments, the method further comprises the step of constructing an initial seed.
In some embodiments, the step of constructing an initial seed comprises at least one of:
according to the standard structure of the ICS protocol message, constructing a network message which violates the standard structure as an initial seed;
constructing variation data between two correlation fields, and taking the network message corresponding to the field with the correlation damaged as an initial seed;
and constructing a network message carrying the abnormal function code as an initial seed.
In some embodiments, the constructing, according to the standard structure of the ICS protocol packet, a network packet that violates the standard structure as an initial seed includes:
determining fixed formats and fixed fields of an ADU part and a PDU part in a Modbus TCP protocol;
and randomly changing the content in the fixed format and/or the fixed field to obtain a network message which violates a standard structure, and taking the network message as an initial seed.
In some embodiments, the constructing variant data between two associated fields, using a network packet corresponding to a field whose association is destroyed as an initial seed, includes:
determining the relevance between the length field in the Modbus TCP protocol and the PDU length;
modifying the length field and/or modifying the PDU length;
and generating a network message corresponding to the field with the damaged relevance according to the modification result, and taking the network message as an initial seed.
In some embodiments, further comprising: a step of setting a restriction condition for the first mutation request message, the step including:
configuring the read-write operation on the address in the first mutation request message as the read-write operation on the non-key address;
configuring the variation of the field content in the variation process of the first variation request message into the variation of the field content constructed in a subtraction mode;
and configuring the packet sending rate of the first variation request message to be less than a preset rate.
The second aspect of the invention provides an industrial control honeypot feature extraction system based on fuzzy test, which comprises:
the environment construction module is used for constructing an industrial control honeypot test environment;
the first variation request message generation module is used for generating a first variation request message through a message generator based on the industrial control honeypot test environment and a preset initial seed, and sending the first variation request message to the networking test equipment;
the transmission module is used for transmitting the response message returned by the networking test equipment to the message generator;
the analysis module is used for analyzing the response message through the message generator;
the iteration module is used for carrying out iteration processing on the first variation request message based on a preset objective function according to an analysis result to generate a second variation request message meeting the threshold requirement of the objective function;
and the characteristic extraction module is used for determining a detection message from the second variation request message and acquiring the characteristics of the honeypot identification through the detection message.
The third aspect of the invention provides an industrial control honeypot feature extraction system based on fuzzy test, which comprises:
the memory is used for storing programs;
the processor executing the program implements the method according to the first aspect of the invention.
A fourth aspect of the present invention provides a storage medium storing a program for execution by a processor to implement the method according to the first aspect.
The embodiment of the invention firstly constructs an industrial control honeypot test environment; then generating a first variation request message through a message generator based on the industrial control honeypot test environment and a preset initial seed, and sending the first variation request message to networking test equipment; transmitting a response message returned by the networking test equipment to the message generator; analyzing the response message through the message generator; according to the analysis result, performing iterative processing on the first variation request message based on a preset objective function to generate a second variation request message meeting the threshold requirement of the objective function; and determining a detection message from the second variation request message, and acquiring the characteristics of honeypot identification through the detection message. The invention can efficiently construct the detection message and improve the accuracy of feature extraction.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flowchart of the steps of an industrial control honeypot feature extraction method based on fuzzy testing according to an embodiment of the present invention;
FIG. 2 is a diagram of a system architecture according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a honeypot identification process according to an embodiment of the present invention.
Detailed Description
The invention will be further explained and explained with reference to the drawings and the embodiments in the description. The step numbers in the embodiments of the present invention are set for convenience of illustration only, the order between the steps is not limited at all, and the execution order of each step in the embodiments can be adaptively adjusted according to the understanding of those skilled in the art.
Aiming at the defects of the prior art, in which machine-learning-based industrial control honeypot identification selects insufficient feature values and does not consider the inherent defects of honeypots, the invention provides an industrial control honeypot feature extraction method based on fuzz testing. Fuzz testing is a security testing method that discovers vulnerabilities in a system by constructing malformed inputs. Here the abnormal inputs of the fuzz test are generated by data mutation, and the difference in how honeypots and real industrial control devices handle errors in this abnormal data is used to tell them apart. The method constructs malformed detection packets by fuzz testing, uses a scanner to probe the networked devices, analyses response packets that differ greatly between industrial control devices and industrial control honeypots, traces back and retains the corresponding malformed detection packets, mutates and optimises these packets, probes the networked devices again, and repeats this optimisation continuously; once the response data corresponding to a malformed detection packet meets the indicators of the objective function, that packet is retained as a feature for identifying industrial control honeypots.
Referring to fig. 1, the industrial control honeypot feature extraction method based on the fuzzy test comprises the following steps S100-S600:
S100, constructing an industrial control honeypot test environment;
specifically, the step S100 includes:
S110, deploying various industrial control devices in a laboratory environment;
S120, building different types of industrial control honeypots for the various industrial control devices;
S130, constructing networking test equipment;
S140, determining industrial control equipment to be tested, industrial control honeypots and networking test equipment.
Specifically, the embodiment of the invention builds the test environment by mixing off-line and on-line devices: first, various real industrial control devices are deployed in a laboratory environment and different types of industrial control honeypots are built; then, to ensure the richness and authenticity of the test environment, networked devices and honeypots can be added, selecting as devices under test those industrial control devices and honeypots whose type can be clearly identified (by IP address, operating system and similar attributes) from a list of networked devices obtained from platforms such as Shodan and Censys.
S200, generating a first variation request message through a message generator based on the industrial control honeypot test environment and a preset initial seed, and sending the first variation request message to networking test equipment;
specifically, the embodiment of the present invention utilizes a mutation strategy, which can mutate the initial seed of the message generator and mutate the key part of the data packet, such as undefined function code, unreasonable request data, and the like. The purpose of the variation is to acquire the response message of the detected target for the error processing of the abnormal request as much as possible, and find out the abnormal detection packet which can cause as many different responses as possible by analyzing the message.
The embodiment of the invention also comprises a step of constructing the initial seed, wherein the step comprises at least one of the following S210-S230:
S210, constructing a network message violating the standard structure as an initial seed according to the standard structure of the ICS protocol message;
Specifically, the first seed mutation rule of the embodiment is an abnormal message structure: according to the specific ICS protocol message format, a network message that violates the standard structure is constructed as input. Taking the Modbus TCP protocol as an example, Modbus consists of an ADU part and a PDU part, each with a fixed format and fixed fields; the fixed format and fixed fields can be changed at random to obtain an abnormal input, which is used as an initial seed;
S220, constructing variation data between two correlation fields, and taking the network message corresponding to the field with the correlation damaged as an initial seed;
Specifically, the second seed mutation rule of the embodiment is abnormal association information: if an association exists between two fields, mutated data is constructed that breaks this association. For example, the value of the Modbus TCP length field (Len) is associated with the PDU length, so the content of Len can be changed, or the PDU length decreased or increased, to break the association.
S230, constructing a network message carrying the abnormal function code as an initial seed.
Specifically, the third seed mutation rule of the embodiment is an abnormal function code. The function code is the basis of ICS protocol communication, and abnormal responses of different devices can be obtained by constructing uncommon or abnormal function codes.
In addition, the embodiment can also mutate seeds with an abnormal access rule. From the perspective of reading data, this tests how the industrial control honeypot handles access to abnormal memory, for example a read-coils quantity that exceeds the specified range 0-2000.
In addition, to avoid abnormal inputs affecting real devices, the constructed abnormal input should follow these principles as far as possible:
(1) avoid read/write operations on key addresses as far as possible, in particular any out-of-range memory write;
(2) construct field content mutations in a subtractive mode as far as possible, avoiding the unsafe factors that incremental modes may bring;
(3) limit the packet transmission rate, so that the test does not impact the device.
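The three seed rules S210-S230, the abnormal access rule and the three restriction conditions above can be made concrete on Modbus TCP frames. The following Python is an added example written for this page, not code from the patent or its assignees: it assembles constructed seed frames with a minimal MBAP/PDU builder, classifies which rule each frame violates (these are the error classes a honeypot's handling must cover consistently with real hardware), and applies the restriction conditions as a policy check on a candidate seed. The function names, the set of recognised function codes, the reading of "subtractive mode" as "never longer than the original frame" and the key-address set are assumptions of the example.

```python
import struct

# MBAP header of a Modbus TCP frame: transaction id, protocol id, length, unit id.
MBAP_FMT = ">HHHB"
MBAP_LEN = struct.calcsize(MBAP_FMT)  # 7 bytes

# Public function codes this toy parser knows; any other value is treated as an
# "abnormal function code" (rule S230). The subset is an assumption of the example.
KNOWN_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 23}
MAX_READ_COILS = 2000  # Read Coils quantity limit cited on the page


def build_frame(tid, unit, pdu, length=None):
    """Assemble an ADU. `length` can be overridden to break the Len/PDU association (S220)."""
    if length is None:
        length = len(pdu) + 1  # MBAP length counts the unit id byte plus the PDU
    return struct.pack(MBAP_FMT, tid, 0, length, unit) + pdu


def classify_frame(frame):
    """Return the first structural anomaly found in a frame, or 'ok'."""
    if len(frame) < MBAP_LEN + 1:
        return "truncated"
    _tid, proto, length, _unit = struct.unpack(MBAP_FMT, frame[:MBAP_LEN])
    pdu = frame[MBAP_LEN:]
    if proto != 0:
        return "bad_protocol_id"
    if length != len(pdu) + 1:
        return "length_mismatch"            # S220: Len/PDU association broken
    fc = pdu[0]
    if fc not in KNOWN_FUNCTION_CODES:
        return "unknown_function_code"      # S230: abnormal function code
    if fc == 1:                             # Read Coils: address(2) + quantity(2)
        if len(pdu) != 5:
            return "bad_pdu_size"           # S210: fixed format violated
        _addr, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= MAX_READ_COILS:
            return "quantity_out_of_range"  # abnormal access rule
    return "ok"


def make_seed_frames():
    """Constructed initial seeds, one per mutation rule on the page."""
    base_pdu = struct.pack(">BHH", 1, 0, 10)  # Read Coils, address 0, quantity 10
    return {
        "normal": build_frame(1, 1, base_pdu),
        "abnormal_structure": build_frame(2, 1, base_pdu[:3]),        # PDU cut short
        "broken_association": build_frame(3, 1, base_pdu, length=2),  # Len lies about PDU
        "abnormal_function_code": build_frame(4, 1, b"\x7f" + base_pdu[1:]),
        "abnormal_access": build_frame(5, 1, struct.pack(">BHH", 1, 0, 2001)),
    }


def seed_allowed(seed, original, key_addresses, max_rate_hz, planned_rate_hz):
    """Apply the page's three restriction conditions to a candidate seed.

    Assumptions of this example: key addresses are given as a set of
    coil/register addresses, and 'subtractive mode' is read as 'the mutated
    frame is never longer than the frame it was derived from'.
    """
    pdu = seed[MBAP_LEN:]
    if len(pdu) >= 3 and pdu[0] in WRITE_FUNCTION_CODES:
        addr = struct.unpack(">H", pdu[1:3])[0]
        if addr in key_addresses:
            return False, "write_to_key_address"  # condition (1)
    if len(seed) > len(original):
        return False, "additive_mutation"         # condition (2)
    if planned_rate_hz > max_rate_hz:
        return False, "rate_too_high"             # condition (3)
    return True, "ok"


if __name__ == "__main__":
    for name, frame in make_seed_frames().items():
        print(f"{name:24s} {frame.hex():26s} -> {classify_frame(frame)}")
```

Run stand-alone, the script prints each constructed seed with the anomaly class it triggers; a honeypot operator can feed the same frames to the honeypot and to the real device it imitates and compare the exception codes or connection behaviour returned for each class.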
S300, transmitting a response message returned by the networking test equipment to the message generator;
the embodiment of the invention can compile a network detection script of a specific protocol by means of the existing tools such as Nmap and the like or according to the detection requirement, and is used for sending the detection message and receiving the response message.
S400, analyzing the response message through the message generator;
s500, according to the analysis result, performing iterative processing on the first variation request message based on a preset objective function to generate a second variation request message meeting the threshold requirement of the objective function;
the objective function of the embodiment of the invention is used for measuring the quality of the abnormal detection packet. The excellent abnormal detection packet can cause different devices to wrongly process the response messages and have various differences. The objective function design should be based on the following rules:
1. effectiveness: sending the same detection message to the tested equipment, wherein the number of response messages received by each detection message is as large as possible;
2. diversity: sending the same detection message to the tested equipment, wherein the number of the types of the response messages received by each detection message is as large as possible;
3. balance: sending the same detection message to the tested equipment, wherein the quantity distribution of different types of response messages is balanced as much as possible;
4. coverage rate: sending a group of detection messages to the tested equipment, selecting a plurality of groups of detection message sets with better effects according to three principles of effectiveness, diversity and balance, and selecting one set from the plurality of detection message sets, so that the union set of the response message types corresponding to the detection messages in the set is as much as possible.
The detection message set selected by rules 1-4 can serve as the seed for the next round of mutation. An iteration count and a threshold are set; when the detection messages have completed the number of mutation rounds or meet the threshold, the detection process ends, and the messages in the set are used directly as detection messages and stored in a seed bank.
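Rules 1-4 and the threshold stop condition can be computed from a table of responses. The Python below is an added example for this page, not the patent's own objective function O(): it scores each candidate detection message on effectiveness, diversity and balance over constructed response data (device names and response classes are made up), builds the coverage set greedily, and keeps the candidates that pass an O() threshold as seeds for the next round. The equal-weight sum, the entropy form of "balance" and all names are assumptions of the example.

```python
from collections import Counter
from math import log

# Constructed sample data: for each candidate detection message, the response
# class observed from each device under test (None = no response at all).
# "plc*" stand for real devices and "hp*" for honeypots; all values are made up.
RESPONSES = {
    "len_mismatch": {"plc1": "exc_illegal_len", "plc2": "close",
                     "hp1": "exc_illegal_func", "hp2": "exc_illegal_func"},
    "unknown_fc":   {"plc1": "exc_illegal_func", "plc2": "exc_illegal_func",
                     "hp1": "exc_illegal_func", "hp2": "exc_illegal_func"},
    "coils_2001":   {"plc1": "exc_illegal_value", "plc2": "exc_illegal_value",
                     "hp1": "ok_reply", "hp2": None},
    "truncated":    {"plc1": None, "plc2": None, "hp1": "close", "hp2": None},
}


def _received(resps):
    return [r for r in resps.values() if r is not None]


def effectiveness(resps):
    """Rule 1: how many devices answered at all."""
    return len(_received(resps))


def diversity(resps):
    """Rule 2: how many distinct response types came back."""
    return len(set(_received(resps)))


def balance(resps):
    """Rule 3: normalised Shannon entropy of the response-type distribution, 0..1.
    The entropy form is this example's choice; the page only asks for 'as balanced as possible'."""
    counts = Counter(_received(resps))
    if len(counts) <= 1:
        return 0.0
    total = sum(counts.values())
    h = -sum(c / total * log(c / total) for c in counts.values())
    return h / log(len(counts))


def score(resps):
    """Equal-weight O(): effectiveness and diversity normalised by device count, plus balance."""
    n = len(resps)
    return effectiveness(resps) / n + diversity(resps) / n + balance(resps)


def rank_probes(responses):
    """Candidate detection messages ordered best-first by O()."""
    return sorted(responses, key=lambda p: score(responses[p]), reverse=True)


def select_coverage_set(responses, k):
    """Rule 4: greedily pick up to k probes whose union of response types is largest."""
    types = {p: set(_received(r)) for p, r in responses.items()}
    chosen, covered = [], set()
    while len(chosen) < k:
        best, gain = None, 0
        for p in sorted(types):  # sorted order makes tie-breaking deterministic
            if p not in chosen and len(types[p] - covered) > gain:
                best, gain = p, len(types[p] - covered)
        if best is None:         # no remaining probe adds a new response type
            break
        chosen.append(best)
        covered |= types[best]
    return chosen


def next_round_seeds(responses, k, threshold):
    """Probes kept for the next mutation round (or the seed bank once iteration stops):
    the coverage set, filtered by the O() threshold."""
    return [p for p in select_coverage_set(responses, k) if score(responses[p]) >= threshold]


if __name__ == "__main__":
    for p in rank_probes(RESPONSES):
        print(f"{p:14s} O()={score(RESPONSES[p]):.3f}")
    print("coverage set:", select_coverage_set(RESPONSES, 2))
```

On the constructed data the length-mismatch probe scores highest because every device answers and the answers split three ways, while the unknown-function-code probe scores low despite full effectiveness: all four devices return the same exception, so it separates nothing. That is the property the objective function is built to reward.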
S600, determining a detection message from the second variation request message, and acquiring the characteristics identified by the honeypots through the detection message.
Specifically, in the honeypot identification process of the embodiment, shown in FIG. 3, the abnormal detection packets of the seed bank are used, via the scanner, to probe the networked device to be identified, obtaining the device's response to its erroneous handling of the data; this response can be used as an important identification feature, in combination with other identification methods, to determine the authenticity of the device.
In summary, the overall solution of the invention addresses the following problems:
(1) Construction and selection of detection packets. The selected detection packet must conform to the format of a normal data packet so that the probed device does not simply discard it, and the industrial control honeypot and the real networked device should differ in their response messages to the abnormal detection packet.
(2) Selection of the type of abnormal input. Unlike the destructive goal of ordinary fuzz testing, the goal of error-handling-based honeypot identification is to construct abnormal inputs while ensuring the safe operation of the device, to extract the differing features of device and honeypot by analysing their behaviour and results in handling the error, and then to distinguish honeypot from real device. An input type that satisfies this condition therefore has to be selected.
(3) Mutation strategy for malformed detection packets. For malformed detection packets that satisfy the conditions, a genetic or mutation method mutates some key parts of the packet, so that more qualifying detection packets are generated and more diversified response messages are obtained.
(4) Selection of industrial control devices. The large number of networked devices must be screened, and industrial control devices whose response messages carry more symbolic information should be collected into a device library, which serves as the basis for distinguishing industrial control honeypots.
(5) Measurement by an objective function. To judge the quality of a malformed detection packet, an objective function must be created for measurement, with a threshold and an iteration count; when the response message corresponding to the detection packet meets the threshold requirement or the mutation reaches the iteration count, measurement of one detection packet is complete. Qualifying detection packets are added to the seed pool as a source of data mutation.
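For the identification step S600 and the device library of item (4), the following is an added example, not the patent's code: response profiles recorded from known real devices and known honeypots under one seed bank are compared by the number of probes on which they differ, an observed profile is matched to its nearest library entry, and the probes on which every honeypot differs from every real device are listed, which is what a honeypot operator would use to decide which error-handling paths to align with real hardware. The profile data, the Hamming-distance measure and the function names are constructed assumptions.

```python
# Constructed device library: response profile (probe -> response class,
# None = no response) for known real devices and known honeypots under the
# same seed bank. Labels and values are illustrative, not measurements.
DEVICE_LIBRARY = {
    "real:plc1": {"len_mismatch": "exc_illegal_len", "unknown_fc": "exc_illegal_func",
                  "coils_2001": "exc_illegal_value", "truncated": None},
    "real:plc2": {"len_mismatch": "close", "unknown_fc": "exc_illegal_func",
                  "coils_2001": "exc_illegal_value", "truncated": None},
    "honeypot:hp1": {"len_mismatch": "exc_illegal_func", "unknown_fc": "exc_illegal_func",
                     "coils_2001": "ok_reply", "truncated": "close"},
}


def profile_distance(a, b):
    """Number of probes on which two profiles answered differently (Hamming distance)."""
    return sum(1 for p in set(a) | set(b) if a.get(p) != b.get(p))


def identify(observed, library):
    """Nearest library entry for an observed profile; returns (label, distance).
    Names are sorted first so ties resolve deterministically."""
    label = min(sorted(library), key=lambda name: profile_distance(observed, library[name]))
    return label, profile_distance(observed, library[label])


def _split(library):
    reals = [p for n, p in library.items() if n.startswith("real:")]
    pots = [p for n, p in library.items() if n.startswith("honeypot:")]
    return reals, pots


def honeypot_separation(library):
    """Smallest distance between any honeypot profile and any real-device profile.
    0 means this seed bank cannot tell the honeypot from a real device, which is
    the state a honeypot operator wants to reach; a large value marks work to do."""
    reals, pots = _split(library)
    return min(profile_distance(h, r) for h in pots for r in reals)


def revealing_probes(library):
    """Probes on which every honeypot differs from every real device: the deep
    identification features the page is after, and the first error-handling
    paths to correct in the honeypot."""
    reals, pots = _split(library)
    probes = sorted({p for prof in library.values() for p in prof})
    return [p for p in probes if all(h.get(p) != r.get(p) for h in pots for r in reals)]


if __name__ == "__main__":
    # A profile observed from an unknown device (constructed).
    observed = {"len_mismatch": "exc_illegal_func", "unknown_fc": "exc_illegal_func",
                "coils_2001": "ok_reply", "truncated": None}
    print("nearest:", identify(observed, DEVICE_LIBRARY))
    print("separation:", honeypot_separation(DEVICE_LIBRARY))
    print("revealing probes:", revealing_probes(DEVICE_LIBRARY))
```

The `unknown_fc` probe does not appear among the revealing probes because the constructed honeypot already returns the same exception as both real devices for it; the other three probes are where its error handling diverges, which is exactly the list an operator would work through before the honeypot is exposed.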
The aim of the invention is to construct abnormal messages that can effectively probe industrial control honeypots, so as to generate diversified, deep identification features that are hard to predict and imitate. The invention applies fuzz testing to industrial control honeypot feature extraction; the system architecture is shown in FIG. 2, and its main parts are a detection message generator, a network scanner, an objective function and a detection seed library. The specific implementation mainly comprises the following processes:
(1) real industrial control devices and industrial control honeypots are selected for testing, and a test environment is built;
(2) the detection message generator generates n mutated request messages from the initial seeds and sends them to the networked test devices through the network scanner;
(3) the networked devices under test return corresponding response messages, which are passed back to the message generator through the scanner;
(4) the message generator analyses the n response messages, extracts k messages from the n mutated request messages according to the objective function O() as second-round seeds, and again generates n mutated messages by methods such as genetic recombination and mutation;
(5) the k selected messages are placed in the seed library; the above processes are iterated until the threshold requirement of the objective function is reached or the iteration count is reached;
(6) finally, k messages are selected from the n mutated messages as detection messages. These detection messages can then be used to probe industrial honeypots or devices to obtain features for honeypot identification.
Compared with the prior art, the invention differs as follows:
1. An industrial control honeypot feature extraction method based on fuzz testing is provided, which uses the difference in how the devices under test handle errors in abnormal data as the feature for distinguishing real devices from industrial control honeypots;
2. Unlike traditional fuzz testing aimed at a single piece of software or device, the fuzz testing of the invention is aimed at multiple targets, i.e. a group of devices: it generates a group of effective heterogeneous messages based on a seed mutation strategy, probes each device in the group separately, and can select the effective detection messages;
3. An off-line and on-line combined method of building the test environment is provided, which effectively improves the richness and authenticity of the test environment;
4. Detection message mutation rules are provided, using abnormal message structure, abnormal association information, abnormal function codes, abnormal access and safety rules as the basis of abnormal message mutation, which improves the effectiveness, diversity and safety of message mutation;
5. A basis for designing an objective function suitable for multi-target fuzz testing is provided, which integrates effectiveness, diversity, balance and coverage and can effectively measure the quality of abnormal detection messages.
The existing industrial control honeypot identification techniques have the defects of insufficient feature parameter selection and no consideration of the error handling capability of industrial control equipment for abnormal data. The invention produces the following beneficial effects:
1. The invention considers the inherent defect in the error handling capability of industrial control honeypots: it uses error handling capability as a feature and uses the fuzzy test to analyze how the equipment handles errors in abnormal data, selecting abnormal detection messages accordingly.
2. Based on the variation rules and the objective function, the method can effectively mutate the seeds, obtaining more detection samples while ensuring the safety of the test process as far as possible and not affecting the real networking equipment.
The embodiment of the invention also provides an industrial control honeypot feature extraction system based on the fuzzy test, which comprises:
the environment construction module is used for constructing an industrial control honeypot test environment;
the first variation request message generation module is used for generating a first variation request message through a message generator based on the industrial control honeypot test environment and a preset initial seed, and sending the first variation request message to the networking test equipment;
the transmission module is used for transmitting the response message returned by the networking test equipment to the message generator;
the analysis module is used for analyzing the response message through the message generator;
the iteration module is used for carrying out iteration processing on the first variation request message based on a preset objective function according to an analysis result to generate a second variation request message meeting the threshold requirement of the objective function;
and the characteristic extraction module is used for determining a detection message from the second variation request message and acquiring the characteristics of the honeypot identification through the detection message.
The embodiment of the invention also provides an industrial control honeypot feature extraction system based on the fuzzy test, which comprises:
the memory is used for storing programs;
the processor executes the program to implement the method as described in fig. 1.
An embodiment of the present invention further provides a storage medium, where the storage medium stores a program, and the program is executed by a processor to implement the method shown in fig. 1.
In alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flow charts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed and in which sub-operations described as part of larger operations are performed independently.
Furthermore, although the present invention is described in the context of functional modules, it should be understood that, unless otherwise stated to the contrary, one or more of the described functions and/or features may be integrated in a single physical device and/or software module, or one or more functions and/or features may be implemented in a separate physical device or software module. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary for an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be understood within the ordinary skill of an engineer, given the nature, function, and internal relationship of the modules. Accordingly, those skilled in the art can, using ordinary skill, practice the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative of and not intended to limit the scope of the invention, which is defined by the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. An industrial control honeypot feature extraction method based on the fuzzy test, characterized by comprising the following steps:
constructing an industrial control honeypot test environment;
generating a first variation request message through a message generator based on the industrial control honeypot test environment and a preset initial seed, and sending the first variation request message to networking test equipment;
transmitting a response message returned by the networking test equipment to the message generator;
analyzing the response message through the message generator;
according to the analysis result, performing iterative processing on the first variation request message based on a preset objective function to generate a second variation request message meeting the threshold requirement of the objective function;
and determining a detection message from the second variation request message, and acquiring the characteristics of honeypot identification through the detection message.
2. The industrial control honeypot feature extraction method based on the fuzzy test as claimed in claim 1, wherein the building of the industrial control honeypot test environment comprises:
deploying various industrial control devices in a laboratory environment;
building different types of industrial control honeypots for the various industrial control devices;
constructing a networking test device;
and determining the industrial control equipment to be tested, the industrial control honeypot and the networking test equipment.
3. The industrial control honeypot feature extraction method based on the fuzzy test as claimed in claim 1, further comprising a step of constructing initial seeds.
4. The industrial control honeypot feature extraction method based on the fuzzy test as claimed in claim 3, wherein the step of constructing initial seeds comprises at least one of:
according to the standard structure of the ICS protocol message, constructing a network message which violates the standard structure as an initial seed;
constructing variation data between two correlation fields, and taking the network message corresponding to the field with the correlation damaged as an initial seed;
and constructing a network message carrying the abnormal function code as an initial seed.
5. The industrial control honeypot feature extraction method based on the fuzzy test as claimed in claim 4, wherein constructing a network message violating the standard structure as an initial seed according to the standard structure of the ICS protocol message comprises:
determining fixed formats and fixed fields of an ADU part and a PDU part in a Modbus TCP protocol;
and randomly changing the content in the fixed format and/or the fixed field to obtain a network message which violates a standard structure, and taking the network message as an initial seed.
6. The industrial control honeypot feature extraction method based on the fuzzy test as claimed in claim 4, wherein constructing variation data between two associated fields and taking the network message corresponding to the field with the damaged association as an initial seed comprises:
determining the relevance between the length field in the Modbus TCP protocol and the PDU length;
modifying the length field and/or modifying the PDU length;
and generating a network message corresponding to the field with the damaged relevance according to the modification result, and taking the network message as an initial seed.
7. The industrial control honeypot feature extraction method based on the fuzzy test as claimed in claim 1, further comprising:
a step of setting a restriction condition for the first mutation request message, the step including:
configuring the read-write operation on the address in the first mutation request message as the read-write operation on the non-key address;
configuring the variation of the field content in the variation process of the first variation request message into the variation of the field content constructed in a subtraction mode;
and configuring the packet sending rate of the first variation request message to be less than a preset rate.
8. An industrial control honeypot feature extraction system based on the fuzzy test, characterized by comprising:
the environment construction module is used for constructing an industrial control honeypot test environment;
the first variation request message generation module is used for generating a first variation request message through a message generator based on the industrial control honeypot test environment and a preset initial seed, and sending the first variation request message to the networking test equipment;
the transmission module is used for transmitting the response message returned by the networking test equipment to the message generator;
the analysis module is used for analyzing the response message through the message generator;
the iteration module is used for carrying out iteration processing on the first variation request message based on a preset objective function according to an analysis result to generate a second variation request message meeting the threshold requirement of the objective function;
and the characteristic extraction module is used for determining a detection message from the second variation request message and acquiring the characteristics of the honeypot identification through the detection message.
9. An industrial control honeypot feature extraction system based on the fuzzy test, characterized by comprising:
the memory is used for storing programs;
the processor executes the program to implement the method as claimed in any one of claims 1-7.
10. A storage medium, characterized in that the storage medium stores a program, which is executed by a processor to implement the method according to any one of claims 1 to 7.
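The following is an added example written for this page, not the patent's own implementation, illustrating the seed constructions of claims 4 to 6, the restriction conditions of claim 7 and one selection round by the objective function O() from the process described for figure 2. It builds Modbus TCP frames, derives the three abnormal seed types plus a subtractive mutation, filters them for admissibility, and scores them against a constructed device group consisting of one strict device and one lenient honeypot, which is how a honeypot operator would locate the error-handling gaps the patent turns into identification features. The function-code sets, the non-key address range, the objective weights and both device behaviours are assumptions; nothing is sent on a network.

```python
# Added example, not the patent's own code: Modbus TCP seeds per claims 4-6,
# the restriction conditions of claim 7, and a simplified objective O().
import struct

READ_FCS = {0x01, 0x02, 0x03, 0x04}        # read-only function codes
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}       # write function codes
NON_KEY_ADDRESSES = range(0x0000, 0x0010)  # assumed non-key address range

def build_frame(fc, data, tid=1, proto=0, unit_id=1, length=None):
    """MBAP header (tid, protocol id, length, unit id) then PDU (fc + data); a
    well-formed frame has length == len(PDU) + 1, an explicit one breaks that."""
    pdu = bytes([fc]) + data
    if length is None:
        length = len(pdu) + 1
    return struct.pack(">HHHB", tid, proto, length, unit_id) + pdu

def parse_frame(frame):
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    return tid, proto, length, unit, frame[7], frame[8:]

def initial_seeds(address=0x0000, quantity=1):
    """The three seed constructions of claims 4-6 beside a well-formed baseline."""
    data = struct.pack(">HH", address, quantity)
    return {
        "baseline": build_frame(0x03, data),
        "bad_structure": build_frame(0x03, data, proto=0xFFFF),  # claim 5
        "length_mismatch": build_frame(0x03, data, length=3),    # claim 6
        "abnormal_fc": build_frame(0x7F, data),                  # claim 4
    }

def subtractive_mutation(frame, drop=1):
    """Claim 7: vary field content only by removing bytes, never by appending."""
    return frame[:-drop] if 0 < drop < len(frame) - 7 else frame

def allowed(frame):
    """Claim 7: addressed read/write operations may only touch non-key addresses."""
    _, _, _, _, fc, data = parse_frame(frame)
    if fc in READ_FCS | WRITE_FCS and len(data) >= 2:
        return struct.unpack(">H", data[:2])[0] in NON_KEY_ADDRESSES
    return fc not in WRITE_FCS  # a write whose address was cut off is rejected

def real_plc(frame):
    """Constructed strict device: drops bad headers, rejects unknown codes."""
    tid, proto, length, _, fc, _ = parse_frame(frame)
    if proto != 0 or length != len(frame) - 6:
        return None
    if fc not in READ_FCS:
        return build_frame(fc | 0x80, b"\x01", tid=tid)  # ILLEGAL FUNCTION
    return build_frame(fc, b"\x02\x00\x00", tid=tid)

def lenient_honeypot(frame):
    """Constructed low-interaction honeypot: a normal-looking reply to anything."""
    tid, _, _, _, fc, _ = parse_frame(frame)
    return build_frame(fc, b"\x02\x00\x00", tid=tid)

def response_class(resp):
    if resp is None:
        return "silent"
    return "exception" if resp[7] & 0x80 else "normal"

def objective(frame, devices):
    """Simplified O(): effectiveness (share of devices answering) and diversity
    (spread of response classes); weights and dropped terms are assumptions."""
    classes = [response_class(dev(frame)) for dev in devices]
    effectiveness = sum(c != "silent" for c in classes) / len(classes)
    diversity = (len(set(classes)) - 1) / max(len(classes) - 1, 1)
    return 0.4 * effectiveness + 0.6 * diversity

def select_probes(seeds, devices, k=2):
    """One selection round: the k admissible seeds that O() ranks highest."""
    scored = sorted(((objective(f, devices), n) for n, f in seeds.items()
                     if allowed(f)), reverse=True)
    return [n for _, n in scored[:k]]

def run_round(k=2):
    """Constructed device group: one strict device beside one lenient honeypot."""
    seeds = initial_seeds()
    seeds["truncated"] = subtractive_mutation(seeds["baseline"], drop=2)
    return select_probes(seeds, [real_plc, lenient_honeypot], k)
```

For this device pair `run_round()` ranks `abnormal_fc` first: the unknown function code draws an exception response from the strict device but a normal reply from the honeypot, while the well-formed baseline scores lowest because both answer identically.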
Application CN202010932430.2A, priority date 2020-09-08, filing date 2020-09-08: Industrial control honeypot feature extraction method, system and medium based on fuzzy test; status Active; granted as CN112235241B (en).

Publications (2)

Publication Number Publication Date
CN112235241A (en) 2021-01-15
CN112235241B (en) 2023-02-24


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant