CN113472739B - Vulnerability discovery method and device for control equipment private protocol - Google Patents


Info

Publication number
CN113472739B
CN113472739B (application CN202110545409.1A)
Authority
CN
China
Prior art keywords
industrial control
control equipment
messages
test
state
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110545409.1A
Other languages
Chinese (zh)
Other versions
CN113472739A (en)
Inventor
孙利民
刘圃卓
宋站威
孙玉砚
顾智敏
黄伟
刘伟
郭雅娟
姜海涛
朱道华
周超
郭静
王梓莹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
Institute of Information Engineering of CAS
Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS and Electric Power Research Institute of State Grid Jiangsu Electric Power Co Ltd
Priority to CN202110545409.1A
Publication of CN113472739A
Application granted
Publication of CN113472739B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a vulnerability discovery method, apparatus, electronic device and storage medium for a control device's proprietary protocol. The method comprises the following steps: sniffing the communication traffic generated while engineering software communicates with the industrial control device; generating an initial test tuple from that traffic, in which part of the messages are marked as seeds, and generating test cases from the seeds; using the initial test tuple to guide the state of the industrial control device and to verify the validity of the network connection; and testing the industrial control device with the test cases, discovering anomalies by monitoring the device's output signal waveform and network state. By using the message sequence to guide the control device's state and to generate test cases, the method can effectively discover security vulnerabilities in industrial control devices.

Description

Vulnerability discovery method and device for control equipment private protocol
Technical Field
The invention relates to the technical fields of network protocol implementation security, Internet of Things/industrial control device security and security testing, and in particular to a vulnerability discovery method and apparatus, electronic device and storage medium for a control device's proprietary protocol.
Background
With the development of the industrial internet, information technology and operational technology are converging. This convergence breaks the original closure and isolation of industrial control systems: while it improves production efficiency, it also increases the likelihood that industrial control devices face network threats. Because attacks on industrial control systems usually aim to affect production in the physical world, the control device itself is the most likely target, and an attacker triggers a vulnerability in the device through network protocol communication to complete a remote attack. Actively discovering vulnerabilities in industrial control devices and repairing them in time has therefore become an important means of security protection.
Industrial control devices are highly customized and proprietary in their system architecture, operating system and communication protocols, which makes the vulnerability discovery methods used for conventional embedded devices unusable. At present black-box fuzz testing is mainly used: test cases generated without guidance are fed to the test target, and the target is observed for abnormal behaviour. This approach suffers from low efficiency and a high miss rate. Beyond the unknown syntax, semantics and timing of a proprietary protocol, black-box fuzzing of an industrial control device must cope with function-execution-state constraints inside the device (different functions must be executed beforehand to build up the execution environment), and because industrial control protocols are command-oriented with many variable parameters, the fuzzer faces a huge input space to explore. In addition, protocol fuzzers judge whether the device is abnormal by observing its network state, which can only reveal vulnerabilities in the network services of the embedded device, so vulnerabilities in non-network services are missed. To effectively discover the vulnerabilities in industrial control devices, a vulnerability mining system aimed specifically at their proprietary protocols is needed.
Disclosure of Invention
The invention provides a fuzz-testing vulnerability mining method for industrial control devices based on message-driven state guidance and integrated cyber-physical monitoring. It addresses the low efficiency of traditional vulnerability mining tools, caused by the unknown syntax, semantics and timing of proprietary protocols and the unknown dependencies between device functions, and the fact that an embedded device has no GUI (graphical user interface) from which abnormal information could be obtained, so that security defects in the implementation of the industrial control device's proprietary protocol can be found effectively.
Specifically, the invention provides the following technical scheme:
in a first aspect, the present invention provides a vulnerability discovery method for a control device private protocol, including:
sniffing communication traffic generated during communication with industrial control equipment through engineering software;
generating an initial test tuple based on the communication traffic, wherein part of messages of the initial test tuple are marked as seeds, and generating a test case based on the seeds;
guiding the state of the industrial control device and verifying the validity of the network connection based on the initial test tuple;
and testing the industrial control equipment based on the test case, and discovering the abnormality of the industrial control equipment by monitoring the output signal waveform and the network state of the industrial control equipment.
Further, the generating an initial test tuple based on the communication traffic comprises:
dividing the communication traffic into a request message sequence and a response message sequence;
filtering messages in the request message sequence which are irrelevant to device state guidance;
and marking part of the messages as seeds in the filtered request message sequence to form an initial test tuple.
Further, the generating a test case based on the seed includes:
mutating the data length and content of the seeds to generate test cases.
Further, the filtering messages in the request message sequence that are not related to device state guidance comprises:
calculating the frequency characteristic of the occurrence of the preset bytes of each message in the request message sequence and the similarity characteristic between the messages;
filtering messages unrelated to device state guidance based on the frequency features and similarity features.
Further, said marking a portion of the messages as seeds in the filtered sequence of request messages comprises:
calculating the similarity between all the messages in the filtered request message sequence;
and marking the messages that do not satisfy the similarity condition with respect to the other messages as seeds.
Further, the conducting of the guidance of the state of the industrial control device and the verification of the validity of the network connection based on the initial test tuple comprises:
guiding the state of the industrial control device using the preamble messages of the seed;
and modifying the authentication field of the state-guidance message corresponding to the seed according to the test configuration file of the industrial control device, thereby verifying the validity of the network connection.
Further, the performing the test of the industrial control device based on the test case includes:
updating the initial test tuple based on a test response message obtained by testing the industrial control equipment;
and iteratively testing the industrial control equipment based on the updated initial test tuple.
In a second aspect, the present invention provides a vulnerability discovery apparatus for a control device private protocol, including:
a communication traffic sniffing module for sniffing the communication traffic generated while the engineering software communicates with the industrial control device;
a test case generation module for generating an initial test tuple based on the communication traffic, wherein part of the messages of the initial test tuple are marked as seeds, and for generating test cases based on the seeds;
a guidance and verification module for guiding the state of the industrial control device and verifying the validity of the network connection based on the initial test tuple;
and an anomaly discovery module for testing the industrial control device based on the test cases and discovering anomalies of the industrial control device by monitoring its output signal waveform and network state.
In a third aspect, the present invention provides an electronic device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the vulnerability discovery method for the control device private protocol according to the first aspect when executing the program.
In a fourth aspect, the invention provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the vulnerability discovery method for control device private protocols according to the first aspect.
The method provided by the invention acquires and analyses the communication traffic between the control device and the engineering software to form a message sequence, and uses that sequence to guide the control device's state and to generate test cases. Network information and the output signal are combined to monitor the device state and judge whether an anomaly has occurred, so that the security vulnerabilities present in the industrial control device are discovered effectively.
Drawings
FIG. 1 is a flow diagram of a vulnerability discovery method for a control device's proprietary protocol according to an embodiment of the present invention;
FIG. 2 is an overall framework diagram of a fuzz test based on message-driven state guidance and integrated cyber-physical monitoring for a control device's proprietary protocol according to an embodiment of the present invention;
FIG. 3 is a schematic flow diagram of traffic processing and scheduling according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a vulnerability discovery apparatus for a control device's proprietary protocol according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The method aims to effectively find security defects in the protocol implementation of industrial control devices, to address the low efficiency of black-box fuzzing of industrial control devices by conventional vulnerability mining tools, to address the huge unguided test input space caused by the unknown syntax, semantics, timing and function constraints of the device's proprietary protocol, and at the same time to address the inability to effectively monitor the running state of an embedded device. The invention provides a fuzz test method based on message-driven state guidance and integrated cyber-physical monitoring to discover vulnerabilities in control devices.
Fig. 1 is a flowchart of a vulnerability discovery method for a control device private protocol according to an embodiment of the present invention, and with reference to fig. 1, the vulnerability discovery method for a control device private protocol provided by an embodiment of the present invention includes:
step 110, sniffing communication traffic generated in the process of communicating with industrial control equipment through engineering software;
step 120, generating an initial test tuple based on the communication traffic, wherein part of messages of the initial test tuple are marked as seeds, and generating a test case based on the seeds;
step 130, guiding the state of the industrial control equipment and verifying the network connection validity based on the initial test tuple;
step 140, testing the industrial control device based on the test cases, and discovering anomalies of the industrial control device by monitoring its output signal waveform and network state.
Specifically, to illustrate the concept of the present invention more fully, the vulnerability discovery for a control device's proprietary protocol proposed by the embodiment can be described as a fuzz test method for the proprietary protocol of an industrial control device, which mainly comprises:
First, the communication traffic sniffing stage. In this stage the engineering software is operated to interact with the device (connecting, going online, running, downloading files, disconnecting and so on), and the traffic generated during this communication is sniffed as input. The captured traffic is divided into a request message sequence (messages sent by the engineering software) and a response message sequence (messages sent by the device).
Second, the preprocessing stage. A filtering method independent of protocol knowledge is applied to the request message sequence sniffed in the previous stage to remove the messages irrelevant to state guidance; for example, messages unrelated to guiding the device's state (heartbeat messages, device status queries, memory read messages and so on) are filtered out using the similarity and frequency characteristics of the messages.
Seed messages used for generating test cases are then marked in the filtered message sequence to form the initial test tuple; for example, test seeds are selected from the filtered messages using the Hamming distance.
Third, the fuzz test stage. Based on the initial test tuple obtained in the preprocessing stage, the mutation module generates test cases by randomly mutating the marked seeds;
the scheduling module first uses the messages preceding the seed to guide the device state and then sends the test case to test the device. In this process the scheduling module needs to modify the state-guidance messages according to the configuration file of the proprietary protocol so as to pass the device's anti-replay protection check, bypassing any anti-replay mechanism present in the state-guidance process.
During fuzzing, the scheduling module also evaluates the similarity between the response to a test case and the response message sequence sniffed earlier, and decides whether to generate a new test tuple.
The monitoring module monitors the network state, network responses and output signal through the device's network interface and output module interface during the test, checks the device state from the network connection state information and from the frequency and amplitude changes of the output module signal, judges whether a vulnerability has been triggered or an anomaly has occurred, and records and raises an alert on abnormal conditions; the security defects in the industrial control device are thereby found accurately and effectively.
Specifically, referring to fig. 2, fig. 2 is an overall framework diagram of a fuzz test based on message-driven and cyber-physical integrated monitoring for a control device proprietary protocol according to an embodiment of the present invention.
The embodiment of the invention provides detailed steps of the overall flow of a vulnerability discovery method aiming at a control device private protocol, which comprise the following steps:
1) For a given device, communicate with it using its corresponding engineering software, for example by clicking a series of function buttons to interact with the device, while a sniffing tool captures the communication traffic generated during the interaction as input.
The ways of interacting with the device can be learned by examining the controls of the GUI, consulting the product documentation provided by the manufacturer, observing network communication behaviour from experience, and so on. The interaction with the device includes connecting to it, uploading the device program, downloading the device program, switching the device mode (for example to programming mode), starting and stopping the device, and so on.
2) Divide the communication traffic captured in step 1) into a request message sequence (messages sent by the engineering software) and a response message sequence (messages sent by the device).
3) Filter the messages irrelevant to state guidance from the request message sequence of step 2), using the similarity and frequency characteristics of the messages. For example: calculate the proportion of 0x00 bytes in every message of the sequence, count how many messages share each proportion value, group messages with the same proportion into a set, and take the three sets ranked highest by message count. Within each set, evaluate message similarity by measuring the Hamming distance; if the distance of some pair of messages in a set is less than 3, and the number of messages at that same distance is greater than or equal to 3, the messages are considered similar and are filtered out.
The thresholds involved, such as the number of selected groups and the distance threshold, may affect the actual test results and may need different settings for different protocols. Thresholds must be set so that the device state is not affected; this can be checked by replaying the filtered message sequence and confirming that the original function still completes.
The irrelevant-message filtering method of this embodiment does not depend on knowledge of the specific proprietary protocol. It relies on two characteristics: protocol messages with the same function are highly similar to one another, and messages that the engineering software sends on its own initiative and that are unrelated to state guidance make up a large share of the traffic.
4) Using the message sequence filtered in step 3), calculate the Hamming distance between each message and every other message of the same length. If the distance of some pair of equal-length messages is less than 3, further evaluate the distance of the pair's preceding messages and of its following messages; if both of those distances are also less than 3, mark the pair as N, and mark all remaining cases as Y. This forms the initial test tuple, in which the messages marked Y are the seeds used to generate test cases.
5) Using the initial test tuple generated in step 4), the mutation module mutates the data length and content of the seeds to generate test cases.
The seed selection method of this embodiment does not depend on knowledge of the specific proprietary protocol: it computes the similarity between messages with the Hamming distance, and when similar messages' adjacent preceding and following messages also satisfy the similarity condition, the similar messages are not fuzzed, which improves test efficiency.
6) Using the initial test tuple of step 4), perform state guidance and then test with the test cases of step 5). The scheduling module guides the device state by replaying the seed's preamble messages; it modifies the messages in the test tuple that precede the current test seed according to the test configuration file, that is, it modifies the authentication fields of the state-guidance messages, so that the device's network-connection validity check (its anti-replay mechanism) is passed. Authentication fields of interest are the Sequence Number, the Session ID and Challenge-response fields. The test case of step 5) is then sent.
In practice, different manufacturers apply different protection mechanisms to ensure the validity of a network connection, and these mechanisms can affect the validity of the fuzz test. For example, a fixed position in the message may have to be filled with random data taken from the device's response message for the device to accept it. The preamble messages therefore have to be modified according to the test configuration file for the proprietary protocol in order to pass the authentication mechanism.
Steps 2) to 6) are illustrated with reference to fig. 3, a schematic flow diagram of traffic processing and scheduling according to an embodiment of the present invention. Assume A to H is the captured traffic, B and E are filtered out as irrelevant messages, and A, C, F and H are labelled Y. When testing the seed F, the three messages A, C and D are replayed for state guidance, and then the test case (RD) generated from F is tested.
7) Using the response messages to the test cases of step 6) and the response message sequence of step 2), explore device states not yet captured by measuring the similarity of the response messages, and form new test tuples. Specifically, the scheduling module computes the similarity between messages with the Hamming distance; if all distances are greater than 3, the similarity condition is not met, and the scheduling module substitutes the test case for the seed to form a new test tuple.
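As an added example (not code from the patent or its inventors), the following Python script implements the traffic preprocessing of steps 2) to 4) and the response-novelty check of step 7) on a constructed capture: it splits the capture by direction, filters requests by 0x00-byte proportion groups and Hamming distance, labels the remaining messages Y or N to form the initial test tuple, and checks whether a test-case response is far enough from every sniffed response to justify a new tuple. The thresholds (distance below 3, at least 3 messages, three largest groups) are the page's; the sample bytes are invented, and the rounding of the byte proportion, the reading of "number of messages with the same distance" as the number of distinct messages taking part in pairs at that distance, and labelling both members of a similar pair N are my assumptions. The mutation, state-guidance replay and scheduling steps are not implemented here.

```python
"""Traffic preprocessing (steps 2 to 4) and response-novelty check (step 7).
Added example with a constructed capture; not the patent's own code."""
from collections import defaultdict

DISTANCE_THRESHOLD = 3    # page: a Hamming distance below 3 means "similar"
MIN_SIMILAR_MESSAGES = 3  # page: at least 3 messages at the same distance
TOP_GROUPS = 3            # page: the three largest zero-byte-proportion groups


def hamming(a, b):
    """Hamming distance of two equal-length messages; None if lengths differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def split_by_direction(capture):
    """Step 2: capture is a list of (direction, payload); 'req' = software to device."""
    return ([p for d, p in capture if d == "req"],
            [p for d, p in capture if d == "rsp"])


def filter_state_irrelevant(requests):
    """Step 3: group requests by proportion of 0x00 bytes, keep the three largest
    groups, and drop every message involved in pairs at some distance < 3 when at
    least 3 messages of the group sit at that distance (assumed reading)."""
    groups = defaultdict(list)
    for idx, msg in enumerate(requests):
        ratio = msg.count(0) / len(msg) if msg else 0.0
        groups[round(ratio, 4)].append(idx)
    drop = set()
    for members in sorted(groups.values(), key=len, reverse=True)[:TOP_GROUPS]:
        at_distance = defaultdict(set)  # distance -> messages in a pair at it
        for i, a in enumerate(members):
            for b in members[i + 1:]:
                d = hamming(requests[a], requests[b])
                if d is not None and d < DISTANCE_THRESHOLD:
                    at_distance[d].update((a, b))
        for involved in at_distance.values():
            if len(involved) >= MIN_SIMILAR_MESSAGES:
                drop |= involved
    return [msg for idx, msg in enumerate(requests) if idx not in drop]


def mark_seeds(filtered):
    """Step 4: an equal-length pair at distance < 3 whose preceding pair and
    following pair are also at distance < 3 is labelled N (both members, as in
    the page's fig. 3 example); all other messages keep label Y and are seeds."""
    n = len(filtered)
    labels = ["Y"] * n
    for i in range(1, n):              # i == 0 has no preceding message
        for j in range(i + 1, n - 1):  # j == n-1 has no following message
            d = hamming(filtered[i], filtered[j])
            if d is None or d >= DISTANCE_THRESHOLD:
                continue
            prev = hamming(filtered[i - 1], filtered[j - 1])
            nxt = hamming(filtered[i + 1], filtered[j + 1])
            if None not in (prev, nxt) and max(prev, nxt) < DISTANCE_THRESHOLD:
                labels[i] = labels[j] = "N"
    return list(zip(filtered, labels))


def response_is_novel(test_response, known_responses):
    """Step 7: True when the response is more than 3 away from every sniffed
    response, i.e. the test case reached an uncaptured state and becomes a seed."""
    return all(d is None or d > DISTANCE_THRESHOLD
               for d in (hamming(test_response, r) for r in known_responses))


def build_initial_tuple(capture):
    """Steps 2 to 4 end to end: (initial test tuple, sniffed responses)."""
    requests, responses = split_by_direction(capture)
    return mark_seeds(filter_state_irrelevant(requests)), responses


# Constructed capture: engineering software (req) talking to a PLC (rsp); bytes invented.
SAMPLE_CAPTURE = [
    ("req", bytes.fromhex("01020304000000a1")), ("rsp", bytes.fromhex("81000000000000a1")),  # A connect
    ("req", bytes.fromhex("0000000000000001")), ("rsp", bytes.fromhex("0000000000000081")),  # heartbeat
    ("req", bytes.fromhex("10000000000001b2")), ("rsp", bytes.fromhex("90000000000001b2")),  # C programming mode
    ("req", bytes.fromhex("20000000100001c3")), ("rsp", bytes.fromhex("a0000000100001c3")),  # D download block 1
    ("req", bytes.fromhex("0000000000000002")), ("rsp", bytes.fromhex("0000000000000082")),  # heartbeat
    ("req", bytes.fromhex("10000000000002b2")), ("rsp", bytes.fromhex("90000000000002b2")),  # F run mode
    ("req", bytes.fromhex("20000000100002c3")), ("rsp", bytes.fromhex("a0000000100002c3")),  # G download block 2
    ("req", bytes.fromhex("0000000000000003")), ("rsp", bytes.fromhex("0000000000000083")),  # heartbeat
    ("req", bytes.fromhex("11000000000002b3")), ("rsp", bytes.fromhex("91000000000002b3")),  # H disconnect
]

if __name__ == "__main__":
    test_tuple, responses = build_initial_tuple(SAMPLE_CAPTURE)
    for msg, label in test_tuple:
        print(msg.hex(), label)  # D and G come out N; A, C, F and H are the seeds
    print(response_is_novel(bytes.fromhex("ffffffffffffffff"), responses))  # True
```

On the constructed capture the three heartbeats form the largest zero-proportion group and are dropped, the two download requests D and G are labelled N because their neighbours C/F and F/H are also similar, and A, C, F and H remain as seeds, which is the pattern the fig. 3 description gives. Before trusting the thresholds on a real device, replay the filtered sequence and confirm the original function still completes, as the page advises.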
8) During testing, the monitoring module judges the response in the information domain from the network state and probe messages. Specifically, it judges the device's network connection state from the device's responses to TCP SYN, TCP FIN and heartbeat messages, and records an anomaly if these network-state probes are not answered correctly; it also sends device probe messages to obtain the device's manufacturer, model and firmware version, judges whether the device answers these probes correctly, and records an anomaly if it does not.
For the response in the physical domain, the monitoring module connects to a digital oscilloscope over TCP/IP to acquire oscilloscope data; the oscilloscope is connected to an output module port of the control device to monitor the output signal waveform. The monitoring module calculates the peak value and frequency of the waveform from the acquired data and judges the device state against set thresholds, recording an anomaly if one is found.
Because the control logic of the control device can be set by the operator, and complex operating logic makes state monitoring harder when an oscilloscope is used to monitor the output module signal, a simple control logic such as periodically toggling the output lets the device's service state be monitored effectively.
9) Repeat steps 5), 6), 7) and 8) to fuzz the control device automatically and continuously; stop the test process when the test time limit is reached or no new seeds remain to be tested.
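The cyber-physical check of step 8), as an added example that is not the patent's own code: the physical-domain side computes the peak value and frequency of the output waveform and compares both against configured thresholds, and the information-domain side turns the probe results (TCP SYN, TCP FIN, heartbeat, device-info probes) into recorded anomalies. The waveforms are generated in code as a stand-in for oscilloscope data; the oscilloscope connection over TCP/IP is not shown, and the 1 kHz sample rate, the half-peak logic level and frequency measured from the spacing of rising edges are my assumptions, not the page's.

```python
"""Device-state monitor for step 8: waveform peak/frequency thresholds plus
network probe verdicts. Added example; waveforms are constructed, not captured."""

SAMPLE_RATE_HZ = 1000.0  # assumed oscilloscope sample rate for the constructed data


def square_wave(freq_hz, amplitude_v, seconds, fs=SAMPLE_RATE_HZ):
    """Constructed stand-in for oscilloscope data: an output toggling at freq_hz,
    the 'output timing reversal' control logic the page recommends for monitoring."""
    period = int(fs / freq_hz)
    return [amplitude_v if (i % period) < period // 2 else 0.0
            for i in range(int(fs * seconds))]


def waveform_features(samples, fs=SAMPLE_RATE_HZ):
    """Peak value (max |v|) and frequency from the mean spacing of rising edges."""
    peak = max((abs(v) for v in samples), default=0.0)
    level = peak / 2.0  # assumption: logic threshold at half the peak
    edges = [i for i in range(1, len(samples))
             if samples[i - 1] < level <= samples[i]]
    if len(edges) < 2:
        return peak, 0.0  # a stuck output never completes a period: report 0 Hz
    spacing = (edges[-1] - edges[0]) / (len(edges) - 1)
    return peak, fs / spacing


def check_physical(samples, expected_freq_hz, expected_peak_v,
                   tolerance=0.1, fs=SAMPLE_RATE_HZ):
    """Anomalies in the output signal against set thresholds (empty = healthy)."""
    peak, freq = waveform_features(samples, fs)
    anomalies = []
    if abs(freq - expected_freq_hz) > tolerance * expected_freq_hz:
        anomalies.append(f"frequency {freq:.3f} Hz outside {expected_freq_hz} Hz +/-{tolerance:.0%}")
    if abs(peak - expected_peak_v) > tolerance * expected_peak_v:
        anomalies.append(f"peak {peak:.2f} V outside {expected_peak_v} V +/-{tolerance:.0%}")
    return anomalies


def check_network(probe_results):
    """probe_results maps a probe name (tcp_syn, tcp_fin, heartbeat, device_info)
    to whether the device answered it correctly; unanswered probes are anomalies."""
    return [f"no valid response to {name}" for name, ok in probe_results.items() if not ok]


def device_state(samples, probe_results, expected_freq_hz, expected_peak_v):
    """Combined verdict: ('ok', []) or ('anomaly', [recorded reasons])."""
    reasons = check_network(probe_results) + check_physical(samples, expected_freq_hz, expected_peak_v)
    return ("anomaly" if reasons else "ok"), reasons


if __name__ == "__main__":
    healthy = square_wave(1.0, 24.0, 4.0)  # 24 V output toggling once per second
    probes = {"tcp_syn": True, "tcp_fin": True, "heartbeat": True, "device_info": True}
    print(device_state(healthy, probes, 1.0, 24.0))                    # ('ok', [])
    print(device_state([24.0] * 4000, probes, 1.0, 24.0))              # output stuck high
    print(device_state(healthy, dict(probes, heartbeat=False), 1.0, 24.0))
```

A stuck output produces a frequency anomaly even though the peak is still within tolerance, which is exactly the class of non-network fault the page says network-only monitoring misses; a probe that goes unanswered is recorded on its own, without waiting for the waveform check.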
The vulnerability discovery method for a control device's proprietary protocol provided by the embodiment can effectively and automatically discover the vulnerabilities present in an industrial control device's implementation of its proprietary protocol. It addresses the low efficiency of conventional vulnerability mining tools in black-box fuzzing of industrial control devices, the huge unguided test input space caused by the unknown syntax, semantics, timing and function constraints of the proprietary protocol, and the inability to effectively monitor the running state of the embedded device, so that the security defects present in the industrial control device's use of proprietary-protocol communication are discovered effectively.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a vulnerability discovery apparatus for a control device private protocol according to an embodiment of the present invention, and the vulnerability discovery apparatus for a control device private protocol provided by the embodiment of the present invention includes:
a communication traffic sniffing module 410 for sniffing communication traffic generated during communication with the industrial control device through engineering software;
a test case generating module 420, configured to generate an initial test tuple based on the communication traffic, where a part of messages of the initial test tuple is marked as a seed, and generate a test case based on the seed;
a guidance and verification module 430 for performing guidance of the state of the industrial control device and verification of network connection validity based on the initial test tuple;
an anomaly discovery module 440, configured to test the industrial control device based on the test case, and to discover anomalies of the industrial control device by monitoring its output signal waveform and network state.
Since the vulnerability discovery apparatus for the control device private protocol provided in the embodiment of the present invention can execute the vulnerability discovery method described in the above embodiment, and its working principle and beneficial effects are similar, a detailed description is omitted here; for specifics, refer to the description of the above embodiment.
In this embodiment, it should be noted that each module in the apparatus according to the embodiment of the present invention may be integrated into a whole or may be separately disposed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Fig. 5 illustrates the physical structure of an electronic device, which, as shown in fig. 5, may include a processor 510, a communications interface 520, a memory 530 and a communication bus 540, wherein the processor 510, the communications interface 520 and the memory 530 communicate with each other via the communication bus 540. The processor 510 may invoke logic instructions in the memory 530 to perform the vulnerability discovery method for a control device private protocol, the method comprising: sniffing communication traffic generated during communication with industrial control equipment through engineering software; generating an initial test tuple based on the communication traffic, wherein part of the messages of the initial test tuple are marked as seeds, and generating a test case based on the seeds; guiding the state of the industrial control equipment and verifying the network connection validity based on the initial test tuple; and testing the industrial control equipment based on the test case, and discovering anomalies of the industrial control equipment by monitoring its output signal waveform and network state.
In addition, the logic instructions in the memory 530 may be implemented in the form of software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk and other media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the vulnerability discovery method for a control device private protocol provided by the above methods, the method comprising: sniffing communication traffic generated during communication with industrial control equipment through engineering software; generating an initial test tuple based on the communication traffic, wherein part of the messages of the initial test tuple are marked as seeds, and generating a test case based on the seeds; guiding the state of the industrial control equipment and verifying the network connection validity based on the initial test tuple; and testing the industrial control equipment based on the test case, and discovering anomalies of the industrial control equipment by monitoring its output signal waveform and network state.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the vulnerability discovery method for a control device private protocol provided above, the method comprising: sniffing communication traffic generated during communication with industrial control equipment through engineering software; generating an initial test tuple based on the communication traffic, wherein part of the messages of the initial test tuple are marked as seeds, and generating a test case based on the seeds; guiding the state of the industrial control equipment and verifying the network connection validity based on the initial test tuple; and testing the industrial control equipment based on the test case, and discovering anomalies of the industrial control equipment by monitoring its output signal waveform and network state.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A vulnerability discovery method for industrial control device proprietary protocols, comprising:
sniffing communication traffic generated during communication with industrial control equipment through engineering software;
dividing the communication traffic into a request message sequence and a response message sequence; filtering messages in the request message sequence which are irrelevant to device state guidance; marking part of the messages as seeds in the filtered request message sequence to form an initial test tuple comprising the seeds; generating a test case based on the seeds;
conducting guidance of the state of the industrial control device and verification of network connection validity based on the initial test tuple;
and testing the industrial control equipment based on the test case, and discovering the abnormality of the industrial control equipment by monitoring the output signal waveform and the network state of the industrial control equipment.
2. The method of claim 1, wherein generating test cases based on the seed comprises:
varying the data length and the content of the seeds to generate a test case.
3. The method of claim 1, wherein filtering messages in the request message sequence that are unrelated to device state guidance comprises:
calculating, for each message in the request message sequence, a frequency feature of the occurrence of preset bytes and a similarity feature between the messages;
filtering out messages unrelated to device state guidance based on the frequency feature and the similarity feature.
4. The method of claim 1, wherein marking partial messages as seeds in the sequence of filtered request messages comprises:
calculating the similarity between all the messages in the filtered request message sequence;
and marking the message which does not meet the similarity condition with other messages as the seed.
5. The method of claim 1, wherein conducting the guidance of the state of the industrial control device and the verification of network connection validity based on the initial test tuple comprises:
using the preamble message of the seed to conduct the guiding of the state of the industrial control equipment;
and modifying the authentication field of the state guide message corresponding to the seed according to the test configuration file of the industrial control equipment, thereby verifying the legality of the network connection.
6. The method of claim 1, wherein the performing the test of the industrial control device based on the test case comprises:
updating the initial test tuple based on a test response message obtained by testing the industrial control equipment;
and iteratively testing the industrial control equipment based on the updated initial test tuple.
7. An apparatus for vulnerability discovery for industrial control device proprietary protocols, comprising:
a communication traffic sniffing module for sniffing the communication traffic generated in the process of communicating with the industrial control equipment through engineering software;
a test case generation module for dividing the communication traffic into a request message sequence and a response message sequence, filtering messages in the request message sequence that are irrelevant to device state guidance, marking part of the messages in the filtered request message sequence as seeds to form an initial test tuple comprising the seeds, and generating a test case based on the seeds;
a guiding and verifying module for guiding the state of the industrial control equipment and verifying the network connection validity based on the initial test tuple;
and an anomaly discovery module for testing the industrial control equipment based on the test case and discovering anomalies of the industrial control equipment by monitoring the output signal waveform and the network state of the industrial control equipment.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the vulnerability discovery method for industrial control device proprietary protocols according to any of claims 1 to 6 when executing the program.
9. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the vulnerability discovery method for industrial control device proprietary protocols according to any of claims 1 to 6.
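The test-case generation of claims 1 to 4 (splitting the sniffed traffic into request and response sequences, filtering requests irrelevant to state guidance by a byte-frequency and a similarity feature, marking dissimilar messages as seeds with their preamble as the initial test tuple, and varying seed length and content), as an added worked example in Python. This is not the patent's own code nor any implementation by the applicants. The similarity measure (difflib ratio), the preset byte position (byte 0), the thresholds, and the sample capture are assumptions chosen for illustration, and the example generalizes claim 4 in one respect: a group of mutually similar messages contributes its first member as one representative seed rather than none.

```python
"""Test-case generation over a captured request sequence, in the spirit of the
patent's claims 1-4: split traffic, filter polling, mark seeds, mutate.
Added example; thresholds, byte positions and sample traffic are assumptions."""
import difflib
import random
from collections import Counter

# Constructed sample capture (assumption): (direction, payload) pairs as they
# would be sniffed between engineering software ("req") and the device ("rsp").
CAPTURE = [
    ("req", b"\x01\x00\x00\x00"), ("rsp", b"\x81\x00"),                 # periodic poll
    ("req", b"\x10\x01\x05hello"), ("rsp", b"\x90\x00"),                # session setup
    ("req", b"\x01\x00\x00\x00"), ("rsp", b"\x81\x00"),
    ("req", b"\x20\x02\x00\x10\xff\xff\xff\xff"), ("rsp", b"\xa0\x00"),  # write, address 0x10
    ("req", b"\x20\x02\x00\x20\xff\xff\xff\xff"), ("rsp", b"\xa0\x00"),  # write, address 0x20
    ("req", b"\x01\x00\x00\x00"), ("rsp", b"\x81\x00"),
    ("req", b"\x30\x00\x01START"), ("rsp", b"\xb0\x00"),                # mode change
    ("req", b"\x01\x00\x00\x00"), ("rsp", b"\x81\x00"),
]

def split_traffic(capture):
    """Divide the capture into the request sequence and the response sequence."""
    requests = [p for d, p in capture if d == "req"]
    responses = [p for d, p in capture if d == "rsp"]
    return requests, responses

def similarity(a, b):
    """Byte-sequence similarity in [0, 1]; difflib's ratio stands in for the
    patent's unspecified similarity measure (assumption)."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def filter_polling(requests, preset_byte=0, freq_threshold=0.4, sim_threshold=0.9):
    """Drop requests irrelevant to state guidance: the value at the preset byte
    position is very frequent AND the messages carrying it are near-identical,
    which is the signature of a periodic status poll rather than a state change."""
    counts = Counter(r[preset_byte] for r in requests)
    kept = []
    for i, r in enumerate(requests):
        share = counts[r[preset_byte]] / len(requests)
        peers = [o for j, o in enumerate(requests)
                 if j != i and o[preset_byte] == r[preset_byte]]
        repetitive = bool(peers) and all(similarity(r, o) >= sim_threshold for o in peers)
        if not (share >= freq_threshold and repetitive):
            kept.append(r)
    return kept

def mark_seeds(filtered, sim_threshold=0.6):
    """Mark as seeds the messages not similar to any already-marked seed, so each
    distinct message kind yields exactly one seed (representative rule: assumption)."""
    seeds = []
    for i, r in enumerate(filtered):
        if all(similarity(r, filtered[j]) < sim_threshold for j in seeds):
            seeds.append(i)
    return seeds

def initial_test_tuples(filtered, seed_indices):
    """(preamble, seed) pairs: the preamble is the filtered requests preceding the
    seed, replayed to guide the device into the state in which the seed is valid."""
    return [(filtered[:i], filtered[i]) for i in seed_indices]

def mutate(seed, rng, n=4, max_grow=8):
    """Generate test cases by varying the data length and the content of one seed."""
    cases = []
    for _ in range(n):
        m = bytearray(seed)
        op = rng.choice(("truncate", "extend", "flip", "overwrite"))
        if op == "truncate" and len(m) > 1:
            del m[rng.randrange(1, len(m)):]                 # shorter: length variation
        elif op == "extend":
            m += bytes(rng.randrange(256) for _ in range(rng.randrange(1, max_grow + 1)))
        elif op == "flip":
            i = rng.randrange(len(m))
            m[i] ^= 1 << rng.randrange(8)                    # single-bit content variation
        else:
            i = rng.randrange(len(m))
            m[i:i + 2] = b"\xff\xff"                         # boundary-valued run
        cases.append(bytes(m))
    return cases

def build_test_cases(capture, rng=None, per_seed=4):
    """Full pipeline; returns filtered requests, seed indices, test tuples, cases."""
    rng = rng or random.Random(1)
    requests, _responses = split_traffic(capture)
    filtered = filter_polling(requests)
    seeds = mark_seeds(filtered)
    tuples = initial_test_tuples(filtered, seeds)
    cases = {i: mutate(filtered[i], rng, per_seed) for i in seeds}
    return filtered, seeds, tuples, cases

if __name__ == "__main__":
    filtered, seeds, tuples, cases = build_test_cases(CAPTURE)
    print(f"{len(filtered)} requests kept after filtering, seeds at {seeds}")
    for preamble, seed in tuples:
        print(f"seed {seed.hex()} guided by a preamble of {len(preamble)} message(s)")
```

On the sample capture the four identical polls are filtered out, the two write requests (which differ in one address byte) collapse to a single seed, and the session-setup and mode-change messages become seeds of their own, so three distinct message kinds are mutated instead of eight raw requests.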
CN202110545409.1A 2021-05-19 2021-05-19 Vulnerability discovery method and device for control equipment private protocol Active CN113472739B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110545409.1A CN113472739B (en) 2021-05-19 2021-05-19 Vulnerability discovery method and device for control equipment private protocol
Publications (2)

Publication Number Publication Date
CN113472739A CN113472739A (en) 2021-10-01
CN113472739B true CN113472739B (en) 2022-08-23

Family

ID=77870926

Country Status (1)

Country Link
CN (1) CN113472739B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112152795A (en) * 2020-08-11 2020-12-29 中国人民解放军战略支援部队信息工程大学 Security protocol code vulnerability mining method based on state machine consistency detection

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9246932B2 (en) * 2010-07-19 2016-01-26 Sitelock, Llc Selective website vulnerability and infection testing
CN102087631B (en) * 2011-03-09 2012-09-05 中国人民解放军国防科学技术大学 Method for realizing fuzzing of software on the basis of state protocol
CN105763392B (en) * 2016-02-19 2019-03-08 中国人民解放军理工大学 A kind of industry control agreement fuzz testing method based on protocol status
CN107241226B (en) * 2017-06-29 2020-10-16 北京工业大学 Fuzzy test method based on industrial control private protocol
CN110912855A (en) * 2018-09-17 2020-03-24 中国信息通信研究院 Block chain architecture security assessment method and system based on permeability test case set

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and Implementation of a Protocol Reverse-Engineering Method Based on Traffic Behaviour; Hu Ying (胡莹); China Master's Theses Full-text Database (Electronic Journal), Information Science and Technology Series; 2019-05-15; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant