CN114760234B - Verification system and method for industrial control system protocol analysis result - Google Patents


Info

Publication number: CN114760234B
Application number: CN202210329289.6A
Authority: CN (China)
Prior art keywords: protocol, module, verification, data packet, layer
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114760234A (en)
Inventors: 丁鼎定, 高汉军, 冯蔚, 梁景煊, 许克珂
Current assignee: China Nuclear Power Operation Technology Corp Ltd
Original assignee: China Nuclear Power Operation Technology Corp Ltd
Priority date: 2022-03-30
Filing date: 2022-03-30
Publication dates: 2022-07-15 (CN114760234A), 2024-05-10 (CN114760234B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)

Abstract

The invention provides a verification system and a verification method for the protocol analysis result of an industrial control system. The verification system comprises a protocol analysis module, a data packet construction module and a network interaction module. The protocol analysis module collects communication traffic, analyzes the field composition of a protocol and records field value information; the data packet construction module builds the content of each protocol layer, layer by layer, according to the protocol stack used by the data packet; the network interaction module manages the protocol automaton sub-module contained within it and integrates the other independent modules into a complete workflow. The verification system and method can systematically verify a protocol analysis result and verify the security of the protocol design.

Description

Verification system and method for industrial control system protocol analysis result
Technical Field
The invention relates to the technical field of industrial control network security, in particular to a verification system and method for an industrial control system protocol analysis result.
Background
Industrial control protocol analysis is a key topic in industrial control network security research and an important foundation for developing many network security products. Industrial control protocol analysis is an iterative process of guessing and experimenting, but the prior art lacks a method for systematically verifying the analysis results.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a verification system and a verification method for an industrial control system protocol analysis result, which can systematically verify the protocol analysis result and verify the security of the protocol design.
In order to achieve the above object, the present invention provides the following technical solutions:
The verification system for an industrial control system protocol analysis result comprises a protocol analysis module, a data packet construction module and a network interaction module, wherein:
the protocol analysis module collects communication traffic, analyzes the field composition of a protocol and records field value information;
the data packet construction module builds the content of each protocol layer, layer by layer, according to the protocol stack used by the data packet;
the network interaction module manages the protocol automaton sub-module contained within it and integrates the other independent modules into a complete workflow.
The verification system of the industrial control system protocol analysis result also comprises an interface display module, wherein the interface display module provides a visual man-machine interaction interface for operators to observe real-time state information and protocol verification results in the protocol verification process.
According to the verification system of the industrial control system protocol analysis result, the protocol analysis module parses binary stream data into the individual fields of the protocol and can also serialize filled-in protocol fields back into binary data.
According to the verification system of the industrial control system protocol analysis result provided by the invention, the data packet construction module is filled layer by layer from bottom to top, and records each layer of protocol of the protocol stack and fields thereof.
According to the verification system of the industrial control system protocol analysis result, the network interaction module configures network parameters, specifies the verification object and calls the protocol automaton sub-module to complete the verification flow.
According to the verification system of the industrial control system protocol analysis result, which is provided by the invention, the network interaction module is also used for submitting information to the interface display module.
According to the verification system for the industrial control system protocol analysis result, which is provided by the invention, the network interaction module records the completion process of protocol verification and provides a log interface for external objects, and the interface display module displays the information in a visual mode.
A method for verifying an industrial control system protocol analysis result comprises the following steps:
step S1: collecting communication traffic, analyzing the field composition of a protocol, and recording field value information;
step S2: filling the protocol stack from bottom to top, layer by layer, according to its composition, and recording each layer of the protocol stack and its field composition;
step S3: calling the data packet construction module to construct the corresponding data packet sequence according to the configured network parameters and the specified verification object, calling the protocol automaton sub-module to carry out protocol verification, outputting the protocol verification result, and providing real-time state information during protocol verification together with the protocol verification result to the interface display module.
Compared with the prior art, the verification system and method for the industrial control system protocol analysis result provided by the invention have the following beneficial effects:
the verification system and method can systematically verify the protocol analysis result, that is, check whether the analysis result of an industrial control system protocol is correct; in addition, they can verify the security of the protocol design, for example whether the security mechanisms used in the protocol, such as random numbers, time stamps and sequence numbers, actually take effect.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a general flow chart of a verification system and method for the analysis result of an industrial control system protocol according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a protocol automation sub-module according to an embodiment of the present invention.
Detailed Description
Although the system and method for verifying the protocol parsing result of the industrial control system of the present invention may be implemented in a variety of different manners, exemplary embodiments will be described in detail herein with reference to the accompanying drawings, and the scope of the present invention is not intended to be limited to the exemplary embodiments. Accordingly, the drawings and description of the embodiments are to be regarded as illustrative in nature, and not as restrictive.
Further details are provided below with reference to the specific embodiments.
As shown in FIG. 1, the invention provides a verification system for the protocol analysis result of an industrial control system, which consists of four modules, namely a protocol analysis module, a data packet construction module, a network interaction module and an interface display module. These four modules will be described in detail below.
Protocol analysis module
The protocol parsing module parses binary stream data into the individual fields of a given protocol; conversely, it can serialize filled-in protocol fields into binary data.
The protocol parsing module defines the field composition of a protocol in order. For example, a typical Ethernet frame header consists of three fields: destination MAC address, source MAC address and frame type. The protocol parsing module defines other protocols in the same way and records information such as field values.
Data packet construction module
The data packet construction module builds the content of each protocol layer, layer by layer, according to the protocol stack used by the data packet. For example, the protocol stack of the GIOP protocol (a protocol used in industrial control networks) is: Ethernet/IP/TCP/GIOP/payload. The data packet construction module fills the data packet from bottom to top, layer by layer, according to the composition of the protocol stack, and records each layer of the protocol stack together with its field composition.
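As an added illustration (not code from the patent or its applicant), the following Python sketch shows the two modules just described working together: ordered field definitions, a bottom-up parse of a constructed Ethernet/IPv4 frame, top-down reconstruction, and a check that the analysis result agrees with the protocol's own rules. The field names, the IPv4 layer, the `consistent` hook and the sample frame are assumptions made here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Field:
    name: str
    size: int          # width in bytes
    kind: str = "int"  # "int" = big-endian unsigned integer, "bytes" = raw bytes

@dataclass(frozen=True)
class Protocol:
    name: str
    fields: Tuple[Field, ...]
    # Optional check on (parsed fields, bytes after this header); the protocol's own redundancy
    # (version numbers, length fields) is what reveals a wrong field definition.
    consistent: Optional[Callable[[Dict[str, object], bytes], bool]] = None

    def parse(self, data: bytes) -> Tuple[Dict[str, object], bytes]:
        """Split a binary stream into this protocol's fields; return (fields, remaining bytes)."""
        values: Dict[str, object] = {}
        pos = 0
        for f in self.fields:
            chunk = data[pos:pos + f.size]
            if len(chunk) != f.size:
                raise ValueError(f"{self.name}: stream truncated inside field {f.name}")
            values[f.name] = int.from_bytes(chunk, "big") if f.kind == "int" else chunk
            pos += f.size
        return values, data[pos:]

    def serialize(self, values: Dict[str, object], payload: bytes = b"") -> bytes:
        """Reverse of parse: filled-in fields back to bytes, followed by the upper-layer payload."""
        out = bytearray()
        for f in self.fields:
            v = values[f.name]
            if f.kind == "bytes" and len(v) != f.size:
                raise ValueError(f"{self.name}: field {f.name} must be {f.size} bytes")
            out += int(v).to_bytes(f.size, "big") if f.kind == "int" else v  # OverflowError if too big
        return bytes(out) + payload

def ipv4_consistent(v: Dict[str, object], rest: bytes) -> bool:
    """Version 4, IHL 5 (no options), and total_length must cover the header plus everything after it."""
    return v["version_ihl"] == 0x45 and v["total_length"] == 20 + len(rest)

# Ethernet II header exactly as the text describes it: destination MAC, source MAC, frame type.
ETHERNET = Protocol("Ethernet", (Field("dst_mac", 6, "bytes"), Field("src_mac", 6, "bytes"), Field("ethertype", 2)))
# Fixed 20-byte IPv4 header (no options) as the next layer of the stack.
IPV4 = Protocol("IPv4", (
    Field("version_ihl", 1), Field("tos", 1), Field("total_length", 2), Field("identification", 2),
    Field("flags_fragment", 2), Field("ttl", 1), Field("protocol", 1), Field("checksum", 2),
    Field("src_ip", 4, "bytes"), Field("dst_ip", 4, "bytes")), ipv4_consistent)

def build_stack(stack: List[Protocol], layers: List[Dict[str, object]], payload: bytes) -> bytes:
    """Construct a packet: serialize from the top layer down so each lower layer wraps the one above."""
    data = payload
    for proto, values in reversed(list(zip(stack, layers))):
        data = proto.serialize(values, data)
    return data

def analyze(stack: List[Protocol], captured: bytes):
    """Parse a captured frame bottom-up and verify the field definitions against it; returns
    (layers, payload, problems). Re-serializing copied bytes always reproduces the input, so the
    round trip only shows parse/serialize are inverses; the consistency checks catch wrong boundaries."""
    layers: List[Dict[str, object]] = []
    problems: List[str] = []
    rest = captured
    for proto in stack:
        try:
            values, rest = proto.parse(rest)
        except ValueError as e:
            return layers, rest, [str(e)]
        if proto.consistent is not None and not proto.consistent(values, rest):
            problems.append(f"{proto.name}: fields inconsistent with the protocol's own rules")
        layers.append(values)
    if build_stack(stack, layers, rest) != captured:
        problems.append("round trip does not reproduce the captured bytes")
    return layers, rest, problems

# Constructed sample (not captured traffic): Ethernet II frame carrying an IPv4 header and 4 payload
# bytes. The IPv4 checksum is left at 0 because the sample only exercises field boundaries.
SAMPLE_FRAME = (bytes.fromhex("001122334455" "66778899aabb" "0800")
                + bytes.fromhex("450000180001400040060000c0a80001c0a80002") + b"\xde\xad\xbe\xef")
# A deliberately wrong definition (3-byte frame type); the IPv4 consistency check exposes it.
WRONG_ETHERNET = Protocol("Ethernet(wrong)", ETHERNET.fields[:2] + (Field("ethertype", 3),))
```

Run `analyze([ETHERNET, IPV4], SAMPLE_FRAME)` to get the parsed layers with an empty problem list, and `analyze([WRONG_ETHERNET, IPV4], SAMPLE_FRAME)` to see the misaligned IPv4 layer reported.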
Network interaction module
The network interaction module manages the protocol automaton sub-module contained within it and integrates the other independent modules into a complete workflow. The work done by this module is: (1) configuring network parameters; (2) specifying the verification object; (3) calling the protocol automaton sub-module to complete the verification flow; and (4) submitting information to the interface display module.
(1) Configuring network parameters
Connecting to different bus networks requires configuring different parameters, such as: IP address, TCP port, etc. Incorrect parameters will result in failure of the verification process.
(2) Specifying verification objects
The verification objects supported by the module differ for different types of protocol and for different fields of a protocol, so after the network parameters have been configured, the objects to be verified must be specified.
(3) Calling the protocol automaton sub-module to complete the verification flow
The protocol automaton sub-module does the main work of protocol verification. The automaton uses the data packet construction module to generate data packets and sends them to the network, and uses the protocol analysis module to parse the returned binary stream data back into readable internal data packet objects.
As shown in fig. 2, the protocol automaton sub-module describes the workflow of a protocol. Take TCP as an example: TCP maintains its own state machine model whose initial state is "disconnected"; during the three-way handshake, both communicating parties move to a new state after each handshake message, and if they reach the "established" state the TCP connection has been set up successfully. In the same way, the protocol automaton sub-module describes the flow an industrial control protocol must follow to perform a job. The invention uses the concept of a data packet sequence to describe the data packets that both parties to a communication need in order to perform that job; the automaton model constructs the data packets according to this sequence and sends them to the network.
The protocol automaton describes the overall flow that one party in industrial control system communication follows to complete a job. For example, when device A sends an operation command to device B, the workflow of the sender, i.e. the protocol automaton of device A, is: send data packet 1 to B; wait for B's return data packet 2; send data packet 3 to B; wait for B's return data packet 4; and so on.
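The packet-sequence automaton just described, together with the check on random numbers and sequence numbers listed among the beneficial effects, as an added Python example (not the patent's own implementation): device A's workflow is a list of "send packet N, wait for packet N+1" steps driven against a transport, and a verification routine runs several sessions to confirm that the peer's nonce actually changes. The 8-byte message layout, the simulated device B and every name below are constructed for illustration, not taken from any real industrial protocol.

```python
import os
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed 8-byte message layout for a toy request/response protocol (hypothetical, not GIOP):
# type(1) | seq(1) | nonce(4) | status(2), all big-endian.
FMT = ">BBIH"
HELLO, HELLO_ACK, CMD, CMD_ACK = 1, 2, 3, 4

def pack(msg_type: int, seq: int, nonce: int, status: int = 0) -> bytes:
    return struct.pack(FMT, msg_type, seq, nonce, status)

def unpack(data: bytes) -> Dict[str, int]:
    t, s, n, st = struct.unpack(FMT, data)
    return {"type": t, "seq": s, "nonce": n, "status": st}

class SimulatedDeviceB:
    """Stand-in for device B: answers HELLO with a nonce and accepts CMD only with that nonce and the next seq."""
    def __init__(self, fresh_nonce: bool = True, nonce_source: Optional[Callable[[], int]] = None):
        self.fresh_nonce = fresh_nonce  # False models a device whose "random number" never changes
        self.nonce_source = nonce_source or (lambda: int.from_bytes(os.urandom(4), "big"))
        self.nonce, self.expected_seq = 0x11111111, 0
    def handle(self, data: bytes) -> Optional[bytes]:
        msg = unpack(data)
        if msg["type"] == HELLO:
            self.nonce = self.nonce_source() if self.fresh_nonce else self.nonce
            self.expected_seq = msg["seq"] + 1
            return pack(HELLO_ACK, msg["seq"], self.nonce)
        if msg["type"] == CMD:
            ok = msg["nonce"] == self.nonce and msg["seq"] == self.expected_seq
            return pack(CMD_ACK, msg["seq"], self.nonce, 0 if ok else 1)
        return None

@dataclass(frozen=True)
class Step:
    state: str                                                # state before this step
    send: Callable[[Dict[str, int]], bytes]                   # builds "data packet N" from the context
    expect: Callable[[Dict[str, int], Dict[str, int]], bool]  # checks "return data packet N+1"
    next_state: str

class ProtocolAutomaton:
    """The sender's workflow as a state machine: send a packet, wait for the reply, move to the next state."""
    def __init__(self, steps: List[Step], initial: str = "disconnected"):
        self.steps, self.initial = steps, initial
    def run(self, transport: Callable[[bytes], Optional[bytes]]) -> Tuple[str, Dict[str, int], List[str]]:
        """Drive one session over transport (bytes in, reply bytes or None out); returns (state, context, log)."""
        state, ctx, log = self.initial, {"seq": 0}, []
        for step in self.steps:
            reply = transport(step.send(ctx))
            if reply is None:
                log.append(f"{state}: no reply")
                break
            msg = unpack(reply)
            log.append(f"{state}: type={msg['type']} seq={msg['seq']} nonce={msg['nonce']:#010x} status={msg['status']}")
            if not step.expect(ctx, msg):
                log.append(f"{state}: reply failed the check")
                break
            state = step.next_state
        return state, ctx, log

def remember_nonce(ctx: Dict[str, int], msg: Dict[str, int]) -> bool:
    if msg["type"] != HELLO_ACK:
        return False
    ctx["nonce"], ctx["seq"] = msg["nonce"], msg["seq"] + 1
    return True

# Packet sequence for "device A sends an operation command to device B":
# packet 1 (HELLO) -> wait for packet 2 (HELLO_ACK) -> packet 3 (CMD) -> wait for packet 4 (CMD_ACK).
SEND_COMMAND = ProtocolAutomaton([
    Step("disconnected", lambda c: pack(HELLO, c["seq"], 0), remember_nonce, "established"),
    Step("established", lambda c: pack(CMD, c["seq"], c["nonce"]),
         lambda c, m: m["type"] == CMD_ACK and m["status"] == 0, "done"),
])

def verify_nonce_freshness(device: SimulatedDeviceB, sessions: int = 3) -> bool:
    """Security-design check: every session must complete and must receive a different nonce."""
    nonces = set()
    for _ in range(sessions):
        state, ctx, _ = SEND_COMMAND.run(device.handle)
        if state != "done":
            return False
        nonces.add(ctx["nonce"])
    return len(nonces) == sessions
```

`verify_nonce_freshness(SimulatedDeviceB())` reports True for a device that issues a fresh nonce per session, while `SimulatedDeviceB(fresh_nonce=False)` completes every session yet fails the check, which is the kind of "does the security design take effect" result the text refers to.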
(4) Submitting information to interface display
The network interaction module records the completion process of protocol verification, and the module provides a log interface for external objects to use. The interface presentation module presents this information in a visual manner.
Interface display module
The interface display module provides a visual man-machine interaction interface for operators to observe real-time state information and protocol verification results in the protocol verification process.
The invention also provides a method for verifying an industrial control system protocol analysis result, which comprises the following steps:
step S1: collecting communication traffic, analyzing the field composition of a protocol, and recording field value information;
step S2: filling the protocol stack from bottom to top, layer by layer, according to its composition, and recording each layer of the protocol stack and its field composition;
step S3: calling the data packet construction module to construct the corresponding data packet sequence according to the configured network parameters and the specified verification object, calling the protocol automaton sub-module to carry out protocol verification, outputting the protocol verification result, and providing real-time state information during protocol verification together with the protocol verification result to the interface display module.
The interface display module provides a visual man-machine interaction interface for operators to observe real-time state information and protocol verification results in the protocol verification process.
The invention thus provides a method for verifying an industrial control system protocol analysis result that can systematically verify the analysis result and can also verify the security of the protocol design, for example whether the security mechanisms used in the protocol, such as random numbers, time stamps and sequence numbers, are effective.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (4)

1. The verification system of the industrial control system protocol analysis result is characterized by comprising a protocol analysis module, a data packet construction module and a network interaction module,
The protocol analysis module is used for collecting communication flow, analyzing field constitution of a protocol and recording field value information; the protocol analysis module analyzes the binary stream data into each field of the protocol, and can also serialize the filled protocol field into binary data;
the data packet constructing module constructs each layer of protocol content layer by layer according to a protocol stack used by the data packet;
the network interaction module manages the protocol automaton sub-module contained within it and integrates the other independent modules into a complete workflow; it configures network parameters, specifies the verification object and calls the protocol automaton sub-module to complete the verification process, wherein the automaton uses the data packet construction module to generate data packets and send them to the network, and uses the protocol analysis module to parse the returned binary stream data back into readable internal data packet objects; the network interaction module is also used to submit information to an interface display module;
the interface display module provides a visual man-machine interaction interface for operators to observe real-time state information and protocol verification results in the protocol verification process.
2. The system according to claim 1, wherein the data packet construction module is filled layer by layer from bottom to top, and records each layer of protocol of the protocol stack and its fields.
3. The system of claim 1, wherein the network interaction module records a completion process of protocol verification, provides a log interface for external objects, and the interface presentation module presents the information in a visual manner.
4. A method for verifying an industrial control system protocol analysis result, characterized by comprising the following steps:
step S1: collecting communication traffic, analyzing the field composition of a protocol, and recording field value information;
step S2: filling the protocol stack from bottom to top, layer by layer, according to its composition, and recording each layer of the protocol stack and its field composition;
step S3: calling the data packet construction module to construct the corresponding data packet sequence according to the configured network parameters and the specified verification object, calling the protocol automaton sub-module to carry out protocol verification, outputting the protocol verification result, and providing real-time state information during protocol verification together with the protocol verification result to the interface display module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210329289.6A CN114760234B (en) 2022-03-30 2022-03-30 Verification system and method for industrial control system protocol analysis result

Publications (2)

Publication Number Publication Date
CN114760234A CN114760234A (en) 2022-07-15
CN114760234B true CN114760234B (en) 2024-05-10

Family

ID=82329210

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010048776A1 (en) * 2008-10-28 2010-05-06 中国科学院研究生院 Method for obex protocol vulnerability discovery and system thereof
CN101707532A (en) * 2009-10-30 2010-05-12 中山大学 Automatic analysis method for unknown application layer protocol
CN103476033A (en) * 2013-09-25 2013-12-25 南京大学 Wireless sensor network security protocol verification method based on model checking
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 An industrial control network security protection monitoring system
CN111352619A (en) * 2018-12-21 2020-06-30 核动力运行研究所 DCS two-layer configuration data translation system of nuclear power analog machine
CN110808962A (en) * 2019-10-17 2020-02-18 奇安信科技集团股份有限公司 Malformed data packet detection method and device
CN111130947A (en) * 2019-12-30 2020-05-08 成都科来软件有限公司 Network space mapping method based on service verification
CN111901200A (en) * 2020-07-29 2020-11-06 许继集团有限公司 Power control protection industrial control protocol security test method and system
CN113271237A (en) * 2021-06-16 2021-08-17 山石网科通信技术股份有限公司 Industrial control protocol analysis method and device, storage medium and processor
CN113242160A (en) * 2021-07-12 2021-08-10 深圳市永达电子信息股份有限公司 Protocol identification method based on state machine
CN113645065A (en) * 2021-07-21 2021-11-12 武汉虹旭信息技术有限责任公司 Industrial control safety audit system and method based on industrial internet
CN114050979A (en) * 2021-11-19 2022-02-15 成都卓源网络科技有限公司 Industrial control protocol safety test system and device
CN114157461A (en) * 2021-11-22 2022-03-08 绿盟科技集团股份有限公司 Industrial control protocol data stream processing method, device, equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Network protocol parsing and verification method in the Wireshark environment; 罗青林; 徐克付; 臧文羽; 刘金刚; 计算机工程与设计 (Computer Engineering and Design) (03); full text *
Industrial control protocol fuzzing method based on reverse analysis; 王海翔; 朱朝阳; 应欢; 缪思薇; 电力信息与通信技术 (Electric Power Information and Communication Technology); 2019-04-15 (04); full text *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant