CN115150207B - Industrial network equipment identification method and device, terminal equipment and storage medium - Google Patents


Info

Publication number
CN115150207B
Authority
CN
China
Prior art keywords
industrial
information
network
protocol
equipment
Legal status
Active
Application number
CN202211081829.XA
Other languages
Chinese (zh)
Other versions
CN115150207A (en)
Inventor
田洋
Current Assignee
Beijing 6Cloud Technology Co Ltd
Beijing 6Cloud Information Technology Co Ltd
Original Assignee
Beijing 6Cloud Technology Co Ltd
Beijing 6Cloud Information Technology Co Ltd
Events
Application filed by Beijing 6Cloud Technology Co Ltd and Beijing 6Cloud Information Technology Co Ltd
Priority to CN202211081829.XA
Publication of CN115150207A
Application granted
Publication of CN115150207B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Communication Control (AREA)

Abstract

The invention discloses an industrial network equipment identification method, an industrial network equipment identification device, terminal equipment and a storage medium, belonging to the field of industrial network security, wherein the industrial network equipment identification method comprises the following steps: carrying out protocol analysis on the received network message to acquire medium access control information and characteristic information; identifying manufacturer information of the equipment according to the medium access control information; comparing the characteristic information with information in a preset industrial protocol or industrial application characteristic library to obtain an industrial protocol or industrial application identification result; and identifying the type of the equipment sending the network message by combining the manufacturer information and the identification result. The method can accurately identify the type of the industrial equipment, is applied to network security products, enhances the visibility of network security, does not generate any interference on the industrial production network, and is helpful for practitioners to quickly become familiar with and master the security condition of each equipment in the industrial production network, thereby ensuring the security of the industrial network and the stability of industrial production.

Description

Industrial network equipment identification method and device, terminal equipment and storage medium
Technical Field
The present invention relates to the field of industrial network security, and in particular, to an industrial network device identification method, apparatus, terminal device, and storage medium.
Background
With the popularization of industrial control networks, network attack events are frequent, and network security is continuously threatened, so network security products such as industrial firewalls, industrial audits and the like increasingly become necessities for safe production and operation of enterprises.
Currently, most of these network security products are developed against the background of IT network security technology, whereas industrial control practitioners are more familiar with device types and device names such as PLC and RTU. Existing network security products identify industrial equipment in one of two modes: the first is an active identification mode; the second is a passive identification mode. In the active identification mode, an industrial firewall or audit product actively sends a probe message to the devices on the network and identifies them from the information the devices send in reply. This mode increases the load on the original industrial network, may cause industrial network devices to stop, restart or perform other erroneous operations, introduces instability into the industrial control network, cannot fulfil the roles of security protection and audit, and affects the safety of industrial production.
The existing passive identification mode solves the problem to a certain extent. However, the existing passive identification mode can only identify the manufacturer of the equipment, but cannot identify the equipment type, and is not helpful for industrial control practitioners. Therefore, how to identify not only the manufacturer of the device but also the device type by a passive identification method to increase the visibility of the industrial network security and maintain the stability of the industrial production is a problem to be solved urgently.
Disclosure of Invention
The embodiments of the present invention mainly aim to provide an industrial network device identification method, an apparatus, a terminal device and a storage medium, and aim to solve the technical problem that the existing passive identification method cannot identify the type of an industrial device.
In order to achieve the above object, an embodiment of the present invention provides an industrial network device identification method, which is applied in the field of industrial network security, and the industrial network device identification method includes:
receiving a network message which flows through a network security product and is sent by equipment;
performing protocol analysis on the network message to acquire medium access control information and characteristic information;
identifying manufacturer information of the equipment according to the medium access control information;
comparing the characteristic information with information in a preset industrial protocol or industrial application characteristic library to obtain an identification result, wherein the identification result refers to an industrial protocol used by the equipment or an industrial application operated by the equipment;
and identifying the type of the equipment sending the network message by combining the manufacturer information and the identification result.
Optionally, the step of comparing the feature information with information in a preset industrial protocol or industrial application feature library to obtain an identification result includes:
and comparing the characteristic information with information in a preset industrial protocol or industrial application characteristic library, judging whether the characteristic information exists in the characteristic library, and if so, searching the corresponding industrial protocol or industrial application from the characteristic library as an identification result.
Optionally, the step of identifying, in combination with the vendor information and the identification result, a device type that sends the network packet includes:
and comparing the manufacturer information and the identification result with an industrial equipment knowledge information base, and searching the equipment types corresponding to the manufacturer information and the identification result from the industrial equipment knowledge information base to obtain the equipment type for sending the network message.
Optionally, the step of performing protocol parsing on the network packet to obtain medium access control information and feature information includes:
carrying out protocol analysis on the network message through a network protocol to obtain link layer data, transmission layer data and application layer data;
and extracting medium access control information from the link layer data, and extracting characteristic information of an industrial protocol or industrial application from the transmission layer and application layer data.
Optionally, the step of identifying, according to the media access control information, vendor information to which the device belongs includes:
and comparing the medium access control information with a manufacturer medium access control information management library, and finding out manufacturer information corresponding to the medium access control information from the manufacturer medium access control information management library as manufacturer information of the equipment.
Optionally, the step of receiving the network packet sent by the device and flowing through the network security product further includes:
and collecting manufacturer information, industrial protocols or industrial applications corresponding to each industrial device based on preset rules, and storing the collected results in an industrial device knowledge information base.
Optionally, before the step of collecting manufacturer information, industrial protocols or industrial applications corresponding to each industrial device and storing the collected results in the industrial device knowledge information base, the method further comprises:
collecting original network flow data;
according to the flow data, carrying out protocol analysis according to a network protocol to obtain manufacturer information protocol characteristics, industrial protocols or characteristics corresponding to industrial application;
storing the vendor information protocol features in a vendor media access control information management library;
and storing the corresponding characteristics of the industrial protocol or the industrial application in the preset industrial protocol or industrial application characteristic library.
An embodiment of the present invention further provides an industrial network device identification apparatus, where the industrial network device identification apparatus includes:
the network message receiving module is used for receiving the network message which flows through the network security product and is sent by the equipment;
the protocol analysis module is used for carrying out protocol analysis on the network message to acquire medium access control information and characteristic information;
the manufacturer identification module is used for identifying manufacturer information of the equipment according to the medium access control information;
the protocol or application identification module is used for comparing the characteristic information with information in a preset industrial protocol or industrial application characteristic library to obtain an identification result, wherein the identification result refers to an industrial protocol used by the equipment or an industrial application operated by the equipment;
and the equipment type identification module is used for identifying the equipment type of the network message by combining the manufacturer information and the identification result.
The embodiment of the invention also provides terminal equipment, which comprises a memory, a processor and an industrial network equipment identification program which is stored on the memory and can run on the processor, wherein the industrial network equipment identification program realizes the steps of the industrial network equipment identification method when being executed by the processor.
The embodiment of the invention also provides a storage medium, wherein an industrial network device identification program is stored on the storage medium, and the steps of the industrial network device identification method are realized when the industrial network device identification program is executed by the processor.
The embodiment of the invention provides an industrial network equipment identification method, an industrial network equipment identification device, terminal equipment and a storage medium. A network message sent by a device and flowing through a network security product is received and subjected to protocol analysis to obtain medium access control information and characteristic information; manufacturer information of the device is identified according to the medium access control information; the characteristic information is compared with information in a preset industrial protocol or industrial application characteristic library to obtain an identification result, where the identification result refers to the industrial protocol used by the device or the industrial application it runs; and the type of the device that sent the network message is identified by combining the manufacturer information and the identification result. According to the scheme, original network flow data is collected and analyzed, the protocol features in the analysis result are extracted and stored, and the stored features are then compared with the obtained medium access control information and characteristic information to identify the manufacturer of the device and the industrial protocol it uses or the industrial application it runs, so that the type of the device that sent the network message is identified. The industrial equipment type is thus accurately identified and applied in network security products, the visibility of network security is enhanced, no interference is generated on the industrial production network, and practitioners are helped to quickly know and master the security condition of each device in the industrial production network, so that the security of the industrial network and the stability of industrial production are ensured.
Drawings
Fig. 1 is a schematic diagram of functional modules of a terminal device to which an industrial network device identification apparatus belongs;
FIG. 2 is a flowchart illustrating a first exemplary embodiment of an industrial network device identification method according to the present invention;
FIG. 3 is a flowchart illustrating a fourth exemplary embodiment of an industrial network device identification method according to the present invention;
FIG. 4 is a flowchart illustrating a fifth exemplary embodiment of an industrial network device identification method according to the present invention;
FIG. 5 is a flowchart illustrating a sixth exemplary embodiment of an industrial network device identification method according to the present invention;
fig. 6 is a schematic diagram of an overall architecture of the identification apparatus for industrial network devices according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main solution of the embodiment of the invention is as follows: receiving a network message that is sent by a device and flows through a network security product, and performing protocol analysis on it to acquire medium access control information and characteristic information; identifying manufacturer information of the device according to the medium access control information; comparing the characteristic information with information in a preset industrial protocol or industrial application characteristic library to obtain an identification result, where the identification result refers to the industrial protocol used by the device or the industrial application it runs; and identifying the type of the device that sent the network message by combining the manufacturer information and the identification result. Based on this scheme, original network flow data is collected and analyzed, the protocol features in the analysis result are extracted and stored, and the stored features are then compared with the acquired medium access control information and characteristic information to identify the manufacturer of the device and the industrial protocol it uses or the industrial application it runs, so that the type of the device that sent the network message is identified. Accurate identification of the industrial equipment type is thereby realized and applied in network security products, the visibility of network security is enhanced, practitioners can quickly know and master the security condition of each device in the industrial production network, and the security of the industrial network and the stability of industrial production are ensured.
Specifically, referring to fig. 1, fig. 1 is a schematic diagram of functional modules of a terminal device to which the industrial network device identification apparatus of the present invention belongs. The industrial network device identification apparatus may be a component of the terminal device that can identify the type of the device that sent a network message, and may be carried on the terminal device in the form of hardware or software. The terminal device may be an intelligent mobile terminal with a data processing function, such as a mobile phone or a tablet computer, or a fixed terminal device or server with a data processing function.
In this embodiment, the terminal device to which the industrial network device identification apparatus belongs at least includes an output module 110, a processor 120, a memory 130 and a communication module 140.
The memory 130 stores therein an operating system and an industrial network device identification program; the output module 110 may be a display screen or the like. The communication module 140 may include a WIFI module, a mobile communication module, a bluetooth module, and the like, and communicates with an external device or a server through the communication module 140.
Wherein the industrial network device identification program in the memory 130 when executed by the processor implements the steps of:
receiving a network message which flows through a network security product and is sent by equipment;
carrying out protocol analysis on the network message to acquire medium access control information and characteristic information;
identifying manufacturer information of the equipment according to the medium access control information;
comparing the characteristic information with information in a preset industrial protocol or industrial application characteristic library to obtain an identification result, wherein the identification result refers to an industrial protocol used by the equipment or an industrial application operated by the equipment;
and identifying the type of the equipment sending the network message by combining the manufacturer information and the identification result.
Further, the industrial network device identification program in the memory 130 when executed by the processor further implements the steps of:
and comparing the characteristic information with information in a preset industrial protocol or industrial application characteristic library, judging whether the characteristic information exists in the characteristic library, and if so, searching the corresponding industrial protocol or industrial application from the characteristic library as an identification result.
Further, the industrial network device identification program in the memory 130 when executed by the processor further implements the steps of:
and comparing the manufacturer information and the identification result with an industrial equipment knowledge information base, and searching the equipment types corresponding to the manufacturer information and the identification result from the industrial equipment knowledge information base to obtain the equipment type for sending the network message.
Further, the industrial network device identification program in the memory 130 when executed by the processor further implements the steps of:
performing protocol analysis on the network message through a network protocol to obtain data of a link layer, a transmission layer and an application layer;
and extracting medium access control information from the link layer data, and extracting characteristic information of an industrial protocol or industrial application from the transmission layer and application layer data.
Further, the industrial network device identification program in the memory 130 when executed by the processor further performs the steps of:
and comparing the medium access control information with a manufacturer medium access control information management library, and finding out manufacturer information corresponding to the medium access control information from the manufacturer medium access control information management library as manufacturer information of the equipment.
Further, the industrial network device identification program in the memory 130 when executed by the processor further performs the steps of:
and collecting manufacturer information, industrial protocols or industrial applications corresponding to each industrial device based on preset rules, and storing the collected results in an industrial device knowledge information base.
Further, the industrial network device identification program in the memory 130 when executed by the processor further implements the steps of:
collecting original network flow data;
according to the flow data, carrying out protocol analysis according to a network protocol to obtain manufacturer information protocol characteristics, industrial protocols or characteristics corresponding to industrial application;
storing the vendor information protocol features in a vendor media access control information management library;
and storing the corresponding characteristics of the industrial protocol or the industrial application in the preset industrial protocol or industrial application characteristic library.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first exemplary embodiment of an industrial network device identification method according to the present invention. The industrial network equipment identification method comprises the following steps:
step S110, receiving a network message which flows through a network security product and is sent by equipment;
specifically, network messages sent by industrial equipment and flowing through network security products such as industrial firewalls or industrial audits are received in a passive mode.
A network message is a unit of data exchanged and transmitted in the network, that is, the block of data a station sends at one time; it contains the complete data to be sent, and its length varies widely and is not fixed. It is also the unit of network transmission: during transmission, messages, packets and frames are successively encapsulated, where encapsulation means adding information fields, namely header data organized in a defined format, such as the message type, message version, message length, message body and other information.
Step S120, carrying out protocol analysis on the network message to obtain medium access control information and characteristic information;
specifically, a protocol analysis is carried out on the network message through a network protocol to obtain link layer data, transmission layer data and application layer data; and extracting medium access control information from the link layer data, and extracting characteristic information of an industrial protocol or industrial application from the transmission layer and application layer data.
Because the network messages are used for exchanging information when requests and responses are performed among various systems, the network messages need to conform to a well-defined format, and according to a network protocol, the network message formats of different data layers are different, so that the network messages need to be subjected to protocol analysis to obtain messages of different data layers, and then medium access control information and characteristic information are obtained from the network messages of different data layers obtained through analysis.
Step S130, identifying manufacturer information of the equipment according to the medium access control information;
specifically, the medium access control information is compared with a manufacturer medium access control information management library, and manufacturer information corresponding to the medium access control information is found from the manufacturer medium access control information management library as manufacturer information to which the device belongs.
Here, a Media Access Control (MAC) address belongs to the data link layer, where a data frame is transmitted from one node to another node on the same link; it is therefore also called a physical address, hardware address or link address, and is written into the hardware when it is produced by the network equipment manufacturer. The media access control address is independent of the network, that is, wherever the hardware carrying the address (such as a network card, hub or router) is connected to the network, the same media access control address is presented; it is written by the manufacturer into the Basic Input Output System (BIOS) of the network card.
Therefore, to identify the vendor information to which the device belongs, the media access control information needs to be acquired, and that information must be extracted from the link layer data; the link layer data must first be obtained by performing protocol analysis on the acquired network packet according to the network protocol. Accordingly, the data link layer data is obtained from the network message according to the network protocol, the medium access control information is extracted from the link layer data, and the medium access control information is then compared with the manufacturer medium access control information management library, so that the manufacturer information of the device is identified.
Step S140, comparing the characteristic information with information in a preset industrial protocol or industrial application characteristic library to obtain an identification result, wherein the identification result refers to the industrial protocol used by the equipment or the running industrial application;
specifically, the characteristic information is compared with information in a preset industrial protocol or industrial application characteristic library, and a corresponding industrial protocol or industrial application is searched from the characteristic library to serve as an identification result.
An industrial protocol, also called a communication protocol, is a communication protocol applied in industrial automation, maintained by the Open DeviceNet Vendors Association (ODVA), and is an agreement between the two communicating parties for controlling data transmission. The agreement makes unified provisions for the data format, synchronization mode, transmission speed, transmission steps, error detection and correction mode, control character definitions and other matters, which both communicating parties must observe; it is also called a link control protocol. Examples are the Modbus communication protocol (Modbus protocol) and the S7 communication protocol.
The Modbus communication protocol was published in 1979 by Modicon (now Schneider Electric) for communication using Programmable Logic Controllers (PLCs). It is an application layer message transmission protocol that provides services specified by a function code through a master-slave request/response mode, and is widely applied to communication among autonomous devices.
The S7 communication protocol is a communication protocol integrated in Siemens S7 series PLC, is the essence of the S7 series PLC, and is a communication protocol which runs on a transmission layer (a session layer/a presentation layer/an application layer) and is specially optimized.
And step S150, identifying the type of the equipment sending the network message by combining the manufacturer information and the identification result.
Specifically, the manufacturer information and the identification result are combined and compared with an industrial equipment knowledge information base, and the equipment type corresponding to the manufacturer information and the identification result is searched from the industrial equipment knowledge information base to obtain the equipment type for sending the network message.
According to the scheme, a network message sent by a device and flowing through a network security product is received and subjected to protocol analysis to obtain medium access control information and characteristic information; manufacturer information of the device is identified according to the medium access control information; the characteristic information is compared with information in a preset industrial protocol or industrial application characteristic library to obtain an identification result, where the identification result refers to the industrial protocol used by the device or the industrial application it runs; and the type of the device that sent the network message is identified by combining the manufacturer information and the identification result. Original network flow data is collected and analyzed, the protocol features in the analysis result are extracted and stored, and the stored features are then compared with the acquired medium access control information and characteristic information to identify the manufacturer of the device and the industrial protocol it uses or the industrial application it runs, so that the type of the device that sent the network message is identified. The industrial equipment type is thus accurately identified and applied in network security products, the visibility of network security is enhanced, no interference is generated on the industrial production network, and practitioners are helped to quickly become familiar with and master the security condition of each device in the industrial production network, so that the security of the industrial network and the stability of industrial production are ensured.
Further, based on the embodiment shown in fig. 2, in this embodiment the step S140 of comparing the feature information with information in a preset industrial protocol or industrial application feature library to obtain an identification result includes:
step S1401, comparing the feature information with the information in the preset industrial protocol or industrial application feature library, determining whether the feature information exists in the feature library, and, if it does, looking up the corresponding industrial protocol or industrial application in the feature library as the identification result.
Specifically, the feature information is obtained by protocol-parsing the packet sent by the device and extracting data from the transport layer and the application layer. If the feature information consists of, say, five feature points, those five feature points are compared with the information in the preset industrial protocol or industrial application feature library to see whether the library contains the same feature information; if it does, the industrial protocol or industrial application corresponding to those five feature points is read from the library, and that is the industrial protocol or industrial application used by the device sending the packet. For example, after comparing the five feature points, they may be found to correspond to the S7 communication protocol.
In this scheme, the feature information is extracted from the obtained transport-layer and application-layer data. This works because different industrial protocols and industrial applications each have their own distinctive features, so extracting those features is enough to look up and identify the corresponding industrial protocol or industrial application, and the preset industrial protocol or industrial application feature library greatly speeds up the identification of the protocol or application used by the device sending the packet. For example, if the comparison shows that the industrial protocol used by the sending device is the S7 communication protocol, the range of candidate device types can be narrowed according to that protocol, preparing for accurate identification of the device type in the following step.
Further, based on the embodiment shown in fig. 2, in this embodiment the step S150 of identifying the type of the device sending the network packet by combining the manufacturer information and the identification result includes:
step S1501, comparing the manufacturer information and the identification result against an industrial device knowledge information base, and looking up the device type corresponding to that manufacturer information and identification result in the knowledge base, which yields the type of the device that sent the network packet.
Specifically, the manufacturer information refers to the manufacturer that produced the device; the identification result refers to the industrial protocol used, or the industrial application run, by the device that sent the packet; the device that sent the packet is an industrial production device in an industrial control system; and the manufacturer information and identification result are combined to look up the corresponding device type in a pre-established industrial device knowledge information base.
For example, if the manufacturer information is Siemens and the identification result is the S7 communication protocol, Siemens is combined with the S7 communication protocol, the type of Siemens device that uses the S7 communication protocol is looked up in the industrial device knowledge information base, and the device is found to be a Siemens PLC.
In this technical scheme, the obtained manufacturer information and the identified industrial protocol or industrial application are looked up in the industrial device knowledge information base to obtain the device type, so the way the device type is presented matches the working vocabulary of industrial practitioners, who can then quickly grasp the security condition of that device type and take corresponding measures in time.
Further, referring to fig. 3, fig. 3 is a flowchart of a fourth exemplary embodiment of the industrial network device identification method. Based on the embodiment shown in fig. 2, in this embodiment the step S120 of protocol-parsing the network packet to obtain the medium access control information and the feature information includes:
step S1201, protocol-parsing the network packet according to a network protocol to obtain link-layer data, transport-layer data and application-layer data;
specifically, a network protocol is a set of rules, standards or conventions established for exchanging data over a computer network. For example, when a microcomputer user communicates with the operator of a mainframe over a network, the two data terminals use different character sets, so the commands typed by either operator are not understood by the other. To communicate, each terminal must convert the characters of its own character set into those of a standard character set before they enter the network for transmission, and after they reach the destination terminal they are converted into the characters of that terminal's character set. Naturally, for incompatible terminals, other characteristics such as display format, line length, line count and screen scrolling mode must be converted as well, in addition to the character set. A network protocol makes uniform provisions for the transmission format, transmission rate, transmission steps and so on of the data, and both communicating parties must abide by them for the data exchange to succeed. One example is the Transmission Control Protocol/Internet Protocol (TCP/IP).
TCP/IP is not a single protocol but a generic term for a family of protocols, the S7 communication protocol being one member of that family. TCP/IP defines a standard for how computers connect to the internet and how data is transmitted between them. It contains a series of protocols for handling data traffic and uses a layered model of four layers, each layer calling on the protocol provided by the layer below it to fulfil its own requirements. TCP/IP comprises a data link layer, a network layer, a transport layer and an application layer, each responsible for different communication functions.
Therefore, the network packet is protocol-parsed according to the network protocol to obtain the link-layer, transport-layer and application-layer data, in preparation for extracting the medium access control information and the features of the industrial protocol or industrial application from that data.
And step S1202, extracting the medium access control information from the link-layer data, and extracting the feature information of the industrial protocol or industrial application from the transport-layer and application-layer data.
Specifically, the MAC sublayer is one of the two sublayers of the data link layer, so once the link-layer data has been obtained the MAC information is extracted from it. The transport layer provides data transmission between nodes and communication services between application programs; its main functions are data formatting, acknowledgement, retransmission of lost data and the like, as in the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). TCP and UDP attach the data to be transmitted to a data packet and pass it to the next layer, and this layer is responsible for transmitting the data and confirming that it has been sent and received. The application layer is responsible for communication between applications, as in the Simple Mail Transfer Protocol (SMTP) and the File Transfer Protocol (FTP). Therefore, the feature information of the industrial protocol or industrial application is extracted from the obtained transport-layer and application-layer data, in preparation for identifying the industrial protocol used by the device or the industrial application it runs.
In this scheme, the passively received network packet is protocol-parsed according to the network protocol to obtain the link-layer, transport-layer and application-layer data, and the medium access control information and the feature information of the industrial protocol or industrial application are extracted from the data of the respective layers. This prepares for the subsequent identification of the manufacturer information and of the industrial protocol or industrial application, and improves the efficiency of device identification.
Further, referring to fig. 4, fig. 4 is a flowchart of a fifth exemplary embodiment of the industrial network device identification method. Based on the embodiment shown in fig. 2, in this embodiment, before the step S110 of receiving the network packet sent by the device and flowing through the network security product, the industrial network device identification method further includes:
step S100, collecting, according to preset rules, the manufacturer information and the industrial protocol or industrial application corresponding to each industrial device, and storing the collected results in an industrial device knowledge information base.
Specifically, since the device type has to be identified, an industrial device knowledge information base is established in advance to improve identification efficiency: the industrial protocol used by each industrial device, the industrial application it runs and the corresponding manufacturer information are collected and organised into the knowledge base, and the knowledge base is updated continuously so that its information is as comprehensive and accurate as possible.
In this scheme, the manufacturer information and the industrial protocol or industrial application corresponding to each industrial device are collected and the results organised into the industrial device knowledge information base. For example, for a Siemens PLC device the manufacturer is Siemens and the industrial protocol used is the S7 communication protocol, so the knowledge base stores the S7 communication protocol, Siemens and the corresponding device type, Siemens PLC, together. Thus, once the manufacturer information of a device and the industrial protocol it uses or industrial application it runs have been obtained, the device type can be looked up, so that industrial staff can understand the device type and its security condition more intuitively and quickly take security countermeasures.
Further, referring to fig. 5, fig. 5 is a flowchart of a sixth exemplary embodiment of the industrial network device identification method. Based on the embodiment shown in fig. 6, in this embodiment, before the step S100 of collecting the manufacturer information and the industrial protocol or industrial application corresponding to each industrial device and storing the collected results in the industrial device knowledge information base, the industrial network device identification method further includes:
step S60, collecting raw network traffic data;
specifically, network traffic is the total volume of data packets passing through a network link per unit time and is a basic indicator of network load and forwarding performance; the collected network traffic data is a collection of IP data packets from the network. Collecting the raw network traffic data of the network is the basis for traffic analysis.
Step S70, protocol-parsing the traffic data according to a network protocol to obtain the manufacturer-information protocol features and the features corresponding to each industrial protocol or industrial application;
specifically, the traffic data is protocol-parsed according to the network protocol to obtain link-layer data and transport-layer and application-layer data; the manufacturer-information protocol features are obtained from the link-layer data, and the features corresponding to each industrial protocol or industrial application are obtained from the transport-layer and application-layer data.
Step S80, storing the manufacturer-information protocol features in a manufacturer medium access control information management library;
specifically, the obtained manufacturer-information protocol features and the corresponding manufacturer information are stored in the manufacturer medium access control information management library to support subsequent manufacturer identification.
And step S90, storing the features corresponding to each industrial protocol or industrial application in the preset industrial protocol or industrial application feature library.
Specifically, the preset industrial protocol or industrial application feature library mainly stores the various industrial protocols and industrial applications together with their corresponding features, which are obtained by capturing raw network traffic data and protocol-parsing it.
It should be noted that steps S60 to S90 do not necessarily have to be performed before S100; they may, for example, be performed before step S110.
In this embodiment, the collected features of the industrial protocols or industrial applications are parsed, and the parsed results are organised and stored in the preset industrial protocol or industrial application feature library, where they serve as the reference against which the industrial protocol or industrial application feature information in a passively received network packet is compared. This identifies the industrial protocol used, or the industrial application run, by the device sending the packet, which narrows the range of candidate device types and is the precondition for identifying the device type afterwards.
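The following is an added worked example, not code from the patent or its assignee, of the full pipeline described in the embodiments above: protocol-parsing a frame into link-, transport- and application-layer data (S1201/S1202), identifying the manufacturer from the MAC address (the manufacturer MAC library of S80), matching transport- and application-layer features against a protocol feature library (S90/S1401), and looking the pair up in a device knowledge base (S100/S1501). The three libraries are constructed sample data; the Siemens OUI 00:1B:1B is taken from the IEEE registry, the other entries and the marker byte offsets for S7comm (TPKT/COTP/S7 header) and Modbus/TCP (MBAP header) are assumptions a real deployment would verify against its own captures.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Constructed sample libraries standing in for the patent's three stores ---

# Manufacturer MAC library (S80): OUI prefix -> manufacturer. 00:1b:1b is a
# Siemens AG OUI in the IEEE registry; 02:42:ac is a locally administered
# prefix used here as a deliberately unknown vendor.
VENDOR_MAC_LIBRARY = {
    "00:1b:1b": "Siemens",
}

# Protocol feature library (S90): port plus (offset, expected bytes) markers
# in the TCP payload. S7comm: TCP/102, TPKT version 3 at offset 0 and the S7
# protocol id 0x32 at offset 7 (after a 4-byte TPKT and 3-byte COTP DT header).
# Modbus/TCP: TCP/502, MBAP protocol identifier 0x0000 at offset 2.
@dataclass(frozen=True)
class ProtocolFeature:
    name: str
    tcp_port: int
    markers: Tuple[Tuple[int, bytes], ...]

FEATURE_LIBRARY: List[ProtocolFeature] = [
    ProtocolFeature("S7", 102, ((0, b"\x03\x00"), (7, b"\x32"))),
    ProtocolFeature("Modbus/TCP", 502, ((2, b"\x00\x00"),)),
]

# Device knowledge base (S100): (manufacturer, protocol) -> device type.
DEVICE_KNOWLEDGE_BASE = {
    ("Siemens", "S7"): "Siemens PLC",
}

# --- Step S1201: protocol-parse the frame into per-layer data ---

@dataclass
class ParsedPacket:
    src_mac: str        # link-layer MAC information (S1202)
    dst_port: int       # transport-layer feature
    payload: bytes      # application-layer feature bytes

def parse_frame(frame: bytes) -> ParsedPacket:
    """Parse Ethernet II / IPv4 / TCP and return the fields the matcher needs."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]                      # ignore Ethernet padding
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return ParsedPacket(src_mac, dst_port, tcp[data_off:])

# --- Step S130 / S1401 / S1501: identification against the libraries ---

def identify_vendor(src_mac: str) -> Optional[str]:
    return VENDOR_MAC_LIBRARY.get(src_mac[:8])

def identify_protocol(pkt: ParsedPacket) -> Optional[str]:
    for feat in FEATURE_LIBRARY:
        if pkt.dst_port != feat.tcp_port:
            continue
        # A payload shorter than a marker yields a short slice and fails the
        # comparison, so truncated packets are reported as unidentified.
        if all(pkt.payload[off:off + len(exp)] == exp for off, exp in feat.markers):
            return feat.name
    return None

def identify_device(frame: bytes) -> dict:
    """Return manufacturer, protocol and device type; None where unknown."""
    pkt = parse_frame(frame)
    vendor = identify_vendor(pkt.src_mac)
    proto = identify_protocol(pkt)
    dev_type = DEVICE_KNOWLEDGE_BASE.get((vendor, proto)) if vendor and proto else None
    return {"src_mac": pkt.src_mac, "vendor": vendor,
            "protocol": proto, "device_type": dev_type}

# --- Constructed test frames (no capture needed) ---

def build_frame(src_mac: bytes, dst_port: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame around a constructed payload."""
    eth = b"\x00\x0c\x29\xaa\xbb\xcc" + src_mac + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return eth + ip + tcp + payload

# S7 "setup communication" request: TPKT(4) + COTP DT(3) + S7 header/params(18).
S7_PAYLOAD = bytes.fromhex("0300001902f08032010000000100080000f000000100010 1e0".replace(" ", ""))
# Modbus/TCP read-holding-registers request: MBAP(7) + PDU(5).
MODBUS_PAYLOAD = bytes.fromhex("000100000006010300000 00a".replace(" ", ""))

if __name__ == "__main__":
    print(identify_device(build_frame(bytes.fromhex("001b1b112233"), 102, S7_PAYLOAD)))
    print(identify_device(build_frame(bytes.fromhex("0242ac000001"), 502, MODBUS_PAYLOAD)))
```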
In addition, referring to fig. 6, fig. 6 is a schematic diagram of the overall architecture of the industrial network device identification apparatus. An embodiment of the present invention further provides an industrial network device identification apparatus, which includes:
a network packet receiving module, configured to receive the network packet sent by the device and flowing through the network security product;
a protocol parsing module, configured to protocol-parse the network packet to obtain the medium access control information and the feature information;
a manufacturer identification module, configured to identify the manufacturer information of the device from the medium access control information;
a protocol or application identification module, configured to compare the feature information with the information in a preset industrial protocol or industrial application feature library to obtain an identification result, where the identification result is the industrial protocol used by the device or the industrial application running on it;
and a device type identification module, configured to identify the type of the device sending the network packet by combining the manufacturer information and the identification result.
For the identification principle and implementation of the industrial network device identification apparatus of this embodiment, refer to the foregoing embodiments; they are not repeated here.
In addition, an embodiment of the present invention further provides a terminal device, which includes a memory, a processor, and an industrial network device identification program stored in the memory and executable on the processor; when executed by the processor, the industrial network device identification program implements the steps of the industrial network device identification method described above.
Since the industrial network device identification program executed by the processor adopts all the technical solutions of the foregoing embodiments, it achieves at least all the beneficial effects of those technical solutions, which are not described again here.
In addition, an embodiment of the present invention further provides a storage medium, which stores an industrial network device identification program; when executed by a processor, the industrial network device identification program implements the steps of the industrial network device identification method described above.
Since the industrial network device identification program executed by the processor adopts all the technical solutions of the foregoing embodiments, it achieves at least all the beneficial effects of those technical solutions, which are not repeated here.
It should be noted that, in this document, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or system that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or system that comprises the element.
The serial numbers of the embodiments of the present invention above are merely for description and do not represent the relative merits of the embodiments.
From the description of the foregoing embodiments it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software together with a necessary general-purpose hardware platform, and certainly may also be implemented by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of the present invention may be embodied in the form of a software product stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) that includes instructions enabling a terminal device (e.g., a mobile phone, a computer, a server, a controlled terminal or a network device) to execute the method of each embodiment of the present invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit its scope; all equivalent structures and equivalent process modifications made using the contents of this specification and the accompanying drawings, whether applied directly or indirectly in other related technical fields, fall within the scope of the present invention.

Claims (9)

1. An industrial network device identification method, characterized in that the industrial network device identification method comprises the following steps:
receiving a network packet sent by a device and flowing through a network security product;
protocol-parsing the network packet to obtain medium access control information and feature information;
identifying manufacturer information of the device from the medium access control information;
comparing the feature information with information in a preset industrial protocol or industrial application feature library to obtain an identification result, wherein the identification result is an industrial protocol used by the industrial network device or an industrial application run by the industrial network device;
identifying the type of the device sending the network packet by combining the manufacturer information and the identification result;
wherein the step of comparing the feature information with information in a preset industrial protocol or industrial application feature library to obtain an identification result comprises:
comparing the feature information with the information in the preset industrial protocol or industrial application feature library, judging whether the feature information exists in the feature library, and, if it does, looking up the corresponding industrial protocol or industrial application in the feature library as the identification result.
2. The industrial network device identification method according to claim 1, wherein the step of identifying the type of the device sending the network packet by combining the manufacturer information and the identification result comprises:
comparing the manufacturer information and the identification result against an industrial device knowledge information base, and looking up the device type corresponding to the manufacturer information and the identification result in the industrial device knowledge information base to obtain the type of the device sending the network packet.
3. The industrial network device identification method according to claim 1, wherein the step of protocol-parsing the network packet to obtain medium access control information and feature information comprises:
protocol-parsing the network packet according to a network protocol to obtain link-layer data, transport-layer data and application-layer data;
and extracting the medium access control information from the link-layer data, and extracting the feature information of an industrial protocol or industrial application from the transport-layer and application-layer data.
4. The industrial network device identification method according to claim 1, wherein the step of identifying manufacturer information of the device from the medium access control information comprises:
comparing the medium access control information against a manufacturer medium access control information management library, and looking up the manufacturer information corresponding to the medium access control information in the manufacturer medium access control information management library as the manufacturer information of the device.
5. The industrial network device identification method according to claim 1, wherein before the step of receiving a network packet sent by a device and flowing through a network security product, the method further comprises:
collecting, according to preset rules, manufacturer information and an industrial protocol or industrial application corresponding to each industrial device, and storing the collected results in an industrial device knowledge information base.
6. The method according to claim 5, wherein before the step of collecting manufacturer information and an industrial protocol or industrial application corresponding to each industrial device and storing the collected results in an industrial device knowledge information base, the method further comprises:
collecting raw network traffic data;
protocol-parsing the traffic data according to a network protocol to obtain manufacturer-information protocol features and features corresponding to an industrial protocol or industrial application;
storing the manufacturer-information protocol features in a manufacturer medium access control information management library;
and storing the features corresponding to the industrial protocol or industrial application in the preset industrial protocol or industrial application feature library.
7. An industrial network device identification apparatus, characterized in that the industrial network device identification apparatus comprises:
a network packet receiving module, configured to receive a network packet sent by a device and flowing through a network security product;
a protocol parsing module, configured to protocol-parse the network packet to obtain medium access control information and feature information;
a manufacturer identification module, configured to identify manufacturer information of the device from the medium access control information;
a protocol or application identification module, configured to compare the feature information with information in a preset industrial protocol or industrial application feature library to obtain an identification result, wherein the identification result is an industrial protocol used by the industrial network device or an industrial application run by the industrial network device;
a device type identification module, configured to identify the type of the device sending the network packet by combining the manufacturer information and the identification result;
wherein the protocol or application identification module is further configured to compare the feature information with the information in the preset industrial protocol or industrial application feature library, determine whether the feature information exists in the feature library, and, if it does, look up the corresponding industrial protocol or industrial application in the feature library as the identification result.
8. A terminal device comprising a memory, a processor, and an industrial network device identification program stored in the memory and executable on the processor, wherein the industrial network device identification program, when executed by the processor, implements the steps of the industrial network device identification method according to any one of claims 1 to 6.
9. A storage medium storing an industrial network device identification program, wherein the industrial network device identification program, when executed by a processor, implements the steps of the industrial network device identification method according to any one of claims 1 to 6.
Application CN202211081829.XA, priority date 2022-09-06, filing date 2022-09-06: Industrial network equipment identification method and device, terminal equipment and storage medium. Status: Active.

Publications: CN115150207A (published 2022-10-04); CN115150207B (granted, published 2022-11-29).
