CN116708001A - Industrial control system private protocol vulnerability detection method and device - Google Patents

Industrial control system private protocol vulnerability detection method and device Download PDF

Info

Publication number: CN116708001A
Authority: CN (China)
Prior art keywords: protocol, tested, test, equipment, response data
Legal status: Granted
Application number: CN202310861442.4A
Other languages: Chinese (zh)
Other versions: CN116708001B (en)
Inventors: 艾泽瑞, 郭峰, 巩浩然, 阮涛, 张扬
Current Assignee: Zhejiang Qi'an Information Technology Co ltd
Original Assignee: Zhejiang Qi'an Information Technology Co ltd
Application filed by Zhejiang Qi'an Information Technology Co ltd
Priority to CN202310861442.4A
Publication of CN116708001A; application granted; publication of CN116708001B
Legal status: Active

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and a system for detecting proprietary protocol vulnerabilities in an industrial control system. The method comprises: identifying at least one target device in the network under test; connecting to each target device; selecting at least one target device and defining it as a device under test; constructing corresponding mutated test messages from the response data of each device under test; and sending the mutated test messages to the corresponding devices under test to detect their vulnerabilities. The method confirms the target devices automatically and accurately, and the generated mutated test messages fully simulate real attacks, so that weak points of the proprietary protocol in the industrial control system are found quickly, industrial enterprises learn of security threats on the industrial floor in time, and safe operation of the production network is ensured. The whole method is fully automated, requires no large manual learning cost, and can quickly and conveniently generate different mutated test messages.

Description

Industrial control system private protocol vulnerability detection method and device
Technical Field
The application belongs to the technical field of network security of industrial control systems, and particularly relates to a method and a device for detecting proprietary protocol loopholes of an industrial control system.
Background
With the deep integration of informatization and industrialization, the information security situation of an industrial control system is increasingly severe. Today's industrial control systems have undergone tremendous changes in control scale, control technology and information sharing, from initially simple controlled closed systems to now complex or advanced controlled open systems, with increasing incidents of cyber attacks against industrial control systems, which are facing unprecedented cyber security threats. Industrial control systems typically employ proprietary protocols for communication. In the context of industrial control system security facing increasing risks, proprietary protocols are becoming a concern for industrial control system security. For example, common proprietary protocols such as Modbus protocol, S7 protocol, FINS protocol, etc. have serious security problems.
At present, many vulnerability detection methods for proprietary industrial control protocols are on the market, but most of them rely on several tools and considerable manpower, such as capturing traffic with Wireshark and analysing the data by hand. This process carries a great deal of wasted effort: the cost of learning the tools, the cost of learning the proprietary protocol, and the influence of preconditions such as the analyst's learning ability, so the analysis cost is too high. In addition, the detection process needs to mutate message data, and the precondition for mutation is that the protocol tree and the meaning of each field of the proprietary protocol are acquired correctly; incorrectly mutated message data cannot be understood by the industrial control device, is discarded, and vulnerability detection of the proprietary protocol cannot be completed. Existing vulnerability detection is also performed on the assumption that all target devices are known; when the target conditions are completely or only partially unknown, existing methods have difficulty determining the state of the target devices, which greatly affects vulnerability detection.
Disclosure of Invention
To address the defects of the prior art, the method and device for detecting proprietary protocol vulnerabilities of an industrial control system can perform fully automatic proprietary protocol vulnerability detection against different target devices and save a large amount of learning cost.
In a first aspect, an industrial control system private protocol vulnerability detection method includes:
identifying at least one target device in the network under test;
respectively connecting target devices;
selecting at least one target device, and defining the target device as a device to be tested;
constructing corresponding variation test messages according to the response data of each device to be tested;
and respectively sending the mutation test messages to corresponding equipment to be tested, and detecting the loopholes of the equipment to be tested.
Further, identifying at least one target device in the network under test specifically includes:
detecting equipment in the network to be detected to obtain all surviving equipment in the network to be detected;
acquiring an identification case in a fingerprint identification case library;
transmitting the identification use case to the survival equipment;
acquiring response data of each survival device;
analyzing the response data to obtain the model, manufacturer or protocol of each surviving device;
judging whether the surviving equipment is the target equipment according to the model, manufacturer or protocol.
Further, the connection target apparatus specifically includes:
and after the connection with the target equipment is established, continuously sending a heartbeat packet to the target equipment, and maintaining the connection with the target equipment.
Further, constructing a corresponding mutated test message according to the response data of each device under test specifically includes:
acquiring response data of the equipment to be tested;
calling a protocol analyzer to construct a test message according to the response data;
and mutating the test message to obtain a mutated test message.
Further, the protocol parser comprises a plurality of proprietary protocol format files;
calling the protocol parser to construct the test message according to the response data includes:
calling a corresponding private protocol format file in the protocol parser according to the response data;
constructing a test message according to the private protocol format file;
the test message contains a field length, a field type, and a field name.
Further, the mutating the test message specifically includes:
determining a variable node in a test message according to the test requirement type;
and changing the content of the variable nodes in the test message by using a variation method.
Further, after detecting the vulnerability of the device under test, the method further comprises:
recording a detection result;
and generating a log file according to the detection result and outputting the log file.
In a second aspect, an industrial control system private protocol vulnerability detection apparatus includes:
device identification unit: for identifying at least one target device in the network under test;
a device connection unit: for connecting the target devices respectively; selecting at least one target device, and defining the target device as a device to be tested;
message generation unit: the method comprises the steps of constructing corresponding variation test messages according to response data of each device to be tested;
and a detection unit: and the device is used for respectively sending the mutation test messages to the corresponding device to be tested and detecting the loopholes of the device to be tested.
Further, the message generating unit is specifically configured to:
acquiring response data of the equipment to be tested;
calling a protocol analyzer to construct a test message according to the response data;
and mutating the test message to obtain a mutated test message.
Further, the protocol parser comprises a plurality of proprietary protocol format files;
the message generating unit is specifically configured to:
calling a corresponding private protocol format file in the protocol parser according to the response data;
constructing a test message according to the private protocol format file;
the test message contains a field length, a field type, and a field name.
According to the technical scheme, the method and system for detecting proprietary protocol vulnerabilities of an industrial control system are based on real traffic from the real industrial control environment: they connect to the network under test, acquire the real traffic, determine the target devices, construct mutated test messages and verify the vulnerabilities of the proprietary protocol by attacking it. The method confirms the target devices automatically and accurately, and the generated mutated test messages fully simulate real attacks, so that weak points of the proprietary protocol in the industrial control system are found quickly, industrial enterprises learn of security threats on the industrial floor in time, and safe operation of the production network is ensured. The whole method is fully automated, requires no large manual learning cost, can quickly and conveniently generate different mutated test messages, and is broadly applicable to industrial control systems with a single detection dimension.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. Like elements or portions are generally identified by like reference numerals throughout the several figures. In the drawings, elements or portions thereof are not necessarily drawn to scale.
Fig. 1 is a flowchart of a method for detecting a proprietary protocol vulnerability of an industrial control system according to an embodiment.
Fig. 2 is a schematic diagram of a connection target device according to an embodiment.
Fig. 3 is a schematic diagram of a Fins proprietary protocol format provided in an embodiment.
Fig. 4 is a schematic diagram of a test packet according to an embodiment.
Fig. 5 is a schematic diagram of response data provided in an embodiment.
Detailed Description
Embodiments of the technical scheme of the present application will be described in detail below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present application, and thus are merely examples, and are not intended to limit the scope of the present application. It is noted that unless otherwise indicated, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to a determination" or "in response to detection", depending on the context. Similarly, the phrase "if a determination" or "if a [described condition or event] is detected" may be interpreted, depending on the context, as "upon determination", "in response to determination", "upon detection of a [described condition or event]" or "in response to detection of a [described condition or event]".
Examples:
referring to fig. 1, the method for detecting proprietary protocol vulnerabilities of an industrial control system includes:
identifying at least one target device in the network under test;
respectively connecting target devices;
selecting at least one target device, and defining the target device as a device to be tested;
constructing corresponding variation test messages according to the response data of each device to be tested;
and respectively sending the mutation test messages to corresponding equipment to be tested, and detecting the loopholes of the equipment to be tested.
In this embodiment, the method is mainly used to detect vulnerabilities in a proprietary protocol. It first identifies the target devices in the network under test; for example, it can determine which proprietary protocol is to be tested and define every device that uses that protocol as a target device. It then imitates the real connection between the host computer and the field controller and connects to the target device; referring to fig. 2, the connection between the industrial control device and the device under test is established through a switch. The method can also obtain the current running state of each target device. Manufacturers describe running states differently: Siemens distinguishes the Run and Stop states, while Rockwell distinguishes three states, a programming mode, a running mode and a checking mode. The running state is recorded mainly so that the device can be restored to the state it had before detection once vulnerability detection is complete. Next, one or more target devices are selected as devices under test; they may be ordered by IP address in ascending or descending order, and vulnerability detection is carried out on them sequentially in that order. To detect the vulnerabilities of a device under test, the method first constructs a mutated test message and sends it to the corresponding device, thereby detecting the vulnerabilities of that device.
The method for detecting proprietary protocol vulnerabilities of an industrial control system is based on real traffic from the real industrial control environment: it connects to the network under test, acquires the real traffic, determines the target devices, constructs mutated test messages and verifies the vulnerabilities of the proprietary protocol by attacking it. The method confirms the target devices automatically and accurately, and the generated mutated test messages fully simulate real attacks, so that weak points of the proprietary protocol in the industrial control system are found quickly, industrial enterprises learn of security threats on the industrial floor in time, and safe operation of the production network is ensured. The whole method is fully automated, requires no large manual learning cost, can quickly and conveniently generate different mutated test messages, and is broadly applicable to industrial control systems with a single detection dimension.
Further, in some embodiments, identifying at least one target device in the network under test specifically includes:
detecting equipment in the network to be detected to obtain all surviving equipment in the network to be detected;
acquiring an identification case in a fingerprint identification case library;
transmitting the identification use case to the survival equipment;
acquiring response data of each survival device;
analyzing the response data to obtain the model, manufacturer or protocol of each surviving device;
judging whether the surviving equipment is the target equipment according to the model, manufacturer or protocol.
In this embodiment, the network under test may be the security zone in which the device under test is located. To identify target devices, the method first performs network detection: it probes the devices in the network under test, finds all surviving (live) devices, and can generate a list of them and draw the network structure for the user to review. The fingerprint identification use-case library may contain several identification use cases, each used to identify the model, manufacturer or protocol of a surviving device. After network detection, device identification follows: identification use cases are fetched from the library and sent to the surviving devices, and the model, manufacturer or protocol of each device is obtained from its response data. For example, for Omron FINS, the FINS device identification message from the library is sent, and bytes 30 to 55 of the returned response data are sliced out and decoded as ASCII, which yields the Omron model and version.
Further, in some embodiments, the connection target device specifically includes:
and after the connection with the target equipment is established, continuously sending a heartbeat packet to the target equipment, and maintaining the connection with the target equipment.
In this embodiment, after the connection with the target device is established, the method continuously sends heartbeat packets to the target device, handshakes with it and maintains a valid connection, so as to avoid the target device dropping the connection during vulnerability detection.
Further, in some embodiments, constructing the corresponding mutated test message according to the response data of each device under test specifically includes:
acquiring response data of the equipment to be tested;
calling a protocol analyzer to construct a test message according to the response data;
and mutating the test message to obtain a mutated test message.
In this embodiment, since the method has already acquired the interaction data (request data and response data) with the target device while determining it, the protocol parser can be called to construct the test message from the response data, the parser containing the formats of various proprietary protocols. Finally, the test message is mutated, and the mutated message is captured and packaged to obtain the mutated test message.
Further, in some embodiments, the protocol parser includes a plurality of proprietary protocol format files;
calling the protocol parser to construct the test message according to the response data includes:
calling a corresponding private protocol format file in the protocol parser according to the response data;
constructing a test message according to the private protocol format file;
the test message contains a field length, a field type, and a field name.
In this embodiment, the protocol parser contains several proprietary protocol format files, and an administrator may add, modify or delete format files in the parser to complete it. The method calls the protocol parser to read the format file of the proprietary protocol used by the device under test, fills the response data into the corresponding nodes of the protocol tree according to that format file, and so obtains the test message. Referring to fig. 3, fig. 4 and fig. 5, which take a test message and response data written for Omron FINS as an example: fig. 3 is the FINS proprietary protocol format, fig. 4 is the test message that can be constructed according to the format of fig. 3, and fig. 5 is the response data. Because various messages are mixed into the response data, such as TCP FIN, SYN and ACK segments and messages of other application-layer protocols, which would interfere with constructing the test message, the method filters the irrelevant messages out of the response data after acquiring it and then constructs the test message.
Further, in some embodiments, the mutating the test message specifically includes:
the variable nodes in the test message are determined according to the test requirement type; for example, the variable nodes are nodes such as the function code, the start address and the write length, and the method can vary different nodes in different field environments. For example, in a non-production environment, where shutting down or stopping the PLC cannot affect production, the variable node is set to the function code node, the function code is changed to the one that stops operation, and an attempt is made to shut down the PLC. In a running production environment, the running state of the PLC affects the stability of the production line, so the variable nodes are set to the function code node and the start address node in order to read the information stored by the PLC.
And changing the content of the variable nodes in the test message by using a variation method.
In this embodiment, when the method mutates the test message, part of the data in the test message may be changed, and different mutation methods are chosen for changing the content of the variable nodes according to the type of test requirement.
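As an added example (this is not the patent's code), the following Python sketches in one place the three mechanisms described above: the FINS identification response from which the model and version are sliced as ASCII, the format-file-driven protocol tree whose nodes are filled from observed response data to build a test message, and the selection of variable nodes by test requirement type followed by boundary-value mutation. The FINS/TCP field layout, the field names, the node policy and the sample capture are all assumptions of this example.

```python
# Assumed field layouts (FINS/TCP framing followed by a FINS command frame);
# the field names are this example's own, not taken from any vendor document.
FINS_TCP_HEADER = [("magic", "ascii", 4), ("length", "uint", 4),
                   ("tcp_command", "uint", 4), ("error_code", "uint", 4)]
FINS_HEADER = [(n, "uint", 1) for n in
               ("icf", "rsv", "gct", "dna", "da1", "da2", "sna", "sa1", "sa2", "sid")]
# "Controller data read" response (command 0x0501): model and version strings
# begin at byte 30, the ASCII region the page slices for fingerprinting.
IDENT_RESPONSE_FORMAT = FINS_TCP_HEADER + FINS_HEADER + [
    ("function_code", "uint", 2), ("end_code", "uint", 2),
    ("model", "ascii", 20), ("version", "ascii", 20)]
# "Memory area read" request (command 0x0101): carries the nodes the page
# names as variable (function code, start address, read length).
MEM_READ_REQUEST_FORMAT = FINS_TCP_HEADER + FINS_HEADER + [
    ("function_code", "uint", 2), ("area_code", "uint", 1),
    ("start_address", "uint", 3), ("read_length", "uint", 2)]
# Nodes that may be varied per test requirement type (assumed policy): in
# production only read-type nodes are touched, so the PLC state is left alone.
VARIABLE_NODES = {"production": ("start_address", "read_length"),
                  "non_production": ("function_code", "start_address", "read_length")}


def parse(fmt, data):
    """Fill the protocol tree (ordered dict name -> value) from raw bytes."""
    need = sum(length for _, _, length in fmt)
    if len(data) < need:
        raise ValueError(f"frame too short: {len(data)} < {need}")
    tree, pos = {}, 0
    for name, ftype, length in fmt:
        chunk = data[pos:pos + length]
        pos += length
        if ftype == "uint":
            tree[name] = int.from_bytes(chunk, "big")
        else:  # ascii: strip the space/NUL padding vendors use for fixed fields
            tree[name] = chunk.decode("ascii", errors="replace").rstrip(" \x00")
    return tree


def serialize(fmt, tree):
    """Encode a tree back to bytes; the FINS/TCP length field is recomputed as
    the number of bytes that follow it (total frame length minus 8)."""
    total = sum(length for _, _, length in fmt)
    out = bytearray()
    for name, ftype, length in fmt:
        value = total - 8 if name == "length" else tree[name]
        if ftype == "uint":
            if not 0 <= value < 1 << (8 * length):
                raise ValueError(f"{name}={value} does not fit in {length} bytes")
            out += value.to_bytes(length, "big")
        else:
            out += value.encode("ascii")[:length].ljust(length, b"\x00")
    return bytes(out)


def fins_frames(captured):
    """Keep only FINS/TCP frames; TCP control segments and other application
    protocols mixed into the captured response data are dropped."""
    return [m for m in captured if m[:4] == b"FINS" and len(m) >= 16]


def identify(response):
    """Model and version of a surviving device from its identification response."""
    tree = parse(IDENT_RESPONSE_FORMAT, response)
    if tree["function_code"] != 0x0501 or tree["end_code"] != 0:
        return None
    return tree["model"], tree["version"]


def build_test_message(response):
    """Construct the test message from observed response data: the addressing
    nodes are filled from the response (source and destination swapped)."""
    r = parse(IDENT_RESPONSE_FORMAT, response)
    return {"magic": "FINS", "length": 0, "tcp_command": 2, "error_code": 0,
            "icf": 0x80, "rsv": 0, "gct": 0x02,
            "dna": r["sna"], "da1": r["sa1"], "da2": r["sa2"],
            "sna": r["dna"], "sa1": r["da1"], "sa2": r["da2"],
            "sid": (r["sid"] + 1) & 0xFF, "function_code": 0x0101,
            "area_code": 0x82, "start_address": 0, "read_length": 1}


def mutate(fmt, tree, test_requirement):
    """Boundary-value mutation: every variable node allowed by the test
    requirement type is set to 0, 1 and its maximum, each giving one frame."""
    sizes = {name: length for name, _, length in fmt}
    variants = []
    for node in VARIABLE_NODES[test_requirement]:
        for value in (0, 1, (1 << (8 * sizes[node])) - 1):
            variants.append((node, value, serialize(fmt, dict(tree, **{node: value}))))
    return variants


# Constructed sample capture (not a real trace): one unrelated segment plus an
# identification response from PLC node 0.1.0 to host node 0.5.0.
SAMPLE_CAPTURE = [
    b"\x00" * 20,
    b"FINS" + (62).to_bytes(4, "big") + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x00"
    + bytes([0xC0, 0, 2, 0, 5, 0, 0, 1, 0, 7]) + b"\x05\x01\x00\x00"
    + b"CJ2M-CPU31".ljust(20) + b"02.00".ljust(20),
]
```

Running `identify(fins_frames(SAMPLE_CAPTURE)[0])` returns the constructed model and version, and `mutate(MEM_READ_REQUEST_FORMAT, build_test_message(...), "production")` yields six re-encoded frames, each with the length field recomputed.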
Further, in some embodiments, after detecting the vulnerability of the device under test, further comprising:
recording a detection result;
and generating a log file according to the detection result and outputting the log file.
In this embodiment, the method records the detection result after completing the vulnerability detection, and outputs the log file according to the detection result, so that the user can know the whole vulnerability detection process and result after viewing the log file.
An industrial control system proprietary protocol vulnerability detection device, comprising:
device identification unit: for identifying at least one target device in the network under test;
a device connection unit: for connecting the target devices respectively; selecting at least one target device, and defining the target device as a device to be tested;
message generation unit: the method comprises the steps of constructing corresponding variation test messages according to response data of each device to be tested;
and a detection unit: and the device is used for respectively sending the mutation test messages to the corresponding device to be tested and detecting the loopholes of the device to be tested.
Further, in some embodiments, the device identification unit is specifically configured to:
detecting equipment in the network to be detected to obtain all surviving equipment in the network to be detected;
acquiring an identification case in a fingerprint identification case library;
transmitting the identification use case to the survival equipment;
acquiring response data of each survival device;
analyzing the response data to obtain the model, manufacturer or protocol of each surviving device;
judging whether the surviving equipment is the target equipment according to the model, manufacturer or protocol.
Further, in some embodiments, the device connection unit is specifically configured to:
and after the connection with the target equipment is established, continuously sending a heartbeat packet to the target equipment, and maintaining the connection with the target equipment.
Further, in some embodiments, the message generating unit is specifically configured to:
acquiring response data of the equipment to be tested;
calling a protocol analyzer to construct a test message according to the response data;
and mutating the test message to obtain a mutated test message.
Further, in some embodiments, the protocol parser includes a plurality of proprietary protocol format files;
the message generating unit is specifically configured to:
calling a corresponding private protocol format file in the protocol parser according to the response data;
constructing a test message according to the private protocol format file;
the test message contains a field length, a field type, and a field name.
Further, in some embodiments, the message generating unit is specifically configured to:
determining a variable node in a test message according to the test requirement type;
and changing the content of the variable nodes in the test message by using a variation method.
Further, in some embodiments, further comprising:
an output unit: the method is used for recording the detection result; and generating a log file according to the detection result and outputting the log file.
For a brief description of the apparatus provided by the embodiments of the present application, where something is not mentioned in the description of the apparatus embodiments, reference may be made to the corresponding content in the foregoing method embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application, and are intended to be included within the scope of the appended claims and description.

Claims (10)

1. A method for detecting vulnerabilities in a proprietary protocol of an industrial control system, characterized by comprising the following steps:
identifying at least one target device in the network under test;
connecting to each of the target devices;
selecting at least one target device and defining it as a device to be tested;
constructing a corresponding mutated test message from the response data of each device to be tested;
and sending each mutated test message to the corresponding device to be tested, and detecting vulnerabilities of the device to be tested.
2. The method for detecting vulnerabilities in a proprietary protocol of an industrial control system according to claim 1, wherein identifying at least one target device in the network under test specifically comprises:
probing the devices in the network under test to obtain all live devices in the network under test;
acquiring an identification use case from a fingerprint identification use case library;
sending the identification use case to the live devices;
acquiring the response data of each live device;
parsing the response data to obtain the model, manufacturer or protocol of each live device;
and judging whether a live device is a target device according to the model, manufacturer or protocol.
3. The method for detecting vulnerabilities in a proprietary protocol of an industrial control system according to claim 1, wherein connecting to the target devices specifically comprises:
after a connection with a target device is established, continuously sending heartbeat packets to the target device so as to keep the connection with the target device alive.
4. The method for detecting vulnerabilities in a proprietary protocol of an industrial control system according to claim 1, wherein constructing a corresponding mutated test message from the response data of each device to be tested specifically comprises:
acquiring the response data of the device to be tested;
invoking a protocol parser to construct a test message from the response data;
and mutating the test message to obtain the mutated test message.
5. The method for detecting vulnerabilities in a proprietary protocol of an industrial control system according to claim 4, wherein
the protocol parser comprises a plurality of private protocol format files;
invoking the protocol parser to construct a test message from the response data comprises:
invoking the private protocol format file in the protocol parser that corresponds to the response data;
constructing the test message according to the private protocol format file;
wherein the test message comprises a field length, a field type and a field name.
6. The method for detecting vulnerabilities in a proprietary protocol of an industrial control system according to claim 5, wherein mutating the test message specifically comprises:
determining a variable node in the test message according to the test requirement type;
and changing the content of the variable node in the test message using a mutation method.
7. The method for detecting vulnerabilities in a proprietary protocol of an industrial control system according to claim 1, further comprising, after detecting the vulnerabilities of the device to be tested:
recording the detection result;
and generating a log file from the detection result and outputting the log file.
8. A device for detecting vulnerabilities in a proprietary protocol of an industrial control system, characterized by comprising:
a device identification unit, configured to identify at least one target device in the network under test;
a device connection unit, configured to connect to each of the target devices, select at least one target device and define it as a device to be tested;
a message generation unit, configured to construct a corresponding mutated test message from the response data of each device to be tested;
and a detection unit, configured to send each mutated test message to the corresponding device to be tested and detect vulnerabilities of the device to be tested.
9. The device for detecting vulnerabilities in a proprietary protocol of an industrial control system according to claim 8, wherein the message generation unit is specifically configured to:
acquire the response data of the device to be tested;
invoke a protocol parser to construct a test message from the response data;
and mutate the test message to obtain the mutated test message.
10. The device for detecting vulnerabilities in a proprietary protocol of an industrial control system according to claim 9, wherein the protocol parser comprises a plurality of private protocol format files;
the message generation unit is specifically configured to:
invoke the private protocol format file in the protocol parser that corresponds to the response data;
and construct the test message according to the private protocol format file;
wherein the test message comprises a field length, a field type and a field name.
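Claims 2 through 7 describe one pipeline: fingerprint live devices from their response to an identification use case, keep the session alive with heartbeats, build a test message from a protocol format file that lists field name, type and length, pick the variable nodes by test requirement type, mutate them, and record each outcome in a log. The block below is an added example that walks that pipeline end to end; it is not code from the patent or its assignee. Everything in it is constructed for illustration: the toy "toyctl" protocol and its format description, the simulated device and its banner, the VARIABLE_NODES mapping of requirement types to fields, the mutation set, and all function names. The simulated device is deliberately well behaved (it drops mis-framed requests and answers inconsistent lengths or unknown functions with an error frame), so the tester only exercises the three outcome classes a defender would want recorded.

```python
"""Added example (not the patent's code): format-file-driven fingerprinting,
keep-alive, mutation testing and result logging against a constructed toy
ICS protocol. Protocol, device behaviour and names are all assumptions."""
import json
import re
import struct
from typing import Optional

# Constructed stand-in for one "private protocol format file" (claim 5):
# field name, type and byte length. length=None means "rest of the frame";
# length_of ties a length field to the payload it describes.
TOY_FORMAT = {
    "protocol": "toyctl",
    "fields": [
        {"name": "magic", "type": "bytes", "length": 2},
        {"name": "func", "type": "uint8", "length": 1},
        {"name": "payload_len", "type": "uint8", "length": 1, "length_of": "payload"},
        {"name": "payload", "type": "bytes", "length": None},
    ],
}
MAGIC = b"\x5a\xa5"
FUNC_IDENTIFY, FUNC_READ, FUNC_HEARTBEAT, ERR_FLAG = 0x00, 0x01, 0x02, 0x80
# Assumed mapping from test requirement type to variable nodes (claim 6).
VARIABLE_NODES = {"framing": ["magic"], "function": ["func"],
                  "length": ["payload_len"], "content": ["payload"]}
# Constructed base request: "read" with a 4-byte constructed address/count.
BASE_REQUEST = {"magic": MAGIC, "func": FUNC_READ, "payload": b"\x00\x10\x00\x02"}


def build_message(fmt: dict, values: dict) -> bytes:
    """Serialise fields in format-file order. A length field is derived from
    its payload unless the caller overrides it (which a length mutation does)."""
    out = b""
    for f in fmt["fields"]:
        if f["name"] in values:
            v = values[f["name"]]
        elif "length_of" in f:
            v = len(values[f["length_of"]])
        else:
            raise KeyError(f["name"])
        out += struct.pack("B", v) if f["type"] == "uint8" else bytes(v)
    return out


def parse_message(fmt: dict, data: bytes) -> dict:
    """Inverse of build_message; raises ValueError on a short frame."""
    fields, pos = {}, 0
    for f in fmt["fields"]:
        n = len(data) - pos if f["length"] is None else f["length"]
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("short frame at %s" % f["name"])
        fields[f["name"]] = chunk[0] if f["type"] == "uint8" else chunk
        pos += n
    return fields


class SimulatedDevice:
    """Constructed in-memory device so the example runs offline. It ignores
    mis-framed requests and returns an error frame for bad lengths/functions."""
    BANNER = b"TOYCTL/1.0 vendor=ExampleCorp model=PLC-X7"  # constructed

    def handle(self, request: bytes) -> Optional[bytes]:
        try:
            req = parse_message(TOY_FORMAT, request)
        except ValueError:
            return None
        if req["magic"] != MAGIC:
            return None
        if req["payload_len"] != len(req["payload"]):
            return self._reply(req["func"] | ERR_FLAG, b"\x01")
        if req["func"] == FUNC_IDENTIFY:
            return self._reply(FUNC_IDENTIFY, self.BANNER)
        if req["func"] in (FUNC_READ, FUNC_HEARTBEAT):
            return self._reply(req["func"], req["payload"])
        return self._reply(req["func"] | ERR_FLAG, b"\x02")

    @staticmethod
    def _reply(func: int, payload: bytes) -> bytes:
        return build_message(TOY_FORMAT, {"magic": MAGIC, "func": func, "payload": payload})


def fingerprint(device: SimulatedDevice) -> Optional[dict]:
    """Claim 2: send the identification use case, parse model/vendor/protocol."""
    resp = device.handle(build_message(TOY_FORMAT, {"magic": MAGIC, "func": FUNC_IDENTIFY, "payload": b""}))
    if resp is None:
        return None
    m = re.match(rb"(\w+)/\S+ vendor=(\S+) model=(\S+)", parse_message(TOY_FORMAT, resp)["payload"])
    return None if not m else {"protocol": m[1].decode(), "vendor": m[2].decode(), "model": m[3].decode()}


def is_target(fp: Optional[dict], wanted: dict) -> bool:
    """Claim 2: a live device is a target if model, manufacturer or protocol matches."""
    return fp is not None and any(fp.get(k) == v for k, v in wanted.items())


def heartbeat_ok(device: SimulatedDevice) -> bool:
    """Claim 3: a heartbeat frame that keeps the session alive."""
    resp = device.handle(build_message(TOY_FORMAT, {"magic": MAGIC, "func": FUNC_HEARTBEAT, "payload": b""}))
    return resp is not None and parse_message(TOY_FORMAT, resp)["func"] == FUNC_HEARTBEAT


def mutations(field: dict, orig):
    """Assumed mutation set per field type: boundary values and bit-flip for
    integers; empty, repeated and all-0xFF buffers for byte fields."""
    return [0, 1, 0xFF, orig ^ 0xFF] if field["type"] == "uint8" else [b"", orig * 50, b"\xff" * 64]


def classify(resp: Optional[bytes]) -> str:
    if resp is None:
        return "no_response"
    try:
        return "error" if parse_message(TOY_FORMAT, resp)["func"] & ERR_FLAG else "ok"
    except ValueError:
        return "malformed"


def run_mutation_test(device: SimulatedDevice, base: dict, requirement: str) -> list:
    """Claims 4-6: pick the variable nodes for the requirement type, mutate each,
    send, and record one result per test case."""
    fields = {f["name"]: f for f in TOY_FORMAT["fields"]}
    results = []
    for name in VARIABLE_NODES[requirement]:
        orig = base[name] if name in base else len(base[fields[name]["length_of"]])
        for m in mutations(fields[name], orig):
            outcome = classify(device.handle(build_message(TOY_FORMAT, dict(base, **{name: m}))))
            results.append({"requirement": requirement, "field": name, "mutation": repr(m)[:40], "outcome": outcome})
    return results


def generate_log(results: list) -> str:
    """Claim 7: one JSON line per detection result."""
    return "\n".join(json.dumps(r) for r in results)


if __name__ == "__main__":
    dev = SimulatedDevice()
    if is_target(fingerprint(dev), {"vendor": "ExampleCorp"}) and heartbeat_ok(dev):
        for req in VARIABLE_NODES:
            print(generate_log(run_mutation_test(dev, BASE_REQUEST, req)))
```

Against the simulated device, length mutations all produce "error" frames, content mutations (with the length field recomputed) are all "ok", and framing mutations that break the magic bytes produce "no_response"; a real run would record the same three classes plus "malformed" for a reply the format file cannot parse, which is the case a tester most wants to see in the log.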
CN202310861442.4A 2023-07-13 2023-07-13 Industrial control system private protocol vulnerability detection method and device Active CN116708001B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310861442.4A CN116708001B (en) 2023-07-13 2023-07-13 Industrial control system private protocol vulnerability detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310861442.4A CN116708001B (en) 2023-07-13 2023-07-13 Industrial control system private protocol vulnerability detection method and device

Publications (2)

Publication Number Publication Date
CN116708001A true CN116708001A (en) 2023-09-05
CN116708001B CN116708001B (en) 2024-01-23

Family

ID=87845172

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310861442.4A Active CN116708001B (en) 2023-07-13 2023-07-13 Industrial control system private protocol vulnerability detection method and device

Country Status (1)

Country Link
CN (1) CN116708001B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107241226A (en) * 2017-06-29 2017-10-10 北京工业大学 Fuzz testing method based on industry control proprietary protocol
CN110401662A (en) * 2019-07-29 2019-11-01 华能阜新风力发电有限责任公司 A kind of industrial control equipment fingerprint identification method, storage medium
CN110505111A (en) * 2019-07-09 2019-11-26 杭州电子科技大学 The industry control agreement fuzz testing method reset based on flow
CN111709009A (en) * 2020-06-17 2020-09-25 杭州安恒信息技术股份有限公司 Detection method and device for networked industrial control system, computer equipment and medium
CN112235241A (en) * 2020-09-08 2021-01-15 广州大学 Industrial control honeypot feature extraction method, system and medium based on fuzzy test
US20210306296A1 (en) * 2020-03-27 2021-09-30 The Nielsen Company (Us), Llc Methods and apparatus to facilitate device identification

Also Published As

Publication number Publication date
CN116708001B (en) 2024-01-23

Similar Documents

Publication Publication Date Title
US11902126B2 (en) Method and system for classifying a protocol message in a data communication network
US20080168425A1 (en) Software testing techniques for stack-based environments
CN112184091B (en) Industrial control system security threat assessment method, device and system
CN114050979B (en) Industrial control protocol safety test system and device
CN113542299A (en) Industrial internet vulnerability mining method and system based on fuzzy test
CN109063486B (en) Safety penetration testing method and system based on PLC equipment fingerprint identification
CN110912927A (en) Method and device for detecting control message in industrial control system
CN112822151A (en) Multilayer accurate active network attack detection method and system for control network industrial computer
CN112055003B (en) Method for generating private protocol fuzzy test case based on byte length classification
CN114124476B (en) Sensitive information leakage vulnerability detection method, system and device for Web application
CN110879891A (en) Vulnerability detection method and device based on web fingerprint information
CN110765333A (en) Method and device for collecting website information, storage medium and electronic device
CN112565229A (en) Hidden channel detection method and device
CN114499974B (en) Device detection method, device, computer device and storage medium
CN110768950A (en) Permeation instruction sending method and device, storage medium and electronic device
CN112988670B (en) Log data processing method and device
CN116708001B (en) Industrial control system private protocol vulnerability detection method and device
CN117254964A (en) Power grid intelligent terminal protocol vulnerability detection method based on high-order attribute grammar
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
CN108650274B (en) Network intrusion detection method and system
CN113992419A (en) User abnormal behavior detection and processing system and method thereof
CN114978592B (en) Modbus vulnerability mining method based on optimized multicomponent subcontracting mechanism
Pramudya et al. Implementation of signature-based intrusion detection system using SNORT to prevent threats in network servers
CN110830605A (en) Self-discovery client, communication terminal equipment and automatic discovery method thereof
Arabo Distributed ids using agents: an agent-based detection system to detect passive and active threats to a network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant