CN103780602A - Method for preventing Stuxnet attacks - Google Patents

Method for preventing Stuxnet attacks

Info

Publication number
CN103780602A
Authority
CN
China
Prior art keywords
packet
safety device
condition code
plc
data packets
Prior art date
Legal status
Pending
Application number
CN201310552468.7A
Other languages
Chinese (zh)
Inventor
谷永国
何迪江
Current Assignee
BEIJING LIKONG HUACON TECHNOLOGY Co Ltd
Original Assignee
BEIJING LIKONG HUACON TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by BEIJING LIKONG HUACON TECHNOLOGY Co Ltd
Priority to CN201310552468.7A
Publication of CN103780602A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a method for preventing Stuxnet attacks, comprising the following steps: step 1, a security device is deployed in the network communication path, and a signature (characteristic code) is stored in the security device; step 2, all packets passing through the security device are filtered, analyzed and compared with the signature; step 3, a packet is intercepted if it matches the signature. The method prevents Stuxnet attacks by blocking program-download packets: it analyzes the packets passing through, intercepts those that match the signature, terminates the PLC project download, and lets packets that do not match the signature pass, so that normal network communication is preserved and the industrial Ethernet keeps operating safely.

Description

Method for preventing Stuxnet attacks
Technical field
The present invention relates to the field of network security technology, and in particular to a method for preventing Stuxnet attacks in industrial informatization.
Background art
With the arrival of the networked information era, China's industrial model has changed dramatically: the "information island" pattern has been thoroughly broken, enterprises are fully networked, and production data can easily be analyzed at scale, which not only raises production efficiency but also advances the national strategy of energy saving and emission reduction. The benefits that informatization brings to industry are obvious, but the network and information security problems that come with it are alarming.
The Stuxnet worm (commonly called "震网" or "双子" in Chinese) broke out in July 2010. It exploited at least four vulnerabilities in Microsoft operating systems, three of them previously unknown zero-day vulnerabilities; it forged the digital signatures of drivers; through a complete chain of intrusion and propagation steps it broke through the physical isolation of private industrial LANs; and it exploited two vulnerabilities in the WinCC system to mount a destructive attack on it. It was the first malicious code to directly damage industrial infrastructure in the real world. According to Symantec statistics, about 45,000 networks worldwide have so far been infected by this worm, and about 60% of the infected hosts are located in Iran. The Iranian government has confirmed that the country's Bushehr nuclear power plant was attacked by the Stuxnet worm.
The appearance of the Stuxnet worm made people realize that the harm done by viruses is no longer limited to the office networks around us: it has extended to industrial networks, control equipment (or systems) have become targets, and the safety of China's critical industrial facilities is seriously threatened, so industrial network security can no longer be ignored.
At present, for network security problems in office networks, the market offers the following product solutions: firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). None of these products is suitable for industrial Ethernet.
Firewalls first. The firewall products on the market are essentially commercial firewalls, which mainly block network-layer attacks; some firewalls can filter and analyze application-layer data, but only for common protocols such as HTTP and FTP. In industrial Ethernet, Stuxnet attacks use the Siemens PG/OP protocol, which commercial firewalls cannot parse or filter, so commercial firewalls cannot protect against Stuxnet attacks.
An IDS deployed out of band can detect in time the attack behaviour that has penetrated the firewall and is a useful supplement to it, but unfortunately it cannot block a Stuxnet attack in real time. Even when the IDS and the firewall are linked (the IDS detects, the firewall blocks), Stuxnet is an "instantaneous attack": by the time the IDS has detected the attack and notified the firewall, the attack is already over and the firewall can do nothing.
An intrusion prevention system (IPS) supplements antivirus software and firewalls and can effectively stop the propagation and attacks of the viruses known to its signature database. But Stuxnet mutates; once a variant appears, the IPS signature database must be updated before it can detect and block the variant, and until then the variant runs riot on the network. Moreover, once WinCC or STEP 7 is infected, the PLC program can be modified, and a modified PLC carries no virus signature, so even after the IPS signature database has been updated it cannot detect or block the modified PLC program.
The Stuxnet attack proceeds as follows: a computer infected with the Stuxnet virus first actively searches the network for Siemens PLCs; when a Siemens PLC is found, the virus modifies the PLC code and downloads the modified code into the PLC, and the modified code then causes the PLC to damage the equipment it controls.
Summary of the invention
To solve the above technical problems, the object of the present invention is to provide a method that can effectively prevent Stuxnet attacks.
To achieve the above object, the technical solution provided by the present invention is as follows:
A method for preventing Stuxnet attacks, comprising the following steps:
Step 1: a security device is deployed in the network communication path, and a signature is stored in the security device;
Step 2: all packets passing through the security device are filtered, analyzed and compared with the signature;
Step 3: if a packet matches the signature, the packet is intercepted.
Further, the method also comprises step 4: if a packet does not match the signature, the packet is allowed to pass.
Further, the security device is deployed in the network between the host computer (engineering workstation) and the PLC.
Further, the signature is specific information in the handshake packet that the host computer sends to the PLC.
The present invention achieves the goal of preventing Stuxnet virus attacks by blocking program-download packets: the packets passing through are analyzed, those that match the signature are intercepted, the PLC project download is terminated, and packets that do not match the signature are allowed to pass, so that normal network communication is preserved and the safe operation of the industrial Ethernet is ensured.
Brief description of the drawings
Fig. 1 is the flow chart of the present invention.
Detailed description
To make the object, technical solution and advantages of the present invention clearer, the present invention is further explained below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the present invention and are not intended to limit it.
Fig. 1 is the flow chart of the method for preventing Stuxnet attacks provided by the present invention. As shown in Fig. 1, a method for preventing Stuxnet attacks comprises the following steps:
Step 1: a security device is deployed in the network communication path, and a signature is stored in the security device;
Step 2: all packets passing through the security device are filtered, analyzed and compared with the signature;
Step 3: if a packet matches the signature, the packet is intercepted.
Step 4: if a packet does not match the signature, the packet is allowed to pass.
With the above technical solution, worm-type viruses can be effectively prevented from harming the control equipment and systems in a network, in particular an industrial Ethernet, ensuring the safe and normal operation of industrial plants.
Take a PLC controller as an example. During communication between the host computer and the PLC, if the PLC project file is to be modified, a handshake packet must first be sent, and the PLC project download can proceed only after the handshake succeeds; otherwise the PLC does not grant modification rights. Specific information in this handshake packet is used as the signature; the signature is compared with the messages in the network that attempt to access the PLC, so that project-download packets are actively identified. If a packet carrying this signature is found, it is immediately refused passage and the PLC program download is stopped, which blocks the Stuxnet attack.
The present invention is thus a method that, based on analysis of the Siemens protocol content, finds the signature of project-download packets, actively identifies project-download packets, and then prevents the host computer from downloading a project to the PLC, thereby preventing Stuxnet virus attacks and keeping the PLC operating normally in its working state.
Taking the Siemens protocol content as an example, analysis of the protocol found the following signature in the handshake packet of a project download:
03 00 00 21 02 f0 80 32 01 00 00 05 00 00 10 00 00 29 00 00 00 00 00 09 50 5f 50 52 4f 47 52 41 4d
The underlined part (the last nine bytes, 50 5f 50 52 4f 47 52 41 4d) is the ASCII string P_PROGRAM.
All packets passing through the security device (which is deployed in the communication path between the host computer and the PLC) are filtered, analyzed and compared with the signature; if a packet is found to contain data identical to the signature above, the packet is intercepted immediately. Once this packet is blocked, the PLC project download is terminated.
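The filtering procedure of steps 1 to 4 and the signature printed above, as an added example that is not part of the patent or of any vendor product. Decoding the 33 bytes with the field layout documented by the Wireshark s7comm dissector gives a TPKT header (03 00 00 21), a COTP data TPDU (02 f0 80) and an S7comm Job header (32 01 ...) whose parameter begins with function code 0x29, which that dissector labels "PLC Stop", followed by the PI service name P_PROGRAM; the patent treats this frame as the handshake that precedes a project download. The code implements the inline filter two ways: a literal substring compare, which is step 2 taken at face value, and a structural match on the decoded function code and PI service. The difference matters in practice because the byte string includes the two PDU-reference bytes (05 00), which may differ from request to request, so the literal rule misses the same stop request carrying another reference. The function names, the STOP_OTHER_REF frame and the READ_VAR frame are constructed for this example, not captured traffic.

```python
"""Inline S7comm signature filter, written as an illustration of the patent's
steps 1 to 4.  Not the patent's or any vendor's code; frame layout follows the
public Wireshark s7comm dissector, sample frames are constructed here."""
import struct
from dataclasses import dataclass
from typing import Optional

# Signature byte string exactly as printed in the patent description.
PATENT_SIGNATURE = bytes.fromhex(
    "0300002102f08032010000050000100000"      # TPKT + COTP DT + S7 header
    "29000000000009505f50524f4752414d"        # func 0x29, 5 unknown, len 9, "P_PROGRAM"
)

S7_ROSCTR_JOB = 0x01
S7_FUNC_PLC_STOP = 0x29        # labelled "PLC Stop" by the Wireshark s7comm dissector


@dataclass
class S7Job:
    pdu_ref: int
    function: int
    pi_service: Optional[bytes]


def parse_s7_job(pkt: bytes) -> Optional[S7Job]:
    """Decode TPKT / COTP DT / S7comm Job; None if the frame is not an S7 Job."""
    # TPKT: version 3, reserved byte, 16-bit length covering the whole frame.
    if len(pkt) < 4 or pkt[0] != 0x03:
        return None
    (tpkt_len,) = struct.unpack(">H", pkt[2:4])
    if tpkt_len != len(pkt):
        return None
    # COTP Data TPDU: length 2, PDU type 0xF0, TPDU number 0 with EOT bit set.
    if pkt[4:7] != b"\x02\xf0\x80":
        return None
    s7 = pkt[7:]
    # S7 header: proto id 0x32, ROSCTR, reserved(2), PDU ref(2), param len(2), data len(2).
    if len(s7) < 10 or s7[0] != 0x32 or s7[1] != S7_ROSCTR_JOB:
        return None
    pdu_ref, param_len, _data_len = struct.unpack(">HHH", s7[4:10])
    param = s7[10:10 + param_len]
    if len(param) != param_len or not param:
        return None
    function = param[0]
    pi_service = None
    if function == S7_FUNC_PLC_STOP and len(param) >= 7:
        # PLC Stop parameter: 5 unknown bytes, 1-byte service-name length, name.
        n = param[6]
        pi_service = param[7:7 + n]
    return S7Job(pdu_ref=pdu_ref, function=function, pi_service=pi_service)


def literal_match(pkt: bytes) -> bool:
    """Step 2 taken literally: the stored signature as a byte substring."""
    return PATENT_SIGNATURE in pkt


def structural_match(pkt: bytes) -> bool:
    """Same intent, keyed on decoded fields so the PDU reference does not matter."""
    job = parse_s7_job(pkt)
    return (job is not None and job.function == S7_FUNC_PLC_STOP
            and job.pi_service == b"P_PROGRAM")


def filter_packet(pkt: bytes) -> str:
    """Steps 3 and 4 for one frame through the inline device: 'drop' or 'pass'."""
    return "drop" if structural_match(pkt) else "pass"


# --- constructed sample frames (not captures) ---------------------------------
# The same PLC Stop request with PDU reference bytes 06 00 instead of 05 00.
_v = bytearray(PATENT_SIGNATURE)
_v[11:13] = b"\x06\x00"
STOP_OTHER_REF = bytes(_v)

# A benign Read Var job (function 0x04) reading 2 bytes of DB1 at byte 0.
READ_VAR = bytes.fromhex(
    "0300001f02f080"                   # TPKT (len 31) + COTP DT
    "320100000100000e0000"             # S7 Job, ref 01 00, param len 14, data len 0
    "0401120a10020002000184000000"     # ReadVar, 1 item: S7ANY, BYTE x2, DB1, addr 0
)

if __name__ == "__main__":
    for name, frame in (("patent", PATENT_SIGNATURE),
                        ("stop/ref6", STOP_OTHER_REF),
                        ("readvar", READ_VAR)):
        print(f"{name:10s} literal={literal_match(frame)!s:5s} "
              f"structural={structural_match(frame)!s:5s} -> {filter_packet(frame)}")
```

Run as a script it prints one line per frame; the patent's own bytes match both ways, the variant with another PDU reference matches only structurally, and the Read Var job passes in both. A production device would also have to reassemble TCP segments and track the COTP connection, which this single-frame example does not do.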
The above embodiment only expresses one implementation of the present invention, and although its description is fairly specific and detailed, it must not be interpreted as limiting the scope of the patent claims. It should be pointed out that a person of ordinary skill in the art can make variations and improvements without departing from the inventive concept, and these all fall within the scope of protection of the present invention. The scope of protection of the present patent is therefore determined by the appended claims.

Claims (4)

1. A method for preventing Stuxnet attacks, characterized by comprising the following steps:
Step 1: a security device is deployed in the network communication path, and a signature is stored in the security device;
Step 2: all packets passing through the security device are filtered, analyzed and compared with the signature;
Step 3: if a packet matches the signature, the packet is intercepted.
2. The method for preventing Stuxnet attacks according to claim 1, characterized by further comprising step 4: if a packet does not match the signature, the packet is allowed to pass.
3. The method for preventing Stuxnet attacks according to claim 1, characterized in that the security device is deployed in the network between the host computer and the PLC.
4. The method for preventing Stuxnet attacks according to claim 3, characterized in that the signature is specific information in the handshake packet that the host computer sends to the PLC.
CN201310552468.7A 2012-10-17 2013-10-16 Method for preventing Stuxnet attacks Pending CN103780602A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310552468.7A CN103780602A (en) 2012-10-17 2013-10-16 Method for preventing Stuxnet attacks

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201210394746.6 2012-10-17
CN201210394746 2012-10-17
CN201310552468.7A CN103780602A (en) 2012-10-17 2013-10-16 Method for preventing Stuxnet attacks

Publications (1)

Publication Number Publication Date
CN103780602A true CN103780602A (en) 2014-05-07

Family

ID=50572432

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310552468.7A Pending CN103780602A (en) 2012-10-17 2013-10-16 Method for preventing Stuxnet attacks

Country Status (1)

Country Link
CN (1) CN103780602A (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6850252B1 (en) * 1999-10-05 2005-02-01 Steven M. Hoffberg Intelligent electronic appliance system and method
US20060053491A1 (en) * 2004-03-01 2006-03-09 Invensys Systems, Inc. Process control methods and apparatus for intrusion detection, protection and network hardening
US20100005166A1 (en) * 2006-01-27 2010-01-07 Jong-Hoon Chung Network device
CN101296256A (en) * 2008-06-19 2008-10-29 中国电信股份有限公司 Method and system for implementing accurate information propelling by internet
CN101321163A (en) * 2008-07-03 2008-12-10 江苏华丽网络工程有限公司 Integrated hardware implementing method for multi-layer amalgamation and parallel processing network access equipment
CN101599976A (en) * 2009-07-10 2009-12-09 成都市华为赛门铁克科技有限公司 The method and apparatus of filtering user datagram protocol data packet
US20120198541A1 (en) * 2011-02-02 2012-08-02 Reeves Randall E Methods and apparatus for preventing network intrusion
CN102223267A (en) * 2011-06-17 2011-10-19 北京电子科技学院 IDS (intrusion detection system) detecting method and IDS detecting equipment

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
MARIUS CRISTEA: "Some Security Issues In SCALANCE Wireless Industrial Networks", IEEE *
RAHAT MASOOD et al.: "SWAM: Stuxnet Worm Analysis in Metasploit", IEEE *
华镕: "震网给工业控制敲响了警钟" (Stuxnet sounds the alarm for industrial control), 仪器仪表标准化与计量 (Instrument Standardization and Metrology) *
华镕: "预防新一代"震网"病毒" (Preventing the new generation of "Stuxnet" viruses), 仪器仪表标准化与计量 (Instrument Standardization and Metrology) *
李战宝, 潘卓: "透视"震网"病毒" (A look inside the "Stuxnet" virus), 次全国计算机安全学术交流会 (National Computer Security Academic Conference) *
王长兴: "信息时代工厂信息安全" (Factory information security in the information age), E-WORKS 数字化企业网 (e-works Digital Enterprise Network) *
繆学勤: "采用纵深防御策略,确保智能电网信息安全" (Adopting a defense-in-depth strategy to ensure smart-grid information security), 电气时代网 (Electric Age Net) *
蒲石 et al.: "震网病毒分析与防范" (Analysis and prevention of the Stuxnet virus), 技术研究 (Technical Research) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105022335A (en) * 2015-07-03 2015-11-04 北京科技大学 Method and device for filtering link command of PLC upper computer based on RS232 communication protocol
CN104993976A (en) * 2015-07-07 2015-10-21 北京科技大学 Method and system for evaluating PLC safety protection equipment
WO2017004867A1 (en) * 2015-07-07 2017-01-12 北京科技大学 Device testing and evaluation method and system for plc security protection
CN104993976B (en) * 2015-07-07 2018-07-13 北京科技大学 A kind of PLC safety protection equipments assessment method and system
CN112305986A (en) * 2020-10-23 2021-02-02 广州大学 PLC protection system, method and medium based on verification separation
CN112305986B (en) * 2020-10-23 2021-08-17 广州大学 PLC protection system, method and medium based on verification separation
CN114189395A (en) * 2022-02-15 2022-03-15 北京安帝科技有限公司 Method and device for acquiring risk detection packet of PLC (programmable logic controller) attack stop
CN114189395B (en) * 2022-02-15 2022-06-28 北京安帝科技有限公司 Method and device for acquiring risk detection packet of PLC (programmable logic controller) attack stop

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140507