CN105763392A - Industrial control protocol fuzzing test method based on protocol state - Google Patents


Info

Publication number: CN105763392A
Authority: CN (China)
Prior art keywords: protocol, industry control, message, test, control assembly
Legal status: Granted
Application number: CN201610094014.3A
Other languages: Chinese (zh)
Other versions: CN105763392B (en)
Inventors: 洪征, 吴礼发, 张亚丰, 田益凡, 赖海光, 李华波, 郑成辉, 黄康宇
Current assignee: PLA University of Science and Technology
Original assignee: PLA University of Science and Technology
Events: application filed by PLA University of Science and Technology; priority to CN201610094014.3A; publication of CN105763392A; application granted; publication of CN105763392B; legal status: active.

Classifications

    • H04L43/18 Protocol analysers (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L63/1433 Vulnerability analysis (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Maintenance And Management Of Digital Transmission (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an industrial control protocol fuzzing method based on protocol state. It comprises the steps of extracting a protocol state machine, building a message sequence library, guiding the protocol state, sending and storing test cases, monitoring for anomalies with heartbeat messages, and locating the test message that caused an anomaly. To address the high blindness and low efficiency of industrial control protocol fuzzing, test cases belonging to the current protocol state of an industrial control component are sent to the component on the basis of that state, which effectively extends fuzzing coverage and makes the test cases more targeted. Heartbeat-based anomaly monitoring is broadly applicable. In addition, the method for locating the test message that caused an anomaly can efficiently and accurately identify the single message or message sequence that causes an industrial control protocol anomaly, which facilitates the discovery and analysis of security vulnerabilities.

Description

An industrial control protocol fuzzing method based on protocol state
Technical field
The present invention relates to the field of industrial control protocols, and in particular to a method that, on the basis of an obtained industrial control protocol state machine, sends test messages according to protocol state to an industrial control component running an industrial control protocol entity program, in order to discover the security vulnerabilities present in that protocol entity program.
Background technology
An industrial control system (ICS) is an intelligent control system made up of computer equipment and industrial process control components. It is widely used in industries such as electric power, water treatment, oil and gas, chemicals, transportation and manufacturing. By automatically monitoring, commanding, controlling and adjusting industrial equipment such as machinery, vehicles, experimental apparatus and instruments, it keeps industrial facilities running normally and forms the brain and nerve centre of a country's critical infrastructure. Industrial control systems mainly include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC) and remote terminal units (RTU).
Traditional industrial control systems, because of their closed and specialised operating environment, emphasised functional completeness in their system design and paid little attention to system security, so their risk protection capability is weak. As the pace of the industrial revolution quickens, industrial control systems are moving from a relatively closed operating environment towards networked and information-based operation; the new generation of industrial control systems is progressively Ethernet-compatible and can connect to ERP systems and even the Internet.
The deep integration of industrialisation and informatisation in industrial control systems improves production efficiency but also exposes their weak points. Once they suffer a malicious attack, immeasurable economic loss may result, and even the safety and stability of society may be affected. Since 2010 many industrial control security incidents have occurred worldwide. The Stuxnet virus that attacked Iran's Bushehr nuclear power station in 2010 is regarded as the world's first network superweapon deployed in actual combat. The malicious Duqu worm, discovered in 2011, specifically attacks industrial control systems to collect intelligence. The Flame virus, discovered in 2012, is even more complex in design and more destructive, and may have remained hidden for as long as five years. In 2014 the Dragonfly group used the Havex virus to attack more than 1,000 energy enterprises in Europe and America.
As with ordinary computer networks and information systems, the core reason attackers can attack industrial control systems is that the software and hardware in the industrial control network or system contain exploitable security vulnerabilities. Security-testing the software and hardware of industrial control systems, discovering the vulnerabilities that may exist in them, and taking remedial measures before an attacker does is therefore of great significance for improving the security of industrial control systems.
Fuzz testing, also called fuzzing, uses large quantities of semi-valid data as input to a target program and finds potential security vulnerabilities by monitoring the anomalies the program exhibits. Knowledge-based fuzzing constructs test cases from knowledge of the file or protocol format; it is simple and efficient and is the main research direction of current fuzzing.
In an industrial control system, commands, control information and monitoring data are all transmitted between components through industrial control network protocols. Dedicated system components are responsible for parsing and processing these protocols; they contain the entity programs that parse the industrial control protocols, and their security directly affects the security of the industrial control system. Applying fuzzing to the vulnerability analysis of industrial control software and hardware is an important research direction in the industrial control security field.
At present, most existing research at home and abroad adapts fuzzing tools built for TCP/IP network protocols to the fuzzing of industrial control protocols. Devarajan of TippingPoint (USA) developed fuzzing modules for the industrial control protocols ICCP, Modbus and DNP3 specifically for Sulley. Roland Koch et al. of Augsburg University of Applied Sciences (Germany) developed ProFuzz on the basis of the Scapy fuzzer, specifically for fuzzing the Profinet protocol suite. Byres et al. of Wurldtech designed and implemented the BlackPeer test framework, tested the Modbus/TCP protocol stacks of two PLC devices, and successfully found more than 60 security vulnerabilities. Bratus et al. implemented a simple industrial control protocol fuzzer, LZFuzz, on the basis of the general-purpose fuzzer GPF.
At present, the application of fuzzing to industrial control systems has two main shortcomings. First, fuzzing coverage is low. Industrial control protocols are mostly session-oriented and have interaction states; if the protocol's interaction state is not taken into account during testing, the test is often confined to the initial stage of the protocol interaction. Moreover, a protocol message that does not match the protocol state is treated as an invalid message by the protocol entity and cannot trigger a vulnerability. Second, the test method and monitoring means are limited. Many vulnerabilities in industrial control systems are not caused by a single message but by a message sequence that progressively leads the protocol entity from some protocol state to the state in which the vulnerability is triggered, and existing monitoring methods have difficulty locating the message sequence that causes the vulnerability.
Summary of the invention
To address the problems in the prior art, the invention aims to provide an industrial control protocol fuzzing method based on protocol state. Because the fuzzing process does not take full account of protocol state, test efficiency is low; the method therefore describes the protocol state machine with an XML script and, on the basis of the state machine, uses the test case generation algorithm to guide the object under test through its states, so that the protocol entity program is put into the state that is to be tested and a higher fuzzing coverage is reached. A heartbeat-based monitoring method conveniently and effectively monitors the abnormal behaviour of the embedded industrial control device under test, and a message replay and backtracking judgement is used to accurately locate the message sequence that causes a security vulnerability.
To achieve the above objective, the technical solution adopted by the invention is as follows:
An industrial control protocol fuzzing method based on protocol state, comprising the following steps:
(1) Protocol state machine extraction: the protocol state machine extraction method of the open-source protocol reverse-analysis project Netzob is adopted. Its basic procedure is: starting from a sample set of protocol communication messages, the original sample set is continually expanded using request queries and response feedback; whether the inferred candidate protocol state machine is consistent with the true protocol state machine is judged, and the protocol state machine is output when the equivalence condition is met. After the state machine of the industrial control protocol under test is obtained, it is expressed as a script file written in XML.
(2) Construction of the message sequence library: on the basis of the protocol state machine, the normal interaction messages exchanged with the industrial control protocol entity program are collected and stored. It must be ensured that an industrial control protocol entity program in its initial state can be guided, by a series of normal interaction messages, to any industrial control protocol state in the protocol state machine; in other words, enough normal interaction messages are collected and stored in the message sequence library that the protocol entity can be guided from the initial state to any subsequent protocol state.
(3) Guidance of the protocol state: to increase the depth of testing and the coverage, every protocol state contained in the protocol state machine must be tested, so that the security vulnerabilities of the industrial control component in each protocol state are effectively found. During testing, the industrial control component must be guided by normal interaction messages to the particular industrial control protocol state that needs to be tested, and fuzzing is then performed on the component in that state.
(4) Sending and storage of test cases: after the industrial control protocol entity program has been guided to the state under test, industrial control protocol messages are mutated according to the fuzzing mutation knowledge, and the mutated messages are sent to the protocol entity program to perform the test. In addition, to ease subsequent analysis, the sent test cases are stored.
(5) Heartbeat-based anomaly monitoring: after each test case has been sent, a heartbeat message for probing whether the industrial control component is active is sent, the component under test is monitored, and it is judged whether the object under test is in a normal active state, so that protocol anomalies caused by the sent test case are found in time.
(6) Locating the test message that caused the anomaly: an anomaly in industrial control protocol processing may be caused by a single message or by a message sequence. To accurately locate the test message that caused the anomaly, the test end must store the recently sent test messages. When an anomaly occurs, the industrial control component under test is reset to its normal operating state and the stored messages are replayed in a backtracking manner to determine the message or message sequence that caused the anomaly.
The workflow of the message sequence library construction stage in step (2) above is as follows: on the basis of the protocol state machine, network monitoring is used to collect message information. Each industrial control protocol state generally requires a series of message interactions to reach. Network monitoring captures the message interaction sequence from the initial state of the industrial control protocol to each specific protocol state, and the interaction sequences and the protocol states they reach are stored together in the message sequence library.
The workflow of the protocol state guidance stage in step (3) is as follows: to make it easy to put the industrial control component into different protocol states for fuzzing, protocol state guidance must be performed. For any selected protocol state, the industrial control component is first set to its initial state; then, according to the information in the message sequence library, messages are sent to the component, and through a series of message interactions the component reaches the specified state under test, i.e. the industrial control protocol state that needs to be tested.
The workflow of the test case sending and storage stage in step (4) is as follows: after the industrial control component has been guided to the state under test, the normal network messages belonging to that protocol state are mutated to generate test cases. Message mutation is performed according to the fuzzing mutation knowledge: data of string type are replaced with over-long (or ultra-short) strings and format strings; numeric types are replaced with values such as 0xff+1 and 0xffff that can trigger integer overflow vulnerabilities. After the test cases are generated, the test end sends them to the industrial control component under test to trigger anomalies there. At the same time, because the recently sent test cases need to be analysed when an anomaly is triggered, the sent test cases are stored in a first-in-first-out queue.
The workflow of the heartbeat-based anomaly monitoring stage in step (5) is as follows: during fuzzing, anomalies of the object under test must be found in time so that they can be analysed and handled in a targeted way. Because industrial control components such as PLCs and RTUs are embedded systems whose computing capability and storage resources are strictly limited, it is difficult to install third-party debugging tools on them to monitor anomalous events, or to record anomaly information in logs. Considering that embedded industrial control modules often stop responding because they cannot correctly process an anomalous message, a heartbeat-based anomaly monitoring method can be adopted. A heartbeat message is a probe message sent to the device under test to judge whether it is in an active state. During fuzzing, each time a test message is sent to the device under test, a heartbeat message is sent to it after a set short interval, and whether the device is active is judged by whether it returns the expected response message. If a response message is received, the device is considered free of anomalies; if no response is received, the test case is considered to have triggered an anomaly on the device.
The workflow of the stage in step (6) for locating the test message that caused the anomaly is as follows: during fuzzing, if the device under test is found to be anomalous, testing must stop and it must be determined which message or which message sequence caused the anomaly. To ease analysis, the test end stores the recently sent test messages and at the same time records the industrial control protocol state most recently tested. When an anomaly occurs, the industrial control component under test is first reset according to the most recently tested protocol state; it is then guided to that protocol state by normal message interaction according to the message sequence library, and the backtracking judgement starts. First the most recently sent test message is sent and the component is observed for anomalies. If none occurs, the component is reset to its normal operating state, the two most recently sent test messages are sent in order, and the component is observed again. If still no anomaly occurs, the component's state is reset again and the three most recently sent test messages are sent in order, and so on, until the message sequence that causes the anomaly is determined.
The technical solution shows that the beneficial effect of the invention is that fuzzing the industrial control component according to protocol state reduces the blindness of testing, extends test coverage, and avoids invalid test cases caused by state mismatch, thereby improving test efficiency. In addition, the method can effectively find anomalies of the industrial control component during testing and accurately locate the test message or message sequence that triggered them, which facilitates the discovery and analysis of security vulnerabilities.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the overall implementation of the invention.
Fig. 2 is an example, in XML format, of the description of the Modbus/TCP industrial control protocol state machine in the invention.
Detailed description of the invention
To better understand the technical content of the invention, specific embodiments are given below with reference to the accompanying drawings.
As shown in Fig. 1, the preferred embodiment of the invention, based on the active protocol state machine inference method using protocol knowledge, comprises the following steps:
(1) Protocol state machine extraction: a protocol state machine extraction method from the field of protocol reverse engineering is used to obtain the state machine of the industrial control protocol under test, and the state machine is described in the form of an XML script.
(2) Construction of the message sequence library: the message sequence library serves to guide the protocol entity program from its initial state to any specified protocol state. To build it, network monitoring is used to collect the normal interaction messages between protocol entities, ensuring that the industrial control component acting as the protocol entity program, when in its initial state, can be brought to any protocol state in the state machine by a series of interaction messages.
(3) Guidance of the protocol state: according to the message sequence library, the industrial control component is guided by normal interaction messages to the protocol state in which it needs to be tested, as the basis for fuzzing.
(4) Sending and storage of test cases: on the basis of the fuzzing mutation knowledge, the protocol messages belonging to a specific protocol state are mutated to produce test cases. The test cases are then sent to the industrial control component under test. To ease analysis of the relationship between test cases and program anomalies, the sent test cases are stored.
(5) Heartbeat-based anomaly monitoring: after each test case has been sent, a heartbeat message is sent to probe and monitor the industrial control component under test. If the component is in a normal active state it returns a response message; if it is anomalous it does not respond. Probing with heartbeat messages therefore finds in time the protocol anomalies caused by sending test cases.
(6) Locating the test message that caused the anomaly: once the industrial control component is found to have produced an anomaly while processing test cases, the test message that caused it must be located. The component under test is first reset to its normal operating state, and the stored messages are then replayed in a backtracking manner to determine the message or message sequence that caused the anomaly.
With reference to the overall implementation flow shown in Fig. 1, the protocol state machine inference method of this embodiment mainly comprises six parts: protocol state machine extraction, construction of the message sequence library, guidance of the protocol state, sending and storage of test cases, heartbeat-based anomaly monitoring, and locating the test message that caused the anomaly. Each is described separately below.
(1) Protocol state machine extraction
The embodiment of the invention first collects the input and output messages that the industrial control component, acting as the industrial control protocol entity program, produces during network communication, and then obtains the protocol state machine using the protocol state machine extraction method of the open-source protocol reverse-analysis project Netzob (www.netzob.org).
Protocol state machine extraction first requires inferring the concrete format of the communication messages; on that basis, network communication behaviour is abstracted in units of sessions. A session represents a complete data exchange between communication participants and reflects the transitions of the protocol state during communication. From a large number of industrial control protocol session samples, Netzob's active protocol state machine inference method is used to infer the protocol state machine of the target industrial control protocol.
The generated protocol state machine is described with a dedicated XML script. For the Modbus/TCP industrial control protocol, the description script StateMachine.xml of its state machine is shown in Fig. 2. In the protocol state machine description script, <SCADA-Fuzz> is the root element of the script; its type attribute identifies the script type, and type="StateMachine" indicates that the script describes a protocol state machine. The name attribute of the <StateMachine> element defines the state machine name. The <StateMachine> element contains child elements <State>, which describe state nodes, and <Trans>, which describe state transitions. The name attribute of a <State> element defines the name of the state node. A <Trans> element has the attributes name, from and to: name is the name of the state transition edge, from is the current state of the protocol entity, and to is the state the protocol entity moves to after performing the <Action>. The <Action> element represents the action executed during the state transition, and its name attribute gives the action name. Each <Action> corresponds to the sending or receiving of one test message. The <Message> element represents the descriptive model of a protocol message, and its ref attribute indicates the referenced message type.
(2) structure in sequence of message storehouse
To fuzz the industrial control component running the protocol entity program efficiently according to protocol state, a message sequence library must be built. The library records the normal interaction messages between protocol entities. The information in it ensures that the protocol entity program can reach any protocol state in the state machine from its initial state through a series of interaction messages.
The message sequence library is built by network monitoring. In this process, the network communication of the industrial control protocol is monitored and, according to the known protocol state machine information, the protocol state the component under test is currently in is determined. When a new protocol state m is reached, all the interaction messages from the initial state to that state are recorded in the library, forming the guidance record from the initial state to protocol state m. After the guidance information for one protocol state has been recorded, the component under test is reset to its initial state and a new round of interaction begins, and so on, until the library holds a record for guiding the component from the initial state to every other protocol state.
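The XML script format described under (1) and the monitoring-based library construction described under (2), as an added example in Python (not the patent's code and not Netzob's). The script shape follows the description above; the state names, message refs and the captured sessions are constructed for the example, and the first <State> is assumed to be the initial state because the description does not mark one explicitly.

```python
"""Added example (not the patent's or Netzob's code): parse a StateMachine.xml
script of the described shape and derive a message sequence library from
monitored sessions. XML content, state names, message refs and session
captures are constructed; only the element/attribute layout follows the text."""
import xml.etree.ElementTree as ET

# Constructed state-machine script in the described format. State and
# transition names are hypothetical, not taken from the patent's Fig. 2.
STATE_MACHINE_XML = """<SCADA-Fuzz type="StateMachine">
  <StateMachine name="ModbusTCP">
    <State name="Init"/>
    <State name="Connected"/>
    <State name="Reading"/>
    <State name="Writing"/>
    <Trans name="t_connect" from="Init" to="Connected">
      <Action name="send"><Message ref="tcp_connect"/></Action>
    </Trans>
    <Trans name="t_read" from="Connected" to="Reading">
      <Action name="send"><Message ref="read_holding_regs"/></Action>
    </Trans>
    <Trans name="t_read_rsp" from="Reading" to="Connected">
      <Action name="recv"><Message ref="read_holding_regs_rsp"/></Action>
    </Trans>
    <Trans name="t_write" from="Connected" to="Writing">
      <Action name="send"><Message ref="write_single_reg"/></Action>
    </Trans>
    <Trans name="t_write_rsp" from="Writing" to="Connected">
      <Action name="recv"><Message ref="write_single_reg_rsp"/></Action>
    </Trans>
  </StateMachine>
</SCADA-Fuzz>"""

# Constructed captures from network monitoring: each session starts with the
# component in the initial state and lists the message refs seen, in order.
MONITORED_SESSIONS = [
    ["tcp_connect", "read_holding_regs", "read_holding_regs_rsp"],
    ["tcp_connect", "write_single_reg", "write_single_reg_rsp"],
]


def parse_state_machine(xml_text):
    """Return the machine name, its state list, the initial state and a
    transition table {(from_state, message_ref): to_state}. The first
    <State> is taken as the initial state (an assumption)."""
    root = ET.fromstring(xml_text)
    if root.tag != "SCADA-Fuzz" or root.get("type") != "StateMachine":
        raise ValueError("root element is not a StateMachine script")
    sm = root.find("StateMachine")
    states = [s.get("name") for s in sm.findall("State")]
    transitions = {}
    for tr in sm.findall("Trans"):
        src, dst = tr.get("from"), tr.get("to")
        if src not in states or dst not in states:
            raise ValueError(f"transition {tr.get('name')} uses an unknown state")
        ref = tr.find("Action").find("Message").get("ref")
        transitions[(src, ref)] = dst
    return {"name": sm.get("name"), "states": states,
            "initial": states[0], "transitions": transitions}


def build_sequence_library(machine, sessions):
    """Follow each monitored session through the state machine; the first
    time a state is reached, store the message sequence that led there
    (the guidance record from the initial state to that state)."""
    library = {machine["initial"]: []}
    for session in sessions:
        state, path = machine["initial"], []
        for ref in session:
            nxt = machine["transitions"].get((state, ref))
            if nxt is None:
                break          # message does not match the current state
            path.append(ref)
            state = nxt
            library.setdefault(state, list(path))
    return library


def uncovered_states(machine, library):
    """States without a guidance record: further monitoring rounds needed."""
    return [s for s in machine["states"] if s not in library]


def guidance_for(library, target):
    """Step (3): the messages to send, after a reset, to reach `target`."""
    if target not in library:
        raise KeyError(f"no guidance record for state {target!r}")
    return list(library[target])
```

`uncovered_states` is the stopping condition of the monitoring loop: while it returns anything, the component is reset and another round of interaction is captured; once it is empty the library can guide the component from the initial state to every state in the machine.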
(3) guiding of protocol status
Fuzzing of industrial control protocols should be carried out according to protocol state, which ensures that the test cases cover every protocol state and that the security vulnerabilities present in each state are fully explored.
Protocol state guidance is carried out according to the message sequence library. The industrial control component is first reset to its initial state; the target protocol state to be reached is then located in the library, and the messages of the stored sequence are sent to the component in order, guiding it to the target protocol state.
(4) transmission of test case and storage
To fuzz an industrial control component running an industrial control protocol entity program, test cases must be generated efficiently. The method of this embodiment mutates existing messages. Mutation follows the fuzzing mutation knowledge: for example, string-type data are replaced by over-long or ultra-short strings and by format strings (adding format strings such as %d, %x and %s to the string); numeric types are replaced by values such as 0xff+1 and 0xffff that can trigger integer overflow vulnerabilities; binary-type fields with no general semantics are mutated by bit flipping, i.e. randomly selecting some bit positions in the data and flipping them (0 to 1 or 1 to 0), and also by deleting the field, increasing the fill length, filling with other character sets, and so on.
Test cases are closely tied to protocol state: most message types are only accepted and processed by the protocol program in a specific protocol state. Test cases must therefore be generated and sent according to protocol state; specifically, the industrial control component is first guided to a specific protocol state, and then the test cases belonging to that state are sent.
The purpose of a test case is to trigger an anomaly in the program, but once an anomaly has been triggered it is even more important to locate the test case or test case sequence that caused it. To analyse the relationship between test cases and program anomalies, the sent test cases are stored so that they can subsequently be verified by replay.
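The mutation rules of this section, as an added example in Python (not the patent's code): a deterministic test-case generator that applies the listed string, integer and binary mutations to a typed message. The message layout is a constructed, simplified stand-in for a Modbus/TCP request rather than the real PDU encoding, the overflow values beyond 0xff+1 and 0xffff are assumed additions, and the encoder's handling of over-wide integers is an assumption of the example.

```python
"""Added example (not the patent's code): deterministic test-case generation
from the mutation rules in the description. The field layout is a
constructed, simplified stand-in for a Modbus/TCP request."""
import random

FORMAT_STRINGS = ["%d", "%x", "%s"]
OVERFLOW_INTS = [0xff + 1, 0xffff, 0xffff + 1, 0xffffffff]   # last two assumed


def mutate_string(value):
    """Over-long and ultra-short substitutes, format strings added to the
    value, and a fill from another character set (Latin-1 0xFF here)."""
    variants = [value * 256, "A" * 4096, "", value[:1]]
    variants += [value + f for f in FORMAT_STRINGS]
    variants.append("".join(FORMAT_STRINGS) * 8)
    variants.append("\u00ff" * max(len(value), 1))
    return variants


def mutate_int(value, width):
    """Boundary and overflow values for an unsigned field of `width` bytes."""
    limit = 1 << (8 * width)
    return sorted({0, 1, limit - 1, limit, value ^ (limit - 1), *OVERFLOW_INTS})


def mutate_binary(data, rng, flips=3):
    """Bit flips at random positions (0->1 or 1->0), deletion to an empty
    field, changed fill length, and a fill from another byte set."""
    variants = []
    for _ in range(flips if data else 0):
        buf = bytearray(data)
        pos = rng.randrange(len(buf) * 8)
        buf[pos // 8] ^= 1 << (pos % 8)
        variants.append(bytes(buf))
    variants += [b"", data * 64, data[: len(data) // 2], b"\xff" * len(data)]
    return variants


def generate_test_cases(message, seed=0):
    """One mutated copy of `message` per (field, variant), plus one copy with
    the field deleted. `message` is an ordered list of field dicts with
    name/type/value (and width for ints)."""
    rng = random.Random(seed)        # seeded so a run can be reproduced
    cases = []
    for i, field in enumerate(message):
        if field["type"] == "string":
            variants = mutate_string(field["value"])
        elif field["type"] == "int":
            variants = mutate_int(field["value"], field["width"])
        else:
            variants = mutate_binary(field["value"], rng)
        for v in variants:
            mutated = [dict(f) for f in message]
            mutated[i]["value"] = v
            cases.append(mutated)
        cases.append(message[:i] + message[i + 1:])   # field deletion
    return cases


def encode(message):
    """Serialise a case to bytes. An integer that exceeds its field width is
    written at the width it needs (an assumption), so the overflow value
    also changes the message length the receiver has to handle."""
    out = bytearray()
    for f in message:
        v = f["value"]
        if f["type"] == "int":
            out += v.to_bytes(max(f["width"], (v.bit_length() + 7) // 8), "big")
        elif f["type"] == "string":
            out += v.encode("utf-8")
        else:
            out += v
    return bytes(out)


# Constructed message (hypothetical layout, simplified for the example).
READ_REQUEST = [
    {"name": "unit_id", "type": "int", "width": 1, "value": 1},
    {"name": "function", "type": "int", "width": 1, "value": 3},
    {"name": "start_addr", "type": "int", "width": 2, "value": 0},
    {"name": "quantity", "type": "int", "width": 2, "value": 10},
    {"name": "tag", "type": "string", "value": "PUMP1"},
    {"name": "pad", "type": "binary", "value": b"\x00\x00\x00\x00"},
]


def field_values(cases, name):
    """All values a named field takes across the generated cases."""
    return [f["value"] for c in cases for f in c if f["name"] == name]
```

Each generated case changes exactly one field, so when a case later triggers an anomaly the responsible mutation is known; the fixed seed makes the random bit flips reproducible, which the replay step depends on.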
(5) based on the exception monitoring of heart beating
At industrial control field, the industry control assembly such as PLC, RTU belongs to embedded system, computing capability and storage resource and is subject to strict restriction, it is difficult to monitors anomalous event by third party's debugging acid or utilizes daily record to carry out recording exceptional information.But the built-in modules such as PLC, RTU have such a feature in test process, they are often due to cannot correctly process fuzz testing message and cannot respond to external message, it is necessary to restarting equipment could continue test.In consideration of it, the present invention adopts the method for monitoring abnormality based on heart beating, monitor whether tested industry control assembly is in normal active state.
So-called heartbeat message, the probe messages sent to equipment under test referred to, it is judged that to whether equipment under test is in active state.In the embodiment of the present invention, in fuzz testing process, often send a test packet to equipment under test, just after the time set, send heartbeat message to equipment under test, whether beam back intended response message to judge whether equipment under test is in active state according to equipment under test.If the response message received, it is believed that exception does not occur in equipment;Without receiving response, then it is assumed that test case triggers exception in equipment end, test process will be suspended, and analyze which test case or which test case sequence triggers program exception.
(7) Locating the test packet that caused the exception
During fuzzing, if the device under test is found to be abnormal, testing must stop and it must be determined which message or which message sequence caused the exception. For this analysis, the embodiment of the present invention stores the 10 most recently sent test packets on the test side and at the same time records the protocol state the industrial control component was in during testing.
When the industrial control component under test is found to be abnormal, it is first reset to its initial state. Then, according to the protocol state it was in during testing and based on the message sequence library, normal message interaction is used to guide the component back to the protocol state most recently under test, and backtracking judgment begins.
In the judgment process, the most recently sent test packet is sent first, and the module under test is observed for an exception. If no exception occurs, the component under test is reset to its normal operating state, the two most recently sent test packets are sent in order, and the module is again observed for an exception. If none occurs, the component's state is reset again and the three most recently sent test packets are sent in order. This continues in the same way until the message sequence causing the exception is determined.
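The heartbeat check of (5) and the backtracking replay of (7), as an added example that is not part of the patent: the device under test is a constructed simulator standing in for a PLC or RTU, the protocol is a toy request/response protocol, and the fault is a constructed two-message condition that replaying only the last packet cannot reproduce.

```python
"""Added example (not the patent's code): heartbeat-based exception
monitoring plus backtracking localization of the culprit test packets.
Device, protocol and fault are all constructed for illustration."""
from collections import deque
from typing import Deque, Dict, List, Optional

RECENT_WINDOW = 10  # the embodiment keeps the 10 most recently sent packets


class SimulatedDevice:
    """Constructed stand-in for an industrial control component.

    States: INIT -> CONNECTED -> SESSION. The device hangs (answers nothing,
    heartbeats included) once it processes, within one session, a WRITE whose
    payload exceeds 64 bytes followed by a READ.
    """

    def __init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        """Power-cycle: back to the initial protocol state, no longer hung."""
        self.state = "INIT"
        self.hung = False
        self.oversized_write_pending = False

    def send(self, msg: bytes) -> Optional[bytes]:
        """Deliver one message; None models 'no response' (device hung)."""
        if self.hung:
            return None
        cmd, _, payload = msg.partition(b":")
        if cmd == b"HEARTBEAT":
            return b"ALIVE"
        if self.state == "INIT" and cmd == b"CONNECT":
            self.state = "CONNECTED"
            return b"OK"
        if self.state == "CONNECTED" and cmd == b"LOGIN":
            self.state = "SESSION"
            return b"OK"
        if self.state == "SESSION" and cmd == b"WRITE":
            self.oversized_write_pending = len(payload) > 64
            return b"OK"
        if self.state == "SESSION" and cmd == b"READ":
            if self.oversized_write_pending:
                self.hung = True  # the constructed fault
                return None
            return b"DATA"
        return b"ERR"  # message type not accepted in the current state


# Message sequence library (constructed): normal interactions guiding the
# device from INIT to each protocol state.
SEQUENCE_LIBRARY: Dict[str, List[bytes]] = {
    "INIT": [],
    "CONNECTED": [b"CONNECT:"],
    "SESSION": [b"CONNECT:", b"LOGIN:operator"],
}


def guide_to_state(dev: SimulatedDevice, state: str) -> None:
    """Reset the device and replay the library sequence for `state`."""
    dev.reset()
    for msg in SEQUENCE_LIBRARY[state]:
        if dev.send(msg) != b"OK":
            raise RuntimeError(f"guidance to {state} failed at {msg!r}")


def heartbeat_alive(dev: SimulatedDevice) -> bool:
    """Probe the device. The configured wait before probing is omitted
    because the simulator answers synchronously."""
    return dev.send(b"HEARTBEAT:") == b"ALIVE"


class StatefulFuzzer:
    def __init__(self, dev: SimulatedDevice) -> None:
        self.dev = dev
        # FIFO of recently sent test packets, oldest first.
        self.recent: Deque[bytes] = deque(maxlen=RECENT_WINDOW)
        self.state_under_test = "INIT"

    def fuzz(self, state: str, cases: List[bytes]) -> Optional[List[bytes]]:
        """Send `cases` in protocol `state`, heartbeating after each one.
        On the first missed heartbeat, stop and return the localized culprit
        sequence; return None if every case was survived."""
        self.state_under_test = state
        self.recent.clear()
        guide_to_state(self.dev, state)
        for case in cases:
            self.dev.send(case)
            self.recent.append(case)
            if not heartbeat_alive(self.dev):
                return self.localize()
        return None

    def localize(self) -> List[bytes]:
        """Backtracking: replay the 1, 2, 3, ... most recent packets, in their
        original order, on a reset and re-guided device until the anomaly
        reproduces."""
        recent = list(self.recent)
        for n in range(1, len(recent) + 1):
            candidate = recent[-n:]
            guide_to_state(self.dev, self.state_under_test)
            for msg in candidate:
                self.dev.send(msg)
            if not heartbeat_alive(self.dev):
                return candidate
        raise RuntimeError("anomaly not reproducible from the stored packets")
```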
As the technical solution above shows, the protocol-state-based industrial control protocol fuzzing method of the present invention describes the protocol state machine of the industrial control protocol with an XML script, builds a message sequence library that records the normal communication messages guiding the protocol entity program from its initial state to each of the other protocol states, and on this basis fuzzes the industrial control component according to protocol state. The heartbeat-based exception monitoring method of the present invention requires no debugging tool to be installed on the tested side, is suited to use on embedded systems, and fits the application scenarios of industrial control systems. During testing, once an exception in the industrial control component has been triggered, message replay can effectively locate the test packet or test packet sequence that caused it, providing a basis for exception analysis. Using the method requires access to an industrial control component running the protocol entity program, so that the component can be run as needed, sent messages, and its responses observed; this is the basis of industrial control protocol fuzzing.
In summary, the protocol-state-based industrial control protocol fuzzing method of the present invention sends to the industrial control component the test cases belonging to the protocol state the component is currently in, which effectively extends fuzzing coverage and makes test cases more targeted. Secondly, industrial control components vary widely; the heartbeat-based exception monitoring method of the present invention is broadly applicable and can be used to monitor exceptions in all kinds of industrial control components. In addition, the method of the present invention for locating the test packet that causes an exception can efficiently and accurately locate the single message or message sequence that causes an industrial control protocol exception, facilitating the discovery and analysis of security vulnerabilities.
Although the present invention has been disclosed above by way of preferred embodiments, these do not limit the present invention. Persons of ordinary skill in the technical field of the present invention may make various modifications and variations without departing from its spirit and scope. The scope of protection of the present invention is therefore as defined by the claims.

Claims (6)

1. An industrial control protocol fuzzing method based on protocol state, characterized in that it comprises the following steps:
(1) Protocol state machine extraction: a protocol state machine extraction method is adopted, namely that of the open-source protocol reverse-engineering project Netzob. Its basic procedure is: starting from a sample set of protocol communication messages, the original sample set is continually expanded by sending request queries and receiving response feedback; it is judged whether the inferred candidate protocol state machine is consistent with the true protocol state machine, and the protocol state machine is output when the equivalence condition is met. After the protocol state machine of the industrial control protocol under test has been obtained, it is expressed as a script file described in the XML language;
(2) Construction of the message sequence library: based on the protocol state machine, the normal interaction messages exchanged with the industrial control protocol entity program are collected and stored. It is ensured that an industrial control protocol entity program in its initial state can be guided, by a series of normal interaction messages, to any industrial control protocol state in the protocol state machine; in other words, enough normal interaction messages are collected and stored in the message sequence library to guide the protocol entity from the initial state to any subsequent protocol state;
(3) Protocol state guidance: to increase the depth and coverage of testing, every protocol state contained in the protocol state machine must be tested, so that the security vulnerabilities present when the industrial control component is in different protocol states are found effectively. During testing, the industrial control component must be guided by normal interaction messages to the industrial control protocol state that needs testing, and fuzzing is then applied to the component in that state;
(4) Sending and storing test cases: after the industrial control protocol entity program has been guided to the state under test, industrial control protocol messages are mutated according to the packet mutation knowledge of fuzzing, and the mutated messages are sent to the protocol entity program to carry out the test. In addition, the sent test cases are stored to facilitate subsequent analysis;
(5) Heartbeat-based exception monitoring: after a test case has been sent, a heartbeat message is sent to detect whether the industrial control component is active; the component under test is monitored to judge whether it is in its normal active state, so that protocol exceptions caused by the sent test cases are discovered in time;
(6) Locating the test packet that caused the exception: an industrial control protocol processing exception may be caused by a single message or by a message sequence. To accurately locate the test packet that caused the exception, recently sent test packets must be stored on the test side. When an exception occurs, the industrial control component under test is reset to its normal operating state and the stored messages are replayed by backtracking to determine the message or message sequence that caused the exception.
2. The industrial control protocol fuzzing method based on protocol state according to claim 1, characterized in that the workflow of the message sequence library construction stage in step (2) is as follows: based on the protocol state machine, network monitoring technology is used to collect message information. Each industrial control protocol state can generally be reached only through a series of message interactions. Using network monitoring, the message interaction sequence from the initial state of the industrial control protocol to each specific protocol state is captured, and each message interaction sequence, together with the protocol state it reaches, is stored in the message sequence library.
3. The industrial control protocol fuzzing method based on protocol state according to claim 1, characterized in that the workflow of the protocol state guidance stage in step (3) is as follows: to set the industrial control component to different protocol states for fuzzing, protocol state guidance is required. For any selected protocol state, the industrial control component is first set to its initial state; then, according to the information in the message sequence library, messages are sent to the component so that through a series of message interactions it reaches the specified state under test, namely the industrial control protocol state that needs testing.
4. The industrial control protocol fuzzing method based on protocol state according to claim 1, characterized in that the workflow of the test case sending and storage stage in step (4) is as follows: after the industrial control component has been guided to the state under test, the normal network messages belonging to that protocol state are mutated to generate test cases. Message mutation is carried out according to the mutation knowledge of fuzzing: string-type data are replaced with overlong (or ultrashort) strings and format strings, and numeric-type data are replaced with values such as 0xff+1 and 0xffff that can trigger integer overflow vulnerabilities. After the test cases have been generated, the test side sends them to the industrial control component under test in order to trigger exceptions on the tested side. At the same time, because the recently sent test cases must be analyzed when an exception is triggered, the sent test cases are stored in a first-in-first-out queue.
5. The industrial control protocol fuzzing method based on protocol state according to claim 1, characterized in that the workflow of the heartbeat-based exception monitoring stage in step (5) is as follows: during fuzzing, exceptions in the object under test must be discovered in time so that targeted analysis and handling can follow. Because industrial control components such as PLCs and RTUs are embedded systems whose computing power and storage are strictly limited, it is difficult to install third-party debugging tools on them to monitor abnormal events or to record exception information in logs. Since industrial control embedded modules often fail to process an exceptional message correctly, so that components such as PLCs and RTUs stop responding, a heartbeat-based exception monitoring method can be adopted. A heartbeat message is a probe message sent to the device under test in order to judge whether it is active. During fuzzing, each time a test packet is sent to the device under test, a heartbeat message is sent to it after a short configured interval, and whether the device is active is judged by whether it returns the expected response message. If a response message is received, the device is considered not to have experienced an exception; if no response is received, the test case is considered to have triggered an exception on the device side.
6. The industrial control protocol fuzzing method based on protocol state according to claim 1, characterized in that the workflow of the stage of locating the test packet that caused the exception in step (6) is as follows: during fuzzing, if the device under test is found to be abnormal, testing must stop and it must be determined which message or which message sequence caused the exception. To facilitate analysis, recently sent test packets are stored on the test side, and the industrial control protocol state most recently under test is recorded. When an exception occurs, the industrial control component under test is first reset according to the industrial control protocol state most recently tested; then, based on the message sequence library, normal message interaction guides the component to the protocol state most recently tested, and backtracking judgment begins. The most recently sent test packet is sent first and the component under test is observed for an exception; if none occurs, the component is reset to its normal operating state, the two most recently sent test packets are sent in order, and the component is again observed for an exception; if none occurs, the component's state is reset again and the three most recently sent test packets are sent in order; and so on, until the message sequence causing the exception is determined.
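Steps (1) to (4) of claim 1 (XML state machine script, message sequence library, state guidance and test case generation), as an added example that is not the patent's own code; the XML schema, the toy protocol, the message templates and the mutation table are all constructed, since the patent does not publish its script format.

```python
"""Added example (not the patent's code): load a protocol state machine from
an XML script, build the message sequence library that guides a protocol
entity from its initial state to every other state, and derive per-state
test cases by mutating only the requests each state accepts."""
import xml.etree.ElementTree as ET
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed XML script: declared states plus request/response transitions.
STATE_MACHINE_XML = """
<protocol name="toy-ics" initial="INIT">
  <state name="INIT"/>
  <state name="CONNECTED"/>
  <state name="SESSION"/>
  <transition from="INIT" to="CONNECTED" request="CONNECT" response="OK"/>
  <transition from="CONNECTED" to="SESSION" request="LOGIN" response="OK"/>
  <transition from="SESSION" to="SESSION" request="WRITE" response="OK"/>
  <transition from="SESSION" to="SESSION" request="READ" response="DATA"/>
  <transition from="SESSION" to="INIT" request="LOGOUT" response="OK"/>
</protocol>
"""

Transition = Tuple[str, str, str, str]  # (from, to, request, expected response)
Step = Tuple[str, str]                  # (request, expected response)


def load_state_machine(xml_text: str) -> Tuple[str, Set[str], List[Transition]]:
    """Parse the script and reject transitions that use undeclared states."""
    root = ET.fromstring(xml_text.strip())
    initial = root.get("initial")
    states = {s.get("name") for s in root.findall("state")}
    transitions = [
        (t.get("from"), t.get("to"), t.get("request"), t.get("response"))
        for t in root.findall("transition")
    ]
    if initial not in states:
        raise ValueError(f"initial state {initial!r} is not declared")
    for src, dst, _, _ in transitions:
        if src not in states or dst not in states:
            raise ValueError(f"transition {src}->{dst} uses an undeclared state")
    return initial, states, transitions


def build_sequence_library(initial, states, transitions) -> Dict[str, List[Step]]:
    """Breadth-first search: the shortest normal request sequence reaching
    each state from the initial state (the message sequence library)."""
    library: Dict[str, List[Step]] = {initial: []}
    queue = deque([initial])
    while queue:
        cur = queue.popleft()
        for src, dst, req, resp in transitions:
            if src == cur and dst not in library:
                library[dst] = library[cur] + [(req, resp)]
                queue.append(dst)
    unreachable = states - set(library)
    if unreachable:  # a state no normal sequence reaches cannot be tested
        raise ValueError(f"unreachable states: {sorted(unreachable)}")
    return library


def accepted_requests(state: str, transitions: List[Transition]) -> List[str]:
    """Request types the protocol accepts in `state`; other types are
    rejected before parsing, so mutating them there is wasted effort."""
    return sorted({req for src, _, req, _ in transitions if src == state})


# Constructed message templates: request type -> normal field values.
TEMPLATES: Dict[str, Dict[str, object]] = {
    "CONNECT": {"unit": 1},
    "LOGIN": {"user": "operator"},
    "WRITE": {"addr": 100, "value": 7},
    "READ": {"addr": 100},
    "LOGOUT": {},
}
# Mutation knowledge as claim 4 describes it: boundary integers that may
# trigger integer overflows, and overlong / ultrashort / format strings.
INT_MUTANTS = [0xFF + 1, 0xFFFF, 0xFFFF + 1]
STR_MUTANTS = ["A" * 4096, "", "%s%s%s%s"]


def mutate(template: Dict[str, object]) -> List[Dict[str, object]]:
    """One test case per (field, mutant) pair; the other fields stay normal."""
    cases = []
    for field, value in template.items():
        mutants = INT_MUTANTS if isinstance(value, int) else STR_MUTANTS
        for m in mutants:
            case = dict(template)
            case[field] = m
            cases.append(case)
    return cases


def build_test_plan(xml_text: str) -> Dict[str, dict]:
    """For every state: the guiding sequence to reach it and the mutated
    test cases to send once the device is there."""
    initial, states, transitions = load_state_machine(xml_text)
    library = build_sequence_library(initial, states, transitions)
    plan = {}
    for state in sorted(states):
        cases = [(req, fields)
                 for req in accepted_requests(state, transitions)
                 for fields in mutate(TEMPLATES[req])]
        plan[state] = {"guide": library[state], "cases": cases}
    return plan
```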
CN201610094014.3A 2016-02-19 2016-02-19 An industrial control protocol fuzzing method based on protocol state Active CN105763392B (en)

Publications (2)

Publication Number Publication Date
CN105763392A true CN105763392A (en) 2016-07-13
CN105763392B CN105763392B (en) 2019-03-08

Family

ID=56330488


Country Status (1)

Country Link
CN (1) CN105763392B (en)

Cited By (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106647612A (en) * 2017-02-17 2017-05-10 上海云剑信息技术有限公司 PLC vulnerability discovery method based on state relational map
CN106656564A (en) * 2016-11-11 2017-05-10 北京匡恩网络科技有限责任公司 Automatic test method, device and system for industrial control network
CN106778210A (en) * 2016-12-16 2017-05-31 成都巧班科技有限公司 Industrial control system functional safety verification method based on immune learning
CN107479531A (en) * 2017-07-31 2017-12-15 杭州电子科技大学 Method for remotely determining the communication protocol frame format information of an embedded PLC access device
CN108337266A (en) * 2018-03-07 2018-07-27 中国科学院信息工程研究所 Efficient protocol client vulnerability mining method and system
CN108600195A (en) * 2018-04-04 2018-09-28 国家计算机网络与信息安全管理中心 Rapid industrial control protocol format reverse inference method based on incremental learning
CN108683554A (en) * 2018-04-04 2018-10-19 国家计算机网络与信息安全管理中心 Multi-dimensional anomaly monitoring method for fuzzing effectiveness
CN108897695A (en) * 2018-08-06 2018-11-27 中国电力科学研究院有限公司 Interconnection test method and system for demand-side equipment
CN108924102A (en) * 2018-06-21 2018-11-30 电子科技大学 Efficient industrial control protocol fuzzing method
CN108933784A (en) * 2018-06-26 2018-12-04 北京威努特技术有限公司 Industrial control protocol decoding rule expression and optimized decoding method
CN109150654A (en) * 2018-07-25 2019-01-04 深圳市吉祥腾达科技有限公司 Path-based protocol conformance test case design method
CN109462590A (en) * 2018-11-15 2019-03-12 成都网域复兴科技有限公司 Unknown protocol reverse analysis method based on fuzzing
CN109525457A (en) * 2018-11-14 2019-03-26 中国人民解放军陆军工程大学 Network protocol fuzzing method based on state transition traversal
CN109698841A (en) * 2019-03-06 2019-04-30 成都明得科技有限公司 Industrial control unknown vulnerability mining system and method based on video monitoring
CN110232012A (en) * 2018-03-06 2019-09-13 国家计算机网络与信息安全管理中心 XML-based fuzzing protocol test script and test engine
CN110336827A (en) * 2019-07-15 2019-10-15 北京工业大学 Modbus TCP protocol fuzzing method based on abnormal field localization
CN110661778A (en) * 2019-08-14 2020-01-07 中国电力科学研究院有限公司 Method and system for testing industrial control network protocols based on reverse-analysis fuzzing
CN110808962A (en) * 2019-10-17 2020-02-18 奇安信科技集团股份有限公司 Malformed data packet detection method and device
CN111427305A (en) * 2020-03-29 2020-07-17 博智安全科技股份有限公司 Method for Siemens PLC vulnerability mining
CN111628900A (en) * 2019-02-28 2020-09-04 西门子股份公司 Fuzzing method and device based on network protocol and computer readable medium
CN111835733A (en) * 2020-06-24 2020-10-27 广州海颐信息安全技术有限公司 Method for realizing a DLT 645-2007 protocol vulnerability discovery state machine
CN111917692A (en) * 2019-05-10 2020-11-10 北京车和家信息技术有限公司 Fuzzing method, device, equipment and computer readable storage medium
CN112019403A (en) * 2020-08-24 2020-12-01 杭州弈鸽科技有限责任公司 Cross-platform automatic mining method and system for message protocol state machines of the Internet of Things
CN112055003A (en) * 2020-08-26 2020-12-08 上海电力大学 Method for generating private protocol fuzzing test cases based on byte length classification
CN112395209A (en) * 2021-01-21 2021-02-23 博智安全科技股份有限公司 Industrial control protocol fuzzing test case generation method, device, equipment and storage medium
CN112714047A (en) * 2021-03-29 2021-04-27 北京网测科技有限公司 Industrial control protocol flow based test method, device, equipment and storage medium
CN112918406A (en) * 2019-12-06 2021-06-08 中车永济电机有限公司 Tramcar monitoring system and tramcar system
CN113055374A (en) * 2021-03-10 2021-06-29 湖南大学 Detection method and system for IEC104 power protocol security testing
CN113132366A (en) * 2021-04-07 2021-07-16 深圳市奇虎智能科技有限公司 Method, system, storage medium and computer device for interactive protocol reversal
CN113472739A (en) * 2021-05-19 2021-10-01 中国科学院信息工程研究所 Vulnerability discovery method and device for control equipment private protocols
CN113535731A (en) * 2021-07-21 2021-10-22 北京威努特技术有限公司 Heuristic message state interaction self-learning method and device
CN113572760A (en) * 2021-07-22 2021-10-29 全球能源互联网研究院有限公司 Equipment protocol vulnerability detection method and device
CN113886225A (en) * 2021-09-18 2022-01-04 国网河南省电力公司电力科学研究院 Fuzzing system and method oriented to unknown industrial control protocols
CN113934621A (en) * 2021-09-06 2022-01-14 中国科学院信息工程研究所 Fuzzing method, system, electronic device and medium
CN114024884A (en) * 2021-11-18 2022-02-08 百度在线网络技术(北京)有限公司 Test method, test device, electronic equipment and storage medium
CN114173344A (en) * 2021-12-08 2022-03-11 百度在线网络技术(北京)有限公司 Method and device for processing communication data, electronic equipment and storage medium
CN114265360A (en) * 2021-12-28 2022-04-01 四川启睿克科技有限公司 Industrial control system network security test box, fuzzing method and attack demonstration method
CN114650163A (en) * 2022-01-21 2022-06-21 中国人民解放军战略支援部队信息工程大学 Fuzzing method and system oriented to stateful network protocols
CN114661621A (en) * 2022-05-13 2022-06-24 上海交通大学宁波人工智能研究院 Industrial control protocol fuzzing system and method based on reinforcement learning
CN115174441A (en) * 2022-09-06 2022-10-11 中国汽车技术研究中心有限公司 State machine based TCP fuzzing method, equipment and storage medium
CN115174194A (en) * 2022-06-30 2022-10-11 浙江极氪智能科技有限公司 System vulnerability mining method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102087631A (en) * 2011-03-09 2011-06-08 中国人民解放军国发科学技术大学 Method for realizing fuzzing of software on the basis of a stateful protocol
CN103036730A (en) * 2011-09-29 2013-04-10 西门子公司 Method and device for achieving safety testing on protocol implementation
CN104796240A (en) * 2015-04-30 2015-07-22 北京理工大学 Fuzz testing system for stateful network protocol
CN105095075A (en) * 2015-07-16 2015-11-25 北京理工大学 Case generation method for semi-legalized fuzz test of network protocol based on finite-state machine



Also Published As

Publication number Publication date
CN105763392B (en) 2019-03-08


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant