CN106027511A - Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol) - Google Patents

Info

Publication number: CN106027511A
Application number: CN201610320345.4A
Authority: CN (China)
Prior art keywords: data, protocol, agreement, module, packet
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 詹静, 杨静, 吴欢, 陶政
Current assignee: Beijing University of Technology (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Beijing University of Technology
Application filed by Beijing University of Technology
Priority to CN201610320345.4A
Publication of CN106027511A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention relates to a protocol isolation method based on deep parsing of Modbus/TCP (Transmission Control Protocol). The technical scheme is based on virtualization technology and deploys security policy at the external boundary of a high-security-level network and at its internal boundaries between zones of different security levels. The overall structure is divided into flow lead, protocol cleaning and data ferrying. The flow lead module steers physical data packets into a designated virtual machine; the protocol cleaning module performs protocol identification, data content security detection, and private-protocol encapsulation and parsing; and data ferrying uses the shared memory of the virtual machines to ferry private-protocol data. Correct and secure traffic filtering can thus be performed for different application-layer protocols; protocol data is ferried securely, and an attacker cannot obtain the exchanged data under normal conditions; and, because the scheme uses the shared-memory mechanism of virtualization technology to emulate the special medium of a physical gap device, processing performance is improved and real-time requirements are met.

Description

A protocol isolation method based on Modbus/TCP deep parsing
Technical field
The invention belongs to the fields of industrial control and information technology. It relates to a protocol isolation method based on deep parsing of Modbus/TCP, a general-purpose protocol widely used in industrial control systems, and in particular to a protocol isolation method based on Modbus/TCP deep parsing.
Background technology
Industrial control systems are widely used in critical national infrastructure sectors such as electric power, the chemical industry, oil and gas extraction and transportation, so the security of industrial control systems bears on national security. In recent years, with the rapid development of industrial Ethernet technology, Internet technologies such as TCP/IP have been introduced into industrial control systems. Bringing the security threats of TCP/IP into industrial control systems also breaks the closed nature those systems once had: vulnerabilities in the design and implementation of the private protocols widely used in industrial control are exposed to attackers, posing an enormous threat to industrial control systems.
Industrial control networks also differ greatly from traditional IT networks. An industrial control system typically has a fixed number of devices, predictable communication flows and private communication protocols, and, most importantly, a high-availability requirement. Because of these particularities, traditional IT security mechanisms are ineffective. The widely deployed industrial control protocols, such as DNP3, Modbus and Modbus/TCP, provide no security controls and offer attackers many exploitable weaknesses. Industrial control networks have ever higher security requirements, yet both gap-device products and intrusion detection products have their own obvious shortcomings, to which the industrial control environment is especially sensitive, so relying on any single product is not feasible. Gap-device security products use application-protocol stripping and conversion to block the communication protocol between the two sides, which effectively reduces the probability of attacks carried by network protocols, and the security inspection and control applied to the stripped data greatly increases network security. However, gap-device products have a narrow scope of application, a corresponding exchange module must be developed for each protocol, and the exchange speed of a physical gap (network gap) device is already close to the theoretical limit of that technology, so the physical gap device can be expected to become a bottleneck. The security threats to industrial control systems are concentrated in the industrial control protocols, and existing solutions merely add security functions for the industrial control environment on top of conventional security products, lacking generality and scalability. Compared with traditional industrial control security schemes, this method combines the respective advantages of the physical gap device and the firewall: an enterprise can customize virtual machine templates for different network environments and deploy them at the industrial control network boundary to filter and isolate data traffic in a targeted way, and it uses Xen virtualization technology to improve isolation performance and scalability, meeting the enterprise's security requirements.
Summary of the invention
To solve the problems above, the technical scheme of this method is based primarily on virtualization technology and deploys security policy at the external boundary of a high-security-level network and at its internal boundaries between zones of different security levels. The overall structure is divided into flow lead, protocol cleaning and data ferrying. The flow lead module steers physical data packets into the designated virtual machine; the protocol cleaning module performs protocol identification, data content security detection, and private-protocol encapsulation and parsing on the steered packets; and data ferrying uses virtual machine shared memory to ferry the private-protocol data.
To achieve the above object, the technical solution adopted by the present invention is a protocol isolation method based on Modbus/TCP deep parsing:
Protocol isolation is performed in a Xen virtual environment, with two Guest OSes simulating the internal-network and external-network processing units of the isolation device respectively. A protocol cleaning module is deployed on each Guest OS. The protocol cleaning module first parses the IP traffic, strips the TCP/IP protocol characteristics (blocking attacks that rely on TCP/IP protocol features) and obtains the application-layer protocol data; then, according to the attributes and rules of the private-protocol definition, it builds the packet into a private-protocol packet and performs security detection with a deep detection method, ensuring the legitimacy of the Modbus/TCP data content.
1) Protocol isolation concept
Modbus/TCP communication is explained as follows.
(1) Under Xen, two VMs are built: VM1 simulates the internal-network processing unit of the isolation device and VM2 the external-network processing unit.
(2) A Modbus/TCP request initiated by the client is first sent to VM1. VM1 parses the received Modbus/TCP request, separating the header information from the original data. After the stripped data has passed the security detection of the protocol cleaning module, VM1 ferries it to VM2 via shared memory. When VM2 receives the separated data, it obtains the real server address from the header information, re-encapsulates the data as Modbus/TCP and sends it to the Modbus/TCP server.
(3) When the Modbus/TCP server receives the client request, it responds, and the response message is sent to VM2. VM2 parses the received response, separating the header information from the original data. After the separated data has passed the security detection of the protocol cleaning module, VM2 ferries it to VM1 via shared memory. When VM1 receives the stripped data and header information, it re-encapsulates them as Modbus/TCP and sends the result to the client.
(4) At this point one exchange between a Modbus/TCP client and a Modbus/TCP server is complete.
2) Overall architecture of protocol isolation
Fig. 1 shows the protocol isolation architecture on the Xen virtualization platform, comprising the flow lead module on the VMM, the data ferry module and two virtual machines, each of which has a protocol cleaning module deployed. The two virtual machines exchange data by data ferrying, which requires a synchronization mechanism; the data ferry function is encapsulated in the data ferry module.
3) Processing flow of protocol isolation
The protocol isolation processing flow is shown in Fig. 2; the main work includes:
(1) After the virtualization platform receives a connection request from device A, it hands the request to the flow lead module.
(2) The flow lead module steers the traffic to VM1 according to the configured flow table. After VM1 receives the packet, it passes the packet to the protocol cleaning module for parsing and security detection; if detection fails, the packet is discarded; if it passes, the application-layer original data of the packet is encapsulated in the private protocol and sent to the data ferry module.
(3) The data ferry module uses shared memory to ferry the private-protocol packet to VM2. After VM2 receives the private-protocol packet ferried from VM1, the protocol cleaning module of VM2 parses it and re-encapsulates the data into a standard TCP/IP packet according to the corresponding TCP/IP protocol format, then forwards it to the flow lead module.
(4) The flow lead module delivers the packet to device B according to the corresponding flow table rule.
The flow lead module steers data traffic into the designated virtual machine and is the foundation and premise for realizing the security functions. It is built from OpenFlow and Open vSwitch (OVS); its function is to import packets from a specified network interface into the designated virtual machine and to export packets from the designated virtual machine to a specified physical port. The flow lead module uses the OpenFlow protocol as its control protocol and Open vSwitch as the virtual switch; upward, it is controlled by the manager through the OpenFlow protocol, and management of its flow table is implemented by rules issued over that protocol. The core of the flow lead module is the flow table, which acts as the traffic switch of the whole model and directly determines whether the network is connected and where data flows.
The protocol cleaning module parses the IP traffic steered in by the flow lead module, separates out the application-layer protocol data, and then, according to the attributes and rules of the private-protocol definition, builds the packet into a private-protocol packet and performs security detection.
The main work of the protocol cleaning module includes the following:
(1) After VM1 receives a packet steered in by the flow lead module, it first strips the packet to obtain the application-layer data, builds the private-protocol data according to the rules, and at the same time performs security detection on the application-layer data. If detection fails, the packet is discarded directly and the communication connection is interrupted. If detection passes, the private-protocol packet is ferried to VM2 by the data ferry module.
(2) After VM2 receives the private-protocol packet ferried over by the data ferry module, it first performs an integrity check on the private-protocol packet, parses it to obtain the original application-layer data, and re-encapsulates the protocol data into a standard TCP/IP packet according to the standard TCP/IP protocol. Finally VM2 sends the re-encapsulated standard TCP/IP packet to the network through the flow lead module. The flow chart of the protocol cleaning module is shown in Fig. 5.
Shared memory accelerates data exchange, so the data ferry module uses the Xen shared-memory mechanism to complete the exchange. During the exchange, shared memory is created through the Grant Table mechanism, and data synchronization is carried out by a producer/consumer scheme together with the XenStore mechanism. What is transmitted during ferrying is private-protocol data, from which the TCP/IP protocol characteristics have been stripped, so attacks based on TCP/IP protocol features are blocked and the data is kept secure during ferrying.
Communication between VM1 and VM2 is realized by data ferrying. After the protocol cleaning module of VM1 has finished building the private protocol, VM1 and VM2 establish two virtual memory ring queues, used for data sending and data receiving respectively.
(1) VM1 looks up the address information of VM2 in the event channel table maintained by the privileged virtual machine. If the matching VM2 address and port information is found, a communication connection can be established and the next step is prepared; if no match is found, the communication is terminated.
(2) Xen uses the Grant Table mechanism to establish the shared memory, i.e. two actual memory ring queues, ready to receive and send data, while XenStore synchronously updates the state of the virtual machines. XenStore is a memory area shared between the different virtual machines under Xen; it stores VM-related configuration and state information in key/value form. Before the shared memory is established, synchronization control information is transmitted through XenStore to ensure that VM1 and VM2 read and write the shared memory correctly.
(3) VM1 notifies VM2 of the established shared-memory information through the event channel mechanism, and VM1 and VM2 prepare to communicate through the shared memory.
(4) VM1 writes the private-protocol data built by the protocol cleaning module into the shared memory; at this point, under the control of the synchronization and mutual-exclusion mechanism, VM2 cannot read data from that shared memory.
(5) After VM1 has written the data into the shared memory, it notifies VM2 through the event channel. VM2 then reads the data from the shared memory, notifies VM1 when the read is complete, and hands the data to the protocol cleaning module of VM2 for processing. After VM1 receives the read-complete event notification sent by VM2, it either writes again, depending on the actual situation, or exits directly.
Compared with the prior art, the present invention has the following advantages:
Correct and secure traffic filtering is performed for different application-layer protocols; the virtualization-based data ferry method of this scheme ferries protocol data securely, and an attacker cannot obtain the exchanged data under normal conditions; and the scheme uses the shared-memory mechanism of virtualization technology to emulate the special medium of a physical gap device for data ferrying, which improves processing performance and meets real-time requirements.
Description of the drawings
Fig. 1: protocol isolation architecture diagram.
Fig. 2: protocol isolation processing flow.
Fig. 3: Proto_Handle structure.
Fig. 4: flow lead module architecture diagram.
Fig. 5: protocol cleaning module flow.
Fig. 6: data ferry module flow.
Fig. 7: protocol detection flow.
Detailed description of the invention
First, several terms used in this part are explained:
A trusted function code is one of the few function codes implemented by the configuration software or a user-defined function code confirmed by the user. Each function code may define multiple subfunction codes or no subfunction code. Each trusted function code has a corresponding trusted subfunction code list, a sensitive subfunction code list and disabled subfunction codes.
The trusted function code list contains only trusted function codes.
A sensitive subfunction code belongs to a trusted function code; it is a subfunction code that the system needs but whose illegal use would cause a system failure, for example subfunction code 01 of function code 08.
The sensitive subfunction code list is a list made up of sensitive subfunction codes; each sensitive subfunction code is associated with a white list of IP address pairs (source IP address and destination IP address). Each sensitive subfunction code list belongs to one trusted function code.
A trusted subfunction code belongs to a trusted function code; it is a subfunction code without threat characteristics, which every device in the system may execute.
The trusted subfunction code list is a list made up of trusted subfunction codes; each trusted subfunction code list belongs to one trusted function code.
The read/write function code list is the list of the 8 common read/write function codes defined in Table 1.
Table 1: relation between read/write function codes and data fields
Remark: for Write Multiple Coils, N = output quantity / 8, and if the remainder is not 0 then N = N + 1; for Write Multiple Registers, N is the number of registers.
The Modbus/TCP protocol detection algorithm is shown in Fig. 6:
Step 1: Before a Modbus/TCP application message is sent, the corresponding socket must be established; the detection method reads and stores the source IP address, the destination IP address and the destination port number.
Step 2: The detection method tests the source and destination IP addresses, judging whether they are in the trusted address list. If both the source and the destination IP address are in the trusted address list, detection passes; otherwise the connection request of this socket is refused.
Step 3: The detection method judges whether the destination port number is 502. If so, step 4 is performed; otherwise the message is refused.
Step 4: The detection method reads the transaction identifier and checks that it is well-formed, for example that it is 2 bytes. If so, step 5 is performed; otherwise the message is refused.
Step 5: The detection method checks whether the protocol identifier field in the MBAP header is 0. If it is 0, step 6 is performed; otherwise the message is refused.
Step 6: The detection method compares the value of the length field with the total length of the unit identifier and the Modbus data field. If they are equal, step 7 is performed; otherwise the message is refused.
Step 7: The detection method judges the unit identifier. If the remote device is connected directly to the TCP/IP network, the unit identifier should be 0xff; if it is connected through a serial-link gateway, one IP address corresponds to multiple terminal units, which are distinguished by the unit identifier, and the valid range is then 0-255. If the unit identifier field is legal, step 8 is performed; otherwise the message is refused.
Step 8: The detection method judges whether the function code is a defined read/write operation function code. If it is, step 9 is performed; otherwise step 10 is performed.
Step 9: The detection method reads the starting address field of the data object and judges whether the starting address is legal. If it is, the detection method further determines whether the function code is a read or a write operation. For a read operation, the detection method checks whether the data byte count is legal; if it is, the message passes detection, otherwise the message is refused. For a write operation, the detection method judges whether the number of bytes written and the written data are legal; if they are, the message passes detection, otherwise the message is refused. If the starting address is illegal, the message is refused.
Step 10: The detection algorithm judges whether the function code is in the trusted list. If it is, step 11 is performed; otherwise the message is refused.
Step 11: The detection algorithm judges whether the first byte of the data field is a subfunction code. If it is, step 12 is performed; otherwise step 13 is performed.
Step 12: The detection method reads the trusted subfunction code list of this function code and checks whether the subfunction code is in it. If it is, the message passes detection. Otherwise the detection method searches the sensitive subfunction code list; if the subfunction code is in the sensitive subfunction code list, the detection method consults the IP address pair white list of that sensitive subfunction code and judges whether the message's IP address pair is in that white list. If it is, the subfunction code passes detection; otherwise the message is refused. If the subfunction code is in neither list, the message is refused.
Step 13: The detection method reads the key information of the data field and judges whether it is legal, for example judging by the length rule whether the message length corresponding to this function code is legal. If it is legal, detection passes; otherwise the message is refused.
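As an added worked example (this is not code from the patent; the policy tables, the IP addresses, the address bound and the assumption that the eight Table 1 codes are the standard Modbus read/write codes 1-6, 15 and 16 are all constructed), the following Python runs steps 2-13 above as one check over a single Modbus/TCP message and reports the step at which a message is refused:

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502   # step 3
MBAP_LEN = 7        # transaction id (2) + protocol id (2) + length (2) + unit identifier (1)


@dataclass
class Policy:
    """Constructed policy tables standing in for the trusted address list, the Table 1 read/write
    codes, the trusted function code list and the subfunction code lists; all values are assumptions."""
    trusted_ips: set
    read_write_codes: set      # Table 1 is not reproduced on the page; the standard Modbus codes are assumed
    read_codes: set
    trusted_codes: set         # trusted function codes that are not read/write codes
    trusted_subcodes: dict     # func -> subfunction codes every device may execute
    sensitive_subcodes: dict   # func -> {subcode: {(src_ip, dst_ip), ...}} white list of address pairs
    length_rule: dict          # func -> exact data-field length for step 13
    max_address: int           # upper bound of the legal start-address range for step 9


SAMPLE_POLICY = Policy(
    trusted_ips={"10.0.0.5", "10.0.0.20"},
    read_write_codes={1, 2, 3, 4, 5, 6, 15, 16},
    read_codes={1, 2, 3, 4},
    trusted_codes={7, 8},
    trusted_subcodes={8: {0x00}},                                  # diagnostics: return query data
    sensitive_subcodes={8: {0x01: {("10.0.0.5", "10.0.0.20")}}},   # diagnostics: restart communications
    length_rule={7: 0},                                            # read exception status carries no data
    max_address=9999,
)


def build_message(trans_id, unit_id, pdu):
    """Constructed helper: MBAP header (protocol id 0, length = unit identifier + PDU) plus the PDU."""
    pdu = bytes(pdu)
    return struct.pack("!HHHB", trans_id, 0, 1 + len(pdu), unit_id) + pdu


def check_read_write(func, data, policy):
    """Step 9: start address, then the byte-count rules for reads, single writes and multiple writes."""
    if len(data) < 4:
        return False, "step 9: truncated PDU"
    start, quantity = struct.unpack("!HH", data[:4])
    if start > policy.max_address:
        return False, "step 9: illegal start address"
    if func in policy.read_codes or func in (5, 6):   # reads and single writes: address + quantity/value only
        return (True, "pass") if len(data) == 4 else (False, "step 9: illegal byte count")
    if len(data) < 5:
        return False, "step 9: missing byte count"
    byte_count = data[4]
    # Table 1 remark: write multiple coils N = outputs / 8 rounded up; write multiple registers 2 bytes per register
    expected = (quantity + 7) // 8 if func == 15 else 2 * quantity
    if byte_count != expected or len(data) != 5 + byte_count:
        return False, "step 9: illegal write byte count"
    return True, "pass"


def check_modbus_tcp(src_ip, dst_ip, dst_port, message, policy=SAMPLE_POLICY):
    """Steps 2-13 of the detection algorithm on one Modbus/TCP message; returns (accepted, reason)."""
    if src_ip not in policy.trusted_ips or dst_ip not in policy.trusted_ips:   # step 2
        return False, "step 2: untrusted address pair"
    if dst_port != MODBUS_PORT:                                                # step 3
        return False, "step 3: wrong destination port"
    if len(message) < MBAP_LEN + 1:                                            # step 4: a 2-byte transaction id needs a full header
        return False, "step 4: truncated MBAP header"
    _trans_id, proto_id, length, unit_id = struct.unpack("!HHHB", message[:MBAP_LEN])
    if proto_id != 0:                                                          # step 5
        return False, "step 5: protocol identifier not 0"
    pdu = message[MBAP_LEN:]
    if length != 1 + len(pdu):                                                 # step 6
        return False, "step 6: length field mismatch"
    if not 0 <= unit_id <= 255:                                                # step 7 (a single byte always satisfies 0-255)
        return False, "step 7: illegal unit identifier"
    func, data = pdu[0], pdu[1:]
    if func in policy.read_write_codes:                                        # step 8
        return check_read_write(func, data, policy)                            # step 9
    if func not in policy.trusted_codes:                                       # step 10
        return False, "step 10: function code not trusted"
    if func in policy.trusted_subcodes or func in policy.sensitive_subcodes:   # step 11
        if not data:
            return False, "step 11: missing subfunction code"
        sub = data[0]                                                          # step 12
        if sub in policy.trusted_subcodes.get(func, set()):
            return True, "pass"
        allowed_pairs = policy.sensitive_subcodes.get(func, {}).get(sub)
        if allowed_pairs is None:
            return False, "step 12: subfunction code in neither list"
        if (src_ip, dst_ip) in allowed_pairs:
            return True, "pass"
        return False, "step 12: address pair not white-listed for this sensitive subfunction"
    expected_len = policy.length_rule.get(func)                                # step 13
    if expected_len is None or len(data) != expected_len:
        return False, "step 13: data field violates the length rule"
    return True, "pass"
```

Step 1 (socket establishment and reading the addresses) is taken as already done: the caller passes the stored source and destination addresses and the destination port. Step 7 cannot be stricter than 0-255 from the message alone, since whether the target is a directly attached device (0xff) or a serial-link gateway is a property of the deployment, not of the packet; a real deployment would carry that per-address expectation in the policy.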
1) The flow lead module steers data traffic into the designated virtual machine and is the foundation and premise for realizing the security functions. It is built from OpenFlow and Open vSwitch (OVS): it imports packets from a specified network interface into the designated virtual machine and exports packets from the designated virtual machine to a specified physical port, using OpenFlow as the control protocol and Open vSwitch as the virtual switch, with the manager controlling it through OpenFlow and the flow table managed by rules issued over that protocol. The core of the module is the flow table, the traffic switch of the whole model, which directly determines whether the network is connected and where data flows.
As Fig. 4 shows, the flow lead module is mainly composed of packet receive (send) ports, flow table entries and action sets.
(1) Packet receive (send) ports: these provide the entry and exit points for packets (similar to the Ethernet ports of a physical switch) through which packets are exchanged. The flow lead module can virtualize N ports and assigns each port a port number. To prevent conflicts with external-network IP addresses, a virtual network (similar to NAT) can be created and the ports placed in it.
(2) Flow entry set: the flow entry set contains the flow entries added by each manager; the fields of a flow entry may include port number, VLAN number, source physical address, destination physical address, Ethernet type, source IP address and destination IP address, among others.
(3) Action set: an action set corresponds to a flow entry, i.e. each flow entry may have a corresponding action set. After a packet has been matched against the flow table in the flow lead module, the action corresponding to the matched flow entry is looked up in the action set and executed. The operations supported by the action set include outputting the packet to a designated port, modifying the packet's source/destination MAC address, modifying the packet's source/destination IP address, and modifying fields of the flow table.
(4) Controller: configures the flow lead module on the host, remotely or locally, based on the OpenFlow protocol. Its main configuration object is the flow entries; the controller can also receive packets that match no flow entry and apply a default action.
The flow lead module sits on the host, and both the physical ports and the virtual network ports are mapped into it. Data flow is determined by the flow entries in the module: a packet is matched against the flow entries in the flow lead module; if it matches a flow entry, that entry's action set is executed, otherwise the packet is dropped. The purpose of the flow lead module is to guide and manage traffic correctly, ensuring that communication data is properly parsed, detected and ferried.
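An added example (not the patent's code and not Open vSwitch's) of the match-and-action behaviour just described: a minimal first-match flow table with wildcard fields, an action set that can rewrite a packet field and output the packet to a port, and the default drop for packets that match no entry. The port numbers, MAC addresses and Packet fields are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed header summary carrying the fields the text says a flow entry may match on."""
    in_port: int
    vlan: int
    src_mac: str
    dst_mac: str
    eth_type: int
    src_ip: str
    dst_ip: str


@dataclass
class FlowEntry:
    match: dict    # field name -> required value; a field left out is a wildcard
    actions: list  # ("output", port) or ("set", field, value), applied in order


class FlowLeadModule:
    """First-match flow table: a matching entry's action set runs; anything else is dropped
    and queued for the controller's default action."""

    def __init__(self):
        self.entries: List[FlowEntry] = []
        self.unmatched: List[Packet] = []

    def add_flow(self, match: dict, actions: list) -> None:
        self.entries.append(FlowEntry(dict(match), list(actions)))

    def lookup(self, pkt: Packet) -> Optional[FlowEntry]:
        for entry in self.entries:
            if all(getattr(pkt, field) == value for field, value in entry.match.items()):
                return entry
        return None

    def process(self, pkt: Packet) -> Tuple[Optional[int], Packet]:
        """Return (output port, packet after any field rewrites); an output of None means dropped."""
        entry = self.lookup(pkt)
        if entry is None:
            self.unmatched.append(pkt)
            return None, pkt
        out_port = None
        for action in entry.actions:
            if action[0] == "output":
                out_port = action[1]
            elif action[0] == "set":          # e.g. rewrite the destination MAC to the VM's vif
                pkt = replace(pkt, **{action[1]: action[2]})
        return out_port, pkt


# Constructed port numbers: two physical NICs and the virtual ports of the two guests
CLIENT_NIC, SERVER_NIC = 1, 2
VM1_VIF, VM2_VIF = 10, 11
IPV4 = 0x0800


def build_sample_table() -> FlowLeadModule:
    """Steer client-side IPv4 into VM1, VM2's output to the server NIC, and the reverse path;
    everything else (for instance ARP arriving on the NICs) has no entry and is dropped."""
    m = FlowLeadModule()
    m.add_flow({"in_port": CLIENT_NIC, "eth_type": IPV4},
               [("set", "dst_mac", "00:16:3e:00:00:01"), ("output", VM1_VIF)])
    m.add_flow({"in_port": VM2_VIF}, [("output", SERVER_NIC)])
    m.add_flow({"in_port": SERVER_NIC, "eth_type": IPV4},
               [("set", "dst_mac", "00:16:3e:00:00:02"), ("output", VM2_VIF)])
    m.add_flow({"in_port": VM1_VIF}, [("output", CLIENT_NIC)])
    return m
```

The table is deliberately closed: only the flows the operator has written reach a guest, which is what makes the flow lead module the premise for the security functions rather than a plain bridge. Real OpenFlow tables add priorities and a table-miss entry; a first-match list is enough to show the decision.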
2) The protocol cleaning module parses the IP traffic steered in by the flow lead module, separates out the application-layer protocol data, and then, according to the attributes and rules of the private-protocol definition, builds the packet into a private-protocol packet and performs security detection.
The construction of the private protocol bears on the security of the data exchange, so the key data structure of the private protocol is introduced here; see Fig. 3.
The Proto_Handler structure holds the basic information from which the private protocol is constructed: the identity of the protocol, the protocol list, the protocol's security detection method and the real application data. Taking Modbus/TCP as an example, the protocol name field of the private-protocol structure is Modbus/TCP; the protocol list field is ETH -> IP -> TCP -> Modbus/TCP, which carries the essential header information from the link layer up to the application layer; the protocol count field is 4; the security detection method is Check_ModbusTCP_*(), in which the Modbus/TCP deep detection method is applied; and the payload is the Modbus/TCP PDU.
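The Proto_Handler structure just described and the shared-memory ferry of steps (1)-(5) in the summary above can be exercised together. The following Python is an added example, not the patent's code: the private-protocol frame layout, the SHA-256 integrity check, the ring queue and every field and function name are assumptions, and two threads sharing a condition variable stand in for the two VMs, the Xen event channel and the mutual-exclusion rule of step (4).

```python
import hashlib
import json
import struct
import threading
from dataclasses import dataclass
from typing import Callable, List, Optional

MAGIC = b"PRIV"    # constructed private-protocol marker
DIGEST_LEN = 32    # SHA-256 over header + payload: the integrity check VM2 runs before parsing (assumed form)


@dataclass
class ProtoHandler:
    """Mirrors the Proto_Handler fields described for Fig. 3; the field names are assumptions."""
    name: str                        # protocol identity, e.g. "Modbus/TCP"
    stack: List[str]                 # protocol list, e.g. ETH -> IP -> TCP -> Modbus/TCP
    check: Callable[[bytes], bool]   # stand-in for the Check_ModbusTCP_*() detection method
    payload: bytes                   # the real application data: the Modbus/TCP PDU

    @property
    def count(self) -> int:          # the "number of protocols" field
        return len(self.stack)


def modbus_stub_check(pdu: bytes) -> bool:
    """Placeholder detection method: accept only read holding registers (3) and write multiple registers (16)."""
    return len(pdu) >= 1 and pdu[0] in (3, 16)


def encapsulate(handler: ProtoHandler, fields: dict) -> Optional[bytes]:
    """VM1 side: run detection, keep only the header essentials VM2 needs to rebuild TCP/IP
    (real server address and ports), append the PDU and a digest. None means the PDU was rejected."""
    if not handler.check(handler.payload):
        return None
    header = json.dumps({"proto": handler.name, "stack": handler.stack, **fields}).encode()
    body = struct.pack("!H", len(header)) + header + handler.payload
    return MAGIC + body + hashlib.sha256(body).digest()


def decapsulate(frame: bytes):
    """VM2 side: integrity check first, then recover the header fields and the original PDU."""
    if not frame.startswith(MAGIC) or len(frame) < len(MAGIC) + 2 + DIGEST_LEN:
        return None
    body, digest = frame[len(MAGIC):-DIGEST_LEN], frame[-DIGEST_LEN:]
    if hashlib.sha256(body).digest() != digest:
        return None
    hlen = struct.unpack("!H", body[:2])[0]
    return json.loads(body[2:2 + hlen].decode()), body[2 + hlen:]


class RingQueue:
    """Bounded ring standing in for one shared-memory ring queue. The Condition plays the event
    channel (write-complete / read-complete notifications) and the mutual-exclusion rule of step (4)."""

    def __init__(self, slots: int = 2):
        self.buf = [None] * slots
        self.head = self.tail = self.count = 0
        self.cv = threading.Condition()

    def put(self, item):
        with self.cv:
            while self.count == len(self.buf):   # ring full: wait for VM2's read-complete event
                self.cv.wait()
            self.buf[self.tail] = item
            self.tail = (self.tail + 1) % len(self.buf)
            self.count += 1
            self.cv.notify_all()                 # write-complete event to VM2

    def get(self):
        with self.cv:
            while self.count == 0:               # ring empty: wait for VM1's write-complete event
                self.cv.wait()
            item = self.buf[self.head]
            self.buf[self.head] = None
            self.head = (self.head + 1) % len(self.buf)
            self.count -= 1
            self.cv.notify_all()                 # read-complete event back to VM1
            return item


def ferry(requests, corrupt_index=None):
    """Run VM1 (producer) and VM2 (consumer) as threads over one send ring. requests is a list of
    (fields, pdu); corrupt_index flips one digest byte of that frame (a constructed fault).
    Returns (decapsulated results in order, number of PDUs VM1 dropped at detection)."""
    ring, results, dropped = RingQueue(slots=2), [], 0

    def vm1():
        nonlocal dropped
        for i, (fields, pdu) in enumerate(requests):
            handler = ProtoHandler("Modbus/TCP", ["ETH", "IP", "TCP", "Modbus/TCP"], modbus_stub_check, pdu)
            frame = encapsulate(handler, fields)
            if frame is None:
                dropped += 1                      # detection failed: discard, nothing is ferried
                continue
            if i == corrupt_index:
                frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
            ring.put(frame)
        ring.put(b"END")

    def vm2():
        while (frame := ring.get()) != b"END":
            results.append(decapsulate(frame))    # None here means the integrity check failed

    threads = [threading.Thread(target=vm1), threading.Thread(target=vm2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, dropped
```

The two-slot ring makes the producer block until VM2 has signalled a read, which is the ordering the event channel enforces. The digest is a plain integrity check, as the text describes for VM2's first step; it detects corruption of a frame in transit but is not an authenticity check, which the shared-memory path between the two guests is not described as needing.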
The groundwork of agreement cleaning module includes:
(1) After VM1 receives the packet delivered by the flow lead module, it first strips the packet to obtain the application-layer data, builds the proprietary protocol data according to the rules, and at the same time performs safety detection on the application-layer data. If detection fails, the packet is discarded directly and the communication connection is interrupted. If detection passes, the proprietary protocol packet is ferried to VM2 by the data ferry module.
(2) After VM2 receives the proprietary protocol packet ferried over by the data ferry module, it first performs an integrity check on the proprietary protocol packet, then parses it to recover the original application-layer data and re-encapsulates the protocol data into a standard TCP/IP packet according to the standard TCP/IP protocol. Finally, VM2 sends the re-encapsulated standard TCP/IP packet to the network through the flow lead module. The flow chart of the protocol cleaning module is shown in Fig. 5.
3) Communication between VM1 and VM2 is realised by way of data ferrying. After the protocol cleaning module of VM1 has finished building the proprietary protocol packet, VM1 and VM2 set up two virtual memory ring queues, used respectively for sending and receiving data.
(1) VM1 looks up the address information of VM2 in the event channel table maintained by the privileged virtual machine. If the address and port information of the corresponding VM2 is found, a communication connection can be established and the next step is prepared; if no match is found, this communication is terminated.
(2) Xen uses the Grant Table mechanism to establish the shared memory (the two actual memory ring queues) in preparation for receiving and sending data, while XenStore synchronously updates the state of the virtual machines. XenStore is a shared memory area between the different virtual machines under Xen that stores VM-related configuration and status information in key/value form. Before the shared memory is established, synchronisation control information is passed through XenStore to ensure that VM1 and VM2 read and write the shared memory correctly.
(3) VM1 notifies VM2 of the established shared memory information through the event channel mechanism; VM1 and VM2 then prepare to communicate through the shared memory.
(4) VM1 writes the proprietary protocol data built by its protocol cleaning module into the shared memory. At this point, under the control of the synchronisation and mutual-exclusion mechanism, VM2 cannot read data from this shared memory.
(5) After VM1 has written data into the shared memory, it notifies VM2 through the event channel. VM2 then reads the data from the shared memory, notifies VM1 once the read is done, and hands the data to the protocol cleaning module of VM2 for processing. After VM1 receives the read-complete event notification sent by VM2, it either writes again according to the actual situation or exits directly.
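The cleaning step above (parse the Modbus/TCP frame, strip the transport header, inspect the application-layer data, wrap it in a private framing with an integrity check, and re-encapsulate it on the far side) can be shown end to end. The following is an added example, not the patent's implementation: the private framing layout (a two-byte marker, a length field and a truncated HMAC-SHA256 tag standing in for the patent's unspecified integrity check), the read-only function-code allow-list and the register bounds are all assumptions constructed for the demonstration, and the frames are constructed rather than captured.

```python
"""Deep parsing and cleaning of a Modbus/TCP request (added example).

VM1 side: parse_modbus_tcp -> safety_check -> build_private.
VM2 side: parse_private (integrity check) -> build_modbus_tcp.
The framing, policy constants and sample frames are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

MBAP_LEN = 7                   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253                  # Modbus PDU size limit
ALLOWED_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}   # assumed policy: read-only functions
MAX_REGISTER = 99              # assumed policy: highest register the client may touch
MAX_QUANTITY = 125             # Modbus limit for one register read
PRIV_MAGIC = b"PV"             # assumed marker of the private framing
TAG_LEN = 16                   # truncated HMAC tag used as the integrity check


class CleaningError(ValueError):
    """Raised when a frame fails deep parsing, safety detection or integrity check."""


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    pdu: bytes                 # function code + data: the application-layer payload


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Strip the MBAP header and return the application-layer PDU."""
    if len(frame) < MBAP_LEN + 1:
        raise CleaningError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise CleaningError(f"protocol id {pid} is not Modbus (0)")
    if length != len(frame) - 6:             # MBAP length counts unit id + PDU
        raise CleaningError(f"MBAP length {length} disagrees with frame size")
    pdu = frame[MBAP_LEN:]
    if len(pdu) > MAX_PDU:
        raise CleaningError("PDU exceeds 253 bytes")
    return ModbusRequest(tid, uid, pdu[0], pdu)


def safety_check(req: ModbusRequest) -> None:
    """Deep inspection of the PDU against the assumed policy."""
    if req.function not in ALLOWED_FUNCTIONS:
        raise CleaningError(f"function code 0x{req.function:02x} not allowed")
    if len(req.pdu) != 5:
        raise CleaningError("read request must be function + address + quantity")
    addr, qty = struct.unpack(">HH", req.pdu[1:5])
    if not 1 <= qty <= MAX_QUANTITY:
        raise CleaningError(f"quantity {qty} out of range")
    if addr + qty - 1 > MAX_REGISTER:
        raise CleaningError(f"register range {addr}..{addr + qty - 1} exceeds policy")


def build_private(req: ModbusRequest, key: bytes) -> bytes:
    """Wrap the bare application data in the private framing plus an HMAC tag."""
    body = struct.pack(">HB", req.transaction_id, req.unit_id) + req.pdu
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return PRIV_MAGIC + struct.pack(">H", len(body)) + body + tag


def parse_private(blob: bytes, key: bytes) -> ModbusRequest:
    """Integrity check first, then recover the original application-layer data."""
    if len(blob) < 4 or blob[:2] != PRIV_MAGIC:
        raise CleaningError("bad private framing")
    n = struct.unpack(">H", blob[2:4])[0]
    body, tag = blob[4:4 + n], blob[4 + n:4 + n + TAG_LEN]
    if len(body) != n or len(tag) != TAG_LEN or len(blob) != 4 + n + TAG_LEN or n < 4:
        raise CleaningError("truncated or padded private packet")
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise CleaningError("integrity check failed")
    tid, uid = struct.unpack(">HB", body[:3])
    pdu = body[3:]
    return ModbusRequest(tid, uid, pdu[0], pdu)


def build_modbus_tcp(req: ModbusRequest) -> bytes:
    """Re-encapsulate the application data into a standard Modbus/TCP frame."""
    return struct.pack(">HHHB", req.transaction_id, 0, len(req.pdu) + 1, req.unit_id) + req.pdu


def vm1_clean(frame: bytes, key: bytes) -> bytes:
    """VM1: parse, inspect, wrap.  Raises CleaningError when detection fails."""
    req = parse_modbus_tcp(frame)
    safety_check(req)
    return build_private(req, key)


def vm2_rebuild(blob: bytes, key: bytes) -> bytes:
    """VM2: verify, unwrap, re-encapsulate for the real server."""
    return build_modbus_tcp(parse_private(blob, key))


def inspect(frame: bytes) -> tuple:
    """(passed, reason) verdict for a raw frame."""
    try:
        safety_check(parse_modbus_tcp(frame))
        return True, "ok"
    except CleaningError as exc:
        return False, str(exc)


def private_is_valid(blob: bytes, key: bytes) -> bool:
    try:
        parse_private(blob, key)
        return True
    except CleaningError:
        return False


# Constructed sample frames (not captured traffic).
KEY = b"constructed-demo-key"
GOOD = bytes.fromhex("00010000000601030000000a")       # read 10 holding registers from 0
BAD_FUNC = bytes.fromhex("000200000006010600010001")   # write single register: not allowed
BAD_LEN = bytes.fromhex("000300000009010300000001")    # MBAP length field lies
BAD_RANGE = bytes.fromhex("00040000000601030060000a")  # registers 96..105 exceed policy
```

Run `vm1_clean(GOOD, KEY)` and feed the result to `vm2_rebuild` to see the original frame reappear; flipping any byte of the ferried blob makes `parse_private` reject it, which is the point of checking integrity before parsing on the VM2 side.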

Claims (3)

1. A protocol isolation method based on Modbus/TCP deep parsing, characterised in that: protocol isolation is performed under a Xen virtual environment, with two Guest OSes respectively simulating the internal-network and external-network processing units of the protocol isolation; a protocol cleaning module is deployed on each Guest OS; the protocol cleaning module first parses the IP traffic, strips off the TCP/IP protocol features, blocks attacks based on TCP/IP protocol features and obtains the application-layer protocol data; then, according to the attributes and rules of the proprietary protocol definition, this packet is constructed into a proprietary protocol packet and safety detection is carried out with a deep inspection method, ensuring the legitimacy of the Modbus/TCP data content;
1) The protocol isolation idea
The Modbus/TCP communication is explained as follows:
(1) Under the Xen environment, two VMs are built to simulate respectively the intranet processing unit (VM1) and the extranet processing unit (VM2) of the protocol isolation;
(2) A Modbus/TCP request initiated by the client computer is first sent to VM1; VM1 performs protocol parsing on the received Modbus/TCP request and separates the header information from the raw data; the stripped-out data then passes through the safety detection of the protocol cleaning module of VM1 and is ferried to VM2 by way of shared memory; after VM2 receives the separated data, it obtains the real server address from the header information carried with the data, re-packages the data into the Modbus/TCP protocol and sends it to the Modbus/TCP server;
(3) After the Modbus/TCP server receives the Modbus/TCP client request it responds, and the response message is sent to VM2; VM2 performs protocol parsing on the received response message and separates the header information from the raw data; VM2 passes the separated data through the safety detection of the protocol cleaning module and ferries it to VM1 by way of shared memory; after VM1 receives the stripped-out data and header information, it re-encapsulates them into the Modbus/TCP protocol and sends them to the client computer;
(4) Communication between a Modbus/TCP client computer and a Modbus/TCP server is thereby completed;
2) Overall architecture of the protocol isolation
The protocol isolation architecture on the Xen virtual platform comprises the flow lead module on the VMM, the data ferry module and two virtual machines, where a protocol cleaning module is deployed on each of the two virtual machines; the two virtual machines exchange data by way of data ferrying, a synchronisation mechanism must be used when ferrying data, and the data ferry function is packaged in the data ferry module;
3) Processing flow of the protocol isolation
The main work of the protocol isolation processing flow includes:
(1) After the virtual platform receives a connection request from device A, it hands it to the flow lead module for processing;
(2) The flow lead module steers the traffic to VM1 for processing according to the formulated flow table; after VM1 receives the packet, it hands it to the protocol cleaning module for parsing and safety detection; if detection fails, the packet is discarded; if detection passes, the application-layer raw data of the packet is encapsulated in the proprietary protocol and sent to the data ferry module;
(3) The data ferry module ferries the proprietary protocol packet to VM2 using shared memory; after VM2 receives the proprietary protocol packet "ferried" over from VM1, the protocol cleaning module of VM2 parses it, re-packages the data into a standard TCP/IP packet according to the corresponding TCP/IP protocol format, and then forwards it to the flow lead module;
(4) The flow lead module delivers the packet to device B according to the corresponding flow table rule;
The flow lead module is responsible for importing data traffic into the specified virtual machine and is the basis and premise for realising the security functions; the flow lead module is built from OpenFlow and OpenvSwitch, and its function is to import packets from a specified network interface into a specified virtual machine and to export packets from a specified virtual machine to a specified physical network port; the flow lead module uses the OpenFlow protocol as its control protocol and OpenvSwitch as the virtual switch, which is controlled from above by the manager through the OpenFlow protocol, and the management of the flow tables therein is realised by the protocol issuing them; the core of the flow lead module is the flow table, which is the traffic switch of the whole model and directly determines whether network data flows and in which direction.
2. The protocol isolation method based on Modbus/TCP deep parsing according to claim 1, characterised in that: the protocol cleaning module parses the IP traffic delivered by the flow lead module, separates out the application-layer protocol data, and then, according to the attributes and rules of the proprietary protocol definition, constructs this packet into a proprietary protocol packet and carries out safety detection;
The main work of the protocol cleaning module includes the following:
(1) After VM1 receives the packet delivered by the flow lead module, it first strips the packet to obtain the application-layer data, builds the proprietary protocol data according to the rules, and at the same time performs safety detection on the application-layer data; if detection fails, the packet is discarded directly and the communication connection is interrupted; if detection passes, the proprietary protocol packet is ferried to VM2 by the data ferry module;
(2) After VM2 receives the proprietary protocol packet ferried over by the data ferry module, it first performs an integrity check on the proprietary protocol packet, then parses it to recover the original application-layer data and re-encapsulates the protocol data into a standard TCP/IP packet according to the standard TCP/IP protocol; finally VM2 sends the re-encapsulated standard TCP/IP packet to the network through the flow lead module;
The shared-memory approach speeds up data exchange, so the data ferry module uses the shared memory mechanism of Xen to complete the data exchange; during the data exchange the shared memory is created through the Grant Table mechanism, and data synchronisation is carried out through the producer/consumer and XenStore mechanisms; what is transmitted during data ferrying is the proprietary protocol data, whose TCP/IP protocol features have been stripped off, so attacks based on the TCP/IP protocol can be blocked, thereby ensuring the security of the data during ferrying.
3. The protocol isolation method based on Modbus/TCP deep parsing according to claim 1, characterised in that: communication between VM1 and VM2 is realised by way of data ferrying; after the protocol cleaning module of VM1 has finished building the proprietary protocol packet, VM1 and VM2 set up two virtual memory ring queues, used respectively for sending and receiving data;
(1) VM1 looks up the address information of VM2 in the event channel table maintained by the privileged virtual machine; if the address and port information of the corresponding VM2 is found, a communication connection can be established and the next step is prepared; if no match is found, this communication is terminated;
(2) Xen uses the Grant Table mechanism to establish the shared memory, that is, the two actual memory ring queues, in preparation for receiving and sending data, while XenStore synchronously updates the state of the virtual machines; XenStore is a shared memory area between the different virtual machines under Xen that stores VM-related configuration and status information in key/value form; before the shared memory is established, synchronisation control information is passed through XenStore to ensure that VM1 and VM2 read and write the shared memory correctly;
(3) VM1 notifies VM2 of the established shared memory information through the event channel mechanism; VM1 and VM2 then prepare to communicate through the shared memory;
(4) VM1 writes the proprietary protocol data built by its protocol cleaning module into the shared memory; at this point, under the control of the synchronisation and mutual-exclusion mechanism, VM2 cannot read data from this shared memory;
(5) After VM1 has written data into the shared memory, it notifies VM2 through the event channel; VM2 then reads the data from the shared memory, notifies VM1 once the read is done, and hands the data to the protocol cleaning module of VM2 for processing; after VM1 receives the read-complete event notification sent by VM2, it either writes again according to the actual situation or exits directly.
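The ferry protocol of claim 3 and of step 3) in the description (two ring queues, a writer that may not overwrite an unread slot, a reader that may not read an unfilled slot, and a write, notify, read, acknowledge cycle between VM1 and VM2) is modelled below. This is an added example and not the patent's code: the Xen grant-table shared memory and event channels are replaced by in-process buffers guarded by a lock and two condition variables, the two virtual machines are threads, and the request list and the handler are constructed for the demonstration.

```python
"""Producer/consumer ring queues modelling the VM1 <-> VM2 data ferry (added example).

Assumptions: one writer and one reader per queue; notify() stands in for the
Xen event channel; the lock stands in for the synchronisation and mutual
exclusion the patent places over the shared memory."""
import threading


class RingQueue:
    """Fixed-size ring of slots shared by one writer and one reader."""

    def __init__(self, slots: int):
        self.buf = [None] * slots
        self.head = 0                                  # next slot the reader consumes
        self.tail = 0                                  # next slot the writer fills
        self.count = 0                                 # slots holding unread data
        self.lock = threading.Lock()                   # mutual exclusion over the ring
        self.not_full = threading.Condition(self.lock)
        self.not_empty = threading.Condition(self.lock)

    def write(self, item: bytes, timeout: float = 1.0) -> bool:
        """Writer side: wait while every slot holds unread data, then fill one."""
        with self.not_full:
            if not self.not_full.wait_for(lambda: self.count < len(self.buf), timeout):
                return False                           # reader never acknowledged
            self.buf[self.tail] = item
            self.tail = (self.tail + 1) % len(self.buf)
            self.count += 1
            self.not_empty.notify()                    # "data written" event to the reader
            return True

    def read(self, timeout: float = 1.0):
        """Reader side: wait until a slot has been written, consume it, acknowledge."""
        with self.not_empty:
            if not self.not_empty.wait_for(lambda: self.count > 0, timeout):
                return None                            # nothing was written in time
            item = self.buf[self.head]
            self.buf[self.head] = None
            self.head = (self.head + 1) % len(self.buf)
            self.count -= 1
            self.not_full.notify()                     # "read complete" event to the writer
            return item


def ferry_exchange(requests, handler, slots: int = 2) -> list:
    """Run VM1 (client side) and VM2 (server side) as threads joined by two rings:
    tx carries requests VM1 -> VM2, rx carries VM2's results back to VM1.
    Returns the results in request order."""
    tx, rx = RingQueue(slots), RingQueue(slots)
    results = []

    def vm2():
        for _ in requests:
            msg = tx.read()
            if msg is None:
                break
            rx.write(handler(msg))                     # VM2's processing of the ferried data

    def vm1():
        for msg in requests:
            if tx.write(msg):                          # write, then wait for the acknowledgement
                results.append(rx.read())

    t_vm2 = threading.Thread(target=vm2)
    t_vm1 = threading.Thread(target=vm1)
    t_vm2.start()
    t_vm1.start()
    t_vm1.join()
    t_vm2.join()
    return results


# Constructed sample traffic: three opaque proprietary-protocol blobs.
SAMPLE_REQUESTS = [b"req-1", b"req-2", b"req-3"]

if __name__ == "__main__":
    print(ferry_exchange(SAMPLE_REQUESTS, lambda m: b"ack:" + m))
```

With `slots=1` a second `write` before the reader has consumed the first times out and returns `False`, which is the mutual-exclusion behaviour described in step (4): the writer cannot proceed until the read-complete event arrives.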

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610320345.4A CN106027511A (en) 2016-05-13 2016-05-13 Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610320345.4A CN106027511A (en) 2016-05-13 2016-05-13 Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)

Publications (1)

Publication Number Publication Date
CN106027511A true CN106027511A (en) 2016-10-12

Family

ID=57096905

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610320345.4A Pending CN106027511A (en) 2016-05-13 2016-05-13 Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)

Country Status (1)

Country Link
CN (1) CN106027511A (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453389A (en) * 2016-11-11 2017-02-22 浙江中烟工业有限责任公司 Network isolation method based on combination of firewall and gatekeeper
CN106502951A (en) * 2016-10-21 2017-03-15 南京南瑞集团公司 PCIE interface data ferry-boat card and its method for ferry-boat data
CN106657003A (en) * 2016-11-11 2017-05-10 浙江中烟工业有限责任公司 Flexible and software-definable network security isolation method
CN106789874A (en) * 2016-11-11 2017-05-31 浙江中烟工业有限责任公司 A kind of method that Intrusion Detection based on host Intel Virtualization Technology realizes protocol isolation
CN107196931A (en) * 2017-05-17 2017-09-22 南京南瑞继保电气有限公司 A kind of deep message detection method based on network isolating device
CN107948195A (en) * 2017-12-25 2018-04-20 杭州迪普科技股份有限公司 A kind of method and device of protection Modbus attacks
CN111031077A (en) * 2020-03-10 2020-04-17 杭州圆石网络安全技术有限公司 Flow cleaning method, flow cleaning system and equipment
CN111245715A (en) * 2019-12-31 2020-06-05 亚信科技(中国)有限公司 Message transmission method and system
CN111262861A (en) * 2020-01-16 2020-06-09 四川效率源科技有限责任公司 Method for identifying and filtering MODBUS TCP/UDP protocol
CN111327645A (en) * 2018-11-28 2020-06-23 鸿合科技股份有限公司 Network sharing method and device and electronic equipment
CN111343144A (en) * 2020-01-23 2020-06-26 奇安信科技集团股份有限公司 OPC (optical proximity correction) network gate system based on Linux and data processing method
CN111371651A (en) * 2020-03-12 2020-07-03 杭州木链物联网科技有限公司 Industrial communication protocol reverse analysis method
CN111510362A (en) * 2020-04-23 2020-08-07 宁波伟立机器人科技股份有限公司 Communication method and system based on ModBus data service function
CN112187583A (en) * 2020-09-30 2021-01-05 绿盟科技集团股份有限公司 Method, device and storage medium for recognizing action information in private industrial control protocol
CN113037833A (en) * 2021-03-04 2021-06-25 北京安华金和科技有限公司 Data processing method and device, storage medium and electronic equipment
CN113301049A (en) * 2021-05-26 2021-08-24 杭州安恒信息技术股份有限公司 Industrial control equipment auditing method, device, equipment and readable storage medium
CN115277221A (en) * 2022-07-29 2022-11-01 深圳市风云实业有限公司 Transmission method and isolation device based on transparent data landing and protocol isolation
CN115801643A (en) * 2022-10-28 2023-03-14 北京六方云信息技术有限公司 Method and device for testing protocol analysis function, terminal equipment and storage medium
CN115801452A (en) * 2023-01-30 2023-03-14 北京万维盈创科技发展有限公司 Data acquisition instrument with network security isolation function
CN116939065A (en) * 2023-08-07 2023-10-24 山东九州信泰信息科技股份有限公司 Modbus protocol TCP segmentation rapid deep inspection method
CN117792831A (en) * 2024-02-27 2024-03-29 天津大学四川创新研究院 Multi-protocol Modbus gateway control system and method
CN115277221B (en) * 2022-07-29 2024-06-07 深圳市风云实业有限公司 Transmission method and isolation equipment based on transparent data landing and protocol isolation

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090287848A1 (en) * 2008-05-13 2009-11-19 Kabushiki Kaisha Toshiba Information processing device and communication control method
CN101668022A (en) * 2009-09-14 2010-03-10 陈博东 Virtual network isolation system established on virtual machine and implementation method thereof
CN102129531A (en) * 2011-03-22 2011-07-20 北京工业大学 Xen-based active defense method
CN103036903A (en) * 2012-12-26 2013-04-10 北京中电普华信息技术有限公司 Data processing method and web service assembly
CN104702571A (en) * 2013-12-06 2015-06-10 北京天地超云科技有限公司 Method for detecting intrusion of network data in Xen virtual environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吴欢等 (Wu Huan et al.): "一种高效虚拟化多级网络安全互联机制" ("An efficient virtualised multi-level network security interconnection mechanism"), 《山东大学学报(理学版)》 (Journal of Shandong University (Natural Science)) *

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106502951A (en) * 2016-10-21 2017-03-15 南京南瑞集团公司 PCIE interface data ferry-boat card and its method for ferry-boat data
CN106657003A (en) * 2016-11-11 2017-05-10 浙江中烟工业有限责任公司 Flexible and software-definable network security isolation method
CN106789874A (en) * 2016-11-11 2017-05-31 浙江中烟工业有限责任公司 A kind of method that Intrusion Detection based on host Intel Virtualization Technology realizes protocol isolation
CN106453389A (en) * 2016-11-11 2017-02-22 浙江中烟工业有限责任公司 Network isolation method based on combination of firewall and gatekeeper
CN107196931A (en) * 2017-05-17 2017-09-22 南京南瑞继保电气有限公司 A kind of deep message detection method based on network isolating device
CN107948195A (en) * 2017-12-25 2018-04-20 杭州迪普科技股份有限公司 A kind of method and device of protection Modbus attacks
CN107948195B (en) * 2017-12-25 2020-12-04 杭州迪普科技股份有限公司 Method and device for protecting Modbus attack
CN111327645A (en) * 2018-11-28 2020-06-23 鸿合科技股份有限公司 Network sharing method and device and electronic equipment
CN111327645B (en) * 2018-11-28 2023-11-21 鸿合科技股份有限公司 Network sharing method and device and electronic equipment
CN111245715A (en) * 2019-12-31 2020-06-05 亚信科技(中国)有限公司 Message transmission method and system
CN111245715B (en) * 2019-12-31 2022-02-22 亚信科技(中国)有限公司 Message transmission method and system
CN111262861A (en) * 2020-01-16 2020-06-09 四川效率源科技有限责任公司 Method for identifying and filtering MODBUS TCP/UDP protocol
CN111343144A (en) * 2020-01-23 2020-06-26 奇安信科技集团股份有限公司 OPC (optical proximity correction) network gate system based on Linux and data processing method
CN111031077A (en) * 2020-03-10 2020-04-17 杭州圆石网络安全技术有限公司 Flow cleaning method, flow cleaning system and equipment
CN111031077B (en) * 2020-03-10 2020-06-09 杭州圆石网络安全技术有限公司 Flow cleaning method, flow cleaning system and equipment
CN111371651A (en) * 2020-03-12 2020-07-03 杭州木链物联网科技有限公司 Industrial communication protocol reverse analysis method
CN111510362A (en) * 2020-04-23 2020-08-07 宁波伟立机器人科技股份有限公司 Communication method and system based on ModBus data service function
CN111510362B (en) * 2020-04-23 2021-08-24 宁波伟立机器人科技股份有限公司 Communication method and system based on ModBus data service function
CN112187583A (en) * 2020-09-30 2021-01-05 绿盟科技集团股份有限公司 Method, device and storage medium for recognizing action information in private industrial control protocol
CN113037833A (en) * 2021-03-04 2021-06-25 北京安华金和科技有限公司 Data processing method and device, storage medium and electronic equipment
CN113301049A (en) * 2021-05-26 2021-08-24 杭州安恒信息技术股份有限公司 Industrial control equipment auditing method, device, equipment and readable storage medium
CN113301049B (en) * 2021-05-26 2023-02-24 杭州安恒信息技术股份有限公司 Industrial control equipment auditing method, device, equipment and readable storage medium
CN115277221A (en) * 2022-07-29 2022-11-01 深圳市风云实业有限公司 Transmission method and isolation device based on transparent data landing and protocol isolation
CN115277221B (en) * 2022-07-29 2024-06-07 深圳市风云实业有限公司 Transmission method and isolation equipment based on transparent data landing and protocol isolation
CN115801643B (en) * 2022-10-28 2023-09-22 北京六方云信息技术有限公司 Protocol analysis function test method and device, terminal equipment and storage medium
CN115801643A (en) * 2022-10-28 2023-03-14 北京六方云信息技术有限公司 Method and device for testing protocol analysis function, terminal equipment and storage medium
CN115801452A (en) * 2023-01-30 2023-03-14 北京万维盈创科技发展有限公司 Data acquisition instrument with network security isolation function
CN116939065A (en) * 2023-08-07 2023-10-24 山东九州信泰信息科技股份有限公司 Modbus protocol TCP segmentation rapid deep inspection method
CN116939065B (en) * 2023-08-07 2024-02-06 山东九州信泰信息科技股份有限公司 Modbus protocol TCP segmentation rapid deep inspection method
CN117792831A (en) * 2024-02-27 2024-03-29 天津大学四川创新研究院 Multi-protocol Modbus gateway control system and method

Similar Documents

Publication Publication Date Title
CN106027511A (en) Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)
CN104685500B (en) The method and system of application security strategy in overlay network
CN104683352B (en) A kind of industrial communication isolation gap with binary channels ferry-boat
CN104767748B (en) Opc server security protection system
CN107070907A (en) Intranet and extranet data unidirectional transmission method and system
CN102006246B (en) Trusted separate gateway
CN106209684B (en) A method of detection scheduling is forwarded based on time trigger
CN106027358A (en) Network security management and control system for accessing social video networks to video private network
KR20020092972A (en) System, device and method for rapid packet filtering and processing
KR101221045B1 (en) Packet Processing Method and TOE Hardware Using The Same
Xu et al. Demystifying the energy efficiency of network function virtualization
CN102255903A (en) Safety isolation method for virtual network and physical network of cloud computing
CN107360145A (en) A kind of multinode honey pot system and its data analysing method
EP2577918A1 (en) Method and device for processing source role information
WO2023004992A1 (en) Traffic monitoring method and apparatus for open stack tenant network
JP2002533792A (en) Method and system for protecting the operation of a trusted internal network
CN116055254A (en) Safe and trusted gateway system, control method, medium, equipment and terminal
KR101076683B1 (en) Apparatus and method for splitting host-based networks
CN106330973B (en) Data security exchange method based on black and white list
CN107645472A (en) A kind of virtual machine traffic detecting system based on OpenFlow
CN104735071A (en) Network access control implementation method between virtual machines
US11431677B2 (en) Mechanisms for layer 7 context accumulation for enforcing layer 4, layer 7 and verb-based rules
CN107070893A (en) A kind of power distribution network terminal IEC101 protocol massages certification method of discrimination
CN109450928A (en) A kind of across cloud data penetration transmission method and system based on UDP and Modbus TCP
CN104573508B (en) The compliance detection method of application is paid under virtualized environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161012

RJ01 Rejection of invention patent application after publication