CN106302535A - Attack simulation method and device for power system and attack simulation equipment - Google Patents

Publication number: CN106302535A
Application number: CN201610881401.1A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王志明, 蒋屹新, 许爱东, 郭晓斌, 陈华军, 蒙家晓, 晏培, 段振辉, 李成武
Current assignees: China South Power Grid International Co ltd; Seatech Beijing Co ltd
Original assignees: China South Power Grid International Co ltd; Seatech Beijing Co ltd; Power Grid Technology Research Center of China Southern Power Grid Co Ltd

Classifications

    • H04L 69/22 Parsing or analysis of headers (under H04L 69/00, network arrangements, protocols or services independent of the application payload)
    • H04L 63/1441 Countermeasures against malicious traffic (under H04L 63/14, detecting or protecting against malicious traffic)
    • H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet (under H04L 67/01, protocols)

Abstract

The invention provides an attack simulation method, an attack simulation device and attack simulation equipment for a power system, wherein the attack simulation method comprises the following steps: capturing a communication data packet and acquiring message data; analyzing the information content of the message data according to a preset electric power special protocol library; and carrying out a corresponding attack simulation operation aiming at the information content. The attack simulation method, device and attack simulation equipment for the power system can simulate normal power monitoring system services and special protocol communication scenes, steal messages in the power system by eavesdropping, identify the format of a power special protocol message, issue false or malicious messages to the server end by message playback and bypassing control means, and destroy the normal communication services of the power system, so that simulation verification of the message hijack attack method is realized and the safety of the power system put into operation is improved.

Description

Attack simulation method and device for a power system, and attack simulation equipment
Technical field
The present invention relates to the field of computer technology, and in particular to an attack simulation method and device for a power system, and to attack simulation equipment.
Background art
Power monitoring systems currently face serious network attack threats, such as the Stuxnet virus and the BlackEnergy virus. To raise the security protection level of power monitoring systems, building an attack and security protection simulation and verification platform for power monitoring systems is of great significance for research into their security protection technology. Among these threats, message hijacking attacks have become a major network attack means against power monitoring systems.
Existing attack simulation and verification technology is mainly based on application-layer protocols of the TCP/IP (Transmission Control Protocol / Internet Protocol) network architecture, such as the remote login (Telnet) protocol, FTP (File Transfer Protocol) and the SSH (Secure Shell) protocol, and performs message hijacking attack simulation and verification for the Internet or for TCP local area networks. Because power system proprietary protocols have special formats, existing attack simulation and verification technology cannot parse and identify power system proprietary protocols, still less tamper with or forge power data messages, and therefore cannot perform simulation and verification of message hijacking attacks against the proprietary protocols of power monitoring systems.
Summary of the invention
In view of this, it is necessary to provide an attack simulation method, device and attack simulation equipment that realise simulation and verification of message hijacking attacks on a power system, so as to improve the security of power systems that have been put into operation.
The invention discloses an attack simulation method for a power system, comprising:
capturing a communication data packet and obtaining message data;
parsing the information content of the message data according to a preset power-specific protocol library; and
carrying out a corresponding attack simulation operation for the information content.
In one embodiment, parsing the information content of the message data according to the preset power-specific protocol library includes:
matching the message data against the preset power-specific protocol library to obtain the protocol type of the message data; and
parsing the information content of the message data according to the protocol type.
In one embodiment, matching the message data against the preset power-specific protocol library to obtain the protocol type of the message data includes:
matching the header fields of the message data against the fields of the preset power-specific protocol library to obtain the protocol type of the message data.
In one embodiment, parsing the information content of the message data according to the protocol type includes:
obtaining the message information body in the message data according to the message frame format specified by the protocol type; and
identifying the information content carried by the message data according to the message code in the message information body.
In one embodiment, carrying out a corresponding attack simulation operation for the information content includes:
judging whether the information content is downlink information and, if so, carrying out a forged-message attack simulation operation;
otherwise, further judging whether the information content is uplink numerical information and, if so, carrying out a replay attack simulation operation.
The invention also discloses an attack simulation device for a power system, comprising:
a capture module, for capturing a communication data packet and obtaining message data;
a parsing module, for parsing the information content of the message data according to a preset power-specific protocol library; and
a simulation module, for carrying out a corresponding attack simulation operation for the information content.
In one embodiment, the parsing module includes:
a matching unit, for matching the message data against the preset power-specific protocol library to obtain the protocol type of the message data; and
a parsing unit, for parsing the information content of the message data according to the protocol type.
In one embodiment, the matching unit matches the header fields of the message data against the fields of the preset power-specific protocol library to obtain the protocol type of the message data.
In one embodiment, the parsing unit includes:
an obtaining sub-unit, for obtaining the message information body in the message data according to the message frame format specified by the protocol type; and
an identifying sub-unit, for identifying the information content carried by the message data according to the message code in the message information body.
In one embodiment, the simulation module includes a judging unit and an attack unit, wherein:
the judging unit judges whether the information content is downlink information and, if so, the attack unit carries out a forged-message attack simulation operation;
otherwise the judging unit further judges whether the information content is uplink numerical information and, if so, the attack unit carries out a replay attack simulation operation.
The invention also discloses attack simulation equipment, which includes the attack simulation device of any of the above embodiments.
The attack simulation method, device and attack simulation equipment for a power system described above can simulate normal power monitoring system services and proprietary-protocol communication scenarios; can steal messages inside the power system by eavesdropping and identify the power-specific protocol message format; and can issue false or malicious messages to the server side through message replay and bypassing of control measures, disrupting the normal communication services of the power system. Simulation and verification of message hijacking attack methods is thereby realised, improving the security of power systems that have been put into operation.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive the drawings of other embodiments from them without creative effort.
Fig. 1 is a flow diagram of the attack simulation method for a power system according to one embodiment of the invention;
Fig. 2 is a communication diagram of the power system according to one embodiment of the invention;
Fig. 3 is a flow diagram of the attack simulation method for a power system according to another embodiment of the invention;
Fig. 4 is a flow diagram of the attack simulation method for a power system according to a further embodiment of the invention;
Fig. 5 is a module structure diagram of the attack simulation device for a power system according to one embodiment of the invention;
Fig. 6 is a module structure diagram of the attack simulation device for a power system according to another embodiment of the invention;
Fig. 7 is a structural diagram of the attack simulation equipment for a power system according to one embodiment of the invention;
Fig. 8 is a structural diagram of the attack simulation equipment for a power system according to another embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
In the description of the invention, it is to be understood that the terms "first" and "second" are used only for descriptive purposes and cannot be understood as indicating or implying relative importance, or as implicitly indicating the number of the technical features referred to. Thus, a feature qualified as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the invention, "multiple" means at least two, for example two or three, unless otherwise specifically limited.
The attack simulation method, device and attack simulation equipment for a power system according to embodiments of the invention are described below with reference to the drawings. For example, the attack simulation method of one embodiment comprises the following steps: capturing a communication data packet and obtaining message data; parsing the information content of the message data according to a preset power-specific protocol library; and carrying out a corresponding attack simulation operation for the information content, for example a replay attack simulation operation or a forged-message attack simulation operation.
Referring to Fig. 1, a flow diagram of the attack simulation method for a power system according to one embodiment of the invention, the attack simulation method comprises the following steps:
S110: capture a communication data packet and obtain message data.
For example, communication data packets on the communication link between the master station and a slave station of the power system are captured, and the message data in the packets is obtained. As another example, communication data packets on the communication links between devices within a slave station are captured and their message data obtained. In a power system, the master station is the control centre, for example the grid dispatching control system; slave stations are the other sites in the grid, for example substations.
For example, as shown in Fig. 2, the grid dispatching control system (master station) and a substation (slave station) communicate over the power dispatching data network. The substation side comprises a station level, a bay level and a process level. The station level includes the clock system, the monitoring host, the five-prevention (switching interlock) system, the relay protection management module and so on; the bay level includes measurement and control devices, security and stability control devices, PMUs (Phasor Measurement Units), protection devices and so on; the process level includes a number of equipment groups made up of merging units, intelligent terminals, primary equipment and the like.
For example, eavesdropping means are used to capture the packets; such means include ARP (Address Resolution Protocol) spoofing or intrusion into an intermediate machine.
In one embodiment, communication data packets are captured by ARP spoofing. For example, within a local area network, ARP request broadcast packets are received, the IP address and MAC (Media Access Control) address of each node in the LAN are learned by eavesdropping, and a node in the LAN is impersonated by sending false addresses to the victim nodes (for example the master station and/or slave station of the power system), so that the communication data packets in the LAN are intercepted.
In another embodiment, communication data packets are captured by intruding into a service switch on the communication link, so as to obtain the message data in them.
S130: parse the information content of the message data according to the preset power-specific protocol library.
In this embodiment, a power-specific protocol library is preset in the attack simulation equipment. It stores the various protocols/specifications specific to power systems, for example at least one of the power-specific protocols/specifications IEC101, IEC103, IEC104 and IEC61850. These protocols/specifications are international standards for substation automation systems formulated by the International Electrotechnical Commission; they are established at the application layer of the TCP/IP protocol suite and use the transport function provided by TCP/IP for message communication.
Different power-specific protocols/specifications lay down different rules for communication data transmission in the power system. For example, the information a substation automation system needs to communicate includes relay protection fault information (including fault recording and disturbance recording) and SCADA (Supervisory Control And Data Acquisition) monitoring information. Relay protection fault information includes state change and alarm signal data; state change signals and sequence of events (SOE) records after a system fault; and fault recording and disturbance recording data. SCADA monitoring information includes measured value data; accumulated energy data; control and raise/lower commands; and the enable/disable commands and interlock information of relay protection devices. Information transmitted on the basis of the IEC103 protocol is mainly information related to relay protection, such as telemetry, remote signalling, SOE events, fault information and fault recording information. Information transmitted on the basis of the IEC104 protocol is mainly SCADA monitoring information, including uplink information content such as telemetry, remote signalling, pulse counts and terminal device status, and downlink information content such as remote control, set-point and time synchronisation information. The IEC61850 series of specifications, building on existing IEC/IEEE/ISO/OSI communication standards, specifies the communication behaviour between intelligent electronic devices (IEDs) within the substation and the related system requirements.
Taking the IEC104 specification as an example: IEC104 uses a TCP network channel whose standard port number is 2404, assigned and confirmed by the IANA (Internet Assigned Numbers Authority); the port may also be set independently. For example, the message frame format of IEC104 is as shown in the following table:
Start character 68H
APDU length (maximum 253)
Control field octet 1
Control field octet 2
Control field octet 3
Control field octet 4
ASDU as defined by IEC104
In power systems, and particularly in the production control zone, power proprietary protocols such as IEC103, IEC104 and IEC61850 are used when the station-level host system of the power monitoring system communicates with bay-level and process-level devices or modules. Since the message formats specified by the different protocols differ, the protocol type of the message data is determined first, and the information content of the message data is then parsed according to that protocol type. For example, the obtained message data is matched against the preset power-specific protocol library to determine its protocol type, and the information content of the message data is then parsed according to the protocol type.
S150: carry out a corresponding attack simulation operation for the information content.
In this embodiment, attack simulation operations include at least two kinds: forged-message attack simulation and replay attack simulation. For example, if the above information content is downlink information, a forged-message attack simulation is carried out: the message data is tampered with to obtain a forged message, and the forged message is sent to the slave station server, so performing a forged-message attack simulation. Downlink information includes at least one of remote control information, set-point information and time synchronisation information. If the above information is uplink numerical information, a replay attack is initiated, for example by sending to the master station server packets that the master station has already received, so that the master station server cannot obtain updated information. Uplink numerical information includes telemetry values, remote signalling values, pulse count values, terminal device status information and so on.
In one embodiment, after the corresponding attack simulation operation, it is judged from the simulation result whether the communication link is secure, or whether the attack resistance of the master station equipment/slave station equipment is acceptable. For example, if the attack resistance of a device is not acceptable, the defensive deployment of the device is strengthened, or the device is not released from the factory, so as to guarantee the security protection performance of the power system.
The attack simulation method for a power system described above can simulate normal power monitoring system services and proprietary-protocol communication scenarios; can steal messages inside the power system by eavesdropping and identify the power-specific protocol message format; and can issue false or malicious messages to the server side through message replay and bypassing of control measures, disrupting the normal communication services of the power system. Simulation and verification of message hijacking attack methods is thereby realised, improving the security of power systems that have been put into operation.
In one embodiment, as shown in Fig. 3, step S130 comprises the following steps:
S131: match the message data against the preset power-specific protocol library to obtain the protocol type of the message data.
Because the power proprietary protocol library is deployed in advance, the ability to identify the message formats of multiple power-specific protocols such as IEC101, IEC102, IEC103, IEC104 and IEC61850 is available. For example, the header fields of the message data are matched against the fields of the preset power-specific protocol library to obtain the protocol type of the message data. For example, the header fields of the message data are compared with the header fields specified by each type of protocol in the preset library; the protocol type whose header fields match those of the message data is the protocol type of the message data.
S133: parse the information content of the message data according to the protocol type.
In one embodiment, step S133 comprises the following steps:
S1331: obtain the message information body in the message data according to the message frame format specified by the protocol type. For example, according to the message format specified by the protocol type, the format data in the data message is discarded, leaving the message information body. The format data includes, for example, the fixed message header and message trailer specified by the protocol.
S1332: identify the information content carried by the message data according to the message code in the message information body.
Taking the IEC104 protocol as an example, with reference to the message frame format specified by IEC104, the fixed message header and message trailer in the message data are stripped off to obtain the message information body, and the information content carried by the message data is identified from the message code in the information body, thereby achieving the purpose of parsing the message protocol.
In one embodiment, as shown in Fig. 4, step S150 comprises the following steps:
S151: judge whether the information content is downlink information; if so, perform step S153, otherwise perform step S155.
In this embodiment, downlink information includes remote control information, set-point information, time synchronisation information and so on. For example, it is judged whether the information content includes at least one of remote control information, set-point information and time synchronisation information; if so, the information content is judged to be downlink information.
For example, the intercepted raw message content is: 68 14 02 00 08 00 67 01 06 00 01 00 00 00 00 01 05 10 09 0a 03 02. Analysed according to the format specified in the protocol library: 0x501 = 1 second 281 milliseconds, 0x10 = 16 minutes, 0x09 = 9 hours, 0x0a = day 10, 0x03 = March, 0x02 = year 2002. The information content carried by the message is therefore 10 March 2002, 09:16:01.281, from which it can be seen that this message is a time synchronisation message and belongs to downlink information.
S153: carry out a forged-message attack simulation operation.
In this embodiment, if the information content in the message is downlink information content, for example the message is a control command message or a time synchronisation message, a forged-message attack simulation operation is carried out, that is, the message data is tampered with to obtain a forged message, and the forged message is sent to the slave station server.
S155: judge whether the information content is uplink numerical information; if so, perform step S157.
In this embodiment, uplink numerical information includes telemetry values, remote signalling values, pulse count values, terminal device status information and so on.
S157: carry out a replay attack simulation operation, that is, initiate a replay attack, which can also be understood as a simulation operation that launches the attack again.
In this embodiment, if the information content in the message is uplink numerical information, a replay attack is initiated, for example by sending to the master station server packets that the master station has already received, so that the master station server cannot obtain updated information.
It should be understood that, in one embodiment, the judgement of step S155 may also be performed first: if the result is yes, S157 is performed; otherwise the judgement of step S151 is performed, and if that result is yes, step S153 is performed.
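Added example, not code from the patent or its assignees: a Python decoder that performs the parsing and classification steps described above (S131 header matching, S1331 stripping the fixed header, S1332 reading the message code, S151 downlink/uplink judgement) on the intercepted IEC104 frame quoted in the S151 example and on a constructed telemetry frame. The one-entry protocol library and the ASDU type-ID tables are assumed minimal subsets for illustration, not the patent's own.

```python
"""Added example (not the patent's code): decode one IEC 60870-5-104 APDU as
steps S131 to S1332 and S151 describe, then label the content as downlink
(control direction) or uplink (monitor direction). Assumed: a one-entry
protocol library (IEC 104 only) and an illustrative subset of ASDU type IDs."""
from datetime import datetime

# The patent's worked example frame (step S151), reproduced byte for byte.
SAMPLE_TIME_SYNC = bytes.fromhex(
    "68 14 02 00 08 00 67 01 06 00 01 00 00 00 00 01 05 10 09 0a 03 02")
# Constructed monitor-direction frame: M_ME_NC_1 (type 13), one float value.
SAMPLE_TELEMETRY = bytes.fromhex(
    "68 12 00 00 00 00 0d 01 03 00 01 00 01 40 00 00 00 c8 42 00")

# "Preset protocol library": the header signature a frame is matched against.
PROTOCOL_LIBRARY = {"IEC104": {"start": 0x68, "max_apdu_len": 253}}

# Illustrative ASDU type IDs, grouped into the information classes the patent
# names: downlink = remote control / set point / time sync (control direction);
# uplink = telemetry / remote signalling / pulse count (monitor direction).
DOWNLINK_TYPES = {45: "remote control", 46: "remote control", 48: "set point",
                  100: "interrogation", 103: "time synchronisation"}
UPLINK_TYPES = {1: "remote signalling", 3: "remote signalling",
                9: "telemetry", 13: "telemetry", 15: "pulse count"}


def identify_protocol(frame):
    """S131: match header fields (start byte, length) against the library."""
    if len(frame) < 6:
        return None
    for name, sig in PROTOCOL_LIBRARY.items():
        if (frame[0] == sig["start"] and frame[1] <= sig["max_apdu_len"]
                and len(frame) == frame[1] + 2):
            return name
    return None


def split_apci(frame):
    """S1331: strip the fixed 6-byte APCI; return (frame format, ASDU body)."""
    ctrl = frame[2:6]
    if ctrl[0] & 0x01 == 0:
        return "I", frame[6:]          # numbered frame carrying an ASDU
    if ctrl[0] & 0x03 == 0x01:
        return "S", b""                # supervisory acknowledgement, no ASDU
    return "U", b""                    # STARTDT / STOPDT / TESTFR, no ASDU


def parse_asdu(body):
    """S1332: read the ASDU header ('message code') and information object."""
    if len(body) < 9:
        raise ValueError("ASDU shorter than header plus object address")
    return {
        "type_id": body[0],
        "num_objects": body[1] & 0x7F,
        "cause": body[2] & 0x3F,
        "common_address": body[4] | (body[5] << 8),
        "object_address": body[6] | (body[7] << 8) | (body[8] << 16),
        "payload": body[9:],
    }


def decode_cp56time2a(t):
    """Seven-octet IEC 60870-5 time tag, as walked through in the patent."""
    millis = t[0] | (t[1] << 8)           # 0x0501 -> 1 s 281 ms
    return datetime(2000 + (t[6] & 0x7F),  # 0x02 -> 2002
                    t[5] & 0x0F,           # 0x03 -> March
                    t[4] & 0x1F,           # 0x0a -> 10th
                    t[3] & 0x1F,           # 0x09 -> 9 h
                    t[2] & 0x3F,           # 0x10 -> 16 min
                    millis // 1000, (millis % 1000) * 1000)


def classify(frame):
    """S151: decide whether the content is downlink, uplink or neither."""
    proto = identify_protocol(frame)
    if proto is None:
        return {"protocol": None, "direction": "unrecognised"}
    fmt, body = split_apci(frame)
    if fmt != "I":
        return {"protocol": proto, "format": fmt, "direction": "link control"}
    asdu = parse_asdu(body)
    result = {"protocol": proto, "format": fmt, "type_id": asdu["type_id"],
              "common_address": asdu["common_address"],
              "object_address": asdu["object_address"]}
    if asdu["type_id"] in DOWNLINK_TYPES:
        result["direction"] = "downlink"
        result["info"] = DOWNLINK_TYPES[asdu["type_id"]]
        if asdu["type_id"] == 103 and len(asdu["payload"]) >= 7:
            result["time"] = decode_cp56time2a(asdu["payload"][:7])
    elif asdu["type_id"] in UPLINK_TYPES:
        result["direction"] = "uplink"
        result["info"] = UPLINK_TYPES[asdu["type_id"]]
    else:
        result["direction"] = "unknown type"
    return result
```

Running classify on SAMPLE_TIME_SYNC reproduces the patent's reading: type 0x67 (103, clock synchronisation) with the tag 2002-03-10 09:16:01.281, hence downlink; the constructed telemetry frame is classified as uplink.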
An embodiment of the invention further provides an attack simulation device for a power system; for example, the attack simulation device is implemented using the attack simulation method for a power system of any of the above embodiments. For example, as shown in Fig. 5, the attack simulation device 500 comprises:
a capture module 510, for capturing a communication data packet and obtaining message data;
a parsing module 530, for parsing the information content of the message data according to a preset power-specific protocol library; and
a simulation module 550, for carrying out a corresponding attack simulation operation for the information content.
In one embodiment, as shown in Fig. 6, the parsing module 530 includes:
a matching unit 531, for matching the message data against the preset power-specific protocol library to obtain the protocol type of the message data; and
a parsing unit 533, for parsing the information content of the message data according to the protocol type.
In one embodiment, the matching unit 531 matches the header fields of the message data against the fields of the preset power-specific protocol library to obtain the protocol type of the message data.
In one embodiment, the parsing unit 533 includes an obtaining sub-unit and an identifying sub-unit, wherein:
the obtaining sub-unit obtains the message information body in the message data according to the message frame format specified by the protocol type; and
the identifying sub-unit identifies the information content carried by the message data according to the message code in the message information body.
In one embodiment, the simulation module 550 includes a judging unit and an attack unit, wherein:
the judging unit judges whether the information content is downlink information and, if so, the attack unit carries out a forged-message attack simulation operation;
otherwise the judging unit further judges whether the information content is uplink numerical information and, if so, the attack unit carries out a replay attack simulation operation.
A further embodiment of the invention is an attack simulation device for a power system that uses the attack simulation method of any of the above embodiments: for example, an attack simulation device for a power system implemented using the attack simulation method of any of the above embodiments; or, as another example, an attack simulation device for a power system having the functional modules corresponding to the attack simulation method of any of the above embodiments.
The attack simulation device for a power system described above can simulate normal power monitoring system services and proprietary-protocol communication scenarios; can steal messages inside the power system by eavesdropping and identify the power-specific protocol message format; and can issue false or malicious messages to the server side through message replay and bypassing of control measures, disrupting the normal communication services of the power system. Simulation and verification of message hijacking attack methods is thereby realised, improving the security of power systems that have been put into operation.
An embodiment of the invention further provides attack simulation equipment, which includes the attack simulation device of any of the above embodiments.
In one embodiment, above-mentioned attack emulator requires to be designed according to industrial environment, uses onboard high property The embedded 1037U CPU of energy, fan-free designs, and high-temp resisting high-humidity resisting is suitable for multiple industrial applications, has powerful environment and fits Ying Xing.Such as, the design parameter of above-mentioned attack emulator is as shown in the table:
In one embodiment, as shown in Figure 7, the attack simulation equipment 700 of an embodiment includes a housing 701, and further includes a central processing unit 702, a memory 703, a transceiver 704, a network interface module 705 and a hardware encryption/decryption module 706 placed inside the housing, wherein the central processing unit 702, the memory 703, the transceiver 704 and the network interface module 705 are connected by a bus 707, and the hardware encryption/decryption module 706 is electrically connected to the transceiver 704.
In this embodiment, the memory 703 stores a dedicated power protocol library and a protocol matching tool, for example storing at least one of the dedicated power protocols/specifications such as IEC701, IEC703, IEC704 and IEC61850. The protocol matching tool provides matching support to the central processing module during message eavesdropping and identification.
In this embodiment, the transceiver 704 is used to receive and send data. For example, according to instructions from the central processing unit 702, the transceiver 704 obtains network data messages from switches and routers according to a preset mode/eavesdropping procedure.
The central processing unit 702 is the key component of the above attack simulation equipment and is responsible for the scheduling and processing operations of the entire system. When the simulation verification method is initiated, the central processing unit launches the attack in a predetermined sequence. For example, the central processing unit 702 receives the network data messages obtained by the transceiver 704, classifies the messages according to the procedure and the algorithm pre-stored in the memory 703, and initiates a message replay attack or a false message injection attack according to the message type.
In one embodiment, after the central processing unit 702 starts the attack operation, it sends a start command to the transceiver 704 together with the corresponding parameters, so that the transceiver 704 obtains network data messages from switches and routers according to the preset mode/eavesdropping procedure.
In this embodiment, the network interface module 705 includes multiple interfaces, for example an attack-dedicated network interface and a general-purpose network interface.
During a simulated attack, the attack-dedicated network interface sends messages strictly according to the commands and message sending time requirements of the attack control module. When it receives (listens for or intercepts) a message, it hands the message to the central processing unit.
The general-purpose network interface is used to receive the configuration parameters that a user applies to the attack host over the network. For example, at least one of the multiple hardware interfaces may be connected directly to a general port of a switch or router to monitor network messages, for comparison with the network traffic obtained through a mirror port connection.
In this embodiment, the hardware encryption/decryption module is used for encryption or decryption. For example, when a message received by the transceiver 704 needs to be decrypted, the transceiver 704 communicates with the hardware encryption/decryption module 706 and sends the message to it; the hardware encryption/decryption module 706 decrypts the message and then sends it to the central processing unit. As another example, when a message sent out by the attack simulation equipment needs to be encrypted, the hardware encryption/decryption module 706 encrypts the outgoing message and then passes it to the transceiver 704 for external transmission.
As one embodiment, the hardware encryption/decryption module 706 may include a data input module, a key generation module, a data processing module, a control module and a storage module, wherein the data input module is connected to the key generation module, the data processing module and the control module respectively, and the data processing module is further connected to the key generation module and the storage module.
The above attack simulation equipment for a power system can simulate the scenario in which a normal power monitoring system communicates using the dedicated protocols, can capture internal power system messages by eavesdropping, and can deliver false or tampered information, disrupting the normal communication services of the power system, thereby realizing the simulation and verification of message hijacking attack methods, so as to improve the security of power systems that have been put into operation.
In one embodiment, as shown in Figure 8, the above attack simulation equipment further includes at least one of a power management module 708, a USB module 709 and a human-machine interaction module 710.
For example, in one embodiment, the above attack simulation equipment further includes a power management module, which is connected by a bus to the central processing unit, the memory, the transceiver and the network interface respectively.
As one embodiment, the power management module is arranged inside the housing 700.
As another embodiment, the power management module includes a power interface fixedly mounted on the housing and a removable power adapter, wherein the power interface is connected by a bus to the central processing unit, the memory, the transceiver and the network interface respectively.
In one embodiment, the power adapter includes a safety glass shell and, arranged inside the safety glass shell, at least one solar panel, a solar storage battery and a voltage conversion circuit, wherein:
the at least one solar panel is fitted to at least one inner surface of the safety glass shell and is connected to the solar storage battery;
the voltage conversion circuit is connected to the solar storage battery.
As one embodiment, the attack simulation equipment further includes a USB (Universal Serial Bus) module, which is connected by a bus to the central processing unit, the memory, the transceiver and the network interface respectively, and the USB module includes a USB interface and a USB identification circuit electrically connected to each other.
In this embodiment, the USB module is used to connect to devices that use a USB interface, such as a USB flash drive. The USB connection enables the attack simulation equipment to import and export configuration files, attack models and the like.
As one embodiment, the attack simulation equipment further includes a human-machine interaction module, which is connected by a bus to the central processing unit, the memory, the transceiver and the network interface respectively.
As one embodiment, the human-machine interaction module includes an input device and an output device, wherein the input device includes at least one of a camera, a voice capture device, a mouse and a keyboard, and the output device includes at least one of a display and an audio playback device.
Through the human-machine interaction module, the user can log in, configure the attack simulation equipment, select the attack mode, and perform similar operations.
The above attack simulation method, device and equipment for a power system simulate the communication services of the power system, using software and hardware simulation to build the communication environment between the regulation and control centre and the substation, and can realize the communication scenarios of the main power system services and the dedicated communication protocols (such as IEC103, IEC104, IEC61850 and so on). The attack simulation equipment captures power system data messages by eavesdropping, automatically identifies the format of the power system protocol messages by matching against the protocol library, and initiates a message replay attack or a message tampering/forgery attack according to the message content, realizing a power system message hijacking attack scenario. The simulation is used to judge whether the communication services of the power system are secure and whether equipment in the power system needs to be replaced.
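The capture, match, parse and classify pipeline summarised above (header matching against a protocol library, extraction of the information body and its message code, then the downlink/uplink decision) can be made concrete for IEC 104 frames. The following is an added example written for this page, not the patent's or the applicants' code; the library layout, function names and sample frames are assumptions, and the same classification is what a monitoring system needs in order to recognise the command and measurement messages that such a hijack test exercises.

```python
"""Added example, not the patent's own code: the capture -> match -> parse ->
classify pipeline of the described method, for IEC 60870-5-104 frames only. The
library layout, helper names and sample frames below are constructed assumptions."""
import struct

# Minimal "preset dedicated power protocol library": one header signature per
# protocol. IEC 104 APDUs start with 0x68 followed by a one-byte APDU length.
PROTOCOL_LIBRARY = {"IEC104": {"start_byte": 0x68, "apci_len": 6}}

# Subset of IEC 104 ASDU type identifiers. Types below 45 travel in the monitor
# direction (uplink, outstation -> master); 45..69 are process commands and
# 100..107 system commands in the control direction (downlink, master -> outstation).
TYPE_NAMES = {1: "M_SP_NA_1", 9: "M_ME_NA_1", 11: "M_ME_NB_1", 13: "M_ME_NF_1",
              36: "M_ME_TF_1", 45: "C_SC_NA_1", 46: "C_DC_NA_1", 100: "C_IC_NA_1"}
UPLINK_NUMERIC_TYPES = {9, 11, 13, 36}   # measured values (normalised, scaled, float)


def match_protocol(frame: bytes):
    """Claim 3: match the header fields against the library; return the protocol name or None."""
    for name, sig in PROTOCOL_LIBRARY.items():
        if (len(frame) >= sig["apci_len"] and frame[0] == sig["start_byte"]
                and frame[1] == len(frame) - 2):  # APDU length excludes start and length bytes
            return name
    return None


def parse_iec104(frame: bytes) -> dict:
    """Claim 4: locate the information body (ASDU) from the frame format and read its message code."""
    cf1 = frame[2]
    fmt = "I" if cf1 & 1 == 0 else ("S" if cf1 & 3 == 1 else "U")
    info = {"format": fmt}
    if fmt != "I":
        return info                      # S- and U-frames carry no ASDU
    info["send_seq"] = struct.unpack("<H", frame[2:4])[0] >> 1
    info["recv_seq"] = struct.unpack("<H", frame[4:6])[0] >> 1
    asdu = frame[6:]
    type_id, vsq, cot, _originator, ca = struct.unpack("<BBBBH", asdu[:6])
    info.update(type_id=type_id, type_name=TYPE_NAMES.get(type_id, "?"),
                n_elements=vsq & 0x7F, cause=cot & 0x3F, common_addr=ca,
                ioa=int.from_bytes(asdu[6:9], "little"))
    if type_id == 13:                    # short float value followed by a quality descriptor
        info["value"] = struct.unpack("<f", asdu[9:13])[0]
    elif type_id == 45:                  # single command: bit 0 = state, bit 7 = select/execute
        info["command_state"] = asdu[9] & 1
        info["select"] = bool(asdu[9] & 0x80)
    return info


def classify(frame: bytes) -> str:
    """Claim 5's decision: downlink -> counterfeit-message scenario, uplink numeric -> replay scenario."""
    if match_protocol(frame) != "IEC104":
        return "unknown_protocol"
    info = parse_iec104(frame)
    if info["format"] != "I":
        return "link_control"            # no information content to act on
    t = info["type_id"]
    if 45 <= t <= 69 or 100 <= t <= 107:
        return "downlink_command"
    if t in UPLINK_NUMERIC_TYPES:
        return "uplink_numeric"
    return "uplink_other" if t < 45 else "unclassified"


# Constructed sample frames (not captured traffic).
CMD_FRAME = bytes.fromhex("680e02000200" + "2d010600010000100001")                # C_SC_NA_1 ON, IOA 4096
MEAS_FRAME = bytes.fromhex("681204000200" + "0d0103000100d1070000004842" + "00")  # M_ME_NF_1 = 50.0, IOA 2001
TESTFR_FRAME = bytes.fromhex("680443000000")                                      # U-frame TESTFR act
MODBUS_FRAME = bytes.fromhex("00010000000601030000000a")                          # Modbus/TCP, not in library

if __name__ == "__main__":
    for frame in (CMD_FRAME, MEAS_FRAME, TESTFR_FRAME, MODBUS_FRAME):
        print(frame.hex(), "->", classify(frame))
```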
It should be noted that, in the above device embodiments, the included modules are divided only according to functional logic, but the division is not limited to the above, as long as the corresponding functions can be realized; in addition, the specific names of the functional modules are only for convenience of distinguishing them from one another and do not limit the protection scope of the present invention.
In addition, those of ordinary skill in the art will understand that all or part of the steps for implementing the methods of the above embodiments can be completed by a program instructing the relevant hardware, and the corresponding program can be stored in a readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disc and the like.
The technical features of the above embodiments can be combined arbitrarily. For brevity of description, not all possible combinations of the technical features of the above embodiments have been described; however, as long as there is no contradiction in the combination of these technical features, it should be considered to be within the scope recorded in this specification.
The above embodiments only express several embodiments of the present invention, and their description is relatively specific and detailed, but this should not be construed as limiting the scope of the patent. It should be pointed out that, for those of ordinary skill in the art, a number of variations and improvements can be made without departing from the concept of the invention, and these all fall within the protection scope of the present invention. Therefore, the protection scope of the patent of the present invention shall be subject to the appended claims.

Claims (10)

1. An attack simulation method for a power system, characterised in that it includes:
capturing communication data packets and obtaining message data;
parsing the information content of the message data according to a preset dedicated power protocol library;
performing a corresponding attack simulation operation for the information content.
2. The attack simulation method according to claim 1, characterised in that the parsing of the information content of the message data according to the preset dedicated power protocol library includes:
matching the message data against the preset dedicated power protocol library to obtain the protocol type of the message data;
parsing the information content of the message data according to the protocol type.
3. The attack simulation method according to claim 2, characterised in that the matching of the message data against the preset dedicated power protocol library to obtain the protocol type of the message data includes:
matching the header fields of the message data against the fields of the preset dedicated power protocol library to obtain the protocol type of the message data.
4. The attack simulation method according to claim 2, characterised in that the parsing of the information content of the message data according to the protocol type includes:
obtaining the message information body in the message data according to the message frame format specified by the protocol type;
identifying the information content carried by the message data according to the message code in the message information body.
5. The attack simulation method according to claim 1, characterised in that the performing of a corresponding attack simulation operation for the information content includes:
judging whether the information content is downlink information and, if so, performing a counterfeit message attack simulation operation;
otherwise, further judging whether the information content is uplink numerical information and, if so, performing a replay attack simulation operation.
6. An attack simulation device for a power system, characterised in that it includes:
a capture module, for capturing communication data packets and obtaining message data;
a parsing module, for parsing the information content of the message data according to a preset dedicated power protocol library;
a simulation module, for performing a corresponding attack simulation operation for the information content.
7. The attack simulation device according to claim 6, characterised in that the parsing module includes:
a matching unit, for matching the message data against the preset dedicated power protocol library to obtain the protocol type of the message data;
a parsing unit, for parsing the information content of the message data according to the protocol type.
8. The attack simulation device according to claim 7, characterised in that the matching unit is configured to match the header fields of the message data against the fields of the preset dedicated power protocol library to obtain the protocol type of the message data.
9. The attack simulation device according to claim 7, characterised in that the parsing unit includes:
an obtaining sub-unit, for obtaining the message information body in the message data according to the message frame format specified by the protocol type;
an identifying sub-unit, for identifying the information content carried by the message data according to the message code in the message information body.
10. An attack simulation equipment, characterised in that it includes the attack simulation device according to any one of claims 6 to 9.
CN201610881401.1A 2016-09-30 2016-09-30 Attack simulation method and device for power system and attack simulation equipment Pending CN106302535A (en)


Publications (1)

Publication Number Publication Date
CN106302535A true CN106302535A (en) 2017-01-04

Family

ID=57718039


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210803

Address after: 510663 3 building, 3, 4, 5 and J1 building, 11 building, No. 11, Ke Xiang Road, Luogang District Science City, Guangzhou, Guangdong.

Applicant after: China South Power Grid International Co.,Ltd.

Applicant after: SEATECH (BEIJING) CO.,LTD.

Address before: 510663 No.11 Kexiang Road, Science City, Luogang District, Guangzhou City, Guangdong Province

Applicant before: POWER GRID TECHNOLOGY RESEARCH CENTER. CHINA SOUTHERN POWER GRID

Applicant before: China South Power Grid International Co.,Ltd.

Applicant before: SEATECH (BEIJING) CO.,LTD.

RJ01 Rejection of invention patent application after publication

Application publication date: 20170104