CN106936801B - Method and device for realizing message filtering - Google Patents


Info

Publication number
CN106936801B
Authority
CN
China
Prior art keywords
opc
allowed
message
information indicating
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201511031847.7A
Other languages
Chinese (zh)
Other versions
CN106936801A (en
Inventor
张刚强
孟庆森
张帅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING LEADSEC TECHNOLOGY CO LTD
Venustech Group Inc
Original Assignee
BEIJING LEADSEC TECHNOLOGY CO LTD
Venustech Group Inc
Application filed by BEIJING LEADSEC TECHNOLOGY CO LTD, Venustech Group Inc
Priority to CN201511031847.7A
Publication of CN106936801A
Application granted
Publication of CN106936801B
Legal status: Active

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls › H04L 63/0227 Filtering policies › H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls › H04L 63/0227 Filtering policies › H04L 63/0263 Rule management
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 63/00 Network architectures or network communication protocols for network security › H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources › H04L 63/105 Multiple levels of security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a device for implementing message filtering. The method comprises the following steps: receiving a data message from an OPC terminal; in a preset first correspondence among operation methods, OPC items and information indicating whether the operation is allowed, searching for the information indicating whether the operation is allowed that corresponds to the operation method and the OPC item in the data message; determining that the found information indicates that the operation is allowed; and sending the data message to an OPC server. With the scheme of the invention, the operation method and the OPC item in the data message are filtered, and the protection of the data message is improved.

Description

Method and device for realizing message filtering
Technical Field
The present invention relates to OLE (Object Linking and Embedding) for Process Control (OPC), and more particularly to a method and an apparatus for implementing message filtering.
Background
The OPC protocol was proposed to provide a standard data exchange interface between the equipment of automation manufacturers and application software. Its efficiency, reliability and openness greatly simplify the communication mechanism between industrial field devices and application software, and make it easier to integrate equipment from different manufacturers. It is widely used in industrial control networks. Because the OPC protocol lacked security considerations at the time of its design and has many potential security hazards, it is necessary to filter the messages exchanged between the OPC terminal and the OPC server.
The existing method for implementing message filtering roughly comprises the following steps:
receiving a data message from the OPC terminal, determining that the received data message is an OPC protocol message, and sending the received message to the OPC server.
In the existing method, only whether the received data message is an OPC protocol message is determined, that is, the message is filtered at the network layer only; the content of the data message cannot be filtered, and the protection of the data message is weak.
Disclosure of Invention
In order to solve the above problems, the present invention provides a method and an apparatus for implementing message filtering, which can improve the protection performance of data messages.
In order to achieve the above object, the present invention provides a method for implementing message filtering, including:
receiving a data message from an OLE for Process Control (OPC) terminal;
in a preset first correspondence among operation methods, OPC items and information indicating whether the operation is allowed, searching for the information indicating whether the operation is allowed that corresponds to the operation method and the OPC item in the data message, determining that the found information indicates that the operation is allowed, and sending the data message to an OPC server.
Optionally, after receiving the data message from the OPC terminal and before searching the first correspondence for the information indicating whether the operation is allowed that corresponds to the operation method and the OPC item in the data message, the method further includes:
finding the operation method in the data message among the preset operation methods allowed to be executed.
Optionally, when the operation method in the data message is modify, after determining that the found information indicates that the operation is allowed and before sending the data message to the OPC server, the method further includes:
searching, in a preset second correspondence between OPC items and safety ranges, for the safety range corresponding to each OPC item in the data message;
and determining, for each OPC item in the data message, that the numerical value or the character string length corresponding to that OPC item is within the safety range found for it.
Optionally, after receiving the data message from the OPC terminal and before searching the first correspondence for the information indicating whether the operation is allowed that corresponds to the operation method and the OPC item in the data message, the method further includes:
in a preset third correspondence between parameters and information indicating whether passage is allowed, searching for the information indicating whether passage is allowed that corresponds to each preset parameter in the data message, and determining that the found information indicates that passage is allowed; the preset parameters are a source Internet Protocol (IP) address, a destination IP address, a source port or a destination port;
and/or
determining that the data message is an OPC protocol message.
Optionally, when it is determined that the found information indicating whether the operation is allowed indicates that the operation is not allowed, or that the operation method in the data message cannot be found among the operation methods allowed to be executed, or that the numerical value or the character string length corresponding to one OPC item in the data message is not within the safety range found for that OPC item, or that at least one piece of the found information indicating whether passage is allowed indicates that passage is not allowed, or that the data message is not an OPC protocol message, the method further includes:
discarding the data message.
Optionally, the method further comprises:
receiving a main connection request message from the OPC terminal, obtaining the dynamic port acquisition method name in the main connection request message, and sending the main connection request message to the OPC server;
receiving a main connection response message from the OPC server, and searching, in a third correspondence between preset dynamic port acquisition method names and information representing the format of the execution result, for the information representing the format of the execution result that corresponds to the obtained dynamic port acquisition method name;
obtaining the dynamic port number from the execution result in the main connection response message according to the found information representing the format of the execution result;
and sending the main connection response message to the OPC terminal.
Optionally, after receiving the main connection request message from the OPC terminal and before obtaining the dynamic port acquisition method name in the main connection request message, the method further includes:
in a third correspondence between preset parameters and information indicating whether passage is allowed, searching for the information indicating whether passage is allowed that corresponds to each preset parameter in the main connection request message, and determining that the found information indicates that passage is allowed;
and/or
determining that the main connection request message is an OPC protocol message.
Optionally, after obtaining the dynamic port number in the execution result in the main connection response message according to the found information indicating the format of the execution result, the method further includes:
and in the third corresponding relation, setting the information indicating whether the obtained dynamic port number is allowed to pass or not as allowed to pass.
The invention also provides a device for realizing message filtering, which at least comprises:
a receiving module, configured to receive a data message from an OLE for Process Control (OPC) terminal;
and a filtering module, configured to search, in a preset first correspondence among operation methods, OPC items and information indicating whether the operation is allowed, for the information indicating whether the operation is allowed that corresponds to the operation method and the OPC item in the data message, determine that the found information indicates that the operation is allowed, and send the data message to the OPC server.
Optionally, the filtering module is specifically configured to:
searching the operation method in the data message in the preset operation method allowed to be executed, searching the information indicating whether the operation is allowed or not corresponding to the operation method and the OPC item in the data message in the first corresponding relation among the preset operation method, the OPC item and the information indicating whether the operation is allowed or not, judging that the searched information indicating whether the operation is allowed or not is the information indicating that the operation is allowed, and sending the data message to the OPC server.
Optionally, when the operation method in the data message is modify, the filtering module is specifically configured to:
search the first correspondence for the information indicating whether the operation is allowed that corresponds to the operation method and the OPC item in the data message, determine that the found information indicates that the operation is allowed, search a preset second correspondence between OPC items and safety ranges for the safety range corresponding to each OPC item in the data message, determine for each OPC item in the data message that the numerical value or the character string length corresponding to it is within the safety range found for it, and send the data message to the OPC server.
Optionally, the filtering module is specifically configured to:
in a third corresponding relation between preset parameters and information indicating whether the data is allowed to pass or not, searching information indicating whether the data is allowed to pass or not corresponding to each preset parameter in the data message, and judging whether the searched information indicating whether the data is allowed to pass or not is allowed to pass; the preset parameters are a source Internet Protocol (IP) address, a destination IP address, a source port or a destination port; and/or judging that the data message is an OPC protocol message;
and searching the operation method in the data message and the information which represents whether the operation is allowed or not and corresponds to the OPC item in the first corresponding relation, judging that the searched information which represents whether the operation is allowed or not is the information which represents that the operation is allowed, and sending the data message to an OPC server.
Optionally, the filtering module is further configured to:
discard the data message when it is determined that the found information indicating whether the operation is allowed indicates that the operation is not allowed, or that the operation method in the data message cannot be found among the operation methods allowed to be executed, or that the numerical value or the character string length corresponding to one OPC item in the data message is not within the safety range found for that OPC item, or that at least one piece of the found information indicating whether passage is allowed indicates that passage is not allowed, or that the data message is not an OPC protocol message.
Optionally, the receiving module is further configured to:
receiving a main connection request message from the OPC terminal; receiving a main connection response message from the OPC server;
the filter module is further configured to:
acquiring a dynamic port acquisition method name in the main connection request message, and sending the main connection request message to the OPC server; searching for information which is corresponding to the obtained dynamic port acquisition method name and represents the format of the execution result in a third corresponding relation between the preset dynamic port acquisition method name and the information which represents the format of the execution result; acquiring a dynamic port number in an execution result in the main connection response message according to the searched information which represents the format of the execution result; and sending the main connection response message to the OPC terminal.
Optionally, the receiving module is further configured to:
receiving a main connection request message from the OPC terminal; receiving a main connection response message from the OPC server;
the filter module is further configured to:
in a third corresponding relationship between preset parameters and information indicating whether the information allows passing or not, searching for the information indicating whether the information corresponding to each preset parameter in the main connection request message/the main connection response message allows passing or not, and judging whether the searched information indicating whether the information allows passing or not is allowed to pass; and/or judging that the main connection request message/the main connection response message is an OPC protocol message;
acquiring a dynamic port acquisition method name in the main connection request message, and sending the main connection request message to the OPC server; searching for information which is corresponding to the obtained dynamic port acquisition method name and represents the format of the execution result in a third corresponding relation between the preset dynamic port acquisition method name and the information which represents the format of the execution result; acquiring a dynamic port number in an execution result in the main connection response message according to the searched information which represents the format of the execution result; and sending the main connection response message to the OPC terminal.
Optionally, the filtering module is further configured to:
and in the third corresponding relation, setting the information indicating whether the obtained dynamic port number is allowed to pass or not as allowed to pass.
Compared with the prior art, the technical scheme of the invention comprises the following steps: receiving a data message from an OPC terminal; in a preset first correspondence among operation methods, OPC items and information indicating whether the operation is allowed, searching for the information indicating whether the operation is allowed that corresponds to the operation method and the OPC item in the data message, determining that the found information indicates that the operation is allowed, and sending the data message to an OPC server. With the scheme of the invention, the operation method and the OPC item in the data message are filtered, and the protection of the data message is improved.
Further, when the operation method in the data message is modify, after finding the operation method in the data message among the preset operation methods allowed to be executed and before sending the data message to the OPC server, the method further includes: searching, in a preset second correspondence between OPC items and safety ranges, for the safety range corresponding to each OPC item in the data message; and determining, for each OPC item in the data message, that the numerical value or the character string length corresponding to that OPC item is within the safety range found for it. The value corresponding to each OPC item in the data message is thus also filtered, and the protection of the data message is further improved.
Drawings
The accompanying drawings in the embodiments of the present invention are described below, and the drawings in the embodiments are provided for further understanding of the present invention, and together with the description serve to explain the present invention without limiting the scope of the present invention.
FIG. 1 is a flow chart of a method for implementing message filtering according to the present invention;
FIG. 2 is a flowchart of a method for establishing a primary connection according to a first embodiment of the present invention;
fig. 3 is a flowchart of a method for performing a data service according to a second embodiment of the present invention;
fig. 4 is a schematic structural diagram of a device for implementing message filtering according to the present invention.
Detailed Description
The following further description of the present invention, in order to facilitate understanding of those skilled in the art, is provided in conjunction with the accompanying drawings and is not intended to limit the scope of the present invention. In the present application, the embodiments and various aspects of the embodiments may be combined with each other without conflict.
Referring to fig. 1, the present invention provides a method for implementing packet filtering, including:
step 100, receiving a data message from an OPC terminal.
In this step, the data packet includes an operation method and an OPC entry.
The data packet may further include a value corresponding to the OPC entry.
The data message may include one or more operation methods, each operation method may correspond to one or more OPC entries, and each OPC entry corresponds to a value corresponding to one OPC entry.
The operation method may be adding, deleting, modifying or the like, applied to an OPC group or an OPC item. When the operation method is delete, the data message need not include a value corresponding to the OPC item.
Step 101, in a preset first correspondence among operation methods, OPC items and information indicating whether the operation is allowed, searching for the information indicating whether the operation is allowed that corresponds to the operation method and the OPC item in the data message, determining that the found information indicates that the operation is allowed, and sending the data message to the OPC server.
In this step, when the operation method in the data message is modify, after determining that the found information indicates that the operation is allowed and before sending the data message to the OPC server, the method further includes: searching, in a preset second correspondence between OPC items and safety ranges, for the safety range corresponding to each OPC item in the data message; and determining, for each OPC item in the data message, that the numerical value or the character string length corresponding to that OPC item is within the safety range found for it.
When the value corresponding to an OPC item is in a numeric format, it is determined whether the numerical value corresponding to that OPC item in the data message is within the safety range found for it; when the value corresponding to an OPC item is in a character string format, it is determined whether the length of the character string corresponding to that OPC item in the data message is within the safety range found for it.
By the scheme of the invention, the operation method and the OPC item in the data message are filtered, and the protection performance of the data message is improved.
Further, between step 100 and step 101, the method further comprises: finding the operation method in the data message among the preset operation methods allowed to be executed.
Further, between step 100 and step 101, the method further comprises:
in a third correspondence between the preset parameters and information indicating whether passage is allowed, searching for the information indicating whether passage is allowed that corresponds to each preset parameter in the data message, and determining that the found information indicates that passage is allowed;
and/or
determining that the data message is an OPC protocol message.
Specifically, how to determine whether the data packet is the OPC protocol packet may be implemented by using a known technique of a person skilled in the art, and is not used to limit the protection scope of the present invention, and details are not described here.
The preset parameter may be a source IP address, a destination IP address, a source port, a destination port, or the like.
Further, when it is determined that the found information indicating whether the operation is allowed indicates that the operation is not allowed, or that the operation method in the data message cannot be found among the operation methods allowed to be executed, or that the numerical value or the character string length corresponding to one OPC item in the data message is not within the safety range found for that OPC item, or that at least one piece of the found information indicating whether passage is allowed indicates that passage is not allowed, or that the data message is not an OPC protocol message, the method further includes:
discarding the data message.
Further, the method also comprises the following steps:
receiving a main connection request message from an OPC terminal, acquiring a dynamic port acquisition method name in the main connection request message, and sending the main connection request message to an OPC server; receiving a main connection response message from an OPC server, and searching for information which is corresponding to the obtained dynamic port acquisition method name and represents the format of an execution result in a third corresponding relation between the preset dynamic port acquisition method name and the information which represents the format of the execution result; acquiring a dynamic port number in an execution result in the main connection response message according to the searched information which represents the format of the execution result; and sending the main connection response message to the OPC terminal.
The information indicating the format of the execution result comprises the name of each field in the execution result and the sequence of each field.
And obtaining the numerical value of the dynamic port number field in the execution result in the main connection response message according to the name of each field and the sequence of each field, so as to obtain the dynamic port number.
The names of the fields and the like can be arranged according to the sequence of the fields in the execution result.
Further, after receiving the main connection request message from the OPC terminal/OPC server and before obtaining the dynamic port acquisition method name in the main connection request message, the method further includes:
in a third correspondence between the preset parameters and information indicating whether passage is allowed, searching for the information indicating whether passage is allowed that corresponds to each preset parameter in the main connection request message, and determining that the found information indicates that passage is allowed;
and/or
determining that the main connection request message is an OPC protocol message.
Specifically, how to determine whether the primary connection request packet/the primary connection response packet is the OPC protocol packet may be implemented by using a known technique of a person skilled in the art, and is not used to limit the protection scope of the present invention, and details are not described here.
Further, after obtaining the dynamic port number in the execution result in the main connection response message according to the found information indicating the format of the execution result, the method further includes:
and setting the information which indicates whether the obtained dynamic port number in the third corresponding relation allows the passing as the passing.
The process of the present invention is illustrated in detail by the following specific examples.
The method comprises three aspects of establishing a main connection, establishing a desired connection and carrying out data service.
First embodiment, referring to fig. 2, a method for establishing a primary connection includes:
step 200, receiving a main connection request message from an OPC terminal.
In this step, the destination port of the primary connection request message is 135.
Step 201, searching for information indicating whether the preset parameters in the primary connection request message are allowed to pass or not in the second corresponding relationship.
Step 202, determining whether the found information indicates that passage is allowed; if so, executing step 203; if not, executing step 206.
Step 203, judging whether the main connection request message is an OPC protocol message, if so, executing step 204; if not, step 206 is performed.
And step 204, acquiring the name of the dynamic port acquisition method in the main connection request message, and sending the main connection request message to the OPC server.
Step 205, receiving the main connection response message from the OPC server, searching the third correspondence for the information representing the format of the execution result that corresponds to the obtained dynamic port acquisition method name, obtaining the dynamic port number from the execution result in the main connection response message according to the found information representing the format of the execution result, setting, in the second correspondence, the information indicating whether the obtained dynamic port number is allowed to pass to allowed, and sending the main connection response message to the OPC terminal.
Step 206, discarding the primary connection request message.
In a second embodiment, referring to fig. 3, a method for performing a data service includes:
step 300, receiving a data message from an OPC terminal.
In this step, the destination port of the data packet is the dynamic port number obtained in step 209.
Step 301, searching for information indicating whether the data packet is allowed to pass or not corresponding to each preset parameter in the third corresponding relation.
Step 302, determining whether the found information indicates that passage is allowed; if so, executing step 303; if not, executing step 308.
Step 303, judging whether the data message is an OPC protocol message, if so, executing step 304; if not, step 310 is performed.
Step 304, searching the operation method in the data message in the preset operation method allowed to be executed, if the operation method can be found, executing step 305, and if the operation method cannot be found, executing step 310.
Step 305, searching the information which indicates whether the operation is allowed or not and corresponds to the operation method and the OPC item in the data message in the first corresponding relation.
Step 306, determining whether the found information indicating whether the operation is allowed indicates that the operation is allowed; if so and the operation method is modify, executing step 307; if so and the operation method is not modify, executing step 309; if not, executing step 310.
Step 307, the security range corresponding to each OPC item in the data message is searched in the second corresponding relationship.
Step 308, respectively determining whether the numerical value or the character string length corresponding to each OPC entry in the data message is within the found safety range corresponding to each OPC entry, if so, executing step 309, and if one of the OPC entries does not have the numerical value or the character string length corresponding to the found OPC entry within the found safety range corresponding to the OPC entry, executing step 310.
Step 309, sending the data message to the OPC server.
Step 310, discarding the data packet.
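The two phases described in steps 205 to 206 and 300 to 310 above, as an added worked example in Python (it is not code from the patent or from the assignee). Messages are plain dicts; the OPC terminal is 10.0.0.5, the OPC server is 10.0.0.20 with its main connection on port 135, the dynamic port acquisition method is called RemoteCreateInstance, and its execution result is modelled as four status bytes followed by a little-endian 16-bit port. All of those, the decision to judge the server's reply against the mirrored address/port tuple, and the choice to drop a write to an item that has no safety range are assumptions made here, not statements from the page. The lookup tables are passed in as plain dicts: `acl` is the table of preset parameters and pass/deny information, `item_acl` the first corresponding relation, `safe_ranges` the second, and `result_formats` the table of dynamic port acquisition method names and execution result formats.

```python
import struct

ANY = object()  # wildcard for one column of the parameter table (third relation)

class OpcFilter:
    def __init__(self, acl, method_allowlist, modify_methods, item_acl, safe_ranges, result_formats):
        self.acl = acl                        # third relation: parameter -> allowed values (or ANY)
        self.method_allowlist = method_allowlist
        self.modify_methods = modify_methods  # operation methods that write to the server
        self.item_acl = item_acl              # first relation: (method, item) -> allowed?
        self.safe_ranges = safe_ranges        # second relation: item -> (low, high)
        self.result_formats = result_formats  # dynamic-port method name -> (offset, struct fmt)
        self.pending = {}                     # (client_ip, server_ip) -> method awaiting a reply

    def _precheck(self, msg, reverse=False):
        # Steps 301-303. A server reply is judged against the mirror of the client's tuple.
        cols = ("src_ip", "dst_ip", "src_port", "dst_port")
        keys = ("dst_ip", "src_ip", "dst_port", "src_port") if reverse else cols
        if not all(self.acl[c] is ANY or msg[k] in self.acl[c] for c, k in zip(cols, keys)):
            return "drop: address/port not allowed"
        if msg.get("proto") != "opc":
            return "drop: not an OPC message"
        return None

    def main_connection_request(self, req):
        why = self._precheck(req)
        if why:
            return why
        if req["method"] not in self.result_formats:
            return "drop: unknown dynamic-port method"
        self.pending[(req["src_ip"], req["dst_ip"])] = req["method"]  # remembered for the reply
        return "forward"

    def main_connection_response(self, resp):
        why = self._precheck(resp, reverse=True)
        if why:
            return why
        method = self.pending.pop((resp["dst_ip"], resp["src_ip"]), None)
        if method is None:
            return "drop: reply without a pending request"
        offset, fmt = self.result_formats[method]
        try:
            (port,) = struct.unpack_from(fmt, resp["result"], offset)
        except struct.error:
            return "drop: execution result too short"
        self.acl["dst_port"].add(port)        # step 205: open the pinhole for the data phase
        return "forward"

    def data_message(self, msg):
        why = self._precheck(msg)             # steps 301-303
        if why:
            return why
        method = msg["method"]
        if method not in self.method_allowlist:                   # step 304
            return "drop: method not in allowlist"
        for item in msg["items"]:                                 # steps 305-306
            if not self.item_acl.get((method, item), False):
                return "drop: %s not allowed on %s" % (method, item)
        if method not in self.modify_methods:
            return "forward"                  # read-type operation: no range check (step 309)
        for item, value in msg["items"].items():                  # steps 307-308
            rng = self.safe_ranges.get(item)
            if rng is None:
                return "drop: no safe range for %s" % item   # fail closed (choice made here)
            measured = len(value) if isinstance(value, str) else value
            if not rng[0] <= measured <= rng[1]:
                return "drop: %s=%r outside safe range" % (item, value)
        return "forward"

def build_example_filter():
    # Constructed policy: one client, one server, main connection on 135 (assumed).
    return OpcFilter(
        acl={"src_ip": {"10.0.0.5"}, "dst_ip": {"10.0.0.20"}, "src_port": ANY, "dst_port": {135}},
        method_allowlist={"Read", "Write"}, modify_methods={"Write"},
        item_acl={("Read", "Tank1.Level"): True, ("Write", "Tank1.Setpoint"): True,
                  ("Write", "Tank1.Label"): True},
        safe_ranges={"Tank1.Setpoint": (0, 100), "Tank1.Label": (0, 16)},
        result_formats={"RemoteCreateInstance": (4, "<H")},  # hypothetical: 4 status bytes, then LE port
    )

def _msg(src, dst, sport, dport, proto="opc", **rest):
    return dict(src_ip=src, dst_ip=dst, src_port=sport, dst_port=dport, proto=proto, **rest)

def demo():
    """Replays the constructed exchange and returns the verdict for each message, in order."""
    f, c, s = build_example_filter(), "10.0.0.5", "10.0.0.20"
    def data(dport, method, items, proto="opc"):
        return f.data_message(_msg(c, s, 50001, dport, proto, method=method, items=items))
    reply = b"\x00\x00\x00\x00" + struct.pack("<H", 49152)  # constructed execution result
    return [
        data(49152, "Read", {"Tank1.Level": None}),                # pinhole not open yet
        f.main_connection_request(_msg(c, s, 50000, 135, method="RemoteCreateInstance")),
        f.main_connection_response(_msg(s, c, 135, 50000, result=reply)),
        data(49152, "Read", {"Tank1.Level": None}),                # now reaches the learned port
        data(49152, "Write", {"Tank1.Setpoint": 150}),             # value out of range
        data(49152, "Write", {"Tank1.Setpoint": 42}),
        data(49152, "Write", {"Tank1.Label": "x" * 20}),           # string too long
        data(49152, "Write", {"Tank1.Level": 1}),                  # item not writable
        data(49152, "Read", {"Tank1.Level": None}, proto="http"),  # not OPC
    ]
```

Calling `demo()` replays the exchange and returns one verdict per message. Two caveats for anyone building on this pattern: the page adds the learned port to the destination-port column as a whole, so the pinhole is tied neither to the server that returned it nor to the client that asked; a production filter should key the learned port on the (client, server) pair and expire it when the session ends. And because the dynamic port is taken straight from the server's reply, the extraction must tolerate short or malformed execution results (the `struct.error` branch) rather than open an arbitrary port.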
Referring to fig. 4, the present invention further provides a device for implementing message filtering, which comprises at least:
a receiving module, configured to receive a data message from an OPC (OLE for Process Control) terminal;
and a filtering module, configured to look up, in a first corresponding relation among preset operation methods, OPC items and information indicating whether the operation is allowed, the information corresponding to the operation method and the OPC item in the data message, determine that the found information indicates that the operation is allowed, and send the data message to the OPC server.
In the device of the present invention, the filtering module is specifically configured to:
look for the operation method in the data message among the preset operation methods allowed to be executed; look up, in the first corresponding relation among preset operation methods, OPC items and information indicating whether the operation is allowed, the information corresponding to the operation method and the OPC item in the data message; determine that the found information indicates that the operation is allowed; and send the data message to the OPC server.
In the device of the present invention, when the operation method in the data message is a modify-type (write) operation, the filtering module is specifically configured to:
look up, in the first corresponding relation, the information corresponding to the operation method and the OPC item in the data message, and determine that the found information indicates that the operation is allowed; look up, in a second corresponding relation between preset OPC items and safety ranges, the safety range corresponding to each OPC item in the data message; determine, for each OPC item in the data message, that the numerical value or character string length corresponding to that item lies within the found safety range for that item; and send the data message to the OPC server.
In the device of the present invention, the filtering module is specifically configured to:
look up, in a third corresponding relation between preset parameters and information indicating whether passing is allowed, the information corresponding to each preset parameter in the data message, and determine that the found information indicates that passing is allowed, the preset parameters being a source Internet Protocol (IP) address, a destination IP address, a source port or a destination port; and/or determine that the data message is an OPC protocol message;
and then look up, in the first corresponding relation, the information corresponding to the operation method and the OPC item in the data message, determine that the found information indicates that the operation is allowed, and send the data message to the OPC server.
In the device of the present invention, the filtering module is further configured to:
discard the data message when the found information indicates that the operation is not allowed, or the operation method in the data message is not found among the operation methods allowed to be executed, or the numerical value or character string length of one OPC item in the data message lies outside the found safety range for that item, or at least one piece of the found information indicating whether passing is allowed indicates that passing is not allowed, or the data message is not an OPC protocol message.
In the device of the present invention, the receiving module is further configured to:
receive a main connection request message from the OPC terminal; and receive a main connection response message from the OPC server;
and the filtering module is further configured to:
obtain the dynamic port acquisition method name in the main connection request message, and send the main connection request message to the OPC server; look up, in a third corresponding relation between preset dynamic port acquisition method names and information indicating the format of the execution result, the execution result format corresponding to the obtained dynamic port acquisition method name; obtain the dynamic port number from the execution result in the main connection response message according to the found execution result format; and send the main connection response message to the OPC terminal.
In the device of the present invention, the receiving module is further configured to:
receive a main connection request message from the OPC terminal; and receive a main connection response message from the OPC server;
and the filtering module is further configured to:
look up, in a third corresponding relation between preset parameters and information indicating whether passing is allowed, the information corresponding to each preset parameter in the main connection request message / main connection response message, and determine that the found information indicates that passing is allowed; and/or determine that the main connection request message / main connection response message is an OPC protocol message;
obtain the dynamic port acquisition method name in the main connection request message, and send the main connection request message to the OPC server; look up, in a third corresponding relation between preset dynamic port acquisition method names and information indicating the format of the execution result, the execution result format corresponding to the obtained dynamic port acquisition method name; obtain the dynamic port number from the execution result in the main connection response message according to the found execution result format; and send the main connection response message to the OPC terminal.
In the device of the present invention, the filtering module is further configured to:
set, in the third corresponding relation (preset parameters to information indicating whether passing is allowed), the entry for the obtained dynamic port number to "allowed to pass".
It should be noted that the above embodiments are provided only to help those skilled in the art understand the invention and are not intended to limit its scope; any obvious substitutions, modifications and the like made by those skilled in the art without departing from the inventive concept of the present invention fall within the scope of the present invention.

Claims (16)

1. A method for implementing message filtering, characterized by comprising the following steps:
receiving a data message from an OPC (OLE for Process Control) terminal;
looking up, in a first corresponding relation among preset operation methods, OPC items and information indicating whether the operation is allowed, the information corresponding to the operation method and the OPC item in the data message, and, when the found information is judged to indicate that the operation is allowed and the operation method in the data message is a modify-type operation, looking up, in a second corresponding relation between preset OPC items and safety ranges, the safety range corresponding to each OPC item in the data message;
and, when the numerical value or character string length corresponding to each OPC item in the data message is respectively judged to lie within the found safety range for that OPC item, sending the data message to the OPC server.
2. The method according to claim 1, wherein after receiving the data message from the OPC terminal and before looking up, in the first corresponding relation, the information corresponding to the operation method and the OPC item in the data message, the method further comprises:
finding the operation method in the data message among the preset operation methods allowed to be executed.
3. The method of claim 1, further comprising:
when the found information is judged to indicate that the operation is allowed and the operation method in the data message is not a modify-type operation, sending the data message to the OPC server.
4. The method according to claim 1, wherein after receiving the data message from the OPC terminal and before looking up, in the first corresponding relation, the information corresponding to the operation method and the OPC item in the data message, the method further comprises:
looking up, in a third corresponding relation between preset parameters and information indicating whether passing is allowed, the information corresponding to each preset parameter in the data message, and judging that the found information indicates that passing is allowed, the preset parameters being a source Internet Protocol (IP) address, a destination IP address, a source port or a destination port;
and/or
judging that the data message is an OPC protocol message.
5. The method according to claim 1, 2, 3 or 4, further comprising discarding the data message when it is judged that the found information indicates that the operation is not allowed, or the operation method in the data message is not found among the operation methods allowed to be executed, or the numerical value or character string length of one OPC item in the data message is judged to lie outside the found safety range for that OPC item, or at least one piece of the found information indicating whether passing is allowed indicates that passing is not allowed, or the data message is judged not to be an OPC protocol message.
6. The method of claim 1, 2, 3 or 4, further comprising, before the method:
receiving a main connection request message from the OPC terminal, obtaining the dynamic port acquisition method name in the main connection request message, and sending the main connection request message to the OPC server;
receiving a main connection response message from the OPC server, and looking up, in a third corresponding relation between preset dynamic port acquisition method names and information indicating the format of the execution result, the execution result format corresponding to the obtained dynamic port acquisition method name;
obtaining the dynamic port number from the execution result in the main connection response message according to the found execution result format;
and sending the main connection response message to the OPC terminal.
7. The method according to claim 6, wherein after receiving the main connection request message from the OPC terminal and before obtaining the dynamic port acquisition method name in the main connection request message, the method further comprises:
looking up, in a third corresponding relation between preset parameters and information indicating whether passing is allowed, the information corresponding to each preset parameter in the main connection request message, and judging that the found information indicates that passing is allowed;
and/or
judging that the main connection request message is an OPC protocol message.
8. The method according to claim 7, wherein after obtaining the dynamic port number from the execution result in the main connection response message according to the found execution result format, the method further comprises:
setting, in the third corresponding relation, the information indicating whether the obtained dynamic port number is allowed to pass to "allowed to pass".
9. A device for implementing message filtering, at least comprising:
a receiving module, configured to receive a data message from an OPC (OLE for Process Control) terminal;
a filtering module, configured to look up, in a first corresponding relation among preset operation methods, OPC items and information indicating whether the operation is allowed, the information corresponding to the operation method and the OPC item in the data message, and, when the found information is judged to indicate that the operation is allowed and the operation method in the data message is a modify-type operation, look up, in a second corresponding relation between preset OPC items and safety ranges, the safety range corresponding to each OPC item in the data message; and, when the numerical value or character string length corresponding to each OPC item in the data message is respectively judged to lie within the found safety range for that OPC item, send the data message to the OPC server.
10. The device according to claim 9, wherein the filtering module is further configured to, after the data message is received from the OPC terminal and before the information corresponding to the operation method and the OPC item in the data message is looked up in the first corresponding relation, find the operation method in the data message among the preset operation methods allowed to be executed.
11. The device of claim 9, wherein the filtering module is further configured to:
when the found information is judged to indicate that the operation is allowed and the operation method in the data message is not a modify-type operation, send the data message to the OPC server.
12. The device of claim 9, wherein the filtering module is further configured to:
after the data message is received from the OPC terminal and before the information corresponding to the operation method and the OPC item in the data message is looked up in the first corresponding relation, look up, in a third corresponding relation between preset parameters and information indicating whether passing is allowed, the information corresponding to each preset parameter in the data message, and judge that the found information indicates that passing is allowed, the preset parameters being a source Internet Protocol (IP) address, a destination IP address, a source port or a destination port; and/or judge that the data message is an OPC protocol message.
13. The device of claim 9, 10, 11 or 12, wherein the filtering module is further configured to:
discard the data message when it is judged that the found information indicates that the operation is not allowed, or the operation method in the data message is not found among the operation methods allowed to be executed, or the numerical value or character string length of one OPC item in the data message is judged to lie outside the found safety range for that OPC item, or at least one piece of the found information indicating whether passing is allowed indicates that passing is not allowed, or the data message is judged not to be an OPC protocol message.
14. The device of claim 9, 10, 11 or 12, wherein the receiving module is further configured to:
receive a main connection request message from the OPC terminal; and receive a main connection response message from the OPC server;
and the filtering module is further configured to:
obtain the dynamic port acquisition method name in the main connection request message, and send the main connection request message to the OPC server; look up, in a third corresponding relation between preset dynamic port acquisition method names and information indicating the format of the execution result, the execution result format corresponding to the obtained dynamic port acquisition method name; obtain the dynamic port number from the execution result in the main connection response message according to the found execution result format; and send the main connection response message to the OPC terminal.
15. The device of claim 9, 10, 11 or 12, wherein the receiving module is further configured to:
receive a main connection request message from the OPC terminal; and receive a main connection response message from the OPC server;
and the filtering module is further configured to:
look up, in a third corresponding relation between preset parameters and information indicating whether passing is allowed, the information corresponding to each preset parameter in the main connection request message / main connection response message, and judge that the found information indicates that passing is allowed; and/or judge that the main connection request message / main connection response message is an OPC protocol message;
obtain the dynamic port acquisition method name in the main connection request message, and send the main connection request message to the OPC server; look up, in a third corresponding relation between preset dynamic port acquisition method names and information indicating the format of the execution result, the execution result format corresponding to the obtained dynamic port acquisition method name; obtain the dynamic port number from the execution result in the main connection response message according to the found execution result format; and send the main connection response message to the OPC terminal.
16. The device of claim 15, wherein the filtering module is further configured to:
set, in the third corresponding relation, the information indicating whether the obtained dynamic port number is allowed to pass to "allowed to pass".
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511031847.7A CN106936801B (en) 2015-12-31 2015-12-31 Method and device for realizing message filtering

Publications (2)

Publication Number Publication Date
CN106936801A CN106936801A (en) 2017-07-07
CN106936801B true CN106936801B (en) 2020-09-18

Family

ID=59444307

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201511031847.7A Active CN106936801B (en) 2015-12-31 2015-12-31 Method and device for realizing message filtering

Country Status (1)

Country Link
CN (1) CN106936801B (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101745545A (en) * 2008-12-09 2010-06-23 苏州有色金属研究院有限公司 WEB-based aluminum cold-rolling mill shape control man-machine interface operation method
CN101458521B (en) * 2008-12-30 2010-12-29 中国海洋石油总公司 Misoperation prevention method by DCS
CN104660593B (en) * 2015-02-09 2017-10-10 西北工业大学 OPC security gateway packet filtering methods
CN106559382B (en) * 2015-09-25 2019-10-11 北京计算机技术及应用研究所 Protection system of security gateway access control method based on OPC agreement

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant