CN109104335A - An industrial control equipment network attack test method and system - Google Patents

An industrial control equipment network attack test method and system

Info

Publication number: CN109104335A
Authority: CN (China)
Legal status: Pending
Application number: CN201810982351.5A
Other languages: Chinese (zh)
Inventors: 伍晓泉, 胡春潮, 高雅, 林丹生, 胡海生, 曾智勇, 梁智强
Current assignee: Guangdong Power Grid Co Ltd; Electric Power Research Institute of Guangdong Power Grid Co Ltd
Original assignee: Guangdong Power Grid Co Ltd; Electric Power Research Institute of Guangdong Power Grid Co Ltd
Application filed by Guangdong Power Grid Co Ltd and Electric Power Research Institute of Guangdong Power Grid Co Ltd
Priority to CN201810982351.5A
Publication of CN109104335A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/50 Testing arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

This application provides an industrial control equipment network attack test method and system. The method includes: while a network attack traffic test is being run against the device under test, periodically sending probe messages of different protocol types to probe the device under test; and judging the operating state of the device under test from its responses to the probe messages of the different protocol types. The method can send probe messages of different protocol types, and when the device under test responds to only some of them, its operating state can be judged from which protocol types it responded to. The device under test is thus probed at multiple levels, and its operating state is determined from the relationship between that state and the types of probe message it responds to. This solves the technical problem that traditional test methods have a low degree of automation and analyse only a single level.

Description

An industrial control equipment network attack test method and system
Technical field
This application relates to the technical field of network testing, and in particular to an industrial control equipment network attack test method and system.
Background
In recent years, hacker attacks on critical industrial infrastructure have been on the rise. In China, protection of the country's critical industrial infrastructure against attack still relies mainly on boundary protection measures such as physical isolation. Once the boundary protection is breached, the industrial infrastructure directly faces the test of network attack. Lacking any direct attack-resistance capability, industrial infrastructure is very fragile and can be damaged by a network attack within a very short time.
In these years, the direct attack-resistance capability of industrial control equipment has always been a direction of test technology research, mainly verifying the various abnormalities and the robustness of industrial control equipment under various network attack modes (such as DoS and fuzzing attacks), for example network congestion, system crash and restart. The conventional method is to use a testing tool to send network attack traffic to the industrial control equipment while monitoring the state of the device under test through a network protocol or the device logs.
Traditional network attack test methods do not form a unified closed loop; testing and result analysis are performed separately. Usually, after the test is initiated and completed, the relevant result parameters are checked on the device under test. This method is very inefficient, requires constant manual intervention, and does not scale to large-scale network access testing of industrial control equipment.
Traditional network attack test methods generally diagnose the state of the device under test along a single dimension and adjust the parameters of the testing tool manually according to that single-dimension parameter, which makes it difficult to comprehensively consider the performance of the device under test under combined conditions in multiple dimensions.
Traditional test methods only check the corresponding state and parameters of the device under test. Because problems at many different levels may cause the same reaction in the state parameters, it is difficult to quickly distinguish and locate the level at which the problem occurred.
Summary of the invention
This application provides an industrial control equipment network attack test method and system to solve the technical problem that traditional test methods have a low degree of automation and analyse only a single level.
In view of this, the first aspect of the application provides an industrial control equipment network attack test method, comprising:
while a network attack traffic test is being run against the device under test, periodically sending probe messages of different protocol types to probe the device under test;
judging the operating state of the device under test according to its responses to the probe messages of the different protocol types.
Preferably, the probe messages of different protocol types include an ARP probe packet, an ICMP probe message, a TCP probe message and an HTTP probe message, and judging the operating state of the device under test according to its responses to the messages of the different protocol types includes:
if no response to the ARP probe packet is detected, determining that the underlying firmware or the operating system of the device under test is stuck;
if a response to the ARP probe packet is detected but no response to the ICMP probe message, determining that the underlying firmware of the device under test is not stuck and the operating system is stuck;
if responses to the ARP probe packet and the ICMP probe message are detected but no response to the TCP probe message or the HTTP probe message, determining that the network layer of the operating system of the device under test is not stuck and the transport-layer or application-layer software is stuck;
if responses to the ARP probe packet, the ICMP probe message and the TCP probe message are detected but no response to the HTTP probe message, determining that the network layer and transport layer of the operating system of the device under test are not stuck and the application-layer software is stuck.
Preferably, after judging the operating state of the device under test according to its responses to the probe messages of the different protocol types, the method further includes:
extracting the log information of the operating system and applications of the device under test;
extracting keywords and the times corresponding to the keywords from the log information and comparing them with the operating state judgement result of the device under test; if they match, sending a verification-correct signal, and if they do not match, sending a verification-failed signal.
Preferably, before periodically sending probe messages of different protocol types to probe the device under test while the network attack traffic test is run against it, the method further includes:
adjusting the attack traffic size of the network attack traffic test;
and after judging the operating state of the device under test according to its responses to the probe messages of the different protocol types, the method further includes:
obtaining, from the correspondence between the attack traffic size of the network attack traffic test and the operating state judgement result of the device under test, the attack traffic threshold corresponding to each operating state of the device under test.
Preferably, before periodically sending probe messages of different protocol types to probe the device under test while the network attack traffic test is run against it, the method further includes:
synchronising the clocks of the device under test, the network tester that runs the network attack traffic test, and the test management host that runs the industrial control equipment network attack test method.
The second aspect of the application provides an industrial control equipment network attack test system for performing the industrial control equipment network attack test method of the first aspect, comprising:
a network tester, for running the network attack traffic test against the device under test and, while doing so, periodically sending probe messages of different protocol types to probe the device under test;
a test management host, for judging the operating state of the device under test according to its responses to the probe messages of the different protocol types;
and the device under test, connected to the network tester and the test management host.
Preferably, the test management host is specifically configured to judge as follows:
if no response to the ARP probe packet is detected, determining that the underlying firmware or the operating system of the device under test is stuck;
if a response to the ARP probe packet is detected but no response to the ICMP probe message, determining that the underlying firmware of the device under test is not stuck and the operating system is stuck;
if responses to the ARP probe packet and the ICMP probe message are detected but no response to the TCP probe message or the HTTP probe message, determining that the network layer of the operating system of the device under test is not stuck and the transport-layer or application-layer software is stuck;
if responses to the ARP probe packet, the ICMP probe message and the TCP probe message are detected but no response to the HTTP probe message, determining that the network layer and transport layer of the operating system of the device under test are not stuck and the application-layer software is stuck.
Preferably, the test management host is further configured to:
extract the log information of the operating system and applications of the device under test;
extract keywords and the times corresponding to the keywords from the log information and compare them with the operating state judgement result of the device under test; if they match, send a verification-correct signal, and if they do not match, send a verification-failed signal.
Preferably, the network tester is further configured to adjust the attack traffic size of the network attack traffic test;
and the test management host is further configured to obtain, from the correspondence between the attack traffic size of the network attack traffic test and the operating state judgement result of the device under test, the attack traffic threshold corresponding to each operating state of the device under test.
Preferably, the test management host is further configured to synchronise the clocks of the device under test, the network tester that runs the network attack traffic test, and the test management host that runs the industrial control equipment network attack test method.
It can be seen from the above technical solutions that the application has the following advantages:
This application provides an industrial control equipment network attack test method and system. The method includes: while a network attack traffic test is being run against the device under test, periodically sending probe messages of different protocol types to probe the device under test; and judging the operating state of the device under test from its responses to the probe messages of the different protocol types. The application can send probe messages of different protocol types, and when the device under test responds to only some of them, its operating state can be judged from which protocol types it responded to. The device under test is probed at multiple levels, and its operating state is determined from the relationship between that state and the types of probe message it responds to, which solves the technical problem that traditional test methods have a low degree of automation and analyse only a single level.
Brief description of the drawings
In order to illustrate the embodiments of the present application more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some examples of the present application; a person of ordinary skill in the art can obtain other drawings from these drawings without any creative effort.
Fig. 1 is the system architecture diagram of the industrial control equipment network attack test system provided by the present application;
Fig. 2 is the flow chart of one embodiment of the industrial control equipment network attack test method in an embodiment of the present application;
Fig. 3 is the flow chart of another embodiment of the industrial control equipment network attack test method in an embodiment of the present application;
Fig. 4 is the flow chart of a further embodiment of the industrial control equipment network attack test method in an embodiment of the present application.
Detailed description of embodiments
This application provides an industrial control equipment network attack test method and system to solve the technical problem that traditional test methods have a low degree of automation and analyse only a single level.
To make the purpose, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the application are described clearly and completely below in conjunction with the drawings in the embodiments of the application. Obviously, the embodiments described below are only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the application without creative work fall within the scope of protection of the application.
It should be understood that the application is applied to an industrial control equipment network attack test system. Referring to Fig. 1, Fig. 1 is the architecture diagram of the industrial control equipment network attack test system in an embodiment of the application; as shown in Fig. 1, it includes a network tester, a test management host and a device under test.
The application designs an industrial control equipment network attack test method and system which determine the operating state of the device under test from the relationship between that state and the types of probe message the device responds to, solving the technical problem that traditional test methods have a low degree of automation and analyse only a single level.
For ease of understanding, refer to Fig. 2, which is the flow chart of the industrial control equipment network attack test method in an embodiment of the application. As shown in Fig. 2, specifically:
101. While a network attack traffic test is run against the device under test, periodically send probe messages of different protocol types to probe the device under test;
102. Judge the operating state of the device under test according to its responses to the probe messages of the different protocol types.
It should be noted that whether the hardware or software in the device under test corresponding to the probe messages of each protocol type is operating normally can also be judged from the device's responses to those probe messages.
For example, suppose the device under test is a computer (it could of course be another terminal, such as a mobile phone or tablet). Since the network operates in layers, the correspondence between the layers of the five-layer TCP/IP model and the ARP, ICMP, TCP and HTTP protocols is as follows:
Layer 1: application layer (HTTP)
Layer 2: transport layer (TCP)
Layer 3: network layer (ICMP)
Layer 4: data link layer (ARP)
Layer 5: physical layer.
The physical layer is the lowest and the application layer the highest; each upper-layer protocol depends on the implementation of the protocol in the layer below it, so if a lower layer is abnormal, the layer above it cannot work normally.
According to the above principle, two kinds of traffic can be sent during a network attack test:
one kind is attack traffic, whose purpose is to attack the device under test;
the other is verification traffic, whose purpose is to detect what state the device under test is in while under attack (that is, which layer is working abnormally). If the lower-layer probe messages receive responses (the device under test can still return packets normally), the corresponding lower-layer protocols of the device under test are working normally; if the higher-layer probe messages cannot be answered normally, the problem lies in a higher-layer protocol. In this way, the layer of the device under test at which the attack caused a problem can be located.
Physical equipment corresponding to the protocols:
Application layer (HTTP), transport layer (TCP) and network layer (ICMP): implemented in software in the operating system of the PC.
Data link layer (ARP): implemented in the network interface card of the PC, corresponding to the firmware of the device under test.
Physical layer: cable or wire.
Thus, by the above principle, it can be determined whether the firmware has a problem or a certain layer protocol inside the operating system has a problem.
Therefore:
if no response to the ARP probe packet is detected, it is determined that the underlying firmware or the operating system of the device under test is stuck;
if a response to the ARP probe packet is detected but no response to the ICMP probe message, it is determined that the underlying firmware of the device under test is not stuck and the operating system is stuck;
if responses to the ARP probe packet and the ICMP probe message are detected but no response to the TCP probe message or the HTTP probe message, it is determined that the network layer of the operating system of the device under test is not stuck and the transport-layer or application-layer software is stuck;
if responses to the ARP probe packet, the ICMP probe message and the TCP probe message are detected but no response to the HTTP probe message, it is determined that the network layer and transport layer of the operating system of the device under test are not stuck and the application-layer software is stuck.
For different systems, different protocols correspond to different hardware or software levels; the example of the five-layer TCP/IP model here is not to be construed as limiting the application.
Therefore, the application can send probe messages of different protocol types, and when the device under test responds to only some of them, its operating state can be judged from which protocol types it responded to. The device under test is probed at multiple levels, and its operating state is determined from the relationship between that state and the types of probe message it responds to, which solves the technical problem that traditional test methods have a low degree of automation and analyse only a single level.
The above is a detailed description of one embodiment of the industrial control equipment network attack test method provided by the present application; another embodiment of the method is described in detail below.
Referring to Fig. 3, another embodiment of the industrial control equipment network attack test method provided by the present application includes:
201. Run a network attack traffic test against the device under test with the network tester, and adjust the attack traffic size of the network attack traffic test;
The network tester can run the network attack traffic test and adjust the attack traffic size under the control of the test management host. The attack traffic size may be set to a minimum first and then, after the operating state of the device under test has been judged, increased gradually while the operating state of the device under test is continuously judged in real time (that is, steps 202 and 203 run in real time, step 201 adjusts the attack traffic size of the network attack traffic test, and the result is finally obtained in step 204; alternatively, steps 201, 202 and 203 run in a loop and the result is finally obtained in step 204), so as to obtain the relationship between the attack traffic size and the operating state judgement result of the device under test. For example, when the attack traffic size increases to a first threshold, the application layer of the device under test becomes stuck; when the attack traffic size increases to a second threshold, the transport layer of the device under test becomes stuck; and so on for the other similar relationships, which are not repeated here.
202. While the network attack traffic test is run against the device under test, periodically send probe messages of different protocol types to probe the device under test;
The probe messages of the different protocol types may be sent together or sequentially; in principle there is no difference, and the return-packet situation can be observed either way. The return packets of the different protocols are also different. In general, to avoid confusion, they can be sent sequentially, one by one from the lower-layer protocol to the higher-layer protocol.
203. Judge the operating state of the device under test according to its responses to the probe messages of the different protocol types;
The principle of this step is the same as in the previous embodiment.
204. Obtain, from the correspondence between the attack traffic size of the network attack traffic test and the operating state judgement result of the device under test, the attack traffic threshold corresponding to each operating state of the device under test;
Two kinds of traffic can be sent during a network attack: one is attack traffic, whose purpose is to attack the device under test; the other is verification traffic, whose purpose is to detect what state the device under test is in while under attack. Generally, the attack traffic can be sent to the device under test at a fixed rate; when the traffic grows beyond a certain threshold, the device under test, because of its limited capacity, will certainly exhibit an operating system or firmware stuck condition. Gradually increasing the attack traffic causes the device under test to exhibit each of the stuck conditions described above, so that the various attack-resistance thresholds of the device under test can be detected.
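The judgement rules of step 203 and the threshold derivation of step 204, as an added Python example that is not the patent's own code: it applies the four rules to recorded probe responses, flags answer patterns that contradict the layering principle (an outcome beyond the page's four rules), and derives each state's attack-traffic threshold from a constructed ramp. The rate unit, the ramp observations and the state labels are assumptions.

```python
"""Layer-by-layer judgement of the device under test and attack-traffic thresholds.

Added example, not code from the patent or its applicant. It applies the
judgement rules of step 203 to recorded probe responses and derives the
per-state thresholds of step 204 from a traffic ramp. Every observation is
constructed; the rate unit (Mbit/s) and the two extra outcomes 'normal' and
'inconsistent' are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Probe types in the page's layer order, lowest layer first.
PROBE_ORDER = ("ARP", "ICMP", "TCP", "HTTP")

# Operating-state labels, worded after the page's judgement rules.
NORMAL = "normal: all probed layers responding"
FIRMWARE_OR_OS_STUCK = "underlying firmware or operating system stuck"
OS_STUCK = "firmware not stuck, operating system stuck"
TRANSPORT_OR_APP_STUCK = ("operating system network layer not stuck, "
                          "transport- or application-layer software stuck")
APP_STUCK = ("operating system network and transport layers not stuck, "
             "application-layer software stuck")
INCONSISTENT = "inconsistent: a higher-layer probe answered while a lower one did not"
ALL_STATES = (NORMAL, APP_STUCK, TRANSPORT_OR_APP_STUCK, OS_STUCK,
              FIRMWARE_OR_OS_STUCK, INCONSISTENT)


def judge_operating_state(responses: Dict[str, bool]) -> str:
    """Map which probe types were answered to an operating state (step 203).

    ``responses`` maps each probe type to True (reply seen within the probe
    period) or False (no reply); a missing type counts as no reply.
    """
    answered = [responses.get(p, False) for p in PROBE_ORDER]
    # Layering principle from the page: if a lower layer is abnormal, every
    # layer above it cannot work either. A reply from a higher layer after a
    # silent lower layer therefore matches none of the rules and is flagged
    # instead of being attributed to a layer.
    if any(answered[i] and not answered[i - 1] for i in range(1, len(answered))):
        return INCONSISTENT
    arp, icmp, tcp, http = answered
    if not arp:
        return FIRMWARE_OR_OS_STUCK      # rule 1: ARP silent
    if not icmp:
        return OS_STUCK                  # rule 2: ARP answered, ICMP silent
    if not tcp:
        return TRANSPORT_OR_APP_STUCK    # rule 3: ARP and ICMP answered, TCP and HTTP silent
    if not http:
        return APP_STUCK                 # rule 4: only HTTP silent
    return NORMAL


@dataclass(frozen=True)
class RampStep:
    """One step of the attack-traffic ramp: the rate the network tester was
    set to and the probe replies observed at that rate."""
    rate_mbps: int
    responses: Dict[str, bool]


def attack_traffic_thresholds(ramp: List[RampStep]) -> Dict[str, Optional[int]]:
    """For each operating state, the lowest attack rate at which the probe
    judgement first produced it (step 204); states never reached map to None.
    Steps are sorted by rate so a looped or out-of-order ramp still yields
    the minimum rate per state."""
    thresholds: Dict[str, Optional[int]] = {state: None for state in ALL_STATES}
    for step in sorted(ramp, key=lambda s: s.rate_mbps):
        state = judge_operating_state(step.responses)
        if thresholds[state] is None:
            thresholds[state] = step.rate_mbps
    return thresholds


def demo_ramp() -> List[RampStep]:
    """Constructed ramp: the device loses one layer after another as the
    rate rises, the pattern the page describes for steps 201 to 204."""
    def obs(arp, icmp, tcp, http):
        return {"ARP": arp, "ICMP": icmp, "TCP": tcp, "HTTP": http}
    return [
        RampStep(10, obs(True, True, True, True)),
        RampStep(50, obs(True, True, True, False)),
        RampStep(100, obs(True, True, False, False)),
        RampStep(200, obs(True, False, False, False)),
        RampStep(400, obs(False, False, False, False)),
    ]


if __name__ == "__main__":
    for state, rate in attack_traffic_thresholds(demo_ramp()).items():
        print(f"{str(rate):>5} Mbit/s -> {state}")
```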
The above is a detailed description of another embodiment of the industrial control equipment network attack test method provided by the present application; a further embodiment of the method is described in detail below.
Referring to Fig. 4, a further embodiment of the industrial control equipment network attack test method provided by the present application includes:
301. Synchronise the clocks of the device under test, the network tester that runs the network attack traffic test, and the test management host that runs the industrial control equipment network attack test method;
Synchronising the clock information makes the log timestamps of every device in the system unified and comparable, so that logs recorded at the same moment do not end up with inconsistent times because the device clocks are not unified, which would interfere with the analysis of the results.
302. While the network attack traffic test is run against the device under test, periodically send probe messages of different protocol types to probe the device under test;
303. Judge the operating state of the device under test according to its responses to the probe messages of the different protocol types;
304. Extract the log information of the operating system and applications of the device under test;
The log information of the operating system and applications can be extracted automatically by network management technology; for example, the test management host requests logs from the device under test by way of syslog, and the log information of the device under test is collected and analysed.
305. Extract keywords and the times corresponding to the keywords from the log information and compare them with the operating state judgement result of the device under test; if they match, send a verification-correct signal, and if they do not match, send a verification-failed signal.
The time-keyword extraction from the logs pulls out fields such as "restart" and "communication interrupted" from the log entries of the same time, to detect whether a fault log appeared while the attack traffic was being sent. For example, according to the log time, if during the ARP attack the device under test did not respond to the ARP probe packet and the system log contains the entry "network communication connection with the device under test lost", the conclusion "the device under test failed to withstand the attack traffic test; its firmware or operating system became stuck during the attack test" can be drawn.
The text analysis result is used to confirm the result of the verification traffic. If the two are consistent, the device can be automatically judged to be in a fault state without manual intervention. If the return-packet situation under attack traffic and the text analysis result are inconsistent, a verification-failed signal is sent; when a worker sees the verification-failed signal, manual analysis is performed to determine whether the device under test has failed, considering: (1) manually checking where the fault lies, judging by the application interface, operating system state and so on; (2) considering why the device under test does not return packets, for example whether a restriction policy such as a whitelist or blacklist has been configured.
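The keyword cross-check of steps 304 and 305, as an added example that is not part of the patent: it parses constructed syslog-style lines, extracts the fault keywords with their times, and emits the page's verification-correct or verification-failed signal with a reason that points at the manual follow-up the page describes. The log format, the keyword list and the 30-second matching window are assumptions.

```python
"""Cross-check of the probe judgement against device logs (steps 304 and 305).

Added example, not the patent's or applicant's code. The syslog-style lines
and the judgement record are constructed, the keyword list follows the
page's 'restart' / 'communication interrupted' examples, and the 30-second
matching window is an assumption (the page says only 'the same time').
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Fault keywords the test management host looks for; matched case-insensitively.
FAULT_KEYWORDS = ("restart", "communication interrupted", "connection lost")

# Constructed log lines from a device whose clock was synchronised in step 301.
SAMPLE_LOG = """\
2018-08-27 10:00:01 dut01 kernel: eth0 link up
2018-08-27 10:02:15 dut01 plc-runtime: cycle time 12 ms
2018-08-27 10:03:40 dut01 netmgr: network communication connection lost
2018-08-27 10:03:41 dut01 watchdog: system restart scheduled
"""

LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")


class LogHit(NamedTuple):
    time: datetime
    keyword: str
    message: str


class ProbeJudgement(NamedTuple):
    time: datetime          # when the probe round was evaluated
    layer_stuck: bool       # True if the probe rules judged some layer stuck


def parse_stamp(text: str) -> datetime:
    """Parse the constructed log timestamp format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def extract_fault_keywords(log_text: str) -> List[LogHit]:
    """Pull every fault keyword with its timestamp out of the collected log."""
    hits: List[LogHit] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                    # not a parsable log line; skip it
        stamp, message = parse_stamp(m.group(1)), m.group(4)
        for keyword in FAULT_KEYWORDS:
            if keyword in message.lower():
                hits.append(LogHit(stamp, keyword, message))
                break                   # one hit per line is enough
    return hits


def verify_judgement(judgement: ProbeJudgement, log_text: str,
                     window: timedelta = timedelta(seconds=30)) -> Tuple[str, str]:
    """Compare the probe judgement with the log evidence near the same time.

    Returns the signal the page specifies ('verification correct' or
    'verification failed') plus a short reason. A fault log within ``window``
    of the judgement agrees with a 'stuck' judgement; the absence of any
    fault log agrees with a 'not stuck' judgement.
    """
    nearby = [h for h in extract_fault_keywords(log_text)
              if abs(h.time - judgement.time) <= window]
    if judgement.layer_stuck and nearby:
        return "verification correct", f"fault log confirms stuck state: {nearby[0].message!r}"
    if not judgement.layer_stuck and not nearby:
        return "verification correct", "no fault log and probes answered"
    if judgement.layer_stuck:
        # Probes went silent but the device logged nothing: the page's manual
        # follow-up asks whether a whitelist/blacklist policy drops the replies.
        return "verification failed", "probes silent but no fault log; check restriction policies"
    return "verification failed", f"fault logged but probes answered: {nearby[0].message!r}"
```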
The present embodiment periodically sends protocol massages with network tester respectively while carrying out Network Attack test Comprehensive survey is carried out to equipment under test;Equipment running status is judged from different levels, while being read automatically and being compared device log Information, state of the comprehensive descision equipment under test under network attack.
It is detailed to a kind of another embodiment progress of industrial control equipment network attack test method provided by the present application above Description, one embodiment to a kind of industrial control equipment network attack test system provided by the present application is carried out below detailed Description.
Referring to Fig. 1, a kind of one embodiment of industrial control equipment network attack test system provided by the present application, comprising:
Network tester, for carrying out Network Attack test to equipment under test;It is attacked carrying out network to equipment under test While hitting flow rate test, the probe messages for periodically sending different type agreement detect equipment under test;
Test and management host, for being set according to response judgement of the equipment under test to the probe messages of different type agreement is tested Standby operating status;
Equipment under test connects network tester and test and management host.
Further, test and management host is specifically used for judgement:
If detecting ARP probe packet without response, it is determined that the bottom firmware or operating system of equipment under test have blocked Extremely;
If detecting the response of ARP probe packet and detecting icmp probe message without response, it is determined that equipment under test Bottom firmware does not have stuck, and operating system is stuck;
If detecting the response of ARP probe packet and icmp probe message and detecting TCP probe messages and HTTP detection Message is without response, it is determined that the operating system network layer of equipment under test does not have stuck, and transport layer or application layer software are stuck;
If detect ARP probe packet, icmp probe message and TCP probe messages response and detect HTTP detection report Text is without response, it is determined that the operating system network layer and transport layer of equipment under test do not have stuck, and application layer software is stuck.
Further, test and management host is also used to:
Extract the operating system of equipment under test and the log information of application;
Keyword and keyword corresponding time, the operating status judging result with equipment under test are extracted from log information It compares, if they are the same, then sends verifying correct signal, if not identical, send authentication failed signal.
Further, the network tester is also used to adjust the attack traffic size of the network attack traffic test;
and the test and management host is also used to obtain the attack traffic threshold corresponding to each operating status of the equipment under test, according to the correspondence between the attack traffic size of the network attack traffic test and the operating status judgement result of the equipment under test.
Further, the test and management host is also used to perform clock synchronisation among the equipment under test, the network tester that carries out the network attack traffic test, and the test and management host that carries out the industrial control equipment network attack test method.
The network tester is responsible for sending network attack traffic and protocol probe messages to the equipment under test. The test and management host on the one hand controls the network tester and on the other hand remotely collects result information from the equipment under test. These three parts form a closed-loop feedback system: the test and management host adjusts the traffic sent by the network tester according to the result information collected from the equipment under test.
The network tester is a testing tool with the following characteristics: it can emulate protocol traffic of all kinds from layer 2 to layer 7; it can simulate a rich variety of network attack traffic types; and the rate of the simulated traffic is adjustable, so that the attack traffic can be increased or decreased by the tester, the traffic being a byte stream.
The present application has the following obvious advantages:
1. Automation replaces manual work.
Traditional network attack test methods do not form a unified closed loop; testing and result analysis are executed separately. The usual practice is that, after a test has been initiated and completed, the relevant result parameters are checked on the equipment under test. This approach is very inefficient, requires constant manual intervention, and does not scale to large-scale industrial control equipment network access testing.
The principle of the automation is to close the entire test system into a loop: the parameters by which the equipment under test changes under the test environment are collected by way of network protocols and logs, and the test parameters of the testing tool are adjusted automatically, so that test results are collected and parameter adjustment is completed without manual intervention.
2. Equipment status is judged from multiple dimensions, so the result is accurate.
Traditional network attack test methods generally diagnose the state of the equipment under test on the basis of a single dimension, and the parameters of the testing tool are adjusted manually according to that single-dimensional parameter, which makes it hard to consider comprehensively how the equipment under test behaves under composite conditions spanning multiple dimensions.
Multidimensional diagnosis of the condition of the equipment under test can collect its state parameters comprehensively and, according to a preset response strategy, compute the parameter adjustment for the next test step, so as to measure the specific behaviour of the equipment under test in a multi-factor environment.
3. By combining different network protocols with logs, it can be determined at which level of the network model (physical layer, operating system layer or application layer) the cause of the equipment's problem lies.
Traditional test methods only check the corresponding states and parameters of the equipment under test; since problems at many different levels may cause the same reaction in those state parameters, it is difficult to quickly distinguish and locate the level at which the problem occurs.
Combining different network protocols with logs, together with automated comprehensive analysis, makes it possible to locate faults at different levels, so that the level of the network model at which the problem arises can be determined quickly.
It is apparent to those skilled in the art that, for convenience and simplicity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not described again here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division of the units is only a logical functional division, and other divisions are possible in actual implementation; for instance, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or the whole or part of that technical solution, may be embodied in the form of a software product. That software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of each embodiment of the present application. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above embodiments are only intended to illustrate the technical solution of the present application, not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. An industrial control equipment network attack test method, characterised by comprising:
while carrying out a network attack traffic test on the equipment under test, periodically sending probe messages of different protocol types to probe the equipment under test;
judging the operating status of the equipment under test according to the responses of the equipment under test to the probe messages of the different protocol types.
2. The industrial control equipment network attack test method according to claim 1, characterised in that the probe messages of different protocol types comprise an ARP probe message, an ICMP probe message, a TCP probe message and an HTTP probe message; and judging the operating status of the equipment under test according to its responses to the messages of the different protocol types comprises:
if the ARP probe message receives no response, determining that the bottom firmware or the operating system of the equipment under test is stuck;
if the ARP probe message receives a response but the ICMP probe message receives no response, determining that the bottom firmware of the equipment under test is not stuck and the operating system is stuck;
if the ARP probe message and the ICMP probe message receive responses but the TCP probe message and the HTTP probe message receive no response, determining that the network layer of the operating system of the equipment under test is not stuck and the transport layer or application layer software is stuck;
if the ARP probe message, the ICMP probe message and the TCP probe message receive responses but the HTTP probe message receives no response, determining that the network layer and transport layer of the operating system of the equipment under test are not stuck and the application layer software is stuck.
3. The industrial control equipment network attack test method according to claim 1, characterised in that, after judging the operating status of the equipment under test according to its responses to the probe messages of the different protocol types, the method further comprises:
extracting the log information of the operating system and of the applications of the equipment under test;
extracting keywords, and the time corresponding to each keyword, from the log information and comparing them with the operating status judgement result of the equipment under test; if they agree, sending a verification-correct signal, and if they do not, sending a verification-failed signal.
4. The industrial control equipment network attack test method according to claim 1, characterised in that, before periodically sending probe messages of different protocol types to probe the equipment under test while carrying out the network attack traffic test on it, the method further comprises:
adjusting the attack traffic size of the network attack traffic test;
and after judging the operating status of the equipment under test according to its responses to the probe messages of the different protocol types, the method further comprises:
obtaining the attack traffic threshold corresponding to each operating status of the equipment under test according to the correspondence between the attack traffic size of the network attack traffic test and the operating status judgement result of the equipment under test.
5. The industrial control equipment network attack test method according to claim 1, characterised in that, before periodically sending probe messages of different protocol types to probe the equipment under test while carrying out the network attack traffic test on it, the method further comprises:
performing clock synchronisation among the equipment under test, the network tester that carries out the network attack traffic test, and the test and management host that carries out the industrial control equipment network attack test method.
6. An industrial control equipment network attack test system, which tests using the industrial control equipment network attack test method according to any one of claims 1 to 5, characterised by comprising:
a network tester, for carrying out a network attack traffic test on the equipment under test and, while that test is in progress, periodically sending probe messages of different protocol types to probe the equipment under test;
a test and management host, for judging the operating status of the equipment under test according to its responses to the probe messages of the different protocol types;
the equipment under test, which is connected to the network tester and to the test and management host.
7. The industrial control equipment network attack test system according to claim 6, characterised in that the test and management host is specifically used to judge as follows:
if the ARP probe message receives no response, determining that the bottom firmware or the operating system of the equipment under test is stuck;
if the ARP probe message receives a response but the ICMP probe message receives no response, determining that the bottom firmware of the equipment under test is not stuck and the operating system is stuck;
if the ARP probe message and the ICMP probe message receive responses but the TCP probe message and the HTTP probe message receive no response, determining that the network layer of the operating system of the equipment under test is not stuck and the transport layer or application layer software is stuck;
if the ARP probe message, the ICMP probe message and the TCP probe message receive responses but the HTTP probe message receives no response, determining that the network layer and transport layer of the operating system of the equipment under test are not stuck and the application layer software is stuck.
8. The industrial control equipment network attack test system according to claim 6, characterised in that the test and management host is also used to:
extract the log information of the operating system and of the applications of the equipment under test;
extract keywords, and the time corresponding to each keyword, from the log information and compare them with the operating status judgement result of the equipment under test; if they agree, send a verification-correct signal, and if they do not, send a verification-failed signal.
9. The industrial control equipment network attack test system according to claim 6, characterised in that the network tester is also used to adjust the attack traffic size of the network attack traffic test;
and the test and management host is also used to obtain the attack traffic threshold corresponding to each operating status of the equipment under test according to the correspondence between the attack traffic size of the network attack traffic test and the operating status judgement result of the equipment under test.
10. The industrial control equipment network attack test system according to claim 6, characterised in that the test and management host is also used to perform clock synchronisation among the equipment under test, the network tester that carries out the network attack traffic test, and the test and management host that carries out the industrial control equipment network attack test method.
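The following Python sketch is an added illustration, not code from the patent: it implements the test and management host's judgement logic described in the system embodiment above and in claims 2 to 4 (and the matching system claims 7 to 9), namely the layered status verdict from the ARP/ICMP/TCP/HTTP probe responses, the log-keyword cross-check, and the derivation of a per-status attack traffic threshold from a rate sweep. The log keyword table, sample log lines and sweep data are constructed for the example; the probe sending itself is assumed to be done by the network tester.

```python
import re
from datetime import datetime, timedelta
from enum import Enum


class Status(Enum):
    NORMAL = "all probed layers responding"
    FIRMWARE_OR_OS = "bottom firmware or operating system stuck"
    OS = "firmware alive, operating system stuck"
    TRANSPORT_OR_APP = "OS network layer alive, transport or application layer stuck"
    APP = "network and transport layers alive, application software stuck"
    INCONSISTENT = "probe pattern matches none of the rules"


def judge_status(arp, icmp, tcp, http):
    """Decision rules of the embodiment (claims 2 and 7), applied bottom-up:
    a lower-layer probe must have answered before a higher layer is blamed."""
    if not arp:
        return Status.FIRMWARE_OR_OS
    if not icmp:
        return Status.OS
    if not tcp and not http:
        return Status.TRANSPORT_OR_APP
    if tcp and not http:
        return Status.APP
    if tcp and http:
        return Status.NORMAL
    # HTTP answered although the TCP probe did not: HTTP rides on TCP, so this
    # usually means the TCP probe hit a closed or filtered port, not a hang.
    return Status.INCONSISTENT


# Constructed keyword table for the log cross-check (claims 3 and 8); a real
# deployment maps the device's own log vocabulary onto the status verdicts.
LOG_KEYWORDS = {
    "watchdog reset": Status.FIRMWARE_OR_OS,
    "kernel panic": Status.FIRMWARE_OR_OS,
    "soft lockup": Status.OS,
    "tcp: out of memory": Status.TRANSPORT_OR_APP,
    "httpd: worker exited": Status.APP,
}
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def verify_with_logs(judged, judged_at, log_lines, window=timedelta(seconds=30)):
    """Return 'verify correct' when a keyword logged within `window` of the
    judgement time maps to the same status the probes produced, otherwise
    'verify failed'. Assumes the clocks were synchronised (claims 5 and 10)."""
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        logged_at = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if abs(logged_at - judged_at) > window:
            continue
        text = m.group(2).lower()
        if any(kw in text and st is judged for kw, st in LOG_KEYWORDS.items()):
            return "verify correct"
    return "verify failed"


def attack_thresholds(sweep):
    """Claims 4 and 9: from (attack_rate_mbps, Status) pairs of a rate sweep,
    return the lowest rate at which each non-normal status first appeared."""
    thresholds = {}
    for rate, status in sorted(sweep, key=lambda p: p[0]):
        if status is not Status.NORMAL and status not in thresholds:
            thresholds[status] = rate
    return thresholds


# Constructed sample data: device logs around the judgement time and a sweep.
JUDGED_AT = datetime(2018, 8, 27, 10, 0, 0)
SAMPLE_LOGS = [
    "2018-08-27 09:58:10 httpd: started 4 workers",
    "2018-08-27 10:00:07 httpd: worker exited unexpectedly (signal 11)",
    "2018-08-27 10:05:00 kernel panic - not syncing",  # outside the 30 s window
]
SAMPLE_SWEEP = [(100, Status.NORMAL), (200, Status.NORMAL), (300, Status.APP),
                (400, Status.APP), (500, Status.OS)]

if __name__ == "__main__":
    verdict = judge_status(arp=True, icmp=True, tcp=True, http=False)
    print(verdict.name, "->", verify_with_logs(verdict, JUDGED_AT, SAMPLE_LOGS))
    print({s.name: r for s, r in attack_thresholds(SAMPLE_SWEEP).items()})
```

The INCONSISTENT verdict is the one case the patent's four rules do not cover; surfacing it rather than forcing a layer verdict keeps a misconfigured TCP probe port from being reported as a device hang.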
CN201810982351.5A 2018-08-27 2018-08-27 A kind of industrial control equipment network attack test method and system Pending CN109104335A (en)

Publications (1)

Publication Number Publication Date
CN109104335A true CN109104335A (en) 2018-12-28

Family

ID=64851363


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181228