CN110351237B - Honeypot method and device for numerical control machine tool - Google Patents


Info

Publication number: CN110351237B
Authority: CN (China)
Prior art keywords: request; machine tool; industrial control; control protocol; numerical control
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201910435072.1A
Other languages: Chinese (zh)
Other versions: CN110351237A
Inventors: 孙利民, 栾世杰, 吕世超, 游建舟, 石志强, 李红
Current Assignee: Institute of Information Engineering of CAS (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Institute of Information Engineering of CAS
Events: application filed by Institute of Information Engineering of CAS; priority to CN201910435072.1A; publication of CN110351237A; application granted; publication of CN110351237B; legal status active; anticipated expiration. (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The embodiment of the invention provides a honeypot method and a honeypot device for a numerical control machine tool. The method comprises the following steps: acquiring a request initiated by a request source to the numerical control machine tool, and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol used by the request; and if it is determined, according to the industrial control protocol, that the request triggers at least one pre-discovered vulnerability, not responding to the request. By simulating the response of a real numerical control machine tool to a request, the honeypot method and device provided by the embodiment of the invention can effectively lure the illegal access of an attacker, mislead the attacker's perception, protect the numerical control machine tool in a targeted manner according to the attacker's behaviour, and improve the reliability of safety protection.

Description

Honeypot method and device for numerical control machine tool
Technical Field
The invention relates to the technical field of computers, in particular to a honeypot method and a honeypot device for a numerical control machine tool.
Background
In recent years, with the continuous advance of intelligent manufacturing, industrial manufacturing and the internet have become deeply integrated; the network security problems behind intelligent manufacturing have become increasingly prominent, and security requirements have kept growing.
The numerical control machine tool plays an important role in industrial control systems and is one of the key industrial control devices for realising production automation. However, at present most companies use numerical control systems (the operating systems installed on numerical control machines) produced by domestic and foreign manufacturers such as Fanuc, Siemens, Mitsubishi and Heidenhain. These numerical control systems are black boxes to the user, who has no way of knowing whether they contain a security backdoor or pose a security threat. Therefore, safety protection of the numerical control machine tool is required.
At present, safety protection technology for numerically controlled machine tools still remains at the business management layer. It mainly comprises methods that monitor incoming and outgoing traffic by deploying a firewall in the area of the numerically controlled machine tool, and methods that design the safety protection of the numerical control network from the four dimensions of structural safety, behaviour safety, body safety and gene safety. However, because these business-management-layer methods protect by detecting attack behaviour, their false alarm rate is high and they cannot protect the numerical control machine tool itself, so the reliability of protection is poor.
Disclosure of Invention
The embodiment of the invention provides a honeypot method and a honeypot device for a numerical control machine tool, which are used for solving or at least partially solving the defect of poor reliability of protection of the numerical control machine tool in the prior art.
In a first aspect, an embodiment of the present invention provides a honeypot method for a numerical control machine, including:
acquiring a request initiated by a request source to the numerical control machine tool, and judging whether the request is a probe request;
if the request is not a probe request, parsing the request and determining the industrial control protocol used by the request;
and if it is determined, according to the industrial control protocol, that the request triggers at least one pre-discovered vulnerability, not responding to the request.
Preferably, after judging whether the request is a probe request, the method further includes:
if the request is a probe request, obtaining the probe type of the request and returning a response generated according to the probe type.
Preferably, after determining the industrial control protocol used by the request, the method further includes:
if it is determined, according to the industrial control protocol, that the request does not trigger any pre-discovered vulnerability, acquiring the service requested by the request based on the industrial control protocol, and returning the execution result of the service as the response to the request.
Preferably, after parsing the request, the method further includes:
if the industrial control protocol used by the request cannot be determined, performing data capture for the request.
Preferably, after determining the industrial control protocol used by the request, the method further includes:
if it is determined, according to the industrial control protocol, that the request triggers at least one pre-discovered vulnerability, performing data capture for the request.
Preferably, after judging whether the request is a probe request, the method further includes:
performing data capture for the request.
Preferably, after acquiring the request initiated to the numerical control machine tool, the method further includes:
logging the request.
In a second aspect, an embodiment of the present invention provides a honeypot apparatus for a numerical control machine, including:
a fingerprint simulation module, configured to acquire a request initiated by a request source to the numerical control machine tool and judge whether the request is a probe request;
a protocol interaction module, configured to parse the request and determine the industrial control protocol used by the request if the request is not a probe request;
and a vulnerability deployment module, configured not to respond to the request if it is determined, according to the industrial control protocol, that the request triggers at least one pre-discovered vulnerability.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the computer program is executed, the steps of the honeypot method for a numerically controlled machine tool as provided in any one of the various possible implementations of the first aspect are implemented.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the honeypot method for a numerically controlled machine tool as provided in any one of the various possible implementations of the first aspect.
By simulating the response of a real numerical control machine tool to a request, the honeypot method and device for the numerical control machine tool provided by the embodiment of the invention can effectively lure the illegal access of an attacker, mislead the attacker's perception, protect the numerical control machine tool in a targeted manner according to the attacker's behaviour, and improve the reliability of safety protection.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a honeypot method for a numerical control machine according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a honeypot apparatus for a numerical control machine tool according to an embodiment of the present invention;
fig. 3 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to overcome the above problems in the prior art, embodiments of the present invention provide a honeypot method and apparatus for a numerical control machine. The inventive concept is that the honeypot method is implemented by a honeypot apparatus for a numerical control machine, which can effectively lure an attacker's illegal access, mislead the attacker's perception, and thereby protect the real numerical control machine.
Fig. 1 is a schematic flow chart of a honeypot method for a numerical control machine tool according to an embodiment of the present invention. As shown in fig. 1, the method includes: step S101, acquiring a request initiated to the numerical control machine tool, and judging whether the request is a probe request.
It should be noted that the execution subject of the honeypot method for the numerical control machine tool provided by the embodiment of the invention is a honeypot device constructed in advance.
The numerical control machine tool externally provides a TCP (Transmission Control Protocol) connection service through a specific port, and through it completes functions such as NC (Numerical Control) data transmission and remote control. The specific port depends on the numerical control system of the numerical control machine tool. For example, the numerical control system of the Fanuc numerical control machine tool provides the TCP connection service through port 8193.
The provided services may include at least one of: searching, reading, deleting and importing NC programs; reading and writing PMC (programmable machine controller, the PLC control technology built into the numerical control machine) parameters; acquiring the coordinates of each axis, the operating time and the number of machining runs; and acquiring device information.
The honeypot device is used as bait to attract attackers who would otherwise attack the numerical control machine tool. Once an attacker has attacked it, monitoring and analysis reveal how the attacker attacks the numerical control machine tool and keep the defender informed of the latest attacks and vulnerabilities targeting numerical control machine tools, so that safety protection of the numerical control machine tool can be carried out in a targeted manner and the protection is more reliable.
The honeypot device treats the originator of every request as an attacker.
An attacker sends a request to the numerical control machine tool. The request is a data packet, and it is used to trigger the numerical control machine tool to execute a certain service of the numerical control system; the numerical control machine tool generates a response message from the result of the service and returns it to the initiator of the request. The attacker can be a terminal such as a personal computer, or a mobile terminal such as a smart phone or tablet computer.
The honeypot device acquires the request initiated by the attacker by listening on the preselected ports.
By parsing the request and replying with the corresponding response message, the honeypot device simulates the basic functions of the numerical control machine tool, thereby luring the attack.
A real attacker may send requests through an installed network scanning and sniffing tool, such as nmap (network mapper).
The attacker's requests can be divided into three types: probe requests, normal handshake requests and industrial control protocol requests. Normal requests comprise normal handshake requests and industrial control protocol requests.
The TCP header and payload of the request sent by the attacker are analysed to judge whether the request is a probe request or a normal request.
If it is not a probe request but a normal request, the following step S102 is performed.
Step S102: if the request is not a probe request, parse the request and determine the industrial control protocol used by the request.
It should be noted that, because the numerical control systems of different manufacturers differ, the industrial control protocols used by different numerical control systems differ accordingly.
For example, the industrial control protocol used by the Fanuc numerical control machine tool is the FOCAS1/2 protocol, and the industrial control protocol used by the Fanuc Mate 0i-D numerical control machine tool is the FOCAS2 protocol.
When an attacker accesses the honeypot device, the honeypot device establishes a session with the request source (i.e. the originator of the request).
The honeypot device can maintain a session queue to manage its sessions with attackers. When an attacker accesses the honeypot device, the honeypot device establishes a session with the attacker and inserts it into the session queue; after the session ends, the honeypot device removes it from the session queue.
The honeypot apparatus can include a protocol distributor.
The protocol distributor matches the application-layer data of the request and distinguishes different industrial control protocols by a fixed field (for example, a field defined as the type field), so that the industrial control protocol used by the request can be determined.
It can be understood that the honeypot system is preset with the basic protocol formats of the various industrial control protocols, each comprising a number of fields. These formats can be obtained in advance by reverse engineering each industrial control protocol.
Step S103: if it is determined, according to the industrial control protocol, that the request triggers at least one pre-discovered vulnerability, do not respond to the request.
Here, the vulnerability is a vulnerability in the numerical control system that uses the industrial control protocol.
It should be noted that, for each industrial control protocol, at least one vulnerability in the numerical control system using that protocol may be obtained in advance, and the vulnerabilities of each numerical control system may be deployed in the honeypot device. The honeypot device can simulate these vulnerabilities to better deceive an attacker.
For example, it is found in advance that three denial of service bugs (0Day bugs) exist in the Fanuc Mate 0i-D type NC machine tool, and the bug numbers are CNVD-2019-.
It is judged whether the request triggers any of the at least one pre-discovered vulnerability in the numerical control system, i.e. the numerical control system that uses the industrial control protocol used by the request.
When, after scanning and probing, an attacker attempts an attack by sending a disguised normal request, the vulnerability is triggered if the attack corresponds to one of the at least one vulnerability.
For a real numerical control machine tool, triggering the vulnerability causes the machine tool to shut down and stop working. The honeypot device does not actually stop working, but it returns no result, sends no response message to the attacker, and stops providing the externally connected TCP service (i.e. it simulates the numerical control system entering a denial-of-service state and ceasing to respond), so as to simulate the shutdown of the numerical control machine tool.
The response of the real numerical control machine tool to such a request is to stop working, after which no response message is returned; accordingly, the response of the honeypot device to the request is to return no result to the attacker.
Further, after determining that the request triggers at least one pre-discovered vulnerability, the honeypot device can resume providing the TCP connection service after a preset duration.
The preset duration can be set close to the time needed to restart the numerical control machine, for example 5 minutes, so that the attacker is more convinced that the honeypot device is a real numerical control machine.
The embodiment of the present invention is not limited to a specific value of the preset duration.
It should be noted that the honeypot device completes a response for every request it acquires. Non-response is itself a form of response; all other forms of response are response messages.
It should be noted that each session between the honeypot device and an attacker is independent.
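As an added illustration (not part of the patent text and not the patent's own code), the following Python sketch models steps S101 to S103 as described above: classifying a request as probe or normal, selecting the industrial control protocol by a fixed type field, simulating the requested service, and, when a request matches a pre-discovered vulnerability signature, returning no response, ending the session and withdrawing the TCP service for a preset duration. The frame layout, the type-field values, the service table, the vulnerability predicate and the handshake and probe heuristics are constructed assumptions; the service names follow the services listed in the description and the 5-minute restart figure is the one given above.

```python
"""Added illustration (not the patent's own code) of steps S101-S103.
Frame layout, type-field values, the service table and the vulnerability
predicate are constructed assumptions; nothing here is the real FOCAS format."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed fixed "type" field: the first byte of the application-layer data
# selects the industrial control protocol (constructed values, not FOCAS codes).
PROTOCOL_BY_TYPE = {0x01: "FOCAS1", 0x02: "FOCAS2"}

# Constructed service table: the second byte selects the service; the result
# bytes stand in for the execution result a real machine tool would return.
SERVICES = {
    "FOCAS1": {0x10: ("connect", b"OK"),
               0x11: ("nc_search", b"O0001;O0002"),
               0x12: ("axis_info", b"X=0.000 Y=0.000 Z=0.000")},
    "FOCAS2": {0x10: ("connect", b"OK"),
               0x11: ("nc_search", b"O0001"),
               0x13: ("pmc_read", b"PMC:00")},
}

def _oversized_length(payload: bytes) -> bool:
    """Constructed vulnerability signature: the third byte declares a body
    length larger than the number of bytes actually sent (a malformed frame)."""
    return len(payload) >= 3 and payload[2] > len(payload) - 3

# Pre-discovered vulnerabilities deployed per protocol, as payload predicates.
VULN_SIGNATURES = {"FOCAS1": [_oversized_length], "FOCAS2": [_oversized_length]}

RESTART_SECONDS = 300  # preset duration close to a machine restart (5 minutes)

TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08
PROBE_REPLY = b"<fingerprint-reply>"  # placeholder for the fingerprint module's answer

@dataclass
class Honeypot:
    clock: Callable[[], float] = time.time
    sessions: Dict[str, List[bytes]] = field(default_factory=dict)  # session queue
    captured: List[tuple] = field(default_factory=list)              # data capture
    down_until: float = 0.0  # while clock() < down_until the TCP service is withdrawn

    def is_probe(self, tcp_flags: int, payload: bytes) -> bool:
        # Constructed heuristic for S101: a normal request carries application
        # data; a probe is an empty segment with an unusual flag combination.
        return not payload and tcp_flags not in (TCP_SYN, TCP_ACK, TCP_PSH | TCP_ACK)

    def handle(self, src: str, tcp_flags: int, payload: bytes) -> Optional[bytes]:
        """Return the response bytes, or None where the honeypot deliberately stays silent."""
        if self.clock() < self.down_until:
            return None  # simulated shutdown: no TCP service until the restart time elapses
        self.sessions.setdefault(src, []).append(payload)
        if self.is_probe(tcp_flags, payload):            # S101: probe request
            self.captured.append(("probe", src, payload))
            return PROBE_REPLY
        if not payload:
            return b""  # normal handshake segment: answered by the protocol stack itself
        proto = PROTOCOL_BY_TYPE.get(payload[0])         # S102: protocol distributor
        if proto is None:
            self.captured.append(("unknown_protocol", src, payload))
            return None  # abnormal packet: capture only, no response
        if any(sig(payload) for sig in VULN_SIGNATURES[proto]):   # S103
            self.captured.append(("vuln_trigger", src, payload))
            self.down_until = self.clock() + RESTART_SECONDS
            self.sessions.pop(src, None)  # the session ends with the simulated shutdown
            return None
        service_id = payload[1] if len(payload) > 1 else -1
        name, result = SERVICES[proto].get(service_id, ("unknown_service", b"ERR"))
        return name.encode() + b":" + result  # simulated execution result

if __name__ == "__main__":
    hp = Honeypot()
    print(hp.handle("10.0.0.5", TCP_PSH | TCP_ACK, b"\x01\x11\x00"))  # nc_search result
    print(hp.handle("10.0.0.5", TCP_PSH | TCP_ACK, b"\x01\x11\xff"))  # None: vulnerability
```

The three outcomes the description distinguishes are all visible in the return value: a response message for a normal service request, a placeholder reply handed to the fingerprint simulation for a probe, and None both for an unparseable packet and for a vulnerability trigger, with the latter also blocking every later request from any source until the preset duration has elapsed.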
By simulating, through the honeypot device, the response of a real numerical control machine tool to the request, the embodiment of the invention can effectively lure the illegal access of an attacker, mislead the attacker's perception, protect the numerical control machine tool in a targeted manner according to the attacker's behaviour, and improve the reliability of safety protection.
Based on the foregoing embodiments, after judging whether the request is a probe request, the method further includes: if the request is a probe request, obtaining the probe type of the request and returning a response generated according to the probe type.
Specifically, in the information-gathering stage the attacker performs a probing scan of the target (the numerical control machine). The probe type includes at least one of sequence-number probing, control message protocol request probing, transmission control protocol congestion probing, transmission control protocol detailed probing and user datagram protocol probing.
The sequence-number probe may be denoted as sequence generation (SEQ/OPS/WIN/T1).
The Internet Control Message Protocol (ICMP) request probe may be denoted as ICMP Echo (IE).
The Transmission Control Protocol (TCP) congestion probe is denoted as TCP explicit congestion notification (ECN).
The TCP detailed probe is denoted TCP (T2-T7).
The user datagram protocol probe is denoted UDP (U1).
If the request sent by the attacker is determined to be a probe request, the protocol to which the request belongs (such as IP, ICMP, TCP or UDP) is distinguished, the probe type of the request is determined according to that protocol, and the request is then passed to different execution units according to its probe type to generate a response message. Once this is done, the generated response message is returned to the attacker, achieving fingerprint simulation that deceives the attacker.
The implementation of the fingerprint simulation of the honeypot device is described below, taking as an example an attacker fingerprint-scanning the OS (operating system) of a FANUC Mate 0i-D numerical control machine tool with the Nmap tool.
First, the principle by which Nmap fingerprints an operating system is analysed, and it is determined that deception mainly needs to address the 5 types of probe request sent by Nmap (the probe types comprise sequence-number probing, control message protocol request probing, transmission control protocol congestion probing, transmission control protocol detailed probing and user datagram protocol probing).
After the 5 types of probe request have been determined, a FANUC Mate 0i-D machine tool is scanned with Nmap in an experimental environment, and the 5 types of probe request sent by Nmap together with the response data given by the machine tool are captured.
Since the NC system of the NC machine tool is mostly based on Linux, the netfilter subsystem of Linux may be used: specifically, the LOCAL_IN point among the 5 hooks provided by the netfilter framework (a point before the packet is handed to the protocol stack, namely hook 2, where interception is performed and the packet is processed first). Before data received by the network card is processed by the protocol stack, the request is diverted to QUEUE (a target value of an iptables rule; the targets are DROP, ACCEPT and QUEUE, and QUEUE hands the packet to user space, so all requests are diverted to user space), processed by a callback function in user space, and the requests from different request sources placed in the QUEUE are switched between automatically using getent.
In the callback function, the following two kinds of processing are adopted:
if the result of judging whether the request is a probe request is yes, the fingerprint response is simulated from the previously captured response data given by the machine tool to the 5 types of probe request, i.e. the values of the IP-layer and TCP-layer fields are modified according to the response behaviour of the real machine tool;
if the result of judging whether the request is a probe request is no, the request is released and returned to the protocol stack for processing, and the service in the industrial control protocol then responds to it to generate the response result.
Through this process, a hacker cannot distinguish the honeypot device from a real numerical control machine on the basis of system fingerprints, and the honeypot device is not identified by Shodan or Nmap as not being a real numerical control machine.
By simulating the response data for each probe type, the embodiment of the invention prevents an attacker from identifying the honeypot device by its system fingerprint, so that the attacker's illegal access can be lured more effectively, the attacker's perception misled, the numerical control machine tool protected in a targeted manner according to the attacker's behaviour, and the reliability of safety protection improved.
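As an added illustration (not the patent's code and not Nmap's), the following Python sketch shows the decision the user-space callback described above has to make: it parses a raw IPv4 packet, classifies it into one of the five probe types (SEQ, IE, ECN, T2-T7, U1) or passes a normal request back to the protocol stack, and looks up the IP-layer and TCP-layer field values to write into the reply from a profile standing in for the response data captured from the real machine tool. The profile values, the classification heuristics (a stateless simplification of Nmap's probe set), the silence-or-reset behaviour modelled on a typical Linux stack, and the packet builders are all assumptions; port 8193 is the Fanuc service port named in the description.

```python
"""Added illustration (not the patent's or Nmap's code): classifying raw probe
packets into the five probe types named above and deriving the reply header
fields from a profile recorded from the real machine tool.  The profile values
and all packets are constructed placeholders."""
import struct
from typing import Optional

# Constructed stand-in for the response data captured from the real machine
# tool; a deployment would fill these fields from the packet captures.
RECORDED_PROFILE = {
    "ttl": 64, "df": True, "window": 5840, "ecn": False,
    "options": b"\x02\x04\x05\xb4\x01\x03\x03\x00",  # MSS 1460, NOP, WS 0
    "icmp_echo": {"ttl": 64, "df": False, "code": 0},
}
SERVICE_PORT = 8193  # the Fanuc TCP service port named in the description

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH = 0x01, 0x02, 0x04, 0x08
TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = 0x10, 0x20, 0x40, 0x80

def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields the classifier needs out of an IPv4 packet."""
    ver_ihl, _tos, _tlen, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    l4 = pkt[(ver_ihl & 0x0F) * 4:]
    hdr = {"proto": proto, "ttl": ttl, "df": bool(frag & 0x4000), "payload": b""}
    if proto == 6:     # TCP
        _sp, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        hdr.update(dport=dport, flags=off_flags & 0x1FF,
                   open_port=(dport == SERVICE_PORT),
                   payload=l4[(off_flags >> 12) * 4:])
    elif proto == 17:  # UDP
        hdr["dport"] = struct.unpack("!H", l4[2:4])[0]
    elif proto == 1:   # ICMP
        hdr["icmp_type"] = l4[0]
    return hdr

def classify_probe(hdr: dict) -> Optional[str]:
    """Map a packet to SEQ, IE, ECN, T2-T7 or U1, or None for a normal request."""
    p = hdr["proto"]
    if p == 1:
        return "IE" if hdr["icmp_type"] == 8 else None
    if p == 17:
        return "U1"
    if p != 6:
        return None
    f = hdr["flags"]
    if hdr["payload"]:
        return None  # carries application data: a normal request, release to the stack
    if f == TCP_ACK and hdr["open_port"]:
        # Treated as the third handshake segment.  Stateless simplification: a
        # stateful check would separate it from Nmap's T4 ACK probe.
        return None
    if f & TCP_SYN and f & (TCP_ECE | TCP_CWR):
        return "ECN"
    if f == TCP_SYN and hdr["open_port"]:
        return "SEQ"
    return "T2-T7"

def build_reply(hdr: dict, probe_type: str, profile: dict) -> Optional[dict]:
    """Header field values the user-space callback writes into the reply, or
    None where the recorded machine tool stayed silent."""
    base = {"ttl": profile["ttl"], "df": profile["df"]}
    if probe_type == "IE":
        e = profile["icmp_echo"]
        return {"layer": "icmp", "type": 0, "code": e["code"], "ttl": e["ttl"], "df": e["df"]}
    if probe_type == "U1":
        return dict(base, layer="icmp", type=3, code=3)  # ICMP port unreachable
    if probe_type in ("SEQ", "ECN"):
        flags = TCP_SYN | TCP_ACK
        if probe_type == "ECN" and profile["ecn"]:
            flags |= TCP_ECE
        return dict(base, layer="tcp", flags=flags, window=profile["window"],
                    options=profile["options"])
    if probe_type == "T2-T7" and not hdr["open_port"]:
        return dict(base, layer="tcp", flags=TCP_RST | TCP_ACK, window=0, options=b"")
    return None  # odd-flag probe on the open port: the recorded machine does not answer

# Constructed packet builders so the classifier can be exercised offline.
def make_ipv4(proto: int, l4: bytes, ttl: int = 64) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, ttl, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + l4

def make_tcp(dport: int, flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    off = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (off << 12) | flags,
                       1024, 0, 0) + options + payload

def make_icmp(icmp_type: int) -> bytes:
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def make_udp(dport: int) -> bytes:
    return struct.pack("!HHHH", 40000, dport, 8, 0)
```

In a deployment this logic would sit behind the iptables rule that diverts INPUT traffic for the service port to user space (the QUEUE target named above, or its NFQUEUE successor), and the returned field values would be written into the outgoing packet before it leaves the host; only the decision logic is shown here, and a normal request (None from classify_probe) is the case the callback releases back to the protocol stack.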
Based on the foregoing embodiments, after determining the industrial control protocol used by the request, the method further includes: if it is determined, according to the industrial control protocol, that the request does not trigger any pre-discovered vulnerability, acquiring the service requested by the request based on the industrial control protocol, and returning the execution result of the service as the response to the request.
It will be appreciated that not all requests sent by an attacker are aggressive; an attacker may also send normal requests as a trial.
Specifically, after judging whether the request triggers any of the at least one pre-discovered vulnerability in the numerical control system using the request's industrial control protocol, if the result is that the request triggers none of them, the service requested by the request is determined based on the industrial control protocol used by the request, and the execution result of the service is simulated as the response data corresponding to the request.
Determining the requested service based on the industrial control protocol used by the request, and simulating the execution result of the service, is specifically achieved through the basic protocol format of the industrial control protocol obtained in advance by reverse engineering that protocol.
It can be understood that the honeypot device is preset with the basic protocol formats of the various industrial control protocols, obtained in advance by reverse engineering them.
The services of the industrial control protocol mainly comprise connection, NC program searching, deletion and reading, axis information acquisition, PMC parameter information acquisition and the like.
The execution result is a response message; after the response message is generated, it is returned to the attacker.
By simulating the result of a normal request and returning the corresponding response data, the embodiment of the invention can deal more effectively with the attacker's probing, so that the attacker finds it harder to identify the honeypot device. This lures the attacker's illegal access more effectively, misleads the attacker's perception, allows targeted protection of the numerical control machine tool according to the attacker's behaviour, and improves the reliability of safety protection.
Based on the foregoing embodiments, after parsing the request, the method further includes: if the industrial control protocol used by the request cannot be determined, performing data capture for the request.
Specifically, the industrial control protocol used by the request not being determined means that the result of parsing the request does not conform to any of the preset basic protocol formats of the industrial control protocols; in that case the request is treated as an abnormal data packet.
After the abnormal data packet is found, the attack data of the request can be captured by a data capture module included in the honeypot device.
Data capture, whose purpose is to enable data analysis, is an important step of the honeypot method. Raw data capture and filtering can be performed with Tcpdump.
It can be appreciated that, for the parts that cannot be parsed, the embodiment of the present invention stores the captured attack data in a local database of the honeypot device.
The captured attack data can be analysed, so that the analysis result reveals how an attacker attacks the numerical control machine tool and the latest attacks and vulnerabilities targeting numerical control machine tools; safety protection of the numerical control machine tool can then be carried out in a targeted manner and the protection is more reliable.
The embodiment of the invention performs data capture for abnormal data packets and can analyse the captured data, so that the numerical control machine tool itself can be protected in a more targeted manner with higher reliability.
Based on the foregoing embodiments, after determining the industrial control protocol used by the request, the method further includes: if it is determined, according to the industrial control protocol, that the request triggers at least one pre-discovered vulnerability, performing data capture for the request.
Specifically, if a request triggers any vulnerability, previously deployed in the honeypot device, of the numerical control system using the request's industrial control protocol, the attack data of the request can be captured by the data capture module included in the honeypot device.
It can be appreciated that, for the parts that cannot be parsed, the embodiment of the present invention stores the captured attack data in a local database of the honeypot device.
The captured attack data can be analysed, so that the analysis result reveals how an attacker attacks the numerical control machine tool and the latest attacks and vulnerabilities targeting numerical control machine tools; safety protection of the numerical control machine tool can then be carried out in a targeted manner and the protection is more reliable.
The embodiment of the invention performs data capture for requests that trigger a vulnerability and can analyse the captured data, so that the numerical control machine tool itself can be protected in a more targeted manner with higher reliability.
Based on the foregoing embodiments, after judging whether the request is a probe request, the method further includes: performing data capture for the request.
Specifically, if the request is determined to be a probe request, the attack data of the request may be captured by the data capture module included in the honeypot device.
It can be appreciated that, for the parts that cannot be parsed, the embodiment of the present invention stores the captured attack data in a local database of the honeypot device.
The captured attack data can be analysed, so that the analysis result reveals how an attacker attacks the numerical control machine tool and the latest attacks and vulnerabilities targeting numerical control machine tools; safety protection of the numerical control machine tool can then be carried out in a targeted manner and the protection is more reliable.
The embodiment of the invention performs data capture for probe requests and can analyse the captured data, so that the numerical control machine tool itself can be protected in a more targeted manner with higher reliability.
Based on the content of the above embodiments, after acquiring the request initiated to the numerical control machine tool, the method further includes: the request is logged.
Specifically, to facilitate analysis of the request, after the request is obtained, a logging module included in the honeypot device may generate a corresponding log for each processing step of the request, thereby logging the request.
When an attacker requests the corresponding functions, the honeypot device stores the request data in the form of logs and data packets; the logs are processed and displayed by the analysis module, and the data packets are left for researchers and analysts to perform post-hoc analysis.
The log is kept so that analysis and presentation are more convenient.
The log record may take the form of a tuple of timestamp, level (int type), request type (int type) and detailed information (including request source, request message and return message). To be more efficient, the logging module included in the honeypot device may extract only the application layer data as the request and return message information.
For example, the log format is as follows:
    timestamp:
    message level: 0/1/2 (values for Normal/Medium/Serious, respectively)
    request type: 0-32 (corresponding to the 32 types of functions, respectively)
    detailed information: {
        source: (ip, port),
        request_data: 'a0a0a0a0..',
        response_data: 'a0a0a0a0..'
    }
A log file and a pcap packet capture can be generated for each preset time period (daily), both named by date. The log is sent to the ELK log analysis and display module for analysis and display, while the pcap capture is left to researchers to further extract attack characteristics, carry out replay experiments afterwards, and verify whether it belongs to an undiscovered vulnerability, which is then reported in time.
The pcap packet capture consists of the attack data captured for the requests acquired in that time period.
The method may use the three open source tools Elasticsearch (E), Logstash (L) and Kibana (K) to build a solution for collecting, analyzing and displaying the logs; the logs are displayed and analyzed by a log analysis and display module included in the honeypot device, which may also be called the ELK log analysis and display module because it is built on these three tools.
It should be noted that, after the traffic of the illegal access initiated by the attacker has been screened and classified, requests posing a large threat can be marked with an alarm; when logging is performed, the alarm is issued in time according to the mark, and measures are taken in time to prevent the attacker from causing further damage.
In this embodiment, the request can be logged and the log analyzed and displayed, so that the situation of the request is better understood and the numerical control machine tool itself can be protected in a more targeted way, with higher protection reliability.
Fig. 2 is a schematic structural diagram of a honeypot apparatus for a numerical control machine tool according to an embodiment of the present invention. Based on the content of the foregoing embodiments, as shown in fig. 2, the apparatus includes a fingerprint simulation module 201, a protocol interaction module 202, and a vulnerability deployment module 203, where:
the fingerprint simulation module 201 is configured to obtain a request initiated by a request source to the numerical control machine tool, and determine whether the request is a detection request;
the protocol interaction module 202 is configured to, if the request is not a probe request, analyze the request and determine an industrial control protocol used by the request;
and the vulnerability deployment module 203 is configured to not respond to the request if it is determined that the request triggers at least one pre-discovered vulnerability according to the industrial control protocol.
Specifically, the fingerprint simulation module 201 obtains the request initiated by the attacker by monitoring the preselected ports, and analyzes the TCP header and payload of the request to determine whether it is a probe request or a normal request.
The protocol interaction module 202 matches the application layer data of the request, and distinguishes different industrial control protocols according to a fixed field (for example, the fixed field may be defined as a type field), so as to determine the industrial control protocol used by the request.
The vulnerability deployment module 203 judges, according to the industrial control protocol, whether the request triggers any one of the at least one pre-discovered vulnerability of the numerical control system using that protocol. If the request attacks one of those vulnerabilities, the vulnerability is triggered: the vulnerability deployment module 203 returns no result, sends no response message to the attacker, and stops providing the external TCP connection service so as to simulate downtime of the numerical control machine.
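As an added example, not code from the patent, the following Python models the three-module pipeline just described (fingerprint simulation, protocol interaction, vulnerability deployment) together with the log record format given earlier (timestamp, level, request type, detailed information, alarm mark). The protocol type-field values, the vulnerability triggers, the probe heuristic and the banner text are all constructed placeholders; the patent specifies none of them.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Message levels from the log format above: 0 Normal, 1 Medium, 2 Serious.
NORMAL, MEDIUM, SERIOUS = 0, 1, 2

# Assumed values of the fixed "type field" that the protocol interaction
# module matches to tell industrial control protocols apart (the patent
# names no concrete values; these are constructed for the example).
PROTOCOL_BY_TYPE_FIELD = {0x01: "proto_a", 0x02: "proto_b"}

# Assumed pre-discovered vulnerabilities deployed in the honeypot, keyed by
# protocol and request type; each value is a constructed payload prefix
# standing in for the real trigger condition (not a real bug signature).
KNOWN_VULN_TRIGGERS = {"proto_a": {7: b"\xff\xff"}}


@dataclass
class LogRecord:
    """One entry in the log format above (timestamp, level, request type,
    detailed information) plus the alarm mark for high-threat requests."""
    timestamp: str
    level: int
    request_type: int
    source: tuple
    request_data: str   # application-layer request bytes, hex encoded
    response_data: str  # application-layer response bytes, hex encoded
    alarm: bool = False

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)


def is_probe(payload: bytes) -> bool:
    """Fingerprint simulation module: a payload too short to carry a
    protocol header is treated as a scanner probe (constructed heuristic)."""
    return len(payload) < 2


def identify_protocol(payload: bytes):
    """Protocol interaction module: look up the fixed type field (byte 0)."""
    return PROTOCOL_BY_TYPE_FIELD.get(payload[0])


def triggers_known_vuln(protocol: str, request_type: int, body: bytes) -> bool:
    """Vulnerability deployment module: does the request hit a deployed bug?"""
    trigger = KNOWN_VULN_TRIGGERS.get(protocol, {}).get(request_type)
    return trigger is not None and body.startswith(trigger)


def handle_request(source: tuple, payload: bytes, now: datetime = None):
    """Run one request through the three modules and return (response, record).
    response is None when the honeypot stays silent: to simulate downtime
    after a vulnerability hit, or because an unknown protocol is only captured."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    req_hex = payload.hex()

    if is_probe(payload):
        # Reply with a fingerprint banner (constructed) so the scanner sees
        # a plausible controller; request type 0 marks a probe here.
        response = b"CNC-CONTROLLER READY\r\n"
        return response, LogRecord(ts, NORMAL, 0, source, req_hex, response.hex())

    protocol = identify_protocol(payload)
    if protocol is None:
        return None, LogRecord(ts, MEDIUM, 0, source, req_hex, "")

    request_type, body = payload[1], payload[2:]
    if triggers_known_vuln(protocol, request_type, body):
        # No result and no response message: simulated downtime, alarm marked.
        return None, LogRecord(ts, SERIOUS, request_type, source, req_hex, "",
                               alarm=True)

    # Otherwise emulate the requested service; the echoed "OK" is a constructed
    # stand-in for the real function's execution result.
    response = bytes([payload[0], request_type]) + b"OK"
    return response, LogRecord(ts, NORMAL, request_type, source, req_hex,
                               response.hex())


def log_filename(timestamp: str) -> str:
    """Daily log file named by the record's date, as described above."""
    return f"honeypot-{timestamp[:10]}.log"
```

Each `LogRecord.to_json()` line is what a Logstash input would ingest for the ELK module; the level and alarm fields are what the display side keys on.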
The honeypot device for the numerical control machine tool provided by the embodiment of the present invention is used to execute the honeypot method for the numerical control machine tool provided by the embodiments of the present invention; the specific method and process by which each module included in the honeypot device realizes its corresponding function are described in the embodiments of the honeypot method and are not repeated here.
The honeypot apparatus for the numerical control machine tool is used for the honeypot method for the numerical control machine tool of the foregoing embodiments. Therefore, the descriptions and definitions in the honeypot method of the foregoing embodiments can be used to understand the execution modules in the embodiments of the present invention.
The embodiment of the present invention simulates, through the honeypot device, the response of a real numerical control machine tool to the request; it can effectively lure the illegal access of an attacker and mislead the attacker, can protect the numerical control machine tool in a targeted way according to the attacker's attack behavior, and can improve the reliability of safety protection.
Fig. 3 is a block diagram of an electronic device according to an embodiment of the present invention. Based on the content of the above embodiments, as shown in fig. 3, the electronic device may include: a processor 301, a memory 302, and a bus 303, where the processor 301 and the memory 302 communicate with each other through the bus 303. The processor 301 is used to call the computer program instructions stored in the memory 302 and executable on the processor 301 in order to execute the honeypot method for the numerical control machine tool provided by the above method embodiments; for example, the honeypot method includes: acquiring a request initiated by a request source to the numerical control machine tool, and judging whether the request is a probe request; if the request is not a probe request, parsing the request and determining the industrial control protocol used by the request; and if, according to the industrial control protocol, the request is determined to trigger at least one pre-discovered vulnerability, not responding to the request.
Another embodiment of the present invention discloses a computer program product, the computer program product includes a computer program stored on a non-transitory computer readable storage medium, the computer program includes program instructions, when the program instructions are executed by a computer, the computer can execute the honeypot method for the numerical control machine tool provided by the above-mentioned method embodiments, for example, the honeypot method includes: acquiring a request initiated by a request source to the numerical control machine tool, and judging whether the request is a detection request; if the request is not a detection request, analyzing the request and determining an industrial control protocol used by the request; and if the request is judged and known to trigger at least one pre-discovered bug according to the industrial control protocol, the request is not responded.
Furthermore, the logic instructions in the memory 302 may be implemented as software functional units and, when sold or used as a stand-alone product, stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
Another embodiment of the present invention provides a non-transitory computer-readable storage medium, which stores computer instructions, the computer instructions causing a computer to execute the honeypot method for a numerical control machine tool provided by the above method embodiments, for example, the honeypot method includes: acquiring a request initiated by a request source to the numerical control machine tool, and judging whether the request is a detection request; if the request is not a detection request, analyzing the request and determining an industrial control protocol used by the request; and if the request is judged and known to trigger at least one pre-discovered bug according to the industrial control protocol, the request is not responded.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. It is understood that the above-described technical solutions may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method of the above-described embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (5)

1. A honeypot method for a numerically controlled machine tool, comprising:
acquiring a request initiated by a request source to a numerical control machine tool, and judging whether the request is a detection request;
if the request is not a detection request, analyzing the request and determining an industrial control protocol used by the request;
if, according to the industrial control protocol, it is determined that the request triggers at least one pre-discovered vulnerability, the request is not responded to;
wherein, after determining whether the request is a probe request, the method further comprises:
if the request is a detection request, obtaining the detection type of the request, and returning a response generated according to the detection type;
after the industrial control protocol used by the request is determined, the method further includes:
if, according to the industrial control protocol, it is determined that the request does not trigger any of the pre-discovered vulnerabilities, obtaining the service requested by the request based on the industrial control protocol, and returning the execution result of the service as a response to the request;
after parsing the request, the method further includes:
if the industrial control protocol used by the request cannot be determined, performing data capture for the request;
after the industrial control protocol used by the request is determined, the method further includes:
if, according to the industrial control protocol, it is determined that the request triggers at least one pre-discovered vulnerability, performing data capture for the request;
after determining whether the request is a probe request, the method further includes:
performing data capture for the request.
2. The honeypot method for a numerical control machine tool according to claim 1, wherein after acquiring the request initiated to the numerical control machine tool, the method further comprises:
logging the request.
3. A honeypot device for a numerical control machine tool, characterized in that it comprises:
the fingerprint simulation module is used for acquiring a request initiated by a request source to the numerical control machine tool and judging whether the request is a detection request;
the protocol interaction module is used for analyzing the request and determining an industrial control protocol used by the request if the request is not a detection request;
the vulnerability deployment module is used for not responding to the request if, according to the industrial control protocol, it is determined that the request triggers at least one pre-discovered vulnerability;
the honeypot device is further configured to, after determining whether the request is a probe request, if the request is a probe request, obtain the probe type of the request and return a response generated according to the probe type;
after the industrial control protocol used by the request is determined, if, according to the industrial control protocol, it is determined that the request does not trigger any pre-discovered vulnerability, obtain the service requested by the request based on the industrial control protocol and return the execution result of the service as a response to the request;
after the request is parsed, if the industrial control protocol used by the request cannot be determined, perform data capture for the request;
after the industrial control protocol used by the request is determined, if, according to the industrial control protocol, it is determined that the request triggers at least one pre-discovered vulnerability, perform data capture for the request;
and after determining whether the request is a probe request, perform data capture for the request.
4. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the honeypot method for numerical control machine tool according to any one of claims 1 and 2.
5. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the honeypot method for numerical control machine tools according to any one of claims 1 and 2.
CN201910435072.1A 2019-05-23 2019-05-23 Honeypot method and device for numerical control machine tool Active CN110351237B (en)
Publications (2)

Publication Number Publication Date
CN110351237A CN110351237A (en) 2019-10-18
CN110351237B true CN110351237B (en) 2020-07-10