CN110635971A - Industrial control asset detection and management method and device and electronic equipment - Google Patents

Info

Publication number: CN110635971A
Authority: CN (China)
Prior art keywords: asset, industrial control, assets, detection, port
Legal status: Pending
Application number: CN201910982177.9A
Other languages: Chinese (zh)
Inventors: 张桐桐, 范渊
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Application filed by: Hangzhou Dbappsecurity Technology Co Ltd
Priority to: CN201910982177.9A
Publication of: CN110635971A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/12 Discovery or management of network topologies
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route

Abstract

The embodiments of the invention provide an industrial control asset detection and management method, an industrial control asset detection and management device, and electronic equipment, relating to the field of industrial control. The method comprises: performing a full-port pre-scan of an industrial control system using a first communication protocol and a second communication protocol respectively, to obtain live ports, where the first and second communication protocols differ in protocol type; sending a first detection message and a second detection message to each live port and reading asset information of the industrial control asset corresponding to that port, where the first detection message is a message of the first communication protocol and the second detection message is a message of the second communication protocol; and, if the asset information is read successfully, determining the industrial control asset corresponding to the live port to be a live asset. The method alleviates the limited detection range of the prior art: it can detect more industrial control assets over a wider range, identifies device assets and network assets in a unified way, improves the asset identification rate, and has a wider range of application.

Description

Industrial control asset detection and management method and device and electronic equipment
Technical Field
The invention relates to the field of industrial control asset identification, in particular to an industrial control asset detection and management method, an industrial control asset detection and management device and electronic equipment.
Background
Most critical infrastructure that the national economy and people's livelihood depend on relies on industrial control systems to operate. Once an important industrial control system is damaged, loses function or leaks information, national security and the public interest may be jeopardized. For this reason, the network security of industrial control systems has been brought into the Basic Requirements for Network Security Level Protection (Information Security Technology). The industrial control system security extension of those requirements requires that patch updates, firmware updates and similar work be performed on control equipment after full testing and evaluation and without affecting the safe and stable operation of the system. Assets in the industrial control network therefore need to be detected and identified.
At present, industrial control assets are mainly detected and identified by cyberspace search. For example, Shodan, the most popular cyberspace search engine, can scan protocols such as HTTP, FTP, SSH, Telnet, SNMP and SIP, and identifies industrial control equipment by analyzing the information exchanged between client and server. When used for industrial control asset identification, this approach has the following disadvantage: it can identify only some industrial control equipment, so the identification range is limited.
Disclosure of Invention
In view of the above, the present invention provides a method, an apparatus and an electronic device for detecting and managing industrial control assets.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical solutions:
in a first aspect, an embodiment of the present invention provides a method for detecting and managing industrial control assets, where the industrial control assets include device assets and network assets; the method comprises the following steps:
carrying out full-port pre-scanning on the industrial control system by adopting a first communication protocol and a second communication protocol respectively to obtain a survival port; the first communication protocol is a network-based transmission protocol, and the second communication protocol is a PLC-based industrial protocol;
for the surviving port, respectively sending a first detection message and a second detection message to read asset information of the industrial control asset corresponding to the surviving port; the first detection message is a message of the first communication protocol, and the second detection message is a message related to the second communication protocol;
and if the asset information is successfully read, determining the industrial control asset corresponding to the survival port as the survival asset.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the method further includes: adding label information to the industrial control assets determined as the survival assets; and/or; and recording the industrial control assets determined as the survival assets into an asset library.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the method further includes:
receiving a query field input by a user;
if the query field includes at least one tag in the tag information, outputting asset information for the surviving asset associated with the tag information to an asset query interface.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where the method further includes:
performing survivability detection on the surviving port every first preset time interval to generate a first detection result;
and if the first detection result indicates that the live port is disconnected, generating first alarm information.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where the method further includes:
performing survivability detection on the non-survival port in the preset using network segment every second preset time interval to generate a second detection result;
and if the second detection result indicates that the newly accessed industrial control assets exist, sending a detection message to the newly accessed industrial control assets, and reading the asset information of the newly accessed industrial control assets.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where the method further includes:
and generating an industrial control system asset topological graph based on the industrial control assets determined as the survival assets.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation manner of the first aspect, where the method further includes:
and displaying the asset topological graph of the industrial control system through a visual interface.
In a second aspect, an embodiment of the present invention provides an industrial control asset detection and management apparatus, where the industrial control asset includes a device asset and a network asset; the device comprises:
the acquisition module is used for carrying out full-port pre-scanning on the industrial control system by adopting a first communication protocol and a second communication protocol respectively to acquire a survival port; the first communication protocol is a network-based transmission protocol, and the second communication protocol is a PLC-based industrial protocol;
the detection module is used for respectively sending a first detection message and a second detection message to the survival port so as to read the asset information of the industrial control asset corresponding to the survival port; the first detection message is a message of the first communication protocol, and the second detection message is a message related to the second communication protocol;
and the determining module is used for determining the industrial control assets corresponding to the survival ports as the survival assets if the asset information is successfully read.
In a third aspect, an embodiment of the present invention provides an electronic device, including a processor and a memory, where the memory stores machine executable instructions capable of being executed by the processor, and the processor can execute the machine executable instructions to implement the method described in any one of the foregoing embodiments.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the method according to any one of the foregoing embodiments.
The embodiments of the invention have the following beneficial effects. In the industrial control asset detection and management method, device, electronic equipment and computer-readable storage medium provided by the embodiments of the invention, the industrial control assets include device assets and network assets, and the method comprises the following steps: performing a full-port pre-scan of the industrial control system using a first communication protocol and a second communication protocol respectively, to obtain live ports, where the first communication protocol is a network-based transmission protocol and the second communication protocol is a PLC-based industrial protocol; for each live port, sending a first detection message and a second detection message to read asset information of the industrial control asset corresponding to that port, where the first detection message is a message of the first communication protocol and the second detection message is a message related to the second communication protocol; and, if the asset information is read successfully, determining the industrial control asset corresponding to the live port to be a live asset. The technical scheme provided by the embodiments of the invention can therefore detect more industrial control assets over a wider detection range, identifies device assets and network assets in a unified way, helps improve the asset identification rate, and has a wider range of application.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a flow chart of an industrial control asset detection and management method according to an embodiment of the invention;
FIG. 2 is a flow chart of another industrial control asset detection and management method according to an embodiment of the invention;
FIG. 3 is a schematic diagram of an industrial control asset detection and management device according to an embodiment of the invention;
FIG. 4 is a schematic diagram of an electronic device according to an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as "first" and "second" may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
At present, industrial control assets are mainly detected and identified by cyberspace search. For example, Shodan, the most popular cyberspace search engine, can scan protocols such as HTTP, FTP, SSH, Telnet, SNMP and SIP, and identifies industrial control equipment by analyzing the information exchanged between client and server. When used for industrial control asset identification, this approach has the following disadvantage: it can identify only some industrial control equipment, so the identification range is limited.
Based on this, the industrial control asset detection and management method, the industrial control asset management device and the electronic equipment provided by the embodiment of the invention can detect more industrial control assets, have a wider detection range, realize unified identification of the equipment assets and the network assets, facilitate improvement of the identification rate of the assets, and have a wider application range.
For the convenience of understanding the embodiment, a detailed description will be given to an industrial control asset detection and management method disclosed in the embodiment of the present invention.
First embodiment
Referring to fig. 1, an embodiment of the present invention provides a method for detecting and managing industrial control assets, where the industrial control assets include device assets and network assets; the method comprises the following steps:
step S101, carrying out full-port pre-scanning on an industrial control system by adopting a first communication protocol and a second communication protocol respectively to obtain survival ports;
step S102, for the survival port, respectively sending a first detection message and a second detection message to read asset information of the industrial control asset corresponding to the survival port;
and step S103, if the asset information is successfully read, determining the industrial control asset corresponding to the survival port as the survival asset.
In step S101, the first communication protocol is a network-based transmission protocol, and the second communication protocol is a PLC-based industrial protocol; for example, the first communication protocol includes TCP and UDP, and the second communication protocol includes at least one of the following protocols: Modbus, IEC-104, DNP3, Ethernet/IP, S7, Ovation DCS.
Specifically, the step S101 can be implemented by the following steps:
a. Perform a full-port pre-scan of all nodes in the industrial control system using the TCP and UDP network protocols and industrial control protocols such as Modbus, IEC-104, DNP3, Ethernet/IP, S7 and Ovation DCS respectively; that is, send messages to all IPs and their ports until all IPs and all ports have been traversed, and obtain the live IPs and their live ports by this preliminary screening;
b. Cache the live ports in a pending target detection library;
c. Analyze each live port and determine its category information. The category information includes an asset category and a protocol category. The asset category is either device asset or network asset, and the protocol category is the protocol used by the asset (namely the industrial control asset) corresponding to the live port.
Specifically, the received live IPs and their port information (e.g., port numbers) are analyzed.
It should be noted that a port mentioned above may be a physical port or an API port; the nodes mentioned above can be understood as all devices connected inside the industrial control system, including but not limited to routers, switches, engineer stations, etc.
For the convenience of understanding, the following description will take a pre-scanning manner of TCP as an example:
1. Split the IP segment into a plurality of IP sub-segments using a distributed algorithm;
2. For each IP sub-segment, shuffle the target IPs using a random algorithm and store them in an IP detection library;
3. Send SYN messages to the ports of all IPs in the IP pool: for each IP, randomly select one port from ports 0 to 65535 and send a SYN message to it; if an ACK message is received from the target IP, the port is alive, and the IP and its live port are added to the pending target detection library;
4. Repeat step 3 until all IPs and all ports have been traversed.
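The traversal order described in steps 1 to 4, as an added example that is not code from the patent. It only computes the probe order and sends nothing; the function names, the sub-segment size and the seeded random generator are assumptions made for illustration.

```python
import ipaddress
import random
from typing import Dict, Iterator, List, Sequence, Tuple

ALL_PORTS = range(0, 65536)  # "ports 0 to 65535" as stated in step 3


def split_segment(cidr: str, sub_prefix: int) -> list:
    """Step 1: split the IP segment into sub-segments (one unit of work each)."""
    net = ipaddress.ip_network(cidr)
    if sub_prefix < net.prefixlen:
        raise ValueError("sub_prefix must be at least the segment's prefix length")
    return list(net.subnets(new_prefix=sub_prefix))


def shuffled_targets(segment, subnet, rng: random.Random) -> List[str]:
    """Step 2: shuffle the target IPs of one sub-segment.

    Only the parent segment's network and broadcast addresses are skipped.
    Using subnet.hosts() here would also drop the first and last address of
    every sub-segment, which are ordinary hosts of the parent segment.
    """
    skip = {segment.network_address, segment.broadcast_address}
    targets = [str(addr) for addr in subnet if addr not in skip]
    rng.shuffle(targets)
    return targets


def probe_order(targets: Sequence[str], ports: Sequence[int],
                rng: random.Random) -> Iterator[Tuple[str, int]]:
    """Steps 3-4: each round takes one random untried port per IP, and rounds
    repeat until every IP has had every port tried exactly once."""
    if not ports:
        return
    untried = {ip: rng.sample(ports, len(ports)) for ip in targets}
    while untried:
        for ip in list(untried):
            yield ip, untried[ip].pop()
            if not untried[ip]:
                del untried[ip]


def build_plan(cidr: str, sub_prefix: int, ports: Sequence[int] = ALL_PORTS,
               seed=None) -> Dict[str, List[Tuple[str, int]]]:
    """Return {sub-segment: ordered (ip, port) probes}.

    The plan is materialised as lists for inspection; with the full port
    range a real scheduler would consume probe_order() lazily instead.
    """
    rng = random.Random(seed)
    segment = ipaddress.ip_network(cidr)
    plan = {}
    for subnet in split_segment(cidr, sub_prefix):
        targets = shuffled_targets(segment, subnet, rng)
        plan[str(subnet)] = list(probe_order(targets, ports, rng))
    return plan


if __name__ == "__main__":
    # Constructed input: documentation range 192.0.2.0/28, four ports only.
    for subnet, probes in build_plan("192.0.2.0/28", 30, range(0, 4), seed=7).items():
        print(subnet, probes[:3], "...")
```

Because one port per IP is taken in each round, consecutive probes go to different hosts, which spreads the load across the sub-segment instead of concentrating it on one device.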
For step S102, the first detection packet is a packet related to the first communication protocol, and the second detection packet is a packet related to the second communication protocol; asset information includes, but is not limited to, asset base information, vendor information, hardware specifications, software information, and the like; the asset basic information includes information such as an IP address and a MAC address.
In an alternative embodiment, this step S102 may be performed according to the following steps:
For the IPs and their live ports in the pending target library, send industrial protocol detection messages and TCP and UDP protocol detection messages according to the asset and the protocol type it uses, and read the asset's basic information, manufacturer information, hardware specification, software information and the like.
For step S103, when the asset information is successfully read, the asset corresponding to the live port may be determined as a live asset.
In an alternative embodiment, the method further comprises: adding label information to the industrial control assets determined as the survival assets; and/or; and recording the industrial control assets determined as the survival assets into an asset library.
The label information includes at least one of the following labels: IP address, MAC address, manufacturer information, model, etc.
In a specific implementation, the method further comprises: and adding label information to the industrial control assets determined as the survival assets, and recording the label information into an asset library.
Assets that have been detected and found alive are entered into an asset library and marked with labels such as IP, MAC, manufacturer information and model; that is, the labels are associated with the assets so that they can later be queried by label.
In an alternative embodiment, the method further comprises the query step of:
1) receiving a query field input by a user;
specifically, receiving a query field input by a user on an asset query interface; where the query field is used to obtain asset information.
2) And if the query field comprises at least one tag in the tag information, outputting the asset information of the survival asset associated with the tag information to an asset query interface so that a user can view the asset information.
That is, the method can realize querying the asset according to the tag and displaying all information of the asset.
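Steps S102 and S103 and the label query, as an added example that is not code from the patent. It assumes the industrial detection message is a Modbus/TCP Read Device Identification request (function code 0x2B, MEI type 0x0E); the response bytes, addresses and vendor strings are constructed, the MAC address is assumed to come from another source, and `AssetLibrary` and `identify` are hypothetical names.

```python
import struct
from typing import Dict, List, Optional

# Object ids of the Modbus "basic" device identification category:
# 0x00 VendorName, 0x01 ProductCode, 0x02 MajorMinorRevision.
OBJECT_NAMES = {0x00: "vendor", 0x01: "model", 0x02: "revision"}


def build_request(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """Detection message: MBAP header + Read Device Identification PDU."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])  # basic category, start at object 0
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_device_id(frame: bytes) -> Optional[Dict[str, str]]:
    """Return the identification objects, or None if nothing could be read
    (short or truncated frame, wrong protocol id, or an exception response)."""
    if len(frame) < 9:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1:
        return None
    if pdu[0] != 0x2B or pdu[1] != 0x0E or len(pdu) < 7:
        return None  # an exception response carries function code 0xAB
    info, pos = {}, 7
    for _ in range(pdu[6]):  # pdu[6] = number of objects
        if pos + 2 > len(pdu):
            return None
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            return None
        name = OBJECT_NAMES.get(obj_id, "object_%#04x" % obj_id)
        info[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return info or None


class AssetLibrary:
    """Asset library whose labels are IP, MAC, manufacturer and model."""

    def __init__(self) -> None:
        self.assets: List[Dict[str, str]] = []

    def record(self, ip: str, port: int, mac: str, info: Dict[str, str]) -> Dict[str, str]:
        asset = {"ip": ip, "port": str(port), "mac": mac, **info}
        self.assets.append(asset)
        return asset

    @staticmethod
    def tags(asset: Dict[str, str]) -> set:
        return {asset[k].casefold() for k in ("ip", "mac", "vendor", "model") if k in asset}

    def query(self, field: str) -> List[Dict[str, str]]:
        """Return every asset with at least one label among the query words."""
        words = {w.casefold() for w in field.split()}
        return [a for a in self.assets if words & self.tags(a)]


def identify(library: AssetLibrary, ip: str, port: int, mac: str,
             response: bytes) -> Optional[Dict[str, str]]:
    """S103: the asset counts as live only if its information was read."""
    info = parse_device_id(response)
    return library.record(ip, port, mac, info) if info else None


def constructed_response(objects: Dict[int, bytes]) -> bytes:
    """Build a sample response (constructed data, not a capture)."""
    body = b"".join(bytes([i, len(v)]) + v for i, v in objects.items())
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu


if __name__ == "__main__":
    lib = AssetLibrary()
    ok = constructed_response({0: b"ExampleVendor", 1: b"EX-100", 2: b"V1.2"})
    identify(lib, "192.0.2.10", 502, "00:00:5e:00:53:01", ok)
    print(lib.query("EX-100"))
```

Matching is done on whole words, so the labels in this sketch are single tokens; a query for `192.0.2.1` does not return the asset at `192.0.2.10`.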
The industrial control asset detection and management method provided by the embodiment of the invention is a method for uniformly identifying assets of an industrial control system, and comprises the steps of firstly adopting a plurality of industrial control protocols to pre-scan all nodes in the industrial control system, and sending messages to all IPs and ports thereof until all IPs and all ports are traversed; acquiring a live IP and a live port thereof; analyzing the received alive IP and the port information of the alive port thereof, respectively sending an industrial protocol detection message and TCP and UDP protocol detection messages aiming at the assets and the used protocol types, and reading asset information such as asset basic information, manufacturer information, hardware specification, software information and the like; when the asset information is read successfully, identifying the assets corresponding to the survival ports as the survival assets; therefore, the method can detect more industrial control assets by combining a plurality of protocol scanning modes, has wider detection range, can simultaneously finish the unified identification of all the assets in the industrial control system, is favorable for improving the identification rate of the assets, and has wider application range.
Second embodiment
Referring to fig. 2, on the basis of the foregoing embodiment, an embodiment of the present invention provides another industrial control asset detection and management method, which is different from the foregoing embodiment in that the method further includes:
step S201, performing survivability detection on the surviving port at intervals of first preset time to generate a first detection result; and if the first detection result indicates that the live port is disconnected, generating first alarm information.
Step S202, survivability detection is carried out on non-survival ports in a preset using network segment at intervals of second preset time, and a second detection result is generated; and if the second detection result indicates that the newly accessed industrial control assets exist, sending a detection message to the newly accessed industrial control assets, and reading the asset information of the newly accessed industrial control assets.
In an alternative embodiment, the step S201 includes:
1) sending a port request to a survival port every first preset time;
Specifically, port requests are sent to the live IPs in batches at the first preset time interval, and whether each live IP and live port is still alive or has disconnected is judged by whether response information is received (or by the information received). Sending in batches avoids disturbing the normal operation of the industrial control system's internal services and prevents resource consumption from adversely affecting the industrial control system.
2) If no response is received from the live port, determine that the live port is disconnected, namely the first detection result indicates disconnection, and generate first alarm information;
3) If an industrial control system asset topological graph has already been drawn and is displayed on the visual interface, show the prompt on that topological graph.
In an alternative embodiment, this step S202 is implemented by:
(1) performing survivability detection on the non-survival ports in the preset using network segment every second preset time;
Specifically, the non-live ports in the network segment in use are scanned in batches at the second preset time interval, and whether a new asset has been connected is judged by whether a response is received (or by the information received).
(2) If a response is received from a non-live port, determine that a newly accessed asset exists and treat the newly accessed industrial control asset as an abnormal-access asset; send a detection message to the IP of the newly accessed asset and read the asset information of the newly accessed asset (namely the newly accessed industrial control asset); the asset information includes asset basic information, manufacturer information, hardware specifications, software information, and the like.
(3) If the asset information is read successfully, generate second alarm information based on the asset information of the newly accessed industrial control asset;
(4) If an industrial control system asset topological graph has already been drawn and is displayed on the visual interface, show the alarm prompt on that topological graph.
Through steps S201-S202, the method performs liveness detection on the assets of the industrial control system, raises an alarm for any IP (asset) that has disconnected and prompts on the visual interface, and raises an alarm for any newly accessed IP (asset) and prompts on the visual interface.
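The two periodic checks of steps S201 and S202, as an added example that is not code from the patent. The probe and the asset-information reader are injected as callables so the logic runs offline on constructed data; `LivenessMonitor`, the batch size, the pause hook and the choice to alarm only when an endpoint changes state are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP, port)


@dataclass(frozen=True)
class Alarm:
    kind: str        # "first": live port disconnected; "second": abnormal access
    endpoint: Endpoint
    detail: str


def in_batches(items: Iterable[Endpoint], size: int) -> Iterator[List[Endpoint]]:
    """Yield the endpoints in groups of at most `size`."""
    batch: List[Endpoint] = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


class LivenessMonitor:
    def __init__(self, live: Iterable[Endpoint], segment: Iterable[Endpoint],
                 probe: Callable[[Endpoint], bool],
                 read_info: Callable[[Endpoint], Optional[dict]],
                 batch_size: int = 4, pause: Callable[[], None] = lambda: None):
        self.live: Set[Endpoint] = set(live)        # from the asset library
        self.segment: Set[Endpoint] = set(segment)  # network segment in use
        self.probe, self.read_info = probe, read_info
        self.batch_size, self.pause = batch_size, pause
        self.down: Set[Endpoint] = set()
        self.abnormal: Dict[Endpoint, Optional[dict]] = {}

    def _sweep(self, endpoints: Iterable[Endpoint]) -> Dict[Endpoint, bool]:
        """Probe in batches, pausing after each batch so that the checks do
        not compete with the control system's own traffic."""
        results = {}
        for batch in in_batches(sorted(endpoints), self.batch_size):
            for endpoint in batch:
                results[endpoint] = self.probe(endpoint)
            self.pause()
        return results

    def check_live(self) -> List[Alarm]:
        """S201: a known live port that stops answering raises a first alarm
        (once per outage, which is a choice made in this sketch)."""
        alarms = []
        for endpoint, up in self._sweep(self.live).items():
            if up:
                self.down.discard(endpoint)
            elif endpoint not in self.down:
                self.down.add(endpoint)
                alarms.append(Alarm("first", endpoint, "live port disconnected"))
        return alarms

    def check_new(self) -> List[Alarm]:
        """S202: a non-live port that answers is an abnormal access; the
        second alarm is raised only if its asset information can be read."""
        alarms = []
        candidates = self.segment - self.live - set(self.abnormal)
        for endpoint, up in self._sweep(candidates).items():
            if not up:
                continue
            info = self.read_info(endpoint)
            self.abnormal[endpoint] = info
            if info is not None:
                alarms.append(Alarm("second", endpoint, "abnormal access: %s" % info))
        return alarms


# Constructed sample data (documentation range 192.0.2.0/24).
KNOWN_LIVE = {("192.0.2.10", 502), ("192.0.2.11", 102)}
SEGMENT = {("192.0.2.%d" % h, p) for h in range(10, 14) for p in (102, 502)}
RESPONDING = {("192.0.2.10", 502): None,
              ("192.0.2.13", 502): {"vendor": "ExampleVendor", "model": "EX-100"}}


def run_cycle():
    """Run one S201 pass and one S202 pass against the constructed network."""
    pauses = []
    monitor = LivenessMonitor(KNOWN_LIVE, SEGMENT,
                              probe=lambda ep: ep in RESPONDING,
                              read_info=lambda ep: RESPONDING.get(ep),
                              batch_size=3, pause=lambda: pauses.append(1))
    return monitor.check_live(), monitor.check_new(), len(pauses), monitor


if __name__ == "__main__":
    first, second, pause_count, _ = run_cycle()
    print(first, second, pause_count, sep="\n")
```

In a deployment `pause` would sleep between batches and the two checks would be scheduled at the first and second preset intervals.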
In an alternative embodiment, the method further comprises:
and step S203, generating an industrial control system asset topological graph based on the industrial control assets determined as the survival assets.
And S204, displaying the asset topological graph of the industrial control system through a visual interface.
Step S203 can be executed by the following steps:
a. Add the corresponding asset icon (namely a live icon) for each live asset to the topology canvas according to a preset strategy;
the preset strategy comprises a preset table of correspondences between asset type, name and icon.
Specifically, the asset type, name and icon are preset, and the corresponding asset icon is matched with the surviving asset; dragging an asset icon corresponding to the asset IP to a topological canvas in a dragging mode on a provided topological drawing interface to generate an industrial control system asset topological graph; for example, drag the asset icon corresponding to the live asset IP onto the topology canvas.
It should be noted that, the topology canvas is provided with a basic network connection line as a supplement to the drawing of the topology map; in addition, the drawn topological graph supports operations such as storage, modification, deletion and the like, that is, the method may further include: and receiving an operation instruction of a user, and executing an action corresponding to the operation instruction.
In an alternative embodiment, the step S204 includes:
1. If a disconnection is found during liveness detection, the asset changes color in the topology graph and the disconnection is indicated.
2. If an abnormal-access asset exists, the accessed asset node changes color, and the abnormal access and the accessed asset are indicated.
3. In response to the user hovering within a preset distance range, display the asset information and live status of the nearest asset within that range;
that is, when the user's mouse hovers over an asset, its asset information and live status are displayed.
4. In response to a click by the user, jump to the asset detail interface to display the asset that was clicked.
That is, when the user clicks an asset with the mouse, the display jumps to the asset detail interface.
The industrial control asset detection and management method provided by the embodiment of the invention is a method for uniform asset identification, asset survivability detection, centralized asset classification management and visual display of diversified assets in an industrial control system, not only can be used for uniformly identifying all assets in the industrial control system, but also can be used for detecting the survivability of all assets in the industrial control system and providing a uniform survivability detection mechanism; and on the other hand, the complete set of asset detection, survival detection and topology drawing is realized.
Third embodiment
Referring to fig. 3, an embodiment of the present invention provides an industrial control asset detection and management apparatus 300, where the industrial control asset includes a device asset and a network asset; the industrial control asset detection and management device 300 includes: an acquisition module 301, a detection module 302 and a determination module 303;
the acquiring module 301 is configured to perform full-port pre-scanning on the industrial control system by using a first communication protocol and a second communication protocol, respectively, to acquire a surviving port; the first communication protocol is a network-based transmission protocol, and the second communication protocol is a PLC-based industrial protocol;
a detection module 302, configured to send a first detection message and a second detection message to the surviving port, respectively, so as to read asset information of the industrial control asset corresponding to the surviving port; the first detection message is a message of the first communication protocol, and the second detection message is a message related to the second communication protocol;
and the determining module 303 is configured to determine the industrial control asset corresponding to the surviving port as a surviving asset if the asset information is successfully read.
Optionally, the apparatus further includes a storage labeling module 304, configured to add label information to the industrial control assets determined as the surviving assets, and/or to record the industrial control assets determined as the surviving assets into an asset library.
Optionally, the apparatus further comprises a query module 305 for receiving a query field input by a user; if the query field includes at least one tag in the tag information, outputting asset information for the surviving asset associated with the tag information to an asset query interface.
Optionally, the probing module 302 is further configured to perform survivability probing on the surviving port at intervals of a first preset time, and generate a first probing result; and if the first probing result indicates that the surviving port is disconnected, generate first alarm information.
Optionally, the probing module 302 is further configured to perform survivability probing on the non-surviving ports in the preset network segment in use at intervals of a second preset time, so as to generate a second probing result; and if the second probing result indicates that newly accessed industrial control assets exist, send a detection message to the newly accessed industrial control assets and read the asset information of the newly accessed industrial control assets.
Optionally, the apparatus may further include a drawing and displaying module, configured to generate an industrial control system asset topology map based on the industrial control assets determined as the surviving assets.
Optionally, the drawing and displaying module is further configured to display the asset topological graph of the industrial control system through a visual interface.
The industrial control asset detection and management device provided by the embodiment of the invention provides an integrated platform for asset detection, survival detection and topology drawing, can form a productized system for network operation and maintenance personnel, and can accurately acquire asset state and abnormal access conditions for asset management in an industrial control system.
The industrial control asset detection and management device provided by the embodiment of the invention has the same technical characteristics as the industrial control asset detection and management method provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
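The two periodic probe cycles and the tag query described for the detection module 302, the storage labeling module 304 and the query module 305 can be sketched as an asset-library reconciliation step. This is an added example, not code from the patent: the class and event names, the sample addresses (documentation range 192.0.2.0/24) and the RECOVERED and IDENTITY_CHANGED cases are assumptions, and the probing itself is replaced by constructed results.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)
InfoReader = Callable[[Endpoint], Optional[Dict[str, str]]]


@dataclass
class Asset:
    endpoint: Endpoint
    info: Dict[str, str]
    tags: Set[str] = field(default_factory=set)
    alive: bool = True


@dataclass(frozen=True)
class Event:
    kind: str  # DROP_ALARM, NEW_ASSET, RECOVERED or IDENTITY_CHANGED (names assumed)
    endpoint: Endpoint


class AssetLibrary:
    """Hypothetical asset library updated by the two periodic probe cycles."""

    def __init__(self, read_info: InfoReader):
        self._read_info = read_info  # stands in for sending the detection messages
        self.assets: Dict[Endpoint, Asset] = {}

    def record(self, ep: Endpoint, info: Dict[str, str], tags: Iterable[str] = ()) -> None:
        self.assets[ep] = Asset(ep, dict(info), {t.lower() for t in tags})

    def check_surviving(self, probe: Dict[Endpoint, bool]) -> List[Event]:
        """First cycle: re-probe ports recorded as surviving, alarm on a drop."""
        events = []
        for ep, asset in self.assets.items():
            # A missing key means "not probed this cycle", which is not a drop.
            if asset.alive and probe.get(ep) is False:
                asset.alive = False
                events.append(Event("DROP_ALARM", ep))
        return events

    def check_segment(self, responders: Iterable[Endpoint]) -> List[Event]:
        """Second cycle: non-surviving ports in the segment that now answer."""
        events = []
        for ep in sorted(set(responders)):
            known = self.assets.get(ep)
            if known is not None and known.alive:
                continue  # already surviving, handled by the first cycle
            info = self._read_info(ep)
            if info is None:
                continue  # port answers but asset information cannot be read
            if known is None:
                self.assets[ep] = Asset(ep, dict(info), {"unreviewed"})
                events.append(Event("NEW_ASSET", ep))
            elif info == known.info:
                known.alive = True
                events.append(Event("RECOVERED", ep))
            else:  # same address now reports different asset information
                self.assets[ep] = Asset(ep, dict(info), {"unreviewed"})
                events.append(Event("IDENTITY_CHANGED", ep))
        return events

    def query(self, query_field: str) -> List[Asset]:
        """Surviving assets carrying at least one tag named in the query field."""
        wanted = {word.lower() for word in query_field.split()}
        return [a for a in self.assets.values() if a.alive and wanted & a.tags]


def demo() -> Tuple[AssetLibrary, List[str]]:
    # Constructed sample data: what each endpoint would return when read.
    readable = {
        ("192.0.2.10", 502): {"vendor": "ExampleVendor", "model": "PLC-A"},
        ("192.0.2.11", 102): {"vendor": "ExampleVendor", "model": "PLC-C"},
        ("192.0.2.30", 502): {"vendor": "OtherVendor", "model": "RTU-1"},
    }
    lib = AssetLibrary(readable.get)
    lib.record(("192.0.2.10", 502), readable[("192.0.2.10", 502)], ["plc", "line1"])
    lib.record(("192.0.2.11", 102), {"vendor": "ExampleVendor", "model": "PLC-B"}, ["plc"])
    # Cycle 1: both recorded ports stop answering.
    log = lib.check_surviving({("192.0.2.10", 502): False, ("192.0.2.11", 102): False})
    # Cycle 2: four endpoints answer; 192.0.2.40:80 yields no asset information.
    log += lib.check_segment([("192.0.2.30", 502), ("192.0.2.10", 502),
                              ("192.0.2.11", 102), ("192.0.2.40", 80)])
    return lib, [f"{e.kind} {e.endpoint[0]}:{e.endpoint[1]}" for e in log]


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The IDENTITY_CHANGED case drops the old tags and marks the entry "unreviewed", so a device that reappears at a known address with different asset information is not silently trusted under its predecessor's labels.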
Fourth embodiment
Referring to fig. 4, an embodiment of the present invention further provides an electronic device 100, including:
a processor 41, a memory 42, and a bus 43; the memory 42 is used for storing execution instructions and includes an internal memory 421 and an external memory 422; the internal memory 421 temporarily stores operation data of the processor 41 and data exchanged with the external memory 422, such as a hard disk, and the processor 41 exchanges data with the external memory 422 via the internal memory 421.
In a possible implementation, the electronic device 100 may be an industrial control asset detection and management device, and when the electronic device 100 is running, the processor 41 communicates with the memory 42 through the bus 43, so that the processor 41 executes the following instructions in a user mode: carrying out full-port pre-scanning on the industrial control system by adopting a first communication protocol and a second communication protocol respectively to obtain a surviving port; the first communication protocol is a network-based transmission protocol, and the second communication protocol is a PLC-based industrial protocol; for the surviving port, respectively sending a first detection message and a second detection message to read asset information of the industrial control asset corresponding to the surviving port; the first detection message is a message of the first communication protocol, and the second detection message is a message related to the second communication protocol; and if the asset information is successfully read, determining the industrial control asset corresponding to the surviving port as a surviving asset.
Optionally, the instructions executed by the processor 41 further include: adding label information to the industrial control assets determined as the survival assets; and/or recording the industrial control assets determined as the survival assets into an asset library.
Optionally, the instructions executed by the processor 41 further include: receiving a query field input by a user; if the query field includes at least one tag in the tag information, outputting asset information for the surviving asset associated with the tag information to an asset query interface.
Optionally, the instructions executed by the processor 41 further include: performing survivability detection on the surviving port every first preset time interval to generate a first detection result; and if the first detection result indicates that the live port is disconnected, generating first alarm information.
Optionally, the instructions executed by the processor 41 further include: performing survivability detection on the non-surviving ports in the preset network segment in use at intervals of a second preset time to generate a second detection result; and if the second detection result indicates that newly accessed industrial control assets exist, sending a detection message to the newly accessed industrial control assets, and reading the asset information of the newly accessed industrial control assets.
Optionally, the instructions executed by the processor 41 further include: generating an industrial control system asset topological graph based on the industrial control assets determined as the surviving assets.
Optionally, the instructions executed by the processor 41 further include: and displaying the asset topological graph of the industrial control system through a visual interface.
The embodiment of the application further provides a computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the industrial control asset detection and management method provided by the embodiment are executed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative and, for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, each functional module or unit in each embodiment of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a smart phone, a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.

Claims (10)

1. The industrial control asset detection and management method is characterized in that the industrial control asset comprises equipment assets and network assets; the method comprises the following steps:
carrying out full-port pre-scanning on the industrial control system by adopting a first communication protocol and a second communication protocol respectively to obtain a survival port; the first communication protocol is a network-based transmission protocol, and the second communication protocol is a PLC-based industrial protocol;
for the surviving port, respectively sending a first detection message and a second detection message to read asset information of the industrial control asset corresponding to the surviving port; the first detection message is a message of the first communication protocol, and the second detection message is a message related to the second communication protocol;
and if the asset information is successfully read, determining the industrial control asset corresponding to the survival port as the survival asset.
2. The method of claim 1, further comprising:
adding label information to the industrial control assets determined as the survival assets;
and/or;
and recording the industrial control assets determined as the survival assets into an asset library.
3. The method of claim 2, further comprising:
receiving a query field input by a user;
if the query field includes at least one tag in the tag information, outputting asset information for the surviving asset associated with the tag information to an asset query interface.
4. The method of claim 1, further comprising:
performing survivability detection on the surviving port every first preset time interval to generate a first detection result;
and if the first detection result indicates that the live port is disconnected, generating first alarm information.
5. The method of claim 1, further comprising:
performing survivability detection on the non-surviving ports in the preset network segment in use at intervals of a second preset time to generate a second detection result;
and if the second detection result indicates that the newly accessed industrial control assets exist, sending a detection message to the newly accessed industrial control assets, and reading the asset information of the newly accessed industrial control assets.
6. The method of claim 1, further comprising:
generating an industrial control system asset topological graph based on the industrial control assets determined as the surviving assets.
7. The method of claim 6, further comprising:
and displaying the asset topological graph of the industrial control system through a visual interface.
8. The industrial control asset detection and management device is characterized in that the industrial control asset comprises equipment assets and network assets; the device comprises:
the acquisition module is used for carrying out full-port pre-scanning on the industrial control system by adopting a first communication protocol and a second communication protocol respectively to acquire a survival port; the first communication protocol is a network-based transmission protocol, and the second communication protocol is a PLC-based industrial protocol;
the detection module is used for respectively sending a first detection message and a second detection message to the survival port so as to read the asset information of the industrial control asset corresponding to the survival port; the first detection message is a message of the first communication protocol, and the second detection message is a message related to the second communication protocol;
and the determining module is used for determining the industrial control assets corresponding to the survival ports as the survival assets if the asset information is successfully read.
9. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor to perform the method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.
CN201910982177.9A 2019-10-16 2019-10-16 Industrial control asset detection and management method and device and electronic equipment Pending CN110635971A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910982177.9A CN110635971A (en) 2019-10-16 2019-10-16 Industrial control asset detection and management method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN110635971A true CN110635971A (en) 2019-12-31

Family

ID=68975128

Country Status (1)

Country Link
CN (1) CN110635971A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191231