CN111385253A - Vulnerability detection system for network security of power distribution automation system - Google Patents


Info

Publication number: CN111385253A
Authority: CN (China)
Prior art keywords: script, test, task, vulnerability, module
Legal status: Granted
Application number: CN201811623895.9A
Other languages: Chinese (zh)
Other versions: CN111385253B (en)
Inventors: 李二霞, 何连杰, 李玉凌, 亢超群, 常方圆, 孙智涛, 许保平, 樊勇华
Current assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; State Grid Shandong Electric Power Co Ltd
Original assignee: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; State Grid Shandong Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI, Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd, State Grid Shandong Electric Power Co Ltd
Priority to CN201811623895.9A
Publication of CN111385253A
Application granted
Publication of CN111385253B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/12 Applying verification of the received information
          • H04L 63/123 Applying verification of the received information received data contents, e.g. message integrity
        • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            • H04L 63/1416 Event detection, e.g. attack signature detection
          • H04L 63/1433 Vulnerability analysis
          • H04L 63/1441 Countermeasures against malicious traffic
            • H04L 63/1458 Denial of Service
      • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS > Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
      • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
        • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a vulnerability detection system for the network security of a power distribution automation system, comprising a vulnerability scanning system and a configuration management module; the vulnerability scanning system is communicatively connected to the configuration management module in order to issue tasks and return results. The invention adopts a plug-in-based vulnerability library feature matching mode, and the detection system also has a powerful autonomous industrial control vulnerability library; it achieves non-destructive vulnerability detection with no attack behaviour during the detection process, and can comprehensively scan the master station server, application software, network equipment, power distribution terminals, protocol security and the like, on the premise that normal operation of field services is not affected.

Description

Vulnerability detection system for network security of power distribution automation system
[ technical field ]
The invention belongs to the technical field of network security of power distribution automation systems, and in particular relates to a vulnerability detection system for the network security of a power distribution automation system.
[ background of the invention ]
In recent years, power grid security incidents have occurred frequently abroad, causing large-area blackouts, great economic losses and enormous social harm. Because of system vulnerabilities, an attacker can, without authorization, exploit existing vulnerabilities to severely affect a computer's hardware and software, its application services and even the entire network. The operating condition of the distribution automation system directly affects the reliability of supply to users, yet there is currently no detection method or means of judgement for whether high-risk vulnerabilities exist in distribution automation equipment, so equipment such as distribution master station servers and distribution terminals operates with latent defects, posing hidden dangers to the stable operation of the distribution automation system. Some detection means for Internet system vulnerabilities exist at home and abroad; they can detect vulnerabilities of general IT equipment well, but they are not specific to industrial control systems such as distribution automation systems and have no capability to detect some industrial control system vulnerabilities. For example, industrial control systems use many specific protocols, and in order to meet the real-time requirements of industrial control communication, the initial designs often ignored functions that were not considered necessary at the time, such as confidentiality and authenticability of protocol communication. However, as industrial control systems become ever more closely linked with information networks, vulnerabilities of industrial control protocols are easily exploited by attackers.
Meanwhile, the power distribution automation system runs online for long periods, and the scanning process of existing vulnerability checking equipment can disturb its stable operation, causing large-area line drops or power failures of in-service equipment. Therefore a new vulnerability detection system for the network security of the power distribution automation system is needed, one that adopts a plug-in-based vulnerability library feature matching mode and also has a powerful autonomous industrial control vulnerability library; it achieves non-destructive vulnerability detection with no attack behaviour during the detection process, and can comprehensively scan the master station server, application software, network equipment, power distribution terminals, protocol security and the like, on the premise that normal operation of field services is not affected.
[ summary of the invention ]
In order to solve the above problems of the prior art, the present invention provides a vulnerability detection system for the network security of a power distribution automation system, which includes a vulnerability scanning system and a configuration management module; the vulnerability scanning system is communicatively connected to the configuration management module in order to issue tasks and return results;
the vulnerability scanning system comprises a task analyzer, a script engine and a vulnerability scanning test script library, wherein: the task analyzer is used to analyze the tasks issued by the configuration management module, and the script engine is used to load the test scripts that must be executed to complete the issued task, to parse and execute those test scripts, and to return their execution results to the configuration management module; the vulnerability scanning test scripts are stored in the test script library;
the configuration management module is used to issue test tasks and to receive the test results returned by the vulnerability scanning system.
Further, the task analyzer is configured to analyze a task issued by the configuration management module; specifically, this comprises the following steps: the task is issued in command form, where the command comprises a task name, task details and a task data address; when the task data is received, the task details are analyzed, the task data is acquired based on the analysis result, and a new test process is created for task processing.
Further, acquiring the task data and creating a new test process for task processing based on the analysis result specifically comprises: analyzing the task details to obtain the task type; when the task type is a script execution type, obtaining the task data address, obtaining the script name and parameter information from the task data address, creating a new test process based on the script name and parameter information, and copying the script name and parameter information into the process storage space of the new test process.
Further, the script engine comprises a script scheduling module, a script execution module and a knowledge base.
Further, the script scheduling module selects the test script to be executed, and the script execution module executes the selected test script.
Further, the script scheduling module is used to read the test scripts and complete the initialization and serialization of script calls; the script scheduling module comprises a script loading module and a script organizing module.
Further, the loading module is used to load the corresponding test script according to the script name and parameter information to be executed and to initialize it; specifically: all test scripts are loaded and stored in a global variable linked list that contains all the information of the script engine during its start-up, running and termination; preferably, the global variable linked list is stored in the process space of the test process, and when control is handed over from the task analyzer to the script engine, data exchange and storage are carried out through that process.
Further, the organizing module is used to determine the execution sequence of the scripts according to each script's scheduling policy and the relevant scheduling information stored in the knowledge base, and to interpret and execute the test scripts in that sequence.
Further, the organizing module obtains and determines a preliminary execution sequence according to the scripts' scheduling policies, adjusts the preliminary execution sequence using the relevant scheduling information stored in the knowledge base to obtain the execution sequence of the scripts, and interprets and executes the test scripts based on that execution sequence.
Further, each test script has a corresponding scheduling policy, and the scheduling policy is set by the configuration management module.
The beneficial effects of the invention include: a plug-in-based vulnerability library feature matching mode is adopted, and the detection system also has a powerful autonomous industrial control vulnerability library; it achieves non-destructive vulnerability detection with no attack behaviour during the detection process, and can comprehensively scan the master station server, application software, network equipment, power distribution terminals, protocol security and the like, on the premise that normal operation of field services is not affected.
[ description of the drawings ]
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, are not to be considered limiting of the invention; in the drawings:
Fig. 1 is a schematic diagram of the vulnerability detection system of the present invention.
Fig. 2 is a schematic diagram of the structure of the script execution module of the present invention.
Fig. 3 is a schematic diagram of the vulnerability scanning policies of the present invention.
Fig. 4 is a schematic diagram of the protocol authentication test method of the present invention.
Fig. 5 is a schematic diagram of the protocol encryption test method of the present invention.
Fig. 6 is a schematic diagram of a vulnerability detection result of the present invention.
[ detailed description ]
The present invention will now be described in detail with reference to the drawings and specific embodiments; the exemplary embodiments and descriptions are provided only to illustrate the invention and are not to be construed as limiting it.
As shown in Fig. 1, the vulnerability detection system for the network security of a power distribution automation system to which the present invention applies is explained in detail;
the vulnerability detection system comprises a vulnerability scanning system and a configuration management module;
the vulnerability scanning system is communicatively connected to the configuration management module in order to issue tasks and return results;
the vulnerability scanning system comprises a task analyzer, a script engine and a vulnerability scanning test script library, wherein: the task analyzer is used to analyze the tasks issued by the configuration management module, and the script engine is used to load the test scripts that must be executed to complete the issued task, to parse and execute those test scripts, and to return their execution results to the configuration management module;
the task analyzer is used to analyze the tasks issued by the configuration management module; specifically: the task is issued in command form, the command comprising a task name, task details, a task data address and the like; when the task data is received, the task details are analyzed, the task data is acquired based on the analysis result and a new test process is created for task processing;
the configuration management module is used to issue test tasks and receive the test results returned by the vulnerability scanning system; a test task comprises the script name and parameter information required by the test, and also a task name, task details and a task data address; when task data is received the task details are analyzed; the module is also used to configure a scheduling policy for any required test script that has none, and that scheduling policy may be an initial default scheduling policy;
acquiring the task data based on the analysis result and creating a new test process for task processing is specifically as follows: the task details are analyzed to obtain the task type; when the task type is a script execution type, the task data address is obtained, the script name and parameter information are obtained from the task data address, a new test process is created based on the script name and parameter information, and the script name and parameter information are copied into the process storage space of the new test process; data is thus passed through the process body itself, no storage space is shared between the task analyzer and the script engine, and the possibility of data contamination is avoided;
the task details comprise the task type, and tasks can be divided into several types, of which the main ones are:
CREQ_ATTACHED_FILE: the received content is a file, and the received file is stored;
CREQ_LONG_ATTACK: a script execution command is received, and the specified script (selected by policy configuration) is invoked to perform packet-sending detection against the configured target;
CREQ_PAUSE_WHOLE_TEST: a SIGUSR1 signal is sent to all test processes to suspend all tests;
CREQ_PLUGIN_INFO: the test script information for a specified OID value is acquired;
CREQ_PREFERENCES: the parameter information of the scanning engine is acquired;
CREQ_RESUME_WHOLE_TEST: a SIGUSR2 signal is sent to all test processes to resume the suspended tests;
CREQ_STOP_ATTACK: a SIGTERM signal is sent to the test process of a specified host to end that scanning process;
CREQ_STOP_WHOLE_TEST: SIGTERM signals are sent to the test processes of all hosts, ending all scanning processes;
CREQ_NVT_INFO: NVT script library information is acquired;
CREQ_UNKNOWN: the default type, meaning the received task is non-compliant or cannot be parsed; the task request is not processed;
the script engine comprises a script scheduling module, a script execution module and a knowledge base; the script scheduling module selects the test script to be executed, and the script execution module executes the selected test script;
the script scheduling module is used to read the test scripts and complete the initialization and serialization of script calls; it comprises a script loading module and a script organizing module;
the loading module is used to load the corresponding test script according to the script name and parameter information to be executed and to initialize it; specifically: all test scripts are loaded and stored in a global variable linked list that contains all the information of the script engine during its start-up, running and termination; preferably, the global variable linked list is stored in the process space of the test process, and when control is handed over from the task analyzer to the script engine, data exchange and storage are carried out through that process;
the organizing module is used to determine the execution sequence of the scripts according to each script's scheduling policy and the relevant scheduling information stored in the knowledge base, and to interpret and execute the test scripts in that sequence; specifically, the organizing module obtains and determines a preliminary execution sequence according to the scripts' scheduling policies, adjusts the preliminary execution sequence using the relevant scheduling information stored in the knowledge base to obtain the execution sequence of the scripts, and interprets and executes the test scripts based on that execution sequence;
preferably, each test script has a corresponding scheduling policy, set by the configuration management module; the scheduling policy comprises the script's running state, policy code, priority, timeout, TCP port, UDP port, the node identifiers required in the global variable linked list, the node identifiers mandatorily required in the global variable linked list, and the like;
the organizing module obtains and determines a preliminary execution sequence according to the scripts' scheduling policies, specifically as follows: the organizing module obtains all test scripts, obtains the policy type of each test script's scheduling policy, and obtains the corresponding priority from that policy type; a preliminary execution sequence is then determined from the priority and the policy code; the following table compares the policy types and their priorities;
Table 1: Policy types and their priorities [table provided as an image in the original; contents not reproduced]
Determining the preliminary execution sequence from the priority and the policy code specifically comprises: the script policies are sorted by priority, a higher priority placing the script earlier in the execution sequence and vice versa; if two test scripts have the same priority, they are ordered by policy code, a smaller policy code value placing the script earlier;
Adjusting the preliminary execution sequence using the relevant scheduling information stored in the knowledge base to obtain the execution sequence specifically comprises: adjusting the preliminary execution sequence based on the dependency relationships among the test scripts to obtain the execution sequence;
Adjusting the preliminary execution sequence based on the dependency relationships among the test scripts specifically comprises: when the order of two test scripts in the preliminary execution sequence violates the ordering requirement between them, the order of those two test scripts is adjusted so that the requirement is met; the sequence that meets all ordering requirements is taken as the execution sequence;
Interpreting and executing the test scripts based on the execution sequence specifically comprises: predicting, from the execution environment of the script engine, whether the running requirements of the test script about to be executed can be met; if so, the test script continues to execute; otherwise, post-processing is applied to that script within the execution sequence. The most direct and effective way to optimize script scheduling is to identify, without starting the script, the scenarios in which running it is unnecessary. For example, if a script needs to establish a connection to port 123/TCP of the remote host and it is already known that this port is closed, there is no need to run the script. The relevant information is maintained in the knowledge base and used to determine the script's scheduling policy;
Post-processing of a script in the execution sequence specifically comprises: placing the script in a waiting queue separate from the execution sequence queue, regularly checking the execution environment, waking the test script when the execution environment can meet its running requirements, and placing it at the first position in the execution sequence;
preferably, the running requirements of a test script are acquired by querying the knowledge base and the scheduling policy corresponding to the test script, and execution environment information is acquired by querying the global variable linked list;
preferably, the script engine acquires the test scripts and their parameter information needed to complete the test task from the process space;
the system loads all scripts and stores them in an arglist structure, which is the global variable linked list containing all information of the engine during start-up, running and termination, including start-up configuration, script interpretation and execution, returned information and the like; the data structure of a node comprises a node name, a node type (the type of the stored information), a node value (the content of the stored information), a node length, the address of the next node, a node number (computed with a hash algorithm) and the like; each kind of information the script engine needs, such as script information and target host information, is held in its own linked list, and these linked lists are attached to the global variable linked list; an empty global variable linked list is initialized when the script engine starts and is filled in during operation; the script engine looks up the information it needs in the global variable linked list while running, and the information on each node is modified in real time as the script engine runs;
the script engine looks up the information it needs in the global variable linked list while running, specifically as follows: a summary table of the global variable linked list is kept in the script engine, and the script engine searches the global variable linked list through this summary table; the summary table stores the correspondence between node summary values, types and positions; the summary value is the key information of the node, such as commonly searched content and key values; after modifying the global variable linked list, the script engine must update the summary table in real time;
the knowledge base is used to store the test scripts and to exchange test script information; during the operation of the script engine, the information collected by script execution is stored in the knowledge base, which effectively avoids repeated scanning, reduces unnecessary waste of resources and improves efficiency;
the script knowledge base maintained by the script engine records useful information obtained after some scripts have run, such as the operating system type, open ports, services provided and logged-in accounts; the knowledge base allows information to be exchanged between scripts, providing a basis for running some scripts and at the same time simplifying script code: information on which a script depends at run time, such as the system environment and port states, need not be written into the test script; during actual execution, the test script acts appropriately on the system environment, port states and other information it depends on by querying the knowledge base, for example querying script-related information by script type; during maintenance of the script engine, the knowledge base is filled automatically from commonalities among the scripts; after the script engine finishes executing a script, the knowledge base is filled from the information produced during execution;
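The scheduling procedure described above (priority ordering, policy-code tie-break, dependency adjustment, the wait queue, and the knowledge-base check that avoids running a script whose target port is already known to be closed), as an added Python example; this is not the patent's own code. The `Ports/tcp/<port>` and `Host/OS` knowledge-base keys, the script names and the simulated script results are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class SchedulingPolicy:
    """Subset of the per-script scheduling policy described in the patent."""
    policy_code: int                  # tie-breaker: lower code runs earlier
    priority: int                     # higher priority runs earlier
    tcp_port: Optional[int] = None    # remote TCP port the script must reach
    required_kb: Set[str] = field(default_factory=set)  # KB keys that must exist

@dataclass
class TestScript:
    name: str
    policy: SchedulingPolicy
    after: Set[str] = field(default_factory=set)  # scripts that must run before this one

def preliminary_order(scripts: List[TestScript]) -> List[TestScript]:
    """Sort by priority (descending), then by policy code (ascending)."""
    return sorted(scripts, key=lambda s: (-s.policy.priority, s.policy.policy_code))

def apply_dependencies(order: List[TestScript]) -> List[TestScript]:
    """Repeatedly take the earliest script whose prerequisites are already placed,
    so only pairs that violate an ordering requirement change position."""
    placed: Set[str] = set()
    result: List[TestScript] = []
    remaining = list(order)
    while remaining:
        for script in remaining:
            if script.after <= placed:
                remaining.remove(script)
                result.append(script)
                placed.add(script.name)
                break
        else:
            raise ValueError("dependency cycle among " + ", ".join(s.name for s in remaining))
    return result

def environment_check(script: TestScript, kb: Dict[str, object]) -> str:
    """Decide from the knowledge base whether a script can run now.
    Port state is kept under constructed keys of the form 'Ports/tcp/<port>'."""
    if script.policy.tcp_port is not None:
        key = f"Ports/tcp/{script.policy.tcp_port}"
        if kb.get(key) is False:
            return "skip"      # port known closed: running the script is pointless
        if key not in kb:
            return "wait"      # port state unknown: wait for the port scanner
    if not script.policy.required_kb.issubset(kb):
        return "wait"
    return "run"

def schedule_and_run(scripts: List[TestScript], kb: Dict[str, object],
                     execute: Callable[[TestScript, Dict[str, object]], None]
                     ) -> Tuple[List[str], List[str], List[str]]:
    """Returns (executed, skipped, still_waiting) script names in order."""
    queue = apply_dependencies(preliminary_order(scripts))
    waiting: List[TestScript] = []
    executed: List[str] = []
    skipped: List[str] = []
    while queue:
        script = queue.pop(0)
        verdict = environment_check(script, kb)
        if verdict == "skip":
            skipped.append(script.name)
            continue
        if verdict == "wait":
            waiting.append(script)
            continue
        execute(script, kb)          # a real engine would interpret the NASL script here
        executed.append(script.name)
        # Re-check the wait queue after each run; woken scripts go to the head of the sequence.
        for w in list(waiting):
            if environment_check(w, kb) != "wait":
                waiting.remove(w)
                queue.insert(0, w)
    return executed, skipped, [w.name for w in waiting]

# Constructed sample: five scripts and the KB entries each one would produce.
SAMPLE_SCRIPTS = [
    TestScript("iec104_auth", SchedulingPolicy(policy_code=0, priority=10, tcp_port=2404)),
    TestScript("port_scan", SchedulingPolicy(policy_code=1, priority=10)),
    TestScript("http_banner", SchedulingPolicy(policy_code=2, priority=5, tcp_port=80,
                                               required_kb={"Host/OS"}), after={"os_fingerprint"}),
    TestScript("ntp_check", SchedulingPolicy(policy_code=3, priority=5, tcp_port=123)),
    TestScript("os_fingerprint", SchedulingPolicy(policy_code=9, priority=5)),
]
SIMULATED_RESULTS = {
    "port_scan": {"Ports/tcp/2404": True, "Ports/tcp/80": True, "Ports/tcp/123": False},
    "os_fingerprint": {"Host/OS": "embedded Linux"},
}

def simulated_execute(script: TestScript, kb: Dict[str, object]) -> None:
    """Stand-in for script interpretation: just publish the constructed results to the KB."""
    kb.update(SIMULATED_RESULTS.get(script.name, {}))

def demo() -> Tuple[List[str], List[str], List[str]]:
    return schedule_and_run(SAMPLE_SCRIPTS, {}, simulated_execute)

if __name__ == "__main__":
    print(demo())
```

In the sample run the high-priority `iec104_auth` script is parked in the wait queue until `port_scan` reports port 2404, then jumps to the head of the sequence, while `ntp_check` is dropped because the KB already records port 123 as closed.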
as shown in fig. 2: the script execution module is used for explaining and executing a specific test script; the script execution module comprises a script interpreter which analyzes and interprets the test script sentence by sentence according to the dynamic sequence of the sentences in the test script, and converts the script into internal functions and variables and executes the internal functions and variables by lexical analysis, syntax analysis and semantic analysis in combination with a symbol table and an error processing mechanism;
preferably: after the script is loaded and organized, the script engine calls a script execution module to execute a specific test script;
preferably: the lexical analysis is mainly used for dividing the NASL script into binary groups of types and values, separating single words and filling the words into a symbol table; the grammar analysis is to analyze the word chain table formed in the lexical analysis stage, identify complete sentences and verify the grammar integrity; during the process of executing the script, identifying various defined variables and filling the variables into a symbol table; the semantic analysis is used for analyzing each statement in the formed syntax tree in a syntax analysis stage and executing corresponding semantic action;
The vulnerability scanning test scripts are stored in the vulnerability scanning test script library. A vulnerability scanning test script is written in the NASL language (Nessus Attack Scripting Language) and consists of a vulnerability and script description part and a vulnerability test flow part.
The vulnerability and script description part describes the test script and the vulnerability: the vulnerability name, description, ID number, CVE number, BID (Bugtraq ID), CNVD number, CNNVD number, affected versions, remediation, threat level, family, related link addresses, required knowledge-base (KB) values, mandatory KB values, exclusion KB values, the script's scanning parameters, and so on.
The vulnerability test flow part is the logic for verifying the vulnerability, that is, the way the test packets are built and sent; it uses string handling, socket-related functions, file-operation functions and the like.
A vulnerability scanning test can select a scanning strategy suited to the operating state of the device under test, the scan schedule and so on; several scanning strategies are shown in Fig. 3.
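The knowledge-base mechanism described above (scripts reading their environment from the KB and writing results back), the required/exclusion KB values of the description part, and the two-stage ordering of the organization module (a preliminary sequence from the scheduling policy, adjusted with KB information) are brought together in the following added example. It is not the patent's code: `ScriptInfo`, the family-priority policy, the KB key names and the script bodies are all constructed; the bodies return what a real probe would record so that the example runs offline, and the required and mandatory KB values of the text are treated alike here.

```python
from dataclasses import dataclass
from typing import Callable

# Added example (not the patent's own code).  ScriptInfo stands in for the description part of a
# test script: the KB keys it needs, the keys that exclude it, and the keys it produces.  The
# engine orders scripts by a constructed family-priority policy, adjusts the order with the KB,
# gates each script on the KB, and writes each script's results back into the KB.
FAMILY_PRIORITY = {"discovery": 0, "service": 1, "vulnerability": 2}   # constructed policy

@dataclass
class ScriptInfo:
    name: str
    family: str
    run: Callable[[dict], dict]     # takes the KB, returns the KB entries it found
    require_keys: tuple = ()        # all must be present (the page's required/mandatory KB values)
    exclude_keys: tuple = ()        # any present means skip (the page's exclusion KB value)
    produces: tuple = ()            # keys this script fills in on success

def preliminary_order(scripts):
    """Scheduling policy: stable sort so discovery runs before service detection before vulnerability checks."""
    return sorted(scripts, key=lambda s: FAMILY_PRIORITY.get(s.family, len(FAMILY_PRIORITY)))

def adjust_with_kb(scripts, kb):
    """KB adjustment: a script whose required key is missing but produced by another script runs after that producer."""
    producer = {key: s for s in scripts for key in s.produces}
    ordered, placed = [], set()
    def place(script):
        if script.name in placed:
            return
        placed.add(script.name)     # mark before recursing so a dependency cycle terminates
        for key in script.require_keys:
            if key not in kb and key in producer:
                place(producer[key])
        ordered.append(script)
    for s in scripts:
        place(s)
    return ordered

def execute(scripts, kb):
    """Run the scripts in scheduled order; returns the final KB and a per-script report."""
    kb, report = dict(kb), []
    for s in adjust_with_kb(preliminary_order(scripts), kb):
        if any(k in kb for k in s.exclude_keys):
            report.append((s.name, "skipped: exclusion key present"))
            continue
        missing = [k for k in s.require_keys if k not in kb]
        if missing:
            report.append((s.name, f"skipped: missing {missing}"))
            continue
        found = s.run(kb)           # the script reads its environment from the KB ...
        kb.update(found)            # ... and its execution information is written back
        report.append((s.name, f"ran: {sorted(found)}"))
    return kb, report

# Constructed script bodies: they return what a real probe would record, without touching the network.
def detect_iec104(kb):
    return {"Services/iec104": 2404}

def no_auth_check(kb):
    return {"Vuln/iec104/no_auth": kb["Services/iec104"]}   # port taken from the KB, not hard-coded

def plaintext_check(kb):
    return {"Vuln/iec104/plaintext": kb["Services/iec104"]}

def modbus_check(kb):
    return {"Vuln/modbus/no_auth": kb["Services/modbus"]}

SCRIPTS = [   # deliberately listed out of dependency order
    ScriptInfo("iec104_no_auth", "vulnerability", no_auth_check,
               require_keys=("Services/iec104",), produces=("Vuln/iec104/no_auth",)),
    ScriptInfo("modbus_no_auth", "vulnerability", modbus_check, require_keys=("Services/modbus",)),
    ScriptInfo("iec104_plaintext", "vulnerability", plaintext_check,
               require_keys=("Services/iec104",), exclude_keys=("Services/iec104/tls",)),
    ScriptInfo("iec104_detect", "service", detect_iec104,
               require_keys=("Host/up",), produces=("Services/iec104",)),
]

def scan(initial_kb):
    return execute(SCRIPTS, initial_kb)

if __name__ == "__main__":
    kb, report = scan({"Host/up": 1, "Host/OS": "Linux"})
    for line in report:
        print(line)
```

With `Host/up` in the initial KB the detection script runs first, its `Services/iec104` entry unlocks the two IEC 104 checks, and the Modbus check is skipped because nothing produced `Services/modbus`; seeding `Services/iec104/tls` makes the plaintext check skip on its exclusion key.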
As to the concrete test strategy of a test script: the security protection scheme established earlier for power distribution automation systems supports one-way authentication based on asymmetric-key technology; a remote-control command issued by the master station must carry a digital signature based on the dispatch certificate, and the slave station or terminal must be able to verify the master station's signature, so that the master station's control and parameter-setting commands are authenticated and their integrity is checked. However, when a terminal comes on line the master station has no mechanism to authenticate it, so the master station cannot tell whether a terminal is genuine. Furthermore, the telemetry and telesignalling data exchanged between the master station and the terminal are transmitted in plaintext, which makes data leakage and tampering easy. For this situation, the authentication and encryption functions of the distribution protocol are tested by actively sending packets and by passively intercepting packets, which the detection system then analyzes. At present distribution master stations and terminals generally communicate with the IEC 60870-5-101/104 protocol, so protocol connection and communication packets are built from an analysis of the 101/104 protocol, the packets are actively sent to the target system under test, and whether the target performs effective authentication on them is judged from its response. If a connection and communication can be established with the target system using unauthenticated packets, the target system does not use an authentication mechanism.
In addition, the 101/104 protocol traffic is intercepted and deep packet analysis is carried out: packets to the specified target device IP and port (2404) are filtered out with tshark, and the 60870-5-104-Asdu component built into tshark is used to check whether the packets conform to the 101/104 protocol; if they do, the type identification and function code information is extracted from the packets, and if the extracted information conforms to the 101/104 standard protocol specification the protocol is judged to be unencrypted.
Next, the protocol security test method is analyzed in detail using the 104 protocol as the example. The 104 protocol security test performs a protocol security check on a distribution network system running the 104 protocol and has two parts: verifying whether 104 messages are authenticated and verifying whether 104 messages are encrypted.
The vulnerability detection method comprises the following steps:
Step S1: verify whether messages are authenticated, specifically by actively sending messages to a terminal already determined to run the protocol (as shown in Fig. 4);
Step S11: determine whether the terminal to be verified runs the specific protocol; if yes, go to the next step, otherwise go to step S1X;
Step S12: determine whether a link can be established with the terminal; if yes, go to the next step, otherwise go to step S16;
Step S13: send a protocol link-request test message; if the terminal returns a link-test success message, go to step S14, otherwise go to step S17;
Step S14: send a protocol general-interrogation test message; if the terminal returns a general-interrogation success message, go to step S15, otherwise go to step S18;
Step S15: conclude that the protocol is not authenticated;
Step S16: the protocol's authentication state cannot be tested while the connection is abnormal; go to step S1X;
Step S17: record that the link-request test failed, and go to step S14;
Step S18: record that the general-interrogation test failed, and go to step S19;
Step S19: conclude that the protocol is authenticated;
Step S1X: end;
Step S2: verify whether messages are encrypted, specifically by actively capturing and analyzing packets on the port of a terminal running the protocol (as shown in Fig. 5);
Step S21: determine whether the terminal runs the specific protocol; if yes, go to the next step, otherwise go to step S2X;
Step S22: capture the port's packets in real time;
Preferably, packets on port 2404 are captured with tshark;
Step S23: determine whether the captured packets contain data of the specific type; if yes, go to step S24, otherwise go to step S25;
Preferably, the specific type is IEC 60870-5-104 ASDU data (tshark's 60870-5-104-Asdu dissector, as in the analysis above);
Step S24: conclude that the protocol is not encrypted, and go to step S2X;
Step S25: conclude that the protocol is encrypted;
Step S2X: end;
As shown in Fig. 6, the vulnerability detection method of the invention finds vulnerabilities quickly; Fig. 6 shows a detection result produced by the invention.
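The passive check of steps S21 to S25, as an added example that is not the patent's code. It takes a list of captured packets, applies the same filter the text hands to tshark (target IP and port 2404), cuts each payload into APDUs and dissects the ASDU type identification and cause of transmission, and decides "not encrypted" when standard 104 ASDUs are readable in clear. The packets, addresses and payloads are constructed; the tshark command in the comment and its field names are assumptions to confirm against the installed Wireshark version.

```python
import struct

# Added example, not the patent's own code: the passive check of steps S21-S25 on captured TCP
# payloads.  Packets are constructed inline; on a real capture the same filtering is done by tshark:
#   tshark -r capture.pcap -Y 'ip.addr==10.0.0.7 && tcp.port==2404 && iec60870_asdu' \
#          -T fields -e iec60870_asdu.typeid -e iec60870_asdu.causetx
# (filter and field names assumed as in current Wireshark builds; confirm with `tshark -G fields`).
IEC104_PORT = 2404
# Type identifications from IEC 60870-5-101 that a distribution terminal commonly uses (monitoring,
# commands, interrogation); an ASDU whose type is not in this set is not counted as 104 here.
KNOWN_TYPES = {1, 3, 9, 11, 13, 30, 31, 34, 36, 45, 46, 47, 48, 49, 50, 100, 101, 103}
COT_MAX = 47   # causes of transmission are defined in the range 1..47

def split_apdus(payload):
    """Cut a TCP payload into APDUs; stops at the first position that is not a well-formed APCI."""
    apdus, i = [], 0
    while i + 2 <= len(payload):
        length = payload[i + 1]
        if payload[i] != 0x68 or length < 4 or i + 2 + length > len(payload):
            break
        apdus.append(payload[i:i + 2 + length])
        i += 2 + length
    return apdus

def parse_asdu(apdu):
    """Return (type_id, cause, common_address) for an I-frame, or None for U/S frames and short frames."""
    if apdu[2] & 0x01 or len(apdu) < 12:
        return None
    type_id, _vsq, cot_low, _originator = apdu[6:10]
    return type_id, cot_low & 0x3F, struct.unpack_from("<H", apdu, 10)[0]

def classify(packets, target_ip):
    """Steps S22-S25: keep the target's port-2404 traffic, dissect it, and decide plaintext vs encrypted."""
    extracted = []
    for pkt in packets:
        if target_ip not in (pkt["src"], pkt["dst"]) or IEC104_PORT not in (pkt["sport"], pkt["dport"]):
            continue                                            # the tshark display filter
        for apdu in split_apdus(pkt["payload"]):
            info = parse_asdu(apdu)
            if info and info[0] in KNOWN_TYPES and 1 <= info[1] <= COT_MAX:
                extracted.append(info)
    if extracted:
        return "not encrypted", extracted                       # S24: standard 104 ASDUs readable in clear
    return "encrypted or not plain 104", extracted              # S25: nothing dissected as 104

# Constructed capture: a plaintext STARTDT + general interrogation exchange and a spontaneous
# single-point indication, plus one Modbus/TCP packet that the port filter must drop.
PLAINTEXT = [
    {"src": "10.0.0.1", "dst": "10.0.0.7", "sport": 50000, "dport": 2404,
     "payload": bytes.fromhex("680407000000" "680e0000000064010600010000000014")},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "sport": 2404, "dport": 50000,
     "payload": bytes.fromhex("68040b000000" "680e0000020064010700010000000014"
                              "680e0200020001010300010001000001")},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "sport": 502, "dport": 40000,
     "payload": bytes.fromhex("000100000006010300000001")},
]
# Constructed capture of the same port carrying a TLS application-data record: nothing dissects as 104.
ENCRYPTED = [
    {"src": "10.0.0.1", "dst": "10.0.0.7", "sport": 50001, "dport": 2404,
     "payload": bytes.fromhex("170303001059c4f1a7d3e2b8904c6f1e2a37b05dd1")},
]

if __name__ == "__main__":
    print(classify(PLAINTEXT, "10.0.0.7"))
    print(classify(ENCRYPTED, "10.0.0.7"))
```

The plaintext capture yields the activation (cause 6), its confirmation (cause 7) and a spontaneous M_SP_NA_1 (type 1, cause 3), so the verdict is "not encrypted". The S25 verdict in this form only means that nothing dissected as 104, which non-104 plaintext on the port would also produce; a practitioner should confirm it by checking for a TLS handshake or a protocol gateway on that port before reporting the link as encrypted.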
in the embodiments provided in the present invention, it should be understood that the disclosed method and terminal can be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
In addition, the technical solutions in the above several embodiments can be combined and replaced with each other without contradiction.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of modules or means recited in the system claims may also be implemented by one module or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. A vulnerability detection system for the network security of a power distribution automation system, the detection system comprising a vulnerability scanning system and a configuration management module, wherein the vulnerability scanning system is communicatively connected to the configuration management module for task issuing and result return;
the vulnerability scanning system comprises a task analyzer, a script engine and a vulnerability scanning test script library, wherein the task analyzer analyzes the tasks issued by the configuration management module, and the script engine, once the issued task has been analyzed, loads the test scripts that need to be executed, performs syntax analysis on the test scripts, executes them and returns their execution results to the configuration management module; the vulnerability scanning test scripts are stored in the test script library;
the configuration management module issues test tasks and receives the test results returned by the vulnerability scanning system.
2. The vulnerability detection system of claim 1, wherein the task analyzer analyzes the tasks issued by the configuration management module, specifically: a task is issued in command form, the command comprising a task name, task details and a task data address; when a task is received, its task details are analyzed, the task data are acquired on the basis of the analysis result, and a new test process is created to process the task.
3. The vulnerability detection system of claim 2, wherein acquiring the task data on the basis of the analysis result and creating a new test process to process the task specifically comprises: analyzing the task details to obtain the task type; when the task type is a script-execution type, obtaining the task data address, obtaining the script name and parameter information from the task data address, creating a new test process on the basis of the script name and parameter information, and copying the script name and parameter information into the process storage space of the new test process.
4. The vulnerability detection system of claim 3, wherein the script engine comprises a script scheduling module, a script execution module and a knowledge base.
5. The vulnerability detection system of claim 4, wherein the script scheduling module selects the test scripts to be executed and the script execution module executes the selected test scripts.
6. The vulnerability detection system of claim 5, wherein the script scheduling module reads the test scripts and completes the initialization and serialization of script calls; the script scheduling module comprises a script loading module and a script organization module.
7. The vulnerability detection system of claim 6, wherein the loading module loads and initializes the corresponding test scripts according to the script names and parameter information to be executed, specifically: all test scripts are loaded and stored in a global variable linked list that holds all information of the script engine during start-up, running and termination; preferably, the global variable linked list is stored in the process space of the test process, and when control passes from the task analyzer to the script engine, data are exchanged and stored through that process.
8. The vulnerability detection system of claim 7, wherein the organization module determines the execution sequence of the scripts according to the scheduling policy of the scripts and the related scheduling information stored in the knowledge base, and the test scripts are interpreted and executed according to that execution sequence.
9. The vulnerability detection system of claim 8, wherein the organization module obtains a preliminary execution sequence according to the scheduling policy of the scripts, adjusts the preliminary execution sequence with the related scheduling information stored in the knowledge base to obtain the execution sequence of the scripts, and interprets and executes the test scripts according to that execution sequence.
10. The power distribution automation system network security-oriented vulnerability detection system of claim 9, wherein each test script has its corresponding scheduling policy set for configuration management modules.
CN201811623895.9A 2018-12-28 2018-12-28 Vulnerability detection system for network security of power distribution automation system Active CN111385253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811623895.9A CN111385253B (en) 2018-12-28 2018-12-28 Vulnerability detection system for network security of power distribution automation system

Publications (2)

Publication Number Publication Date
CN111385253A true CN111385253A (en) 2020-07-07
CN111385253B CN111385253B (en) 2023-05-23

Family

ID=71217972

Country Status (1)

Country Link
CN (1) CN111385253B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111737697A (en) * 2020-08-06 2020-10-02 中国人民解放军国防科技大学 Safety scanning system and scanning method based on atomization function

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082659A (en) * 2009-12-01 2011-06-01 厦门市美亚柏科信息股份有限公司 Vulnerability scanning system oriented to safety assessment and processing method thereof
CN102567669A (en) * 2011-12-23 2012-07-11 广东电网公司电力科学研究院 Automatic testing and evaluation method for database security in classified protection testing and evaluation and system thereof
CN103106368A (en) * 2013-02-26 2013-05-15 南京理工大学常熟研究院有限公司 Vulnerability scanning method for grade protection
US20140012963A1 (en) * 2012-07-03 2014-01-09 Skyfire Labs, Inc. Linked List Scripting Engine
CN107729234A (en) * 2017-09-29 2018-02-23 郑州云海信息技术有限公司 The scheduling of test case performs method, apparatus, equipment and computer-readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant