CN111404870B - Safe and reliable public network communication method applied to Modbus - Google Patents


Info

Publication number
CN111404870B
Authority
CN (China)
Prior art keywords
information, transmission, delay, transmitted, characteristic
Legal status
Active
Application number
CN201911108354.7A
Other languages
Chinese (zh)
Other versions
CN111404870A (en)
Inventor
姚杰
马楠桦
蔡其星
孔伟阳
Current Assignee
Supcon Technology Xi'an Co ltd
Zhongkong Technology Co ltd
Original Assignee
Supcon Technology Xi'an Co ltd
Zhejiang Supcon Technology Co Ltd
Application filed by Supcon Technology Xi'an Co ltd and Zhejiang Supcon Technology Co Ltd
Priority to CN201911108354.7A
Publication of CN111404870A
Application granted
Publication of CN111404870B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks
    • H04L67/1044 Group management mechanisms
    • H04L67/1046 Joining mechanisms
    • H04L67/1074 Peer-to-peer [P2P] networks for supporting data block transmission mechanisms
    • H04L67/1078 Resource delivery mechanisms
    • H04L67/14 Session management
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks


Abstract

The invention discloses a method for realizing safe and reliable public network communication applied to Modbus, characterized by comprising the following steps. S1: establishing a point-to-point tunnel for characteristic information between an information sending end and an information receiving end. S2: the sending end combines the information to be sent into transmission information according to importance and sends the characteristic information of the transmission information to the receiving end through the tunnel. S3: the receiving end establishes, from the characteristic information of the transmission information, a service session for parsing that transmission information; after receiving information, it matches the received information against the established service sessions and parses it. The invention thus provides a safe and reliable public network communication method applied to Modbus, supplying effective safety measures when the Modbus protocol is used for external connections.

Description

Safe and reliable public network communication method applied to Modbus
Technical Field
The invention relates to the technical field of communication, in particular to a safe and reliable public network communication method applied to Modbus.
Background
In industrial production today, Modbus is widely used for data acquisition and data exchange, and for typical simple control devices such as PLCs it is applied even more broadly.
Because the Modbus protocol was designed early, it offers little in the way of identity verification or secure communication; yet with the wide spread of Internet of Things technology, data acquisition from and communication with field devices over the Modbus protocol has become a typical requirement.
In traditional use, the server is exposed on the public network directly through firewall port mapping or NAT mapping, and the service is used by accessing a fixed port from outside. Keeping a fixed port open for long periods without effective security measures is a serious hidden danger to safe use.
Given the complexity of existing products and systems, large-scale architectural modification of traditional software is unrealistic and does not meet cost requirements. The problems are instead avoided by restricting users or reducing usage time, but this does not cure the root cause. As the degree of informatization increases, enterprise information networks connect to the outside ever more frequently, and security access risks accompany every link between the inside of the enterprise information network and the public network.
The prior-art solution is to form a private network based on a VPN, or a proprietary network based on hardware, to carry the data communication. Its drawbacks are the cost and complexity of management, together with usage constraints and limitations caused by the complexity of the VPN network.
Chinese patent publication No. CN109739203A, published 10 May 2019, discloses an industrial network boundary protection system comprising a production network system, a data acquisition network system, an office network system and an industrial firewall system. The production network system is connected with the data acquisition network system through the industrial firewall system to realize one-way data transmission, so that control and operation of equipment can be completed within the production network; the data acquisition network system comprises an industrial control safety audit platform, and the office network system further comprises an industrial control system information safety supervision and analysis platform, a production scheduling system and a client. That scheme cannot solve the safety problem of connecting to the public network using the Modbus protocol: ports exposed to the public network can still be attacked maliciously.
Disclosure of Invention
The invention aims to overcome the lack of effective safety measures when the Modbus protocol is used for external connections in the prior art, and provides a safe and reliable public network communication method applied to Modbus that supplies such measures.
To achieve this purpose, the invention adopts the following technical scheme: a safe and reliable public network communication method applied to Modbus, characterized by comprising the following steps:
S1: establishing a point-to-point tunnel for characteristic information between an information sending end and an information receiving end;
S2: the sending end combines the information to be sent into transmission information according to importance and sends the characteristic information of the transmission information to the receiving end through the tunnel;
S3: the receiving end establishes, from the characteristic information of the transmission information, a service session for parsing that transmission information; after receiving information, it matches the received information against the established service sessions and parses it. The characteristic information of the transmission information is sent to the receiving end first, and the receiving end establishes the service session corresponding to that transmission information; when the transmission information itself arrives, it can be parsed by its corresponding service session. On receiving information, the receiving end compares it against the service sessions: if a corresponding service session exists, the information is stored and parsed; if none exists, the information is not information the receiving end is meant to receive, and it is discarded and deleted. External sniffing is thereby shielded. Information to be sent is merged before sending, which makes full use of the narrow Modbus data packet, effectively improves the performance and load of a single connection session, and keeps important information from being delayed by waiting to merge with other information.
Preferably, step S2 comprises the following steps:
S21: the sending end combines the information to be sent into transmission information according to importance;
S22: the sending end extracts the characteristic information of the transmission information;
S23: the sending end transmits the characteristic information of the transmission information to the receiving end through the tunnel. Merging the information to be sent first makes full use of the narrow Modbus data packet, effectively improves the performance and load of a single connection session, and keeps important information from being delayed by waiting to merge with other information; the characteristic information of the merged transmission information is then extracted and sent to the receiving end, which identifies the transmission information by it.
Preferably, step S21 comprises the following steps:
S211: dividing the information to be sent into delayable information and undelayable information;
S212: each piece of undelayable information is used on its own as one piece of transmission information, and several pieces of delayable information are combined into one piece of transmission information according to delayable time or target device. Undelayable messages are important messages that cannot be delayed and must be transmitted as soon as possible; waiting to be combined with other messages would introduce delay, so they are transmitted first on their own, while the delayable messages are combined for transmission, which improves the performance and load of a single connection session.
Preferably, the process of combining several pieces of delayable information into one piece of transmission information according to delayable time in step S212 is as follows: a threshold for the number of delayable messages combined and a delay-time threshold for delayable messages are set; whether the number of delayable messages waiting to be sent exceeds the count threshold is judged; if it does, all waiting delayable messages are combined into one piece of transmission information; otherwise, the waiting delayable messages whose delay time exceeds the delay-time threshold are combined into one piece of transmission information. Because delayable information cannot be postponed indefinitely, when the number of messages waiting is below the combined count threshold they are combined into one piece of transmission information, and when it exceeds the combined count threshold the messages that have waited longest are combined and sent first.
Preferably, the process of combining several pieces of delayable information into one piece of transmission information according to target device in step S212 is as follows: several pieces of waiting delayable information addressed to the same target device are combined into one piece of transmission information. Merging the information to be sent by target device improves transmission efficiency.
Preferably, step S22 comprises: the sending end assigns a unique identification code to each piece of transmission information and uses that code as its characteristic information. Because every piece of transmission information carries a unique identification code, it can be recognized when it reaches the receiving end; information that cannot be recognized is either useless information or unauthorized malicious information and is not used, which ensures safety.
Preferably, the sending end uses the first characters of the transmission information as supplementary characteristic information and adds the unique code of the transmission information to it to form the characteristic information. Using the first characters as supplementary characteristic information increases the accuracy with which transmission information is identified and avoids the case where it cannot be recognized because its identification code has been disordered.
Preferably, the identification code is reset every few minutes. As transmission information is sent continuously the identification code grows larger, making the transmitted data larger and wasting resources, so the identification code is reset every few minutes to avoid this.
Preferably, step S3 comprises: the receiving end establishes a service session for each piece of transmission information according to its received characteristic information; after the receiving end receives information, the received information is compared against the service sessions and parsed through the service session corresponding to that transmission information, the parsing process restoring the information combined in the transmission information to the separate pieces before combination; if no service session corresponding to the received information can be found, the received information is discarded. The characteristic information of the transmission information is sent to the receiving end first, and the receiving end establishes the corresponding service session; when the transmission information arrives it can be parsed through that session. On receiving information, the receiving end first compares it against the service sessions: if a corresponding session exists the information is stored and parsed; if not, the information is not information the receiving end is meant to receive, and it is discarded and deleted, so that external sniffing is shielded.
Preferably, the information to be sent and the received information are Modbus TCP communication protocol data.
Therefore, the invention has the following beneficial effects: (1) the characteristic information of the transmission information is sent to the receiving end first, and the receiving end establishes the corresponding service session; when the transmission information arrives it can be parsed through that session; on receiving information, the receiving end compares it against the service sessions, and if a corresponding session exists the information is stored and parsed, while if not the information is not information the receiving end is meant to receive and is discarded and deleted, so that external sniffing is shielded;
(2) information to be sent is merged first, which makes full use of the narrow Modbus data packet, effectively improves the performance and load of a single connection session, and keeps important information from being delayed by waiting to merge with other information; the characteristic information of the merged transmission information is extracted and sent to the receiving end, which identifies the transmission information by it;
(3) undelayable information is important information that cannot be delayed and must be transmitted as soon as possible; waiting to be combined with other information would introduce delay, so undelayable information is transmitted first on its own while delayable information is combined for transmission, which improves the performance and load of a single connection session;
(4) because delayable information cannot be postponed indefinitely, when the number of messages waiting is below the combined count threshold they are combined into one piece of transmission information, and when it exceeds the combined count threshold the messages that have waited longest are combined and sent first;
(5) the sending end assigns a unique identification code to each piece of transmission information, so that it can be recognized when it reaches the receiving end; information that cannot be recognized is useless information or unauthorized malicious information and is not used, which ensures safety;
(6) as transmission information is sent continuously the identification code grows larger, making the transmitted data larger and wasting resources, so the identification code is reset every few minutes to avoid this.
Drawings
FIG. 1 is a schematic diagram of information delivery according to the present invention
FIG. 2 is a schematic diagram of information merging according to the present invention
FIG. 3 is a schematic diagram of information merging and transmission according to the present invention
FIG. 4 is a schematic diagram of matching information with service session according to the present invention
FIG. 5 is a diagram illustrating information merging and parsing according to the present invention.
Detailed Description
The invention is further described with reference to the following detailed description and accompanying drawings.
Example: a safe and reliable public network communication method applied to Modbus, characterized by comprising the following steps:
S1: establishing a point-to-point tunnel for characteristic information between an information sending end and an information receiving end;
S2: the sending end combines the information to be sent into transmission information according to importance and sends the characteristic information of the transmission information to the receiving end through the tunnel;
S21: the sending end combines the information to be sent into transmission information according to importance;
S211: dividing the information to be sent into delayable information and undelayable information;
S212: each piece of undelayable information is used on its own as one piece of transmission information, and several pieces of delayable information are combined into one piece of transmission information according to delayable time or target device. Combining according to delayable time proceeds as follows: a threshold for the number of delayable messages combined and a delay-time threshold for delayable messages are set; whether the number of delayable messages waiting to be sent exceeds the count threshold is judged; if it does, all waiting delayable messages are combined into one piece of transmission information; otherwise, the waiting delayable messages whose delay time exceeds the delay-time threshold are combined into one piece of transmission information. Combining according to target device proceeds as follows: several pieces of waiting delayable information addressed to the same target device are combined into one piece of transmission information.
S22: the sending end extracts the characteristic information of the transmission information: it assigns a unique identification code to each piece of transmission information, uses that code as the characteristic information, and resets the code every minute. The characteristic information may alternatively be generated as follows: the sending end takes several characters at the beginning of the transmission information as supplementary characteristic information and adds the unique code of the transmission information in front of it to form the characteristic information, the identification code being reset every few minutes;
S23: the sending end transmits the characteristic information of the transmission information to the receiving end through the tunnel.
S3: the receiving end establishes, from the characteristic information of the transmission information, a service session for parsing that transmission information; after receiving information, it matches the received information against the established service sessions and parses it. The specific process is as follows: the receiving end establishes a service session for each piece of transmission information according to its received characteristic information; after the receiving end receives information, the received information is compared against the service sessions and parsed through the service session corresponding to that transmission information, the parsing process restoring the information combined in the transmission information to the separate pieces before combination; if no service session corresponding to the received information can be found, the received information is discarded.
The information to be sent and the received information are Modbus TCP communication protocol data.
The invention is further illustrated by the following specific example. As shown in FIG. 1, when the information sending end is an intranet penetration client, the information receiving end is an intranet penetration server; data transmission between the Modbus TCP client and the Modbus TCP server takes place over the communication path established between the intranet penetration client and the intranet penetration server.
S1: establishing a point-to-point tunnel for characteristic information between the sending end and the receiving end;
S2: the sending end combines the information to be sent into transmission information according to importance and sends the characteristic information of the transmission information to the receiving end through the tunnel. Information to be sent is merged first and then sent, which makes full use of the narrow Modbus data packet, effectively improves the performance and load of a single connection session, and keeps important information from being delayed by waiting to merge with other information.
S21: the sending end combines the information to be sent into transmission information according to importance. The characteristic information of the merged transmission information is then extracted and sent to the receiving end, which identifies the transmission information by it.
S211: dividing the information to be sent into delayable information and undelayable information. Suppose the sending end has three messages for the receiving end: stop-operation information, the data information stored at address D100 and the data information read from address D205. The stop-operation information is treated as undelayable information, and the D100 and D205 data information as delayable information. The sending end decides the classification by looking up a classification database, which a worker compiles by judging each type of information and imports into the sending end; information not found in the classification database is treated as undelayable information.
S212: as shown in FIG. 3, the stop operation information is undelayable information, so it is sent alone as one piece of transmission information. The process of combining several pieces of delayable information into one piece of transmission information according to the delayable time is as follows: a threshold for the number of delayable pieces of information to be combined is set to 5, and a threshold for the lag (hysteresis) time of delayable information is set to 0.3 s. If the number of delayable pieces of information to be sent is 2, this does not exceed the count threshold of 5, so the data information stored in address D100 and the data information read from address D205 are combined into one piece of transmission information. If the number of delayable pieces of information to be sent exceeds the count threshold of 5, the delayable pieces of information whose lag time already exceeds the lag time threshold are combined into one piece of transmission information. The process of combining several pieces of delayable information into one piece of transmission information according to the target device is as follows: if the data information stored in address D100 and the data information read from address D205 are addressed to the same device, the two pieces of information are combined into one piece of transmission information. As shown in FIG. 2, the merging process splits each original message into a communication protocol header and a communication message body, uses the same communication protocol header as the header of the new message, concatenates all the communication message bodies in a fixed order, and marks each original message so that it can be accurately restored later. Because delayable information cannot be delayed indefinitely, when the number of pieces of information to be transmitted is less than the threshold for the number of delayable pieces combined, they are all combined into one piece of transmission information, and when the number exceeds that threshold, the information that has already been delayed longest is combined and transmitted first. Combining the information to be transmitted according to the target device also improves transmission efficiency.
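The classification of S211 and the two combining rules of S212, as an added Python example that is not the patent's own code. It keeps the numbers the description gives (a count threshold of 5 and a lag threshold of 0.3 s), keys the worker's classification database on the Modbus function code, and treats the D100/D205 data as reads of holding registers 100 and 205; the function codes, device names and queue timestamps are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNT_THRESHOLD = 5   # threshold for the number of delayable messages combined (S212)
LAG_THRESHOLD = 0.3   # threshold for the lag time of delayable messages, in seconds (S212)

# Constructed classification database (S211): a worker has judged each message
# type in advance. It is keyed on the Modbus function code here; anything absent
# from it is treated as undelayable, as S211 prescribes for unknown message types.
CLASSIFICATION_DB: Dict[int, str] = {
    0x03: "delayable",    # Read Holding Registers
    0x10: "delayable",    # Write Multiple Registers
    0x05: "undelayable",  # Write Single Coil (used below as a stop command)
}


@dataclass
class Pending:
    device: str         # target device the request is addressed to
    pdu: bytes          # Modbus PDU: function code followed by its data
    enqueued_at: float  # time the request was queued, in seconds


def read_regs(addr: int, count: int) -> bytes:
    return struct.pack(">BHH", 0x03, addr, count)


def write_coil(addr: int, on: bool) -> bytes:
    return struct.pack(">BHH", 0x05, addr, 0xFF00 if on else 0x0000)


def classify(pdu: bytes) -> str:
    """S211: look the message type up in the classification database."""
    return CLASSIFICATION_DB.get(pdu[0], "undelayable")


def combine_by_time(delayable: List[Pending], now: float) -> Tuple[List[Pending], List[Pending]]:
    """S212, time rule: up to the count threshold everything waiting is merged;
    above it only messages whose lag already exceeds the lag threshold are merged.
    Returns (messages to merge now, messages still waiting)."""
    if len(delayable) <= COUNT_THRESHOLD:
        return list(delayable), []
    ready = [m for m in delayable if now - m.enqueued_at > LAG_THRESHOLD]
    waiting = [m for m in delayable if now - m.enqueued_at <= LAG_THRESHOLD]
    return ready, waiting


def combine_by_device(delayable: List[Pending]) -> List[List[Pending]]:
    """S212, device rule: one merged transmission per target device."""
    groups: Dict[str, List[Pending]] = {}
    for m in delayable:
        groups.setdefault(m.device, []).append(m)
    return list(groups.values())


def plan_transmissions(pending: List[Pending], now: float, rule: str = "time"):
    """Return (transmissions, still_waiting): each undelayable request is a
    transmission on its own; delayable requests are merged by the chosen rule."""
    undelayable = [m for m in pending if classify(m.pdu) == "undelayable"]
    delayable = [m for m in pending if classify(m.pdu) == "delayable"]
    transmissions = [[m] for m in undelayable]
    waiting: List[Pending] = []
    if rule == "time":
        group, waiting = combine_by_time(delayable, now)
        if group:
            transmissions.append(group)
    elif rule == "device":
        transmissions.extend(combine_by_device(delayable))
    else:
        raise ValueError(f"unknown rule {rule!r}")
    return transmissions, waiting


def sample_pending(now: float) -> List[Pending]:
    """Constructed queue matching the S211/S212 example: a stop command plus a
    read of register 100 and a read of register 205 (stand-ins for D100/D205)."""
    return [
        Pending("plc-1", write_coil(0, False), now - 0.05),
        Pending("plc-1", read_regs(100, 1), now - 0.10),
        Pending("plc-1", read_regs(205, 1), now - 0.12),
    ]


def sample_backlog(now: float) -> List[Pending]:
    """Constructed backlog of 7 delayable reads with increasing lag, more than
    the count threshold, so only the ones past 0.3 s go out now."""
    lags = [0.05, 0.10, 0.20, 0.31, 0.40, 0.50, 0.60]
    return [Pending("plc-2", read_regs(200 + i, 1), now - lag) for i, lag in enumerate(lags)]


if __name__ == "__main__":
    t = 10.0
    print(plan_transmissions(sample_pending(t), t))
    print(plan_transmissions(sample_backlog(t), t))
```

With the three-message queue the stop command goes out alone and the two reads form one transmission; with the seven-message backlog only the four reads that have waited longer than 0.3 s are merged and the other three stay queued, which is the bound on waiting time the description relies on.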
S22: the information sending end extracts the characteristic information of the transmission information and assigns a unique identification code to each piece of transmission information; the identification codes of the stop operation information, the data information stored in address D100 and the data information read from address D205 are 001, 002 and 003 respectively, and these identification codes serve as the characteristic information of the transmission information. The identification codes are reset once every 5 minutes; when the identification codes are reset, any identification code whose corresponding transmission information has not yet been sent is not reset. The characteristic information may also be generated as follows: the information sending end takes the first few characters of the transmission information as supplementary characteristic information and prepends the unique code of the transmission information to the supplementary characteristic information to form the characteristic information of the transmission information. Here too the identification code is reset once every 5 minutes, and when the identification codes are reset, an identification code whose transmission information has not yet been sent is not reset.
S23: the information sending end transmits the characteristic information of the transmission information to the information receiving end through the transmission tunnel.
S3: as shown in FIG. 4, the information receiving end establishes a service session for parsing the transmission information according to the characteristic information of the transmission information, and after receiving information it matches the received information against the established service sessions and parses it. The specific process is as follows: the information receiving end establishes a service session for each piece of transmission information according to the received characteristic information, namely service session No. 1 for the stop operation information, service session No. 2 for the data information stored in address D100 and service session No. 3 for the data information read from address D205. After the information receiving end receives information, it compares the received information with the service sessions and parses it through the service session corresponding to that transmission information; the parsing process restores the information combined in the transmission information to the information as it was before combination. If no corresponding service session can be found when the received information is compared with the service sessions, the received information is discarded; the unknown information 4 in FIG. 4, for example, has no service session and is discarded. The process of combining and parsing the information to be transmitted is shown in FIG. 5: messages 9000, 9002 and 9003 are combined and then transmitted, and 9000, 9002 and 9003 are parsed out again at the receiving end.
The characteristic information of the transmission information is transmitted to the information receiving end first, and the information receiving end establishes a service session corresponding to that transmission information; when the transmission information itself arrives, it can be parsed through the corresponding service session. When the information receiving end receives information, it first compares the information with the service sessions: if the information has a corresponding service session, it is stored and parsed; if it does not, the information is not information the receiving end is meant to receive, so it is abandoned and deleted, which shields against external sniffing.
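The merging of FIG. 2 and the session matching of S3 and the paragraph above, as an added Python example that is not the patent's code: each Modbus TCP frame is split into its MBAP header and PDU, the bodies are concatenated behind a marker so they can be restored exactly, each transmission gets a unique identification code that is announced ahead of it as its characteristic information (S22, S23), and the receiver parses only transmissions for which such a session exists and discards everything else, including the "unknown information 4" case. The 5-byte marker, the 2-byte code prefix, the use of the first four bytes of the transmission as supplementary characteristic information and the transaction ids 9000/9002/9003 are this example's assumptions, not the patent's wire format.

```python
import struct
from typing import Dict, List, Optional, Tuple

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


def modbus_tcp_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus TCP frame; the MBAP length field counts unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def split_frame(frame: bytes) -> Tuple[bytes, bytes]:
    """Split a frame into its communication protocol header (MBAP) and message body (PDU)."""
    if len(frame) < MBAP_LEN:
        raise ValueError("frame shorter than MBAP header")
    return frame[:MBAP_LEN], frame[MBAP_LEN:]


def merge_frames(frames: List[bytes]) -> bytes:
    """FIG. 2: the first frame's protocol header becomes the header of the new
    message; every body is appended behind a constructed 5-byte marker
    (original transaction id, unit id, body length) so it can be restored exactly."""
    if not frames:
        raise ValueError("nothing to merge")
    head, _ = split_frame(frames[0])
    body = b""
    for frame in frames:
        hdr, pdu = split_frame(frame)
        tid, _proto, _length, unit = struct.unpack(">HHHB", hdr)
        body += struct.pack(">HBH", tid, unit, len(pdu)) + pdu
    tid0, proto0, _, unit0 = struct.unpack(">HHHB", head)
    return struct.pack(">HHHB", tid0, proto0, len(body) + 1, unit0) + body


def restore_frames(merged: bytes) -> List[bytes]:
    """Inverse of merge_frames: walk the markers and rebuild each original frame."""
    _, body = split_frame(merged)
    frames, pos = [], 0
    while pos < len(body):
        if pos + 5 > len(body):
            raise ValueError("truncated marker")
        tid, unit, n = struct.unpack(">HBH", body[pos:pos + 5])
        pos += 5
        if pos + n > len(body):
            raise ValueError("truncated body")
        frames.append(modbus_tcp_frame(tid, unit, body[pos:pos + n]))
        pos += n
    return frames


class Sender:
    """S22/S23: one unique identification code per transmission; the
    characteristic information is announced through the tunnel before the
    transmission itself is sent."""
    def __init__(self) -> None:
        self.next_code = 1

    def prepare(self, frames: List[bytes]) -> Tuple[Tuple[int, bytes], bytes]:
        code, self.next_code = self.next_code, self.next_code + 1
        merged = merge_frames(frames)
        feature = (code, merged[:4])             # code + leading bytes as supplementary characteristic
        wire = struct.pack(">H", code) + merged  # constructed framing: code prefix on the public network
        return feature, wire


class Receiver:
    """S3: a service session per announced transmission; anything without one is dropped."""
    def __init__(self) -> None:
        self.sessions: Dict[int, bytes] = {}
        self.discarded = 0

    def establish_session(self, feature: Tuple[int, bytes]) -> None:
        code, head = feature
        self.sessions[code] = head

    def receive(self, wire: bytes) -> Optional[List[bytes]]:
        if len(wire) < 2 + MBAP_LEN:
            self.discarded += 1
            return None
        code = struct.unpack(">H", wire[:2])[0]
        payload = wire[2:]
        head = self.sessions.pop(code, None)  # a session serves exactly one transmission
        if head is None or payload[:4] != head:
            self.discarded += 1
            return None
        return restore_frames(payload)


def sample_frames() -> List[bytes]:
    """Constructed frames; the transaction ids follow the 9000/9002/9003 of FIG. 5."""
    return [
        modbus_tcp_frame(9000, 1, bytes([0x03, 0x00, 0x64, 0x00, 0x01])),  # read holding register 100
        modbus_tcp_frame(9002, 1, bytes([0x03, 0x00, 0xCD, 0x00, 0x01])),  # read holding register 205
        modbus_tcp_frame(9003, 1, bytes([0x06, 0x00, 0x64, 0x12, 0x34])),  # write single register 100
    ]


def demo() -> Tuple[bool, bool, int]:
    frames = sample_frames()
    tx, rx = Sender(), Receiver()
    feature, wire = tx.prepare(frames)
    rx.establish_session(feature)                        # characteristic info arrives via the tunnel first
    restored = rx.receive(wire)                          # known session: parsed and restored
    stray = rx.receive(struct.pack(">H", 4) + wire[2:])  # "unknown information 4": no session, discarded
    return restored == frames, stray is None, rx.discarded
```

The session is consumed when it is used, so a second copy of the same transmission is discarded like any other unannounced data; that is a choice of this example, the description only requires that data without a matching session be dropped.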

Claims (7)

1. A safe and reliable public network communication method applied to Modbus is characterized by comprising the following steps:
s1: establishing a characteristic information point-to-point transmission tunnel between an information sending end and an information receiving end;
s2: the information sending end combines the information to be sent into transmission information according to importance and sends the characteristic information of the transmission information to the information receiving end through a transmission tunnel;
s2 includes the steps of:
s21: the information sending end combines the information to be sent into transmission information according to importance;
s22: the information sending end extracts the characteristic information of the transmitted information; the information sending end distributes a unique identification code to each piece of transmission information, and the identification codes are used as characteristic information of the transmission information; the characteristic information may also be generated by the following process: the information sending end takes a plurality of characters at the head of the transmission information as supplementary characteristic information of the transmission information, and adds the unique code of the transmission information before the supplementary characteristic information to form the characteristic information of the transmission information;
s23: the information sending end transmits the characteristic information of the transmission information to the information receiving end through the transmission tunnel;
s3: the information receiving end establishes a service session for analyzing the transmitted information according to the characteristic information of the transmitted information, and after receiving the information, the information receiving end matches the received information with the established service session and analyzes the received information.
2. The method for realizing the safe and reliable public network communication applied to the Modbus according to claim 1, wherein the step S21 comprises the following steps:
s211: dividing information to be transmitted into delay-capable information and delay-incapable information;
s212: the undelayable information is used alone as a piece of transmission information, and several pieces of the delayable information are combined into one piece of transmission information according to the delayable time or the target device.
3. The method according to claim 2, wherein the step S212 of combining the plurality of deferrable messages into one transmission message according to the deferrable time includes: setting a combined delay information quantity threshold value, setting a delay time threshold value of delay information, judging whether the quantity of delay information to be sent is greater than the delay information quantity threshold value, if the quantity of delay information to be sent is greater than the delay information quantity threshold value, combining all delay information to be sent into one piece of transmission information, otherwise combining the delay information to be sent with the delay time exceeding the delay time threshold value of the delay information into one piece of transmission information.
4. The method according to claim 2, wherein the process in step S212 of merging the plurality of deferrable messages into one piece of transmission information according to the target device includes: combining a plurality of to-be-transmitted deferrable messages addressed to the same target device into one piece of transmission information.
5. The method of claim 1, wherein the identification code is reset every few minutes.
6. The method for realizing the safe and reliable public network communication applied to the Modbus according to claim 1, wherein the step S3 is as follows: the information receiving end establishes a service session for each piece of transmission information according to the characteristic information of the received transmission information, after the information receiving end receives the information, the received information is compared with the service session, the received information is analyzed through the service session corresponding to the transmission information, the analysis process is to restore the information combined in the transmission information into the information before combination, and if the received information is compared with the service session and the service session corresponding to the information cannot be found, the received information is discarded.
7. The method for realizing safe and reliable public network communication applied to Modbus according to claim 1, wherein the information to be sent and the received information are Modbus TCP communication protocol data.
CN201911108354.7A 2019-11-13 2019-11-13 Safe and reliable public network communication method applied to Modbus Active CN111404870B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911108354.7A CN111404870B (en) 2019-11-13 2019-11-13 Safe and reliable public network communication method applied to Modbus

Publications (2)

Publication Number Publication Date
CN111404870A CN111404870A (en) 2020-07-10
CN111404870B true CN111404870B (en) 2022-05-31

Family

ID=71435870

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911108354.7A Active CN111404870B (en) 2019-11-13 2019-11-13 Safe and reliable public network communication method applied to Modbus

Country Status (1)

Country Link
CN (1) CN111404870B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 309 Liuhe Road, Binjiang District, Hangzhou, Zhejiang 310000

Patentee after: Zhongkong Technology Co.,Ltd.

Country or region after: China

Patentee after: SUPCON TECHNOLOGY (XI'AN) CO.,LTD.

Address before: 309 Liuhe Road, Binjiang District, Hangzhou, Zhejiang 310000

Patentee before: ZHEJIANG SUPCON TECHNOLOGY Co.,Ltd.

Country or region before: China

Patentee before: SUPCON TECHNOLOGY (XI'AN) CO.,LTD.