CN111723181A - A Reverse Analysis Method of Industrial Control Protocol Based on Active Learning - Google Patents

A Reverse Analysis Method of Industrial Control Protocol Based on Active Learning Download PDF

Info

Publication number
CN111723181A
CN111723181A CN202010553659.5A CN202010553659A CN111723181A CN 111723181 A CN111723181 A CN 111723181A CN 202010553659 A CN202010553659 A CN 202010553659A CN 111723181 A CN111723181 A CN 111723181A
Authority
CN
China
Prior art keywords
active learning
industrial control
message
protocol
control protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010553659.5A
Other languages
Chinese (zh)
Inventor
张晓明
何跃鹰
孙中豪
张嘉玮
曹可建
王占丰
马玮骏
毛传奇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Lexbell Information Technology Co ltd
National Computer Network and Information Security Management Center
Original Assignee
Nanjing Lexbell Information Technology Co ltd
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Lexbell Information Technology Co ltd, National Computer Network and Information Security Management Center filed Critical Nanjing Lexbell Information Technology Co ltd
Priority to CN202010553659.5A priority Critical patent/CN111723181A/en
Publication of CN111723181A publication Critical patent/CN111723181A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/33Querying
    • G06F16/3331Query processing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Evolutionary Computation (AREA)
  • Computing Systems (AREA)
  • Medical Informatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Databases & Information Systems (AREA)
  • Communication Control (AREA)

Abstract

本发明公开了一种基于主动学习的工控协议逆向分析方法,包括导入、初步分析、变异、匹配、合并,通过对工控协议pcap报文样本进行初步分析,掌握工控协议的部分报文格式和状态机,然后再利用该结果与工控机进行交互式主动学习,不断获取新的报文,从而更为准确和完整地推断出协议个词法和语法,且在对协议进行逆向分析时采用了Needleman‑Wunsch序列比对算法,该算法通过相似度计分、最优回溯步骤推断协议的格式和状态机,有效保证了分析结果的准确性,同时结合主动学习过程,将响应报文与初步分析结果中的协议格式进行匹配,判断报文是否与这些协议格式相匹配,并根据需求进行反复的匹配,显著提高工控协议逆向的准确性和覆盖度。

Figure 202010553659

The invention discloses a reverse analysis method of industrial control protocol based on active learning. Then use the result to conduct interactive active learning with the industrial computer, and continuously acquire new messages, so as to more accurately and completely infer the lexical and syntax of the protocol, and use Needleman‑ Wunsch sequence alignment algorithm, the algorithm infers the format and state machine of the protocol through similarity scoring and optimal backtracking steps, which effectively ensures the accuracy of the analysis results. It matches the protocol format of the industrial control protocol, judges whether the packet matches these protocol formats, and performs repeated matching according to the requirements, which significantly improves the accuracy and coverage of the reverse industrial control protocol.

Figure 202010553659

Description

一种基于主动学习的工控协议逆向分析方法A Reverse Analysis Method of Industrial Control Protocol Based on Active Learning

技术领域technical field

本发明涉及协议格式分析技术领域,具体为一种基于主动学习的工控协议逆向分析方法置。The invention relates to the technical field of protocol format analysis, in particular to a method for reverse analysis of industrial control protocols based on active learning.

背景技术Background technique

工业控制系统,简称工控系统,是由计算机设备与工业过程控制部件组成的自动控制系统,广泛应用于电力、水处理、石油与天然气、化工、交通运输、制造业等行业,随着工控系统的网络化和信息化,越来越多的工控设备连接到网络中,在方便使用的同时,也带来了非常大的安全风险,为了杜绝这些安全风险,需要采用协议逆向分析方法,结合模糊测试等技术对工控协议进行检测,从而挖掘出工控协议是否存在安全漏洞。Industrial control system, referred to as industrial control system, is an automatic control system composed of computer equipment and industrial process control components. It is widely used in electric power, water treatment, oil and gas, chemical industry, transportation, manufacturing and other industries. Networking and informatization, more and more industrial control devices are connected to the network, which brings great security risks while being convenient to use. and other technologies to detect the industrial control protocol, so as to dig out whether there is a security loophole in the industrial control protocol.

对未知工控协议的逆向分析主要采用基于网络流量的分析方法,这种方法较为通用,只需要将工控协议的通信样本以pcap的形式导入到分析系统中,然后就可逆向分析得到工控协议的格式和状态机,然而这种传统的处理方法存在着一种较大的问题是工控协议的样本很多时候无法覆盖协议的全部报文格式和状态机,会导致分析结果的不准确和不完整,因此,急需一种基于主动学习的工控协议逆向分析方法解决现有技术存在的问题。The reverse analysis of the unknown industrial control protocol mainly adopts the analysis method based on network traffic. This method is more general. It only needs to import the communication sample of the industrial control protocol into the analysis system in the form of pcap, and then the format of the industrial control protocol can be obtained by reverse analysis. However, there is a big problem with this traditional processing method. In many cases, the samples of industrial control protocols cannot cover all the message formats and state machines of the protocol, which will lead to inaccurate and incomplete analysis results. , there is an urgent need for a reverse analysis method of industrial control protocol based on active learning to solve the problems existing in the prior art.

发明内容SUMMARY OF THE INVENTION

本发明提供一种基于主动学习的工控协议逆向分析方法,可以有效解决上述背景技术中提出的传统的处理方法工控协议的样本很多时候无法覆盖协议的全部报文格式和状态机,导致分析结果的不准确和不完整的问题。The present invention provides a reverse analysis method of industrial control protocol based on active learning, which can effectively solve the problem that the traditional processing method proposed in the above background technology often fails to cover all the message formats and state machines of the protocol, resulting in inconsistent analysis results. Inaccurate and incomplete questions.

为实现上述目的,本发明提供如下技术方案:一种基于主动学习的工控协议逆向分析方法,包括如下步骤:In order to achieve the above object, the present invention provides the following technical solutions: a method for reverse analysis of industrial control protocols based on active learning, comprising the following steps:

S1、导入:将pcap文件中的报文数据导入,并将报文数据全部加载到报文数据集OriginalSet中;S1. Import: import the message data in the pcap file, and load all the message data into the original set of the message data set;

S2、初步分析:对算法对报文数据集OriginalSet中的报文进行逆向分析,得到初步的工控协议格式和状态机;S2. Preliminary analysis: perform reverse analysis on the packets in the packet data set OriginalSet by the algorithm, and obtain the preliminary industrial control protocol format and state machine;

S3、变异:根据初步得到的分析结果,对协议格式中的功能码字段进行变异,产生新的报文;S3. Mutation: According to the preliminary analysis results, the function code field in the protocol format is mutated to generate a new message;

S4、匹配:通过交互式主动学习,将响应报文与初步分析结果中的协议格式进行匹配,筛选出与已有协议格式不匹配的报文加入到报文数据集NewSet中;S4. Matching: Through interactive active learning, the response message is matched with the protocol format in the preliminary analysis result, and the message that does not match the existing protocol format is filtered out and added to the message data set NewSet;

S5、合并:将主动学习后的报文进行逆向分析,并将分析后的结果与初步分析结果进行合并,得到完整的分析结果。S5. Merge: reversely analyze the messages after the active learning, and merge the analyzed results with the preliminary analysis results to obtain a complete analysis result.

优选的,在步骤S1中,运行环境为Intel-Windows架构的PC机以及运行了工控协议服务器端程序的工控机和格式为pcap类型的样本数据集,并采用wireshark工具通过抓包的方式获得。Preferably, in step S1, the operating environment is a PC with an Intel-Windows architecture, an industrial computer running an industrial control protocol server-side program, and a sample data set in a pcap format, which is obtained by capturing packets using a wireshark tool.

优选的,在步骤S2中,对算法对报文数据集OriginalSet中的报文进行逆向分析,其中,对协议进行逆向分析时采用了Needleman-Wunsch序列比对算法,通过相似度计分以及最优回溯推断协议的格式和状态机。Preferably, in step S2, the algorithm performs reverse analysis on the packets in the original set of packet data set, wherein, the Needleman-Wunsch sequence alignment algorithm is used in the reverse analysis of the protocol, and the similarity score and optimal Backtracking infers the format and state machine of the protocol.

优选的,在步骤S4中,利用新的报文与工控机进行交互式主动学习,不断获取新的报文,具体步骤包括:Preferably, in step S4, the new message is used for interactive active learning with the industrial computer, and new messages are continuously obtained, and the specific steps include:

a、将新产生的报文发送给工控机,并接收工控机的响应报文;a. Send the newly generated message to the industrial computer, and receive the response message from the industrial computer;

b、将响应报文与初步分析结果中的协议格式进行匹配,判断报文是否与这些协议格式相匹配,若匹配进行步骤d,反之进行步骤c;b. Match the response message with the protocol format in the preliminary analysis result, and judge whether the message matches these protocol formats. If it matches, go to step d, otherwise go to step c;

c、将工控机的响应报文加入到NewSet集合中;c. Add the response message of the industrial computer to the NewSet collection;

d、判断主动学习过程是否结束,若结束完成主动学习,反之返回步骤a。d. Determine whether the active learning process is over, if the active learning is completed, otherwise return to step a.

优选的,在步骤S5中,将主动学习后,通过再次采用Needleman-Wunsch序列比对算法对报文数据集NewSet中的报文进行逆向分析,得到新的工控协议格式和状态机,并将分析后的结果与初步分析结果进行合并。Preferably, in step S5, after active learning, the Needleman-Wunsch sequence alignment algorithm is used to reversely analyze the messages in the message data set NewSet to obtain a new industrial control protocol format and state machine, and analyze the The latter results were combined with the results of the preliminary analysis.

与现有技术相比,本发明的有益效果:本发明结构科学合理,使用安全方便,通过对工控协议pcap报文样本进行初步分析,掌握工控协议的部分报文格式和状态机,然后再利用该结果与工控机进行交互式主动学习,不断获取新的报文,从而更为准确和完整地推断出协议个词法和语法,且在对协议进行逆向分析时采用了Needleman-Wunsch序列比对算法,该算法通过相似度计分、最优回溯步骤推断协议的格式和状态机,有效保证了分析结果的准确性,同时结合主动学习过程,将响应报文与初步分析结果中的协议格式进行匹配,判断报文是否与这些协议格式相匹配,并根据需求进行反复的匹配,显著提高工控协议逆向的准确性和覆盖度。Compared with the prior art, the beneficial effects of the present invention are as follows: the present invention has a scientific and reasonable structure, is safe and convenient to use, and can master some message formats and state machines of the industrial control protocol by preliminarily analyzing the pcap message samples of the industrial control protocol, and then utilize The result is interactive and active learning with the industrial computer, and new messages are continuously obtained, so as to more accurately and completely infer the lexical and grammar of the protocol, and the Needleman-Wunsch sequence alignment algorithm is used in the reverse analysis of the protocol. , the algorithm infers the format and state machine of the protocol through similarity scoring and optimal backtracking steps, which effectively ensures the accuracy of the analysis results. At the same time, combined with the active learning process, the response message is matched with the protocol format in the preliminary analysis results. , judging whether the message matches these protocol formats, and performing repeated matching according to requirements, which significantly improves the accuracy and coverage of the reverse engineering of industrial control protocols.

附图说明Description of drawings

附图用来提供对本发明的进一步理解,并且构成说明书的一部分,与本发明的实施例一起用于解释本发明,并不构成对本发明的限制。The accompanying drawings are used to provide a further understanding of the present invention, and constitute a part of the specification, and are used to explain the present invention together with the embodiments of the present invention, and do not constitute a limitation to the present invention.

在附图中:In the attached image:

图1是本发明主动学习的工控协议逆向分析方法的示意框图;Fig. 1 is the schematic block diagram of the industrial control protocol reverse analysis method of active learning of the present invention;

图2是本发明主动学习进行匹配的示意框图。FIG. 2 is a schematic block diagram of active learning for matching according to the present invention.

具体实施方式Detailed ways

以下结合附图对本发明的优选实施例进行说明,应当理解,此处所描述的优选实施例仅用于说明和解释本发明,并不用于限定本发明。The preferred embodiments of the present invention will be described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described herein are only used to illustrate and explain the present invention, but not to limit the present invention.

实施例:如图1所示,一种基于主动学习的工控协议逆向分析方法,包括如下步骤:Embodiment: As shown in Figure 1, a method for reverse analysis of industrial control protocol based on active learning includes the following steps:

S1、导入:将pcap文件中的报文数据导入,并将报文数据全部加载到报文数据集OriginalSet中;S1. Import: import the message data in the pcap file, and load all the message data into the original set of the message data set;

S2、初步分析:对算法对报文数据集OriginalSet中的报文进行逆向分析,得到初步的工控协议格式和状态机;S2. Preliminary analysis: perform reverse analysis on the packets in the packet data set OriginalSet by the algorithm, and obtain the preliminary industrial control protocol format and state machine;

S3、变异:根据初步得到的分析结果,对协议格式中的功能码字段进行变异,产生新的报文;S3. Mutation: According to the preliminary analysis results, the function code field in the protocol format is mutated to generate a new message;

S4、匹配:通过交互式主动学习,将响应报文与初步分析结果中的协议格式进行匹配,筛选出与已有协议格式不匹配的报文加入到报文数据集NewSet中;S4. Matching: Through interactive active learning, the response message is matched with the protocol format in the preliminary analysis result, and the message that does not match the existing protocol format is filtered out and added to the message data set NewSet;

S5、合并:将主动学习后的报文进行逆向分析,并将分析后的结果与初步分析结果进行合并,得到完整的分析结果。S5. Merge: reversely analyze the messages after the active learning, and merge the analyzed results with the preliminary analysis results to obtain a complete analysis result.

进一步的,在步骤S1中,运行环境为Intel-Windows架构的PC机以及运行了工控协议服务器端程序的工控机和格式为pcap类型的样本数据集,并采用wireshark工具通过抓包的方式获得,其中,本实施例中,该PC机硬件的主频2.5GHz及以上的Core八核CPU的PC机,内存≥4GB,硬盘500GB,运行Windows10操作系统,该工控机硬件的主频为2.5GHz及以上的Core八核CPU的PC机,内存≥2GB,硬盘100GB,运行Windows 10操作系统。Further, in step S1, the operating environment is a PC with an Intel-Windows architecture, an industrial computer running an industrial control protocol server-side program, and a sample data set with a format of pcap type, and the wireshark tool is used to obtain by capturing packets, Among them, in this embodiment, the PC hardware is a PC with a Core eight-core CPU with a main frequency of 2.5GHz and above, a memory ≥ 4GB, a hard disk of 500GB, running Windows 10 operating system, and the main frequency of the industrial computer hardware is 2.5GHz and above. A PC with the above Core eight-core CPU, memory ≥2GB, hard disk 100GB, running Windows 10 operating system.

进一步的,在步骤S2中,对算法对报文数据集OriginalSet中的报文进行逆向分析,其中,对协议进行逆向分析时采用了Needleman-Wunsch序列比对算法,通过相似度计分以及最优回溯推断协议的格式和状态机。Further, in step S2, the algorithm performs a reverse analysis on the packets in the packet data set OriginalSet, wherein, the Needleman-Wunsch sequence alignment algorithm is used in the reverse analysis of the protocol, and the similarity score and optimal Backtracking infers the format and state machine of the protocol.

如图2所示,在步骤S4中,利用新的报文与工控机进行交互式主动学习,不断获取新的报文,具体步骤包括:As shown in Figure 2, in step S4, the new message is used for interactive active learning with the industrial computer, and new messages are continuously obtained. The specific steps include:

a、将新产生的报文发送给工控机,并接收工控机的响应报文;a. Send the newly generated message to the industrial computer, and receive the response message from the industrial computer;

b、将响应报文与初步分析结果中的协议格式进行匹配,判断报文是否与这些协议格式相匹配,若匹配进行步骤d,反之进行步骤c;b. Match the response message with the protocol format in the preliminary analysis result, and judge whether the message matches these protocol formats. If it matches, go to step d, otherwise go to step c;

c、将工控机的响应报文加入到NewSet集合中;c. Add the response message of the industrial computer to the NewSet collection;

d、判断主动学习过程是否结束,若结束完成主动学习,反之返回步骤a。d. Determine whether the active learning process is over, if the active learning is completed, otherwise return to step a.

采用主动学习的方法,通过测试机主动与工控机进行通信交互,利用报文内容的变异来获取新的报文格式和状态机,从而实现工控协议分析结果的优化和完善。Using the method of active learning, the test machine actively communicates with the industrial computer, and uses the variation of the message content to obtain a new message format and state machine, so as to optimize and improve the analysis results of the industrial control protocol.

进一步的,在步骤S5中,将主动学习后,通过再次采用Needleman-Wunsch序列比对算法对报文数据集NewSet中的报文进行逆向分析,得到新的工控协议格式和状态机,并将分析后的结果与初步分析结果进行合并,从而得到完整的分析结果,并保存所有分析结果,并结束此次分析。Further, in step S5, after the active learning, by using the Needleman-Wunsch sequence alignment algorithm again to reversely analyze the messages in the message data set NewSet, a new industrial control protocol format and state machine are obtained, and the analysis is performed. The final results are merged with the preliminary analysis results to obtain the complete analysis results, save all the analysis results, and end the analysis.

最后应说明的是:以上所述仅为本发明的优选实例而已,并不用于限制本发明,尽管参照前述实施例对本发明进行了详细的说明,对于本领域的技术人员来说,其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换。凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。Finally, it should be noted that the above descriptions are only preferred examples of the present invention, and are not intended to limit the present invention. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still Modifications are made to the technical solutions described in the foregoing embodiments, or equivalent replacements are made to some of the technical features therein. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.

Claims (5)

1.一种基于主动学习的工控协议逆向分析方法,其特征在于,包括如下步骤:1. an industrial control protocol reverse analysis method based on active learning, is characterized in that, comprises the steps: S1、导入:将pcap文件中的报文数据导入,并将报文数据全部加载到报文数据集OriginalSet中;S1. Import: import the message data in the pcap file, and load all the message data into the original set of the message data set; S2、初步分析:对算法对报文数据集OriginalSet中的报文进行逆向分析,得到初步的工控协议格式和状态机;S2. Preliminary analysis: perform reverse analysis on the packets in the packet data set OriginalSet by the algorithm, and obtain the preliminary industrial control protocol format and state machine; S3、变异:根据初步得到的分析结果,对协议格式中的功能码字段进行变异,产生新的报文;S3. Mutation: According to the preliminary analysis results, the function code field in the protocol format is mutated to generate a new message; S4、匹配:通过交互式主动学习,将响应报文与初步分析结果中的协议格式进行匹配,筛选出与已有协议格式不匹配的报文加入到报文数据集NewSet中;S4. Matching: Through interactive active learning, the response message is matched with the protocol format in the preliminary analysis result, and the message that does not match the existing protocol format is filtered out and added to the message data set NewSet; S5、合并:将主动学习后的报文进行逆向分析,并将分析后的结果与初步分析结果进行合并,得到完整的分析结果。S5. Merge: reversely analyze the messages after the active learning, and merge the analyzed results with the preliminary analysis results to obtain a complete analysis result. 2.根据权利要求1所述的一种基于主动学习的工控协议逆向分析方法,其特征在于:在步骤S1中,运行环境为Intel-Windows架构的PC机以及运行了工控协议服务器端程序的工控机和格式为pcap类型的样本数据集,并采用wireshark工具通过抓包的方式获得。2. a kind of industrial control protocol reverse analysis method based on active learning according to claim 1, is characterized in that: in step S1, the operating environment is the PC of Intel-Windows architecture and the industrial control that has run the industrial control protocol server-side program The sample data set of the machine and format is pcap type, and is obtained by capturing packets using the wireshark tool. 3.根据权利要求1所述的一种基于主动学习的工控协议逆向分析方法,其特征在于:在步骤S2中,对算法对报文数据集OriginalSet中的报文进行逆向分析,其中,对协议进行逆向分析时采用了Needleman-Wunsch序列比对算法,通过相似度计分以及最优回溯推断协议的格式和状态机。3. a kind of industrial control protocol reverse analysis method based on active learning according to claim 1 is characterized in that: in step S2, the algorithm is reversely analyzed to the message in the message data set OriginalSet, wherein, to the protocol The Needleman-Wunsch sequence alignment algorithm was used for reverse analysis, and the format and state machine of the protocol were inferred through similarity scoring and optimal backtracking. 4.根据权利要求1所述的一种基于主动学习的工控协议逆向分析方法,其特征在于:在步骤S4中,利用新的报文与工控机进行交互式主动学习,不断获取新的报文,具体步骤包括:4. a kind of industrial control protocol reverse analysis method based on active learning according to claim 1, is characterized in that: in step S4, utilize new message and industrial computer to carry out interactive active learning, continuously obtain new message , the specific steps include: a、将新产生的报文发送给工控机,并接收工控机的响应报文;a. Send the newly generated message to the industrial computer, and receive the response message from the industrial computer; b、将响应报文与初步分析结果中的协议格式进行匹配,判断报文是否与这些协议格式相匹配,若匹配进行步骤d,反之进行步骤c;b. Match the response message with the protocol format in the preliminary analysis result, and judge whether the message matches these protocol formats. If it matches, go to step d, otherwise go to step c; c、将工控机的响应报文加入到NewSet集合中;c. Add the response message of the industrial computer to the NewSet collection; d、判断主动学习过程是否结束,若结束完成主动学习,反之返回步骤a。d. Determine whether the active learning process is over, if the active learning is completed, otherwise return to step a. 5.根据权利要求1所述的一种基于主动学习的工控协议逆向分析方法,其特征在于:在步骤S5中,将主动学习后,通过再次采用Needleman-Wunsch序列比对算法对报文数据集NewSet中的报文进行逆向分析,得到新的工控协议格式和状态机,并将分析后的结果与初步分析结果进行合并。5. a kind of industrial control protocol reverse analysis method based on active learning according to claim 1, is characterized in that: in step S5, after active learning, by adopting Needleman-Wunsch sequence comparison algorithm again to the message data set The messages in the NewSet are reversely analyzed to obtain a new industrial control protocol format and state machine, and the analyzed results are combined with the preliminary analysis results.
CN202010553659.5A 2020-06-17 2020-06-17 A Reverse Analysis Method of Industrial Control Protocol Based on Active Learning Pending CN111723181A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010553659.5A CN111723181A (en) 2020-06-17 2020-06-17 A Reverse Analysis Method of Industrial Control Protocol Based on Active Learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010553659.5A CN111723181A (en) 2020-06-17 2020-06-17 A Reverse Analysis Method of Industrial Control Protocol Based on Active Learning

Publications (1)

Publication Number Publication Date
CN111723181A true CN111723181A (en) 2020-09-29

Family

ID=72567209

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010553659.5A Pending CN111723181A (en) 2020-06-17 2020-06-17 A Reverse Analysis Method of Industrial Control Protocol Based on Active Learning

Country Status (1)

Country Link
CN (1) CN111723181A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422515A (en) * 2020-10-27 2021-02-26 锐捷网络股份有限公司 Protocol vulnerability testing method and device and storage medium
CN113132366A (en) * 2021-04-07 2021-07-16 深圳市奇虎智能科技有限公司 Method, system, storage medium and computer device for interactive protocol reversal
CN113535731A (en) * 2021-07-21 2021-10-22 北京威努特技术有限公司 Heuristic message state interactive self-learning method and device
CN115065623A (en) * 2022-08-15 2022-09-16 国家计算机网络与信息安全管理中心江苏分中心 Active and passive combined reverse analysis method for private industrial control protocol

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103297427A (en) * 2013-05-21 2013-09-11 中国科学院信息工程研究所 Unknown network protocol identification method and system
CN105847249A (en) * 2016-03-22 2016-08-10 英赛克科技(北京)有限公司 Safety protection system and method for Modbus network
CN106326119A (en) * 2016-08-19 2017-01-11 北京匡恩网络科技有限责任公司 Method and device for generating test case
CN109462590A (en) * 2018-11-15 2019-03-12 成都网域复兴科技有限公司 A kind of unknown protocol conversed analysis method based on fuzz testing
CN110213130A (en) * 2019-06-03 2019-09-06 南京莱克贝尔信息技术有限公司 A kind of industry control protocol format analysis method based on iteration optimization

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103297427A (en) * 2013-05-21 2013-09-11 中国科学院信息工程研究所 Unknown network protocol identification method and system
CN105847249A (en) * 2016-03-22 2016-08-10 英赛克科技(北京)有限公司 Safety protection system and method for Modbus network
CN106326119A (en) * 2016-08-19 2017-01-11 北京匡恩网络科技有限责任公司 Method and device for generating test case
CN109462590A (en) * 2018-11-15 2019-03-12 成都网域复兴科技有限公司 A kind of unknown protocol conversed analysis method based on fuzz testing
CN110213130A (en) * 2019-06-03 2019-09-06 南京莱克贝尔信息技术有限公司 A kind of industry control protocol format analysis method based on iteration optimization

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
张钊;温巧燕;唐文;: "协议规范挖掘研究综述", 计算机工程与应用, no. 09, pages 1 - 9 *
王珂: "基于等保2.0的工控系统网络安全防护技术方案研究", 《电子技术与软件工程》, no. 181, pages 255 - 256 *
费远鹏;陈剑云;马书研;: "基于Modbus协议的交流采样测量系统的实现", 微计算机信息, no. 23, pages 21 - 23 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422515A (en) * 2020-10-27 2021-02-26 锐捷网络股份有限公司 Protocol vulnerability testing method and device and storage medium
CN112422515B (en) * 2020-10-27 2023-03-21 锐捷网络股份有限公司 Protocol vulnerability testing method and device and storage medium
CN113132366A (en) * 2021-04-07 2021-07-16 深圳市奇虎智能科技有限公司 Method, system, storage medium and computer device for interactive protocol reversal
CN113535731A (en) * 2021-07-21 2021-10-22 北京威努特技术有限公司 Heuristic message state interactive self-learning method and device
CN113535731B (en) * 2021-07-21 2024-04-16 北京威努特技术有限公司 Heuristic-based message state interaction self-learning method and device
CN115065623A (en) * 2022-08-15 2022-09-16 国家计算机网络与信息安全管理中心江苏分中心 Active and passive combined reverse analysis method for private industrial control protocol

Similar Documents

Publication Publication Date Title
CN111723181A (en) A Reverse Analysis Method of Industrial Control Protocol Based on Active Learning
CN111277578B (en) Encrypted flow analysis feature extraction method, system, storage medium and security device
CN108600195B (en) Rapid industrial control protocol format reverse inference method based on incremental learning
CN112148772A (en) Alarm root cause identification method, device, equipment and storage medium
CN111371651A (en) Industrial communication protocol reverse analysis method
CN113452672B (en) Method for analyzing abnormal flow of terminal of Internet of things of electric power based on reverse protocol analysis
CN110188888A (en) Method, system and terminal for defect management of electrical equipment based on AHP and remote support
CN111723579A (en) Industrial control protocol field and semantic reverse inference method
CN110035087B (en) Method, device, equipment and storage medium for recovering account information from traffic
CN114153980A (en) Knowledge graph construction method and device, inspection method, storage medium
CN114528457A (en) Web fingerprint detection method and related equipment
CN117201646A (en) Deep analysis method for electric power Internet of things terminal message
CN113032341A (en) Log processing method based on visual configuration
CN110535972A (en) A kind of the coal gas detection equipment centralized management and communication system, equipment and readable storage medium storing program for executing of hardware and software platform
CN116909782A (en) Root cause analysis method, device, electronic equipment and readable storage medium
CN109284483B (en) Text processing method, device, storage medium and electronic equipment
CN117892176A (en) Artificial intelligence and network data processing method and medium
CN117792727A (en) Threat early warning model training and network threat early warning method, device and equipment
CN117407205A (en) Abnormality processing method, abnormality processing device, storage medium and electronic equipment
CN112905493B (en) A Structured Fuzz Testing Method Based on Transformation Testing
CN116048862A (en) Log abnormality detection method and system
CN112631900A (en) Interface inspection method and device, electronic equipment and storage medium
Gupta et al. Few-shot learning for structure extraction from heterogeneous log data
CN116910756B (en) Detection method for malicious PE (polyethylene) files
CN118509355B (en) A protocol analysis test method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20200929