CN111800379A - Industrial control private protocol detection method and device based on Lua

Publication number
CN111800379A
CN111800379A CN202010457125.2A CN202010457125A CN111800379A CN 111800379 A CN111800379 A CN 111800379A CN 202010457125 A CN202010457125 A CN 202010457125A CN 111800379 A CN111800379 A CN 111800379A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010457125.2A
Other languages
Chinese (zh)
Inventor
李思齐
谭曙光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huierte Technology Co ltd
Original Assignee
Beijing Huierte Technology Co ltd
Application filed by Beijing Huierte Technology Co ltd
Priority to CN202010457125.2A
Publication of CN111800379A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0263: Rule management
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/03: Protocol definition or specification
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers


Abstract

An embodiment of the invention discloses a Lua-based method and device for detecting industrial control private protocols. The method comprises: performing configuration and Lua programming visually using a UI component to define an industrial control private protocol, where the industrial control private protocol comprises a protocol format and extended detection logic; triggering a preset Lua virtual machine to start, and loading the protocol format and extended detection logic of the defined industrial control private protocol; and parsing and detecting the protocol based on a preset industrial control DPI engine and the Lua virtual machine. With this method, the steps from defining the industrial control private protocol to generating the filtering rules form one integrated process that needs little user intervention, which greatly saves the user's time and effort. The method is more intuitive and easier to use, the private protocol content does not need to be disclosed, and the decoding and detection logic of the industrial control DPI engine does not need to be re-coded.

Description

Industrial control private protocol detection method and device based on Lua
Technical Field
The embodiments of the invention relate to the technical field of industrial control network security, and in particular to a Lua-based industrial control private protocol detection method and device and a Lua-based industrial control private protocol customization method and device. An electronic device and a storage medium are also involved.
Background
In recent years, with the rapid development of industrial internet technology, industrialization and informatization have continued to converge, and more and more information technology is applied in the industrial field. Industrial automation is the trend of widely adopting automatic control and automatic adjustment devices in industrial production to replace manual operation of machines and machine systems. Meanwhile, because industrial control systems widely adopt general-purpose software, hardware and network facilities and are integrated with enterprise management information systems, they are becoming more and more open and exchange data with the intranet and the internet. Vulnerability detection for industrial control equipment has therefore emerged; the globally recognized authority for such detection is Achilles from Wurldtech. However, many industrial control protocols are currently proprietary protocols that are not open to the outside, so a user-defined function was introduced into the Achilles vulnerability detection products to support vulnerability detection of proprietary protocols. In existing industrial network security detection equipment, detection of industrial control private protocols mostly relies on self-learning or user definition to form behavior characteristic rules of the industrial control network (generally rules similar to Snort). A behavior characteristic rule generally comprises the source IP, destination IP, protocol name and detailed protocol data found in the network data. An industrial protocol behavior characteristic library for a specific scenario is then generated gradually, and the industrial DPI engine uses the behavior characteristic rules to inspect the industrial field network.
However, inspecting an industrial private protocol usually requires the DPI developer to know the details of the protocol. For the large number of industrial control private protocols that exist in industrial control scenarios, the industrial control DPI engine cannot effectively monitor the control details. Moreover, when the protocol definition is hard-coded, any change to the protocol format or inspection logic requires re-coding the DPI engine and upgrading the version of the industrial control DPI engine, which is very troublesome. Snort-like rules are limited in how much protocol logic they can express. With the self-learning or user-defined approaches currently adopted, a complete and comprehensive learning process is difficult to define, and users have great difficulty forming a baseline of industrial control security behavior rules or of detection rules.
Disclosure of Invention
Therefore, the embodiments of the invention provide a Lua-based industrial control private protocol detection method to solve the problems that the prior-art way of detecting industrial control private protocols is cumbersome and inefficient and cannot effectively meet the actual needs of current users.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the invention provides a Lua-based industrial control private protocol detection method, comprising: performing configuration and Lua programming visually using a UI component to define an industrial control private protocol, the industrial control private protocol comprising a protocol format and extended detection logic; triggering a preset Lua virtual machine to start, and loading the protocol format and extended detection logic of the defined industrial control private protocol; and parsing and detecting the protocol based on a preset industrial control DPI engine and the Lua virtual machine.
Further, performing configuration and Lua programming visually using the UI component to define the industrial control private protocol specifically comprises: generating basic logic unit components in advance; using the UI component to configure and define the industrial control protocol, forming a protocol format described in the Lua scripting language; programming in the Lua scripting language to implement the extended, complex detection logic for private protocol data; forming Snort rules of the industrial control protocol through configuration; and combining the Snort rules, the extended keywords and the protocol format described in the Lua scripting language to form the industrial control protocol security rules.
Further, parsing and detecting the protocol based on the preset industrial control DPI engine and the Lua virtual machine specifically comprises: the industrial control DPI engine communicating with the Lua virtual machine through a specific interface; the Lua virtual machine receiving a message content segment sent by the industrial control DPI engine; and the Lua virtual machine loading the protocol format and extended detection logic of the industrial control private protocol, performing parsing and detection to obtain a detection result, and sending the detection result to the industrial control DPI engine to complete protocol detection.
Further, using the UI component to configure and define the industrial control protocol specifically comprises: using a preset protocol editing tool to configure and define the basic logic unit components of the industrial control protocol, editing the protocol format, further programming the extended detection logic, and finally exporting the format described in the Lua scripting language and the extended detection script.
In a second aspect, an embodiment of the invention further provides a Lua-based industrial control private protocol detection device, comprising: an industrial control private protocol definition unit, used for performing configuration and Lua programming visually using a UI component to define an industrial control private protocol, the industrial control private protocol comprising a protocol format and extended detection logic; an industrial control private protocol loading unit, used for triggering a preset Lua virtual machine to start and loading the protocol format and extended detection logic of the defined industrial control private protocol; and a protocol detection unit, used for parsing and detecting the protocol based on a preset industrial control DPI engine and the Lua virtual machine.
Further, the industrial control private protocol definition unit is specifically used for: generating basic logic unit components in advance; using the UI component to configure and define the industrial control protocol, forming a protocol format described in the Lua scripting language; programming in the Lua scripting language to implement the extended, complex detection logic for private protocol data; forming Snort rules of the industrial control protocol through configuration; and combining the Snort rules, the extended keywords and the protocol format described in the Lua scripting language to form the industrial control protocol security rules.
Further, the protocol detection unit is specifically used for: the industrial control DPI engine communicating with the Lua virtual machine through a specific interface; the Lua virtual machine receiving a message content segment sent by the industrial control DPI engine; and the Lua virtual machine loading the protocol format and extended detection logic of the industrial control private protocol, performing parsing and detection to obtain a detection result, and sending the detection result to the industrial control DPI engine to complete protocol detection.
Further, using the UI component to configure and define the industrial control protocol specifically comprises: using a preset protocol editing tool to configure and define the basic logic unit components of the industrial control protocol, editing the protocol format, further programming the extended detection logic, and finally exporting the format described in the Lua scripting language and the extended detection script.
In a third aspect, an embodiment of the invention further provides a Lua-based industrial control private protocol customization method, comprising: generating basic logic unit components in advance; using the UI component to configure and define the industrial control protocol; forming Snort rules of the industrial control protocol through configuration; and combining the Snort rules, the extended Snort keywords and the Lua script to form the security rules of the industrial control private protocol.
Further, using the UI component to configure and define the industrial control protocol specifically comprises: using a preset protocol editing tool to configure and define the basic logic unit components of the industrial control protocol in an intuitive, drag-and-drop manner, editing the protocol format, optionally programming the extended detection logic further, and finally exporting the format described in the Lua scripting language and the extended detection script.
In a fourth aspect, an embodiment of the invention further provides a Lua-based industrial control private protocol customization device, comprising: a component generation unit, used for generating basic logic unit components in advance; a configuration definition unit, used for configuring and defining the industrial control protocol using the UI component; a rule forming unit, used for forming Snort rules of the industrial control protocol through configuration; and an industrial control private protocol security rule definition unit, used for combining the Snort rules, the extended Snort keywords and the Lua script to form the security rules of the industrial control private protocol.
Further, the configuration definition unit is specifically used for: using a preset protocol editing tool to configure and define the basic logic unit components of the industrial control protocol in an intuitive, drag-and-drop manner, editing the protocol format, optionally programming the extended detection logic further, and finally exporting the format described in the Lua scripting language and the extended detection script.
Correspondingly, an embodiment of the application further provides an electronic device, comprising a processor and a memory. The memory stores a program of the Lua-based industrial control private protocol detection or customization method; after the electronic device is powered on and the processor runs that program, the electronic device executes any one of the Lua-based industrial control private protocol detection or customization methods described above.
Correspondingly, the application further provides a computer-readable storage medium containing one or more program instructions, which are used by a server to execute any one of the Lua-based industrial control private protocol detection or customization methods described above.
With the Lua-based industrial control private protocol detection method, the steps from defining the industrial control private protocol to generating the filtering rules form one integrated process that needs little user intervention, which greatly saves the user's time and effort. The method is more intuitive and easier to use, the protocol content does not need to be disclosed, the industrial control DPI engine does not need to be re-coded, and the detection efficiency for network security data is effectively improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
Fig. 1 is a schematic flow chart of an industrial control proprietary protocol detection method based on Lua according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an industrial proprietary protocol detection apparatus based on Lua according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of an industrial control proprietary protocol customization method based on Lua according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an industrial proprietary protocol customization apparatus based on Lua according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention;
Fig. 6 is a complete flowchart of an industrial control proprietary protocol detection method based on Lua according to an embodiment of the present invention;
Fig. 7 is a complete flowchart of an industrial control proprietary protocol customization method based on Lua according to an embodiment of the present invention.
Detailed Description
The invention is described below through specific embodiments; other advantages and features of the invention will become apparent to those skilled in the art from this disclosure. The described embodiments are merely exemplary and are not intended to limit the invention to the particular embodiments disclosed. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the invention.
In a specific implementation, the application site generally consists of an industrial management network, an anomaly detection network and an industrial field network. The industrial management network consists of an engineer station, a Modbus client simulator and the like, and can directly access equipment on the industrial field network to generate data traffic and application layer protocol messages. The anomaly detection network consists of an anomaly detection system and a network branching unit, and can perform anomaly detection on the network data it obtains. The industrial field network comprises a PLC or Modbus server simulator, an FTP server and an HTTP server of the industrial field, and the like. The technical solution disclosed by the invention is mainly applied in the anomaly detection network: to the process of forming the behavior baseline rules or detection rules, and to the process in which the industrial DPI engine uses those detection rules or behavior baseline rules to inspect industrial control private protocol network traffic.
An embodiment of the Lua-based industrial control private protocol detection method according to the invention is described in detail below. Figs. 1 and 6 are, respectively, a flowchart and a complete flowchart of the Lua-based industrial control private protocol detection method provided by the embodiment of the invention. The specific implementation comprises the following steps:
Step S101: Perform configuration and Lua programming visually using a UI component to define an industrial control private protocol, where the industrial control private protocol comprises a protocol format and extended detection logic.
In the embodiment of the invention, configuration and programming are performed visually using the Lua scripting language to define the industrial control private protocol. The implementation may include: generating basic logic unit components in advance, using the Lua scripting language to configure and define the industrial control protocol, forming Snort rules of the industrial control protocol through configuration, and combining the Snort rules, the extended keywords and the protocol format described in the Lua scripting language to form the security rules of the industrial control protocol. Configuring and defining the industrial control protocol using the Lua scripting language specifically comprises: using a preset protocol editing tool to configure and define the basic logic unit components of the industrial control protocol and, after the protocol format has been edited, exporting the format described in the Lua scripting language.
The specific implementation is shown in Fig. 7. Template customization can be based on several typical industrial control protocols, such as the Modbus-TCP and Modbus-UDP formats. In the template customization process, the pre-generated basic logic unit components (including source MAC, destination MAC, and the like) can be dragged into place, and part of the bits can be displayed visually in a manner similar to Wireshark, so as to show the defined industrial control private protocol. Regarding the step of implementing complex parsing and matching logic with Lua programming: the Lua programming part requires an editor that supports Lua programming. This function can be used to customize complex parsing and detection logic, and logic implemented through Lua programming can achieve more comprehensive and finer-grained monitoring. In a specific implementation, the import and export of the whole Lua script can optionally be encrypted, so that the content of the private protocol is not leaked. Regarding the step of visually displaying the private protocol: the visualization part can present the protocol graphically in the way Wireshark presents a protocol, so the exported Lua script can be imported directly into Wireshark and Wireshark can be used to check whether the protocol format definition is correct. Regarding the step of customizing function codes: the custom function code part is an interactive process, and the definition of a function code comprises fields such as the function code name, attribute and value.
In addition, "configuration" here means configuring or setting up: the user can assemble the software functions they need in a simple, building-block fashion without writing a computer program. Specifically, the invention defines the industrial control private protocol mainly by using the Lua scripting language visually and through configuration. In a specific implementation, the industrial control private protocol can be configured with a preset protocol editing tool in an intuitive, drag-and-drop manner, and after the format of the industrial control private protocol has been edited, the format described by the Lua script can be exported. It should be noted that, besides defining the industrial control private protocol with the protocol editing tool as a Windows tool, the protocol can also be defined through the Web, which is not specifically limited here. The invention therefore also implements a JavaScript version of the protocol customization tool, and protocols and detection rules can also be customized on the detection and protection equipment, which is not described in detail here.
Step S102: Trigger a preset Lua virtual machine to start, and load the protocol format and extended detection logic of the defined industrial control private protocol.
After the industrial control private protocol has been defined in step S101, its defined content can be loaded through the Lua virtual machine in this step.
In the embodiment of the invention, as shown in Fig. 6, the Lua virtual machine loads the rules, inspects the data packet content (that is, the content customized for the industrial control private protocol) and matches it against the rules, and the DPI engine communicates with the virtual machine through a specific interface to obtain the detection result. Protocol customization and detection rule logic are changed by modifying the Lua script rather than by hard-coding the DPI engine again, so the DPI code does not need to be recompiled, and restarting the Lua virtual machine does not affect the continuous operation of the whole system or of production.
Step S103: Parse and detect the content of the undisclosed protocol format based on a preset industrial control DPI engine and the Lua virtual machine.
After the Lua virtual machine has loaded the industrial control private protocol content in step S102, protocol detection can be carried out in this step by the industrial control DPI engine and the Lua virtual machine.
In the embodiment of the invention, protocol detection based on the preset industrial control DPI engine and the Lua virtual machine may specifically include: the industrial control DPI engine communicates with the Lua virtual machine through a specific interface; the Lua virtual machine receives a message content segment sent by the industrial control DPI engine; and the Lua virtual machine loads the content of the industrial control private protocol, parses the segment and matches the rules to obtain a detection result, and sends the detection result to the industrial control DPI engine to complete protocol detection.
In a specific implementation, a complete industrial control private protocol can be defined graphically, yielding a complete industrial control private protocol structure, and a set of Lua scripts is generated for that protocol. The definition of the industrial control private protocol is completed through a graphical interface: the structure of the protocol is defined in the graphical interface, the Lua program scripts are generated automatically, a Wireshark plug-in is generated for verifying that the industrial control protocol definition is correct, and industrial control protocol behavior characteristic rules in Lua format can be generated through graphical interaction.
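The flow of steps S101 to S103, as an added example that is not code from the patent or from the applicant's product: a Lua script holding a protocol format and extended detection logic, with an `inspect()` entry point that a DPI engine could call for each message content segment. The protocol `demo_plc`, its frame layout, the policy values and every function name are assumptions made for illustration.

```lua
-- Added example. The protocol "demo_plc", its frame layout and the policy
-- values are constructed for illustration; they are not from the patent.
-- Frame: magic(2)=0xA55A | seq(2) | func(1) | addr(2) | len(1) | data(len)
-- All integers are big-endian; one frame per segment is assumed.

-- 1. Protocol format: the part a protocol editing tool would export.
local format = {
  name = "demo_plc",
  fields = {
    { name = "magic", size = 2, expect = 0xA55A },
    { name = "seq",   size = 2 },
    { name = "func",  size = 1 },
    { name = "addr",  size = 2 },
    { name = "len",   size = 1 },
  },
  -- Function code definitions: value -> name and attribute.
  func_codes = {
    [0x01] = { name = "read_reg",  attr = "read"    },
    [0x02] = { name = "write_reg", attr = "write"   },
    [0x7F] = { name = "stop_cpu",  attr = "control" },
  },
}

-- 2. Site policy used by the extended detection logic (hypothetical values).
local policy = {
  writable  = { first = 0x0100, last = 0x01FF },
  deny_attr = { control = true },
}

-- Read a big-endian unsigned integer at a 0-based offset; nil if truncated.
local function read_uint(buf, offset, size)
  if offset + size > #buf then return nil end
  local v = 0
  for i = 1, size do v = v * 256 + buf:byte(offset + i) end
  return v
end

-- Decode a segment according to `format`. Returns msg, or nil plus a reason.
local function parse(buf)
  local msg, offset = {}, 0
  for _, f in ipairs(format.fields) do
    local v = read_uint(buf, offset, f.size)
    -- A missing or wrong magic value means the segment is another protocol.
    if f.expect and v ~= f.expect then return nil, "mismatch" end
    if v == nil then return nil, "truncated" end
    msg[f.name] = v
    offset = offset + f.size
  end
  msg.data = buf:sub(offset + 1)
  return msg
end

-- 3. Extended detection logic: ordered checks, the first hit wins.
--    The unknown-code check runs before any check that looks up the code.
local checks = {
  { "length field does not match payload size",
    function(m) return m.len ~= #m.data end },
  { "unknown function code",
    function(m) return format.func_codes[m.func] == nil end },
  { "function class denied by policy",
    function(m) return policy.deny_attr[format.func_codes[m.func].attr] == true end },
  { "write outside permitted register range",
    function(m)
      return format.func_codes[m.func].attr == "write"
        and (m.addr < policy.writable.first or m.addr > policy.writable.last)
    end },
}

-- Entry point for the host engine: returns a verdict and a reason.
-- A C host could reach it with lua_getglobal and lua_pcall; the patent only
-- says "a specific interface", so this calling convention is an assumption.
function inspect(segment)
  local msg, err = parse(segment)
  if err == "mismatch" then return "skip", "not " .. format.name end
  if err == "truncated" then return "alert", "truncated header" end
  for _, c in ipairs(checks) do
    if c[2](msg) then return "alert", c[1] end
  end
  return "pass", format.func_codes[msg.func].name
end

-- Constructed sample segments, standing in for what the engine would send.
local function frame(seq, func, addr, data, len)
  data = data or ""
  return string.char(0xA5, 0x5A, math.floor(seq / 256), seq % 256, func,
                     math.floor(addr / 256), addr % 256, len or #data) .. data
end

local samples = {
  { "read register",      frame(1, 0x01, 0x0100) },
  { "write in range",     frame(2, 0x02, 0x0110, string.char(0x00, 0x2A)) },
  { "write out of range", frame(3, 0x02, 0x2000, string.char(0x00, 0x01)) },
  { "stop command",       frame(4, 0x7F, 0x0000) },
  { "undefined code",     frame(5, 0x55, 0x0000) },
  { "bad length field",   frame(6, 0x02, 0x0110, string.char(0x00, 0x01), 4) },
  { "cut-off header",     string.char(0xA5, 0x5A, 0x00) },
  { "other traffic",      "GET / HTTP/1.1\r\n" },
}
for _, s in ipairs(samples) do
  print(string.format("%-20s %s", s[1], table.concat({ inspect(s[2]) }, ": ")))
end
```

Because the format and policy are plain tables read at call time, changing a field size or the writable range only requires reloading the script in the Lua virtual machine, which is the property step S102 relies on.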
With the Lua-based industrial control private protocol detection method, the steps from defining the industrial control private protocol to generating the filtering rules form one integrated process that needs little user intervention, which greatly saves the user's time and effort. The method is more intuitive and easier to use, the protocol content does not need to be disclosed, the industrial control DPI engine does not need to be re-coded, and the detection granularity and efficiency for private data of industrial control protocols are effectively improved.
Corresponding to the Lua-based industrial control private protocol detection method, the invention also provides a Lua-based industrial control private protocol detection device. Because the device embodiment is similar to the method embodiment, it is described relatively briefly; for the relevant points, refer to the description of the method embodiment. The following description of the device embodiment is only illustrative. Fig. 2 is a schematic diagram of a Lua-based industrial control private protocol detection device according to an embodiment of the invention.
The Lua-based industrial control private protocol detection device comprises the following parts:
The industrial control private protocol definition unit 201 is used for performing configuration and Lua programming visually using the UI component to define an industrial control private protocol, where the industrial control private protocol comprises a protocol format and extended detection logic.
The industrial control private protocol loading unit 202 is used for triggering a preset Lua virtual machine to start and loading the protocol format and extended detection logic of the defined industrial control private protocol.
The protocol detection unit 203 is used for parsing and detecting the content of the undisclosed protocol format based on the preset industrial control DPI engine and the Lua virtual machine.
With the Lua-based industrial control private protocol detection device, the steps from defining the industrial control private protocol to generating the filtering rules form one integrated process that needs little user intervention, which greatly saves the user's time and effort. The device is more intuitive and easier to use, the protocol content does not need to be disclosed, the industrial control DPI engine does not need to be re-coded, and the detection granularity and efficiency for private data of industrial control protocols are effectively improved.
The following describes an embodiment of the Lua-based industrial control proprietary protocol customization method according to the present invention. Fig. 3 and Fig. 7 are, respectively, a flowchart and a complete flowchart of the Lua-based industrial control proprietary protocol customization method provided by the embodiment of the present invention. The implementation process includes the following steps:
Step S301: Generate basic logic unit components in advance.
Step S302: Use the Lua script language to perform configuration definition of the industrial control protocol.
After the basic logic unit components are generated in step S101, in this step the basic logic unit components in the industrial control protocol may be further configured and defined by using the Lua script language.
Step S303: Form the Snort rule of the industrial control protocol by means of configuration.
After the configuration definition of the industrial control protocol is performed in step S102, the Snort rule of the industrial control protocol can be formed in this step by means of configuration.
Step S304: Combine the Snort rule, the extended Snort keywords and the Lua script to form the industrial control protocol security rule.
After the filtering rule of the industrial control protocol is formed in step S103, the Snort rule, the extended Snort keyword and the Lua script may be combined in this step to form the industrial control protocol security rule.
In the embodiment of the present invention, configuration and programming are performed in a visual manner by using the Lua scripting language to define the industrial control private protocol. The implementation may include: generating basic logic unit components in advance; performing configuration definition of the industrial control protocol by using the Lua script language; implementing complex detection logic by Lua script programming; forming the Snort rule of the industrial control protocol by means of configuration; and combining the preset Snort rule, the extended Snort keywords and the Lua script to form the industrial control protocol security rule. The configuration definition of the industrial control protocol by using the Lua script language specifically comprises: using a preset protocol editing tool to perform configuration definition of the basic logic unit components in the industrial control protocol and, after the protocol format is edited, exporting the format described in the Lua script language.
A specific implementation is shown in Fig. 7. Template customization can be performed on the basis of several typical industrial control protocols, such as the formats of Modbus-TCP and Modbus-UDP. In the template customization process, the pre-generated basic logic unit components (including source MAC, destination MAC, and the like) can be dragged, and some display bits can be shown visually in a manner similar to Wireshark, so as to display the defined industrial control proprietary protocol. Regarding the step of implementing complex parsing and matching logic by Lua programming: the Lua programming part requires that the editor be capable of Lua programming; with this function, complex parsing and detection logic can be customized, and the logic implemented through Lua programming enables finer-grained monitoring. In the specific implementation process, the import and export of the whole Lua script are encrypted, so that the content of the private protocol cannot be leaked. Regarding the step of visually displaying the proprietary protocol: the visualization part can present the graphical representation in the manner of a Wireshark protocol, so that the exported Lua script can be imported directly into Wireshark, and Wireshark can be used to check whether the protocol format definition is correct. Regarding the step of customizing the function code: the custom function code part is an interactive process, and the definition of a function code includes fields such as function code name, attribute and value.
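As an added illustration (not code from the patent or from the applicant's product), the following Lua script shows what an exported protocol format with extended detection logic could look like for a private protocol built on the Modbus-TCP template. The field layout, the function codes 0x41 and 0x42, the writable address range, and the `detect` entry point with its verdict table are all assumptions, since the text does not specify the interface between the DPI engine and the Lua virtual machine.

```lua
-- Added example: a hypothetical private protocol defined on the Modbus-TCP template.
-- Field names, function codes, the policy range and detect() are assumptions.

-- Protocol format: ordered fields with 1-based byte offset and size in bytes.
local FORMAT = {
  { name = "transaction_id", offset = 1,  size = 2 },
  { name = "protocol_id",    offset = 3,  size = 2 },
  { name = "length",         offset = 5,  size = 2 },
  { name = "unit_id",        offset = 7,  size = 1 },
  { name = "function_code",  offset = 8,  size = 1 },
  { name = "address",        offset = 9,  size = 2 },
  { name = "value",          offset = 11, size = 2 },
}
local FRAME_SIZE = 12

-- Custom function codes, each with a name, an attribute and a value (the key).
local FUNCTION_CODES = {
  [0x41] = { name = "read_setpoint",  attribute = "read"  },
  [0x42] = { name = "write_setpoint", attribute = "write" },
}

-- Extended detection policy: only this address range may be written (constructed).
local WRITABLE = { first = 0x0100, last = 0x010F }

-- Read a big-endian unsigned integer of `size` bytes starting at `offset`.
local function read_uint(buf, offset, size)
  local n = 0
  for i = offset, offset + size - 1 do
    n = n * 256 + buf:byte(i)
  end
  return n
end

-- Parse one message content segment; returns a field table, or nil and a reason.
local function parse(segment)
  if type(segment) ~= "string" or #segment ~= FRAME_SIZE then
    return nil, "unexpected frame size"
  end
  local fields = {}
  for _, f in ipairs(FORMAT) do
    fields[f.name] = read_uint(segment, f.offset, f.size)
  end
  if fields.protocol_id ~= 0 then
    return nil, "unexpected protocol id"
  end
  -- The length field counts the bytes that follow it.
  if fields.length ~= FRAME_SIZE - 6 then
    return nil, "length field mismatch"
  end
  return fields
end

-- Hypothetical entry point the DPI engine would call with a payload segment.
local function detect(segment)
  local fields, err = parse(segment)
  if not fields then
    return { action = "alert", reason = err }
  end
  local fc = FUNCTION_CODES[fields.function_code]
  if not fc then
    return { action = "alert",
             reason = string.format("unknown function code 0x%02X", fields.function_code) }
  end
  if fc.attribute == "write"
     and (fields.address < WRITABLE.first or fields.address > WRITABLE.last) then
    return { action = "alert",
             reason = string.format("write outside permitted range: 0x%04X", fields.address) }
  end
  return { action = "pass", reason = fc.name }
end

-- Constructed sample segments (not captured traffic).
local function frame(fc, addr_hi, addr_lo, val)
  return string.char(0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, fc, addr_hi, addr_lo, 0x00, val)
end
local samples = {
  frame(0x41, 0x01, 0x00, 0x00),            -- read request
  frame(0x42, 0x01, 0x05, 0x32),            -- write inside the permitted range
  frame(0x42, 0x02, 0x00, 0x32),            -- write outside the permitted range
  frame(0x5A, 0x01, 0x00, 0x00),            -- function code not in the definition
  frame(0x41, 0x01, 0x00, 0x00):sub(1, 8),  -- truncated segment
}
for i, segment in ipairs(samples) do
  local verdict = detect(segment)
  print(i, verdict.action, verdict.reason)
end

return { parse = parse, detect = detect }
```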
In addition, "configuration" here means configuring, setting, and the like: the user can complete the required software functions in a simple manner, like "building blocks", without writing a computer program. Specifically, the invention mainly defines the industrial control private protocol by using the Lua script language in a visual manner and by means of configuration. In the specific implementation process, the industrial control private protocol can be configured with a preset protocol editing tool in an intuitive, drag-and-drop manner, and after the format of the industrial control private protocol is edited, the format described by the Lua script can be exported. It should be noted that, besides defining the industrial control private protocol with the protocol editing tool as a Windows tool, the protocol definition may also be performed through the Web, which is not specifically limited herein. Accordingly, the invention also implements a JavaScript version of the protocol customization tool, and the protocol and the detection rules can also be customized on the detection and protection equipment, which is not described in detail herein.
With the Lua-based industrial control private protocol customization method, an integrated process is formed from the definition of the industrial control private protocol to the generation of the filtering rule. The user needs to intervene little, which greatly saves the user's energy and time; the method is more intuitive and easier to use; and the protocol content does not need to be disclosed.
Corresponding to the Lua-based industrial control private protocol customizing method, the invention also provides a Lua-based industrial control private protocol customizing device. Since the embodiment of the apparatus is similar to the above method embodiment, the description is simple, and for the relevant points, reference may be made to the description of the above method embodiment, and the following description of an embodiment of the apparatus for customizing an industrial control proprietary protocol based on Lua is only illustrative. Fig. 4 is a schematic diagram of an industrial proprietary protocol customization apparatus based on Lua according to an embodiment of the present invention.
The invention relates to an industrial control private protocol customization device based on Lua, which comprises the following parts:
A component generating unit 401, configured to generate basic logic unit components in advance.
A configuration definition unit 402, configured to perform configuration definition of the industrial control protocol by using the Lua script language.
A rule forming unit 403, configured to form a filtering rule of the industrial control protocol.
An industrial control private protocol definition unit 404, configured to combine the Snort rule, the extended Snort keyword and the Lua script to form an industrial control protocol security rule.
With the Lua-based industrial control private protocol customization device, an integrated process is formed from the definition of the industrial control private protocol to the generation of the filtering rule. The user needs to intervene little, which greatly saves the user's energy and time; the device is more intuitive and easier to use; and the protocol content does not need to be disclosed.
Corresponding to the Lua-based industrial control proprietary protocol detection and customization method, the invention also provides electronic equipment. Since the embodiment of the electronic device is similar to the above method embodiment, the description is relatively simple, and please refer to the description of the above method embodiment, and the electronic device described below is only schematic. Fig. 3 is a schematic view of an electronic device according to an embodiment of the present invention.
The electronic device specifically includes a processor 301 and a memory 302. The memory 302 is configured to hold one or more program instructions and to store a program of the Lua-based industrial control private protocol detection and customization method; after the server is powered on and runs that program through the processor 301, the Lua-based industrial control private protocol detection and customization method is executed. The electronic device of the present invention may be a server.
Corresponding to the Lua-based industrial control proprietary protocol detection and customization method, the invention also provides a computer storage medium. Since the embodiment of the computer storage medium is similar to the above method embodiment, the description is simple, and please refer to the description of the above method embodiment, and the computer storage medium described below is only schematic.
The computer storage medium contains one or more program instructions for executing the Lua-based Industrial control proprietary protocol detection and customization method by a server.
In an embodiment of the invention, the processor or processor module may be an integrated circuit chip having signal processing capabilities. The processor may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The processor may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be implemented directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The processor reads the information in the storage medium and completes the steps of the method in combination with its hardware.
The storage medium may be a memory, for example, which may be volatile memory or nonvolatile memory, or which may include both volatile and nonvolatile memory.
The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory.
The volatile memory may be a Random Access Memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
The storage media described in connection with the embodiments of the invention are intended to comprise, without being limited to, these and any other suitable types of memory. Those skilled in the art will appreciate that, in one or more of the examples described above, the functionality described in the present invention may be implemented in a combination of hardware and software. When software is used, the corresponding functionality may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The above embodiments further describe in detail the objects, technical solutions and advantages of the present invention. It should be understood that the above embodiments are only exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.

Claims (10)

1. A Lua-based industrial control private protocol detection method is characterized by comprising the following steps:
carrying out configuration and Lua programming in a visual mode by utilizing a UI component, and defining an industrial control private protocol; the industrial control proprietary protocol comprises a protocol format and an expanded detection logic;
triggering a preset Lua virtual machine to start, and loading a protocol format and an expanded detection logic included in the defined industrial control private protocol;
and realizing the analysis and detection of the protocol based on a preset industrial control DPI engine and the Lua virtual machine.
2. The Lua-based industrial control proprietary protocol detection method according to claim 1, wherein the configuring and Lua programming are performed in a visual manner by using a UI component, and the defining of the industrial control proprietary protocol specifically includes:
generating basic logic unit components in advance;
utilizing the UI component to carry out configuration definition of the industrial control protocol to form a protocol format described by the Lua script language;
utilizing Lua script language programming to realize the extended private protocol data complex detection logic;
forming Snort rules of an industrial control protocol by using a configuration mode;
and combining the Snort rule, the expanded keywords and the protocol format described by the Lua script language to form the industrial control protocol safety rule.
3. The Lua-based industrial control proprietary protocol detection method according to claim 1, wherein implementing the parsing and detection of the protocol based on the preset industrial control DPI engine and the Lua virtual machine specifically comprises: communicating with the Lua virtual machine through a specific interface by using the industrial control DPI engine; receiving, through the Lua virtual machine, a message content segment sent by the industrial control DPI engine; and loading, through the Lua virtual machine, the protocol format and the extended detection logic included in the industrial control private protocol to perform parsing and detection and obtain a detection result, and sending the detection result to the industrial control DPI engine to implement protocol detection.
4. The Lua-based industrial control proprietary protocol detection method according to claim 2, wherein the configuration definition of the industrial control protocol by using the UI component specifically comprises: and by using a preset protocol editing tool, carrying out configuration definition on a basic logic unit component in the industrial control protocol, editing the protocol format, further programming and expanding the detection logic, and finally exporting the format described by the Lua script language and the expanded detection script.
5. An industrial control proprietary protocol detection device based on Lua is characterized by comprising:
the industrial control private protocol definition unit is used for carrying out configuration and Lua programming in a visual mode by utilizing a UI component and defining an industrial control private protocol, wherein the industrial control private protocol comprises a protocol format and extended detection logic;
the industrial control private protocol loading unit is used for triggering a preset Lua virtual machine to start and loading a defined protocol format and an extended detection logic included in the industrial control private protocol;
and the protocol detection unit is used for realizing the analysis and detection of the protocol based on a preset industrial control DPI engine and the Lua virtual machine.
6. A Lua-based industrial control proprietary protocol customization method is characterized by comprising the following steps:
generating basic logic unit components in advance;
utilizing the UI component to carry out configuration definition of the industrial control protocol;
forming Snort rules of an industrial control protocol by using a configuration mode;
and combining the Snort rule, the extended Snort key words and the Lua script to form the safety rule of the industrial control private protocol.
7. The Lua-based industrial control proprietary protocol customization method according to claim 6, wherein the configuration definition of the industrial control protocol by using the UI component specifically comprises: and a preset protocol editing tool is utilized to carry out configuration definition on the basic logic unit component in the industrial control protocol in an intuitive and draggable mode, the protocol format is edited, the detection logic can be further programmed and expanded, and finally the format described by the Lua script language and the expanded detection script are exported.
8. An industrial control proprietary protocol customization device based on Lua, comprising:
the component generation unit is used for generating basic logic unit components in advance;
the configuration definition unit is used for carrying out configuration definition on the industrial control protocol by utilizing the UI component;
the rule forming unit is used for forming Snort rules of the industrial control protocol by using a configuration mode;
and the industrial control private protocol safety rule definition unit is used for combining the Snort rule, the expanded Snort keyword and the Lua script to form the safety rule of the industrial control private protocol.
9. An electronic device, comprising:
a processor; and
a memory for storing a Lua-based industrial control proprietary protocol detection or customization method program, wherein the electronic device executes the Lua-based industrial control proprietary protocol detection or customization method program according to any one of claims 1 to 4 or 6 when the electronic device is powered on and the Lua-based industrial control proprietary protocol detection or customization method program is executed by the processor.
10. A computer readable storage medium containing one or more program instructions for execution by a server of the Lua-based industrial proprietary protocol detection or customization method according to any one of claims 1-4 or 6.
CN202010457125.2A 2020-05-26 2020-05-26 Industrial control private protocol detection method and device based on Lua Pending CN111800379A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010457125.2A CN111800379A (en) 2020-05-26 2020-05-26 Industrial control private protocol detection method and device based on Lua

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010457125.2A CN111800379A (en) 2020-05-26 2020-05-26 Industrial control private protocol detection method and device based on Lua

Publications (1)

Publication Number Publication Date
CN111800379A true CN111800379A (en) 2020-10-20

Family

ID=72805988

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010457125.2A Pending CN111800379A (en) 2020-05-26 2020-05-26 Industrial control private protocol detection method and device based on Lua

Country Status (1)

Country Link
CN (1) CN111800379A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112256276A (en) * 2020-10-30 2021-01-22 上海锘科智能科技有限公司 Method, device and storage medium for defining edge device behavior
CN113507449A (en) * 2021-06-17 2021-10-15 北京惠而特科技有限公司 Deep identification method and device for GE private protocol

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090288104A1 (en) * 2008-05-19 2009-11-19 Rohati Systems, Inc. Extensibility framework of a network element
CN103825811A (en) * 2013-10-11 2014-05-28 江苏飞尚安全监测咨询有限公司 Implementation scheme for accessing sensor protocol self-identification IOT (internet of things) gateway
CN104298534A (en) * 2014-10-23 2015-01-21 广州华多网络科技有限公司 Programming method and device based on Lua language
CN104579795A (en) * 2015-01-28 2015-04-29 武汉虹信技术服务有限责任公司 Protocol feature library maintaining and using method for network data flow recognition
CN109951500A (en) * 2019-04-29 2019-06-28 宜人恒业科技发展(北京)有限公司 Network attack detecting method and device

Similar Documents

Publication Publication Date Title
US11947943B2 (en) Industrial automation smart object inheritance
CN111800379A (en) Industrial control private protocol detection method and device based on Lua
CN112988599B (en) Page debugging method and device, electronic equipment and storage medium
CN107330028A (en) Expansion application methods and system of a kind of Apache NiFi in terms of source data input database
CN112631908A (en) Browser page testing method and device, computer equipment and storage medium
CN114138244A (en) Method and device for automatically generating model files, storage medium and electronic equipment
EP4137937A1 (en) Industrial automation project library cross sharing
CN111913889A (en) Test system building method and test system
CN110795353A (en) Debugging method, device and equipment for fast application and storage medium
WO2020158460A1 (en) Debugging assistance system and debugging assistance method
Awad et al. Towards generic memory forensic framework for programmable logic controllers
KR20140116438A (en) Graphical representation of an order of operations
CN114116443A (en) Page data transmission method, device, system and medium
CN113778405A (en) Cross-platform APP construction method, device, system and medium
CN116880825A (en) Code generation method, device, electronic equipment and storage medium
US20230152790A1 (en) System model smart object configuration
CN115470152B (en) Test code generation method, test code generation device, and storage medium
CN116521538A (en) Automatic testing method and device for command line interface, electronic equipment and storage medium
CN116107557A (en) Page visual development method and device, storage medium and electronic equipment
CN115562971A (en) Continuous integration method, device, equipment and storage medium for e2e test
CN114297088A (en) Method, device, equipment and medium for testing front end vue frame assembly
US20220292457A1 (en) Industrial automation smart object inheritance break and singleton creation
CN111143227B (en) Data operation method, device, terminal and storage medium
CN112328476A (en) Local page debugging method, system, electronic device and storage medium
van Eijk Hardware-in-the-loop simulation using a digital twin

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201020
