CN111901288A - Network security protection method aiming at BACnet - Google Patents


Info

Publication number: CN111901288A
Authority: CN (China)
Prior art keywords: bacnet, information, message, application layer, network
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201911364321.9A
Other languages: Chinese (zh)
Inventor: 沈志淳
Current assignee: Changyang Tech Beijing Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Changyang Tech Beijing Co ltd
Priority date: 2019-12-26 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2019-12-26
Publication date: 2020-11-06

Classifications

    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 ... for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)
    • H04L 69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols (H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
    • H04L 69/22 Parsing or analysis of headers (H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a network security protection method for BACnet, comprising: step a, distinguishing BACnet messages, specifically BACnet messages carried by the 802.3 protocol from BACnet messages carried by the UDP protocol; step b, parsing the BACnet network layer message to obtain network layer information; step c, parsing the BACnet application layer message to obtain application layer information; step d, completing the network layer information of the BACnet message; and step e, processing the BACnet message according to the application layer information. This overcomes the defects of the existing protection technology, which combines packet filtering with content detection points.

Description

Network security protection method aiming at BACnet
Technical Field
The invention relates to the technical field of BACnet network security, and in particular to a BACnet-oriented network security protection method.
Background
The BACnet protocol was designed for heating, ventilation, air conditioning and refrigeration control equipment, and provides a basic framework for integrating other building control systems (such as lighting, security and fire protection). As intelligent buildings and their internal facilities continue to develop, the control systems interconnected by BACnet networks grow ever larger, and the security requirements of these large BACnet networks are becoming more and more important. However, the interconnection of BACnet networks with IP networks confronts BACnet security protection with a completely new challenge, especially as network attack and intrusion techniques continue to develop, placing higher requirements on the security of BACnet networks.
The existing protection technology combines packet filtering with content detection points and has the following defects:
1. Traditional packet filtering cannot be applied to a BACnet network carried by 802.3, because the BACnet protocol family and the TCP/IP protocol family are parallel rather than layered on one another. For BACnet carried by UDP (User Datagram Protocol: a connectionless transport layer protocol in the OSI open systems interconnection reference model that provides a simple, transaction-oriented, unreliable message transfer service; IETF RFC 768 is its formal specification), only limited information is available at the BVLC (BACnet Virtual Link Control) layer, so effective defense cannot be performed.
2. Because a message sent by a BACnet device carries no source address, a received message carries no destination address, and the address information is therefore incomplete when the protection is deployed at a network boundary, packet filtering of BACnet protocol messages cannot obtain enough address information.
3. Because the BACnet message header length is not fixed, whether sufficient network address information is present cannot be determined in advance.
Disclosure of Invention
(I) Objects of the invention
The invention aims to overcome the defects existing in the prior art of utilizing a packet filtering technology in combination with content detection points, and provides a network security protection method aiming at BACnet.
(II) technical scheme
In order to solve the above problems, the present invention provides a network security protection method for BACnet, comprising the following steps:
step a, distinguishing BACnet messages, specifically BACnet messages carried by the 802.3 protocol from BACnet messages carried by the UDP protocol;
step b, parsing the BACnet network layer message to obtain network layer information;
step c, parsing the BACnet application layer message to obtain application layer information;
step d, completing the network layer information of the BACnet message;
and step e, processing the BACnet message according to the application layer information.
Further, the BACnet message carried by the 802.3 protocol and the BACnet message carried by the UDP protocol are distinguished by the identifier of the BACnet message header.
Further, the network layer information in step b includes source address information and destination address information.
Further, parsing the BACnet network layer message in step b to obtain the network layer information specifically includes:
step b1, acquiring the Version field and Control field of the BACnet message;
step b2, judging, from the acquired Version field and Control field, whether the BACnet network layer message has destination address information; if yes, executing step b3, otherwise executing step b6;
step b3, parsing the destination network number and the destination MAC address length; if the destination MAC address length is larger than 0, executing step b4, otherwise executing step b6;
step b4, parsing the destination MAC address;
step b6, judging whether source address information exists; if so, executing step b7;
step b7, parsing the source address information;
and step b35, calling the processing interface of the BACnet application layer.
Further, in step c, the application layer information includes Apdu type information, service type information, ObjectId information, and PropertyId information.
Further, parsing the BACnet application layer message specifically includes:
step c1, parsing the BACnet application layer message header to obtain the application layer Apdu type information and service type information;
step c2, judging whether the message is fragmented; if yes, executing step c3, otherwise executing step c4;
step c3, reassembling the BACnet application layer message fragments and then executing step c4;
and step c4, parsing the BACnet application layer message to obtain the ObjectId information and PropertyId information.
Further, the BACnet application layer message fragments are recombined by utilizing Hash.
Further, in step e, the processing of the BACnet message according to the application layer information is specifically processing of the BACnet message according to the acquired ObjectId information and PropertyId information.
Further, step d is specifically to automatically complement the missing Bacnet network layer information through the configuration of the topology.
(III) advantageous effects
The network security protection method for BACnet of the invention comprises: step a, distinguishing BACnet messages, specifically BACnet messages carried by the 802.3 protocol from BACnet messages carried by the UDP protocol; step b, parsing the BACnet network layer message to obtain network layer information; step c, parsing the BACnet application layer message to obtain application layer information; step d, completing the network layer information of the BACnet message; and step e, processing the BACnet message according to the application layer information. It therefore overcomes the defects of the existing protection technology that combines packet filtering with content detection points: that technology is not suitable for BACnet networks carried by 802.3, and for BACnet carried by UDP only limited information is available at the BVLC (BACnet Virtual Link Control) layer, so effective defense cannot be performed; because a message sent by a BACnet device carries no source address, a received message carries no destination address, and the address information is incomplete when the protection is deployed at the boundary, packet filtering of BACnet protocol messages cannot obtain enough address information; and because the BACnet message header length is not fixed, whether the network address information is sufficient cannot be determined in advance.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
Fig. 1 is a flowchart of parsing a BACnet network layer packet according to an embodiment of the present invention;
Fig. 2 is a flowchart of parsing a BACnet application layer packet according to an embodiment of the present invention;
Fig. 3 is a format diagram of the header of an 802.3 message according to an embodiment of the present invention;
Fig. 4 is a format diagram of the header of an Ethernet packet according to an embodiment of the present invention;
Fig. 5 is a format diagram of the BACnet network layer header according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings in conjunction with the following detailed description. It should be understood that the description is intended to be exemplary only, and is not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
802.3 is a network protocol standard. It describes the implementation of the physical layer and of the MAC sublayer of the data link layer, uses the CSMA/CD access method over multiple physical media at multiple speeds, and has been extended by the fast Ethernet implementation described in the standard.
With reference to the attached drawings, a network security protection method for BACnet comprises the following steps:
step a, distinguishing BACnet messages, specifically BACnet messages carried by the 802.3 protocol from BACnet messages carried by the UDP protocol;
step b, parsing the BACnet network layer message to obtain network layer information;
step c, parsing the BACnet application layer message to obtain application layer information;
step d, completing the network layer information of the BACnet message;
and step e, processing the BACnet message according to the application layer information.
The BACnet message carried by the 802.3 protocol and the BACnet message carried by the UDP protocol are distinguished by the identifier in the BACnet message header.
The invention recognizes a BACnet message carried by 802.3 through the BACnet-specific identifier in the 802.3 message header. If the Ethernet length/type field is greater than 0x5DC (1500), the frame is an Ethernet packet; otherwise it is an 802.3 packet. The 802.3 header and Ethernet header formats are shown in fig. 3 and fig. 4, respectively. An 802.3 message carries BACnet when its LLC DSAP, SSAP and Control fields are 0x82, 0x82 and 0x03. For a BACnet message carried by UDP, when the first two bytes of the UDP data field are one of 8101, 8102, 8103, 8104, 8105, 8106, 8107, 8108, 8109, 810a or 810b (hexadecimal), the data may be BACnet data carried by UDP; the data is then parsed in depth to confirm this. The beginning of the BACnet network layer has the same format whether the BACnet data is carried by 802.3 or by UDP. The network layer information in step b comprises source address information and destination address information.
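The frame classification of step a, written out as an added example that is not the patent's own code. It applies the checks listed above: the length/type field against 0x5DC, the LLC DSAP/SSAP/Control triple 0x82/0x82/0x03 for 802.3, and the BVLC type byte 0x81 plus a function code in 0x01..0x0b for UDP, followed by the "deep parsing" sanity check that the BVLC length actually matches the UDP payload. The sample frames are constructed inline, not captured; the assumption that only BVLC functions 0x04, 0x0A and 0x0B carry an NPDU, and the use of untagged IPv4 frames, are this example's choices, not statements of the patent.

```python
# Added example (not the patent's code): step a, telling BACnet carried by 802.3/LLC
# from BACnet carried by UDP (BACnet/IP), using the header identifiers the description lists.
# Assumptions: untagged Ethernet frames, IPv4, and that only BVLC functions 0x04 (Forwarded-NPDU),
# 0x0A (Original-Unicast-NPDU) and 0x0B (Original-Broadcast-NPDU) carry an NPDU.
import struct

BACNET_LLC_HEADER = bytes([0x82, 0x82, 0x03])   # DSAP, SSAP, Control of a BACnet 802.3 frame
BVLC_TYPE = 0x81                                 # first byte of every BACnet/IP (BVLC) header
BVLC_FUNCTIONS = set(range(0x01, 0x0C))          # 0x01..0x0b, the codes listed in the description
NPDU_OFFSET_IN_BVLC = {0x0A: 4, 0x0B: 4, 0x04: 10}   # Forwarded-NPDU adds a 6-byte origin address
IP_PROTO_UDP = 17


def classify_frame(frame: bytes):
    """Return (carrier, npdu_offset): carrier is '802.3', 'udp' or None (not BACnet);
    npdu_offset is the index of the first NPDU byte inside `frame`, or None when the
    message carries no NPDU (a pure BVLC control message, or not BACnet at all)."""
    if len(frame) < 14:
        return None, None
    length_or_type = struct.unpack('!H', frame[12:14])[0]
    if length_or_type <= 0x05DC:
        # IEEE 802.3 frame: the field is a length and an LLC header follows it
        if frame[14:17] == BACNET_LLC_HEADER:
            return '802.3', 17
        return None, None
    if length_or_type != 0x0800:                  # Ethernet II, but not IPv4
        return None, None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl + 8 or frame[23] != IP_PROTO_UDP:
        return None, None
    udp_payload_off = 14 + ihl + 8
    payload = frame[udp_payload_off:]
    if len(payload) < 4 or payload[0] != BVLC_TYPE or payload[1] not in BVLC_FUNCTIONS:
        return None, None
    # "Deep parsing to confirm": the BVLC length field must cover exactly the UDP payload
    bvlc_len = struct.unpack('!H', payload[2:4])[0]
    if bvlc_len != len(payload):
        return None, None
    npdu_off = NPDU_OFFSET_IN_BVLC.get(payload[1])
    return 'udp', (udp_payload_off + npdu_off if npdu_off is not None else None)


# --- constructed sample frames (not captured traffic) ---
MAC_A = bytes.fromhex('001122334455')
MAC_B = bytes.fromhex('66778899aabb')
NPDU = bytes.fromhex('0104')                     # NPDU version 1, control 0x04, no addresses

FRAME_8023 = (MAC_B + MAC_A + struct.pack('!H', len(BACNET_LLC_HEADER) + len(NPDU))
              + BACNET_LLC_HEADER + NPDU)


def ipv4_udp_frame(udp_payload: bytes, sport=0xBAC0, dport=0xBAC0) -> bytes:
    """Wrap a UDP payload in minimal Ethernet II + IPv4 + UDP headers (checksums left zero)."""
    udp = struct.pack('!HHHH', sport, dport, 8 + len(udp_payload), 0) + udp_payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, IP_PROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return MAC_B + MAC_A + b'\x08\x00' + ip + udp


BVLC_UNICAST = b'\x81\x0a' + struct.pack('!H', 4 + len(NPDU)) + NPDU
FRAME_UDP = ipv4_udp_frame(BVLC_UNICAST)
FRAME_UDP_BAD_LEN = ipv4_udp_frame(b'\x81\x0a\x00\x99' + NPDU)   # BVLC length does not match payload
FRAME_ARP = MAC_B + MAC_A + b'\x08\x06' + b'\x00' * 28           # Ethernet II, not IPv4/BACnet

if __name__ == '__main__':
    for name, f in [('802.3', FRAME_8023), ('udp', FRAME_UDP),
                    ('bad bvlc len', FRAME_UDP_BAD_LEN), ('arp', FRAME_ARP)]:
        print(name, classify_frame(f))
```

The returned offset is what step b consumes: the network layer header starts at the same place relative to that offset for both carriers, which is why a single NPDU parser can follow. Note that BVLC-Result (0x00) is also defined for BACnet/IP but is outside the list the description gives, so this classifier treats it as non-BACnet.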
With reference to fig. 1, parsing the BACnet network layer message in step b to obtain the network layer information specifically includes:
step b1, acquiring the Version field and Control field of the BACnet message;
step b2, judging, from the acquired Version field and Control field, whether the BACnet network layer message has destination address information; if yes, executing step b3, otherwise executing step b6;
step b3, parsing the destination network number and the destination MAC address length; if the destination MAC address length is larger than 0, executing step b4, otherwise executing step b6;
step b4, parsing the destination MAC address;
step b6, judging whether source address information exists; if so, executing step b7;
step b7, parsing the source address information;
and step b35, calling the processing interface of the BACnet application layer.
The BACnet network layer header format is shown in fig. 5: the Version and Control fields are fixed and the remaining fields are variable. The Control field indicates which of the other fields are present; from it, the presence of DNET, DLEN, DADR, SNET, SLEN and SADR can be known:
Control bit 5 = 0: DNET, DLEN, DADR and HopCount are absent;
Control bit 5 = 1: DNET, DLEN and HopCount are present; if DLEN equals 0 the destination is a broadcast address, otherwise DADR is also present;
Control bit 3 = 0: SNET, SLEN and SADR are absent;
Control bit 3 = 1: SNET, SLEN and SADR are present (unlike DLEN, SLEN is never 0, because a source address is always carried with its network number).
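Steps b and d as an added example, not the patent's code. `parse_npdu` walks the variable network layer header exactly as the Control bits above dictate (bit 5 for DNET/DLEN/DADR and HopCount, bit 3 for SNET/SLEN/SADR, DLEN = 0 meaning broadcast, SLEN = 0 rejected), and returns where the application layer begins; `complete_addresses` fills missing source or destination information from a topology table keyed by link-layer MAC. The topology table format is an illustrative representation chosen for this example and the sample NPDUs are constructed, not captured.

```python
# Added example (not the patent's code): step b, parsing the BACnet NPDU by its Control bits,
# and step d, completing missing network layer addresses from a configured topology.
# Assumption: topology is a dict {link-layer MAC: (network number, BACnet address bytes)};
# the patent does not specify how its topology configuration is represented.
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class NpduInfo:
    version: int
    control: int
    is_network_message: bool      # Control bit 7: a network layer message rather than an APDU
    dnet: Optional[int] = None
    dlen: Optional[int] = None
    dadr: Optional[bytes] = None
    hop_count: Optional[int] = None
    snet: Optional[int] = None
    slen: Optional[int] = None
    sadr: Optional[bytes] = None
    apdu_offset: int = 0          # where the application layer (step c) begins


def parse_npdu(data: bytes) -> NpduInfo:
    """Step b: Version and Control are fixed; every other field is present or absent per Control."""
    def need(pos, n):
        if pos + n > len(data):
            raise ValueError(f"NPDU truncated at offset {pos}, need {n} more bytes")

    need(0, 2)
    version, control = data[0], data[1]
    if version != 1:
        raise ValueError(f"unsupported NPDU version {version}")
    info = NpduInfo(version, control, bool(control & 0x80))
    pos = 2
    if control & 0x20:                       # bit 5 = 1: DNET, DLEN, (DADR) and HopCount exist
        need(pos, 3)
        info.dnet, info.dlen = struct.unpack('!HB', data[pos:pos + 3])
        pos += 3
        if info.dlen > 0:                    # DLEN = 0 means broadcast on DNET: no DADR
            need(pos, info.dlen)
            info.dadr = data[pos:pos + info.dlen]
            pos += info.dlen
    if control & 0x08:                       # bit 3 = 1: SNET, SLEN, SADR exist
        need(pos, 3)
        info.snet, info.slen = struct.unpack('!HB', data[pos:pos + 3])
        pos += 3
        if info.slen == 0:
            raise ValueError("SLEN of 0 is not a valid source address length")
        need(pos, info.slen)
        info.sadr = data[pos:pos + info.slen]
        pos += info.slen
    if control & 0x20:                       # HopCount follows the source fields
        need(pos, 1)
        info.hop_count = data[pos]
        pos += 1
    info.apdu_offset = pos
    return info


def is_valid_npdu(data: bytes) -> bool:
    """Convenience check for a filter: True when the header parses cleanly."""
    try:
        parse_npdu(data)
        return True
    except ValueError:
        return False


def complete_addresses(info: NpduInfo, link_src: bytes, link_dst: bytes, topology: dict) -> NpduInfo:
    """Step d: when the NPDU carries no SNET/SADR or DNET/DADR (the usual case on a local
    segment), fill them in from the link-layer addresses and the configured topology."""
    if info.snet is None and link_src in topology:
        info.snet, info.sadr = topology[link_src]
        info.slen = len(info.sadr)
    if info.dnet is None and link_dst in topology:
        info.dnet, info.dadr = topology[link_dst]
        info.dlen = len(info.dadr)
    return info


# --- constructed samples (not captured traffic) ---
APDU_SAMPLE = bytes.fromhex('0004010c' '0c00000001' '1955')   # a ReadProperty request, opaque here
# control 0x2C = bit 5 (destination present) | bit 3 (source present) | bit 2 (reply expected)
NPDU_ROUTED = bytes.fromhex('012c' '0001' '06' 'aabbccddeeff' '0002' '01' '05' 'ff') + APDU_SAMPLE
NPDU_BROADCAST = bytes.fromhex('0120' 'ffff' '00' 'ff') + APDU_SAMPLE   # DLEN = 0: global broadcast
NPDU_LOCAL = bytes.fromhex('0104') + APDU_SAMPLE                        # no addresses at all
NPDU_BAD_SLEN = bytes.fromhex('0108' '0002' '00')                       # SLEN = 0 is invalid

MAC_A = bytes.fromhex('001122334455')
MAC_B = bytes.fromhex('66778899aabb')
TOPOLOGY = {MAC_A: (10, MAC_A), MAC_B: (10, MAC_B)}   # constructed: both hosts on BACnet network 10

if __name__ == '__main__':
    print(parse_npdu(NPDU_ROUTED))
    print(complete_addresses(parse_npdu(NPDU_LOCAL), MAC_A, MAC_B, TOPOLOGY))
```

The parser deliberately refuses a zero SLEN and any truncated header rather than guessing, which is the behaviour a filter needs: a message whose addresses cannot be established should not be allowed to fall through to the application layer rules as if it had none.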
In step c, the application layer information includes Apdu type information, service type information, ObjectId information, and PropertyId information.
As shown in fig. 2, parsing the BACnet application layer message specifically includes:
step c1, parsing the BACnet application layer message header to obtain the application layer Apdu type information and service type information;
step c2, judging whether the message is fragmented; if yes, executing step c3, otherwise executing step c4;
step c3, reassembling the BACnet application layer message fragments and then executing step c4;
and step c4, parsing the BACnet application layer message to obtain the ObjectId information and PropertyId information.
The BACnet application layer message fragments are reassembled using a hash.
In step e, the BACnet message is processed according to the application layer information, specifically, the BACnet message is processed according to the acquired ObjectId information and PropertyId information.
Step d is specifically to automatically complete the missing BACnet network layer information through topology configuration. The application layer messages are grouped by a hash, so that different BACnet sessions can be distinguished. The hashkey data structure is given in the figures (figure images BDA0002337996140000071 and BDA0002337996140000081, not reproduced in this text).
After fragmentation and reassembly (where necessary), information such as ObjectId and PropertyId is extracted from the BACnet message, and the processing action for the message (pass, block or alarm) is determined. The corresponding action is applied according to pre-deployed rules (which determine which messages may pass and which must be blocked or alarmed) and the information obtained from the message. This lets messages whose actions are expected and safe pass, while messages that should not be present or that carry dangerous information are blocked. The method is highly general and applies to BACnet carried by 802.3 as well as by Ethernet/UDP. It can be deployed flexibly, either at a network terminal or near a network router. It can control information at both the BACnet network layer and the application layer, achieving fine-grained control of messages.
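Steps c and e together, as an added example that is not the patent's code: the APDU header is read for type, service and segmentation flags (c1, c2), segments are buffered under a hash of session and invoke id until the last one arrives (c3), ObjectId and PropertyId are pulled from the service request (c4), and a rule table maps them to pass, block or alarm (e). The session key passed to the reassembler, the rule table format, the rules themselves and the decoding of only Confirmed-Request ReadProperty (service 12) and WriteProperty (service 15) are this example's choices; the sample APDUs are constructed, not captured.

```python
# Added example (not the patent's code): steps c and e of the method.
# Assumptions: `session` is whatever bytes the caller uses to identify a BACnet session
# (e.g. the completed source/destination addresses); RULES is an illustrative policy.
import hashlib
import struct

CONFIRMED_REQUEST = 0
READ_PROPERTY, WRITE_PROPERTY = 12, 15
ANALOG_OUTPUT, DEVICE = 1, 8            # BACnet object types used in the samples
PRESENT_VALUE, OBJECT_NAME = 85, 77     # BACnet property identifiers used in the samples


def parse_confirmed_request(apdu: bytes) -> dict:
    """c1: APDU type, segmentation flags, invoke id and service choice from the header."""
    if len(apdu) < 4 or (apdu[0] >> 4) != CONFIRMED_REQUEST:
        raise ValueError("not a Confirmed-Request APDU")
    segmented, more = bool(apdu[0] & 0x08), bool(apdu[0] & 0x04)
    pos, seq = 3, None
    if segmented:                        # sequence number and proposed window size follow
        seq, pos = apdu[3], 5
    if len(apdu) <= pos:
        raise ValueError("APDU truncated before service choice")
    return {'apdu_type': CONFIRMED_REQUEST, 'segmented': segmented, 'more_follows': more,
            'invoke_id': apdu[2], 'sequence': seq, 'service': apdu[pos], 'payload': apdu[pos + 1:]}


class Reassembler:
    """c2/c3: buffer segments until the last one arrives. Partial messages are keyed by a
    hash of (session, invoke id) so that different BACnet sessions never mix."""
    def __init__(self):
        self.partial = {}                # key -> (expected next sequence number, chunks)

    def feed(self, session: bytes, hdr: dict):
        if not hdr['segmented']:
            return hdr['payload']
        key = hashlib.sha256(session + bytes([hdr['invoke_id']])).digest()
        expected, chunks = self.partial.get(key, (0, []))
        if hdr['sequence'] != expected:  # out-of-order or orphan segment: drop the partial message
            self.partial.pop(key, None)
            return None
        chunks.append(hdr['payload'])
        if hdr['more_follows']:
            self.partial[key] = (expected + 1, chunks)
            return None
        self.partial.pop(key, None)
        return b''.join(chunks)


def extract_object_property(payload: bytes):
    """c4: context tag 0 (4-byte ObjectIdentifier), then context tag 1 (1- or 2-byte PropertyIdentifier)."""
    if len(payload) < 7 or payload[0] != 0x0C:
        raise ValueError("expected context tag 0, length 4 (ObjectIdentifier)")
    raw = struct.unpack('!I', payload[1:5])[0]
    obj_type, instance = raw >> 22, raw & 0x3FFFFF
    if payload[5] == 0x19:
        prop = payload[6]
    elif payload[5] == 0x1A and len(payload) >= 8:
        prop = struct.unpack('!H', payload[6:8])[0]
    else:
        raise ValueError("expected context tag 1 (PropertyIdentifier)")
    return obj_type, instance, prop


# e: (service, object type, property, action); None matches anything; first match wins.
RULES = [
    (READ_PROPERTY, None, None, 'pass'),
    (WRITE_PROPERTY, ANALOG_OUTPUT, PRESENT_VALUE, 'alarm'),   # allowed, but logged
    (WRITE_PROPERTY, DEVICE, None, 'block'),                   # no writes to the device object
]


def decide(service, obj_type, prop, rules=RULES, default='block'):
    for s, o, p, action in rules:
        if (s is None or s == service) and (o is None or o == obj_type) and (p is None or p == prop):
            return action
    return default


def process_apdu(apdu: bytes, session: bytes, reassembler: Reassembler) -> str:
    """Full c1..c4 then e; 'pending' means more segments are needed before a decision."""
    hdr = parse_confirmed_request(apdu)
    payload = reassembler.feed(session, hdr)
    if payload is None:
        return 'pending'
    obj_type, _instance, prop = extract_object_property(payload)
    return decide(hdr['service'], obj_type, prop)


# --- constructed sample APDUs (not captured traffic) ---
READ_AI1_PV = bytes.fromhex('0004010c' '0c00000001' '1955')                 # ReadProperty analog-input,1 present-value
WRITE_AO2_PV = bytes.fromhex('0004020f' '0c00400002' '1955' '3e4441a000003f')  # WriteProperty analog-output,2 := 20.0
WRITE_DEV = bytes.fromhex('0004030f' '0c02000001' '194d' '3e7400616263' '3f')  # WriteProperty device,1 object-name
# The same device write split into two segments (SEG set; MOR set on the first only).
WRITE_DEV_SEG1 = bytes.fromhex('0c040300010f' '0c02000001')
WRITE_DEV_SEG2 = bytes.fromhex('08040301010f' '194d3e74006162633f')

if __name__ == '__main__':
    r = Reassembler()
    for name, a in [('read', READ_AI1_PV), ('write ao', WRITE_AO2_PV),
                    ('seg 1', WRITE_DEV_SEG1), ('seg 2', WRITE_DEV_SEG2)]:
        print(name, process_apdu(a, b'session-1', r))
```

The default of `block` for anything the rules do not name is the fail-closed posture the description implies: only messages that are "expected and safe" pass. A segment that arrives out of order or without its predecessor is discarded rather than acted on, so a decision is only ever made on a complete service request.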
The invention overcomes the defects of the existing protection technology that combines packet filtering with content detection points: that technology is not suitable for BACnet networks carried by 802.3, and for BACnet carried by UDP only limited information is available at the BVLC (BACnet Virtual Link Control) layer, so effective defense cannot be performed; because a message sent by a BACnet device carries no source address, a received message carries no destination address, and the address information is incomplete when the protection is deployed at the boundary, packet filtering of BACnet protocol messages cannot obtain enough address information; and because the BACnet message header length is not fixed, whether the network address information is sufficient cannot be determined in advance.
It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.
The invention has been described above with reference to embodiments thereof. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the invention, and these alternatives and modifications are intended to be within the scope of the invention.
Although the embodiments of the present invention have been described in detail, it should be understood that various changes, substitutions, and alterations can be made hereto without departing from the spirit and scope of the invention.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. And are neither required nor exhaustive of all embodiments. And obvious variations or modifications therefrom are within the scope of the invention.

Claims (10)

1. A network security protection method aiming at BACnet is characterized by comprising the following steps:
step a, distinguishing BACnet messages, specifically BACnet messages carried by the 802.3 protocol from BACnet messages carried by the UDP protocol;
step b, parsing the BACnet network layer message to obtain network layer information;
step c, parsing the BACnet application layer message to obtain application layer information;
step d, completing the network layer information of the BACnet message;
and step e, processing the BACnet message according to the application layer information.
2. The method of claim 1, wherein the BACnet message carried by the 802.3 protocol and the BACnet message carried by the UDP protocol are distinguished by an identifier of a BACnet message header.
3. The network security protection method for BACnet according to claim 2, wherein the network layer information in step b includes source address information and destination address information.
4. The network security protection method for BACnet according to claim 3, wherein parsing the BACnet network layer message in step b to obtain the network layer information specifically comprises:
step b1, acquiring the Version field and Control field of the BACnet message;
step b2, judging, from the acquired Version field and Control field, whether the BACnet network layer message has destination address information; if yes, executing step b3, otherwise executing step b6;
step b3, parsing the destination network number and the destination MAC address length; if the destination MAC address length is larger than 0, executing step b4, otherwise executing step b6;
step b4, parsing the destination MAC address;
step b6, judging whether source address information exists; if so, executing step b7;
step b7, parsing the source address information;
and step b35, calling the processing interface of the BACnet application layer.
5. The network security protection method for BACnet according to claim 4, wherein in step c the application layer information comprises Apdu type information, service type information, ObjectId information and PropertyId information.
6. The network security protection method for BACnet according to claim 5, wherein parsing the BACnet application layer message specifically comprises:
step c1, parsing the BACnet application layer message header to obtain the application layer Apdu type information and service type information;
step c2, judging whether the message is fragmented; if yes, executing step c3, otherwise executing step c4;
step c3, reassembling the BACnet application layer message fragments and then executing step c4;
and step c4, parsing the BACnet application layer message to obtain the ObjectId information and PropertyId information.
7. The method for network security protection against BACnet according to claim 6, wherein the BACnet application layer packet fragments are reassembled using hash.
8. The method of claim 7, wherein in the step e, the processing of the BACnet message according to the application layer information is specifically performed according to the acquired ObjectId information and PropertyId information.
9. The method of claim 8, wherein processing the BACnet message comprises passing, blocking or alarming the BACnet message.
10. The method for network security protection against BACnet according to claim 9, wherein step d is to automatically complement missing BACnet network layer information through topology configuration.
Application CN201911364321.9A, priority date 2019-12-26, filing date 2019-12-26: Network security protection method aiming at BACnet; status Pending; published as CN111901288A (en).

Priority Applications (1) / Applications Claiming Priority (1) / Family Applications (1)

Application Number: CN201911364321.9A; Priority Date: 2019-12-26; Filing Date: 2019-12-26; Title: Network security protection method aiming at BACnet; Publication: CN111901288A (en)

Publications (1)

Publication Number: CN111901288A; Publication Date: 2020-11-06

Family

ID=73169668

Country Status (1)

CN (1): CN111901288A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159718A (en) * 2007-08-03 2008-04-09 重庆邮电大学 Embedded industrial Ethernet security gateway
US20090006611A1 (en) * 2007-06-28 2009-01-01 Industry-University Cooperation Foundation Hanyang University Communication network analysis system in multi-layered communication system
CN101572700A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Method for defending against HTTP Flood distributed denial-of-service attacks
CN102075529A (en) * 2010-12-24 2011-05-25 北京联合大学生物化学工程学院 Open building automation and control network protocol conversion device and method
US20150148961A1 (en) * 2013-11-27 2015-05-28 Electronics And Telecommunications Research Institute Building data managing apparatus and building management system comprising the same
CN105592018A (en) * 2014-10-30 2016-05-18 青岛海信日立空调系统有限公司 Protocol conversion method, device, and building automatic control system
CN108092959A (en) * 2017-12-05 2018-05-29 武汉虹信技术服务有限责任公司 Configuration-based BACnet protocol parsing method


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
FRITZ PRAUS et al.: "Enhanced Control Application Development in Building Automation", 2009 7th IEEE International Conference on Industrial Informatics *
王法仁: "Research on a deep packet parsing platform and method for typical industrial control protocols", China Master's Theses Full-text Database, Information Science and Technology series *
申嘉旭: "Design and implementation of a multi-protocol gateway for smart homes", China Master's Theses Full-text Database, Information Science and Technology series *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201106