CN111966074A - Industrial control equipment safety test system and method - Google Patents
Industrial control equipment safety test system and method
- Publication number: CN111966074A
- Application number: CN202010774354.7A
- Authority: CN (China)
- Prior art keywords: unit, test, detection unit, program, industrial control
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G05B23/0213—Modular or universal configuration of the monitoring system, e.g. monitoring system having modules that may be combined to build monitoring program; monitoring system that can be applied to legacy systems; adaptable monitoring system; using different communication protocols
- G06F21/563—Static detection by source code analysis
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- H04L63/1433—Vulnerability analysis
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention relates to the technical field of safety testing, in particular to a safety test system for industrial control equipment. The system comprises a global configuration unit, a test engine unit, a vulnerability library unit, an information detection unit, a vulnerability detection unit, a penetration test unit, a network robustness test unit, a diagnosis and monitoring unit and an authority management unit.
Description
Technical Field
The invention relates to the technical field of safety testing, in particular to a safety test system and a safety test method for industrial control equipment.
Background
Industrial Control System (ICS) is a general term for several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control systems such as programmable logic controllers (PLC). Industrial control systems are widely used to control the operation of national critical infrastructure such as nuclear facilities, electric power, petrochemicals, the chemical industry, metallurgy, food, municipal services and advanced manufacturing, and are the central nervous system of that infrastructure. As China's integration of informatization and industrialization continues to deepen, the internal and external security threats to industrial control systems are becoming increasingly serious, and ensuring the information security of industrial control systems has been raised to the level of national security strategy. To ensure the security of an industrial control system, a series of security tests needs to be carried out on industrial control equipment.
In addition, in the prior art, industrial control systems are responsible for controlling, managing and monitoring national critical infrastructure. It is therefore necessary to detect security vulnerabilities in industrial control systems that could be potential targets for attackers. An attacker who gains control of an ICS can paralyse national critical infrastructure. This not only causes economic loss, but also leaves citizens unable to obtain services that are important to daily life.
In the prior art, the vulnerabilities of an industrial control system are generally queried in groups; vulnerabilities are queried and repaired only at the level of the industrial control device, while the system is not modified at the physical level and access to it is not directly prevented. In fact, an industrial control system executes a limited set of control commands, and different operating permissions need to be provided for different control commands in order to prevent misoperation. No effective solution to these technical problems is currently available.
Disclosure of Invention
The present invention is directed to a system and a method for safety testing of industrial control equipment, so as to solve the problems in the background art.
In order to achieve the above object, in one aspect, the present invention provides a safety test system for industrial control equipment, including a global configuration unit, a test engine unit, a vulnerability library unit, an information detection unit, a vulnerability detection unit, a penetration test unit, a network robustness test unit, a diagnosis monitoring unit, an authority management unit, and a control command and authority module;
the control command and authority module stores the control commands and authorities of each control module;
the global configuration unit is used for configuring test parameters and flexibly formulating different test strategies for different test objects;
the test engine unit is used for scheduling the information detection unit, the vulnerability detection unit, the penetration test unit and the network robustness test unit to carry out automatic testing;
the vulnerability library unit is used for searching the vulnerability library, after the test is finished, for solutions corresponding to the vulnerabilities found by the information detection unit, the vulnerability detection unit, the penetration test unit and the network robustness test unit, and releasing a test report;
the control command and authority module sends the corresponding control test signals to the corresponding industrial control equipment to test whether each control command exists and whether it is responded to correctly, and outputs an abnormal signal if a control command is responded to incorrectly; in addition, other random commands are input and it is judged whether the control operation corresponding to each authority is correct; if a control operation outside the granted authority can be performed using an incorrect authority, a vulnerability exists and a vulnerability repair scheme is started;
the information detection unit is used for acquiring information on the live devices of the industrial control network under test, and lays the groundwork for the vulnerability detection unit and the penetration test unit;
the vulnerability detection unit is used for extracting test features from the vulnerability library unit to form a test message, sending the test message to the test object, then monitoring the response of the detection target, collecting information, and judging, in combination with the vulnerability library unit, whether the network has a security vulnerability;
the penetration test unit is used for attacking the industrial control network and system so as to test the security of the network and system in a real application environment;
the network robustness test unit is used for testing the network robustness of industrial control equipment; the main test objects are programmable logic controllers (PLC), distributed control system (DCS) controllers and the like, and any device implemented with an Ethernet port and a network stack can be tested, so that tens of thousands of "zero-day vulnerabilities" and other unpublished vulnerabilities or hidden dangers are effectively prevented;
the diagnosis monitoring unit is used for monitoring the state of the industrial control network and system and ensuring operational safety;
the authority management unit is used to ensure that only users with system access rights can access the application, and only through the corresponding gateway, including login or remote access to the system; it is tested to verify that only operators with system and application access rights can access the system and the application.
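The control command and authority test described in the list above can be sketched as follows. This is an added example, not part of the patent text; the command names, role names and the simulated controller with its planted defects are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed command/authority table: command -> roles allowed to issue it.
# Command and role names are hypothetical; the patent lists none.
COMMAND_AUTHORITY = {
    "READ_STATUS": {"viewer", "operator", "engineer"},
    "START_PUMP": {"operator", "engineer"},
    "STOP_PUMP": {"operator", "engineer"},
    "WRITE_SETPOINT": {"engineer"},
}
ROLES = ("viewer", "operator", "engineer")


class SimulatedController:
    """Constructed stand-in for the equipment under test, with three planted defects."""

    def handle(self, role: str, command: str) -> str:
        if command == "DIAG_MODE":
            return "OK"      # defect: undeclared command accepted from any role
        if command not in COMMAND_AUTHORITY:
            return "UNKNOWN_COMMAND"
        if command == "STOP_PUMP":
            return "ERROR"   # defect: declared command answered incorrectly
        if command == "WRITE_SETPOINT":
            return "OK"      # defect: authority is never checked
        return "OK" if role in COMMAND_AUTHORITY[command] else "DENIED"


@dataclass(frozen=True)
class Finding:
    kind: str       # abnormal_response | authority_bypass | undeclared_command_accepted
    role: str
    command: str
    response: str


def run_authority_test(device, table, roles, random_commands=()):
    """Exercise every (role, command) pair, then probe commands outside the table."""
    findings = []
    for command, allowed in table.items():
        for role in roles:
            response = device.handle(role, command)
            if role in allowed and response != "OK":
                # Stored command exists but is not answered correctly: abnormal signal.
                findings.append(Finding("abnormal_response", role, command, response))
            elif role not in allowed and response == "OK":
                # Operation outside the granted authority succeeded: vulnerability.
                findings.append(Finding("authority_bypass", role, command, response))
    for command in random_commands:
        if command in table:
            continue  # already covered by the table-driven pass
        for role in roles:
            response = device.handle(role, command)
            if response == "OK":
                findings.append(
                    Finding("undeclared_command_accepted", role, command, response))
    return findings


def summarize(findings):
    """Group findings by kind as lists of (role, command) pairs."""
    summary = {}
    for f in findings:
        summary.setdefault(f.kind, []).append((f.role, f.command))
    return summary


if __name__ == "__main__":
    results = run_authority_test(
        SimulatedController(), COMMAND_AUTHORITY, ROLES, ("DIAG_MODE", "XYZZY"))
    for finding in results:
        print(finding)
```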
Preferably, the information detection unit comprises a device discovery unit, an open port detection unit, a service identification unit and an operating system detection unit;
the device discovery unit is used for detecting whether a device is alive and identifying information about live devices; for non-EPA devices, liveness can be detected by sending PING or ARP messages, where ARP can bypass a firewall's filtering of PING; for EPA devices, a capture thread is started to parse EPA device declaration messages, thereby identifying device liveness and device information such as MAC, IP and redundancy number, and discovering illegal EPA devices;
the open port detection unit is used for testing the UDP ports and TCP ports of the target system and identifying the state of each port, using multiple port scanning techniques such as full-open scanning, half-open scanning and UDP scanning;
the service identification unit is used for identifying services according to the open port detection unit and the service identification unit, and identifying Trojan threats and service types on some ports; a first service identification is performed according to the open port detection unit and the service identification unit, a process that can identify Trojan threats on some ports; the second identification collects the Banner information returned after a connection is established with the target system and queries a service feature library to roughly identify the service type, and even the name and version of the software;
the operating system detection unit is used for identifying the operating system of the target system; for devices that depend on a general-purpose operating system, the vulnerability detection unit is required to test for system vulnerabilities, while for real-time operating systems such as UC/OS, and for EPA network devices and field devices without an operating system, the system vulnerability test can be skipped.
Preferably, the vulnerability detection unit comprises a static detection unit, a dynamic detection unit and a hybrid detection unit; the static detection unit is used for analyzing the semantics and syntax of the program code under test, analyzing the characteristics of the program and finding the cause of abnormalities; the dynamic detection unit is used for detecting and analyzing the variables, memory, heap and stack of the running environment so as to improve the security of the computer in use; the hybrid detection unit combines and builds on the static detection unit and the dynamic detection unit, and is used for improving the security detection technique for the device's hybrid software.
Preferably, the static detection unit comprises a lexical detection unit, a program comment technical unit, a type inference detection technical unit and a data flow detection unit;
the lexical detection unit is used for detecting the grammar of a program, namely detecting whether the program contains dangerous library functions and system calls; the program comment technical unit is used for detecting the comment information of the program, analyzing it, and finding security vulnerabilities hidden in the program; the type inference detection technical unit is used for applying security constraints to the program and improving its security; the data flow detection unit is used for detecting program breakpoints and mainly analyzing the flow of data so as to judge whether the program has potential security vulnerabilities.
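A minimal sketch of the lexical detection unit and the program comment technical unit for C source, added here as an example and not taken from the patent. The list of dangerous functions, the comment keywords and the sample source are assumptions constructed for illustration. The tokenizer skips string literals and inspects comments separately, so a function name that appears only in a string or a comment is not reported as a call.

```python
import re

# Assumed rule set for illustration; the patent names no specific functions.
DANGEROUS_CALLS = {
    "gets": "reads without a length limit",
    "strcpy": "copies without checking destination size",
    "strcat": "appends without checking destination size",
    "sprintf": "formats without a length limit",
    "system": "runs a shell command",
    "popen": "runs a shell command",
}
# Assumed keywords that make a comment worth a reviewer's attention.
COMMENT_HINTS = re.compile(r"\b(TODO|FIXME|HACK|password|backdoor|hardcoded)\b", re.I)

# Comments and literals come first so identifiers inside them are never tokenized.
TOKEN = re.compile(r"""
    (?P<block_comment>/\*.*?\*/)
  | (?P<line_comment>//[^\n]*)
  | (?P<string>"(?:\\.|[^"\\\n])*")
  | (?P<char>'(?:\\.|[^'\\\n])*')
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<other>.)
""", re.S | re.X)


def scan_source(source):
    """Return (line, kind, name, detail) tuples in source order."""
    findings = []
    for m in TOKEN.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        kind, text = m.lastgroup, m.group()
        if kind == "ident" and text in DANGEROUS_CALLS:
            # Only a following "(" makes this a call rather than a variable name.
            if source[m.end():].lstrip().startswith("("):
                findings.append((line, "dangerous_call", text, DANGEROUS_CALLS[text]))
        elif kind in ("block_comment", "line_comment"):
            for hit in COMMENT_HINTS.finditer(text):
                hit_line = line + text.count("\n", 0, hit.start())
                findings.append((hit_line, "comment_hint", hit.group().lower(),
                                 " ".join(text.split())))
    return findings


# Constructed sample input, not real device firmware.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
/* TODO: remove hardcoded maintenance password before release */
static const char *banner = "use strcpy() carefully";
int set_tag(char *dst, const char *src) {
    // gets() was replaced below
    strcpy(dst, src);
    return 0;
}
int run_diag(const char *arg) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "diag %s", arg);
    return system (cmd);
}
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_C):
        print(finding)
```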
Preferably, the dynamic detection unit includes a non-execution stack unit, a non-execution heap and data technology unit, and a memory mapping technology unit;
the non-execution stack unit is used for prohibiting code from being executed when malicious code has been input into the program, eliminating the damage the code would do to the program; the non-execution heap and data technology unit is used for preventing the intrusion of malicious code, namely prohibiting a malicious program in memory from running; the memory mapping technology unit is used for effectively protecting memory, so that it is difficult for a hacker or malicious attacker to enter the memory area through the data code at the end of a fixed program, and the hacker's malicious code is transferred to a random address.
Preferably, the attacks of the penetration test unit are EPA service attacks, ARP attacks, DoS attacks and SQL attacks.
Preferably, the network robustness testing unit comprises a connection configuration unit and a detection execution unit;
the connection configuration unit is used for specifically configuring the ATP configuration interface, as preliminary preparation for the detection execution unit, after the ATP has been physically connected to the DUT; the detection execution unit is used for selecting, through the test settings, the test items in the ATP required by the test as test cases, executing the selected test items on the test execution interface, and carrying out network robustness detection on the device under test.
Preferably, the failure rate calculation formula of the network robustness test unit is as follows:
where N is the number of objects under test; w_i is a weight set according to the number of times the object under test appears, generally 1/N; for the robustness of a specific application program in the test system, the value of w_i is obtained from the number of occurrences of the objects under test in the program; f_i is the number of failures of object i under test; and t_i is the number of tests of object i under test.
Preferably, in another aspect, the present invention further provides a method for safety testing of industrial control equipment, using any one of the above-mentioned industrial control equipment safety test systems, and the method includes the following steps:
S1, global configuration: each independent module can be operated through a human-computer interface for independent manual testing, or test parameters can be configured through the global configuration module, and the user can flexibly formulate a test strategy for different test objects;
S2, test engine: the test engine unit schedules the information detection unit, the vulnerability detection unit, the penetration test unit and the network robustness test unit to carry out automatic testing;
S3, information detection: first, detecting whether a device is alive and identifying information about live devices; then testing the UDP ports and TCP ports of the target system and identifying the state of each port; then performing service identification according to the open port detection unit and the service identification unit, identifying Trojan threats on some ports and identifying service types; then identifying the operating system of the target system; this step obtains information on the live devices of the industrial control network under test, and the information detection unit lays the groundwork for the vulnerability detection unit and the penetration test unit;
S4, vulnerability static detection: detecting the grammar of the program, namely detecting whether the program contains dangerous library functions and system calls; detecting the comment information of the program, analyzing it, and finding security vulnerabilities hidden in the program; then applying security constraints to the program to improve its security; detecting program breakpoints and mainly analyzing the flow of data so as to judge whether the program has potential security vulnerabilities; analyzing the semantics and syntax of the program code under test, analyzing the characteristics of the program and finding the cause of abnormalities;
S5, vulnerability dynamic detection: prohibiting code from being executed when malicious code has been input into the program, eliminating the damage the code would do to the program; then preventing the intrusion of malicious code, namely prohibiting a malicious program in memory from running; then effectively protecting memory, so that it is difficult for a hacker or malicious attacker to enter the memory area through the data code at the end of a fixed program, and the hacker's malicious code is transferred to a random address; then detecting and analyzing the variables, memory, heap and stack of the running environment so as to improve the security of the computer in use;
S6, hybrid detection: the static detection unit and the dynamic detection unit are combined and built upon, and are used for improving the security detection technique for the device's hybrid software;
S7, penetration test: attacks are launched on the industrial control network and the industrial control system through EPA service attacks, ARP attacks, DoS attacks and SQL attacks so as to test the security of the network and the industrial control system in a real application environment;
S8, network robustness test: after the ATP has been physically connected to the DUT, the ATP configuration interface is specifically configured; different test items in the ATP required by the test are then selected through the test settings as test cases, and the selected test items are executed on the test execution interface; the test objects are programmable logic controllers (PLC), distributed control system (DCS) controllers and the like, and any device implemented with an Ethernet port and a network stack can be tested, so that tens of thousands of "zero-day vulnerabilities" and other unpublished vulnerabilities or hidden dangers are effectively prevented and the network robustness of the device under test is detected;
S9, authority management: access from irrelevant IP addresses is prohibited, strong passwords are used for user accounts, and users are given appropriate authority; it is ensured that only users with system access rights can access the application, and only through the corresponding gateway, including login or remote access to the system.
Further, the software of the control system is tested; specifically, the control flow diagram of the software is decomposed into an inter-process call control flow diagram and an intra-process call control flow diagram according to the inter-process function call relations and the intra-process basic block jump relations;
characteristic basic blocks are extracted from the inter-process call control flow diagram as inter-process judgment blocks, and the inter-process judgment blocks form an inter-process judgment block control flow according to the program execution context; characteristic basic blocks are extracted from the intra-process call control flow diagram as intra-process judgment blocks, and the intra-process judgment blocks form an intra-process judgment block control flow according to the program execution context; the judgment block control flows comprise the inter-process judgment block control flow and the intra-process judgment block control flow.
Compared with the prior art, the invention has the beneficial effects that:
1. In the system and method for safety testing of industrial control equipment, the information, vulnerabilities, penetration and network robustness of the industrial control system are security-tested by the information detection unit, the vulnerability detection unit, the penetration test unit and the network robustness test unit; the diagnosis monitoring unit then monitors and diagnoses the state of the industrial control network and system in real time to ensure operational safety; access from irrelevant IP addresses is prohibited, strong passwords are used for user accounts, and users are given appropriate authority; and only users with system access authority can access the application program, and only through the corresponding gateway, including login or remote access to the system, so that the security of the industrial control equipment is further ensured.
Drawings
FIG. 1 is a block diagram of the overall structure of the present invention;
FIG. 2 is a block diagram of an information detection unit according to the present invention;
FIG. 3 is a block diagram of a vulnerability detection unit of the present invention;
FIG. 4 is a block diagram of a static detection unit of the present invention;
FIG. 5 is a block diagram of a dynamic detection unit of the present invention;
FIG. 6 is a block diagram of a network robustness testing unit of the present invention.
The various reference numbers in the figures mean:
100. a global configuration unit;
200. a test engine unit;
300. a vulnerability library unit;
400. an information detection unit; 410. a device discovery unit; 420. an open port detection unit; 430. a service identification unit; 440. an operating system detection unit;
500. a vulnerability detection unit; 510. a static detection unit; 511. a lexical detection unit; 512. a program comment technical unit; 513. a type inference detection technical unit; 514. a data flow detection unit; 520. a dynamic detection unit; 521. a non-execution stack unit; 522. a non-execution heap and data technology unit; 523. a memory mapping technology unit; 530. a hybrid detection unit;
600. a penetration test unit;
700. a network robustness test unit; 701. a connection configuration unit; 702. a detection execution unit;
800. a diagnosis monitoring unit;
900. an authority management unit.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to FIG. 1 to FIG. 6, the present embodiment provides a safety test system for industrial control equipment, which includes a global configuration unit 100, a test engine unit 200, a vulnerability library unit 300, an information detection unit 400, a vulnerability detection unit 500, a penetration test unit 600, a network robustness test unit 700, a diagnosis monitoring unit 800, an authority management unit 900, and a control command and authority module;
the control command and authority module stores the control commands and authorities of each control module;
the global configuration unit 100 is used for configuring test parameters and flexibly formulating different test strategies for different test objects;
the test engine unit 200 is used for scheduling the information detection unit 400, the vulnerability detection unit 500, the penetration test unit 600 and the network robustness test unit 700 to carry out automatic testing;
the vulnerability library unit 300 is used for searching the vulnerability library, after the test is finished, for solutions corresponding to the vulnerabilities found by the information detection unit 400, the vulnerability detection unit 500, the penetration test unit 600 and the network robustness test unit 700, and releasing a test report;
the control command and authority module sends the corresponding control test signals to the corresponding industrial control equipment to test whether each control command exists and whether it is responded to correctly, and outputs an abnormal signal if a control command is responded to incorrectly; in addition, other random commands are input and it is judged whether the control operation corresponding to each authority is correct; if a control operation outside the granted authority can be performed using an incorrect authority, a vulnerability exists and a vulnerability repair scheme is started;
the information detection unit 400 is used for acquiring information on the live devices of the industrial control network under test, and lays the groundwork for the vulnerability detection unit 500 and the penetration test unit 600;
the vulnerability detection unit 500 is used for extracting test features from the vulnerability library unit 300 to form a test message, sending the test message to the test object, then monitoring the response of the detection target, collecting information, and judging, in combination with the vulnerability library unit 300, whether the network has a security vulnerability;
the penetration test unit 600 is used for launching attacks on the industrial control network and system so as to test the security of the network and system in a real application environment;
the network robustness test unit 700 is used for testing the network robustness of industrial control equipment; the main test objects are programmable logic controllers (PLC), distributed control system (DCS) controllers and the like, and any device implemented with an Ethernet port and a network stack can be tested, so that tens of thousands of "zero-day vulnerabilities" and other unpublished vulnerabilities or hidden dangers are effectively prevented;
the diagnosis monitoring unit 800 is used for monitoring the state of the industrial control network and system and ensuring operational safety;
the authority management unit 900 is used to ensure that only users with system access rights can access the application, and only through the corresponding gateway, including login or remote access to the system; it is tested to verify that only operators with system and application access rights can access the system and the application.
Further, the information detection unit 400 includes a device discovery unit 410, an open port detection unit 420, a service identification unit 430, and an operating system detection unit 440;
the device discovery unit 410 is configured to detect whether a device is alive and to identify information about the live devices; for non-EPA equipment, whether the equipment is alive can be detected by sending PING or ARP messages, wherein ARP can bypass a firewall's filtering of PING; for EPA equipment, a capturing thread is opened to analyze the EPA equipment declaration messages, thereby identifying the equipment survival information and equipment information such as MAC, IP and redundant number, and finding illegal EPA equipment;
the open port detection unit 420 is configured to test the UDP ports and TCP ports of the target system and identify the state of each port, using multiple port scanning technologies such as full-open scanning, half-open scanning and UDP scanning;
the service identification unit 430 is used for identifying services, and for identifying Trojan threats and service types on some ports, according to the open port detection unit 420 and the service identification unit 430; a first service identification is performed according to the open port detection unit 420 and the service identification unit 430, and this process can identify Trojan threats on some ports; the second identification collects the Banner information returned after a connection is established with the target system and queries a service feature library to roughly identify the service type, and even the name and version of the software;
the operating system detection unit 440 is used to identify the operating system of the target system; for devices that depend on a common OS, the vulnerability detection unit 500 is required to test system vulnerabilities, and for real-time OSes such as UC/OS, and for EPA network devices and field devices without an OS, the system vulnerability test can be bypassed.
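The two-stage service identification described above can be sketched as follows. This is an added example, not code from the patent; the port tables, the banner patterns and the names `identify`, `needs_review` and `review_queue` are assumptions, and the sample banners are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stage 1 tables. Constructed samples, not a complete registry.
PORT_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 502: "modbus-tcp"}
# Ports historically used as defaults by remote-access Trojans.
TROJAN_PORTS = {12345: "NetBus", 31337: "Back Orifice"}

# Stage 2 "service feature library" (assumed format): a service name plus a
# banner pattern whose named groups yield the software name and version.
FEATURES = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    ("ftp", re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD)\s+(?P<version>[\d.]+\w*)")),
    ("http", re.compile(r"^Server:\s*(?P<product>[^/\s]+)(?:/(?P<version>[\w.]+))?",
                        re.M | re.I)),
]


@dataclass
class ServiceGuess:
    port: int
    service: Optional[str]             # best current guess at the service type
    product: Optional[str] = None      # software name taken from the banner
    version: Optional[str] = None      # software version taken from the banner
    source: str = "none"               # "port", "banner" or "none"
    trojan_hint: Optional[str] = None  # set when the port is in TROJAN_PORTS
    nonstandard_port: bool = False     # banner disagrees with the port table


def identify(port: int, banner: str = "") -> ServiceGuess:
    """First identification by port number, second by returned banner."""
    port_guess = PORT_SERVICES.get(port)
    guess = ServiceGuess(port=port, service=port_guess,
                         source="port" if port_guess else "none",
                         trojan_hint=TROJAN_PORTS.get(port))
    text = banner.strip()
    for service, pattern in FEATURES:
        match = pattern.search(text)
        if match:
            # The banner is stronger evidence than the port number.
            guess.service = service
            guess.product = match.group("product")
            guess.version = match.group("version")
            guess.source = "banner"
            guess.nonstandard_port = port_guess != service
            break
    return guess


def needs_review(guess: ServiceGuess) -> bool:
    """Flag results an analyst should look at before vulnerability testing."""
    return bool(guess.trojan_hint) or guess.nonstandard_port or guess.service is None


# Constructed scan output: (open port, banner returned after connecting).
SAMPLE_SCAN: List[Tuple[int, str]] = [
    (22, "SSH-2.0-OpenSSH_7.4\r\n"),
    (502, ""),
    (8080, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"),
    (31337, "SSH-2.0-dropbear_2019.78\r\n"),
    (4444, ""),
]


def review_queue(scan: List[Tuple[int, str]]) -> List[int]:
    """Return the ports whose identification result needs manual review."""
    return [port for port, banner in scan if needs_review(identify(port, banner))]


if __name__ == "__main__":
    for port, banner in SAMPLE_SCAN:
        print(identify(port, banner))
    print("review:", review_queue(SAMPLE_SCAN))
```

A port that answers with no banner keeps its stage 1 guess, so a silent Modbus/TCP listener on 502 is still inventoried, while an unknown silent port is queued for review.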
Further, the vulnerability detection unit 500 includes a static detection unit 510, a dynamic detection unit 520, and a hybrid detection unit 530; the static detection unit 510 is configured to analyze the semantics and syntax of the code of the program under test, analyze the characteristics of the program, and find the cause of abnormalities; the dynamic detection unit 520 is used for detecting and analyzing the variables, memory, heap and stack of the operating environment so as to improve the safety factor of computer use; the hybrid detection unit 530 fuses and innovates on the static detection unit 510 and the dynamic detection unit 520, and is used for improving the technology for detecting the use safety of the equipment's hybrid software.
Specifically, the static detection unit 510 includes a lexical detection unit 511, a program annotation technology unit 512, a type inference detection technology unit 513, and a data stream detection unit 514;
the lexical detection unit 511 is used for detecting the syntax of the program, that is, detecting whether the program uses dangerous library functions and system calls; the program annotation technology unit 512 is configured to detect the comment information of the program and analyze it to find security vulnerabilities hidden in the program; the type inference detection technology unit 513 is used for applying security constraints to the program and improving the safety factor of the program; the data stream detection unit 514 is configured to detect breakpoints of the program and mainly analyzes the direction of data flow, so as to determine whether the program has potential security vulnerabilities.
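A minimal lexical detector of the kind attributed to the lexical detection unit 511, as an added example that is not taken from the patent: it tokenizes C source, skips comments and string literals, and reports calls to risky library functions. The rule table, the names `scan` and `Finding`, and the sample C source are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed rule table: function name -> reason it is reported.
DANGEROUS_CALLS = {
    "gets": "reads without a length limit; use fgets",
    "strcpy": "no destination bound; use a length-checked copy",
    "strcat": "no destination bound; use a length-checked append",
    "sprintf": "no output bound; use snprintf",
    "system": "runs a command through the shell; validate or avoid",
    "popen": "runs a command through the shell; validate or avoid",
}

# One token per match. Comments and literals are consumed whole so that
# names appearing inside them are never mistaken for calls.
TOKEN = re.compile(
    r"(?P<comment>//[^\n]*|/\*.*?\*/)"
    r"|(?P<string>\"(?:\\.|[^\"\\\n])*\"|'(?:\\.|[^'\\\n])*')"
    r"|(?P<ident>[A-Za-z_]\w*)"
    r"|(?P<other>.)",
    re.S,
)
CALL_OPEN = re.compile(r"\s*\(")  # an identifier followed by "(" is a call


class Finding(NamedTuple):
    line: int
    function: str
    advice: str


def scan(source: str) -> List[Finding]:
    """Return one Finding per call to a function listed in DANGEROUS_CALLS."""
    findings = []
    line = 1
    for match in TOKEN.finditer(source):
        if match.lastgroup == "ident":
            name = match.group()
            if name in DANGEROUS_CALLS and CALL_OPEN.match(source, match.end()):
                findings.append(Finding(line, name, DANGEROUS_CALLS[name]))
        # Multi-line comments and newline tokens advance the line counter.
        line += match.group().count("\n")
    return findings


# Constructed C source used as the program under test.
SAMPLE = r'''#include <stdio.h>
#include <string.h>
/* legacy: used strcpy(dst, src) here before the rewrite */
void set_tag(char *dst, const char *src) {
    strcpy(dst, src); // TODO bound this copy
    printf("call gets() to read\n");
}
int main(void) {
    char buf[16];
    int system = 0;
    gets(buf);
    snprintf(buf, sizeof buf, "%d", system);
    return 0;
}
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"line {finding.line}: {finding.function}: {finding.advice}")
```

Only the real calls on lines 5 and 11 are reported: the `strcpy` in the block comment, the `gets()` inside the string literal and the variable named `system` are not.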
Specifically, the dynamic detection unit 520 includes a non-execution stack unit 521, a non-execution heap and data technology unit 522, and a memory mapping technology unit 523;
the non-execution stack unit 521 is used for prohibiting code from being executed when malicious code is input into the program, eliminating the damage such code does to the program; the non-execution heap and data technology unit 522 is used for preventing the intrusion of malicious code, namely forbidding a malicious program in the memory from running; the memory mapping technology unit 523 is used to effectively protect the memory: it is made difficult for a hacker or malicious attacker to enter the memory area through the data code at the end of the fixed program, and the hacker's malicious code is transferred to a random address.
It should be noted that the attacks of the penetration test unit 600 are an EPA service attack, an ARP attack, a DoS attack, and an SQL attack.
Further, the network robustness testing unit 700 includes a connection configuration unit 701 and a detection execution unit 702;
the connection configuration unit 701 is configured to, after the ATP is physically connected to the DUT, specifically configure the ATP configuration interface as preliminary preparation for the detection execution unit 702; the detection execution unit 702 is configured to select, through the test settings, the different test items in the ATP required by the test as test cases, and to execute the selected test items on the test execution interface, so as to perform network robustness detection on the device under test.
Specifically, the failure rate calculation formula of the network robustness testing unit 700 is as follows:
wherein N is the number of objects to be measured; $w_i$ is a weight value set according to the number of times the tested object appears, generally 1/N; for the robustness of a specific application program in the test system, the value of $w_i$ is obtained according to the number of occurrences of the measured object in the program; $f_i$ is the number of failures of the measured object $i$; and $t_i$ is the number of tests of the measured object $i$.
On the other hand, the invention also provides a method for the safety test of the industrial control equipment, which comprises the following operation steps:
s1, global configuration: each independent module can be operated to carry out independent manual test through a human-computer interface, test parameters can also be configured through a global configuration module, and a user can flexibly formulate a test strategy aiming at different test objects;
s2, test engine: the information detection unit 400, the vulnerability detection unit 500, the penetration test unit 600 and the network robustness test unit 700 are scheduled by the test engine unit 200 for automatic testing;
s3, information detection: first, detecting whether equipment is alive and identifying information about the live equipment; then, testing the UDP ports and TCP ports of the target system and identifying the state of each port; then, performing service identification according to the open port detection unit 420 and the service identification unit 430, identifying Trojan threats on some ports and identifying service types; then, identifying the operating system of the target system; this step obtains the live equipment information of the industrial control network under test, and the information detection unit 400 lays the groundwork for the vulnerability detection unit 500 and the penetration test unit 600;
s4, vulnerability static detection: detecting the syntax of the program, that is, detecting whether the program uses dangerous library functions and system calls; detecting the comment information of the program and analyzing it to find security vulnerabilities hidden in the program, and then applying security constraints to the program to improve its safety factor; detecting program breakpoints, mainly analyzing the direction of data flow so as to judge whether the program has potential security vulnerabilities; analyzing the semantics and syntax of the code of the program under test, analyzing the characteristics of the program and finding the causes of abnormalities;
s5, vulnerability dynamic detection: prohibiting code from being executed when malicious code is input into the program, eliminating the damage such code does to the program; then preventing the intrusion of malicious code, namely forbidding the program from running when a malicious program in the memory runs; then effectively protecting the memory, so that it is difficult for a hacker or malicious attacker to enter the memory area through the data code at the end of the fixed program, and the hacker's malicious code is transferred to a random address; then detecting and analyzing the variables, memory, heap and stack of the operating environment, so as to improve the safety factor of computer use;
s6, mixed detection: the static detection unit 510 and the dynamic detection unit 520 are fused with, and innovate on, each other, and are used for improving the technology for detecting the use safety of the equipment's hybrid software;
s7, penetration test: attacks are launched on the industrial control network and the industrial control system through EPA service attack, ARP attack, DoS attack and SQL attack so as to detect the safety of the network and the industrial control system in a real application environment;
s8, testing network robustness: after the ATP is physically connected to the DUT, the ATP configuration interface is specifically configured; then the different test items in the ATP required by the test are selected through the test settings as test cases, and the selected test items are executed on the test execution interface; the test objects are Programmable Logic Controllers (PLC), Distributed Control System (DCS) controllers and the like, and any equipment implemented with an Ethernet port and a network stack can be tested, so that tens of thousands of 'zero-day bugs' and other unpublished bugs or hidden dangers are effectively prevented and the network robustness of the tested equipment is detected;
s9, authority management: access from irrelevant IPs is prohibited by configuration, user passwords are strong passwords, and users are given proper authority; it is ensured that only users with system access rights can access the application, and only through the corresponding gateway, including login or remote access to the system.
Further, the software of the control system is tested; specifically, the control flow chart of the software is decomposed into an inter-process call control flow chart and an intra-process call control flow chart according to the inter-process function call relation and the intra-process basic block jump relation;
characteristic basic blocks are extracted from the inter-process call control flow chart as inter-process judgment blocks, and the inter-process judgment blocks form an inter-process judgment block control flow according to the program execution context; characteristic basic blocks are extracted from the intra-process call control flow chart as in-process judgment blocks, and the in-process judgment blocks form an in-process judgment block control flow according to the program execution context, wherein the judgment block control flows comprise the inter-process judgment block control flow and the in-process judgment block control flow.
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and the preferred embodiments of the present invention are described in the above embodiments and the description, and are not intended to limit the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (10)
1. An industrial control equipment safety test system, characterized in that: the system comprises a global configuration unit (100), a test engine unit (200), a vulnerability library unit (300), an information detection unit (400), a vulnerability detection unit (500), a penetration test unit (600), a network robustness test unit (700), a diagnosis monitoring unit (800), an authority management unit (900) and a control operation command and authority module;
the control operation command and authority module stores the control operation commands and authority of each control module;
the global configuration unit (100) is used for configuring test parameters and flexibly formulating different test strategies for different test objects;
the test engine unit (200) is used for scheduling the information detection unit (400), the vulnerability detection unit (500), the penetration test unit (600) and the network robustness test unit (700) to carry out automatic testing;
the vulnerability library unit (300) is used for searching the vulnerability library, after the test is finished, for solutions corresponding to the vulnerabilities found by the information detection unit (400), the vulnerability detection unit (500), the penetration test unit (600) and the network robustness test unit (700), and releasing a test report;
the control operation command and authority module sends corresponding control operation test signals to the corresponding industrial control equipment to test whether the corresponding control commands exist and whether they are responded to correctly, and outputs an abnormal signal if a control command is responded to incorrectly; in addition, other random commands are input and it is judged whether the control operation corresponding to the authority is correct; if a control operation outside the granted authority can be performed using incorrect authority, a vulnerability exists, and a vulnerability repair scheme is started;
the information detection unit (400) is used for acquiring the live equipment information of the industrial control network under test, and the information detection unit (400) lays the groundwork for the vulnerability detection unit (500) and the penetration test unit (600);
the vulnerability detection unit (500) is used for extracting test characteristics from the vulnerability library unit (300) to form a test message and sending the test message to a test object;
the penetration testing unit (600) is used for launching attacks on the industrial control network and the system so as to detect the safety of the network and the system under a real application environment;
the network robustness testing unit (700) is used for testing the network robustness of the industrial control equipment;
the diagnosis monitoring unit (800) is used for monitoring the states of the industrial control network and the system and ensuring the operation safety;
the rights management unit (900) is used to ensure that only users with system access rights can access the application.
2. The industrial control device safety test system of claim 1, wherein: the information detection unit (400) comprises a device discovery unit (410), an open port detection unit (420), a service identification unit (430) and an operating system detection unit (440);
the device discovery unit (410) is configured to detect whether a device is alive and to identify information about the live devices;
the open port detection unit (420) is used for testing a UDP port and a TCP port of a target system and identifying the state of each port;
the service identification unit (430) is used for identifying the service according to the open port detection unit (420) and the service identification unit (430);
the operating system detection unit (440) is used for performing operating system identification on a target system.
3. The industrial control device safety test system of claim 1, wherein: the vulnerability detection unit (500) comprises a static detection unit (510), a dynamic detection unit (520) and a hybrid detection unit (530); the static detection unit (510) is used for analyzing the semantics and grammar of the tested program code, analyzing the characteristics of the program and finding out the reason of the abnormity; the dynamic detection unit (520) is used for detecting and analyzing the variable, the memory, the heap and the stack codes of the operating environment; the hybrid detection unit (530) fuses the static detection unit (510) and the dynamic detection unit (520) to each other.
4. The industrial control device safety testing system of claim 3, wherein: the static detection unit (510) comprises a lexical detection unit (511), a program comment technology unit (512), a type inference detection technology unit (513) and a data stream detection unit (514);
the lexical detection unit (511) is used for detecting grammar of the program; the program comment technical unit (512) is used for detecting comment information of a program; the type inference detection technique unit (513) is used for imposing security constraints on the program; the data flow detection unit (514) is used for detecting program breakpoints.
5. The industrial control device safety testing system of claim 3, wherein: the dynamic detection unit (520) comprises a non-execution stack unit (521), a non-execution heap and data technology unit (522) and a memory mapping technology unit (523);
the non-execution stack unit (521) is used for prohibiting the execution of the code under the condition that the malicious code is input into the program; the non-executing heap and data technology unit (522) is used for preventing the invasion of malicious codes; the memory mapping technology unit (523) is used for effectively protecting the memory.
6. The industrial control device safety test system of claim 1, wherein: the attacks of the penetration test unit (600) are EPA service attack, ARP attack, DoS attack and SQL attack.
7. The industrial control device safety test system of claim 1, wherein: the network robustness testing unit (700) comprises a connection configuration unit (701) and a detection execution unit (702);
the connection configuration unit (701) is used for specifically configuring an ATP configuration interface; the detection execution unit (702) is used for selecting different test items in ATP required by the test through test setting.
8. The industrial control device safety testing system of claim 7, wherein: the failure rate calculation formula of the network robustness test unit (700) is as follows:
wherein N is the number of objects to be measured; $w_i$ is a weight value set according to the number of times the object appears, the value of $w_i$ being obtained according to the number of occurrences of the measured object in the program; $f_i$ is the number of failures of the measured object $i$; and $t_i$ is the number of tests of the measured object $i$.
9. A method for safety testing of industrial control equipment, characterized in that: the method uses the industrial control equipment safety test system of any one of claims 1 to 8 and comprises the following operating steps:
s1, global configuration: configuring test parameters, and making a test strategy by a user aiming at different test objects;
s2, test engine: scheduling the information detection unit (400), the vulnerability detection unit (500), the penetration test unit (600) and the network robustness test unit (700) through the test engine unit (200) to carry out automatic testing;
s3, information detection: first, detecting whether equipment is alive and identifying information about the live equipment; then, testing the UDP ports and TCP ports of the target system and identifying the state of each port; then, performing service identification according to the open port detection unit (420) and the service identification unit (430), identifying Trojan threats on ports and identifying service types; then, identifying the operating system of the target system, and acquiring the live equipment information of the industrial control network under test;
s4, vulnerability static detection: detecting the syntax of the program, that is, detecting whether the program uses dangerous library functions and system calls; detecting the comment information of the program and analyzing it to find security vulnerabilities hidden in the program, and then applying security constraints to the program; detecting program breakpoints and judging whether the program has potential security vulnerabilities; performing semantic and syntax analysis on the code of the program under test, and analyzing the characteristics of the program;
s5, vulnerability dynamic detection: prohibiting code from being executed when malicious code is input into the program, eliminating the damage such code does to the program; then preventing the intrusion of malicious code, forbidding the program from running when a malicious program in the memory runs; then effectively protecting the memory, and then detecting and analyzing the variables, memory, heap and stack codes of the operating environment;
s6, mixed detection: fusing the static detection unit (510) and the dynamic detection unit (520) with each other;
s7, penetration test: attacks are launched on the industrial control network and the industrial control system through EPA service attack, ARP attack, DoS attack and SQL attack so as to detect the safety of the network and the industrial control system in a real application environment;
s8, testing network robustness: after the ATP realizes physical connection with the DUT, specific configuration is carried out on an ATP configuration interface, then different test items in the ATP required by the test are selected through test setting to serve as test cases for test execution, and the selected test items are executed on the test execution interface;
s9, authority management: access from irrelevant IPs is prohibited by configuration, user passwords are strong passwords, and users are given proper authority; it is ensured that only users with system access rights can access the application.
10. The method for safety testing of industrial control equipment according to claim 9, characterized in that: the software of the control system is tested; specifically, the control flow chart of the software is decomposed into an inter-process call control flow chart and an intra-process call control flow chart according to the inter-process function call relation and the intra-process basic block jump relation;
characteristic basic blocks are extracted from the inter-process call control flow chart as inter-process judgment blocks, and the inter-process judgment blocks form an inter-process judgment block control flow according to the program execution context; characteristic basic blocks are extracted from the intra-process call control flow chart as in-process judgment blocks, and the in-process judgment blocks form an in-process judgment block control flow according to the program execution context, wherein the judgment block control flows comprise the inter-process judgment block control flow and the in-process judgment block control flow.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010774354.7A CN111966074A (en) | 2020-08-04 | 2020-08-04 | Industrial control equipment safety test system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111966074A (en) | 2020-11-20 |
Family
ID=73363498
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010774354.7A Pending CN111966074A (en) | 2020-08-04 | 2020-08-04 | Industrial control equipment safety test system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111966074A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
CB03 | Change of inventor or designer information | Inventor after: Lin Ruijin, Ye Ruizhe, Sui Tao, Hong Weilin, Lin Haozhen; Inventor before: Lin Ruijin, Ye Ruizhe, Sui Tao |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20201120 |