CN112039916A - Communication method and device based on OPC protocol, electronic equipment and storage medium - Google Patents


Info

Publication number
CN112039916A
Authority
CN
China
Prior art keywords
stage
message
information
communication
port
Legal status
Granted
Application number
CN202010937577.0A
Other languages
Chinese (zh)
Other versions
CN112039916B (en)
Inventor
隋鹤
程卫冰
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The application provides a communication method, a device, electronic equipment and a storage medium based on an OPC protocol, which are applied to gateway equipment, wherein the method comprises the following steps: receiving a first message; determining whether the first message belongs to a communication message of a second stage; when the first message is determined to belong to the communication message of the second stage, searching out the key information of the first stage corresponding to the first tuple information from a first corresponding relation between prestored tuple information and the key information of the first stage according to the first tuple information carried by the first message; determining a security policy of the first stage according to the corresponding key information of the first stage; and processing the first message according to the security policy of the first stage, wherein the security policy of the first stage is inherited by the session of the second stage, so that the communication message of the second stage can pass through the gateway equipment, and finally the client can communicate with the server in the second stage.

Description

Communication method and device based on OPC protocol, electronic equipment and storage medium
Technical Field
The present application relates to the field of network communication and network security technologies, and in particular, to a communication method and apparatus based on an OPC protocol, an electronic device, and a storage medium.
Background
The OLE for Process Control (OPC) protocol, a traditional mainstream industrial control protocol, was jointly established by several companies holding leading technical positions worldwide; those companies also set up the OPC Foundation to manage it, and the OPC protocol is frequently used in industrial control environments. With the development of Industry 4.0 and intelligent manufacturing, more and more industrial environments are moving from closed to open, the traditionally closed industrial control network is combined ever more tightly with the internet, industrial control network security problems are increasingly prominent, and traditional industrial control gateway equipment is gradually merging with internet security equipment.
In the prior art, when a client communicates with a server based on the OPC protocol, in a first stage the client initiates a connection request to a preset port of the server; after both sides establish the connection, they negotiate, through a negotiation message, the server communication port to be accessed in the next stage; the gateway device monitors the negotiation message and dynamically opens the corresponding port of the gateway device according to the negotiated port carried in that message; and in a second stage the client performs data interaction by accessing the negotiated port of the server.
Disclosure of Invention
In view of the above, an object of the embodiments of the present application is to provide a communication method, apparatus, electronic device and storage medium based on an OPC protocol, so as to solve the above problems.
In a first aspect, an embodiment of the present application provides a communication method based on an OPC protocol, which is applied to a gateway device, and the method includes: receiving a first message; determining whether the first message belongs to a communication message of a second stage; when the first message is determined to belong to the communication message of the second stage, searching out the key information of the first stage corresponding to the first tuple information from a first corresponding relation between prestored tuple information and the key information of the first stage according to the first tuple information carried by the first message; determining a security policy of the first stage according to the corresponding key information of the first stage; and processing the first message according to the security policy of the first stage.
In the implementation process, the first corresponding relationship between the first-stage key information and the tuple information is stored in advance, and the security policy of the first stage can be determined from the first-stage key information. When the gateway device determines that the received first packet belongs to the second-stage communication packet, it finds the key information corresponding to the first tuple information carried in the first packet from the first corresponding relationship, determines the security policy of the first stage from that key information, and then processes the first packet according to the security policy of the first stage. Because the security policy of the first stage is thus inherited by the session of the second stage, the communication message of the second stage can pass through the gateway device, and the client is finally ensured to communicate with the server in the second stage.
In a possible design based on the first aspect, after the determining whether the first packet belongs to the second-stage communication packet, the method further includes: when the first message is determined not to belong to the communication message of the second stage, determining whether the first message belongs to a session negotiation message of the first stage according to the type of the first message; when the first message is determined to belong to the session negotiation message of the first stage, analyzing the first message to obtain second tuple information, wherein the second tuple information comprises: a negotiation port, a source IP address, a destination IP address, a source port and a destination port for the second stage communication; determining key information of a first stage corresponding to the source IP address, the destination IP address, the source port and the destination port according to the source IP address, the destination IP address, the source port and the destination port in the second tuple information; and correspondingly storing the second tuple information and the corresponding key information of the first stage. In the implementation process, when determining that the received first message belongs to the session negotiation message of the first stage, the gateway device determines the first-stage key information corresponding to the source IP address, the destination IP address, the source port and the destination port according to the source IP address and the destination IP address, the source port and the destination port in the second tuple information in the first message, and correspondingly stores the second tuple information and the corresponding first-stage key information to ensure that the security policy of the first stage can be inherited by the second-stage session, and then ensures that the second-stage communication message can pass through the gateway device to realize communication with the server.
In a possible design based on the first aspect, before the determining whether the first packet belongs to the second-stage communication packet, the method further includes: analyzing the first message to obtain third tuple information; when it is determined that the third tuple information does not exist in the pre-stored session information, searching for a security policy corresponding to the third tuple information from a corresponding relationship between the pre-stored tuple information and the security policy according to the third tuple information; and storing the third tuple information and the corresponding security policy as first session information.
In the implementation process, the gateway device searches a security policy corresponding to the third tuple information from a pre-stored corresponding relationship between the tuple information and the security policy according to the third tuple information in the first message to be received, and stores the third tuple information and the corresponding security policy as the first session information, so as to ensure that the gateway device can process the communication message according to the security policy in the session information of the first stage when receiving the communication message sent by the client in the second stage, and then ensure that the client can communicate with the server in the second stage.
Based on the first aspect, in one possible design, determining whether the first packet belongs to the communication packet of the second stage includes: determining whether the port information carried in the first message contains a preset port; if the preset port is not included, determining that the first message belongs to the communication message of the second stage; otherwise, the first message is determined not to belong to the communication message of the second stage.
In the implementation process, the client accesses the preset port of the server in the first stage and accesses the preset port which is not the server in the second stage, so that the gateway device can accurately determine whether the received message belongs to the communication message in the second stage.
In a second aspect, an embodiment of the present application provides a communication apparatus based on an OPC protocol, which is applied to a gateway device, and the apparatus includes: a receiving unit, configured to receive a first packet; a first determining unit, configured to determine whether the first packet belongs to a second-stage communication packet; the first searching unit is used for searching the first-stage key information corresponding to the first tuple information from a first corresponding relation between prestored tuple information and the first-stage key information according to the first tuple information carried by the first message when the first message is determined to belong to the second-stage communication message; a second determining unit, configured to determine a security policy of the first stage according to the key information of the corresponding first stage; and the processing unit is used for processing the first message according to the corresponding security policy of the first stage.
Based on the second aspect, in one possible design, the apparatus further includes: a third determining unit, configured to determine, when it is determined that the first packet does not belong to the communication packet in the second stage, whether the first packet belongs to a session negotiation packet in the first stage according to a type of the first packet; a first parsing unit, configured to, when it is determined that the first packet belongs to the session negotiation packet of the first stage, parse the first packet to obtain second tuple information, where the second tuple information includes: a negotiation port, a source IP address and a destination IP address for performing the second stage of communication; a fourth determining unit, configured to determine, according to the source IP address and the destination IP address in the second tuple information, key information of the first stage corresponding to the source IP address, the destination IP address, the source port, and the destination port; and the first storage unit is used for correspondingly storing the second tuple information and the corresponding key information of the first stage.
Based on the second aspect, in one possible design, the apparatus further includes: a second analysis unit, configured to analyze the first message to obtain third tuple information; a second searching unit, configured to search for the security policy corresponding to the third tuple information from the corresponding relation between the pre-stored tuple information and the security policy according to the third tuple information when the third tuple information does not exist in the pre-stored session information; and a second storage unit, configured to store the third tuple information and the corresponding security policy as first session information.
Based on the second aspect, in a possible design, the first determining unit is specifically configured to determine whether port information carried in the first packet includes a preset port; if the preset port is not included, determining that the first message belongs to the communication message of the second stage; otherwise, the first message is determined not to belong to the communication message of the second stage.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor and a memory connected to the processor, where a computer program is stored in the memory, and when the computer program is executed by the processor, the electronic device is caused to perform the method of the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium, in which a computer program is stored, and when the computer program runs on a computer, the computer is caused to execute the method of the first aspect.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a flowchart illustrating a communication method based on an OPC protocol according to an embodiment of the present application.
Fig. 2 is a schematic structural diagram of a communication device based on an OPC protocol according to an embodiment of the present application.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Reference numerals: 200-communication means based on the OPC protocol; 210-a receiving unit; 220-a first determination unit; 230-a first lookup unit; 240-a second determination unit; 250-a processing unit; 300-an electronic device; 301-a processor; 302-a memory; 303-communication interface.
Detailed Description
The technical solution in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, fig. 1 is a flowchart of a communication method based on an OPC protocol according to an embodiment of the present application, where the method is applied to a gateway device. The flowchart shown in fig. 1 will be described in detail below; the method includes steps S11, S12, S13, S14 and S15.
S11: a first message is received.
S12: and determining whether the first message belongs to the communication message of the second stage.
S13: and when the first message is determined to belong to the communication message of the second stage, searching the key information of the first stage corresponding to the first tuple information from a first corresponding relation between the prestored tuple information and the key information of the first stage according to the first tuple information carried by the first message.
S14: and determining the security policy of the first stage according to the corresponding key information of the first stage.
S15: and processing the first message according to the corresponding security policy of the first stage.
The above method is described in detail below.
S11: a first message is received.
The gateway device monitors, in real time or at irregular intervals, the first message sent by the client or the server, and then receives the first message sent by the client or the server.
The first packet may be a communication packet sent by the client to the server based on an Object Linking and Embedding for Process Control (OPC) protocol in the first stage, may also be a communication packet sent by the client to the server based on the OPC protocol in the second stage, and may also be a negotiation packet sent by the server to the client based on the OPC protocol in the first stage.
After receiving the first message, the gateway device performs step S12.
S12: and determining whether the first message belongs to the communication message of the second stage.
As an embodiment, S12 includes: determining whether the port information carried in the first message contains a preset port; if the preset port is not included, determining that the first message belongs to the communication message of the second stage; otherwise, the first message is determined not to belong to the communication message of the second stage.
After receiving the first message, the gateway device analyzes it to obtain the first destination port and the first source port carried in it, and determines whether the first destination port and the first source port include the preset port; if they do not include the preset port, the first message is determined to belong to the second-stage communication message, otherwise it is determined not to belong to the second-stage communication message.
The communication message of the second stage is the communication message that the client, having negotiated with the server in the first stage the server port to be used for second-stage communication, sends to the server in the second stage according to that negotiated server port.
The preset port is set according to a user requirement, in this embodiment, the preset port is a 135 port, and in other embodiments, the preset port may also be another port of the server.
In other embodiments, it may be determined whether the first packet belongs to the second-stage communication packet in other manners.
After determining whether the first message belongs to the second-stage communication message, step S13 is executed.
S13: and when the first message is determined to belong to the communication message of the second stage, searching the key information of the first stage corresponding to the first tuple information from a first corresponding relation between the prestored tuple information and the key information of the first stage according to the first tuple information carried by the first message.
The key information may be session information or a storage address of the session information.
When the first message is determined to belong to the communication message of the second stage, the first tuple information in the first message is obtained, wherein the first tuple information comprises a first source port, a first destination port, a first source IP address and a first destination IP address. These four values are respectively compared with the tuple information in the first corresponding relation of tuple information and first-stage key information stored in advance, so as to determine target tuple information simultaneously containing the first source port, the first destination port, the first source IP address and the first destination IP address; the first-stage key information corresponding to the target tuple information is then searched out from the first corresponding relation, and this first-stage key information corresponding to the target tuple information is the first-stage key information corresponding to the first tuple information.
When the tuple information is compared, no distinction is made as to whether a port is the destination port or the source port, nor whether an IP address is the source IP address or the destination IP address.
As an embodiment, if the first tuple information further includes the name of the OPC protocol, then after the first tuple information is acquired, the first source port, the first destination port, the first source IP address, the first destination IP address and the name of the OPC protocol are respectively compared with the tuple information in the first corresponding relationship between the pre-stored tuple information and the key information of the first stage, to determine target tuple information that includes, at the same time, the first source port, the first destination port, the first source IP address, the first destination IP address and the name of the OPC protocol.
S14: and determining the security policy of the first stage according to the corresponding key information of the first stage.
When the key information is session information, as an implementation manner, a security policy is extracted from the corresponding key information of the first stage, that is, the security policy of the first stage is extracted.
When the key information is the storage address of the session information, as an implementation manner, according to the key information, the target session information whose storage address is the key information is found, and then the security policy is extracted from the target session information, that is, the security policy in the first stage is obtained. After finding out the security policy of the first phase, the gateway device performs step S15.
S15: and processing the first message according to the security policy of the first stage.
The method for processing the first packet according to the security policy is well known in the art, and therefore, will not be described herein again.
As an embodiment, before S12, the method further includes the steps of: a1, a2 and A3.
A1: and analyzing the first message to obtain third tuple information.
After receiving the first message, the gateway device analyzes it in real time or at irregular intervals and extracts the third tuple information from it according to the message structure of the first message, wherein the third tuple information includes: a first source IP address, a first destination IP address, a first source port, and a first destination port.
Wherein the third tuple information may further include: OPC protocol name.
After the third tuple information is obtained, step A2 is performed.
A2: and when it is determined that the third tuple information does not exist in the pre-stored session information, searching for the security policy corresponding to the third tuple information from the corresponding relationship between the pre-stored tuple information and the security policy according to the third tuple information.
That is, when the third tuple information does not exist in the pre-stored session information, the gateway device searches for the security policy corresponding to the third tuple information from the corresponding relation between the pre-stored tuple information and the security policy according to the third tuple information.
As an example, when it is determined that the third tuple information already exists in the pre-stored session information, steps A2 and A3 are not performed, and step S12 is performed directly.
After the corresponding security policy is found, step A3 is performed.
A3: and storing the third tuple information and the corresponding security policy as first session information.
It is understood that the first session information includes: the third tuple information and the corresponding security policy.
As an embodiment, after S12, the method further includes: b1, B2, B3 and B4.
B1: and when the first message is determined not to belong to the communication message of the second stage, determining whether the first message belongs to a session negotiation message of the first stage according to the type of the first message.
When the first message is determined not to belong to the communication message of the second stage, the type of the first message is extracted from the protocol type field of the first message, and it is then determined whether that type is Remote creation instruction Response (the DCOM RemoteCreateInstance response, which carries the server port negotiated for the second stage); if so, the first message is determined to belong to the session negotiation message of the first stage, otherwise it is determined not to belong to the session negotiation message of the first stage.
Step B2 is performed when it is determined that the first message belongs to the session negotiation message of the first phase.
B2: when the first message is determined to belong to the session negotiation message of the first stage, analyzing the first message to obtain second tuple information, wherein the second tuple information comprises: a negotiation port, a source IP address, a destination IP address, a source port, and a destination port for performing the second stage of communication.
As an embodiment, the second tuple information may further include: OPC protocol name.
After the second tuple information is obtained, step B3 is performed.
B3: and determining key information of a first stage corresponding to the source IP address, the destination IP address, the source port and the destination port according to the source IP address, the destination IP address, the source port and the destination port in the second tuple information.
When the key information is session information, as an implementation manner, the key information containing the source IP address, the destination IP address, the source port and the destination port in the second tuple information is found from the pre-stored first-stage key information.
When the key information including the source IP address, the destination IP address, the source port, and the destination port is searched from the key information in the first stage, it is not possible to distinguish whether the port is the destination port or the source port, nor to distinguish whether the IP address is the source IP address or the destination IP address.
When the key information is a storage address of session information, as an implementation manner, according to the source IP address, the destination IP address, the source port, and the destination port in the second tuple information, second target session information including the source IP address, the destination IP address, the source port, and the destination port is found from session information in a first stage stored in advance, and then the storage address of the second target session information, that is, the corresponding key information in the first stage is determined. When second target session information including the source IP address, the destination IP address, the source port, and the destination port is searched from the session information in the first stage, it is not possible to distinguish whether the port is the destination port or the source port, nor to distinguish whether the IP address is the source IP address or the destination IP address.
After the second tuple information and the corresponding first-stage key information are determined, step B4 is performed.
B4: storing the second tuple information and the corresponding key information of the first stage.
And establishing a first corresponding relation between the second tuple information and the corresponding key information of the first stage, and storing the first corresponding relation.
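The following Python simulation is an added illustration and is not part of the patent text. It models the gateway state described in steps S11 to S15, A1 to A3 and B1 to B4: a pre-stored tuple-to-policy table, a first-stage session table keyed without distinguishing source from destination, and the first correspondence from negotiated port to first-stage key information, from which a second-stage packet inherits its policy. It assumes, beyond what the page states, that the second-stage lookup matches on the IP pair plus the negotiated port (the client's second-stage source port is unknown when the negotiation is recorded), that key information takes the storage-address form, that a missing rule or missing negotiation yields "deny", and that a negotiation carried in a denied session is not recorded.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

PRESET_PORT = 135  # first-stage server port from the page (DCOM endpoint mapper)
# The page calls this "Remote creation instruction Response"; the string is only a label here.
NEGOTIATION_TYPE = "RemoteCreateInstance Response"

Endpoints = FrozenSet[Tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    msg_type: str = "data"
    negotiated_port: Optional[int] = None  # only set on a first-stage negotiation response


def endpoints(pkt: Packet) -> Endpoints:
    """Session key that ignores direction: the page matches tuple information without
    distinguishing source from destination, so the server's reply lands on the same
    session as the client's request."""
    return frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})


class OpcGateway:
    def __init__(self, rules: Dict[Tuple[str, str, int], str]):
        # Pre-stored tuple -> security policy. Key: (client IP, server IP, server port).
        self.rules = dict(rules)
        # First session information (A3): endpoint set -> policy ("allow" / "deny").
        self.sessions: Dict[Endpoints, str] = {}
        # First correspondence (B4): (IP pair, negotiated port) -> first-stage key information.
        # Key information is modelled as the session table key, i.e. a storage address (assumption).
        self.negotiated: Dict[Tuple[FrozenSet[str], int], Endpoints] = {}

    def is_second_stage(self, pkt: Packet) -> bool:
        """S12: a packet that does not touch the preset port belongs to the second stage."""
        return PRESET_PORT not in (pkt.src_port, pkt.dst_port)

    def _lookup_policy(self, pkt: Packet) -> str:
        """A2: find the pre-stored policy for this tuple in either direction; default deny."""
        for client, server, sport in ((pkt.src_ip, pkt.dst_ip, pkt.dst_port),
                                      (pkt.dst_ip, pkt.src_ip, pkt.src_port)):
            if (client, server, sport) in self.rules:
                return self.rules[(client, server, sport)]
        return "deny"

    def _inherited_policy(self, pkt: Packet) -> str:
        """S13/S14: locate the first-stage key information via the first correspondence and
        take that session's policy; with no recorded negotiation there is nothing to inherit."""
        ip_pair = frozenset({pkt.src_ip, pkt.dst_ip})
        for port in (pkt.dst_port, pkt.src_port):  # the negotiated port may be on either side
            key_info = self.negotiated.get((ip_pair, port))
            if key_info is not None:
                return self.sessions[key_info]
        return "deny"

    def _record_negotiation(self, pkt: Packet, key_info: Endpoints) -> None:
        """B1..B4: on a first-stage negotiation response, bind the negotiated port to the
        first-stage session so that the second-stage session can inherit its policy."""
        if pkt.msg_type == NEGOTIATION_TYPE and pkt.negotiated_port is not None:
            self.negotiated[(frozenset({pkt.src_ip, pkt.dst_ip}), pkt.negotiated_port)] = key_info

    def process(self, pkt: Packet) -> str:
        """S11..S15: return the verdict applied to one packet."""
        key = endpoints(pkt)                      # A1: third tuple information
        if key in self.sessions:                  # known session: reuse its stored policy
            policy = self.sessions[key]
        elif self.is_second_stage(pkt):           # S12 -> S13/S14: inherit first-stage policy
            policy = self._inherited_policy(pkt)
        else:
            policy = self._lookup_policy(pkt)     # A2: first-stage rule lookup
        self.sessions[key] = policy               # A3: store session information
        if policy == "allow" and not self.is_second_stage(pkt):
            self._record_negotiation(pkt, key)    # denied sessions never open a port (assumption)
        return policy


def run_demo() -> list:
    """Constructed traffic: 10.0.0.1 is an allowed client of server 10.0.0.2, 10.0.0.3 is not."""
    gw = OpcGateway({("10.0.0.1", "10.0.0.2", PRESET_PORT): "allow"})
    flow = [
        Packet("10.0.0.1", "10.0.0.2", 49152, 135),            # stage 1 request to preset port
        Packet("10.0.0.2", "10.0.0.1", 135, 49152,             # negotiation reply, same session
               msg_type=NEGOTIATION_TYPE, negotiated_port=50234),
        Packet("10.0.0.1", "10.0.0.2", 49153, 50234),          # stage 2: inherits "allow"
        Packet("10.0.0.2", "10.0.0.1", 50234, 49153),          # stage 2 reply, direction ignored
        Packet("10.0.0.3", "10.0.0.2", 49153, 50234),          # other client: no negotiation
        Packet("10.0.0.1", "10.0.0.2", 49154, 50999),          # port never negotiated
    ]
    return [gw.process(p) for p in flow]
```

The last two packets show the property the page relies on: a dynamic port is only reachable through the gateway for the client and server pair whose allowed first-stage session negotiated it.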
Referring to fig. 2, fig. 2 is a block diagram of a communication device 200 based on the OPC protocol according to an embodiment of the present disclosure. The block diagram of fig. 2 is explained below; the apparatus shown comprises:
A receiving unit 210, configured to receive a first message.
The first determining unit 220 is configured to determine whether the first packet belongs to the second-stage communication packet.
The first searching unit 230 is configured to, when it is determined that the first packet belongs to the second-stage communication packet, search, according to first tuple information carried in the first packet, first-stage key information corresponding to the first tuple information from a first correspondence between pre-stored tuple information and the first-stage key information.
A second determining unit 240, configured to determine the security policy of the first stage according to the key information of the corresponding first stage.
A processing unit 250, configured to process the first packet according to the security policy of the corresponding first phase.
As an embodiment, the apparatus further comprises: a third determining unit, configured to determine, when it is determined that the first packet does not belong to the communication packet in the second stage, whether the first packet belongs to a session negotiation packet in the first stage according to a type of the first packet; a first parsing unit, configured to, when it is determined that the first packet belongs to the session negotiation packet of the first stage, parse the first packet to obtain second tuple information, where the second tuple information includes: a negotiation port, a source IP address and a destination IP address for performing the second stage of communication; a fourth determining unit, configured to determine, according to the source IP address and the destination IP address in the second tuple information, key information of the first stage corresponding to the source IP address, the destination IP address, the source port, and the destination port; and the first storage unit is used for correspondingly storing the second tuple information and the corresponding key information of the first stage.
As an embodiment, the apparatus further comprises: a second parsing unit, configured to parse the first message to obtain third triplet information; a second searching unit, configured to, when the third triplet information does not exist in the pre-stored session information, search for the security policy corresponding to the third triplet information from the correspondence between pre-stored triplet information and security policies according to the third triplet information; and a second storage unit, configured to store the third triplet information and the corresponding security policy as first session information.
As an implementation manner, the first determining unit 220 is specifically configured to determine whether port information carried in the first packet includes a preset port; if the preset port is not included, determining that the first message belongs to the communication message of the second stage; otherwise, the first message is determined not to belong to the communication message of the second stage.
For the process of implementing each function by each functional unit in this embodiment, please refer to the content described in the embodiment shown in fig. 1, which is not described herein again.
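The behaviour described in steps B3 and B4 above and in the units of fig. 2 (a first-stage session lookup that cannot tell source from destination, recording the negotiated port against the first-stage key information, and classifying a packet as second-stage when the preset port is absent) can be modelled as a small stateful gateway. The following Python is an added example, not code from the patent or its assignee. Everything not stated on the page is an assumption of the example: the preset port is taken to be TCP 135 (the DCE/RPC endpoint mapper on which classic OPC over DCOM starts), the `Packet` structure and the policy table keyed by (source IP, destination IP, destination port) are constructed, the key information of the first stage is modelled as the storage key of the first-stage session record, the direction-agnostic key is built from the set of IPs and the set of ports (this example's reading of the "cannot distinguish" statement), and a second-stage packet with no recorded negotiation is denied, a case this section of the page does not describe.

```python
"""
Added example (not code from the patent or its assignee): a minimal model of the
two-stage session handling the description outlines for an OPC/DCOM gateway.

Assumptions the page does not state explicitly:
  * PRESET_PORT is TCP 135, the DCE/RPC endpoint mapper used by classic OPC;
    the dynamically negotiated port carries the second stage.
  * First-stage "key information" is modelled as the storage key of the
    first-stage session record (the second variant in the description).
  * A negotiation packet is a constructed Packet whose negotiated_port field
    stands in for the port that would be parsed from the RPC payload.
  * Lookups ignore which end is source and which is destination; this is
    modelled as a (set of IPs, set of ports) key.
  * A second-stage packet with no recorded negotiation is denied.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

PRESET_PORT = 135  # assumption: DCE/RPC endpoint mapper port

SessionKey = Tuple[FrozenSet[str], FrozenSet[int]]
SecondTuple = Tuple[int, FrozenSet[str]]          # (negotiated port, {IP, IP})
PolicyTable = Dict[Tuple[str, str, int], str]     # (src IP, dst IP, dst port) -> action


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    kind: str = "data"                       # "data" or "negotiation"
    negotiated_port: Optional[int] = None    # only set on negotiation replies


def session_key(pkt: Packet) -> SessionKey:
    """Direction-agnostic first-stage key: request and reply map to one entry."""
    return (frozenset({pkt.src_ip, pkt.dst_ip}), frozenset({pkt.src_port, pkt.dst_port}))


def is_second_stage(pkt: Packet) -> bool:
    """First determining unit: second stage when the preset port is in neither port field."""
    return PRESET_PORT not in (pkt.src_port, pkt.dst_port)


class OpcGateway:
    """Gateway state: first-stage sessions plus the first correspondence table."""

    def __init__(self, policies: PolicyTable) -> None:
        self.policies = policies
        self.sessions: Dict[SessionKey, Dict[str, str]] = {}      # first-stage session info
        self.first_corr: Dict[SecondTuple, SessionKey] = {}        # second tuple -> first-stage key
        self.second_stage_sessions: Dict[SessionKey, Dict[str, str]] = {}

    def handle(self, pkt: Packet) -> str:
        """Return the action applied to the packet: 'allow' or 'deny'."""
        if is_second_stage(pkt):
            return self._handle_second_stage(pkt)
        return self._handle_first_stage(pkt)

    def _handle_first_stage(self, pkt: Packet) -> str:
        key = session_key(pkt)
        if key not in self.sessions:
            # No session yet: resolve the policy from the triplet table and
            # store it as first session information (claim 3).
            triplet = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
            self.sessions[key] = {"policy": self.policies.get(triplet, "deny")}
        if pkt.kind == "negotiation" and pkt.negotiated_port is not None:
            # Steps B3/B4: bind the second tuple (negotiated port, both IPs)
            # to the first-stage key so the later session can inherit its policy.
            second_tuple: SecondTuple = (pkt.negotiated_port, frozenset({pkt.src_ip, pkt.dst_ip}))
            self.first_corr[second_tuple] = key
        return self.sessions[key]["policy"]

    def _handle_second_stage(self, pkt: Packet) -> str:
        ips = frozenset({pkt.src_ip, pkt.dst_ip})
        # The negotiated port sits in either field depending on packet direction.
        for port in (pkt.dst_port, pkt.src_port):
            first_key = self.first_corr.get((port, ips))
            if first_key is not None and first_key in self.sessions:
                policy = self.sessions[first_key]["policy"]
                # The second-stage session inherits the first-stage policy.
                self.second_stage_sessions.setdefault(session_key(pkt), {"policy": policy})
                return policy
        return "deny"  # assumption: no inherited policy means the packet is dropped


if __name__ == "__main__":
    gw = OpcGateway({("10.0.0.5", "10.0.0.20", PRESET_PORT): "allow"})  # constructed policy
    flow = [  # constructed packet sequence
        Packet("10.0.0.5", "10.0.0.20", 49152, PRESET_PORT),                        # client -> EPM
        Packet("10.0.0.20", "10.0.0.5", PRESET_PORT, 49152, "negotiation", 50000),  # EPM reply
        Packet("10.0.0.5", "10.0.0.20", 49153, 50000),                              # second stage
        Packet("10.0.0.7", "10.0.0.20", 40000, 50000),                              # no negotiation
    ]
    for p in flow:
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} {gw.handle(p)}")
```

The point the example makes for a defender is that the gateway never needs a standing rule for the dynamic port range: a packet on a non-preset port is forwarded only when a negotiation observed on the preset port already bound that port and that pair of hosts to a first-stage session, and the unrelated host in the last constructed packet is dropped even though it targets the same negotiated port.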
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device 300 according to an embodiment of the present disclosure, where the electronic device 300 may be a site server in the above embodiment, and the electronic device 300 may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or the like.
The electronic device 300 may include: a memory 302, a processor 301, a communication interface 303, and a communication bus for enabling communication between these components.
The memory 302 is used for storing various data, such as the computer program instructions corresponding to the communication method and apparatus based on the OPC protocol provided in the embodiment of the present application, where the memory 302 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), and the like.
The processor 301 is configured to read and execute computer program instructions corresponding to the OPC protocol-based communication method and apparatus stored in the memory, so as to receive the first message; determining whether the first message belongs to a communication message of a second stage; when the first message is determined to belong to the communication message of the second stage, searching out the key information of the first stage corresponding to the first tuple information from a first corresponding relation between prestored tuple information and the key information of the first stage according to the first tuple information carried by the first message; determining a security policy of the first stage according to the corresponding key information of the first stage; and processing the first message according to the security policy of the first stage.
The processor 301 may be an integrated circuit chip having signal processing capabilities. The processor 301 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
A communication interface 303 for receiving or transmitting data.
In addition, a storage medium is provided in an embodiment of the present application, and a computer program is stored in the storage medium, and when the computer program runs on a computer, the computer is caused to execute the method provided in any embodiment of the present application.
To sum up, the OPC protocol-based communication method, apparatus, electronic device, and storage medium provided in the embodiments of the present application store in advance a first correspondence between tuple information and the key information of the first stage, from which the security policy of the first stage can be determined. When the gateway device determines that a received first packet belongs to the communication packet of the second stage, it finds the key information of the first stage corresponding to the first tuple information carried in the first packet from the first correspondence, determines the security policy of the first stage from that key information, and processes the first message according to that security policy. The security policy of the first stage is thus inherited by the session of the second stage, so the communication message of the second stage can pass through the gateway device and the client can communicate with the server in the second stage.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based devices that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.

Claims (10)

1. A communication method based on OPC protocol, applied to a gateway device, the method comprising:
receiving a first message;
determining whether the first message belongs to a communication message of a second stage;
when the first message is determined to belong to the communication message of the second stage, searching out the key information of the first stage corresponding to the first tuple information from a first corresponding relation between prestored tuple information and the key information of the first stage according to the first tuple information carried by the first message;
determining a security policy of the first stage according to the corresponding key information of the first stage;
and processing the first message according to the security policy of the first stage.
2. The method of claim 1, wherein after the determining whether the first packet belongs to the second-stage communication packet, the method further comprises:
when the first message is determined not to belong to the communication message of the second stage, determining whether the first message belongs to a session negotiation message of the first stage according to the type of the first message;
when the first message is determined to belong to the session negotiation message of the first stage, analyzing the first message to obtain second tuple information, wherein the second tuple information comprises: a negotiation port, a source IP address and a destination IP address, a source port and a destination port for the second stage communication;
determining key information of a first stage corresponding to the source IP address, the destination IP address, the source port and the destination port according to the source IP address, the destination IP address, the source port and the destination port in the second tuple information;
and correspondingly storing the second tuple information and the corresponding key information of the first stage.
3. The method of claim 1, wherein prior to said determining whether the first message belongs to a second-stage communication message, the method further comprises:
parsing the first message to obtain third triplet information;
when it is determined that the third triplet information does not exist in the pre-stored session information, according to the third triplet information, searching for a security policy corresponding to the third triplet information from a corresponding relationship between the pre-stored tuple information and the security policy;
and storing the third triplet information and the corresponding security policy as first session information.
4. The method of claim 1, wherein determining whether the first message belongs to a second-stage communication message comprises:
determining whether the port information carried in the first message contains a preset port; if the preset port is not included, determining that the first message belongs to the communication message of the second stage; otherwise, the first message is determined not to belong to the communication message of the second stage.
5. A communication apparatus based on OPC protocol, applied to a gateway device, the apparatus comprising:
a receiving unit, configured to receive a first packet;
a first determining unit, configured to determine whether the first packet belongs to a second-stage communication packet;
the first searching unit is used for searching the first-stage key information corresponding to the first tuple information from a first corresponding relation between prestored tuple information and the first-stage key information according to the first tuple information carried by the first message when the first message is determined to belong to the second-stage communication message;
a second determining unit, configured to determine a security policy of the first stage according to the key information of the corresponding first stage;
and the processing unit is used for processing the first message according to the corresponding security policy of the first stage.
6. The apparatus of claim 5, further comprising:
a third determining unit, configured to determine, when it is determined that the first packet does not belong to the communication packet in the second stage, whether the first packet belongs to a session negotiation packet in the first stage according to a type of the first packet;
a first parsing unit, configured to, when it is determined that the first packet belongs to the session negotiation packet of the first stage, parse the first packet to obtain second tuple information, where the second tuple information includes: a negotiation port, a source IP address and a destination IP address for performing the second stage of communication;
a fourth determining unit, configured to determine, according to the source IP address and the destination IP address in the second tuple information, key information of the first stage corresponding to the source IP address, the destination IP address, the source port, and the destination port;
and the first storage unit is used for correspondingly storing the second tuple information and the corresponding key information of the first stage.
7. The apparatus of claim 5, further comprising:
a second parsing unit, configured to parse the first message to obtain third triplet information;
a second searching unit, configured to, when the third triplet information does not exist in the pre-stored session information, search for the security policy corresponding to the third triplet information from the correspondence between pre-stored triplet information and security policies according to the third triplet information;
and a second storage unit, configured to store the third triplet information and the corresponding security policy as first session information.
8. The apparatus according to claim 5, wherein the first determining unit is specifically configured to determine whether port information carried in the first packet includes a preset port; if the preset port is not included, determining that the first message belongs to the communication message of the second stage; otherwise, the first message is determined not to belong to the communication message of the second stage.
9. An electronic device comprising a memory and a processor, the memory having stored therein computer program instructions that, when read and executed by the processor, perform the method of any of claims 1-4.
10. A storage medium having stored thereon computer program instructions which, when read and executed by a computer, perform the method of any one of claims 1-4.
CN202010937577.0A 2020-09-07 2020-09-07 Communication method and device based on OPC protocol, electronic equipment and storage medium Active CN112039916B (en)

Publications (2)

Publication Number Publication Date
CN112039916A true CN112039916A (en) 2020-12-04
CN112039916B CN112039916B (en) 2023-04-07

Family

ID=73585028

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318863A (en) * 2023-02-14 2023-06-23 深圳市利谱信息技术有限公司 OPC industrial security gateway system
CN116318863B (en) * 2023-02-14 2023-10-13 深圳市利谱信息技术有限公司 OPC industrial security gateway system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant