CN112055003A - Method for generating private protocol fuzzy test case based on byte length classification - Google Patents
Publication number: CN112055003A (application CN202010872171.9A)
Authority: CN (China)
Prior art keywords: byte, length, test case, protocol, private protocol
Legal status: Granted (the status shown is an assumption made by Google, not a legal conclusion)
Classifications
- H04L63/1425 Traffic logging, e.g. anomaly detection (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic)
- H04L63/1433 Vulnerability analysis (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic)
Abstract
The invention discloses a method for generating fuzz test cases for a private (proprietary) protocol based on byte-length classification. The method compares and analyses the characteristics of the private protocol using MSA data-stream comparison to determine whether the byte length of the private protocol is variable; if the byte length of the private protocol is variable, content mutation is applied to the variable field; if the byte length of the private protocol is fixed, both content mutation and mutation of the upper and lower limits of the byte length are applied to the fixed field; a new test case is then generated from the mutated result and sent to the target device, which completes test case generation. The method builds on the high real-time and high-reliability characteristics of the proprietary protocols of industrial control systems to mine vulnerabilities in those protocols, so that vulnerabilities are nipped in the bud.
Description
Technical Field
The invention relates to the technical field of fuzz testing of private protocols, and in particular to a method for generating private-protocol fuzz test cases based on byte-length classification.
Background
In recent years, attacks on programmable controllers in power-grid systems have occurred from time to time, seriously harming national economic construction; for example, the large-area blackout caused by the hacker attack on the Ukrainian power grid shocked the world, and the safe operation of power grids now faces higher requirements.
The invention focuses on research into the communication security of programmable controllers in the power grid and verifies the security of the controllers' communication protocols by experiment in a real environment. For known problems, protective measures can be taken to close the defects and prevent them from being exploited by hackers, but this alone cannot address unknown vulnerabilities.
Fuzz testing is widely used for vulnerability mining, but most existing tests do not consider cross-protocol or multi-protocol testing, which is not suitable for the communication protocols of industrial control systems. The current fuzz testing methods for industrial control systems suffer from fuzz data that is too simple and random, low precision in locating anomalies, low test efficiency and similar defects, especially when generating fuzz test cases for the proprietary protocols of industrial control systems.
The invention therefore provides a method for generating private-protocol fuzz test cases based on byte-length classification that combines the high real-time and high-reliability characteristics of the proprietary protocols of industrial control systems; vulnerability mining is carried out on the private protocol with these test cases so that problems are prevented before they arise. The method places low demands on the technical level of testers: no deep analysis of the protocol is required and no advanced testing technique is needed.
Disclosure of Invention
This section is for the purpose of summarizing some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. In this section, as well as in the abstract and the title of the invention of this application, simplifications or omissions may be made to avoid obscuring the purpose of the section, the abstract and the title, and such simplifications or omissions are not intended to limit the scope of the invention.
The invention is provided in view of the problems of low anomaly-location precision and low testing efficiency in the prior art.
Therefore, the technical problem solved by the invention is as follows: improving the precision of anomaly location and the efficiency of testing.
In order to solve this technical problem, the invention provides the following technical scheme: comparing and analysing the characteristics of a private protocol using an MSA data stream to determine whether the byte length of the private protocol is variable; if the byte length of the private protocol is variable, carrying out content mutation on the variable field; if the byte length of the private protocol is fixed, carrying out content mutation and mutation of the upper and lower limits of the byte length on the fixed field; and generating a new test case from the mutated result and sending the test case to the target device, which completes test case generation.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, the characteristics of the private protocol include a protocol characteristic value, a protocol version number, a field length, a function-code characteristic value and a data value.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, the private-protocol fields include variable-length bytes and constant-length bytes.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, the mutation of the upper and lower limits of a private-protocol field value is defined as breaking the byte-length range specified by the protocol characteristics, lengthening or shortening the byte length, and then mutating the content again.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, the field-format mutation includes mutation according to the class defined by the input field-format call.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, generating new byte data comprises defining a byte-flipping mutation to generate the test case, and generating the new byte data from the designated mutated byte by a binary bit-flipping method.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, the byte-block mutation comprises defining a class that copies a byte block from the default value and moves forward one byte per mutation; where part of the content of the communication protocol is a fixed value, the fields to be mutated are converted to that fixed value and shifted by half a byte at a time.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, executing block-data mutation comprises placing the copied data after the bytes to be mutated, according to the execution block data of the copied part, and then changing the length-describing data.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, the mutation based on the length byte of the seed field comprises defining a base class for executing block mutation, generating a mutated seed in the test case according to the mutation, and performing mutation based on the length byte of the seed field.
In a preferred scheme of the method for generating private-protocol fuzz test cases based on byte-length classification, the sequential mutation comprises a method using the full permutation of 0-9 within a specified length range, and includes a correlation test method and a hierarchical test method.
The beneficial effect of the invention is that the method combines the high real-time and high-reliability characteristics of the proprietary protocols of industrial control systems to mine vulnerabilities in those protocols, so that vulnerabilities are nipped in the bud.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise. Wherein:
FIG. 1 is a flowchart of test case generation for a method for generating a fuzzy test case of a private protocol based on byte length classification according to an embodiment of the present invention;
FIG. 2 is a flow chart of fuzz testing for a method for generating a private protocol fuzz test case based on byte length classification according to an embodiment of the present invention;
FIG. 3 is a diagram of the proprietary-protocol feature recognition and data structure design of a method for generating a proprietary-protocol fuzz test case based on byte length classification according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, specific embodiments accompanied with figures are described in detail below, and it is apparent that the described embodiments are a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present invention, shall fall within the protection scope of the present invention.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those specifically described and will be readily apparent to those of ordinary skill in the art without departing from the spirit of the present invention, and therefore the present invention is not limited to the specific embodiments disclosed below.
Furthermore, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
The present invention will be described in detail with reference to the drawings, wherein the cross-sectional views illustrating the structure of the device are not enlarged partially in general scale for convenience of illustration, and the drawings are only exemplary and should not be construed as limiting the scope of the present invention. In addition, the three-dimensional dimensions of length, width and depth should be included in the actual fabrication.
Meanwhile, in the description of the present invention, it should be noted that the terms "upper, lower, inner and outer" and the like indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of describing the present invention and simplifying the description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation and operate, and thus, cannot be construed as limiting the present invention. Furthermore, the terms first, second, or third are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The terms "mounted", "connected" and "coupled" in the present invention are to be understood broadly unless otherwise explicitly specified or limited; for example, a connection may be fixed, detachable or integral, may be mechanical, electrical or direct, may be indirect through an intervening medium, or may be an internal connection between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to the specific case.
Example 1
For a published industrial control system communication protocol, the content of the protocol is clearly known from the protocol specification, and a test strategy can then be defined; for a proprietary protocol, however, the specification is not available and a preliminary analysis of the protocol is needed. In addition, testers must be familiar with the protocol, and current methods cannot meet the requirements of high standard, high coverage and high efficiency for fuzz testing the proprietary protocols of industrial control systems.
Referring to fig. 1 to 3, an embodiment of the present invention provides a method for generating a private protocol fuzzing test case based on byte length classification, including:
S1: The characteristics of the private protocol are analysed using MSA data-stream comparison to determine whether the byte length of the private protocol is variable. It should be noted that the characteristics of the private protocol include a protocol characteristic value, a protocol version number, a field length, a function-code characteristic value and a data value, and that the private-protocol fields include variable-length bytes and constant-length bytes.
A variable field length in the private protocol means that the byte length of the protocol characteristic is not fixed and can be adjusted as required.
Specifically, the proprietary protocol of an industrial control system is generally more complex than other protocols because of the functional tasks it serves, and its characteristics mainly include the protocol characteristic value, protocol version number, field length, function-code characteristic value and data value. First, characteristic analysis is performed by MSA data-stream comparison on the raw data of the protocol under test, the byte length of each field is identified, and the next operation is then performed.
The byte length of a private-protocol field can be classified as variable-length or constant-length. The byte length of some protocol characteristics is fixed, while the byte length of other fields is adjusted according to the data to be transmitted, and different fields within the same message are related; for example, the value of one field is the length of the next field. The fields with a fixed byte length are separated from the fields whose byte length is not fixed.
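To make step S1 concrete, the following added Python example (written for this page, not code from the patent) classifies each byte position of a set of captured messages as constant or variable and searches for a length field whose value equals the number of bytes that follow it, which is the "value of one field is the length of the next field" relationship described above. The sample captures, the field layout and the function names are constructed assumptions; the patent's own MSA comparison is not reproduced.

```python
from typing import Dict, List, Tuple

# Constructed captures of a hypothetical proprietary protocol (assumption, not from
# the patent): [magic 2B][version 1B][function code 1B][length 1B][payload, `length` bytes]
SAMPLES: List[bytes] = [
    bytes.fromhex("a55a0110" "03" "010203"),
    bytes.fromhex("a55a0110" "05" "0102030405"),
    bytes.fromhex("a55a0120" "02" "aabb"),
    bytes.fromhex("a55a0110" "04" "deadbeef"),
]


def classify_positions(samples: List[bytes]) -> Dict[int, str]:
    """Label each byte offset present in every sample as 'constant' (same value in
    all captures, e.g. a magic number or version) or 'variable' (differs between captures)."""
    if not samples:
        return {}
    width = min(len(s) for s in samples)
    labels: Dict[int, str] = {}
    for off in range(width):
        values = {s[off] for s in samples}
        labels[off] = "constant" if len(values) == 1 else "variable"
    return labels


def find_length_fields(samples: List[bytes], widths=(1, 2)) -> List[Tuple[int, int]]:
    """Return (offset, width) pairs where, in every sample, the big-endian integer at
    that position equals the number of bytes that follow it. Such a field governs the
    byte length of the next field, which is the relationship the classification relies on."""
    if not samples:
        return []
    shortest = min(len(s) for s in samples)
    found: List[Tuple[int, int]] = []
    for w in widths:
        for off in range(0, shortest - w + 1):
            if all(int.from_bytes(s[off:off + w], "big") == len(s) - off - w for s in samples):
                found.append((off, w))
    return found


def group_runs(labels: Dict[int, str], start: int, end: int) -> List[Tuple[str, int, int]]:
    """Merge consecutive offsets carrying the same label into one fixed-length field."""
    runs: List[Tuple[str, int, int]] = []
    for off in range(start, end):
        kind = "fixed-" + labels[off]
        if runs and runs[-1][0] == kind:
            runs[-1] = (kind, runs[-1][1], off + 1)
        else:
            runs.append((kind, off, off + 1))
    return runs


def split_fields(samples: List[bytes]) -> List[Tuple[str, int, int]]:
    """Produce a coarse layout of (kind, start, end) entries. Everything before the
    first length field has a fixed byte length; the bytes that field counts form the
    variable-length field (end = -1 means 'up to the end of the message')."""
    labels = classify_positions(samples)
    length_fields = find_length_fields(samples)
    if not length_fields:
        # No length relationship found: treat the common prefix as fixed-length fields.
        return group_runs(labels, 0, len(labels))
    off, w = length_fields[0]
    layout = group_runs(labels, 0, off)
    layout.append(("length", off, off + w))
    layout.append(("variable-length", off + w, -1))
    return layout


if __name__ == "__main__":
    for field in split_fields(SAMPLES):
        print(field)
```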
S2: if the length of the private protocol byte is variable, carrying out content variation on the variable field; if the private protocol byte length is not changed, the content and the upper and lower limits of the byte length are varied on the unchanged field.
Wherein, the upper and lower limit variation definition of the private protocol field value comprises breaking the byte length range specified by the protocol characteristics, lengthening or shortening the byte length, and varying the content again;
the field format variation comprises the variation according to the class defined by the input field format call;
the new byte data comprises a defined byte turning mutation generation test case, and new byte data is generated according to a binary bit turning method based on the specified variant byte;
the byte block mutation comprises, defining to copy a byte block from a default value, each mutation moving forward one byte class; if some contents in the communication protocol are fixed values, the fields to be mutated are converted into fixed values, and the fields are shifted by half a byte at a time.
Performing block data mutation comprises, according to the block data of the copy part during mutation, placing the copied data after the bytes needing mutation, and changing the data of the description length;
the variation based on the length byte of the seed field comprises defining base classes based on the execution block mutation, generating varied seeds in the test case according to the variation, and performing the variation based on the length byte of the seed field.
The sequence variation comprises a method of utilizing 0-9 full arrangement in a range based on a specified length, and comprises a correlation test method and a hierarchical test method.
Specifically, for a field with a fixed byte length of the field, only the variation of the content is performed to generate a test case, the variation of the upper and lower limits of the length is not considered any more, if the length of the field exceeds the length of the field, the exceeding part is analyzed according to the next characteristic value during protocol analysis, the content of the variation of the field is not changed any more, and the variation of the next field can be reflected in the numerical variation of the next field. Based on the field with unfixed byte length, we need to perform variation of the upper and lower limits of the field length in addition to the variation of the content. The variation of the upper and lower limits of the field length is defined, which mainly breaks the length range specified by the protocol, and new content variation is carried out once every adding or reducing one byte outside the specified length range of the protocol.
The content-mutation strategy comprises several mutation methods, mainly the following:
1. Define a class that performs bit-flipping mutation of N consecutive bits of a field; once the field to be mutated is designated, a binary flip operation is applied to that field to generate test cases.
2. Define a class that copies a byte block from the default value and moves forward one byte per mutation; where part of the content of the communication protocol is a fixed value, the field to be mutated is converted to that fixed value and shifted by half a byte at a time.
3. Define the use of several repeated execution-block copies; each time a test case is mutated, only the fields that need mutation undergo the repeated execution-block copy, while the fields that are not mutated are carried over as they are, so that the integrity of the communication message is preserved.
4. Define a base class for executing block mutation; the test case generated by the mutation is further mutated, using the mutated seed, on the basis of the length byte of the seed field.
5. Define deleting one byte block from the default value and moving forward one byte per mutation; when the communication message contains several byte blocks, a given byte block is deleted to generate a new test case.
6. Define setting one byte block from the default value to a specific value and moving forward one byte per mutation; the field to be mutated is set to a fixed value of the particular protocol, and each mutation moves one byte further.
7. Define flipping a number of consecutive bytes in the message, moving forward one byte per mutation.
8. Mutate according to the class defined by the input field-format call.
Furthermore, in the first method the test case is generated by byte-flipping mutation: new byte data is produced from the designated mutated byte by binary bit flipping, and that new byte data forms the new test case. In the second method, the content of the byte to be mutated is converted to a fixed value, such as the function-code identification character; during mutation the value is moved backward by 1 bit at a time starting from the first bit of the mutated byte, then by 2 bits from the first bit, and so on, until the next shift would exceed the byte length counted from the first bit of the mutated byte. In the third method, the execution block data of the copied part is placed after the bytes to be mutated and the length-describing data is then changed to form the new test case. In the fourth method, the bytes to be mutated, their length and their value range are determined, and random mutation is performed on that basis to generate a new test case. In the fifth method, one byte is deleted from the bytes to be mutated, new test cases being generated sequentially from beginning to end; then two bytes are deleted, again sequentially from beginning to end, until all of the content to be mutated has been deleted.
The method also covers the related correlation-test and hierarchical-test methods: because the mutation strategy mutates one protocol feature at a time and leaves the other protocol features unchanged, both correlation testing and hierarchical testing are covered.
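The content-mutation strategies and the length upper/lower-limit mutation described above, as an added Python example written for this page (not the patent's implementation). It applies single-feature bit flipping, fixed-value substitution, byte-block copy and byte-block deletion to one field of a seed message, keeps the length byte consistent after insertions and deletions so that only the mutated feature changes, and steps the field length one byte outside an assumed allowed range before re-running content mutation at each new length. The seed message, the field offsets, the allowed length range [2, 6] and the fixed value 0x10 are constructed assumptions.

```python
from typing import Iterator, List, Tuple

# Constructed seed message of a hypothetical proprietary protocol (assumption, not
# from the patent): [magic 2B][version 1B][function code 1B][length 1B][payload]
SEED = bytes.fromhex("a55a0110" "04" "deadbeef")
LEN_OFF = 4        # offset of the one-byte length field
PAYLOAD_OFF = 5    # offset of the variable-length field that the length byte counts
FUNC_VALUE = 0x10  # a fixed protocol value (here the function code) used by strategy 6


def fix_length(msg: bytes) -> bytes:
    """Rewrite the length byte so the header still describes the payload after a byte
    block was inserted or deleted; the message stays well-formed apart from the one
    feature being mutated."""
    return msg[:LEN_OFF] + bytes([(len(msg) - PAYLOAD_OFF) & 0xFF]) + msg[PAYLOAD_OFF:]


def bit_flip(msg: bytes, off: int, length: int, nbits: int = 1) -> Iterator[bytes]:
    """Strategy 1: flip N consecutive bits of the field, sliding one bit per test case."""
    for start in range(0, length * 8 - nbits + 1):
        out = bytearray(msg)
        for b in range(start, start + nbits):
            out[off + b // 8] ^= 0x80 >> (b % 8)
        yield bytes(out)


def set_fixed_value(msg: bytes, off: int, length: int, value: int) -> Iterator[bytes]:
    """Strategy 6: overwrite one byte of the field with a fixed protocol value,
    moving forward one byte per test case."""
    for i in range(length):
        out = bytearray(msg)
        out[off + i] = value
        yield bytes(out)


def block_copy(msg: bytes, off: int, length: int) -> Iterator[bytes]:
    """Strategy 3: copy a byte block of the field and place the copy directly after
    the mutated bytes, then update the length-describing byte."""
    for size in range(1, length + 1):
        for start in range(0, length - size + 1):
            block = msg[off + start:off + start + size]
            yield fix_length(msg[:off + length] + block + msg[off + length:])


def block_delete(msg: bytes, off: int, length: int) -> Iterator[bytes]:
    """Strategy 5: delete one byte from front to back, then two bytes, and so on
    until the whole field has been deleted, updating the length byte each time."""
    for size in range(1, length + 1):
        for start in range(0, length - size + 1):
            yield fix_length(msg[:off + start] + msg[off + start + size:])


def length_bounds(msg: bytes, off: int, length: int, lo: int, hi: int) -> Iterator[bytes]:
    """Upper/lower-limit mutation: make the field one byte shorter than the allowed
    minimum and one byte longer than the allowed maximum, then run content mutation
    (single-bit flips) again on each new length."""
    for n in (lo - 1, hi + 1):
        if n < 0:
            continue
        # Build an n-byte field by repeating/truncating the seed content.
        payload = (msg[off:off + length] * (n // max(length, 1) + 1))[:n]
        out = fix_length(msg[:off] + payload + msg[off + length:])
        yield out
        yield from bit_flip(out, off, n)


def generate_cases(seed: bytes = SEED, lo: int = 2, hi: int = 6) -> List[Tuple[str, bytes]]:
    """Build the full labelled test-case list for the payload field, one feature per case."""
    off, length = PAYLOAD_OFF, len(seed) - PAYLOAD_OFF
    cases: List[Tuple[str, bytes]] = []
    cases += [("bit_flip", c) for c in bit_flip(seed, off, length)]
    cases += [("set_fixed_value", c) for c in set_fixed_value(seed, off, length, FUNC_VALUE)]
    cases += [("block_copy", c) for c in block_copy(seed, off, length)]
    cases += [("block_delete", c) for c in block_delete(seed, off, length)]
    cases += [("length_bounds", c) for c in length_bounds(seed, off, length, lo, hi)]
    return cases


def only_field_changed(seed: bytes, case: bytes, off: int) -> bool:
    """Check the 'one protocol feature at a time' property: bytes before the field
    under mutation are untouched."""
    return case[:off] == seed[:off]


if __name__ == "__main__":
    for name, case in generate_cases():
        print(f"{name:16s} {case.hex()}")
```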
S3: A new test case is generated from the mutated result and sent to the target device, which completes test case generation.
More specifically, as shown in FIG. 2, the target is determined first: the first things a fuzz test must settle are the test target and the test range, because without a test object and test range no fuzz testing tool or technique can be selected. Generally the following need to be considered: the type of target under test, for example what kind of controller it is; whether the communication protocol in use is an application-layer or a transport-layer protocol; and, according to the version information of the programmable controller, whether the target has had vulnerabilities historically and where their causes lay.
In the "identify input" step of FIG. 2, almost all exploitable vulnerabilities arise because the device accepts illegal input and, when processing it, does not first sanitise or otherwise handle the illegal data; enumerating the input data is therefore critical to the success of the fuzz test. If the input data of the target device cannot be located, the fuzz test is seriously affected and vulnerabilities cannot be located accurately. Every input to the target device should be constructed and designed deliberately: the inputs must follow the format of the protocol specification and should contain the message header, parameter information, function codes, data types and so on, and all of this data should be treated as fuzz test cases, i.e. as fuzz-test variables.
As shown in FIG. 2, once the client has identified the input vectors it can generate fuzz-test data from the identification information and can define a data-generation strategy matching the characteristics of the test object, for example generating data dynamically by modifying existing data; whatever strategy is chosen, automation should be introduced into the generation of fuzz-test data. In the "perform fuzz testing" step of FIG. 2, execution may consist of sending a data packet to the target device, initiating the device, or downloading the program. Likewise, since the process involves continuously generating test cases, sending them and monitoring for anomalies, automation of the test process is also important; without it an effective fuzz test cannot be carried out.
In the "detect anomaly" step of FIG. 2, monitoring for faults or anomalies during fuzz testing is essential: if, for example, 10000 fuzz-test packets are sent to the target device and it eventually crashes but there is no way to indicate accurately which packet caused the crash, the test loses its meaning. Monitoring can take various forms and should not depend on the target device or on the chosen type of fuzz testing. As shown in FIG. 2, when a potential vulnerability is detected by the anomaly-monitoring function provided during the fuzz test, it must be determined whether the discovered vulnerability is reproducible: the recurring vulnerability is located first, and replay detection is then performed by the most common means, namely calling a packet replay tool to replay the dumped network packets.
After successful reproduction, whether the bug can be exploited must be judged further; this is a typical manual process requiring professional knowledge in the security field.
As shown in FIG. 3, the protocol features are extracted, the protocol fields are classified according to whether their length is variable, and different mutation strategies are then applied. The invention can be used not only for proprietary protocols but also for public protocols.
Example 2
The technical effects of the method are verified and explained in this embodiment: OpenVAS (Open Vulnerability Assessment System) and the method of the invention are selected for a comparative test, and the results are compared by scientific demonstration to verify the real effect of the method.
OpenVAS (Open Vulnerability Assessment System) is a network scanner with associated tools; its core component is a server containing a set of network vulnerability tests that can detect security problems in remote systems and applications. As shown in FIG. 1, the Kitty fuzz-testing framework is used together with the industrial control protocol components of ISF, alongside a conventional technical scheme, to fuzz-test the Siemens S7comm protocol and mine vulnerabilities. First, Kitty sets up the interface and the target and can establish the three-step connection with the target and the two-step COTP connection; the raw protocol data from the ISF industrial control protocol component is then called, and the fuzz-testing module mutates the raw data according to the mutation method to generate test cases and sends them to the target device, while OpenVAS sends the vulnerability under test directly to the server through its network vulnerability tests. The comparison of the test data is shown in the following table:
| Comparison item | Method of the invention | OpenVAS |
| --- | --- | --- |
| Number of vulnerabilities detected | 3 | 1 |
| Vulnerability database | CVE | NVT |
| Unknown vulnerability detection | Supported | Not supported |
| Manual verification | Required | Not required |
| Time consumed | 24 s | 840 s |
Compared with OpenVAS, the method detects three vulnerabilities, i.e. 2 more, and can detect unknown vulnerabilities; it reduces the time consumed by 816 s compared with the conventional scheme, greatly lowering the time cost. It can fuzz-test a private protocol without deep analysis, avoiding the need for the tester to master the relevant protocol knowledge that conventional fuzz testing requires when generating test cases, which greatly reduces the tester's burden, improves the precision of anomaly location and the test efficiency, and widens the test range.
It should be noted that the above-mentioned embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention, which should be covered by the claims of the present invention.
Claims (10)
1. A method for generating private protocol fuzz test cases based on byte length classification, characterized by comprising the following steps:
comparing and analyzing the characteristics of the private protocol using the MSA data stream to determine whether the byte length of the private protocol is variable;
if the byte length of the private protocol is variable, carrying out content mutation on the variable-length field;
if the byte length of the private protocol is constant, carrying out content mutation and upper- and lower-bound mutation of the byte length on the constant-length field;
and generating a new test case from the mutated result and sending it to the target device, thereby completing the generation of the test case.
2. The byte-length-classification-based private protocol fuzz test case generation method of claim 1, wherein: the characteristics of the private protocol include a protocol characteristic value, a protocol version number, a field length, a function code characteristic value and a data value.
3. The byte-length-classification-based private protocol fuzz test case generation method according to claim 1 or 2, wherein: the fields of the private protocol include variable-length bytes and constant-length bytes.
4. The byte-length-classification-based private protocol fuzz test case generation method of claim 3, wherein: the upper- and lower-bound mutation of a private protocol field value is defined as
breaking the byte length range specified by the protocol characteristics, lengthening or shortening the byte length, and mutating the content of the resulting bytes again.
5. The byte-length-classification-based private protocol fuzz test case generation method of claim 4, wherein: the field format mutation includes mutating according to the class defined by the input field format call.
6. The byte-length-classification-based private protocol fuzz test case generation method of claim 5, wherein: generating the new byte data includes
defining a byte inversion mutation to generate the test case, and generating the new byte data from the specified mutation byte by binary bit inversion.
7. The byte-length-classification-based private protocol fuzz test case generation method of claim 6, wherein: the byte block mutation includes
defining a byte block copied from the default value, each jump moving forward by one byte class;
and, if some content of the communication protocol is a fixed value, converting the field to be mutated into that fixed value and shifting the field by half a byte at a time.
8. The byte-length-classification-based private protocol fuzz test case generation method of claim 7, wherein: performing the block data mutation includes
executing the block data mutation by copying the part to be mutated, placing the copied data after the bytes that need mutation, and changing the data that describes the length.
9. The byte-length-classification-based private protocol fuzz test case generation method of claim 8, wherein: the mutation based on the length bytes of the seed field includes
defining a base class based on the block mutation execution, generating a mutated seed in the test case according to the mutation, and performing the mutation based on the length bytes of the seed field.
10. The byte-length-classification-based private protocol fuzz test case generation method of claim 9, wherein: the sequence mutation includes
using the full permutation of the digits 0-9 within the range given by the specified length, comprising a correlation test method and a layered test method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010872171.9A CN112055003B (en) | 2020-08-26 | 2020-08-26 | Method for generating private protocol fuzzy test case based on byte length classification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112055003A true CN112055003A (en) | 2020-12-08 |
CN112055003B CN112055003B (en) | 2022-12-23 |
Family
ID=73600894
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010872171.9A Active CN112055003B (en) | 2020-08-26 | 2020-08-26 | Method for generating private protocol fuzzy test case based on byte length classification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112055003B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014082908A1 (en) * | 2012-11-28 | 2014-06-05 | Siemens Aktiengesellschaft | Method and apparatus for generating test case for fuzz test |
CN105763392A (en) * | 2016-02-19 | 2016-07-13 | 中国人民解放军理工大学 | Industrial control protocol fuzzing test method based on protocol state |
CN106330601A (en) * | 2016-08-19 | 2017-01-11 | 北京匡恩网络科技有限责任公司 | Test case generating method and device |
CN108173854A (en) * | 2017-12-28 | 2018-06-15 | 广东电网有限责任公司东莞供电局 | Safety monitoring method for power private protocol |
CN109040081A (en) * | 2018-08-10 | 2018-12-18 | 哈尔滨工业大学(威海) | A kind of protocol fields conversed analysis system and method based on BWT |
CN110597734A (en) * | 2019-09-23 | 2019-12-20 | 电子科技大学 | Fuzzy test case generation method suitable for industrial control private protocol |
Non-Patent Citations (2)
Title |
---|
刘金永等: "一种西门子S7私有协议的Fuzzing漏洞检测方法", 《上海电力大学学报》 * |
张亚丰等: "基于范式语法的工控协议Fuzzing测试技术", 《计算机应用研究》 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022247738A1 (en) * | 2021-05-24 | 2022-12-01 | 国网湖北电力有限公司电力科学研究院 | Electric internet-of-things protocol vulnerability detection system and method based on fuzzy testing |
CN113381998A (en) * | 2021-06-08 | 2021-09-10 | 上海天旦网络科技发展有限公司 | Deep learning-based application protocol auxiliary analysis system and method |
CN113381998B (en) * | 2021-06-08 | 2022-11-22 | 上海天旦网络科技发展有限公司 | Deep learning-based application protocol auxiliary analysis system and method |
CN114205340A (en) * | 2021-12-23 | 2022-03-18 | 绿盟科技集团股份有限公司 | Fuzzy test method and device based on intelligent power equipment |
CN114205340B (en) * | 2021-12-23 | 2024-04-02 | 绿盟科技集团股份有限公司 | Fuzzy test method and device based on intelligent power equipment |
CN117453573A (en) * | 2023-12-22 | 2024-01-26 | 信联科技(南京)有限公司 | Fuzzy test case generation method and engine based on protocol feature matching and mutation policy selection |
CN117453573B (en) * | 2023-12-22 | 2024-04-02 | 信联科技(南京)有限公司 | Fuzzy test case generation method and engine based on protocol feature matching and mutation policy selection |
Also Published As
Publication number | Publication date |
---|---|
CN112055003B (en) | 2022-12-23 |
Similar Documents
Publication | Title |
---|---|
CN112055003B (en) | Method for generating private protocol fuzzy test case based on byte length classification |
CN109379329B (en) | Network security protocol fuzzy test method and system based on LSTM |
Yang et al. | Anomaly-based intrusion detection for SCADA systems |
Tavallaee et al. | Toward credible evaluation of anomaly-based intrusion-detection methods |
US10873594B2 (en) | Test system and method for identifying security vulnerabilities of a device under test |
US8006136B2 (en) | Automatic grammar based fault detection and isolation |
US9639456B2 (en) | Network-based testing service and method of testing in a network |
CN113572760B (en) | Device protocol vulnerability detection method and device |
CN112184091A (en) | Industrial control system security threat assessment method, device and system |
CN112749097B (en) | Performance evaluation method and device for fuzzy test tool |
Lim et al. | Attack induced common-mode failures on PLC-based safety system in a nuclear power plant: practical experience report |
CN115065623B (en) | Active and passive combined reverse analysis method for private industrial control protocol |
CN111966604A (en) | Fuzzy industrial control protocol vulnerability mining system |
Iturbe et al. | On the feasibility of distinguishing between process disturbances and intrusions in process control systems using multivariate statistical process control |
CN110572296B (en) | Internet of things terminal equipment communication protocol consistency safety detection method |
CN118101250A (en) | Network security detection method and system |
CN111625448B (en) | Protocol packet generation method, device, equipment and storage medium |
CN113328914A (en) | Fuzzy test method and device for industrial control protocol, storage medium and processor |
CN115514582B (en) | Industrial Internet attack chain correlation method and system based on ATT & CK |
CN112235244A (en) | Construction method of abnormal message, detection method, device and medium of industrial control network equipment |
CN114553551B (en) | Method and device for testing intrusion prevention system |
CN113760753B (en) | QUIC protocol testing method based on gray box blurring technology |
CN113836539A(en) | Power engineering control system leak full-flow disposal system and method based on precise test |
CN118409951B (en) | Typical fuzzy test sample generation method |
CN115426124B (en) | Method and device for predicting abnormal network behavior of user |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |