CN112187583A - Method, device and storage medium for recognizing action information in private industrial control protocol - Google Patents


Info

Publication number: CN112187583A
Application number: CN202011059751.2A
Authority: CN (China)
Prior art keywords: industrial control, protocol, information, private, related information
Legal status: Granted; active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN112187583B (en)
Inventor: 李二超
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd (the listed assignees may be inaccurate)
Application filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd; priority to CN202011059751.2A; published as CN112187583A; granted as CN112187583B

Classifications

All under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols; H04L67/02 Protocols based on web technology)
    • H04L43/18 Protocol analysers (H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L63/102 Entity profiles (H04L63/00 Network architectures or network communication protocols for network security; H04L63/10 Controlling access to devices or network resources)
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding (H04L67/14 Session management)
    • H04L67/30 Profiles (H04L67/2866 Architectures; Arrangements)
    • H04L69/22 Parsing or analysis of headers (H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Communication Control (AREA)

Abstract

The invention discloses a method, a device and a storage medium for identifying action information in a private industrial control protocol, which are used for solving the technical problems that the private protocol used in industrial control products cannot be identified and the executed control action cannot be identified in the prior art, and the method comprises the following steps: acquiring a first protocol identification from a received data packet; matching the first protocol identification with a private protocol identification in a pre-configuration file; the pre-configuration file comprises a private protocol identifier used by the existing industrial control product, and a first corresponding relation between industrial control related information and description information; if the matching is successful, determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file, and analyzing the data packet by using the first private protocol to obtain first industrial control related information; and matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information.

Description

Method, device and storage medium for recognizing action information in private industrial control protocol
Technical Field
The invention relates to the field of industrial control security, in particular to a method, a device and a storage medium for identifying action information in a private industrial control protocol.
Background
With the continuous intersection and fusion of industrialization and informatization processes, more and more information technologies are applied to the industrial control field. Moreover, as industrial control systems are increasingly integrated into enterprise management systems, industrial control systems are increasingly open and exchange data with an intranet or even the internet.
In the traditional industrial control industry, because industrial control systems were closed and stable, many industrial control products, such as Programmable Logic Controllers (PLC), Distributed Control Systems (DCS) and Supervisory Control And Data Acquisition (SCADA) systems, communicate with one another using private protocols.
Generally, large industrial control manufacturers do not publish the details of the protocols used in their industrial control products, for security reasons. In many industrial control network security scenarios, it is necessary to monitor the traffic in the industrial control network and analyze, in real time, the communication protocols used and the control actions executed among the various industrial control assets. Because detailed information on the protocols used in industrial control products cannot be obtained, the private protocols used in those products cannot be identified, and neither can the control actions they carry.
In view of this, how to identify the control action transmitted in the private protocol in the industrial control network becomes a technical problem to be solved urgently.
Disclosure of Invention
The invention provides a method, a device and a storage medium for identifying action information in a private industrial control protocol, which are used for solving the technical problems that the private protocol used in industrial control products cannot be identified and executed control actions cannot be identified in the prior art.
In a first aspect, to solve the above technical problem, an embodiment of the present invention provides a method for identifying action information in a private industrial control protocol, where the technical solution of the method is as follows:
acquiring a first protocol identification from a received data packet;
matching the first protocol identification with a private protocol identification in a pre-configuration file; the pre-configuration file comprises a private protocol identifier used by an existing industrial control product, and a first corresponding relation between industrial control related information and description information;
if the matching is successful, determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file, and analyzing the data packet by using the first private protocol to obtain first industrial control related information;
and matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information according to the first description information.
In a possible implementation manner, the industrial control related information includes an industrial control instruction, an industrial control object address, and an industrial control parameter.
In one possible embodiment, before acquiring the first protocol identifier from the received data packet, the method further includes:
configuring protocol entry information of the private protocol;
configuring the industrial control related information according to information input by a user;
and writing the configured protocol entry information and the industrial control related information into a specified configuration file to obtain the pre-configuration file.
In one possible embodiment, configuring the protocol entry information of the private protocol includes:
determining a protocol type of the private protocol based on the protocol identification information input by the user; wherein the protocol types comprise a MAC layer protocol and an application layer protocol;
if the private protocol is an application layer protocol, configuring an entrance of the private protocol based on the transport layer type information and the transport layer port number information input by the user; wherein the transport layer types include TCP and UDP;
and if the private protocol is a MAC layer protocol, performing entry configuration on the private protocol according to the protocol identification information.
In one possible implementation manner, configuring the industrial control related information according to information input by a user includes:
configuring the industrial control instruction in the industrial control related information according to a first data length, a first data value, second description information and a first offset relative to a message header, all input by the user for the industrial control instruction; the second description information is used for describing the function of the industrial control instruction; if the private protocol is an application layer protocol, the message header is an application layer message header, and if the private protocol is a MAC layer protocol, the message header is a MAC layer message header;
configuring the industrial control object address in the industrial control related information according to a second data length, a second data value, third description information and a second offset relative to the message header, all input by the user for the industrial control object address; the third description information is used for describing the control object corresponding to the industrial control object address, and the control object executes an action according to the industrial control instruction;
configuring the industrial control parameter in the industrial control related information according to a third data length, a third data value, fourth description information and a third offset relative to the message header, all input by the user for the industrial control parameter; and the fourth description information is used for describing the function achieved when the industrial control instruction is executed with the industrial control parameter.
In one possible embodiment, the method further comprises:
identifying the execution action corresponding to each execution action information;
when the execution action is identified as not belonging to the actions in the preset execution action set, determining the execution action to be a dangerous operation, and sending prompt information to the user; the actions in the preset execution action set are those acquired from the industrial control network within a set time period.
In one possible embodiment, the method further comprises:
identifying an execution control object and a controlled object corresponding to the execution action;
if the control object is not in a preset white list, determining that the control object is an illegal asset;
if the controlled object is not in a preset white list, determining that the controlled object is the illegal asset;
and reporting the illegal assets to the user.
In a second aspect, an embodiment of the present invention provides an apparatus for identifying action information in a private industrial control protocol, where the apparatus includes:
a receiving unit, configured to obtain a first protocol identifier from a received data packet;
the matching unit is used for matching the first protocol identifier with a private protocol identifier in a pre-configuration file; the pre-configuration file comprises a private protocol identifier used by an existing industrial control product, and a first corresponding relation between industrial control related information and description information;
the analysis unit is used for determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file if the matching is successful, and analyzing the data packet by using the first private protocol to obtain first industrial control related information;
and the processing unit is used for matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information according to the first description information.
In a possible implementation manner, the industrial control related information includes an industrial control instruction, an industrial control object address, and an industrial control parameter.
In a possible embodiment, the apparatus further comprises a pre-configuration unit configured to:
configuring protocol entry information of the private protocol;
configuring the industrial control related information according to information input by a user;
and writing the configured protocol entry information and the industrial control related information into a specified configuration file to obtain the pre-configuration file.
In a possible embodiment, the pre-configuration unit is further configured to:
determining a protocol type of the private protocol based on the protocol identification information input by the user; wherein the protocol types comprise a MAC layer protocol and an application layer protocol;
if the private protocol is an application layer protocol, configuring an entrance of the private protocol based on the transport layer type information and the transport layer port number information input by the user; wherein the transport layer types include TCP and UDP;
and if the private protocol is a MAC layer protocol, performing entry configuration on the private protocol according to the protocol identification information.
In a possible embodiment, the pre-configuration unit is further configured to:
configuring the industrial control instruction in the industrial control related information according to a first data length, a first data value, second description information and a first offset relative to a message header, all input by the user for the industrial control instruction; the second description information is used for describing the function of the industrial control instruction; if the private protocol is an application layer protocol, the message header is an application layer message header, and if the private protocol is a MAC layer protocol, the message header is a MAC layer message header;
configuring the industrial control object address in the industrial control related information according to a second data length, a second data value, third description information and a second offset relative to the message header, all input by the user for the industrial control object address; the third description information is used for describing the control object corresponding to the industrial control object address, and the control object executes an action according to the industrial control instruction;
configuring the industrial control parameter in the industrial control related information according to a third data length, a third data value, fourth description information and a third offset relative to the message header, all input by the user for the industrial control parameter; and the fourth description information is used for describing the function achieved when the industrial control instruction is executed with the industrial control parameter.
In one possible embodiment, the processing unit is further configured to:
identifying the execution action corresponding to each execution action information;
when the execution action is identified as not belonging to the actions in the preset execution action set, determining the execution action to be a dangerous operation, and sending prompt information to the user; the actions in the preset execution action set are those acquired from the industrial control network within a set time period.
In one possible embodiment, the processing unit is further configured to:
identifying an execution control object and a controlled object corresponding to the execution action;
if the control object is not in a preset white list, determining that the control object is an illegal asset;
if the controlled object is not in a preset white list, determining that the controlled object is the illegal asset;
and reporting the illegal assets to the user.
In a third aspect, an embodiment of the present invention further provides a device for identifying action information in a private industrial control protocol, where the device includes:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method according to the first aspect by executing the instructions stored by the memory.
In a fourth aspect, an embodiment of the present invention further provides a readable storage medium, including:
a memory for storing instructions that, when executed by a processor, cause an apparatus comprising the readable storage medium to perform the method as described in the first aspect above.
Through the technical solutions in one or more of the above embodiments of the present invention, the embodiments of the present invention have at least the following technical effects:
in the embodiment provided by the invention, the first protocol identification is obtained from the received data packet; matching the first protocol identification with a private protocol identification in the pre-configuration file; after the matching is successful, determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file, and analyzing the data packet by using the first private protocol to obtain first industrial control related information; matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information according to the first description information; the pre-configuration file comprises a private protocol identifier used by the existing industrial control product, and a first corresponding relation between industrial control related information and description information. Therefore, the private protocols used in existing industrial control products can be identified, and the communication protocols and execution action information among various industrial control products can be analyzed in real time.
Drawings
Fig. 1 is a flowchart of a method for identifying action information in a private industrial control protocol according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a connection of industrial control products according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for identifying action information in a private industrial control protocol according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method, a device and a storage medium for identifying action information in a private industrial control protocol, which aim to solve the technical problems that the private protocol used in industrial control products cannot be identified and executed control actions cannot be identified in the prior art.
In order to solve the technical problems, the general idea of the embodiment of the present application is as follows:
the method for recognizing the action information in the private industrial control protocol comprises the following steps: acquiring a first protocol identification from a received data packet; matching the first protocol identification with a private protocol identification in a pre-configuration file; the pre-configuration file comprises a private protocol identifier used by the existing industrial control product, and a first corresponding relation between industrial control related information and description information; if the matching is successful, determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file, and analyzing the data packet by using the first private protocol to obtain first industrial control related information; and matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information according to the first description information.
In the scheme, the first protocol identifier is obtained from the received data packet; matching the first protocol identification with a private protocol identification in the pre-configuration file; after the matching is successful, determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file, and analyzing the data packet by using the first private protocol to obtain first industrial control related information; matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information according to the first description information; the pre-configuration file comprises a private protocol identifier used by the existing industrial control product, and a first corresponding relation between industrial control related information and description information. Therefore, the private protocols used in existing industrial control products can be identified, and the communication protocols and execution action information among various industrial control products can be analyzed in real time.
In order to better understand the technical solutions of the present invention, the following detailed descriptions of the technical solutions of the present invention are provided with the accompanying drawings and the specific embodiments, and it should be understood that the specific features in the embodiments and the examples of the present invention are the detailed descriptions of the technical solutions of the present invention, and are not limitations of the technical solutions of the present invention, and the technical features in the embodiments and the examples of the present invention may be combined with each other without conflict.
Referring to fig. 1, an embodiment of the present invention provides a method for identifying action information in a private industrial control protocol, where the processing procedure of the method is as follows.
Step 101: a first protocol identification is obtained from the received data packet.
Data packets transmitted in a network usually carry an identifier of a protocol used for generating the data packets, or specific port information capable of uniquely identifying the used protocol, where the protocol identifier or the specific port information of the protocol is a first protocol identifier in the present application.
Step 102 may be performed after obtaining the first protocol identification from the received data packet.
Step 102: matching the first protocol identification with a private protocol identification in a pre-configuration file; the pre-configuration file comprises a private protocol identifier used by the existing industrial control product, and a first corresponding relation between industrial control related information and description information.
In this example, the industrial control related information includes an industrial control instruction, an industrial control object address, and an industrial control parameter.
Step 103: and if the matching is successful, determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file, and analyzing the data packet by using the first private protocol to obtain first industrial control related information.
Step 104: and matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information according to the first description information.
In an industrial control product, a control device executes a desired action, which is usually realized by at least one instruction. The content of the instruction comprises a control object address, an instruction and corresponding control parameters. In order to identify, from a private protocol, the action that an operator requires the controlled party to execute, the content of the instruction is divided into the industrial control instruction, the industrial control parameter and the industrial control object address, and these are configured in advance. Because these contents are carried by different protocols on the network, the corresponding transport protocol must first be unpacked; the unpacked data can then be further analyzed using the configured industrial control related parameters, so that the execution action carried in the data packet is correctly identified. Before acquiring the first protocol identifier from the received data packet, the pre-configuration file needs to be generated, which may be done by the following steps a1 and a2:
a1, configuring the protocol entry information of the private protocol; configuring industrial control related information according to information input by a user;
a2, writing the configured protocol entry information and industrial control related information into the designated configuration file to obtain a pre-configuration file.
Further, for the parameters that need to be configured in the pre-configuration file, the implementation details of configuring each parameter may be:
1. configuring protocol entry information of a private protocol, comprising:
The protocol type of the private protocol can be determined based on the protocol identification information input by the user; the protocol types comprise a MAC layer protocol and an application layer protocol. If the private protocol is an application layer protocol, the entry of the private protocol is configured based on the transport layer type information and the transport layer port number information input by the user, where the transport layer types include TCP and UDP; and if the private protocol is a MAC layer protocol, the entry configuration of the private protocol is performed according to the protocol identification information.
For example, the value of the ether_type field in the identification information input by the user may determine whether the private protocol belongs to the MAC layer or the application layer. If the private protocol is determined to be a MAC layer protocol, the value of the ether_type field is used to perform the entry configuration of the private protocol; if it is determined to be an application layer protocol, the user is required to input whether the transport layer is TCP or UDP and to input the corresponding port number, which completes the protocol entry configuration of the application layer protocol. The configuration information is written into a preset configuration file, which may be an XML configuration file whose main attributes include the transport layer protocol type, the port number, the ether_type value, the protocol name, and the like.
2. According to the information input by the user, the industrial control related information is configured, which comprises the following steps:
in this embodiment, because the industrial control related information includes several parts, such as an industrial control instruction, an industrial control object address, and an industrial control parameter, when implementing the configuration of the industrial control related information, the configuration may be respectively performed for each part, and the specific implementation may be:
(1) Configuring the industrial control instruction: the industrial control instruction in the industrial control related information is configured according to a first data length, a first data value, second description information and a first offset relative to a message header of the industrial control instruction, all input by the user. The second description information describes the function of the industrial control instruction. If the private protocol is an application layer protocol, the message header is the application layer message header; if the private protocol is a MAC layer protocol, the message header is the MAC layer message header.
For example, if the private protocol is an application layer protocol, the user may be required to input the first offset of the industrial control instruction used in the private protocol relative to the application layer header, the first data length of the industrial control instruction, and the different second description information corresponding to the different hexadecimal values of the industrial control instruction; the configuration of the industrial control instruction is completed using this information.
If the private protocol is a MAC layer protocol, the user may be required to input the first offset of the industrial control instruction of the private protocol relative to the MAC layer message header, the first data length of the industrial control instruction, and the different second description information corresponding to the different hexadecimal values of the instruction; the configuration of the industrial control instruction is completed using this information.
After the parameters to be configured have been entered, the configuration can be loaded into the XML configuration file of the background control instruction, whose main attributes include the associated protocol id of the industrial control instruction -> first offset -> first data length -> hexadecimal value -> second description information, and the like.
(2) Configuring the industrial control object address: the industrial control object address in the industrial control related information is configured according to a second data length, a second data value, third description information and a second offset relative to the message header of the industrial control object address, all input by the user. The third description information describes the control object corresponding to the industrial control object address, and the control object executes actions according to the industrial control instruction.
For example, if the private protocol is an application layer protocol, the user may input the second offset of the industrial control object address of the private protocol relative to the application layer message header, the second data length of the industrial control object address, and the different third description information corresponding to the different hexadecimal values of the industrial control object address; the configuration of the industrial control object address is completed using this information.
If the private protocol is a MAC layer protocol, the user may input the second offset of the industrial control object address of the private protocol relative to the MAC layer message header, the second data length of the industrial control object address, and the different third description information corresponding to the different hexadecimal values of the industrial control object address; the configuration of the industrial control object address is completed using this information.
After configuration is finished, the configuration information is loaded into the XML configuration file of the background control address, whose main attributes include the associated protocol id of the industrial control object address -> associated industrial control instruction id -> second offset of the industrial control object address -> second data length -> hexadecimal value -> third description information, and the like.
(3) Configuring the industrial control parameter: the industrial control parameter in the industrial control related information is configured according to a third data length, a third data value, fourth description information and a third offset relative to the message header of the industrial control parameter, all input by the user. The fourth description information describes the function achieved when the industrial control instruction is executed with the industrial control parameter.
For example, if the private protocol is an application layer protocol, the user may input the third offset of the industrial control parameter of the private industrial control protocol relative to the application layer message header, the third data length of the industrial control parameter, and the different fourth description information corresponding to the different hexadecimal values of the parameter; the configuration of the industrial control parameter is completed using this information.
If the private protocol is a MAC layer protocol, the user may input the third offset of the industrial control parameter of the private industrial control protocol relative to the MAC layer message header, the third data length of the industrial control parameter, and the different fourth description information corresponding to the different hexadecimal values of the parameter; the configuration of the industrial control parameter is completed using this information.
After configuration is finished, the configuration information is loaded into the XML configuration file of the background control value, whose main attributes include the associated protocol id of the industrial control parameter -> associated industrial control instruction id -> associated industrial control object address id -> third offset -> third data length -> hexadecimal value -> fourth description information, and the like.
The configuration information is written into the preset configuration file to obtain the pre-configuration file.
Before a received data packet is analyzed, the pre-configuration file is loaded. The first protocol identifier obtained from the data packet is matched with the private protocol identifiers in the pre-configuration file; once the first protocol identifier is matched to a first private protocol, the data packet is analyzed with the first private protocol to obtain first industrial control related information (the values of the industrial control instruction, the industrial control parameter and the industrial control object address, with their corresponding descriptions). The first industrial control related information is then matched against the industrial control related information in the first relation, the first description information corresponding to it is determined, and the corresponding execution action information is generated from the first description information.
Fig. 2 is a schematic diagram of the connection of industrial control products according to an embodiment of the present invention. In the industrial control network of a company shown in Fig. 2, a SCADA system is installed in the control room, and a PLC and the devices A to D directly controlled by the PLC are installed on site. The SCADA system is connected to the PLC through Ethernet, the private protocol 1 in use is an application layer protocol, and a user can start or stop device A on site by operating a virtual button A on the display interface of the SCADA.
Assume that the industrial control instruction controlling start or stop through the virtual button is LD, that LD is located 8 bytes from the application layer header in the data packet sent from the SCADA to the PLC, that the hexadecimal value of LD may be 0 or 1 (0 meaning stop, 1 meaning start), and that the LD instruction occupies 1 byte. The first data length of the industrial control instruction LD input by the user is then 1 byte, the first data value is 0 or 1, the second description information is "stop" for 0 and "start" for 1, and the first offset is 8 bytes; the configuration of the industrial control instruction LD is completed using this information.
As shown in Fig. 2, there are 4 devices controlled by the PLC; assume that in the program device A is identified by SA, device B by SB, device C by SC and device D by SD.
Assume that the industrial control parameter of the industrial control instruction LD is X, that the value of X ranges over SA to SD, that X occupies 2 bytes and that it is located 10 bytes from the header. The third data length of the industrial control parameter input by the user is then 2 bytes, the third data value ranges over SA to SD, the fourth description information corresponding to SA to SD is device A to device D in turn, and the third offset is 10 bytes; the configuration of the industrial control parameter X is completed using this information.
Assume that the control terminal of device A is connected to output terminal 1 of the PLC, so that device A is controlled by the signal output from output terminal 1 of the PLC, that the address of output terminal 1 of the PLC is 0x123F (hexadecimal), that the address occupies 2 bytes and that it is located 12 bytes from the application layer header. For the address of the industrial control object SA the user then inputs a second data length of 2 bytes, a second data value of 0x123F, third description information of "device A" and a second offset of 12 bytes, and the configuration of the address of the industrial control object SA is completed using this information. The other industrial control object addresses are configured in the same way and are not described again.
In this way the configuration of the industrial control instruction LD, its industrial control parameter and the industrial control object address is completed; the configuration information is written into the specified configuration file to obtain the pre-configuration file, and the pre-configuration file is loaded.
When a user presses the virtual button A on the SCADA system to start device A, the data packet is captured on the industrial control network (assuming that the data packet carrying this control action is the one captured), the first protocol identifier obtained from the data packet is successfully matched with private protocol 1 in the configuration file, and the captured data packet is analyzed with private protocol 1 to obtain the first industrial control related information. The first industrial control related information includes the industrial control instruction LD (value 1), the industrial control parameter X (value SA) and the industrial control object address 0x123F. Since the second description information corresponding to LD = 1 is "start", the fourth description information corresponding to the industrial control parameter SA is device A, and the industrial control object address is 0x123F, the first description information is "start device A", and the execution action information corresponding to the first description information is "start device A".
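The worked example above, run end to end as an added Python example (not the patent's code): a constructed pre-configuration file in the XML form the text describes is loaded, a constructed capture of the "start device A" packet is matched to private protocol 1 by its transport-layer entry, its fields are sliced out by offset and length, and the descriptions are combined into execution action information. The XML attribute names, TCP port 5020, the contents of the 8-byte header and the ASCII encoding of SA to SD are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed pre-configuration file in the XML form the text describes: one
# protocol entry (application layer, transport type and port) and, per field,
# offset and length relative to the application layer header plus the first
# relation hexadecimal value -> description. Attribute names, port 5020 and
# the ASCII encoding of SA..SD are assumptions of this example; offsets,
# lengths and values follow the worked example of private protocol 1.
PRECONFIG_XML = """
<preconfig>
  <protocol id="1" name="private protocol 1" layer="application"
            transport="TCP" port="5020">
    <instruction id="LD" offset="8" length="1">
      <value hex="00" desc="stop"/>
      <value hex="01" desc="start"/>
    </instruction>
    <parameter id="X" offset="10" length="2">
      <value hex="5341" desc="device A"/>
      <value hex="5342" desc="device B"/>
      <value hex="5343" desc="device C"/>
      <value hex="5344" desc="device D"/>
    </parameter>
    <address id="SA" offset="12" length="2">
      <value hex="123F" desc="device A"/>
    </address>
  </protocol>
</preconfig>
"""

# Constructed captures of the packet sent when virtual button A is pressed
# (LD = 1) or released (LD = 0): 8-byte application layer header, LD at
# offset 8, one unused byte, X = "SA" at offset 10, address 0x123F at 12.
START_DEVICE_A = bytes(8) + b"\x01" + b"\x00" + b"SA" + b"\x12\x3f"
STOP_DEVICE_A = bytes(8) + b"\x00" + b"\x00" + b"SA" + b"\x12\x3f"


def load_preconfig(xml_text):
    """Load the pre-configuration into {(transport, port): protocol}; each
    protocol carries its fields with kind, offset, length and value map."""
    entries = {}
    for proto in ET.fromstring(xml_text.strip()).findall("protocol"):
        fields = {}
        for kind in ("instruction", "parameter", "address"):
            for f in proto.findall(kind):
                fields[f.get("id")] = {
                    "kind": kind,
                    "offset": int(f.get("offset")),
                    "length": int(f.get("length")),
                    "desc": {v.get("hex").upper(): v.get("desc")
                             for v in f.findall("value")},
                }
        key = (proto.get("transport").upper(), int(proto.get("port")))
        entries[key] = {"name": proto.get("name"), "fields": fields}
    return entries


def match_protocol(preconfig, transport, dst_port):
    """Match the packet's protocol identifier (transport type and destination
    port, the entry of an application layer protocol) against the file."""
    return preconfig.get((transport.upper(), dst_port))


def parse_fields(protocol, payload):
    """Slice each configured field out of the application layer payload and
    look its hexadecimal value up in the first relation. An undescribed value
    is kept with desc None; a payload too short for a field is rejected."""
    parsed = {}
    for fid, spec in protocol["fields"].items():
        start, end = spec["offset"], spec["offset"] + spec["length"]
        if end > len(payload):
            return None
        hexval = payload[start:end].hex().upper()
        parsed[fid] = (spec["kind"], hexval, spec["desc"].get(hexval))
    return parsed


def execution_action(protocol_name, parsed):
    """Combine the descriptions into execution action information such as
    'start device A'; an undescribed value or a missing field kind gives None."""
    by_kind = {}
    for kind, _hexval, desc in parsed.values():
        if desc is None:
            return None
        by_kind[kind] = desc
    if set(by_kind) != {"instruction", "parameter", "address"}:
        return None
    return {"protocol": protocol_name, "instruction": by_kind["instruction"],
            "parameter": by_kind["parameter"], "object": by_kind["address"],
            "action": f"{by_kind['instruction']} {by_kind['parameter']}"}


def identify_action(preconfig, transport, dst_port, payload):
    """Run the method's four steps on one captured application layer payload."""
    proto = match_protocol(preconfig, transport, dst_port)
    if proto is None:
        return None
    parsed = parse_fields(proto, payload)
    return None if parsed is None else execution_action(proto["name"], parsed)
```

A packet on another transport or port, a truncated packet, or a field value absent from the first relation all yield None, so nothing is guessed about an unrecognised message.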
It should be noted that in practical application the industrial control instruction, the industrial control object address and the industrial control parameter are not limited to the literal meanings of those three terms.
In the above manner, the execution action to be performed in the received data packet can be identified in depth; on that basis, whether the execution action is a dangerous operation can further be identified, so that corresponding countermeasures can be taken and network security maintained.
Further, in a possible implementation, the execution action corresponding to each piece of execution action information is identified; when the execution action is identified as not belonging to the actions in a preset execution action set, it is determined to be a dangerous operation and prompt information is sent to the user. The actions in the preset execution action set are collected from the industrial control network within a set time period.
For example, the execution action information transmitted in the industrial control network is collected over one week to form the preset execution action set: say, device A is started at 6 a.m. and stopped at 7 p.m. If on a following day the execution action information identified at 11 p.m. is "start device A", which clearly does not belong to the execution actions in the preset execution action set, the execution action is determined to be a dangerous operation, and prompt information is formed and sent to the user.
After the execution action to be performed in the received data packet has been identified in depth, the control object and the controlled object corresponding to the execution action can be identified, to determine whether either is an illegal asset and whether the communication between them is abnormal, so that the industrial control assets and communications in the network are monitored in real time and network security is improved.
Further, in a possible implementation, the control object and the controlled object corresponding to the execution action are identified; if the control object is not in a preset white list, it is determined to be an illegal asset; if the controlled object is not in the preset white list, it is determined to be an illegal asset; and the illegal assets are reported to the user.
For example, a white list is formed from the existing industrial control products in the industrial control network of a company; when the execution action corresponding to a piece of execution action information analyzed from a data packet is sent by a device outside the white list, that device is determined to be an illegal asset and is reported to the user.
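The two follow-on checks, as an added Python example that is not part of the patent: a preset execution action set is built from one week of identified actions and an off-hours "start device A" is flagged as a dangerous operation, and the sender and receiver of an action are checked against the asset white list. The timestamps, addresses and white list contents are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed one-week record of execution action information identified on
# the industrial control network, as (timestamp, action): device A is
# started at 06:00 and stopped at 19:00 every day. Dates are assumptions.
OBSERVED = [
    (datetime(2020, 9, 21 + day, hour, 0), action)
    for day in range(7)
    for hour, action in ((6, "start device A"), (19, "stop device A"))
]

# Constructed white list of the company's existing industrial control
# products, keyed by the address seen in captured packets (assumed values).
WHITELIST = {"10.0.0.10": "SCADA", "10.0.0.20": "PLC"}

# Time of the later packet in the text's example: 11 p.m. on a following day.
NOW = datetime(2020, 9, 28, 23, 0)


def build_action_set(records, now, window=timedelta(days=7)):
    """Preset execution action set: every (action, hour of day) pair collected
    from the network within the set time period ending at `now`."""
    return {(action, when.hour) for when, action in records
            if now - window <= when <= now}


def check_action(action_set, when, action):
    """Dangerous-operation check: an execution action whose (action, hour)
    pair is not in the preset set yields prompt information, else None."""
    if (action, when.hour) in action_set:
        return None
    return (f"dangerous operation: '{action}' at {when:%Y-%m-%d %H:%M} "
            f"is not in the preset execution action set")


def check_assets(whitelist, control_object, controlled_object):
    """Illegal-asset check: the control object (sender) and controlled object
    (receiver) of an action that are absent from the white list."""
    return [obj for obj in (control_object, controlled_object)
            if obj not in whitelist]


if __name__ == "__main__":
    action_set = build_action_set(OBSERVED, NOW)
    print(check_action(action_set, NOW, "start device A"))
    print(check_assets(WHITELIST, "10.0.0.99", "10.0.0.20"))
```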
Based on the same inventive concept, an embodiment of the present invention provides a device for identifying action information in a private industrial control protocol. Implementation details of the device can be found in the description of the method embodiment and are not repeated; referring to Fig. 3, the device includes:
a receiving unit 301, configured to obtain a first protocol identifier from a received data packet;
a matching unit 302, configured to match the first protocol identifier with a private protocol identifier in a pre-configured file; the pre-configuration file comprises a private protocol identifier used by an existing industrial control product, and a first corresponding relation between industrial control related information and description information;
an analyzing unit 303, configured to determine, if matching is successful, a first private protocol corresponding to the first protocol identifier from the preconfigured file, and analyze the data packet by using the first private protocol to obtain first industrial control related information;
a processing unit 304, configured to match the first industrial control related information with the industrial control related information in the first relationship, determine first description information corresponding to the first industrial control related information, and generate corresponding execution action information according to the first description information.
In a possible implementation manner, the industrial control related information includes an industrial control instruction, an industrial control object address, and an industrial control parameter.
In a possible embodiment, the apparatus further includes a pre-configuration unit 305, and the pre-configuration unit 305 is configured to:
configuring protocol entry information of the private protocol;
configuring the industrial control related information according to information input by a user;
and writing the configured protocol entry information and the industrial control related information into a specified configuration file to obtain the pre-configuration file.
In a possible embodiment, the pre-configuration unit 305 is further configured to:
determining a protocol type of the private protocol based on the protocol identification information input by the user; wherein the protocol types comprise a MAC layer protocol and an application layer protocol;
if the private protocol is an application layer protocol, configuring an entrance of the private protocol based on the transport layer type information and the transport layer port number information input by the user; wherein the transport layer types include TCP and UDP;
and if the private protocol is a MAC layer protocol, performing entry configuration on the private protocol according to the protocol identification information.
In a possible embodiment, the pre-configuration unit 305 is further configured to:
configuring the industrial control instruction in the industrial control related information according to a first data length, a first data value, second description information and a first offset relative to a message header of the industrial control instruction input by the user; the second description information is used for describing the function of the industrial control instruction; if the private protocol is an application layer protocol, the message header is an application layer message header, and if the private protocol is a MAC layer protocol, the message header is a MAC layer message header;
configuring the industrial control object address in the industrial control related information according to a second data length, a second data value and third description information of the industrial control object address input by the user and a second offset relative to the message header; the third description information is used for describing a control object corresponding to the industrial control object address, and the control object executes an action according to the industrial control instruction;
configuring the industrial control parameters in the industrial control related information according to a third data length, a third data value, fourth description information and a third offset relative to the message header of the industrial control parameters input by the user; and the fourth description information is used for describing the function achieved when the industrial control instruction is executed with the industrial control parameters.
In a possible implementation, the processing unit 304 is further configured to:
identifying the execution action corresponding to each execution action information;
when the execution action is identified not to belong to the action in the preset execution action set, determining the execution action as dangerous operation, and sending prompt information to a user; and the actions in the preset execution action set are acquired from the industrial control network within a set time period.
In a possible implementation, the processing unit 304 is further configured to:
identifying the control object and the controlled object corresponding to the execution action;
if the control object is not in a preset white list, determining that the control object is an illegal asset;
if the controlled object is not in a preset white list, determining that the controlled object is the illegal asset;
and reporting the illegal assets to the user.
Based on the same inventive concept, an embodiment of the present invention provides a device for identifying action information in a private industrial control protocol, comprising: at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor executes the instructions stored by the memory to perform the method for identifying action information in a private industrial control protocol described above.
Based on the same inventive concept, an embodiment of the present invention further provides a readable storage medium, comprising:
a memory,
the memory being configured to store instructions that, when executed by a processor, cause the apparatus comprising the readable storage medium to perform the method for identifying action information in a private industrial control protocol described above.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for recognizing action information in a private industrial control protocol is characterized by comprising the following steps:
acquiring a first protocol identification from a received data packet;
matching the first protocol identification with a private protocol identification in a pre-configuration file; the pre-configuration file comprises a private protocol identifier used by an existing industrial control product, and a first corresponding relation between industrial control related information and description information;
if the matching is successful, determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file, and analyzing the data packet by using the first private protocol to obtain first industrial control related information;
and matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information according to the first description information.
2. The method of claim 1, wherein the industrial control related information comprises industrial control instructions, industrial control object addresses, and industrial control parameters.
3. The method of claim 2, wherein prior to obtaining the first protocol identification from the received packet, further comprising:
configuring protocol entry information of the private protocol;
configuring the industrial control related information according to information input by a user;
and writing the configured protocol entry information and the industrial control related information into a specified configuration file to obtain the pre-configuration file.
4. The method of claim 3, wherein configuring protocol entry information for the private protocol comprises:
determining a protocol type of the private protocol based on the protocol identification information input by the user; wherein the protocol types comprise a MAC layer protocol and an application layer protocol;
if the private protocol is an application layer protocol, configuring an entrance of the private protocol based on the transport layer type information and the transport layer port number information input by the user; wherein the transport layer types include TCP and UDP;
and if the private protocol is a MAC layer protocol, performing entry configuration on the private protocol according to the protocol identification information.
5. The method of claim 3, wherein configuring the industrial control related information based on the information input by the user comprises:
configuring the industrial control instruction in the industrial control related information according to a first data length, a first data value, second description information and a first offset relative to a message header of the industrial control instruction input by the user; the second description information is used for describing the function of the industrial control instruction; if the private protocol is an application layer protocol, the message header is an application layer message header, and if the private protocol is a MAC layer protocol, the message header is a MAC layer message header;
configuring the industrial control object address in the industrial control related information according to a second data length, a second data value and third description information of the industrial control object address input by the user and a second offset relative to the message header; the third description information is used for describing a control object corresponding to the industrial control object address, and the control object executes an action according to the industrial control instruction;
configuring the industrial control parameters in the industrial control related information according to a third data length, a third data value, fourth description information and a third offset relative to the message header of the industrial control parameters input by the user; and the fourth description information is used for describing the function achieved when the industrial control instruction is executed with the industrial control parameters.
6. The method of any one of claims 1-5, further comprising:
identifying the execution action corresponding to each execution action information;
when the execution action is identified not to belong to the action in the preset execution action set, determining the execution action as dangerous operation, and sending prompt information to a user; and the actions in the preset execution action set are acquired from the industrial control network within a set time period.
7. The method of claim 6, further comprising:
identifying the control object and the controlled object corresponding to the execution action;
if the control object is not in a preset white list, determining that the control object is an illegal asset;
if the controlled object is not in a preset white list, determining that the controlled object is the illegal asset;
and reporting the illegal assets to the user.
8. An apparatus for recognizing action information in a private industrial control protocol, comprising:
a receiving unit, configured to obtain a first protocol identifier from a received data packet;
the matching unit is used for matching the first protocol identifier with a private protocol identifier in a pre-configuration file; the pre-configuration file comprises a private protocol identifier used by an existing industrial control product, and a first corresponding relation between industrial control related information and description information;
the analysis unit is used for determining a first private protocol corresponding to the first protocol identifier from the pre-configuration file if the matching is successful, and analyzing the data packet by using the first private protocol to obtain first industrial control related information;
and the processing unit is used for matching the first industrial control related information with the industrial control related information in the first relation, determining first description information corresponding to the first industrial control related information, and generating corresponding execution action information according to the first description information.
9. An apparatus for recognizing action information in a private industrial control protocol, comprising:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the at least one processor performing the method of any one of claims 1-7 by executing the instructions stored by the memory.
10. A readable storage medium, comprising a memory,
the memory being configured to store instructions that, when executed by a processor, cause an apparatus comprising the readable storage medium to perform the method of any of claims 1-7.
CN202011059751.2A 2020-09-30 2020-09-30 Method, device and storage medium for recognizing action information in private industrial control protocol Active CN112187583B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011059751.2A CN112187583B (en) 2020-09-30 2020-09-30 Method, device and storage medium for recognizing action information in private industrial control protocol

Publications (2)

Publication Number Publication Date
CN112187583A true CN112187583A (en) 2021-01-05
CN112187583B CN112187583B (en) 2022-03-25

Family

ID=73947135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011059751.2A Active CN112187583B (en) 2020-09-30 2020-09-30 Method, device and storage medium for recognizing action information in private industrial control protocol

Country Status (1)

Country Link
CN (1) CN112187583B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113507449A (en) * 2021-06-17 2021-10-15 北京惠而特科技有限公司 Deep identification method and device for GE private protocol
CN113645065A (en) * 2021-07-21 2021-11-12 武汉虹旭信息技术有限责任公司 Industrial control safety audit system and method based on industrial internet
CN115334178A (en) * 2022-07-08 2022-11-11 北京天融信网络安全技术有限公司 Application layer data analysis method and device, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050199716A1 (en) * 2004-03-10 2005-09-15 Microsoft Corporation Method and system for communicating with identification tags
GB0921211D0 (en) * 2009-12-03 2010-01-20 Inst Information Industry Monitor method and monitor apparatus for monitoring data of hardware
CN104506484A (en) * 2014-11-11 2015-04-08 中国电子科技集团公司第三十研究所 Proprietary protocol analysis and identification method
US20160028601A1 (en) * 2014-07-24 2016-01-28 General Electric Company Internet connectivity probe
CN106027511A (en) * 2016-05-13 2016-10-12 北京工业大学 Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)
WO2017097026A1 (en) * 2015-12-10 2017-06-15 深圳市中兴微电子技术有限公司 Identification processing method and apparatus for data message, and storage medium
CN108632525A (en) * 2017-09-20 2018-10-09 北京视联动力国际信息技术有限公司 A kind of method and system of business processing
CN110417783A (en) * 2019-07-30 2019-11-05 北京国信华源科技有限公司 A kind of data transmission method based on Internet of Things, device, storage medium and terminal
CN111371651A (en) * 2020-03-12 2020-07-03 杭州木链物联网科技有限公司 Industrial communication protocol reverse analysis method


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zhang Mei, Zeng Bin, Zhu Chengwei: "Design and Implementation of a Security Monitoring and Traceability System for Industrial Control Systems", ITNS feature column: Network Security Monitoring Technology *
Ma Qiang et al.: "Research on Active Sensing and Early-Warning Technology for Networked Industrial Control Systems", Information Technology and Network Security *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113507449A (en) * 2021-06-17 2021-10-15 北京惠而特科技有限公司 Deep identification method and device for GE private protocol
CN113645065A (en) * 2021-07-21 2021-11-12 武汉虹旭信息技术有限责任公司 Industrial control safety audit system and method based on industrial internet
CN113645065B (en) * 2021-07-21 2024-03-15 武汉虹旭信息技术有限责任公司 Industrial control security audit system and method based on industrial Internet
CN115334178A (en) * 2022-07-08 2022-11-11 北京天融信网络安全技术有限公司 Application layer data analysis method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN112187583B (en) 2022-03-25

Similar Documents

Publication Publication Date Title
CN112187583B (en) Method, device and storage medium for recognizing action information in private industrial control protocol
US8782771B2 (en) Real-time industrial firewall
US10901392B2 (en) Method and system for monitoring a plant of process automation
CN110474790B (en) System, cloud platform, device and method for configuring edge device
WO2016172514A1 (en) Improving control system resilience by highly coupling security functions with control
CN110601896B (en) Data processing method and equipment based on block chain nodes
CN110011973A (en) Industrial control network access rule construction method and training system
CN111371651A (en) Industrial communication protocol reverse analysis method
CN110187986B (en) Command management method, system, device and computer readable storage medium
CN109450928B (en) Cross-cloud data transparent transmission method and system based on UDP (user Datagram protocol) and Modbus TCP (Transmission control protocol)
US20180270082A1 (en) Method and device for monitoring control systems
WO2020207105A1 (en) Destination message determination method and apparatus, storage medium and electronic apparatus
EP3667526A1 (en) Rapid file authentication on automation devices
KR102195016B1 (en) Apparatus and method for checking security vulnerability and restriction guidance
CN113039755B (en) Monitoring method, device, system and computer readable medium for industrial control system
CN113872951B (en) Hybrid cloud security policy issuing method and device, electronic equipment and storage medium
CN117336035A (en) Management coordination method of side equipment based on gateway of Internet of things
EP3561617A1 (en) Automation component configuration
CN115208058A (en) Plug and play method and system for distributed power distribution terminal
KR101892385B1 (en) Profibus decentralized periphery network organization system
CN109743282B (en) Industrial control protocol-based high-risk safety risk identification method and device
CN115913786B (en) Vulnerability verification method and system for industrial Internet equipment
CN111404827A (en) Data packet processing method and device, electronic equipment and storage medium
CN112261056B (en) Communication control method and device for power system, control equipment and storage medium
US12088614B2 (en) Systems and methods for detecting anomalies in network communication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant