CN113872980A - Industrial control equipment information identification method and device, storage medium and equipment - Google Patents


Publication number: CN113872980A
Application number: CN202111158485.3A
Authority: CN (China)
Legal status: granted, active; granted version published as CN113872980B
Original language: Chinese (zh)
Prior art keywords: equipment, identified, information, target, industrial control
Inventors: 邹玲, 彭鑫, 王长阳, 何伟, 薛金良, 张志群
Original and current assignee: Zhejiang Guoli Network Security Technology Co ltd
Events: application CN202111158485.3A filed by Zhejiang Guoli Network Security Technology Co ltd; publication of CN113872980A; application granted; publication of CN113872980B; legal status active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/22: Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Human Computer Interaction (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a method, apparatus, storage medium and device for identifying industrial control device information. Packets of the devices to be identified in an industrial control network are captured through a mirror port. Each device's packets are parsed to obtain the target application layer protocol, and the associated session information is analysed to obtain the target operation code. The device information corresponding to the target application layer protocol and the target operation code is looked up in a protocol feature library and taken as the target device information. The device code corresponding to the target device information is looked up in a device knowledge base and taken as the device code of the device to be identified. That device code is decoded to obtain the device information of the device to be identified, which is then displayed to the user through a preset interface. Compared with the prior art, the scheme identifies the device information of industrial control devices in a timely and effective manner without congesting the industrial control network, because capture at a mirror port is passive and adds no traffic to it.

Description

Industrial control equipment information identification method and device, storage medium and equipment
Technical Field
The present application relates to the field of industrial control, and in particular to a method and apparatus for identifying industrial control device information, a storage medium and a device.
Background
To secure an industrial control system it is important to identify the information of its industrial control devices accurately; with that information an administrator of the industrial control system can judge whether the industrial control devices connected to the current network meet the project's requirements.
Existing identification methods for industrial control device information are mainly active: the device information is obtained by probing the industrial control devices directly. An active scanner has to be connected to the industrial control network, and if devices are to be found quickly the probe rate must be raised, which consumes network resources and can congest the network. Because industrial control networks are sensitive to resource usage, the probe rate is lowered instead, but then a scanning round takes too long, often a day or more, so the device information is obtained with a long delay.
How to identify the device information of industrial control devices in a timely and effective manner while keeping the industrial control network uncongested has therefore become an urgent problem in the field.
Disclosure of Invention
The application provides a method, apparatus, storage medium and device for identifying industrial control device information, which identify the device information of industrial control devices in an industrial control network in a timely and effective manner while keeping the network uncongested.
To achieve this, the application provides the following technical solutions:
A method for identifying industrial control device information comprises the following steps:
capturing the packets of each device to be identified in the industrial control network through a preset mirror port, the packets being packets processed by the device to be identified;
for each device to be identified, parsing its packets to obtain a target application layer protocol;
acquiring the session information associated with the packet and performing operation code analysis on the session information to obtain a target operation code;
looking up, in a preset protocol feature library, the device information corresponding to the target application layer protocol and the target operation code, and taking it as the target device information;
looking up, in a preset device knowledge base, the device code corresponding to the target device information, and taking it as the device code of the device to be identified;
decoding the device code of the device to be identified to obtain the device information of the device to be identified;
and displaying the device information of each device to be identified to the user through a preset interface.
Optionally, after the packets of each device to be identified in the industrial control network have been captured, the method further comprises:
for each device to be identified, counting the packets processed by the device within a preset time period to obtain its communication traffic;
judging whether the communication traffic exceeds a preset traffic threshold;
setting the running state of the device to be identified to online when the communication traffic exceeds the preset traffic threshold;
setting the running state of the device to be identified to offline when the communication traffic does not exceed the preset traffic threshold;
and displaying the device information of each device to be identified to the user through the preset interface then comprises:
displaying the running state and the device information of each device to be identified to the user through the preset interface.
Optionally, parsing the packets of the device to be identified to obtain a target application layer protocol comprises:
parsing a packet of the device to be identified to obtain the basic information of the packet;
judging whether the basic information contains a five-tuple;
when it does, marking the packet as an industrial control packet;
judging whether the industrial control packet contains application layer information;
when it does, parsing the application layer information carried by the industrial control packet to obtain the target application layer protocol;
discarding the industrial control packet when it contains no application layer information;
and discarding the packet when its basic information contains no five-tuple.
Optionally, judging whether the industrial control packet contains application layer information comprises:
determining that the industrial control packet contains application layer information if the value of its n-th byte is greater than a preset value, and that it does not otherwise; n is a positive integer.
Optionally, the device information includes a device type and a device model;
and looking up, in the preset protocol feature library, the device information corresponding to the target application layer protocol and the target operation code, and taking it as the target device information, comprises:
looking up in the protocol feature library the device type corresponding to the target application layer protocol and taking it as the target device type;
and looking up in the protocol feature library the device model corresponding to the target operation code and taking it as the target device model.
Optionally, looking up, in the preset device knowledge base, the device code corresponding to the target device information, and taking it as the device code of the device to be identified, comprises:
looking up in the device knowledge base the device code corresponding to the target device type and taking it as the device code of the device to be identified;
looking up in the device knowledge base the device code corresponding to the target device model and taking it as the device code of the device to be identified;
and decoding the device codes held for the device to be identified to obtain its device information.
Optionally, before decoding the device code of the device to be identified to obtain its device information, the method further comprises:
querying the communication port of the packet and taking it as an open port of the device to be identified;
and displaying the device information of each device to be identified to the user through the preset interface then comprises:
displaying the open port and the device information of each device to be identified to the user through the preset interface.
An apparatus for identifying industrial control device information comprises:
an acquisition unit for capturing the packets of each device to be identified in the industrial control network through a preset mirror port, the packets being packets processed by the device to be identified;
a parsing unit for parsing, for each device to be identified, its packets to obtain a target application layer protocol;
an analysis unit for acquiring the session information associated with the packet and performing operation code analysis on it to obtain a target operation code;
an identification unit for looking up, in a preset protocol feature library, the device information corresponding to the target application layer protocol and the target operation code, and taking it as the target device information;
a determining unit for looking up, in a preset device knowledge base, the device code corresponding to the target device information, and taking it as the device code of the device to be identified;
a decoding unit for decoding the device code of the device to be identified to obtain its device information;
and a display unit for displaying the device information of each device to be identified to the user through a preset interface.
A computer-readable storage medium comprising a stored program, wherein the program, when run, executes the above method for identifying industrial control device information.
A device for identifying industrial control device information comprises a processor, a memory and a bus, the processor and the memory being connected through the bus;
the memory stores a program and the processor runs it, the program executing the above method for identifying industrial control device information when run.
According to the above technical solution, the packets of the devices to be identified in the industrial control network are captured through a preset mirror port. For each device to be identified, its packets are parsed to obtain a target application layer protocol, and the session information associated with the packet is analysed to obtain a target operation code. The device information corresponding to the target application layer protocol and the target operation code is looked up in a preset protocol feature library and taken as the target device information; the device code corresponding to that device information is looked up in a preset device knowledge base and taken as the device code of the device to be identified; the device code is decoded to obtain the device information of the device to be identified; and the device information of each device is displayed to the user through a preset interface. In short, the target application layer protocol and target operation code of a device are obtained from traffic captured at a mirror port, the corresponding device code is obtained from the protocol feature library and the device knowledge base, and decoding that code yields the device information.
The scheme therefore identifies the device information of industrial control devices in a timely and effective manner while keeping the industrial control network uncongested.
Drawings
To illustrate the embodiments of the present application or the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described below show only some embodiments of the present application; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1a is a schematic diagram of an identification method for industrial control equipment information according to an embodiment of the present application;
fig. 1b is a schematic diagram of an identification method for industrial control equipment information according to an embodiment of the present application;
fig. 2 is a schematic diagram of another identification method for industrial control device information according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an identification apparatus for industrial control device information according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings. The described embodiments are only some of the embodiments of the present application, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the present application.
As shown in fig. 1a and fig. 1b, the method for identifying industrial control device information provided in an embodiment of the present application comprises the following steps:
S101: collect the device information of each industrial control device from the Internet.
A web crawler can be used to capture the device information of each industrial control device from the Internet. In this embodiment the device information includes, but is not limited to, the device type, device model and device manufacturer.
S102: encode each item of device information to obtain the corresponding device code, and store the device code of each item of device information in a preset device knowledge base.
S103: capture the packets of each device to be identified in the industrial control network through a preset mirror port.
Because the packets are captured at a mirror port, the capture consumes no resources of the industrial control network itself and the network is not congested. A mirror (SPAN) port only copies traffic and injects nothing, which is what distinguishes this from the active scanning described in the background.
Note that the packets are the packets processed by the device to be identified.
S104: for each device to be identified, count the packets it processed within a preset time period to obtain its communication traffic.
S105: judge whether the communication traffic exceeds a preset traffic threshold.
If it does, execute S106; otherwise execute S107.
S106: set the running state of the device to be identified to online.
After S106, continue with S108.
S107: set the running state of the device to be identified to offline.
After S107, continue with S108.
Based on the running state of the device to be identified, the user can be helped to check whether the layout of the industrial control environment has a problem and whether an industrial control device is damaged, which improves maintenance efficiency.
For example, if the device to be identified is a PLC CPU module that should be online but is detected as offline, the current industrial control environment has a problem, and the user should be prompted to troubleshoot: whether the CPU module is properly seated in its slot, whether it has started, and whether it is damaged.
S108: parse a packet of the device to be identified to obtain the basic information of the packet.
S109: judge whether the basic information contains a five-tuple.
If it does, execute S110; otherwise execute S111.
The five-tuple is an established networking term; here it consists of the source IP address, source port, destination IP address, destination port and the industrial control protocol. (In the conventional definition the fifth element is the transport protocol, e.g. TCP or UDP; the industrial control protocol is only known once the application layer has been parsed in S113.)
S110: mark the packet as an industrial control packet.
After S110, continue with S112.
S111: discard the packet.
S112: judge whether the industrial control packet contains application layer information.
If it does, execute S113; otherwise execute S114.
The industrial control packet is determined to contain application layer information if the value of its n-th byte is greater than a preset value, and not to contain it otherwise; n is a positive integer. This is a byte-offset heuristic: n and the preset value have to be tuned to the protocols expected on the network, and a packet shorter than n bytes can never satisfy it.
S113: parse the application layer information carried by the industrial control packet to obtain the target application layer protocol.
After S113, continue with S115.
S114: discard the industrial control packet.
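Steps S108 to S114, as an added worked example that is not code from the patent: a Python parser that takes a raw Ethernet/IPv4/TCP frame as a mirror port would deliver it, extracts the five-tuple, applies the n-th byte rule of S112 to decide whether application layer data is present, and then identifies the application layer protocol and pulls out the operation code that S118 needs. Modbus/TCP is used as the example industrial control protocol, the MBAP header check is how this example recognises it, the sample frames are constructed inline, and the five-tuple's fifth element is the transport protocol; all of these are assumptions of the example, since the patent names no protocol.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
MODBUS_TCP_PORT = 502  # assumption: Modbus/TCP is the example ICS protocol


@dataclass
class ParsedPacket:
    five_tuple: Tuple[str, int, str, int, str]  # (src_ip, sport, dst_ip, dport, transport)
    payload: bytes
    app_protocol: Optional[str]
    opcode: Optional[int]


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II / IPv4 / TCP frame around payload.
    Checksums are left at zero: this only produces constructed test input."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, IPPROTO_TCP, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp + payload


def extract_five_tuple(frame: bytes):
    """S108/S109: return (five_tuple, payload) for an IPv4/TCP frame, or None when the
    frame has no five-tuple (not IPv4, not TCP, or truncated) and is to be dropped (S111)."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len or total_len < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    five_tuple = (_ip_str(ip[12:16]), sport, _ip_str(ip[16:20]), dport, "tcp")
    return five_tuple, tcp[data_off:]


def has_application_layer(payload: bytes, n: int, preset: int) -> bool:
    """S112 as stated in the patent: application layer data is present when the n-th byte
    (0-based here) exceeds a preset value. A payload shorter than n+1 bytes, such as a
    bare ACK, can never satisfy it and is dropped (S114)."""
    return len(payload) > n and payload[n] > preset


def identify_protocol(five_tuple, payload: bytes):
    """S113/S118: return (application protocol, operation code). Only Modbus/TCP is known
    to this example: port 502, MBAP protocol id 0 and a length field matching the payload;
    the function code following the unit id is taken as the operation code."""
    _, sport, _, dport, _ = five_tuple
    if MODBUS_TCP_PORT in (sport, dport) and len(payload) >= 8:
        _txn, proto_id, length, _unit = struct.unpack("!HHHB", payload[:7])
        if proto_id == 0 and length == len(payload) - 6:
            return "modbus_tcp", payload[7]
    return None, None


def parse_frame(frame: bytes, n: int = 0, preset: int = 0) -> Optional[ParsedPacket]:
    """Run S108-S114 (plus protocol and opcode extraction) on one mirrored frame."""
    parsed = extract_five_tuple(frame)
    if parsed is None:
        return None  # S111: no five-tuple, packet discarded
    five_tuple, payload = parsed
    if not has_application_layer(payload, n, preset):
        return None  # S114: no application layer information, packet discarded
    app_protocol, opcode = identify_protocol(five_tuple, payload)
    return ParsedPacket(five_tuple, payload, app_protocol, opcode)


# Constructed sample input (not captured from any real network): a Modbus/TCP
# Read Holding Registers request (function code 3) and a payload-less TCP ACK.
MODBUS_READ_REQ = struct.pack("!HHHB", 0x1234, 0, 6, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x0A])
SAMPLE_MODBUS_FRAME = build_frame("10.0.0.5", 40001, "10.0.0.20", MODBUS_TCP_PORT, MODBUS_READ_REQ)
SAMPLE_ACK_FRAME = build_frame("10.0.0.5", 40001, "10.0.0.20", MODBUS_TCP_PORT, b"")

if __name__ == "__main__":
    for label, frame in (("modbus", SAMPLE_MODBUS_FRAME), ("ack", SAMPLE_ACK_FRAME)):
        print(label, parse_frame(frame))
```

The n-th byte rule on its own only separates packets that carry data from those that do not; it cannot tell one protocol from another, which is why identify_protocol adds a structural check on the MBAP header. In a deployment every protocol expected on the network needs its own fingerprint, and the port should not be trusted alone, since industrial protocols are often run on non-default ports.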
S115: look up in a preset protocol feature library the device type corresponding to the target application layer protocol and take it as the target device type.
The protocol feature library contains a number of preset application layer protocols with the device type corresponding to each, and a number of preset operation codes with the device model corresponding to each.
S116: look up in the device knowledge base the device code corresponding to the target device type and store it locally as the device code of the device to be identified.
S117: query the communication port of the industrial control packet and store it locally as an open port of the device to be identified.
S118: acquire the session information associated with the industrial control packet and perform operation code analysis on it to obtain the target operation code.
S119: judge whether the target operation code is recorded in the protocol feature library.
If it is, execute S120; otherwise execute S122.
S120: look up in the protocol feature library the device model corresponding to the target operation code and mark it as the target device model.
S121: look up in the device knowledge base the device code corresponding to the target device model and store it locally as the device code of the device to be identified.
After S121, continue with S122.
S122: decode the device code(s) held for the device to be identified to obtain its device information.
S123: display the running state, device information and open ports of each device to be identified to the user through a preset interface.
The running state, device information and open ports of each device to be identified can also be stored in a preset device library so that the user can query them at any time. Devices to be identified can be stored in groups: those whose open ports belong to the same IP address are placed in the same group.
Optionally, the device to be identified can also be accessed through the IP address indicated by its open port to obtain its power supply information, which is then stored in the device library. Note that this is an active query of the device and the one step in the flow that sends traffic into the industrial control network.
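The remainder of the flow, S104 to S107 (running state) and S115 to S123 (feature library, knowledge base, open ports, decoding and display), as an added worked example that is not code from the patent: Python that takes already-parsed packet records (constructed inline, each carrying the five-tuple, the identified protocol and the operation code) and produces the per-device output of S123. The protocol names, the contents of the feature library, the device code format VENDOR:TYPE:MODEL, the vendor-specific Modbus function code 100 and the choice of the server side of each flow as the device to be identified are all assumptions of this example; the patent specifies none of them.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Protocol feature library (S115, S120). Constructed contents: application
# protocol -> device type, and (protocol, operation code) -> device model. The
# vendor-specific Modbus function code 100 (user-defined range) is an assumption.
PROTOCOL_TO_TYPE = {"modbus_tcp": "plc", "s7comm": "plc"}
OPCODE_TO_MODEL = {("modbus_tcp", 100): "PLC-1200"}


# Device knowledge base (S102): device information encoded as a device code.
# The code format VENDOR:TYPE:MODEL ("*" = model unknown) is an assumption.
def encode_device_code(vendor: str, dev_type: str, model: Optional[str]) -> str:
    return ":".join((vendor, dev_type, model or "*"))


def decode_device_code(code: str) -> dict:
    """S122: turn a device code back into device information."""
    vendor, dev_type, model = code.split(":", 2)
    return {"vendor": vendor, "type": dev_type, "model": None if model == "*" else model}


TYPE_CODES = {"plc": encode_device_code("ExampleCo", "plc", None),
              "hmi": encode_device_code("ExampleCo", "hmi", None)}
MODEL_CODES = {"PLC-1200": encode_device_code("ExampleCo", "plc", "PLC-1200")}


@dataclass
class DeviceRecord:
    ip: str
    state: str = "offline"
    open_ports: Set[int] = field(default_factory=set)
    device_code: Optional[str] = None
    info: dict = field(default_factory=dict)


def identify(records: List[dict], window: float, threshold: int, now: float) -> Dict[str, DeviceRecord]:
    """Run S104-S122 over parsed packets. Each record has ts, src, sport, dst, dport,
    protocol (or None) and opcode. The device to be identified is taken to be the
    server side of each flow, i.e. the destination of the request (an assumption)."""
    by_device: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        by_device[rec["dst"]].append(rec)  # same IP -> same group

    devices: Dict[str, DeviceRecord] = {}
    for ip, pkts in by_device.items():
        dev = DeviceRecord(ip=ip)
        # S104-S107: packets inside the window are the communication traffic
        recent = [p for p in pkts if 0 <= now - p["ts"] <= window]
        dev.state = "online" if len(recent) > threshold else "offline"
        # S117: the ports the device was addressed on
        dev.open_ports = {p["dport"] for p in pkts}
        # S115/S116: dominant application protocol -> device type -> type-level code
        protocols = Counter(p["protocol"] for p in pkts if p["protocol"])
        if protocols:
            dev_type = PROTOCOL_TO_TYPE.get(protocols.most_common(1)[0][0])
            if dev_type in TYPE_CODES:
                dev.device_code = TYPE_CODES[dev_type]
        # S118-S121: operation codes seen in the device's sessions; the first one
        # recorded in the feature library refines the code to model level
        for p in pkts:
            model = OPCODE_TO_MODEL.get((p["protocol"], p["opcode"]))
            if model in MODEL_CODES:
                dev.device_code = MODEL_CODES[model]
                break
        if dev.device_code:
            dev.info = decode_device_code(dev.device_code)  # S122
        devices[ip] = dev
    return devices


def render(devices: Dict[str, DeviceRecord]) -> List[str]:
    """S123: one line per device for the preset interface."""
    rows = []
    for ip in sorted(devices):
        d = devices[ip]
        ports = ",".join(str(p) for p in sorted(d.open_ports))
        rows.append(f"{ip:<12} {d.state:<8} ports={ports:<6} vendor={d.info.get('vendor')} "
                    f"type={d.info.get('type')} model={d.info.get('model')}")
    return rows


# Constructed sample input: parsed packets as a mirror-port parser would hand them
# over. 10.0.0.20 is polled with Modbus reads plus one vendor-specific function
# code; 10.0.0.21 spoke S7comm, but only an hour ago.
NOW = 1_700_000_000.0


def _rec(age, dst, dport, protocol, opcode):
    return {"ts": NOW - age, "src": "10.0.0.5", "sport": 40001, "dst": dst,
            "dport": dport, "protocol": protocol, "opcode": opcode}


SAMPLE_RECORDS = [
    _rec(5, "10.0.0.20", 502, "modbus_tcp", 3),
    _rec(4, "10.0.0.20", 502, "modbus_tcp", 3),
    _rec(3, "10.0.0.20", 502, "modbus_tcp", 100),
    _rec(2, "10.0.0.20", 502, "modbus_tcp", 3),
    _rec(3600, "10.0.0.21", 102, "s7comm", 0xF0),
]

if __name__ == "__main__":
    for line in render(identify(SAMPLE_RECORDS, window=60, threshold=2, now=NOW)):
        print(line)
```

Two properties of the threshold rule are worth noticing. A device is "online" only when more than the threshold number of packets were seen inside the window, so a powered device that simply is not being polled shows as offline, and the window and threshold have to be chosen per device and polling interval. And because identification is keyed on traffic seen at the mirror port, a device that never talks, or whose traffic does not cross the mirrored link, is invisible to this method.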
Through S101-S107 the communication traffic of the device to be identified is obtained from the mirror port and its running state is derived from that traffic, which avoids congesting the industrial control network and helps the user correct the running state of the device in real time; through S117 the user can query the open ports of the device in real time; and through S115-S122 the device information of the device is determined using the device knowledge base and the protocol feature library.
In summary, in this embodiment the target application layer protocol and target operation code of a device to be identified in the industrial control network are obtained through a preset mirror port; the device codes corresponding to the target application layer protocol and to the target operation code are obtained using a preset device knowledge base and a preset protocol feature library; and those device codes are decoded to obtain the device information of the device. The scheme of this embodiment therefore identifies the device information of industrial control devices in a timely and effective manner while keeping the industrial control network uncongested.
Note that S112 in the above embodiment is an optional implementation of the identification method shown in this application, and so is S114. The flow of the above embodiment can therefore be summarised as the method shown in fig. 2.
As shown in fig. 2, another method for identifying industrial control device information provided in an embodiment of the present application comprises the following steps:
S201: capture the packets of each device to be identified in the industrial control network through a preset mirror port.
The packets are the packets processed by the device to be identified.
S202: for each device to be identified, parse its packets to obtain a target application layer protocol.
S203: acquire the session information associated with the packet and perform operation code analysis on it to obtain a target operation code.
S204: look up in a preset protocol feature library the device information corresponding to the target application layer protocol and the target operation code, and take it as the target device information.
S205: look up in a preset device knowledge base the device code corresponding to the target device information, and take it as the device code of the device to be identified.
S206: decode the device code of the device to be identified to obtain its device information.
S207: display the device information of each device to be identified to the user through a preset interface.
In summary, this embodiment obtains the target application layer protocol and target operation code of a device to be identified through a preset mirror port, obtains the corresponding device code using a preset device knowledge base and a preset protocol feature library, and decodes that code to obtain the device information of the device. It therefore identifies the device information of industrial control devices in a timely and effective manner while keeping the industrial control network uncongested.
Corresponding to the method for identifying the industrial control equipment information provided by the embodiment of the application, the embodiment of the application also provides an identification device for the industrial control equipment information.
As shown in fig. 3, an architecture diagram of an apparatus for identifying information of an industrial control device provided in an embodiment of the present application includes:
the obtaining unit 100 is configured to obtain a data packet of each device to be identified in the industrial control network through a preset mirror image port. The data packet includes a message processed via the device to be identified.
A state setting unit 200 for: judging whether the value of the communication flow is larger than a preset flow threshold value or not; setting the running state of the equipment to be identified as online under the condition that the value of the communication flow is larger than a preset flow threshold; and setting the running state of the equipment to be identified as an off-line state under the condition that the value of the communication flow is not greater than the preset flow threshold value.
The parsing unit 300 is configured to parse, for each device to be identified, a packet of the device to be identified, so as to obtain a target application layer protocol.
The parsing unit 300 is specifically configured to: analyzing the message of the equipment to be identified to obtain basic information of the message; judging whether the basic information contains quintuple; under the condition that the basic information contains the quintuple, identifying the message as an industrial control message; judging whether the industrial control message contains application layer information or not; under the condition that the industrial control message contains application layer information, analyzing the application layer information shown by the industrial control message to obtain a target application layer protocol; deleting the industrial control message under the condition that the industrial control message does not contain application layer information; and deleting the message under the condition that the basic information does not contain the quintuple.
The parsing unit 300 is further configured to: determine that the industrial control message contains application layer information if the value of its nth byte is larger than a preset value, and otherwise determine that it does not contain application layer information; n is a positive integer.
The analysis unit 400 is configured to obtain session information associated with the packet, and perform operation code analysis on the session information to obtain a target operation code.
The identifying unit 500 is configured to obtain device information corresponding to the target application layer protocol and the target operation code from a preset protocol feature library, and identify the device information corresponding to the target application layer protocol and the target operation code as the target device information.
The device information includes a device type and a device model.
The identification unit 500 is specifically configured to: acquiring a device type corresponding to a target application layer protocol from a preset protocol feature library, and identifying the device type corresponding to the target application layer protocol as a target device type; and acquiring the equipment model corresponding to the target operation code from the protocol feature library, and marking the equipment model corresponding to the target operation code as the target equipment model.
The determining unit 600 is configured to obtain a device code corresponding to the target device information from a preset device knowledge base, and use the device code corresponding to the target device information as the device code of the device to be identified.
The determining unit 600 is specifically configured to: acquire the device code corresponding to the target device type from a preset device knowledge base and take it as a device code of the device to be identified; acquire the device code corresponding to the target device model from the device knowledge base and take it as a device code of the device to be identified; and decode the device codes of the device to be identified to obtain the device information of the device to be identified.
The query unit 700 is configured to query a communication port of the packet, and use the communication port as an open port of the device to be identified.
The decoding unit 800 is configured to decode the device code of the device to be identified, so as to obtain the device information of the device to be identified.
The display unit 900 is configured to display the device information of each device to be identified to the user through a preset interface.
The display unit 900 is specifically configured to: and displaying the running state, the open port and the equipment information of each equipment to be identified to a user through a preset interface.
The application also provides a computer readable storage medium, and the computer readable storage medium comprises a stored program, wherein the program executes the industrial control equipment information identification method provided by the application.
The application also provides a device for identifying industrial control equipment information, comprising a processor, a memory, and a bus. The processor is connected to the memory through the bus; the memory stores a program, and the processor runs the program, which, when run, executes the industrial control equipment information identification method provided by the application, comprising the following steps:
acquiring data packets of each device to be identified in the industrial control network through a preset mirror image port; the data packet comprises a message processed by the equipment to be identified;
for each device to be identified, analyzing the message of the device to be identified to obtain a target application layer protocol;
acquiring session information associated with the message, and performing operation code analysis on the session information to obtain a target operation code;
acquiring device information corresponding to the target application layer protocol and the target operation code from a preset protocol feature library, and identifying the device information corresponding to the target application layer protocol and the target operation code as target device information;
acquiring a device code corresponding to the target device information from a preset device knowledge base, and taking the device code corresponding to the target device information as a device code of the device to be identified;
decoding the equipment code of the equipment to be identified to obtain the equipment information of the equipment to be identified;
and displaying the equipment information of each equipment to be identified to a user through a preset interface.
Optionally, after obtaining the data packet of each device to be identified in the industrial control network, the method further includes:
for each device to be identified, counting the number of messages processed by the device to be identified within a preset time length to obtain the communication flow of the device to be identified;
judging whether the value of the communication flow is larger than a preset flow threshold value or not;
setting the running state of the equipment to be identified as on-line under the condition that the value of the communication flow is larger than the preset flow threshold;
setting the running state of the equipment to be identified as an off-line state under the condition that the value of the communication flow is not greater than the preset flow threshold;
the displaying the device information of each device to be identified to the user through the preset interface includes:
and displaying the running state and the equipment information of each equipment to be identified to a user through a preset interface.
Optionally, the analyzing the message of the device to be identified to obtain a target application layer protocol includes:
analyzing the message of the equipment to be identified to obtain basic information of the message;
judging whether the basic information contains quintuple;
under the condition that the basic information contains the quintuple, identifying the message as an industrial control message;
judging whether the industrial control message contains application layer information or not;
under the condition that the industrial control message contains the application layer information, analyzing the application layer information shown by the industrial control message to obtain a target application layer protocol;
deleting the industrial control message under the condition that the industrial control message does not contain the application layer information;
and deleting the message under the condition that the basic information does not contain the quintuple.
Optionally, the determining whether the industrial control packet contains application layer information includes:
if the value of the nth byte of the industrial control message is larger than a preset value, determining that the industrial control message contains application layer information, otherwise, determining that the industrial control message does not contain the application layer information; n is a positive integer.
Optionally, the device information includes a device type and a device model;
the acquiring, from a preset protocol feature library, device information corresponding to the target application layer protocol and corresponding to the target operation code, and identifying the device information corresponding to the target application layer protocol and corresponding to the target operation code as target device information includes:
acquiring a device type corresponding to the target application layer protocol from a preset protocol feature library, and identifying the device type corresponding to the target application layer protocol as a target device type;
and acquiring the equipment model corresponding to the target operation code from the protocol feature library, and identifying the equipment model corresponding to the target operation code as the target equipment model.
Optionally, the obtaining, from a preset device knowledge base, a device code corresponding to the target device information, and using the device code corresponding to the target device information as the device code of the device to be identified includes:
acquiring the device code corresponding to the target device type from a preset device knowledge base, and taking the device code corresponding to the target device type as the device code of the device to be identified,
acquiring a device code corresponding to the target device model from the device knowledge base, and taking the device code corresponding to the target device model as the device code of the device to be identified;
and decoding the equipment code contained in the equipment to be identified to obtain the equipment information of the equipment to be identified.
Optionally, before decoding the device code of the device to be identified to obtain the device information of the device to be identified, the method further includes:
inquiring a communication port of the message, and taking the communication port as an open port of the equipment to be identified;
the displaying the device information of each device to be identified to the user through the preset interface includes:
and displaying the open port and the equipment information of each equipment to be identified to a user through a preset interface.
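The steps above (five-tuple check, nth-byte application-layer check, protocol identification, session opcode analysis, feature-library and knowledge-base lookups, device-code decoding, and the flow-threshold online/offline state) form one passive identification pipeline. The following Python program is an added example that walks through that pipeline over constructed Modbus/TCP traffic; it is not the patent's code, and the sample packets, the protocol feature library, the device knowledge base, the device-code format, the choice of n, the preset value and the flow threshold are all assumptions made for illustration (the patent leaves them unspecified).

```python
"""Passive identification of ICS devices from mirrored traffic.

Added example following the steps of the patent's method; not the patent's
code. Sample packets, lookup tables, thresholds and the device-code format
are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed parameters. The "nth byte" is chosen as the low byte of the
# Modbus/TCP MBAP length field: a value of 1 means only the unit id follows
# the header, i.e. no application-layer PDU is present.
APP_BYTE_INDEX = 5
APP_BYTE_MIN = 1
FUNC_CODE_INDEX = 7    # Modbus function code follows the 7-byte MBAP header
FLOW_THRESHOLD = 2     # messages per window above which a device is "online"

# Constructed protocol feature library and device knowledge base.
PROTOCOL_BY_PORT = {502: "modbus"}
TYPE_BY_PROTOCOL = {"modbus": "PLC"}
MODEL_BY_OPCODE = {("modbus", 0x03): "ModelA", ("modbus", 0x10): "ModelB"}
CODE_BY_TYPE = {"PLC": "T01"}
CODE_BY_MODEL = {"ModelA": "M001", "ModelB": "M002"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    transport: Optional[str]
    payload: bytes


def five_tuple(pkt):
    """Basic information of the message; None when no five-tuple exists."""
    if None in (pkt.src_port, pkt.dst_port, pkt.transport):
        return None
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.transport)


def has_app_layer(payload):
    """The nth-byte check: application layer present iff byte n > preset value."""
    return len(payload) > APP_BYTE_INDEX and payload[APP_BYTE_INDEX] > APP_BYTE_MIN


def app_protocol(pkt):
    """Target application-layer protocol; None means the message is discarded."""
    if five_tuple(pkt) is None or not has_app_layer(pkt.payload):
        return None
    return PROTOCOL_BY_PORT.get(pkt.dst_port)


def session_opcode(packets):
    """Opcode analysis over a session: the most frequent function code."""
    codes = Counter(p.payload[FUNC_CODE_INDEX]
                    for p in packets if len(p.payload) > FUNC_CODE_INDEX)
    return codes.most_common(1)[0][0] if codes else None


def device_code(protocol, opcode):
    """Feature-library lookup (type, model) then knowledge-base lookup (codes)."""
    dev_type = TYPE_BY_PROTOCOL.get(protocol)
    model = MODEL_BY_OPCODE.get((protocol, opcode))
    if dev_type is None or model is None:
        return None
    return f"{CODE_BY_TYPE[dev_type]}-{CODE_BY_MODEL[model]}"


def decode_device_code(code):
    """Reverse the constructed 'Txx-Myyy' code back into type and model."""
    type_code, model_code = code.split("-")
    dev_type = next(t for t, c in CODE_BY_TYPE.items() if c == type_code)
    model = next(m for m, c in CODE_BY_MODEL.items() if c == model_code)
    return {"type": dev_type, "model": model}


def identify(packets):
    """Run the pipeline over one capture window; device = destination IP."""
    by_device = defaultdict(list)
    for p in packets:
        if five_tuple(p) is not None:          # messages without a five-tuple are deleted
            by_device[p.dst_ip].append(p)
    result = {}
    for ip, pkts in by_device.items():
        state = "online" if len(pkts) > FLOW_THRESHOLD else "offline"
        entry = {"state": state, "open_ports": sorted({p.dst_port for p in pkts}), "info": None}
        ics = [p for p in pkts if app_protocol(p) is not None]
        if ics:
            sessions = defaultdict(list)
            for p in ics:
                sessions[five_tuple(p)].append(p)
            opcode = session_opcode(max(sessions.values(), key=len))
            code = device_code(app_protocol(ics[0]), opcode)
            if code is not None:
                entry["info"] = dict(decode_device_code(code), code=code)
        result[ip] = entry
    return result


# Constructed sample window: three "read holding registers" requests to one
# PLC, one header-only Modbus frame to a second host, one frame with no ports.
READ_HOLDING = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
HEADER_ONLY = b"\x00\x02\x00\x00\x00\x01\x01"
SAMPLE_PACKETS = [
    Packet("10.0.0.1", "10.0.0.5", 40000, 502, "tcp", READ_HOLDING),
    Packet("10.0.0.1", "10.0.0.5", 40000, 502, "tcp", READ_HOLDING),
    Packet("10.0.0.1", "10.0.0.5", 40000, 502, "tcp", READ_HOLDING),
    Packet("10.0.0.1", "10.0.0.6", 40001, 502, "tcp", HEADER_ONLY),
    Packet("10.0.0.1", "10.0.0.7", None, None, None, b""),
]

if __name__ == "__main__":
    for ip, entry in identify(SAMPLE_PACKETS).items():
        print(ip, entry)
```

Running it reports 10.0.0.5 as online with type PLC, model ModelA and code T01-M001; 10.0.0.6 is offline with no device information because its frame carries no PDU; 10.0.0.7 never appears because the frame without a five-tuple is discarded at the first check. In a deployment the window counting would run on a timer and the sample list would be replaced by frames read from the mirror port.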
The functions described in the method of the embodiment of the present application, if implemented in the form of software functional units and sold or used as independent products, may be stored in a storage medium readable by a computing device. Based on such understanding, part of the contribution to the prior art of the embodiments of the present application or part of the technical solution may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for identifying industrial control equipment information is characterized by comprising the following steps:
acquiring data packets of each device to be identified in the industrial control network through a preset mirror image port; the data packet comprises a message processed by the equipment to be identified;
for each device to be identified, analyzing the message of the device to be identified to obtain a target application layer protocol;
acquiring session information associated with the message, and performing operation code analysis on the session information to obtain a target operation code;
acquiring device information corresponding to the target application layer protocol and the target operation code from a preset protocol feature library, and identifying the device information corresponding to the target application layer protocol and the target operation code as target device information;
acquiring a device code corresponding to the target device information from a preset device knowledge base, and taking the device code corresponding to the target device information as a device code of the device to be identified;
decoding the equipment code of the equipment to be identified to obtain the equipment information of the equipment to be identified;
and displaying the equipment information of each equipment to be identified to a user through a preset interface.
2. The method according to claim 1, wherein after obtaining the data packet of each device to be identified in the industrial control network, the method comprises:
for each device to be identified, counting the number of messages processed by the device to be identified within a preset time length to obtain the communication flow of the device to be identified;
judging whether the value of the communication flow is larger than a preset flow threshold value or not;
setting the running state of the equipment to be identified as on-line under the condition that the value of the communication flow is larger than the preset flow threshold;
setting the running state of the equipment to be identified as an off-line state under the condition that the value of the communication flow is not greater than the preset flow threshold;
the displaying the device information of each device to be identified to the user through the preset interface includes:
and displaying the running state and the equipment information of each equipment to be identified to a user through a preset interface.
3. The method according to claim 1, wherein the parsing the packet of the device to be identified to obtain a target application layer protocol comprises:
analyzing the message of the equipment to be identified to obtain basic information of the message;
judging whether the basic information contains quintuple;
under the condition that the basic information contains the quintuple, identifying the message as an industrial control message;
judging whether the industrial control message contains application layer information or not;
under the condition that the industrial control message contains the application layer information, analyzing the application layer information shown by the industrial control message to obtain a target application layer protocol;
deleting the industrial control message under the condition that the industrial control message does not contain the application layer information;
and deleting the message under the condition that the basic information does not contain the quintuple.
4. The method according to claim 1, wherein said determining whether the industrial control packet contains application layer information comprises:
if the value of the nth byte of the industrial control message is larger than a preset value, determining that the industrial control message contains application layer information, otherwise, determining that the industrial control message does not contain the application layer information; n is a positive integer.
5. The method of claim 1, wherein the device information comprises a device type and a device model;
the acquiring, from a preset protocol feature library, device information corresponding to the target application layer protocol and corresponding to the target operation code, and identifying the device information corresponding to the target application layer protocol and corresponding to the target operation code as target device information includes:
acquiring a device type corresponding to the target application layer protocol from a preset protocol feature library, and identifying the device type corresponding to the target application layer protocol as a target device type;
and acquiring the equipment model corresponding to the target operation code from the protocol feature library, and identifying the equipment model corresponding to the target operation code as the target equipment model.
6. The method according to claim 5, wherein the obtaining the device code corresponding to the target device information from a preset device knowledge base and using the device code corresponding to the target device information as the device code of the device to be identified comprises:
acquiring the device code corresponding to the target device type from a preset device knowledge base, and taking the device code corresponding to the target device type as the device code of the device to be identified,
acquiring a device code corresponding to the target device model from the device knowledge base, and taking the device code corresponding to the target device model as the device code of the device to be identified;
and decoding the equipment code contained in the equipment to be identified to obtain the equipment information of the equipment to be identified.
7. The method of claim 1, wherein before decoding the device code of the device to be identified to obtain the device information of the device to be identified, the method further comprises:
inquiring a communication port of the message, and taking the communication port as an open port of the equipment to be identified;
the displaying the device information of each device to be identified to the user through the preset interface includes:
and displaying the open port and the equipment information of each equipment to be identified to a user through a preset interface.
8. An identification device for industrial control equipment information is characterized by comprising:
the acquisition unit is used for acquiring data packets of each device to be identified in the industrial control network through a preset mirror image port; the data packet comprises a message processed by the equipment to be identified;
the parsing unit is used for analyzing the message of each device to be identified to obtain a target application layer protocol;
the analysis unit is used for acquiring the session information associated with the message and performing operation code analysis on the session information to obtain a target operation code;
the identification unit is used for acquiring the equipment information corresponding to the target application layer protocol and the target operation code from a preset protocol feature library, and identifying the equipment information corresponding to the target application layer protocol and the target operation code as the target equipment information;
the determining unit is used for acquiring the equipment code corresponding to the target equipment information from a preset equipment knowledge base, and taking the equipment code corresponding to the target equipment information as the equipment code of the equipment to be identified;
the decoding unit is used for decoding the equipment code of the equipment to be identified to obtain the equipment information of the equipment to be identified;
and the display unit is used for displaying the equipment information of each equipment to be identified to a user through a preset interface.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a stored program, wherein the program executes the industrial control device information identification method according to any one of claims 1 to 7.
10. An identification device for industrial control device information, characterized by comprising: a processor, a memory, and a bus; the processor and the memory are connected through the bus;
the memory is used for storing a program, and the processor is used for executing the program, wherein the program executes the identification method of the industrial control equipment information according to any one of claims 1 to 7 when running.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111158485.3A CN113872980B (en) 2021-09-29 2021-09-29 Identification method and device of industrial control equipment information, storage medium and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111158485.3A CN113872980B (en) 2021-09-29 2021-09-29 Identification method and device of industrial control equipment information, storage medium and equipment

Publications (2)

Publication Number Publication Date
CN113872980A true CN113872980A (en) 2021-12-31
CN113872980B CN113872980B (en) 2023-10-27

Family

ID=79001003

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111158485.3A Active CN113872980B (en) 2021-09-29 2021-09-29 Identification method and device of industrial control equipment information, storage medium and equipment

Country Status (1)

Country Link
CN (1) CN113872980B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114647233A (en) * 2022-05-18 2022-06-21 浙江国利网安科技有限公司 PLC operation configuration monitoring method and device, storage medium and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020037634A1 (en) * 2018-08-24 2020-02-27 哈尔滨工程大学计算机科学与技术学院 Information monitoring system and method for industrial control device network, computer readable storage medium, and computer device
CN113364746A (en) * 2021-05-24 2021-09-07 湖南华菱涟源钢铁有限公司 Equipment identification method, device, equipment and computer storage medium

Also Published As

Publication number Publication date
CN113872980B (en) 2023-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant