CN114189570B - Method for carrying out deep analysis on industrial protocol - Google Patents

Method for carrying out deep analysis on industrial protocol Download PDF

Info

Publication number
CN114189570B
Authority
CN
China
Prior art keywords
data
data message
message
similarity
industrial protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111485150.2A
Other languages
Chinese (zh)
Other versions
CN114189570A (en
Inventor
孟繁荣
周鑫
李忱
陈忠国
江何
门殿春
姚志强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Testor Technology Co ltd
Beijing Tongtech Co Ltd
Original Assignee
Beijing Testor Technology Co ltd
Beijing Tongtech Co Ltd
Application filed by Beijing Testor Technology Co ltd, Beijing Tongtech Co Ltd
Priority to CN202111485150.2A
Publication of CN114189570A
Application granted
Publication of CN114189570B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/12 Protocol engines
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
    • H04L69/22 Parsing or analysis of headers
    • H04L69/26 Special purpose or proprietary protocols or architectures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for carrying out deep analysis on an industrial protocol, which particularly relates to the technical field of industrial communication.

Description

Method for carrying out deep analysis on industrial protocol
Technical Field
The invention relates to the technical field of industrial communication, in particular to a method for carrying out deep analysis on an industrial protocol.
Background
The industrial control network has a special information exchange mechanism and automatic production control equipment. To protect the industrial control network, the industrial control communication protocol needs to be identified and analyzed with high probability, so that the various operation instructions and the sending and receiving parties contained in the data flow can be known, and abnormal messages and operations that violate the business logic can be handled, thereby achieving the purpose of protection or audit.
Besides the general network communication protocols of the various industrial control systems (such as OPC, Modbus, IEC104 and the like) and the private industrial protocols defined by automation manufacturers (such as S7, Profinet and the like), there are also special communication protocols for special industries (nuclear power, military and the like). Because of security and privacy requirements, a private protocol has no public data support and does not allow any detail to be exposed; these restrictions make it very easy for malicious instructions to be mixed into the protocol and sent to industrial equipment or systems when it is in use, without any effective monitoring, so that great potential safety hazards exist.
Disclosure of Invention
In order to overcome the defects in the prior art, the invention provides a method for carrying out deep analysis on an industrial protocol, which aims to solve the technical problems that: under the requirement of guaranteeing the safety and privacy of the private industrial protocol, the data frame identification and monitoring are completed, so that the safe delivery of the instruction is guaranteed, and an effective supervision system is formed.
In order to achieve the above purpose, the present invention provides the following technical solutions: a method for deep parsing an industrial protocol, comprising the steps of:
S1, set up a data storage server, establish a matched knowledge base, and collect the characteristic description files of a plurality of private industrial protocols.
S2, establish gateway serial-port communication so that different private industrial protocols are classified according to their transmission ports, and extract the key characteristics of the messages within the same classification.
S3, install an analysis engine on the upper layer of the matched knowledge base, and add a protocol decoding module, a matching rule module and a flow matching module to unpack the data message.
S4, transmit the message decoding data processed by the protocol decoding module to the data conversion module, have the data conversion module identify the data format of the message decoding data, and match the identified message decoding data, through the analysis engine, with the corresponding assembly instruction in the matched knowledge base.
S5, through the assembly instruction matched in the matched knowledge base, have the analysis engine call its relevant program in file-reading mode to compare the similarity between the key characteristics of the classified and extracted message and the corresponding characteristic description file inside the matched knowledge base.
S6, if the similarity comparison is true, complete the instruction identification; if the similarity comparison fails, enter the debugging mode and start the safety mode.
As a further aspect of the invention: in step S5, the similarity comparison formula is as follows:
$\mathrm{Similarity}_{\lambda e} = \dfrac{\lambda_{ve}}{(\lambda_\alpha + \lambda_\beta)/2}$
wherein: $\mathrm{Similarity}_{\lambda e}$ describes, for the message characteristics, the similarity among the n templates in the template queue;
$\lambda_{ve}$ is, for the message characteristics, the length of the longest common subsequence of template α and message β;
$\lambda_\alpha$ is the template length and $\lambda_\beta$ is the message length.
As a further aspect of the invention: the characteristic description file of the private industrial protocol in step S1 is specifically an assembly storage execution instruction corresponding to a data frame sent by the private industrial protocol, and the data frame structure of the assembly storage execution instruction includes a device address, a function code, a data address and an error checking code.
As a further aspect of the invention: the key characteristics of the message in S2 are the length of the message data and the distinguishing value of the first half section and the second half section of the message data bytes.
As a further aspect of the invention: in the similarity comparison, the message and the corresponding characteristic description file of the private industrial protocol are the same execution instruction. The comparison is carried out first on the first half of the message data bytes. If the first-half search yields a single instruction, the second half of the message data bytes is compared, and if it is consistent the message is output. If the first-half search yields a plurality of instructions, the second half of the message data bytes is compared against each of them until the finally matched characteristic description file appears. If no matching data exists, the debugging mode is entered.
As a further aspect of the invention: the debugging mode requires the intervention of an engineer; the unidentified data frame is compiled and defined as the corresponding instruction and then entered into the matched knowledge base to form a characteristic description file. If the data frame is a malicious data frame, the safety mode is entered to carry out the corresponding scanning and removal processing.
As a further aspect of the invention: in step S4, the data conversion module performs targeted format conversion on the data, where the conversion mode is compatible with the mainstream unencrypted industrial protocol conversion mode and the access private industrial protocol specific conversion mode.
As a further aspect of the invention: the analysis engine is provided with a lateral function migration port and can be compatible with a dedicated internal industrial firewall.
The invention has the beneficial effects that:
1. The invention establishes a set of point-to-point analysis engines for a plurality of non-universal private industrial protocols. Each analysis engine is built on the upper layer of the matched knowledge base of the corresponding private industrial protocol, and the matched knowledge base holds the characteristic description files corresponding to that protocol, so that the analysis is carried out point to point. Because a search-type data-frame message identification mode against the matched knowledge base is adopted, a traffic white list and a self-defined alarm capability are achieved on the premise that no detail of the private industrial protocol is exposed: only the description rules of the protocol are exposed, while the confidential decoding mode, business rules, version management and the like remain hidden;
2. The invention adopts a matching mode that combines similarity comparison with a distinguishing comparison of the first half and the second half, so that after the similarity retrieval is completed a single instruction is output directly, the debugging mode is entered if no similar instruction exists, and the two-section distinguishing comparison of the frame data is performed if a plurality of instructions exist, which improves the response speed of instructions to a certain extent.
Drawings
FIG. 1 is a schematic diagram of the overall frame principle of the present invention;
FIG. 2 is a schematic flow chart of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described below clearly and completely; obviously, the described embodiments are only some embodiments of the present invention, not all of them. All other embodiments that can be obtained by those skilled in the art based on the embodiments of the invention without inventive effort fall within the scope of the invention.
The invention provides a method for carrying out deep analysis on an industrial protocol, which comprises the following steps:
S1, set up a data storage server, establish a matched knowledge base, and collect the characteristic description files of a plurality of private industrial protocols.
S2, establish gateway serial-port communication so that different private industrial protocols are classified according to their transmission ports, and extract the key characteristics of the messages within the same classification.
S3, install an analysis engine on the upper layer of the matched knowledge base, and add a protocol decoding module, a matching rule module and a flow matching module to unpack the data message.
S4, transmit the message decoding data processed by the protocol decoding module to the data conversion module, have the data conversion module identify the data format of the message decoding data, and match the identified message decoding data, through the analysis engine, with the corresponding assembly instruction in the matched knowledge base.
S5, through the assembly instruction matched in the matched knowledge base, have the analysis engine call its relevant program in file-reading mode to compare the similarity between the key characteristics of the classified and extracted message and the corresponding characteristic description file inside the matched knowledge base.
S6, if the similarity comparison is true, complete the instruction identification; if the similarity comparison fails, enter the debugging mode and start the safety mode.
In step S5, the similarity comparison formula is as follows:
$\mathrm{Similarity}_{\lambda e} = \dfrac{\lambda_{ve}}{(\lambda_\alpha + \lambda_\beta)/2}$
wherein: $\mathrm{Similarity}_{\lambda e}$ describes, for the message characteristics, the similarity among the n templates in the template queue;
$\lambda_{ve}$ is, for the message characteristics, the length of the longest common subsequence of template α and message β;
$\lambda_\alpha$ is the template length and $\lambda_\beta$ is the message length.
In other embodiments, the profile of the private industrial protocol in step S1 is specifically an assembly storage execution instruction corresponding to a data frame sent by the private industrial protocol, where the data frame structure includes a device address, a function code, a data address, and an error checking code. The private industrial protocol feature description file adopts the corresponding execution instruction which is directly matched, so that the private industrial protocol feature description file can ensure good adaptation and accurate corresponding instruction, ensure stable operation and greatly improve the adaptation effect of the private industrial protocol feature description file to various private industrial protocols.
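The frame layout named above (device address, function code, data address, error checking code) suggests a validation step before any knowledge-base lookup: a frame whose error checking code does not verify should never reach the matching stage. The following Python is an added example written for this page, not the patent's or the applicant's code. It assumes byte widths the patent does not state (a 1-byte device address, a 1-byte function code, a 2-byte big-endian data address, a variable data field and a 2-byte little-endian check code), assumes a reflected CRC-16 with polynomial 0xA001 as the error checking code, and keys a constructed knowledge base on the (device address, function code, data address) triple; the instruction labels and sample frames are constructed.

```python
"""Frame field check before knowledge-base matching.

Added example, not the patent's code. Assumed layout (the patent names the
fields but not their widths):
  device address (1 byte) | function code (1 byte) | data address (2 bytes, big-endian)
  | data (0..n bytes) | error checking code (2 bytes, little-endian CRC-16, poly 0xA001)
"""
from dataclasses import dataclass
from typing import Dict, Tuple


def crc16(data: bytes) -> int:
    """Assumed error checking code: reflected CRC-16, polynomial 0xA001, init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


@dataclass(frozen=True)
class Frame:
    device_address: int
    function_code: int
    data_address: int
    data: bytes


def build_frame(frame: Frame) -> bytes:
    """Serialise the fields and append the check code (used here to construct samples)."""
    body = (bytes([frame.device_address, frame.function_code])
            + frame.data_address.to_bytes(2, "big")
            + frame.data)
    return body + crc16(body).to_bytes(2, "little")


def parse_frame(raw: bytes) -> Frame:
    """Split a raw frame into its fields; reject short frames and bad check codes."""
    if len(raw) < 6:  # minimum: 1 + 1 + 2 + 0 + 2 bytes
        raise ValueError("frame too short")
    body, check = raw[:-2], int.from_bytes(raw[-2:], "little")
    if crc16(body) != check:
        raise ValueError("error checking code mismatch")
    return Frame(body[0], body[1], int.from_bytes(body[2:4], "big"), body[4:])


# Constructed knowledge base: (device, function code, data address) -> execution instruction label.
KNOWLEDGE_BASE: Dict[Tuple[int, int, int], str] = {
    (0x11, 0x03, 0x0010): "READ_REGISTER_BLOCK",    # hypothetical label
    (0x11, 0x06, 0x0010): "WRITE_SINGLE_REGISTER",  # hypothetical label
}


def classify(raw: bytes) -> str:
    """Return the matched instruction label, "debug" for a well-formed but unknown
    frame (engineer intervention), or "rejected" when the check code does not verify."""
    try:
        frame = parse_frame(raw)
    except ValueError:
        return "rejected"
    key = (frame.device_address, frame.function_code, frame.data_address)
    return KNOWLEDGE_BASE.get(key, "debug")


if __name__ == "__main__":
    sample = build_frame(Frame(0x11, 0x03, 0x0010, bytes([0x00, 0x02])))
    print(sample.hex(), "->", classify(sample))
    print((sample[:-1] + bytes([sample[-1] ^ 0xFF])).hex(), "->", classify(sample[:-1] + bytes([sample[-1] ^ 0xFF])))
```

The "rejected" outcome is kept separate from "debug" on purpose: a frame that fails its own integrity check is a transport or tampering problem, not a new instruction an engineer should add to the knowledge base.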
In other embodiments, the key feature of the message in S2 is the length of the message data and the distinguishing value of the first half and the second half of the message data bytes. The key features can facilitate providing the necessary input information for the similarity, and meanwhile, the numerical values of the first half section and the second half section can be distinguished to a certain extent, so that the processing speed of the data processing can be improved.
In other embodiments, in the similarity comparison, the message and the corresponding feature description file of the private industrial protocol are the same execution instruction. The feature description file is an explanation of the message of the corresponding private industrial protocol, so the message itself does not need to be parsed: the meaning the message expresses can be known, through the corresponding matched feature description file, to be the same execution instruction. The corresponding judgment can therefore be made without knowing the rules of the private protocol; only the description rules of the protocol are exposed, while the confidential decoding mode, business rules, version management and other tasks all remain hidden. The comparison is carried out first on the first half of the message data bytes. If the first-half search yields a single instruction, the second half of the message data bytes is compared, and if it is consistent the message is output. If the first-half search yields a plurality of instructions, the second half of the message data bytes is compared against each of them until the finally matched feature description file appears, and if no matching data exists the debug mode is entered. The similarity comparison allows a rapid and broad screening of the library, and the subsequent exact positioning by the distinguishing values of the first half and the second half then guarantees both the matching speed and the accuracy of the corresponding instruction.
In other embodiments, the debug mode requires the intervention of an engineer: the unidentified data frame is compiled and defined as the corresponding instruction and then entered into the matched knowledge base to form a feature description file, and if the unidentified data frame is a malicious data frame, the safe mode is entered to carry out the corresponding scanning and removal processing. By adopting the debugging mode, the system can complete systematic function improvement and refinement during long-term operation, so that its long-term operating stability gradually improves; used together with the safety mode, it allows a quick response when malicious data frames appear, which improves operational safety.
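The similarity formula of step S5 and the first-half/second-half distinguishing comparison described above, carried out end to end in Python as an added example (not the patent's or the applicant's code). It assumes that messages and templates are byte strings, that the matched knowledge base is a dictionary from template bytes to an execution-instruction label, that the "distinguishing value" of each half is simply the raw bytes of that half, and uses a constructed acceptance threshold of 0.8 and constructed sample frames; the patent gives none of these specifics.

```python
"""Similarity screen plus two-half distinguishing comparison (added example, not the patent's code).

Similarity = lambda_ve / ((lambda_alpha + lambda_beta) / 2), where lambda_ve is the
longest-common-subsequence length of template alpha and message beta, and
lambda_alpha / lambda_beta are their lengths.
"""
from typing import Dict, List, Optional, Tuple


def lcs_length(a: bytes, b: bytes) -> int:
    """lambda_ve: longest common subsequence length, two-row dynamic programme."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(template: bytes, message: bytes) -> float:
    """The patent's formula: LCS length over the mean of the two lengths (0.0 .. 1.0)."""
    if not template and not message:
        return 1.0
    return lcs_length(template, message) / ((len(template) + len(message)) / 2)


def halves(frame: bytes) -> Tuple[bytes, bytes]:
    """First half / second half of the data bytes (assumed: split at the midpoint)."""
    mid = len(frame) // 2
    return frame[:mid], frame[mid:]


def key_features(frame: bytes) -> Tuple[int, bytes, bytes]:
    """S2 key features: message length plus the distinguishing value of each half."""
    first, second = halves(frame)
    return len(frame), first, second


def identify(message: bytes, knowledge_base: Dict[bytes, str],
             threshold: float = 0.8) -> Tuple[str, Optional[str]]:
    """Return ("identified", label) or ("debug", None).

    1. Similarity screen over the template queue (S5/S6).
    2. First-half comparison; if one or more templates survive, compare the
       second half against each until the finally matched template appears.
    3. Anything left unmatched goes to the debugging mode for an engineer."""
    _length, first, second = key_features(message)
    candidates: List[bytes] = [t for t in knowledge_base
                               if similarity(t, message) >= threshold]
    if not candidates:
        return "debug", None                       # no similar instruction at all
    first_hits = [t for t in candidates if halves(t)[0] == first]
    for t in first_hits:                           # single or multiple hits alike
        if halves(t)[1] == second:
            return "identified", knowledge_base[t]
    return "debug", None                           # screened in, but not positioned


# Constructed knowledge base: template bytes -> execution instruction label (hypothetical).
KNOWLEDGE_BASE: Dict[bytes, str] = {
    bytes([0x01, 0x03, 0x00, 0x10, 0x00, 0x02]): "INSTR_A",
    bytes([0x01, 0x06, 0x00, 0x10, 0x00, 0x01]): "INSTR_B",
    bytes([0x01, 0x03, 0x00, 0x10, 0x00, 0x04]): "INSTR_C",
}

if __name__ == "__main__":
    for msg in (bytes([0x01, 0x03, 0x00, 0x10, 0x00, 0x02]),   # exact template, two first-half hits
                bytes([0x01, 0x03, 0x00, 0x10, 0x00, 0x09]),   # passes the screen, fails positioning
                bytes([0x02, 0x99, 0x77, 0x55])):              # nothing similar
        print(msg.hex(), "->", identify(msg, KNOWLEDGE_BASE))
```

The first sample shows the multi-instruction path: two templates share the same first half, and the second-half comparison picks the right one. The second sample is the case a reviewer should look at closely: it passes the similarity screen (five of six bytes in common with two templates) but neither second half matches, so the frame is routed to the debugging mode rather than being output on similarity alone.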
In other embodiments, in step S4, the data conversion module performs targeted format conversion on the data, where the conversion mode is compatible with the mainstream unencrypted industrial protocol conversion mode and the access private industrial protocol specific conversion mode. The mode compatible with the mutual conversion of OPC UA/DA, modbus, fins, profinet, gem, mewtocol, BACnet, MC, etherNet/IP, HTTP and MQTT SUB in the mainstream unencrypted industrial protocol is adopted, so that the synchronous docking of the proprietary industrial protocol and the mainstream unencrypted industrial protocol can be realized, and the use suitability is improved.
In other embodiments, the parsing engine is provided with a lateral function migration port compatible with a proprietary internal industrial firewall. The adoption of the set transverse function transplanting port can improve the use flexibility, and meanwhile, the operation mode of the device and the whole system can be improved in an adaptation coordination mode, and the safety protection can be guaranteed to a certain extent to be more specialized.
Example 1:
a method for deep parsing an industrial protocol, comprising the steps of:
S1, set up a data storage server, establish a matched knowledge base, and collect the characteristic description files of a plurality of private industrial protocols.
S2, establish gateway serial-port communication so that different private industrial protocols are classified according to their transmission ports, and extract the key characteristics of the messages within the same classification.
S3, install an analysis engine on the upper layer of the matched knowledge base, and add a protocol decoding module, a matching rule module and a flow matching module to unpack the data message.
S4, transmit the message decoding data processed by the protocol decoding module to the data conversion module, have the data conversion module identify the data format of the message decoding data, and match the identified message decoding data, through the analysis engine, with the corresponding assembly instruction in the matched knowledge base.
S5, through the assembly instruction matched in the matched knowledge base, have the analysis engine call its relevant program in file-reading mode to compare the similarity between the key characteristics of the classified and extracted message and the corresponding characteristic description file inside the matched knowledge base.
S6, if the similarity comparison is true, complete the instruction identification; if the similarity comparison fails, enter the debugging mode and start the safety mode.
The characteristic description file of the private industrial protocol in step S1 is specifically an assembly storage execution instruction corresponding to a data frame sent by the private industrial protocol, and the data frame structure of the assembly storage execution instruction includes a device address, a function code, a data address and an error checking code.
The key characteristics of the message in S2 are the length of the message data and the distinguishing value of the first half section and the second half section of the message data bytes.
In the similarity comparison, the message and the corresponding characteristic description file of the private industrial protocol are the same execution instruction. The comparison is carried out first on the first half of the message data bytes. If the first-half search yields a single instruction, the second half of the message data bytes is compared, and if it is consistent the message is output. If the first-half search yields a plurality of instructions, the second half of the message data bytes is compared against each of them until the finally matched characteristic description file appears. If no matching data exists, the debugging mode is entered.
The debugging mode requires the intervention of an engineer; the unidentified data frame is compiled and defined as the corresponding instruction and then entered into the matched knowledge base to form a characteristic description file. If the data frame is a malicious data frame, the safety mode is entered to carry out the corresponding scanning and removal processing.
In step S4, the data conversion module performs targeted format conversion on the data, where the conversion mode is compatible with the mainstream unencrypted industrial protocol conversion mode and the access private industrial protocol specific conversion mode.
The analysis engine is provided with a lateral function migration port and can be compatible with a dedicated internal industrial firewall.
In step S3, the similarity comparison formula is as follows:
$\mathrm{Similarity}_{\lambda e} = \dfrac{\lambda_{ve}}{(\lambda_\alpha + \lambda_\beta)/2}$
wherein: $\mathrm{Similarity}_{\lambda e}$ describes, for the message characteristics, the similarity among the n templates in the template queue;
$\lambda_{ve}$ is, for the message characteristics, the length of the longest common subsequence of template α and message β;
$\lambda_\alpha$ is the template length and $\lambda_\beta$ is the message length.
Example 2:
a method for deep parsing an industrial protocol, comprising the steps of:
S1, set up a data storage server, establish a matched knowledge base, and collect the characteristic description files of a plurality of private industrial protocols.
S2, establish gateway serial-port communication so that different private industrial protocols are classified according to their transmission ports, and extract the key characteristics of the messages within the same classification.
S3, install an analysis engine on the upper layer of the matched knowledge base, and add a protocol decoding module, a matching rule module and a flow matching module to unpack the data message.
S4, transmit the message decoding data processed by the protocol decoding module to the data conversion module, have the data conversion module identify the data format of the message decoding data, and match the identified message decoding data, through the analysis engine, with the corresponding assembly instruction in the matched knowledge base.
S5, through the assembly instruction matched in the matched knowledge base, have the analysis engine call its relevant program in file-reading mode to compare the similarity between the key characteristics of the classified and extracted message and the corresponding characteristic description file inside the matched knowledge base.
S6, if the similarity comparison is true, complete the instruction identification; if the similarity comparison fails, enter the debugging mode and start the safety mode.
The characteristic description file of the private industrial protocol in step S1 is specifically an assembly storage execution instruction corresponding to a data frame sent by the private industrial protocol, and the data frame structure of the assembly storage execution instruction includes a device address, a function code, a data address and an error checking code.
The key feature of the message in S2 is the length of the message data.
In the similarity comparison, the message and the corresponding characteristic description file of the private industrial protocol are the same execution instruction, and if no matching data exists, the debugging mode is entered.
The debugging mode requires the intervention of an engineer; the unidentified data frame is compiled and defined as the corresponding instruction and then entered into the matched knowledge base to form a characteristic description file. If the data frame is a malicious data frame, the safety mode is entered to carry out the corresponding scanning and removal processing.
In step S4, the data conversion module performs targeted format conversion on the data, where the conversion mode is compatible with the mainstream unencrypted industrial protocol conversion mode and the access private industrial protocol specific conversion mode.
The analysis engine is provided with a lateral function migration port and can be compatible with a dedicated internal industrial firewall.
In step S3, the similarity comparison formula is as follows:
$\mathrm{Similarity}_{\lambda e} = \dfrac{\lambda_{ve}}{(\lambda_\alpha + \lambda_\beta)/2}$
wherein: $\mathrm{Similarity}_{\lambda e}$ describes, for the message characteristics, the similarity among the n templates in the template queue;
$\lambda_{ve}$ is, for the message characteristics, the length of the longest common subsequence of template α and message β;
$\lambda_\alpha$ is the template length and $\lambda_\beta$ is the message length.
Example 3:
a method for deep parsing an industrial protocol, comprising the steps of:
S1, set up a data storage server, establish a matched knowledge base, and collect the characteristic description files of a plurality of private industrial protocols.
S2, establish gateway serial-port communication so that different private industrial protocols are classified according to their transmission ports, and extract the key characteristics of the messages within the same classification.
S3, install an analysis engine on the upper layer of the matched knowledge base, and add a protocol decoding module, a matching rule module and a flow matching module to unpack the data message.
S4, transmit the message decoding data processed by the protocol decoding module to the data conversion module, have the data conversion module identify the data format of the message decoding data, and match the identified message decoding data, through the analysis engine, with the corresponding assembly instruction in the matched knowledge base.
S5, through the assembly instruction matched in the matched knowledge base, have the analysis engine call its relevant program in file-reading mode to compare the similarity between the key characteristics of the classified and extracted message and the corresponding characteristic description file inside the matched knowledge base.
S6, if the similarity comparison is true, complete the instruction identification; if the similarity comparison fails, enter the debugging mode and start the safety mode.
The characteristic description file of the private industrial protocol in step S1 is specifically an assembly storage execution instruction corresponding to a data frame sent by the private industrial protocol, and the data frame structure of the assembly storage execution instruction includes a device address, a function code, a data address and an error checking code.
The key characteristics of the message in S2 are the length of the message data and the distinguishing value of the first half section and the second half section of the message data bytes.
The comparison is carried out first on the first half of the message data bytes. If the first-half search yields a single instruction, the second half of the message data bytes is compared, and if it is consistent the message is output. If the first-half search yields a plurality of instructions, the second half of the message data bytes is compared against each of them until the finally matched characteristic description file appears. If no matching data exists, the debugging mode is entered.
The debugging mode requires the intervention of an engineer; the unidentified data frame is compiled and defined as the corresponding instruction and then entered into the matched knowledge base to form a characteristic description file. If the data frame is a malicious data frame, the safety mode is entered to carry out the corresponding scanning and removal processing.
In step S4, the data conversion module performs targeted format conversion on the data, where the conversion mode is compatible with the mainstream unencrypted industrial protocol conversion mode and the access private industrial protocol specific conversion mode.
The analysis engine is provided with a lateral function migration port and can be compatible with a dedicated internal industrial firewall.
Comparative example 1: (compared with example 1, the difference is that a direct comparison method is used)
A method for deep parsing an industrial protocol, comprising the steps of:
S1, set up a data storage server, establish a matched knowledge base, and collect the characteristic description files of a plurality of private industrial protocols.
S2, establish gateway serial-port communication so that different private industrial protocols are classified according to their transmission ports, and extract the key characteristics of the messages within the same classification.
S3, install an analysis engine on the upper layer of the matched knowledge base, and add a protocol decoding module, a matching rule module and a flow matching module to unpack the data message.
S4, transmit the message decoding data processed by the protocol decoding module to the data conversion module, have the data conversion module identify the data format of the message decoding data, and match the identified message decoding data, through the analysis engine, with the corresponding assembly instruction in the matched knowledge base.
S5, through the assembly instruction matched in the matched knowledge base, have the analysis engine call its relevant program in file-reading mode to compare the similarity between the key characteristics of the classified and extracted message and the corresponding characteristic description file inside the matched knowledge base.
S6, if the similarity comparison is true, complete the instruction identification; if the similarity comparison fails, enter the debugging mode and start the safety mode.
The characteristic description file of the private industrial protocol in step S1 is specifically an assembly storage execution instruction corresponding to a data frame sent by the private industrial protocol, and the data frame structure of the assembly storage execution instruction includes a device address, a function code, a data address and an error checking code.
The key feature of the message in S2 is the length of the message data.
And comparing the message with the matched instruction with the same specification in the characteristic description file of the private industrial protocol, and entering a debugging mode if no matched data exists.
And the debugging mode needs the intervention of engineers, the unidentified data frames are compiled and defined as corresponding instructions and then are input into a matched knowledge base to form a characteristic description file, and if the data frames are malicious data frames, the data frames enter a safety mode to carry out corresponding checking and killing processing.
In step S4, the data conversion module performs targeted format conversion on the data, where the conversion mode is compatible with the mainstream unencrypted industrial protocol conversion mode and the access private industrial protocol specific conversion mode.
The analysis engine is provided with a transverse function transplanting port, and can be compatible with a special internal industrial firewall.
In step S3, the similarity comparison formula is as follows:
$\mathrm{Similarity}_{\lambda e} = \lambda_{ve} / \big[(\lambda_\alpha + \lambda_\beta)/2\big]$
where $\mathrm{Similarity}_{\lambda e}$ describes, for the message characteristics, the similarity among the n templates in the template queue;
$\lambda_{ve}$ is the length of the longest common subsequence of the template $\alpha$ and the message $\beta$;
$\lambda_\alpha$ is the template length and $\lambda_\beta$ is the message length.
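The two-stage comparison of example 1 (first half of the data bytes, then second half, with the debugging mode as the fallback) and the similarity formula just given can be exercised together in one small program. The following is an added example written for this page, not code from the patent or its applicants. Everything beyond the page's own description is an assumption and is marked as such in the code: the frame layout named in the claims (device address, function code, data address, error checking code) is treated as Modbus-RTU-like, and a CRC-16/MODBUS stands in for the error checking code the patent does not specify; a characteristic description file is modelled as an (instruction name, reference frame) pair; the first/second half split is taken at the midpoint of the frame's data bytes, i.e. the frame without its checksum; the knowledge base frames and the 0.5 similarity threshold are constructed for the demonstration; and the safety-mode decision for malicious frames is left to the engineer, as the patent describes, so it is not modelled.

```python
"""Toy reproduction of the two-stage frame matching described on this page.

Added example for illustration; not the patent's own code. Assumptions that the
page does not state: Modbus-RTU-like frame layout with CRC-16/MODBUS as the error
checking code, (instruction, reference frame) pairs as characteristic description
files, midpoint split of the data bytes, constructed knowledge base, threshold 0.5.
"""
from dataclasses import dataclass


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS (init 0xFFFF, reflected polynomial 0xA001). Assumed checksum."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(device: int, func: int, data_addr: int, payload: bytes) -> bytes:
    """device address | function code | 16-bit data address | payload | CRC (little-endian)."""
    body = bytes([device, func]) + data_addr.to_bytes(2, "big") + payload
    return body + crc16_modbus(body).to_bytes(2, "little")


def lcs_length(a: bytes, b: bytes) -> int:
    """Length of the longest common subsequence: lambda_ve in the page's formula."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, start=1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(template: bytes, message: bytes) -> float:
    """Similarity = lambda_ve / ((lambda_alpha + lambda_beta) / 2), as given on the page."""
    if not template and not message:
        return 1.0
    return lcs_length(template, message) / ((len(template) + len(message)) / 2)


@dataclass(frozen=True)
class FeatureFile:
    instruction: str   # the execution instruction this template stands for
    template: bytes    # a complete reference frame, checksum included


def halves(frame: bytes) -> tuple[bytes, bytes]:
    """Split the data bytes (frame minus 2-byte checksum) into first and second half."""
    data = frame[:-2]
    mid = len(data) // 2
    return data[:mid], data[mid:]


def checksum_ok(frame: bytes) -> bool:
    return len(frame) >= 4 and crc16_modbus(frame[:-2]) == int.from_bytes(frame[-2:], "little")


def match_frame(frame: bytes, knowledge_base: list[FeatureFile], threshold: float = 0.5):
    """Return ("matched", instruction, score) or ("debug", None, reason)."""
    if not checksum_ok(frame):                      # never compare a frame that fails its error check
        return ("debug", None, "checksum mismatch")
    # Key feature from the page: classify by message length before anything else.
    same_length = [f for f in knowledge_base if len(f.template) == len(frame)]
    if not same_length:
        return ("debug", None, f"no template of length {len(frame)}")
    first, second = halves(frame)
    # Stage 1: the first half (device address, function code, ...) must agree byte for byte.
    hits = [f for f in same_length if halves(f.template)[0] == first]
    if not hits:
        return ("debug", None, "no first-half match")
    # Stage 2: one or several hits are ranked by second-half similarity; the best must clear
    # the threshold and be unique, otherwise the frame goes to the debugging mode.
    scored = sorted(((similarity(halves(f.template)[1], second), f) for f in hits),
                    key=lambda t: t[0], reverse=True)
    score, best = scored[0]
    if score < threshold or (len(scored) > 1 and scored[1][0] == score):
        return ("debug", None, f"second-half similarity {score:.2f} not conclusive")
    return ("matched", best.instruction, score)


def register_from_debug(knowledge_base: list[FeatureFile], frame: bytes, instruction: str) -> None:
    """Debugging-mode outcome: an engineer names the frame and it becomes a new feature file."""
    if not checksum_ok(frame):
        raise ValueError("refusing to learn a frame whose error checking code does not verify")
    knowledge_base.append(FeatureFile(instruction, bytes(frame)))


# Constructed knowledge base (not taken from the patent): four reference frames for device 1.
KNOWLEDGE_BASE = [
    FeatureFile("read_holding_block_A", build_frame(1, 0x03, 0x0000, b"\x00\x0A")),
    FeatureFile("read_holding_block_B", build_frame(1, 0x03, 0x0064, b"\x00\x0A")),
    FeatureFile("write_single_reg",     build_frame(1, 0x06, 0x0001, b"\x00\x00")),
    FeatureFile("read_coils",           build_frame(1, 0x01, 0x0000, b"\x00\x08")),
]

if __name__ == "__main__":
    kb = list(KNOWLEDGE_BASE)
    probe = build_frame(1, 0x03, 0x0000, b"\x00\x10")    # two first-half hits, resolved on second half
    print(match_frame(probe, kb))
    unknown = build_frame(1, 0x10, 0x0000, b"\x00\x01")  # function code absent from the knowledge base
    print(match_frame(unknown, kb))
    register_from_debug(kb, unknown, "write_multiple_regs")
    print(match_frame(unknown, kb))
```

Running the file prints the three outcomes in turn: a frame whose first half matches two templates and is resolved on the second half, an unknown function code that falls into the debugging mode, and the same frame recognised once the engineer has registered it as a new characteristic description file. The checksum is verified before any template comparison because a frame whose error checking code does not verify cannot be trusted to carry the function code it appears to carry, and learning such a frame into the knowledge base would poison later matches.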
The following table is given in accordance with examples 1-3 and comparative example 1:
From the comparison in the table above it can be seen that, on the premise that no details of the private industrial protocol are exposed, the method achieves a traffic white list and a custom alarm capability, so that the protocol's description rules, its secret decoding method, its business rules and its version management all stay hidden. Comparing the embodiments with one another yields the best implementation: embodiment 1 has the fastest average response speed, which secures its advantage and improves the response speed to a certain extent.
Finally, it should be noted that the foregoing general description and specific embodiments describe the invention in detail, but the embodiments merely illustrate the technical solution of the invention and do not limit it. Those of ordinary skill in the art will understand that the technical solution described in the foregoing embodiments can be modified, or some or all of its technical features can be replaced by equivalents, and that such modifications and substitutions do not depart from the spirit of the invention.

Claims (7)

1. A method for deep parsing an industrial protocol, comprising the steps of:
setting up a data storage server, establishing a matched knowledge base and collecting characteristic description files of a plurality of private industrial protocols;
establishing gateway serial port communication, classifying different private industrial protocols according to their transmission ports, and extracting key characteristics of a data message within each class;
installing an analysis engine above the matched knowledge base, adding a protocol decoding module, a matching rule module and a flow matching module, and unpacking the data message;
transmitting the data message decoding data produced by the protocol decoding module to the data conversion module, which identifies the data format of the data message decoding data, and matching the identified data message decoding data, through the analysis engine, with a corresponding feature description file in the matched knowledge base;
wherein the analysis engine matches the feature description file in the matched knowledge base by calling, in file-reading mode, the relevant program of the analysis engine to compare the similarity between the key characteristics of the classified and extracted data message and the corresponding feature description file in the matched knowledge base;
if the similarity comparison is true, the identification of the execution instruction is complete, and if the similarity comparison fails, the debugging mode is entered and the safety mode is started;
in the similarity comparison, the data message and the corresponding feature description file of the private industrial protocol correspond to the same execution instruction; the comparison is carried out synchronously on the first half of the data bytes of the data message; if the first-half search yields a single execution instruction, the second half of the data bytes is compared and, if it is consistent with that single execution instruction, the data message is output; if the first-half search yields several execution instructions, the second half of the data bytes is compared until the finally matching feature description file appears; and if no matching data exists, the debugging mode is entered.
2. A method for deep parsing an industrial protocol according to claim 1, wherein the similarity comparison formula is as follows:
$\mathrm{Similarity}_{\lambda e} = \lambda_{ve} / \big[(\lambda_\alpha + \lambda_\beta)/2\big]$;
wherein $\mathrm{Similarity}_{\lambda e}$ describes, for the data message characteristics, the similarity among the n templates in the template queue;
$\lambda_{ve}$ is the length of the longest common subsequence of the template $\alpha$ and the data message $\beta$;
$\lambda_\alpha$ is the template length and $\lambda_\beta$ is the data message length.
3. A method for deep parsing an industrial protocol according to claim 1, wherein the characteristic description file of the private industrial protocol is specifically the characteristic description file corresponding to a data message sent by the private industrial protocol, and the data message structure of that characteristic description file comprises a device address, a function code, a data address and an error checking code.
4. A method for deep parsing an industrial protocol according to claim 1, wherein the key characteristics of the data message are the length of the data message and the distinguishing values of the first half and the second half of the data bytes of the data message.
5. A method for deep parsing an industrial protocol according to claim 1, wherein the debugging mode requires the intervention of an engineer, the unidentified data message is defined as the corresponding feature description file and entered into the matched knowledge base as that feature description file, and, if the data message is a malicious data message, the safety mode is entered to carry out the corresponding checking and removal processing.
6. A method for deep parsing an industrial protocol according to claim 1, wherein the data conversion module carries out targeted format conversion on the data, and the conversion mode is compatible with the mainstream unencrypted industrial protocol conversion modes and with the conversion mode specific to the accessed private industrial protocol.
7. A method for deep parsing an industrial protocol according to claim 1, wherein the analysis engine is provided with a lateral function porting interface and is compatible with a dedicated internal industrial firewall.
CN202111485150.2A 2021-12-07 2021-12-07 Method for carrying out deep analysis on industrial protocol Active CN114189570B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111485150.2A CN114189570B (en) 2021-12-07 2021-12-07 Method for carrying out deep analysis on industrial protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111485150.2A CN114189570B (en) 2021-12-07 2021-12-07 Method for carrying out deep analysis on industrial protocol

Publications (2)

Publication Number Publication Date
CN114189570A CN114189570A (en) 2022-03-15
CN114189570B true CN114189570B (en) 2023-10-20

Family

ID=80603634

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111485150.2A Active CN114189570B (en) 2021-12-07 2021-12-07 Method for carrying out deep analysis on industrial protocol

Country Status (1)

Country Link
CN (1) CN114189570B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022366B (en) * 2022-06-02 2023-11-03 深信服科技股份有限公司 Asset identification method and device, electronic equipment and storage medium
CN115134434A (en) * 2022-06-17 2022-09-30 奇安信科技集团股份有限公司 Session connection monitoring method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789416A (en) * 2016-12-13 2017-05-31 中兴软创科技股份有限公司 The recognition methods of industrial control system specialized protocol and system
CN110445815A (en) * 2019-09-20 2019-11-12 北京天地和兴科技有限公司 A kind of industry control protocol depth analytic method
CN112260872A (en) * 2020-10-22 2021-01-22 北京理工大学 Identification heterogeneous recognition method and system based on character string matching
CN112788015A (en) * 2020-12-31 2021-05-11 天津大学 Industrial control protocol identification and analysis method based on industrial gateway

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11582132B2 (en) * 2019-11-01 2023-02-14 Verizon Patent And Licensing Inc. Systems and methods for identifying unknown protocols associated with industrial control systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant