CN114330363A - Industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis - Google Patents

Info

Publication number: CN114330363A
Authority: CN (China)
Prior art keywords: data set, module, vulnerability, industrial control, training data
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN202111540917.7A
Other languages: Chinese (zh)
Inventors: 肖勇才, 徐建, 刘旷也, 杨浩, 章玲玲
Current assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Jiangxi Electric Power Co Ltd (as listed by Google Patents; not a legal conclusion)
Original assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Jiangxi Electric Power Co Ltd
Priority date: 2021-12-16
Filing date: 2021-12-16
Publication date: 2022-04-12
Application filed by State Grid Corp of China SGCC and Electric Power Research Institute of State Grid Jiangxi Electric Power Co Ltd
Priority to CN202111540917.7A
Publication of CN114330363A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses an industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis, in the technical field of vulnerability mining, comprising the following steps: acquire a historical test case data set and divide it into a training data set and a test data set; capture the training data set and the test data set through a network sniffing module; perform data preprocessing and then feature extraction on the captured training data set and test data set to obtain a feature vector of the training data set and a feature vector of the test data set; group the feature vectors of the training data set and compute the grouped feature vectors to obtain a centroid vector of the training data set; input the centroid vector of the training data set together with the feature vectors of the test data set, perform similarity matching, and construct a semantic analysis model; then input a vulnerability mining command for the industrial control protocol and perform semantic analysis of the industrial control protocol through the semantic analysis model to obtain the vulnerability mining result for the industrial control protocol.

Description

Industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis
Technical Field
The invention relates to the technical field of vulnerability mining, in particular to an industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis.
Background
Industrial control network protocols have very distinct characteristics. First, they are closed: control systems such as SCADA (supervisory control and data acquisition) and DCS (distributed control system), and control equipment such as PLCs (programmable logic controllers), were designed without complete security mechanisms. Second, they are highly complex: the industrial control network has dozens of common bus protocols and application-layer protocols, whose data interfaces are not the same and whose protocol implementations also differ. Finally, the industrial control network is hard to change: it is difficult to retrofit, patch or upgrade. For these reasons traditional semantic analysis techniques and equipment are not suited to industrial control network protocols: they require timely human intervention, and their analysis range is narrow, so they cannot meet the requirements. The invention therefore provides an industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis to overcome these problems.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides an industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis.
The technical scheme of the invention is as follows:
an industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis comprises the following steps:
S1: acquire historical test case data to form a historical data set; divide the historical data set into a training data set and a test data set; capture the training data set and the test data set through a network sniffing module; perform data preprocessing and then feature extraction on the captured training data set and test data set to obtain a feature vector of the training data set and a feature vector of the test data set; then enter step S2;
S2: group the feature vectors of the training data set; compute the grouped feature vectors of the training data set to obtain a centroid vector of the training data set; input the centroid vector of the training data set and the feature vectors of the test data set together, perform similarity matching, and construct a semantic analysis model; then enter step S3;
S3: input a vulnerability mining command for the industrial control protocol, and perform semantic analysis of the industrial control protocol through the semantic analysis model to obtain the vulnerability mining result for the industrial control protocol.
Preferably, the data preprocessing in step S1 includes protocol parsing and data truncation;
the protocol parsing splits the training data set and the test data set into a number of independent data packets according to the basic protocol grammar and deletes the basic protocol header;
the data truncation truncates independent packets that exceed a set byte length and discards independent packets that are shorter than the set byte length.
Preferably, the mathematical expressions of the training data set and the test data set after data preprocessing in step S1 are as follows:
d[x][y]
wherein x is the length of the independent data packet, and y is the number of the independent data packets participating in the statistical feature extraction.
Preferably, the feature extraction in step S1 is specifically performed from the value ranges, randomness, and statistical parameters of the training data set and the test data set.
Preferably, the network sniffing module in step S1 uses Wireshark to capture the communication flows of all protocols.
Preferably, in step S2 the similarity matching between the centroid vector of the training data set and the feature vector of the test data set uses the Jeffreys-Matusita distance as the similarity function, whose mathematical expression is as follows:
(equation image BDA0003414110950000021 on the original page, not reproduced in the text: the Jeffreys-Matusita distance d(m, n))
where m is the centroid vector, n is the feature vector, d(m, n) is the distance between the centroid vector m and the feature vector n, N is the number of vector elements, i is an index taking values between 0 and N, m_i is the i-th element of the centroid vector, and n_i is the i-th element of the feature vector.
An industrial control protocol vulnerability mining system based on vulnerability semantic intelligent analysis comprises: the system comprises a data acquisition module, a first network sniffing module, a second network sniffing module, a first data preprocessing module, a second data preprocessing module, a first feature extraction module, a second feature extraction module, a vector grouping module, a calculation module, a similarity matching module, an analysis module, a command acquisition module and a result output module; the first network sniffing module and the second network sniffing module are respectively connected with the data acquisition module; the first network sniffing module, the first data preprocessing module, the first feature extraction module, the vector grouping module and the calculation module are sequentially connected; the second network sniffing module, the second data preprocessing module and the second feature extraction module are sequentially connected; the second feature extraction module and the calculation module are respectively connected with the similarity matching module; the similarity matching module and the command acquisition module are respectively connected with the analysis module; the analysis module is connected with the result output module.
The invention has the beneficial effects that:
the invention provides an industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis, which not only avoids manual intervention and improves the efficiency of semantic analysis, but also relaxes the constraints on semantic analysis, widens its scope, can effectively select and analyze the syntactic features of the industrial control protocol, and has good practicality.
Drawings
FIG. 1 is a schematic flow chart provided by the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and therefore are only examples, and the protection scope of the present invention is not limited thereby.
As shown in FIG. 1, an industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis includes the following steps:
S1: acquire historical test case data to form a historical data set; divide the historical data set into a training data set and a test data set; capture the training data set and the test data set through a network sniffing module; perform data preprocessing and then feature extraction on the captured training data set and test data set to obtain a feature vector of the training data set and a feature vector of the test data set; then enter step S2;
S2: group the feature vectors of the training data set; compute the grouped feature vectors of the training data set to obtain a centroid vector of the training data set; input the centroid vector of the training data set and the feature vectors of the test data set together, perform similarity matching, and construct a semantic analysis model; then enter step S3;
S3: input a vulnerability mining command for the industrial control protocol, and perform semantic analysis of the industrial control protocol through the semantic analysis model to obtain the vulnerability mining result for the industrial control protocol.
Preferably, the data preprocessing in step S1 includes protocol parsing and data truncation;
the protocol parsing splits the training data set and the test data set into a number of independent data packets according to the basic protocol grammar and deletes the basic protocol header;
the data truncation truncates independent packets that exceed a set byte length and discards independent packets that are shorter than the set byte length.
Preferably, the mathematical expressions of the training data set and the test data set after data preprocessing in step S1 are as follows:
d[x][y]
wherein x is the length of the independent data packet, and y is the number of the independent data packets participating in the statistical feature extraction.
Preferably, the feature extraction in step S1 is specifically performed from the value ranges, randomness, and statistical parameters of the training data set and the test data set.
Preferably, the network sniffing module in step S1 uses Wireshark to capture the communication flows of all protocols.
Preferably, in step S2 the similarity matching between the centroid vector of the training data set and the feature vector of the test data set uses the Jeffreys-Matusita distance as the similarity function, whose mathematical expression is as follows:
(equation image BDA0003414110950000041 on the original page, not reproduced in the text: the Jeffreys-Matusita distance d(m, n))
where m is the centroid vector, n is the feature vector, d(m, n) is the distance between the centroid vector m and the feature vector n, N is the number of vector elements, i is an index taking values between 0 and N, m_i is the i-th element of the centroid vector, and n_i is the i-th element of the feature vector.
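The steps S1 to S3 and their preferred embodiments, as set out in the Disclosure of Invention and repeated in the Detailed Description above, can be followed end to end in the added example below. It is example code written for this page, not code from the patent or its applicants. Its assumptions, which the patent does not fix, are labelled in the comments: traffic is supplied as raw byte strings instead of a Wireshark capture; the "basic protocol header" is a 7-byte fixed prefix (HEADER_LEN, modelled on the MBAP header of Modbus/TCP); the "set byte" thresholds are MIN_LEN and MAX_LEN; "vector grouping" is nearest-centroid clustering seeded with the first and last training vector; and, because the patent's distance formula survives only as an image, the Jeffreys-Matusita distance is taken in its standard form, the square root of the sum over elements of (sqrt(m_i) - sqrt(n_i))^2, which requires non-negative vector elements (all features used here are non-negative). The sample packets are constructed.

```python
"""Added example (not from the patent): steps S1-S3 as runnable code."""
import math
from collections import Counter
from statistics import mean, pstdev

HEADER_LEN = 7   # assumption: fixed header removed by "protocol parsing"
MIN_LEN = 4      # assumption: bodies shorter than this are discarded
MAX_LEN = 16     # assumption: bodies longer than this are truncated

HDR = b"\x00\x01\x00\x00\x00\x06\x01"   # constructed 7-byte header (MBAP-like)

# Constructed "historical test case" traffic: four short benign-looking
# requests, one under-length packet, and three long, high-valued payloads.
TRAIN_PACKETS = [
    HDR + b"\x03\x00\x00\x00\x0a",
    HDR + b"\x03\x00\x10\x00\x02",
    HDR + b"\x06\x00\x05\x00\x01",
    HDR + b"\x10\x00\x00\x00\x02\x04\x00\x01\x00\x02",
    HDR + b"\x01",                                   # 1-byte body: discarded
    HDR + bytes(range(0xF0, 0x100)) + b"\xff\xfe",   # 18-byte body: truncated
    HDR + bytes(range(0xE0, 0x100)),                 # 32-byte body: truncated
    HDR + b"\xfe\xfd" * 10,                          # 20-byte body: truncated
]
TEST_PACKETS = [
    HDR + b"\x03\x00\x20\x00\x05",   # resembles the benign requests
    HDR + b"\xaa\x55" * 8,           # resembles the long, high-valued payloads
]


def preprocess(packets):
    """S1 data preprocessing: strip the header, truncate long bodies, drop short ones."""
    bodies = []
    for pkt in packets:
        body = pkt[HEADER_LEN:]
        if len(body) < MIN_LEN:
            continue
        bodies.append(body[:MAX_LEN])
    return bodies


def byte_entropy(body):
    """Shannon entropy in bits per byte: the 'randomness' feature."""
    n = len(body)
    return -sum(c / n * math.log2(c / n) for c in Counter(body).values())


def features(body):
    """S1 feature extraction: value range, randomness and statistical parameters."""
    vals = list(body)
    return (min(vals), max(vals), byte_entropy(body), mean(vals), pstdev(vals), len(vals))


def jm_distance(m, n):
    """Jeffreys-Matusita distance between two non-negative vectors (standard form)."""
    return math.sqrt(sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(m, n)))


def centroid(vectors):
    """Centroid vector: element-wise mean of one group."""
    return tuple(mean(col) for col in zip(*vectors))


def nearest(centroids, vec):
    """Index of the centroid closest to vec under the JM distance."""
    return min(range(len(centroids)), key=lambda i: jm_distance(centroids[i], vec))


def group_vectors(vectors, rounds=10):
    """S2 vector grouping: two-centroid clustering under the JM distance (assumption)."""
    cents = [vectors[0], vectors[-1]]   # assumption: seed with first and last vector
    for _ in range(rounds):
        groups = [[] for _ in cents]
        for vec in vectors:
            groups[nearest(cents, vec)].append(vec)
        cents = [centroid(g) if g else c for g, c in zip(groups, cents)]
    return cents


def run_pipeline(train_packets, test_packets):
    """S1-S3 end to end: the training centroids and the matched group of each test vector."""
    train_vecs = [features(b) for b in preprocess(train_packets)]
    test_vecs = [features(b) for b in preprocess(test_packets)]
    cents = group_vectors(train_vecs)
    return cents, [nearest(cents, v) for v in test_vecs]


if __name__ == "__main__":
    cents, labels = run_pipeline(TRAIN_PACKETS, TEST_PACKETS)
    for c in cents:
        print("centroid:", [round(x, 2) for x in c])
    print("test packet groups:", labels)
```

With the constructed traffic the two test packets land in different groups (the first with the benign requests, the second with the long payloads); the group a real deployment would treat as "vulnerability-triggering" is whatever the historical test cases behind that centroid were. Note that the JM distance is taken over raw feature values, so a feature with a large range (here the byte statistics) dominates one with a small range (entropy); scaling features to a common range before clustering is a choice the patent leaves open.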
An industrial control protocol vulnerability mining system based on vulnerability semantic intelligent analysis comprises: the system comprises a data acquisition module, a first network sniffing module, a second network sniffing module, a first data preprocessing module, a second data preprocessing module, a first feature extraction module, a second feature extraction module, a vector grouping module, a calculation module, a similarity matching module, an analysis module, a command acquisition module and a result output module; the first network sniffing module and the second network sniffing module are respectively connected with the data acquisition module; the first network sniffing module, the first data preprocessing module, the first feature extraction module, the vector grouping module and the calculation module are sequentially connected; the second network sniffing module, the second data preprocessing module and the second feature extraction module are sequentially connected; the second feature extraction module and the calculation module are respectively connected with the similarity matching module; the similarity matching module and the command acquisition module are respectively connected with the analysis module; the analysis module is connected with the result output module.
In addition, in this embodiment, a vulnerability mining result of the industrial control protocol may be summarized and combined with the relevant device data of the industrial control protocol to construct and form a vulnerability management database.
The vulnerability management database includes the following functions:
Project management function:
A project and task management mechanism is introduced; each project may consist of several tasks of the same or different types. Projects are created by staff with administrator privileges; logging in as administrator first opens the project management interface, which shows the progress of each project and the real-time completion status of its tasks, and from which new projects can be created as required.
Task management function:
Each project may consist of several tasks of the same or different types, and the tasks drive the project to completion.
Device library management function:
Device libraries of industrial automation control equipment vendors (such as SIMATIC, Schneider, ABB and Supcon) are provided, and administrators can add new manufacturers and device models according to actual use.
User management function:
The administrator can assign different permissions to local and remote users and can add, activate, delete and edit users.
Log management function:
The administrator can view, clear and export user and task operation logs.
System management function:
The current vulnerability management database can be inspected and its version upgraded; its system time can be modified, its default management address changed, and the database restarted or shut down.
In addition to the semantic analysis of the industrial control protocol, the method also includes a testing stage for the industrial control protocol, covering the following aspects:
Conformance testing: a given implementation of the protocol is tested against the protocol's description to judge whether the implementation conforms to the corresponding protocol standard.
Interoperability testing: checks the interworking and interoperation between different implementations of the same protocol. Whether a protocol implementation passes conformance and interoperability testing decides whether it can successfully interwork with the other protocol implementations in the same system.
Performance testing: tests performance aspects of a protocol implementation, such as data transmission rate, connection time, execution speed, throughput and concurrency, and judges whether they conform to the protocol description.
Robustness testing: tests whether the device or system implementing the protocol handles various invalid or abnormal inputs and stressful environmental conditions correctly. Protocol robustness testing is mainly based on an intelligent fuzz-testing engine, and the test inputs include the following:
Buffer-overflow type input: for variable-length fields, an excess of characters or digits makes the buffer bound hard to enforce; the buffer eventually overflows and the system stops responding or crashes.
Integer type input: for fields with a fixed or limited length, a boundary or limit value defeats the conditional check and the service terminates.
Underflow type input: for mandatory-length fields such as MAC addresses, omitting or truncating part of the information leaves variables without complete assignments and causes a logic failure.
Format type input: continuous fields generally follow character delimiting rules, for example a boundary is marked by a run of consecutive zero bytes; violating the rule leaves the program unable to find the boundary and the system goes down. Fields with a specific format, such as character or integer fields, are given an illegal format so that the program logic takes an unexpectedly long path or exits outright.
Message-order error type input: changing the order in which messages occur leaves the system unable to judge them and the state machine unable to make its normal transitions, causing service delay or degradation.
Repeated input: a specific field of a normal message is generated repeatedly in a loop, so that the program's checks fail and the system stops responding.
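The six robustness-test input classes listed above can be produced mechanically from one well-formed message, as the added example below does. It is example code written for this page, not the patent's fuzz-testing engine, and the message format it targets is an assumption: a 7-byte fixed header (transaction id, protocol id, remaining length, unit id), a 1-byte function code, a mandatory 6-byte device address standing in for the MAC-address case, and an ASCII tag name terminated by two zero bytes, which plays the role of the "consecutive zeros" delimiter rule. The base message and session are constructed.

```python
"""Added example (not from the patent): generators for the six robustness-test input classes."""
import struct

ADDRESS = b"\x00\x1b\x21\x0a\x00\x01"   # constructed mandatory-length (6-byte) field


def build_message(function_code=0x10, address=ADDRESS, tag=b"PUMP01"):
    """Encode one well-formed message; the header length field counts unit id plus body."""
    body = bytes([function_code]) + address + tag + b"\x00\x00"
    header = struct.pack(">HHHB", 1, 0, len(body) + 1, 1)
    return header + body


BASE = build_message()
# Constructed valid exchange whose order the target's state machine should enforce.
SESSION = [build_message(0x01, tag=b"OPEN"), BASE, build_message(0x02, tag=b"CLOSE")]


def overflow_inputs(sizes=(256, 4096, 60000)):
    """Buffer-overflow type: the variable-length tag field far beyond any sane size."""
    return [build_message(tag=b"A" * n) for n in sizes]


def integer_inputs(msg=BASE):
    """Integer type: boundary and limit values in the 16-bit header length field."""
    return [msg[:4] + struct.pack(">H", v) + msg[6:] for v in (0, 1, 0x7FFF, 0x8000, 0xFFFF)]


def underflow_inputs():
    """Underflow type: the mandatory 6-byte address missing or cut short."""
    return [build_message(address=ADDRESS[:n]) for n in range(6)]


def format_inputs(msg=BASE):
    """Format type: the delimiter never appears, or illegal bytes sit in a text field."""
    return [msg[:-2], build_message(tag=b"\xff\xfe\x00PUMP")]


def order_inputs(session=SESSION):
    """Message-order type: the same valid messages, reversed and rotated."""
    return [list(reversed(session)), session[1:] + session[:1]]


def repeat_inputs(times=(2, 64, 1024)):
    """Repeated input: one specific field cloned many times inside a single message."""
    return [build_message(address=ADDRESS * n) for n in times]


def generate_cases():
    """All six classes keyed by name; each value is a list of messages or message sequences."""
    return {
        "overflow": overflow_inputs(),
        "integer": integer_inputs(),
        "underflow": underflow_inputs(),
        "format": format_inputs(),
        "order": order_inputs(),
        "repeat": repeat_inputs(),
    }


if __name__ == "__main__":
    for name, cases in generate_cases().items():
        print(f"{name}: {len(cases)} cases")
```

The generators keep the header length field consistent with the mutated body except in the integer class, where the length field itself is the target; a harness that sends these to a device under test should pair each case with a liveness probe (a known-good request and its expected reply) so that a hang or reboot is attributed to the case that caused it.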
In these application scenarios the vulnerability management database can play several roles: on one hand it can be used to test the security of an industrial control protocol and mine unknown vulnerabilities; on the other hand it can act as a simulated malicious attacker to check whether the protective measures of the industrial control equipment are effective.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (7)

1. An industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis, characterized by comprising the following steps:
S1: acquire historical test case data to form a historical data set; divide the historical data set into a training data set and a test data set; capture the training data set and the test data set through a network sniffing module; perform data preprocessing and then feature extraction on the captured training data set and test data set to obtain a feature vector of the training data set and a feature vector of the test data set; then enter step S2;
S2: group the feature vectors of the training data set; compute the grouped feature vectors of the training data set to obtain a centroid vector of the training data set; input the centroid vector of the training data set and the feature vectors of the test data set together, perform similarity matching, and construct a semantic analysis model; then enter step S3;
S3: input a vulnerability mining command for the industrial control protocol, and perform semantic analysis of the industrial control protocol through the semantic analysis model to obtain the vulnerability mining result for the industrial control protocol.
2. The industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis of claim 1, wherein the data preprocessing in step S1 includes protocol parsing and data truncation;
the protocol parsing splits the training data set and the test data set into a number of independent data packets according to the basic protocol grammar and deletes the basic protocol header;
the data truncation truncates independent packets that exceed a set byte length and discards independent packets that are shorter than the set byte length.
3. The industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis according to any one of claims 1-2, wherein the mathematical expressions of the training data set and the test data set after data preprocessing in step S1 are as follows:
d[x][y]
wherein x is the length of the independent data packet, and y is the number of the independent data packets participating in the statistical feature extraction.
4. The industrial control protocol vulnerability discovery method based on vulnerability semantic intelligent analysis according to claim 1, wherein the feature extraction in step S1 is specifically to extract from the value ranges, randomness and statistical parameters of the training data set and the test data set.
5. The industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis of claim 1, wherein the network sniffing module in step S1 uses Wireshark to capture the communication flows of all protocols.
6. The industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis of claim 1, wherein the similarity matching between the centroid vector of the training data set and the feature vector of the test data set in step S2 uses the Jeffreys-Matusita distance as the similarity function, whose mathematical expression is as follows:
(equation image FDA0003414110940000021 on the original page, not reproduced in the text: the Jeffreys-Matusita distance d(m, n))
where m is the centroid vector, n is the feature vector, d(m, n) is the distance between the centroid vector m and the feature vector n, N is the number of vector elements, i is an index taking values between 0 and N, m_i is the i-th element of the centroid vector, and n_i is the i-th element of the feature vector.
7. An industrial control protocol vulnerability mining system based on vulnerability semantic intelligent analysis, characterized by comprising: a data acquisition module, a first network sniffing module, a second network sniffing module, a first data preprocessing module, a second data preprocessing module, a first feature extraction module, a second feature extraction module, a vector grouping module, a calculation module, a similarity matching module, an analysis module, a command acquisition module and a result output module; the first network sniffing module and the second network sniffing module are each connected to the data acquisition module; the first network sniffing module, the first data preprocessing module, the first feature extraction module, the vector grouping module and the calculation module are connected in sequence; the second network sniffing module, the second data preprocessing module and the second feature extraction module are connected in sequence; the second feature extraction module and the calculation module are each connected to the similarity matching module; the similarity matching module and the command acquisition module are each connected to the analysis module; and the analysis module is connected to the result output module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111540917.7A CN114330363A (en) 2021-12-16 2021-12-16 Industrial control protocol vulnerability mining method based on vulnerability semantic intelligent analysis

Publications (1)

Publication Number Publication Date
CN114330363A true CN114330363A (en) 2022-04-12

Family

ID=81053173

Country Status (1)

Country Link
CN (1) CN114330363A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115277198A (en) * 2022-07-27 2022-11-01 西安热工研究院有限公司 Vulnerability detection method and device for industrial control system network and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 330096 No. 88, Minqiang Road, private science and Technology Park, Qingshanhu District, Nanchang City, Jiangxi Province
Applicant after: STATE GRID JIANGXI ELECTRIC POWER COMPANY LIMITED Research Institute
Applicant after: State Grid Co., Ltd.
Address before: 330096 No.88 Minqiang Road, private science and Technology Park, high tech Zone, Nanchang City, Jiangxi Province
Applicant before: STATE GRID JIANGXI ELECTRIC POWER COMPANY LIMITED Research Institute
Applicant before: State Grid Co., Ltd.