CN114584477A - Industrial control asset detection method and device, terminal and storage medium - Google Patents


Info

Publication number
CN114584477A
Authority
CN
China
Prior art keywords
detection
target
node
port
target detection
Legal status
Granted
Application number
CN202210125179.8A
Other languages
Chinese (zh)
Other versions
CN114584477B (en)
Inventor
刘思尧
张提
雷承霖
龚亮华
Current Assignee
Fengtai Technology Beijing Co ltd
Original Assignee
Fengtai Technology Beijing Co ltd
Application filed by Fengtai Technology Beijing Co ltd
Priority to CN202210125179.8A
Publication of CN114584477A
Application granted
Publication of CN114584477B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/147: Network analysis or design for predicting network behaviour
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/04: Processing captured monitoring data, e.g. for logfile generation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The application belongs to the technical field of network security and provides a method, a device, a terminal and a storage medium for detecting industrial control assets. The method comprises the following steps: matching the detection mode and the detection parameters corresponding to an asset detection task; in that detection mode, performing message detection interaction with a target detection node according to the protocol rule corresponding to the target detection node, based on the detection parameters; determining the port state of a target port of the target detection node based on the feedback data packet returned by the target detection node in the message detection interaction; if the target port of the target detection node is in an open state, identifying the node service provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library; and establishing and storing an association relation between the node service and the identity identification number. The scheme achieves effective detection, discovery and identification of industrial control equipment.

Description

Industrial control asset detection method and device, terminal and storage medium
Technical Field
The application belongs to the technical field of network security, and particularly relates to a method, a device, a terminal and a storage medium for detecting industrial control assets.
Background
As attention to industrial control network security has grown, more and more enterprises have begun to carry out security assessments of their industrial control networks. The first task of such an assessment is to inventory the assets in the industrial control network effectively and clarify their condition. Compared with a conventional IT network, however, an industrial control network contains many asset models and complex communication connections, which makes asset information considerably harder to establish.
An existing industrial control network, for example a typical ICS (Industrial Control System) network, includes controllers of various kinds, such as PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units) and DCSs (Distributed Control Systems), from manufacturers such as General Electric, Rockwell Automation, Siemens and Schneider Electric. Each technology has its own particular requirements and difficulties, so if it is unclear which assets are deployed within the scope, planning maintenance projects and designing effective protection is difficult.
Disclosure of Invention
The embodiment of the application provides a method, a device, a terminal and a storage medium for detecting industrial control assets, and aims to solve the problems in the prior art that industrial control networks have many asset models and complex communication connections, which makes it difficult to plan maintenance projects and design effective protection.
A first aspect of an embodiment of the present application provides a method for detecting an industrial control asset, including:
acquiring an industrial control asset detection task, and matching a detection mode corresponding to the asset detection task and a detection parameter corresponding to the detection mode;
under the detection mode, performing message detection interaction with a target detection node based on the detection parameters according to a protocol rule corresponding to the target detection node;
determining a port state of a target port of the target detection node based on a feedback data packet of the target detection node in the message detection interaction;
if the target port of the target detection node is in an open state, identifying the node service provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library;
and establishing and storing an association relation between the node service provided by the target detection node under the target port and the identity identification number of the target detection node.
A second aspect of the embodiments of the present application provides a device for detecting an industrial control asset, including:
the acquisition module is used for acquiring an industrial control asset detection task and matching a detection mode corresponding to the asset detection task and a detection parameter corresponding to the detection mode;
the interaction module is used for carrying out message detection interaction with the target detection node based on the detection parameters according to a protocol rule corresponding to the target detection node in the detection mode;
a state determination module, configured to determine the port state of the target port of the target detection node based on a feedback data packet of the target detection node in the message detection interaction;
the service identification module is used for identifying the node service provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library if the target port of the target detection node is in an open state;
and the storage module is used for establishing and storing the association relationship between the node service provided by the target detection node under the target port and the identity identification number of the target detection node.
A third aspect of embodiments of the present application provides a terminal, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method according to the first aspect when executing the computer program.
A fourth aspect of embodiments of the present application provides a computer-readable storage medium, in which a computer program is stored, which, when executed by a processor, performs the steps of the method according to the first aspect.
A fifth aspect of the present application provides a computer program product, which, when run on a terminal, causes the terminal to perform the steps of the method of the first aspect described above.
As can be seen from the above, in the embodiment of the present application, the detection mode corresponding to an asset detection task and the corresponding detection parameters are matched; in that detection mode, message detection interaction is performed with a target detection node according to the protocol rule corresponding to the target detection node, based on the detection parameters; the port state of the target port of the target detection node is determined from the feedback data packet returned by the target detection node in the message detection interaction; when the target port is in an open state, the node service provided by the target detection node under the target port is identified; and an association relationship between the node service of the target detection node and its identity identifier is established and stored. This realizes a lightweight active detection technology for industrial control networks: it interacts with industrial control resources over industry-specific communication protocols, collects the necessary information about the industrial control equipment, and thereby achieves detection, discovery and identification of that equipment.
Drawings
In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings needed in the embodiments or in the description of the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present application, and those skilled in the art could obtain other drawings from them without creative effort.
FIG. 1 is a first flowchart of a method for detecting an industrial control asset according to an embodiment of the present application;
FIG. 2 is a second flowchart of a method for detecting an industrial control asset according to an embodiment of the present application;
FIG. 3 is a block diagram of a device for detecting an industrial control asset according to an embodiment of the present application;
FIG. 4 is a structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
In particular implementations, the terminals described in embodiments of the present application include, but are not limited to, other portable devices such as mobile phones, laptop computers, or tablet computers having touch sensitive surfaces (e.g., touch screen displays and/or touch pads). It should also be understood that in some embodiments, the device is not a portable communication device, but is a desktop computer having a touch-sensitive surface (e.g., a touch screen display and/or touchpad).
In the discussion that follows, a terminal that includes a display and a touch-sensitive surface is described. However, it should be understood that the terminal may include one or more other physical user interface devices such as a physical keyboard, mouse, and/or joystick.
The terminal supports various applications, such as one or more of the following: a drawing application, a presentation application, a word processing application, a website creation application, a disc burning application, a spreadsheet application, a gaming application, a telephone application, a video conferencing application, an email application, an instant messaging application, an exercise support application, a photo management application, a digital camera application, a web browsing application, a digital music player application, and/or a digital video player application.
Various applications that may be executed on the terminal may use at least one common physical user interface device, such as a touch-sensitive surface. One or more functions of the touch-sensitive surface and corresponding information displayed on the terminal can be adjusted and/or changed between applications and/or within respective applications. In this way, a common physical architecture (e.g., touch-sensitive surface) of the terminal can support various applications with user interfaces that are intuitive and transparent to the user.
It should be understood that, the sequence numbers of the steps in this embodiment do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of the process, and should not constitute any limitation to the implementation process of the embodiment of the present application.
In order to explain the technical solution described in the present application, the following description will be given by way of specific examples.
Referring to fig. 1, fig. 1 is a first flowchart of a method for detecting an industrial control asset according to an embodiment of the present application. As shown in fig. 1, a method for detecting an industrial control asset includes the following steps:
step 101, acquiring an industrial control asset detection task, and matching a detection mode corresponding to the asset detection task and a detection parameter corresponding to the detection mode.
The industrial control asset detection task carries information such as the industrial control asset detection object, the industrial control asset detection requirement and the industrial control asset detection condition.
The industrial control asset detection mode corresponding to the detection task, and the detection parameters corresponding to that mode, are obtained based on the content of the industrial control asset detection task.
Specifically, when the detection mode corresponding to the asset detection task and the detection parameter corresponding to the detection mode are matched, data matching can be performed by means of a preset configuration database, so that the detection mode and the detection parameter corresponding to the detection mode can be obtained.
In a specific embodiment, the matching of the detection mode corresponding to the asset detection task and the detection parameter corresponding to the detection mode includes:
determining a detection mode indicated by the industrial control asset detection task and at least one target detection node based on the industrial control asset detection task;
and matching detection parameters corresponding to each target detection node in the detection mode from a preset configuration database based on at least one target detection node.
The target detection node is specifically an equipment node which is located in the same network segment or connected with the same switch as the detection device of the industrial control asset.
The detection modes comprise active detection and passive detection.
In the active detection mode, the industrial control asset detection device exchanges information with the node where the detected object is located, so that asset information is actively detected. In the passive detection mode, the industrial control asset detection device does not exchange information directly with the node where the detected object is located; asset information is detected passively by capturing and analyzing traffic.
Different target detection nodes correspond to corresponding detection parameters in different detection modes.
The detection parameters are, for example, the communication address (IP address) of the detection node, its communication ports, the protocol rule corresponding to the detection node, the data acquisition rate, and the like.
The data acquisition rate can be adjusted by controlling the number of the data acquisition threads, and the number of the data acquisition threads is positively correlated with the data acquisition rate.
The industry-specific communication protocols corresponding to different detection nodes may have differences, and correspond to different protocol characteristics transmitted by industrial control equipment.
Specifically, in an optional implementation manner, the matching, based on at least one target detection node, detection parameters respectively corresponding to each target detection node in a detection mode from a preset configuration database includes:
when the detection mode is active detection, on the basis of at least one target detection node, matching the communication address of each target detection node, at least one communication port and a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database;
when the detection mode is passive detection, based on at least one target detection node, matching a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database.
The at least one target detection node is specifically a detection node marked with the same detection method.
Further, the at least one target detection node is specifically a detection node in the same network segment or connected to the same switch as the detection device of the industrial control asset.
Step 102, under the detection mode, performing message detection interaction with the target detection node according to the protocol rule corresponding to the target detection node, based on the detection parameters.
the message detection interaction specifically requires that a detection device of the industrial assets sends a detection message to a target detection node and obtains a feedback message of the target detection node.
In the detection interaction process of the message, the generation of the message and the analysis of the feedback message need to be implemented based on a protocol rule corresponding to the target detection node.
In a specific embodiment, in the detection mode, performing a packet detection interaction with the target detection node according to a protocol rule corresponding to the target detection node based on the detection parameter includes:
when the detection mode is active detection, generating a session confirmation data packet indicating a communication address and a target port of each target detection node according to a protocol rule corresponding to each target detection node;
and sending the session confirmation data packet to the corresponding target detection node.
The process realizes the generation of the session confirmation data packet, sends the session confirmation data packet to the target detection node and triggers the message detection interaction with the target detection node.
Further, to improve the efficiency of the message detection interaction and of industrial control asset detection as a whole, performing message detection interaction with the target detection node in the detection mode, according to the protocol rule corresponding to the target detection node and based on the detection parameters, includes:
downloading the detection modes and detection parameters in the configuration database to the local; and carrying out message detection interaction with the target detection node according to a protocol rule corresponding to the target detection node based on the locally stored detection mode and the detection parameters.
Step 103, determining the port state of the target port of the target detection node based on the feedback data packet of the target detection node in the message detection interaction.
In active detection, the industrial control asset detection device sends to the target detection node a session confirmation data packet crafted according to the protocol rule corresponding to that node, addressed using the communication address of the detection node in the detection parameters, so that the destination address of the session confirmation data packet is the communication address of the target detection node. At the same time, the feedback data packet returned by the target detection node can be received asynchronously. The feedback data packet carries the port state and the identity number of the target detection node (such as a CPU number, system version number, network card number, and the like), which makes it possible to determine which industrial control network asset the feedback data packet belongs to and whether the corresponding port of that asset is in an open state.
Step 104, if the target port of the target detection node is in an open state, identifying the node service provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library;
If the target port of the target detection node corresponding to the industrial control network asset is in an open state, the service provided by the industrial control network asset is identified according to the preset port and service characteristic comparison relation library.
Step 105, establishing and storing an association relation between the node service provided by the target detection node under the target port and the identity identification number of the target detection node.
The node service provided by the target detection node under the target port is taken as the detection result for the asset in the industrial control network.
In this process, the asset identification and scanning function can find and identify the software and hardware of industrial control equipment from at least 100 major industrial control manufacturers such as Siemens, Schneider, Rockwell, General Electric, Mitsubishi, Omron, MOXA, Mohua and the like, so that asset information in the industrial control network can be found simply and quickly.
Further, when the detection mode is passive detection, in an optional embodiment, after obtaining the industrial control asset detection task and matching the detection mode corresponding to the asset detection task and the detection parameter corresponding to the detection mode, the method further includes:
when the detection mode is passive detection, network flow in the industrial control network is obtained;
matching according to the preset protocol features in the protocol feature library to obtain a system interconnection protocol corresponding to the network flow;
and analyzing the protocol format of the network flow based on a system interconnection protocol to obtain node service and an identity number provided by the detection node corresponding to the network flow, and performing association storage on the node service and the identity number.
In this step, specifically, the network traffic in the industrial control network may be acquired by continuously and passively receiving the traffic of a mirror port of the switch.
In one application, the network traffic is specifically traffic information communicated between the assets.
The equipment and the supervisory hosts (upper computers) in the industrial control network are connected to the switch, so the network traffic of all industrial control protocol communication interfaces in the industrial control network can be obtained by receiving the traffic of the switch's mirror port.
Therefore, by passively acquiring the network flow in the industrial control network, the interference and the influence on the industrial control network can be avoided, and the safety of the industrial control network is ensured.
In a particular application, automatically discoverable assets include, but are not limited to, the following types of assets:
general and proprietary industrial control protocol classes (industrial control protocols such as Modbus, IEC104, DNP3, OPC UA, MQTT, DLT645, etc.), PLC/RTU/DTU classes (Siemens, Schneider, GE, Oilong, Mitsubishi, Red Lion, Honeywell, Delta, Phoenix, Quxin, Macro, etc.), SCADA classes (SCADA configuration software such as sub-control, force control, Mohua, etc.), video monitoring classes (video monitoring devices such as Hikvision, Dahua, etc.), real-time database (RTDB) classes (Honeywell PHD, etc.), and industrial control communication classes (Moxa serial servers, Mohua EKI serial servers, etc.), among other industrial control system protocols, devices and services; asset information is discovered by matching traffic against protocols.
The protocol features preset in the protocol library are, for example, message structure composition, key field values, protocol identifiers and other information corresponding to the communication protocol.
The system interconnection protocol is specifically OSI (Open Systems Interconnection). The model comprises an application layer, a presentation layer, a session layer, a transport layer, a network layer, a data link layer and a physical layer. Which layer the system interconnection protocol corresponding to the network traffic belongs to can be determined by matching against the distinct characteristics of each layer.
And further, based on a system interconnection protocol, carrying out protocol format analysis on the network flow to obtain node service and an identity number provided by the detection node corresponding to the network flow, and carrying out association storage on the node service and the identity number.
For example, the asset's MAC address is parsed from the data link layer protocol format, its IP address from the network layer, its open ports from the transport layer, and its service information (which may also include the device type and manufacturer) from the application layer.
This introduces a passive detection process: because the industrial control system environment is complex, asset information sometimes cannot be collected directly, and the passive identification function of this embodiment solves that problem.
Further, in the above process, both active detection and passive detection may operate at a configured detection rate. Specifically, the detection rate is configurable, and the number of acquisition threads is controlled according to the specific requirement, which controls the capture rate of network traffic in passive detection and the frequency of message detection interaction with the target detection node in active detection.
Finally, after the association relation between the node service provided by the target detection node under the target port and the identification number of the target detection node has been established and stored, a report is generated.
In the embodiment of the application, the detection mode corresponding to an asset detection task and the corresponding detection parameters are matched; in that detection mode, message detection interaction is performed with the target detection node according to the protocol rule corresponding to the target detection node, based on the detection parameters; the port state of the target port of the target detection node is determined from the feedback data packet returned by the target detection node in the message detection interaction; when the target port is in an open state, the node service provided by the target detection node under the target port is identified; and an association relationship between the node service and the identity identification number of the target detection node is established and stored. This realizes a lightweight active detection technology for industrial control networks: it interacts with industrial control resources over industry-specific communication protocols, collects the necessary information about the industrial control equipment, and thereby achieves detection, discovery and identification of that equipment.
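The following Python is an added example, not code from the patent or its assignee, covering both the active steps 103 to 105 above and the layered passive parsing just described: a constructed two-entry port and service feature comparison library (Modbus TCP and S7comm, using their public ports and header magic values), port-state determination from the TCP flags of the feedback packet, Ethernet II/IPv4/TCP parsing of a mirrored frame, and the store that associates each node service with the node's identity number. The sample packets, MAC and IP addresses and the identity number "CPU-0001" are constructed for the example.

```python
import struct

# Constructed two-entry version of the "port and service feature comparison relation
# library": a node service, its standard port and a structural check on the
# application-layer bytes. Ports and magic values are the public Modbus TCP and S7comm ones.

def is_modbus_tcp(pdu: bytes) -> bool:
    # MBAP header: transaction id(2), protocol id(2) must be 0, length(2) = bytes that follow
    return (len(pdu) >= 8 and pdu[2:4] == b"\x00\x00"
            and struct.unpack(">H", pdu[4:6])[0] == len(pdu) - 6)

def is_s7comm(pdu: bytes) -> bool:
    # TPKT (version 3, reserved 0, length = whole packet) carrying a COTP DT TPDU (type 0xF0),
    # followed by an S7 header whose protocol id byte is 0x32
    if len(pdu) < 8 or pdu[0:2] != b"\x03\x00" or struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        return False
    cotp_len = pdu[4]
    return pdu[5] == 0xF0 and len(pdu) > 5 + cotp_len and pdu[5 + cotp_len] == 0x32

FEATURE_LIBRARY = [("modbus-tcp", 502, is_modbus_tcp), ("s7comm", 102, is_s7comm)]
STD_PORTS = {port for _, port, _ in FEATURE_LIBRARY}

def identify_service(port: int, payload: bytes) -> str:
    """Port plus feature match first; a feature hit on another port still identifies the service."""
    for name, std_port, check in FEATURE_LIBRARY:
        if port == std_port and check(payload):
            return name
    for name, _, check in FEATURE_LIBRARY:
        if check(payload):
            return name + " (nonstandard port)"
    return "unknown"

def parse_frame(frame: bytes):
    """Layered parse of a mirrored frame: Ethernet II -> IPv4 -> TCP; None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # not IPv4 over Ethernet II
        return None
    ip = frame[14:]
    if ip[9] != 6:                                          # IP protocol field: 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    sport, dport = struct.unpack(">HH", tcp[0:4])
    return {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "src_port": sport, "dst_port": dport, "flags": tcp[13],
            "payload": tcp[(tcp[12] >> 4) * 4:]}

class AssetInventory:
    """Node-service <-> identity-number association store; the identity is the CPU/system/NIC
    number reported by the node (active) or its MAC address (passive)."""
    def __init__(self):
        self.assets = {}

    def associate(self, identity: str, ip: str, port: int, service: str) -> dict:
        asset = self.assets.setdefault(identity, {"ip": ip, "services": {}})
        asset["services"][port] = service
        return asset

    def record_active_feedback(self, identity, ip, port, tcp_flags, payload) -> str:
        # Active mode: the feedback packet's TCP flags give the port state; only an open
        # port's reply is run through the feature library.
        if tcp_flags & 0x12 == 0x12:                        # SYN+ACK: open
            self.associate(identity, ip, port, identify_service(port, payload))
            return "open"
        return "closed" if tcp_flags & 0x04 else "filtered" # RST: closed

    def record_passive_frame(self, frame: bytes):
        # Passive mode: the side bound to a library port is the asset, the other the client.
        layers = parse_frame(frame)
        if layers is None:
            return None
        for s in sorted(("src", "dst"), key=lambda s: layers[s + "_port"] not in STD_PORTS):
            service = identify_service(layers[s + "_port"], layers["payload"])
            if service != "unknown":
                return self.associate(layers[s + "_mac"], layers[s + "_ip"], layers[s + "_port"], service)
        return None

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame for the sample; checksums are left zero."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0) + payload
    ip4 = lambda s: bytes(map(int, s.split(".")))
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip)) + tcp
    hw = lambda m: bytes.fromhex(m.replace(":", ""))
    return hw(dst_mac) + hw(src_mac) + b"\x08\x00" + ip

# Constructed sample packets and addresses (hypothetical devices, not captured traffic).
MODBUS_REPLY = b"\x00\x01\x00\x00\x00\x05\x01\x03\x02\x12\x34"  # read-holding-registers reply
S7_DATA = b"\x03\x00\x00\x0b\x02\xf0\x80\x32\x01\x00\x00"      # TPKT + COTP DT + S7 header

def run_sample() -> AssetInventory:
    inv = AssetInventory()
    # active detection: node answers SYN on 502 with a Modbus reply and resets 102
    inv.record_active_feedback("CPU-0001", "192.0.2.10", 502, 0x12, MODBUS_REPLY)
    inv.record_active_feedback("CPU-0001", "192.0.2.10", 102, 0x14, b"")
    # passive detection: mirrored S7comm frame from a supervisory host to a second node
    inv.record_passive_frame(build_frame("02:00:00:00:00:aa", "02:00:00:00:00:bb",
                                         "192.0.2.20", "192.0.2.11", 40000, 102, 0x18, S7_DATA))
    return inv
```

Because the passive path keys the asset by the side bound to a library port, the supervisory host on the ephemeral port is not recorded as an asset even though the S7comm feature appears in its frame.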
The embodiment of the application also provides different implementation modes of the industrial control asset detection method.
Referring to fig. 2, fig. 2 is a second flowchart of a method for detecting an industrial control asset according to an embodiment of the present application. As shown in fig. 2, a method for detecting an industrial control asset includes the following steps:
step 201, acquiring an industrial control asset detection task, and matching a detection mode corresponding to the asset detection task and a detection parameter corresponding to the detection mode;
the implementation process of this step is the same as that of step 101 in the foregoing embodiment, and is not described here again.
Step 202, in the detection mode, performing message detection interaction with a target detection node according to a protocol rule corresponding to the target detection node, based on the detection parameters;
the implementation process of this step is the same as that of step 102 in the foregoing embodiment, and is not described here again.
Step 203, determining the port state of the target port of the target detection node based on the feedback data packet of the target detection node in the message detection interaction;
the implementation process of this step is the same as the implementation process of step 103 in the foregoing embodiment, and is not described here again.
Step 204, if the target port of the target detection node is in an open state, identifying the node service provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library;
the implementation process of this step is the same as that of step 104 in the foregoing embodiment, and is not described here again.
Step 205, establishing and storing an association between the node service provided by the target detection node under the target port and the identity number of the target detection node.
The implementation process of this step is the same as that of step 105 in the foregoing embodiment, and is not described here again.
Step 206, if the target port of the target detection node is in an open state but the node service provided by the target detection node under the target port cannot be identified from the preset port and service-feature comparison relation library, extracting service signature information from the feedback data packet and matching the service signature information against the fuzzy information database to obtain extended information for the service signature information;
In this step, for node services that cannot be identified from the preset port and service-feature comparison relation library, fuzzy identification is carried out on the service signature information fed back by the industrial control network asset, based on a preset basic service feature library. A service identification probe set can be introduced, and the corresponding probes are scheduled according to the fuzzy identification result to identify the service precisely; a probe consists of initiating a connection instruction for the service, capturing the instruction's echo, and matching the echoed information with regular expressions, so that the service signature information is expanded automatically.
Further, after the open ports and the service-opening information of the target detection node have been determined from its feedback data packet in the message detection interaction, the large number of asset fingerprint information plug-ins built into the device can be used: the fingerprint information plug-ins corresponding to the open port information are matched and called, and their return results, such as asset model information, equipment type and manufacturer information, yield more detailed asset information.
Step 207, establishing and storing the association between the service signature information and the extended information and the identity number of the target detection node.
In this embodiment of the application, the detection mode corresponding to an asset detection task and its detection parameters are matched; in that detection mode, and based on those parameters, message detection interaction is performed with the target detection node according to the protocol rule corresponding to that node; the port state of the target port of the target detection node is determined from the node's feedback data packet in the message detection interaction; when the target port is open, the node service provided by the target detection node under the target port is identified; the association between that node service and the identity number of the target detection node is established and stored; and, where the node service is not identified, the service signature information is further matched against a fuzzy information database to obtain its extended information. Through a lightweight industrial control active detection technique, interaction with industrial control resources over industry-specific communication protocols is realized, the necessary information about the industrial control equipment is retrieved, and detection, discovery and identification of that equipment are achieved.
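As an added example that is not code from the patent, the following Python sketches steps 203 to 207 of fig. 2 over constructed feedback packets: the port state is read from the reply flags, an open port is looked up in a small preset port and service-feature comparison library, a port the library cannot identify falls through to regex matching of its service signature against a fuzzy information database, and the result is stored against the node's identity number. The library entries, fuzzy database patterns, node identity numbers and packet contents are all constructed for illustration.

```python
"""Steps 203-207 of fig. 2 over constructed feedback packets (added example,
not the patent's code). Library entries, fuzzy patterns, node identity numbers
and packet contents are all constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class FeedbackPacket:
    node_id: str          # identity number of the target detection node (constructed)
    port: int             # target port the session confirmation packet was sent to
    tcp_flags: set        # TCP flags observed in the reply
    payload: bytes = b""  # first application-layer bytes returned, if any


# Preset port / service-feature comparison relation library (constructed):
# port -> (service name, feature check on the payload).
PORT_SERVICE_LIBRARY = {
    502: ("modbus-tcp", lambda p: len(p) >= 7 and p[2:4] == b"\x00\x00"),  # MBAP protocol id 0
    102: ("s7comm", lambda p: p[:1] == b"\x03"),                             # TPKT version 3
}

# Fuzzy information database (constructed): regex over the service signature
# -> extended information about the service.
FUZZY_DB = [
    (re.compile(rb"^220 .*FTP", re.I), {"service": "ftp", "role": "file transfer"}),
    (re.compile(rb"^SSH-2\.0-(\S+)"), {"service": "ssh", "role": "remote management"}),
    (re.compile(rb"^HTTP/1\.[01] \d{3}"), {"service": "http", "role": "web management"}),
]


def port_state(pkt):
    """Step 203: classify the target port from the feedback packet's flags."""
    if {"SYN", "ACK"} <= pkt.tcp_flags:
        return "open"
    if "RST" in pkt.tcp_flags:
        return "closed"
    return "filtered"  # no usable feedback packet: undecidable from this reply


def identify_service(pkt):
    """Step 204: preset library lookup; None when the library cannot identify it."""
    entry = PORT_SERVICE_LIBRARY.get(pkt.port)
    if entry is None:
        return None
    name, feature_check = entry
    return name if feature_check(pkt.payload) else None


def fuzzy_extend(signature):
    """Step 206: match the service signature against the fuzzy information database."""
    for pattern, info in FUZZY_DB:
        match = pattern.search(signature)
        if match:
            extended = dict(info)
            if match.groups():
                extended["version"] = match.group(1).decode(errors="replace")
            return extended
    return {"service": "unknown"}


class AssetStore:
    """Steps 205/207: association between identity numbers and what their ports provide."""

    def __init__(self):
        self.records = {}  # node_id -> {port -> record}

    def process(self, pkt):
        state = port_state(pkt)
        node = self.records.setdefault(pkt.node_id, {})
        if state != "open":
            node[pkt.port] = {"state": state}
            return node[pkt.port]
        service = identify_service(pkt)
        if service is not None:
            node[pkt.port] = {"state": state, "service": service}
        else:
            signature = pkt.payload[:64]  # service signature information from the feedback packet
            node[pkt.port] = {"state": state, "signature": signature, **fuzzy_extend(signature)}
        return node[pkt.port]


# Constructed feedback packets for one PLC and one HMI.
SAMPLE_PACKETS = [
    FeedbackPacket("plc-01", 502, {"SYN", "ACK"}, b"\x00\x01\x00\x00\x00\x05\x01\x2b\x0e\x01\x00"),
    FeedbackPacket("plc-01", 22, {"SYN", "ACK"}, b"SSH-2.0-OpenSSH_7.4\r\n"),
    FeedbackPacket("plc-01", 23, {"RST"}),
    FeedbackPacket("hmi-02", 80, {"SYN", "ACK"}, b"HTTP/1.1 200 OK\r\nServer: embedded\r\n"),
]

if __name__ == "__main__":
    store = AssetStore()
    for packet in SAMPLE_PACKETS:
        print(packet.node_id, packet.port, store.process(packet))
```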
Referring to fig. 3, fig. 3 is a structural diagram of a detection apparatus for an industrial control asset according to an embodiment of the present disclosure, and for convenience of description, only a part related to the embodiment of the present disclosure is shown.
The industrial control asset detection device 300 comprises:
an obtaining module 301, configured to obtain an industrial control asset detection task, and match a detection mode corresponding to the asset detection task with a detection parameter corresponding to the detection mode;
an interaction module 302, configured to perform, in the detection mode, packet detection interaction with a target detection node according to a protocol rule corresponding to the target detection node based on the detection parameter;
a state determining module 303, configured to determine, based on the feedback data packet of the target detection node in the packet detection interaction, a port state of a target port of the target detection node;
a service identification module 304, configured to identify, if a target port of the target detection node is in an open state, a node service provided by the target detection node at the target port according to a preset port and service feature comparison relationship library;
a storage module 305, configured to establish and store an association between the node service provided by the target detection node under the target port and the identity number of the target detection node.
The obtaining module 301 is specifically configured to:
determining a detection mode indicated by the industrial control asset detection task and at least one target detection node based on the industrial control asset detection task;
and matching the detection parameters corresponding to each target detection node in the detection mode from a preset configuration database based on the at least one target detection node.
More specifically, the obtaining module 301 is configured to:
when the detection mode is active detection, based on the at least one target detection node, matching a communication address of each target detection node, at least one communication port and a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database;
and when the detection mode is passive detection, matching a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database based on the at least one target detection node.
The interaction module 302 is specifically configured to:
when the detection mode is active detection, generating a session confirmation data packet indicating the communication address of the target detection node and the target port according to a protocol rule corresponding to each target detection node;
and sending the session confirmation data packet to the corresponding target detection node.
The device also includes:
the matching module is used for extracting service signature information from the feedback data packet and performing data matching on the service signature information from a fuzzy information database to obtain extended information of the service signature information if a target port of the target detection node is in an open state and the node service provided by the target detection node under the target port is not identified according to a preset port and service characteristic comparison relation database;
The storage module 305 is further configured to establish and store the association between the service signature information and the extended information and the identity number of the target detection node.
In addition, the device is further configured to:
when the detection mode is passive detection, network flow in the industrial control network is obtained;
matching the network traffic against the preset protocol features in the protocol feature library to obtain the system interconnection protocol corresponding to the network traffic;
and analyzing the protocol format of the network flow based on the system interconnection protocol to obtain node service and an identity number provided by a detection node corresponding to the network flow, and performing association storage on the node service and the identity number.
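The passive detection path just described (capture network traffic, match it against a protocol feature library, parse the identified protocol's format to obtain the node's identity number and service, store the association), as an added Python example that is not the patent's own code. The protocol feature checks, the format parsers, the IP addresses and the captured frames are all constructed for illustration; the Modbus/TCP and S7comm field offsets follow the public layouts of those protocols.

```python
"""Passive detection over constructed captured frames (added example, not the
patent's code): protocol feature library -> protocol, protocol format parser ->
identity number and node service, then association storage. Feature checks,
parsers, addresses and frames are constructed for illustration."""
import struct
from dataclasses import dataclass


@dataclass
class Frame:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # TCP payload as captured from the industrial control network


def looks_like_modbus(frame):
    """MBAP header feature: protocol identifier 0 and a length field matching the frame."""
    p = frame.payload
    if len(p) < 8 or p[2:4] != b"\x00\x00":
        return False
    return struct.unpack(">H", p[4:6])[0] == len(p) - 6


def looks_like_s7comm(frame):
    """TPKT version 3, COTP data TPDU, then an S7 header starting with 0x32."""
    p = frame.payload
    return len(p) > 8 and p[0] == 0x03 and p[4:7] == b"\x02\xf0\x80" and p[7] == 0x32


# Preset protocol feature library (constructed): checked in order.
PROTOCOL_FEATURE_LIBRARY = [("modbus-tcp", looks_like_modbus), ("s7comm", looks_like_s7comm)]

MODBUS_FUNCTIONS = {1: "read-coils", 3: "read-holding-registers", 6: "write-single-register",
                    16: "write-multiple-registers", 43: "read-device-identification"}
S7_FUNCTIONS = {0x04: "read-var", 0x05: "write-var", 0xF0: "setup-communication"}


def match_protocol(frame):
    for name, feature in PROTOCOL_FEATURE_LIBRARY:
        if feature(frame):
            return name
    return None


def parse_modbus(frame):
    """Modbus/TCP format: unit id at byte 6, function code at byte 7 (bit 7 = exception).
    The serving node is whichever endpoint sits on listening port 502 (constructed rule)."""
    unit_id, function = frame.payload[6], frame.payload[7] & 0x7F
    node_ip = frame.dst_ip if frame.dst_port == 502 else frame.src_ip
    return f"{node_ip}#unit{unit_id}", "modbus-tcp/" + MODBUS_FUNCTIONS.get(function, f"fc{function}")


def parse_s7comm(frame):
    """S7 header: ROSCTR at byte 8 (0x01 Job toward the PLC, 0x03 Ack_Data from it).
    The parameter block, whose first byte is the function code, follows the 10-byte
    header, or the 12-byte header (two extra error bytes) for Ack_Data."""
    p = frame.payload
    rosctr = p[8]
    header_len = 12 if rosctr == 0x03 else 10
    function = p[7 + header_len] if len(p) > 7 + header_len else None
    node_ip = frame.dst_ip if rosctr == 0x01 else frame.src_ip  # simplification for other PDU types
    return node_ip, "s7comm/" + S7_FUNCTIONS.get(function, f"fn{function}")


PARSERS = {"modbus-tcp": parse_modbus, "s7comm": parse_s7comm}


def passive_detect(frames):
    """Returns ({identity number: set of node services}, count of unmatched frames)."""
    assets, unmatched = {}, 0
    for frame in frames:
        protocol = match_protocol(frame)
        if protocol is None:
            unmatched += 1  # traffic no protocol feature matched: left for the active path
            continue
        node_id, service = PARSERS[protocol](frame)
        assets.setdefault(node_id, set()).add(service)  # association storage
    return assets, unmatched


# Constructed captured frames: a Modbus read request/response, an S7 setup-communication
# job/ack, and one HTTP frame that matches no industrial protocol feature.
SAMPLE_FRAMES = [
    Frame("10.0.0.5", 40001, "10.0.0.10", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    Frame("10.0.0.10", 502, "10.0.0.5", 40001, b"\x00\x01\x00\x00\x00\x17\x01\x03\x14" + b"\x00" * 20),
    Frame("10.0.0.5", 50000, "10.0.0.20", 102,
          b"\x03\x00\x00\x19\x02\xf0\x80\x32\x01\x00\x00\x00\x01\x00\x08\x00\x00\xf0\x00\x00\x01\x00\x01\x01\xe0"),
    Frame("10.0.0.20", 102, "10.0.0.5", 50000,
          b"\x03\x00\x00\x1b\x02\xf0\x80\x32\x03\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\xf0\x00\x00\x01\x00\x01\x01\xe0"),
    Frame("10.0.0.5", 1234, "10.0.0.9", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    found, skipped = passive_detect(SAMPLE_FRAMES)
    for node_id, services in found.items():
        print(node_id, sorted(services))
    print("unmatched frames:", skipped)
```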
The industrial control asset detection device provided by the embodiment of the application can realize each process of the industrial control asset detection method, can achieve the same technical effect, and is not repeated here to avoid repetition.
Fig. 4 is a structural diagram of a terminal according to an embodiment of the present application. As shown in the figure, the terminal 4 of this embodiment includes: at least one processor 40 (only one shown in fig. 4), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40, the steps of any of the various method embodiments described above being implemented when the computer program 42 is executed by the processor 40.
The terminal 4 may be a computing device such as a desktop computer, a notebook, a palm computer, and a cloud server. The terminal 4 may include, but is not limited to, a processor 40, a memory 41. Those skilled in the art will appreciate that fig. 4 is only an example of a terminal 4 and does not constitute a limitation of terminal 4 and may include more or less components than those shown, or some components in combination, or different components, for example, the terminal may also include input output devices, network access devices, buses, etc.
The processor 40 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 41 may be an internal storage unit of the terminal 4, such as a hard disk or a memory of the terminal 4. The memory 41 may also be an external storage device of the terminal 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) and the like provided on the terminal 4. Further, the memory 41 may also include both an internal storage unit and an external storage device of the terminal 4. The memory 41 is used for storing the computer program and other programs and data required by the terminal. The memory 41 may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal and method may be implemented in other ways. For example, the above-described apparatus/terminal embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the flow in the method of the embodiments described above can be realized by a computer program, which can be stored in a computer-readable storage medium and can realize the steps of the method embodiments described above when the computer program is executed by a processor. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier wave signals, telecommunications signals, a software distribution medium, and the like. It should be noted that the content of the computer-readable medium may be appropriately increased or decreased as required by legislation and patent practice in a jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals, as required by legislation and patent practice.
The present application realizes all or part of the processes in the method of the above embodiments, and may also be implemented by a computer program product, when the computer program product runs on a terminal, the steps in the above method embodiments may be implemented when the terminal executes the computer program product.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A method for detecting industrial control assets is characterized by comprising the following steps:
acquiring an industrial control asset detection task, and matching a detection mode corresponding to the asset detection task and a detection parameter corresponding to the detection mode;
under the detection mode, performing message detection interaction with a target detection node based on the detection parameters according to a protocol rule corresponding to the target detection node;
determining a port state of a target port of the target detection node based on a feedback data packet of the target detection node in the message detection interaction;
if the target port of the target detection node is in an open state, identifying the node service provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library;
and establishing and storing an association relation between the node service provided by the target detection node under the target port and the identity identification number of the target detection node.
2. The method of claim 1, wherein matching the detection mode corresponding to the asset detection task and the detection parameters corresponding to the detection mode comprises:
determining a detection mode indicated by the industrial control asset detection task and at least one target detection node based on the industrial control asset detection task;
and matching the detection parameters corresponding to each target detection node in the detection mode from a preset configuration database based on the at least one target detection node.
3. The method according to claim 2, wherein the matching, based on the at least one target probe node, the probe parameters respectively corresponding to each target probe node in the probing mode from a preset configuration database includes:
when the detection mode is active detection, based on the at least one target detection node, matching a communication address of each target detection node, at least one communication port and a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database;
when the detection mode is passive detection, based on the at least one target detection node, matching a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database.
4. The method according to claim 3, wherein performing packet detection interaction with the target detection node based on the detection parameter according to a protocol rule corresponding to the target detection node in the detection mode includes:
when the detection mode is active detection, generating a session confirmation data packet indicating the communication address of the target detection node and the target port according to a protocol rule corresponding to each target detection node;
and sending the session confirmation data packet to the corresponding target detection node.
5. The method according to claim 1, wherein after determining a port state of a target port of the target probe node based on the feedback packet of the target probe node in the packet probe interaction, the method further comprises:
if the target port of the target detection node is in an open state and the node service provided by the target detection node under the target port is not identified according to a preset port and service characteristic comparison relation library, extracting service signature information from the feedback data packet, and performing data matching on the service signature information from a fuzzy information database to obtain extended information of the service signature information;
and establishing and storing the association relationship between the service signature information and the extended information and the identity identification number of the target detection node.
6. The method according to claim 1, wherein after the obtaining of the industrial control asset detection task and the matching of the detection mode corresponding to the asset detection task and the detection parameter corresponding to the detection mode, the method further comprises:
when the detection mode is passive detection, network flow in the industrial control network is obtained;
matching according to the preset protocol features in the protocol feature library to obtain a system interconnection protocol corresponding to the network traffic;
and analyzing the protocol format of the network flow based on the system interconnection protocol to obtain node service and an identity number provided by a detection node corresponding to the network flow, and performing association storage on the node service and the identity number.
7. An industrial asset detection device, comprising:
the acquisition module is used for acquiring an industrial control asset detection task and matching a detection mode corresponding to the asset detection task and a detection parameter corresponding to the detection mode;
the interaction module is used for carrying out message detection interaction with the target detection node based on the detection parameters according to a protocol rule corresponding to the target detection node in the detection mode;
a state determination module, configured to determine, based on a feedback data packet of the target detection node in the packet detection interaction, a port state where a target port of the target detection node is located;
the service identification module is used for identifying the node service provided by the target detection node under the target port according to a preset port and service characteristic contrast relation library if the target port of the target detection node is in an open state;
and the storage module is used for establishing and storing the association relationship between the node service provided by the target detection node under the target port and the identity identification number of the target detection node.
8. The apparatus of claim 7, wherein the obtaining module is specifically configured to:
determining a detection mode indicated by the industrial control asset detection task and at least one target detection node based on the industrial control asset detection task;
and matching the detection parameters corresponding to each target detection node in the detection mode from a preset configuration database based on the at least one target detection node.
9. A terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
CN202210125179.8A 2022-02-10 2022-02-10 Industrial control asset detection method, device, terminal and storage medium Active CN114584477B (en)

Publications (2)

Publication Number Publication Date
CN114584477A true CN114584477A (en) 2022-06-03
CN114584477B CN114584477B (en) 2023-06-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant