CN114584477B - Industrial control asset detection method, device, terminal and storage medium - Google Patents


Info

Publication number
CN114584477B
Authority
CN
China
Legal status
Active
Application number
CN202210125179.8A
Other languages
Chinese (zh)
Other versions
CN114584477A (en
Inventor
刘思尧
张提
雷承霖
龚亮华
Current Assignee
Fengtai Technology Beijing Co ltd
Original Assignee
Fengtai Technology Beijing Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/147 Network analysis or design for predicting network behaviour
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The application is applicable to the technical field of network security, and provides a detection method, a device, a terminal and a storage medium of industrial control assets, wherein the method comprises the following steps: matching detection modes and detection parameters corresponding to the asset detection tasks; under the detection mode, based on detection parameters, carrying out message detection interaction with the target detection node according to a protocol rule corresponding to the target detection node; determining the port state of a target port of the target detection node based on a feedback data packet of the target detection node in message detection interaction; if the target port of the target detection node is in an open state, identifying node service provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library; and establishing and storing the association relation between the node service and the identity identification number. The scheme can realize effective detection, discovery and identification of the industrial control equipment.

Description

Industrial control asset detection method, device, terminal and storage medium
Technical Field
The application belongs to the technical field of network security, and particularly relates to a detection method, a detection device, a detection terminal and a storage medium of industrial control assets.
Background
With the increasing importance of the security of industrial control networks, more and more enterprises have begun to perform security evaluation of their industrial control networks. The primary task in such an evaluation is to sort out the assets in the industrial control network effectively and establish clearly what assets it contains. However, compared with a traditional IT network, an industrial control network has numerous asset models and complex communication connections, which makes it considerably harder to define the asset information in the network.
Existing industrial control networks are, for example, typical ICS (Industrial Control System) networks, which contain controllers from various vendors, such as PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units) and DCSs (Distributed Control Systems), from manufacturers such as General Electric, Rockwell Automation, Siemens and Schneider Electric. Each technology has its own requirements and difficulties, and it is hard to plan maintenance projects and design effective protection if it is unclear what kind of asset is deployed within the network's range.
Disclosure of Invention
The embodiments of the application provide a detection method, a detection device, a detection terminal and a storage medium for industrial control assets, and aim to solve the problems of the prior art that industrial control networks contain numerous asset models and complex communication connections, which makes it difficult to plan maintenance projects and design effective protection.
A first aspect of an embodiment of the present application provides a method for detecting an industrial control asset, including:
acquiring an industrial control asset detection task, and matching a detection mode corresponding to the asset detection task and detection parameters corresponding to the detection mode;
under the detection mode, carrying out message detection interaction with a target detection node according to a protocol rule corresponding to the target detection node based on the detection parameter;
determining a port state of a target port of the target detection node based on a feedback data packet of the target detection node in the message detection interaction;
if the target port of the target detection node is in an open state, identifying node service provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library;
and establishing and storing an association relationship between the node service provided by the target detection node under the target port and an identity identification number of the target detection node.
A second aspect of embodiments of the present application provides a detection apparatus for an industrial control asset, including:
the acquisition module is used for acquiring an industrial control asset detection task, and matching a detection mode corresponding to the asset detection task and detection parameters corresponding to the detection mode;
the interaction module is used for carrying out message detection interaction with the target detection node according to a protocol rule corresponding to the target detection node based on the detection parameter in the detection mode;
the state determining module is used for determining the port state of the target port of the target detection node based on the feedback data packet of the target detection node in the message detection interaction;
the service identification module is used for identifying node services provided by the target detection node under the target port according to a preset port and service characteristic comparison relation library if the target port of the target detection node is in an open state;
and the storage module is used for establishing and storing the association relation between the node service provided by the target detection node under the target port and the identity identification number of the target detection node.
A third aspect of the embodiments of the present application provides a terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to the first aspect when executing the computer program.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method according to the first aspect.
A fifth aspect of the present application provides a computer program product for causing a terminal to carry out the steps of the method of the first aspect described above when the computer program product is run on the terminal.
From the above, in the embodiments of the present application, a detection mode corresponding to an asset detection task and its corresponding detection parameters are matched; in that detection mode, a packet detection interaction is performed with a target detection node according to the protocol rule corresponding to the target detection node, based on the detection parameters; the port state of a target port of the target detection node is determined from the feedback data packet returned by the target detection node in the packet detection interaction; when the target port is in an open state, the node service provided by the target detection node under the target port is identified; and an association relationship between the node service and an identity identifier of the target detection node is established and stored. The method and device thus detect, discover and identify industrial control equipment by means of a lightweight active detection technique that interacts with industrial control resources through industry-specific communication protocols and retrieves the necessary information about the industrial control equipment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the following description will briefly introduce the drawings that are needed in the embodiments or the description of the prior art, it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a first flowchart of a method for detecting industrial control assets according to an embodiment of the present application;
FIG. 2 is a second flowchart of a method for detecting industrial control assets according to an embodiment of the present application;
FIG. 3 is a block diagram of an industrial control asset detection device according to an embodiment of the present application;
FIG. 4 is a block diagram of a terminal according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to a determination" or "in response to detection", depending on the context. Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted, depending on the context, as "upon determination", "in response to determination", "upon detection of a [described condition or event]" or "in response to detection of a [described condition or event]".
In particular implementations, the terminals described in embodiments of the present application include, but are not limited to, other portable devices such as mobile phones, laptop computers, or tablet computers having a touch-sensitive surface (e.g., a touch screen display and/or a touch pad). It should also be appreciated that in some embodiments, the device is not a portable communication device, but a desktop computer having a touch-sensitive surface (e.g., a touch screen display and/or a touch pad).
In the following discussion, a terminal including a display and a touch sensitive surface is described. However, it should be understood that the terminal may include one or more other physical user interface devices such as a physical keyboard, mouse, and/or joystick.
The terminal supports various applications, such as one or more of the following: drawing applications, presentation applications, word processing applications, website creation applications, disk burning applications, spreadsheet applications, gaming applications, telephony applications, video conferencing applications, email applications, instant messaging applications, workout support applications, photo management applications, digital camera applications, digital video camera applications, web browsing applications, digital music player applications, and/or digital video player applications.
Various applications that may be executed on the terminal may use at least one common physical user interface device such as a touch sensitive surface. One or more functions of the touch-sensitive surface and corresponding information displayed on the terminal may be adjusted and/or changed between applications and/or within the corresponding applications. In this way, the common physical architecture (e.g., touch-sensitive surface) of the terminal may support various applications with user interfaces that are intuitive and transparent to the user.
It should be understood that the sequence number of each step in this embodiment does not mean the sequence of execution, and the execution sequence of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiment of the present application.
In order to illustrate the technical solutions described in the present application, the following description is made by specific examples.
Referring to fig. 1, fig. 1 is a first flowchart of a method for detecting an industrial control asset according to an embodiment of the present application. As shown in fig. 1, a method for detecting industrial control assets includes the following steps:
step 101, acquiring an industrial control asset detection task, and matching a detection mode corresponding to the asset detection task and detection parameters corresponding to the detection mode.
Information such as an industrial control asset detection object, an industrial control asset detection requirement, an industrial control asset detection condition and the like is arranged in the industrial control asset detection task.
And obtaining the detection mode of the industrial control asset corresponding to the industrial control asset and the detection parameters corresponding to the detection mode based on the content contained in the industrial control asset detection task.
Specifically, when the detection mode corresponding to the asset detection task and the detection parameter corresponding to the detection mode are matched, data matching can be specifically performed by means of a preset configuration database, so that the detection mode and the detection parameter corresponding to the detection mode are obtained.
In a specific embodiment, the matching the detection mode corresponding to the asset detection task and the detection parameter corresponding to the detection mode includes:
based on the industrial control asset detection task, determining a detection mode indicated by the industrial control asset detection task and at least one target detection node;
based on at least one target detection node, matching detection parameters corresponding to each target detection node in the detection mode from a preset configuration database.
The target detection node is specifically a device node located in the same network segment as the detection device of the industrial control asset, or connected to the same switch.
The detection mode comprises active detection and passive detection.
In the active detection mode, the detection device of the industrial control asset exchanges information with the node where the detected object is located, so that active asset information detection is realized. In the passive detection mode, the detection device does not interact directly with the node where the detected object is located; passive asset information detection is realized by capturing and analyzing traffic instead.
Different target detection nodes are correspondingly provided with corresponding detection parameters under different detection modes.
The detection parameters are, for example, the communication address (IP address) of the detection node, its communication port, the protocol rule corresponding to the detection node, the data acquisition rate, and the like.
The data acquisition rate can be adjusted by controlling the number of data acquisition threads; the number of data acquisition threads is positively correlated with the data acquisition rate.
The industry-specific communication protocols corresponding to different detection nodes may differ, and each industrial control device transmits the protocol features that correspond to its own protocol.
Specifically, in an optional implementation manner, the matching, based on at least one target detection node, detection parameters corresponding to each target detection node in a detection manner from a preset configuration database includes:
When the detection mode is active detection, based on at least one target detection node, matching a communication address of each target detection node, at least one communication port and a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database;
when the detection mode is passive detection, based on at least one target detection node, matching a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database.
The at least one target detection node is, in particular, a detection node marked with the same detection mode.
Further, the at least one target detection node is, in particular, a detection node within the same network segment as the detection device of the industrial asset, or connected to the same switch.
Step 102, under the detection mode, carrying out message detection interaction with the target detection node according to the protocol rule corresponding to the target detection node, based on the detection parameters;
the message detection interaction specifically requires a detection device of an industrial control asset to send out a detection message to a target detection node and acquire a feedback message of the target detection node.
In the process of message detection interaction, message generation and feedback message analysis are required to be implemented based on protocol rules corresponding to target detection nodes.
In a specific embodiment, in a detection manner, performing a packet detection interaction with a target detection node according to a protocol rule corresponding to the target detection node based on a detection parameter includes:
when the detection mode is active detection, generating a session confirmation data packet indicating the communication address and the target port of the target detection node according to the protocol rule corresponding to each target detection node;
and transmitting the session confirmation data packet to the corresponding target detection node.
The process realizes the generation of the session confirmation data packet, and sends the session confirmation data packet to the target detection node to trigger the message detection interaction with the target detection node.
In order to further ensure the message detection interaction and the detection efficiency of the industrial control asset, in a detection mode, the message detection interaction is performed with the target detection node according to a protocol rule corresponding to the target detection node based on detection parameters, and the method comprises the following steps:
downloading the detection mode and the detection parameters in the configuration database to the local; based on the locally stored detection mode and detection parameters, the method carries out message detection interaction with the target detection node according to the protocol rule corresponding to the target detection node.
Step 103, determining the port state of the target port of the target detection node based on the feedback data packet of the target detection node in the message detection interaction.
In active detection, the detection device of the industrial control asset sends a session confirmation data packet that is generated, with a disguised source, according to the protocol rule corresponding to the target detection node and based on the communication address of the detection node in the detection parameters; the destination address of the session confirmation data packet is the communication address of the target detection node. The feedback data packet returned by the target detection node can be received asynchronously. The feedback data packet contains the port state and the identity number of the target detection node (such as a CPU number, a system version number, a network card number, etc.), so that the industrial control network asset corresponding to the feedback data packet can be determined, it can be judged whether the corresponding port of that asset is in an open state, and the asset can be identified by the identity number included in the feedback data packet.
Step 104, if the target port of the target detection node is in an open state, identifying the node service provided by the target detection node under the target port according to a preset port and service feature comparison relation library;
If the target port of the target detection node corresponding to the industrial control network asset is in an open state, the service provided by the industrial control network asset is identified according to a preset port and service feature comparison relation library.
Step 105, establishing and storing an association relationship between the node service provided by the target detection node under the target port and the identity number of the target detection node.
The node service provided by the target detection node under the target port is determined as the detection result for the asset in the industrial control network.
In this process, the asset identification and scanning function discovers and identifies the software and hardware of industrial control equipment from at least 100 manufacturers, including the major industrial control vendors Siemens, Schneider, Rockwell, General Electric, Mitsubishi, Omron and MOXA, so that asset information in an industrial control network can be discovered simply and quickly.
Further, when the detection mode is passive detection, in an optional implementation manner, after the industrial control asset detection task is acquired and the detection mode corresponding to the asset detection task and the detection parameter corresponding to the detection mode are matched, the method further includes:
when the detection mode is passive detection, acquiring network flow in the industrial control network;
matching, according to preset protocol features in a protocol feature library, the system interconnection protocol corresponding to the network traffic;
based on the system interconnection protocol, the network traffic is subjected to protocol format analysis to obtain the node service and the identity number provided by the detection node corresponding to the network traffic, and the node service and the identity number are stored in an associated mode.
In this step, specifically, when the network traffic in the industrial control network is acquired, the network traffic of the switch mirror port may be continuously and passively received.
In one application, the network traffic is specifically traffic information that is communicated between assets.
The equipment and the upper computers in the industrial control network are connected to the switch; by receiving the network traffic of the switch's mirror port, the network traffic of all industrial control protocol communication interfaces in the industrial control network can therefore be obtained.
Therefore, the network flow in the industrial control network is passively acquired, so that interference and influence on the industrial control network are avoided, and the safety of the industrial control network is ensured.
In particular applications, the automatically discoverable assets include, but are not limited to, the following types of assets:
general and proprietary industrial control protocols (such as Modbus, IEC104, DNP3, OPC UA, MQTT, DLT645 and other industrial control protocols); PLC/RTU/DTU devices (Siemens, Schneider, General Electric, Omron, Mitsubishi, Red Lion, Honeywell, Delta, Phoenix, Telecommon, Macroelectricity and other devices); SCADA configuration software (sub-control, force control, grinding and other SCADA software); video monitoring devices (Kagawa, Davida and others); real-time databases (RTDB) (Honeywell PHD and others); industrial control communication devices (Moxa serial port servers, grinding and others); and service assets. Asset information discovery is carried out by matching the traffic against the protocols.
The preset protocol features in the protocol library are, for example, message structure composition, key field value, protocol identifier and other information corresponding to the communication protocol.
The system interconnection protocol is specifically OSI (Open Systems Interconnection). It comprises an application layer, a presentation layer, a session layer, a transport layer, a network layer, a data link layer and a physical layer. The layer to which the system interconnection protocol corresponding to the network traffic belongs can be obtained by matching against the distinct features of each layer.
And further, based on a system interconnection protocol, carrying out protocol format analysis on the network traffic to obtain node service and an identity number provided by the detection node corresponding to the network traffic, and carrying out association storage on the node service and the identity number.
For example, the MAC address of an asset is parsed from the data link layer protocol format, its IP address from the network layer, its open ports from the transport layer, and its service information (including device type and manufacturer) from the application layer, and so on.
This process introduces passive detection: because the environment of an industrial control system is complicated, asset information sometimes cannot be collected actively, and the passive identification function of this embodiment addresses that case.
Further, in the above process, both the active detection and the passive detection processes may operate at a configured detection rate. Specifically, the detection rate can be configured by controlling the number of acquisition threads according to specific requirements, which controls the capture rate of network traffic in the industrial control network during passive detection and the interaction frequency of the message detection interaction with the target detection node during active detection.
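The two identification paths described above, as an added example in Python that is not from the patent or its assignee: the active path takes a constructed feedback record (port state plus identity number) and matches it against a small port/service feature comparison library (steps 103 to 105), and the passive path parses a constructed mirror-port Ethernet/IPv4/TCP frame layer by layer (MAC, IP, port, application payload) before the same matching and association storage. All library entries, addresses and identity numbers below are constructed placeholders.

```python
# Added example, not the patent's own code. Active path: feedback record ->
# port state -> port/service feature library -> association store. Passive
# path: mirrored frame -> MAC/IP/port/payload -> same library -> store.
import struct
from dataclasses import dataclass


def _looks_like_modbus(p: bytes) -> bool:
    # MBAP header: protocol id 0x0000 at offset 2, function code 1..127 at offset 7
    return len(p) >= 8 and p[2:4] == b"\x00\x00" and 1 <= p[7] < 0x80


# Preset port / service feature comparison library (constructed, deliberately small).
# Each entry: port -> (service name, payload feature check).
PORT_SERVICE_LIBRARY = {
    502: ("Modbus/TCP", _looks_like_modbus),
    102: ("S7comm over ISO-on-TCP", lambda p: p[:2] == b"\x03\x00"),       # TPKT header
    2404: ("IEC 60870-5-104", lambda p: p[:1] == b"\x68"),                  # APCI start byte
    20000: ("DNP3", lambda p: p[:2] == b"\x05\x64"),                        # DNP3 sync bytes
    4840: ("OPC UA", lambda p: p[:3] in (b"HEL", b"ACK", b"OPN", b"MSG")),  # UA TCP types
}


@dataclass
class Feedback:
    """Constructed stand-in for the feedback data packet of an active probe."""
    address: str
    port: int
    port_open: bool
    identity: str          # identity number, e.g. CPU number or NIC number
    payload: bytes = b""


class AssetStore:
    """Stores the association identity number -> {(address, port, service)}."""

    def __init__(self):
        self.assets = {}

    def associate(self, identity, address, port, service):
        self.assets.setdefault(identity, set()).add((address, port, service))

    def report(self):
        return {k: sorted(v) for k, v in self.assets.items()}


def identify_service(port, payload):
    """Step 104: a service is recognised only if the port AND its payload feature match."""
    entry = PORT_SERVICE_LIBRARY.get(port)
    if entry is None:
        return None
    name, feature = entry
    return name if feature(payload) else None


def process_feedback(fb, store):
    """Steps 103-105 on one feedback record; returns the identified service or None."""
    if not fb.port_open:
        return None                     # closed or filtered port: nothing to identify
    service = identify_service(fb.port, fb.payload)
    if service is not None:
        store.associate(fb.identity, fb.address, fb.port, service)
    return service


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame):
    """Layer-by-layer parse of an Ethernet II / IPv4 / TCP frame (no VLAN tag)."""
    if len(frame) < 54:
        raise ValueError("truncated frame")
    dst_mac, src_mac = frame[:6], frame[6:12]          # data link layer
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]                                     # network layer
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]                                      # transport layer
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]                  # application layer
    return {"src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac), "src_ip": src_ip,
            "dst_ip": dst_ip, "sport": sport, "dport": dport, "payload": payload}


def process_frame(frame, store):
    """Passive path: the asset is whichever endpoint speaks on a known service port."""
    f = parse_frame(frame)
    for mac, ip, port in ((f["dst_mac"], f["dst_ip"], f["dport"]),
                          (f["src_mac"], f["src_ip"], f["sport"])):
        service = identify_service(port, f["payload"])
        if service is not None:
            store.associate(mac, ip, port, service)    # MAC serves as the identity number
            return service
    return None


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Builds a constructed Ethernet/IPv4/TCP frame (checksums left zero on purpose)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload
```

A port that is open but answers with a payload that fails the feature check stays unidentified rather than being guessed from the port number alone, which is the case a feature library exists to catch.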
And finally, after the association relation between the node service provided by the target detection node under the target port and the identity identification number of the target detection node is established and stored, generating a report.
In the embodiments of the application, a detection mode corresponding to an asset detection task and its corresponding detection parameters are matched; under that detection mode, message detection interaction is performed with a target detection node, based on the detection parameters, according to the protocol rule corresponding to the target detection node; the port state of a target port of the target detection node is determined from the feedback data packet of the target detection node in the message detection interaction; when the target port is in an open state, the node service provided by the target detection node under the target port is identified; and an association relationship between the node service of the target detection node and its identity identifier is established and stored. The method and device thus detect, discover and identify industrial control equipment by means of a lightweight active detection technique that interacts with industrial control resources through industry-specific communication protocols and retrieves the necessary information about the industrial control equipment.
The embodiments of the present application also provide different implementations of the method for detecting industrial control assets.
Referring to fig. 2, fig. 2 is a second flowchart of a method for detecting industrial control assets according to an embodiment of the present application. As shown in fig. 2, the method includes the following steps:
Step 201, acquiring an industrial control asset detection task, and matching the detection mode corresponding to the asset detection task and the detection parameters corresponding to the detection mode.
The implementation of this step is the same as that of step 101 in the foregoing embodiment and is not described again here.
Step 202, in the detection mode, performing message detection interaction with the target detection node according to the protocol rule corresponding to the target detection node, on the basis of the detection parameters.
The implementation of this step is the same as that of step 102 in the foregoing embodiment and is not described again here.
Step 203, determining the port state of the target port of the target detection node based on the feedback data packet of the target detection node in the message detection interaction.
The implementation of this step is the same as that of step 103 in the foregoing embodiment and is not described again here.
Step 204, if the target port of the target detection node is in an open state, identifying the node service provided by the target detection node on the target port according to the preset port and service feature comparison relation library.
The implementation of this step is the same as that of step 104 in the foregoing embodiment and is not described again here.
Step 205, establishing and storing the association between the node service provided by the target detection node on the target port and the identity identification number of the target detection node.
The implementation of this step is the same as that of step 105 in the foregoing embodiment and is not described again here.
Step 206, if the target port of the target detection node is in an open state but the node service provided by the target detection node on the target port cannot be identified according to the preset port and service feature comparison relation library, extracting service signature information from the feedback data packet and matching the service signature information against a fuzzy information database to obtain extension information for the service signature information.
In this step, for a node service that cannot be identified from the preset port and service feature comparison relation, fuzzy identification is performed on the service signature information fed back by the industrial control network asset, based on a preset basic service feature library. A set of service identification probes may be introduced, and the appropriate probe is scheduled to identify the service precisely according to the result of the fuzzy identification; a probe consists of initiating a connection instruction for the service, capturing the instruction's echo, and matching the echoed information against regular expressions, so that the service signature information is extended automatically.
Further, after the open ports of the target detection node and the corresponding service information have been determined from the feedback data packets of the target detection node in the message detection interaction, a large number of built-in asset fingerprint information plugins can be used: the fingerprint plugins matching the ports found to be open are called, and their return values, such as asset model, equipment type and manufacturer information, are collected, so that finer-grained asset information is obtained.
Step 207, establishing and storing the association between the service signature information together with its extension information and the identity identification number of the target detection node.
In the embodiment of the application, a detection mode corresponding to the asset detection task and the corresponding detection parameters are matched; in that detection mode, message detection interaction is performed with the target detection node on the basis of the detection parameters and according to the protocol rule corresponding to the target detection node; the port state of the target port of the target detection node is determined from the feedback data packet returned by the target detection node during the message detection interaction; when the target port is in an open state, the node service provided by the target detection node on the target port is identified and an association between the node service of the target detection node and its identity identification number is established and stored; and, in addition, the service signature information is matched against a fuzzy information database to obtain extension information for it. In this way the detection, discovery and identification of industrial control equipment are achieved with a lightweight active detection technique for industrial control that interacts with industrial control resources over industry-specific communication protocols.
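As an added illustration (example code written here, not code from the patent), the following Python sketch runs the result processing of steps 203 to 207 over constructed feedback records: it derives the port state from the feedback packet, looks an open port up in a small port and service feature comparison relation library, falls back to a fuzzy information database to extend an unrecognised service signature, and stores each result against the node's identity number. The library entries, the fuzzy database entries, the feedback records and the use of the node address as its identity number are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Feedback:
    """One feedback data packet from a message detection interaction (constructed)."""
    node_id: str            # identity number of the target detection node (assumed: its address)
    port: int               # target port the session confirmation packet was sent to
    tcp_flags: frozenset    # TCP flags seen in the reply; empty when no reply arrived
    payload: bytes = b""    # application-layer bytes returned on the port, if any


def port_state(fb: Feedback) -> str:
    """Step 203: derive the port state from the feedback packet."""
    if not fb.tcp_flags:
        return "filtered"            # no feedback packet at all
    if "RST" in fb.tcp_flags:
        return "closed"              # the node refused the session
    if {"SYN", "ACK"} <= fb.tcp_flags:
        return "open"                # session confirmed
    return "unknown"


# Preset port / service feature comparison relation library (constructed entries).
# An entry matches when the port agrees and the feature pattern matches the payload.
SERVICE_LIBRARY = [
    {"port": 502, "feature": re.compile(rb"^..\x00\x00", re.DOTALL), "service": "modbus-tcp"},
    {"port": 102, "feature": re.compile(rb"^\x03\x00", re.DOTALL), "service": "iso-tsap"},
    {"port": 20000, "feature": re.compile(rb"^\x05\x64", re.DOTALL), "service": "dnp3"},
]

# Fuzzy information database (constructed): a signature pattern plus the fixed extension
# information it implies; named groups in the pattern contribute further extension fields.
FUZZY_DATABASE = [
    (re.compile(r"^HTTP/\d\.\d \d{3}"), {"service": "http"}),
    (re.compile(r"Server: (?P<server>[^\r\n]+)"), {}),
    (re.compile(r"^SSH-2\.0-(?P<software>[^\r\n]+)"), {"service": "ssh"}),
]


def identify_service(fb: Feedback):
    """Step 204: look the open port up in the comparison relation library."""
    for entry in SERVICE_LIBRARY:
        if entry["port"] == fb.port and entry["feature"].match(fb.payload):
            return entry["service"]
    return None


def extract_signature(fb: Feedback) -> str:
    """Step 206: the service signature is the returned payload, kept as text."""
    return fb.payload[:256].decode("latin-1")


def fuzzy_match(signature: str) -> dict:
    """Step 206: collect extension information from every fuzzy entry that matches."""
    extension = {}
    for pattern, fixed in FUZZY_DATABASE:
        m = pattern.search(signature)
        if m:
            extension.update(fixed)
            extension.update({k: v for k, v in m.groupdict().items() if v})
    return extension


def process_feedback(fb: Feedback, store: dict) -> dict:
    """Steps 203-207 for one feedback packet; the result is stored under the node's id."""
    record = {"port": fb.port, "state": port_state(fb)}
    if record["state"] == "open":
        service = identify_service(fb)
        if service is not None:
            record["service"] = service
        else:
            record["signature"] = extract_signature(fb)
            record["extension"] = fuzzy_match(record["signature"])
    store.setdefault(fb.node_id, []).append(record)
    return record


def run_detection(feedbacks) -> dict:
    """Process a batch of feedback packets into the association store."""
    store = {}
    for fb in feedbacks:
        process_feedback(fb, store)
    return store


# Constructed feedback records standing in for real replies.
SAMPLE_FEEDBACK = [
    Feedback("10.0.0.5", 502, frozenset({"SYN", "ACK"}),
             b"\x00\x01\x00\x00\x00\x05\x01\x03\x02\x00\x00"),
    Feedback("10.0.0.5", 80, frozenset({"RST"})),
    Feedback("10.0.0.7", 8080, frozenset({"SYN", "ACK"}),
             b"HTTP/1.1 200 OK\r\nServer: ExampleHMI/2.1\r\n\r\n"),
    Feedback("10.0.0.9", 102, frozenset()),
]

if __name__ == "__main__":
    for node, records in run_detection(SAMPLE_FEEDBACK).items():
        print(node, records)
```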
Referring to fig. 3, fig. 3 is a block diagram of an industrial control asset detection device according to an embodiment of the present application, and for convenience of explanation, only a portion related to the embodiment of the present application is shown.
The industrial control asset detection device 300 includes:
the acquisition module 301, configured to acquire an industrial control asset detection task and match the detection mode corresponding to the asset detection task and the detection parameters corresponding to the detection mode;
the interaction module 302, configured to perform, in the detection mode, message detection interaction with the target detection node according to the protocol rule corresponding to the target detection node, on the basis of the detection parameters;
the state determining module 303, configured to determine the port state of the target port of the target detection node based on the feedback data packet of the target detection node in the message detection interaction;
the service identifying module 304, configured to identify, if the target port of the target detection node is in an open state, the node service provided by the target detection node on the target port according to the preset port and service feature comparison relation library;
and the storage module 305, configured to establish and store the association between the node service provided by the target detection node on the target port and the identity identification number of the target detection node.
The acquisition module 301 is specifically configured to:
determine, based on the industrial control asset detection task, the detection mode indicated by the task and at least one target detection node;
and match, based on the at least one target detection node, the detection parameters corresponding to each target detection node in the detection mode from a preset configuration database.
More specifically, the acquisition module 301 is configured to:
when the detection mode is active detection, match, based on the at least one target detection node, the communication address, at least one communication port and the protocol rule corresponding to each target detection node in the detection mode from the preset configuration database;
and when the detection mode is passive detection, match, based on the at least one target detection node, the protocol rule corresponding to each target detection node in the detection mode from the preset configuration database.
The interaction module 302 is specifically configured to:
when the detection mode is active detection, generate a session confirmation data packet indicating the communication address and the target port of the target detection node according to the protocol rule corresponding to each target detection node;
and send the session confirmation data packet to the corresponding target detection node.
The apparatus further comprises:
the matching module, configured to, if the target port of the target detection node is in an open state but the node service provided by the target detection node on the target port is not identified according to the preset port and service feature comparison relation library, extract service signature information from the feedback data packet and match the service signature information against a fuzzy information database to obtain extension information for the service signature information;
the storage module 305 is further configured to establish and store the association between the service signature information together with its extension information and the identity identification number of the target detection node.
The apparatus further comprises functionality to:
when the detection mode is passive detection, obtain network traffic in the industrial control network;
match the network traffic against the preset protocol features in the protocol feature library to obtain the system interconnection protocol corresponding to the network traffic;
and perform protocol format analysis on the network traffic based on that system interconnection protocol to obtain the node service and identity identifier provided by the detection node corresponding to the network traffic, and store the node service and the identity identifier in association.
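As an added example of the passive path (written for this page, not the patent's own code): a constructed capture is matched against a small protocol feature library and then parsed according to the matched protocol's format to obtain the node service and identifier, which are stored in association. The frames, the three feature entries and the choice of the request's destination address as the node identifier are assumptions made for the example.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One captured packet reduced to the fields the analysis needs (constructed sample)."""
    src: str        # address the packet came from
    dst: str        # address it was sent to
    dport: int      # destination TCP port
    payload: bytes  # application-layer bytes


def parse_modbus(payload: bytes):
    """Modbus/TCP MBAP header: transaction id, protocol id (0), length, unit id, then function code."""
    if len(payload) < 8:
        return None
    _tid, protocol_id, _length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        return None
    return {"unit_id": unit_id, "function": payload[7]}


def parse_tpkt(payload: bytes):
    """TPKT header (ISO transport over TCP): version 3, reserved byte, 16-bit length."""
    if len(payload) < 4 or payload[0] != 3:
        return None
    (length,) = struct.unpack(">H", payload[2:4])
    return {"tpkt_length": length}


def parse_dnp3(payload: bytes):
    """DNP3 data link header: 0x05 0x64, length, control, destination and source (little-endian)."""
    if len(payload) < 8 or payload[:2] != b"\x05\x64":
        return None
    _length, control, destination, source = struct.unpack("<BBHH", payload[2:8])
    return {"dnp3_destination": destination, "dnp3_source": source, "control": control}


# Protocol feature library (constructed entries): expected port, a byte pattern at a fixed
# offset, and the parser that performs the protocol format analysis once the feature matches.
PROTOCOL_FEATURES = [
    {"name": "modbus-tcp", "port": 502, "offset": 2, "magic": b"\x00\x00", "parser": parse_modbus},
    {"name": "iso-tsap", "port": 102, "offset": 0, "magic": b"\x03\x00", "parser": parse_tpkt},
    {"name": "dnp3", "port": 20000, "offset": 0, "magic": b"\x05\x64", "parser": parse_dnp3},
]


def match_protocol(frame: Frame):
    """Match the frame against the preset protocol features to obtain its protocol."""
    for feature in PROTOCOL_FEATURES:
        start, end = feature["offset"], feature["offset"] + len(feature["magic"])
        if frame.dport == feature["port"] and frame.payload[start:end] == feature["magic"]:
            return feature
    return None


def analyse_frame(frame: Frame, store: dict):
    """Identify the protocol, parse its format, and store service and identifier together.

    Assumption for the example: the identity identifier of the node providing the service is
    the destination address of the request frame.
    """
    feature = match_protocol(frame)
    if feature is None:
        return None
    fields = feature["parser"](frame.payload)
    if fields is None:
        return None                      # feature matched but the format did not parse
    record = {"service": feature["name"], "port": frame.dport, **fields}
    records = store.setdefault(frame.dst, [])
    if record not in records:            # the same service seen again adds nothing new
        records.append(record)
    return record


def analyse_capture(frames) -> dict:
    """Run the passive analysis over a whole capture and return the association store."""
    store = {}
    for frame in frames:
        analyse_frame(frame, store)
    return store


# Constructed capture: a Modbus read request, an ISO-TSAP data unit, a DNP3 link frame,
# and an HTTP request that matches no feature in the library.
SAMPLE_FRAMES = [
    Frame("10.1.0.2", "10.1.0.10", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    Frame("10.1.0.2", "10.1.0.11", 102, b"\x03\x00\x00\x07\x02\xf0\x80"),
    Frame("10.1.0.3", "10.1.0.12", 20000, b"\x05\x64\x05\xc0\x01\x00\x0a\x00\x00\x00"),
    Frame("10.1.0.2", "10.1.0.10", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for node, records in analyse_capture(SAMPLE_FRAMES).items():
        print(node, records)
```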
The industrial control asset detection device provided by the embodiment of the application can carry out each process of the embodiments of the industrial control asset detection method and achieves the same technical effect, which is not repeated here.
Fig. 4 is a block diagram of a terminal according to an embodiment of the present application. As shown in the figure, the terminal 4 of this embodiment includes at least one processor 40 (only one is shown in fig. 4), a memory 41 and a computer program 42 stored in the memory 41 and executable on the at least one processor 40; when executing the computer program 42, the processor 40 implements the steps of any of the method embodiments described above.
The terminal 4 may be a computing device such as a desktop computer, a notebook computer, a palm computer, a cloud server, etc. The terminal 4 may include, but is not limited to, a processor 40, a memory 41. It will be appreciated by those skilled in the art that fig. 4 is merely an example of the terminal 4 and is not limiting of the terminal 4, and may include more or fewer components than shown, or may combine some components, or different components, e.g., the terminal may further include input and output devices, network access devices, buses, etc.
The processor 40 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 41 may be an internal storage unit of the terminal 4, such as a hard disk or a memory of the terminal 4. The memory 41 may also be an external storage device of the terminal 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided on the terminal 4. Further, the memory 41 may also include both an internal storage unit and an external storage device of the terminal 4. The memory 41 is used for storing the computer program as well as other programs and data required by the terminal. The memory 41 may also be used for temporarily storing data that has been output or is to be output.
Those skilled in the art will appreciate that, for convenience and brevity of description, only the division of the functional units and modules described above is illustrated; in practice the functions may be distributed among different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the functions described above. The functional units and modules of the embodiment may be integrated in one processing unit, each unit may exist alone physically, or two or more units may be integrated in one unit, and the integrated unit may be implemented in hardware or as a software functional unit. In addition, the specific names of the functional units and modules serve only to distinguish them from one another and do not limit the protection scope of the present application. For the specific working process of the units and modules in the above system, reference may be made to the corresponding process in the foregoing method embodiment, which is not described again here.
Each of the foregoing embodiments is described with its own emphasis; for parts not described or illustrated in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal and method may be implemented in other manners. For example, the apparatus/terminal embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
If the integrated modules/units are implemented as software functional units and sold or used as stand-alone products, they may be stored in a computer readable storage medium. On this basis, the present application may implement all or part of the flow of the methods in the above embodiments by means of a computer program that instructs the related hardware; the computer program may be stored in a computer readable storage medium, and when executed by a processor implements the steps of each method embodiment described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form. The computer readable medium may include any entity or device capable of carrying the computer program code: a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content a computer readable medium may contain can be adjusted appropriately according to the requirements of legislation and patent practice in the relevant jurisdiction; for example, in some jurisdictions, in accordance with legislation and patent practice, a computer readable medium does not include electrical carrier signals and telecommunication signals.
The present application may implement all or part of the procedures in the methods of the above embodiments, and may also be implemented by a computer program product, which when run on a terminal causes the terminal to implement steps in the embodiments of the methods described above.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. A method for detecting an industrial control asset, comprising:
acquiring an industrial control asset detection task, and matching a detection mode corresponding to the asset detection task and detection parameters corresponding to the detection mode;
in the detection mode, performing message detection interaction with a target detection node according to a protocol rule corresponding to the target detection node, based on the detection parameters;
determining a port state of a target port of the target detection node based on a feedback data packet of the target detection node in the message detection interaction;
if the target port of the target detection node is in an open state, identifying a node service provided by the target detection node under the target port according to a preset port and service feature comparison relation library;
establishing and storing an association relationship between the node service provided by the target detection node under the target port and an identity identification number of the target detection node;
wherein the detection mode comprises active detection or passive detection; in the active detection mode, the industrial control asset detection device performs information interaction with the node where the detected object is located to detect asset information, and in the passive detection mode, the industrial control asset detection device detects asset information by capturing and analysing information.
2. The method of claim 1, wherein matching the detection mode corresponding to the asset detection task and the detection parameters corresponding to the detection mode comprises:
based on the industrial control asset detection task, determining the detection mode indicated by the industrial control asset detection task and at least one target detection node;
and based on the at least one target detection node, matching the detection parameters corresponding to each target detection node in the detection mode from a preset configuration database.
3. The method according to claim 2, wherein the matching, based on the at least one target detection node, the detection parameter corresponding to each target detection node in the detection manner from a preset configuration database includes:
when the detection mode is active detection, based on the at least one target detection node, matching a communication address, at least one communication port and a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database;
and when the detection mode is passive detection, based on the at least one target detection node, matching a protocol rule corresponding to each target detection node in the detection mode from a preset configuration database.
4. A method according to claim 3, wherein said performing, in said probing mode, packet probing interaction with a target probing node according to a protocol rule corresponding to said target probing node based on said probing parameter comprises:
when the detection mode is active detection, generating a session confirmation data packet indicating the communication address of the target detection node and the target port according to a protocol rule corresponding to each target detection node;
and sending the session confirmation data packet to the corresponding target detection node.
5. The method of claim 1, wherein after determining the port state of the target port of the target detection node based on the feedback data packet of the target detection node in the message detection interaction, the method further comprises:
if the target port of the target detection node is in an open state and the node service provided by the target detection node under the target port is not identified according to the preset port and service feature comparison relation library, extracting service signature information from the feedback data packet and matching the service signature information against a fuzzy information database to obtain extension information of the service signature information;
and establishing and storing an association relationship between the service signature information together with the extension information and the identity identification number of the target detection node.
6. The method of claim 1, wherein after the acquiring the industrial asset detection task and matching the detection mode corresponding to the asset detection task and the detection parameter corresponding to the detection mode, further comprises:
when the detection mode is passive detection, network flow in the industrial control network is obtained;
according to the preset protocol characteristics in the protocol characteristic library, matching to obtain a system interconnection protocol corresponding to the network flow;
and carrying out protocol format analysis on the network traffic based on the system interconnection protocol to obtain node service and an identity identifier provided by a detection node corresponding to the network traffic, and carrying out association storage on the node service and the identity identifier.
7. An industrial control asset detection device, comprising:
an acquisition module, configured to acquire an industrial control asset detection task and match a detection mode corresponding to the asset detection task and detection parameters corresponding to the detection mode;
an interaction module, configured to perform, in the detection mode, message detection interaction with a target detection node according to a protocol rule corresponding to the target detection node, based on the detection parameters;
a state determining module, configured to determine a port state of a target port of the target detection node based on a feedback data packet of the target detection node in the message detection interaction;
a service identification module, configured to identify, if the target port of the target detection node is in an open state, a node service provided by the target detection node under the target port according to a preset port and service feature comparison relation library;
a storage module, configured to establish and store an association relationship between the node service provided by the target detection node under the target port and an identity identification number of the target detection node;
wherein the detection mode comprises active detection or passive detection; in the active detection mode, the industrial control asset detection device performs information interaction with the node where the detected object is located to detect asset information, and in the passive detection mode, the industrial control asset detection device detects asset information by capturing and analysing information.
8. The apparatus of claim 7, wherein the acquisition module is specifically configured to:
based on the industrial control asset detection task, determine the detection mode indicated by the industrial control asset detection task and at least one target detection node;
and based on the at least one target detection node, match the detection parameters corresponding to each target detection node in the detection mode from a preset configuration database.
9. A terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any of claims 1 to 6 when the computer program is executed.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the steps of the method according to any one of claims 1 to 6.
CN202210125179.8A 2022-02-10 2022-02-10 Industrial control asset detection method, device, terminal and storage medium Active CN114584477B (en)

Publications (2)

Publication Number Publication Date
CN114584477A CN114584477A (en) 2022-06-03
CN114584477B true CN114584477B (en) 2023-06-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant