CN114866282A - Nuclear power industry control protocol analysis system and method based on network behavior reconstruction - Google Patents

Info

Publication number: CN114866282A
Authority: CN (China)
Prior art keywords: protocol, module, field, network, nuclear power
Legal status: Pending
Application number: CN202210330768.XA
Other languages: Chinese (zh)
Inventors: 丁鼎定, 冯蔚, 高汉军, 许克珂, 梁景煊
Current assignee: China Nuclear Power Operation Technology Corp Ltd
Original assignee: China Nuclear Power Operation Technology Corp Ltd
Priority date: 2022-03-30
Filing date: 2022-03-30
Publication date: 2022-08-05
Application filed by China Nuclear Power Operation Technology Corp Ltd; priority to CN202210330768.XA; published as CN114866282A; legal status Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a nuclear power industrial control protocol analysis system based on network behavior reconstruction. It comprises a protocol function analysis module, a network behavior reconstruction module, a protocol field division module and a field semantic understanding module. The protocol function analysis module learns the actual nuclear power industrial control network environment and analyzes the protocol functions; the network behavior analysis module analyzes the communication rules of a specific application layer protocol between the two communication ends; the network behavior reconstruction module constructs the data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module; the protocol field division module divides a binary stream into a number of fixed-length fields on the basis of the binary data; and the field semantic understanding module further analyzes the meaning of each value of a field on the basis of the protocol field division. The system provides bottom-layer technical support for the research and development of network security products suitable for nuclear power industrial control systems.

Description

Nuclear power industry control protocol analysis system and method based on network behavior reconstruction
Technical Field
The invention relates to the technical field of industrial control network security, in particular to a nuclear power industrial control protocol analysis system and method based on network behavior reconstruction.
Background
The policy of integrating informatization and industrialization (the "two integrations") has brought the two together, and as information services for nuclear power industrial control systems have developed, such a system is no longer an isolated information system and the network security threats it faces keep increasing. Network security research targeting nuclear power industrial control systems therefore needs to be carried out vigorously: network security products suitable for these systems must be researched and developed, and their network security protection strengthened.
The core of network security research on nuclear power industrial control systems is research on their communication protocols, and the research and development of many network security products depends on analysis results for those protocols. A system and method for analyzing the communication protocols of nuclear power industrial control systems are therefore needed.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a nuclear power industry control protocol analysis system and method based on network behavior reconstruction.
To achieve this purpose, the invention provides the following technical scheme:
a nuclear power industry control protocol analysis system based on network behavior reconstruction comprises a protocol function analysis module, a network behavior reconstruction module, a protocol field division module and a field semantic understanding module, wherein
the protocol function analysis module is used for learning the actual nuclear power industrial control network environment and analyzing the protocol functions;
the network behavior analysis module is used for analyzing the communication rules of a specific application layer protocol between the two communication ends;
the network behavior reconstruction module is used for constructing the data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module;
the protocol field division module divides a binary stream into a number of fixed-length fields on the basis of the binary data;
the field semantic understanding module is used for further analyzing the meaning of each value of a field on the basis of the protocol field division.
In the system provided by the invention, the nuclear power industrial control network environment comprises the network equipment, the network topology, the protocol types and the communication process.
In the system provided by the invention, the network behavior analysis module comprises a communication-end locating sub-module, a logical connection distinguishing sub-module and an interaction sequence analysis sub-module.
In the system provided by the invention, the communication-end locating sub-module selects a certain segment of a communication path, on the basis that the protocol function analysis module already knows the communication path between the devices, and identifies the protocol stack used by the communication on that segment.
In the system provided by the invention, the logical connection distinguishing sub-module is used, during traffic analysis, to locate the network connection associated with a specific function.
In the system provided by the invention, the interaction sequence analysis sub-module is used for analyzing the interaction behavior of the data packets.
In the system provided by the invention, the field semantic understanding module modifies the value of a single field of the protocol, one value at a time, through the network behavior reconstruction module, and compares and analyzes the semantics corresponding to each value of the field.
A nuclear power industry control protocol analysis method based on network behavior reconstruction comprises the following steps:
step S1: inputting the network environment of the target nuclear power industrial control system into the protocol function analysis module, which outputs the network equipment, network topology, protocol types, communication process and protocol functions;
step S2: working on the result of the protocol function analysis module, analyzing the communication rules of the specific application layer protocol between the two communication ends;
step S3: constructing the data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module;
step S4: speculating the protocol fields and verifying them through the network behavior reconstruction module until a correct protocol field division result is output;
step S5: analyzing the meaning of each value of a field on the basis of the result of the protocol field division module and the input from the network behavior reconstruction module.
Compared with the prior art, the nuclear power industry control protocol analysis system and method based on network behavior reconstruction provided by the invention have the following beneficial effects:
they are used to analyze the proprietary communication protocols of nuclear power industrial control systems and provide bottom-layer technical support for the research and development of network security products suitable for such systems, and the network behavior reconstruction module solves the problem that original data packets are lacking during protocol analysis research.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. Obviously the drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a nuclear power industry control protocol analysis method based on network behavior reconstruction provided by an embodiment of the present invention.
Detailed Description
Although the system and method for analyzing nuclear power control protocol based on network behavior reconfiguration according to the present invention can be implemented in many different ways, the exemplary embodiments will be described in detail herein with reference to the accompanying drawings, and it is to be understood that the description herein is not intended to limit the scope of the present invention to the exemplary embodiments. Accordingly, the drawings and description of the specific embodiments are to be regarded as illustrative in nature, and not as restrictive.
The following is a more detailed description of the present invention by way of specific embodiments.
The invention provides a nuclear power industry control protocol analysis system based on network behavior reconstruction, which comprises a protocol function analysis module, a network behavior reconstruction module, a protocol field division module and a field semantic understanding module.
The protocol function analysis module is the first working step of the protocol analysis method. Its aim is to learn the actual nuclear power industrial control network environment, including the network equipment, network topology, protocol types and communication process, and to analyze the protocol functions.
Network equipment generally refers to the various kinds of communication terminals in a nuclear power industrial control system, for example operator stations, engineer stations, communication servers, process servers, controllers and the like.
The network topology of a nuclear power industrial control system is generally a two-tier bus network: the tier-2 bus network connects the operator stations, process servers and the like, and the tier-1 bus network connects the engineer stations, communication servers, controllers and the like.
Protocol type refers to the different kinds of protocols that the application layer may use when the various network devices communicate with one another. The network protocol model used by the network devices of a nuclear power industrial control system is generally the five-layer TCP/IP model: physical layer, link layer, network layer, transport layer and application layer. The layers relevant to the encoding of a communication data packet are the link, network, transport and application layers. The first three are typically Ethernet at the link layer, IPv4 at the network layer and TCP at the transport layer, while the application layer protocol may differ between device types, and some devices even communicate without network layer or transport layer protocols at all.
The communication process refers to the data transmission path in the various service flows of the nuclear power industrial control system; for example, when the operator station issues an instruction, the data travels to the controller along a certain path.
The protocol function refers to the function each protocol performs in the communication process of the industrial control system, such as connection state testing, configuration download, operating instruction issuing and the like.
The network behavior analysis module is used for analyzing the communication rules of a specific application layer protocol between the two communication ends, and comprises a communication-end locating sub-module, a logical connection distinguishing sub-module and an interaction sequence analysis sub-module.
The communication-end locating sub-module selects a certain segment of the communication path, for example the segment between device A and device B, on the basis that the protocol function analysis module already knows the communication path between the devices, and identifies the protocol stack used by that segment of communication. Because each segment of the communication process may serve a different function and use a different protocol stack, traffic analysis should be done segment by segment, and the communication of each segment should be analyzed independently.
The logical connection distinguishing sub-module, during traffic analysis, locates the network connection associated with a particular function. Between the two communication ends there are typically several logical connections. Taking the TCP/IP protocol stack as an example, in a nuclear power industrial control network there may be anywhere from a few to hundreds of TCP connections between device A and device B; in a real environment it is impractical to learn the function of every TCP connection between the two ends, so it is appropriate to select the TCP connection related to a specific function for deep analysis.
The interaction sequence analysis sub-module analyzes the interaction behavior of the data packets. Usually a protocol that accomplishes a certain function requires the two communication ends to exchange several data packets, and these packets are sent in a definite order.
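The two sub-modules just described, as an added example that is not part of the patent: constructed packet records (no real nuclear power traffic) are grouped into the logical connections between device A and device B, the connection tied to one function is selected by its server port, and its packet interaction sequence is extracted. The addresses, ports, payload bytes and the convention that the first payload byte is a message type are all assumptions made for the illustration.

```python
"""Added example (not from the patent): distinguishing logical connections between
two communication ends and extracting a connection's packet interaction sequence.
All packet records below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # application-layer bytes (the TCP payload)


# Constructed capture of the segment operator station A <-> controller B.
# Two logical TCP connections exist: a periodic status poll on server port 5000
# and a one-shot "instruction issue" exchange on server port 5001. A packet to
# an unrelated device C is included to show that it is filtered out.
A, B, C = "10.0.0.10", "10.0.0.20", "10.0.0.30"
SAMPLE = [
    Packet(0.00, A, 40001, B, 5000, b"\x01\x00"),
    Packet(0.01, B, 5000, A, 40001, b"\x81\x00\x00\x00"),
    Packet(0.20, A, 40050, C, 5000, b"\x01\x00"),
    Packet(0.50, A, 40002, B, 5001, b"\x10\x00\x00\x01"),
    Packet(0.52, B, 5001, A, 40002, b"\x90\x00"),
    Packet(0.53, A, 40002, B, 5001, b"\x11\x00"),
    Packet(0.55, B, 5001, A, 40002, b"\x91\x00"),
    Packet(1.00, A, 40001, B, 5000, b"\x01\x00"),
    Packet(1.01, B, 5000, A, 40001, b"\x81\x00\x00\x00"),
]


def connection_key(p):
    """Direction-independent key (addr, port, addr, port) identifying one
    logical TCP connection, so both directions land in the same group."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return ends[0] + ends[1]


def locate_connections(packets, end_a, end_b):
    """Logical-connection-distinguishing step: keep only packets of the
    segment end_a <-> end_b and group them per connection, ordered by time."""
    conns = defaultdict(list)
    for p in packets:
        if {p.src, p.dst} != {end_a, end_b}:
            continue
        conns[connection_key(p)].append(p)
    return {k: sorted(v, key=lambda p: p.ts) for k, v in conns.items()}


def select_by_function(conns, server_port):
    """Pick the connection associated with one specific function, identified
    here by the server port that function is known to use (an assumption)."""
    return [v for k, v in conns.items() if server_port in (k[1], k[3])]


def interaction_sequence(packets, initiator):
    """Interaction-sequence-analysis step: reduce a connection to the ordered
    list of (direction, first payload byte) pairs, i.e. which side sends
    which message type, in which order."""
    return [("A->B" if p.src == initiator else "B->A", p.payload[0])
            for p in packets]


def repeating_unit(seq):
    """Shortest prefix of seq whose repetition reproduces seq, exposing the
    periodic poll/reply pattern of a status connection; a one-shot exchange
    comes back unchanged."""
    for n in range(1, len(seq) + 1):
        if len(seq) % n == 0 and seq[:n] * (len(seq) // n) == seq:
            return seq[:n]
    return seq
```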
The network behavior reconstruction module constructs the data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module. Under a specified working condition of the nuclear power industrial control system, it can output the data packet or packet interaction sequence of any communication segment and supply it to the protocol field division module and the field semantic understanding module for analysis.
The communication protocols of nuclear power industrial control systems differ from conventional network protocols in that they usually have no standard document to refer to, and their encoding is unknown. Conventional traffic analysis tools have very limited support for such protocols: when a data packet is dissected, the TCP payload generally cannot be parsed any further layer by layer and is shown as unidentified binary data.
The protocol field division module divides the binary stream into a number of fixed-length fields on the basis of the binary data. This process involves the details of the protocol encoding and requires specific analysis for each particular protocol. The type of a field, its storage mode, its length and the association between preceding and following fields all need to be considered. Field types generally include integers, floating point numbers, character strings and the like. The storage modes are little-endian and big-endian. The field length is the number of bits or bytes the field occupies. The association between preceding and following fields means that the encoding of a later field depends on the value of an earlier one; for example, a string field is typically preceded by a 4-byte integer giving its length.
The protocol field division process alternates between speculation, verification and correction, carried out on the basis of the network behavior reconstruction module.
The field semantic understanding module further analyzes the meaning of each value of a field on the basis of the protocol field division. Through the network behavior reconstruction module it modifies the value of a single field of the protocol, one value at a time, and compares and analyzes the semantics corresponding to each value of the field.
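The field division, speculate/verify/correct loop and semantic understanding steps described above, as an added example that is not part of the patent: a speculated fixed-length layout containing a length-prefixed string (a following field that depends on a preceding one) is applied to constructed packets, a layout is accepted only if it consumes every packet exactly (which is how a wrong endianness guess or a layout that stops too early is rejected), and the behaviour observed for each value of one field is tabulated. The layout, packet bytes, field names and behaviour labels are all assumptions.

```python
"""Added example (not from the patent): protocol field division under a
speculated layout, verification of the layout against reconstructed packets,
and tabulation of the semantics observed for one field. Layout, packets and
behaviour labels are constructed for illustration."""
import struct

# Speculated layout: (field name, kind, length). Numeric kinds map to struct
# codes; "str" is a string whose byte length is the value of the named
# preceding field (the 'association between preceding and following fields').
HYPOTHESIS = [
    ("func_code", "u8", 1),
    ("seq_no", "u16", 2),
    ("setpoint", "f32", 4),
    ("tag_len", "u32", 4),
    ("tag", "str", "tag_len"),
]
# A wrong speculation that stops too early and leaves trailing bytes.
SHORT_HYPOTHESIS = HYPOTHESIS[:3]

STRUCT_CODE = {"u8": "B", "u16": "H", "u32": "I", "f32": "f"}


def divide_fields(payload, layout, endian="<"):
    """Split payload into fields under layout. Raises ValueError unless the
    layout consumes the payload exactly; that error is the verification signal
    the speculate/verify/correct loop relies on."""
    fields, offset = {}, 0
    for name, kind, length in layout:
        if kind == "str":
            length = fields[length]          # resolved from the earlier field
        if offset + length > len(payload):
            raise ValueError(f"{name}: needs {length} bytes at offset {offset}")
        chunk = payload[offset:offset + length]
        if kind == "str":
            fields[name] = chunk.decode("ascii", errors="replace")
        else:
            fields[name] = struct.unpack(endian + STRUCT_CODE[kind], chunk)[0]
        offset += length
    if offset != len(payload):
        raise ValueError(f"{len(payload) - offset} trailing bytes not covered")
    return fields


def verify_layout(packets, layout, endian="<"):
    """Accept a layout only if every reconstructed packet parses under it.
    Returns (True, None) or (False, reason of the first failure)."""
    for pkt in packets:
        try:
            divide_fields(pkt, layout, endian)
        except (ValueError, struct.error) as err:
            return False, str(err)
    return True, None


def build_packet(func_code, seq_no, setpoint, tag, endian="<"):
    """Stand-in for the network behaviour reconstruction module: emit a packet
    under the layout so one field can be varied while the others stay fixed."""
    tag_bytes = tag.encode("ascii")
    header = struct.pack(endian + "BHfI", func_code, seq_no, setpoint, len(tag_bytes))
    return header + tag_bytes


def field_semantics(trials, field, layout, endian="<"):
    """Field-semantic-understanding step: for packets in which only `field`
    was varied, group the observed behaviour labels by that field's value.
    A value mapped to more than one label signals an incomplete hypothesis."""
    table = {}
    for pkt, behaviour in trials:
        value = divide_fields(pkt, layout, endian)[field]
        table.setdefault(value, set()).add(behaviour)
    return table


# Constructed reconstructed packets and the behaviour observed for each
# (labels are made up; in practice they come from the reconstruction module).
TRIALS = [
    (build_packet(0x01, 7, 50.0, "PMP1"), "connection state reply"),
    (build_packet(0x02, 8, 50.0, "PMP1"), "configuration accepted"),
    (build_packet(0x03, 9, 50.0, "PMP1"), "instruction acknowledged"),
    (build_packet(0x01, 10, 50.0, "PMP1"), "connection state reply"),
]
```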
As shown in Fig. 1, the invention further provides a nuclear power industry control protocol analysis method based on network behavior reconstruction, which includes the following steps:
the network environment of the target nuclear power industrial control system is input to the protocol function analysis module, which outputs the network equipment, network topology, protocol types, communication process and protocol functions;
the network behavior analysis module works on the result of the protocol function analysis module and analyzes the communication rules of the specific application layer protocol between the two communication ends; it consists of a communication-end locating sub-module, a logical connection distinguishing sub-module and an interaction sequence analysis sub-module;
the network behavior reconstruction module serves as the input of the protocol field division module and the field semantic understanding module, constructing the data packets or data packet interaction sequences they require;
the protocol field division module speculates the protocol fields on the basis of the result of the network behavior analysis module and the input from the network behavior reconstruction module, and verifies them through the network behavior reconstruction module until a correct protocol field division result is output;
the field semantic understanding module analyzes the meaning of each value of a field on the basis of the result of the protocol field division module and the input from the network behavior reconstruction module.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (8)

1. A nuclear power industry control protocol analysis system based on network behavior reconstruction, characterized by comprising a protocol function analysis module, a network behavior reconstruction module, a protocol field division module and a field semantic understanding module, wherein
the protocol function analysis module is used for learning the actual nuclear power industrial control network environment and analyzing the protocol functions;
the network behavior analysis module is used for analyzing the communication rules of a specific application layer protocol between the two communication ends;
the network behavior reconstruction module is used for constructing the data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module;
the protocol field division module divides a binary stream into a number of fixed-length fields on the basis of the binary data;
the field semantic understanding module is used for further analyzing the meaning of each value of a field on the basis of the protocol field division.
2. The system as claimed in claim 1, wherein the nuclear power industrial control network environment includes network devices, network topology, protocol types and communication processes.
3. The system as claimed in claim 1, wherein the network behavior analysis module comprises a communication-end locating sub-module, a logical connection distinguishing sub-module and an interaction sequence analysis sub-module.
4. The system as claimed in claim 3, wherein the communication-end locating sub-module is used for selecting a certain segment of the communication path and identifying the protocol stack used by the communication on that segment, on the basis that the protocol function analysis module already knows the communication path between the devices.
5. The system as claimed in claim 3, wherein the logical connection distinguishing sub-module is configured to locate the network connection associated with a specific function when performing traffic analysis.
6. The system as claimed in claim 3, wherein the interaction sequence analysis sub-module is configured to analyze the interaction behavior of the data packets.
7. The system as claimed in claim 1, wherein the field semantic understanding module modifies the value of a single field of the protocol, one value at a time, through the network behavior reconstruction module, and compares and analyzes the semantics corresponding to each value of the field.
8. A nuclear power industry control protocol analysis method based on network behavior reconstruction, characterized by comprising the following steps:
step S1: inputting the network environment of the target nuclear power industrial control system into the protocol function analysis module, which outputs the network equipment, network topology, protocol types, communication process and protocol functions;
step S2: working on the result of the protocol function analysis module, analyzing the communication rules of the specific application layer protocol between the two communication ends;
step S3: constructing the data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module;
step S4: speculating the protocol fields and verifying them through the network behavior reconstruction module until a correct protocol field division result is output;
step S5: analyzing the meaning of each value of a field on the basis of the result of the protocol field division module and the input from the network behavior reconstruction module.

Priority Applications (1)

Application Number: CN202210330768.XA (CN114866282A)
Priority Date: 2022-03-30
Filing Date: 2022-03-30
Title: Nuclear power industry control protocol analysis system and method based on network behavior reconstruction
Status: Pending
(The same application is the only entry under Applications Claiming Priority and Family Applications.)

Publications (1)

Publication Number: CN114866282A
Publication Date: 2022-08-05

Family

ID=82629881

Country Status (1)

CN: CN114866282A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN108429764A (en) * | 2018-05-28 | 2018-08-21 | 烽火通信科技股份有限公司 | A method of data transmission and parsing based on a proprietary protocol
CN109462590A (en) * | 2018-11-15 | 2019-03-12 | 成都网域复兴科技有限公司 | An unknown-protocol reverse analysis method based on fuzz testing
US20200082231A1 (en) * | 2018-09-11 | 2020-03-12 | International Business Machines Corporation | Automatic protocol discovery using text analytics
CN111314279A (en) * | 2019-11-25 | 2020-06-19 | 北京航空航天大学 | Unknown protocol reverse system based on network flow
CN111371651A (en) * | 2020-03-12 | 2020-07-03 | 杭州木链物联网科技有限公司 | Industrial communication protocol reverse analysis method
CN112751845A (en) * | 2020-12-28 | 2021-05-04 | 北京恒光信息技术股份有限公司 | Network protocol analysis method, system and device
CN113194010A (en) * | 2021-04-28 | 2021-07-30 | 浙江大学 | Field semantic analysis method for a non-public industrial communication protocol
US20220035322A1 (en) * | 2021-02-20 | 2022-02-03 | Kingtronics Institute of Science and Technology (Xiamen) Co., Ltd. | Intelligent operation control apparatus and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程必成 et al.: "Research on format reverse engineering methods for non-standard industrial control protocols", 《电子技术应用》 (Application of Electronic Technique) *

Legal Events

Date | Code | Title | Description
PB01 | Publication
SE01 | Entry into force of request for substantive examination