CN114866282A - Nuclear power industry control protocol analysis system and method based on network behavior reconstruction - Google Patents
- Publication number: CN114866282A (application number CN202210330768.XA)
- Authority
- CN
- China
- Prior art keywords
- protocol
- module
- field
- network
- nuclear power
- Prior art date
- Legal status: Pending
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/16—Implementing security features at a particular protocol layer
  - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    - H04L41/12—Discovery or management of network topologies
    - H04L41/14—Network analysis or design
      - H04L41/147—Network analysis or design for predicting network behaviour
  - H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    - H04L69/22—Parsing or analysis of headers
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
  - Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    - Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Abstract
The invention provides a nuclear power industry control protocol analysis system based on network behavior reconstruction, which comprises a protocol function analysis module, a network behavior reconstruction module, a protocol field division module and a field semantic understanding module. The protocol function analysis module is used to learn the actual nuclear power industrial control network environment and analyse the protocol functions; the network behavior analysis module is used to analyse the communication rules of a specific application layer protocol between the two communicating ends; the network behavior reconstruction module is used to construct the data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module; the protocol field division module divides the binary stream into a plurality of fixed-length fields on the basis of the binary data; the field semantic understanding module is used to further analyse the meaning of each value of a field on the basis of the protocol field division. The system provides bottom-layer technical support for the research and development of network security products suitable for the nuclear power industrial control system.
Description
Technical Field
The invention relates to the technical field of industrial control network security, in particular to a nuclear power industrial control protocol analysis system and method based on network behavior reconstruction.
Background
The policy of integrating informatization and industrialization, together with the growth of information services in nuclear power industrial control systems, means that the nuclear power industrial control system is no longer an isolated information system, and the network security threats it faces keep increasing. Network security research aimed at the nuclear power industrial control system therefore needs to be carried out vigorously, network security products suitable for the nuclear power industrial control system need to be developed, and the network security protection of the nuclear power industrial control system needs to be strengthened.
The key point of network security research on the nuclear power industrial control system is the study of its communication protocols, and the development of many network security products depends on the results of analysing those protocols; a system and method for analysing the communication protocols of the nuclear power industrial control system are therefore needed.
Disclosure of Invention
The invention aims to overcome the defects in the prior art, and provides a nuclear power industry control protocol analysis system and method based on network behavior reconstruction.
In order to achieve the above purpose, the invention provides the following technical scheme:
a nuclear power industry control protocol analysis system based on network behavior reconstruction comprises a protocol function analysis module, a network behavior reconstruction module, a protocol field division module and a field semantic understanding module,
the protocol function analysis module is used for knowing the actual nuclear power industrial control network environment and analyzing the protocol function;
the network behavior analysis module is used for analyzing the communication rule of a specific application layer protocol aiming at the two communication ends;
the network behavior reconstruction module is used for constructing data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module;
the protocol field dividing module divides a binary stream into a plurality of fields with fixed length on the basis of binary data;
the field semantic understanding module is used for further analyzing the meaning of each value of the field on the basis of protocol field division.
According to the nuclear power industry control protocol analysis system based on network behavior reconstruction, provided by the invention, the nuclear power industry control network environment comprises network equipment, network topology, protocol types and a communication process.
According to the nuclear power industry control protocol analysis system based on network behavior reconstruction, the network behavior analysis module comprises a positioning communication double-end sub-module, a distinguishing logic connection sub-module and an analysis interaction sequence sub-module.
According to the nuclear power industry control protocol analysis system based on network behavior reconstruction, the positioning communication double-end sub-module selects a certain segment of a communication path, on the basis that the protocol function analysis module already knows the communication path between the devices, and identifies the protocol stack used by the communication on that segment.
According to the nuclear power industry control protocol analysis system based on network behavior reconstruction, the distinguishing logic connection sub-module is used for positioning network connection associated with a specific function when flow analysis is carried out.
According to the nuclear power industry control protocol analysis system based on network behavior reconstruction, provided by the invention, the analysis interaction sequence submodule is used for analyzing the interaction behavior of the data packet.
According to the nuclear power industry control protocol analysis system based on network behavior reconstruction, provided by the invention, the field semantic understanding module successively modifies the value of a single field in the protocol through the network behavior reconstruction module, and contrasts and analyzes the semantic corresponding to each value of the field.
A nuclear power industry control protocol analysis method based on network behavior reconstruction comprises the following steps:
step S1: inputting a network environment of a target nuclear power industrial control system as an input item into a protocol function analysis module, and outputting to obtain the network equipment, network topology, protocol type, communication process and protocol function;
step S2: working is carried out based on the result of the protocol function analysis module, and the communication rule of the specific application layer protocol is analyzed aiming at the two communication ends;
step S3: constructing a data packet or a data packet interaction sequence required by a protocol field division module and a field semantic understanding module;
step S4: presuming a protocol field, and verifying the protocol field through a network behavior reconstruction module until a correct protocol field division result is output;
step S5: analyzing the meaning of each value of the field based on the result of the protocol field division module and the input of the network behavior reconstruction module.
Compared with the prior art, the nuclear power industry control protocol analysis system and method based on network behavior reconstruction provided by the invention have the following beneficial effects:
the nuclear power industry control protocol analysis system and method based on network behavior reconstruction are used to analyse the private communication protocols of the nuclear power industrial control system and provide bottom-layer technical support for the research and development of network security products suitable for the nuclear power industrial control system; in addition, the network behavior reconstruction module solves the problem that original data packets are lacking during protocol analysis research.
Drawings
To illustrate the embodiments of the present invention or the prior-art solutions more clearly, the drawings used in their description are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a nuclear power industry control protocol analysis method based on network behavior reconstruction provided by an embodiment of the present invention.
Detailed Description
Although the system and method for analysing a nuclear power industrial control protocol based on network behavior reconstruction according to the present invention can be implemented in many different ways, exemplary embodiments are described in detail herein with reference to the accompanying drawings; it is to be understood that this description is not intended to limit the scope of the present invention to the exemplary embodiments. Accordingly, the drawings and the description of the specific embodiments are to be regarded as illustrative in nature and not as restrictive.
The following is a more detailed description of the present invention by way of specific embodiments.
The invention provides a nuclear power industry control protocol analysis system based on network behavior reconstruction, which comprises a protocol function analysis module, a network behavior reconstruction module, a protocol field division module and a field semantic understanding module.
The protocol function analysis module is a first working link of the protocol analysis method, and aims to know the actual nuclear power industrial control network environment including network equipment, network topology, protocol types and communication processes and analyze the protocol function.
Network equipment generally refers to various types of communication terminals in a nuclear power industrial control system, for example: operator stations, engineer stations, communication servers, process servers, controllers, and the like.
The network topology of a nuclear power industrial control system is generally a two-level bus network: the level-two bus connects operator stations, process servers and the like, and the level-one bus connects engineer stations, communication servers, controllers and the like.
Protocol type refers to the different kinds of protocol that the application layer may use when various network devices communicate. The network protocol model used by the network devices of a nuclear power industrial control system during communication is generally the five-layer TCP/IP model: physical layer, link layer, network layer, transport layer and application layer. The protocol layers involved in the encoding of a communication data packet are the link layer, network layer, transport layer and application layer. The first three of these are typically Ethernet at the link layer, IPv4 at the network layer and TCP at the transport layer, whereas the application layer protocol may differ between device types; some application layer protocols even run without any network-layer or transport-layer protocol beneath them.
The communication process refers to the data transmission path in the various service flows of the nuclear power industrial control system. For example, when an operator station issues an instruction, the data travels to the controller along a particular path.
Protocol function refers to the function that each protocol performs in the communication process of the industrial control system, such as connection state testing, configuration download and operation instruction issuing.
The network behavior analysis module is used for analyzing the communication rule of a specific application layer protocol aiming at the two communication ends, and comprises a positioning communication double-end sub-module, a distinguishing logic connection sub-module and an analysis interaction sequence sub-module.
The positioning communication double-end sub-module selects a certain segment of the communication path, for example the segment between device A and device B, on the basis that the protocol function analysis module already knows the communication path between the devices, and identifies the protocol stack used for that segment of the communication. Because each segment of the communication process may be responsible for different functions and may use a different protocol stack, traffic analysis should be carried out segment by segment, with the communication of each segment analysed independently.
The distinguishing logic connection sub-module, during traffic analysis, locates the network connection associated with a particular function. Between two communicating ends there are usually multiple logical connections. Taking the TCP/IP protocol stack as an example, in a nuclear power industrial control network there may be anywhere from several to hundreds of TCP connections between device A and device B. In a real environment it is impractical to establish the function of every TCP connection between the two ends, so the appropriate approach is to select the TCP connection related to a specific function for in-depth analysis.
The analysis interaction sequence sub-module analyses the interaction behaviour of the data packets. A protocol that accomplishes a given function usually requires the two communicating ends to exchange several data packets, and those packets are sent in a defined order.
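The two sub-modules described above can be illustrated on constructed packet records. The following is an added example, not code from the patent: it takes records of one communication segment (device A, an operator station, talking to device B, a controller), separates the logical TCP connections by their endpoint pairs, then reduces each connection's payload-carrying packets to an ordered request/response sequence and collapses repeating exchanges into a template. The IP addresses, ports, payload bytes and the reading of the first payload byte as a function code are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketRecord:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes   # TCP payload; empty for pure ACKs


def connection_key(p: PacketRecord):
    """Both directions of one TCP connection map to the same (endpoint, endpoint) key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def group_connections(packets):
    """Distinguishing logical connections: bucket packets by connection, in time order."""
    conns = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        conns[connection_key(p)].append(p)
    return dict(conns)


def interaction_sequence(conn_packets, initiator):
    """Ordered list of (direction, leading payload byte). Packets without payload are
    skipped; treating the leading byte as a function code is only a hypothesis here."""
    return [("req" if p.src == initiator else "rsp", p.payload[0])
            for p in conn_packets if p.payload]


def sequence_template(seq):
    """Collapse a sequence into its shortest repeating unit, e.g. a periodic
    heartbeat [(req, 0x01), (rsp, 0x81)] repeated N times becomes one pair."""
    for n in range(1, len(seq) + 1):
        if len(seq) % n == 0 and seq == seq[:n] * (len(seq) // n):
            return seq[:n]
    return seq


def analyse_segment(packets, initiator):
    """Map each logical connection of the segment to its interaction template."""
    return {key: sequence_template(interaction_sequence(pkts, initiator))
            for key, pkts in group_connections(packets).items()}


def connections_for_leading_byte(packets, initiator, code):
    """Pick the connection(s) whose requests start with the byte under study."""
    return [key for key, tmpl in analyse_segment(packets, initiator).items()
            if any(d == "req" and b == code for d, b in tmpl)]


A, B = "10.0.1.10", "10.0.2.20"
# Constructed sample: the connection on port 5001 is a periodic heartbeat, the one on
# port 5002 carries a command exchange. Bytes and addresses are invented.
SAMPLE = [
    PacketRecord(0.00, A, 40001, B, 5001, b"\x01"),
    PacketRecord(0.01, B, 5001, A, 40001, b"\x81"),
    PacketRecord(0.05, A, 40002, B, 5002, b"\x10\x00\x10\x00\x01"),
    PacketRecord(0.06, B, 5002, A, 40002, b""),                    # pure ACK, no data
    PacketRecord(0.07, B, 5002, A, 40002, b"\x90\x00"),
    PacketRecord(1.00, A, 40001, B, 5001, b"\x01"),
    PacketRecord(1.01, B, 5001, A, 40001, b"\x81"),
    PacketRecord(1.20, A, 40002, B, 5002, b"\x10\x00\x11\x00\x00"),
    PacketRecord(1.21, B, 5002, A, 40002, b"\x90\x00"),
]

if __name__ == "__main__":
    for key, tmpl in analyse_segment(SAMPLE, A).items():
        print(key, "->", [(d, hex(b)) for d, b in tmpl])
    print("command connection(s):", connections_for_leading_byte(SAMPLE, A, 0x10))
```

In practice the records would come from a capture of the selected segment; the template is what the later field division step works on, one connection at a time.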
The network behavior reconstruction module constructs the data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module. Under specified operating conditions of the nuclear power industrial control system it can output the data packet or packet interaction sequence of any communication segment and supply it to the protocol field division module and the field semantic understanding module for analysis.
The communication protocols of a nuclear power industrial control system differ from conventional network protocols in that there is usually no standard document to refer to, and the encoding of the protocol is unknown. Conventional traffic analysis tools offer very limited support for these protocols: when a data packet is decoded layer by layer, decoding generally stops at the TCP payload, which is shown as unidentified binary data.
The protocol field division module divides the binary stream into a plurality of fixed-length fields on the basis of the binary data. This involves the details of the protocol encoding and must be analysed specifically for each protocol. The type of each field, its storage mode, its length and the association between preceding and following fields all need to be considered. Field types generally include integers, floating-point numbers and character strings. The storage mode is little-endian or big-endian. The field length is the number of binary bits or bytes the field occupies. Association between fields means that the encoding of a later field depends on the value of an earlier one; for example, a string field is typically preceded by a 4-byte integer giving its length.
Protocol field division proceeds iteratively, alternating between speculating a field layout, verifying it through the network behavior reconstruction module, and correcting it.
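The layer-by-layer decoding that stops at the TCP payload, and the speculate/verify/correct loop over that payload, can both be shown in code. The following added example (not code from the patent) has two parts. The first peels a constructed Ethernet/IPv4/TCP frame and returns the remaining bytes as the opaque application payload; a second constructed frame carries the application data directly over Ethernet, the case the description mentions where no network or transport layer is present. The second part treats a field layout as a hypothesis, parses every reconstructed sample with it, and rejects the hypothesis when any sample does not parse exactly. The message format, magic value, tags, addresses and sample values are all constructed for the example; checksums are left at zero because nothing here verifies them.

```python
import struct

ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6


def decode_frame(frame: bytes) -> dict:
    """Peel link, network and transport layers; whatever is left is the opaque payload."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    out = {"eth": {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}}
    rest = frame[14:]
    if ethertype != ETHERTYPE_IPV4:          # application protocol sits directly on the link layer
        out["payload"] = rest
        return out
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _cs, s, d = struct.unpack_from("!BBHHHBBH4s4s", rest, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4               # IP header length in bytes (20 without options)
    out["ip"] = {"src": ".".join(map(str, s)), "dst": ".".join(map(str, d)), "proto": proto, "ttl": ttl}
    rest = rest[ihl:total_len]               # total_len trims any link-layer padding
    if proto != IPPROTO_TCP:
        out["payload"] = rest
        return out
    sport, dport, seq, ack, off_flags, _win, _cs, _urg = struct.unpack_from("!HHIIHHHH", rest, 0)
    doff = (off_flags >> 12) * 4             # TCP data offset, 32-bit words -> bytes
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF}
    out["payload"] = rest[doff:]             # generic tools stop here for a private protocol
    return out


def build_tcp_frame(src_ip, sport, dst_ip, dport, payload: bytes) -> bytes:
    """Constructed test frame (PSH|ACK, checksums zero, invented MAC addresses)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | 0x018, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000002"), bytes.fromhex("020000000001"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


# --- field layout as a hypothesis -------------------------------------------------
FIXED = {"u8": "B", "u16": "H", "u32": "I", "f32": "f"}
MAGIC = 0xA55A


def parse_fields(data: bytes, layout, endian: str) -> dict:
    """Apply a (name, kind) layout with the given endianness ('<' or '>') to one packet."""
    fields, off = {}, 0
    for name, kind in layout:
        if kind in FIXED:
            fmt = endian + FIXED[kind]
            size = struct.calcsize(fmt)
            if off + size > len(data):
                raise ValueError(f"{name}: packet truncated")
            (val,) = struct.unpack_from(fmt, data, off)
            off += size
        elif kind.startswith("bytes:"):      # fixed-length opaque field
            size = int(kind.split(":")[1])
            if off + size > len(data):
                raise ValueError(f"{name}: packet truncated")
            val, off = data[off:off + size], off + size
        elif kind == "lstr":                  # 4-byte integer length prefix, then ASCII text
            if off + 4 > len(data):
                raise ValueError(f"{name}: length prefix truncated")
            (n,) = struct.unpack_from(endian + "I", data, off)
            off += 4
            if off + n > len(data):
                raise ValueError(f"{name}: length prefix {n} exceeds packet")
            val, off = data[off:off + n].decode("ascii"), off + n
        else:
            raise ValueError(f"{name}: unknown field kind {kind}")
        fields[name] = val
    if off != len(data):
        raise ValueError(f"{len(data) - off} trailing byte(s) not covered by the layout")
    return fields


def verify_layout(samples, layout, endian):
    """Accept only if every reconstructed sample parses exactly and the supposedly constant field is constant."""
    try:
        parsed = [parse_fields(s, layout, endian) for s in samples]
    except ValueError as e:
        return False, str(e)
    if any(p["magic"] != MAGIC for p in parsed):
        return False, "magic field is not constant across samples"
    return True, "all samples parsed exactly"


def select_layout(samples, candidates):
    """Speculate / verify / correct: first surviving (name, layout, endian), plus why the others failed."""
    rejected = {}
    for name, layout, endian in candidates:
        ok, reason = verify_layout(samples, layout, endian)
        if ok:
            return name, layout, endian, rejected
        rejected[name] = reason
    return None, None, None, rejected


def build_sample(seq, func, tag, value, endian="<"):
    """Stand-in for the reconstruction module: one constructed application message."""
    t = tag.encode("ascii")
    return (struct.pack(endian + "HIB", MAGIC, seq, func)
            + struct.pack(endian + "I", len(t)) + t + struct.pack(endian + "f", value))


SAMPLES = [build_sample(1, 0x10, "TI-101", 12.5), build_sample(2, 0x10, "PI-2", 3.25)]
COMMON = [("magic", "u16"), ("seq", "u32"), ("func", "u8")]
CANDIDATES = [
    ("fixed 10-byte tag, little-endian", COMMON + [("tag", "bytes:10"), ("value", "f32")], "<"),
    ("length-prefixed tag, big-endian", COMMON + [("tag", "lstr"), ("value", "f32")], ">"),
    ("length-prefixed tag, little-endian", COMMON + [("tag", "lstr"), ("value", "f32")], "<"),
]
TCP_FRAME = build_tcp_frame("10.0.1.10", 40001, "10.0.2.20", 5002, SAMPLES[0])
RAW_ETH_FRAME = struct.pack("!6s6sH", bytes.fromhex("020000000002"), bytes.fromhex("020000000001"), 0x88B5) + SAMPLES[0]

if __name__ == "__main__":
    payload = decode_frame(TCP_FRAME)["payload"]
    name, layout, endian, rejected = select_layout([payload, SAMPLES[1]], CANDIDATES)
    print("accepted:", name, parse_fields(payload, layout, endian))
    for n, why in rejected.items():
        print("rejected:", n, "->", why)
```

The first candidate shows why several reconstructed samples are needed: a fixed 10-byte tag parses the first sample exactly and is only rejected once a sample with a different tag length is supplied. The second candidate is the correct layout with the wrong endianness, and it fails because the length prefix read big-endian exceeds the packet.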
The field semantic understanding module further analyses the meaning of each value of a field on the basis of the protocol field division. Through the network behavior reconstruction module, the value of a single field in the protocol is modified one value at a time, and the semantics corresponding to each value are established by comparing the resulting behaviour.
As shown in fig. 1, the invention further provides a nuclear power industry control protocol analysis method based on network behavior reconstruction, which includes the following steps:
The network environment of the target nuclear power industrial control system is supplied as the input item to the protocol function analysis module, which outputs the network equipment, network topology, protocol types, communication processes and protocol functions.
The network behavior analysis module works based on the result of the protocol function analysis module, and analyzes the communication rule of the specific application layer protocol aiming at the two communication ends. The network behavior analysis module consists of a positioning communication double-end sub-module, a distinguishing logic connection sub-module and an analysis interaction sequence sub-module.
The network behavior reconstruction module serves as the input of the protocol field division module and the field semantic understanding module, constructing the data packets or data packet interaction sequences they require.
The protocol field division module speculates the protocol fields based on the result of the network behavior analysis module and the input of the network behavior reconstruction module, and verifies them through the network behavior reconstruction module until a correct protocol field division result is output.
The field semantic understanding module analyses the meaning of each value of a field based on the result of the protocol field division module and the input of the network behavior reconstruction module.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.
Claims (8)
1. A nuclear power industry control protocol analysis system based on network behavior reconstruction is characterized by comprising a protocol function analysis module, a network behavior reconstruction module, a protocol field division module and a field semantic understanding module,
the protocol function analysis module is used for knowing the actual nuclear power industrial control network environment and analyzing the protocol function;
the network behavior analysis module is used for analyzing the communication rule of a specific application layer protocol aiming at the two communication ends;
the network behavior reconstruction module is used for constructing data packets or data packet interaction sequences required by the protocol field division module and the field semantic understanding module;
the protocol field dividing module divides a binary stream into a plurality of fields with fixed length on the basis of binary data;
the field semantic understanding module is used for further analyzing the meaning of each value of the field on the basis of protocol field division.
2. The system for analyzing the nuclear power industry control protocol based on the network behavior reconstruction as claimed in claim 1, wherein the nuclear power industry control network environment includes network devices, network topology, protocol types, and communication processes.
3. The system for analyzing the nuclear power industry control protocol based on network behavior reconstruction as claimed in claim 1, wherein the network behavior analysis module comprises a positioning communication dual-terminal module, a logic-distinguished connection sub-module and an interaction sequence analysis sub-module.
4. The system for analyzing the communication protocol of the nuclear power industry control system based on the network behavior reconstruction as claimed in claim 3, wherein the positioning communication dual-terminal module is used for selecting a certain section of the communication path to know a protocol stack used by the communication of the section of the communication path on the basis that the protocol function analysis module already knows the communication path between the devices.
5. The system of claim 3, wherein the logical connection differentiation submodule is configured to locate a network connection associated with a specific function when performing traffic analysis.
6. The system for analyzing the nuclear power industry control protocol based on network behavior reconstruction as claimed in claim 3, wherein the analysis interaction sequence submodule is configured to analyze the interaction behavior of the data packet.
7. The system for analyzing the nuclear power industry control protocol based on network behavior reconstruction according to claim 1, wherein the field semantic understanding module successively modifies the value of a single field in the protocol through the network behavior reconstruction module, and contrasts and analyzes the semantic corresponding to each value of the field.
8. A nuclear power industry control protocol analysis method based on network behavior reconstruction is characterized by comprising the following steps:
step S1: inputting a network environment of a target nuclear power industrial control system as an input item into a protocol function analysis module, and outputting to obtain the network equipment, network topology, protocol type, communication process and protocol function;
step S2: working is carried out based on the result of the protocol function analysis module, and the communication rule of the specific application layer protocol is analyzed aiming at the two communication ends;
step S3: constructing a data packet or a data packet interaction sequence required by a protocol field division module and a field semantic understanding module;
step S4: presuming a protocol field, and verifying the protocol field through a network behavior reconstruction module until a correct protocol field division result is output;
step S5: analyzing the meaning of each value of the field based on the result of the protocol field division module and the input of the network behavior reconstruction module.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210330768.XA CN114866282A (en) | 2022-03-30 | 2022-03-30 | Nuclear power industry control protocol analysis system and method based on network behavior reconstruction |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114866282A true CN114866282A (en) | 2022-08-05 |
Family
ID=82629881
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108429764A (en) * | 2018-05-28 | 2018-08-21 | 烽火通信科技股份有限公司 | A method of the data transmission based on proprietary protocol and parsing |
CN109462590A (en) * | 2018-11-15 | 2019-03-12 | 成都网域复兴科技有限公司 | A kind of unknown protocol conversed analysis method based on fuzz testing |
US20200082231A1 (en) * | 2018-09-11 | 2020-03-12 | International Business Machines Corporation | Automatic protocol discovery using text analytics |
CN111314279A (en) * | 2019-11-25 | 2020-06-19 | 北京航空航天大学 | Unknown protocol reverse system based on network flow |
CN111371651A (en) * | 2020-03-12 | 2020-07-03 | 杭州木链物联网科技有限公司 | Industrial communication protocol reverse analysis method |
CN112751845A (en) * | 2020-12-28 | 2021-05-04 | 北京恒光信息技术股份有限公司 | Network protocol analysis method, system and device |
CN113194010A (en) * | 2021-04-28 | 2021-07-30 | 浙江大学 | Field semantic analysis method of non-public industrial communication protocol |
US20220035322A1 (en) * | 2021-02-20 | 2022-02-03 | Kingtronics Institute of Science and Technology (Xiamen) Co., Ltd. | Intelligent operation control apparatus and system |
Non-Patent Citations (1)
Title |
---|
程必成 et al.: "非标工业控制协议格式逆向方法研究" (Research on reverse-engineering methods for non-standard industrial control protocol formats), 《电子技术应用》 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||