CN115174245A - Test method and system based on DoIP protocol detection - Google Patents


Info

Publication number
CN115174245A
Authority
CN
China
Prior art keywords
attack
information
server
client
data
Legal status
Pending
Application number
CN202210835181.4A
Other languages
Chinese (zh)
Inventor
崔圳
纪建芳
范雪俭
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd, Hubei Topsec Network Security Technology Co Ltd
Priority to CN202210835181.4A
Publication of CN115174245A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the application provides a test method and a test system based on DoIP protocol detection, in the technical field of network security detection. The test method comprises the following steps: acquiring the file data to be parsed for DoIP protocol detection traffic; generating client information, server information and attack-end information from the file data to be parsed; creating a corresponding client from the client information; creating a corresponding server from the server information, establishing a connection between the client and the server and sending a data packet, the server receiving the data packet and returning response data in a preset response format; and creating a corresponding attack end from the attack-end information, the attack end obtaining the data packet and/or the response data and carrying out an attack test against the DoIP protocol detection tool based on the data packet and/or the response data. The method widens the test coverage and improves the test efficiency of the DoIP protocol detection tool.

Description

Testing method and system based on DoIP protocol detection
Technical Field
The present application relates to the field of network security detection technologies, and in particular, to a test method and system based on DoIP protocol detection, an electronic device, and a computer-readable storage medium.
Background
At present, the vehicle communication buses in widest use are CAN, LIN, FlexRay, MOST and the like. As in-vehicle electronic systems grow more complex, the growing number of controllers and interfaces places ever higher demands on network bandwidth, and communication between control units and between domains in the vehicle also increases; the traditional buses are gradually unable to keep up, which creates an opportunity for the wide deployment of Ethernet in vehicles. In current in-vehicle gateways an intrusion detection system is deployed to protect the in-vehicle Ethernet, and Diagnostic communication over Internet Protocol (DoIP), the IP-based diagnostic protocol, is one of the main targets of that intrusion detection system's security detection on the in-vehicle Ethernet.
In the prior art, because DoIP traffic only exists in a real vehicle, genuine DoIP messages cannot be obtained without modifying the vehicle. The usual way to test a DoIP protocol detection engine is therefore to call the Application Programming Interface (API) that inspects DoIP packets directly and feed it manually constructed application data, checking whether the engine flags the packet anomaly. Although this confirms that the detection engine works in isolation, it cannot reproduce a real DoIP message exchange, and therefore cannot exercise anomalies that are only detectable in the context of the surrounding exchange, such as a repeated request or a missing response.
Disclosure of Invention
An embodiment of the present application aims to provide a test method, a test system, an electronic device and a computer-readable storage medium based on DoIP protocol detection, which widen the test coverage and improve the test efficiency of a DoIP protocol detection tool.
In a first aspect, an embodiment of the present application provides a test method based on DoIP protocol detection, including:
acquiring the file data to be parsed for DoIP protocol detection traffic;
generating client information, server information and attack-end information from the file data to be parsed;
creating a corresponding client from the client information;
creating a corresponding server from the server information, establishing a connection between the client and the server and sending a data packet, the server receiving the data packet and returning response data in a preset response format;
and creating a corresponding attack end from the attack-end information, the attack end obtaining the data packet and/or the response data and carrying out an attack test against the DoIP protocol detection tool based on the data packet and/or the response data.
In this implementation, the test method generates client information, server information and attack-end information from the file data to be parsed for DoIP protocol detection traffic, creates a client and a server from that information, and tests the DoIP protocol detection tool. The method can simulate a real DoIP client and a real DoIP server and generate DoIP traffic that contains both normal messages and malicious attack messages. It therefore removes the prior-art constraint that the detection engine can only be tested by deploying it in a real vehicle component and modifying that component to generate attack traffic; it is easy to operate, quick to set up and simple to implement, and it widens the test coverage and improves the test efficiency of the DoIP protocol detection tool.
Further, the step of generating client information, server information and attack-end information from the file data to be parsed includes:
generating an XML configuration document from the file data to be parsed, the XML configuration document containing the client information, server information and attack-end information used during operation;
and parsing the XML configuration document to obtain the client information, the server information and the attack-end information.
In this implementation, the XML configuration document is parsed to extract the client information, server information and attack-end information, so an attack run needs nothing more than writing the XML configuration document; compared with the prior art this is considerably more automated.
Further, the step of creating a corresponding client from the client information includes:
configuring a plurality of clients from the client information, the clients being created as separate processes, each client establishing a connection with the server and sending data packets according to the packet-sending flow in the XML configuration document.
In this implementation, the corresponding client is created from the client information obtained by parsing. Several different clients can be configured, each running as its own process; once started, a client connects to the server according to the packet-sending flow in the XML configuration document and sends data packets to it, where a data packet is a connection request and/or message data.
Further, the step of creating a corresponding server from the server information includes:
configuring a plurality of servers from the server information, the servers being created as separate processes, each server returning response data in the preset response format given in the XML configuration document.
In this implementation, the corresponding server is created from the server information obtained by parsing. Several different servers can be configured, each running as its own process; once started, a server receives the client's connection request or message data and returns response data for it in the preset response format given in the XML configuration document.
Further, after the step of creating the corresponding attack end from the attack-end information, the method further includes:
performing offline traffic detection according to the XML configuration document: during offline traffic detection, the message traffic exchanged between the client and the server is saved locally as a pcap file, and the DoIP protocol detection tool is then tested offline against that pcap file.
In this implementation, offline traffic detection is switched on or off by a setting in the XML configuration document. When it is on, the message traffic exchanged between the client and the server is saved locally in pcap format; the DoIP protocol detection tool's offline detection mode is then used, and whether the tool works correctly is tested by replaying the pcap file to it.
Further, the attack-end information includes attack frequency information and attack type information, and the attack type is one or more of: source address tampering, destination address tampering, version number tampering, destination port tampering, unknown payload type attack, high-frequency attack and logic attack.
Further, when the attack type is one or more of source address tampering, destination port tampering and high-frequency attack, the method further includes:
calling the client's API to generate an attack message according to the attack-end information, and sending the attack message to the server;
and when the attack type is one or more of version number tampering, unknown payload type attack and logic attack, the method further includes:
calling a preset API of the attack end, and sending the tampered message content to the server through the client or to the client through the server.
In this implementation, the source address tampering, destination port tampering and high-frequency attack types require the attack end to generate the attack message itself through the client's API and send it to the server; the other attack types require the client or server to call the attack end's preset API before sending a message, so that the attack end tampers with the message content and the client or server then sends the tampered message out.
In a second aspect, an embodiment of the present application provides a test system based on DoIP protocol detection, including:
an acquisition module, configured to acquire the file data to be parsed for DoIP protocol detection traffic;
a parsing module, configured to generate client information, server information and attack-end information from the file data to be parsed;
a client module, configured to create a corresponding client from the client information;
a server module, configured to create a corresponding server from the server information, the client establishing a connection with the server and sending a data packet, and the server receiving the data packet and returning response data in a preset response format;
and an attack module, configured to create a corresponding attack end from the attack-end information, the attack end obtaining the data packet and/or the response data and carrying out an attack test against the DoIP protocol detection tool based on the data packet and/or the response data.
Further, the parsing module is specifically configured to:
generate an XML configuration document from the file data to be parsed, the XML configuration document containing the client information, server information and attack-end information used during operation;
and parse the XML configuration document to obtain the client information, the server information and the attack-end information.
Further, the client module is specifically configured to:
configure a plurality of clients from the client information, the clients being created as separate processes, each client establishing a connection with the server and sending data packets according to the packet-sending flow in the XML configuration document.
Further, the server module is specifically configured to:
configure a plurality of servers from the server information, the servers being created as separate processes, each server returning response data in the preset response format given in the XML configuration document.
Further, the test system based on DoIP protocol detection further includes:
an offline detection module, configured to perform offline traffic detection according to the XML configuration document: during offline traffic detection, the message traffic exchanged between the client and the server is saved locally as a pcap file, and the DoIP protocol detection tool is tested offline against that pcap file.
Further, when the attack type is one or more of source address tampering, destination port tampering and high-frequency attack, the attack module is configured to:
call the client's API to generate an attack message according to the attack-end information, and send the attack message to the server;
and when the attack type is one or more of version number tampering, unknown payload type attack and logic attack, the attack module is configured to:
call a preset API of the attack end, and send the tampered message content to the server through the client or to the client through the server.
In a third aspect, an electronic device provided in an embodiment of the present application includes: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having instructions stored thereon, which, when executed on a computer, cause the computer to perform the method according to any one of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspect.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the above-described techniques.
In order to make the aforementioned objects, features and advantages of the present application comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a test method based on DoIP protocol detection according to an embodiment of the present application;
fig. 2 is a schematic flowchart of another testing method based on DoIP protocol detection according to an embodiment of the present application;
fig. 3 is a block diagram of a test structure of a DoIP protocol detection tool according to an embodiment of the present application;
fig. 4 is a block diagram of a structure of a test system based on DoIP protocol detection according to an embodiment of the present application;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
The embodiment of the application provides a test method, a test system, an electronic device and a computer-readable storage medium based on DoIP protocol detection, which can be applied to security devices such as a vehicle-mounted firewall or a vehicle-mounted gateway. The test method generates client information, server information and attack-end information from the file data to be parsed for DoIP protocol detection traffic, creates a client and a server from that information, and tests the DoIP protocol detection tool. The method can simulate a real DoIP client and a real DoIP server and generate DoIP traffic that contains both normal messages and malicious attack messages. It therefore removes the prior-art constraint that the detection engine can only be tested by deploying it in a real vehicle component and modifying that component to generate attack traffic; it is easy to operate, quick to set up and simple to implement, and it widens the test coverage and improves the test efficiency of the DoIP protocol detection tool.
Referring to fig. 1, fig. 1 is a schematic flow chart of a test method based on DoIP protocol detection according to an embodiment of the present application, where the test method based on DoIP protocol detection includes the following steps:
S100: acquiring the file data to be parsed for DoIP protocol detection traffic.
Illustratively, the DoIP protocol, standardised by ISO as ISO 13400, is in short an IP-based diagnostic communication protocol. Technologies that are becoming popular in the market, such as remote diagnostics and over-the-air (OTA) updates, rely on it because Ethernet offers a far higher communication rate than other vehicle communication technologies such as CAN.
S200: generating client information, server information and attack-end information from the file data to be parsed.
Illustratively, the client information includes the client IP and port, the destination IP and port, and the fields of the DoIP header format in the message to be sent, such as the protocol version, payload type, source address, target address and payload content.
Illustratively, the server information includes the server IP, port, transport layer protocol type, supported services and the content of the response message.
Illustratively, the attack-end information includes information such as the attack type and attack frequency.
Illustratively, the client information, server information and attack-end information obtained from the file data to be parsed are used to simulate the client and server of a real DoIP exchange and to generate the corresponding DoIP traffic, which contains both normal messages and malicious attack messages.
S300: creating a corresponding client from the client information.
S400: creating a corresponding server from the server information, establishing a connection between the client and the server and sending a data packet, the server receiving the data packet and returning response data in a preset response format.
Illustratively, the client and server of a real DoIP exchange are simulated from the client information and server information: a connection is established between them, the client sends a data packet to the server, and the server receives it and sends response data back to the client, producing the corresponding DoIP traffic.
S500: creating a corresponding attack end from the attack-end information, the attack end obtaining the data packet and/or the response data and carrying out an attack test against the DoIP protocol detection tool based on the data packet and/or the response data.
Illustratively, the attack end can act as a man-in-the-middle: the client and server hand each message to the attack end before sending it, and the attack end either modifies the message into a malicious attack message or assembles an attack message of its own and attacks directly.
In some embodiments, the test method based on DoIP protocol detection generates client information, server information and attack-end information from the file data to be parsed for DoIP protocol detection traffic, creates a client and a server from that information, and tests the DoIP protocol detection tool. The method can simulate a real DoIP client and a real DoIP server and generate DoIP traffic that contains both normal messages and malicious attack messages. It therefore removes the prior-art constraint that the detection engine can only be tested by deploying it in a real vehicle component and modifying that component to generate attack traffic; it is easy to operate, quick to set up and simple to implement, and it widens the test coverage and improves the test efficiency of the DoIP protocol detection tool.
Referring to fig. 2, fig. 2 is a schematic flowchart of another testing method based on DoIP protocol detection according to an embodiment of the present application.
Exemplarily, S200, generating client information, server information and attack-end information from the file data to be parsed, includes the following steps:
S210: generating an XML configuration document from the file data to be parsed, the XML configuration document containing the client information, server information and attack-end information used during operation;
S220: parsing the XML configuration document to obtain the client information, server information and attack-end information.
Illustratively, the client information, server information and attack-end information are extracted by parsing the XML configuration document, so an attack run needs nothing more than writing the XML configuration document; compared with the prior art this is considerably more automated.
Illustratively, the Extensible Markup Language (XML) configuration document is the configuration document for the application's run in an embodiment of the present application. It contains the client information used during the run (the client IP and port, the destination IP and port, and the protocol version, payload type, source address, target address and payload content of the DoIP header format in the message to be sent), the server information (the server IP, port, transport layer protocol type, supported services and the content of the response message) and the attack information (the attack type, frequency and so on).
Exemplarily, S300, creating the corresponding client from the client information, includes the following step:
S310: configuring a plurality of clients from the client information, the clients being created as separate processes, each client establishing a connection with the server and sending data packets according to the packet-sending flow in the XML configuration document.
Exemplarily, the corresponding client is created from the client information obtained by parsing; once started, the client connects to the server according to the packet-sending flow in the XML configuration document and sends data packets to it, where a data packet is a connection request and/or message data.
Exemplarily, S400, creating the corresponding server from the server information, includes the following step:
S410: configuring a plurality of servers from the server information, the servers being created as separate processes, each server returning response data in the preset response format given in the XML configuration document.
Exemplarily, the corresponding server is created from the server information obtained by parsing. Several different servers can be configured, each running as its own process; once started, a server receives the client's connection request or message data and returns response data for it in the preset response format given in the XML configuration document.
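The client/server exchange of steps S210 to S410, driven by a small XML configuration document, as an added Python example that is not part of the patent or of the Topsec tool. The element and attribute names of the configuration (doip_test, server, client, response, send and their attributes) are assumptions made for this example, since the patent does not publish its schema; the message framing and payload types follow ISO 13400-2, with routing activation response code 0x10 (routing successfully activated) and diagnostic positive acknowledgement code 0x00 as the preset response format, and a generic header negative acknowledgement with code 0x01 for any payload type the configuration does not cover. The server listens on the loopback interface on a port chosen by the OS (port 0 in the configuration) so the example runs on any machine; the patent's multi-process clients and servers are collapsed into one server thread and one client here.

```python
# Loopback simulation of the configured DoIP client/server exchange (steps S210-S410).
# Added example, not the patent's code: XML names are assumed; framing follows ISO 13400-2.
import socket
import struct
import threading
import xml.etree.ElementTree as ET

DOIP_VERSION = 0x02                                            # ISO 13400-2:2012
PT_NACK, PT_ROUTING_ACT_REQ, PT_ROUTING_ACT_RESP = 0x0000, 0x0005, 0x0006
PT_DIAG_MSG, PT_DIAG_ACK = 0x8001, 0x8002

# Constructed configuration: client info, server info and the server's preset response format.
CONFIG_XML = """<doip_test>
  <server ip="127.0.0.1" port="0" transport="tcp" logical_address="0x0E80">
    <response payload_type="0x0005" code="0x10"/>
    <response payload_type="0x8001" ack="0x00"/>
  </server>
  <client version="0x02" source_address="0x0E00" target_address="0x0E80">
    <send payload_type="0x0005"/>
    <send payload_type="0x8001" data="22F190"/>
  </client>
</doip_test>"""

def doip_message(ptype, payload, version=DOIP_VERSION):
    # Generic header: version, bitwise-inverse version, payload type, payload length.
    return struct.pack(">BBHI", version, (~version) & 0xFF, ptype, len(payload)) + payload

def split_doip(buf):
    ver, inv, ptype, plen = struct.unpack(">BBHI", buf[:8])
    return ver, inv, ptype, buf[8:8 + plen]

def parse_config(xml_text):
    # Step S220: extract server information and client information from the XML document.
    root, hx = ET.fromstring(xml_text), lambda s: int(s, 16)
    srv, cli = root.find("server"), root.find("client")
    server = {"ip": srv.get("ip"), "port": int(srv.get("port")),
              "address": hx(srv.get("logical_address")),
              "responses": {hx(r.get("payload_type")): r.attrib for r in srv.findall("response")}}
    client = {"version": hx(cli.get("version")), "source": hx(cli.get("source_address")),
              "target": hx(cli.get("target_address")),
              "sends": [(hx(s.get("payload_type")), bytes.fromhex(s.get("data", "")))
                        for s in cli.findall("send")]}
    return server, client

def build_request(client, ptype, data):
    # Client side (S310): the packet-sending flow names the payload type to send.
    if ptype == PT_ROUTING_ACT_REQ:   # source address, activation type 0x00, 4 reserved bytes
        payload = struct.pack(">HBI", client["source"], 0x00, 0)
    elif ptype == PT_DIAG_MSG:        # source address, target address, user data
        payload = struct.pack(">HH", client["source"], client["target"]) + data
    else:
        raise ValueError("payload type 0x%04x not supported by this example" % ptype)
    return doip_message(ptype, payload, client["version"])

def build_response(server, ptype, payload):
    # Server side (S410): answer in the preset response format from the configuration.
    fmt = server["responses"].get(ptype)
    if ptype == PT_ROUTING_ACT_REQ and fmt:   # tester address, entity address, code, reserved
        tester = struct.unpack(">H", payload[:2])[0]
        body = struct.pack(">HHBI", tester, server["address"], int(fmt["code"], 16), 0)
        return doip_message(PT_ROUTING_ACT_RESP, body)
    if ptype == PT_DIAG_MSG and fmt:          # positive ack: swapped addresses, ack code, user data
        src, tgt = struct.unpack(">HH", payload[:4])
        return doip_message(PT_DIAG_ACK, struct.pack(">HHB", tgt, src, int(fmt["ack"], 16)) + payload[4:])
    return doip_message(PT_NACK, b"\x01")     # generic header NACK 0x01: unknown payload type

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk: raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def serve_one(server, lsock):
    # Handle one client connection until the client closes it.
    conn, _ = lsock.accept()
    try:
        while True:
            _, _, ptype, plen = struct.unpack(">BBHI", recv_exact(conn, 8))
            conn.sendall(build_response(server, ptype, recv_exact(conn, plen)))
    except ConnectionError:
        conn.close()

def run_exchange(xml_text=CONFIG_XML):
    # Run the configured client against the simulated server; return (request, response) pairs.
    server, client = parse_config(xml_text)
    lsock = socket.socket()
    lsock.bind((server["ip"], server["port"]))
    lsock.listen(1)
    threading.Thread(target=serve_one, args=(server, lsock), daemon=True).start()
    exchange = []
    with socket.create_connection((server["ip"], lsock.getsockname()[1])) as c:
        for ptype, data in client["sends"]:
            req = build_request(client, ptype, data)
            c.sendall(req)
            hdr = recv_exact(c, 8)
            exchange.append((req, hdr + recv_exact(c, struct.unpack(">BBHI", hdr)[3])))
    lsock.close()
    return exchange
```

Calling run_exchange() returns the (request, response) pairs: the routing activation request is answered with a routing activation response whose code byte is 0x10, and the diagnostic message (a constructed UDS ReadDataByIdentifier request, 22 F1 90) with a positive acknowledgement that echoes the user data. The bytes that cross this loopback socket are exactly what a capture on that interface would record for the offline pcap of step S600.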
Exemplarily, after S500, creating the corresponding attack end from the attack-end information, the method further includes:
S600: performing offline traffic detection according to the XML configuration document: during offline traffic detection, the message traffic exchanged between the client and the server is saved locally as a pcap file, and the DoIP protocol detection tool is then tested offline against that pcap file.
Illustratively, offline traffic detection is switched on or off by a setting in the XML configuration document. When it is on, the message traffic exchanged between the client and the server is saved locally in pcap format; the DoIP protocol detection tool's offline detection mode is then used, and whether the tool works correctly is tested by replaying the pcap file to it.
Illustratively, the attack-end information includes attack frequency information and attack type information, and the attack type is one or more of: source address tampering, destination address tampering, version number tampering, destination port tampering, unknown payload type attack, high-frequency attack and logic attack.
Exemplarily, when the attack type is one or more of source address tampering, destination port tampering and high-frequency attack, the method further includes:
calling the client's API to generate an attack message according to the attack-end information and sending the attack message to the server;
and when the attack type is one or more of version number tampering, unknown payload type attack and logic attack, the method further includes:
calling a preset API of the attack end to tamper with the content of the message, then sending the message to the server through the client or to the client through the server.
Illustratively, with reference to the ISO 13400 specification, seven attack types are defined and supported: source address tampering, destination address tampering, version number tampering, destination port tampering, unknown payload type attack, high-frequency attack and logic attack (an attack that breaks the communication logic between client and server, such as a repeated request or a missing response).
Exemplarily, the source address tampering, destination port tampering and high-frequency attack types require the attack module to generate the attack message itself through the client's API and send it to the server; the other attack types require the client or server to call the attack end's preset API before sending a message, so that the attack end tampers with the message content and the client or server then sends the tampered message out.
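The attack end and the context-dependent detection that the Background says a per-packet API test cannot cover, as an added Python example that is not part of the patent or of the Topsec detection engine. Six of the seven attack types are shown, four as message-level mutations (version number, unknown payload type, source address, destination address) and two as traffic patterns (high-frequency, repeated-request logic attack); destination port tampering is a socket-level choice of a port other than 13400 and has no message mutation here. The detector's rules, its rate threshold (20 tester messages per second) and the bogus addresses 0xDEAD and 0xBEEF are assumptions of this example; the header layout and the set of known payload types are those of ISO 13400-2. The payload-length check goes beyond the patent's list and mirrors the generic header negative acknowledgement code 0x04 (invalid payload length) of the specification.

```python
# Attack end and context-aware detection check for the attack types listed above.
# Added example, not the patent's engine: the rules and thresholds are this example's
# assumptions; header layout and payload types follow ISO 13400-2.
import struct
from collections import deque

DOIP_VERSION = 0x02
PT_ROUTING_ACT_REQ, PT_DIAG_MSG, PT_DIAG_ACK = 0x0005, 0x8001, 0x8002
KNOWN_PAYLOAD_TYPES = {0x0000, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0007,
                       0x0008, 0x4001, 0x4002, 0x4003, 0x4004, 0x8001, 0x8002, 0x8003}

def doip_message(ptype, payload, version=DOIP_VERSION):
    return struct.pack(">BBHI", version, (~version) & 0xFF, ptype, len(payload)) + payload

def diag(src, tgt, data):
    # Diagnostic message payload: source address, target address, user data.
    return doip_message(PT_DIAG_MSG, struct.pack(">HH", src, tgt) + data)

# Attack end (the patent's "preset API"): each function turns a normal message into a
# tampered one that the client or server then sends out unchanged.
def tamper_version(msg):            # version byte changed, inverse byte left as is
    return bytes([0x01]) + msg[1:]

def tamper_payload_type(msg):       # payload type not defined by ISO 13400-2
    return msg[:2] + struct.pack(">H", 0x1234) + msg[4:]

def tamper_source_address(msg, fake=0xDEAD):
    return msg[:8] + struct.pack(">H", fake) + msg[10:]

def tamper_target_address(msg, fake=0xBEEF):
    return msg[:10] + struct.pack(">H", fake) + msg[12:]

ATTACKS = {"version_tamper": tamper_version, "unknown_payload_type": tamper_payload_type,
           "source_address_tamper": tamper_source_address,
           "destination_address_tamper": tamper_target_address}

class ContextDetector:
    """Stateful checks over one connection: the context a per-packet API test cannot see."""
    def __init__(self, valid_targets, max_per_second=20):
        self.valid_targets = set(valid_targets)
        self.max_per_second = max_per_second
        self.activated_src = None   # tester address registered by routing activation
        self.pending = set()        # diagnostic requests still waiting for a response
        self.window = deque()       # timestamps of recent tester messages

    def inspect(self, msg, ts, from_tester=True):
        """Return the alert names raised for this message; an empty list means normal."""
        alerts = []
        ver, inv, ptype, plen = struct.unpack(">BBHI", msg[:8])
        if inv != (~ver) & 0xFF: alerts.append("version_tamper")
        if ptype not in KNOWN_PAYLOAD_TYPES: alerts.append("unknown_payload_type")
        if plen != len(msg) - 8: alerts.append("invalid_payload_length")
        if alerts:
            return alerts                        # header unusable, skip payload checks
        payload = msg[8:]
        if not from_tester:                      # entity -> tester: only clear bookkeeping
            if ptype == PT_DIAG_ACK:             # ack carries (target, source, code, data)
                ecu, tester = struct.unpack(">HH", payload[:4])
                self.pending.discard((tester, ecu, payload[5:]))
            return alerts
        self.window.append(ts)                   # high-frequency attack: sliding 1 s window
        while ts - self.window[0] > 1.0:
            self.window.popleft()
        if len(self.window) > self.max_per_second:
            alerts.append("high_frequency")
        if ptype == PT_ROUTING_ACT_REQ:
            self.activated_src = struct.unpack(">H", payload[:2])[0]
        elif ptype == PT_DIAG_MSG:
            src, tgt = struct.unpack(">HH", payload[:4])
            if src != self.activated_src:
                alerts.append("source_address_tamper")
            if tgt not in self.valid_targets:
                alerts.append("destination_address_tamper")
            key = (src, tgt, payload[4:])
            if key in self.pending:              # logic attack: re-sent before it was answered
                alerts.append("repeated_request")
            self.pending.add(key)
        return alerts

def run_scenario():
    """Normal session, then each attack; returns {step name: alerts} for inspection."""
    tester, ecu = 0x0E00, 0x0E80
    det, r = ContextDetector(valid_targets={ecu}), {}
    r["routing_activation"] = det.inspect(
        doip_message(PT_ROUTING_ACT_REQ, struct.pack(">HBI", tester, 0x00, 0)), 0.0)
    req = diag(tester, ecu, bytes.fromhex("22F190"))           # constructed ReadDataByIdentifier
    r["normal_request"] = det.inspect(req, 0.1)
    r["repeated_request"] = det.inspect(req, 0.2)               # logic attack: not yet answered
    ack = doip_message(PT_DIAG_ACK, struct.pack(">HHB", ecu, tester, 0x00) + bytes.fromhex("22F190"))
    r["ack"] = det.inspect(ack, 0.3, from_tester=False)
    r["after_ack"] = det.inspect(req, 0.4)                      # same request is fine once answered
    burst = [det.inspect(diag(tester, ecu, bytes([0x22, 0xF1, i])), 0.5 + i * 0.01) for i in range(25)]
    r["high_frequency"] = burst[-1]
    for name, attack in ATTACKS.items():                        # well past the burst window
        r[name] = det.inspect(attack(req), 2.0)
    return r
```

run_scenario() plays a normal session (routing activation, a diagnostic request, its acknowledgement) and then each attack through one ContextDetector. The second copy of the request is only an alert because the detector remembers that the first copy is still unanswered, and the same bytes sent again after the acknowledgement pass cleanly; that ordering is the context a per-packet API test, as described in the Background, cannot supply.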
Referring to fig. 3, fig. 3 is a block diagram of a test structure of a DoIP protocol detection tool according to an embodiment of the present disclosure.
Illustratively, the method and device run in the same environment as the DoIP protocol detection tool. The XML configuration document of the application is written according to the detection functions that the DoIP protocol detection tool supports, the application generates attack traffic from that document, and whether the detection engine works normally is judged by checking information such as whether the DoIP protocol detection tool produces an alarm log. With reference to fig. 3, the operation is as follows:
(1) The client module and the server module perform DoIP protocol interaction through a network card of a host machine, when the client or the server module sends an attack message, an attack module interface needs to be called, and the attack message is generated and then sent to network card equipment of the host machine;
(2) The DoIP protocol detection tool runs as a process on the host machine; it captures the host machine's network card through a network interface, parses and detects the DoIP traffic, and raises an alarm when abnormal traffic is detected.
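The checks that a detection tool of this kind is expected to make for the attack types listed above (version number tampering, unknown payload type, source address tampering, high-frequency traffic, and the logic attacks of a repeated request and an unsolicited response), as an added Python example that is not part of the patent or its TestDoIP program. It parses the ISO 13400-2 generic header and the logical addresses carried by diagnostic messages; the allowed tester address 0x0E80, the rate threshold, the IP addresses and the frames are constructed sample values, and the alarm names are this example's own.

```python
"""Added example (not the patent's code): an ISO 13400-2 (DoIP) generic-header
checker that classifies frames the way the detection engine under test is
expected to, for the attack types the description lists.  Frames, addresses
and thresholds are constructed sample values."""
import struct
from collections import defaultdict, deque
from typing import List, Optional

# Payload types defined by ISO 13400-2 (generic header bytes 2..3, big-endian).
KNOWN_PAYLOAD_TYPES = {
    0x0000, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0007, 0x0008,
    0x4001, 0x4002, 0x4003, 0x4004, 0x8001, 0x8002, 0x8003,
}
DIAG_MSG, DIAG_POS_ACK, DIAG_NEG_ACK = 0x8001, 0x8002, 0x8003


def parse_header(frame: bytes):
    """Split a frame into (version, inverse_version, payload_type, length, payload)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than the 8-byte generic header")
    ver, inv, ptype, plen = struct.unpack("!BBHI", frame[:8])
    return ver, inv, ptype, plen, frame[8:]


def build_frame(ptype: int, payload: bytes, ver: int = 0x02, inv: Optional[int] = None) -> bytes:
    """Build a frame; inv defaults to the correct inverse protocol version."""
    inv = (~ver & 0xFF) if inv is None else inv
    return struct.pack("!BBHI", ver, inv, ptype, len(payload)) + payload


class DoIPDetector:
    def __init__(self, allowed_sources, allowed_versions, max_frames, window_s):
        self.allowed_sources = set(allowed_sources)    # assumed tester-address whitelist
        self.allowed_versions = set(allowed_versions)  # assumed accepted protocol versions
        self.max_frames, self.window_s = max_frames, window_s
        self.recent = defaultdict(deque)  # src_ip -> timestamps inside the rate window
        self.pending = set()              # (source, target) pairs awaiting a diagnostic ack

    def inspect(self, ts: float, src_ip: str, frame: bytes) -> List[str]:
        """Return the alarm names raised by one frame (empty list = normal traffic)."""
        alarms = []
        ver, inv, ptype, plen, payload = parse_header(frame)
        # Version number tampering: version and inverse version must be complements.
        if ver != (~inv & 0xFF) or ver not in self.allowed_versions:
            alarms.append("version_tampering")
        if ptype not in KNOWN_PAYLOAD_TYPES:
            alarms.append("unknown_payload_type")
        if plen != len(payload):
            alarms.append("invalid_payload_length")
        # Diagnostic messages and their acks start with source/target logical addresses.
        if ptype in (DIAG_MSG, DIAG_POS_ACK, DIAG_NEG_ACK) and len(payload) >= 4:
            sa, ta = struct.unpack("!HH", payload[:4])
            if ptype == DIAG_MSG:
                if sa not in self.allowed_sources:
                    alarms.append("source_address_tampering")
                if (sa, ta) in self.pending:      # logic attack: request repeated before its ack
                    alarms.append("repeated_request")
                self.pending.add((sa, ta))
            else:
                if (ta, sa) not in self.pending:  # logic attack: an ack nobody asked for
                    alarms.append("unsolicited_response")
                self.pending.discard((ta, sa))
        # High-frequency attack: more than max_frames from one IP within window_s seconds.
        q = self.recent[src_ip]
        q.append(ts)
        while ts - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_frames:
            alarms.append("high_frequency")
        return alarms


def run_sample() -> List[List[str]]:
    """Constructed traffic: a normal request/ack pair, then one frame per attack type."""
    det = DoIPDetector(allowed_sources={0x0E80}, allowed_versions={0x02, 0x03},
                       max_frames=5, window_s=1.0)
    uds = bytes.fromhex("1001")  # sample UDS DiagnosticSessionControl request
    req = build_frame(DIAG_MSG, struct.pack("!HH", 0x0E80, 0x1000) + uds)
    ack = build_frame(DIAG_POS_ACK, struct.pack("!HH", 0x1000, 0x0E80) + b"\x00")
    bad_ack = build_frame(DIAG_POS_ACK, struct.pack("!HH", 0x1000, 0x0E81) + b"\x00")
    spoofed = build_frame(DIAG_MSG, struct.pack("!HH", 0x0123, 0x1000) + uds)
    events = [
        (0.00, "10.0.0.2", req),                                       # normal request
        (0.01, "10.0.0.1", ack),                                       # normal response
        (0.02, "10.0.0.2", build_frame(DIAG_MSG, req[8:], inv=0x02)),  # version tampering
        (0.03, "10.0.0.2", build_frame(0x1234, b"")),                  # unknown payload type
        (0.04, "10.0.0.2", req),                                       # repeated request (logic)
        (0.05, "10.0.0.1", bad_ack),                                   # unsolicited response (logic)
        (0.06, "10.0.0.2", spoofed),                                   # source address tampering
        (0.07, "10.0.0.2", build_frame(0x0007, b"")),                  # 6th frame in 1 s -> high frequency
    ]
    return [det.inspect(ts, ip, frame) for ts, ip, frame in events]
```

The rate and logic checks are stateful, which is why the description notes that logic attacks can only be detected "according to the context": a single repeated request or a stray acknowledgement is a well-formed frame on its own, and only the pending request table exposes it.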
In some implementation scenarios, the method and the device provided by the embodiment of the present application can be applied to security devices such as a vehicle-mounted firewall and a vehicle-mounted gateway, and are used as a tool for testing whether the function of a DoIP protocol detection tool in the above devices is normal; the specific implementation flow example of the test method based on the DoIP protocol detection in the embodiment of the present application is as follows:
(1) Copy the installation directory of the application to the environment of the device under test, then compile and install it;
(2) Enumerate the abnormal-message detections supported by the DoIP protocol detection engine in the device under test, together with information such as the device IP and ports, and write the XML configuration document from that information;
(3) Start the DoIP protocol detection engine in the device under test, run the executable program (TestDoIP) of the invention, and give the path of the XML file with the -f parameter at startup (for example ./TestDoIP -f /var/config.xml). This is the online detection mode; if the DoIP protocol detection engine supports an offline mode, the method can instead generate a pcap traffic file for the detection engine to parse and detect.
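The offline mode mentioned in step (3), as an added Python example that is not the patent's TestDoIP program: the client/server exchange is wrapped in Ethernet, IPv4 and TCP headers with valid checksums, written to a classic pcap file that a detection engine in offline mode can read, and parsed back to confirm the DoIP frames are intact. Host addresses, ports, sequence numbers and the four frames are constructed sample values; the TCP handshake is omitted.

```python
"""Added example (not the patent's code): record a client/server DoIP exchange
into a classic pcap file for a detection engine running in offline mode, then
parse the file back to confirm the DoIP frames are intact.  Hosts, ports,
sequence numbers and frames are constructed sample values."""
import ipaddress
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
DOIP_TCP_PORT = 13400  # TCP_DATA port defined by ISO 13400-2


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071), used for both the IPv4 header and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def doip_frame(ptype: int, payload: bytes) -> bytes:
    """ISO 13400-2 generic header (version 0x02, inverse 0xFD) plus payload."""
    return struct.pack("!BBHI", 0x02, 0xFD, ptype, len(payload)) + payload


def tcp_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload):
    """Ethernet + IPv4 + TCP encapsulation (no options) with valid checksums."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # sample locally administered MACs
    return eth + ip + tcp


def write_pcap(path, packets):
    """packets: iterable of (timestamp_seconds, packet_bytes); little-endian classic pcap."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, pkt in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            f.write(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)


def read_doip_from_pcap(path):
    """Return [(src_ip, dst_ip, payload_type, payload)] for each packet carrying a DoIP frame."""
    out = []
    with open(path, "rb") as f:
        f.read(24)  # global header
        while rec := f.read(16):
            _, _, incl, _ = struct.unpack("<IIII", rec)
            pkt = f.read(incl)
            ihl = (pkt[14] & 0x0F) * 4          # IPv4 header length; addresses sit at fixed offsets 12/16
            src = str(ipaddress.IPv4Address(pkt[26:30]))
            dst = str(ipaddress.IPv4Address(pkt[30:34]))
            tcp_start = 14 + ihl
            data = pkt[tcp_start + (pkt[tcp_start + 12] >> 4) * 4:]
            if len(data) >= 8:
                _, _, ptype, plen = struct.unpack("!BBHI", data[:8])
                out.append((src, dst, ptype, data[8:8 + plen]))
    return out


def record_sample_exchange(path="doip_sample.pcap"):
    """Constructed exchange: routing activation request/response, then a diagnostic
    message and its positive ack, with TCP sequence numbers advanced per payload."""
    client, server, cport = "10.0.0.2", "10.0.0.1", 40000
    seq = {"c": 1000, "s": 2000}  # sample initial sequence numbers; handshake omitted

    def send(side, payload):
        if side == "c":
            pkt = tcp_packet(client, server, cport, DOIP_TCP_PORT, seq["c"], seq["s"], 0x18, payload)
        else:
            pkt = tcp_packet(server, client, DOIP_TCP_PORT, cport, seq["s"], seq["c"], 0x18, payload)
        seq[side] += len(payload)
        return pkt

    frames = [
        ("c", doip_frame(0x0005, struct.pack("!HB", 0x0E80, 0x00) + b"\x00" * 4)),           # routing activation request
        ("s", doip_frame(0x0006, struct.pack("!HHB", 0x0E80, 0x1000, 0x10) + b"\x00" * 4)),  # response, 0x10 = activated
        ("c", doip_frame(0x8001, struct.pack("!HH", 0x0E80, 0x1000) + bytes.fromhex("1001"))),  # diagnostic message
        ("s", doip_frame(0x8002, struct.pack("!HH", 0x1000, 0x0E80) + b"\x00")),             # positive ack
    ]
    write_pcap(path, [(1.0 + i * 0.001, send(side, f)) for i, (side, f) in enumerate(frames)])
    return read_doip_from_pcap(path)
```

Sequence numbers advance by payload length on each side so that an engine which reassembles TCP streams before parsing DoIP sees a consistent flow; a file that skips this is often silently dropped by such engines, which would look like a detection failure in the test.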
Exemplarily, compared with the prior art, the method and device simulate a real DoIP environment more fully and complete the attack automatically once the XML document is configured, so they are more automated than the prior art; in addition, they can simulate attack types that a detection engine can only detect from context, such as logic attacks, so the detection range is wider.
Referring to fig. 4, fig. 4 is a block diagram of a structure of a test system based on DoIP protocol detection according to an embodiment of the present application, where the test system based on DoIP protocol detection includes:
an obtaining module 100, configured to obtain file data to be analyzed of a DoIP protocol detection flow;
the analysis module 200 is used for generating client information, server information and attack end information according to the file data to be analyzed;
a client module 300 for creating a corresponding client according to the client information;
the server module 400 is configured to create a corresponding server according to the server information, establish a connection between the client and the server, and send a data packet, and the server acquires the data packet and returns response data according to a preset response format;
the attack module 500 is configured to create a corresponding attack end according to the attack end information, where the attack end obtains the data packet and/or the response data, and performs an attack test on the DoIP protocol detection tool according to the data packet and/or the response data.
Illustratively, the parsing module 200 is specifically configured to:
generating an XML configuration document according to file data to be analyzed, wherein the XML configuration document comprises client information, server information and attack end information in the operation process;
and analyzing the XML configuration document to acquire client information, server information and attack end information.
Illustratively, the client module 300 is specifically configured to:
and configuring a plurality of clients according to the client information, wherein the clients are created in a multi-process form, and the clients establish connection with the server and send data packets according to a packet sending process in the XML configuration document.
Illustratively, the server module 400 is specifically configured to:
and configuring a plurality of service terminals according to the information of the service terminals, wherein the plurality of service terminals are established in a multi-process form, and the service terminals return response data according to a preset response format in the XML configuration document.
Illustratively, the test system based on the DoIP protocol detection further includes:
and the offline detection module is used for performing offline flow detection according to the XML configuration document, storing the message flow in the interactive process of the client and the server locally in a pcap data packet during offline flow detection, and performing offline detection on the DoIP protocol detection tool according to the pcap data packet.
Illustratively, when the attack type is one or more of source address tampering, destination port tampering, and high frequency attack, the attack module is configured to:
calling an API (application program interface) of the client to generate an attack message according to the attack end information and sending the attack message to the server;
when the attack type is one or more of version number tampering, unknown payload type attack and logic attack, the attack module is used for:
and calling a preset API of the attack end, tampering the content of the data message, and then sending the data message to the server end through the client end or sending the data message to the client end through the server end.
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present disclosure. The electronic device may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540, where the communication bus 540 is used to realize direct connection communication between these components. In this embodiment, the communication interface 520 of the electronic device is used for signaling or data communication with other node devices. The processor 510 may be an integrated circuit chip having signal processing capabilities.
The processor 510 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, which may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.
The memory 530 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), and the like. The memory 530 stores computer readable instructions which, when executed by the processor 510, enable the electronic device to perform the steps of the method embodiments of fig. 1-3 described above.
Optionally, the electronic device may further include a memory controller, an input output unit.
The memory 530, the memory controller, the processor 510, the peripheral interface, and the input/output unit are electrically connected to each other directly or indirectly, so as to implement data transmission or interaction. For example, these elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is used to execute executable modules stored in the memory 530, such as software functional modules or computer programs included in the electronic device.
The input/output unit lets a user create and start a task and set an optional time period or a preset execution time for it, so as to realize the interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 5 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 5 or may have a different configuration than shown in fig. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
The embodiment of the present application further provides a storage medium storing instructions; when the instructions are run on a computer and the computer program is executed by a processor, the method in the method embodiments is implemented, and details are not repeated here in order to avoid repetition.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." or "comprising" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A test method based on DoIP protocol detection is characterized by comprising the following steps:
acquiring file data to be analyzed of DoIP protocol detection flow;
generating client information, server information and attack end information according to the file data to be analyzed;
creating a corresponding client according to the client information;
creating a corresponding server according to the server information, establishing connection between the client and the server and sending a data packet, and enabling the server to acquire the data packet and return response data according to a preset response format;
and creating a corresponding attack end according to the attack end information, wherein the attack end acquires the data packet and/or the response data and carries out attack test on the DoIP protocol detection tool according to the data packet and/or the response data.
2. The DoIP protocol detection-based testing method according to claim 1, wherein the step of generating client information, server information and attack end information according to the file data to be analyzed comprises:
generating an XML configuration document according to the file data to be analyzed, wherein the XML configuration document comprises client information, server information and attack end information in the operation process;
and analyzing the XML configuration document to acquire the client information, the server information and the attack end information.
3. The DoIP protocol detection-based testing method of claim 2, wherein the step of creating the corresponding client according to the client information comprises:
and configuring a plurality of clients according to the client information, wherein the clients are established in a multi-process form, and the clients establish connection with the server according to a packet sending process in the XML configuration document and send the data packet.
4. The DoIP protocol detection-based testing method according to claim 2, wherein the step of creating the corresponding server according to the server information includes:
and configuring a plurality of service terminals according to the service terminal information, wherein the service terminals are created in a multi-process form, and the service terminals return response data according to a preset response format in the XML configuration document.
5. The DoIP protocol detection-based testing method of claim 2, wherein after the step of creating the corresponding attack end according to the attack end information, the method further comprises:
and performing offline flow detection according to the XML configuration document, storing the message flow in the interactive process of the client and the server locally in a pcap data packet during offline flow detection, and performing offline detection on the DoIP protocol detection tool according to the pcap data packet.
6. The DoIP protocol detection-based testing method according to claim 1, wherein the attack end information includes attack frequency information and attack type information, and the attack type information includes one or more of source address tampering, destination address tampering, version number tampering, destination port tampering, unknown payload type attack, high frequency attack, and logic attack.
7. The DoIP protocol detection-based testing method according to claim 6, wherein when the attack type is one or more of source address tampering, destination port tampering, and high frequency attack, the method further comprises:
calling an API (application program interface) of the client to generate an attack message according to the attack end information, and sending the attack message to the server;
when the attack type is one or more of version number tampering, unknown payload type attack and logic attack, the method further comprises the following steps:
and calling a preset API of the attack end, tampering the content of the data message, and then sending the content of the data message to the server end through the client end or sending the content of the data message to the client end through the server end.
8. A test system based on DoIP protocol detection is characterized by comprising:
the acquisition module is used for acquiring file data to be analyzed of the detection flow of the DoIP protocol;
the analysis module is used for generating client information, server information and attack end information according to the file data to be analyzed;
the client module is used for creating a corresponding client according to the client information;
the server module is used for creating a corresponding server according to the server information, the client establishes connection with the server and sends a data packet, and the server acquires the data packet and returns response data according to a preset response format;
and the attack module is used for creating a corresponding attack end according to the attack end information, acquiring the data packet and/or the response data by the attack end, and carrying out attack test on the DoIP protocol detection tool according to the data packet and/or the response data.
9. An electronic device, comprising: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method for DoIP protocol detection based testing according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium having stored thereon instructions which, when run on a computer, cause the computer to perform the method of DoIP protocol detection-based testing of any of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210835181.4A CN115174245A (en) 2022-07-15 2022-07-15 Test method and system based on DoIP protocol detection

Publications (1)

Publication Number Publication Date
CN115174245A true CN115174245A (en) 2022-10-11

Family

ID=83495601

Country Status (1)

Country Link
CN (1) CN115174245A (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447991A (en) * 2008-11-19 2009-06-03 中国人民解放军信息安全测评认证中心 Test device used for testing intrusion detection system and test method thereof
CN101447898A (en) * 2008-11-19 2009-06-03 中国人民解放军信息安全测评认证中心 Test system used for network safety product and test method thereof
CN108509201A (en) * 2018-03-20 2018-09-07 深圳神州数码云科数据技术有限公司 A kind of code generating method and device
US20190363961A1 (en) * 2018-05-25 2019-11-28 Comcast Cable Communications, Llc Content Delivery Network Server Testing
US20200342099A1 (en) * 2018-01-16 2020-10-29 C2A-Sec, Ltd. Intrusion anomaly monitoring in a vehicle environment
CN111901200A (en) * 2020-07-29 2020-11-06 许继集团有限公司 Power control protection industrial control protocol security test method and system
CN112714047A (en) * 2021-03-29 2021-04-27 北京网测科技有限公司 Industrial control protocol flow based test method, device, equipment and storage medium
CN113238925A (en) * 2021-04-13 2021-08-10 厦门路桥信息股份有限公司 Application service test method, medium, device and system
CN113485920A (en) * 2021-07-01 2021-10-08 中瓴智行(成都)科技有限公司 Method and device for realizing DoIP entity, readable storage medium and electronic equipment
US20220046031A1 (en) * 2020-08-05 2022-02-10 Paypal, Inc. Client-side attack detection via simulation
CN114285588A (en) * 2020-09-21 2022-04-05 奇安信科技集团股份有限公司 Method, device, equipment and storage medium for acquiring attack object information
CN114328217A (en) * 2021-12-03 2022-04-12 腾讯数码(天津)有限公司 Application testing method, device, equipment, medium and computer program product
CN114415646A (en) * 2022-03-28 2022-04-29 北京远特科技股份有限公司 Remote vehicle diagnosis method, system and terminal equipment based on DoIP protocol
CN114465710A (en) * 2022-01-21 2022-05-10 安徽华云安科技有限公司 Vulnerability detection method, device, equipment and storage medium based on flow

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115525576A (en) * 2022-10-31 2022-12-27 广州市易鸿智能装备有限公司 MES communication interface device, test method, test equipment and computer storage medium
CN115525576B (en) * 2022-10-31 2023-08-25 广州市易鸿智能装备有限公司 MES communication interface device, test method, test equipment and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination