CN115333872B - Security gateway analysis function verification method and device, terminal device and storage medium - Google Patents

Security gateway analysis function verification method and device, terminal device and storage medium

Info

Publication number: CN115333872B
Authority: CN (China)
Prior art keywords: function, verification, protocol, information, security gateway
Legal status: Active
Application number: CN202211264389.1A
Other languages: Chinese (zh)
Other versions: CN115333872A
Inventor: 杨旭
Current assignee: Beijing 6Cloud Technology Co Ltd; Beijing 6Cloud Information Technology Co Ltd
Original assignee: Beijing 6Cloud Technology Co Ltd; Beijing 6Cloud Information Technology Co Ltd
Application filed by Beijing 6Cloud Technology Co Ltd and Beijing 6Cloud Information Technology Co Ltd; priority to CN202211264389.1A; publication of CN115333872A; application granted; publication of CN115333872B.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L43/50 Testing arrangements

Abstract

The invention discloses a method and a device for verifying the parsing function of a security gateway, a terminal device and a storage medium, relating to the field of gateway function verification. The method for verifying the parsing function of the security gateway comprises the following steps: acquiring the function information for which protocol parsing is to be verified, where the function information comprises protocol data unit type information and/or parameter information; and performing multi-dimensional verification on the protocol parsing function of the security gateway according to the function information and a pre-established protocol parsing function verification tool to obtain a corresponding verification result. By constructing the parsing function verification tool, the invention verifies the protocol parsing function of the security gateway, provides a comprehensive, deep and efficient method for verifying the protocol parsing function, and greatly improves the effect of verifying the protocol parsing function of the security gateway.

Description

Security gateway parsing function verification method and device, terminal device and storage medium
Technical Field
The present invention relates to the field of gateway function verification, and in particular to a method, an apparatus, a terminal device and a storage medium for verifying the parsing function of a security gateway.
Background
Industrial control systems are widely used in industrial fields to monitor large numbers of industrial instruments in a factory and so achieve information-based control of the factory. To monitor these instruments and meters, the two sides need an industrial protocol for mutual communication. An industrial protocol is an industrial control system communication protocol, for example Schneider's Modbus protocol, Siemens' S7 (S7 Communication, S7Comm) protocol and Rockwell's Common Industrial Protocol (CIP). As knowledge of the S7 protocol has deepened, the security of Siemens PLCs in the industrial field has also come to be taken seriously. Because the S7 protocol, like the Modbus protocol, has no anti-replay function, once someone exploits this weakness in an environment where no effective security policy is deployed, serious consequences follow, such as the industrial control system stopping service or data being tampered with or lost. To protect the network security of the industrial field, industrial security gateway products (hereinafter referred to as security gateways) such as industrial firewalls and industrial audit devices have appeared. The essential difference between an industrial security gateway and a traditional security gateway is that the industrial security gateway must identify, detect, deeply parse and process many more industrial protocols. The protocol parsing function in the security gateway can effectively identify and process the S7 protocol, so that illegal control instructions cannot reach the industrial control equipment and malicious control attacks are prevented.
However, the S7 protocol parsing function of a security gateway is not always reliable: once the function fails or identification is inaccurate, the industrial control network carries a huge hidden safety hazard, the interests of the factory can be damaged and even personal safety endangered. To reduce this hidden danger, the validity of the security gateway's S7 protocol deep parsing function must be verified.
The most common verification method at present is to use a protocol simulator to configure a client-server simulation environment. Although this is simple to operate, the simulator is not a professional verification tool: it supports only a few secondary functions of the Job function and does not support simulation of the extended functions of the S7 protocol, so it verifies few protocol functions, has low verification efficiency and insufficient verification breadth and depth, and its support for protocol verification is relatively weak. Another common verification method is to replay S7 protocol data traffic with a traffic replay tool. This can verify more protocol functions, but its deep verification of the address domain and the value domain is seriously insufficient, so it cannot effectively support verification of the security gateway's parsing function. In short, the effect of verifying the S7 protocol parsing function of a security gateway in the prior art cannot meet requirements; in other words, no current technology supports comprehensive, deep and efficient verification of the S7 protocol parsing function of a security gateway.
Disclosure of Invention
The invention mainly aims to provide a security gateway analysis function verification method, a security gateway analysis function verification device, a terminal device and a storage medium, and aims to solve the technical problem that the effect of verifying an S7 protocol analysis function of a security gateway in the prior art cannot meet the requirement.
In order to achieve the above object, the present invention provides a security gateway parsing function verification method, including:
acquiring function information analyzed by a verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information;
and performing multi-dimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result.
Optionally, the step of performing multidimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result includes:
according to the function information, sending a corresponding function verification information request to a programmable logic controller through the pre-established protocol analysis function verification tool;
intercepting and analyzing the function verification information request through a security gateway to obtain a corresponding request result;
and verifying the protocol analysis function of the security gateway according to the request result to obtain a corresponding verification result.
Optionally, the protocol data unit type information includes task function information and/or user data function information, the task function information includes task primary function information and/or task secondary function information, the user data function information includes user data primary function information and/or user data secondary function information, the verification function of the pre-established protocol parsing function tool includes task function verification, user data function verification and custom function verification, and the step of sending a corresponding function verification information request to the programmable logic controller through the pre-established protocol parsing function verification tool according to the function information includes:
if the function information is the task primary function information, the task secondary function information and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the task function verification in the pre-established protocol analysis function verification tool;
if the function information is the user data primary function information, the user data secondary function information and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the user data function verification in the pre-established protocol analysis function verification tool;
and if the function information is the task function information and/or the user data function information, sending a corresponding function verification information request to the programmable logic controller through the custom function verification in the pre-established protocol parsing function verification tool.
Optionally, the step of verifying the protocol parsing function of the security gateway according to the request result to obtain a corresponding verification result includes:
according to the request result, verifying the protocol analysis function of the security gateway;
if the request result is consistent with the request, obtaining an accurate verification result;
and if the request result is inconsistent with the request, obtaining a verification result which cannot be analyzed or is inaccurate.
Optionally, before the step of acquiring the function information for which protocol parsing is to be verified, where the function information comprises protocol data unit type information and/or parameter information, the method further includes:
constructing a protocol communication simulation environment;
obtaining a protocol analysis result in the protocol communication simulation environment;
and constructing the pre-established protocol analysis function verification tool according to the protocol analysis result.
Optionally, the step of obtaining a protocol analysis result in the protocol communication simulation environment includes:
acquiring S7 protocol communication data in the protocol communication simulation environment;
and analyzing the S7 protocol communication data according to different functions to obtain a protocol analysis result, wherein the protocol analysis result comprises different functional data.
Optionally, the step of constructing the pre-established protocol parsing function verification tool according to the protocol parsing result includes:
coding according to the different functional data in the protocol parsing result, and constructing the protocol parsing function verification tool on a browser/server (B/S) architecture.
In addition, to achieve the above object, the present invention further provides a security gateway parsing function verifying apparatus, including:
the acquisition module is used for acquiring the function information analyzed by the verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information;
and the verification module is used for performing multi-dimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result.
In addition, in order to achieve the above object, the present invention further provides a terminal device, where the terminal device includes a memory, a processor, and a security gateway parsing function verification program stored in the memory and operable on the processor, and the program, when executed by the processor, implements the steps of the security gateway parsing function verification method described above.
Furthermore, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a security gateway parsing function verification program which, when executed by a processor, implements the steps of the security gateway parsing function verification method described above.
According to the method, the device, the terminal equipment and the storage medium for verifying the analysis function of the security gateway, function information analyzed by a verification protocol is obtained, and the function information comprises protocol data unit type information and/or parameter information; and performing multi-dimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result. Based on the method and the device, the function in the pre-established protocol analysis function verification tool is determined through the acquired protocol data unit type information and/or parameter information analyzed by the verification protocol, so that the function is used for carrying out multi-dimensional verification on the protocol analysis function of the security gateway, the verification on the effectiveness of the protocol analysis function of the security gateway is realized, the effect of verifying the protocol analysis function of the security gateway is greatly improved, the problems existing in the protocol analysis function of the gateway can be found in time, the improvement and optimization of the protocol deep analysis function in the security gateway can be promoted, the protocol analysis capability of the security gateway can be improved, the overall technical level of the security gateway can be improved, and the safety of an industrial field network can be guaranteed.
Drawings
FIG. 1 is a schematic overall flow diagram of prior-art verification in a client-server simulation environment configured with a protocol simulator;
FIG. 2 is a schematic overall flow chart of the prior-art verification method in which a traffic replay tool replays S7 data traffic;
FIG. 3 is a schematic diagram of the functional modules of a terminal device to which the security gateway parsing function verification apparatus of the present invention belongs;
FIG. 4 is a flowchart of a security gateway parsing function verification method according to a first exemplary embodiment of the present invention;
FIG. 5 is a flowchart illustrating a security gateway parsing function verification method according to a second exemplary embodiment of the present invention;
FIG. 6 is a flowchart illustrating a security gateway parsing function verification method according to a third exemplary embodiment of the present invention;
FIG. 7 is a schematic diagram of the task primary functions, task secondary functions and function code table in an embodiment of the security gateway parsing function verification method of the present invention;
FIG. 8 is a schematic diagram of the user data primary functions, user data secondary functions and function code table in an embodiment of the security gateway parsing function verification method of the present invention;
FIG. 9 is a flowchart illustrating a security gateway parsing function verification method according to a fourth exemplary embodiment of the present invention;
FIG. 10 is a diagram illustrating the protocol communication simulation environment in an embodiment of the security gateway parsing function verification method of the present invention;
FIG. 11 is a flowchart illustrating a security gateway parsing function verification method according to a fifth exemplary embodiment of the present invention;
FIG. 12 is a diagram illustrating an S7 protocol data frame in an embodiment of the security gateway parsing function verification method of the present invention;
FIG. 13 is a schematic overall flowchart of a security gateway parsing function verification method according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main solution of the embodiment of the invention is as follows: acquiring function information analyzed by a verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information; and performing multi-dimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result. Based on the invention, the function in the pre-established protocol analysis function verification tool is determined through the acquired protocol data unit type information and/or parameter information analyzed by the verification protocol, so that the function is used for carrying out multi-dimensional verification on the protocol analysis function of the security gateway, the verification on the effectiveness of the protocol analysis function of the security gateway is realized, the problems of few verification means, low verification efficiency, low verification accuracy and the like of the protocol analysis function of the security gateway in the prior art are solved, the effect of verifying the protocol analysis function of the security gateway is greatly improved, the problems existing in the protocol analysis function of the security gateway are favorably discovered in time, the improvement and optimization of the deep protocol analysis function in the security gateway are promoted, the protocol analysis capability of the security gateway is improved, the overall technical level of the security gateway is improved, and the security of an industrial field network is ensured.
The technical terms related to the embodiment of the invention are as follows:
Programmable Logic Controller (PLC): a digital operation controller with a microprocessor, used for automatic control; control instructions can be loaded into its memory at any time for storage and execution.
S7 (S7 Communication, S7Comm, S7): the S7 protocol is a special protocol designed by Siemens for communication between PLCs and between a Supervisory Control And Data Acquisition (SCADA) system and PLCs. The difference between the S7 protocol and the Modbus protocol is that the Modbus protocol has an official public communication document (a public protocol) on which developers can base secondary development, whereas the S7 protocol has no public documentation or official terminology and is therefore also called a private protocol. In recent years a number of open-source projects from which developers can learn the S7 protocol have appeared, such as Snap7 and the S7 Wireshark dissector, so understanding of the S7 protocol has steadily deepened. The structure of the S7 protocol is mainly divided into Header, Parameter and Data.
Protocol Data Unit (PDU): the unit of data passed between peer layers. For example, in the Open Systems Interconnection (OSI) model a protocol data unit is defined at each layer of the transport system: the PDU of the physical layer is the bit, that of the data link layer the frame, that of the network layer the packet, that of the transport layer the segment, and that of the higher layers the message. As another example, the PDU of S7 Communication comprises three parts: Header, Parameter and Data.
Header: mainly descriptive information about the data, including length information, the PDU reference and message type constants; most importantly, it indicates the type of the PDU.
Parameter: different PDU types carry different types of parameters.
Data: an optional field carrying data such as memory values, block code and firmware data. This part depends on the function, for example reading the CPU model or writing data into a CPU storage area; in a request message this part does not contain any data.
STEP 7: STEP 7 is PC-based software for programming, monitoring and parameterising SIMATIC S7, M7, C7 and WinAC, and an important component of the SIMATIC industrial software. It is the standard software for creating programmable logic control programs for SIMATIC S7-300/400 stations, which can be programmed in ladder logic, function block diagram and statement list.
Wireshark: Wireshark (formerly Ethereal) is network packet analysis software. Its function is to capture network packets and display their contents in as much detail as possible. Wireshark uses WinPcap as its interface and exchanges data packets directly with the network card.
TPKT protocol (Transport Service on top of TCP): transport services over TCP. It sits between TCP and COTP and belongs to the transport-service class of protocols, bridging the upper COTP layer and the lower TCP layer. Its content includes the length of the upper-layer protocol packet. It is usually sent together with COTP as a header section.
COTP protocol (Connection-Oriented Transport Protocol): corresponds to the OSI transport layer. Its transport is necessarily connection-dependent, so a connection must be established, much like a TCP handshake, before data is transmitted. Its role is to define the basic unit of data transmission, i.e. the PDU type in S7Comm.
C/S architecture (Client/Server): the client program submits the user's requirements to the server program and then presents the results returned by the server program to the user in a specific form; the server program receives service requests from the client program, processes them accordingly and returns the results to the client program.
B/S architecture (Browser/Server): the network architecture that arose after the Web. The Web browser is the most important client application. The B/S architecture works in the mode of browser request and server response. This mode unifies the client and concentrates the core of the system function on the server, which simplifies the development, maintenance and use of the system.
The embodiment of the invention considers the prior art for verifying the security gateway parsing function. Currently the most common method is to use a protocol simulator to configure a client-server simulation environment for verification. For example, the Snap7 protocol simulator (client) is used to establish communication with the PLC (server). The security gateway is then deployed in the communication network, various functions are initiated towards the PLC through Snap7, and finally the protocol parsing capability of the security gateway is verified after the communication traffic has passed through it. As shown in FIG. 1, which is a schematic overall flow chart of verification in a client-server simulation environment configured with a protocol simulator, the verification flow is summarised as follows:
First, deploy the policy: an S7 protocol parsing policy is deployed on the security gateway, which then waits for verification.
Then, configure the environment: start the Snap7 simulator, configure a simulator-PLC (client-server) simulation environment, and deploy the security gateway between the two in the communication network.
Next, verify the function: Snap7 initiates the corresponding function request. Taking "0x05 Write Var" as an example, the simulator issues a command in which the 1st byte "0x05" of the data frame indicates "Write Var", the 11th byte indicates which area to write, the 12th, 13th and 14th bytes indicate which address to write, the 17th byte indicates the type of the written data, and the 20th byte carries the data. When the instruction sent by the simulator passes through the security gateway, the parsing rule is triggered, and on the security gateway one checks whether the parsing result is consistent with the meaning of the instruction sent.
Although configuring a client-server simulation environment with a protocol simulator is convenient to operate, it supports few protocol simulation functions: only basic CPU functions are provided, such as the read and write functions (0x04, 0x05) and some CPU operation instructions (0x00, 0xF0), and simulation of the extended functions of the S7 protocol is not supported. Moreover, the protocol simulator is not a professional verification tool; it has low verification efficiency and insufficient breadth and depth, so its support for protocol verification is weak.
Another common verification method is to replay S7 data traffic with a traffic replay tool. As shown in FIG. 2, which is an overall flow chart of the verification method in which a traffic replay tool replays S7 data traffic, the overall flow is summarised as follows:
An S7 protocol parsing policy is deployed on the security gateway, which waits for verification. A large number of data packets carrying S7 protocol functions are then collected at the industrial site and sent as requests through the traffic replay tool; the security gateway parses the received requests, which verifies its protocol parsing function. For example, for a 0x04 write variable, bytes 12, 13 and 14 of the data represent the address of the written data. Although the validity of the security gateway's handling of this piece of data can be checked by replaying the packet, this method cannot be used to verify whether other addresses are supported. Therefore, although this method has a certain breadth in verifying the gateway's protocol parsing function, it is insufficient for deep verification of the address domain and the value domain and cannot effectively support verification of the security gateway's parsing function.
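The following added example is not part of the patent and not the applicant's tool; it shows in Python what a security gateway has to recover from one S7comm Write Var request (the TPKT / COTP / S7 Header, Parameter and Data layering described under the technical terms above) and applies the verification rule the disclosure states later: a parse result consistent with the request is "accurate", no result is "cannot be parsed", any differing field is "inaccurate". The frame is constructed for this example, the field offsets follow the S7comm structure as documented by the open-source Wireshark dissector (an assumption here, not the patent's parser), and the truncated-frame case shows how a parser should fail closed rather than report a partial result.

```python
"""Parse an S7comm Write Var request (TPKT / COTP / S7) and score a gateway's parse result."""
import struct
from typing import Optional

# Constructed sample frame (not captured from a real device): one S7comm Job /
# Write Var request that writes the WORD 0x1234 to DB1 at byte address 0.
SAMPLE_WRITE_VAR = bytes.fromhex(
    "03000025"                      # TPKT: version 3, reserved, total length 37
    "02f080"                        # COTP: length 2, PDU type 0xF0 (DT Data), TPDU nr 0x80 (last)
    "320100000001000e0006"          # S7 header: 0x32, ROSCTR 1 (Job), redundancy id, PDU ref 1,
                                    #   parameter length 14, data length 6
    "0501120a10040001000184000000"  # parameter: 0x05 Write Var, 1 item, var spec 0x12, length 10,
                                    #   syntax 0x10, transport WORD, count 1, DB 1, area 0x84 (DB), address 0.0
    "000400101234"                  # data: return code 0, transport size 4, length 16 bits, value 0x1234
)

ROSCTR = {1: "Job", 2: "Ack", 3: "Ack_Data", 7: "Userdata"}
FUNCTIONS = {0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var", 0xF0: "Setup communication"}
AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB", 0x1C: "C", 0x1D: "T"}
TRANSPORT_SIZES = {0x01: "BIT", 0x02: "BYTE", 0x04: "WORD", 0x06: "DWORD"}


def parse_s7_frame(frame: bytes) -> Optional[dict]:
    """Extract the fields a gateway must recover from a Read/Write Var request.

    Returns None when the frame cannot be parsed (wrong magic, truncated, malformed item).
    Layout follows the S7comm structure as documented by the open-source Wireshark
    dissector (an assumption of this example, not the patent's own parser).
    """
    try:
        if len(frame) < 17 or frame[0] != 0x03:
            return None
        if struct.unpack(">H", frame[2:4])[0] != len(frame):
            return None                                 # TPKT length must match the frame
        s7 = frame[5 + frame[4]:]                       # skip COTP (its length byte excludes itself)
        if s7[0] != 0x32:
            return None
        rosctr = s7[1]
        pdu_ref, param_len, data_len = struct.unpack(">HHH", s7[4:10])
        hdr_len = 12 if rosctr in (2, 3) else 10        # Ack/Ack_Data carry two extra error bytes
        param = s7[hdr_len:hdr_len + param_len]
        data = s7[hdr_len + param_len:hdr_len + param_len + data_len]
        if len(param) != param_len or len(data) != data_len:
            return None
        func = param[0]
        result = {"rosctr": ROSCTR.get(rosctr, rosctr), "pdu_ref": pdu_ref,
                  "function": FUNCTIONS.get(func, f"0x{func:02x}"), "items": []}
        if func not in (0x04, 0x05):
            return result                               # other functions: header-level parse only
        off = 2
        for _ in range(param[1]):                       # item count
            item = param[off:off + 12]
            if len(item) != 12 or item[0] != 0x12 or item[2] != 0x10:
                return None
            tsize, count, db, area = struct.unpack(">BHHB", item[3:9])
            addr = int.from_bytes(item[9:12], "big")    # byte address << 3 | bit address
            result["items"].append({"area": AREAS.get(area, f"0x{area:02x}"), "db": db,
                                    "byte": addr >> 3, "bit": addr & 7, "count": count,
                                    "type": TRANSPORT_SIZES.get(tsize, f"0x{tsize:02x}")})
            off += 12
        if func == 0x05 and data:                       # Write Var carries the value in the data part
            _ret, dsize, length = struct.unpack(">BBH", data[:4])
            nbytes = (length + 7) // 8 if dsize in (3, 4, 5) else length  # sizes 3-5 count bits
            result["items"][0]["value"] = data[4:4 + nbytes].hex()
        return result
    except (struct.error, IndexError):
        return None


def verify_parse(gateway_result: Optional[dict], intended: dict) -> tuple:
    """Apply the verification rule: result consistent with the request -> 'accurate';
    no result -> 'cannot be parsed'; any field differing -> 'inaccurate' plus the fields."""
    if gateway_result is None:
        return ("cannot be parsed", [])
    got = gateway_result["items"][0] if gateway_result["items"] else {}
    mismatches = [f for f in ("area", "db", "byte", "bit", "type", "value")
                  if f in intended and got.get(f) != intended[f]]
    if gateway_result["function"] != intended["function"]:
        mismatches.insert(0, "function")
    return ("accurate", []) if not mismatches else ("inaccurate", mismatches)


if __name__ == "__main__":
    intended = {"function": "Write Var", "area": "DB", "db": 1, "byte": 0,
                "bit": 0, "type": "WORD", "value": "1234"}
    print(verify_parse(parse_s7_frame(SAMPLE_WRITE_VAR), intended))       # ('accurate', [])
    print(verify_parse(parse_s7_frame(SAMPLE_WRITE_VAR[:20]), intended))  # ('cannot be parsed', [])
```

The `intended` dictionary plays the role of the function information the verification tool knows it sent (function code, area, DB number, byte/bit address, data type and value), and `parse_s7_frame` plays the role of the gateway's parsing rule; comparing the two field by field is what makes the verification multi-dimensional over the address domain and the value domain rather than a single pass/fail.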
In short, the above prior art cannot support protocol analysis function verification for the security gateway in depth, breadth and efficiency, and the verification effect cannot meet the requirements.
Therefore, the embodiment of the application provides a solution to obtain the function information analyzed by the verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information; and carrying out multi-dimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result. The scheme solves the problems of few verification means, low verification efficiency, low verification accuracy and the like of the security gateway protocol analysis function in the prior art, greatly improves the effect of verifying the security gateway protocol analysis function, helps to discover the problems of the gateway protocol analysis function in time and promotes the improvement and optimization of the protocol depth analysis function in the security gateway, improves the protocol analysis capability of the security gateway, further improves the overall technical level of the security gateway, and ensures the network safety of an industrial field.
Referring to fig. 3, fig. 3 is a schematic diagram of functional modules of a terminal device to which the security gateway parsing function verification apparatus belongs. The security gateway analysis function verification device is based on the terminal equipment and can carry out multi-dimensional verification on the protocol analysis function of the security gateway, so that improvement and optimization of the security gateway protocol analysis function are promoted, and the security gateway analysis function verification device can be borne on the terminal equipment in a hardware or software mode.
In the embodiment of the present invention, the terminal device to which the security gateway parsing function verifying apparatus belongs at least includes an output module 110, a processor 120, a memory 130, and a communication module 140.
The memory 130 stores a security gateway parsing function verification program, and the security gateway parsing function verification device can obtain function information parsed by a verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information; performing multidimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain corresponding verification results and other information, and storing the corresponding verification results and other information in the memory 130; the output module 110 may be a display screen or the like. The communication module 140 may include a WIFI module, a mobile communication module, a bluetooth module, and the like, and communicates with an external device or a server through the communication module 140.
The security gateway parsing function verification program in the memory 130, when executed by the processor, implements the steps of:
acquiring function information analyzed by a verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information;
and performing multi-dimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result.
Further, the security gateway parsing function verification program in the memory 130 when executed by the processor further implements the steps of:
according to the function information, sending a corresponding function verification information request to a programmable logic controller through the pre-established protocol analysis function verification tool;
intercepting and analyzing the function verification information request through a security gateway to obtain a corresponding request result;
and verifying the protocol analysis function of the security gateway according to the request result to obtain a corresponding verification result.
Further, the security gateway parsing function verification program in the memory 130 when executed by the processor further implements the steps of:
if the function information is the task primary function information, the task secondary function information and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the task function verification in the pre-established protocol analysis function verification tool;
if the function information is the user data primary function information, the user data secondary function information and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the user data function verification in the pre-established protocol analysis function verification tool;
and if the function information is the task function information and/or the user data function information, sending a corresponding function verification information request to the programmable logic controller through the self-defined function verification in the pre-established protocol analysis function verification tool.
Further, the security gateway parsing function verification program in the memory 130 when executed by the processor further implements the steps of:
according to the request result, verifying the protocol analysis function of the security gateway;
if the request result is consistent with the request, obtaining an accurate verification result;
and if the request result is inconsistent with the request, obtaining a verification result which cannot be analyzed or is inaccurate.
Further, the security gateway parsing function verification program in the memory 130 when executed by the processor further implements the steps of:
constructing a protocol communication simulation environment;
obtaining a protocol analysis result in the protocol communication simulation environment;
and constructing the pre-established protocol analysis function verification tool according to the protocol analysis result.
Further, the security gateway parsing function verification program in the memory 130 when executed by the processor further implements the steps of:
acquiring S7 protocol communication data in the protocol communication simulation environment;
and analyzing the S7 protocol communication data according to different functions to obtain a protocol analysis result, wherein the protocol analysis result comprises different function data.
Further, the security gateway parsing function verification program in the memory 130 when executed by the processor further implements the steps of:
and coding according to the different function data in the protocol analysis result, and constructing the protocol analysis function verification tool based on a browser/server (B/S) architecture.
Based on the above terminal device architecture but not limited to the above architecture, embodiments of the method of the present invention are presented.
Referring to fig. 4, fig. 4 is a flowchart illustrating a security gateway parsing function verification method according to a first exemplary embodiment of the present invention. The security gateway parsing function verification method comprises the following steps:
step S110, acquiring function information analyzed by a verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information;
Specifically, the PDU includes three parts, namely a Header, a Parameter and Data, where the Data is optional. Taking the S7 protocol as an example, the structure of an S7 PDU may differ according to the function implemented; for example, a request data message contains only two parts, a header and a parameter. The header contains length information, the PDU reference and message type constants; the content and structure of the parameter vary greatly depending on the message and function type of the PDU; the data is an optional field used to carry data such as memory values, block code, firmware data, etc. The header is 10-12 bytes in length, and the acknowledgement message contains two additional error code bytes. Apart from this, the header format is consistent across all PDUs. The function information of the protocol analysis is acquired to determine the functions to be verified by the pre-established protocol analysis function verification tool, so that the tool can carry out targeted verification as required.
And step S120, performing multidimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result.
Specifically, selecting a pre-established protocol analysis function verification tool according to the function information, and sending a corresponding function verification information request to the programmable logic controller through the pre-established protocol analysis function verification tool; intercepting and analyzing the function verification information request through a security gateway to obtain a corresponding request result; and verifying the protocol analysis function of the security gateway according to the request result to obtain a corresponding verification result.
For example, the user data function verification (primary function) is selected, then the Mode-transition (secondary function) is selected, corresponding parameters are changed, the protocol analysis function of the security gateway is verified, and the analysis result of the security gateway is checked, so that a corresponding verification result is obtained.
According to the scheme, the embodiment specifically obtains the function information analyzed by the verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information, and carries out multi-dimensional verification on the protocol analysis function of the security gateway according to the function information and a pre-established protocol analysis function verification tool to obtain a corresponding verification result. Based on the scheme, the function to be verified is selected on the pre-established protocol analysis function verification tool by obtaining the function information; the tool sends a corresponding function verification information request to the PLC according to the selected function; a protocol analysis strategy is deployed on the security gateway in advance, so that when the request passes through the security gateway, the protocol analysis function of the security gateway is triggered and the security gateway performs protocol analysis on the passing request; finally, the request result corresponding to the protocol analysis is presented on the security gateway, and the protocol analysis function of the security gateway is verified by checking the request result to obtain a corresponding verification result. This achieves multi-dimensional verification of the validity of the protocol analysis function of the security gateway, solves the problems in the prior art of few verification means, low verification efficiency and low verification accuracy for the protocol analysis function of the security gateway, greatly improves the effect of verifying the protocol analysis function of the security gateway, helps to discover problems in the protocol analysis function of the gateway in time, promotes the improvement and optimization of the deep protocol analysis function of the security gateway, improves the overall level of the security gateway, and improves its security technology.
Further, referring to fig. 5, fig. 5 is a flowchart illustrating a security gateway parsing function verification method according to a second exemplary embodiment of the present invention. Based on step S120 in the embodiment shown in fig. 4, the step of performing multi-dimensional verification on the protocol analysis function of the security gateway according to the function information and the pre-established protocol analysis function verification tool to obtain a corresponding verification result includes:
step S1201, according to the function information, sending a corresponding function verification information request to a programmable logic controller through the pre-established protocol analysis function verification tool;
specifically, based on step S110, the protocol data unit type information includes task function information and/or user data function information, the task function information includes task primary function information and/or task secondary function information, the user data function information includes user data primary function information and/or user data secondary function information, and the verification function of the pre-established protocol parsing function tool includes task function verification, user data function verification, and custom function verification.
After the function information is selected on the pre-established protocol analysis function verification tool, the pre-established protocol analysis function verification tool sends a corresponding function verification information request to the PLC, such as operations of sending a specified function, changing an address domain and a value domain parameter of the function and the like.
Step S1202, intercepting and analyzing the function verification information request through a security gateway to obtain a corresponding request result;
Specifically, since the security gateway is deployed in the communication environment in advance, the function verification information request flows through the security gateway after being sent out, the protocol analysis function of the security gateway is triggered, and the security gateway identifies and analyzes the function verification information request to obtain a corresponding request result. The request result is the basis for verifying whether the protocol analysis function of the security gateway is valid.
And step S1203, verifying the protocol analysis function of the security gateway according to the request result to obtain a corresponding verification result.
Specifically, according to the request result, the protocol analysis function of the security gateway is verified; if the request result is consistent with the request, obtaining an accurate verification result; and if the request result is inconsistent with the request, obtaining a verification result which cannot be analyzed or is inaccurate. In other words, the request sent by the pre-established protocol analysis function verification tool and the result analyzed by the security gateway are checked, and whether the protocol analysis function of the security gateway is effective or not is determined according to whether the request sent by the pre-established protocol analysis function verification tool and the result analyzed by the security gateway are consistent or not.
Specifically, if the request result is consistent with the request, an accurate verification result is obtained, which indicates that the security gateway can accurately identify the current function code, the address domain and the value domain, and the security gateway is complete in function, can be normally used, and does not need to be improved.
If the request result is inconsistent with the request, an unresolvable or inaccurate verification result is obtained, and two situations are considered. If an unresolvable verification result is obtained from the request result, the security gateway cannot identify the current function code, address domain and value domain, which indicates that the deep protocol analysis function of the security gateway needs to be completed. If an inaccurate verification result is obtained from the request result, the security gateway cannot fully recognize the request: for example, it can recognize the function code but not the deeper address domain and value domain, which indicates that the security gateway needs to improve its deep protocol analysis function to support deeper analysis.
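The three-way outcome of step S1203 (accurate, inaccurate, unresolvable) can be expressed as a small comparison routine that also runs over a whole batch of requests, as the custom function verification does. The following Python is an added example and is not code from the patent or from the applicant's verification tool; the FunctionRequest and GatewayParse records, their field names and the sample batch are assumptions constructed for illustration, standing in for the function code, address domain and value domain that the page says the gateway must identify.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

ACCURATE, INACCURATE, UNRESOLVABLE = "accurate", "inaccurate", "unresolvable"


@dataclass(frozen=True)
class FunctionRequest:
    """A function verification information request as sent by the tool (constructed fields)."""
    primary: str            # "Job" or "Userdata" (primary function)
    function_code: int      # secondary function code, e.g. 0x04 Read Var
    address: Optional[str]  # address domain of the request, None if not applicable
    value: Optional[str]    # value domain of the request, None if not applicable


@dataclass(frozen=True)
class GatewayParse:
    """What the security gateway reports for the same request; None means not identified."""
    function_code: Optional[int] = None
    address: Optional[str] = None
    value: Optional[str] = None


def verify_one(req: FunctionRequest, parsed: Optional[GatewayParse]) -> str:
    """Classify the gateway's parse of one request.

    unresolvable: the gateway produced nothing or did not identify the function code;
    inaccurate:   the function code was identified but a deeper field (address or value)
                  is missing or differs from what was sent;
    accurate:     function code, address domain and value domain all match the request.
    """
    if parsed is None or parsed.function_code is None:
        return UNRESOLVABLE
    if parsed.function_code != req.function_code:
        return INACCURATE
    for sent, seen in ((req.address, parsed.address), (req.value, parsed.value)):
        if sent is not None and seen != sent:
            return INACCURATE
    return ACCURATE


def verify_batch(pairs: Sequence[Tuple[FunctionRequest, Optional[GatewayParse]]]) -> Dict[str, object]:
    """Verify a batch of requests at once and summarize the outcomes.

    Returns a count per outcome, the requests that still need gateway improvement,
    and whether the gateway's parsing function can be considered effective overall.
    """
    counts = {ACCURATE: 0, INACCURATE: 0, UNRESOLVABLE: 0}
    needs_work: List[Tuple[FunctionRequest, str]] = []
    for req, parsed in pairs:
        outcome = verify_one(req, parsed)
        counts[outcome] += 1
        if outcome != ACCURATE:
            needs_work.append((req, outcome))
    return {
        "counts": counts,
        "needs_work": needs_work,
        "effective": counts[INACCURATE] == 0 and counts[UNRESOLVABLE] == 0,
    }


# Constructed sample batch (assumption): address strings and the Userdata code are illustrative only.
SAMPLE_BATCH = [
    (FunctionRequest("Job", 0x04, "DB1.DBB0", "2 bytes"),
     GatewayParse(0x04, "DB1.DBB0", "2 bytes")),        # fully parsed -> accurate
    (FunctionRequest("Job", 0x04, "DB2.DBW4", "1 word"),
     GatewayParse(0x04, None, None)),                   # function code only -> inaccurate
    (FunctionRequest("Userdata", 0x00, None, None),     # hypothetical Userdata subfunction code
     None),                                             # gateway produced no result -> unresolvable
]

if __name__ == "__main__":
    report = verify_batch(SAMPLE_BATCH)
    print(report["counts"], "gateway effective:", report["effective"])
    for req, outcome in report["needs_work"]:
        print(f"  {req.primary} 0x{req.function_code:02x}: {outcome}")
```

The distinction that matters for the defender is in `verify_one`: a missing address or value domain is reported as inaccurate rather than accurate, so a gateway that only recognizes function codes does not pass deep-analysis verification.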
According to the scheme, the embodiment specifically sends a corresponding function verification information request to the programmable logic controller through the pre-established protocol analysis function verification tool according to the function information; intercepts and analyzes the function verification information request through the security gateway to obtain a corresponding request result; and verifies the protocol analysis function of the security gateway according to the request result to obtain a corresponding verification result. Based on the scheme, after the function information is selected on the pre-established protocol analysis function verification tool, the tool sends a corresponding function verification information request to the PLC, and the security gateway identifies the request and analyzes the protocol after receiving it, obtaining a corresponding request result. The request result is compared with the issued function verification information request to judge whether the two are consistent: if they are consistent, an accurate verification result is obtained, which shows that the protocol analysis function of the security gateway is complete and needs no improvement; if they are inconsistent, an unresolvable or inaccurate verification result is obtained, which indicates that the protocol analysis function of the security gateway is incomplete and needs further optimization and improvement.
According to the scheme, depth and accuracy verification of the protocol analysis function of the security gateway is realized, and whether the protocol analysis function of the security gateway is effective is determined, so that possible problems of the security gateway can be found in time, targeted response measures can be taken, the deep analysis capability of the security gateway for the protocol is improved, the potential safety hazards it poses to the industrial control network can be eliminated as early as possible, the safety of the industrial control network is maintained, and the smooth operation of industrial production is guaranteed.
Further, referring to fig. 6, fig. 6 is a flowchart illustrating a security gateway parsing function verification method according to a third exemplary embodiment of the present invention. Based on step S1201 in the embodiment shown in fig. 5, the protocol data unit type information includes task function information and/or user data function information, the task function information includes task primary function information and task secondary function information, the user data function information includes user data primary function information and user data secondary function information, the verification function of the pre-established protocol parsing function tool includes task function verification, user data function verification and custom function verification, and the step of sending a corresponding function verification information request to the programmable logic controller through the pre-established protocol parsing function verification tool according to the function information includes:
step S12011, if the function information is the task primary function information, the task secondary function information, and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the task function verification in the pre-established protocol analysis function verification tool;
Specifically, the function information is determined by selecting it on the pre-established protocol parsing function verification tool, and the selected function information determines the corresponding function of the tool. For example, when the task primary function information and the task secondary function information are selected and the key parameters, the data amount (Item Count) and the data content (Item), are adjusted, the task function verification in the pre-established protocol parsing function verification tool is used.
Taking the S7 protocol as an example, referring to fig. 7, fig. 7 shows the task primary function and the task secondary functions together with a function code table; as shown in fig. 8, the task primary function (Job function) includes 11 task secondary functions (subfunctions), and each task secondary function has a corresponding function code. The task function verification in the pre-established protocol analysis function verification tool performs deep verification of the task function information and is used to verify all task function verification information requests sent by the master device to the PLC, so as to verify the breadth and depth of the security gateway's analysis of the protocol.
Taking 0x04 (Read variable) as an example, the pre-built protocol analysis function verification tool selects a task primary function (Job function) first, then selects a Read variable (Read Var), and arbitrarily adjusts the key parameter data volume (Item Count) and the data content (Item) to verify the protocol analysis function of the security gateway.
Step S12012, if the function information is the user data primary function information, the user data secondary function information, and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the user data function verification in the pre-established protocol analysis function verification tool;
specifically, since the selected function information determines the corresponding function in the pre-established protocol parsing function validation tool, when the function information is the user data primary function information, the user data secondary function information, and/or the parameter information, the user data function in the pre-established protocol parsing function validation tool is used for validation.
Taking the S7 protocol as an example, referring to fig. 8, fig. 8 is a user data primary function, a user data secondary function, and a function code table, as shown in fig. 8, the user data primary function (Userdata function) belongs to an extended function of the protocol, and includes 9 user data secondary functions, each user data secondary function has a corresponding function code, and the user data function verification in the pre-established protocol analysis function verification tool is to perform deep verification on user data function information, and is used for sending a user data function information request to the PLC, so as to verify the breadth and deep analysis capability of the security gateway on the protocol.
For example, a user data primary function (Userdata function) is selected on the pre-established protocol parsing function verification tool, then a conversion work Mode-transition (secondary function) is selected, and the key parameter data volume (Item Count) and the data content (Item) are arbitrarily adjusted to verify the protocol parsing function of the security gateway.
Step S12013, if the function information is the task function information and/or the user data function information, sending a corresponding function verification information request to the programmable logic controller through the custom function verification in the pre-established protocol parsing function verification tool.
Specifically, in addition to the task function verification mentioned in step S12011 and the user data function verification mentioned in step S12012, the functions of the pre-built protocol parsing function verification tool also include custom function verification, which supplements the above two functions: with it, the user can quickly verify the validity of the protocol parsing function of the security gateway simply by adjusting any function to be verified and sending the corresponding function verification information request with one click.
For example, in order to accelerate the verification efficiency, the function is used for directly sending all functional verification information requests including a task function and a user data function to the PLC, and the security gateway carries out protocol analysis after receiving the requests, so that the analysis capability of the security gateway is rapidly verified, and the verification efficiency is greatly improved.
According to the scheme, if the function information is the task primary function information, the task secondary function information and/or the parameter information, the task function verification in the pre-established protocol analysis function verification tool is used for sending a corresponding function verification information request to the programmable logic controller; if the function information is the user data primary function information, the user data secondary function information and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the user data function verification in the pre-established protocol analysis function verification tool; and if the function information is the task function information and/or the user data function information, sending a corresponding function verification information request to the programmable logic controller through the self-defined function verification in the pre-established protocol analysis function verification tool. Based on the scheme, by determining the content of the function information, selecting the function to be verified on the pre-established protocol analysis function verification tool and adjusting the parameters, and sending a corresponding verification function information request to the PLC by using task function verification, user data function verification or custom function verification on the tool, the industrial protocol verification breadth of the security gateway is improved by at least 50%, the depth is improved by at least 100%, and the verification efficiency is improved by 40%.
Further, referring to fig. 9, fig. 9 is a schematic flowchart of a security gateway parsing function verification method according to a fourth exemplary embodiment of the present invention. Based on step S110 in the embodiment shown in fig. 4, before the step of obtaining the function information analyzed by the verification protocol, wherein the function information comprises protocol data unit type information and/or parameter information, the method further includes:
step S80, constructing a protocol communication simulation environment;
specifically, as shown in fig. 10, fig. 10 is a schematic diagram of a protocol communication simulation environment of the security gateway parsing function verification method of the present invention. The protocol communication simulation environment is an environment which is established for conveniently verifying the validity of the protocol analysis capability of the security gateway and can comprehensively and truly restore the communication between the client and the server, and is established based on a single-side communication mode of the client/the server.
Taking S7 protocol communication as an example, the client/server-based unilateral communication mode is the most commonly used of the two modes supported by S7 protocol communication. The two modes are: 1) client/server-based unilateral communication, in which only the client side needs to be configured and programmed, and the server (PLC) side only needs to have its data ready for access; common clients include a human-machine interface (HMI) and a programming device or computer (PG/PC); 2) partner/partner-based communication, which is bilateral communication, is less commonly used and is not described in detail here.
The protocol communication simulation environment is constructed by using upper computer programming software STEP 7 software, a switch, a PLC and an industrial instrument. STEP 7 has the following functions: hardware configuration and parameter set-up, communication configuration, programming, testing, startup and maintenance, documentation, operation and diagnostic functions, etc. By utilizing the function of STEP 7 software, the efficiency of all automation tasks can be effectively improved. In the protocol communication simulation environment, STEP 7 is used as client software in a unilateral communication mode of protocol communication, namely as a software tool at one end of communication with the PLC.
In addition, it should be noted that the PLC may be of any type, such as a Siemens S300 or S1200. For example, a communication simulation environment can be constructed using the upper computer programming software STEP 7, a switch, a Siemens S300 and industrial instrumentation.
Step S90, obtaining a protocol analysis result in the protocol communication simulation environment;
Specifically, the traffic capture tool Wireshark is deployed on the upper computer in the protocol communication simulation environment, and protocol communication data are acquired through Wireshark; the protocol communication data are then deeply analyzed according to the different functions to obtain a protocol analysis result, which comprises the different function data and is used to form the protocol function verification tool.
Taking S7 as an example, capturing S7 protocol communication data through Wireshark in the upper computer, performing deep analysis on the acquired S7 protocol according to different functions to obtain an S7 protocol analysis result, and forming an S7 protocol analysis function verification tool according to the obtained result.
And step S100, constructing the pre-established protocol analysis function verification tool according to the protocol analysis result.
Specifically, a Python tool is used for coding and reconstructing the analysis result of the protocol communication data according to different functional data, so that a set of automatic and extensible pre-established protocol analysis function verification tool is formed. The verification functions of the pre-built protocol analysis function tool comprise task function verification, user data function verification and user-defined function verification, and the functions provide a faster and more effective verification function. The task function verification is to verify all functions of a task function verification information request sent by the main equipment, and verify the breadth and the depth analysis capability of the security gateway to the protocol; the user data function verification is an extended function of a verification protocol, so that the breadth and depth resolution capability of the security gateway on the protocol are verified; the custom function verification is to accelerate the verification efficiency, only needs to adjust any function needing verification, and sends a request by one key to quickly verify the analysis capability of the security gateway.
According to the scheme, a protocol communication simulation environment is specifically constructed; obtaining a protocol analysis result in the protocol communication simulation environment; and constructing the pre-established protocol analysis function verification tool according to the protocol analysis result. Based on the scheme, the protocol communication simulation environment is established in a client/server-based unilateral communication mode, in the protocol communication simulation environment, protocol communication data are obtained through Wireshark in a deployed upper computer and are subjected to protocol analysis, an analysis result is obtained, a Python tool is used for compiling the analysis result of the protocol communication data according to different functional data to form a protocol analysis function verification tool, the protocol analysis function verification tool is established, and conditions are provided for subsequent verification of the protocol analysis capability of the security gateway. The tool has three optional verification functions, can comprehensively and deeply analyze the protocol, provides a comprehensive protocol verification function, not only aims at certain functions but also can verify all protocol analysis functions of the security gateway, and compared with the prior art, the breadth, the depth and the efficiency of verification are greatly improved.
Further, referring to fig. 11, which is a flowchart of a security gateway parsing function verification method according to a fifth exemplary embodiment of the present invention. Based on step S90 in the embodiment shown in fig. 9, the step of obtaining a protocol parsing result in the protocol communication simulation environment comprises:
Step S901, acquiring S7 protocol communication data in the protocol communication simulation environment;
specifically, the protocol communication data is communication data between STEP 7 and the PLC. The protocol communication data needs to be acquired because the formation of the protocol analysis function verification tool needs to be compiled according to different function data rules obtained by analyzing the data. The protocol communication data is obtained mainly by deploying a flow grabbing tool Wireshark on the upper computer and grabbing protocol communication data flow through the Wireshark.
Taking an S7 protocol as an example, in the protocol communication simulation environment, an S7 protocol communication data between STEP 7 and the PLC is captured by using a Wireshark tool of the upper computer.
Step S902, parsing the S7 protocol communication data according to the different functions to obtain a protocol parsing result, wherein the protocol parsing result comprises the different function data.
Specifically, since the protocol parsing result is to be used for constructing the protocol parsing function verification tool, the obtained protocol communication data must be parsed in depth to obtain a protocol parsing result containing the different function data.
Taking the S7 protocol as an example, the S7 protocol is a proprietary protocol, and its data frame is divided into 3 parts in the application layer, i.e. TPKT, COTP and S7 Communication. TPKT and COTP are relatively simple in structure, so the S7 Communication layer is analysed with emphasis. Taking the analysis of a certain function as an example, referring to fig. 12, which shows a data frame of the S7 protocol: the 1st byte of the data is the protocol constant (Protocol ID) and is always set to 0x32; the 2nd byte is the message type (ROSCTR, PDU Type), which controls the S7 request message type (the primary function, comprising the Job function or the Userdata function); the 3rd and 4th bytes are a redundant identification (Reserved), always set to 0x0000 (and may be ignored); the 5th and 6th bytes are the protocol data unit reference (PDU reference), generated by the master station, incremented for each new transmission and used to link responses to their requests; the 7th and 8th bytes are the Parameter Length, i.e. the length of the parameter field; the 9th and 10th bytes are the Data Length, i.e. the length of the data field; the 11th byte, the Function Code, indicates the function of the control request (the secondary function); the 12th byte is the item count (Item Count); and the item content (Item) follows.
In the deep parsing process, a fixed-variable method is adopted: first the Function Code is held fixed at one value, and the value ranges and value types of parameters such as the item count (Item Count) and the item content (Item) are analysed. The analysis yields, for example, that the value range of the item count (Item Count) is 0 to M and the value range of the data type in the item content (Item) is 0 to N, where a data type of 1 represents one type and a data type of 2 represents another; the value rules of all parameters under the current Function Code are then summarised. The Function Code is then changed, the value range, value type and other properties of the remaining parameters under the new Function Code are analysed in the same way, and finally the rule for each Function Code is summarised to obtain the protocol parsing result.
In this embodiment, taking the S7 protocol as an example, the S7 protocol communication data is acquired in the protocol communication simulation environment, and the S7 protocol communication data is parsed according to the different functions to obtain a protocol parsing result comprising the different function data. Based on this scheme, the S7 protocol communication data is captured by the Wireshark tool on the upper computer and the obtained data is parsed, in preparation for integrating the data into the protocol parsing function verification tool subsequently.
Further, based on step S100 in the embodiment shown in fig. 9, the step of constructing the pre-established protocol parsing function verification tool according to the protocol parsing result comprises:
Step S1001, coding according to the different function data in the protocol parsing result, and constructing the protocol parsing function verification tool on a browser/server mode B/S structure.
Specifically, the B/S structure is an improvement of the C/S structure. Conventional C/S (client/server mode) software is divided into two layers, client and server: the first layer integrates the presentation and business logic on the client system, and the second layer integrates the database server over the network.
The B/S structure is an improvement of the C/S structure and can be regarded as a three-layer C/S architecture. It mainly uses the continuously maturing WWW browser technology to realise, with a general-purpose browser, the powerful functions that previously required complex dedicated software, which saves development cost; it is a completely new way of constructing software systems.
The difference between the B/S architecture and the C/S architecture is that the B/S architecture has three layers:
In the first layer, the browser (i.e. the client) has only simple input and output functions and handles a very small part of the transaction logic. Because no client software needs to be installed and a browser is sufficient to access the system, the client side serves a wide range of users, and the interface is designed to be simpler and more universal.
The second layer is the WEB server, which plays the role of information transfer. When a user wants to access the database, a request is first sent to the WEB server; after the WEB server has consolidated the request, the database access request, implemented as SQL statements, is sent to the database server.
The third layer is the database server, which holds large amounts of data. When the database server receives the request from the WEB server, it processes the SQL statements and sends the returned result to the WEB server, which then converts the received data result into HTML text and sends it to the browser.
The C/S structure is suitable for a local area network, demands a high network speed, has a client interface that lacks universality, and requires the interface to be changed and rewritten whenever the business changes. The B/S structure is suitable for the vast internet of a wide area network or even a global network, has very strong information-sharing capability and a low requirement on network speed; no client needs to be installed, and pages can be browsed anytime and anywhere as long as an internet connection is available; the browser handles only some simple logic transactions, so its burden is small; all data is stored centrally on the database server, so data inconsistency does not arise; the data platform can be protected effectively and access authority managed, ensuring the data security of the server database. As the server load grows, the number of servers can be increased smoothly to build a server cluster with load balancing among the servers.
In short, the B/S structure has many advantages over the C/S structure, so the pre-established protocol parsing function verification tool adopts the B/S structure and can be accessed over the network at any time to test the security gateway.
In this embodiment, by the above scheme, the protocol parsing function verification tool is constructed on a browser/server mode B/S structure by coding according to the different function data in the protocol parsing result. Because the B/S structure is adopted, the shortcomings of the traditional C/S structure are overcome, the constructed protocol parsing function verification tool is highly extensible, and it can be accessed over the network at any time to perform protocol function verification tests.
Further, referring to fig. 13, which is a schematic overall flowchart of the security gateway parsing function verification method of the present invention. The overall flow of the security gateway parsing function verification method is described as follows:
First, a protocol communication simulation environment is constructed from the programming software STEP 7 and a PLC; the protocol communication data acquired in the protocol communication simulation environment is parsed in depth to obtain a parsing result; and coding according to the corresponding protocol data format of the parsing result yields the pre-established protocol parsing function verification tool, which supports three functions, namely task function verification (Job function verification), user data function verification (Userdata function verification) and custom function verification. Task function verification (Job function verification) sends protocol function verification information requests for all functions of the master device and verifies the breadth and depth of the security gateway's parsing of the protocol; user data function verification (Userdata function verification) verifies the extended functions of the protocol, and likewise verifies the breadth and depth of the security gateway's parsing of the protocol; custom function verification is intended to speed up verification: with it, all functions can be issued directly, so that the parsing capability of the security gateway is verified quickly. The tool is then placed in communication with the PLC.
Second, because the protocol parsing function of the security gateway can effectively identify and process industrial protocols including the S7 protocol, illegal control instructions cannot reach the industrial control equipment, and malicious control attacks are thereby prevented. It should be noted that illegal control instructions include, but are not limited to, the following situations: 1) an unusual read instruction suddenly appearing during normal business hours; 2) a PLC control instruction appearing during normal business hours. However, the protocol parsing function of the security gateway is not always reliable; once the function fails or identification is inaccurate, the industrial control network carries a great potential safety hazard, the interests of the plant may be damaged and even personal safety endangered. It is therefore necessary to verify the protocol parsing capability of the security gateway; for this purpose, the security gateway is connected between the tool and the PLC and the relevant protocol parsing policies are deployed, after which verification of the protocol parsing validity begins.
Third, the tool is used to initiate a function verification information request to the PLC, for example by sending a specified function or by changing the address field and value field parameters of the function, and it is checked whether the security gateway identifies and parses it; custom function verification may also be used to speed up testing. After the protocol communication traffic passes through the security gateway, the security gateway parses the protocol communication data in depth, and the tester can quickly verify the validity of the function using this feature.
Finally, the request result obtained from the protocol parsing function of the security gateway is presented as either consistent or inconsistent with the request sent by the pre-established protocol parsing function verification tool. If the request result is consistent with the request, an accurate verification result is obtained, indicating that the security gateway accurately identifies the current function code, address field and value field; the security gateway's function is then complete, can be used normally and needs no improvement.
If the request result is inconsistent with the request, an unparsable or inaccurate verification result is obtained, and two cases are considered. If the request result yields an unparsable verification result, the security gateway cannot identify the current function code, address field and value field, which indicates that the protocol deep parsing function needs to be completed; if the request result yields an inaccurate verification result, the security gateway cannot fully identify the request, for example it identifies the function code but not the deeper address field and value field, which indicates that the security gateway must improve its protocol deep parsing function to support deeper parsing.
According to this scheme, the interaction environment of the equipment is restored completely and truly, which improves the credibility of the function verification; the protocol parsing function verification tool can verify the protocol parsing function of the security gateway comprehensively and in depth, and the breadth and depth of the supported function codes are markedly improved over the prior art; the custom function verification of the tool greatly improves verification efficiency; and the tool is highly extensible, so newly discovered functions can be added at any time through its interface.
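As an added example that is not code from the patent or its applicant, the following Python (the language the patent names for its tool) serves both the byte layout and fixed-variable analysis described for fig. 12 and the accurate/unparsable/inaccurate verification outcomes above: it parses constructed S7 Job frames, summarises parameter value ranges per function code, and classifies a constructed gateway report against the request the tool sent. The 12-byte S7ANY item layout, the ROSCTR and Read Var/Write Var function code values, and the shape of the gateway report are assumptions beyond the page.

```python
"""Added example, not code from the patent or its applicant: parses the S7
Communication header described above, summarises parameter value ranges per
function code (the fixed-variable method) and classifies a gateway's parsing
result as accurate, unparsable or inaccurate. All frames and gateway reports
below are constructed for illustration."""
import struct
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

PROTOCOL_ID = 0x32
# S7comm constants known to the author; the page itself names only 0x32, Job and Userdata
ROSCTR_JOB, ROSCTR_USERDATA = 0x01, 0x07
FC_READ_VAR, FC_WRITE_VAR = 0x04, 0x05
AREA_NAMES = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB"}
HEADER_LEN, ITEM_LEN = 12, 12   # header incl. function code and item count; one S7ANY item

@dataclass
class S7Item:
    transport_size: int
    length: int
    db_number: int
    area: int
    address: int    # 3-byte address field: byte_offset * 8 + bit

@dataclass
class S7Header:
    pdu_type: int
    pdu_ref: int
    param_len: int
    data_len: int
    function_code: int
    items: list = field(default_factory=list)

def parse_s7_frame(frame: bytes) -> S7Header:
    """Parse the S7 Communication layer (TPKT and COTP already stripped).
    Layout as described: protocol id 0x32, ROSCTR, two reserved bytes, PDU
    reference, parameter length, data length, function code, item count and
    the items. The 12-byte S7ANY item layout is an assumption beyond the page."""
    if len(frame) < HEADER_LEN or frame[0] != PROTOCOL_ID:
        raise ValueError("not an S7 Communication frame")
    pdu_ref, param_len, data_len = struct.unpack(">HHH", frame[4:10])
    hdr = S7Header(frame[1], pdu_ref, param_len, data_len, frame[10])
    pos = HEADER_LEN
    for _ in range(frame[11]):                       # item count
        raw = frame[pos:pos + ITEM_LEN]
        if len(raw) < ITEM_LEN or raw[0] != 0x12:    # 0x12 = variable specification
            raise ValueError("truncated or unknown item")
        length, db_number = struct.unpack(">HH", raw[4:8])
        hdr.items.append(S7Item(raw[3], length, db_number, raw[8],
                                int.from_bytes(raw[9:12], "big")))
        pos += ITEM_LEN
    return hdr

def build_item(transport_size, length, db_number, area, byte_offset, bit=0) -> bytes:
    """Encode one S7ANY address item (the request's address field)."""
    return (bytes([0x12, 0x0A, 0x10, transport_size])
            + struct.pack(">HH", length, db_number) + bytes([area])
            + (byte_offset * 8 + bit).to_bytes(3, "big"))

def build_job(pdu_ref, function_code, items, data=b"") -> bytes:
    """Encode a Job request; `data` is the value field of a write request."""
    param = bytes([function_code, len(items)]) + b"".join(items)
    head = bytes([PROTOCOL_ID, ROSCTR_JOB, 0, 0])
    return head + struct.pack(">HHH", pdu_ref, len(param), len(data)) + param + data

def summarize_by_function_code(frames) -> dict:
    """Fixed-variable pass: hold the function code fixed and collect the
    observed item counts, transport sizes and areas for that code."""
    seen = defaultdict(lambda: defaultdict(set))
    for frame in frames:
        hdr = parse_s7_frame(frame)
        seen[hdr.function_code]["item_count"].add(len(hdr.items))
        for it in hdr.items:
            seen[hdr.function_code]["transport_size"].add(it.transport_size)
            seen[hdr.function_code]["area"].add(AREA_NAMES.get(it.area, hex(it.area)))
    return {fc: {k: sorted(v) for k, v in d.items()} for fc, d in seen.items()}

def classify_gateway_result(request: bytes, report: Optional[dict]) -> str:
    """Compare the request the tool sent with what the gateway reports having
    parsed for it. `report` is a constructed shape (keys function_code, address,
    value), not a real gateway log format; None means nothing was identified."""
    sent = parse_s7_frame(request)
    if report is None or report.get("function_code") != sent.function_code:
        return "unparsable"     # function code not identified
    expected_addr = [(it.area, it.db_number, it.address) for it in sent.items]
    if report.get("address") != expected_addr:
        return "inaccurate"     # function code seen, address field not fully parsed
    value = request[HEADER_LEN + ITEM_LEN * len(sent.items):]
    if value and report.get("value") != value:
        return "inaccurate"     # write request: value field not fully parsed
    return "accurate"

# Constructed traffic: a read of 4 bytes at DB1.DBB10 and a write of one byte to DB1.DBB20
READ_REQ = build_job(1, FC_READ_VAR, [build_item(0x02, 4, 1, 0x84, 10)])
WRITE_REQ = build_job(2, FC_WRITE_VAR, [build_item(0x02, 1, 1, 0x84, 20)],
                      data=b"\x00\x04\x00\x08\x7f")
```

Feeding the tool's own request frames and the gateway's per-request report into `classify_gateway_result` reproduces the three outcomes the flow above distinguishes; `summarize_by_function_code` is the per-Function-Code rule table the fixed-variable method produces.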
In addition, an embodiment of the present invention further provides a security gateway parsing function verification apparatus, wherein the security gateway parsing function verification apparatus comprises:
an acquisition module, used for acquiring function information for verifying protocol parsing, wherein the function information comprises protocol data unit type information and/or parameter information;
and a verification module, used for performing multi-dimensional verification of the protocol parsing function of the security gateway according to the function information and a pre-established protocol parsing function verification tool to obtain a corresponding verification result.
For the principle and implementation of the security gateway parsing function verification in this embodiment, please refer to the above embodiments, which are not repeated here.
In addition, an embodiment of the present invention further provides a terminal device, where the terminal device includes a memory, a processor, and a security gateway parsing function verification program that is stored in the memory and is capable of running on the processor, and when being executed by the processor, the security gateway parsing function verification program implements the steps of the security gateway parsing function verification method described above.
Since the security gateway parsing function verification program is executed by the processor, all technical solutions of all the embodiments are adopted, so that at least all the beneficial effects brought by all the technical solutions of all the embodiments are achieved, and detailed description is omitted here.
In addition, an embodiment of the present invention further provides a storage medium, where a security gateway parsing function verification program is stored on the storage medium, and when executed by a processor, the security gateway parsing function verification program implements the steps of the security gateway parsing function verification method described above.
Since the security gateway parsing function verification program is executed by the processor, all technical solutions of all the embodiments are adopted, so that at least all the beneficial effects brought by all the technical solutions of all the embodiments are achieved, and detailed description is omitted here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system comprising the element.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, a controlled terminal, or a network device) to execute the method of each embodiment of the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent structures or equivalent processes performed by the present invention or directly or indirectly applied to other related technical fields are also included in the scope of the present invention.

Claims (9)

1. A security gateway parsing function verification method, characterized by comprising the following steps:
acquiring function information for verifying protocol parsing, wherein the function information comprises protocol data unit type information and/or parameter information;
performing multi-dimensional verification of the protocol parsing function of the security gateway according to the function information and a pre-established protocol parsing function verification tool to obtain a corresponding verification result, wherein the verification functions of the pre-established protocol parsing function verification tool comprise task function verification, user data function verification and custom function verification, and the custom function verification is used for directly verifying all functions including the task function and the user data function;
wherein the step of performing multi-dimensional verification of the protocol parsing function of the security gateway according to the function information and the pre-established protocol parsing function verification tool to obtain a corresponding verification result comprises the following steps:
according to the function information, sending a corresponding function verification information request to a programmable logic controller through the pre-established protocol parsing function verification tool;
intercepting and parsing the function verification information request through the security gateway to obtain a corresponding request result;
and verifying the protocol parsing function of the security gateway according to the request result to obtain a corresponding verification result, wherein the verification result comprises the identification results for the function code, the address field and the value field.
2. The security gateway parsing function verification method of claim 1, wherein the protocol data unit type information comprises task function information and/or user data function information, the task function information comprises task primary function information and/or task secondary function information, the user data function information comprises user data primary function information and/or user data secondary function information, and the step of sending a corresponding function verification information request to the programmable logic controller through the pre-established protocol parsing function verification tool according to the function information comprises:
if the function information is the task primary function information, the task secondary function information and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the task function verification of the pre-established protocol parsing function verification tool;
if the function information is the user data primary function information, the user data secondary function information and/or the parameter information, sending a corresponding function verification information request to the programmable logic controller through the user data function verification of the pre-established protocol parsing function verification tool;
and if the function information is the task function information and/or the user data function information, sending a corresponding function verification information request to the programmable logic controller through the custom function verification of the pre-established protocol parsing function verification tool.
3. The security gateway parsing function verification method of claim 1, wherein the step of verifying the protocol parsing function of the security gateway according to the request result to obtain a corresponding verification result comprises:
verifying the protocol parsing function of the security gateway according to the request result;
if the request result is consistent with the function verification information request, obtaining an accurate verification result;
and if the request result is inconsistent with the function verification information request, obtaining an unparsable or inaccurate verification result.
4. The security gateway parsing function verification method of claim 1, wherein the step of acquiring function information for verifying protocol parsing, the function information comprising protocol data unit type information and/or parameter information, is preceded by the following steps:
constructing a protocol communication simulation environment;
obtaining a protocol analysis result in the protocol communication simulation environment;
and constructing the pre-established protocol parsing function verification tool according to the protocol parsing result.
5. The security gateway parsing function verification method of claim 4, wherein the step of obtaining a protocol parsing result in the protocol communication simulation environment comprises:
acquiring S7 protocol communication data in the protocol communication simulation environment;
and parsing the S7 protocol communication data according to the different functions to obtain a protocol parsing result, wherein the protocol parsing result comprises the different function data.
6. The security gateway parsing function verification method of claim 5, wherein the step of constructing the pre-established protocol parsing function verification tool according to the protocol parsing result comprises:
coding according to the different function data in the protocol parsing result, and constructing the protocol parsing function verification tool on a browser/server mode B/S structure.
7. A security gateway parsing function verification apparatus, characterized by comprising:
an acquisition module, used for acquiring function information for verifying protocol parsing, wherein the function information comprises protocol data unit type information and/or parameter information;
a verification module, used for performing multi-dimensional verification of the protocol parsing function of the security gateway according to the function information and a pre-established protocol parsing function verification tool to obtain a corresponding verification result, wherein the verification functions of the pre-established protocol parsing function verification tool comprise task function verification, user data function verification and custom function verification, and the custom function verification is used for directly verifying all functions including the task function and the user data function;
the verification module is further used for sending a corresponding function verification information request to a programmable logic controller through the pre-established protocol parsing function verification tool according to the function information;
intercepting and parsing the function verification information request through the security gateway to obtain a corresponding request result;
and verifying the protocol parsing function of the security gateway according to the request result to obtain a corresponding verification result, wherein the verification result comprises the identification results for the function code, the address field and the value field.
8. A terminal device, characterized in that the terminal device comprises a memory, a processor and a security gateway parsing function verification program stored on the memory and executable on the processor, the security gateway parsing function verification program, when executed by the processor, implementing the steps of the security gateway parsing function verification method according to any one of claims 1 to 6.
9. A storage medium having stored thereon a security gateway parsing function verification program, which, when executed by a processor, implements the steps of the security gateway parsing function verification method according to any one of claims 1 to 6.
CN202211264389.1A 2022-10-17 2022-10-17 Security gateway analysis function verification method and device, terminal device and storage medium Active CN115333872B (en)

Publications (2)

Publication Number Publication Date
CN115333872A CN115333872A (en) 2022-11-11
CN115333872B true CN115333872B (en) 2023-01-20

Family

ID=83915428

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant