CN115442154B - Method and system for verifying deep analysis of modular industrial control protocol packet - Google Patents


Info

Publication number: CN115442154B
Authority: CN (China)
Prior art keywords: industrial control; control protocol; protocol packet; time sequence; state transition
Legal status: Active
Application number: CN202211314618.6A
Other languages: Chinese (zh)
Other versions: CN115442154A (en)
Inventors: 周磊, 姜双林, 王自强
Current assignee: Beijing Andi Technology Co ltd
Original assignee: Beijing Andi Technology Co ltd

Events
Application filed by Beijing Andi Technology Co ltd
Priority to CN202211314618.6A
Publication of CN115442154A
Application granted
Publication of CN115442154B
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The application belongs to the field of industrial safety, and discloses a method and a system for deep analysis verification of a modular industrial control protocol packet. The invention analyzes the industrial control protocol packet, extracts key fields in the industrial control protocol packet, converts the key fields into input quantity and imports the input quantity into a simulator of an industrial control system; the industrial control system simulator establishes a state transition time sequence model of the industrial control system, and verifies the state time sequence transition of the simulator caused by the input quantity of the industrial control protocol packet, so that whether deep malicious behaviors exist in the industrial control protocol packet is analyzed and judged.

Description

Method and system for verifying deep analysis of modular industrial control protocol packet
Technical Field
The application relates to the technical field of industrial control system safety, in particular to a method and a system for deep analysis verification of a modular industrial control protocol packet.
Background
With the establishment and popularization of smart factories, industrial control systems with digital informatization and networking functions play increasingly significant roles. The industrial control system is composed of various automatic components, is communicated and matched with each other, and commonly undertakes functions in the aspects of data acquisition, control, monitoring and the like. Industrial control systems generally include a field layer, an intermediate process layer, and a management layer. The field layer comprises various digital devices, instruments, DCS or PLC control stations and the like on the factory field; the middle process layer comprises an engineer operation station, a POC server, a real-time database server, a monitoring center and the like; and the management layer comprises an MES system, a supply chain management system and the like.
The field layer and the intermediate process layer bear most of the functions of data acquisition, transmission and control instruction execution of the whole industrial control system. In order to meet the communication requirements of data and instructions at the field layer and the intermediate process layer, a large number of specialized industrial control protocols exist, and compared with communication protocols in other fields, the protocols pay more attention to the control capability of the facilities, namely, the protocols including predetermined functional code segments can start, stop, execute process regulation and control, check and modify monitoring data and the like on the facilities at the field layer and the intermediate process layer. In addition to the more common industrial control protocols, many facilities at the field level and the middle process level require support of their specific proprietary protocols, which brings a more complex situation for industrial control security. In the safety event of the industrial control system, an attacker often bypasses a management layer and directly exerts influence on a field layer and a middle process layer based on a specially written industrial control protocol packet, so that the purpose of damaging or invading facilities of the field layer and the middle process layer is achieved. Therefore, it is of particular interest to enhance industrial control security towards the field and intermediate process layers.
Deep packet analysis and verification oriented to the industrial control protocol packet are realized by extracting the typical characteristics of the industrial control protocol packet and, on the basis of those characteristics, monitoring and verifying the state of the industrial control system influenced by the packet, so that malicious industrial control protocol packets are effectively identified. At present there is much research on specific field identification, protocol feature extraction and analysis of industrial control protocol packets, but no scientific and effective method is yet available for system state verification based on the analysis of the industrial control protocol packet. In particular, there is no proper verification means for the timing transition of the system state of the industrial control system under the influence of the industrial control protocol packet and for its effects, so effective judgment and prevention of potential malicious behavior at a deeper level are impossible.
Disclosure of Invention
(I) Object of the application
Based on the method, the application discloses a method and a system for deep analysis verification of a modular industrial control protocol packet. The invention analyzes the industrial control protocol packet, extracts key fields in the industrial control protocol packet, converts the key fields into input quantity and imports the input quantity into a simulator of an industrial control system; the industrial control system simulator establishes a state transition time sequence model of the industrial control system, and verifies the state time sequence transition of the simulator caused by the input quantity of the industrial control protocol packet, so that whether deep malicious behaviors exist in the industrial control protocol packet is analyzed and judged.
(II) Technical scheme
The application discloses a deep analysis verification method for a modular industrial control protocol packet, which is characterized by comprising the following steps of:
analyzing the industrial control protocol packet, namely splitting the industrial control protocol packet layer by layer based on the followed industrial control protocol, extracting the effective load information in each layer of field of the industrial control protocol packet, and determining the parameters related to the state transition of the industrial control protocol packet and the industrial control system according to the effective load information;
establishing a state transition input quantity, namely forming a state transition time sequence according to parameters related to state transition aiming at an industrial control protocol packet received according to time sequence in a preset verification time window; forming a state transition input quantity to the industrial control system simulator according to the state transition time sequence;
a time sequence migration state generation step, namely inputting the state migration input quantity into an industrial control system simulator, and determining the time sequence state of the industrial control system simulator caused by the state migration input quantity through rolling optimization of model coefficients based on a state migration time sequence model of the industrial control system simulator;
and a verification step, namely judging a non-preset state according to the time sequence state of the industrial control system simulator, and verifying the safety of the industrial control protocol packet according to the occurrence probability of the non-preset state.
Preferably, in the parsing step of the industrial control protocol packet, the name and version of the industrial control protocol being followed are determined from the header related information of the industrial control protocol packet; then, according to the corresponding protocol format definition file, the industrial control protocol packet is split into complete messages by layer; the field names and field values in the message of each layer are then decoded and analyzed, invalid field names or field values irrelevant to the parsing and verification of the industrial control protocol packet are eliminated, the field names and field values relevant to the parsing and verification in each layer of fields of the industrial control protocol packet are extracted as the payload information, and the parameters relevant to the state transition of the industrial control protocol packet and the industrial control system are determined according to the payload information.
Preferably, the state transition related parameter is represented as an array formed by a series of triples, and the triplet array includes a data field value, a type field value, and a time sequence number field value.
Preferably, in the step of establishing the state transition input amount, for each triple of the parameters related to the state transition, an expected response type and an expected response value caused by the data domain value and the type domain value to the industrial control system are determined, and the expected response values are arranged according to a time sequence to form a state transition time sequence in the whole verification time window.
Preferably, in the time-series transition state generating step, the state-series transition model is expressed as:
Figure 197103DEST_PATH_IMAGE001
wherein,
Figure 687603DEST_PATH_IMAGE002
indicating the prediction length, i.e. the model simulation continues for
Figure 443200DEST_PATH_IMAGE002
consecutive time sequence numbers starting from the kth time sequence number,
Figure 490922DEST_PATH_IMAGE003
to predict the length
Figure 380380DEST_PATH_IMAGE002
Under the condition of
Figure 483245DEST_PATH_IMAGE004
The response value of the industrial control system under each time sequence number;
Figure 206481DEST_PATH_IMAGE005
and
Figure 820128DEST_PATH_IMAGE006
are the kth and the
Figure 372332DEST_PATH_IMAGE007
Expected response values of the industrial control system under the time sequence numbers;
Figure 243948DEST_PATH_IMAGE008
is a first
Figure 403665DEST_PATH_IMAGE007
The initial state response value of the industrial control system under each time sequence number is the response value of the industrial control system under the condition that no influence is brought by the state transition input quantity;
Figure 409667DEST_PATH_IMAGE009
is a proportionality coefficient;
Figure 100002_DEST_PATH_IMAGE011A
and
Figure 100002_DEST_PATH_IMAGE013A
respectively represent the numbers of reference quantities obtained by modeling the actually measured industrial control system.
Furthermore, the invention provides a system for deep analysis and verification of a modular industrial control protocol packet, which is characterized by comprising the following components:
the industrial control protocol packet analysis module is used for splitting the industrial control protocol packet layer by layer based on the followed industrial control protocol, extracting the effective load information in each layer of field of the industrial control protocol packet, and determining the parameters related to the state transition of the industrial control protocol packet and the industrial control system according to the effective load information;
the state transition input quantity establishing module is used for forming a state transition time sequence according to the parameters related to the state transition aiming at the industrial control protocol packet received according to the time sequence in a preset verification time window; forming a state transition input quantity to the industrial control system simulator according to the state transition time sequence;
the industrial control simulator is used for determining the time sequence state of the industrial control system simulator caused by the state transition input quantity through the rolling optimization of model coefficients based on a state transition time sequence model according to the input state transition input quantity;
and the verification module is used for judging the non-predetermined state according to the time sequence state of the industrial control system simulator and verifying the safety of the industrial control protocol packet according to the occurrence probability of the non-predetermined state.
Preferably, the analysis module of the industrial control protocol packet is configured to determine the industrial control protocol name and version followed by the industrial control protocol packet from the header related information of the industrial control protocol packet, then split the industrial control protocol packet into complete messages by layer according to the corresponding protocol format definition file, decode and analyze the field names and field values in the messages of each layer, exclude invalid field names or field values that are not related to the analysis and verification of the industrial control protocol packet, extract the field names and field values related to the analysis and verification of the industrial control protocol packet in the fields of each layer as payload information, and determine the parameters related to the state transition of the industrial control protocol packet and the industrial control system according to the payload information.
Preferably, the state transition related parameter is represented as an array of a series of triples, where the triplet array includes a data field value, a type field value, and a timing number field value.
Preferably, the state transition input quantity establishing module is configured to, for each triple of the state transition related parameters, determine an expected response type and an expected response value that are caused by the data domain value and the type domain value to the industrial control system, and form a state transition time sequence in the entire verification time window by arranging the expected response values according to a time sequence.
Preferably, the state transition timing model is expressed as:
Figure 359038DEST_PATH_IMAGE001
wherein,
Figure 881898DEST_PATH_IMAGE002
indicating the prediction length, i.e. the model simulation continues for
Figure 133888DEST_PATH_IMAGE002
consecutive time sequence numbers starting from the kth time sequence number,
Figure 909077DEST_PATH_IMAGE003
to predict the length
Figure 350554DEST_PATH_IMAGE002
Under the condition of
Figure 931184DEST_PATH_IMAGE004
The response value of the industrial control system under each time sequence number;
Figure 980173DEST_PATH_IMAGE005
and
Figure 695188DEST_PATH_IMAGE006
are the kth and the
Figure 143618DEST_PATH_IMAGE007
The expected response value of the industrial control system under each time sequence number;
Figure 109913DEST_PATH_IMAGE008
is as follows
Figure 969284DEST_PATH_IMAGE007
The initial state response value of the industrial control system under each time sequence number is the response value of the industrial control system under the condition that no influence is brought by the state transition input quantity;
Figure 391170DEST_PATH_IMAGE009
is a proportionality coefficient;
Figure 100002_DEST_PATH_IMAGE011AA
and
Figure DEST_PATH_IMAGE013AA
respectively represent the numbers of reference quantities obtained by modeling the actually measured industrial control system.
(III) Advantageous effects
In summary, on the basis of performing characterization analysis on the key fields of the industrial control protocol packet, the present invention quantifies them and characterizes them in time order as a state time sequence transition sequence, so as to form an effective input quantity; furthermore, the state transition time sequence model of the industrial control system simulator is used to verify the state time sequence transition of the simulator caused by the input quantity of the industrial control protocol packet, so that the evolution of the response state of the actual industrial control system caused by the industrial control protocol packet can be effectively simulated, and whether deep malicious behaviors exist in the industrial control protocol packet can be analyzed and judged. Compared with the traditional deep packet analysis mode, the analysis and judgment of the industrial control protocol packet are deeper, because a response closer to that of the real industrial control system is verified, and the ability to judge malicious industrial control protocol packets that use highly disguised and fragmented complex strategies is stronger.
Drawings
The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining and illustrating the present application and should not be construed as limiting the scope of the present application.
FIG. 1 is a flow chart of a method for deep parsing verification of a modular industrial control protocol packet disclosed in the present application;
fig. 2 is a block diagram of a modular industrial control protocol packet deep parsing verification system disclosed in the present application.
Detailed Description
In order to make the implementation objects, technical solutions and advantages of the present application clearer, the technical solutions in the embodiments of the present application will be described in more detail below with reference to the drawings in the embodiments of the present application.
The application provides a method and a system for deep analysis and verification of a modular industrial control protocol packet. The method comprises the steps of analyzing an industrial control protocol packet, extracting key fields in the industrial control protocol packet, converting the key fields into state transition input quantity, and importing the state transition input quantity into a simulator of an industrial control system; the industrial control system simulator establishes a state transition time sequence model of the industrial control system, and verifies the state time sequence transition of the simulator caused by the input quantity of the industrial control protocol packet, so that whether deep malicious behaviors and potential risk levels exist in the industrial control protocol packet or not is analyzed and judged.
Referring to fig. 1, the method for deep analysis and verification of the modular industrial control protocol packet according to the present invention includes the following steps:
analyzing the industrial control protocol packet, namely splitting the industrial control protocol packet layer by layer based on the followed industrial control protocol, extracting the effective load information in each layer of field of the industrial control protocol packet, and determining the parameters related to the state transition of the industrial control protocol packet and the industrial control system according to the effective load information;
establishing a state transition input quantity, namely forming a state transition time sequence according to the parameters related to state transition aiming at an industrial control protocol packet received according to the time sequence in a preset verification time window; forming a state transition input quantity to the industrial control system simulator according to the state transition time sequence;
a time sequence migration state generation step, namely inputting the state migration input quantity into an industrial control system simulator, and determining the time sequence state of the industrial control system simulator caused by the state migration input quantity through rolling optimization of model coefficients based on a state migration time sequence model of the industrial control system simulator;
and a verification step, namely judging a non-preset state according to the time sequence state of the industrial control system simulator, and verifying the safety of the industrial control protocol packet according to the occurrence probability of the non-preset state.
Specifically, in the step of analyzing the industrial control protocol packet, the industrial control protocols that can be supported include the common IEC 60870-104, Modbus/TCP, BACnet/IP, CC-Link and the like, and also proprietary protocols that may be provided by various facilities in the industrial control system. The method determines the name and version of the industrial control protocol followed by the industrial control protocol packet from the header related information of the packet, then, according to the corresponding protocol format definition file, splits the industrial control protocol packet into complete messages by layer, decodes and analyzes the field names and field values in the message of each layer, and eliminates invalid field names or field values irrelevant to the analysis and verification of the industrial control protocol packet, thereby extracting the field names and field values relevant to the analysis and verification in each layer of fields of the industrial control protocol packet as payload information, and determining the parameters relevant to the state transition of the industrial control protocol packet and the industrial control system according to the payload information.
For example, for an industrial control protocol packet conforming to the IEC 60870-104 protocol, first, the fixed header related information in the industrial control protocol packet is parsed, the protocol type identifier, the total message length and the like are determined, and the data link layer protocol identifier is determined; further, for the data link layer message split from the industrial control protocol packet, the source MAC address, the destination MAC address and the network layer protocol identifier are parsed, where the network layer protocol identifier includes IPv4, ARP, IPv6 and the like; for the network layer data packet split from the industrial control protocol packet, the source IP, the destination IP and the transport layer protocol identifier are further extracted, where the transport layer protocol identifier includes TCP, UDP and the like; the transport layer data packet split from the industrial control protocol packet is parsed to further obtain the source port number and the destination port number; further, the application layer data packet is extracted from the industrial control protocol packet, the fields included in the header of the application layer packet, such as the protocol identifier, APDU length, control field, type identifier, variable structure qualifier, cause of transmission and common address, are parsed together with their field names and field values, and field names such as register object address, register value, function identifier, event identifier, overflow identifier, lock identifier, priority, caller ID, receive sequence number and send sequence number, together with their field values, are parsed in each information frame of the application layer packet.
For another example, similarly, for an industrial control protocol packet conforming to the CC-Link protocol, by sequentially parsing messages or data packets of a physical layer, a data Link layer, and an application layer, field names such as a source MAC address, a destination MAC address, a preamble, a sender address, a receiver address, state information, a CRC check code, and a register value, and field values thereof are extracted. And in the process of analyzing the messages of all the layers, eliminating invalid field names or field values which are irrelevant to the analysis and the verification of the industrial control protocol packet, thereby extracting the field names and the field values thereof relevant to the analysis and the verification of the industrial control protocol packet in the fields of all the layers of the industrial control protocol packet as effective load information.
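The layer-by-layer parse described above, worked as an added Python example that is not part of the patent and not code from its assignee: it decodes a constructed IEC 60870-5-104 APDU (the page writes IEC 60870-104) into the APCI fields named above (start byte, APDU length, control field, send and receive sequence numbers) and the ASDU fields (type identifier, variable structure qualifier, cause of transmission, common address, information object address and value), then keeps only the fields treated as relevant to state transition verification. The type-identifier table, the cause-of-transmission names, the choice of relevant fields and the sample bytes are assumptions constructed for the example; the link, network and transport layers are not parsed here because a TCP socket already delivers the APDU.

```python
"""Layer-by-layer parse of an IEC 60870-5-104 APDU (constructed example)."""
from typing import Any, Dict, List

START_BYTE = 0x68

# Assumed table: type identifier -> (function type label, size in bytes of the
# information element that follows the 3-byte information object address).
TYPE_TABLE: Dict[int, tuple] = {
    1: ("single_point", 1),     # M_SP_NA_1: SIQ
    45: ("single_command", 1),  # C_SC_NA_1: SCO
    46: ("double_command", 1),  # C_DC_NA_1: DCO
    100: ("interrogation", 1),  # C_IC_NA_1: QOI
}

# Assumed subset of cause-of-transmission codes.
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation_confirmation",
             20: "interrogated_by_station"}

# Fields kept as relevant to state transition verification (an assumption for
# this example; the page names only categories of relevant fields).
RELEVANT_FIELDS = ("function_type", "cot", "common_address", "send_seq")


def parse_apci(apdu: bytes) -> Dict[str, Any]:
    """Split off the 6-byte APCI: start byte, APDU length and 4 control bytes."""
    if len(apdu) < 6 or apdu[0] != START_BYTE:
        raise ValueError("not an IEC 60870-5-104 APDU")
    apdu_len = apdu[1]
    if apdu_len + 2 != len(apdu):
        raise ValueError(f"APDU length {apdu_len} does not match {len(apdu) - 2} bytes")
    c = apdu[2:6]
    if c[0] & 0x01 == 0:
        fmt = "I"          # information transfer: carries an ASDU
    elif c[0] & 0x03 == 0x01:
        fmt = "S"          # supervisory: receive sequence number only
    else:
        fmt = "U"          # unnumbered control (STARTDT, STOPDT, TESTFR)
    return {
        "protocol_identifier": apdu[0],
        "apdu_length": apdu_len,
        "format": fmt,
        "send_seq": ((c[0] >> 1) | (c[1] << 7)) if fmt == "I" else None,
        "recv_seq": ((c[2] >> 1) | (c[3] << 7)) if fmt != "U" else None,
        "asdu": apdu[6:] if fmt == "I" else b"",
    }


def parse_asdu(asdu: bytes) -> Dict[str, Any]:
    """Decode the ASDU header and each information object (SQ=0 layout only)."""
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_byte, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    common_address = int.from_bytes(asdu[4:6], "little")
    sq, count = vsq >> 7, vsq & 0x7F
    if sq:
        raise ValueError("SQ=1 (sequence of elements) is not handled in this example")
    if type_id not in TYPE_TABLE:
        raise ValueError(f"unknown type identifier {type_id}")
    function_type, elem_size = TYPE_TABLE[type_id]
    objects: List[Dict[str, int]] = []
    pos = 6
    for _ in range(count):
        if pos + 3 + elem_size > len(asdu):
            raise ValueError("information object truncated")
        ioa = int.from_bytes(asdu[pos:pos + 3], "little")
        value = int.from_bytes(asdu[pos + 3:pos + 3 + elem_size], "little")
        objects.append({"ioa": ioa, "value": value})
        pos += 3 + elem_size
    if pos != len(asdu):
        raise ValueError("trailing bytes after the last information object")
    cot = cot_byte & 0x3F
    return {
        "type_id": type_id,
        "function_type": function_type,
        "count": count,
        "cot": cot,
        "cot_name": COT_NAMES.get(cot, "other"),
        "test": bool(cot_byte & 0x80),
        "negative": bool(cot_byte & 0x40),
        "originator": originator,
        "common_address": common_address,
        "objects": objects,
    }


def extract_payload(apdu: bytes) -> Dict[str, Any]:
    """Parse both layers and keep only the fields relevant to verification."""
    apci = parse_apci(apdu)
    if apci["format"] != "I":
        return {"format": apci["format"]}   # S and U frames carry no process data
    asdu = parse_asdu(apci["asdu"])
    merged = {**apci, **asdu}
    payload = {name: merged[name] for name in RELEVANT_FIELDS}
    payload["objects"] = asdu["objects"]
    return payload


# Constructed sample: I-format APDU, send seq 3, recv seq 2, carrying one
# C_SC_NA_1 single command (activation) for common address 1, IOA 1, value ON.
SAMPLE_APDU = bytes.fromhex("680e06000400" "2d0106000100" "010000" "01")

if __name__ == "__main__":
    print(extract_payload(SAMPLE_APDU))
```

Every length check raises rather than silently truncating: a verifier that accepts an APDU whose declared length disagrees with the bytes actually received would feed a wrong triple into the later steps, so a malformed packet is better reported than guessed at.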
And furthermore, in the analysis step of the industrial control protocol packet, determining parameters related to the state transition of the industrial control protocol packet and the industrial control system according to the effective load information. Representing the parameters related to state migration as an array formed by a series of triples, wherein the triplet array comprises three field values of data, types and time sequence numbers; the data field value is mainly the value of fields such as transmission reason, register address, function identification, event identification, caller ID and the like obtained from the effective load information; the type field value represents the function type of the industrial control system indicated by the effective load information; and the time sequence number field value represents a time sequence number arranged in all industrial control protocol packets sent to the industrial control system in a preset verification time window.
And establishing a state transition input quantity, namely forming a state transition time sequence according to the parameters related to state transition for the industrial control protocol packets received in time order within the verification time window. As described above, the parameter related to state transition is a triple array composed of a series of data field values, type field values and time sequence number field values. In this step, for each triple, the expected response type and the expected response value that its data field value and type field value cause in the industrial control system are determined, and it is first analyzed whether the expected response type already exists within the range of the verification time window or is a new response type; if it is a new response type, the new response type is registered for the verification time window, and a default initial value is directly added as the expected response value for the new response type in the state transition time sequence corresponding to the verification time window; if the response type already exists, the expected response value is determined from the triple for that response type and recorded in the state transition time sequence. Therefore, for the industrial control protocol packets received in time order in the whole verification time window, a state transition time sequence over the whole verification time window, formed by arranging the expected response values in time order, is generated from the triple arrays parsed from the industrial control protocol packets. Further, in this step, a state transition input quantity to the industrial control system simulator is formed based on the state transition time sequence, and expressed as
Figure 594356DEST_PATH_IMAGE005
; where k represents the kth time sequence number of the state transition time sequence, and
Figure 667354DEST_PATH_IMAGE005
is the expected response value of the corresponding industrial control system under the kth time sequence number.
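The triple array of the analysis step, the registration of new response types with a default initial value in the step above, and the verification step's judgment of non-preset states by occurrence probability, worked as one added Python example (not the patent's own code, nor the assignee's). The response rules in `expected_response`, the default initial value of 0, the preset state sets, the threshold and the constructed triples are assumptions for the example. The page obtains the time sequence state from the simulator's state transition time sequence model (formula (I), reproduced on this page only as an image), so here the verification function is fed the expected-response sequence directly as a stand-in for the simulator output.

```python
"""Triple array -> state transition time sequence -> non-preset state probability."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_INITIAL_VALUE = 0   # assumed default initial value for a newly registered response type


@dataclass
class Triple:
    """One entry of the triple array: data field values, function type, time sequence number."""
    data: dict
    type: str
    seq: int


def expected_response(t: Triple) -> Tuple[str, int]:
    """Derive (expected response type, expected response value) from the data and
    type field values. The rules below are assumptions made for this example."""
    addr = t.data.get("register_address", 0)
    if t.type in ("single_command", "set_point"):
        return f"{t.type}@{addr}", int(t.data["value"])
    if t.type == "interrogation":
        return "interrogation", 1
    return f"{t.type}@{addr}", int(t.data.get("value", DEFAULT_INITIAL_VALUE))


def build_state_sequence(triples: List[Triple],
                         window: Tuple[int, int]) -> List[Tuple[int, str, int]]:
    """Arrange expected response values by time sequence number inside the window.
    A response type seen for the first time in the window is registered and
    contributes the default initial value; later occurrences contribute the
    value derived from their own triple."""
    registered: Dict[str, int] = {}
    sequence: List[Tuple[int, str, int]] = []
    lo, hi = window
    for t in sorted(triples, key=lambda x: x.seq):
        if not lo <= t.seq <= hi:
            continue                      # outside the verification time window
        rtype, value = expected_response(t)
        if rtype not in registered:
            registered[rtype] = DEFAULT_INITIAL_VALUE
            sequence.append((t.seq, rtype, DEFAULT_INITIAL_VALUE))
        else:
            registered[rtype] = value
            sequence.append((t.seq, rtype, value))
    return sequence


def verify_window(states: List[Tuple[int, str, int]], preset: Dict[str, object],
                  threshold: float) -> Tuple[float, bool]:
    """Judge each time-sequence state against the preset states of its response
    type and return (occurrence probability of non-preset states, safe?).
    A response type with no preset states at all counts as non-preset."""
    if not states:
        return 0.0, True
    non_preset = [s for s in states if s[2] not in preset.get(s[1], ())]
    probability = len(non_preset) / len(states)
    return probability, probability <= threshold


# Constructed triples for one verification window (sequence numbers 1..8; 9 is outside).
SAMPLE_TRIPLES = [
    Triple({"cause": 6, "register_address": 1, "value": 1}, "single_command", 1),
    Triple({"cause": 6, "register_address": 1, "value": 1}, "single_command", 2),
    Triple({"cause": 6, "register_address": 40, "value": 50}, "set_point", 3),
    Triple({"cause": 6, "register_address": 40, "value": 50}, "set_point", 4),
    Triple({"cause": 6, "register_address": 40, "value": 250}, "set_point", 5),
    Triple({"cause": 6, "register_address": 0}, "interrogation", 6),
    Triple({"cause": 6, "register_address": 1, "value": 0}, "single_command", 7),
    Triple({"cause": 6, "register_address": 40, "value": 250}, "set_point", 8),
    Triple({"cause": 6, "register_address": 40, "value": 250}, "set_point", 9),
]
# Assumed preset (allowed) states per response type.
PRESET_STATES = {"single_command@1": {0, 1}, "set_point@40": range(0, 101),
                 "interrogation": {0, 1}}
THRESHOLD = 0.1   # assumed maximum tolerated probability of non-preset states

if __name__ == "__main__":
    seq = build_state_sequence(SAMPLE_TRIPLES, (1, 8))
    for entry in seq:
        print(entry)
    # Stand-in: the page would pass the simulator's time sequence state here.
    print(verify_window(seq, PRESET_STATES, THRESHOLD))
```

In the constructed window the two set-point writes of 250 fall outside the preset range, giving a non-preset probability of 2/8 = 0.25, above the assumed threshold, so the window is flagged; a single out-of-range write in a long window would stay below the threshold, which is the point of judging by occurrence probability rather than by any one state.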
And a time sequence migration state generation step, namely inputting the state migration input quantity into the industrial control system simulator, wherein the simulation mechanism of the simulator is based on a state migration time sequence model of the industrial control system simulator, and the time sequence state of the industrial control system simulator caused by the state migration input quantity is determined through rolling optimization of a model coefficient. The state transition timing model is represented as:
Figure 448359DEST_PATH_IMAGE001
formula (I)
Wherein,
Figure 419857DEST_PATH_IMAGE002
indicating the prediction length, i.e. the model simulation continues for
Figure 193778DEST_PATH_IMAGE002
consecutive time sequence numbers starting from the kth time sequence number,
Figure 603507DEST_PATH_IMAGE003
to predict the length
Figure 539101DEST_PATH_IMAGE002
Under the condition of
Figure 466737DEST_PATH_IMAGE004
The response value of the industrial control system under each time sequence number, namely the time sequence state of the industrial control system;
Figure 795082DEST_PATH_IMAGE005
and
Figure 577093DEST_PATH_IMAGE006
are, for the state transition input quantity described above, the kth and the
Figure 949168DEST_PATH_IMAGE007
Expected response values of the industrial control system under the time sequence numbers;
Figure 98521DEST_PATH_IMAGE008
is as follows
Figure 251064DEST_PATH_IMAGE007
The initial state response value of the industrial control system under each time sequence number is the response value of the industrial control system under the condition that no influence is brought by the state transition input quantity;
Figure 418740DEST_PATH_IMAGE014
as a scale factor by calculation
Figure 712449DEST_PATH_IMAGE014
Can obtain the product
Figure 942574DEST_PATH_IMAGE008
Figure 347141DEST_PATH_IMAGE006
Figure 103745DEST_PATH_IMAGE005
The proportion in the model is based on the three parameters after the cycle rolling optimization to determine the time sequence state simulated by the industrial control system simulator
Figure 96584DEST_PATH_IMAGE003
Lower pair
Figure 220529DEST_PATH_IMAGE014
The manner of circular rolling optimization of the parameters is explained. First, the reference quantity for executing the circular rolling optimization is called
Figure 474793DEST_PATH_IMAGE015
And
Figure 571056DEST_PATH_IMAGE016
formed reference quantity matrix
Figure 986994DEST_PATH_IMAGE017
,
Figure 67076DEST_PATH_IMAGE018
Wherein
Figure 328293DEST_PATH_IMAGE019
Representing the reference quantity
Figure 541712DEST_PATH_IMAGE020
The number of the (c) is,
Figure 597393DEST_PATH_IMAGE021
representing a reference quantity
Figure 164772DEST_PATH_IMAGE016
The number of (2); each of the above actual values
Figure 964101DEST_PATH_IMAGE022
And
Figure 300535DEST_PATH_IMAGE016
the method is obtained by modeling an actual measurement industrial control system. Further, the calculation is performed in the following circular rolling optimization manner:
(1) Circular rolling calculation for [IMAGE023]:

Set the initial conditions:

[IMAGE024]    formula (2)

Assign values according to the initial conditions, [IMAGE025]; then start the following circular rolling:

for j = 2, …, [IMAGE026] do
    for i = 1, …, p do
        [IMAGE027]
    end for
end for

where for [IMAGE028], formula (3) gives:

[IMAGE029]    formula (3)

(2) Circular rolling calculation for [IMAGE030]:

Set the initial conditions by formula (4):

[IMAGE031]    formula (4)

Assign values according to the initial conditions, [IMAGE032]; then start the following circular rolling:

for j = 2, …, [IMAGE026] do
    for i = 1, …, p do
        [IMAGE033]
    end for
end for

where for [IMAGE034], formula (5) gives:

[IMAGE035]    formula (5)

(3) Circular rolling calculation for [IMAGE036]:

Set the initial conditions by formula (6):

[IMAGE037] = 0    formula (6)

Assign values according to the initial conditions, [IMAGE038], [IMAGE039]; then start the following circular rolling:

for i = 1, …, [IMAGE026] do
    [IMAGE040]
end for

where for [IMAGE041], formula (7) gives:

[IMAGE042]    formula (7)
Verification step: according to the time sequence state [IMAGE003] simulated by the industrial control system simulator in the previous step over the prediction length [IMAGE026], the occurrence rate of non-predetermined states is judged, and the safety of the industrial control protocol packet is verified according to the occurrence probability of non-predetermined states. If, within the time sequence state [IMAGE003] over the prediction length [IMAGE026], the proportion of states not predetermined by the industrial control system is higher than a preset proportion threshold, the industrial control protocol packet verified this time is considered to carry a security risk.
The invention further provides a system for deep analysis and verification of a modular industrial control protocol packet, shown in fig. 2, which comprises the following modules:
the industrial control protocol packet parsing module, used to split the industrial control protocol packet layer by layer based on the industrial control protocol it follows, extract the payload information from the fields of each layer of the packet, and determine from the payload information the parameters related to the state transition of the industrial control protocol packet and the industrial control system;
the state transition input quantity establishing module, used to form, for the industrial control protocol packets received in time order within a preset verification time window, a state transition time sequence from the state-transition-related parameters, and to form from that state transition time sequence the state transition input quantity to the industrial control system simulator;
the industrial control simulator, used to determine, from the input state transition input quantity and based on a state transition time sequence model, the time sequence state of the industrial control system simulator caused by the state transition input quantity through rolling optimization of the model coefficients;
and the verification module, used to judge non-predetermined states from the time sequence state of the industrial control system simulator and to verify the safety of the industrial control protocol packet according to the occurrence probability of the non-predetermined states.
Preferably, the industrial control protocol packet parsing module is configured to determine the name and version of the industrial control protocol followed by the packet from the header-related information of the packet, split the packet into complete messages by layer according to the corresponding protocol format definition file, decode and analyze the field names and field values in the message of each layer, exclude invalid field names or field values that are irrelevant to the parsing and verification of the packet, extract as payload information the field names and field values in each layer's fields that are relevant to parsing and verification, and determine from the payload information the parameters related to the state transition of the industrial control protocol packet and the industrial control system.
Preferably, the state-transition-related parameter is represented as an array of triples, each triple comprising a data field value, a type field value and a time sequence number field value.
Preferably, the state transition input quantity establishing module is configured to determine, for each triple of the state-transition-related parameters, the expected response type and expected response value that its data field value and type field value cause in the industrial control system, and to form the state transition time sequence over the whole verification time window by arranging the expected response values in time order.
Preferably, the state transition time sequence model is expressed as:

[IMAGE001]    formula (8)

where [IMAGE002] is the prediction length, i.e. the model simulation runs for [IMAGE002] consecutive time sequence numbers starting from the k-th time sequence number; [IMAGE003] is the response value of the industrial control system at the [IMAGE004] time sequence numbers under prediction length [IMAGE002]; [IMAGE005] and [IMAGE006] are the expected response values of the industrial control system at the k-th and the [IMAGE007]-th time sequence numbers of the state transition input quantity; [IMAGE008] is the initial state response value of the industrial control system at the [IMAGE007]-th time sequence number, i.e. its response value when it is not influenced by the state transition input quantity; [IMAGE043] is a proportionality coefficient; [IMAGE011] and [IMAGE013] are the numbers of reference quantities obtained by modelling the actually measured industrial control system.
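The flow described in the method steps and restated in the module description above (parse each packet into (data, type, sequence number) triples, turn a verification window of them into a state transition input, simulate the plant with coefficients fitted against measured reference data, and flag the window when too many predicted states fall outside what the system predetermines) is shown below as an added example. It is not the patent's code. The 8-byte frame layout, the type-to-response mapping, the first-order plant model, the least-squares gain fit that stands in for the patent's rolling optimization (whose formula survives only as images on this page), the allowed band of 40..60 and the 0.3 threshold are all assumptions; the two packet windows and the reference data are constructed.

```python
"""Toy packet-to-simulator verification flow (added example, not the patent's
code). Frame layout, response-type mapping, plant model, least-squares fit,
band and threshold are assumptions; all input data is constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Constructed frame (assumption). Layer 1: 2-byte magic "IC", 1-byte version,
# 2-byte big-endian sequence number. Layer 2: 1-byte message type, 2-byte value.
FRAME = struct.Struct(">2sBHBH")
RESPONSE_TYPE = {0x10: "setpoint", 0x11: "valve"}  # hypothetical type -> response type


@dataclass(frozen=True)
class Triple:
    data: int
    type: int
    seq: int


def parse_frame(raw: bytes) -> Triple:
    """Split one frame by layer, check protocol/version from the header, drop
    the fields irrelevant to verification (magic, version), keep the triple."""
    if len(raw) != FRAME.size:
        raise ValueError(f"bad frame length {len(raw)}")
    magic, version, seq, msg_type, value = FRAME.unpack(raw)
    if magic != b"IC" or version != 1:
        raise ValueError("unknown protocol or version")
    return Triple(data=value, type=msg_type, seq=seq)


def build_input_sequence(triples: list[Triple], default: float) -> list[float]:
    """State transition input u[k]: triples ordered by sequence number, each
    mapped to an expected response value. A response type first seen in the
    window is registered and contributes the default initial value (assumed
    to be the plant baseline); a known type contributes its data field value."""
    registry: dict[str, float] = {}
    u: list[float] = []
    for t in sorted(triples, key=lambda t: t.seq):
        rtype = RESPONSE_TYPE.get(t.type, f"unknown-{t.type:#x}")
        if rtype not in registry:
            registry[rtype] = default
            u.append(default)
        else:
            registry[rtype] = float(t.data)
            u.append(float(t.data))
    return u


def fit_gain(ref_u: list[float], ref_x: list[float], ref_x0: float) -> float:
    """Least-squares gain a of x[k+1] = x[k] + a*(u[k] - x[k]) from reference
    (input, response) pairs measured on the real plant (constructed here).
    Stand-in for the patent's rolling coefficient optimization."""
    num = den = 0.0
    x = ref_x0
    for uk, xk1 in zip(ref_u, ref_x):
        d = uk - x
        num += d * (xk1 - x)
        den += d * d
        x = xk1
    return num / den if den else 0.0


def simulate(u: list[float], x0: float, gain: float, horizon: int) -> list[float]:
    """Roll the model forward over the prediction horizon; once the inputs run
    out the last expected response value is held (assumption)."""
    x, states = x0, []
    for k in range(horizon):
        uk = u[k] if k < len(u) else (u[-1] if u else x0)
        x = x + gain * (uk - x)
        states.append(x)
    return states


def verify_window(frames: list[bytes], x0: float, band: tuple[float, float],
                  threshold: float, horizon: int = 8) -> tuple[bool, float, list[float]]:
    """Whole flow for one verification window. Returns (risky, ratio, states);
    ratio is the share of predicted states outside the predetermined band."""
    u = build_input_sequence([parse_frame(f) for f in frames], default=x0)
    states = simulate(u, x0, fit_gain(REF_U, REF_X, REF_X0), horizon)
    low, high = band
    ratio = sum(1 for s in states if not low <= s <= high) / len(states)
    return ratio > threshold, ratio, states


def frame(seq: int, msg_type: int, value: int) -> bytes:
    return FRAME.pack(b"IC", 1, seq, msg_type, value)


# Constructed reference data: a step input of 50 and the plant's measured
# response from 0 (consistent with a gain of 0.5).
REF_X0, REF_U, REF_X = 0.0, [50.0] * 4, [25.0, 37.5, 43.75, 46.875]
# Constructed windows: benign jitter around the baseline, received out of order,
# and a fragmented ramp whose packets each look plausible on their own.
BENIGN = [frame(3, 0x10, 48), frame(1, 0x10, 50), frame(2, 0x10, 52), frame(4, 0x10, 50)]
RAMP = [frame(i + 1, 0x10, v) for i, v in enumerate([55, 62, 70, 85, 100, 120])]

if __name__ == "__main__":
    for name, win in (("benign", BENIGN), ("ramp", RAMP)):
        risky, ratio, states = verify_window(win, x0=50.0, band=(40.0, 60.0), threshold=0.3)
        print(f"{name}: risky={risky} out-of-band ratio={ratio:.2f} states={states}")
```

The ramp window is the case the page is aimed at: no single frame is malformed and each setpoint is only a modest step from the previous one, so per-packet inspection has nothing to match on, while the simulated state leaves the band in six of the eight predicted steps. The default-value rule for a newly registered response type matters in practice: using 0 instead of the plant baseline would itself throw the benign window out of band, so the default should be chosen per response type rather than as a global constant.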
In summary, on the basis of characterization analysis of the key fields of the industrial control protocol packet, the present invention quantifies and time-orders the result into a state time sequence transition sequence, thereby forming an effective input quantity; it then uses the state transition time sequence model of the industrial control system simulator to verify the state time sequence transition of the simulator caused by the input quantity derived from the industrial control protocol packet. The evolution of the response state that the industrial control protocol packet would cause in an actual industrial control system can thus be simulated effectively, and the analysis and judgment of whether the industrial control protocol packet carries deep malicious behaviour is realized. Compared with conventional deep packet analysis, the analysis of the industrial control protocol packet goes deeper, because the verification is performed against a response closer to that of the real industrial control system, and the ability to judge malicious industrial control protocol packets that use complex strategies combining strong disguise with fragmentation is stronger.
The division of modules, units or components herein is merely a logical division; other divisions are possible in an actual implementation, for example several modules and/or units may be combined or integrated into another system. Modules, units or components described as separate parts may or may not be physically separate. Components shown as units may or may not be physical units; they may be located in one place or distributed over grid units. Some or all of the units may therefore be selected according to actual needs to implement the scheme of the embodiment.
The above description covers only specific embodiments of the present application, but the scope of the present application is not limited thereto; any changes or substitutions that can be readily conceived by those skilled in the art within the technical scope of the present application shall fall within the scope of the present application. The protection scope of the present application is therefore subject to the protection scope of the claims.

Claims (10)

1. A method for deep analysis and verification of a modular industrial control protocol packet, characterized by comprising the following steps:
an industrial control protocol packet parsing step: splitting the industrial control protocol packet layer by layer based on the industrial control protocol it follows, extracting the payload information from the fields of each layer of the packet, and determining from the payload information the parameters related to the state transition of the industrial control protocol packet and the industrial control system;
a state transition input quantity establishing step: forming, for the industrial control protocol packets received in time order within a preset verification time window, a state transition time sequence from the state-transition-related parameters, and forming from the state transition time sequence the state transition input quantity to the industrial control system simulator;
a time sequence transition state generation step: inputting the state transition input quantity into the industrial control system simulator, and determining, based on the state transition time sequence model of the simulator, the time sequence state of the simulator caused by the state transition input quantity through rolling optimization of the model coefficients;
and a verification step: judging non-predetermined states from the time sequence state of the industrial control system simulator, and verifying the safety of the industrial control protocol packet according to the occurrence probability of the non-predetermined states.
2. The method according to claim 1, wherein in the industrial control protocol packet parsing step, the name and version of the industrial control protocol followed by the industrial control protocol packet are determined from the header-related information of the packet; the packet is then split into complete messages by layer according to the corresponding protocol format definition file; the field names and field values in the message of each layer are decoded and analyzed; invalid field names or field values irrelevant to the parsing and verification of the packet are excluded; the field names and field values in each layer's fields that are relevant to the parsing and verification of the packet are extracted as payload information; and the parameters related to the state transition of the industrial control protocol packet and the industrial control system are determined from the payload information.
3. The method according to claim 2, wherein the state-transition-related parameter is represented as an array of triples, each triple comprising a data field value, a type field value and a time sequence number field value.
4. The method according to claim 3, wherein in the state transition input quantity establishing step, for each triple of the state-transition-related parameters, the expected response type and expected response value that the data field value and type field value of the triple cause in the industrial control system are determined, and the expected response values are arranged in time order to form the state transition time sequence over the whole verification time window.
5. The method for deep analysis and verification of a modular industrial control protocol packet according to claim 4, wherein in the time sequence transition state generation step the state transition time sequence model is expressed as:

[IMAGE001]

where [IMAGE002] is the prediction length, i.e. the model simulation runs for [IMAGE002] consecutive time sequence numbers starting from the k-th time sequence number; [IMAGE003] is the response value of the industrial control system at the [IMAGE004] time sequence numbers under prediction length [IMAGE002]; [IMAGE005] and [IMAGE006] are the expected response values of the industrial control system at the k-th and the [IMAGE007]-th time sequence numbers of the state transition input quantity; [IMAGE008] is the initial state response value of the industrial control system at the [IMAGE007]-th time sequence number, i.e. its response value when it is not influenced by the state transition input quantity; [IMAGE009] is a proportionality coefficient; [IMAGE011] and [IMAGE013] are the numbers of reference quantities obtained by modelling the actually measured industrial control system.
6. A system for deep analysis and verification of a modular industrial control protocol packet, characterized by comprising:
an industrial control protocol packet parsing module, used to split the industrial control protocol packet layer by layer based on the industrial control protocol it follows, extract the payload information from the fields of each layer of the packet, and determine from the payload information the parameters related to the state transition of the industrial control protocol packet and the industrial control system;
a state transition input quantity establishing module, used to form, for the industrial control protocol packets received in time order within a preset verification time window, a state transition time sequence from the state-transition-related parameters, and to form from the state transition time sequence the state transition input quantity to the industrial control system simulator;
an industrial control simulator, used to determine, from the input state transition input quantity and based on a state transition time sequence model, the time sequence state of the industrial control system simulator caused by the state transition input quantity through rolling optimization of the model coefficients;
and a verification module, used to judge non-predetermined states from the time sequence state of the industrial control system simulator and to verify the safety of the industrial control protocol packet according to the occurrence probability of the non-predetermined states.
7. The system according to claim 6, wherein the industrial control protocol packet parsing module is configured to determine the name and version of the industrial control protocol followed by the industrial control protocol packet from the header-related information of the packet, split the packet into complete messages by layer according to the corresponding protocol format definition file, decode and analyze the field names and field values in the message of each layer, exclude invalid field names or field values irrelevant to the parsing and verification of the packet, extract as payload information the field names and field values in each layer's fields that are relevant to the parsing and verification of the packet, and determine from the payload information the parameters related to the state transition of the industrial control protocol packet and the industrial control system.
8. The system according to claim 7, wherein the state-transition-related parameter is represented as an array of triples, each triple comprising a data field value, a type field value and a time sequence number field value.
9. The system according to claim 8, wherein the state transition input quantity establishing module is configured to determine, for each triple of the state-transition-related parameters, the expected response type and expected response value that the data field value and type field value of the triple cause in the industrial control system, and to form the state transition time sequence over the whole verification time window by arranging the expected response values in time order.
10. The system according to claim 9, wherein the state transition time sequence model is expressed as:

[IMAGE001]

where [IMAGE002] is the prediction length, i.e. the model simulation runs for [IMAGE002] consecutive time sequence numbers starting from the k-th time sequence number; [IMAGE003] is the response value of the industrial control system at the [IMAGE004] time sequence numbers under prediction length [IMAGE002]; [IMAGE005] and [IMAGE006] are the expected response values of the industrial control system at the k-th and the [IMAGE007]-th time sequence numbers of the state transition input quantity; [IMAGE008] is the initial state response value of the industrial control system at the [IMAGE007]-th time sequence number, i.e. its response value when it is not influenced by the state transition input quantity; [IMAGE014] is a proportionality coefficient; [IMAGE011] and [IMAGE013] are the numbers of reference quantities obtained by modelling the actually measured industrial control system.
CN202211314618.6A 2022-10-26 2022-10-26 Method and system for verifying deep analysis of modular industrial control protocol packet Active CN115442154B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211314618.6A CN115442154B (en) 2022-10-26 2022-10-26 Method and system for verifying deep analysis of modular industrial control protocol packet

Publications (2)

Publication Number Publication Date
CN115442154A CN115442154A (en) 2022-12-06
CN115442154B true CN115442154B (en) 2022-12-30

Family

ID=84252232

Country Status (1)

Country Link
CN (1) CN115442154B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN209264854U (en) * 2018-11-13 2019-08-16 贵州清水江水电有限公司 A kind of industrial control system abnormal behaviour monitoring device
CN114501458A (en) * 2022-01-27 2022-05-13 重庆邮电大学 WIA-PA protocol fuzz test data generation method based on extended finite-state machine
CN114553983A (en) * 2022-03-03 2022-05-27 沈阳化工大学 Deep learning-based high-efficiency industrial control protocol analysis method
CN114595448A (en) * 2022-03-14 2022-06-07 山东省计算中心(国家超级计算济南中心) Industrial control anomaly detection method, system and equipment based on correlation analysis and three-dimensional convolution and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11599100B2 (en) * 2019-06-10 2023-03-07 Fisher-Rosemount Systems, Inc. Ease of node switchovers in process control systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant