CN115550470A - Industrial control network data packet analysis method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115550470A
Authority
CN
China
Prior art keywords
industrial control
control network
data packet
network data
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110736560.3A
Other languages
Chinese (zh)
Inventor
梁一
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN202110736560.3A
Publication of CN115550470A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an industrial control network data packet analyzing method, an industrial control network data packet analyzing device, electronic equipment and a storage medium, wherein the method comprises the following steps: receiving a target industrial control network data packet; extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type; and determining the analysis result of the target industrial control network data packet according to the characteristic data of the target industrial control network data packet and a predetermined mapping relation set between the characteristic data and the analysis result. According to the method and the device, the characteristic data of the target industrial control network data packet are extracted, and the analysis result is searched in the predetermined mapping relation set between the characteristic data and the analysis result based on the characteristic data, so that the real-time analysis operation on the target industrial control network data packet can be avoided, the resource consumption is reduced, and the processing time is saved.

Description

Industrial control network data packet analysis method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to an industrial control network data packet analyzing method, an industrial control network data packet analyzing device, electronic equipment and a storage medium.
Background
The industrial control network is a specific application of network technology in the field of industrial control, and relates to various technologies such as local area networks, wide area networks, distributed computing and the like.
In order to improve the security of the industrial control network, network security devices, such as an industrial control firewall, a threat detection device, and the like, need to be arranged in the industrial control network. When the network security equipment operates, the network data packets transmitted in the industrial control network are analyzed.
The industrial control process has the characteristics of large data transmission quantity and high requirement on data timeliness, so that the network security equipment in the industrial control network needs to have the capacity of analyzing a large number of network data packets in a short time.
The high performance network security device inevitably brings a problem of high cost. How to improve the performance of the network security device to the maximum extent and reduce the device cost on the basis of not reducing the analysis capability of the network security device is a problem to be solved urgently at present.
In the prior art, several techniques are used to improve the parsing capability of network security devices, such as optimizing code, allocating variable-size memory, adding caches, optimizing data management, reducing memory copies, and processing in parallel across CPUs.
These techniques have already been applied to existing network security devices, so the potential for further improving their performance through these techniques is limited; in addition, improving parsing performance through these techniques also compresses the headroom available for the other functions of the network security device.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides an industrial control network data packet analyzing method, an industrial control network data packet analyzing device, electronic equipment and a storage medium.
The invention provides an industrial control network data packet analyzing method, an industrial control network data packet analyzing device, electronic equipment and a storage medium, wherein the method comprises the following steps:
receiving a target industrial control network data packet;
extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type;
and determining the analysis result of the target industrial control network data packet according to the characteristic data of the target industrial control network data packet and a predetermined mapping relation set between the characteristic data and the analysis result.
According to the industrial control network data packet analysis method provided by the invention, the extraction of the characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and the preset characteristic data extraction mode corresponding to the protocol type comprises the following steps:
judging whether the target industrial control network data packet is an industrial control network data packet to be recombined or not;
determining the protocol type of the target industrial control network data packet under the condition that the target industrial control network data packet is not the industrial control network data packet to be recombined, and determining a characteristic data extraction mode corresponding to the protocol type according to the protocol type; and extracting the characteristic data from the target industrial control network data packet according to the determined characteristic data extraction mode.
According to the industrial control network data packet analyzing method provided by the invention, the protocol type of the target industrial control network data packet is determined, and the characteristic data extraction mode corresponding to the protocol type is determined according to the protocol type; extracting the characteristic data from the target industrial control network data packet according to the determined characteristic data extraction mode, wherein the characteristic data extraction method comprises the following steps:
determining the target industrial control network data packet as a link layer network protocol data packet;
and taking data which does not contain a link layer header part and does not contain a protocol header part in the target industrial control network data packet as characteristic data, or taking data which does not contain the link layer header part in the target industrial control network data packet as the characteristic data.
According to the industrial control network data packet analyzing method provided by the invention, the protocol type of the target industrial control network data packet is determined, and the characteristic data extraction mode corresponding to the protocol type is determined according to the protocol type; extracting the characteristic data from the target industrial control network data packet according to the determined characteristic data extraction mode, wherein the characteristic data extraction method comprises the following steps:
determining the target industrial control network data packet as an application layer network protocol data packet, wherein the application layer network protocol is carried by a UDP protocol or a TCP protocol;
all data contained in TCP (transmission control protocol) structural data or UDP (user datagram protocol) structural data in the target industrial control network data packet are used as characteristic data; or, taking the data of the specified part contained in the TCP structure data or UDP structure data in the target industrial control network data packet as the characteristic data.
According to the industrial control network data packet analyzing method provided by the invention, the characteristic data is extracted from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and the preset characteristic data extraction mode corresponding to the protocol type, and the method further comprises the following steps:
when the target industrial control network data packet is an industrial control network data packet to be recombined, recombining the target industrial control network data packet with other industrial control network data packets in the same group to obtain a recombined industrial control network data packet;
determining the type of the recombined industrial control network data packet, and extracting characteristic data from the recombined industrial control network data packet according to the type and a preset characteristic data extraction mode corresponding to the type.
According to the industrial control network data packet analysis method provided by the invention, the step of determining the analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and the predetermined mapping relation set between the feature data and the analysis result comprises the following steps:
and searching the analysis result of the recombined industrial control network data packet corresponding to the characteristic data of the recombined industrial control network data packet from the mapping relation set between the characteristic data and the analysis result.
According to the industrial control network data packet analysis method provided by the invention, the method for extracting the feature data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and the preset feature data extraction mode corresponding to the protocol type further comprises the following steps:
determining the protocol types of the target industrial control network data packet and other industrial control network data packets in the same group under the condition that the target industrial control network data packet is an industrial control network data packet to be recombined, and determining a characteristic data extraction mode corresponding to the protocol type according to the protocol types; according to the determined characteristic data extraction mode, respectively extracting characteristic data from the target industrial control network data packet and other industrial control network data packets in the same group;
correspondingly, the determining the analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and the predetermined mapping relationship set between the feature data and the analysis result includes:
determining a first industrial control network data packet, the first industrial control network data packet being the first packet among the target industrial control network data packet and the other industrial control network data packets in the same group;
searching the characteristic data of the first industrial control network data packet in the mapping relation set between the characteristic data and the analysis result;
and under the condition that the characteristic data of the first industrial control network data packet can be found, acquiring the analysis results of the first industrial control network data packet and other industrial control network data packets in the same group from the mapping relation set between the characteristic data and the analysis results.
According to the industrial control network data packet analysis method provided by the invention, the mapping relation set between the characteristic data and the analysis result is the mapping relation set between the hash value of the characteristic data and the analysis result;
correspondingly, the determining the analysis result of the target industrial control network data packet according to the feature data and the predetermined mapping relationship set between the feature data and the analysis result includes:
calculating a hash value of the characteristic data of the target industrial control network data packet;
and searching the analysis result of the target industrial control network data packet corresponding to the hash value of the characteristic data of the target industrial control network data packet from the mapping relation set between the hash value of the characteristic data and the analysis result.
According to the industrial control network data packet analyzing method provided by the invention, the method further comprises the following steps:
when the analysis result of the target industrial control network data packet cannot be determined according to the feature data of the target industrial control network data packet and the predetermined mapping relation set between the feature data and the analysis result,
analyzing the target industrial control network data packet.
According to the industrial control network data packet analyzing method provided by the invention, after the target industrial control network data packet is analyzed, the method further comprises the following steps:
and storing the mapping relation between the characteristic data of the target industrial control network data packet and the analysis result of the target industrial control network data packet in the mapping relation set.
The invention also provides an industrial control network data packet analyzing device, which comprises:
the receiving module is used for receiving a target industrial control network data packet;
the characteristic data extraction module is used for extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type;
and the analysis result acquisition module is used for determining the analysis result of the target industrial control network data packet according to the characteristic data of the target industrial control network data packet and a predetermined mapping relation set between the characteristic data and the analysis result.
The invention also provides electronic equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the program to realize the steps of the industrial control network data packet analysis method.
The invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the method for parsing an industrial control network packet.
The invention also provides a computer program product comprising computer executable instructions for implementing the steps of the industrial control network data packet parsing method when executed.
According to the method, the device, the electronic equipment and the storage medium for analyzing the industrial control network data packet, provided by the invention, the characteristic data of the target industrial control network data packet is extracted, and the analysis result is searched in the predetermined mapping relation set between the characteristic data and the analysis result based on the characteristic data, so that the real-time analysis operation on the target industrial control network data packet can be avoided, the resource consumption is reduced, and the processing time is saved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a flowchart of an industrial control network data packet parsing method provided by the present invention;
fig. 2 is a schematic diagram of an industrial control network data packet parsing device provided by the present invention;
fig. 3 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The industrial control network data packet parsing method, device, electronic device and storage medium according to the present invention are described below with reference to fig. 1 to 3.
Fig. 1 is a flowchart of an analysis method for an industrial control network data packet provided by the present invention, and as shown in fig. 1, the analysis method for an industrial control network data packet provided by the present invention includes:
step 101, receiving a target industrial control network data packet.
In this embodiment, a network data packet transmitted in the industrial control network is referred to as an industrial control network data packet. Various protocols can run in an industrial control network, such as the data link layer protocol Profinet DCP and the application layer protocol DNP3. Accordingly, industrial control network data packets come in various types depending on the protocol, such as industrial control network data packets generated based on the Profinet DCP protocol and industrial control network data packets generated based on the DNP3 protocol.
In this embodiment, the target industrial control network data packet refers to an industrial control network data packet to be analyzed.
Step 102, extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type.
The invention can store the analysis result of the analyzed industrial control network data packet, and then when the industrial control network data packet with the same content as the analyzed industrial control network data packet is received again, the newly received industrial control network data packet is not analyzed any more, but the existing analysis result is directly given to the industrial control network data packet.
As is known to those skilled in the art, some information in the network packet is irrelevant to the content contained in the network packet itself, and may change with external factors, and is referred to as variable information in this embodiment. Some typical variable information may be, for example, a frame number (FrameID), a sequence number (sequence), a negotiation packet, etc. in the network data packet.
For example, user a sends the control command "start" to a blower through the industrial control network at time a, and sends the control command "start" to the blower again through the industrial control network at time b. Since the two control commands are sent at different times, they are necessarily carried by two independent network packets. The two network packets carry the same content, namely the "start" command, but their frame numbers differ.
Apart from the variable information described above, the remaining information in different network packets carrying the same content is identical. In this embodiment, the data used to distinguish network packets with different content is referred to as feature data; the information that remains after removing the variable information can therefore serve as feature data for distinguishing network packets, and such feature data generally does not change with external factors.
Specifically, which information in the network data packet is selected as the characteristic data is related to the protocol type based on the network data packet. In the following embodiments, the process of extracting the feature data in the network data packet will be further described.
Step 103, determining an analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and a predetermined mapping relation set between the feature data and the analysis result.
The mapping relationship between the feature data and the analysis result reflects the one-to-one correspondence relationship between the feature data and the analysis result. Based on the mapping relation, on the premise that the characteristic data of the target industrial control network data packet is known, the analysis result corresponding to the characteristic data can be found.
In this embodiment, the mapping relationship set between industrial control network data packet feature data and industrial control network data packet analysis results may be represented as a cache table. The cache table comprises at least two columns: one stores the feature data and the other stores the analysis result, with a correspondence between the two. After the feature data of the target industrial control network data packet has been obtained, the feature data column of the cache table is searched for it; if a matching feature data entry is found, the content of the corresponding analysis result entry is read from the cache table, and the analysis result read in this way is the analysis result of the target industrial control network data packet.
In the present embodiment, the set of mapping relationships between the feature data and the analysis result is predetermined, and in the following embodiments, a process of generating the set of mapping relationships will be described.
It should be noted that, as an optional implementation, in addition to extracting the feature data from the target industrial control network data packet and looking up the analysis result in the predetermined cache table based on the feature data, the variable information may also be extracted from the target industrial control network data packet and analyzed in real time. The real-time analysis result so obtained is combined with the analysis result found in the cache table, and the combination can be used as the complete analysis result of the target industrial control network data packet.
According to the industrial control network data packet analysis method provided by the invention, the characteristic data of the target industrial control network data packet is extracted, and the analysis result is searched in the predetermined mapping relation set between the characteristic data and the analysis result based on the characteristic data, so that the real-time analysis operation of the target industrial control network data packet can be avoided, the resource consumption is reduced, and the processing time is saved.
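As an added example (not code from the patent or its assignee), the following Python sketch implements steps 101 to 103 for a type-one packet: the feature data is the frame minus its Ethernet header and 2-byte FrameID, the cache table is keyed on a SHA-256 of the feature data, a miss triggers the full DCP parse and stores the new mapping, and the link-layer fields are re-read in real time and merged into the result. The DCP parser, the constructed frames, the choice of a cryptographic hash and the bounded FIFO table are assumptions of the example, not details specified by the patent.

```python
import hashlib
import struct
from collections import OrderedDict

ETH_HDR_LEN = 14   # link-layer header: variable information, not part of the feature data
FRAME_ID_LEN = 2   # PROFINET RT FrameID (protocol header): also variable information


def parse_dcp(content: bytes) -> dict:
    """Full parse of a PROFINET DCP content part (the costly step the cache avoids).
    Field layout follows the DCP decode quoted above; assumes the 12-byte Get
    request form (DCP header plus one Option/Suboption pair)."""
    service_id, service_type, xid, reserved, data_len = struct.unpack_from("!BBIHH", content, 0)
    option, suboption = struct.unpack_from("!BB", content, 10)
    return {"ServiceID": service_id, "ServiceType": service_type, "Xid": xid,
            "Reserved": reserved, "DCPDataLength": data_len,
            "Option": option, "Suboption": suboption}


class ParseCache:
    """The 'cache table': SHA-256(feature data) -> parse result.

    Two defensive details the patent leaves open (this example's choice):
    a cryptographic hash, so two different packets cannot be made to collide
    and inherit each other's parse result, and a bounded table, so a flood of
    packets with unique content cannot exhaust memory."""

    def __init__(self, parser, max_entries=10_000):
        self._parser = parser
        self._max = max_entries
        self._table = OrderedDict()   # insertion order gives cheap FIFO eviction
        self.hits = 0
        self.misses = 0

    def __len__(self) -> int:
        return len(self._table)

    @staticmethod
    def feature_of(frame: bytes) -> bytes:
        """Step 102 for a type-one (link-layer protocol) packet: drop the
        link-layer header and the protocol header, keep the content part."""
        return frame[ETH_HDR_LEN + FRAME_ID_LEN:]

    def parse(self, frame: bytes) -> dict:
        feature = self.feature_of(frame)
        key = hashlib.sha256(feature).digest()
        result = self._table.get(key)                    # step 103: look up
        if result is None:
            self.misses += 1
            result = self._parser(feature)               # not in the mapping set: parse
            if len(self._table) >= self._max:
                self._table.popitem(last=False)          # evict the oldest entry
            self._table[key] = result                    # store the new mapping
        else:
            self.hits += 1
        # Variable information is cheap to parse in real time; it is merged with
        # the cached result to form the complete result for this packet.
        dst, src = struct.unpack_from("!6s6s", frame, 0)
        frame_id = struct.unpack_from("!H", frame, ETH_HDR_LEN)[0]
        return {**result, "dst": dst.hex(":"), "src": src.hex(":"), "FrameID": frame_id}


# Constructed frames matching the DCP Get request decode quoted above: identical
# DCP content sent from two different source MACs (frame A uses 00:0c:29:ba:2e:2b).
_DCP_CONTENT = bytes.fromhex("0300" "04000003" "0000" "0002" "0101")
DCP_FRAME_A = bytes.fromhex("0050569d097a" "000c29ba2e2b" "8892" "fefd") + _DCP_CONTENT
DCP_FRAME_B = bytes.fromhex("0050569d097a" "000c29ba2e2c" "8892" "fefd") + _DCP_CONTENT


def demo() -> ParseCache:
    """First frame misses and is parsed; the second hits and skips the parse."""
    cache = ParseCache(parse_dcp)
    cache.parse(DCP_FRAME_A)
    cache.parse(DCP_FRAME_B)
    return cache
```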
Based on any one of the foregoing embodiments, in this embodiment, the extracting feature data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset feature data extraction manner corresponding to the protocol type includes:
judging whether the target industrial control network data packet is an industrial control network data packet to be recombined or not;
determining the protocol type of the target industrial control network data packet under the condition that the target industrial control network data packet is not the industrial control network data packet to be recombined, and determining a characteristic data extraction mode corresponding to the protocol type according to the protocol type; and extracting the characteristic data from the target industrial control network data packet according to the determined characteristic data extraction mode.
It is known to those skilled in the art that the sizes of the data units defined by different layers of the network model are not the same. For example, a UDP packet can carry at most 1472 bytes excluding the IP header and the UDP header, and a TCP packet can carry at most 1460 bytes excluding the IP header and the TCP header. When the data contained in an application layer packet exceeds the capacity of a transport layer data unit, the packet has to be transmitted in fragments.
If the received target industrial control network data packet is an industrial control network data packet transmitted in a fragmentation mode, before the data packet is analyzed, the data packet needs to be recombined. In the present invention, such data packets are referred to as industrial control network data packets to be reassembled.
In this embodiment, it is first determined whether the target industrial control network data packet is an industrial control network data packet to be reassembled; the case in which it is not such a packet is discussed next.
As known to those skilled in the art, when a data packet is transmitted in a fragmented manner, a corresponding flag is set for the data packet, so that the prior art can be used to determine the industrial control network data packet to be reassembled.
The target industrial control network data packet is not the industrial control network data packet to be recombined, which means that the data packet can be directly processed. During processing, firstly, determining a protocol type of a target industrial control network data packet, and then determining a characteristic data extraction mode corresponding to the protocol type according to the protocol type; and finally, extracting the characteristic data from the target industrial control network data packet according to the determined characteristic data extraction mode.
Specifically, if the target industrial control network data packet is a link layer network protocol data packet, data which does not include a link layer header part and does not include a protocol header part in the target industrial control network data packet is used as feature data, or data which does not include the link layer header part in the target industrial control network data packet is used as feature data. If the target industrial control network data packet is an application layer network protocol data packet (the application layer network protocol is borne by a UDP (user Datagram protocol) protocol or a TCP (transmission control protocol)), all data contained in TCP structural data or UDP structural data in the target industrial control network data packet are used as feature data; or, the data of the specified part contained in the TCP structure data or UDP structure data in the target industrial control network data packet is used as the characteristic data.
For the convenience of understanding, the following description will classify the extraction process of feature data according to the features of different types of network protocols.
Type one: industrial control network data packets of this type are implemented on a layer-two (link layer) protocol, and their data structure comprises: a link layer header part for network transmission, a protocol header (header) part for protocol negotiation and transmission, and a content part.
The link layer header part and the protocol header part are variable information related to the transmission flow, so the content part of this type of industrial control network data packet, excluding the link layer header part and the protocol header part, can be used as the feature data.
Typical representatives of this type are industrial control network data packets based on the Profinet DCP protocol and industrial control network data packets based on the Siemens S7 protocol.
For example, the code of an industrial control network data packet based on the Profinet DCP protocol is:
Frame 1: 28 bytes on wire (224 bits), 28 bytes captured (224 bits)
Ethernet II, Src: Vmware_ba:2e:2b (00:0c:29:ba:2e:2b), Dst: Vmware_9d:09:7a (00:50:56:9d:09:7a)
PROFINET acyclic Real-Time, ID: 0xfefd, Len: 12
    FrameID: 0xfefd (Real-Time: DCP (Dynamic Configuration Protocol) get/set)
PROFINET DCP, Get Req, Xid: 0x4000003, Status from IP-MAC address
    ServiceID: Get (3)
    ServiceType: Request (0)
    Xid: 0x04000003
    Reserved: 0
    DCPDataLength: 2
    Option: IP (1)
    Suboption: MAC address (1)
In this code, everything from the line "PROFINET DCP, Get Req, Xid: 0x4000003, Status from IP-MAC address" onward belongs to the "content part", which excludes the link layer header part and the protocol header part, and can be used as the feature data.
Type two. Type two is a special form of type one. In type two, the payload of the industrial control network data packet contains no frequently changing values such as a timestamp or a sequence number, so the entire payload can be used as the feature data; that is, the data after the link layer header part of the industrial control network data packet can be used as the feature data.
A typical representative of such a network packet is a network packet based on SMV (Sampled Measured Value).
For example, the code of an SMV-based network packet is:
Frame 2: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Ethernet II, Src: Xerox_01:20:01 (00:00:01:01:20:01), Dst: Iec-Tc57_01:20:01 (01:0c:cd:01:20:01)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1
IEC61850 Sampled Values
    APPID: 0x2001
    Length: 38
    Reserved 1: 0x0000 (0)
    Reserved 2: 0x0000 (0)
    savPdu
        noASDU: 1
        seqASDU: 1 item
In this code, the value of the "IEC61850 Sampled Values" field and of the fields following it can be used as the feature data; the value contained in the "IEC61850 Sampled Values" field is, for example, "20 01 00 26 00 00 00 00".
Type three. Such industrial control network data packets are implemented on application layer protocols carried by TCP or UDP.
As known to those skilled in the art, when a network data packet generated based on an application layer protocol is transmitted, if the application layer protocol is carried by TCP or UDP, the structural data of TCP or UDP is encapsulated outside the network data packet.
This structure data is variable information related to the transmission flow, so the part carried inside the TCP or UDP structure data of the industrial control network data packet (the transport payload) can be used as the feature data.
Such industrial control network packets cover a wide range; typical representatives include network packets based on DNP3 (Distributed Network Protocol 3.0), network packets based on Modbus, network packets based on MMS (Manufacturing Message Specification) and network packets based on IEC104.
For example, a code of an industrial control network data packet based on the DNP3 protocol is:
Frame 6: 153 bytes on wire (1224 bits), 153 bytes captured (1224 bits)
Ethernet II, Src: PcsCompu_e2:e7:ab (00:00:27:e2:e7:ab), Dst: PcsCompu_ff:2f:c5 (08:00:27:ff:2f:c5)
Internet Protocol Version 4, Src: 192.168.1.2, Dst: 192.168.1.1
Transmission Control Protocol, Src Port: 49159, Dst Port: 20000, Seq: 22, Ack: 41, Len: 99
Distributed Network Protocol 3.0
In this code, the contents of the "Distributed Network Protocol 3.0" field serve as the feature data, for example "05 54c4 04 00 03".
Type four. Such industrial control network data packets are likewise implemented on application layer protocols carried by TCP or UDP.
Unlike type three, not all of the data outside the TCP or UDP structure data can be used as feature data: part of the data belonging to the application layer protocol itself is also variable and cannot be used as feature data.
A typical representative of this type is a network packet based on the Omron FINS protocol.
For example, a network packet based on the FINS protocol is coded as:
Frame 97: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)
Ethernet II, Src: OmronTat_9b:85:5a (00:00:0a:9b:85:5a), Dst: Vmware_f7:75:bb (00:0c:29:01:20:01)
Internet Protocol Version 4, Src: 169.254.91.133, Dst: 169.254.92.32
Transmission Control Protocol, Src Port: 9600, Dst Port: 49187, Seq: 4294225823, Ack: 41, Len: 99
OMRON FINS Protocol
    FINS/TCP Header
    FINS Header
    Command Data
In this code, the part preceding "OMRON FINS Protocol" is the transport layer's structure data, and the contents of the "FINS/TCP Header" field are also regarded as variable information; therefore the contents of the "FINS Header" field and everything after it are taken as the feature data.
The above is a description of how the characteristic data is extracted from the industrial control network packets of different protocol types.
It should be noted that, for some communication protocols, the size of the variable information in the industrial control network data packet is fixed. For such protocols, a fixed offset relative to the packet header can be determined from the protocol type of the industrial control network data packet, and the variable information can be skipped according to that fixed offset, so that the feature data of the industrial control network data packet is located quickly.
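As an added illustration (not part of the patent text or of any product of the applicant), the following Python sketch implements the four extraction modes described above on raw Ethernet frames, using the fixed offsets in the sense of the preceding note. The EtherType values, the FINS/TCP port, the 16-byte FINS/TCP header length and the sample frames are assumptions chosen to match the dissections shown above; the sample frames are constructed in memory with zero checksums.

```python
import struct
from typing import Tuple

# Fixed offsets used below (assumptions based on the dissections above, not values from the patent).
ETHERTYPE_VLAN = 0x8100      # 802.1Q tag inserted after the MAC addresses
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PROFINET = 0x8892  # PROFINET real-time frames: a 2-byte FrameID follows the link-layer header
ETHERTYPE_SV = 0x88BA        # IEC 61850 Sampled Values
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
FINS_TCP_PORT = 9600         # Omron FINS over TCP (assumed)
FINS_TCP_HEADER_LEN = 16     # 'FINS' magic, length, command, error code: variable per session (assumed)


def link_layer_header(frame: bytes) -> Tuple[int, int]:
    """Return (header_length, ethertype), skipping one optional 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    return offset, ethertype


def extract_feature_data(frame: bytes) -> Tuple[str, bytes]:
    """Classify a raw Ethernet frame into the four types and return (type, feature_data)."""
    offset, ethertype = link_layer_header(frame)
    if ethertype == ETHERTYPE_PROFINET:
        # Type one: drop the link-layer header and the FrameID (protocol header); keep the DCP content.
        return "type1", frame[offset + 2:]
    if ethertype == ETHERTYPE_SV:
        # Type two: the payload carries no timestamp or sequence number, so keep all of it.
        return "type2", frame[offset:]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ihl = (frame[offset] & 0x0F) * 4                       # IPv4 header length
    total_len = struct.unpack_from("!H", frame, offset + 2)[0]
    proto = frame[offset + 9]
    l4 = offset + ihl
    ip_end = offset + total_len                             # excludes any Ethernet trailer padding
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == IP_PROTO_TCP:
        data_off = (frame[l4 + 12] >> 4) * 4                # TCP header length incl. options
        payload = frame[l4 + data_off:ip_end]
    elif proto == IP_PROTO_UDP:
        payload = frame[l4 + 8:ip_end]
    else:
        raise ValueError("transport protocol is neither TCP nor UDP")
    if FINS_TCP_PORT in (sport, dport) and payload[:4] == b"FINS":
        # Type four: the FINS/TCP header is session-variable; keep the FINS header and command data.
        return "type4", payload[FINS_TCP_HEADER_LEN:]
    # Type three: everything carried inside the TCP/UDP structure data is feature data.
    return "type3", payload


# --- constructed sample frames (values chosen to match the dissections above, checksums left zero) ---
def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ipv4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with a 20-byte IP header and a 20-byte TCP header (no options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 41, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     IP_PROTO_TCP, 0, ipv4(src_ip), ipv4(dst_ip)) + tcp
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip


DCP_BODY = bytes.fromhex("0300 04000003 0000 0002 0101")   # Get Req, Xid 0x04000003, IP / MAC address
PROFINET_FRAME = (mac("00:50:56:9d:09:7a") + mac("00:0c:29:ba:2e:2b")
                  + struct.pack("!HH", ETHERTYPE_PROFINET, 0xFEFD) + DCP_BODY)

SV_BODY = bytes.fromhex("2001 0026 0000 0000") + bytes(30)   # APPID 0x2001, length 38, ASDU zeroed
SV_FRAME = (mac("01:0c:cd:01:20:01") + mac("00:00:01:01:20:01")
            + struct.pack("!HHH", ETHERTYPE_VLAN, 0x0001, ETHERTYPE_SV) + SV_BODY)

DNP3_BODY = bytes.fromhex("0564 05c0 0100 0000 ffff")        # constructed DNP3 link-layer fragment
DNP3_FRAME = build_tcp_frame("00:00:27:e2:e7:ab", "08:00:27:ff:2f:c5",
                             "192.168.1.2", "192.168.1.1", 49159, 20000, 22, DNP3_BODY)

FINS_BODY = (b"FINS" + struct.pack("!III", 8 + 12, 2, 0)      # FINS/TCP header (16 bytes)
             + bytes.fromhex("8000 0200 0a00 0001 0005")        # FINS header (10 bytes, assumed layout)
             + bytes.fromhex("0101"))                           # command code
FINS_FRAME = build_tcp_frame("00:00:0a:9b:85:5a", "00:0c:29:01:20:01",
                             "169.254.91.133", "169.254.92.32", 9600, 49187, 4294225823, FINS_BODY)
```

Because the TCP sequence and acknowledgement numbers lie inside the structure data that is skipped, two DNP3 frames that differ only in those fields yield identical feature data, which is what allows a later lookup by feature data to succeed.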
The industrial control network data packet analysis method provided by the invention analyzes the protocol type of the target industrial control network data packet, determines the feature data extraction mode according to that type, extracts the feature data, and then quickly looks up the analysis result in the predetermined mapping relation set between feature data and analysis results based on the feature data. This avoids real-time analysis of the target industrial control network data packet, which helps reduce resource consumption and save processing time.
Based on any one of the foregoing embodiments, in this embodiment, the extracting feature data from a target industrial control network data packet according to a protocol type of the target industrial control network data packet and a preset feature data extraction manner corresponding to the protocol type further includes:
when the target industrial control network data packet is an industrial control network data packet to be recombined, recombining the target industrial control network data packet with other industrial control network data packets in the same group to obtain a recombined industrial control network data packet;
determining the type of the recombined industrial control network data packet, and extracting characteristic data from the recombined industrial control network data packet according to the type and a preset characteristic data extraction mode corresponding to the type.
The previous embodiment described how feature data is extracted from a target industrial control network data packet that is not a packet to be reassembled. This embodiment describes how feature data is extracted when the target industrial control network data packet is a packet to be reassembled.
Firstly, other industrial control network data packets in the same group can be obtained according to the target industrial control network data packet.
In this embodiment, the plurality of network packets obtained by fragmenting one network packet are referred to as network packets of the same group. If the target industrial control network data packet is a packet to be reassembled, there necessarily exist other industrial control network data packets belonging to the same group as the target packet. The other industrial control network data packets of the same group are obtained based on the marking information carried in the industrial control network data packets.
And then, recombining the target industrial control network data packet with other industrial control network data packets in the same group to obtain a recombined industrial control network data packet.
How to reassemble the industrial control network data packet is common knowledge of those skilled in the art, and therefore, the description is not repeated here.
And finally, determining the type of the recombined industrial control network data packet, and extracting characteristic data from the recombined industrial control network data packet according to the type and a preset characteristic data extraction mode corresponding to the type.
The previous embodiments described how feature data is extracted from a target industrial control network data packet that does not need reassembly. For the reassembled industrial control network data packet, the feature data extraction mode is likewise determined according to the protocol type of the packet, and the specific process of extracting the feature data has no essential difference, so it is not repeated here. It should be noted in particular that the feature data finally obtained in this embodiment is the feature data of the reassembled industrial control network data packet, not merely the feature data of a single fragment.
For example, in a network packet based on the FINS protocol, 2973 bytes of data to be transmitted by the application layer exceed the capacity of one TCP packet and are therefore divided into two TCP packets. Before analysis, the two related TCP packets are reassembled. The protocol type of the reassembled network data packet is then determined; it is found to conform to type four described above, so the feature data is extracted according to the feature data extraction method of type four.
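As an added example (not code from the patent or from the applicant), the following Python sketch reassembles the two TCP segments of a FINS/TCP message such as the one described above and then applies the type-four extraction to the reassembled packet. The segments, the flow key, the sequence numbers, the 1460-byte split and the FINS/TCP header layout (a 4-byte "FINS" magic followed by a 4-byte length covering the rest of the frame) are assumptions for this example; the 2973-byte message is constructed in memory.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FINS_TCP_HEADER_LEN = 16  # assumption: 'FINS' magic (4) + length (4) + command (4) + error code (4)


@dataclass(frozen=True)
class Segment:
    """One TCP segment as delivered: flow key, sequence number and payload (constructed, not captured)."""
    flow: Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)
    seq: int
    payload: bytes


def fins_frame_length(first_payload: bytes) -> int:
    """Total FINS/TCP frame length announced by the header: 8 bytes of magic and length, plus the length field."""
    magic, length = struct.unpack_from("!4sI", first_payload, 0)
    if magic != b"FINS":
        raise ValueError("not a FINS/TCP frame")
    return 8 + length


def needs_reassembly(seg: Segment) -> bool:
    """The first segment announces more bytes than it carries: later segments of the flow belong to the same group."""
    return seg.payload[:4] == b"FINS" and len(seg.payload) < fins_frame_length(seg.payload)


def reassemble(segments: List[Segment]) -> bytes:
    """Order one flow's segments by sequence number and concatenate them; reject gaps, overlaps and mixed flows."""
    if len({s.flow for s in segments}) != 1:
        raise ValueError("segments from different flows do not form one group")
    ordered = sorted(segments, key=lambda s: s.seq)
    data = bytearray(ordered[0].payload)
    expected = ordered[0].seq + len(ordered[0].payload)
    for seg in ordered[1:]:
        if seg.seq != expected:
            raise ValueError("gap or overlap at seq %d (expected %d)" % (seg.seq, expected))
        data += seg.payload
        expected += len(seg.payload)
    if len(data) != fins_frame_length(bytes(data)):
        raise ValueError("reassembled length does not match the FINS/TCP header")
    return bytes(data)


def reassemble_or_error(segments: List[Segment]) -> Tuple[Optional[bytes], Optional[str]]:
    """Convenience wrapper returning (packet, None) on success or (None, reason) on failure."""
    try:
        return reassemble(segments), None
    except ValueError as exc:
        return None, str(exc)


def feature_data_type4(app_packet: bytes) -> bytes:
    """Type-four extraction on the reassembled packet: drop only the session-variable FINS/TCP header."""
    return app_packet[FINS_TCP_HEADER_LEN:]


# Constructed sample: a 2973-byte FINS/TCP message (the size used in the text) split at a 1460-byte MSS.
APP_MESSAGE = (b"FINS" + struct.pack("!III", 2973 - 8, 2, 0)            # FINS/TCP header
               + bytes.fromhex("8000 0200 0a00 0001 0005")              # FINS header (assumed layout)
               + bytes((i % 251) for i in range(2973 - 16 - 10)))        # command data (pattern, not real)
FLOW = ("169.254.91.133", 9600, "169.254.92.32", 49187)
SEG1 = Segment(FLOW, 1000, APP_MESSAGE[:1460])
SEG2 = Segment(FLOW, 1000 + 1460, APP_MESSAGE[1460:])
```

The contiguity check matters in practice: reassembling on sequence order alone, without rejecting a gap, would produce a shorter packet whose feature data never matches a stored entry, and the packet would silently fall through to real-time analysis every time.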
The industrial control network data packet analysis method provided by the invention reassembles the industrial control network data packet to be reassembled and then extracts the feature data from the reassembled packet, providing the basis for subsequently obtaining the analysis result of the reassembled packet from its feature data, which helps reduce resource consumption and save processing time.
Based on any one of the foregoing embodiments, in this embodiment, the determining an analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and a mapping relationship set between predetermined feature data and an analysis result includes:
searching the analysis result of the recombined industrial control network data packet corresponding to the characteristic data of the recombined industrial control network data packet from the mapping relation set between the characteristic data and the analysis result.
When the target industrial control network data packet is a packet to be reassembled, the way the analysis result is determined changes somewhat, and this embodiment describes that change.
In the foregoing embodiment, when the target industrial control network data packet is a packet to be reassembled, it is first reassembled to obtain a reassembled industrial control network data packet, and the feature data is then extracted from the reassembled packet. During analysis, whether a corresponding feature data item exists can be looked up directly in the mapping relation set between feature data and analysis results, based on the feature data of the reassembled packet. If a matching item is found, its analysis result is the analysis result of the whole reassembled industrial control network data packet, rather than the analysis result of a single fragment.
The industrial control network data packet analysis method provided by the invention quickly looks up the analysis result in the predetermined mapping relation set between feature data and analysis results, based on the feature data of the reassembled industrial control network data packet, so that real-time analysis of the reassembled packet is avoided, resource consumption is reduced and processing time is saved.
Based on any one of the foregoing embodiments, in this embodiment, the extracting feature data from a target industrial control network data packet according to a protocol type of the target industrial control network data packet and a preset feature data extraction manner corresponding to the protocol type further includes:
determining the protocol types of the target industrial control network data packet and other industrial control network data packets in the same group under the condition that the target industrial control network data packet is an industrial control network data packet to be recombined, and determining a characteristic data extraction mode corresponding to the protocol type according to the protocol types; according to the determined characteristic data extraction mode, extracting characteristic data from the target industrial control network data packet and other industrial control network data packets in the same group respectively;
correspondingly, the determining the analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and the predetermined mapping relationship set between the feature data and the analysis result includes:
determining a first industrial control network data packet, the first industrial control network data packet being the packet that comes first in sequence among the target industrial control network data packet and the other industrial control network data packets in the same group;
searching the characteristic data of the first industrial control network data packet in the mapping relation set between the characteristic data and the analysis result;
and under the condition that the characteristic data of the first industrial control network data packet can be found, acquiring the analysis result of the first industrial control network data packet and other industrial control network data packets in the same group from the mapping relation set between the characteristic data and the analysis result.
In this embodiment, another characteristic data extraction method in which the target industrial control network data packet is an industrial control network data packet to be reassembled is described.
The applicant finds that, according to the rules by which network data packets are generated, once application layer data packets have been fragmented, when two application layer data packets share an identical fragment the probability that the two packets differ as a whole is very low.
For example, there are an application layer packet a and an application layer packet B, the application layer packet a is divided into fragmented data A1 and A2, and the application layer packet B is divided into fragmented data B1 and B2. If A1 and B1 are the same, then the probability of A and B being different is low.
Based on this characteristic, after multiple fragments (e.g. multiple TCP packets or UDP packets) of the same application layer packet are received, the fragments are not reassembled; instead, feature data is extracted from each fragment individually, and the analysis result of the whole application layer network data packet is then looked up based on the feature data of a fragment.
When feature data is extracted from an individual fragment, the feature data extraction method of the corresponding type (such as type three or type four) is selected according to the protocol type. How the extraction method of the corresponding type is selected was described in detail in the previous embodiment and is not repeated here.
Looking up the analysis result of the whole application layer network data packet based on the feature data of a fragment means that, once the feature data of a certain fragment is found in the mapping relation set between feature data and analysis results, the analysis result of that fragment and the analysis results of the other fragments in the same group are returned together as the analysis result of the application layer network data packet before fragmentation.
For example, an application layer data packet A is divided into fragments A1 and A2. After A1 is received, the feature data of A1 is extracted; if the feature data of A1 is found, the analysis result of A1 and the analysis result of A2 associated with the feature data of A1 are returned together according to a preset association relationship. When A2 is received later, its analysis result no longer needs to be looked up, and only related operations such as forwarding need to be performed on A2.
It should be noted that the processing method described in this embodiment is not applicable to all network protocols; it is generally applicable to network protocols whose packets are pure data, for example, packets that carry no timestamp and no changing sequence number. The processing method described in this embodiment can be used for the FINS protocol.
The industrial control network data packet analysis method provided by the invention extracts feature data from fragment packets and, based on that feature data, quickly looks up in the predetermined mapping relation set between feature data and analysis results the analysis result of the complete application layer network data packet before fragmentation, which helps reduce resource consumption and save processing time.
Based on any one of the foregoing embodiments, in this embodiment, the set of mapping relationships between the feature data and the analysis result is a set of mapping relationships between hash values of the feature data and the analysis result;
correspondingly, the determining the analysis result of the target industrial control network data packet according to the feature data and the predetermined mapping relationship set between the feature data and the analysis result includes:
calculating a hash value of the characteristic data of the target industrial control network data packet;
and searching the analysis result of the target industrial control network data packet corresponding to the hash value of the characteristic data of the target industrial control network data packet from the mapping relation set between the hash value of the characteristic data and the analysis result.
In the previous embodiment, after the feature data of the target industrial control network data packet is obtained, the corresponding analysis result is looked up using the feature data itself. In practical applications, however, it is found that because the feature data is generally large, it occupies a large storage space, and looking it up is slow and inefficient.
Therefore, in this embodiment, after the feature data of the target industrial control network data packet is obtained, the hash value is calculated for the feature data. Correspondingly, the mapping relation set between the feature data and the analysis result is the mapping relation set between the hash value of the feature data and the analysis result. Based on the hash value of the feature data of the target industrial control network data packet, a corresponding hash value item can be searched in a mapping relation set between the hash value of the feature data and an analysis result, and the analysis result corresponding to the searched hash value item is the analysis result of the target industrial control network data packet.
By calculating a hash value for the feature data and looking up the analysis result of the industrial control network data packet according to that hash value, the industrial control network data packet analysis method provided by the invention needs less storage space than storing the feature data itself and achieves higher search efficiency.
Based on any of the above embodiments, in this embodiment, the method further includes:
when the analysis result of the target industrial control network data packet cannot be determined according to the feature data of the target industrial control network data packet and the predetermined mapping relation set between feature data and analysis results,
analyzing the target industrial control network data packet.
The previous embodiment described how the analysis result is obtained on the premise that the feature data of the target industrial control network data packet can be found in the mapping relation set between feature data and analysis results. In practical applications, however, the feature data of the target industrial control network data packet may not be found in the mapping relation set, for example when an industrial control network data packet with a given content is transmitted in the industrial control network for the first time.
In this embodiment, if the feature data of the target industrial control network data packet cannot be found in the mapping relationship set, the target industrial control network data packet is directly analyzed.
Since this implementation is not substantially different from the prior art, the description is not repeated here.
The industrial control network data packet analysis method provided by the invention analyzes in real time those industrial control network data packets that cannot be found in the mapping relation set, thereby overcoming the limitation that not every industrial control network data packet can be resolved through the mapping relation set.
Based on any of the foregoing embodiments, in this embodiment, after the analyzing the target industrial control network data packet, the method further includes:
and storing the mapping relation between the characteristic data of the target industrial control network data packet and the analysis result of the target industrial control network data packet in the mapping relation set.
If the analysis result of the target industrial control network data packet is not stored in the mapping relation set in advance but obtained through real-time analysis, the feature data and the analysis result of the target industrial control network data packet can be stored in the mapping relation set.
When the industrial control network data packet with the same content arrives next time, the corresponding item can be found in the mapping relation set according to the characteristic data of the industrial control network data packet, so that the analysis operation on the industrial control network data packet is avoided. This helps to reduce resource consumption and save processing time.
Preferably, in this embodiment, a hash value may be calculated for the feature data, and then the hash value of the feature data and the analysis result may be stored in the mapping relationship set. When the industrial control network data packet with the same content arrives next time, the corresponding item can be found in the mapping relation set according to the hash value of the characteristic data of the industrial control network data packet, and the corresponding analysis result is obtained, so that the analysis operation on the industrial control network data packet is avoided.
According to the industrial control network data packet analysis method provided by the invention, the real-time analysis result of an industrial control network data packet is stored in the mapping relation set, so that when the next industrial control network data packet with the same content arrives, its analysis result is obtained directly by a lookup operation and no real-time analysis is required, which reduces resource consumption and saves processing time.
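As an added example (not code from the patent or from the applicant) tying together the fragment-based lookup, the hash-keyed mapping relation set, the real-time fallback on a miss and the storing of the new result, the following Python sketch keeps a table keyed by the SHA-256 of the first fragment's feature data, as the embodiments above describe. The choice of SHA-256, the toy FINS parser (which reads an assumed 10-byte FINS header plus a 2-byte command code), the 16-byte FINS/TCP header length and the constructed 2973-byte message are all assumptions of this example. The `later_fragments_match` check is an addition: the text only states that a differing remainder after an identical first fragment is improbable, so a defender would want to confirm it once all fragments have arrived.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FINS_TCP_HEADER_LEN = 16  # assumption: 'FINS' magic + length + command + error code


@dataclass
class CacheEntry:
    """Stored analysis result of one whole application-layer packet plus per-fragment results."""
    whole_result: dict
    fragment_keys: List[bytes]      # hash of each fragment's feature data, in order
    fragment_results: List[dict]


def feature_key(feature: bytes) -> bytes:
    """Hash the feature data so the table stores a fixed 32-byte key instead of the full content."""
    return hashlib.sha256(feature).digest()


class ParseCache:
    def __init__(self, parser: Callable[[bytes], dict]):
        self._parser = parser                      # real-time parser, used only on a miss
        self._table: Dict[bytes, CacheEntry] = {}  # mapping relation set: key -> analysis result
        self.parse_calls = 0

    def resolve(self, fragments: List[bytes]) -> Tuple[CacheEntry, bool]:
        """fragments: feature data of each fragment in order (one item for an unfragmented packet).
        Returns (entry, hit). The lookup uses only the first fragment, as the text describes."""
        first_key = feature_key(fragments[0])
        entry = self._table.get(first_key)
        if entry is not None:
            return entry, True
        # Miss: analyze the whole packet in real time, then store the result under the first fragment's key
        # so that the next packet with identical content is served by lookup alone.
        self.parse_calls += 1
        entry = CacheEntry(
            whole_result=self._parser(b"".join(fragments)),
            fragment_keys=[feature_key(f) for f in fragments],
            fragment_results=[{"fragment": i, "length": len(f)} for i, f in enumerate(fragments)],
        )
        self._table[first_key] = entry
        return entry, False

    @staticmethod
    def later_fragments_match(entry: CacheEntry, fragments: List[bytes]) -> bool:
        """Added check: once every fragment has arrived, confirm they equal the stored ones."""
        return [feature_key(f) for f in fragments] == entry.fragment_keys


def toy_fins_parser(feature: bytes) -> dict:
    """Stand-in for the real-time parser: reads the FINS header and command code (assumed layout)."""
    icf, rsv, gct, dna, da1, da2, sna, sa1, sa2, sid, mrc, src = struct.unpack_from("!12B", feature, 0)
    return {"protocol": "FINS", "dest_node": da1, "src_node": sa1, "sid": sid, "command": (mrc, src)}


# Constructed sample: packet A of 2973 bytes split into A1 (1460 bytes) and A2; A1 is extracted the
# type-four way (FINS/TCP header dropped), A2 is carried as-is.
FINS_HEADER = bytes.fromhex("8000 0200 0a00 0001 0005")
COMMAND = bytes.fromhex("0101") + bytes((i % 251) for i in range(2945))       # pattern, not real data
PACKET_A = b"FINS" + struct.pack("!III", 2973 - 8, 2, 0) + FINS_HEADER + COMMAND
A1, A2 = PACKET_A[:1460], PACKET_A[1460:]
FRAGMENT_FEATURES_A = [A1[FINS_TCP_HEADER_LEN:], A2]
```

A packet seen for the first time costs one real-time parse and one table insert; every later packet with the same first fragment costs one hash and one dictionary lookup, which is the saving the embodiments describe. The added `later_fragments_match` check is how an operator would measure how often the "identical first fragment, different remainder" case actually occurs in a given network before relying on the shortcut.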
The industrial control network data packet analysis device provided by the invention is described below; the device described below and the industrial control network data packet analysis method described above correspond to each other and may be read together.
Fig. 2 is a schematic diagram of an industrial control network data packet analysis device provided by the invention. As shown in Fig. 2, the industrial control network data packet analysis device provided by the invention includes:
a receiving module 201, configured to receive a target industrial control network data packet;
the characteristic data extraction module 202 is configured to extract characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction manner corresponding to the protocol type;
and the analysis result acquisition module 203 is configured to determine an analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and a predetermined mapping relationship set between the feature data and the analysis result.
The industrial control network data packet analysis device provided by the invention extracts the feature data of the target industrial control network data packet and looks up the analysis result in the predetermined mapping relation set between feature data and analysis results based on that feature data, so that real-time analysis of the target industrial control network data packet is avoided, which helps reduce resource consumption and save processing time.
Based on any one of the foregoing embodiments, in this embodiment, the extracting, according to the protocol type of the target industrial control network data packet and a preset feature data extraction manner corresponding to the protocol type, feature data from the target industrial control network data packet includes:
judging whether the target industrial control network data packet is an industrial control network data packet to be recombined or not;
determining the protocol type of the target industrial control network data packet under the condition that the target industrial control network data packet is not the industrial control network data packet to be recombined, and determining a characteristic data extraction mode corresponding to the protocol type according to the protocol type; and extracting the characteristic data from the target industrial control network data packet according to the determined characteristic data extraction mode.
The industrial control network data packet analysis device provided by the invention analyzes the protocol type of the target industrial control network data packet, determines the feature data extraction mode according to that type, extracts the feature data, and then quickly looks up the analysis result in the predetermined mapping relation set between feature data and analysis results based on the feature data. This avoids real-time analysis of the target industrial control network data packet, which helps reduce resource consumption and save processing time.
Based on any one of the above embodiments, in this embodiment, the protocol type of the target industrial control network data packet is determined, and a feature data extraction manner corresponding to the protocol type is determined according to the protocol type; extracting feature data from the target industrial control network data packet according to the determined feature data extraction mode, wherein the feature data extraction method comprises the following steps:
determining the target industrial control network data packet as a link layer network protocol data packet;
and taking data which does not contain a link layer header part and does not contain a protocol header part in the target industrial control network data packet as characteristic data, or taking data which does not contain the link layer header part in the target industrial control network data packet as the characteristic data.
Based on any one of the foregoing embodiments, in this embodiment, the protocol type of the target industrial control network data packet is determined, and a feature data extraction manner corresponding to the protocol type is determined according to the protocol type; extracting feature data from the target industrial control network data packet according to the determined feature data extraction mode, wherein the feature data extraction method comprises the following steps:
determining that the target industrial control network data packet is an application layer network protocol data packet, wherein the application layer network protocol is carried by UDP (User Datagram Protocol) or TCP (Transmission Control Protocol);
using all the data carried inside the TCP structure data or UDP structure data of the target industrial control network data packet as the feature data; or, using a specified part of the data carried inside the TCP structure data or UDP structure data of the target industrial control network data packet as the feature data.
Based on any one of the above embodiments, in this embodiment, the extracting feature data from a target industrial control network data packet according to a protocol type of the target industrial control network data packet and a preset feature data extraction manner corresponding to the protocol type further includes:
when the target industrial control network data packet is an industrial control network data packet to be recombined, recombining the target industrial control network data packet with other industrial control network data packets in the same group to obtain a recombined industrial control network data packet;
and determining the type of the recombined industrial control network data packet, and extracting characteristic data from the recombined industrial control network data packet according to the type and a preset characteristic data extraction mode corresponding to the type.
The industrial control network data packet analysis device provided by the invention reassembles the industrial control network data packet to be reassembled and extracts the feature data from the reassembled packet, providing the basis for subsequently obtaining the analysis result of the reassembled packet from its feature data, which helps reduce resource consumption and save processing time.
Based on any one of the foregoing embodiments, in this embodiment, the determining, according to the feature data of the target industrial control network data packet and a predetermined mapping relationship set between the feature data and an analysis result, an analysis result of the target industrial control network data packet includes:
and searching the analysis result of the recombined industrial control network data packet corresponding to the characteristic data of the recombined industrial control network data packet from the mapping relation set between the characteristic data and the analysis result.
The industrial control network data packet analysis device provided by the invention quickly looks up the analysis result in the predetermined mapping relation set between feature data and analysis results, based on the feature data of the reassembled industrial control network data packet, so that real-time analysis of the reassembled packet is avoided, resource consumption is reduced and processing time is saved.
Based on any one of the above embodiments, in this embodiment, the extracting feature data from a target industrial control network data packet according to a protocol type of the target industrial control network data packet and a preset feature data extraction manner corresponding to the protocol type further includes:
determining the protocol type of the target industrial control network data packet and other industrial control network data packets in the same group under the condition that the target industrial control network data packet is an industrial control network data packet to be recombined, and determining a characteristic data extraction mode corresponding to the protocol type according to the protocol type; according to the determined characteristic data extraction mode, extracting characteristic data from the target industrial control network data packet and other industrial control network data packets in the same group respectively;
correspondingly, the determining the analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and the predetermined mapping relationship set between the feature data and the analysis result includes:
determining a first industrial control network data packet, the first industrial control network data packet being the first packet among the target industrial control network data packet and the other industrial control network data packets in the same group;
searching the characteristic data of the first industrial control network data packet in the mapping relation set between the characteristic data and the analysis result;
and under the condition that the characteristic data of the first industrial control network data packet can be found, acquiring the analysis results of the first industrial control network data packet and other industrial control network data packets in the same group from the mapping relation set between the characteristic data and the analysis results.
The industrial control network data packet analysis device provided by the invention extracts the characteristic data for the fragment data packet, and quickly finds out the analysis result of the complete application layer network data packet before fragmentation in the predetermined mapping relation set between the characteristic data and the analysis result based on the characteristic data of the fragment data packet, thereby being beneficial to reducing resource consumption and saving processing time.
Based on any one of the foregoing embodiments, in this embodiment, the set of mapping relationships between the feature data and the analysis result is a set of mapping relationships between hash values of the feature data and the analysis result;
correspondingly, the determining the analysis result of the target industrial control network data packet according to the feature data and the predetermined mapping relationship set between the feature data and the analysis result includes:
calculating a hash value of the characteristic data of the target industrial control network data packet;
and searching the analysis result of the target industrial control network data packet corresponding to the hash value of the characteristic data of the target industrial control network data packet from the mapping relation set between the hash value of the characteristic data and the analysis result.
In the industrial control network data packet analysis device provided by the invention, the hash value of the feature data occupies less storage space than the feature data itself and can be searched more efficiently.
Based on any of the above embodiments, in this embodiment, the method further includes:
when the analysis result of the target industrial control network data packet cannot be determined according to the feature data of the target industrial control network data packet and the predetermined mapping relation set between the feature data and the analysis result,
and analyzing the target industrial control network data packet.
The industrial control network data packet analysis device provided by the invention analyzes in real time any industrial control network data packet whose result cannot be found in the mapping relation set, which overcomes the limitation that not every industrial control network data packet can be resolved through the mapping relation set.
Based on any of the foregoing embodiments, in this embodiment, after the analyzing the target industrial control network data packet, the method further includes:
and storing the mapping relation between the characteristic data of the target industrial control network data packet and the analysis result of the target industrial control network data packet in the mapping relation set.
The industrial control network data packet analysis device provided by the invention saves the real-time analysis result of the industrial control network data packet in the mapping relation set, so that the analysis result can be directly obtained through searching operation after the next industrial control network data packet with the same content arrives, the real-time analysis operation is not needed, the resource consumption is reduced, and the processing time is saved.
Fig. 3 is a schematic structural diagram of an electronic device provided in the present invention, and as shown in fig. 3, the electronic device may include: a processor (processor) 310, a communication Interface (communication Interface) 320, a memory (memory) 330 and a communication bus 340, wherein the processor 310, the communication Interface 320 and the memory 330 communicate with each other via the communication bus 340. The processor 310 may call logic instructions in the memory 330 to perform a method for parsing industrial control network packets, the method comprising:
receiving a target industrial control network data packet;
extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type;
and determining the analysis result of the target industrial control network data packet according to the characteristic data of the target industrial control network data packet and a predetermined mapping relation set between the characteristic data and the analysis result.
In addition, the logic instructions in the memory 330 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, which includes a computer program stored on a non-transitory computer readable storage medium, the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the method for parsing industrial control network packets provided by the above methods, the method includes:
receiving a target industrial control network data packet;
extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type;
and determining the analysis result of the target industrial control network data packet according to the characteristic data of the target industrial control network data packet and a predetermined mapping relation set between the characteristic data and the analysis result.
In another aspect, the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented by a processor to execute the method for parsing an industrial control network packet provided in the foregoing embodiments, and the method includes:
receiving a target industrial control network data packet;
extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type;
and determining the analysis result of the target industrial control network data packet according to the characteristic data of the target industrial control network data packet and a predetermined mapping relation set between the characteristic data and the analysis result.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on the understanding, the above technical solutions substantially or otherwise contributing to the prior art may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the various embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (14)

1. A method for analyzing industrial control network data packets is characterized by comprising the following steps:
receiving a target industrial control network data packet;
extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type;
and determining the analysis result of the target industrial control network data packet according to the characteristic data of the target industrial control network data packet and a predetermined mapping relation set between the characteristic data and the analysis result.
2. The method for analyzing the industrial control network data packet according to claim 1, wherein the extracting the feature data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset feature data extracting manner corresponding to the protocol type includes:
judging whether the target industrial control network data packet is an industrial control network data packet to be recombined or not;
determining the protocol type of the target industrial control network data packet under the condition that the target industrial control network data packet is not the industrial control network data packet to be recombined, and determining a characteristic data extraction mode corresponding to the protocol type according to the protocol type; and extracting the characteristic data from the target industrial control network data packet according to the determined characteristic data extraction mode.
3. The industrial control network data packet analysis method according to claim 2, wherein the determining the protocol type of the target industrial control network data packet, determining a feature data extraction mode corresponding to the protocol type according to the protocol type, and extracting the feature data from the target industrial control network data packet according to the determined feature data extraction mode comprises:
determining the target industrial control network data packet as a link layer network protocol data packet;
and taking data which does not contain a link layer header part and does not contain a protocol header part in the target industrial control network data packet as characteristic data, or taking data which does not contain the link layer header part in the target industrial control network data packet as the characteristic data.
4. The industrial control network data packet analysis method according to claim 2, wherein the determining the protocol type of the target industrial control network data packet, determining a feature data extraction mode corresponding to the protocol type according to the protocol type, and extracting the feature data from the target industrial control network data packet according to the determined feature data extraction mode comprises:
determining the target industrial control network data packet as an application layer network protocol data packet, wherein the application layer network protocol is carried by a UDP protocol or a TCP protocol;
taking all data contained in the TCP (transmission control protocol) structure data or UDP (user datagram protocol) structure data in the target industrial control network data packet as the feature data; or, taking the data of a specified part contained in the TCP structure data or UDP structure data in the target industrial control network data packet as the feature data.
5. The method for analyzing the industrial control network data packet according to claim 2, wherein the method for extracting the feature data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset feature data extraction manner corresponding to the protocol type further comprises:
when the target industrial control network data packet is an industrial control network data packet to be recombined, recombining the target industrial control network data packet with other industrial control network data packets in the same group to obtain a recombined industrial control network data packet;
and determining the type of the recombined industrial control network data packet, and extracting characteristic data from the recombined industrial control network data packet according to the type and a preset characteristic data extraction mode corresponding to the type.
6. The method for analyzing the industrial control network data packet according to claim 5, wherein the determining the analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and a predetermined mapping relationship set between the feature data and the analysis result comprises:
searching the analysis result of the recombined industrial control network data packet corresponding to the characteristic data of the recombined industrial control network data packet from the mapping relation set between the characteristic data and the analysis result.
7. The method for analyzing the industrial control network data packet according to claim 2, wherein the method for extracting the feature data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset feature data extraction manner corresponding to the protocol type further comprises:
determining the protocol types of the target industrial control network data packet and other industrial control network data packets in the same group under the condition that the target industrial control network data packet is an industrial control network data packet to be recombined, and determining a characteristic data extraction mode corresponding to the protocol type according to the protocol types; according to the determined characteristic data extraction mode, extracting characteristic data from the target industrial control network data packet and other industrial control network data packets in the same group respectively;
correspondingly, the determining the analysis result of the target industrial control network data packet according to the feature data of the target industrial control network data packet and the predetermined mapping relationship set between the feature data and the analysis result includes:
determining a first industrial control network data packet, the first industrial control network data packet being the first packet among the target industrial control network data packet and the other industrial control network data packets in the same group;
searching the characteristic data of the first industrial control network data packet in the mapping relation set between the characteristic data and the analysis result;
and under the condition that the characteristic data of the first industrial control network data packet can be found, acquiring the analysis results of the first industrial control network data packet and other industrial control network data packets in the same group from the mapping relation set between the characteristic data and the analysis results.
8. The method for parsing the industrial control network data packet according to claim 1, wherein the set of mapping relationships between the feature data and the parsing result is a set of mapping relationships between hash values of the feature data and the parsing result;
correspondingly, the determining the analysis result of the target industrial control network data packet according to the feature data and the predetermined mapping relationship set between the feature data and the analysis result includes:
calculating a hash value of the characteristic data of the target industrial control network data packet;
and searching the analysis result of the target industrial control network data packet corresponding to the hash value of the characteristic data of the target industrial control network data packet from the mapping relation set between the hash value of the characteristic data and the analysis result.
9. The industrial control network data packet parsing method according to one of claims 1-8, wherein the method further comprises:
when the analysis result of the target industrial control network data packet cannot be determined according to the feature data of the target industrial control network data packet and the predetermined mapping relation set between the feature data and the analysis result,
and analyzing the target industrial control network data packet.
10. The method for parsing the industrial control network data packet according to claim 9, wherein after the parsing the target industrial control network data packet, the method further comprises:
and storing the mapping relation between the characteristic data of the target industrial control network data packet and the analysis result of the target industrial control network data packet in the mapping relation set.
11. An industrial control network data packet analyzing device is characterized by comprising:
the receiving module is used for receiving a target industrial control network data packet;
the characteristic data extraction module is used for extracting characteristic data from the target industrial control network data packet according to the protocol type of the target industrial control network data packet and a preset characteristic data extraction mode corresponding to the protocol type;
and the analysis result acquisition module is used for determining the analysis result of the target industrial control network data packet according to the characteristic data of the target industrial control network data packet and a predetermined mapping relation set between the characteristic data and the analysis result.
12. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the program to implement the steps of the industrial control network data packet analysis method according to any one of claims 1 to 10.
13. A non-transitory computer readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the industrial control network data packet analysis method according to any one of claims 1 to 10.
14. A computer program product comprising computer executable instructions, wherein the instructions, when executed, implement the steps of the industrial control network data packet analysis method according to any one of claims 1 to 10.
CN202110736560.3A 2021-06-30 2021-06-30 Industrial control network data packet analysis method and device, electronic equipment and storage medium Pending CN115550470A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110736560.3A CN115550470A (en) 2021-06-30 2021-06-30 Industrial control network data packet analysis method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115550470A true CN115550470A (en) 2022-12-30

Family

ID=84717056

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115834738A (en) * 2023-01-09 2023-03-21 科来网络技术股份有限公司 Industrial control business behavior identification method and device, electronic equipment and readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination