CN115622963A - Message detection method, device, equipment and medium based on industrial switch - Google Patents
Message detection method, device, equipment and medium based on industrial switch Download PDFInfo
- Publication number
- CN115622963A CN115622963A CN202211524109.6A CN202211524109A CN115622963A CN 115622963 A CN115622963 A CN 115622963A CN 202211524109 A CN202211524109 A CN 202211524109A CN 115622963 A CN115622963 A CN 115622963A
- Authority
- CN
- China
- Prior art keywords
- message
- messages
- reading
- data
- protocol
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 73
- 238000004891 communication Methods 0.000 claims abstract description 49
- 230000003993 interaction Effects 0.000 claims abstract description 39
- 238000000034 method Methods 0.000 claims abstract description 27
- 238000007405 data analysis Methods 0.000 claims abstract description 11
- 230000005540 biological transmission Effects 0.000 claims description 26
- 230000004044 response Effects 0.000 claims description 13
- 238000004590 computer program Methods 0.000 claims description 11
- 230000008520 organization Effects 0.000 claims description 11
- 230000002159 abnormal effect Effects 0.000 claims description 10
- 238000004458 analytical method Methods 0.000 claims description 5
- 238000010276 construction Methods 0.000 claims description 4
- 238000012544 monitoring process Methods 0.000 claims description 3
- 238000003745 diagnosis Methods 0.000 claims description 2
- 239000002699 waste material Substances 0.000 abstract description 5
- 230000006870 function Effects 0.000 description 35
- 238000010586 diagram Methods 0.000 description 10
- 238000012545 processing Methods 0.000 description 6
- 239000003795 chemical substances by application Substances 0.000 description 5
- 230000005856 abnormality Effects 0.000 description 4
- 230000003287 optical effect Effects 0.000 description 4
- 230000006399 behavior Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000007689 inspection Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L49/00—Packet switching elements
- H04L49/55—Prevention, detection or correction of errors
- H04L49/555—Error detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/28—Timers or timing mechanisms used in protocols
Abstract
The embodiment of the disclosure discloses a message detection method, a device, equipment and a medium based on an industrial switch. One embodiment of the method comprises: collecting an industrial protocol information frame in a target industrial switch; performing data analysis on the connection request message to obtain an internet interconnection protocol and port characteristics, a function code, a grammar identifier and an access data type which comprise a data channel; reading a data interaction standard message set in a target industrial switch, wherein the data interaction standard message set comprises: the method comprises the steps of reading a message of a data block in a database, reading an input message, reading a mark, reading an output message and reading a global variable; and constructing a message detection library according to the Internet interconnection protocol and port characteristics including the data channel, the function code, the grammar identifier, the access data type and the data interaction standard message set. This embodiment reduces the waste of communication resources.
Description
Technical Field
The disclosed embodiments relate to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for packet detection based on an industrial switch.
Background
With the rapid iteration of the industrial control network, the information security of the industrial control system is increasingly highlighted while the informatization level of the industrial control system is improved. At present, the detection of the message in the industrial switch is usually performed in the following manner: and performing source authentication on the received message.
However, the following technical problems generally exist in the above manner: the message receiving or transmitting itself (for example, the message format) is not detected, and when an error message occurs, the industrial switch is easy to transmit the error information, so that the communication resource is wasted.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Some embodiments of the present disclosure provide a method, an apparatus, an electronic device, and a computer-readable medium for message detection based on an industrial switch, to solve one or more of the technical problems mentioned in the background section above.
In a first aspect, some embodiments of the present disclosure provide a method for detecting a packet based on an industrial switch, where the method includes: collecting an industrial protocol information frame in a target industrial switch, wherein the industrial protocol information frame comprises a connection request message; performing data analysis on the connection request message to obtain an internet interconnection protocol and port characteristics, a function code, a grammar identifier and an access data type which comprise a data channel; reading a data interaction standard message set in the target industrial switch, wherein the data interaction standard message set comprises: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services; and constructing a message detection library according to an internet interconnection protocol and port characteristic containing a data channel, a function code, a grammar identifier, an access data type and the data interaction standard message set.
In a second aspect, some embodiments of the present disclosure provide an apparatus for detecting a packet based on an industrial switch, where the apparatus includes: the system comprises a collecting unit, a processing unit and a processing unit, wherein the collecting unit is configured to collect an industrial protocol information frame in a target industrial switch, and the industrial protocol information frame comprises a connection request message; the analysis unit is configured to perform data analysis on the connection request message to obtain an internet interconnection protocol and port characteristic containing a data channel, a function code, a grammar identifier and an access data type; a reading unit configured to read a data interaction standard message set in the target industrial switch, wherein the data interaction standard message set includes: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services; and the construction unit is configured to construct a message detection library according to the Internet interconnection protocol and port characteristics comprising the data channel, the function code, the grammar identifier, the access data type and the data interaction standard message set.
In a third aspect, some embodiments of the present disclosure provide an electronic device, comprising: one or more processors; a storage device having one or more programs stored thereon, which when executed by one or more processors, cause the one or more processors to implement the method described in any of the implementations of the first aspect.
In a fourth aspect, some embodiments of the present disclosure provide a computer readable medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method described in any of the implementations of the first aspect.
The above embodiments of the present disclosure have the following beneficial effects: by the message detection method based on the industrial switch, transmission of error messages is reduced, and waste of communication resources is reduced. Specifically, the reason why the communication resources are wasted is that: the message itself (e.g., message format) received or transmitted is not detected, and when an error message occurs, it is easy to cause the industrial switch to transmit the error message. Based on this, the message detection method based on the industrial switch according to some embodiments of the present disclosure first collects the industrial protocol information frame in the target industrial switch. Therefore, data support is provided for constructing the message detection library. And then, performing data analysis on the connection request message to obtain an internet protocol and port characteristic, a function code, a grammar identifier and an access data type which comprise a data channel. And then, reading the data interaction standard message set in the target industrial switch. Wherein, the data interaction standard message set comprises: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services. Therefore, verification detection can be carried out on the transmitted message according to the data interaction standard message set, so that the outflow of abnormal messages is reduced. And finally, constructing a message detection library according to the Internet interconnection protocol and port characteristics including the data channel, the function code, the grammar identifier, the access data type and the data interaction standard message set. Therefore, the transmitted message can be detected according to the message detection library. Thus, the format of the message itself can be detected to reduce the transmission of erroneous messages. Further, waste of communication resources is reduced.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and components are not necessarily drawn to scale.
Fig. 1 is a flow diagram of some embodiments of an industrial switch-based message detection method according to the present disclosure;
FIG. 2 is a schematic block diagram of some embodiments of an industrial switch based message detection apparatus according to the present disclosure;
FIG. 3 is a schematic block diagram of an electronic device suitable for use in implementing some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the disclosure are shown in the drawings, it is to be understood that the disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and the embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings. The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Fig. 1 is a flow diagram of some embodiments of an industrial switch-based message detection method according to the present disclosure. A flow 100 of some embodiments of an industrial switch-based message detection method according to the present disclosure is shown. The message detection method based on the industrial switch comprises the following steps:
In some embodiments, an executing agent (e.g., a server) of the industrial switch-based message detection method can collect industrial protocol information frames in a target industrial switch by means of wired connection or wireless connection. Wherein, the industrial protocol information frame comprises a connection request message. The target industrial switch may refer to a switch currently to collect industrial protocol information frames. The industrial protocol information frame may represent industrial protocol information (Comm protocol information frame). The connection request message can represent a request for connecting to the target industrial switch.
And 102, performing data analysis on the connection request message to obtain an internet interconnection protocol and port characteristic, a function code, a grammar identifier and an access data type which comprise a data channel.
In some embodiments, the execution agent may perform data parsing on the connection request packet to obtain an internet protocol and port characteristic including a data channel, a function code, a syntax identifier, and an access data type. In practice, the execution main body may perform data analysis on the Connection request packet through Protocol analysis of a data frame of an S7 Comm (Connection-Oriented Transport Protocol, COTP) layer, so as to obtain an internet interconnection Protocol and port characteristics including a data channel, a function code, a syntax identifier, and an access data type. Here, the Internet Protocol including a data channel may refer to an IP (Internet Protocol) including a data channel. A port characteristic may represent an output port or an input port, or a particular transmission port. The syntax identifier may refer to a data identifier referred to in the message. The function code may contain the following functions: CPU servicing, establishing communications, reading variable values, writing variable values, requesting downloads, downloading blocks, ending downloads, starting uploads, ending uploads, program call servicing, PLC (Programmable Logic Controller) shutdown, etc. That is, the function code may be a code package. The access data type may indicate a type of data accessed. For example, accessing data types may include: s7-200 series system information, S7-200 series system flags, S7-200 series analog input, S7-200 series analog output, direct access peripheral access, input, output, internal flags, data blocks, background data blocks, local variables, global variables, S7 counters, S7 timers, IEC counters (S7-200 series), IEC timers (S7-200 series).
And 103, reading the data interaction standard message set in the target industrial switch.
In some embodiments, the execution subject may read the set of data interaction standard messages in the target industrial switch by means of a wired connection or a wireless connection. Wherein, the data interaction standard message set comprises: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services.
It should be noted that the data interaction standard packet in the data interaction standard packet set may refer to a packet in a standard format of a certain application/function that is preset. That is, a message for reading a data block in a database, a message for reading an input, a message for reading a flag, a message for reading an output, a message for reading a global variable, a message for reading timer data, a message for reading a clock, a message for reading block information, a message for reading a block list, a message for reading a message service, a message for reading diagnostic data, a message for writing a data block, a message for writing an output, a message for writing a flag, a message for setting a communication connection, a message for downloading a block, a message for downloading an organization block, a message for starting a program call service may be a message of a preset standard format.
That is, the data interaction standard packet in the data interaction standard packet set may be any one of the following: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services.
And step 104, constructing a message detection library according to the Internet interconnection protocol and port characteristics including the data channel, the function code, the grammar identifier, the access data type and the data interaction standard message set.
In some embodiments, the execution agent may construct the message detection library according to the ip and port characteristics including data channel, function code, syntax identifier, access data type, and the data interaction standard message set. In practice, the executive master may store the ip and port characteristics including the data channel, the function code, the syntax identifier, the access data type, and the data interaction standard packet set in a predetermined database for packet inspection, so as to construct a packet inspection library.
Optionally, in response to detecting the current transmission packet of the target industrial switch, determining whether the transmission packet is abnormal according to the packet detection library.
In some embodiments, the execution subject may determine whether the transmission message is abnormal according to the message detection library in response to detecting a current transmission message of the target industrial switch. For example, a message corresponding to the transmission message (for example, a message having the same use as the transmission message) is retrieved from the message detection library, and the format of the transmission message is compared with the format of the retrieved message. Namely, whether the transmission message is abnormal is determined.
Optionally, in response to determining that the transmission packet is abnormal, generating a packet abnormality prompt message.
In some embodiments, the execution agent may generate a message exception notification message in response to determining that the transmission message is abnormal. Here, the message abnormality presentation information may be information indicating that the format of the transmission message is abnormal.
Optionally, an industrial protocol message exception alarm library is established.
In some embodiments, the execution agent may establish an industrial protocol message exception alarm library. The protocol message abnormity alarm library comprises an industrial protocol message detection type set.
The above set of industrial protocol packet detection types includes:
a communication message of write operation occurs in the industrial control network;
a message with inconsistent function codes and frequency statistics data (which can be a message indicating that the function codes and the frequency statistics data of the communication message between two industrial switches are inconsistent) appears in the communication message between the devices;
a message of a protocol function code related to system behavior appears in a communication message between the equipment (which can be a message of a protocol function code related to system behavior appearing in a communication message between two industrial switches);
messages for illegal requests (e.g., messages for requesting account passwords) in the industrial control network;
response messages with errors occur in the industrial control network;
a message in which the assignment of a certain transmission parameter deviates from the set mean value and exceeds 3 standard deviations (for example, the assignment of a certain transmission parameter is not equal to the set mean value) in the communication message;
the method comprises the steps that the assignment of a certain transmission parameter in communication messages is not in an assignment setting range;
the target address is the communication message of engineer station or operator station (the engineer station can be a new generation open distributed control system which uses Windows NT as operation system and runs on general PC machine;
carrying the message of the data packet after the function code;
a message for closing the instruction of the programmable logic controller appears in the message;
a message for a download operation of a device (switch) appears;
a message called by a program appears in the industrial control network;
a message for deleting the network diagnosis information appears in the industrial control network;
a message aiming at the password operation of the programmable logic controller appears in the industrial control network;
a message for reading system area data of equipment (switch) appears in an industrial control network;
the message with the data length larger than a preset threshold value;
a message with the type set by the service port not matched with the communication protocol type;
a message with a format not matched with the set message format;
a message of an internet protocol address (IP address) of an unrecorded device appears in network connection;
the equipment monitoring messages of which the number of the messages of the same industrial control protocol received by the same equipment in unit time exceeds a set rate threshold value;
the same equipment does not receive the equipment communication prompt message of the set communication protocol within the set time;
and prompt messages with inconsistent quantity of the request messages and the quantity of the connection-oriented transmission protocol messages.
The device monitoring message may indicate that the number of messages of the same industrial control protocol received by the same device (the same IP address) in a unit time exceeds a set rate threshold. The device communication alert message may indicate that the same device (based on the IP address) has not received any message of a prescribed protocol (a set communication protocol) within a set time. The Connection-Oriented Transport Protocol packet may be a COTP (Connection-organized Transport Protocol) packet.
It should be noted that the industrial protocol packet detection type in the industrial protocol packet detection type set may indicate a type of a certain packet. For example, the industrial protocol message detection type may indicate the type of any one of the messages. For example, the industrial protocol message detection type can represent a communication message in which a write operation occurs in the industrial control network.
In practice, the execution main body may store a preset industrial protocol message detection type set into a preset database for alarming the abnormality of the industrial protocol message, so as to construct an industrial protocol message abnormality alarm library.
Optionally, in response to detecting the current received packet of the target industrial switch, determining whether an industrial protocol packet detection type consistent with the packet type of the received packet exists in the industrial protocol packet anomaly alarm library.
In some embodiments, the execution subject may determine, in response to detecting a currently received packet of the target industrial switch, whether an industrial protocol packet detection type consistent with a packet type of the received packet exists in the industrial protocol packet anomaly alarm library. The received message may be a message currently received by the target industrial switch.
In practice, the execution subject may determine whether an industrial protocol packet detection type set included in the industrial protocol packet anomaly alarm library has an industrial protocol packet detection type that is the same as the packet type of the received packet.
Optionally, in response to determining that an industrial protocol message detection type consistent with the message type of the received message exists in the industrial protocol message exception alarm library, generating detection information corresponding to the received message, and sending the detection information to an associated detection terminal.
In some embodiments, the execution main body may generate detection information corresponding to the received packet in response to determining that an industrial protocol packet detection type consistent with the packet type of the received packet exists in the industrial protocol packet anomaly alarm library, and send the detection information to an associated detection terminal. Here, the detection information may be information for performing field detection on the received packet. The associated detection terminal may refer to a terminal for detecting a message, which is in communication connection with the execution body.
The above embodiments of the present disclosure have the following beneficial effects: by the message detection method based on the industrial switch, the transmission of error messages is reduced, and the waste of communication resources is reduced. Specifically, the reason why the communication resources are wasted is that: the message itself (e.g., message format) received or transmitted is not detected, and when an error message occurs, it is easy to cause the industrial switch to transmit the error message. Based on this, the message detection method based on the industrial switch according to some embodiments of the present disclosure first collects the industrial protocol information frame in the target industrial switch. Therefore, data support is provided for constructing the message detection library. And then, performing data analysis on the connection request message to obtain an internet interconnection protocol and port characteristics, a function code, a grammar identifier and an access data type which comprise a data channel. And then, reading the data interaction standard message set in the target industrial switch. Wherein, the data interaction standard message set comprises: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services. Therefore, the transmitted message can be verified and detected according to the data interaction standard message set, so that the outflow of abnormal messages is reduced. And finally, constructing a message detection library according to the Internet interconnection protocol and port characteristics including the data channel, the function code, the grammar identifier, the access data type and the data interaction standard message set. Therefore, the transmitted message can be detected according to the message detection library. Thus, the format of the message itself can be detected to reduce the transmission of erroneous messages. Further, waste of communication resources is reduced.
With further reference to fig. 2, as an implementation of the methods shown in the above-mentioned figures, the present disclosure provides some embodiments of an industrial switch-based message detection apparatus, which correspond to those of the method embodiments shown in fig. 1, and which can be applied in various electronic devices.
As shown in fig. 2, an industrial switch-based message detection apparatus 200 of some embodiments includes: an acquisition unit 201, a parsing unit 202, a reading unit 203 and a construction unit 204. The acquisition unit 201 is configured to acquire an industrial protocol information frame in a target industrial switch, where the industrial protocol information frame includes a connection request message; an analysis unit 202, configured to perform data analysis on the connection request packet to obtain an internet protocol and port feature including a data channel, a function code, a syntax identifier, and an access data type; a reading unit 203 configured to read a data interaction standard message set in the target industrial switch, where the data interaction standard message set includes: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services; the constructing unit 204 is configured to construct a message detection library according to the internet protocol and port characteristics including the data channel, the function code, the syntax identifier, the access data type, and the data interaction standard message set.
It is to be understood that the units described in the industrial switch-based message detection apparatus 200 correspond to the respective steps in the method described with reference to fig. 1. Therefore, the operations, features and advantageous effects of the method described above are also applicable to the message detection apparatus 200 based on the industrial switch and the units included therein, and are not described herein again.
Referring now to FIG. 3, a block diagram of an electronic device (e.g., server) 300 suitable for use in implementing some embodiments of the present disclosure is shown. The electronic device in some embodiments of the present disclosure may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a vehicle-mounted terminal (e.g., a car navigation terminal), and the like, and a stationary terminal such as a digital TV, a desktop computer, and the like. The electronic device shown in fig. 3 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 3, electronic device 300 may include a processing device (e.g., central processing unit, graphics processor, etc.) 301 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 302 or a program loaded from a storage device 308 into a Random Access Memory (RAM) 303. In the RAM303, various programs and data necessary for the operation of the electronic apparatus 300 are also stored. The processing device 301, the ROM302, and the RAM303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
Generally, the following devices may be connected to the I/O interface 305: input devices 306 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, or the like; an output device 307 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage devices 308 including, for example, magnetic tape, hard disk, etc.; and a communication device 309. The communication means 309 may allow the electronic device 300 to communicate wirelessly or by wire with other devices to exchange data. While fig. 3 illustrates an electronic device 300 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided. Each block shown in fig. 3 may represent one device or may represent multiple devices, as desired.
In particular, according to some embodiments of the present disclosure, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, some embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In some such embodiments, the computer program may be downloaded and installed from a network through the communication device 309, or installed from the storage device 308, or installed from the ROM 302. The computer program, when executed by the processing apparatus 301, performs the above-described functions defined in the methods of some embodiments of the present disclosure.
It should be noted that the computer readable medium described in some embodiments of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In some embodiments of the disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In some embodiments of the present disclosure, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients, servers may communicate using any currently known or future developed network Protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), the Internet (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: collecting an industrial protocol information frame in a target industrial switch, wherein the industrial protocol information frame comprises a connection request message; performing data analysis on the connection request message to obtain an internet interconnection protocol and port characteristics, a function code, a grammar identifier and an access data type which comprise a data channel; reading a data interaction standard message set in the target industrial switch, wherein the data interaction standard message set comprises: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services; and constructing a message detection library according to the Internet interconnection protocol and port characteristics including the data channel, the function code, the grammar identifier, the access data type and the data interaction standard message set.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, smalltalk, C + +, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in some embodiments of the present disclosure may be implemented by software, and may also be implemented by hardware. The described units may also be provided in a processor, and may be described as: a processor includes an acquisition unit, an analysis unit, a reading unit, and a construction unit. Where the names of these units do not in some cases constitute a limitation on the unit itself, for example, the acquisition unit may also be described as a "unit that acquires industrial protocol information frames in the target industrial switch".
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex Programmable Logic Devices (CPLDs), and the like.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the embodiments of the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is made without departing from the inventive concept as defined above. For example, the above features and (but not limited to) technical features with similar functions disclosed in the embodiments of the present disclosure are mutually replaced to form the technical solution.
Claims (7)
1. A message detection method based on an industrial switch comprises the following steps:
collecting an industrial protocol information frame in a target industrial switch, wherein the industrial protocol information frame comprises a connection request message;
performing data analysis on the connection request message to obtain an internet interconnection protocol and port characteristics, a function code, a grammar identifier and an access data type which comprise a data channel;
reading a data interaction standard message set in the target industrial switch, wherein the data interaction standard message set comprises: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services;
and constructing a message detection library according to an internet interconnection protocol and port characteristic containing a data channel, a function code, a grammar identifier, an access data type and the data interaction standard message set.
2. The method of claim 1, wherein the method further comprises:
in response to the detection of the current transmission message of the target industrial switch, determining whether the transmission message is abnormal according to the message detection library;
and generating message abnormity prompt information in response to the determination that the transmission message is abnormal.
3. The method of claim 1, wherein the method further comprises:
establishing an industrial protocol message abnormity alarm library, wherein the protocol message abnormity alarm library comprises an industrial protocol message detection type set; and
the set of industrial protocol message detection types comprises:
a communication message of write operation occurs in the industrial control network;
the communication message between the devices has a message with inconsistent function codes and frequency statistic data;
the communication message between the devices has a message of a protocol function code related to the system behavior;
an illegal request message appears in the industrial control network;
response messages with errors occur in the industrial control network;
the method comprises the steps of (1) communicating messages, wherein the assignment of a certain transmission parameter deviates from a set mean value and exceeds 3 standard deviations;
the assignment of a certain transmission parameter in the communication message is not in the assignment setting range;
the target address is a communication message of an engineer station or an operator station;
carrying the message of the data packet after the function code;
a message for closing the instruction of the programmable logic controller appears in the message;
a message for a download operation of the device appears;
a message called by a program appears in the industrial control network;
a message for deleting the network diagnosis information appears in the industrial control network;
a message aiming at the password operation of the programmable logic controller appears in the industrial control network;
a message for reading the system area data of the equipment appears in the industrial control network;
the data length of the message is larger than a preset threshold value;
a message with the type set by the service port not matched with the communication protocol type;
the message format is not matched with the set message format;
a message of an internet protocol address of equipment which is not recorded appears in network connection;
the equipment monitoring messages of which the number of the messages of the same industrial control protocol received by the same equipment in unit time exceeds a set rate threshold value;
the same equipment does not receive the equipment communication prompt message of the set communication protocol within the set time;
and prompt messages with inconsistent quantity of the request messages and the quantity of the connection oriented transmission protocol messages.
4. The method of claim 3, wherein the method further comprises:
responding to the detection of the current received message of the target industrial switch, and determining whether an industrial protocol message detection type consistent with the message type of the received message exists in the industrial protocol message abnormity alarm library;
and in response to determining that the industrial protocol message detection type consistent with the message type of the received message exists in the industrial protocol message abnormity alarm library, generating detection information corresponding to the received message, and sending the detection information to a related detection terminal.
5. A message detection device based on an industrial switch comprises:
a collecting unit configured to collect an industrial protocol information frame in a target industrial switch, wherein the industrial protocol information frame comprises a connection request message;
the analysis unit is configured to perform data analysis on the connection request message to obtain an internet interconnection protocol and port characteristic containing a data channel, a function code, a grammar identifier and an access data type;
a reading unit configured to read a data interaction standard message set in the target industrial switch, wherein the data interaction standard message set includes: messages for reading data blocks in a database, messages for reading input, messages for reading flags, messages for reading output, messages for reading global variables, messages for reading timer data, messages for reading clocks, messages for reading block information, messages for reading block lists, messages for reading messaging services, messages for reading diagnostic data, messages for writing data blocks, messages for writing output, messages for writing flags, messages for setting communication connections, messages for downloading blocks, messages for downloading organization blocks, messages for starting program call services;
and the construction unit is configured to construct a message detection library according to the Internet interconnection protocol and port characteristics including the data channel, the function code, the grammar identifier, the access data type and the data interaction standard message set.
6. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method recited in any of claims 1-4.
7. A computer-readable medium, on which a computer program is stored, wherein the computer program, when being executed by a processor, carries out the method according to any one of claims 1-4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211524109.6A CN115622963A (en) | 2022-12-01 | 2022-12-01 | Message detection method, device, equipment and medium based on industrial switch |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211524109.6A CN115622963A (en) | 2022-12-01 | 2022-12-01 | Message detection method, device, equipment and medium based on industrial switch |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115622963A true CN115622963A (en) | 2023-01-17 |
Family
ID=84880837
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211524109.6A Pending CN115622963A (en) | 2022-12-01 | 2022-12-01 | Message detection method, device, equipment and medium based on industrial switch |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115622963A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116471130A (en) * | 2023-06-20 | 2023-07-21 | 荣耀终端有限公司 | Network asset detection method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170054751A1 (en) * | 2015-08-20 | 2017-02-23 | Cyberx Israel Ltd. | Method for mitigation of cyber attacks on industrial control systems |
| CN110912927A (en) * | 2019-12-09 | 2020-03-24 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting control message in industrial control system |
| CN112468488A (en) * | 2020-11-25 | 2021-03-09 | 杭州安恒信息技术股份有限公司 | Industrial anomaly monitoring method and device, computer equipment and readable storage medium |
| CN114205126A (en) * | 2021-11-25 | 2022-03-18 | 北京国泰网信科技有限公司 | Method, device and medium for attack detection in industrial system |
-
2022
- 2022-12-01 CN CN202211524109.6A patent/CN115622963A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170054751A1 (en) * | 2015-08-20 | 2017-02-23 | Cyberx Israel Ltd. | Method for mitigation of cyber attacks on industrial control systems |
| CN110912927A (en) * | 2019-12-09 | 2020-03-24 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting control message in industrial control system |
| CN112468488A (en) * | 2020-11-25 | 2021-03-09 | 杭州安恒信息技术股份有限公司 | Industrial anomaly monitoring method and device, computer equipment and readable storage medium |
| CN114205126A (en) * | 2021-11-25 | 2022-03-18 | 北京国泰网信科技有限公司 | Method, device and medium for attack detection in industrial system |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116471130A (en) * | 2023-06-20 | 2023-07-21 | 荣耀终端有限公司 | Network asset detection method and device |
| CN116471130B (en) * | 2023-06-20 | 2023-11-10 | 荣耀终端有限公司 | Network asset detection method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111930709B (en) | Data storage method, apparatus, electronic device, and computer readable medium | |
| CN112953791B (en) | Network detection method and device, electronic equipment and computer readable storage medium | |
| CN115640285B (en) | Power abnormality information transmission method, device, electronic equipment and medium | |
| CN115622963A (en) | Message detection method, device, equipment and medium based on industrial switch | |
| CN113722369A (en) | Method, device, equipment and storage medium for predicting field monitoring data | |
| CN111198853B (en) | Data processing method, device, electronic equipment and computer readable storage medium | |
| CN115016794A (en) | Code generation method, device, equipment and medium | |
| CN114611483A (en) | Method and device for automatically upgrading nuclear power DCS control logic diagram and function diagram association | |
| CN115391770A (en) | Program monitoring method, device, electronic equipment and computer readable storage medium | |
| CN113987471A (en) | Executable file execution method and device, electronic equipment and computer readable medium | |
| CN112256714A (en) | Data synchronization method and device, electronic equipment and computer readable medium | |
| CN111628913A (en) | Online time length determining method and device, readable medium and electronic equipment | |
| CN115391827B (en) | Log information storage method, apparatus, device, computer readable medium and product | |
| CN114693313B (en) | Identification code-based warehousing equipment detection method and device, electronic equipment and medium | |
| CN112084440B (en) | Data verification method, device, electronic equipment and computer readable medium | |
| CN115842819B (en) | Automatic driving system test data downloading method, device and equipment | |
| CN115604147A (en) | Industrial control network-based host testing method, device, equipment and computer medium | |
| CN111078259B (en) | Audio packaging method and device, electronic equipment and storage medium | |
| CN115883423A (en) | Communication load monitoring method, electronic device, and computer-readable medium | |
| CN113760590A (en) | Fault processing method and device, electronic equipment and computer readable medium | |
| CN115934461A (en) | Service system monitoring method, device, medium and equipment | |
| CN115080267A (en) | Communication method, apparatus, medium, and device | |
| CN115292162A (en) | Report generation method, report generation device, report generation apparatus, report generation medium, and program product | |
| CN112596753A (en) | Dependency package installation method and device, electronic equipment and computer readable medium | |
| CN115827415A (en) | System process performance test method, device, equipment and computer medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20230117 |
|
| RJ01 | Rejection of invention patent application after publication |