CN115883381A - Industrial Internet asset identification method based on network protocol fingerprints - Google Patents


Info

Publication number: CN115883381A
Authority: CN (China)
Prior art keywords: equipment, network, data, industrial, industrial control
Legal status: Pending
Application number: CN202211503535.1A
Other languages: Chinese (zh)
Inventors: 晏培, 高峻, 张军, 杨强浩, 段雪江
Current assignees: Seatech Beijing Co ltd; Xinjiang Zhongjing Internet Of Things Technology Co ltd; Zhongjing Tianyu Technology Hangzhou Co ltd
Original assignees: Seatech Beijing Co ltd; Xinjiang Zhongjing Internet Of Things Technology Co ltd; Zhongjing Tianyu Technology Hangzhou Co ltd
Priority date: 2022-11-28
Filing date: 2022-11-28
Publication date: 2023-03-31
Application filed by Seatech Beijing Co ltd, Xinjiang Zhongjing Internet Of Things Technology Co ltd and Zhongjing Tianyu Technology Hangzhou Co ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an industrial internet asset identification method based on network protocol fingerprints. A packet-capturing probe captures traffic data in the industrial internet in a passive mode; protocol analysis is carried out on the captured data; equipment characteristics are extracted and compared with an industrial control fingerprint database; the devices found through comparison are used to construct a device network topology; equipment that is not successfully matched in the fingerprint database is detected in a lightweight active mode, so that its equipment type can be further determined and added to the network topology. Equipment assets in the industrial internet are thus identified through a combination of passive scanning and lightweight active detection, which reduces the impact of network asset identification on industrial control equipment and overcomes the incompleteness of purely passive asset identification.

Description

Industrial Internet asset identification method based on network protocol fingerprints
Technical Field
The invention belongs to the field of network asset detection, and particularly relates to an industrial internet asset identification method based on network protocol fingerprints.
Background
Industrial internet assets are the network assets with network connectivity in the industrial internet, such as terminals, equipment and services. Asset detection is the process of tracking and mastering the state of industrial internet assets; it generally comprises host discovery, operating system identification, service identification and the like, and is an important prerequisite for industrial network security management.
Industrial internet asset detection provides an information basis for work such as unifying the software and hardware versions of equipment in the industrial internet and updating or upgrading software. Once the software and hardware versions of the equipment are identified through asset detection, response measures can be started precisely according to threat intelligence, and the threat posed by a vulnerability is avoided. Asset detection also provides a systematic cognitive basis for network security monitoring and threat situation awareness: according to the asset situation, various security rules can be configured precisely, equipment operation efficiency is improved, and the security of system operation is ensured. Asset detection, protocol analysis, rule matching, topology analysis, big data, application security, visual presentation and the like together provide technical support for the safe and stable operation of the industrial internet.
Asset detection methods are roughly divided into two types, active detection and passive detection. Active detection means that a data packet is actively sent to the target equipment, the target equipment returns a response packet after receiving it, and target equipment information is obtained by analyzing the response packet. Passive detection means that a network sniffer is used to acquire the data messages of the target network, and network asset information is obtained by analyzing the message data.
In traditional asset detection methods, relevant software and hardware assets are identified by actively scanning the equipment and analyzing its response data. However, because the computing and communication resources of industrial control equipment in the industrial internet are limited and security was not sufficiently considered when the products were designed, excessive active scanning and detection may affect the normal operation of the equipment. If only the passive scanning mode is used, on the other hand, detection efficiency is low, data representing the device fingerprint may not be obtainable at all, and the device type cannot be judged.
Disclosure of Invention
The invention provides an industrial internet asset identification method based on network protocol fingerprints.
The method identifies equipment assets in the industrial internet based on a combination of a passive mode and a lightweight active detection mode, and specifically comprises the following steps:
step 1, capturing flow data in an industrial internet in a passive mode by using a network probe:
the network probe is deployed in a target industrial internet to be identified as a single hardware device, and can also be deployed in the target industrial internet to be identified as a software plug-in form, and is used for passively collecting flow data in a network.
Step 2, performing protocol analysis on the data captured by the network probe:
and analyzing the flow data based on the message format of the TCP/IP protocol and various protocol formats of the industrial control equipment, and extracting the content of the flow data.
Step 3, extracting the equipment characteristics, and comparing the equipment characteristics with an industrial control fingerprint database:
extracting network fingerprint data representing the equipment characteristics from the protocol format data and the content data analyzed in step 2, and searching for and comparing the data in an industrial control fingerprint database.
Step 4, the devices discovered by comparison are used for constructing a device network topology:
and for the equipment characteristics which are found to be consistent by searching and comparing in the industrial control fingerprint database, judging the equipment type as a target equipment type, using the equipment to construct an industrial internet network topology, adding and marking the equipment in the topological graph, and gradually supplementing and perfecting the network topological graph according to the analysis content.
Step 5, lightweight detection of equipment not successfully matched in the fingerprint database:
for the device characteristics for which no consistent match is found by searching and comparing in the industrial control fingerprint library, the type of the target device is judged to be unidentified; a certain query request is sent to the target device by means of a lightweight active detection module, the device type is further determined according to the device response data, and the device is added and marked in the network topology once its type is determined.
In step 1, a network probe in the form of hardware, software or a software plug-in is deployed in the industrial internet to be identified. The probe does not actively send any equipment identification request but collects traffic data in the industrial internet in a passive manner.
In step 2, the network data passively acquired by the hardware or software network probes is analyzed based on the TCP/IP protocol and the various protocol formats published by different industrial control equipment manufacturers. The industrial control equipment protocol formats that can be parsed include common formats such as MODBUS, S7COMM-PLUS, CIPCCC and CIPCLS; the content carried in these formats is extracted in preparation for equipment feature recognition.
In step 3, the equipment characteristics are extracted and compared with an industrial control fingerprint library, which stores fingerprint information for the various types of industrial control equipment of the mainstream manufacturers on the market. The analyzed protocol format data and content data are combined to extract network fingerprint data representing the equipment characteristics; the network fingerprint data is searched for and compared in the industrial control fingerprint database, and if the comparison is consistent, the traffic data is taken to come from the corresponding industrial control equipment.
In step 4, for the device characteristics for which a consistent match is found by searching and comparing in the industrial control fingerprint database, the device type is judged to be the type marked in the industrial control fingerprint database. The equipment is used to construct the network topology of the industrial internet through a network topology drawing module: the equipment is added or marked in the topological graph, its connection relations with other equipment are determined according to the context information of the analyzed communication content, and the network topological graph is gradually supplemented and perfected.
In step 5, device features for which no consistent match is found by searching and comparing in the industrial control fingerprint database may belong to a new device type, or the device fingerprint feature data may be insufficient; all of them are judged to be unidentified industrial control device types. For such a device, the connection relationship with other devices may be preliminarily determined based on the context information of the communication content. Then, certain query request data is sent to the target equipment by means of the lightweight active detection module, and the equipment type is further determined according to the equipment response data; the equipment type may only be determined gradually, by sending the query request data multiple times.
Equipment assets in the industrial internet are identified through passive scanning combined with lightweight active detection; the equipment type and the connection relations among the equipment can be determined gradually, so that the equipment type information is added to or marked in the network topology and finally a complete network topology graph is drawn. Passive scanning reduces the impact of network asset identification on industrial control equipment, while the lightweight active detection mode determines equipment information gradually with a small number of query requests and overcomes the incompleteness of purely passive asset identification.
To implement the industrial internet asset identification method, an industrial internet asset identification system is constructed, comprising a network probe module, a lightweight active detection module, a data analysis module, an industrial control fingerprint database and a network topology drawing module. The network probe in the network probe module captures traffic data in the industrial internet in a passive mode; the data analysis module performs protocol analysis on the data captured by the network probe and extracts equipment characteristics; the extracted equipment characteristics are compared in the industrial control fingerprint library, and the equipment found by comparison is used to construct the equipment network topology through the network topology drawing module; equipment not successfully matched in the fingerprint database is detected in a lightweight mode through the lightweight active detection module.
In the process of detecting equipment in the industrial internet, a probe operating in passive detection mode is deployed, traffic data in the industrial internet is collected by sniffing, protocol analysis is carried out on the collected data, equipment characteristics in the data are extracted and compared with the industrial control fingerprint database, and the equipment type information discovered by comparison is used to construct the equipment network topology. For equipment not successfully matched in the fingerprint library, a lightweight active detection mode is adopted, and the equipment type is further determined by sending a small number of equipment type request packets and receiving the response information. Passive scanning reduces the impact of network asset identification on industrial control equipment, and for the small amount of equipment that cannot be identified this way, lightweight active detection identifies the equipment type, overcoming the incompleteness of purely passive asset identification.
Drawings
FIG. 1 is a flow chart of a method for identifying industrial Internet assets based on network protocol fingerprints according to the invention;
FIG. 2 is a block diagram illustrating the method for identifying industrial Internet assets based on network protocol fingerprints according to the present invention.
Detailed Description
The invention is further explained below by way of example with reference to the accompanying drawings.
As shown in FIG. 1, the industrial internet asset identification method based on network protocol fingerprints identifies the equipment assets in the industrial internet by combining a passive mode with a lightweight active detection mode. The method is implemented on the industrial internet asset identification system shown in FIG. 2, which comprises a network probe module, a lightweight active detection module, a data analysis module, an industrial control fingerprint library and a network topology drawing module.
The method specifically comprises the following steps:
step 1, capturing flow data in an industrial internet in a passive mode by using a network probe:
in the industrial internet to be identified, a network probe in the form of hardware, software or a software plug-in is deployed; it does not actively send any device identification request but collects traffic data in the industrial internet in a passive manner. The purpose of collection is to judge whether the equipment is alive and to collect the target information, which includes open ports, the operating system type and the services the system exposes.
The passive detection method acquires the traffic of the target network and analyzes the fingerprint characteristics in it: the Banner fields of application-layer protocol packets such as HTTP, FTP and SMTP, or special fields of protocol packets such as IP, the TCP three-way handshake and DHCP. In this way network asset information is detected passively. Some network asset information is generally contained in application-layer protocol packets; for example, the User-Agent field of the HTTP protocol contains information such as the operating system and browser version. However, that field is very easy to modify and is therefore of low reliability, and this kind of analysis is ineffective for packets carried over an encrypted protocol. The research therefore focuses on analyzing the characteristics of protocols below the application layer, such as IP, TCP and DHCP.
Step 2, carrying out protocol analysis on the data captured by the network probe:
the network data passively acquired by the hardware or software network probes is analyzed based on the TCP/IP protocol and the various protocol formats published by different industrial control equipment manufacturers. The industrial control equipment protocol formats that can be parsed include common formats such as MODBUS, S7COMM-PLUS, CIPPCCC and CIPCLS. As an example from the MODBUS universal function code definitions, function code 43 (0x2B) is Read Device Identification: it allows reading the identification code and additional messages related to the physical and functional description of the remote device. The Read Device Identification interface is modeled as an address space comprising a set of addressable data elements; each data element is addressed by the object it belongs to and that object's ID. The interface consists of three objects: the basic device identification, the regular device identification and the extended device identification. MODBUS identifies Read Device Identification requests by the encapsulated interface (MEI) type number 14, and multiple request/response transactions are required when the data does not fit in a single response. On this basis the content of the traffic data is extracted, and the traffic data is parsed into fields such as the 4-bit header length, the fragmentation flag, the ACK flag, the SYN flag, the 16-bit window size and the TCP options, in preparation for equipment feature identification.
Step 3, extracting equipment characteristics and comparing the equipment characteristics with an industrial control fingerprint database:
the industrial control fingerprint library stores fingerprint information for the various types of industrial control equipment of the mainstream manufacturers on the market. From the analyzed protocol format data and content data, network fingerprint data representing the equipment characteristics is extracted in a combined way; the network fingerprint data comprises the protocol type, MAC address, port number, TCP window size, time to live (TTL), clock offset and the like. The fingerprint data is searched for and compared in the industrial control fingerprint database; if the comparison is consistent, the traffic data comes from the corresponding industrial control equipment.
Step 4, using the devices discovered by comparison to construct a device network topology:
for the equipment characteristics for which a consistent match is found by searching and comparing in the industrial control fingerprint database, the equipment type is judged to be the type marked in the industrial control fingerprint database. The equipment is used to construct the network topology of the industrial internet through a network topology drawing module: the equipment is added or marked in the topological graph, its connection relations with other equipment are determined according to the context information of the analyzed communication content, and the network topological graph is supplemented and perfected step by step.
Step 5, lightweight detection of equipment not successfully matched in the fingerprint database:
for the device characteristics for which no consistent match is found by searching and comparing in the industrial control fingerprint database, the device may be of a new type or the device fingerprint feature data may be insufficient; either way the device is judged to be an unidentified industrial control device type. For such a device, the connection relationship with other devices may be preliminarily determined based on the context information of the communication content. Then, certain query request data is sent to the target equipment by means of the lightweight active detection module, and the equipment type is further determined according to the equipment response data; the equipment type may only be determined gradually, by sending the query request data multiple times.
For example, to detect Schneider PLC equipment, a specific data packet is constructed according to the open industrial Ethernet standard MODBUS communication protocol and sent to port 502 of the industrial control device; the response packet is then received and parsed, and detailed information about the industrial device can be obtained.
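The following is an added illustration of steps 2, 3 and 5 on the passive side, not code from the patent or its assignees: it parses a captured Modbus/TCP Read Device Identification response (function code 43, MEI type 14, including the multi-response "more follows" case), combines the vendor string with TCP-layer features seen by the probe, matches them against a fingerprint database, and records whether the device is still unidentified and so would need the lightweight active probe at all. The frame bytes, fingerprint records and vendor names are constructed.

```python
"""Passive Modbus/TCP device-identification parsing and fingerprint matching.
Added illustration, not the patent's code. Frames, fingerprint records and
vendor strings below are constructed for the example."""
import struct
from typing import Dict, List, Optional, Tuple

FC_ENCAPSULATED_INTERFACE = 0x2B   # MODBUS function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14: Read Device Identification
# Object ids of the "basic device identification" block.
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}

# Constructed fingerprint records, not real vendor data. A record matches only
# when the vendor string from the protocol content AND the TCP-layer features
# (TTL, window size) seen by the passive probe agree, so neither alone decides.
FINGERPRINT_DB = [
    {"type": "PLC-A (constructed)", "vendor": "ExampleVendor", "ttl": 64, "window": 8192},
    {"type": "PLC-B (constructed)", "vendor": "OtherVendor", "ttl": 128, "window": 65535},
]


def parse_device_id_response(frame: bytes) -> Tuple[Dict[str, str], bool, int]:
    """Parse one Modbus/TCP response to FC 43 / MEI 14.
    Returns (objects, more_follows, next_object_id). Raises ValueError for
    anything that is not a well-formed device-identification response, so the
    passive parser never attributes unrelated traffic to a device."""
    if len(frame) < 7:
        raise ValueError("short MBAP header")
    _tid, proto, length, _unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP protocol id / length mismatch")
    pdu = frame[7:]
    if len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] = Read Device ID code, pdu[3] = conformity level (not needed here)
    more_follows = pdu[4] == 0xFF
    next_object = pdu[5]
    count = pdu[6]
    objects: Dict[str, str] = {}
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"Object{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects, more_follows, next_object


def build_device_id_response(tid: int, objs: List[Tuple[int, bytes]],
                             more_follows: bool = False, next_object: int = 0) -> bytes:
    # Builds a sample response frame; used only to construct the test capture.
    body = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x01,
                  0xFF if more_follows else 0x00, next_object, len(objs)])
    for obj_id, value in objs:
        body += bytes([obj_id, len(value)]) + value
    return struct.pack("!HHHB", tid, 0, len(body) + 1, 1) + body


def match_fingerprint(objects: Dict[str, str], ttl: int, window: int) -> Optional[str]:
    """Step 3: look the extracted features up in the fingerprint database."""
    vendor = objects.get("VendorName", "").lower()
    for rec in FINGERPRINT_DB:
        if rec["vendor"].lower() in vendor and rec["ttl"] == ttl and rec["window"] == window:
            return rec["type"]
    return None


def classify(frames: List[bytes], ttl: int, window: int) -> Dict[str, object]:
    """Steps 3 to 5: merge a multi-frame response, match it, and decide whether
    the lightweight active probe is needed at all for this device."""
    objects: Dict[str, str] = {}
    for frame in frames:
        objs, _more, _next = parse_device_id_response(frame)
        objects.update(objs)
    device_type = match_fingerprint(objects, ttl, window)
    if device_type is not None:
        return {"type": device_type, "objects": objects, "needs_active_probe": False}
    # Unidentified: the patent's step 5 would now query the device, sparingly.
    return {"type": "unidentified", "objects": objects, "needs_active_probe": True}


# Constructed capture: the device split its basic identification over two
# responses ("more follows" = 0xFF, next object id = 1), as the spec allows.
SAMPLE_FRAMES = [
    build_device_id_response(1, [(0x00, b"ExampleVendor")], more_follows=True, next_object=1),
    build_device_id_response(2, [(0x01, b"PLC-1000"), (0x02, b"v2.3")]),
]

if __name__ == "__main__":
    print(classify(SAMPLE_FRAMES, ttl=64, window=8192))    # matched, no probe needed
    print(classify(SAMPLE_FRAMES, ttl=255, window=8192))   # unidentified, probe needed
```

In a real probe the TTL and window values would come from the IP and TCP headers parsed in step 2; they are passed in as parameters here so the block runs offline.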
The passive detection method obtains asset information by analyzing the acquired network traffic. It has little influence on the operation of the target network and injects no extra network traffic; it can also detect network assets protected by security equipment; and it facilitates the accumulation of long-term historical data, so that the development and change of network assets can be followed. Its comprehensiveness and efficiency are limited by the comprehensiveness of the analyzed network traffic: because a large amount of traffic data from the target network must be acquired as the basis of analysis, the method is applicable only to a limited network scale, and network assets that are offline or that generate no network traffic during the detection process cannot be detected.
Equipment assets in the industrial internet are identified through passive scanning combined with lightweight active detection; the equipment type and the connection relations among the equipment can be determined gradually, so that the equipment type information is added to or marked in the network topology and finally a complete network topology graph is drawn. Passive scanning reduces the impact of network asset identification on industrial control equipment, while the lightweight active detection mode determines equipment information step by step with a small number of query requests and overcomes the incompleteness of purely passive asset identification.

Claims (7)

1. An industrial Internet asset identification method based on network protocol fingerprints is used for identifying equipment assets in the industrial Internet based on a mode combining a passive mode and lightweight active detection, and is characterized in that: the method specifically comprises the following steps:
step 1, capturing flow data in an industrial internet in a passive mode by using a network probe:
the network probe is deployed in a target industrial internet to be identified as an independent hardware device, and also can be deployed in the target industrial internet to be identified as a software plug-in for passively collecting flow data in the network;
step 2, performing protocol analysis on the data captured by the network probe:
analyzing the flow data based on the message format of a TCP/IP protocol and various protocol formats of industrial control equipment, and extracting the content of the flow data;
step 3, extracting equipment characteristics and comparing the equipment characteristics with an industrial control fingerprint database:
extracting network fingerprint data representing equipment characteristics from the protocol format data and the content data analyzed in the step 2, and searching and comparing the data in an industrial control fingerprint database;
step 4, using the devices discovered by comparison to construct a device network topology:
for the device characteristics which are found to be consistent by searching and comparing in the industrial control fingerprint database, the type of the target device is judged, the device is used for constructing the industrial internet network topology, the device is added and labeled in the topological graph, and the network topological graph is gradually supplemented and perfected according to the analysis content;
step 5, lightweight detection of equipment not successfully matched in the fingerprint database:
for the device characteristics for which no consistent match is found by searching and comparing in the industrial control fingerprint library, the type of the target device is judged to be unidentified; a certain query request is sent to the target device by means of a lightweight active detection module, the device type is further determined according to the device response data, and the device is added and marked in the network topology once its type is determined.
2. The method for identifying industrial internet assets based on network protocol fingerprints as claimed in claim 1, wherein: in step 1, a network probe in the form of hardware, software or a software plug-in is deployed in the industrial internet to be identified, and the probe does not actively send any equipment identification request but collects traffic data in the industrial internet in a passive manner.
3. The method for identifying industrial internet assets based on network protocol fingerprints as claimed in claim 1, wherein in the step 2, the flow data is analyzed for the network data passively collected by the network probes in the form of software and hardware based on TCP/IP protocol and various protocol formats opened by different industrial control equipment manufacturers; the resolvable industrial control equipment protocol formats comprise MODBUS, S7COMM-PLUS, CIPCCC and CIPCLS, and the content of the protocols is extracted on the basis to prepare for equipment characteristic recognition.
4. The method for identifying industrial internet assets based on network protocol fingerprints as claimed in claim 1, wherein: in step 3, the equipment characteristics are extracted and compared with an industrial control fingerprint library, which stores fingerprint information for the various industrial control equipment of the mainstream manufacturers on the market; the protocol format data and the content data analyzed in step 2 are combined to extract network fingerprint data representing the equipment characteristics, the network fingerprint data is searched for and compared in the industrial control fingerprint database, and if they are consistent the traffic data is taken to come from the corresponding industrial control equipment.
5. The method for identifying industrial internet assets based on network protocol fingerprints as claimed in claim 1, wherein: in step 4, the device characteristics for which a consistent match is found by searching and comparing in the industrial control fingerprint database are judged to be the device types marked in the industrial control fingerprint database; the equipment is used to construct the network topology of the industrial internet through a network topology drawing module, the equipment is added or marked in the topological graph, the connection relations with other equipment are determined according to the context information of the analyzed communication content, and the network topological graph is supplemented and perfected step by step.
6. The method for identifying industrial internet assets based on network protocol fingerprints as claimed in claim 1, wherein: in step 5, the device features for which no consistent match is found by searching and comparing in the industrial control fingerprint database may belong to a new device type, or the device fingerprint feature data may be insufficient, and both cases are determined to be unidentified industrial control device types; for such a device, the connection relation with other devices can be preliminarily determined according to the context information of the communication content; then, certain query request data is sent to the target equipment by means of the lightweight active detection module, the equipment type is further determined according to the equipment response data, and the equipment type may only be determined gradually by sending the query request data multiple times;
identifying equipment assets in the industrial Internet in a passive scanning and lightweight active detection mode, and gradually determining the equipment type and the connection relation between the equipment, so that the equipment type information is added or marked into a network topology, and finally a complete network topology graph is drawn; the influence on industrial control equipment in network asset identification is reduced by a passive scanning method, a lightweight active detection mode is adopted, equipment information is determined step by step through a small number of query requests, and the defect that the passive identification mode is incomplete in asset identification is overcome.
7. An industrial internet asset identification system based on network protocol fingerprints, characterized in that: the system comprises a network probe module, a lightweight active detection module, a data analysis module, an industrial control fingerprint database and a network topology drawing module; the network probe in the network probe module captures traffic data in the industrial internet in a passive mode; the data analysis module performs protocol analysis on the data captured by the network probe and extracts equipment characteristics; the extracted equipment characteristics are compared in the industrial control fingerprint library, and the equipment found by comparison is used to construct the equipment network topology through the network topology drawing module; and equipment not successfully matched in the fingerprint database is detected in a lightweight mode through the lightweight active detection module.

Priority and family

Application CN202211503535.1A (Industrial Internet asset identification method based on network protocol fingerprints): priority date 2022-11-28, filing date 2022-11-28, published 2023-03-31 as CN115883381A, status pending. Family ID 85764374; country status: CN only.


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination