CN115883574A - Access equipment identification method and device in industrial control network - Google Patents


Info

Publication number: CN115883574A
Authority: CN (China)
Prior art keywords: industrial control; address; control network; target; data packet
Legal status: Pending
Application number: CN202211461002.1A
Other languages: Chinese (zh)
Inventor: 李拓
Current Assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original Assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN202211461002.1A
Publication of CN115883574A


Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The application relates to the technical field of network security, and provides a method and device for identifying access equipment in an industrial control network. The method comprises the following steps: passively sniffing the industrial control network to obtain a data message comprising at least one data packet; determining the device identifier of the access device corresponding to the data message in the industrial control network according to the source IP address of a target data packet among the data packets of the data message; and matching the device identifier with the device information of each target device in a preset device list to determine the legality identification result of the access device accessing the industrial control network, where the target devices are the industrial control devices legally accessed to the industrial control network. The method can accurately identify whether a device accessing the industrial control network is legally accessed, without affecting the operational stability of the industrial control network.

Description

Access equipment identification method and device in industrial control network
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for identifying an access device in an industrial control network.
Background
An access device is any device that can be connected to a network, such as an office computer, a mobile phone or a programmable logic controller. When an access device is unauthorized, i.e. it has illegally joined the internal network, it forms a backdoor into a security-sensitive internal network: an attacker can reach the protected network through that backdoor, bypassing security measures such as firewalls, and so poses a serious threat to the security of the internal network.
To detect whether an access device has joined illegally, the related art usually relies on login authentication or active scanning. Login authentication prevents unauthorized devices from joining the internal network; active scanning sends special data packets to access devices and discovers unauthorized devices from their responses. However, an industrial control network consists of industrial control devices such as programmable logic controllers. The network protocol stack of such a device is single-purpose and cannot implement login authentication logic, and the device has little memory, weak network processing capability and an incompletely implemented protocol stack, so active scanning may cause it to crash. The related art therefore cannot effectively identify whether an access device in an industrial control network has legally accessed it.
Disclosure of Invention
The present application is directed to solving at least one of the technical problems in the related art. It therefore provides a method for identifying an access device in an industrial control network, which can accurately identify whether an access device has legally accessed the industrial control network without affecting the operational stability of the network.
The application also provides an access equipment identification device in the industrial control network.
The application also provides an electronic device.
The application also provides a computer readable storage medium.
According to the embodiment of the first aspect of the application, the method for identifying the access equipment in the industrial control network comprises the following steps:
passive sniffing is carried out on the industrial control network, and a data message comprising at least one data packet is obtained;
determining a device identifier of access equipment corresponding to the data message in the industrial control network according to a source IP address of a target data packet in each data packet of the data message;
matching the device identifier with device information of each target device in a preset device list, and determining a legality identification result of the access device accessing the industrial control network;
and the target equipment is industrial control equipment which is legally accessed to the industrial control network.
According to the method for identifying the access equipment in the industrial control network, the data message comprising each data packet is obtained by passively sniffing the industrial control network, the equipment identifier of the access equipment sending the data message is determined according to the source IP address of the target data packet in each data packet, and then the legality identification result of the access equipment accessing the industrial control network is determined according to the matching result of the equipment identifier and the equipment information of each target equipment in the preset equipment list.
According to an embodiment of the present application, passively sniffing the industrial control network to obtain a data message comprising at least one data packet includes:
passively sniffing the industrial control network with a sniffer connected to the industrial control network in bypass mode, to obtain a data message comprising at least one data packet.
According to an embodiment of the present application, passively sniffing the industrial control network to obtain a data message comprising at least one data packet includes:
passively sniffing the industrial control network to obtain a transport layer message;
and performing stream reassembly on the data packets in the transport layer message to generate the data message.
According to an embodiment of the present application, determining the device identifier of the access device corresponding to the data message in the industrial control network according to the source IP address of a target data packet among the data packets of the data message includes:
acquiring the source IP address from the target data packet;
determining that the source IP address is matched with an internal network address set of the industrial control network, and determining the source IP address as a target IP address;
determining a device identifier of the access device according to the target IP address;
the intranet address set comprises at least one intranet address element, and the intranet address element is an internal network IP address or an internal network IP address segment.
According to an embodiment of the present application, determining that the source IP address matches the intranet address set of the industrial control network and determining the source IP address as the target IP address includes:
determining that the source IP address is matched with an internal network address set of the industrial control network, and acquiring a TTL field from the target data packet;
and determining the TTL field as a preset value, and determining the source IP address as a target IP address.
According to an embodiment of the present application, determining the device identifier of the access device according to the target IP address includes:
matching the source IP address with a preset DHCP address set;
determining that the target IP address is not matched with a preset DHCP address set, and taking the target IP address as an equipment identifier of the access equipment;
and the preset DHCP address set is a subset of the intranet address set.
According to an embodiment of the present application, further comprising:
determining that the target IP address is matched with a preset DHCP address set, and extracting a source MAC address from the target data packet;
determining the source MAC address as a device identifier of the access device.
According to an embodiment of the present application, further comprising:
determining that the legality identification result is legal access, and updating the active time of the target equipment information including the equipment identifier in the preset equipment list in the equipment information of each target equipment according to the receiving time of the data message;
the active time is the starting time of a preset active time limit, and the preset active time limit is the storable time length of the device information of the target device in the preset device list.
According to an embodiment of the present application, further comprising:
and determining that the legality identification result is illegal access, recording the equipment information of the access equipment and generating alarm information.
According to an embodiment of the present application, further comprising:
and determining that the alarm information is a false alarm, and synchronizing the equipment information of the access equipment to the preset equipment list.
The access equipment identification device in the industrial control network according to the second aspect of the application includes:
the data message acquisition module is used for passively sniffing the industrial control network to acquire a data message comprising at least one data packet;
the device identifier determining module is used for determining the device identifier of the access device corresponding to the data message in the industrial control network according to the source IP address of a target data packet among the data packets of the data message;
the access equipment identification module is used for matching the equipment identifier with the equipment information of each target equipment in a preset equipment list and determining the legality identification result of the access equipment accessing the industrial control network;
and the target equipment is industrial control equipment which is legally accessed to the industrial control network.
The electronic device according to the third aspect of the present application includes a processor and a memory storing a computer program, and when the processor executes the computer program, the processor implements the method for identifying an access device in an industrial control network according to any of the embodiments.
The computer readable storage medium according to the fourth aspect of the present application, has a computer program stored thereon, and when executed by a processor, the computer program implements the method for identifying an access device in an industrial control network according to any of the embodiments.
The computer program product according to an embodiment of the fifth aspect of the application comprises: the computer program, when executed by a processor, implements a method for access device identification in an industrial control network as described in any of the embodiments above.
One or more technical solutions in the embodiments of the present application have at least one of the following technical effects:
the method comprises the steps of passively sniffing the industrial control network to obtain a data message comprising a data packet, determining an equipment identifier of access equipment for sending the data message according to a source IP address of a target data packet in each data packet, and then determining a legality identification result of the access equipment for accessing the industrial control network according to a matching result of the equipment identifier and equipment information of each target equipment in a preset equipment list.
Furthermore, passive sniffing is performed on the industrial control network through a sniffer connected to the industrial control network in bypass mode to obtain a data message comprising at least one data packet, so the existing industrial control network structure is not affected while the data message is obtained. Meanwhile, passive sniffing acquires the data packet copied from the mirror port, so no delay is added to the original data packet and the speed of the industrial control network is not affected. In addition, since the server sniffs the industrial control network passively through the bypass, the existing industrial control network is unaffected if the server fails or stops running, which guarantees the operational safety of the industrial control network.
Furthermore, after the industrial control network is passively sniffed and the transport layer message is acquired, the data packets in the transport layer message are subjected to stream reassembly to generate the data message, so that the data message recorded with at least one data packet sent by the same access device is generated in a mode of carrying out stream reassembly on the data packet of the acquired transport layer message, and the problems of data packet disorder and data packet repetition in the acquired data message are avoided.
Further, after the data message is obtained, a source IP address is obtained from any target data packet of the data message, the source IP address is matched with an intranet address set of the industrial control network, when the source IP address is determined to be matched with the intranet address set of the industrial control network, the source IP address is determined to be the target IP address, and a device identifier of the access device is determined according to the source IP address, so that the access device accessing the intranet can be accurately screened out, the device identifier of the access device accessing the intranet of the industrial control network is effectively determined, and the access of the access device is conveniently legally identified according to the device identifier.
Furthermore, after the source IP address of the target data packet is determined to be matched with the intranet address set of the industrial control network, the TTL field is obtained from the target data packet and compared with the preset value, and when the TTL field is determined to be the preset value, the source IP address is determined to be the target IP address, so that the equipment identifier determined according to the target IP address in the following process is the identifier of the access equipment for sending the target data packet, the identification accuracy of the access equipment is ensured, and the effectiveness of the subsequently obtained legal identification result is further ensured.
Furthermore, the target IP address is matched with the preset DHCP address set, and after the target IP address is determined to be not matched with the preset DHCP address set, the target IP address is used as the equipment identifier of the access equipment, so that the finally determined equipment identifier is not a dynamically allocated IP address, the uniqueness of the equipment identifier is ensured, and the accuracy of the obtained equipment identifier is improved.
Furthermore, the target IP address is matched with the preset DHCP address set, and after the target IP address is matched with the preset DHCP address set, the source MAC address is extracted from the target data packet to be used as the equipment identifier of the access equipment, so that when the target IP address is the dynamically distributed IP address, the source MAC address unique to the access equipment is used as the equipment identifier of the access equipment, the uniqueness of the equipment identifier is ensured, and the accuracy of the obtained equipment identifier is improved.
Furthermore, when the legality identification result is determined to be legal access, the active time of the target equipment information including the equipment identifier in the preset equipment list in the equipment information of each target equipment is updated according to the receiving time of the data message, so that the equipment information of the active target equipment is prevented from being deleted, and false alarm is reduced.
Drawings
In order to more clearly illustrate the technical solutions in the present application or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of a topology of an industrial control network provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of an access device identification method in an industrial control network according to an embodiment of the present application;
FIG. 3 is a flow chart of the determination of a target IP address in an embodiment of the present application;
FIG. 4 is a flow chart further detailing the determination of a device identifier in the method of access device identification in the industrial control network of FIG. 1;
FIG. 5 is a schematic structural diagram of an access device identification apparatus in an industrial control network according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The topology of the industrial control network provided by the embodiment of the application is shown in FIG. 1. Each access device 100 is connected to a switch 110 in the industrial control network, and the access devices 100 may be industrial control devices such as programmable logic controllers. The switch 110 is provided with a mirror port, and the server 120 is connected to the industrial control network through the mirror port of the switch 110. The server may be an independent server or a server cluster formed by a plurality of servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (content delivery network), and big data and artificial intelligence platforms.
When an access device 100 in the industrial control network establishes a TCP (Transmission Control Protocol) connection with another device in the industrial control network, the server 120 may passively sniff the data packets sent by the access device 100 through the mirror port to obtain a data message comprising those data packets. After receiving the data message, the server 120 extracts the source IP (Internet Protocol) address of a target data packet among the data packets of the data message, so as to obtain the device identifier of the access device that sent the data message according to the source IP address, for example by using the source IP address as the device identifier of the access device. The device identifier is then matched with the device information of the industrial control devices legally accessed to the industrial control network, and whether the access device corresponding to the device identifier has legally accessed the industrial control network is judged according to the matching result.
Hereinafter, the method and apparatus for identifying an access device in an industrial control network according to the embodiments of the present application will be described in detail by several specific embodiments.
In one embodiment, an access device identification method in an industrial control network is provided, and the method is applied to a server shown in fig. 1 and used for identifying whether an access device in the industrial control network is legally accessed. As shown in fig. 2, the method for identifying an access device in an industrial control network according to this embodiment includes:
step 101, performing passive sniffing on the industrial control network to obtain a data message comprising at least one data packet;
step 102, determining the device identifier of the access device corresponding to the data message in the industrial control network according to the source IP address of a target data packet among the data packets of the data message;
step 103, matching the device identifier with the device information of each target device in a preset device list, and determining the legality identification result of the access device accessing the industrial control network;
where the target devices are industrial control devices legally accessed to the industrial control network.
The method comprises the steps of acquiring a data message comprising at least one data packet by passively sniffing the industrial control network, determining an equipment identifier of access equipment for sending the data message according to a source IP address of a target data packet in each data packet, and then determining a legality identification result of the access equipment for accessing the industrial control network according to a matching result of the equipment identifier and equipment information of each target equipment in a preset equipment list.
In an embodiment, the server passively sniffs the industrial control network through a sniffer connected to the industrial control network, which obtains the packets flowing through it, such as TCP packets carried over IP. The sniffer may be attached to a switch of the industrial control network. Since a switch can receive traffic on one port and then retransmit that traffic on all other ports, attaching the sniffer to a switch of the industrial control network allows all network traffic flowing through the switch to be captured directly, and the sniffer can also silently monitor behaviour in the industrial control network over a long period.
In an embodiment, the sniffer of the server may be connected to the industrial control network in bypass mode, and the server passively sniffs the industrial control network through that bypass sniffer, thereby acquiring a data message comprising at least one data packet.
Illustratively, the sniffer of the server may be connected, as a bypass deployment, to a mirror port configured on a switch of the industrial control network, so as to passively sniff the industrial control network. When an access device in the industrial control network sends a data packet, the server acquires, through the sniffer, a transport layer message containing the data packet, and then obtains from the transport layer message a data message comprising at least one data packet, for example by taking the transport layer message itself as the data message.
Because the industrial control network is passively sniffed through a sniffer connected to it in bypass mode to obtain the data message comprising at least one data packet, the existing industrial control network structure is not affected while the data message is obtained. Meanwhile, passive sniffing acquires the data packet copied from the mirror port, so no delay is added to the original data packet and the speed of the industrial control network is not affected. In addition, since the server sniffs the industrial control network passively through the bypass, the existing industrial control network is unaffected if the server fails or stops running, which guarantees the operational safety of the industrial control network.
In an embodiment, since TCP uses IP to deliver its segments, and IP neither eliminates duplicates nor guarantees correct ordering, after the server acquires the transport layer message containing the data packets through passive sniffing, it needs to perform stream reassembly on the data packets of the acquired transport layer message to generate a data message comprising at least one data packet, so as to handle out-of-order and duplicated data packets.
Specifically, after a transport layer message is acquired from the industrial control network through passive sniffing, each data packet of the transport layer message is parsed to obtain its configuration information, including the source IP address, source MAC address, source port number, destination port number, TTL field value in the IP header and the like. The parsed configuration information is then looked up among the preset linked lists, each of which records the configuration information of the data packets already stored in it, to find a preset linked list whose recorded configuration information is the same as that of the parsed data packet. If such a preset linked list exists, it is taken as the target linked list, and the TCP data segment of the data packet is added to it. When the TCP data segment is added to the target linked list, the proper position for the data packet's sequence number in the target linked list is searched first, and the TCP data segment is inserted there, so that all TCP data segments in the target linked list remain sorted in ascending order of the sequence numbers of their data packets.
For example, assume that a data packet acquired from the industrial control network by passive sniffing is pkt1, and that parsing it yields configuration information comprising source IP address A, destination IP address B, source port number C and destination port number D. The configuration information of pkt1 is matched against the configuration information recorded in the preset linked lists; if a preset linked list fb records the same configuration information, namely source IP address A, destination IP address B, source port number C and destination port number D, the preset linked list fb is taken as the target linked list and the TCP data segment of pkt1 is placed in it. When placing the TCP data segment of pkt1 into the target linked list, the sequence number of pkt1 is compared with the sequence numbers of the data packets whose TCP data segments are already in the target linked list, to determine where the TCP data segment of pkt1 is placed. For instance, if the target linked list already holds the TCP data segment of a data packet pkt2 with sequence number 2, and the sequence number of pkt1 is 1, the TCP data segment of pkt1 is inserted before that of pkt2.
In an embodiment, if the configuration information recorded by the preset linked list is different from the configuration information of the data packet obtained by passive sniffing, a new preset linked list is added as a target linked list, and the TCP data segment in the data packet is added to the target linked list.
After the TCP data segment of the data packet is added to the target linked list, it is determined whether all TCP data segments in the target linked list are aligned. If so, the data parts of all TCP data segments in the target linked list can be spliced together to generate a data message recording at least one data packet sent by the same access device, and the target linked list is released.
Whether the TCP data segments in the target linked list are aligned may be determined by obtaining the sequence number of the first data packet and the sequence number of the last data packet of the current TCP connection of the access device that sent the data packet, and then comparing the difference between the last and first sequence numbers with the sum of the lengths of the data parts of all TCP data segments in the target linked list. If the difference equals that sum, the TCP data segments in the target linked list are aligned.
The method passively sniffs the industrial control network, obtains transport layer messages, and performs stream reassembly on the data packets in those messages to generate the data message. Because the data message recording at least one data packet sent by the same access device is generated by reassembling the data packets of the obtained transport layer messages, disorder and repetition of data packets in the obtained data message are avoided.
In an embodiment, after the data message is obtained, any one data packet may be extracted from it as the target data packet, and the source IP address is extracted from the target data packet. The source IP address is then matched with the intranet address set of the industrial control network stored in advance by the server. The intranet address set comprises at least one intranet address element, each of which is either a single internal network IP address or an internal network IP address segment. If an intranet address element matching the source IP address of the target data packet exists in the intranet address set, that is, an internal network IP address identical to the source IP address or an internal network IP address segment that includes it, the access device is an internal device; the source IP address may then be determined as the target IP address, so that the device identifier of the access device is determined according to the target IP address. Where the target IP address is used directly as the device identifier, the source IP address therefore becomes the device identifier of the access device.
After the data message is obtained, a source IP address is obtained from any target data packet of the data message, the source IP address is matched with an intranet address set of the industrial control network, when the source IP address is determined to be matched with the intranet address set of the industrial control network, the source IP address is determined to be a target IP address, and a device identifier of access equipment is determined according to the target IP address, so that the access equipment accessing the intranet can be accurately screened out, the device identifier of the access equipment accessing the intranet of the industrial control network is effectively determined, and the access of the access equipment is conveniently identified legally according to the device identifier.
In an embodiment, if the source IP address does not match the intranet address set of the industrial control network, the target data packet was sent by a non-intranet access device, that is, it is a data packet that has already been verified by security measures such as a firewall, and the target data packet may be ignored.
When the device identifier of the access device is determined according to the target IP address, the target IP address can be directly used as the device identifier of the access device. However, since the target data packet may be a forwarded data packet, the access device corresponding to the target ip address is not necessarily the access device generating the target data packet at this time, which causes inaccurate identification of the access device, and further affects validity of the validity identification result. To this end, in an embodiment, as shown in fig. 3, determining that the source ip address matches an intranet address set of the industrial control network, and determining the source ip address as a target ip address includes:
step 201, determining that the source IP address is matched with an intranet address set of the industrial control network, and acquiring a TTL field from the target data packet;
step 202, determining the TTL field as a preset value, and determining the source IP address as a target IP address.
In one embodiment, after determining that the source IP address of the target data packet matches the intranet address set of the industrial control network, a TTL (time to live) field is obtained from the target data packet. The TTL field is then compared with each preset value to detect whether it equals one of them, so as to identify whether the target data packet is a forwarded data packet. The preset values include 255, 128, 64 and 32. In the absence of modification or forwarding, the TTL field value of UNIX and UNIX-like operating system ICMP echo responses is 255, that of Compaq Tru64 5.0 ICMP echo responses is 64, that of Microsoft Windows NT/2K operating system ICMP echo responses is 128, that of Microsoft Windows 95 operating system ICMP echo responses is 32, and that of Linux Kernel 2.2.x and 2.4.x ICMP echo responses is 64. Therefore, if the value of the TTL field is identified as a preset value, the target data packet has not been forwarded; the access device corresponding to the source IP address is then the access device that sent the target data packet, so the source IP address may be determined as the target IP address, and the device identifier of the access device determined according to the target IP address.
After the source IP address of the target data packet is determined to be matched with the intranet address set of the industrial control network, the TTL field is obtained from the target data packet and compared with the preset value, and when the TTL field is determined to be the preset value, the source IP address is determined to be the target IP address, so that the equipment identifier determined according to the target IP address in the following process is the identifier of the access equipment for sending the target data packet, the identification accuracy of the access equipment is ensured, and the effectiveness of the subsequently obtained legal identification result is further ensured.
In an embodiment, if the TTL field of the target packet does not match the preset value, it indicates that the target packet is a forwarded packet, and at this time, to avoid an error in the identification result of the access device, the target packet may be ignored.
Considering that an intranet address set usually includes some DHCP (Dynamic Host Configuration Protocol) addresses, and DHCP addresses are dynamically allocated IP addresses, the same IP address may correspond to different access devices at different times. When a target IP address is directly determined as the device identifier of the access device, the target IP address may therefore be a dynamically allocated IP address, and the determined device identifier inaccurate. To this end, in one embodiment, determining the device identifier of the access device based on the target IP address includes:
matching the target IP address with a preset DHCP address set;
determining that the target IP address is not matched with a preset DHCP address set, and taking the target IP address as an equipment identifier of the access equipment;
and the preset DHCP address set is a subset of the intranet address set.
In one embodiment, after the source IP address is extracted from the target data packet of the data message, it is matched with the intranet address set of the industrial control network stored in advance by the server. If the source IP address lies in the intranet address set, it can be determined as the target IP address, and the target IP address is matched with the preset DHCP address set. In order to ensure the accuracy and validity of the device identifier, in an embodiment, as shown in fig. 4, after determining that the source IP address lies in the intranet address set, the TTL field may be obtained from the target data packet and compared with the preset values, and only when the TTL field is a preset value is the source IP address determined as the target IP address and matched with the preset DHCP address set. If the target IP address is outside the preset DHCP address set, it is not a dynamically allocated IP address, and it may be determined as the device identifier of the access device.
The target IP address is matched with the preset DHCP address set, and after the target IP address is determined not to be matched with the preset DHCP address set, the target IP address is used as the equipment identifier of the access equipment, so that the finally determined equipment identifier is not a dynamically allocated IP address, the uniqueness of the equipment identifier is ensured, and the accuracy of the obtained equipment identifier is improved.
In an embodiment, as shown in fig. 4, if it is determined that the target ip address matches the preset DHCP address set, it indicates that the target ip address is a dynamically allocated ip address, and at this time, the source MAC address is extracted from the target packet, and the source MAC address is determined as the device identifier of the access device.
By matching the target IP address with the preset DHCP address set and extracting the source MAC address from the target data packet as the equipment identifier of the access equipment after the target IP address is determined to be matched with the preset DHCP address set, when the target IP address is the dynamically allocated IP address, the source MAC address unique to the access equipment is used as the equipment identifier of the access equipment, so that the uniqueness of the equipment identifier is ensured, and the accuracy of the obtained equipment identifier is improved.
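The full decision chain from source IP to device identifier (intranet set match, TTL preset check, DHCP set check, MAC fallback), as an added example that is not part of the patent. Address elements are parsed with the standard `ipaddress` module so a single IP and a segment are handled uniformly; `TargetPacket` and the address sets in the usage are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# TTL values an unmodified, unforwarded packet carries, as listed in the description.
# Every router hop decrements the TTL by one, so a packet that has crossed a router
# cannot still carry one of these initial values.
PRESET_TTL_VALUES = {255, 128, 64, 32}


@dataclass
class TargetPacket:
    """Constructed stand-in for the target data packet taken from a data message."""
    src_ip: str
    src_mac: str
    ttl: int


def build_address_set(elements: Iterable[str]) -> List[IPNet]:
    """Parse intranet address elements: a single IP ("10.1.1.5") or a segment ("10.1.0.0/16")."""
    # strict=False lets a host address written with a prefix (10.1.1.5/24) parse as its segment.
    return [ipaddress.ip_network(e, strict=False) for e in elements]


def in_address_set(ip: str, address_set: List[IPNet]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in address_set)


def determine_device_identifier(pkt: TargetPacket, intranet: List[IPNet],
                                dhcp: List[IPNet]) -> Optional[str]:
    """Return the device identifier of the packet's sender, or None when the packet is ignored."""
    # Step 1: the source IP must belong to the industrial control network's intranet set;
    # packets from outside have already passed a firewall and are not this method's concern.
    if not in_address_set(pkt.src_ip, intranet):
        return None
    # Step 2: a TTL outside the preset values means the packet was forwarded, so the source
    # IP does not name the device that generated it; ignore it rather than misattribute.
    if pkt.ttl not in PRESET_TTL_VALUES:
        return None
    target_ip = pkt.src_ip
    # Step 3: a statically assigned address is unique to one device and serves as identifier
    # (the preset DHCP set is assumed to be a subset of the intranet set, as the text states).
    if not in_address_set(target_ip, dhcp):
        return target_ip
    # Step 4: a DHCP address may name different devices over time, so fall back to the
    # source MAC address; it is lower-cased here so later list matching is case-insensitive.
    return pkt.src_mac.lower()
```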
In an embodiment, after the device identifier of the access device is obtained, it is matched with the device information of each target device recorded in a preset device list stored on the server. A target device is an industrial control device legally accessed to the industrial control network, and its device information includes its IP address, MAC address, device manufacturer, operating system type and similar information. The device information of a target device is obtained by analyzing the source IP address and source MAC address in the data packets it sends, the fingerprint information of the TCP SYN and SYN/ACK data packets of its TCP connections, and the fingerprint characteristics of the upper-layer protocol. After acquiring the device information of each target device, the server may first collect and record it in an asset list, and then, at regular times while no illegally accessed access device has been identified, synchronize the device information of the target devices recorded in the asset list to the preset device list.
When the device identifier of the access device is matched with the device information of each target device in the preset device list, if the device information of any target device contains the device identifier of the access device (for example, the device information of a certain target device includes a MAC address B and the device identifier of the access device is also MAC address B), the access device is determined to be that target device, and the legality identification result of the access device accessing the industrial control network is legal access. If the device identifier of the access device does not exist in the device information of any target device, the access device is determined not to be any target device, and the legality identification result of the access device accessing the industrial control network is illegal access.
Considering that some target devices may be replaced, and in order to reduce the storage of redundant information, the device information of each target device in the preset device list is given a corresponding preset active time limit, that is, the length of time the device information of the target device may be kept in the preset device list. If the storage time of the device information of a target device in the preset device list reaches the preset active time limit, the target device is deleted directly from the preset device list, or it is deleted from the asset list and the asset list with the target device deleted is synchronized to the preset device list. To avoid deleting the device information of a target device that is still active, which would cause frequent false alarms afterwards, in an embodiment the method further includes:
determining that the legality identification result is legally accessed, and updating the active time of the target equipment information including the equipment identifier in the preset equipment list in the equipment information of each target equipment according to the receiving time of the data message;
the active time is the starting time of a preset active time limit, and the preset active time limit is the storable time length of the device information of the target device in the preset device list.
In an embodiment, when it is determined that the result of legitimacy identification of the access device accessing the industrial control network is legal access, it indicates that the access device is a certain target device, and at this time, the device information of the target device corresponding to the access device, that is, the device information including the device identifier of the access device, may be marked as target device information. Then, according to the receiving time of the server for the data message, the active time of the target device information in the preset device list is updated, so that the starting time of the preset active deadline of the target device information in the preset device list is updated.
For example, the preset active period of the device information of a certain target device is 8 hours and its start time is 12:00 p.m., so the device information of the target device would be deleted from the preset device list when the current time reaches 8:00, eight hours after the start time. If the legality identification result is determined to be legal access, the receiving time of the data message is 2:00 a.m., and the device information of that target device includes the device identifier, the start time of the device information of the target device is updated to 2:00 a.m.
When the legality identification result is determined to be legal access, the active time of the target equipment information including the equipment identifier in the preset equipment list in the equipment information of each target equipment is updated according to the receiving time of the data message, so that the equipment information of the active target equipment is prevented from being deleted, and false alarms are reduced.
In an embodiment, if the validity identification result of the access device is determined to be illegal access, the access device is not a known device, and an alarm message may be generated to indicate that the access device is an illegal access. At the same time, to make it convenient for staff to check the access device, its device information may be recorded, for example in the asset list, and marked when the legality identification result of the access device is determined to be illegal access. Because the preset device list may be obtained by synchronizing the asset list, synchronization of the device information recorded in the asset list to the preset device list is stopped when the legality identification result of the access device is illegal access, so that the device information of the illegally accessed access device is not recorded in the preset device list.
In an embodiment, after the device information of the illegally accessed access device is recorded and the alarm information is generated in the form of a short message or an e-mail, the alarm information and the marked device information of the access device may be sent to a target terminal, where a network administrator analyzes the device information of the access device; when the administrator confirms that the access device is an illegally accessed device, an ACL policy may be configured on the firewall device to block its access. Until the server receives operation information from the target terminal indicating that the alarm information has been handled, the preset device list is neither updated nor synchronized. If the server receives operation information from the target terminal confirming that the alarm information has been handled, the alarm information is cleared. If the operation information indicates that the alarm information is a false alarm, the device information of the access device is synchronized from the asset list to the preset device list while the alarm information is cleared, so that it is stored in the preset device list as the device information of a target device and the legality of devices accessing the industrial control network can subsequently be identified more accurately.
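The preset device list logic from the passages above (legality matching, refreshing the active time on legal access, expiry of stale target devices, alarm and synchronization hold on illegal access, and admission on a confirmed false alarm), as an added example that is not part of the patent. `DeviceInfo`, `AccessIdentifier` and the 8-hour limit are constructed for the example; the asset list and preset list are keyed by MAC address as a simplifying assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class DeviceInfo:
    """Device information of one target device as the asset list and preset device list record it."""
    ip: str
    mac: str
    vendor: str = ""
    os_type: str = ""
    active_time: Optional[datetime] = None   # start of the preset active period (preset list only)
    marked: bool = False                     # set when recorded as an illegally accessed device

    def identifiers(self) -> set:
        # A device identifier is either the static IP or the source MAC (see the earlier steps).
        return {self.ip, self.mac.lower()}


@dataclass
class AccessIdentifier:
    active_limit: timedelta = timedelta(hours=8)                      # preset active time limit
    asset_list: Dict[str, DeviceInfo] = field(default_factory=dict)   # keyed by MAC
    preset_list: Dict[str, DeviceInfo] = field(default_factory=dict)  # keyed by MAC
    alarms: List[str] = field(default_factory=list)                   # identifiers awaiting handling

    def synchronize(self, now: datetime) -> bool:
        """Timed sync of the asset list into the preset list; held while any alarm is unhandled."""
        if self.alarms:
            return False
        for mac, info in self.asset_list.items():
            if mac not in self.preset_list and not info.marked:
                self.preset_list[mac] = DeviceInfo(info.ip, info.mac, info.vendor, info.os_type, now)
        return True

    def purge_expired(self, now: datetime) -> List[str]:
        """Drop target devices whose device information has sat in the preset list for the full limit."""
        expired = [mac for mac, d in self.preset_list.items()
                   if d.active_time is not None and now - d.active_time >= self.active_limit]
        for mac in expired:
            del self.preset_list[mac]
            self.asset_list.pop(mac, None)
        return expired

    def identify(self, device_id: str, received_at: datetime,
                 device_info: Optional[DeviceInfo] = None) -> str:
        """Match the identifier against the preset list; return "legal" or "illegal"."""
        for info in self.preset_list.values():
            if device_id.lower() in info.identifiers():
                # Legal access: restart the active period at the data message's receiving time.
                info.active_time = received_at
                return "legal"
        # Illegal access: raise an alarm (which holds synchronization) and record the device
        # information, marked, in the asset list so staff can review it.
        self.alarms.append(device_id)
        if device_info is not None:
            device_info.marked = True
            self.asset_list[device_info.mac.lower()] = device_info
        return "illegal"

    def handle_alarm(self, device_id: str, false_alarm: bool, now: datetime) -> None:
        """Clear an alarm on operator confirmation; on a false alarm admit the device as a target."""
        self.alarms.remove(device_id)
        if false_alarm:
            for mac, info in self.asset_list.items():
                if device_id.lower() in info.identifiers():
                    info.marked = False
                    self.preset_list[mac] = DeviceInfo(info.ip, info.mac, info.vendor,
                                                       info.os_type, now)
```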
The following describes an access device identification apparatus in an industrial control network provided by the present application, and the access device identification apparatus in the industrial control network described below and the access device identification method in the industrial control network described above may be referred to correspondingly.
In an embodiment, as shown in fig. 5, there is provided an access device identification apparatus in an industrial control network, including:
a data message obtaining module 210, configured to perform passive sniffing on an industrial control network and obtain a data message including at least one data packet;
a device identifier determining module 220, configured to determine, according to a source IP address of a target data packet among the data packets of the data message, a device identifier of the access device in the industrial control network that corresponds to the data message;
an access device identification module 230, configured to match the device identifier with the device information of each target device in a preset device list, and determine a legality identification result of the access device accessing the industrial control network;
and the target equipment is industrial control equipment which is legally accessed to the industrial control network.
The method comprises the steps of passively sniffing the industrial control network to obtain a data message comprising a data packet, determining an equipment identifier of access equipment for sending the data message according to a source IP address of a target data packet in each data packet, and then determining a legality identification result of the access equipment for accessing the industrial control network according to a matching result of the equipment identifier and equipment information of each target equipment in a preset equipment list.
In an embodiment, the data packet obtaining module 210 is specifically configured to:
and according to the sniffer of the bypass accessed to the industrial control network, passively sniffing the industrial control network to obtain a data message comprising at least one data packet.
In an embodiment, the data packet obtaining module 210 is specifically configured to:
passive sniffing is carried out on the industrial control network, and a transport layer message is obtained;
and carrying out flow recombination on the data packets in the transport layer message to generate the data message.
In an embodiment, the device identifier determining module 220 is specifically configured to:
acquiring the source IP address from the target data packet;
determining that the source IP address is matched with an internal network address set of the industrial control network, and determining the source IP address as a target IP address;
determining a device identifier of the access device according to the target IP address;
the intranet address set comprises at least one intranet address element, and the intranet address element is an internal network IP address or an internal network IP address segment.
In an embodiment, the device identifier determining module 220 is specifically configured to:
determining that the source IP address is matched with an internal network address set of the industrial control network, and acquiring a TTL field from the target data packet;
and determining the TTL field as a preset value, and determining the source IP address as a target IP address.
In an embodiment, the device identifier determining module 220 is specifically configured to:
matching the target IP address with a preset DHCP address set;
determining that the target IP address is not matched with a preset DHCP address set, and taking the target IP address as an equipment identifier of the access equipment;
and the preset DHCP address set is a subset of the intranet address set.
In an embodiment, the device identification determining module 220 is further configured to:
determining that the target IP address is matched with a preset DHCP address set, and extracting a source MAC address from the target data packet;
determining the source MAC address as a device identifier of the access device.
In an embodiment, the access device identification module 230 is further configured to:
determining that the legality identification result is legally accessed, and updating the active time of the target equipment information including the equipment identifier in the preset equipment list in the equipment information of each target equipment according to the receiving time of the data message;
the active time is the starting time of a preset active time limit, and the preset active time limit is the storable time length of the device information of the target device in the preset device list.
In an embodiment, the access device identification module 230 is further configured to:
and determining that the legality identification result is illegal access, recording the equipment information of the access equipment and generating alarm information.
In an embodiment, the access device identification module 230 is further configured to:
and determining that the alarm information is false alarm, and synchronizing the equipment information of the access equipment to the preset equipment list.
Fig. 6 illustrates a physical structure diagram of an electronic device, which, as shown in fig. 6, may include: a processor (Processor) 810, a communication interface (Communications Interface) 820, a memory (Memory) 830 and a communication bus 840, wherein the processor 810, the communication interface 820 and the memory 830 communicate with each other via the communication bus 840. The processor 810 may invoke computer programs in the memory 830 to perform the access device identification method in an industrial control network, including, for example:
passive sniffing is carried out on the industrial control network, and a data message comprising at least one data packet is obtained;
determining a device identifier of access equipment corresponding to the data message in the industrial control network according to a source IP address of a target data packet in each data packet of the data message;
matching the device identifier with device information of each target device in a preset device list, and determining a legality identification result of the access device accessing the industrial control network;
and the target equipment is industrial control equipment which is legally accessed to the industrial control network.
In addition, the logic instructions in the memory 830 can be implemented in the form of software functional units and stored in a computer readable storage medium when sold or used as independent products. Based on such understanding, the technical solution of the present application, or the portion of it that substantially contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
In another aspect, an embodiment of the present application further provides a storage medium, where the storage medium includes a computer program, where the computer program may be stored on a non-transitory computer-readable storage medium, and when the computer program is executed by a processor, the computer is capable of executing the method for identifying an access device in an industrial control network, which includes:
passive sniffing is carried out on the industrial control network, and a data message comprising at least one data packet is obtained;
determining a device identifier of access equipment corresponding to the data message in the industrial control network according to a source IP address of a target data packet in each data packet of the data message;
matching the device identifier with device information of each target device in a preset device list, and determining a legality identification result of the access device accessing the industrial control network;
and the target equipment is industrial control equipment which is legally accessed to the industrial control network.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (13)

1. An access device identification method in an industrial control network, comprising:
passive sniffing is carried out on the industrial control network, and a data message comprising at least one data packet is obtained;
determining a device identifier of an access device corresponding to the data message in the industrial control network according to a source IP address of a target data packet in each data packet of the data message;
matching the device identifier with device information of each target device in a preset device list, and determining a legality identification result of the access device accessing the industrial control network;
and the target equipment is industrial control equipment which is legally accessed to the industrial control network.
2. The method as claimed in claim 1, wherein the passively sniffing the industrial control network to obtain the data message including at least one data packet comprises:
according to a sniffer of a bypass accessed to the industrial control network, passively sniffing the industrial control network to obtain a data message comprising at least one data packet;
the sniffer is connected to a mirror interface configured by a switch of the industrial control network so as to access a bypass of the industrial control network.
3. The method according to claim 1 or 2, wherein the passively sniffing the industrial control network to obtain the data message including at least one data packet comprises:
passive sniffing is carried out on the industrial control network, and a transport layer message is obtained;
and carrying out flow recombination on the data packets in the transport layer message to generate the data message.
4. The method of claim 1, wherein determining the device identifier of the access device corresponding to the data message in the industrial control network according to a source IP address of a target data packet in each data packet of the data message comprises:
acquiring the source IP address from the target data packet;
determining that the source IP address is matched with an internal network address set of the industrial control network, and determining the source IP address as a target IP address;
determining a device identifier of the access device according to the target IP address;
the intranet address set comprises at least one intranet address element, each intranet address element being an internal network IP address or an internal network IP address segment.
5. The method for identifying an access device in an industrial control network according to claim 4, wherein determining that the source IP address matches an intranet address set of the industrial control network and determining the source IP address as a target IP address comprises:
determining that the source IP address matches the intranet address set of the industrial control network, and acquiring a TTL field from the target data packet;
and determining that the TTL field equals a preset value, and determining the source IP address as the target IP address.
6. The method according to claim 4 or 5, wherein determining the device identifier of the access device according to the target IP address comprises:
matching the target IP address against a preset DHCP address set;
determining that the target IP address does not match the preset DHCP address set, and taking the target IP address as the device identifier of the access device;
wherein the preset DHCP address set is a subset of the intranet address set.
7. The method for identifying an access device in an industrial control network according to claim 6, further comprising:
determining that the target IP address matches the preset DHCP address set, and extracting a source MAC address from the target data packet;
and determining the source MAC address as the device identifier of the access device.
8. The method for identifying an access device in an industrial control network according to claim 1, further comprising:
determining that the legality identification result is legal access, and updating, according to the receiving time of the data message, the active time in the device information of the target device whose device information in the preset device list includes the device identifier;
wherein the active time is the starting time of a preset active time limit, and the preset active time limit is the length of time for which the device information of the target device may be stored in the preset device list.
9. The method for identifying an access device in an industrial control network according to claim 1 or 8, further comprising:
determining that the legality identification result is illegal access, recording the device information of the access device, and generating alarm information.
10. The method for identifying an access device in an industrial control network according to claim 9, further comprising:
determining that the alarm information is a false alarm, and synchronizing the device information of the access device into the preset device list.
11. An apparatus for identifying an access device in an industrial control network, comprising:
a data message acquisition module, configured to passively sniff the industrial control network to acquire a data message comprising at least one data packet;
a device identifier determining module, configured to determine, according to a source IP address of a target data packet among the data packets of the data message, a device identifier of the access device in the industrial control network corresponding to the data message;
an access device identification module, configured to match the device identifier against the device information of each target device in a preset device list and to determine a legality identification result of the access device accessing the industrial control network;
wherein each target device is an industrial control device legally accessed to the industrial control network.
12. An electronic device comprising a processor and a memory storing a computer program, wherein the processor, when executing the computer program, implements the method for identifying an access device in an industrial control network according to any one of claims 1 to 10.
13. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, carrying out the method for identifying an access device in an industrial control network according to any one of claims 1 to 10.
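The decision chain in claims 4 to 10 (intranet match, TTL preset, DHCP subset deciding between IP and MAC as identifier, match against the preset device list, active-time refresh, alarm, and false-alarm synchronisation) is shown below as an added Python example. It is not code from the patent or its assignees; the address ranges, the accepted TTL values (a set rather than one value), the one-hour retention limit, the packet fields and the sample packets are all constructed assumptions used to make the logic runnable offline.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Sequence


@dataclass
class Packet:
    """Fields the claims read from one passively sniffed data packet (constructed)."""
    src_ip: str
    src_mac: str
    ttl: int
    received_at: float  # receive time of the data message (claim 8)


@dataclass
class DeviceRecord:
    identifier: str     # IP or MAC, whichever claims 6/7 selected
    active_time: float  # start of the preset active time limit (claim 8)


@dataclass
class AccessIdentifier:
    intranet: Sequence[str]             # claim 4: intranet IPs or segments (assumed values)
    dhcp_pool: Sequence[str]            # claim 6: DHCP set, a subset of the intranet set
    expected_ttls: FrozenSet[int]       # claim 5 "preset value"; using a set is an assumption
    devices: Dict[str, DeviceRecord]    # preset device list keyed by identifier
    active_limit: float = 3600.0        # claim 8 storable duration; one hour is an assumption
    alarms: List[dict] = field(default_factory=list)

    @staticmethod
    def _in_set(ip: str, elements: Sequence[str]) -> bool:
        try:
            addr = ip_address(ip)
        except ValueError:
            return False  # malformed source address can never be an intranet element
        # strict=False lets single hosts ("10.0.0.5") and segments share one element list
        return any(addr in ip_network(e, strict=False) for e in elements)

    def target_ip(self, pkt: Packet) -> Optional[str]:
        """Claims 4-5: source IP is in the intranet set and the TTL is a preset value."""
        if not self._in_set(pkt.src_ip, self.intranet):
            return None
        if pkt.ttl not in self.expected_ttls:
            return None  # TTL already decremented: not a directly attached host
        return pkt.src_ip

    def device_identifier(self, pkt: Packet) -> Optional[str]:
        """Claims 6-7: static address -> the IP is the identifier; DHCP address -> the MAC."""
        target = self.target_ip(pkt)
        if target is None:
            return None
        if self._in_set(target, self.dhcp_pool):
            return pkt.src_mac.lower()
        return target

    def identify(self, pkt: Packet) -> Optional[str]:
        """Claims 1, 8, 9: 'legal', 'illegal', or None when the packet is not classified."""
        ident = self.device_identifier(pkt)
        if ident is None:
            return None
        record = self.devices.get(ident)
        if record is not None:
            record.active_time = pkt.received_at  # claim 8: refresh the active time
            return "legal"
        self.alarms.append({"identifier": ident, "src_ip": pkt.src_ip,
                            "src_mac": pkt.src_mac, "received_at": pkt.received_at})
        return "illegal"

    def mark_false_alarm(self, index: int) -> None:
        """Claim 10: an alarm judged false synchronises the device into the preset list."""
        alarm = self.alarms.pop(index)
        self.devices[alarm["identifier"]] = DeviceRecord(alarm["identifier"], alarm["received_at"])

    def prune(self, now: float) -> List[str]:
        """Claim 8: drop records whose active time limit has elapsed; returns removed identifiers."""
        expired = [k for k, r in self.devices.items() if now - r.active_time > self.active_limit]
        for k in expired:
            del self.devices[k]
        return expired


def build_demo() -> AccessIdentifier:
    # Constructed configuration: one /24 plus one static host; upper half of the /24 is DHCP.
    return AccessIdentifier(
        intranet=["192.168.10.0/24", "10.0.0.5"],
        dhcp_pool=["192.168.10.128/25"],
        expected_ttls=frozenset({64, 128}),
        devices={
            "192.168.10.20": DeviceRecord("192.168.10.20", 0.0),       # static PLC, keyed by IP
            "aa:bb:cc:dd:ee:01": DeviceRecord("aa:bb:cc:dd:ee:01", 0.0),  # DHCP HMI, keyed by MAC
        },
    )


# Constructed sample packets, one per branch of the decision chain.
SAMPLE_PACKETS = [
    Packet("192.168.10.20", "aa:bb:cc:dd:ee:20", 64, 100.0),    # static, listed -> legal
    Packet("192.168.10.150", "AA:BB:CC:DD:EE:01", 128, 101.0),  # DHCP, MAC listed -> legal
    Packet("192.168.10.150", "aa:bb:cc:dd:ee:99", 64, 102.0),   # DHCP, MAC unknown -> illegal
    Packet("8.8.8.8", "aa:bb:cc:dd:ee:08", 64, 103.0),          # not intranet -> None
    Packet("192.168.10.20", "aa:bb:cc:dd:ee:20", 57, 104.0),    # routed TTL -> None
]


def run_demo():
    ai = build_demo()
    return ai, [ai.identify(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    ai, results = run_demo()
    print(results)  # ['legal', 'legal', 'illegal', None, None]
    print(ai.alarms)
```

The DHCP branch is the part worth noticing from a detection standpoint: for addresses that can be reassigned, the claims fall back to the MAC address as the identity, so the preset device list must hold MACs for those hosts and IPs for the static ones, and an alarm on an unknown MAC inside the DHCP range is the expected signal for a newly attached device.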
CN202211461002.1A 2022-11-17 2022-11-17 Access equipment identification method and device in industrial control network Pending CN115883574A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211461002.1A CN115883574A (en) 2022-11-17 2022-11-17 Access equipment identification method and device in industrial control network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211461002.1A CN115883574A (en) 2022-11-17 2022-11-17 Access equipment identification method and device in industrial control network

Publications (1)

Publication Number Publication Date
CN115883574A true CN115883574A (en) 2023-03-31

Family

ID=85760464

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211461002.1A Pending CN115883574A (en) 2022-11-17 2022-11-17 Access equipment identification method and device in industrial control network

Country Status (1)

Country Link
CN (1) CN115883574A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117596651A (en) * 2024-01-18 2024-02-23 煤炭科学技术研究院有限公司 Industrial equipment access method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
US9729655B2 (en) Managing transfer of data in a data network
CN106063222B (en) The method and apparatus classified for the TCP connection to transmission HTTP business
US10721244B2 (en) Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program
CN110730175B (en) Botnet detection method and detection system based on threat information
KR20000054538A (en) System and method for intrusion detection in network and it's readable record medium by computer
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
CN108270722B (en) Attack behavior detection method and device
CN111314381A (en) Safety isolation gateway
CN111917701A (en) Passive checking online violation external connection technology based on non-client mode
CN108683631B (en) Method and system for preventing scanning of authority file
CN112311722B (en) Access control method, device, equipment and computer readable storage medium
CN115883574A (en) Access equipment identification method and device in industrial control network
CN106790073B (en) Blocking method and device for malicious attack of Web server and firewall
CN112491836B (en) Communication system, method, device and electronic equipment
CN110602130A (en) Terminal authentication system and method, equipment terminal and authentication server
Rødfoss Comparison of open source network intrusion detection systems
JPH09266475A (en) Address information management equipment and network system
CN109587134B (en) Method, apparatus, device and medium for secure authentication of interface bus
CN112565203B (en) Centralized management platform
CN110995738B (en) Violent cracking behavior identification method and device, electronic equipment and readable storage medium
KR20150026187A (en) System and Method for dropper distinction
CN113938314A (en) Encrypted flow detection method and device and storage medium
KR100862321B1 (en) Method and apparatus for detecting and blocking network attack without attack signature
CN117499267B (en) Asset mapping method and device for network equipment and storage medium
CN116015876B (en) Access control method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination