CN116880319A - Method, system, terminal and medium for identifying upper computer in industrial control system - Google Patents

Info

Publication number
CN116880319A
Authority
CN (China)
Prior art keywords
data packet, equipment, PLC, industrial control, address
Legal status
Granted
Application number
CN202310984965.8A
Other languages
Chinese (zh)
Other versions
CN116880319B (en)
Inventor
郭锋
艾泽瑞
姚铮
阮涛
Current Assignee
Zhejiang Qi'an Information Technology Co ltd
Original Assignee
Zhejiang Qi'an Information Technology Co ltd

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423 Input/output
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/25 Pc structure of the system
    • G05B2219/25257 Microcontroller

Abstract

The application discloses a method for identifying an upper computer in an industrial control system, comprising the following steps: confirming the IP address range of the PLC equipment; setting the PLC equipment as one of the ARP spoofing targets, sequentially attempting to set each of the remaining IPs as the other target address by enumeration, and spoofing the PLC equipment to obtain a first data packet; capturing and monitoring the first data packet, which comprises industrial control protocol interaction information; analyzing the industrial control protocol to obtain the equipment information and protocol interaction of devices communicating with the PLC equipment; taking the data packets generated when a different IP address is used as the other spoofing target as second data packets, analyzing and decoding the first and second data packets, and determining the IP address of the equipment communicating with the PLC equipment; and confirming the upper computer equipment according to the IP address of the equipment communicating with the PLC equipment. Based on ARP spoofing, the upper computer that communicates with the PLC equipment over an industrial control protocol can be detected rapidly and effectively.

Description

Method, system, terminal and medium for identifying upper computer in industrial control system
Technical Field
The application relates to the technical field of industrial control, in particular to an upper computer identification method, an upper computer identification system, a terminal and a medium in an industrial control system.
Background
Industrial control systems are important infrastructure, and with the deep integration of informatization and industrialization, their information security situation is increasingly severe. Today's industrial control systems have changed enormously in control scale, control technology and information sharing, evolving from simple, closed control systems into complex, open ones. Cyber attacks against industrial control systems are increasing, and these systems face unprecedented cyber security threats. Industrial control protocols, as important components of industrial control systems, are attracting more and more attention. Communication in industrial control systems usually uses protocols specific to them; these protocols are typically designed to meet the real-time operation requirements of large-scale distributed systems, and for efficiency reasons other functional requirements are largely ignored.
In modern industrial control systems, PLCs (programmable logic controllers) have become a common control device. PLCs control machines and processes by running programs, which have become an integral part of many industrial applications. However, industrial control systems also present some security risks, such as malicious attacks and cyber threats. Therefore, protecting the safety of industrial control systems has become an important task.
In industrial control systems, an upper computer is often used to communicate with a PLC to perform tasks such as monitoring and control. Since the PLC is generally connected to a network, an attacker may gain control over the PLC or tamper with the PLC's program through a network attack, thereby causing damage to the industrial control system. Therefore, a safe method is needed to detect and identify the host computer in communication with the PLC to protect the safety of the industrial control system.
In the prior art, some methods use network scanning techniques to probe PLC devices and then monitor and analyze the communications. This approach requires scanning the entire network, is inefficient, and is easily detected by network security devices. Other methods identify the host computer by directly monitoring network traffic on the PLC device, but such methods require changes or additions of devices to the PLC device, which may affect the normal operation of the PLC device.
In the field of industrial control systems, there have been many methods proposed to protect the safety of PLC devices and industrial control systems. The following are some common prior art:
Firewall: firewalls are commonly used to protect the network security of industrial control systems. They may deter attacks from external networks and limit access to internal networks. However, firewalls typically cannot detect and identify a host computer in communication with a PLC and thus cannot provide complete security protection.
Network scanning: network scanning is typically used to probe PLC devices on a network. However, this approach requires scanning the entire network, is inefficient, and is easily detected by network security devices.
Direct monitoring: the upper computer in communication with the PLC can be identified by directly monitoring the network traffic on the PLC device. However, this method requires modification or addition of equipment on the PLC equipment, which may affect the normal operation of the PLC equipment.
Signature detection: signature detection is a common intrusion detection method that identifies intrusion behavior by detecting specific patterns in network traffic. However, signature detection methods are generally unable to detect unknown attacks and may produce a large number of false positives.
Encrypted communication: encrypted communication can protect the security of communication between the PLC device and the upper computer. However, it requires encrypting and decrypting data, which may reduce communication speed and increase the complexity of the system.
While these techniques can provide some degree of protection, they all suffer from limitations that do not provide complete security. Therefore, a new method is needed to detect and identify the host computer in communication with the PLC to improve the safety of the industrial control system.
Disclosure of Invention
Aiming at the technical defects mentioned in the background art, the embodiment of the application aims to provide an upper computer identification method, an upper computer identification system, an upper computer identification terminal and an upper computer identification medium in an industrial control system, which can quickly and effectively detect an upper computer in industrial control protocol communication with a PLC device based on an ARP spoofing technology.
In order to achieve the above object, in a first aspect, an embodiment of the present application provides a method for identifying an upper computer in an industrial control system, including:
confirming an IP address range of the PLC equipment;
setting the PLC equipment as one of ARP spoofing targets, sequentially attempting to set the rest of IPs as another target address in an enumeration mode, and spoofing the PLC equipment to obtain a first data packet;
capturing and monitoring a first data packet, wherein the first data packet comprises industrial control protocol interaction information;
analyzing the industrial control protocol to obtain equipment information and protocol interaction for communication with the PLC equipment;
taking a data packet generated when the different IP address is taken as another spoofing target as a second data packet, analyzing and decoding the first data packet and the second data packet, and determining the IP address of equipment communicating with the PLC equipment;
and confirming the upper computer equipment according to the IP address of the equipment communicating with the PLC equipment.
In a second aspect, an embodiment of the present application provides an identification system for an upper computer in an industrial control system, which is characterized in that the identification system includes: the system comprises a confirmation module, a deception module, a capturing module, an analysis module and an upper computer identification module;
the confirmation module is used for confirming the IP address range of the PLC equipment;
the spoofing module is used for setting the PLC equipment as one of ARP spoofing targets, sequentially attempting to set the rest of IPs as another target address in an enumeration mode, and spoofing the PLC equipment to obtain a first data packet;
the capture module is used for capturing and monitoring a first data packet, and the first data packet comprises industrial control protocol interaction information;
the analysis module is used for analyzing the industrial control protocol to obtain equipment information and protocol interaction for communicating with the PLC equipment, taking a data packet generated when a different IP address is taken as another spoofing target as a second data packet, analyzing and decoding the first data packet and the second data packet, and determining the IP address of the equipment for communicating with the PLC equipment;
and the upper computer identification module confirms the upper computer equipment according to the IP address of the equipment communicating with the PLC equipment.
In a third aspect, an embodiment of the present application further provides an intelligent terminal, including a processor, an input device, an output device, and a memory, where the processor, the input device, the output device, and the memory are connected to each other, where the memory is configured to store a computer program, and the computer program includes program instructions, and the processor is configured to invoke the program instructions to perform a method according to the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program comprising program instructions which, when executed by a processor, implement a method as described in the first aspect above.
The method for identifying the upper computer in the industrial control system provided by the embodiment of the application has the following advantages:
1. The IP address of the PLC's upper computer is accurately located, which makes it convenient for administrators to track and control network security.
2. Through ARP spoofing attack, the IP address of the upper computer of the PLC can be detected rapidly and effectively, and the success rate is high.
3. Capturing sniffing packets can help the manager to get deep knowledge of the traffic between the PLC and the host computer, helping to discover network security threats.
4. Industrial protocol analysis can help the manager to know the type of protocol used by the PLC and better grasp the operating condition of the PLC.
5. The IP identification function of the upper computer can provide more comprehensive information for the manager, and is beneficial to further improving the network security level.
The upper computer identification system, the terminal and the medium in the industrial control system provided by the embodiment of the application have the same inventive concept and the same beneficial effects as the upper computer identification method in the industrial control system, and are not described in detail herein.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
Fig. 1 is a flowchart of a method for identifying an upper computer in an industrial control system according to a first embodiment of the present application;
Fig. 2 is a block diagram of an industrial control system according to another embodiment of the present application;
Fig. 3 is a block diagram of an intelligent terminal according to another embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Referring to fig. 1, an upper computer identification method in an industrial control system provided by an embodiment of the application includes the following steps:
S1, confirming an IP address range of a PLC device;
S2, setting the PLC equipment as one of ARP spoofing targets, sequentially attempting to set the rest of IPs as another target address in an enumeration mode, and spoofing the PLC equipment to obtain a first data packet;
S3, capturing and monitoring a first data packet, wherein the first data packet comprises industrial control protocol interaction information;
S4, analyzing the industrial control protocol to obtain equipment information and protocol interaction for communication with the PLC equipment;
S5, taking the data packet generated when the different IP address is taken as another deception target as a second data packet, analyzing and decoding the first data packet and the second data packet, and determining the IP address of the equipment which communicates with the PLC equipment;
and S6, confirming the upper computer equipment according to the IP address of the equipment communicating with the PLC equipment.
Specifically, in industrial control systems, the IP address of a PLC device is typically statically configured. The IP address field where the PLC device is located may be determined by scanning the management interface of the industrial switch or router, or manually probing the IP address range in the network.
ARP (Address Resolution Protocol) is a TCP/IP protocol that obtains a physical address from an IP address. When a host sends information, it broadcasts an ARP request containing the target IP address to all hosts on the local area network and receives a reply message, from which it determines the physical address of the target. After receiving the reply, the host stores the IP address and physical address in its local ARP cache for a certain time, and the next request queries the ARP cache directly to save resources. Using ARP spoofing, forged ARP broadcast packets are sent to the target PLC device. Specifically, the PLC device is set as one of the ARP spoofing targets, and the other IPs are then tried in turn, by exhaustion or enumeration, as the other target address. The PLC device is thereby deceived into mistaking the MAC address of the spoofer for the MAC address of the real gateway or upper computer, and so sends its data packets to the spoofer.
The specific method for capturing and monitoring the first data packet comprises the following steps: network traffic is monitored by a sniffer, such as Wireshark, to capture communication packets of the PLC device with other devices. The data packets contain detailed information of industrial control protocol interaction.
Analysis of the industrial control protocol may use protocol analysis tools, such as Scapy or Wireshark, to analyze the captured data packets in depth and learn the protocol interactions between the PLC device and other devices. By identifying and decoding the fields and parameters in the industrial control protocol, it is possible to understand the ongoing activities in the control system and thereby learn which devices are communicating with the PLC device.
The IP address of the upper computer is confirmed by analyzing the data packets. Before confirming which device is the upper computer, the data packets (second data packets) generated when a different IP is used as the other ARP spoofing target need to be analyzed and decoded in depth to determine which device exchanges control protocol traffic with the PLC device. By analyzing the data packets, the IP address of the equipment communicating with the PLC equipment can be determined, which achieves detection and identification of the IP address of the upper computer. The upper computer equipment is then confirmed according to the IP address of the equipment communicating with the PLC equipment.
The above embodiment will be described below using a specific example:
Prepare a notebook computer running a Kali system and connect it to the current industrial control network by network cable. Use the Nmap tool on the notebook to detect which devices in the whole network segment are alive, obtaining a list of live devices. Then perform a full-port scan or a scan of specific industrial control ports on each IP in the device list, and, once the open ports are confirmed, perform fingerprint detection on the corresponding ports to preliminarily determine whether each device is a PLC device or other industrial control equipment. Start Ettercap on the notebook to perform ARP spoofing. The spoofing targets are divided into target A and target B: target A is a PLC device determined through port fingerprint detection, and target B is a non-industrial-control device detected in the network segment, such as a Windows system device. If 3 non-PLC devices are detected, the communication data packets between target A and each of these devices are sniffed in turn through ARP spoofing, and the packets that use an industrial control protocol and a specific industrial control port are screened out to confirm and locate which device is the upper computer of target A.
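The screening step at the end of this example (keeping only packets that carry an industrial control protocol on a specific industrial control port, then attributing them to a peer of target A) can be sketched over traffic that has already been captured. This is an added example, not code from the patent: Modbus/TCP on port 502 and TPKT on port 102 are assumed as the protocols, one protocol frame per TCP segment is assumed, and all addresses and payloads are constructed.

```python
"""Added example: find which peers exchange validated ICS traffic with a PLC."""
import struct
from collections import Counter
from dataclasses import dataclass

# Assumption: the page names no protocol. Modbus/TCP (502) and ISO-on-TCP
# (102, used by S7comm) stand in for "specific industrial control ports".
MODBUS_PORT = 502
ISO_TSAP_PORT = 102


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment, reduced to the fields the screening needs."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def mbap(tid, unit, pdu):
    """Build a Modbus/TCP ADU (used only to construct the sample data)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def decode_modbus(payload):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP ADU, else None."""
    if len(payload) < 8:          # 7-byte MBAP header + at least a function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is 0 for Modbus; length counts the unit id plus the PDU.
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def is_tpkt(payload):
    """TPKT header (RFC 1006): version 3, reserved 0, 16-bit total length."""
    return (len(payload) >= 4 and payload[0] == 3 and payload[1] == 0
            and struct.unpack(">H", payload[2:4])[0] == len(payload))


def classify(seg, plc_ip):
    """Return (peer_ip, protocol) if seg is validated ICS traffic with the PLC."""
    if seg.dst == plc_ip:
        peer, plc_port = seg.src, seg.dport
    elif seg.src == plc_ip:
        peer, plc_port = seg.dst, seg.sport
    else:
        return None
    # The port alone is not enough: a scanner or stray client can hit 502 too,
    # so the payload must also parse as the protocol expected on that port.
    if plc_port == MODBUS_PORT and decode_modbus(seg.payload) is not None:
        return peer, "modbus"
    if plc_port == ISO_TSAP_PORT and is_tpkt(seg.payload):
        return peer, "iso-tsap"
    return None


def identify_upper_computers(segments, plc_ip, min_exchanges=2):
    """Rank peers by completed request/response exchanges with the PLC."""
    requests, responses, protos = Counter(), Counter(), {}
    for seg in segments:
        hit = classify(seg, plc_ip)
        if hit is None:
            continue
        peer, proto = hit
        (requests if seg.dst == plc_ip else responses)[peer] += 1
        protos.setdefault(peer, set()).add(proto)
    ranked = []
    for peer in requests:
        exchanges = min(requests[peer], responses[peer])
        if exchanges >= min_exchanges:
            ranked.append((peer, sorted(protos[peer]), exchanges))
    return sorted(ranked, key=lambda r: -r[2])


# Constructed sample: one polling HMI, one web client, one malformed probe.
PLC = "192.168.1.10"
REQ = b"\x03\x00\x00\x00\x02"        # read holding registers, addr 0, count 2
RSP = b"\x03\x04\x00\x0a\x00\x0b"    # matching response with two registers
SAMPLE = []
for _tid in (1, 2, 3):
    SAMPLE.append(Segment("192.168.1.50", 49152, PLC, 502, mbap(_tid, 1, REQ)))
    SAMPLE.append(Segment(PLC, 502, "192.168.1.50", 49152, mbap(_tid, 1, RSP)))
SAMPLE += [
    Segment("192.168.1.60", 50000, PLC, 80, b"GET / HTTP/1.1\r\n\r\n"),
    Segment("192.168.1.70", 50001, PLC, 502, b"\x00\x00\x00\x00junk"),
]

if __name__ == "__main__":
    for peer, protocols, count in identify_upper_computers(SAMPLE, PLC):
        print(f"{peer}: {count} exchanges over {', '.join(protocols)}")
```

Requiring both a valid frame and a matching response is what separates a polling upper computer from a host that merely touched the port.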
The method for identifying the upper computer in the industrial control system can be used for safety protection of the industrial control system, can rapidly identify the network segment where the PLC equipment is located, and detects the upper computer which communicates with the industrial control protocol of the PLC equipment based on ARP spoofing technology. Through detection and identification of the upper computer, malicious attacks and security vulnerabilities can be effectively detected and prevented. Therefore, the upper computer identification method in the industrial control system provided by the embodiment has the characteristics of high efficiency, accuracy and reliability, and is suitable for various industrial control systems and computer networks.
The method for identifying the upper computer in the industrial control system has the advantages that:
1. The IP address of the PLC's upper computer is accurately located, which makes it convenient for administrators to track and control network security.
2. Through ARP spoofing attack, the IP address of the upper computer of the PLC can be detected rapidly and effectively, and the success rate is high.
3. Capturing sniffing packets can help the manager to get deep knowledge of the traffic between the PLC and the host computer, helping to discover network security threats.
4. Industrial protocol analysis can help the manager to know the type of protocol used by the PLC and better grasp the operating condition of the PLC.
5. The IP identification function of the upper computer can provide more comprehensive information for the manager, and is beneficial to further improving the network security level.
Referring to fig. 2, another embodiment of the present application provides an identification system of an upper computer in an industrial control system, including: the system comprises a confirmation module, a spoofing module, a capturing module, an analysis module and an upper computer identification module, wherein the confirmation module is used for confirming the IP address range of the PLC equipment, the spoofing module is used for setting the PLC equipment as one of the targets of ARP spoofing, sequentially attempting to set other IPs as the other target address by using an enumeration mode, spoofing the PLC equipment to obtain a first data packet, the capturing module is used for capturing and monitoring the first data packet, the first data packet comprises industrial control protocol interaction information, the analysis module is used for analyzing the industrial control protocol to obtain equipment information and protocol interaction communicated with the PLC equipment, the data packet generated when different IP addresses are used as the other spoofing targets is used as a second data packet, the first data packet and the second data packet are analyzed and decoded, the IP address of equipment communicated with the PLC equipment is determined, and the upper computer identification module confirms the upper computer equipment according to the IP address of the equipment communicated with the PLC equipment.
The confirmation module includes a scanning unit for scanning the management interface of an industrial switch or router and a manual probing unit for manually probing the IP address range in the network.
The analysis module comprises a protocol analysis unit for identifying and decoding fields and parameters in the industrial control protocol.
The capture module employs a sniffer to capture and monitor the first data packet.
The upper computer identification system in the industrial control system provided by the embodiment of the application has the following advantages:
1. The IP address of the PLC's upper computer is accurately located, which makes it convenient for administrators to track and control network security.
2. Through ARP spoofing attack, the IP address of the upper computer of the PLC can be detected rapidly and effectively, and the success rate is high.
3. Capturing sniffing packets can help the manager to get deep knowledge of the traffic between the PLC and the host computer, helping to discover network security threats.
4. Industrial protocol analysis can help the manager to know the type of protocol used by the PLC and better grasp the operating condition of the PLC.
5. The IP identification function of the upper computer can provide more comprehensive information for the manager, and is beneficial to further improving the network security level.
Referring to fig. 3, another embodiment of the present application provides an intelligent terminal, which includes a processor, an input device, an output device, and a memory, where the processor is connected to the input device, the output device, and the memory, respectively, and the memory is used to store a computer program, where the computer program includes program instructions, and the processor is configured to call the program instructions to perform the method described in the foregoing embodiment.
It should be appreciated that in embodiments of the present application, the processor may be a central processing unit (Central Processing Unit, CPU), which may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSPs), application specific integrated circuits (Application Specific Integrated Circuit, ASICs), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The input devices may include a touch pad, a fingerprint sensor (for collecting fingerprint information of a user and direction information of a fingerprint), a microphone, etc., and the output devices may include a display (LCD, etc.), a speaker, etc.
The memory may include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include non-volatile random access memory. For example, the memory may also store information of the device type.
In a specific implementation, the processor, the input device, and the output device described in the embodiments of the present application may execute the implementation described in the method embodiment provided in the embodiments of the present application, or may execute the implementation of the system embodiment described in the embodiments of the present application, which is not described herein again.
In a further embodiment of the application, a computer-readable storage medium is provided, in which a computer program is stored, the computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method described in the above embodiment.
The computer readable storage medium may be an internal storage unit of the terminal according to the foregoing embodiment, for example, a hard disk or a memory of the terminal. The computer readable storage medium may also be an external storage device of the terminal, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided on the terminal. Further, the computer-readable storage medium may also include both an internal storage unit and an external storage device of the terminal. The computer-readable storage medium is used to store the computer program and other programs and data required by the terminal. The computer-readable storage medium may also be used to temporarily store data that has been output or is to be output.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working procedures of the terminal and the unit described above may refer to the corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In several embodiments provided by the present application, it should be understood that the disclosed terminal and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application, and are intended to be included within the scope of the appended claims and description.

Claims (10)

1. A method for identifying an upper computer in an industrial control system, characterized by comprising the following steps:
confirming an IP address range of the PLC equipment;
setting the PLC equipment as one of the ARP spoofing targets, sequentially attempting, by enumeration, to set each of the remaining IP addresses as the other target address, and spoofing the PLC equipment to obtain a first data packet;
capturing and monitoring the first data packet, wherein the first data packet comprises industrial control protocol interaction information;
analyzing the industrial control protocol to obtain equipment information and protocol interaction for communication with the PLC equipment;
taking the data packet generated when a different IP address is set as the other spoofing target as a second data packet, acquiring the second data packet, analyzing and decoding the first data packet and the second data packet, and determining the IP address of the equipment communicating with the PLC equipment;
and confirming the upper computer equipment according to the IP address of the equipment communicating with the PLC equipment.
2. The method of claim 1, wherein the specific method for confirming the IP address range of the PLC device comprises:
the IP address range in the network is obtained either by scanning the management interface of the industrial switch or router, or by manual detection.
3. The method of claim 1, wherein the specific method of analyzing an industrial control protocol comprises: fields and parameters in the industrial control protocol are identified and decoded.
4. The method of claim 1, wherein the specific method for capturing the first data packet is: a sniffer is employed to monitor the network traffic of the PLC device.
5. An upper computer identification system in an industrial control system, comprising: the system comprises a confirmation module, a deception module, a capturing module, an analysis module and an upper computer identification module;
the confirmation module is used for confirming the IP address range of the PLC equipment;
the spoofing module is used for setting the PLC equipment as one of the ARP spoofing targets, sequentially attempting, by enumeration, to set each of the remaining IP addresses as the other target address, and spoofing the PLC equipment to obtain a first data packet;
the capture module is used for capturing and monitoring the first data packet, and the first data packet comprises industrial control protocol interaction information;
the analysis module is used for analyzing the industrial control protocol to obtain equipment information and protocol interaction for communicating with the PLC equipment, taking the data packet generated when a different IP address is set as the other spoofing target as a second data packet, analyzing and decoding the first data packet and the second data packet, and determining the IP address of the equipment communicating with the PLC equipment;
and the upper computer identification module confirms the upper computer equipment according to the IP address of the equipment communicating with the PLC equipment.
6. The system of claim 5, wherein the confirmation module comprises a scanning unit to scan an industrial switch or router management interface and a manual probing unit to manually probe a range of IP addresses in a network.
7. The system of claim 5, wherein the analysis module comprises a protocol analysis unit for identifying and decoding fields and parameters in an industrial control protocol.
8. The system of claim 5, wherein the capture module employs a sniffer to capture and monitor the first data packet.
9. An intelligent terminal comprising a processor, an input device, an output device, and a memory, the processor, the input device, the output device, and the memory being interconnected, wherein the memory is configured to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-4.
10. A computer readable storage medium storing a computer program comprising program instructions, which when executed by a processor, implement the method of any one of claims 1-4.
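The analysis step of claims 1 and 3 (decode protocol fields, then determine which IP addresses communicate with the PLC) can be illustrated as follows. This is an added example, not code from the patent: it assumes the industrial control protocol is Modbus/TCP on port 502 and that the captured packets have already been reduced to (source IP, destination IP, destination port, payload) records; all addresses, payloads and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

MODBUS_PORT = 502                 # assumption: the industrial protocol is Modbus/TCP
WRITE_FUNCS = {5, 6, 15, 16}      # standard Modbus write function codes

def parse_adu(payload):
    """Decode the MBAP header and function code; None if not a valid Modbus/TCP ADU."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None               # wrong protocol id or inconsistent length field
    return {"tid": tid, "unit": unit, "func": payload[7]}

def find_upper_computers(records, plc_ip):
    """Count well-formed Modbus requests each peer sends to the PLC."""
    peers = defaultdict(lambda: {"requests": 0, "writes": 0})
    for src, dst, dport, payload in records:
        if dst != plc_ip or dport != MODBUS_PORT:
            continue              # only traffic addressed to the PLC's Modbus port
        adu = parse_adu(payload)
        if adu is None:
            continue              # malformed or non-Modbus payload
        peers[src]["requests"] += 1
        if adu["func"] in WRITE_FUNCS:
            peers[src]["writes"] += 1
    return dict(peers)

def make_adu(tid, unit, func, data):
    """Build a constructed sample ADU for the demo records below."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([func]) + data

PLC = "192.0.2.10"                # constructed addresses (documentation range)
SAMPLE = [                        # constructed records: (src, dst, dst_port, payload)
    ("192.0.2.20", PLC, 502, make_adu(1, 1, 3, b"\x00\x00\x00\x0a")),  # read regs
    ("192.0.2.20", PLC, 502, make_adu(2, 1, 6, b"\x00\x01\x00\x2a")),  # write reg
    (PLC, "192.0.2.20", 49152, make_adu(1, 1, 3, b"\x02\x00\x07")),    # PLC reply
    ("192.0.2.30", PLC, 502, b"GET / HTTP/1.1\r\n"),                   # not Modbus
    ("192.0.2.40", PLC, 502, b"\x00\x01\x00\x00\x00\x06\x01"),         # truncated
    ("192.0.2.50", PLC, 80, make_adu(3, 1, 3, b"\x00\x00\x00\x01")),   # other port
]

if __name__ == "__main__":
    for ip, stats in find_upper_computers(SAMPLE, PLC).items():
        print(ip, stats)
```

A peer that issues well-formed requests to the PLC, and write function codes in particular, is the upper-computer candidate; peers that merely touch the port with malformed or non-Modbus data are excluded.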

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310984965.8A CN116880319B (en) 2023-08-04 2023-08-04 Method, system, terminal and medium for identifying upper computer in industrial control system


Publications (2)

Publication Number Publication Date
CN116880319A (en) 2023-10-13
CN116880319B (en) 2024-04-09

Family

ID=88264480

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310984965.8A Active CN116880319B (en) 2023-08-04 2023-08-04 Method, system, terminal and medium for identifying upper computer in industrial control system

Country Status (1)

Country Link
CN (1) CN116880319B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040103314A1 (en) * 2002-11-27 2004-05-27 Liston Thomas F. System and method for network intrusion prevention
CN106899612A (en) * 2017-04-01 2017-06-27 汕头大学 A kind of method of automatic detection personation host ARP deceptions
US20180013788A1 (en) * 2016-07-07 2018-01-11 Attivo Networks Inc. Detecting man-in-the-middle attacks
CN109039989A (en) * 2017-06-08 2018-12-18 腾讯科技(深圳)有限公司 Address resolution protocol cheat detecting method and device
US20180373868A1 (en) * 2017-06-25 2018-12-27 ITsMine Ltd. Utilization of deceptive decoy elements to identify data leakage processes invoked by suspicious entities
CN110325929A (en) * 2016-12-07 2019-10-11 阿瑞路资讯安全科技股份有限公司 System and method for detecting the waveform analysis of cable network variation
CN112491892A (en) * 2020-11-27 2021-03-12 杭州安恒信息安全技术有限公司 Network attack inducing method, device, equipment and medium
CN114257413A (en) * 2021-11-19 2022-03-29 南方电网数字电网研究院有限公司 Application container engine-based anti-braking blocking method and device and computer equipment


Also Published As

Publication number Publication date
CN116880319B (en) 2024-04-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant