CN117375962A - Industrial control system asset and threat identification method based on Modbus protocol - Google Patents

Info

Publication number: CN117375962A
Authority: CN (China)
Prior art keywords: modbus, equipment, industrial control, control system, information
Legal status: Pending
Application number: CN202311422110.2A
Other languages: Chinese (zh)
Inventors: 陈慧嫔, 张真恺, 秦川杨, 李俊燊, 胥强, 高进舟, 雷阳, 刘卫斌, 周业宙, 林传喜
Current assignee: Yunnan Ksec Design Research Institute Co ltd
Original assignee: Yunnan Ksec Design Research Institute Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an industrial control system asset and threat identification method based on the Modbus protocol, comprising the following steps: constructing four data structures; capturing the data packets transmitted in an industrial control system and judging whether each collected packet is a Modbus packet; checking and analysing the Modbus packets from the second step to obtain their key parameters; matching Modbus packets, distinguishing request messages from response messages, and calculating hash values from the key parameters; processing the information in TQueue and adding each newly found Modbus device as an entry in IDevice; and monitoring the growth trend of newly added Modbus devices in the network and carrying out threat identification. Because the method collects packets rather than sending them, assets and threats are identified without affecting the stability, real-time performance and availability of the industrial control system, and the stability and security of the industrial control system are improved.

Description

Industrial control system asset and threat identification method based on Modbus protocol
Technical Field
The invention relates to the technical field of industrial network security monitoring, in particular to an industrial control system asset and threat identification method based on the Modbus protocol.
Background
Because industrial control systems and their communication protocols hardly considered network and communication security when they were designed, many industrial control systems are extremely fragile, and devices exposed to public networks in particular face a growing threat of attack. Industrial control systems are widely used in the major industries tied to the national economy and people's livelihood, so once they are damaged the resulting impact and loss are very large. Under the network security classified protection system, industrial control systems must take part in classified protection assessment. The most important part of that assessment is risk assessment, and asset identification and threat identification are the core modules of the risk assessment process; the method used for them directly determines the rationality and validity of the risk assessment results.
The domestic network environment is relatively closed and entering the industrial control field is difficult, so asset and threat identification cannot be performed in the actual industrial production environment. At the same time, users pay more attention to the availability, stability and real-time performance of industrial control equipment than to its security. General asset identification methods rely on various test tools, and these basically send specific packets and then fingerprint the returned packets. By sending a large number of packets, such methods may disturb the network of the industrial control system and thereby affect its stability and real-time performance.
It is therefore desirable to provide an industrial control system asset and threat identification method that does not affect the availability, stability and real-time performance of the industrial control equipment.
Disclosure of Invention
The invention aims, in view of the defects of the prior art, to provide a method that identifies and extracts asset information in an industrial control system by monitoring Modbus traffic data, so that the assets of the industrial system are accurately identified without affecting the real-time performance and availability of the industrial control system, while threats in the industrial control system are identified through traffic monitoring and analysis. No messages are sent actively and no active probing is carried out: only the packets already present in the network are collected, and newly added Modbus devices found in those packets are captured, analysed, judged and handled in time, so that the stability and security of the industrial control system are improved.
The technical scheme of the invention is as follows:
The invention discloses an industrial control system asset and threat identification method based on the Modbus protocol, comprising the following specific steps:
step one, constructing four data structures: IQueue, TQueue, IReq and IDevice;
step two, capturing the data packets transmitted in the industrial control system, judging whether each collected packet is a Modbus packet, and if so, adding it to the IQueue queue;
step three, checking and analysing the Modbus packets in the IQueue queue from step two in first-in first-out order, and obtaining in turn the key parameters in the TCP/IP header of each Modbus packet;
step four, matching Modbus packets and distinguishing request messages from response messages: a hash value is calculated from the key parameters of step three; if the packet is a request message, the calculated hash value is stored in IReq; if it is a response message, the key-value pair {IReq[a], i} is stored in TQueue once the transaction has been judged valid, where IReq[a] is the hash value calculated from the key parameters of step three and i is the complete Modbus packet;
step five, processing the information in TQueue in order, and if it concerns a device that does not yet exist in IDevice, adding an entry for the newly added Modbus device to IDevice;
and step six, monitoring the information on newly added Modbus devices in the network, carrying out threat identification according to the newly added Modbus devices recorded in step five, and writing log records.
In this method, the packet collection module captures the packets transmitted in the industrial control system without affecting its real-time performance and availability; Modbus packets are filtered out of the collected packets, and asset information in the industrial control system is identified and extracted by checking and analysing those Modbus packets. At the same time, trend changes in the newly added Modbus device information are used to judge whether abnormal behaviour such as a malicious attack exists, and logs are recorded, which supports system monitoring, equipment troubleshooting, system anomaly detection and network attack reproduction. The collected packet information is stored and analysed with three data structures, which facilitates the subsequent asset identification, threat identification, analysis and recording. Asset and threat identification is achieved through the six steps without actively transmitting any packet, which further guarantees the stability of the industrial control system; Modbus devices that suddenly appear within a short time are checked for threats against the identified asset list, and a threat is blocked in time when it appears, which improves the timeliness of threat identification in the industrial control system and reduces the damage the threat could cause.
Further, IQueue is a first-in first-out (FIFO) queue used to store the unprocessed Modbus packets acquired by the packet collection module;
TQueue is a temporary data structure, likewise a first-in first-out queue, used to store the key-value pairs {IReq[a], i};
IReq is a hash table used to store the Modbus packets waiting to be processed; the stored hash value is calculated from the key parameters of each Modbus packet in the Modbus message queue, namely the slave device IP, master device IP, slave device port number, master device port number and transaction ID;
IDevice is a hash table used to store the objects associated with a particular Modbus device; the stored hash value is calculated from the key parameters of each Modbus packet in the Modbus message queue, namely the slave IP, the slave MAC address and the unit ID (UnitId).
In the method, three key data structures are constructed, and the three algorithms use them to store the corresponding Modbus packets and Modbus device objects.
Further, in step three the key parameters in the TCP/IP header are obtained by inspecting the Modbus packet structure. The key parameters in the TCP/IP header of a Modbus packet always include the slave device information, so the results produced by the Modbus transaction inspection module are mainly concentrated on the slave device.
Further, in step four, if the packet is a request message, it is judged whether the same request already exists; if so, a prompt is given and a log is recorded; if not, the hash value calculated from the key parameters of the request message is stored in IReq.
Further, in step four, if the packet is a response message, it is judged whether a matching request exists; if not, a prompt is given and a log is recorded; if so, it is further judged whether the transaction is valid; if valid, the hash value calculated from the response message and the response message itself are added to the temporary data structure TQueue and the hash value is set to null to indicate that the transaction has been processed; if not valid, a prompt is given and a log is recorded.
Further, only request messages are stored in IReq. A response message that does not match any request is immediately recorded to indicate an exception, and IReq remains unchanged; if a matching response is received and verified, an entry is added to the temporary data structure TQueue and the request is deleted from IReq; if a matching response fails verification, a log entry is generated and the request message remains in IReq.
Further, the information in TQueue is processed in step five by an incremental mapping algorithm: it first determines whether a newly added Modbus device is involved, which covers whether master device information, function code information and function parameter information are included.
Further, the incremental mapping algorithm judges in turn whether master device information, function code information and function parameter information are included; the three kinds of information are independent of each other, and whenever a judgement is yes the information is added directly to IDevice.
In the above approach, messages in SCADA networks tend to follow repetitive, predictable communication patterns, and the incremental mapping algorithm is employed in algorithm 3. In most cases, therefore, the rate at which new information arrives rises and then falls over time, and after the device information and network traffic have stabilised no new information may be added for a relatively long period. When the information collection trend changes suddenly within a short period, abnormal activity such as a malicious attack may exist; at that point the threat is identified and logged. These logs can be used for system monitoring, device troubleshooting, detecting system anomalies and network attack reproduction.
Further, the threat identification in step six proceeds as follows:
according to the asset IP in the newly added Modbus device entry in IDevice, it is judged whether the device is a slave device that does not exist in the asset identification list; if so, the slave device IP, the corresponding operating system type, the open ports, the open services and the loaded services are checked and used to judge whether the slave device is a legitimate asset of the industrial control system; if it is, the slave device is added to the asset list and the threat identification procedure exits; if not, the function code and sub-function code of the slave device are analysed and recorded, a log is written showing that a new device has appeared and that abnormal operations have occurred on it, the IP is immediately blocked, and the administrator is prompted to handle it;
for a newly added device that is not recorded in IDevice, it is judged whether a private encryption protocol is used; if so, a log is written showing that a new device has appeared and that abnormal operations have occurred on it, the IP is immediately blocked, and the administrator is prompted to handle it; if not, the device IP, the corresponding operating system type and the open ports are checked, and it is judged from the ports whether they are uncommon high-numbered ports; if so, a log is written showing that a new device has appeared and that abnormal operations have occurred on it, the IP is immediately blocked, and the administrator is prompted to handle it; if the ports are not uncommon, the services opened and loaded by the device are further checked to judge whether any is an uncommon service or a service unrelated to the industrial control system; if not, the threat identification procedure exits; if so, a log is written showing that a new device has appeared and that abnormal operations have occurred on it, the IP is immediately blocked, and the administrator is prompted to handle it.
Compared with the prior art, the invention has the following beneficial effects:
1. The invention achieves quick identification of industrial control system assets and threats in six steps: the Modbus packets among the captured packets are first stored in the IQueue queue; the Modbus packets in IQueue are processed directly, and the key parameters in the TCP/IP header of each Modbus packet are analysed in turn; the contents of the Modbus packets are then matched and analysed; finally the Modbus device information is subjected to asset identification and threat identification. Threat identification is further judged on the basis of asset identification: the information obtained from asset identification is used directly to monitor newly added Modbus devices, and devices added within a short time are monitored for threats, so that threat identification can be carried out quickly alongside asset identification and the stability and security of the industrial control system are further improved.
2. The incremental mapping algorithm employed by the invention can identify threats and other abnormal activity in an industrial control system by collecting and storing the addresses associated with slave devices, the addresses of the master devices communicating with them, and the function codes and parameters seen in transactions associated with those devices. After the industrial control system has operated stably for a period of time, the rate of newly added information rises and then falls over time, and once the device information and network traffic have stabilised no new information may be added for a relatively long period. If the information collection trend changes suddenly within a short period, abnormal activity such as a malicious attack may exist: threat identification is performed on the newly added Modbus devices, a timely response is made and the administrator is reminded to handle it, which further guarantees the safe use of the industrial control system and fully reduces the impact of threats to it.
3. The invention monitors device and traffic changes in the network in real time, identifies threats and records logs, and the logs can be used for system monitoring, equipment troubleshooting, detection of system anomalies and network attack reproduction.
Drawings
FIG. 1 is a flow chart of an industrial control system asset and threat identification method based on the Modbus protocol of the present invention;
FIG. 2 is a flow chart of the data packet collection algorithm of the present invention;
FIG. 3 is a flowchart of the Modbus transaction checking module algorithm of the present invention;
FIG. 4 is a flowchart of the Modbus device object detection algorithm of the present invention;
FIG. 5 is a schematic diagram of a threat identification process in accordance with the present invention;
FIG. 6 is a Modbus device information document generated by devices in the asset identification process of the present invention;
FIG. 7 is a Modbus device information document generated by the threat identification process of the present invention.
Detailed Description
It is noted that relational terms such as "first" and "second", and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The technical scheme of the present invention is described in further detail below with reference to examples.
As shown in FIG. 1, the flow of the Modbus protocol-based industrial control system asset and threat identification method of the invention is as follows:
two programmable logic controllers (PLCs) were used to simulate normal Modbus communication between two devices. One PLC serves as the master with IP address 192.168.21.22 and the other as the slave with IP address 192.168.21.21.
Step 1, construct four data structures: IQueue, TQueue, IReq and IDevice.
IQueue is a FIFO (first in, first out) queue. It is used to store the unprocessed Modbus packets acquired by the packet collection module.
TQueue is a temporary data structure, also a first-in first-out queue, used to store the key-value pairs {IReq[a], i}.
IReq is a hash table used to store the Modbus packets awaiting processing. The stored hash value IReq[a] is calculated from the Modbus message queue, i.e. a = hash(x1, x2, x3, …, xn), where one may take x1 = slave IP, x2 = master IP, x3 = slave port number, x4 = master port number and x5 = transaction ID (TransactionId).
IDevice is a hash table that stores the objects associated with a particular Modbus device. The stored hash value IDevice[b] is calculated from the Modbus message queue, i.e. b = hash(y1, y2, y3, …, yn), which uniquely identifies each Modbus device in the network. Here one may take y1 = slave IP, y2 = slave MAC address and y3 = unit ID (UnitId). The entries in the hash table store the specific information of each device, such as the addresses associated with the slave device, the addresses of the master devices communicating with it, and the function codes and parameters seen in transactions associated with the device.
Step 2, start the packet collector and capture the packets transmitted in the industrial control system according to the packet collection algorithm, whose specific operating steps are as follows:
various aborts and timeouts are treated as exit conditions; while the packet collection process has not met an exit condition, each collected packet is judged to be a Modbus packet or not according to judgement conditions based on the information in the message header, such as the transaction identifier, protocol identifier and data length. Modbus packets are added to IQueue one by one.
Step 3, check and analyse the Modbus packets in the IQueue queue from step 2 in first-in first-out order, obtaining in turn the key parameters in the TCP/IP header of each Modbus packet. As shown in FIG. 6, analysing the Modbus packets shows that the two input coil addresses are 3344 and 3408, and the output coil address is 3306.
Step 4, match Modbus packets and distinguish request messages from response messages: calculate the hash value from the key parameters of step 3; if the packet is a request message, store the calculated hash value in IReq; if it is a response message, store the key-value pair {IReq[a], i} in TQueue once the transaction has been judged valid, where IReq[a] is the hash value calculated from the key parameters of step 3 and i is the complete Modbus packet. Referring to FIG. 3, the Modbus transaction checking module algorithm specifically comprises the following steps:
the hash value of the Modbus packet waiting to be processed is calculated from the slave IP, master IP, slave port number, master port number and transaction ID. With slave IP = 192.168.21.21, master IP = 192.168.21.22, slave port number = 502, master port number = 2080 and transaction ID = 251, the hash value IReq[a] = tm9b/u+t0 jpgulIcHDuW8FoFQyDRmF8jzC1PzV4 dxzk= is calculated. It is then determined whether the Modbus packet is a request or a response, and IReq is checked for the corresponding hash value: if the packet is a Modbus request and the same hash value already exists in IReq, a message that multiple requests exist is displayed and a log is recorded; if it is a Modbus request and the same hash value does not exist in IReq, the calculated hash value is written into IReq; if it is a Modbus response and the same hash value exists in IReq, it is verified whether the request matches the hash value stored in IReq; if so, the hash value calculated from the response message and the response message ({IReq[a], i}) are added to the auxiliary data structure TQueue; if not, the Modbus request or response is proven invalid, "transaction invalid" is displayed and a log is recorded; if it is a Modbus response and the same hash value does not exist in IReq, this proves that no corresponding request message exists, and "no matching request found" is displayed and recorded.
In the above algorithm only request messages are stored in IReq; a response message without a matching request is immediately recorded to indicate the exception, and IReq remains unchanged. If a matching response is received and validated, an entry is added to the transaction queue TQueue (the auxiliary data structure) and the request is deleted from IReq. If, on the other hand, a matching response fails validation, a log entry is generated and the request message remains in IReq in case a matching response is received later.
Step 5, process the information in TQueue in order: the asset identification module records all device information detected in the network communication according to the Modbus device object detection algorithm, and if the device does not yet exist in IDevice, an entry for the newly added Modbus device is added to IDevice. Referring to FIG. 4, the Modbus device object detection algorithm specifically comprises the following steps:
the hash value of the Modbus packet awaiting processing is calculated from the slave IP, slave MAC address and unit ID (UnitId). With slave IP = 192.168.21.22, slave MAC address = 00:0d:e0:80:49:31 and unit ID (UnitId) = 10, the calculated hash value is m2LJHetz4N7 hbtttvpcia 4D8P2 oeieerls 78NbvFwh 4=. It is then judged whether a newly added Modbus device is involved, and if so an entry for the new device is added to IDevice, comprising the related transaction information, namely the master device ID, function code and function parameters. The result of asset identification is shown in FIG. 6.
A single IP address may support multiple independent Modbus terminal units, for example in bridges, routers and gateways. The MBAP header of a Modbus message contains a unit identifier, the unit ID (UnitId) mentioned above, which corresponds to the slave address used on a Modbus serial link for intra-system routing. Communication with a Modbus or Modbus+ serial-link slave through a gateway between the Ethernet TCP/IP network and the Modbus serial link is accomplished by means of this unit ID. Therefore, where a single IP address supports several independent Modbus terminal units, the Modbus devices can still be uniquely identified by their unit IDs; the hash calculation in the algorithm of FIG. 4 already includes the unit ID, so even several independent Modbus terminal units behind a single IP address yield different hash values because their unit IDs differ.
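The four data structures and the algorithms of steps 2 to 5 (FIG. 3 and FIG. 4), written out as an added Python example that is not part of the patent: it assumes the slave is the side on TCP/502, hashes the key parameters with SHA-256 (the patent does not name its hash), validates a transaction by matching unit ID and function code, and runs on constructed sample packets.

```python
import base64
import hashlib
import struct
from collections import deque, namedtuple

MODBUS_PORT = 502  # assumption: the slave (Modbus/TCP server) is the side on TCP/502

# A captured frame reduced to the fields the algorithms need (constructed sample data).
Packet = namedtuple("Packet", "src_mac src_ip src_port dst_ip dst_port payload")

def is_modbus(pkt):
    """Step 2 filter: protocol identifier 0 and an MBAP length consistent with the payload."""
    if len(pkt.payload) < 8:
        return False
    _tid, proto, length, _unit = struct.unpack(">HHHB", pkt.payload[:7])
    return proto == 0 and length == len(pkt.payload) - 6

def key_params(pkt):
    """Step 3: (slave IP, master IP, slave port, master port, transaction ID) plus packet kind."""
    tid = struct.unpack(">H", pkt.payload[:2])[0]
    if pkt.dst_port == MODBUS_PORT:  # master -> slave is a request
        return (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, tid), "request"
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, tid), "response"

def hash_key(*fields):
    """a = hash(x1, ..., xn): SHA-256 over the joined fields, base64-encoded (assumed hash)."""
    digest = hashlib.sha256("|".join(str(f) for f in fields).encode()).digest()
    return base64.b64encode(digest).decode()

class ModbusMonitor:
    def __init__(self):
        self.iqueue = deque()  # IQueue: unprocessed Modbus packets, FIFO
        self.tqueue = deque()  # TQueue: (IReq[a], response i, matched request) per valid transaction
        self.ireq = {}         # IReq: hash -> request packet waiting for its response
        self.idevice = {}      # IDevice: hash(slave IP, slave MAC, unit ID) -> device object
        self.log = []

    def collect(self, pkt):
        if is_modbus(pkt):
            self.iqueue.append(pkt)

    @staticmethod
    def _valid(req, resp):
        """Assumed validity test: same unit ID and the request's function code (or its 0x80 exception form)."""
        return req.payload[6] == resp.payload[6] and resp.payload[7] in (req.payload[7], req.payload[7] | 0x80)

    def check_transactions(self):
        """Step 4 (FIG. 3): pair requests with responses through IReq."""
        while self.iqueue:
            pkt = self.iqueue.popleft()
            params, kind = key_params(pkt)
            a = hash_key(*params)
            if kind == "request":
                if a in self.ireq:
                    self.log.append(f"multiple requests exist: {a}")
                else:
                    self.ireq[a] = pkt
            elif a not in self.ireq:
                self.log.append(f"no matching request found: {a}")
            elif self._valid(self.ireq[a], pkt):
                self.tqueue.append((a, pkt, self.ireq.pop(a)))  # request leaves IReq
            else:
                self.log.append(f"transaction invalid: {a}")    # request stays in IReq

    def detect_devices(self):
        """Step 5 (FIG. 4): incremental mapping into IDevice; returns the count of new information."""
        new_info = 0
        while self.tqueue:
            _a, resp, req = self.tqueue.popleft()
            unit_id, fc = resp.payload[6], resp.payload[7]
            b = hash_key(resp.src_ip, resp.src_mac, unit_id)
            if b not in self.idevice:
                self.idevice[b] = {"slave_ip": resp.src_ip, "slave_mac": resp.src_mac,
                                   "unit_id": unit_id, "masters": set(),
                                   "function_codes": set(), "parameters": set()}
                new_info += 1
            dev = self.idevice[b]
            for field, value in (("masters", req.src_ip), ("function_codes", fc),
                                 ("parameters", req.payload[8:].hex())):
                if value not in dev[field]:  # new master, function code or parameters
                    dev[field].add(value)
                    new_info += 1
        return new_info

def mbap(tid, unit_id, pdu):
    """Build a Modbus/TCP frame: transaction ID, protocol ID 0, length, unit ID, PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

# Constructed sample traffic: master 192.168.21.22:2080 reads two coils at address 3344 from unit 10
# of slave 192.168.21.21:502 (transaction ID 251); STRAY is a response with no matching request.
MASTER_MAC, MASTER_IP = "00:0d:e0:80:49:32", "192.168.21.22"
SLAVE_MAC, SLAVE_IP = "00:0d:e0:80:49:31", "192.168.21.21"
REQUEST = Packet(MASTER_MAC, MASTER_IP, 2080, SLAVE_IP, 502, mbap(251, 10, b"\x01\x0d\x10\x00\x02"))
RESPONSE = Packet(SLAVE_MAC, SLAVE_IP, 502, MASTER_IP, 2080, mbap(251, 10, b"\x01\x01\x03"))
STRAY = Packet(SLAVE_MAC, SLAVE_IP, 502, MASTER_IP, 2080, mbap(252, 10, b"\x01\x01\x03"))

def run(packets):
    monitor = ModbusMonitor()
    for pkt in packets:
        monitor.collect(pkt)
    monitor.check_transactions()
    return monitor, monitor.detect_devices()
```

Running `run([REQUEST, RESPONSE, STRAY])` yields one IDevice entry with four pieces of new information and a "no matching request found" log line for the stray response; replaying the same transaction adds nothing, which is the behaviour the trend monitor of step 6 relies on.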
Step 6: the threat identification module monitors the growth trend of newly added Modbus devices in the network. If the information-collection trend changes abruptly within a short period, threat identification is carried out on the newly added Modbus devices recorded in step five, and a log is written. Because messages in SCADA networks tend to follow repetitive, predictable communication patterns, and because algorithm 3 uses an incremental mapping algorithm, the rate at which new information is collected normally rises at first and then declines over time; once the device information and the network traffic have stabilised, no new information may be added for a comparatively long period. A sudden change in the short-term collection trend therefore indicates possible abnormal activity such as a malicious attack. When the threat identification module sees a device that is not in the asset identification list appear within a short time, the specific threat identification steps are as shown in fig. 5:
Judge from the captured data packets whether the new asset uses the Modbus protocol. If so, further judge from the asset IP whether it is a slave device that does not exist in the asset identification list; if not, judge whether its traffic is encrypted with a proprietary encryption protocol.
The new asset uses the Modbus protocol:
If it is judged to be a slave device that does not exist in the asset identification list, check the slave device's IP, its operating system type, its open ports, its open services and its loaded services, and judge from this information whether it is a legitimate asset of the industrial control system; if it is judged to be a legitimate asset, add it to the asset list and exit the threat identification program;
If it is judged not to be such a slave device (the new asset is the side issuing the requests, i.e. a master device), parse and record its function code and sub-function code, write a log, display that a new device has appeared and that it is performing abnormal operations, immediately block the IP, and prompt the administrator to handle it.
The new asset does not use the Modbus protocol:
If its traffic is encrypted with a proprietary encryption protocol, write a log, display that a new device has appeared and that it is performing abnormal operations, immediately block the IP, and prompt the administrator to handle it;
If it is not, further check the device IP, its operating system type and its open ports, and judge from the ports whether it has opened unusual high-numbered ports. If it has, write a log, display that a new device has appeared and that it is performing abnormal operations, immediately block the IP, and prompt the administrator to handle it. If it has not, further check the services the device has opened and loaded, and judge whether they are unusual services or services unrelated to the industrial control system; if they are not, exit the threat identification program; if they are, write a log, display that a new device has appeared and that it is performing abnormal operations, immediately block the IP, and prompt the administrator to handle it.
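The decision tree above as runnable code. This is an added example, not the patent's own implementation: the port and service allow-lists, the PLC operating-system list, the high-port threshold, the legitimacy check for a new slave, the handling of a new slave that fails that check, and the sample hosts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

COMMON_PORTS = {21, 22, 23, 80, 102, 443, 502, 20000, 44818}      # assumed: ordinary in this plant
COMMON_SERVICES = {"modbus", "s7comm", "enip", "dnp3", "http", "https", "ssh", "ftp", "telnet", "ntp", "snmp"}
PLC_OS = {"VxWorks", "QNX", "embedded Linux"}                     # assumed: what the site's PLCs run
HIGH_PORT = 10000                                                 # assumed threshold for "unusual high-numbered port"


@dataclass
class NewAsset:
    ip: str
    modbus: bool                       # does its captured traffic use the Modbus protocol?
    role: str = "none"                 # "slave" or "master" when modbus is True
    private_encryption: bool = False   # traffic uses a proprietary encrypted protocol
    os_type: str = "unknown"
    open_ports: set = field(default_factory=set)
    services: set = field(default_factory=set)             # open and loaded services
    function_codes: list = field(default_factory=list)     # (function code, sub-function) pairs seen


def looks_legitimate(a: NewAsset) -> bool:
    """Assumed legitimacy check for a new Modbus slave: PLC-like OS, only ordinary ports and services."""
    return a.os_type in PLC_OS and a.open_ports <= COMMON_PORTS and a.services <= COMMON_SERVICES


def identify_threat(a: NewAsset, legitimate=looks_legitimate):
    """Return (action, message) for a host absent from the asset list, checking in the order of the steps above."""
    def block(why):
        return "block", f"new device {a.ip}: abnormal operation ({why}); IP blocked, administrator prompted"
    if a.modbus:
        if a.role == "slave":
            if legitimate(a):
                return "add_to_asset_list", f"new device {a.ip} is a legitimate slave; added to the asset list"
            # The text does not say what happens to a new slave that fails the check;
            # treating it like the other abnormal cases is an assumption of this example.
            return block("Modbus slave failed the legitimacy check")
        codes = ", ".join(f"FC {fc}" + ("" if sub is None else f"/sub {sub}") for fc, sub in a.function_codes)
        return block(f"unknown Modbus master issuing {codes or 'requests'}")
    if a.private_encryption:
        return block("proprietary encrypted protocol")
    high = sorted(p for p in a.open_ports if p >= HIGH_PORT and p not in COMMON_PORTS)
    if high:
        return block(f"unusual high-numbered ports {high}")
    odd = sorted(a.services - COMMON_SERVICES)
    if odd:
        return block(f"services unrelated to the industrial control system {odd}")
    return "exit", f"new device {a.ip}: non-Modbus host on ordinary ports and services; threat identification exited"


# Constructed observations: a new PLC, the intruder of fig. 7, a host with a proprietary tunnel,
# a host with an odd high-numbered listener, an office PC with unrelated services, and a plain web host.
SAMPLES = [
    NewAsset("192.168.21.23", True, "slave", os_type="VxWorks", open_ports={80, 502}, services={"http", "modbus"}),
    NewAsset("192.168.21.221", True, "master", function_codes=[(43, 14)]),
    NewAsset("192.168.21.160", False, private_encryption=True),
    NewAsset("192.168.21.150", False, os_type="Linux", open_ports={22, 31337}, services={"ssh"}),
    NewAsset("192.168.21.151", False, os_type="Windows", open_ports={445, 3389}, services={"smb", "rdp"}),
    NewAsset("192.168.21.152", False, os_type="Windows", open_ports={80}, services={"http"}),
]


def verdicts():
    return {a.ip: identify_threat(a) for a in SAMPLES}


if __name__ == "__main__":
    for ip, (action, msg) in verdicts().items():
        print(f"{action:18} {msg}")
```

Two properties of the tree are visible once it is written out: an unknown host that speaks Modbus as a master is blocked before anything else about it is examined, and the final branch exits without writing a log, so a non-Modbus host on ordinary ports leaves no trace; an operator would normally want at least a log entry there.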
As shown in fig. 7, the threat identification works as follows. An attacker joins the industrial control system with the IP address 192.168.21.221; the legitimate assets present in the industrial control system are 192.168.21.21 and 192.168.21.22. When the threat identification module notices a device that is not in the asset identification list appearing within a short time, it first determines from the packet structure that the newly appeared device is sending Modbus data packets, i.e. the new asset uses the Modbus protocol. The packets also show that the new asset is not a slave device absent from the asset identification list but the side issuing the requests, so the new asset is a master device, with IP 192.168.21.221. Following the threat analysis steps, its function code and sub-function code are parsed and recorded, and the device is found to be attempting function code 43 with sub-function (MEI type) 14, the Read Device Identification diagnostic function carried over the Modbus Encapsulated Interface transport. With this function an attacker can obtain the device's basic device identification (vendor name, product code and revision number), its regular device identification (in addition to the basic data objects, the device provides additional and optional identification and description data objects) and its extended device identification (in addition to the regular data objects, the device provides additional and optional identification and description private data). Once an attacker has obtained this information, the industrial control system can be attacked in a number of ways. At this point the IP is blocked immediately and the administrator is prompted to handle it.
The detailed description above is specific and detailed, but is not intended to limit the scope of the application in any way. It should be noted that those skilled in the art can make several variations and modifications without departing from the technical solution of the present application, and these fall within its protection scope.

Claims (9)

1. An industrial control system asset and threat identification method based on the Modbus protocol, characterized by comprising the following specific steps:
step one, construct four data structures: IQueue, TQueue, IReq and IDevice;
step two, capture the data packets transmitted in the industrial control system, judge whether each collected data packet is a Modbus data packet and, if so, add it to the IQueue queue;
step three, inspect and parse the Modbus data packets in the IQueue queue of step two in first-in first-out order, obtaining in turn the key parameters in the TCP/IP header of each Modbus data packet;
step four, match the Modbus data packets: distinguish request messages from response messages and calculate a hash value from the key parameters of step three; if the packet is a request message, store the calculated hash value in IReq; if it is a response message, after judging that the transaction is valid, store the key-value pair {IReq[a], i} in TQueue, where IReq[a] is the hash value calculated from the key parameters of step three and i is the complete Modbus data packet;
step five, process the information in TQueue in order, and if it concerns a device that does not exist in IDevice, add an entry for the newly added Modbus device to IDevice;
step six, monitor the information on newly added Modbus devices in the network, carry out threat identification according to the newly added Modbus devices recorded in step five, and write a log.
2. The industrial control system asset and threat identification method based on the Modbus protocol of claim 1, wherein
IQueue is a first-in first-out (FIFO) queue for storing the unprocessed Modbus data packets acquired by the data packet acquisition module;
TQueue is a temporary data structure, also a FIFO queue, for storing the key-value pairs {IReq[a], i};
IReq is a hash table for storing Modbus data packets waiting to be processed; the stored hash value is calculated from the key parameters of each Modbus data packet in the Modbus message queue, namely the slave device IP, the master device IP, the slave device port number, the master device port number and the transaction ID;
IDevice is a hash table for storing objects associated with a particular Modbus device; the stored hash value is calculated from the key parameters of each Modbus data packet in the Modbus message queue, namely the slave device IP, the slave device MAC address and the unit ID (UnitId).
3. The industrial control system asset and threat identification method based on the Modbus protocol of claim 1, wherein in step three the key parameters in the TCP/IP header are obtained by inspecting the Modbus data packet structure; the key parameters in the TCP/IP header of a Modbus data packet always include slave device information, and the results analysed by the Modbus transaction inspection module are therefore mainly concentrated on the slave device.
4. The industrial control system asset and threat identification method based on the Modbus protocol of claim 1, wherein in step four, if the packet is a request message, it is judged whether the same request already exists; if so, a prompt is given and a log is written; if not, the hash value calculated from the key parameters of the request message is stored in IReq.
5. The industrial control system asset and threat identification method based on the Modbus protocol of claim 4, wherein in step four, if the packet is a response message, it is judged whether a matching request exists; if not, a prompt is given and a log is written; if so, it is further judged whether the transaction is valid; if it is valid, the hash value calculated from the response message together with the response message is added to the temporary data structure TQueue and the hash value is set to null to indicate that the transaction has been processed; if it is not valid, a prompt is given and a log is written.
6. The industrial control system asset and threat identification method based on the Modbus protocol of claim 4 or 5, wherein in step four only request messages are stored in IReq; a response message without a matching request is immediately logged as an anomaly and IReq remains unchanged; if a matching response is received and validated, an entry is added to the temporary data structure TQueue and the request is deleted from IReq; if a matching response is not validated, a log entry is generated and the request message remains in IReq.
7. The industrial control system asset and threat identification method based on the Modbus protocol of claim 1, wherein the processing of the information in TQueue in step five uses an incremental mapping algorithm, and the step of judging whether a new Modbus device is involved includes judging whether master device information is included, whether function code information is included and whether function parameter information is included.
8. The industrial control system asset and threat identification method based on the Modbus protocol of claim 7, wherein the incremental mapping algorithm judges in turn whether master device information, function code information and function parameter information are included; the three items of information are independent of one another, and if so, the information is added directly to IDevice.
9. The industrial control system asset and threat identification method based on the Modbus protocol of claim 1, wherein the threat identification of step six comprises:
judging from the asset IP of a newly added Modbus device entry in IDevice whether the device is a slave device that does not exist in the asset identification list; if so, checking the slave device IP, its operating system type, its open ports, its open services and its loaded services, judging from this information whether the slave device is a legitimate asset of the industrial control system, and, if it is, adding it to the asset list and exiting the threat identification program; if it is not such a slave device, parsing and recording its function code and sub-function code, writing a log, displaying that a new device has appeared and that it is performing abnormal operations, immediately blocking the IP, and prompting the administrator to handle it;
judging, for a newly added device not recorded in IDevice, whether its traffic is encrypted with a proprietary encryption protocol; if so, writing a log, displaying that a new device has appeared and that it is performing abnormal operations, immediately blocking the IP, and prompting the administrator to handle it; if not, checking the device IP, its operating system type and its open ports and judging from the ports whether it has opened unusual high-numbered ports; if so, writing a log, displaying that a new device has appeared and that it is performing abnormal operations, immediately blocking the IP, and prompting the administrator to handle it; if not, further checking the services the device has opened and loaded and judging whether they are unusual services or services unrelated to the industrial control system; if they are not, exiting the threat identification program; if they are, writing a log, displaying that a new device has appeared and that it is performing abnormal operations, immediately blocking the IP, and prompting the administrator to handle it.
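The request/response matching of claims 1 to 8 and the Modbus branch of claim 9, run over constructed traffic for the intrusion scenario of fig. 7 (an unknown master at 192.168.21.221 issuing function code 43 with MEI type 14 against the slave at 192.168.21.22). This is an added example and not the patent's code or algorithm 3 itself: the packet representation, the MAC addresses, the frame bytes, the function-code name table and the rule that a response whose function code does not match its request is an invalid transaction are assumptions. IReq and IDevice are plain dictionaries keyed on the five-tuple and the three-tuple the claims name, which is what "hash table keyed on those parameters" amounts to in practice.

```python
import struct
from collections import deque

MODBUS_PORT = 502
FC_NAMES = {(43, 14): "Read Device Identification (function code 43, MEI type 14)"}


def mbap(tid, uid, pdu):
    """Modbus/TCP frame: MBAP header (transaction id, protocol id 0, length, unit id) + PDU. Used to build samples."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def pkt(src, smac, sport, dst, dmac, dport, payload):
    """A captured packet reduced to the header fields the method uses (constructed, not read from a pcap)."""
    return dict(src=src, smac=smac, sport=sport, dst=dst, dmac=dmac, dport=dport, payload=payload)


def parse(p):
    """Steps two and three: drop anything that is not a Modbus/TCP frame, then extract the key parameters.
    Direction is decided by which side is on port 502, so the slave side is always identifiable (claim 3)."""
    raw = p["payload"]
    if len(raw) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0 or length != len(raw) - 6:
        return None
    fc, data = raw[7], raw[8:]
    if p["dport"] == MODBUS_PORT:       # request: master -> slave
        slave, master, slave_mac, is_req = (p["dst"], p["dport"]), (p["src"], p["sport"]), p["dmac"], True
    elif p["sport"] == MODBUS_PORT:     # response: slave -> master
        slave, master, slave_mac, is_req = (p["src"], p["sport"]), (p["dst"], p["dport"]), p["smac"], False
    else:
        return None
    key = (slave[0], master[0], slave[1], master[1], tid)   # claim 2: the five IReq key parameters
    sub = data[0] if fc == 43 and data else None           # for FC 43 the MEI type plays the sub-function role
    return dict(key=key, uid=uid, fc=fc, sub=sub, params=data.hex(), request=is_req, slave_mac=slave_mac)


def track(packets):
    """Steps two to five: IQueue -> request/response matching through IReq and TQueue -> incremental
    mapping into IDevice. Returns (idevice, log, events); an event is one new fact plus the request behind it."""
    iqueue = deque(f for f in map(parse, packets) if f)     # step two: Modbus frames only, in arrival order
    ireq, tqueue, idevice, log, events = {}, deque(), {}, [], []
    while iqueue:                                           # step three: first in, first out
        f = iqueue.popleft()
        if f["request"]:                                    # claim 4
            if f["key"] in ireq:
                log.append(("duplicate request", f["key"]))
            else:
                ireq[f["key"]] = f
            continue
        req = ireq.get(f["key"])                            # claims 5 and 6
        if req is None:
            log.append(("response without request", f["key"]))
        elif f["fc"] & 0x7F != req["fc"]:                   # exception responses carry fc | 0x80
            log.append(("invalid transaction", f["key"]))   # request stays in IReq
        else:
            tqueue.append((req, f))
            del ireq[f["key"]]
    while tqueue:                                           # step five, claims 7 and 8
        req, resp = tqueue.popleft()
        dev_key = (req["key"][0], resp["slave_mac"], req["uid"])    # slave IP, slave MAC, unit id
        entry = idevice.setdefault(dev_key, {"masters": set(), "fcs": set(), "params": set()})
        for kind, value in (("masters", req["key"][1]), ("fcs", req["fc"]), ("params", (req["fc"], req["params"]))):
            if value not in entry[kind]:                    # the three checks are independent of each other
                entry[kind].add(value)
                events.append((dev_key, kind, value, req))
    return idevice, log, events


def threat_identify(events, asset_list):
    """Step six, Modbus branch of claim 9: a master new to a slave and absent from the asset list has its
    function code and sub-function recorded, and its IP is blocked."""
    alerts = []
    for dev_key, kind, value, req in events:
        if kind == "masters" and value not in asset_list:
            alerts.append(dict(ip=value, target=dev_key[0], fc=req["fc"], sub=req["sub"],
                               what=FC_NAMES.get((req["fc"], req["sub"]), f"function code {req['fc']}"),
                               action="log, block IP, prompt administrator"))
    return alerts


# Constructed traffic for the scenario of fig. 7: HMI .21 and PLC .22 are legitimate, .221 is the intruder.
HMI, PLC, BAD = "192.168.21.21", "192.168.21.22", "192.168.21.221"
MAC = {HMI: "02:00:00:00:00:21", PLC: "02:00:00:00:00:22", BAD: "02:00:00:00:00:dd"}   # assumed
SAMPLE = [
    pkt(HMI, MAC[HMI], 49152, PLC, MAC[PLC], 502, mbap(1, 1, b"\x03\x00\x00\x00\x02")),      # read 2 holding registers
    pkt(HMI, MAC[HMI], 49152, PLC, MAC[PLC], 502, mbap(1, 1, b"\x03\x00\x00\x00\x02")),      # the same request again
    pkt(PLC, MAC[PLC], 502, HMI, MAC[HMI], 49152, mbap(1, 1, b"\x03\x04\x00\x0a\x00\x14")),  # response, 2 registers
    pkt(BAD, MAC[BAD], 40000, PLC, MAC[PLC], 502, mbap(7, 1, b"\x2b\x0e\x01\x00")),          # FC 43 / MEI 14, basic ids
    pkt(PLC, MAC[PLC], 502, BAD, MAC[BAD], 40000,                                            # vendor, product, revision
        mbap(7, 1, b"\x2b\x0e\x01\x01\x00\x00\x03\x00\x06Vendor\x01\x04PLC1\x02\x03v10")),
    pkt(PLC, MAC[PLC], 502, HMI, MAC[HMI], 49152, mbap(99, 1, b"\x03\x02\x00\x01")),         # response nobody asked for
]
ASSET_LIST = {HMI, PLC}


def run_scenario():
    idevice, log, events = track(SAMPLE)
    return idevice, log, threat_identify(events, ASSET_LIST)


if __name__ == "__main__":
    idevice, log, alerts = run_scenario()
    for entry in log:
        print("log:", *entry)
    for alert in alerts:
        print("alert:", alert)
```

Running it produces two log entries (the repeated HMI request, and the response with transaction ID 99 that no request explains), one IDevice entry for the PLC carrying both masters, and a single alert naming 192.168.21.221, function code 43 and MEI type 14. Because the attacker's request is only mapped after its response is matched, the alert fires after the identification data has already left the PLC; blocking at that point limits follow-on traffic but does not prevent the read itself, which is a limitation inherent to passive transaction matching.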
Application CN202311422110.2A, priority date 2023-10-30, filing date 2023-10-30: Industrial control system asset and threat identification method based on Modbus protocol. Status: pending. Publication: CN117375962A (en).

Publications (1)

Publication Number Publication Date
CN117375962A true CN117375962A (en) 2024-01-09

Family

ID=89398081

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination