CN117610027B - Private protocol vulnerability detection method and system - Google Patents


Info

Publication number
CN117610027B
Authority
CN
China
Prior art keywords
message
probability
vulnerability
random
seed
Legal status
Active
Application number
CN202410089014.9A
Other languages
Chinese (zh)
Other versions
CN117610027A (en)
Inventor
曹育生
王启明
郑逸凡
易晨
Current Assignee
Shanghai Qitong Information Technology Co ltd
Original Assignee
Shanghai Qitong Information Technology Co ltd

Abstract

The invention discloses a private protocol vulnerability detection method and system, belonging to the technical field of industrial private protocol vulnerability detection. The method comprises the following steps: acquiring metadata of a private protocol; semantically associating the metadata using knowledge graph technology; generating an initial message with a Monte Carlo algorithm; applying preset operations to the initial message to generate a random message; forming a fuzz test instruction from the random message; performing vulnerability risk probability calculation on the basis of the fuzz test instruction to obtain a prior probability and a posterior probability; judging whether the prior and posterior probabilities meet a judgment condition and obtaining a judgment result: if so, outputting the posterior probability as the risk degree of the vulnerability; otherwise, adjusting the random generation strategy and optimizing the fuzz test set. The method and system efficiently produce a private protocol vulnerability detection test set, dynamically adjust the vulnerability detection method and achieve automatic risk assessment of protocol vulnerabilities.

Description

Private protocol vulnerability detection method and system
Technical Field
The invention belongs to the technical field of industrial private protocol vulnerability detection, and particularly relates to a private protocol vulnerability detection method and system.
Background
Security risk and vulnerability mining analysis is the basis for guaranteeing safe and stable operation in industrial production. Because of the complexity of proprietary protocols, security risk and vulnerability mining is usually performed manually; it cannot be automated, and scientific quantitative analysis is also lacking.
Disclosure of Invention
Aim of the invention: to solve the above problems, the invention provides a private protocol vulnerability detection method and a private protocol vulnerability detection system.
The technical scheme is as follows: a private protocol vulnerability detection method comprises the following steps:
acquiring metadata of a private protocol; semantically associating the metadata using knowledge graph technology;
generating an initial message using a Monte Carlo algorithm; applying preset operations to the initial message to generate a random message, where the preset operations include at least cross mutation, sequential random exchange, random deletion, random repetition and forced interruption;
forming a fuzz test instruction from the random message; performing vulnerability risk probability calculation on the basis of the fuzz test instruction to obtain a prior probability and a posterior probability; judging whether the prior and posterior probabilities meet a judgment condition and obtaining a judgment result:
if so, outputting the posterior probability as the risk degree of the vulnerability; otherwise, adjusting the random generation strategy and optimizing the Monte Carlo occurrence probability of each instruction in the fuzz test set.
Further, semantically associating the metadata using knowledge graph technology comprises the following steps:
defining the security association knowledge of the private protocol as the data and relations required by the knowledge graph, and generating a knowledge graph association diagram; the security association knowledge comprises at least the working principle, the data format and the protocol;
constructing an automatic message construction method on the basis of the knowledge graph association diagram, the preconditions, the postconditions, the sequence associations and the control process;
the control process comprises at least a first control method, a second control method and a third control method;
the first control method comprises downloading a logic file into the programmable logic controller; the logic file download flow comprises a plurality of request messages, and the protocol request functions involved include at least the following categories: creating an object, modifying multiple parameters, acquiring data, starting a transfer, ending a transfer, modifying a parameter and deleting the object;
the second control method comprises controlling the running state of the programmable logic controller;
the third control method comprises modifying the IP address of the programmable logic controller.
Further, performing vulnerability risk probability calculation comprises the following steps:
defining the prior probability of the occurrence of a known node, where the node is a functional module and the prior probability is the probability that the functional module occurs;
after the fuzz test instruction is input into the test system, calculating the conditional probability according to the number of times the vulnerability is triggered, with the following formula:
where P_T is the conditional probability, N_i and N_j are the i-th and j-th functional modules, N_a is the number of times the vulnerability is triggered, and N is the total number of tests;
calculating the posterior probability according to the total probability formula and Bayes' formula, with the following formula:
where the result is the posterior probability of the functional module.
Further, judging whether the prior probability and the posterior probability meet the judgment condition comprises the following steps:
judging the difference between the posterior probability and the prior probability with a measurement formula, the measurement formula being:
where the norm is the 2-norm; if K is less than the threshold, the probability is judged to be stable, the corresponding posterior probability is output, and the posterior probability is taken as the risk degree of the vulnerability.
Further, cross mutation comprises the following steps:
selecting two or more flow seeds, cross-fusing part of the messages of the flow seeds, and thereby simulating several tasks executed at the same time;
the cross mutation generates a test case group by varying the position at which seed 2 is inserted into seed 1, the split interval of seed 1 and the split interval of seed 2;
setting the number of request messages of seed 1 as n1 and of seed 2 as n2; the split criterion of seed 1 ranges from splitting every 1 message to splitting every len(n1) messages;
the split criterion of seed 2 ranges from splitting every 1 message to splitting every len(n2) messages; the split groups of seed 1 and seed 2 are crossed pairwise, giving len(n1) times len(n2) crossings; once either group has been exhausted to its tail, the remaining part of the other group is appended at the tail, so that len(n1) times len(n2) test cases can be produced in total; here len is the message length.
Further, sequential random exchange comprises at least the following steps:
selecting, from the preprocessed data, data messages or message groups that are associated in sequence, and exchanging their message data; generating a test case group according to the different positions of the selected sequence-associated data messages or message groups;
selecting a message flow seed, selecting exchange object 1 according to a number of messages, dividing the remainder into fragments by the number of messages contained in the exchange object, treating the fragments as insertion objects, and generating one test case each time the exchange object is inserted at a different position among the insertion objects.
Further, random deletion comprises the following steps:
selecting one or more pieces of data from the seed for deletion; selecting a message flow seed, selecting deletion objects in order from fewer to more, and generating test cases from the remaining parts.
Further, random repetition comprises the following steps:
selecting one or more pieces of data from the seed to be repeated one or more times, with the repetition positions generated randomly; selecting a message flow seed, selecting the repeated objects in order from fewer to more, and inserting the repeated messages at any insertable position of the message flow to generate a test case.
Further, forced interruption comprises the following steps:
selecting any position in the seed and directly interrupting the communication connection; selecting a message flow seed, deleting the subsequent operations in sequence, and generating a test case.
In another technical scheme, a private protocol vulnerability detection system is provided for implementing the private protocol vulnerability detection method described above; the system comprises:
a first module for acquiring metadata of the private protocol and semantically associating the metadata using knowledge graph technology;
a second module configured to generate an initial message using a Monte Carlo algorithm and to apply preset operations to the initial message to generate a random message, where the preset operations include at least cross mutation, sequential random exchange, random deletion, random repetition and forced interruption;
a third module arranged to form a fuzz test instruction from the random message; to perform vulnerability risk probability calculation on the basis of the fuzz test instruction to obtain a prior probability and a posterior probability; and to judge whether the prior and posterior probabilities meet a judgment condition and obtain a judgment result:
if so, the posterior probability is output as the risk degree of the vulnerability; otherwise, the random generation strategy is adjusted and the Monte Carlo occurrence probability of each instruction in the fuzz test set is optimized.
Beneficial effects: firstly, security metadata such as devices, vulnerabilities and topology are semantically associated using knowledge graph technology to form classifications such as instruction codes, function codes and operation objects; secondly, an initial message for a normal instruction is generated with a Monte Carlo algorithm, and fuzz test instructions are generated by operations such as intelligent cross mutation, sequential random exchange, random deletion, random repetition and forced interruption; finally, the fuzz test instructions are input into the test system and the vulnerability risk probability is calculated using Bayesian posterior probability theory, achieving quantitative analysis of the security risk of a given vulnerability. The method and system efficiently produce a private protocol vulnerability detection test set, dynamically adjust the vulnerability detection method and achieve automatic risk assessment of protocol vulnerabilities.
Drawings
FIG. 1 is a flow chart of an algorithm of the present invention;
FIG. 2 is a data interaction flow;
FIG. 3 is a schematic diagram of semantic association using knowledge-graph;
FIG. 4 is a basic block diagram of an automatic message construction method;
FIG. 5 is an initial message diagram;
FIG. 6 is a schematic diagram of crossover variation;
FIG. 7 is a diagram of new message insertion;
FIG. 8 is a sequential exchange schematic;
FIG. 9 is a schematic deletion diagram;
FIG. 10 is a repetitive schematic;
FIG. 11 is a schematic diagram of a forced interrupt;
FIG. 12 is a schematic diagram of random scrambling;
FIG. 13 is a schematic diagram of directional screening deletion.
Description of the embodiments
Examples
This embodiment provides a private protocol vulnerability detection method (hereinafter, the method), comprising the following steps:
S100, acquiring metadata of a private protocol, and semantically associating the metadata using knowledge graph technology.
Knowledge graphs play a key role in the field of vulnerability discovery. The knowledge graph supports the fuzz test by integrating information about vulnerabilities, vulnerability patterns and attack methods from multiple sources. Private protocol metadata such as devices, vulnerabilities and topology are semantically associated on the basis of knowledge graph technology. The method mainly considers knowledge graph information on three key aspects of the fuzz test.
S101, semantically associating the metadata using knowledge graph technology comprises the following steps:
as shown in FIG. 3, defining the security association knowledge of the private protocol as the data and relations required by the knowledge graph, and generating a knowledge graph association diagram; the security association knowledge comprises at least the working principle, the data format and the protocol.
As shown in FIG. 4, an automatic message construction method is constructed on the basis of the knowledge graph association diagram, the preconditions, the postconditions, the sequence associations and the control process.
The control process comprises at least a first control method, a second control method and a third control method;
the first control method comprises downloading a logic file into the programmable logic controller; the logic file download flow comprises a plurality of request messages, and the protocol request functions involved include at least the following categories: creating an object, modifying multiple parameters, acquiring data, starting a transfer, ending a transfer, modifying a parameter and deleting the object;
the second control method comprises controlling the running state of the programmable logic controller;
the third control method comprises modifying the IP address of the programmable logic controller.
The control process is described in detail below:
(1) Downloading logic files into a PLC (programmable logic controller)
The logic file download flow contains a number of request messages in total (the data transfer packets counting as one), and the protocol requests involved cover 8 function classes, including: creating an object, modifying multiple parameters, acquiring data, starting a transfer, ending a transfer, modifying a parameter and deleting an object.
The flow depends on the current running state of the PLC: when the PLC is stopped, no parameter modification request that changes the PLC's running state appears in the flow. When the PLC is running, and the reply to the sub-data acquisition request shows it to be running, the PLC's host software adds a parameter modification request to the flow that stops the PLC.
(2) PLC running state control
This flow is embodied in the PLC host software independently controlling and modifying the running state of the PLC. Typically only the running and stopped states exist.
(3) Modifying the IP address of the PLC
This operation involves the extraction and download of PLC internal data; it has slightly more data messages, mostly of a type similar to (1), but lacks the start and end sequence operations. Halfway through the flow the device restarts automatically, interrupting communication with the outside. After it resumes operation, the connection is re-established, some parameters are set, and the flow formally ends.
S200, generating an initial message using a Monte Carlo algorithm; applying preset operations to the initial message to generate a random message, where the preset operations include at least cross mutation, sequential random exchange, random deletion, random repetition and forced interruption.
An initial message is generated with a Monte Carlo algorithm by reference to the normal message system. The structure of the initial message can be represented by a network structure diagram in which each functional module is a key sentence (or function) of the key knowledge graph information.
S201, as shown in Program 1, cross mutation comprises the following steps:
selecting two or more flow seeds, cross-fusing part of the messages of the flow seeds, and thereby simulating several tasks executed at the same time;
the cross mutation generates a test case group by varying the position at which seed 2 is inserted into seed 1, the split interval of seed 1 and the split interval of seed 2;
setting the number of request messages of seed 1 as n1 and of seed 2 as n2; the split criterion of seed 1 ranges from splitting every 1 message to splitting every len(n1) messages;
the split criterion of seed 2 ranges from splitting every 1 message to splitting every len(n2) messages; the split groups of seed 1 and seed 2 are crossed pairwise, giving len(n1) times len(n2) crossings; once either group has been exhausted to its tail, the remaining part of the other group is appended at the tail, so that len(n1) times len(n2) test cases can be produced in total; here len is the message length.
The cross mutation operation simulates the PLC being affected by several operations at the same time, and tests whether conflicts between some of the concurrent operations cause the PLC to behave abnormally.
The cross mutation operation does not damage the flow integrity of the operation, so the pass rate of the generated test cases is higher.
Program 1:
S202, as shown in Program 2, sequential random exchange comprises at least the following steps:
selecting, from the preprocessed data, data messages or message groups that are associated in sequence, and exchanging their message data; generating a test case group according to the different positions of the selected sequence-associated data messages or message groups;
selecting a message flow seed, selecting exchange object 1 according to a number of messages, dividing the remainder into fragments by the number of messages contained in the exchange object, treating the fragments as insertion objects, and generating one test case each time the exchange object is inserted at a different position among the insertion objects.
The sequential random exchange operation simulates PLC messages arriving out of order; when the device is operated under network anomalies, faulty send/receive processes or personnel errors, an error in the order of some operations may cause the PLC to behave abnormally.
The sequential random exchange operation slightly damages the flow integrity of the operation; the generated test cases simulate an operator's misoperation provoking an abnormal device response, so that potential logic vulnerabilities are found in a targeted way.
Program 2:
S203, as shown in Program 3, random deletion comprises the following steps:
selecting one or more pieces of data from the seed for deletion; selecting a message flow seed, selecting deletion objects in order from fewer to more, and generating test cases from the remaining parts.
The random deletion operation simulates abnormal packet loss in the output and transmission of PLC messages; when the device is operated under network anomalies, faulty send/receive processes or personnel errors, the loss of some operations may cause the PLC to behave abnormally.
The random deletion operation slightly damages the flow integrity of the operation; the generated test cases simulate an operator skipping part of the operations, or packet loss, provoking an abnormal device response, so that potential logic vulnerabilities are found in a targeted way.
Program 3:
S204, as shown in Program 4, random repetition comprises the following steps:
selecting one or more pieces of data from the seed to be repeated one or more times, with the repetition positions generated randomly; selecting a message flow seed, selecting the repeated objects in order from fewer to more, and inserting the repeated messages at any insertable position of the message flow to generate a test case.
The random repetition operation simulates abnormal repetition of PLC messages, and tests whether repeating some operations, whether through personnel error or data replay caused by network anomalies, causes the PLC to behave abnormally.
The random repetition operation slightly damages the integrity of the operation flow; the generated test cases simulate an operator's misoperation provoking an abnormal device response, so that potential logic vulnerabilities are found in a targeted way.
Program 4:
S205, as shown in Program 5, forced interruption comprises the following steps:
selecting any position in the seed and directly interrupting the communication connection; selecting a message flow seed, deleting the subsequent operations in sequence, and generating a test case.
The forced interruption operation simulates the abnormal interruption of PLC messages, and tests whether an abnormal interruption, caused by network anomalies, faulty send/receive processes, operator error or a power failure of the control end, causes the PLC to behave abnormally.
The forced interruption operation destroys the flow integrity of the operation; the generated test cases simulate data flow interruptions triggering an abnormal device response, so that potential logic vulnerabilities are found in a targeted way.
Program 5:
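The five preset operations claimed above and detailed in S201 to S205 (the page's Program 1 to 5 are not reproduced), as an added Python example that is not the patent's code: a seed is a list of request-message labels and each operator returns the test case group it derives. The message labels, the second seed and the crossing rule (one case per pair of split intervals, n1 times n2 cases) are assumptions.

```python
"""Sequence-level mutation operators for fuzz test case generation.

Added example: each operator takes a seed (a list of request-message labels)
and returns the test case group it can derive, so case counts can be checked.
Seeds, labels and the exact crossing rule are assumptions, not the patent's.
"""
from itertools import product
from typing import List

Seq = List[str]


def chunk(seq: Seq, size: int) -> List[Seq]:
    """Split a message flow into consecutive groups of `size` messages."""
    return [seq[i:i + size] for i in range(0, len(seq), size)]


def cross_mutation(seed1: Seq, seed2: Seq) -> List[Seq]:
    """Cross mutation: interleave two seeds to simulate concurrent tasks.

    Seed 1 is split every 1..n1 messages and seed 2 every 1..n2 messages; the
    split groups are alternated, and once one side is exhausted the remainder
    of the other is appended at the tail.  One case per (split1, split2) pair,
    i.e. n1 * n2 cases.
    """
    cases: List[Seq] = []
    for s1, s2 in product(range(1, len(seed1) + 1), range(1, len(seed2) + 1)):
        g1, g2 = chunk(seed1, s1), chunk(seed2, s2)
        merged: Seq = []
        for a, b in zip(g1, g2):
            merged += a + b
        shorter = min(len(g1), len(g2))
        for rest in (g1 if len(g1) > len(g2) else g2)[shorter:]:
            merged += rest
        cases.append(merged)
    return cases


def sequential_exchange(seed: Seq, obj_len: int) -> List[Seq]:
    """Sequential random exchange: the first `obj_len` messages form the
    exchange object, the remainder is cut into fragments of the same length,
    and the object is re-inserted after each fragment (one case per position)."""
    obj, frags = seed[:obj_len], chunk(seed[obj_len:], obj_len)
    cases: List[Seq] = []
    for pos in range(1, len(frags) + 1):
        before = [m for f in frags[:pos] for m in f]
        after = [m for f in frags[pos:] for m in f]
        cases.append(before + obj + after)
    return cases


def random_deletion(seed: Seq, count: int) -> List[Seq]:
    """Random deletion: drop `count` consecutive messages at each position;
    the caller steps `count` up to go from fewer deletions to more."""
    return [seed[:i] + seed[i + count:] for i in range(len(seed) - count + 1)]


def random_repetition(seed: Seq, count: int) -> List[Seq]:
    """Random repetition: copy a run of `count` messages and insert the copy
    at every insertable position of the flow."""
    cases: List[Seq] = []
    for start in range(len(seed) - count + 1):
        run = seed[start:start + count]
        cases += [seed[:pos] + run + seed[pos:] for pos in range(len(seed) + 1)]
    return cases


def forced_interruption(seed: Seq) -> List[Seq]:
    """Forced interruption: cut the connection after the k-th message, i.e.
    drop every subsequent operation (one case per cut point)."""
    return [seed[:k] for k in range(1, len(seed))]


# Constructed seeds.  DOWNLOAD_SEED mirrors the nine S7 request types of the
# logic-file download flow listed on the page (labels only, no protocol bytes);
# STATE_SEED is an assumed two-message run-state control flow.
DOWNLOAD_SEED: Seq = ["create_object", "modify_params", "get_data",
                      "modify_param", "start_transfer", "data",
                      "end_transfer", "modify_param", "delete_object"]
STATE_SEED: Seq = ["get_state", "set_state"]

if __name__ == "__main__":
    groups = {
        "cross": cross_mutation(DOWNLOAD_SEED, STATE_SEED),
        "exchange": sequential_exchange(DOWNLOAD_SEED, 2),
        "delete": random_deletion(DOWNLOAD_SEED, 1),
        "repeat": random_repetition(DOWNLOAD_SEED, 1),
        "interrupt": forced_interruption(DOWNLOAD_SEED),
    }
    for name, group in groups.items():
        print(f"{name:9s} {len(group):3d} cases, first: {group[0]}")
```

Only the cross mutation and the deletion/repetition operators change the multiset of messages; the exchange cases keep every message and only reorder them, which is why the page rates their pass rate as higher.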
The preset operations are not limited to the steps of S201 to S205 and further include the following:
S206, as shown in Program 6, new message insertion; new message insertion comprises the following steps:
selecting one type of message from the preprocessed data and inserting it into the seed message flow; a test case group is generated according to the different insertion positions and numbers. Selecting a message flow seed and a single message to insert, each insertion position in the message flow sequence is treated as a generated test case and stored.
The new message insertion operation simulates the PLC being interfered with by other data, or by replay of abnormal data transmissions, while it is operated, and tests whether replay of part of the operations causes the PLC to behave abnormally.
The new message insertion operation slightly damages the flow integrity of the operation; the pass rate of the generated test cases is higher, and because the inserted data is chosen actively, specific vulnerabilities of the target can be found more pertinently.
Program 6:
S207, random scrambling; random scrambling comprises the following steps:
computing all results, generating random numbers according to the given probability distribution produced by the Bayesian posterior distribution, and scrambling randomly.
The random scrambling operation cannot simulate the normal or abnormal data flow conditions of the PLC; it only tests, from the aspect of random data composition, whether such conditions cause the PLC to behave abnormally.
The random scrambling operation completely breaks the flow integrity of the operation; the generated test cases trigger abnormal device responses at random. The number of cases is large and covers all possible cases.
S208, directional screening deletion; directional screening deletion comprises the following steps:
selecting one type of message from the preprocessed data, matching messages of the same type in the seed message flow and deleting one or more of them, generating one or more groups of test cases. Selecting a message flow seed and a single message type to delete, the positions are deleted one by one in the order of the message flow, each deletion being treated as a generated test case and stored, until all positions have been deleted. Deleting some of the positions while keeping the rest is also treated as a test case.
The directional screening deletion operation simulates part of the data in the PLC's normal data flow being intercepted by a firewall or security device, and tests whether special conditions concerning specific data cause the PLC to behave abnormally.
The directional screening deletion operation slightly destroys the flow integrity of the operation; the generated test cases lack a certain class of specific messages and attempt to trigger an abnormal device response. The number of test cases is small, and potential logic vulnerabilities are found in a targeted way, so vulnerability discovery efficiency is higher.
S300, forming a fuzz test instruction from the random message; performing vulnerability risk probability calculation on the basis of the fuzz test instruction to obtain a prior probability and a posterior probability; judging whether the prior and posterior probabilities meet a judgment condition and obtaining a judgment result:
if so, outputting the posterior probability as the risk degree of the vulnerability; otherwise, adjusting the random generation strategy and optimizing the Monte Carlo occurrence probability of each instruction in the fuzz test set.
The random message is input to the test system as a fuzz test instruction, the conditional probability is calculated and the posterior probability is updated.
S301, performing vulnerability risk probability calculation comprises the following steps:
defining the prior probability of the occurrence of a known node, where the node is a functional module (or function) and the prior probability of the functional module's occurrence is also a measure of the importance of the individual module.
After the fuzz test instruction is input into the test system, the conditional probability is calculated according to the number of times the vulnerability is triggered, with the following formula:
where P_T is the conditional probability, N_i and N_j are the i-th and j-th functional modules, N_a is the number of times the vulnerability is triggered, and N is the total number of tests;
the posterior probability is calculated according to the total probability formula and Bayes' formula, with the following formula:
where the result is the posterior probability of the functional module; it is updated according to the number of times the vulnerability is triggered (or causes system anomaly feedback), fed back into S200, and used as the probability with which intelligent cross mutation, sequential random exchange, random deletion, random repetition and forced interruption generate random messages.
S302, judging whether the prior probability and the posterior probability meet the judgment condition comprises the following steps:
the difference between the posterior probability and the prior probability is judged with a measurement formula, thereby deciding the quantification of the final vulnerability risk. The measurement formula is:
where the norm is the 2-norm; if K is less than the threshold, the probability is judged to be stable, the corresponding posterior probability is output, and the posterior probability is taken as the risk degree of the vulnerability. In this embodiment the threshold takes the value 10^-2.
After judging that the prior probability and the posterior probability do not meet the judgment condition, the random generation strategy is adjusted and the Monte Carlo occurrence probability of each instruction in the fuzz test set is optimized. The adjustment process is as follows:
assume that the original test instruction set, its initial occurrence probability distribution and, after the practical vulnerability test, the posterior probability are given. The posterior probability is used as the prior probability for the next cycle: a pseudo-random number obeying a uniform distribution between 0 and 1 is generated according to the Monte Carlo algorithm, and when it satisfies the condition corresponding to an instruction, that instruction appears in the next test message.
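The S301/S302 cycle (and the claimed calculation above) together with the Monte Carlo instruction selection of the adjustment step, as an added Python example that is not the patent's code. The page does not reproduce the formulas, so the textbook Bayes rule with the total-probability denominator and P(T|i) = N_a/N_i are assumed; module names, trial counts and the uniform prior are constructed, and only the threshold 10^-2 comes from the page.

```python
"""Bayesian vulnerability-risk update with 2-norm stability check and
Monte Carlo instruction selection.

Added example.  The page does not reproduce the patent's formulas, so the
textbook form is assumed:
    posterior_i = prior_i * P(T|i) / sum_j prior_j * P(T|j)
with P(T|i) = N_a / N_i, the share of tests containing functional module i in
which the vulnerability was triggered.  K = ||posterior - prior||_2 is compared
with the threshold 1e-2 stated in the embodiment.  Module names, counts and
the prior are constructed.
"""
import math
import random
from typing import Dict, List, Tuple

THRESHOLD = 1e-2  # value used in the embodiment
Dist = Dict[str, float]
Trials = Dict[str, Tuple[int, int]]  # module -> (N_a triggered, N_i tested)


def conditional_probabilities(trials: Trials) -> Dist:
    """P(T | module) = N_a / N_i; a module never tested contributes 0."""
    return {m: (na / n if n else 0.0) for m, (na, n) in trials.items()}


def posterior(prior: Dist, cond: Dist) -> Dist:
    """Bayes' rule with the total-probability formula as denominator."""
    evidence = sum(prior[m] * cond[m] for m in prior)  # P(T)
    if evidence == 0.0:
        return dict(prior)  # nothing triggered in this round: keep the prior
    return {m: prior[m] * cond[m] / evidence for m in prior}


def divergence(prior: Dist, post: Dist) -> float:
    """K: 2-norm of the difference between the posterior and prior vectors."""
    return math.sqrt(sum((post[m] - prior[m]) ** 2 for m in prior))


def select_instruction(dist: Dist, u: float) -> str:
    """Monte Carlo draw: u ~ U(0,1) falls into the cumulative interval of
    exactly one instruction, which then appears in the next test message."""
    acc = 0.0
    for m, p in dist.items():
        acc += p
        if u < acc:
            return m
    return list(dist)[-1]  # rounding guard for u very close to 1


def iterate_until_stable(prior: Dist, rounds: List[Trials]) -> Tuple[Dist, int]:
    """Run the S301/S302 cycle: each posterior becomes the next prior until
    K < THRESHOLD.  Returns the risk distribution and the round in which it
    stabilised (len(rounds) if it never did)."""
    cur = dict(prior)
    for k, trials in enumerate(rounds, 1):
        post = posterior(cur, conditional_probabilities(trials))
        if divergence(cur, post) < THRESHOLD:
            return post, k
        cur = post
    return cur, len(rounds)


# Constructed input: three functional modules with a uniform prior, and one
# test round in which 20 cases per module were run.
PRIOR: Dist = {"create_object": 1 / 3, "modify_param": 1 / 3, "delete_object": 1 / 3}
ROUND: Trials = {"create_object": (0, 20), "modify_param": (1, 20), "delete_object": (6, 20)}

if __name__ == "__main__":
    risk, k = iterate_until_stable(PRIOR, [ROUND] * 6)
    print(f"stable after round {k}: {risk}")
    rng = random.Random(7)  # seeded so the demonstration is repeatable
    print("next instructions:", [select_instruction(risk, rng.random()) for _ in range(5)])
```

With identical trial rounds the delete_object share grows as 6/7, 36/37, 216/217 and 1296/1297, and K first drops below 10^-2 in the fourth round; a module that never triggers the vulnerability is driven to zero weight and stops being drawn.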
The method performs vulnerability detection on the S7 private protocol; specifically, it comprises the discovery and evaluation of two vulnerabilities.
(1): when the device receives the session deletion message prematurely, it operates abnormally, enters a denial-of-service state and cannot recover normally; it recovers after a power-off restart.
Test case generation process for the test case that hit the vulnerability:
First, the initial message is constructed: the logic file download flow consists of 13 request messages in total (the data transfer packets counting as one), of which 9 are S7 protocol requests covering 8 function classes, including: creating an object, modifying multiple parameters, acquiring data, starting a transfer, ending a transfer, modifying a parameter and deleting an object.
The flow depends on the current running state of the PLC: when the PLC is stopped, no parameter modification request that changes the PLC's running state can occur in the flow. When the PLC is running, and the reply to the sub-data acquisition request shows it to be running, the PLC's host software adds a parameter modification request to the flow that stops the PLC.
A to P: initiate TCP handshake request to port 102;
P to A: respond to TCP request;
A to P: complete TCP handshake;
A to P: construct COTP path and configure COTP parameters;
P to A: confirm COTP path;
A to P: construct S7 protocol new-object request;
P to A: respond to S7 protocol new-object request;
A to P: construct S7 protocol modify-multiple-parameters request, modification object LID_SessionVersionStruct;
P to A: respond with modify-multiple-parameters result;
A to P: construct S7 protocol get-sub-data request, acquisition object native objects;
P to A: respond with requested data content;
A to P: construct S7 protocol modify-parameter request, modification object native objects.PLCProgram_Rid;
P to A: respond with modify-parameter result;
A to P: construct S7 protocol start-transfer-sequence request, request ID native objects.PLCProgram_Rid;
P to A: respond with start-transfer-sequence result;
A to P: transmit S7 protocol data;
P to A: respond with S7 protocol data receipt result;
A to P: construct S7 protocol end-transfer-sequence request, no parameters;
P to A: respond with start-transfer-sequence result;
A to P: construct S7 protocol modify-parameter request, modification object PLCProgram;
P to A: respond with modify-parameter result;
A to P: construct S7 protocol delete-object request, ID ObjectQualifier;
P to A: respond to delete-object request;
A to P: disconnect TCP connection, FIN, ACK;
P to A: confirm disconnection, FIN, ACK;
P to A: RST, ACK;
P to A: RST.
Taking the private protocol vulnerability detection method that integrates message variation and posterior probability as the strategy, the inserted data is selected as follows: A to P, construct S7 protocol delete-object request, ID ObjectQualifier; the generated use cases are several use cases in which this request is inserted into the PLCProgram flow.
Vulnerability principle analysis: the vulnerability is triggered because the PLC assigns an object ID to each operation flow when it receives a request; triggering the delete-object operation before the operation has completed disrupts object management inside the PLC, the PLC scheduling queue enters an abnormal state, and all indicator lamps of the device flash.
Recovery principle after the vulnerability is triggered: a power-off restart clears the PLC memory and the operation-request scheduling queue; the abnormal queue disappears and the device returns to normal.
(2) When the device does not receive part of the ESConsistent operations, it cannot resume the running state: it enters the stopped state and cannot recover normally, a power-off restart does not recover it, and it recovers only after the program is downloaded again with the configuration software.
The data to be deleted is selected as follows: A to P, construct S7 protocol modify-parameter request, modification object PLCProgram. The generated use case is the flow without the request that modifies the PLCProgram.ESConsistent parameter.
Vulnerability principle analysis: the vulnerability is triggered because the PLCProgram.ESConsistent parameter is strongly associated with the device's resume operation. It is operated on twice in the first flow: the first time the parameter is modified (presumably so that the download process can execute successfully), and the second time it is reset, after which the PLC resumes running.
After the data flow that resets the parameter the second time is deleted, the PLC finds on checking its internal parameters that the condition for resuming operation is not met and waits until the parameter is reset, leaving the device in a denial-of-service state.
A power-off restart cannot reset the parameter state, so that means cannot restore normal operation of the device.
Recovery principle after the vulnerability is triggered: downloading the program again with the configuration software includes the modification and reset operations of the PLCProgram.ESConsistent parameter, so re-executing the whole flow effectively resets the parameter.
The parameter can also be reset by executing the S7 protocol modify-parameter request in a single step, with PLCProgram as the modification object.
Examples
The embodiment provides a private protocol vulnerability detection system for implementing the private protocol vulnerability detection method described in embodiment 1, where the system includes:
the first module is used for acquiring metadata of the private protocol; carrying out semantic association on the metadata based on a knowledge graph technology;
the second module is configured to generate an initial message based on a Monte Carlo algorithm; performing preset operation on the initial message to generate a random message; wherein the predetermined operation includes at least: cross variation, sequence random exchange, random deletion, random repetition and forced interruption;
the third module is configured to form a fuzzy test instruction based on the random message; based on the fuzzy test instruction, performing vulnerability risk probability calculation to obtain prior probability and posterior probability; judging whether the prior probability and the posterior probability meet a judging condition or not, and obtaining a judging result:
if yes, outputting the posterior probability, and taking the posterior probability as the risk degree of the vulnerability; otherwise, a random generation strategy is adjusted, and the occurrence probability of the Monte Carlo method of the instruction in the fuzzy test set is optimized.

Claims (8)

1. The private protocol vulnerability detection method is characterized by comprising the following steps of:
acquiring metadata of a private protocol; carrying out semantic association on the metadata based on a knowledge graph technology;
semantic association of the metadata based on knowledge-graph technology comprises the following steps:
defining security association knowledge of the private protocol as data and relations required by the knowledge graph, and generating a knowledge graph association graph; the security association knowledge at least comprises a working principle, a data format and a protocol;
an automatic message construction method is constructed based on the knowledge graph association diagram, the pre-condition, the post-condition, the sequence association and the control process;
the control process at least comprises a first control method, a second control method and a third control method;
the first control method comprises the following steps: downloading a logic file into the programmable logic controller; the download-logic-file flow includes a plurality of request messages, wherein the functions involved in the protocol requests include at least the following categories: new object, modify multiple parameters, get data, start transfer, end transfer, modify parameter and delete object;
the second control method includes: controlling the running state of the programmable logic controller;
the third control method includes: modifying the IP address of the programmable logic controller;
generating an initial message based on a Monte Carlo algorithm; performing preset operation on the initial message to generate a random message; wherein the predetermined operation includes at least: cross variation, sequence random exchange, random deletion, random repetition and forced interruption;
forming a fuzzy test instruction based on the random message; based on the fuzzy test instruction, performing vulnerability risk probability calculation to obtain prior probability and posterior probability; judging whether the prior probability and the posterior probability meet a judging condition or not, and obtaining a judging result:
if yes, outputting the posterior probability, and taking the posterior probability as the risk degree of the vulnerability; otherwise, a random generation strategy is adjusted, and the occurrence probability of a Monte Carlo method of the instruction in the fuzzy test set is optimized;
the vulnerability risk probability calculation comprises the following steps:
defining the prior probability of occurrence of a known node, where the node is a functional module and the prior probability is the probability that the functional module occurs;
after the fuzzy test instruction is input into the test system, the conditional probability is calculated from the number of times the vulnerability is triggered, by the following formula:
where P_T is the conditional probability, N_i and N_j are the i-th and j-th functional modules, N_a is the number of times the vulnerability is triggered, and N is the total number of tests;
the posterior probability is calculated according to the total probability formula and the Bayes formula, as follows:
where the result is the posterior probability of the functional module.
2. The private protocol vulnerability detection method of claim 1, wherein judging whether the prior probability and the posterior probability meet a judging condition comprises the steps of:
and judging the difference between the posterior probability and the prior probability based on a measurement formula, wherein the measurement formula is as follows:
where the norm is the 2-norm; if K is less than the threshold, the probability is judged stable, the corresponding posterior probability is output, and the posterior probability is taken as the risk degree of the vulnerability.
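Worked example of the adjustment loop from the description (posterior becomes the next prior, instructions are drawn by Monte Carlo) and of the calculation in claims 1 and 2, whose formula images did not survive extraction: the likelihood P_T = N_a/N, a Bayes update normalised by the total-probability sum, the 2-norm metric K, and the u < p_i selection of instructions for the next message. This is added example code, not the patent's; the module names are the request classes listed on the page, the observation counts are constructed, and the normalisation and the u < p_i rule are my reading of the claims.

```python
import math
import random

# Constructed example: the seven S7 request classes named on the page serve as
# the functional modules N_i whose occurrence probability the fuzzer adjusts.
MODULES = ["new_object", "modify_multiple_params", "get_data", "start_transfer",
           "end_transfer", "modify_param", "delete_object"]


def uniform_prior():
    """Initial occurrence distribution: every module equally likely."""
    return {m: 1.0 / len(MODULES) for m in MODULES}


def conditional_probability(triggered, tests):
    """P_T = N_a / N: how often the vulnerability fired when this module was sent."""
    return triggered / tests if tests else 0.0


def posterior_probabilities(prior, likelihood):
    """Bayes' rule with the total-probability normaliser (assumed reading of claim 1):
    P(N_i|T) = P(T|N_i) P(N_i) / sum_j P(T|N_j) P(N_j)."""
    total = sum(likelihood[m] * prior[m] for m in MODULES)
    if total == 0.0:  # no trigger observed at all: keep the prior unchanged
        return dict(prior)
    return {m: likelihood[m] * prior[m] / total for m in MODULES}


def stability_metric(prior, posterior):
    """K = ||posterior - prior||_2 over the module vector (claim 2)."""
    return math.sqrt(sum((posterior[m] - prior[m]) ** 2 for m in MODULES))


def next_test_message(prob, rng=None):
    """Monte Carlo selection: draw u ~ U(0,1) per module, keep it when u < p_i."""
    rng = rng or random.Random()
    return [m for m in MODULES if rng.random() < prob[m]]


def adjust_strategy(observations, threshold=0.01, max_rounds=50, seed=7):
    """Iterate prior -> posterior until K < threshold; the posterior is then the
    risk degree. `observations` maps module -> (triggered, tests) for a round.
    For brevity the same constructed observations are reused every round."""
    rng = random.Random(seed)
    prior = uniform_prior()
    k = float("inf")
    for rnd in range(1, max_rounds + 1):
        likelihood = {m: conditional_probability(*observations[m]) for m in MODULES}
        posterior = posterior_probabilities(prior, likelihood)
        k = stability_metric(prior, posterior)
        if k < threshold:
            return {"stable": True, "rounds": rnd, "risk": posterior, "K": k}
        prior = posterior                  # posterior becomes the next prior
        _ = next_test_message(prior, rng)  # composition of the next test message
    return {"stable": False, "rounds": max_rounds, "risk": prior, "K": k}


# Constructed observation round: 40 tests per module; the delete-object request
# triggered the fault most often, mirroring the first vulnerability described.
OBSERVATIONS = {m: (0, 40) for m in MODULES}
OBSERVATIONS.update({"modify_multiple_params": (1, 40),
                     "modify_param": (3, 40),
                     "delete_object": (6, 40)})

if __name__ == "__main__":
    result = adjust_strategy(OBSERVATIONS)
    for module, risk in sorted(result["risk"].items(), key=lambda kv: -kv[1]):
        print(f"{module:24s} risk={risk:.4f}")
    print("stable:", result["stable"], "rounds:", result["rounds"])
```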
3. The private protocol vulnerability detection method of claim 1, wherein the cross variation comprises the following steps:
selecting 2 or more flow seeds, cross-fusing part of their messages, and thereby simulating the simultaneous execution of several tasks;
the cross variation generates a use case group from the different positions at which seed 2 is inserted into seed 1 and from the different splitting intervals of seed 1 and seed 2;
setting the number of request messages of seed 1 as n1 and of seed 2 as n2; the splitting criterion of seed 1 ranges from splitting every 1 message to splitting every len(n1) messages;
the splitting criterion of seed 2 ranges from splitting every 1 message to splitting every len(n2) messages; the split groups of seed 1 and seed 2 are crossed pairwise, giving len(n1) times len(n2) crossings; once either group has been split through to its tail, the remainder of the other group is appended at the tail, so that len(n1) times len(n2) use cases can be produced in total; where len is the message length.
4. The method for detecting private protocol vulnerabilities of claim 1, wherein the sequential random exchange comprises at least the steps of:
selecting, from the preprocessed data, data messages or message groups that are related to their preceding and following context, and exchanging their message data; generating a use case group according to the different positions of the selected messages or message groups;
selecting a message flow seed, selecting exchange object 1 according to its number of messages, dividing the remaining part into fragments according to the number of messages contained in the exchange object, treating the fragments as insertion objects, and generating one use case each time the exchange object is inserted at a different position among them.
5. The method for detecting a proprietary protocol vulnerability according to claim 1, wherein the randomly deleting comprises the steps of:
selecting one or more pieces of data from the seed for deletion; selecting a message flow seed, selecting deletion objects in order from fewer to more, and generating use cases from the remaining parts.
6. The method for detecting a proprietary protocol vulnerability according to claim 1, wherein the random repetition comprises the steps of:
selecting one or more pieces of data from the seeds to repeat once or more times, and randomly generating repeated positions; selecting a message flow seed, selecting repeated objects according to the sequence from less to more, and inserting repeated messages at any insertable position of the message to generate a use case.
7. The method for detecting a proprietary protocol vulnerability according to claim 1, wherein the forced interruption comprises the steps of:
selecting any position from the seeds, and directly interrupting communication connection; and selecting a message flow seed, deleting the subsequent operations according to the sequence, and generating a use case.
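Worked example of the five preset operations of claims 3 to 7 applied to the download-logic-file request sequence listed in the description, reproducing how the two use cases discussed there arise (the delete-object request repeated earlier in the flow; the second PLCProgram modify-parameter request deleted). This is added example code, not the patent's; the message labels are mine, the TCP/COTP setup is omitted, and the sizes of the exchange object and of the deletion sets are chosen for illustration.

```python
from itertools import combinations

# Constructed seed: the nine S7 requests of the download-logic flow, as labels.
DOWNLOAD_FLOW = [
    "new_object", "modify_params:LID_SessionVersionStruct", "get_data:native_objects",
    "modify_param:PLCProgram_Rid", "start_transfer", "data", "end_transfer",
    "modify_param:PLCProgram", "delete_object",
]


def chunks(seq, size):
    """Split seq into consecutive groups of `size` messages (last may be shorter)."""
    return [seq[i:i + size] for i in range(0, len(seq), size)]


def cross_variation(seed1, seed2):
    """Claim 3: for every pair of split sizes (s1, s2) alternate groups of seed1
    and seed2; when one seed is exhausted the rest of the other is appended.
    Produces len(seed1) * len(seed2) use cases."""
    cases = []
    for s1 in range(1, len(seed1) + 1):
        for s2 in range(1, len(seed2) + 1):
            g1, g2 = chunks(seed1, s1), chunks(seed2, s2)
            merged = []
            for a, b in zip(g1, g2):
                merged += a + b
            n = min(len(g1), len(g2))
            for rest in g1[n:] + g2[n:]:   # only one of the two is non-empty
                merged += rest
            cases.append(merged)
    return cases


def sequence_exchange(seed, size):
    """Claim 4: take `size` consecutive messages as the exchange object, split the
    remainder into fragments of `size`, and re-insert the object at every
    fragment boundary other than its original position."""
    cases = []
    for start in range(0, len(seed) - size + 1):
        block, rest = seed[start:start + size], seed[:start] + seed[start + size:]
        for pos in range(0, len(rest) + 1, size):
            if pos != start:               # pos == start recreates the seed itself
                cases.append(rest[:pos] + block + rest[pos:])
    return cases


def random_deletion(seed, max_deleted):
    """Claim 5: delete one message, then two, ... up to max_deleted, in order."""
    cases = []
    for k in range(1, max_deleted + 1):
        for idx in combinations(range(len(seed)), k):
            cases.append([m for i, m in enumerate(seed) if i not in idx])
    return cases


def random_repetition(seed, repeat_index):
    """Claim 6: repeat one message once more at every insertable position."""
    msg = seed[repeat_index]
    return [seed[:pos] + [msg] + seed[pos:] for pos in range(len(seed) + 1)]


def forced_interruption(seed):
    """Claim 7: cut the connection after each message, dropping later operations."""
    return [seed[:n] for n in range(1, len(seed))]


if __name__ == "__main__":
    # The second vulnerability's use case: flow without the PLCProgram reset.
    for case in random_deletion(DOWNLOAD_FLOW, 1):
        if "modify_param:PLCProgram" not in case:
            print(" -> ".join(case))
```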
8. A private protocol vulnerability detection system for implementing a private protocol vulnerability detection method according to any one of claims 1-7, the system comprising:
the first module is used for acquiring metadata of the private protocol; carrying out semantic association on the metadata based on a knowledge graph technology;
the second module is configured to generate an initial message based on a Monte Carlo algorithm; performing preset operation on the initial message to generate a random message; wherein the predetermined operation includes at least: cross variation, sequence random exchange, random deletion, random repetition and forced interruption;
the third module is configured to form a fuzzy test instruction based on the random message; based on the fuzzy test instruction, performing vulnerability risk probability calculation to obtain prior probability and posterior probability; judging whether the prior probability and the posterior probability meet a judging condition or not, and obtaining a judging result:
if yes, outputting the posterior probability, and taking the posterior probability as the risk degree of the vulnerability; otherwise, a random generation strategy is adjusted, and the occurrence probability of the Monte Carlo method of the instruction in the fuzzy test set is optimized.
CN202410089014.9A 2024-01-23 2024-01-23 Private protocol vulnerability detection method and system Active CN117610027B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410089014.9A CN117610027B (en) 2024-01-23 2024-01-23 Private protocol vulnerability detection method and system

Publications (2)

Publication Number Publication Date
CN117610027A CN117610027A (en) 2024-02-27
CN117610027B true CN117610027B (en) 2024-03-29

Family

ID=89946557

Country Status (1)

Country Link
CN (1) CN117610027B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant