CN117749676A - Reverse analysis and vulnerability test method, device, equipment and medium of industrial control protocol - Google Patents

Info

Publication number: CN117749676A
Authority: CN (China)
Prior art keywords: protocol, field, vulnerability, reverse, communication data
Legal status: Pending
Application number: CN202311827339.4A
Other languages: Chinese (zh)
Inventors: 许伟杰, 张佳发, 曾子峰, 邹洪, 江家伟, 陈锋, 金浩
Current assignee: China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Original assignee: China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Application filed by China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Priority to CN202311827339.4A
Publication of CN117749676A

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a reverse analysis and vulnerability testing method, device, equipment and medium for an industrial control protocol. The method comprises: acquiring, in real time, communication data flow to be processed from target industrial control protocol equipment and analyzing it to obtain communication data flow analysis information; determining a communication mode identification description result and field mark description information from that analysis information; performing identification processing through a restoration protocol modeling state machine to generate an initial state transition diagram; reprocessing the communication data flow to be processed to obtain a protocol grammar structure and combining it with the initial state transition diagram to generate a reverse protocol analysis result, which is fed back; and acquiring test data in at least one dimension corresponding to the reverse protocol analysis result, performing a vulnerability test on each dimension of test data, and generating and feeding back a vulnerability test report. The method and device can accurately restore the industrial control protocol, improve the efficiency of protocol reverse engineering and reduce the cost of manual analysis.

Description

Reverse analysis and vulnerability test method, device, equipment and medium of industrial control protocol
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a medium for reverse parsing and vulnerability testing of an industrial control protocol.
Background
Industrial control systems are used in many sectors, for example manufacturing, power systems, smart grids and transportation systems. Because the industrial control protocols used in these systems vary widely, and each protocol has its own fields and formats, code must be written and debugged separately for each protocol.
The inventors have found, in the course of implementing the present invention, that the prior art has the following drawbacks. Most existing industrial control protocol analysis methods rely on deep packet inspection to analyze network packets in depth. However, considerable manual effort is required to interpret the protocol standard before the analysis can be performed: the protocol document has to be read in detail to understand the meaning, order, data type and length of each field, and this information then has to be expressed in code so that the value of each field can be identified and extracted accurately when a packet is parsed. This not only increases the workload but is also error-prone. At the same time, because network packets arrive at very high rates, the parsing process must be very efficient or the real-time requirement cannot be met.
Disclosure of Invention
The invention provides a reverse analysis and vulnerability testing method, device, equipment and medium for an industrial control protocol, which can accurately restore the industrial control protocol and improve the reverse efficiency of the protocol.
According to one aspect of the present invention, there is provided a reverse parsing and vulnerability testing method of an industrial control protocol, including:
in target industrial control protocol equipment, acquiring communication data flow to be processed in real time, and analyzing the communication data flow to be processed to obtain communication data flow analysis information;
determining a communication mode identification description result and field mark description information corresponding to the communication mode identification description result according to the communication data flow analysis information;
according to the communication mode identification description result and the field mark description information, performing identification processing through a pre-constructed restoration protocol modeling state machine to generate an initial state transition diagram;
reprocessing the communication data flow to be processed to obtain a protocol grammar structure, and generating a reverse protocol analysis result by combining the initial state transition diagram;
acquiring at least one dimension test data corresponding to the reverse protocol analysis result, and performing a vulnerability test on each dimension test data to generate a vulnerability test report;
and feeding back the reverse protocol analysis result and the vulnerability test report to a user.
According to another aspect of the present invention, there is provided a reverse parsing and vulnerability testing apparatus of an industrial control protocol, including:
the communication data flow analysis information determining module is used for acquiring communication data flow to be processed in real time in the target industrial control protocol equipment, and analyzing the communication data flow to be processed to obtain communication data flow analysis information;
the field mark description information determining module is used for determining a communication mode identification description result and field mark description information corresponding to the communication mode identification description result according to the communication data flow analysis information;
the initial state transition diagram generation module is used for generating an initial state transition diagram through identification processing of a pre-built restoration protocol modeling state machine according to the communication mode identification description result and the field mark description information;
the reverse protocol analysis result generation module is used for obtaining a protocol grammar structure by reprocessing the communication data flow to be processed and generating a reverse protocol analysis result by combining the initial state transition diagram;
the vulnerability test report generation module is used for acquiring at least one dimension test data corresponding to the reverse protocol analysis result, carrying out vulnerability test on each dimension test data and generating a vulnerability test report;
and the feedback operation module is used for carrying out feedback operation on the reverse protocol analysis result and the vulnerability test report to a user.
According to another aspect of the present invention, there is provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements a method for reverse parsing and vulnerability testing of an industrial control protocol according to any embodiment of the present invention when executing the computer program.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement a method for reverse parsing and vulnerability testing of an industrial control protocol according to any one of the embodiments of the present invention when executed.
According to the technical scheme of the present invention, communication data flow to be processed is obtained in real time from the target industrial control protocol equipment and is analyzed to obtain communication data flow analysis information; a communication mode identification description result and field mark description information are determined according to that analysis information; identification processing is carried out through a pre-constructed restoration protocol modeling state machine according to the communication mode identification description result and the field mark description information to generate an initial state transition diagram; the communication data flow to be processed is reprocessed to obtain a protocol grammar structure, which is combined with the initial state transition diagram to generate a reverse protocol analysis result; test data in at least one dimension corresponding to the reverse protocol analysis result is acquired, and a vulnerability test is performed on each dimension of test data to generate a vulnerability test report; and the reverse protocol analysis result and the vulnerability test report are fed back to the user. This solves the problems of low efficiency and low accuracy in industrial control protocol analysis, achieves accurate restoration of the industrial control protocol, improves the efficiency of protocol reverse engineering and reduces the cost of manual analysis.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a reverse parsing and vulnerability testing method for an industrial control protocol according to a first embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a reverse parsing and vulnerability testing apparatus for an industrial control protocol according to a second embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "target," "current," and the like in the description and claims of the present invention and the above-described drawings are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a reverse parsing and vulnerability testing method for an industrial control protocol according to an embodiment of the present invention, where the method may be performed by a reverse parsing and vulnerability testing device for an industrial control protocol, and the reverse parsing and vulnerability testing device for an industrial control protocol may be implemented in hardware and/or software.
Accordingly, as shown in fig. 1, the method includes:
S110, in the target industrial control protocol equipment, communication data flow to be processed is obtained in real time, and the communication data flow to be processed is analyzed to obtain communication data flow analysis information.
The target industrial control protocol equipment may include equipment of the manufacturing industry, electric power systems, smart grids, transportation systems and the like. The protocols used by different types of industrial control protocol equipment may differ, so the acquired communication data flow needs to be analyzed to determine parameters such as protocol reverse analysis description information.
Specifically, the communication data traffic to be processed may be communication data traffic generated when different types of industrial control protocol devices communicate. The communication data flow analysis information may be an analysis information result obtained by analyzing the communication data flow, and may be description information of the communication data flow.
Optionally, the analyzing the communication data flow to be processed to obtain communication data flow analysis information includes: analyzing the communication data flow to be processed through a preset data flow analysis algorithm to obtain communication data flow analysis information; wherein the communication data traffic parsing information includes at least one of: a communication data traffic data field and communication data traffic control information.
The data flow analysis algorithm may be any algorithm that analyzes communication data traffic. The communication data traffic data field is the data-carrying portion of the communication data traffic and may be represented as one or more data fields. The communication data flow control information is information describing the control elements in the communication data flow.
In this embodiment, the data flow analysis algorithm is used to analyze the traffic data to be processed to obtain the traffic data field and the traffic control information. The method can better analyze the communication data flow to be processed, thereby realizing more accurate generation of the reverse protocol analysis result.
S120, determining a communication mode identification description result and field mark description information corresponding to the communication mode identification description result according to the communication data flow analysis information.
The communication mode identification description result, which describes the identified communication mode, may include a communication mode identification start frame, a communication mode identification end frame and a communication mode identification data field. The field mark description information, which is obtained by marking the communication mode identification data field, may include a field mark type, a field mark length and a field mark effect.
Optionally, determining the communication mode identification description result and the corresponding field mark description information according to the communication data flow analysis information includes: determining the communication mode identification description result according to the communication data flow analysis information, where the communication mode identification description result comprises at least one of a communication mode identification start frame, a communication mode identification end frame and a communication mode identification data field; and marking the communication mode identification data field in the communication mode identification description result to obtain the field mark description information, where the field mark description information includes at least one of a field mark type, a field mark length and a field mark effect.
In this embodiment, the communication data flow is described more comprehensively by determining the communication mode identification start frame, end frame and data field corresponding to the communication data flow analysis information, and then marking the communication mode identification data field to determine the field mark type, field mark length and field mark effect.
S130, according to the communication mode identification description result and the field mark description information, an initial state transition diagram is generated through identification processing of a pre-constructed restoration protocol modeling state machine.
The restoration protocol modeling state machine may be a state description machine that restores the protocol. The initial state transition diagram may be a transition diagram obtained by initially representing a relationship between protocols.
Specifically, the state transition diagram can clearly show the behavior and response of the protocol in different states.
Optionally, the generating an initial state transition diagram according to the communication mode identification description result and the field mark description information through identification processing by a pre-constructed restoration protocol modeling state machine includes: according to the communication mode identification description result and the field mark description information, carrying out identification processing through a pre-constructed restoration protocol modeling state machine to obtain state conversion rule information; and generating an initial state transition diagram according to the state transition rule information.
The state transition rule information may be information describing state transition rules between different protocols.
In this embodiment, in order to better construct a protocol relationship, and further understand the behavior and response of the protocol in different states, the state transition rule information is obtained by restoring the protocol modeling state machine and performing recognition processing on the communication mode recognition description result and the field tag description information, so as to further construct an initial state transition diagram.
S140, reprocessing the communication data flow to be processed to obtain a protocol grammar structure, and generating a reverse protocol analysis result by combining the initial state transition diagram.
The protocol syntax structure may be a syntax structure obtained by parsing a protocol, and syntax structures corresponding to different protocols are different. The reverse protocol analysis result may be a result obtained by performing reverse protocol analysis on the communication data traffic.
Optionally, reprocessing the communication data flow to be processed to obtain a protocol grammar structure and generating a reverse protocol analysis result by combining the initial state transition diagram includes: performing grammar inference processing on the communication data flow to be processed to obtain a protocol inference grammar structure; performing grammar refinement processing on the protocol inference grammar structure to obtain the protocol grammar structure; and combining the protocol grammar structure with the initial state transition diagram to generate the reverse protocol analysis result.
The protocol inference syntax structure may be a syntax structure obtained by performing protocol inference on the communication data traffic. The protocol inference syntax structure may include parameters such as message format and field order.
In this embodiment, grammar inference processing is performed on the communication data flow to be processed first, followed by grammar refinement processing, to obtain the protocol grammar structure. The initial state transition diagram can then be refined according to the protocol grammar structure to obtain the corresponding reverse protocol analysis result. The advantage of this arrangement is that the initial state transition diagram is refined and enriched, so that a better reverse protocol analysis result is obtained for the communication data flow and can be fed back to the user in an intuitive form.
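As an added illustration of steps S110 to S140 (this is example code written for this page, not code from the patent), the following Python script takes a constructed capture of a hypothetical frame-based industrial protocol, tags each header byte position (constant, length, counter or variable) to recover the start frame, end frame and length field, and derives state transition edges from the order in which function codes are observed. The frame layout, the capture, the 5-byte header assumption and all names are assumptions of this example.

```python
# Added example, not code from the patent. Infers field tags and a state
# transition graph from a constructed capture of a hypothetical ICS protocol.
# Assumed frame layout (the inference below does not use this knowledge):
#   [0xAA 0x55 start] [len:1] [func:1] [seq:1] [payload: len bytes] [0x0D end]
from collections import Counter

HEADER_LEN = 5  # assumption: the analyst knows the fixed header is 5 bytes


def _frame(func, seq, payload):
    """Build one frame of the assumed layout (used only to construct samples)."""
    return bytes([0xAA, 0x55, len(payload), func, seq]) + payload + b"\x0D"


# Constructed capture: (direction, raw frame). Two read and two write exchanges.
CAPTURE = [
    ("client", _frame(0x01, 1, b"\x00\x10")),          # read request, addr 0x0010
    ("server", _frame(0x81, 1, b"\x00\x10\x12\x34")),  # read response, value 0x1234
    ("client", _frame(0x02, 2, b"\x00\x20\xff")),      # write request
    ("server", _frame(0x82, 2, b"\x00")),              # write acknowledgement
    ("client", _frame(0x01, 3, b"\x00\x30")),
    ("server", _frame(0x81, 3, b"\x00\x30\x00\x01")),
    ("client", _frame(0x02, 4, b"\x00\x40\x01")),
    ("server", _frame(0x82, 4, b"\x00")),
]


def _increasing(values):
    return all(a < b for a, b in zip(values, values[1:]))


def infer_field_tags(capture, header_len=HEADER_LEN):
    """Tag each header byte position (the field mark type in the patent's terms):
    'constant'  - same value in every frame (start-frame marker candidate)
    'length'    - value tracks the total frame length by a fixed offset
    'counter'   - strictly increasing per direction (sequence/transaction id)
    'variable'  - anything else (e.g. the function code)"""
    frames = [raw for _, raw in capture]
    tags = {}
    for pos in range(header_len):
        column = [f[pos] for f in frames]
        if len(set(column)) == 1:
            tags[pos] = "constant"
        elif len({len(f) - f[pos] for f in frames}) == 1:
            tags[pos] = "length"
        elif all(_increasing([f[pos] for d, f in capture if d == side])
                 for side in ("client", "server")):
            tags[pos] = "counter"
        else:
            tags[pos] = "variable"
    return tags


def infer_state_graph(capture, func_pos):
    """Count transitions between consecutive frames, each frame being the state
    '<direction>:<function code>'; this is the initial state transition diagram."""
    states = [f"{d}:0x{f[func_pos]:02x}" for d, f in capture]
    return Counter(zip(states, states[1:]))


def infer_protocol(capture):
    """Combine the field tags and the state graph into a reverse analysis result."""
    frames = [raw for _, raw in capture]
    tags = infer_field_tags(capture)
    start_len = 0                      # leading run of constant bytes = start frame
    while tags.get(start_len) == "constant":
        start_len += 1
    # A byte that is identical at the end of every frame is taken as the end frame.
    end_frame = frames[0][-1:] if len({f[-1] for f in frames}) == 1 else b""
    length_pos = [p for p, t in tags.items() if t == "length"]
    variable_pos = [p for p, t in tags.items() if t == "variable"]
    func_pos = variable_pos[0]         # assumption: first variable byte is the function code
    return {
        "field_tags": tags,
        "start_frame": frames[0][:start_len],
        "end_frame": end_frame,
        "length_field": length_pos[0] if length_pos else None,
        "variable_fields": variable_pos,
        "transitions": infer_state_graph(capture, func_pos),
    }


if __name__ == "__main__":
    for key, value in infer_protocol(CAPTURE).items():
        print(key, value)
```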
S150, acquiring at least one dimension test data corresponding to the reverse protocol analysis result, and performing a vulnerability test on each dimension test data to generate a vulnerability test report.
The dimension test data may be data describing the reverse protocol parsing result in a manner of different dimensions. The vulnerability test report may be a report obtained by performing vulnerability tests on test data of different dimensions.
Optionally, the dimension test data includes field type test data, field size test data and field order test data; the field type test data, field size test data and field order test data corresponding to the reverse protocol analysis result are acquired; vulnerability testing is performed on the field type test data, the field size test data and the field order test data to generate, respectively, a field type vulnerability test report, a field size vulnerability test report and a field order vulnerability test report; and the three reports are combined to obtain the vulnerability test report.
The field type test data may be test data describing field types, the field size test data may be test data describing field sizes, and the field order test data may be test data describing the order of fields. The field type vulnerability test report, the field size vulnerability test report and the field order vulnerability test report are the reports obtained by performing vulnerability tests on the field type, field size and field order test data respectively.
In this embodiment, the vulnerability test is performed on test data in different dimensions, namely field type test data, field size test data and field order test data, to obtain the corresponding vulnerability test reports, which are then combined into the final vulnerability test report.
In addition, the vulnerability test report may further distinguish unauthorized access type vulnerabilities, unauthorized configuration modification type vulnerabilities and unrecognizable result type vulnerabilities, so that the vulnerability type corresponding to each item of vulnerability test data can be determined in the report. Furthermore, the report is classified by vulnerability type, so that readers can quickly locate the problems they are concerned with.
Accordingly, for vulnerability detection, the method may further include:
1) Formal specifications and grammars: the protocol is described using a formal specification or grammar, such as a context-free grammar or regular expressions, which helps define the legal structure and fields of the protocol and supports the generation of test cases.
2) Set theory: concepts from set theory can be used to describe the value range of each field in the protocol. For example, by defining the set of legal values for a field, both legal and illegal values can be generated in mutation testing to check how the protocol implementation handles them.
3) Graph theory: concepts from graph theory are used to represent the protocol modeling state machine, which helps to understand the relationships and transition rules between protocol message fields. The state machine model helps to design mutation test cases and to cover mutation scenarios in different states.
4) Randomized algorithms and probability theory: concepts from randomized algorithms and probability theory can be used to generate random mutation test cases. By introducing a probabilistic model, the distribution of protocol field values can be modeled, so that the robustness of the system is tested more fully.
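As an added illustration of step S150 and the test-generation ideas above (example code written for this page, not the patent's own), the following Python script derives the three dimensions of test data named in the patent (field type, field size, field order) from one valid message of an assumed frame layout, runs each case against a constructed toy device-side parser, and folds the outcomes into a per-dimension report, mapping anything other than a clean rejection or acceptance to the patent's "unrecognizable result" category. The toy parser, its deliberately trusting handling of the length byte, the function codes and all names are assumptions of this example.

```python
# Added example, not code from the patent. Builds field type / field size /
# field order test data for an assumed frame layout, runs it against a
# constructed toy parser and folds the outcomes into a per-dimension report.
# Assumed layout: [0xAA 0x55] [len:1] [func:1] [seq:1] [payload: len bytes] [0x0D]
import struct
from collections import Counter

KNOWN_FUNCS = {0x01: "read", 0x02: "write"}   # assumed function codes


def parse_frame(raw):
    """Constructed toy device-side parser. Raises ValueError for frames it
    recognises as malformed. Deliberate weakness for the demonstration: it
    trusts the length byte instead of checking it against len(raw)."""
    if raw[:2] != b"\xaa\x55":
        raise ValueError("bad start frame")
    length, func, seq = raw[2], raw[3], raw[4]
    if func not in KNOWN_FUNCS:
        raise ValueError("unknown function code")
    payload = raw[5:5 + length]
    if raw[5 + length] != 0x0D:                 # IndexError when length > bytes sent
        raise ValueError("bad end frame")
    addr = struct.unpack(">H", payload[:2])[0]  # struct.error when payload < 2 bytes
    return {"func": KNOWN_FUNCS[func], "seq": seq, "addr": addr, "data": payload[2:]}


def build(func, seq, payload, length=None, order=("len", "func", "seq")):
    """Encode a frame; 'length' overrides the true payload length and 'order'
    permutes the three header fields, which is how the size and order
    dimensions are produced from one baseline message."""
    fields = {"len": len(payload) if length is None else length,
              "func": func, "seq": seq}
    return b"\xaa\x55" + bytes(fields[k] & 0xFF for k in order) + payload + b"\x0d"


def dimension_tests():
    """Test data in the three dimensions named in the patent, derived from one
    valid read request (func 0x01, seq 2, address 0x0010)."""
    return {
        "baseline": [
            ("valid_frame", build(0x01, 2, b"\x00\x10")),
        ],
        "field_type": [
            ("func_out_of_set", build(0x7F, 2, b"\x00\x10")),
            ("addr_ascii", build(0x01, 2, b"AB")),   # text where a number is expected
        ],
        "field_size": [
            ("len_too_large", build(0x01, 2, b"\x00\x10", length=40)),
            ("len_too_small", build(0x01, 2, b"\x00\x10", length=1)),
            ("payload_short", build(0x01, 2, b"\x00")),
        ],
        "field_order": [
            ("seq_before_func", build(0x01, 2, b"\x00\x10", order=("len", "seq", "func"))),
            ("len_last", build(0x01, 2, b"\x00\x10", order=("func", "seq", "len"))),
        ],
    }


def run_case(raw):
    """Classify one parse attempt. 'accepted' for a malformed frame means the
    parser did not notice; anything but ValueError is an unrecognizable result
    (the patent's third vulnerability category) in this mapping."""
    try:
        parse_frame(raw)
        return "accepted"
    except ValueError:
        return "rejected"
    except Exception as exc:
        return "crash:" + type(exc).__name__


def vulnerability_report(tests=None):
    """Outcome of every case, grouped by test dimension."""
    tests = tests if tests is not None else dimension_tests()
    return {dim: {name: run_case(raw) for name, raw in cases}
            for dim, cases in tests.items()}


def summarize(report):
    """Count outcomes per dimension, the shape a combined report would carry."""
    return {dim: dict(Counter(outcomes.values())) for dim, outcomes in report.items()}


if __name__ == "__main__":
    rep = vulnerability_report()
    for dim, outcomes in rep.items():
        print(dim, outcomes)
    print(summarize(rep))
```

Note that the swapped seq/func case is accepted because the sequence number happens to equal a valid function code, which is the kind of field-order ambiguity a layout-agnostic test surfaces.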
S160, feeding back the reverse protocol analysis result and the vulnerability test report to a user.
Optionally, after the feedback operation is performed on the reverse protocol parsing result and the vulnerability test report to the user, the method further includes: and carrying out graphical visual display operation on the reverse protocol analysis result and the vulnerability test report.
In this embodiment, the reverse protocol analysis result and the vulnerability test report are fed back and displayed visually, so that the user can intuitively analyze the feedback result and the user experience is improved.
According to the technical scheme of the present invention, communication data flow to be processed is obtained in real time from the target industrial control protocol equipment and is analyzed to obtain communication data flow analysis information; a communication mode identification description result and field mark description information are determined according to that analysis information; identification processing is carried out through a pre-constructed restoration protocol modeling state machine according to the communication mode identification description result and the field mark description information to generate an initial state transition diagram; the communication data flow to be processed is reprocessed to obtain a protocol grammar structure, which is combined with the initial state transition diagram to generate a reverse protocol analysis result; test data in at least one dimension corresponding to the reverse protocol analysis result is acquired, and a vulnerability test is performed on each dimension of test data to generate a vulnerability test report; and the reverse protocol analysis result and the vulnerability test report are fed back to the user. The method and the device can accurately restore the industrial control protocol, improve the efficiency of protocol reverse engineering and reduce the cost of manual analysis.
Example 2
Fig. 2 is a schematic structural diagram of a reverse parsing and vulnerability testing apparatus for industrial control protocol according to a second embodiment of the present invention. The device for reverse analysis and vulnerability testing of the industrial control protocol provided by the embodiment of the invention can be realized through software and/or hardware, and can be configured in terminal equipment or a server to realize the method for reverse analysis and vulnerability testing of the industrial control protocol. As shown in fig. 2, the apparatus includes: the device comprises a communication data traffic analysis information determining module 210, a field mark description information determining module 220, an initial state transition diagram generating module 230, a reverse protocol analysis result generating module 240, a vulnerability test report generating module 250 and a feedback operation module 260.
The communication data flow analysis information determining module 210 is configured to obtain, in real time, a communication data flow to be processed in the target industrial control protocol device, and analyze the communication data flow to be processed to obtain communication data flow analysis information;
a field tag description information determining module 220, configured to determine a communication mode identification description result and field tag description information corresponding to the communication mode identification description result according to the communication data traffic analysis information;
an initial state transition diagram generating module 230, configured to generate an initial state transition diagram by performing an identification process through a pre-constructed restoration protocol modeling state machine according to the communication mode identification description result and the field tag description information;
the reverse protocol analysis result generating module 240 is configured to reprocess the communication data traffic to be processed to obtain a protocol syntax structure, and generate a reverse protocol analysis result in combination with the initial state transition diagram;
the vulnerability test report generating module 250 is configured to obtain at least one dimension test data corresponding to the reverse protocol parsing result, and perform a vulnerability test on each dimension test data to generate a vulnerability test report;
and a feedback operation module 260, configured to perform feedback operation on the reverse protocol parsing result and the vulnerability test report to a user.
Based on the above embodiments, the communication data traffic analysis information determining module 210 may be specifically configured to: analyzing the communication data flow to be processed through a preset data flow analysis algorithm to obtain communication data flow analysis information; wherein the communication data traffic parsing information includes at least one of: a communication data traffic data field and communication data traffic control information.
On the basis of the above embodiments, the field tag description information determination module 220 may be specifically configured to: determining a communication mode identification description result according to the communication data flow analysis information; wherein the communication mode identification description result comprises at least one of the following: a communication mode identification start frame, a communication mode identification end frame, and a communication mode identification data field; marking the communication mode identification data field in the communication mode identification description result to obtain the field marking description information; wherein the field tag description information includes at least one of: field tag type, field tag length, and field tag effect.
Based on the foregoing embodiments, the initial state transition diagram generating module 230 may be specifically configured to: according to the communication mode identification description result and the field mark description information, carrying out identification processing through a pre-constructed restoration protocol modeling state machine to obtain state conversion rule information; and generating an initial state transition diagram according to the state transition rule information.
On the basis of the above embodiments, the dimension test data includes: field type test data, field size test data, and field order test data.
Based on the foregoing embodiments, the vulnerability test report generating module 250 may be specifically configured to: acquiring field type test data, field size test data and field sequence test data corresponding to the reverse protocol analysis result; performing vulnerability testing on the field type test data, the field size test data and the field sequence test data to respectively generate a field type vulnerability test report, a field size vulnerability test report and a field sequence vulnerability test report; and combining the field type vulnerability test report, the field size vulnerability test report and the field sequence vulnerability test report to obtain a vulnerability test report.
Based on the above embodiments, the device may further include a visual display module, which, after the reverse protocol analysis result and the vulnerability test report have been fed back to the user, is specifically configured to: carry out a graphical visual display operation on the reverse protocol analysis result and the vulnerability test report.
Based on the above embodiments, the reverse protocol parsing result generating module 240 may be specifically configured to: carrying out grammar inference processing on the communication data flow to be processed to obtain a protocol inference grammar structure; performing grammar perfecting treatment on the protocol inferred grammar structure to obtain a protocol grammar structure; and combining the protocol grammar structure and the initial state transition diagram to generate a reverse protocol analysis result.
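The module pipeline described above, reduced to a runnable toy in Python as an added example (not the patent's own code): it marks fields by how they behave across constructed frames of a hypothetical framed ICS protocol, derives state transition rules from the sequence of function codes, and generates field type, field size and field order test cases that it runs against a constructed mock parser standing in for the target device. The byte layout, the field names and the mock parser are assumptions made for illustration.

```python
"""Toy implementation of the pipeline described above, added as an example
(not the patent's own code). It runs offline on constructed frames of a
hypothetical framed ICS protocol; the byte layout, field names and the mock
device parser are assumptions made for illustration."""
from collections import Counter, defaultdict

def xor_checksum(data):
    chk = 0
    for b in data:
        chk ^= b
    return chk

def build_frame(func, payload):
    """Constructed layout: 0x68 | len | func | payload | xor checksum | 0x16."""
    body = bytes([len(payload), func]) + payload
    return b"\x68" + body + bytes([xor_checksum(body)]) + b"\x16"

# Constructed sample of captured traffic (request/response pairs).
SAMPLE_TRAFFIC = [
    build_frame(0x01, b"\x00\x10"),      # read request
    build_frame(0x81, b"\x00\x10\x2a"),  # read response
    build_frame(0x02, b"\x00\x11\x01"),  # write request
    build_frame(0x82, b"\x00\x11"),      # write acknowledgement
    build_frame(0x01, b"\x00\x12"),
    build_frame(0x81, b"\x00\x12\x07"),
]

def describe_pattern(frames):
    """Pattern description and field marking: each fixed position (three at
    the head, two at the tail) is tagged constant, checksum, length or data."""
    fields = {}
    for pos in (0, 1, 2, -2, -1):
        column = [f[pos] for f in frames]
        if len(set(column)) == 1:
            fields[pos] = "constant"
        elif all(f[pos] == xor_checksum(f[1:-2]) for f in frames):
            fields[pos] = "checksum"  # field 'effect' inferred from its value
        elif any(all(f[pos] == len(f) - k for f in frames) for k in range(8)):
            fields[pos] = "length"
        else:
            fields[pos] = "data"
    return {
        "start_frame": frames[0][0] if fields[0] == "constant" else None,
        "end_frame": frames[0][-1] if fields[-1] == "constant" else None,
        "fields": fields,
    }

def state_transitions(frames, func_pos=2):
    """Restoration state machine: each function code is a state and each
    consecutive frame pair a transition rule; the result is the diagram."""
    diagram = defaultdict(Counter)
    codes = [f[func_pos] for f in frames]
    for prev, nxt in zip(codes, codes[1:]):
        diagram[prev][nxt] += 1
    return {s: dict(c) for s, c in diagram.items()}

def mock_device_parse(frame):
    """Constructed stand-in for the target device's parser. It trusts the
    length byte without a bounds check, the defect the field-size dimension
    should surface; a hardened parser validates the length byte against
    len(frame) before indexing."""
    if frame[0] != 0x68 or frame[-1] != 0x16:
        return "rejected"
    length = frame[1]
    if xor_checksum(frame[1:3 + length]) != frame[3 + length]:
        return "rejected"
    return "accepted"

def generate_tests(frame, pattern):
    """Three dimensions from the reverse-parsing result: field type (unknown
    function code), field size (length byte exceeds the frame), field order
    (length and function swapped). The checksum is recomputed each time so
    that only the mutation itself is exercised."""
    length_pos = next(p for p, t in pattern["fields"].items() if t == "length")
    cases = {
        "field_type": bytearray(frame[:2] + b"\xff" + frame[3:]),
        "field_size": bytearray(frame),
        "field_order": bytearray(bytes([frame[0], frame[2], frame[1]]) + frame[3:]),
    }
    cases["field_size"][length_pos] = 0xFF
    for case in cases.values():
        case[-2] = xor_checksum(case[1:-2])
    return {dim: bytes(case) for dim, case in cases.items()}

def run_vulnerability_test(frames, parser=mock_device_parse):
    """Run every dimension against the parser and merge the outcomes into one
    report; an exception is recorded as a crash instead of propagating."""
    pattern = describe_pattern(frames)
    report = {}
    for dim, case in generate_tests(frames[0], pattern).items():
        try:
            report[dim] = parser(case)
        except Exception as exc:
            report[dim] = f"crash:{type(exc).__name__}"
    return report
```

On the sample traffic the report shows the unknown function code being accepted, the oversized length byte crashing the mock parser, and the swapped fields being rejected, which is the per-dimension finding the combined report is meant to carry.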
The reverse analysis and vulnerability testing device of the industrial control protocol provided by the embodiment of the invention can execute the reverse analysis and vulnerability testing method of the industrial control protocol provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example III
Fig. 3 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement a third embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 3, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as a reverse parsing and vulnerability testing method of an industrial control protocol.
In some embodiments, a reverse parsing and vulnerability testing method of an industrial control protocol may be implemented as a computer program tangibly embodied on a computer readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM13 and executed by processor 11, one or more steps of the reverse parsing and vulnerability testing method of the industrial control protocol described above may be performed. Alternatively, in other embodiments, processor 11 may be configured to perform a reverse parsing and vulnerability testing method of an industrial control protocol in any other suitable manner (e.g., by means of firmware).
The method comprises the following steps: in target industrial control protocol equipment, acquiring communication data flow to be processed in real time, and analyzing the communication data flow to be processed to obtain communication data flow analysis information; determining a communication mode identification description result and field mark description information corresponding to the communication mode identification description result according to the communication data flow analysis information; according to the communication mode identification description result and the field mark description information, performing identification processing through a pre-constructed restoration protocol modeling state machine to generate an initial state transition diagram; reprocessing the communication data flow to be processed to obtain a protocol grammar structure, and generating a reverse protocol analysis result by combining the initial state transition diagram; acquiring at least one dimension test data corresponding to the reverse protocol analysis result, and performing a vulnerability test on each dimension test data to generate a vulnerability test report; and feeding back the reverse protocol analysis result and the vulnerability test report to a user.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or cloud host, which is a host product in a cloud computing service system and overcomes the drawbacks of difficult management and weak service scalability found in traditional physical hosts and VPS services.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Example IV
A fourth embodiment of the present invention also provides a computer-readable storage medium containing computer-readable instructions, which when executed by a computer processor, are configured to perform a method for reverse parsing and vulnerability testing of an industrial control protocol, the method comprising: in target industrial control protocol equipment, acquiring communication data flow to be processed in real time, and analyzing the communication data flow to be processed to obtain communication data flow analysis information; determining a communication mode identification description result and field mark description information corresponding to the communication mode identification description result according to the communication data flow analysis information; according to the communication mode identification description result and the field mark description information, performing identification processing through a pre-constructed restoration protocol modeling state machine to generate an initial state transition diagram; reprocessing the communication data flow to be processed to obtain a protocol grammar structure, and generating a reverse protocol analysis result by combining the initial state transition diagram; acquiring at least one dimension test data corresponding to the reverse protocol analysis result, and performing a vulnerability test on each dimension test data to generate a vulnerability test report; and feeding back the reverse protocol analysis result and the vulnerability test report to a user.
Of course, the computer-readable storage medium provided in the embodiments of the present invention is not limited to the above-described method operations, and may also perform the related operations in the reverse parsing and vulnerability testing method of the industrial control protocol provided in any embodiment of the present invention.
From the above description of embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software and necessary general purpose hardware, but of course also by means of hardware, although in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, etc., and include several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present invention.
It should be noted that, in the embodiment of the device for reverse analysis and vulnerability testing of industrial control protocol, each unit and module included are only divided according to the functional logic, but not limited to the above-mentioned division, so long as the corresponding functions can be realized; in addition, the specific names of the functional units are also only for distinguishing from each other, and are not used to limit the protection scope of the present invention.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A reverse parsing and vulnerability testing method for an industrial control protocol, characterized by comprising the following steps:
in target industrial control protocol equipment, acquiring communication data flow to be processed in real time, and analyzing the communication data flow to be processed to obtain communication data flow analysis information;
determining a communication mode identification description result and field mark description information corresponding to the communication mode identification description result according to the communication data flow analysis information;
according to the communication mode identification description result and the field mark description information, performing identification processing through a pre-constructed restoration protocol modeling state machine to generate an initial state transition diagram;
reprocessing the communication data flow to be processed to obtain a protocol grammar structure, and generating a reverse protocol analysis result by combining the initial state transition diagram;
acquiring at least one dimension test data corresponding to the reverse protocol analysis result, and performing a vulnerability test on each dimension test data to generate a vulnerability test report;
and feeding back the reverse protocol analysis result and the vulnerability test report to a user.
2. The method according to claim 1, wherein the parsing the communication data traffic to be processed to obtain communication data traffic parsing information includes:
analyzing the communication data flow to be processed through a preset data flow analysis algorithm to obtain communication data flow analysis information;
wherein the communication data traffic parsing information includes at least one of: a communication data traffic data field and communication data traffic control information.
3. The method according to claim 2, wherein determining a communication pattern recognition description result and field tag description information corresponding to the communication pattern recognition description result according to the communication data traffic parsing information includes:
determining a communication mode identification description result according to the communication data flow analysis information;
wherein the communication mode identification description result comprises at least one of the following: a communication mode identification start frame, a communication mode identification end frame, and a communication mode identification data field;
marking the communication mode identification data field in the communication mode identification description result to obtain the field marking description information;
wherein the field tag description information includes at least one of: field tag type, field tag length, and field tag effect.
4. The method according to claim 3, wherein the generating an initial state transition diagram by performing an identification process through a pre-built restoration protocol modeling state machine according to the communication pattern identification description result and the field tag description information comprises:
according to the communication mode identification description result and the field mark description information, carrying out identification processing through a pre-constructed restoration protocol modeling state machine to obtain state conversion rule information;
and generating an initial state transition diagram according to the state transition rule information.
5. The method of claim 4, wherein the dimension test data comprises: field type test data, field size test data, and field order test data;
acquiring field type test data, field size test data and field sequence test data corresponding to the reverse protocol analysis result;
performing vulnerability testing on the field type test data, the field size test data and the field sequence test data to respectively generate a field type vulnerability test report, a field size vulnerability test report and a field sequence vulnerability test report;
and combining the field type vulnerability test report, the field size vulnerability test report and the field sequence vulnerability test report to obtain a vulnerability test report.
6. The method of claim 5, further comprising, after said feedback of said reverse protocol parsing result and said vulnerability test report to a user:
and carrying out graphical visual display operation on the reverse protocol analysis result and the vulnerability test report.
7. The method of claim 6, wherein the generating a reverse protocol parsing result by reprocessing the communication data traffic to be processed to obtain a protocol syntax structure and combining the initial state transition diagram comprises:
carrying out grammar inference processing on the communication data flow to be processed to obtain a protocol inference grammar structure;
performing grammar perfecting treatment on the protocol inferred grammar structure to obtain a protocol grammar structure;
and combining the protocol grammar structure and the initial state transition diagram to generate a reverse protocol analysis result.
8. A reverse parsing and vulnerability testing device for an industrial control protocol, characterized by comprising:
the communication data flow analysis information determining module is used for acquiring communication data flow to be processed in real time in the target industrial control protocol equipment, and analyzing the communication data flow to be processed to obtain communication data flow analysis information;
the field mark description information determining module is used for determining a communication mode identification description result and field mark description information corresponding to the communication mode identification description result according to the communication data flow analysis information;
the initial state transition diagram generation module is used for generating an initial state transition diagram through identification processing of a pre-built restoration protocol modeling state machine according to the communication mode identification description result and the field mark description information;
the reverse protocol analysis result generation module is used for obtaining a protocol grammar structure by reprocessing the communication data flow to be processed and generating a reverse protocol analysis result by combining the initial state transition diagram;
the vulnerability test report generation module is used for acquiring at least one dimension test data corresponding to the reverse protocol analysis result, carrying out vulnerability test on each dimension test data and generating a vulnerability test report;
and the feedback operation module is used for carrying out feedback operation on the reverse protocol analysis result and the vulnerability test report to a user.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the reverse parsing and vulnerability testing method of the industrial control protocol of any one of claims 1-7 when executing the computer program.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the reverse parsing and vulnerability testing method of the industrial control protocol according to any one of claims 1-7 when executed.
CN202311827339.4A 2023-12-27 2023-12-27 Reverse analysis and vulnerability test method, device, equipment and medium of industrial control protocol Pending CN117749676A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311827339.4A CN117749676A (en) 2023-12-27 2023-12-27 Reverse analysis and vulnerability test method, device, equipment and medium of industrial control protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311827339.4A CN117749676A (en) 2023-12-27 2023-12-27 Reverse analysis and vulnerability test method, device, equipment and medium of industrial control protocol

Publications (1)

Publication Number Publication Date
CN117749676A true CN117749676A (en) 2024-03-22

Family

ID=90283128

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311827339.4A Pending CN117749676A (en) 2023-12-27 2023-12-27 Reverse analysis and vulnerability test method, device, equipment and medium of industrial control protocol

Country Status (1)

Country Link
CN (1) CN117749676A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination