CN117909699A - Industrial control asset identification method and device, electronic equipment and storage medium - Google Patents


Publication number
CN117909699A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311841646.8A
Other languages
Chinese (zh)
Inventor
韩毅斌
宋经伟
张振威
常凯
吴碧莹
周迎宾
赵曦滨
万海
张轩诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
CRRC Information Technology Co Ltd
Original Assignee
Tsinghua University
CRRC Information Technology Co Ltd

Abstract

The application relates to an industrial control asset identification method and device, electronic equipment, and a storage medium, applied to the technical field of asset identification. The industrial control asset identification method comprises: acquiring web session log information, and extracting initial asset information of the identified asset from the web session log information; constructing an asset information acquisition request according to the initial asset information, and sending the asset information acquisition request to the identified asset; receiving asset version information returned by the identified asset; adding the asset version information to the initial asset information to obtain target asset information; representing the target asset information as an asset knowledge vector, and selecting, from the asset fingerprint vectors contained in an asset fingerprint library, the target asset fingerprint vector with the highest similarity to the asset knowledge vector; and determining the manufacturer and model information corresponding to the target asset fingerprint vector in the asset fingerprint library as the manufacturer and model information of the identified asset. The application can improve the accuracy of asset identification without interfering with the identified asset.

Description

Industrial control asset identification method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of asset identification technologies, and in particular, to an industrial control asset identification method, an industrial control asset identification device, an electronic device, and a storage medium.
Background
Industrial control assets include the various industrial control devices in an industrial control system. Industrial control asset identification is a technical means of monitoring those assets: industrial control security is ensured by identifying abnormalities in the assets in time and raising alarms.
In the related art, asset identification based on network scanning obtains asset information by sending a large number of network probe messages to the probe target. However, industrial control system networks are easily affected by probe messages. Asset identification based on traffic and logs does not affect the industrial control system, but passive traffic does not contain accurate asset manufacturer, model, and version information, so passive asset identification can only obtain information such as the asset's IP (Internet Protocol) address, MAC (Media Access Control) address, and ports, which cannot meet the actual needs of asset management.
Disclosure of Invention
In order to solve the technical problems, the application provides an industrial control asset identification method, an industrial control asset identification device, electronic equipment, a storage medium and a computer program product.
According to a first aspect of the present application, there is provided an industrial control asset identification method, comprising:
acquiring web session log information, and extracting initial asset information of the identified asset from the web session log information;
constructing an asset information acquisition request according to the initial asset information, and sending the asset information acquisition request to the identified asset;
receiving asset version information returned by the identified asset for the asset information acquisition request;
adding the asset version information to the initial asset information to obtain target asset information;
representing the target asset information as an asset knowledge vector, and selecting, from the asset fingerprint vectors contained in an asset fingerprint library, the target asset fingerprint vector with the highest similarity to the asset knowledge vector;
and determining the manufacturer and model information corresponding to the target asset fingerprint vector in the asset fingerprint library as the manufacturer and model information of the identified asset.
Optionally, the industrial control asset identification method further includes:
after extracting the initial asset information, representing the initial asset information as initial asset knowledge meta-information through a pre-constructed knowledge meta-model;
the step of adding the asset version information to the initial asset information to obtain target asset information specifically includes:
adding the asset version information to the initial asset knowledge meta-information to obtain target asset knowledge meta-information;
the step of representing the target asset information as an asset knowledge vector specifically includes:
representing the target asset knowledge meta-information as an asset knowledge vector.
Optionally, the knowledge metamodel includes: a communication protocol type field, an IP address field, a request content field, and a return content field; the initial asset information includes: data in communication protocol messages of all open ports of the identified asset;
the step of representing the initial asset information as initial asset knowledge meta-information through a pre-constructed knowledge meta-model includes:
for each communication protocol type used by the communication protocol messages of all the open ports of the identified asset, constructing knowledge meta-information corresponding to that communication protocol type;
taking the knowledge meta-information corresponding to all communication protocol types used by the communication protocol messages of all the open ports as the initial asset knowledge meta-information;
the step of constructing knowledge meta-information corresponding to each communication protocol type includes:
adding the communication protocol type used by the communication protocol message in the communication protocol type field;
adding the IP address of the identified asset in the communication protocol message in the IP address field;
adding the request information transmitted in the communication protocol message in the request content field;
and adding the return information transmitted in the communication protocol message in the return content field.
Optionally, the adding the asset version information to the initial asset knowledge meta-information includes:
Determining the communication protocol type used by the asset information acquisition request as a target communication protocol type;
And adding the asset version information into a returned content field corresponding to the target communication protocol type in the initial asset knowledge meta-information.
Optionally, the constructing an asset information obtaining request according to the initial asset information includes:
Determining the communication protocol type supported by the identified asset according to the initial asset information;
If the communication protocol type supported by the identified asset comprises a universal protocol type, constructing a universal asset information acquisition request corresponding to the universal protocol type;
And if the communication protocol type supported by the identified asset comprises an industrial control protocol type and does not comprise a general protocol type, constructing a special asset information acquisition request corresponding to the industrial control protocol type.
Optionally, the asset fingerprint library includes asset fingerprint vectors corresponding to each communication protocol type;
the selecting the target asset fingerprint vector with the highest similarity with the asset knowledge vector from the asset fingerprint vectors contained in the asset fingerprint library comprises the following steps:
Taking an asset fingerprint vector corresponding to the communication protocol type supported by the identified asset in the asset fingerprint library as a candidate asset fingerprint vector;
calculating the similarity between each candidate asset fingerprint vector and the asset knowledge vector;
and determining the candidate asset fingerprint vector corresponding to the maximum similarity as a target asset fingerprint vector.
According to a second aspect of the present application, there is provided an industrial control asset identification device comprising:
The initial asset information extraction module is used for acquiring web session log information and extracting initial asset information of the identified asset from the web session log information;
an asset information acquisition request construction module for constructing an asset information acquisition request according to the initial asset information;
an asset information acquisition request sending module, configured to send the asset information acquisition request to the identified asset;
The asset version information receiving module is used for receiving asset version information returned by the identified asset aiming at the asset information acquisition request;
The asset version information complementing module is used for adding the asset version information into the initial asset information to obtain target asset information;
The target asset fingerprint vector determining module is used for representing the target asset information as asset knowledge vectors, and selecting a target asset fingerprint vector with highest similarity with the asset knowledge vectors from asset fingerprint vectors contained in an asset fingerprint library;
And the manufacturer and model information determining module is used for determining manufacturer and model information corresponding to the target asset fingerprint vector in the asset fingerprint library as manufacturer and model information of the identified asset.
Optionally, the industrial control asset identification device further includes:
the initial asset knowledge meta-information construction module is used for expressing the initial asset information as initial asset knowledge meta-information through a pre-constructed knowledge meta-model after the initial asset information is extracted;
The asset version information complementing module is specifically configured to add the asset version information to the initial asset knowledge meta-information to obtain target asset knowledge meta-information;
The target asset fingerprint vector determining module is specifically configured to represent the target asset knowledge meta information as an asset knowledge vector, and select a target asset fingerprint vector with highest similarity with the asset knowledge vector from asset fingerprint vectors contained in an asset fingerprint library.
Optionally, the knowledge metamodel includes: a communication protocol type field, an IP address field, a request content field, and a return content field; the initial asset information includes: data in communication protocol messages of all open ports of the identified asset;
The initial asset knowledge meta-information construction module is specifically configured to construct knowledge meta-information corresponding to each communication protocol type for the communication protocol types used by the communication protocol messages of all the open ports of the identified asset after the initial asset information is extracted; the knowledge meta-information corresponding to all communication protocol types used by the communication protocol messages of all the open ports is used as initial asset knowledge meta-information;
The initial asset knowledge meta-information construction module is specifically configured to construct knowledge meta-information corresponding to each communication protocol type through the following steps:
adding the communication protocol type used by the communication protocol message in the communication protocol type field;
adding the IP address of the identified asset in the communication protocol message in the IP address field;
adding the request information transmitted in the communication protocol message in the request content field;
and adding the return information transmitted in the communication protocol message in the return content field.
Optionally, the asset version information complementing module is specifically configured to determine a communication protocol type used by the asset information obtaining request as a target communication protocol type; and adding the asset version information into a returned content field corresponding to the target communication protocol type in the initial asset knowledge meta-information to obtain target asset knowledge meta-information.
Optionally, the asset information acquisition request construction module is specifically configured to determine, according to the initial asset information, a communication protocol type supported by the identified asset; if the communication protocol type supported by the identified asset comprises a universal protocol type, constructing a universal asset information acquisition request corresponding to the universal protocol type; and if the communication protocol type supported by the identified asset comprises an industrial control protocol type and does not comprise a general protocol type, constructing a special asset information acquisition request corresponding to the industrial control protocol type.
Optionally, the asset fingerprint library includes asset fingerprint vectors corresponding to each communication protocol type;
The target asset fingerprint vector determining module is specifically configured to represent the target asset knowledge meta information as an asset knowledge vector, and use an asset fingerprint vector corresponding to a communication protocol type supported by the identified asset in an asset fingerprint library as a candidate asset fingerprint vector; calculating the similarity between each candidate asset fingerprint vector and the asset knowledge vector; and determining the candidate asset fingerprint vector corresponding to the maximum similarity as a target asset fingerprint vector.
According to a third aspect of the present application, there is provided an electronic device comprising: a processor for executing a computer program stored in a memory, which when executed by the processor implements the method according to the first aspect.
According to a fourth aspect of the present application, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of the first aspect.
According to a fifth aspect of the present application, there is provided a computer program product for, when run on a computer, causing the computer to perform the method of the first aspect.
Compared with the prior art, the technical scheme provided by the embodiment of the application has the following advantages:
After the initial asset information of the identified asset is extracted from the web session log information, an asset information acquisition request is constructed and sent to the identified asset to acquire the asset version information of the identified asset. The asset version information is added to the initial asset information to obtain complete target asset information. The target asset information is represented as an asset knowledge vector, and the target asset fingerprint vector with the highest similarity to the asset knowledge vector is selected from an asset fingerprint library. The asset fingerprint library contains the correspondence between asset fingerprint vectors and manufacturer and model information, so the manufacturer and model information corresponding to the target asset fingerprint vector can be directly determined as the manufacturer and model information of the identified asset. In the embodiment of the application, comprehensive and accurate asset information can be obtained through this process of completing and matching the asset information. The method also avoids sending network probe messages: it sends an asset information acquisition request to the identified asset, and this request is a normal network request which, unlike a network probe message, does not affect the identified asset.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flow chart of a method for identifying industrial control assets in an embodiment of the application;
FIG. 2 is a schematic diagram of constructing an asset information acquisition request in accordance with an embodiment of the present application;
FIG. 3 is a schematic diagram of a method for identifying industrial control assets according to an embodiment of the application;
FIG. 4 is a flowchart of another method for identifying industrial control assets according to an embodiment of the application;
FIG. 5 is a schematic diagram of a configuration of an industrial asset identification device according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an electronic device according to an embodiment of the application.
Detailed Description
In order that the above objects, features and advantages of the application will be more clearly understood, a further description of the application will be made. It should be noted that, without conflict, the embodiments of the present application and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, but the present application may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the application.
Referring to FIG. 1, FIG. 1 is a flowchart of a method for identifying industrial control assets according to an embodiment of the application, which may include the following steps:
Step S102, obtaining web session log information, and extracting initial asset information of the identified asset from the web session log information.
The web session log information includes web session logs reported by web security devices (e.g., firewalls, traffic audit devices, etc.). The extracted initial asset information includes the data in the communication protocol messages of all open ports of the identified asset. The data in a communication protocol message includes: the communication protocol used by the message, the source IP address and destination IP address in the message, the source port information and destination port information in the message, the request information transmitted in the message, the return information transmitted in the message, and the like.
Step S104, constructing an asset information acquisition request according to the initial asset information, and sending the asset information acquisition request to the identified asset.
Asset information obtained from web sessions is often incomplete, so an asset information acquisition request may be constructed to obtain relatively complete asset information. Because different assets support different communication protocols, in the embodiment of the application different asset information acquisition requests can be constructed for different communication protocol types, in order to meet the identification requirements of different types of assets.
Since the data in the communication protocol message includes the source IP address and the destination IP address, the IP address of the identified asset can be determined from the source IP address and destination IP address in the message and the IP segment in which the identified asset is located. The asset information acquisition request is then constructed with the IP address of the identified asset as the destination IP address.
The communication protocol types include generic protocol types and industrial control protocol types. Generic protocol types include Telnet (the standard protocol for the Internet remote login service), SNMP (Simple Network Management Protocol), HTTP (Hypertext Transfer Protocol), etc. Industrial control protocol types include Modbus (a serial communication protocol), EtherNet/IP (an industrial application-layer protocol for industrial automation applications), S7, IEC 104, BACnet (a communication protocol for intelligent buildings), etc.
Optionally, the communication protocol types supported by the identified asset may be determined based on the initial asset information. If the communication protocol types supported by the identified asset include a generic protocol type, a generic asset information acquisition request corresponding to the generic protocol type is constructed. If the communication protocol types supported by the identified asset include an industrial control protocol type and do not include a generic protocol type, a dedicated asset information acquisition request corresponding to the industrial control protocol type is constructed.
Constructing a generic asset information acquisition request is simpler than constructing a dedicated one. Therefore, when the communication protocol types supported by the identified asset include a generic protocol type, the generic asset information acquisition request is constructed regardless of whether the supported types also include an industrial control protocol type. Only when the supported types do not include a generic protocol type is the dedicated asset information acquisition request constructed.
Referring to FIG. 2, FIG. 2 is a schematic diagram illustrating construction of an asset information acquisition request according to an embodiment of the present application. For a generic protocol type, a generic asset information acquisition request may be constructed, and version information is acquired by sending it. For an industrial control protocol type, a dedicated asset information acquisition request may be constructed, and version information is acquired by sending it.
For example, for a manufacturer's PLC (Programmable Logic Controller) that supports the HTTP protocol, a generic asset information acquisition request corresponding to the HTTP protocol type may be constructed; specifically, HTTP client code is used to construct a POST request with the IP address of the identified asset as the destination IP address. The HTTP client code may be a client version-request message built in the Python development language. The constructed request is then sent to the identified asset, which returns its version and model information after receiving the request.
For example, for an asset supporting the S7 proprietary protocol, a dedicated asset information acquisition request corresponding to the S7 proprietary protocol may be constructed. First, a Snap7 client program may be created and connected to the designated PLC device. Then an SZL query request, i.e., the dedicated asset information acquisition request, is constructed. The constructed request is then sent to the identified asset, which returns version and model information, etc., after receiving the request.
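The request-planning logic of step S104, as an added example that is not part of the patent text: it resolves the asset IP from the source and destination addresses and the asset IP segment, collects the protocol types seen per asset, and prefers a generic request over a dedicated one. The log field names, the sample records, and the alphabetical tie-break between several supported protocols are assumptions; nothing is sent on the network.

```python
import ipaddress

# Protocol families as named in the description (lower-cased identifiers).
GENERIC_PROTOCOLS = {"telnet", "snmp", "http"}
ICS_PROTOCOLS = {"modbus", "ethernetip", "s7", "iec104", "bacnet"}

# Constructed web session log records. The field names are hypothetical;
# a real firewall or traffic-audit export uses its own schema.
SAMPLE_LOG = [
    {"proto": "s7", "src": "10.20.0.5", "sport": 49152,
     "dst": "192.168.10.21", "dport": 102},
    {"proto": "http", "src": "192.168.10.21", "sport": 80,
     "dst": "10.20.0.5", "dport": 49153},
    {"proto": "modbus", "src": "10.20.0.5", "sport": 49160,
     "dst": "192.168.10.30", "dport": 502},
    {"proto": "dns", "src": "10.20.0.5", "sport": 53000,
     "dst": "10.20.0.1", "dport": 53},
]


def asset_endpoint(record, asset_segment):
    """Return (ip, port) of the endpoint inside the asset IP segment, or None.

    If both endpoints are inside the segment, the source side is returned.
    """
    net = ipaddress.ip_network(asset_segment)
    for ip, port in ((record["src"], record["sport"]),
                     (record["dst"], record["dport"])):
        if ipaddress.ip_address(ip) in net:
            return ip, port
    return None


def initial_asset_info(log, asset_segment):
    """Map each identified asset IP to {protocol type: asset-side port}."""
    assets = {}
    for record in log:
        endpoint = asset_endpoint(record, asset_segment)
        if endpoint is None:
            continue  # neither side belongs to the monitored asset segment
        ip, port = endpoint
        assets.setdefault(ip, {})[record["proto"].lower()] = port
    return assets


def plan_request(asset_ip, protocols):
    """Pick the request kind: generic first, dedicated only as a fallback."""
    for kind, family in (("generic", GENERIC_PROTOCOLS),
                         ("dedicated", ICS_PROTOCOLS)):
        supported = sorted(p for p in protocols if p in family)
        if supported:
            proto = supported[0]  # assumed tie-break: alphabetical order
            return {"dst_ip": asset_ip, "kind": kind,
                    "protocol": proto, "port": protocols[proto]}
    return None  # no protocol this method knows how to query


def plan_all(log, asset_segment):
    """Build one request plan per asset found in the log."""
    info = initial_asset_info(log, asset_segment)
    return {ip: plan_request(ip, protos) for ip, protos in info.items()}


if __name__ == "__main__":
    for ip, plan in plan_all(SAMPLE_LOG, "192.168.10.0/24").items():
        print(ip, plan)
```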
Step S106, receiving asset version information returned by the identified asset for the asset information acquisition request.
Step S108, adding the asset version information to the initial asset information to obtain target asset information.
After the asset version information is added in the initial asset information, the obtained target asset information is more complete.
Step S110, representing the target asset information as an asset knowledge vector, and selecting, from the asset fingerprint vectors contained in an asset fingerprint library, the target asset fingerprint vector with the highest similarity to the asset knowledge vector.
It should be noted that the identified asset may support one protocol type or multiple protocol types. For example, it may support one generic protocol type and one industrial control protocol type, only one generic protocol type, or only one industrial control protocol type. The target asset information can be divided into multiple data sets by communication protocol type, each containing several kinds of information. The target asset information can therefore be expressed as an asset knowledge vector by taking the communication protocol type as the unit and ordering the data of each communication protocol type by information type.
The asset knowledge vector is matched against the asset fingerprint vectors in the asset fingerprint library to obtain the target asset fingerprint vector with the highest similarity to the asset knowledge vector. The similarity between the asset knowledge vector and an asset fingerprint vector can be obtained by calculating the Euclidean distance between them: the smaller the Euclidean distance, the higher the similarity.
Optionally, the asset fingerprint library includes asset fingerprint vectors corresponding to each communication protocol type, and the asset fingerprint vectors in the library that correspond to the communication protocol types supported by the identified asset may be used as candidate asset fingerprint vectors. The similarity between each candidate asset fingerprint vector and the asset knowledge vector is calculated, and the candidate asset fingerprint vector with the maximum similarity is determined as the target asset fingerprint vector. Grouping the asset fingerprint vectors in the library by communication protocol type makes it possible to match the target asset fingerprint vector more quickly.
Step S112, determining the manufacturer and model information corresponding to the target asset fingerprint vector in the asset fingerprint library as the manufacturer and model information of the identified asset.
The asset fingerprint library comprises asset fingerprint vectors and manufacturer and model information corresponding to the asset fingerprint vectors. The similarity between the target asset fingerprint vector and the asset knowledge vector is highest, so that manufacturer and model information corresponding to the target asset fingerprint vector can be used as manufacturer and model information of the identified asset.
It should be noted that the identified asset may support one or more communication protocol types. When multiple communication protocol types are supported, each communication protocol type corresponds to one knowledge vector. Each knowledge vector is matched against the asset fingerprint vectors in the asset fingerprint library, so multiple target asset fingerprint vectors can be obtained. If these target asset fingerprint vectors correspond to the same manufacturer and model information, that manufacturer and model information is the manufacturer and model information of the identified asset.
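Steps S108 to S112 as an added example, not code from the patent: version information is written into the return content field of the record for the protocol the request used, each per-protocol record becomes a vector, and the nearest fingerprint by Euclidean distance among same-protocol candidates is chosen. The hashed character-trigram encoding, the vector length, the record field names, the vendor and model placeholders, and returning no result when protocols disagree are all assumptions; the description does not specify them.

```python
import hashlib
import math

DIM = 128  # assumed vector length


def embed(text, dim=DIM):
    """Hash character trigrams into an L2-normalised vector (assumed encoding)."""
    vec = [0.0] * dim
    text = text.lower()
    for i in range(len(text) - 2):
        digest = hashlib.sha256(text[i:i + 3].encode("utf-8")).digest()
        vec[int.from_bytes(digest[:4], "big") % dim] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def add_version(knowledge_meta, target_protocol, version_info):
    """Return a copy with version info appended to the return content field
    of the record whose protocol type was used for the acquisition request."""
    completed = []
    for record in knowledge_meta:
        record = dict(record)
        if record["protocol"] == target_protocol:
            joined = record["return_content"] + " " + version_info
            record["return_content"] = joined.strip()
        completed.append(record)
    return completed


def knowledge_vector(record):
    """One knowledge vector per protocol type: request then return content."""
    text = record["request_content"] + " " + record["return_content"]
    return embed(text.strip())


def match_protocol(record, library):
    """Nearest fingerprint among candidates of the same protocol type."""
    candidates = library.get(record["protocol"], [])
    if not candidates:
        return None
    vec = knowledge_vector(record)
    dist, vendor, model = min(
        (euclidean(vec, fp), vendor, model) for fp, vendor, model in candidates)
    return vendor, model, dist


def identify(knowledge_meta, library):
    """Vendor and model if every matched protocol agrees, otherwise None."""
    matches = (match_protocol(r, library) for r in knowledge_meta)
    verdicts = {m[:2] for m in matches if m is not None}
    return verdicts.pop() if len(verdicts) == 1 else None


# Constructed fingerprint library grouped by protocol type (placeholder names).
FINGERPRINT_LIBRARY = {
    "http": [
        (embed("POST /version server: VendorA-web PLC-100 firmware"),
         "VendorA", "PLC-100"),
        (embed("POST /version server: VendorB-httpd RTU-7 build"),
         "VendorB", "RTU-7"),
    ],
    "s7": [
        (embed("SZL read module identification VendorA PLC-100"),
         "VendorA", "PLC-100"),
        (embed("SZL read module identification VendorC CPU-300"),
         "VendorC", "CPU-300"),
    ],
}

# Constructed initial asset knowledge meta-information for one asset.
INITIAL_META = [
    {"protocol": "http", "ip": "192.168.10.21",
     "request_content": "POST /version", "return_content": "200 OK"},
    {"protocol": "s7", "ip": "192.168.10.21",
     "request_content": "SZL read module identification",
     "return_content": "VendorA PLC-100"},
]

if __name__ == "__main__":
    target = add_version(INITIAL_META, "http",
                         "server: VendorA-web PLC-100 firmware V2.1")
    print(identify(target, FINGERPRINT_LIBRARY))
```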
According to the industrial control asset identification method, after the initial asset information of the identified asset is extracted from the web session log information, an asset information acquisition request is constructed and sent to the identified asset to acquire the asset version information of the identified asset. The asset version information is added to the initial asset information to obtain complete target asset information. The target asset information is represented as an asset knowledge vector, and the target asset fingerprint vector with the highest similarity to the asset knowledge vector is selected from an asset fingerprint library. The asset fingerprint library contains the correspondence between asset fingerprint vectors and manufacturer and model information, so the manufacturer and model information corresponding to the target asset fingerprint vector can be directly determined as the manufacturer and model information of the identified asset. In the embodiment of the application, comprehensive and accurate asset information can be obtained through this process of completing and matching the asset information. The method also avoids sending network probe messages: it sends an asset information acquisition request to the identified asset, and this request is a normal network request which, unlike a network probe message, does not affect the identified asset.
Referring to FIG. 3, FIG. 3 is a schematic diagram of an industrial control asset identification method according to an embodiment of the application. After the initial asset information is extracted from the web session log information, it may be represented and stored according to a pre-constructed knowledge meta-model, i.e., as initial asset knowledge meta-information. An asset information acquisition request is constructed and sent to acquire asset version information, and the asset version information is added to the initial asset knowledge meta-information to obtain target asset knowledge meta-information. The target asset knowledge meta-information is represented as an asset knowledge vector, the target asset fingerprint vector with the highest similarity to the asset knowledge vector is selected from an asset fingerprint library, and the manufacturer and model information corresponding to the target asset fingerprint vector is determined as the manufacturer and model information of the identified asset.
Referring to FIG. 4, FIG. 4 is a flowchart of another method for identifying industrial control assets according to an embodiment of the application, which may include the following steps:
Step S402, obtaining web session log information, and extracting initial asset information of the identified asset from the web session log information.
Step S404, the initial asset information is represented as initial asset knowledge meta-information through a pre-constructed knowledge meta-model.
In the embodiment of the present application, the pre-constructed knowledge meta-model may include a communication protocol type field, an IP address field, a request content field, and a return content field. Communication protocol type: indicates the communication protocol used by the message, such as SNMP, TELNET, HTTP(S), etc. IP address: indicates the IP address that sent or received the message, i.e., the IP address of the identified asset, which may be determined from the source IP address and destination IP address in the message and the IP segment in which the identified asset is located. Request content: represents the request information transmitted in the message, which may be in text, JSON (JavaScript Object Notation), or other formats. Return content: represents the return information transmitted in the message, which may likewise be in different formats.
In an embodiment of the present application, the initial asset information may include the data in the communication protocol messages of all open ports of the identified asset. For each communication protocol type used by the communication protocol messages of all the open ports of the identified asset, knowledge meta-information corresponding to that communication protocol type is constructed; the knowledge meta-information corresponding to all communication protocol types used by those messages is taken as the initial asset knowledge meta-information.
Constructing the knowledge meta-information corresponding to each communication protocol type comprises the following steps:
adding the communication protocol type used by the communication protocol message to the communication protocol type field;
adding the IP address of the identified asset in the communication protocol message to the IP address field;
adding the request information transmitted in the communication protocol message to the request content field;
and adding the return information transmitted in the communication protocol message to the return content field.
That is, the data in the communication protocol messages of all open ports of the identified asset is described as standardized data fields: communication protocol type, IP address, protocol request content, and protocol return content.
In the process of standardizing the data through the knowledge meta model, each message can be analyzed and converted according to actual conditions. For example, for the HTTP protocol, the request content may be split according to the HTTP request header, the request body, and the like, and finally all the packets are converted into a unified format and stored as standardized data fields. This facilitates subsequent analysis, mining and application of the data.
For example, the process of extracting IP asset communication protocol message data using JSON format description is as follows:
In the JSON object, an array named "communication_data" is defined, which contains the communication protocol type, IP address, request content, and return content of each asset. The JSON format can describe the process of extracting IP asset communication protocol message data well.
Step S406, constructing an asset information acquisition request according to the initial asset information, and sending the asset information acquisition request to the identified asset.
Step S408, asset version information returned by the identified asset for the asset information acquisition request is received.
Step S410, adding the asset version information to the initial asset knowledge meta-information to obtain the target asset knowledge meta-information.
As previously described, the identified asset may support one or more communication protocol types, each with a corresponding return content field. The communication protocol type used by the asset information acquisition request may be determined as the target communication protocol type, and the asset version information is added to the return content field corresponding to the target communication protocol type in the initial asset knowledge meta-information. That is, the asset version information returned by the identified asset is added to the return content field corresponding to the communication protocol type used by the asset information acquisition request.
Step S412, representing the target asset knowledge meta-information as an asset knowledge vector, and selecting the target asset fingerprint vector with the highest similarity to the asset knowledge vector from the asset fingerprint vectors contained in the asset fingerprint library.
Step S414, determining manufacturer and model information corresponding to the target asset fingerprint vector in the asset fingerprint library as the manufacturer and model information of the identified asset.
According to the industrial control asset identification method, after the initial asset information of the identified asset is extracted from the network session log information, the initial asset information can be standardized into initial asset knowledge meta-information through the knowledge meta-model. An asset information acquisition request is constructed and sent to the identified asset to obtain its asset version information. The asset version information is then added to the initial asset knowledge meta-information to obtain complete target asset knowledge meta-information. The target asset knowledge meta-information is represented as an asset knowledge vector, and the target asset fingerprint vector with the highest similarity to the asset knowledge vector is selected from the asset fingerprint library. Because the asset fingerprint library contains the correspondence between asset fingerprint vectors and manufacturer and model information, the manufacturer and model information corresponding to the target asset fingerprint vector can be directly determined as the manufacturer and model information of the identified asset. In the embodiment of the application, comprehensive and accurate asset information can be obtained through the processes of establishing, completing, and matching the asset knowledge meta-information. In addition, the method avoids sending network detection messages: the asset information acquisition request sent to the identified asset is a normal network request and, unlike a network detection message, does not affect the identified asset.
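The flow of steps S402 to S414 can be traced end to end in the following added example, which is not code from the patent. It assumes token-count vectors with cosine similarity for the vectorisation and similarity measure; the protocol classification, log records, fingerprint entries, vendor and model names, and the returned version string are all constructed, and the request to the asset is replaced by a constructed reply.

```python
import copy
import ipaddress
import math
import re
from collections import Counter

# Assumed split between universal and industrial control protocols (illustrative).
UNIVERSAL = ("HTTP", "SNMP", "TELNET")
INDUSTRIAL = ("MODBUS",)

# Constructed inputs: session-log records for one asset, and a tiny fingerprint library.
ASSET_SEGMENT = "10.0.8.0/24"
SESSION_LOG = [
    {"proto": "HTTP", "src": "10.0.0.5", "dst": "10.0.8.21",
     "request": "GET /index.html", "response": "200 OK Server: ExampleHMI"},
    {"proto": "MODBUS", "src": "10.0.0.5", "dst": "10.0.8.21",
     "request": "read holding registers", "response": "10 registers"},
]
FINGERPRINT_LIBRARY = [
    {"protocol_type": "HTTP", "text": "server examplehmi firmware 2.4.1",
     "vendor": "ExampleVendor-A", "model": "HMI-100"},
    {"protocol_type": "HTTP", "text": "server examplehmi firmware 1.0.0",
     "vendor": "ExampleVendor-A", "model": "HMI-50"},
    {"protocol_type": "SNMP", "text": "examplehmi firmware 2.4.1 200 ok server",
     "vendor": "ExampleVendor-B", "model": "SW-9"},
]


def asset_ip(record, segment):
    """Pick whichever endpoint lies inside the asset's IP segment."""
    net = ipaddress.ip_network(segment)
    for key in ("dst", "src"):
        if ipaddress.ip_address(record[key]) in net:
            return record[key]
    return None


def build_knowledge_meta(records, segment=ASSET_SEGMENT):
    """S404: one four-field knowledge meta-information entry per protocol type."""
    by_proto = {}
    for rec in records:
        ip = asset_ip(rec, segment)
        if ip is None:
            continue  # neither endpoint is the identified asset
        entry = by_proto.setdefault(rec["proto"], {
            "protocol_type": rec["proto"], "ip_address": ip,
            "request_content": [], "return_content": []})
        entry["request_content"].append(rec["request"])
        entry["return_content"].append(rec["response"])
    return {"communication_data": list(by_proto.values())}


def choose_request_protocol(meta):
    """S406: prefer a universal protocol; use an industrial one only if none exists."""
    supported = [e["protocol_type"] for e in meta["communication_data"]]
    for group, kind in ((UNIVERSAL, "universal"), (INDUSTRIAL, "special")):
        for proto in supported:
            if proto in group:
                return proto, kind
    return None, None


def add_version_info(meta, target_proto, version_info):
    """S410: append the returned version string to the target protocol's return content."""
    target = copy.deepcopy(meta)
    for entry in target["communication_data"]:
        if entry["protocol_type"] == target_proto:
            entry["return_content"].append(version_info)
    return target


def vectorize(text):
    """Assumed vectorisation: counts of lower-cased tokens, dotted versions kept whole."""
    return Counter(re.findall(r"[a-z0-9]+(?:\.[a-z0-9]+)*", text.lower()))


def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def rank(meta, library):
    """S412: score only fingerprints whose protocol type the asset supports."""
    supported = {e["protocol_type"] for e in meta["communication_data"]}
    parts = [s for e in meta["communication_data"]
             for s in e["request_content"] + e["return_content"]]
    knowledge_vector = vectorize(" ".join(parts))
    scored = [(cosine(knowledge_vector, vectorize(f["text"])), f["vendor"], f["model"])
              for f in library if f["protocol_type"] in supported]
    return sorted(scored, key=lambda s: s[0], reverse=True)


def identify(meta, library):
    """S414: manufacturer and model of the best-scoring fingerprint, or None."""
    ranked = rank(meta, library)
    return (ranked[0][1], ranked[0][2]) if ranked else None


if __name__ == "__main__":
    initial = build_knowledge_meta(SESSION_LOG)
    proto, kind = choose_request_protocol(initial)
    print(proto, kind, rank(initial, FINGERPRINT_LIBRARY))  # two HTTP candidates tie
    # Constructed reply standing in for the asset's answer to the request.
    target = add_version_info(initial, proto, "ExampleHMI firmware 2.4.1")
    print(identify(target, FINGERPRINT_LIBRARY))
```

With the passive log data alone the two HTTP fingerprints score identically; only the completed version string separates them, and the SNMP fingerprint is never scored because the asset does not speak SNMP.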
Corresponding to the above method embodiment, the embodiment of the present application further provides an industrial control asset identification device. Referring to fig. 5, the industrial control asset identification device 500 includes:
an initial asset information extraction module 502, configured to obtain web session log information and extract initial asset information of the identified asset from the web session log information;
an asset information acquisition request construction module 504, configured to construct an asset information acquisition request from the initial asset information;
an asset information acquisition request sending module 506, configured to send the asset information acquisition request to the identified asset;
an asset version information receiving module 508, configured to receive asset version information returned by the identified asset for the asset information acquisition request;
an asset version information complementing module 510, configured to add the asset version information to the initial asset information to obtain target asset information;
a target asset fingerprint vector determining module 512, configured to represent the target asset information as an asset knowledge vector, and select the target asset fingerprint vector with the highest similarity to the asset knowledge vector from the asset fingerprint vectors included in the asset fingerprint library;
a manufacturer and model information determining module 514, configured to determine the manufacturer and model information corresponding to the target asset fingerprint vector in the asset fingerprint library as the manufacturer and model information of the identified asset.
Optionally, the industrial control asset identification device 500 further includes:
an initial asset knowledge meta-information construction module, configured to represent the initial asset information as initial asset knowledge meta-information through a pre-constructed knowledge meta-model after the initial asset information is extracted;
the asset version information complementing module 510 is specifically configured to add the asset version information to the initial asset knowledge meta-information to obtain target asset knowledge meta-information;
the target asset fingerprint vector determining module 512 is specifically configured to represent the target asset knowledge meta-information as an asset knowledge vector, and select the target asset fingerprint vector with the highest similarity to the asset knowledge vector from the asset fingerprint vectors included in the asset fingerprint library.
Optionally, the knowledge meta-model includes: a communication protocol type field, an IP address field, a request content field, and a return content field; the initial asset information includes: data in communication protocol messages of all open ports of the identified asset;
the initial asset knowledge meta-information construction module is specifically configured to, after the initial asset information is extracted, construct knowledge meta-information corresponding to each communication protocol type used by the communication protocol messages of all the open ports of the identified asset, and to take the knowledge meta-information corresponding to all communication protocol types used by those messages as the initial asset knowledge meta-information;
the initial asset knowledge meta-information construction module is specifically configured to construct the knowledge meta-information corresponding to each communication protocol type through the following steps:
adding the communication protocol type used by the communication protocol message to the communication protocol type field;
adding the IP address of the identified asset in the communication protocol message to the IP address field;
adding the request information transmitted in the communication protocol message to the request content field;
and adding the return information transmitted in the communication protocol message to the return content field.
Optionally, the asset version information complementing module 510 is specifically configured to determine the communication protocol type used by the asset information acquisition request as the target communication protocol type, and to add the asset version information to the return content field corresponding to the target communication protocol type in the initial asset knowledge meta-information to obtain the target asset knowledge meta-information.
Optionally, the asset information acquisition request construction module 504 is specifically configured to determine, according to the initial asset information, the communication protocol types supported by the identified asset; if the communication protocol types supported by the identified asset include a universal protocol type, construct a universal asset information acquisition request corresponding to the universal protocol type; if the communication protocol types supported by the identified asset include an industrial control protocol type and do not include a universal protocol type, construct a special asset information acquisition request corresponding to the industrial control protocol type.
Optionally, the asset fingerprint library comprises asset fingerprint vectors corresponding to each communication protocol type;
The target asset fingerprint vector determining module 512 is specifically configured to represent the target asset knowledge meta-information as an asset knowledge vector, and use an asset fingerprint vector corresponding to the communication protocol type supported by the identified asset in the asset fingerprint library as a candidate asset fingerprint vector; calculating the similarity between each candidate asset fingerprint vector and the asset knowledge vector; and determining the candidate asset fingerprint vector corresponding to the maximum similarity as a target asset fingerprint vector.
Specific details of each module or unit in the above apparatus have been described in the corresponding method, and thus are not described herein.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the application. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
In an exemplary embodiment of the present application, there is also provided an electronic apparatus including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to perform the industrial control asset identification method described above in this example embodiment.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the application. It should be noted that, the electronic device 600 shown in fig. 6 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
As shown in fig. 6, the electronic device 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for system operation are also stored. The central processing unit 601, the ROM 602, and the RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a Local Area Network (LAN) card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. When executed by the central processing unit 601, the computer program performs the various functions defined in the apparatus of the present application.
In an embodiment of the present application, there is also provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above-mentioned industrial control asset identification method.
The computer readable storage medium according to the present application may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory, a read-only memory, an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, radio frequency, and the like, or any suitable combination of the foregoing.
In an embodiment of the present application, a computer program product is provided, which when run on a computer, causes the computer to execute the industrial control asset identification method described above.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is only a specific embodiment of the application to enable those skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An industrial control asset identification method, characterized in that the method comprises:
acquiring web session log information, and extracting initial asset information of the identified asset from the web session log information;
constructing an asset information acquisition request according to the initial asset information, and sending the asset information acquisition request to the identified asset;
receiving asset version information returned by the identified asset for the asset information acquisition request;
adding the asset version information to the initial asset information to obtain target asset information;
expressing the target asset information as an asset knowledge vector, and selecting the target asset fingerprint vector with the highest similarity to the asset knowledge vector from the asset fingerprint vectors contained in an asset fingerprint library;
and determining the manufacturer and model information corresponding to the target asset fingerprint vector in the asset fingerprint library as the manufacturer and model information of the identified asset.
2. The method according to claim 1, wherein the method further comprises:
after extracting the initial asset information, representing the initial asset information as initial asset knowledge meta-information through a pre-constructed knowledge meta-model;
the adding of the asset version information to the initial asset information to obtain target asset information specifically comprises:
adding the asset version information to the initial asset knowledge meta-information to obtain target asset knowledge meta-information;
the expressing of the target asset information as an asset knowledge vector specifically comprises:
representing the target asset knowledge meta-information as an asset knowledge vector.
3. The method of claim 2, wherein the knowledge metamodel comprises: a communication protocol type field, an internet protocol IP address field, a request content field, and a return content field; the initial asset information includes: data in communication protocol messages of all open ports of the identified asset;
the representing of the initial asset information as initial asset knowledge meta-information through a pre-constructed knowledge meta-model comprises:
constructing knowledge meta-information corresponding to each communication protocol type used by the communication protocol messages of all the open ports of the identified asset;
taking the knowledge meta-information corresponding to all communication protocol types used by the communication protocol messages of all the open ports as the initial asset knowledge meta-information;
the constructing of the knowledge meta-information corresponding to each communication protocol type comprises:
adding the communication protocol type used by the communication protocol message in the communication protocol type field;
adding the IP address of the identified asset in the communication protocol message in the IP address field;
adding the request information transmitted in the communication protocol message in the request content field;
and adding the return information transmitted in the communication protocol message in the return content field.
4. The method of claim 3, wherein the adding the asset version information to the initial asset knowledge meta-information comprises:
determining the communication protocol type used by the asset information acquisition request as a target communication protocol type;
and adding the asset version information to the return content field corresponding to the target communication protocol type in the initial asset knowledge meta-information.
5. The method of claim 1, wherein said constructing an asset information acquisition request from said initial asset information comprises:
determining the communication protocol types supported by the identified asset according to the initial asset information;
if the communication protocol types supported by the identified asset comprise a universal protocol type, constructing a universal asset information acquisition request corresponding to the universal protocol type;
and if the communication protocol types supported by the identified asset comprise an industrial control protocol type and do not comprise a universal protocol type, constructing a special asset information acquisition request corresponding to the industrial control protocol type.
6. The method of claim 1, wherein the asset fingerprint library comprises asset fingerprint vectors corresponding to each communication protocol type;
the selecting the target asset fingerprint vector with the highest similarity with the asset knowledge vector from the asset fingerprint vectors contained in the asset fingerprint library comprises the following steps:
taking an asset fingerprint vector corresponding to the communication protocol type supported by the identified asset in the asset fingerprint library as a candidate asset fingerprint vector;
calculating the similarity between each candidate asset fingerprint vector and the asset knowledge vector;
and determining the candidate asset fingerprint vector corresponding to the maximum similarity as a target asset fingerprint vector.
7. An industrial control asset identification device, the device comprising:
an initial asset information extraction module, configured to acquire web session log information and extract initial asset information of the identified asset from the web session log information;
an asset information acquisition request construction module, configured to construct an asset information acquisition request according to the initial asset information;
an asset information acquisition request sending module, configured to send the asset information acquisition request to the identified asset;
an asset version information receiving module, configured to receive asset version information returned by the identified asset for the asset information acquisition request;
an asset version information complementing module, configured to add the asset version information to the initial asset information to obtain target asset information;
a target asset fingerprint vector determining module, configured to represent the target asset information as an asset knowledge vector, and select the target asset fingerprint vector with the highest similarity to the asset knowledge vector from the asset fingerprint vectors contained in an asset fingerprint library;
and a manufacturer and model information determining module, configured to determine the manufacturer and model information corresponding to the target asset fingerprint vector in the asset fingerprint library as the manufacturer and model information of the identified asset.
8. The apparatus of claim 7, wherein the apparatus further comprises:
an initial asset knowledge meta-information construction module, configured to represent the initial asset information as initial asset knowledge meta-information through a pre-constructed knowledge meta-model after the initial asset information is extracted;
the asset version information complementing module is specifically configured to add the asset version information to the initial asset knowledge meta-information to obtain target asset knowledge meta-information;
the target asset fingerprint vector determining module is specifically configured to represent the target asset knowledge meta-information as an asset knowledge vector, and select the target asset fingerprint vector with the highest similarity to the asset knowledge vector from the asset fingerprint vectors contained in an asset fingerprint library.
9. An electronic device, comprising: a processor for executing a computer program stored in a memory, which when executed by the processor implements the method of any of claims 1-6.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311841646.8A CN117909699A (en) 2023-12-28 2023-12-28 Industrial control asset identification method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117909699A true CN117909699A (en) 2024-04-19

Family

ID=90693876

Country Status (1)

Country Link
CN (1) CN117909699A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination