CN206181087U - Active vulnerability detection system for industrial control systems - Google Patents

Active vulnerability detection system for industrial control systems

Info

Publication number: CN206181087U
Authority: CN (China)
Prior art keywords: control system, industrial control, server, vulnerability, data center
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN201621005419.7U
Other languages: Chinese (zh)
Inventors: 王维建, 李锐, 彭道刚
Assignee (current and original): SHANGHAI XINHUA CONTROL TECHNOLOGY (GROUP) Co Ltd
Priority date and filing date: 2016-08-30
Publication date: 2017-05-17

Abstract

The utility model discloses an active vulnerability detection system for industrial control systems (ICS), in the field of industrial control system security. The detection system uses a client/server model and comprises a controller, clients, a server, an assessment report module and a data center. The controller is connected to the server; the server is connected to the various clients; each client can reach the Internet through a firewall or router and can also exchange data with the data center; the server likewise exchanges data with the data center and generates the assessment report from the data the data center provides. The advantages of the utility model are that the vulnerability detection system needs no attack code to be developed; compared with the MBSA vulnerability detection system developed by Microsoft it detects faster and more accurately; it satisfies well the high-stability and high-real-time requirements of industrial control systems; it has no impact on the stable operation of the control system; and it is suitable for an administrator evaluating the security posture of an entire industrial control system.

Description

An active vulnerability detection system for industrial control systems
Technical field
The utility model relates to the field of industrial information security, and in particular to an active vulnerability detection system for industrial control systems.
Background art
The information security of industrial control systems bears on the safe and stable operation of the national energy and infrastructure industries and is a severe challenge facing enterprises and national security. System products increasingly use general-purpose protocols, commodity hardware and general-purpose software, and are connected in various ways to public networks such as the Internet, so viruses, Trojans and other threats spread into industrial control systems and their information security problems become ever more prominent. Process control systems have evolved from stand-alone, through distributed, toward networked designs, and in the network design stage have introduced various information and communication technologies (ICT), including Internet and wireless technologies. These new technologies also bring new challenges to the safety of basic activities in sectors such as electric power, water conservancy, transportation and large-scale manufacturing.
The protocols and designs of industrial control systems favour real-time behaviour and reliability of function; resistance to security attacks was neither designed in early nor effectively provided. Because of compatibility problems, industrial control systems are generally not upgraded or patched, and some workstation vendors explicitly forbid users from upgrading the system themselves. After long operation a system therefore accumulates a large number of security vulnerabilities, which leave the industrial control system extremely fragile under network attack and pose great hidden dangers to safe production. The state of ICS security can be summed up as "born weak, poorly maintained, and with a worrying future": systems cannot be upgraded in time, their vulnerabilities stay hidden and cannot be detected and repaired promptly, so the system's own hidden dangers cannot be ignored; system protocols lack security considerations, and security policies and management regimes are incomplete, so they are easily exploited by attackers; violating operations in the system cannot be properly audited, and the management of user access rights is incomplete; and system operators lack the necessary security awareness and operate in non-standard ways.
In recent years ICS security incidents have been frequent and the number of ICS vulnerabilities has grown explosively. The underlying reason that industrial control systems face denial of service, tampering with control commands, advanced persistent threats (APT) and other attacks is that the systems contain exploitable vulnerabilities. Vulnerabilities are the root of security problems, and vulnerability detection is the basis for solving them. Only by understanding the hidden dangers present in a system can protection be targeted.
Those skilled in the art are therefore devoted to developing an active vulnerability detection system for industrial control systems, to strengthen the vulnerability detection of industrial control systems and fundamentally solve their security problems.
Content of the utility model
In view of the above drawbacks of the prior art, the technical problem to be solved by the utility model is how to achieve active security detection of an industrial control system.
To achieve this aim, the utility model provides an active vulnerability detection system for industrial control systems comprising a controller, clients, a server, an assessment report module and a data center, wherein the controller is connected to the server, the server is connected to the various clients, each client connects to the Internet through a firewall and/or router and is connected to the data center for data exchange, and the server is connected to the data center for data exchange. The vulnerability detection system is configured to collect the software, user, process and application configuration information of the industrial control system, then make logical judgements to find the security vulnerabilities present in the industrial control system, and generate an assessment report through the assessment report module from the data provided by the data center.
Further, the controller is configured so that the administrator can start and stop the vulnerability detection system and set detection parameters and detection targets as required.
Further, the server is configured to notify the clients to collect data and judge the detection logic conditions, and, after receiving the message that all clients have finished detection, to notify the assessment report module to generate the assessment report.
Further, each client is configured, after receiving the message sent by the server, to read the system and configuration information of the local machine, judge whether the logical conditions for the presence of a vulnerability hold, and finally send the detection result to the data center while notifying the server that detection is complete.
Further, the data center is configured as the common interface of the clients and the assessment report module, storing all of the system's information, including the vulnerability database, the logical conditions for the presence of each vulnerability, and the CVE lists detected by the clients.
Further, the assessment report module is configured to provide the system administrator with vulnerability information about the assessed targets, including vulnerability name, vulnerability publication date, vulnerability description, danger level, loss type, vulnerability type, exposed system component, related reference information, vulnerable software and its version, and remedial measures.
The advantage of the utility model is that the proposed vulnerability detection system needs no attack code to be developed; compared with the MBSA vulnerability detection system developed by Microsoft it detects faster and more accurately, satisfies well the high-stability and high-real-time requirements of industrial control systems, is suitable for an administrator assessing the security state of an entire industrial control system, and has no impact on the stable operation of the control system.
The concept, concrete structure and technical effects of the utility model are further described below with reference to the drawings, so that its purpose, features and effects can be fully understood.
Description of the drawings
Fig. 1 is the structure diagram of the active vulnerability detection system of a preferred embodiment of the utility model;
Fig. 2 is the vulnerability detection information diagram of a preferred embodiment of the utility model;
Fig. 3 is the vulnerability detection flow chart of a preferred embodiment of the utility model;
Fig. 4 is the experimental test environment diagram of a preferred embodiment of the utility model.
Specific embodiments
The utility model is described in further detail below with reference to the drawings and specific embodiments.
The active security vulnerability detection system for industrial control systems described in the utility model uses the client/server (C/S) model and mainly comprises the following modules: controller, client, server, assessment report and data center. Its architecture is shown in Fig. 1, where dotted lines denote control signals (the arrow pointing in the direction of signal flow) and solid lines denote data messages (the arrow pointing in the direction of data flow). The controller is connected to the server; the server is connected to the various clients; a client can connect to the Internet through a firewall or router and can also exchange data with the data center; the server is likewise connected to the data center for data exchange, and the assessment report is generated from the data the data center provides. The security vulnerability detection system first collects the software, user, process and application configuration information of the system, then makes logical judgements to find the security vulnerabilities present in the system.
The function of each module in the architecture and the relations between them are as follows. The controller is the user interface of the vulnerability detection system; it is mainly used by the administrator to start and stop the system and to set detection parameters and detection targets as required. The server is responsible for coordinating the system: it notifies the clients to collect data and judge the detection logic conditions, and after receiving the messages that all clients have finished detection it notifies the vulnerability assessment report module to output the assessment report. A client, after receiving the message sent by the server, reads the system and configuration information of the local machine, judges whether the logical conditions for the presence of each vulnerability hold, finally sends the detection result to the data center and notifies the server module that detection is complete. The data center is the common interface of the client modules and the assessment report module; all information in the system is stored there, including the vulnerability database, the logical conditions for the presence of each vulnerability, and the CVE (Common Vulnerabilities and Exposures) lists detected by the client modules. The vulnerability assessment report provides the system administrator with vulnerability information about the assessed targets, mainly including vulnerability name, vulnerability publication date, vulnerability description, danger level, loss type, vulnerability type, exposed system component, related reference information, vulnerable software and its version, and remedial measures.
The core of this non-destructive vulnerability detection is to make logical judgements on the system's configuration information and thereby obtain the vulnerabilities present in the system. First the operating system version, the names of the vulnerable files, the application versions and the patch status are read, to judge whether vulnerable software is present. Then whether the corresponding service is running, the concrete configuration settings and other working areas are obtained, to judge whether a vulnerable configuration is present. The concrete principle is given below.
First, five sets are defined: (1) file names $FN = \{fn_1, fn_2, \ldots, fn_n\}$; (2) software versions $AV = \{av_1, av_2, \ldots, av_m\}$; (3) software patches $PS = \{ps_1, ps_2, \ldots, ps_k\}$; (4) running services $RS = \{rs_1, rs_2, \ldots, rs_t\}$; (5) configuration settings $CS = \{cs_1, cs_2, \ldots, cs_i\}$. Every element of these five sets is a three-valued variable with domain $\{0, 1, \Phi\}$: when the judgement of a vulnerability does not use a given variable, its value is $\Phi$; when the system has the corresponding information, the variable's value is 1; otherwise its value is 0.
Secondly, three functions are defined:
(1) the discriminant function $g(fn, av, ps)$ that judges whether the system has the vulnerable software (formula (1)), where $fn \in FN$, $av \in AV$, $ps \in PS$; its output states whether the vulnerable software on which the vulnerability depends is present.
(2) the discriminant function $h(rs, cs)$ that judges whether the system has the vulnerable configuration (formula (2)), where $rs \in RS$, $cs \in CS$; its output states whether the vulnerable configuration related to the vulnerability is present.
(3) the discriminant function that judges whether the system is vulnerable to the vulnerability:
$$F(g, h) = g(fn, av, ps) \cap h(rs, cs) \qquad (3)$$
The output of formula (3) is the conclusion about whether the vulnerability exists: a value of 1 means the vulnerability is present and a value of 0 means it is absent. To judge whether the system has a certain vulnerability, formula (1) is first used to judge whether the vulnerable software on which the vulnerability depends exists; formula (2) then judges whether the vulnerable configuration on which the vulnerability depends exists; finally formula (3) gives the judgement of whether the system is vulnerable.
This is illustrated with the detection, on a Windows operating system, of the vulnerability in which Remote Data Protocol (RDP) plaintext session data is not encrypted. Here $fn = \text{Terminal Server 5.0} \in FN$, $cs = \Phi \in CS$, $av = \text{rdpwd.sys version} \in AV$, $rs = \text{RDP service} \in RS$, $ps = \text{Patch Q324380\_W2K\_SP4\_X86\_EN.exe} \in PS$, which gives the following two discriminant functions:
$$g = [\text{Terminal Server 5.0}] \cap [\text{rdpwd.sys version} < 5.0.2195.5880] \cap \lnot[\text{Patch Q324380\_W2K\_SP4\_X86\_EN.exe}] \qquad (4)$$
$$h = [\text{RDP service}] \cap \Phi \qquad (5)$$
By reading the registry values and file system attributes of the system, the values of the functions $g$ and $h$ are obtained, and formula (3) then decides whether the system has the vulnerability named "Remote Data Protocol (RDP) plaintext session data is not encrypted" (CAN-2002-0863).
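The three-valued judgement of formulas (1) to (5) carried through in code, as an added example that is not part of the patent. The service name, file, version threshold and patch identifier are those written in formulas (4) and (5); the reading of Φ as an identity element of "∩" (an unused variable never decides the result), the HostFacts structure and the host snapshots are assumptions made for the example. A real client would fill HostFacts from the registry and file system of the machine it runs on, which requires read access to both.

```python
"""Three-valued discriminant logic of formulas (1)-(5), as an added example.

Not code from the patent. Each element of FN, AV, PS, RS and CS takes a value
in {0, 1, Φ}. Φ (here PHI = None) marks a variable the judgement does not use,
so the "∩" of formulas (3)-(5) is implemented as a three-valued AND in which Φ
is the identity: Φ ∩ x = x. Host snapshots below are constructed, not measured.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

PHI = None              # Φ: "not used by this judgement"
Tri = Optional[int]     # a three-valued variable: 0, 1 or PHI


def tri_and(*vals: Tri) -> Tri:
    """Three-valued conjunction: PHI is ignored, any 0 gives 0, all-PHI stays PHI."""
    used = [v for v in vals if v is not PHI]
    if not used:
        return PHI
    return int(all(used))


def tri_not(v: Tri) -> Tri:
    """Negation for the '!Patch' term of formula (4); PHI stays PHI."""
    return PHI if v is PHI else 1 - v


def version_tuple(s: str) -> Tuple[int, ...]:
    """Compare versions numerically, so '5.0.2195.10000' is newer than '5.0.2195.5880'."""
    return tuple(int(p) for p in s.split("."))


@dataclass(frozen=True)
class HostFacts:
    """What a client reads from the registry and file system of the local machine (assumed layout)."""
    terminal_server_version: Optional[str]   # registry ProductVersion, None if the key is absent
    rdpwd_sys_version: Optional[str]         # file version of rdpwd.sys, None if the file is absent
    installed_patches: FrozenSet[str]
    running_services: FrozenSet[str]


def g_can_2002_0863(f: HostFacts) -> Tri:
    """Formula (4): Terminal Server 5.0 ∩ (rdpwd.sys < 5.0.2195.5880) ∩ !Patch Q324380."""
    fn = int(f.terminal_server_version == "5.0")
    # An absent file means the vulnerable software information is absent: value 0, not Φ.
    av = int(f.rdpwd_sys_version is not None
             and version_tuple(f.rdpwd_sys_version) < version_tuple("5.0.2195.5880"))
    ps = int("Q324380_W2K_SP4_X86_EN.exe" in f.installed_patches)
    return tri_and(fn, av, tri_not(ps))


def h_can_2002_0863(f: HostFacts) -> Tri:
    """Formula (5): RDP service ∩ Φ; no configuration setting cs is used."""
    rs = int("RDP service" in f.running_services)   # service name as written in the text
    cs = PHI
    return tri_and(rs, cs)


def F(g: Tri, h: Tri) -> Tri:
    """Formula (3): F(g, h) = g ∩ h; 1 = vulnerable, 0 = not vulnerable."""
    return tri_and(g, h)


def detect_can_2002_0863(f: HostFacts) -> Tri:
    return F(g_can_2002_0863(f), h_can_2002_0863(f))


# Constructed host snapshots, not measured data.
UNPATCHED = HostFacts("5.0", "5.0.2195.5000", frozenset(), frozenset({"RDP service"}))
PATCHED = HostFacts("5.0", "5.0.2195.5880",
                    frozenset({"Q324380_W2K_SP4_X86_EN.exe"}), frozenset({"RDP service"}))
RDP_STOPPED = HostFacts("5.0", "5.0.2195.5000", frozenset(), frozenset())

if __name__ == "__main__":
    for name, host in [("unpatched", UNPATCHED), ("patched", PATCHED), ("rdp stopped", RDP_STOPPED)]:
        print(f"{name:12s} g={g_can_2002_0863(host)} h={h_can_2002_0863(host)} "
              f"F={detect_can_2002_0863(host)}")
```

The third snapshot shows why formula (3) has two factors: a host with the vulnerable driver but the RDP service stopped has g = 1 and h = 0, so F = 0, and the vulnerability is reported only where the vulnerable configuration is actually exposed.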
The implementation of the vulnerability detection system includes defining the information to be collected, the judgement rules for the vulnerability logical conditions, and the coordination between the controller, the server and the clients. Taking a Windows system as an example, the implementation process is as follows.
(1) System information collection
Defining the system information to be collected is the first step of the vulnerability detection system's work. For a Windows system the main information to collect is system files, the registry, processes, registered users and IIS server registration information.
(2) Rule detection
Detection rules are the core of the vulnerability detection system; they specify the vulnerable conditions a vulnerability depends on and how to judge whether those conditions hold. The detection information is shown in Fig. 2. In the figure, the correspondence between a vulnerability and its vulnerable conditions may be one-to-one or one-to-many. Conditions(i) (i = 1, 2, ..., n) are the vulnerable conditions of a vulnerability, and RULE is the judgement rule of a vulnerable condition, in the form IF ..., THEN .... For example, one vulnerable condition of vulnerability CAN-2002-0863 is Conditions(1) = Terminal Server 5.0, whose judgement rule is:
IF RegistryKey =
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' AND EntryName = 'ProductVersion' AND EntryValue = '5.0' in TABLE Win2K_RegistryKeys, THEN Terminal Server 5.0.
(3) Data center
The data center holds all the data used in the assessment process, including the system configuration information, the vulnerability information, the detection results and the system information the vulnerability detection system collects during assessment. The system information collected directly determines the assessment result; these data are determined by a platform-specific schema.
(4) Implementation flow
As shown in Fig. 3, the implementation of the system comprises building the information tables, obtaining the system information, detection logic judgement and output of the assessment result:
Step 1: Build the information tables
First, build the vulnerability information table VUL_LIST and the corresponding query information table Detail_LIST from the information provided on the MITRE web site, and add the corresponding information manually;
Second, build:
a. the system registry information table Win2K_RegistryKeys and its configuration table Win2K_RegistryKeys_Conf;
b. the file attribute table Win2K_FileAttributes and its configuration table Win2K_FileAttributes_Conf;
c. the metabase key table Win2K_MetabaseKeys and its configuration table Win2K_MetabaseKeys_Conf.
Step 2: Obtain the system information
First, fill the configuration tables Win2K_RegistryKeys_Conf, Win2K_FileAttributes_Conf and Win2K_MetabaseKeys_Conf using database INSERT statements;
Second, according to the RegistryKey entries of configuration table Win2K_RegistryKeys_Conf, read the corresponding EntryName, EntryType and EntryValue values from the system and fill them into the Win2K_RegistryKeys table;
Third, according to the FilePath entries of configuration table Win2K_FileAttributes_Conf, read the corresponding Owner, Filesize, Modified, MSChecksum, MD5 and Version values from the system and fill them into the Win2K_FileAttributes table;
Finally, according to the MetabaseKey entries of configuration table Win2K_MetabaseKeys_Conf, read the corresponding Id, Name and other values from the system and fill them into the Win2K_MetabaseKeys table.
Step 3: Detection logic judgement
Read the CVE_IDs in VUL_LIST one by one; for each, look up the RULE of each of its vulnerable conditions Conditions(i) in the Detail_LIST table, read the corresponding information from the corresponding table and match it against the rule, thereby obtaining the judgement of whether the vulnerability exists.
Step 4: Output the assessment result
For each system vulnerability found, look up the associated information in the vulnerability database by its CVE name, and display the results classified by host IP and vulnerability severity level.
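Steps 1 to 4 run end to end against an in-memory SQLite database standing in for the data center, as an added example that is not the patent's code. Table and column names follow the text (VUL_LIST, Detail_LIST, Win2K_RegistryKeys and Win2K_RegistryKeys_Conf, Win2K_FileAttributes and Win2K_FileAttributes_Conf; the IIS metabase tables are left out). The row layout of Detail_LIST, the hotfix registry key used for the patch check, the rdpwd.sys path and the two host snapshots are assumptions made for this example; the rules encode the three conditions of CAN-2002-0863 from formula (4).

```python
"""Table-driven detection loop of Steps 1-4, with SQLite standing in for the data center.

Added example, not the patent's code. Table and column names follow the text;
the Detail_LIST row layout, HOTFIX_KEY, RDPWD and the host snapshots are assumptions.
"""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE VUL_LIST(CVE_ID TEXT PRIMARY KEY, Name TEXT, Severity INTEGER);
CREATE TABLE Detail_LIST(CVE_ID TEXT, CondNo INTEGER, TableName TEXT, KeyPath TEXT,
                         EntryName TEXT, Op TEXT, Value TEXT, Negate INTEGER);
CREATE TABLE Win2K_RegistryKeys_Conf(RegistryKey TEXT, EntryName TEXT);
CREATE TABLE Win2K_RegistryKeys(RegistryKey TEXT, EntryName TEXT, EntryType TEXT, EntryValue TEXT);
CREATE TABLE Win2K_FileAttributes_Conf(FilePath TEXT);
CREATE TABLE Win2K_FileAttributes(FilePath TEXT, Version TEXT);
"""
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
HOTFIX_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q324380"  # assumed
RDPWD = r"C:\WINNT\system32\drivers\rdpwd.sys"  # assumed path

# Step 1: the RULEs of CAN-2002-0863, one row per Conditions(i). All rows of a CVE
# must hold (the ∩ of formula 3); Negate=1 encodes the !Patch term of formula (4).
RULES = [
    ("CAN-2002-0863", 1, "Win2K_RegistryKeys", TS_KEY, "ProductVersion", "=", "5.0", 0),
    ("CAN-2002-0863", 2, "Win2K_FileAttributes", RDPWD, "Version", "<", "5.0.2195.5880", 0),
    ("CAN-2002-0863", 3, "Win2K_RegistryKeys", HOTFIX_KEY, "Installed", "=", "1", 1),
]

def vercmp(a: str, b: str) -> int:
    """Numeric compare; as TEXT, SQL would sort '5.0.2195.10000' before '5.0.2195.5880'."""
    ta, tb = (tuple(int(p) for p in v.split(".")) for v in (a, b))
    return (ta > tb) - (ta < tb)

def build_data_center() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO VUL_LIST VALUES (?,?,?)",
               ("CAN-2002-0863", "RDP plaintext session data not encrypted", 3))
    db.executemany("INSERT INTO Detail_LIST VALUES (?,?,?,?,?,?,?,?)", RULES)
    # The _Conf tables tell the client what to read; derive them from the rules.
    db.executemany("INSERT INTO Win2K_RegistryKeys_Conf VALUES (?,?)",
                   {(r[3], r[4]) for r in RULES if r[2] == "Win2K_RegistryKeys"})
    db.executemany("INSERT INTO Win2K_FileAttributes_Conf VALUES (?)",
                   {(r[3],) for r in RULES if r[2] == "Win2K_FileAttributes"})
    return db

def collect(db, registry: Dict[Tuple[str, str], str], files: Dict[str, str]) -> None:
    """Step 2: read only what the _Conf tables ask for. `registry` and `files` are
    constructed snapshots standing in for the live registry and file system."""
    db.execute("DELETE FROM Win2K_RegistryKeys")
    db.execute("DELETE FROM Win2K_FileAttributes")
    for key, entry in db.execute("SELECT * FROM Win2K_RegistryKeys_Conf").fetchall():
        if (key, entry) in registry:      # an absent key or value yields no row
            db.execute("INSERT INTO Win2K_RegistryKeys VALUES (?,?,?,?)",
                       (key, entry, "REG_SZ", registry[(key, entry)]))
    for (path,) in db.execute("SELECT * FROM Win2K_FileAttributes_Conf").fetchall():
        if path in files:
            db.execute("INSERT INTO Win2K_FileAttributes VALUES (?,?)", (path, files[path]))

def condition_holds(db, table, key, entry, op, value, negate) -> bool:
    """Match one RULE: IF the row in TABLE satisfies <op> <value> THEN the condition holds."""
    if table == "Win2K_RegistryKeys":
        row = db.execute("SELECT EntryValue FROM Win2K_RegistryKeys WHERE RegistryKey=? "
                         "AND EntryName=?", (key, entry)).fetchone()
    else:                                 # Win2K_FileAttributes, Version column only
        row = db.execute("SELECT Version FROM Win2K_FileAttributes WHERE FilePath=?", (key,)).fetchone()
    if row is None:
        matched = False                   # information absent -> variable value 0
    elif op == "=":
        matched = row[0] == value
    elif op == "<":
        matched = vercmp(row[0], value) < 0
    else:
        raise ValueError(op)
    return matched != bool(negate)

def detect(db) -> List[Tuple[str, str, int]]:
    """Step 3: for each CVE_ID in VUL_LIST, fetch its RULEs from Detail_LIST and match them all."""
    found = []
    for cve, name, sev in db.execute("SELECT CVE_ID, Name, Severity FROM VUL_LIST").fetchall():
        conds = db.execute("SELECT TableName, KeyPath, EntryName, Op, Value, Negate "
                           "FROM Detail_LIST WHERE CVE_ID=? ORDER BY CondNo", (cve,)).fetchall()
        if conds and all(condition_holds(db, *c) for c in conds):
            found.append((cve, name, sev))
    return found

def assess(hosts) -> List[Tuple[str, str, int]]:
    """Step 4: run every host; order findings by host IP, then severity (highest first)."""
    db = build_data_center()
    report = []
    for ip, (registry, files) in hosts.items():
        collect(db, registry, files)
        report += [(ip, cve, sev) for cve, _name, sev in detect(db)]
    return sorted(report, key=lambda r: (r[0], -r[2]))

# Constructed host snapshots, not measured data: .226 lacks the hotfix, .218 has it.
HOSTS = {
    "192.168.1.226": ({(TS_KEY, "ProductVersion"): "5.0"}, {RDPWD: "5.0.2195.5000"}),
    "192.168.1.218": ({(TS_KEY, "ProductVersion"): "5.0", (HOTFIX_KEY, "Installed"): "1"},
                      {RDPWD: "5.0.2195.5880"}),
}
```

Calling assess(HOSTS) returns one finding, for 192.168.1.226. Two details matter in practice: a missing registry key or file produces no row, which the matcher reads as value 0 (so a negated patch condition holds when the hotfix key is absent), and versions are compared numerically in Python rather than as TEXT in SQL, because a text comparison would rank a later build such as 5.0.2195.10000 below 5.0.2195.5880 and report a fixed host as vulnerable.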
The designed vulnerability detection system was tested in the experimental environment shown in Fig. 4. The environment is an internal 10 Mbit/s LAN segment 192.168.1.0/24 that shares one class C address, 202.117.14.189, to connect to the Internet. The controller and server of the vulnerability detection system are installed on host 192.168.1.19; 192.168.1.231 serves as the database server; three hosts, 192.168.1.226, 192.168.1.218 and 192.168.1.18, are the detection targets, with the client of the vulnerability detection system installed on them. The operating system of the three hosts is Windows 2000, and host 192.168.1.226 has all security patches installed except the IE browser patch.
For comparison, Microsoft's vulnerability scanner Microsoft Baseline Security Analyzer (MBSA), the most capable vulnerability detection system for the Windows platform at the time, was chosen. The scan results of the two detection systems, ICS-VS and MBSA, against host 192.168.1.226 are as follows:
1) For the same single target host, MBSA took 40 seconds and ICS-VS 21 seconds, almost half of MBSA, which fully demonstrates the speed of ICS-VS. This is mainly because ICS-VS obtains the system's vulnerabilities from the system configuration information by internal queries; its detection speed is therefore faster than that of vulnerability assessment systems that work by external scanning.
2) In the number of vulnerabilities found before IE 6.0 SP1 was installed, MBSA found 3 and ICS-VS found 7. Going through the vulnerabilities found and checking against the data on Microsoft's web site, the fixes for all the vulnerabilities ICS-VS found are included in IE 6.0 SP1. This shows that the system is very accurate.
To test the detection speed of ICS-VS further, the three hosts were each scanned three times; the shortest time for ICS-VS was 30 seconds and the shortest time for MBSA was 150 s. This test further highlights the great advantage of the system, its speed, and shows that the system can be applied in large-scale industrial control environments; it fully demonstrates the benefit of a vulnerability assessment approach that uses system configuration information and internal queries.
The utility model proposes ICS-VS, an active non-destructive vulnerability detection system for industrial control systems, which meets well the high-stability and high-real-time requirements of industrial control systems. The experiments on hosts and on an industrial control network show that the proposed network vulnerability detection and assessment system ICS-VS has the advantages of high detection accuracy and high speed, needs no attack code to be developed, and has zero impact on the run-time performance of the detection targets. The detection system is suited to network administrators analysing the security state of industrial control systems and has good application prospects.
Preferred embodiments of the utility model have been described in detail above. It should be understood that a person of ordinary skill in the art can make many modifications and variations based on the concept of the utility model without creative effort. Therefore, any technical solution that a person skilled in the art can obtain from the prior art by logical analysis, reasoning or limited experimentation in accordance with the concept of the utility model falls within the scope of protection defined by the claims.

Claims (6)

1. An active vulnerability detection system for industrial control systems, characterised in that it comprises a controller, clients, a server, an assessment report module and a data center, wherein the controller is connected to the server, the server is connected to the various clients, each client connects to the Internet through a firewall and/or router and is connected to the data center for data exchange, and the server is connected to the data center for data exchange; the vulnerability detection system is configured to collect the software, user, process and application configuration information of the industrial control system, then make logical judgements to find the security vulnerabilities present in the industrial control system, and generate an assessment report through the assessment report module from the data provided by the data center.
2. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the controller is configured so that the administrator can start and stop the vulnerability detection system and set detection parameters and detection targets as required.
3. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the server is configured to notify the clients to collect data and judge the detection logic conditions, and, after receiving the message that all clients have finished detection, to notify the assessment report module to generate the assessment report.
4. The active vulnerability detection system for industrial control systems of claim 1, characterised in that each client is configured, after receiving the message sent by the server, to read the system and configuration information of the local machine, judge whether the logical conditions for the presence of a vulnerability hold, and finally send the detection result to the data center while notifying the server that detection is complete.
5. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the data center is configured as the common interface of the clients and the assessment report module, storing all of the system's information, including the vulnerability database, the logical conditions for the presence of each vulnerability, and the CVE lists detected by the clients.
6. The active vulnerability detection system for industrial control systems of claim 1, characterised in that the assessment report module is configured to provide the system administrator with vulnerability information about the assessed targets, the vulnerability information including vulnerability name, vulnerability publication date, vulnerability description, danger level, loss type, vulnerability type, exposed system component, related reference information, vulnerable software and its version, and remedial measures.
Priority Applications (1)

Application number CN201621005419.7U, priority date 2016-08-30, filing date 2016-08-30: Active vulnerability detection system for industrial control systems (CN206181087U, en)

Publications (1)

Publication number CN206181087U (en), publication date 2017-05-17

Family

ID=58674839

Cited By (2)

* Cited by examiner, † Cited by third party
CN109613899A * (priority date 2018-12-21, published 2019-04-12, assignee 国家计算机网络与信息安全管理中心): A method for industrial control system security risk assessment based on configuration tables
CN110262420A * (priority date 2019-06-18, published 2019-09-20, assignee 国家计算机网络与信息安全管理中心): A distributed industrial control network security detection system

Legal Events

GR01 Patent grant