CN114422249A - A Modbus security detection method - Google Patents
- Publication number: CN114422249A
- Application number: CN202210067486.5A
- Authority: CN (China)
- Prior art keywords: modbus, filtering, message, modbus message, detection method
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network security for controlling access to devices or network resources
          - H04L63/101—Access control lists [ACL]
        - H04L63/02—Network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
        - H04L63/14—Network security for detecting or protecting against malicious traffic
          - H04L63/1408—Detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1425—Traffic logging, e.g. anomaly detection
      - H04L12/00—Data switching networks
        - H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
          - H04L12/40—Bus networks
            - H04L2012/40208—Bus networks characterized by the use of a particular bus standard
              - H04L2012/40228—Modbus
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a Modbus security detection method comprising the following steps: filtering Modbus messages at the message structure layer according to an ACL policy, a protocol stack fingerprint policy and DPI rules; and, for messages that pass the structure layer filtering, setting a word sequence for the messages, permuting and combining the values of a plurality of bytes of the message according to that word sequence to obtain the point value data corresponding to the Modbus message, and filtering the Modbus message at the content layer based on the point value data. In this way, after a Modbus message has been filtered at the structure level according to the configured ACL policy, protocol stack fingerprint policy and DPI rules, the values of several bytes in the message are arranged and combined according to the configured word order and the message is then filtered at the content level, which improves the security of the data messages.
Description
Technical Field
The invention belongs to the technical field of industrial information security and specifically relates to a Modbus security detection method.
Background
A commercial firewall is a common network security device whose functions include access control, network address translation, attack protection and traffic auditing. Access control is the security mechanism that separates different network security domains: it filters data at the network and transport layers, inspecting the source IP address, destination IP address, source port number, destination port number, protocol type and so on of each packet in a data flow, and decides whether the packet is allowed to pass.
Industrial control systems such as supervisory control and data acquisition (SCADA) systems, distributed control systems, process control systems and programmable logic controllers are widely used to operate production equipment in industrial sectors such as nuclear facilities, steel, the chemical industry, hydroelectric power, electric power, natural gas, advanced manufacturing, water conservancy hubs, environmental protection, railways, urban rail transit, civil aviation, and urban water, gas and heat supply. However, the communication protocols used in industrial networks, such as Modbus, are application layer protocols, whereas the access control of a commercial firewall can only match and filter key fields of the network and transport layers of a packet. Lacking a technique for deep parsing and filtering of industrial protocol packets, such a firewall cannot inspect industrial protocol data in depth, and the system remains exposed to attack.
Disclosure of Invention
The invention aims to provide a Modbus security detection method that improves the security of data messages.
To achieve this aim, the invention provides a Modbus security detection method comprising the following steps:
filtering Modbus messages at the message structure layer according to an ACL policy, a protocol stack fingerprint policy and DPI rules;
and, for messages that pass the structure layer filtering, setting a word sequence for the messages, permuting and combining the values of a plurality of bytes of the message according to that word sequence to obtain the point value data corresponding to the Modbus message, and filtering the Modbus message at the content layer based on the point value data.
Optionally, the Modbus message structure layer filtering includes:
if the ACL policy filtering fails, discarding the Modbus message and generating an alarm log; and if the ACL policy filtering passes, filtering the Modbus message according to the protocol stack fingerprint policy.
Optionally, the protocol stack fingerprint policy filtering decision includes:
if the protocol stack fingerprint policy filtering fails, discarding the Modbus message and generating an alarm log; and if the protocol stack fingerprint policy filtering passes, filtering the Modbus message according to the DPI rules.
Optionally, the DPI rule filtering decision includes:
if the DPI rule filtering fails, discarding the Modbus message and generating an alarm log; and if the DPI rule filtering passes, determining the operation type of the Modbus message.
Optionally, the operation type decision includes:
if the operation type is a read operation, determining that the Modbus message passes detection; and if the operation type is a write operation, arranging and combining the values of a plurality of bytes in the Modbus message according to the word sequence order to obtain the point value data corresponding to the Modbus message.
Optionally, the decision on the point value data corresponding to the Modbus message includes:
determining whether the point value data corresponding to the Modbus message lies within a threshold range; if the point value data lies within the set threshold range, determining that the Modbus message passes detection; and if the point value data does not lie within the set threshold range, discarding the Modbus message and generating an alarm log.
Optionally, the Modbus message structure layer filtering further includes: checking each message, and issuing traffic monitoring early warnings, abnormal instruction warnings and access security early warnings through event statistics, traffic statistics, correlation analysis and abnormal time analysis.
Optionally, the Modbus message content layer filtering further includes: performing filtering, NAT, state monitoring, dynamic port opening, address binding, denial of service attack resistance and network scanning protection on each piece of data against the white list data entered by the user, and managing the state of the assets and the configured equipment.
The technical effects of the invention are as follows: the invention discloses a Modbus security detection method in which, after the message structure layer of a Modbus message has been filtered according to the set ACL policy, protocol stack fingerprint policy and DPI rules, the values of a plurality of bytes in the Modbus message are arranged and combined according to the set word sequence to obtain the point value data corresponding to the Modbus message, and the Modbus message is then filtered at the content layer.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
Fig. 1 is a schematic flow chart of a Modbus security detection method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a Modbus security detection method according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps illustrated or described may be performed in an order different from the one presented here.
As shown in Figs. 1 and 2, the present embodiment provides a Modbus security detection method comprising:
filtering Modbus messages at the message structure layer according to an ACL policy, a protocol stack fingerprint policy and DPI rules;
and, for messages that pass the structure layer filtering, setting a word sequence for the messages, permuting and combining the values of a plurality of bytes of the message according to that word sequence to obtain the point value data corresponding to the Modbus message, and filtering the Modbus message at the content layer based on the point value data.
In a further refinement of the scheme, the Modbus message structure layer filtering includes:
if the ACL policy filtering fails, discarding the Modbus message and generating an alarm log; and if the ACL policy filtering passes, filtering the Modbus message according to the protocol stack fingerprint policy.
In a further refinement of the scheme, the protocol stack fingerprint policy filtering decision includes:
if the protocol stack fingerprint policy filtering fails, discarding the Modbus message and generating an alarm log; and if the protocol stack fingerprint policy filtering passes, filtering the Modbus message according to the DPI rules.
In a further refinement of the scheme, the DPI rule filtering decision includes the following steps:
if the DPI rule filtering fails, discarding the Modbus message and generating an alarm log; and if the DPI rule filtering passes, determining the operation type of the Modbus message.
In a further refinement of the scheme, the operation type decision includes:
if the operation type is a read operation, determining that the Modbus message passes detection; and if the operation type is a write operation, arranging and combining the values of a plurality of bytes in the Modbus message according to the word sequence order to obtain the point value data corresponding to the Modbus message.
In a further refinement of the scheme, the decision on the point value data corresponding to the Modbus message includes the following steps:
determining whether the point value data corresponding to the Modbus message lies within a threshold range; if the point value data lies within the set threshold range, determining that the Modbus message passes detection; and if the point value data does not lie within the set threshold range, discarding the Modbus message and generating an alarm log.
In a further refinement of the scheme, the Modbus message structure layer filtering further includes: checking each message, and issuing traffic monitoring early warnings, abnormal instruction warnings and access security early warnings through event statistics, traffic statistics, correlation analysis and abnormal time analysis.
In a further refinement of the scheme, the Modbus message content layer filtering further includes: performing filtering, NAT, state monitoring, dynamic port opening, address binding, denial of service attack resistance and network scanning protection on each piece of data against the white list data entered by the user, and managing the state of the assets and the configured equipment.
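The operation-type and point-value steps above, worked as an added example (this is not code from the patent): a Modbus/TCP frame is parsed, read requests pass, and write requests (function codes 0x06 and 0x10) have their register bytes permuted according to a configured word order into one point value that is checked against a threshold range, with a drop and an alarm entry on failure. The point table, the word-order names "ABCD"/"CDAB", the function-code allow-list and the alarm format are assumptions chosen for illustration.

```python
"""Modbus/TCP content-layer check (added example, not code from the patent).
Reads pass; writes (FC 0x06/0x10) are reassembled into a point value in the
configured word order and checked against a threshold range. The point
table, word-order names and alarm format are assumptions for illustration."""
import struct

READ_FCS = {0x01, 0x02, 0x03, 0x04}
WRITE_FCS = {0x06, 0x10}
# Assumed point table: start register -> (word order, type, low, high).
# "ABCD" = high word first, "CDAB" = low word first (names are assumptions).
POINTS = {100: ("ABCD", "float32", 0.0, 150.0),
          200: ("CDAB", "uint32", 0, 5000)}
alarm_log = []  # one entry per discarded frame

def parse_frame(frame: bytes):
    """Split a Modbus/TCP frame into (unit id, function code, data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP protocol id or length mismatch")
    return uid, frame[7], frame[8:]

def written_registers(fc: int, data: bytes):
    """Return (start address, [16-bit register values]) of a write request."""
    if fc == 0x06:
        addr, val = struct.unpack(">HH", data[:4])
        return addr, [val]
    addr, qty, bc = struct.unpack(">HHB", data[:5])
    if bc != 2 * qty or len(data) < 5 + bc:
        raise ValueError("byte count does not match register quantity")
    return addr, list(struct.unpack(">%dH" % qty, data[5:5 + bc]))

def point_value(regs, order: str, vtype: str):
    """Permute two 16-bit registers per word order and decode one value."""
    hi, lo = (regs[1], regs[0]) if order == "CDAB" else (regs[0], regs[1])
    raw = struct.pack(">HH", hi, lo)
    return struct.unpack(">f" if vtype == "float32" else ">I", raw)[0]

def content_filter(frame: bytes):
    """Return ("PASS", value) or ("DROP", reason); drops are logged."""
    try:
        _uid, fc, data = parse_frame(frame)
        if fc in READ_FCS:              # read operation: passes unchanged
            return "PASS", None
        if fc not in WRITE_FCS:         # DPI allow-list failure
            raise ValueError("function code 0x%02x not allowed" % fc)
        addr, regs = written_registers(fc, data)
        if addr not in POINTS or len(regs) < 2:
            raise ValueError("no 2-register threshold rule for write at %d" % addr)
        order, vtype, lo, hi = POINTS[addr]
        value = point_value(regs[:2], order, vtype)
        if not lo <= value <= hi:
            raise ValueError("point %d value %r outside [%r, %r]" % (addr, value, lo, hi))
        return "PASS", value
    except (ValueError, struct.error) as exc:
        alarm_log.append(str(exc))
        return "DROP", str(exc)

def build_write_frame(addr: int, regs, tid: int = 1, uid: int = 1) -> bytes:
    """Constructed FC 0x10 request, used only to make sample input."""
    pdu = bytes([0x10]) + struct.pack(">HHB", addr, len(regs), 2 * len(regs))
    pdu += struct.pack(">%dH" % len(regs), *regs)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu
```

A frame writing 0x4291 0x0000 to point 100 decodes as 72.5 in ABCD order and passes, while 0x43FA 0x0000 decodes as 500.0 and is dropped with an alarm entry; the same check in a real device would also cover the single-register and coil write codes the point table is extended with.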
Basic function: the output data taken from the upper computer (the input nodes on the web page) is compared with the white list data in the database. During the comparison, stateful inspection, IP/MAC address binding, denial of service protection and network scanning monitoring are started; if the data entered by the upper computer deviates greatly and abnormally from the user's white list data, the abnormal data is filtered out directly.
Enhanced function: detection and early warning are provided for the Modbus data captured from the upper computer, and an alarm prompt is issued if the Modbus data is abnormal. Packet filtering test: the test follows the default-deny principle, and its purpose is to check whether the firewall denies all messages by default. TCP, UDP and other data packets are sent from one end of the network performance tester and it is observed whether the messages are received at the other end. A rule permitting the Modbus TCP service is configured on the virtual firewall, and the virtual PC accesses the Modbus TCP service (virtual server).
Configuration test steps: configure the interface addresses, for example eth0 and eth1 as 192.168.10.1 and 192.168.80.1 respectively; assign eth0 to the security zone untrust and eth1 to the security zone trust; then carry out the Modbus virtual test.
The invention discloses a Modbus security detection method in which, after the message structure layer of a Modbus message has been filtered according to the set ACL policy, protocol stack fingerprint policy and DPI rules, the values of a plurality of bytes in the Modbus message are arranged and combined according to the set word sequence order to obtain the point value data corresponding to the Modbus message, and the content layer of the Modbus message is then filtered.
The above description covers only the preferred embodiment of the present application; the scope of the present application is not limited to it, and any changes or substitutions that can readily be conceived by those skilled in the art within the technical scope of the present application fall within that scope. The protection scope of the present application is therefore defined by the claims.
Claims (8)
1. A Modbus security detection method, characterized by comprising the following steps:
filtering Modbus messages at the message structure layer according to an ACL policy, a protocol stack fingerprint policy and DPI rules;
and, for messages that pass the structure layer filtering, setting a word sequence for the messages, permuting and combining the values of a plurality of bytes of the message according to that word sequence to obtain the point value data corresponding to the Modbus message, and filtering the Modbus message at the content layer based on the point value data.
2. The Modbus security detection method as recited in claim 1, wherein
the Modbus message structure layer filtering comprises the following steps:
if the ACL policy filtering fails, discarding the Modbus message and generating an alarm log; and if the ACL policy filtering passes, filtering the Modbus message according to the protocol stack fingerprint policy.
3. The Modbus security detection method as recited in claim 2, wherein
the protocol stack fingerprint policy filtering decision comprises the following steps:
if the protocol stack fingerprint policy filtering fails, discarding the Modbus message and generating an alarm log; and if the protocol stack fingerprint policy filtering passes, filtering the Modbus message according to the DPI rules.
4. The Modbus security detection method as recited in claim 3, wherein
the DPI rule filtering decision comprises the following steps:
if the DPI rule filtering fails, discarding the Modbus message and generating an alarm log; and if the DPI rule filtering passes, determining the operation type of the Modbus message.
5. The Modbus security detection method as recited in claim 4, wherein
the operation type decision comprises the following steps:
if the operation type is a read operation, determining that the Modbus message passes detection; and if the operation type is a write operation, arranging and combining the values of a plurality of bytes in the Modbus message according to the word sequence order to obtain the point value data corresponding to the Modbus message.
6. The Modbus security detection method as recited in claim 5, wherein
the decision on the point value data corresponding to the Modbus message comprises the following steps:
determining whether the point value data corresponding to the Modbus message lies within a threshold range; if the point value data lies within the set threshold range, determining that the Modbus message passes detection; and if the point value data does not lie within the set threshold range, discarding the Modbus message and generating an alarm log.
7. The Modbus security detection method as recited in claim 6, wherein
the Modbus message structure layer filtering further comprises: checking each message, and issuing traffic monitoring early warnings, abnormal instruction warnings and access security early warnings through event statistics, traffic statistics, correlation analysis and abnormal time analysis.
8. The Modbus security detection method as recited in claim 7, wherein
the Modbus message content layer filtering further comprises: performing filtering, NAT, state monitoring, dynamic port opening, address binding, denial of service attack resistance and network scanning protection on each piece of data against the white list data entered by the user, and managing the state of the assets and the configured equipment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210067486.5A CN114422249A (en) | 2022-01-20 | 2022-01-20 | A modbus security detection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114422249A true CN114422249A (en) | 2022-04-29 |
Family ID: 81274958
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210067486.5A Pending CN114422249A (en) | 2022-01-20 | 2022-01-20 | A modbus security detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114422249A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1992716A (en) * | 2005-12-31 | 2007-07-04 | 中兴通讯股份有限公司 | Method for realizing port triggering function in Linux protocol stack |
US20080295175A1 (en) * | 2007-05-25 | 2008-11-27 | Nirwan Ansari | PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS |
CN110099058A (en) * | 2019-05-06 | 2019-08-06 | 江苏亨通工控安全研究院有限公司 | Modbus message detecting method, device, electronic equipment and storage medium |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
Xu et al. | Network security situation awareness based on semantic ontology and user-defined rules for Internet of Things | |
Zhou et al. | A fog computing based approach to DDoS mitigation in IIoT systems | |
Lin et al. | Cyber attack and defense on industry control systems | |
CN109922085B (en) | Safety protection system and method based on CIP (common interface protocol) in PLC (programmable logic controller) | |
Li et al. | SCADAWall: A CPI-enabled firewall model for SCADA security | |
Mallouhi et al. | A testbed for analyzing security of SCADA control systems (TASSCS) | |
CN110495138B (en) | Industrial control system and monitoring method for network security thereof | |
Jardine et al. | Senami: Selective non-invasive active monitoring for ics intrusion detection | |
KR101375813B1 (en) | Active security sensing device and method for intrusion detection and audit of digital substation | |
CN105429963A (en) | Intrusion Detection and Analysis Method Based on Modbus/Tcp | |
Sayegh et al. | Internal security attacks on SCADA systems | |
CN110099058B (en) | Modbus message detection method and device, electronic equipment and storage medium | |
CN105204487A (en) | Intrusion detection method and intrusion detection system for industrial control system based on communication model | |
EP1776823A1 (en) | Anomaly-based intrusion detection | |
CN111510436B (en) | Network security system | |
CN114125083B (en) | Industrial network distributed data acquisition method, device, electronic equipment and medium | |
CN106911529A (en) | Power network industry control safety detecting system based on protocol analysis | |
Alruwaili | Intrusion detection and prevention in industrial IoT: A technological survey | |
CN116451215A (en) | Correlation analysis method and related equipment | |
US9298175B2 (en) | Method for detecting abnormal traffic on control system protocol | |
Hink et al. | Characterization of cyberattacks aimed at integrated industrial control and enterprise systems: a case study | |
CN114422195A (en) | Pseudo control instruction identification and early warning system and method suitable for industrial control system | |
Feng et al. | Snort improvement on profinet RT for industrial control system intrusion detection | |
RU2739864C1 (en) | System and method of correlating events for detecting information security incident | |
Chang et al. | The Modbus protocol vulnerability test in industrial control systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20220429 |