
CN114500005A - Protection method, device, terminal and storage medium for ModbusTcp instruction - Google Patents


Info

Publication number
CN114500005A
Authority
CN
China
Prior art keywords
modbustcp
instruction
initial
command
encrypted
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210007569.5A
Other languages
Chinese (zh)
Other versions
CN114500005B (en)
Inventor
于新宇
冉幼松
孙双永
谢一鸣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Anji Technology Co ltd
Original Assignee
Shanghai Anji Technology Co ltd
Application filed by Shanghai Anji Technology Co ltd
Priority to CN202210007569.5A
Publication of CN114500005A
Application granted
Publication of CN114500005B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40006 Architecture of a communication node
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40228 Modbus
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method, device, terminal and storage medium for protecting a ModbusTcp instruction. In the method, a zero-trust gateway client receives an initial ModbusTcp instruction transmitted by a master device, encrypts it, and sends the encrypted instruction to a zero-trust gateway through a Tcp communication tunnel; the zero-trust gateway then performs identity authentication, decryption and danger monitoring on the encrypted instruction in sequence and, if the initial ModbusTcp instruction is a non-dangerous instruction, forwards it to a slave device according to a preset policy. By encrypting the initial ModbusTcp instruction and subjecting it to identity authentication, authorization and danger monitoring, the method protects the instruction from several angles: ModbusTcp communication link security, access behaviour authentication, access authorization, continuous authentication of data packets, and ModbusTcp instruction control. A ModbusTcp-based IoT system is thereby protected, and attacks on it by a third party from the physical network, the IoT application system, network identity, traffic attacks and other angles are effectively prevented.

Description

Protection method, device, terminal and storage medium for ModbusTcp instruction

Technical field

The present application relates to the technical field of the Internet of Things, and in particular to a protection method, device, terminal and storage medium for ModbusTcp instructions.

Background

Modbus is an application-layer messaging protocol invented by Modicon (now a Schneider brand) in 1979 and used mainly in industrial settings. Because it is open, stable, efficient and inexpensive, it has become one of the most popular communication protocols in the IoT field. However, how to effectively protect ModbusTcp instructions during ModbusTcp protocol communication remains an urgent problem.

At present, during ModbusTcp protocol communication, the IoT application system periodically sends ModbusTcp instructions through the master device (ModbusTcp Master) to the slave device (ModbusTcp Slave) to implement the "four remote" functions of traditional control (telemetry, remote signalling, remote control and remote adjustment). The instructions include write register, read register, write coil, read coil and so on.

However, in the above ModbusTcp communication process, the ModbusTcp instructions transmitted between master and slave devices lack an effective protection mechanism.

Summary of the invention

The main purpose of the present application is to provide a protection method, device, terminal and storage medium for ModbusTcp instructions, so as to solve the problem in the related art that ModbusTcp instructions lack an effective protection mechanism.

To achieve the above purpose, in a first aspect the present application provides a protection method for ModbusTcp instructions, including:

a zero-trust gateway client receives an initial ModbusTcp instruction transmitted by a master device, encrypts the initial ModbusTcp instruction, and sends the encrypted initial ModbusTcp instruction to a zero-trust gateway through a Tcp communication tunnel;

the zero-trust gateway performs identity authentication, decryption and danger monitoring on the encrypted initial ModbusTcp instruction in sequence and, if the initial ModbusTcp instruction is a non-dangerous instruction, forwards it to the slave device according to a preset policy.

In one possible implementation, the zero-trust gateway performing identity authentication, decryption and danger monitoring in sequence on the encrypted initial ModbusTcp instruction includes:

identifying a first identity identifier corresponding to the encrypted initial ModbusTcp instruction;

if the first identity identifier satisfies a first preset condition, decrypting the encrypted initial ModbusTcp instruction to obtain the initial ModbusTcp instruction;

comparing the initial ModbusTcp instruction with all dangerous instructions in a preset dangerous instruction library to determine whether the initial ModbusTcp instruction is a dangerous instruction.

In one possible implementation, after the identity identifier satisfies the first preset condition, the method further includes:

authorizing the encrypted initial ModbusTcp instruction.

In one possible implementation, after determining whether the initial ModbusTcp instruction is a dangerous instruction, the method further includes:

if the initial ModbusTcp instruction is a dangerous instruction, sending it to an alarm server for processing.

In one possible implementation, after forwarding the initial ModbusTcp instruction to the slave device according to the preset policy, the method further includes:

the zero-trust gateway receiving an execution receipt transmitted by the slave device;

encrypting the execution receipt and sending the encrypted execution receipt to the zero-trust gateway client through the Tcp communication tunnel.

In one possible implementation, after encrypting the execution receipt and sending it to the zero-trust gateway client through the Tcp communication tunnel, the method further includes:

the zero-trust gateway client performing identity verification on the encrypted execution receipt;

if the identity verification passes, decrypting the encrypted execution receipt and sending the execution receipt to the master device.

In one possible implementation, the zero-trust gateway client performing identity verification on the encrypted execution receipt includes:

the zero-trust gateway client identifying a second identity identifier corresponding to the encrypted execution receipt.

In a second aspect, an embodiment of the present invention provides a protection device for ModbusTcp instructions, including:

an instruction encryption module, used by the zero-trust gateway client to receive the initial ModbusTcp instruction transmitted by the master device, encrypt it, and send the encrypted initial ModbusTcp instruction to the zero-trust gateway through a Tcp communication tunnel;

an instruction control module, used by the zero-trust gateway to perform identity authentication, decryption and danger monitoring on the encrypted initial ModbusTcp instruction in sequence and, if the initial ModbusTcp instruction is a non-dangerous instruction, forward it to the slave device according to a preset policy.

In a third aspect, an embodiment of the present invention provides a terminal including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, the steps of any of the above protection methods for ModbusTcp instructions are implemented.

In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, the steps of any of the above protection methods for ModbusTcp instructions are implemented.

Embodiments of the present invention provide a protection method, device, terminal and storage medium for ModbusTcp instructions, including: a zero-trust gateway client receives an initial ModbusTcp instruction transmitted by a master device, encrypts it, and sends the encrypted initial ModbusTcp instruction to a zero-trust gateway through a Tcp communication tunnel; the zero-trust gateway then performs identity authentication, decryption and danger monitoring on the encrypted initial ModbusTcp instruction in sequence and, if the initial ModbusTcp instruction is a non-dangerous instruction, forwards it to the slave device according to a preset policy. By encrypting the initial ModbusTcp instruction and subjecting it to identity authentication, authorization and danger monitoring, the invention protects the initial ModbusTcp instruction from several angles: ModbusTcp communication link security, access behaviour authentication, access authorization, continuous authentication of data packets, and ModbusTcp instruction control. The ModbusTcp-based IoT system is thereby protected comprehensively, and attacks on it by third parties from the physical network, the IoT application system, network identity, traffic attacks and other angles are effectively prevented.

Description of the drawings

The accompanying drawings, which form part of this application, are provided for a further understanding of the application and make its other features, objects and advantages more apparent. The drawings of the exemplary embodiments and their descriptions are used to explain the application and do not constitute an improper limitation of it. In the drawings:

Fig. 1 is a schematic structural diagram of a traditional ModbusTcp communication system provided by an embodiment of the present invention;

Fig. 2 is a schematic structural diagram of a protection device for ModbusTcp instructions provided by an embodiment of the present invention;

Fig. 3 is a flow chart of the implementation of a protection method for ModbusTcp instructions provided by an embodiment of the present invention;

Fig. 4 is a schematic structural diagram of a protection device for ModbusTcp instructions provided by another embodiment of the present invention;

Fig. 5 is a schematic diagram of a terminal provided by an embodiment of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.

The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the above drawings are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described here can be practised in sequences other than those illustrated or described here.

It should be understood that in the various embodiments of the present invention, the magnitude of the sequence numbers of the processes does not imply an order of execution; the execution order of each process is determined by its function and internal logic and does not limit the implementation of the embodiments in any way.

It should be understood that in the present invention, "comprising" and "having" and any variants thereof are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.

It should be understood that in the present invention, "a plurality of" means two or more. "And/or" merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the associated objects. "Comprising A, B and C" or "comprising A, B, C" means that all three of A, B and C are included; "comprising A, B or C" means that one of A, B and C is included; "comprising A, B and/or C" means that any one, any two, or all three of A, B and C are included.

It should be understood that in the present invention, "B corresponding to A", "B corresponds to A" or "A corresponds to B" means that B is associated with A and that B can be determined from A. Determining B from A does not mean that B is determined from A alone; B may also be determined from A and/or other information. A matching B means that the similarity between A and B is greater than or equal to a preset threshold.

Depending on the context, "if" as used here may be interpreted as "at the time of", "when", "in response to determining" or "in response to detecting".

The technical solutions of the present invention are described in detail below by way of specific embodiments. The following specific embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.

To make the objectives, technical solutions and advantages of the present invention clearer, specific embodiments are described below with reference to the accompanying drawings.

Fig. 1 shows the traditional ModbusTcp master/slave architecture. The IoT application system periodically sends instructions to the ModbusTcp Slave through the ModbusTcp Master module; the instructions include write register, read register, write coil, read coil and so on, and implement the "four remote" functions of traditional control (telemetry, remote signalling, remote control and remote adjustment).

The traditional ModbusTcp communication system suffers from "no authentication", "no authorization", "no transmission security" and "no instruction protection". Specifically: "no authentication" means that the Modbus protocol defines no authentication at all; anyone able to reach the Modbus service can use function codes to collect device information and send control instructions, disturbing or destroying the operation of the whole system. "No authorization" means that Modbus has no user classification, no role control and no division of visitors' permissions, so any visitor can execute any function. "No instruction protection" means that there is no encryption mechanism; the encryption mechanism of network communication is what guarantees that the data of both communicating parties cannot be eavesdropped on or tampered with by a third party, and in Modbus protocol communication the instructions and addresses are sent entirely in cleartext, so they are easily parsed and modified by an eavesdropper.

To address the above problems, the present invention provides a complete set of protection mechanisms, shown in Fig. 2, that comprehensively protect the security of ModbusTcp communication in existing IoT systems.

Referring to Fig. 2, compared with the prior art (Fig. 1), the present invention adds five components: a zero-trust gateway client, a zero-trust gateway, and three services, namely an authentication service, an authorization service and a dangerous instruction control policy service. Each part is described below.

(1) Zero-trust gateway client

All ModbusTcp traffic on the IoT application system server passes through the zero-trust gateway client. The client obtains the device identity, which includes but is not limited to the device's hardware ID and the device's certificate, and attaches identity information to every communication packet issued by the ModbusTcp Master; this identity information is used by the zero-trust gateway for authentication (that is, identity recognition). The identity information is generated by the gateway client from the hardware characteristics of the ModbusTcp Master server. The zero-trust gateway client encrypts the ModbusTcp traffic with mTLS and transmits it to the zero-trust gateway using tunnelling.

(2) Zero-trust gateway

The gateway verifies the device identity of every request (every communication packet) through the authentication and authorization services; the device identity here includes the device's unique ID. If device authentication fails, the user is directed to the authentication and authorization services to establish a session identifier (this generally happens when a device connects for the first time). After authentication and authorization pass, the received mTLS traffic is restored to ModbusTcp traffic. If the control policy service determines that a communication flow contains a harmful instruction, the gateway intercepts it. The control policy service handles external/internal route mapping according to predefined policies.

(3) Authentication service

Verifies, as needed, the device identity information carried in the data packets. When a device accesses for the first time, an OIDC (OpenID Connect) identity authentication token establishing the device identity session is created; the device identity OIDC token is stored in a data cache, and when it expires it is renewed by silent authentication.

(4) Authorization service

Grants permissions to each ModbusTcp Master service according to policy, checks the session permissions of all device identities and, if needed, directs the zero-trust gateway to start the device identity authentication flow.

(5) Dangerous instruction control policy service

Continuously monitors the ModbusTcp traffic passing through the zero-trust gateway and records the recent (usually 7 days) instructions from ModbusTcp Master to Slave. It applies an instruction security policy to determine whether an instruction issued to the Slave is harmful and, if so, notifies the zero-trust gateway to intercept it. The security policy includes a dangerous instruction library (blacklist) and an instruction logic tree (instruction execution orders that should not occur), both configured by security operations staff in the gateway policy. Traffic that obviously exceeds the processing capacity of the industrial equipment hosting the ModbusTcp Slave is intercepted to prevent traffic attacks.
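The control policy service described above combines three checks: a dangerous instruction library (blacklist), an instruction logic tree (orderings that should not occur), and a cap on traffic beyond the slave's capacity. The following added example (my code, not the patent's or Shanghai Anji Technology's implementation) shows one way to apply all three to parsed Modbus TCP requests. The frame layout follows the public Modbus TCP specification (7-byte MBAP header followed by the PDU); the blacklisted function code, the protected register range, the forbidden ordering and the rate cap are constructed sample policy values, not values taken from the patent.

```python
"""Danger-instruction policy check for Modbus TCP requests (added example, not the patent's code)."""
import struct
import time
from collections import deque
from dataclasses import dataclass, field

# Modbus TCP frame (public spec) = 7-byte MBAP header + PDU.
# MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1); PDU: function code (1) + data.
MBAP = struct.Struct(">HHHB")
WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single coil/register, write multiple coils/registers


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    def address_range(self):
        """(first, last) address touched by read/write functions 1-6, 15 and 16; None otherwise."""
        if self.function_code in (5, 6):                      # single writes: address only
            addr = struct.unpack_from(">H", self.data)[0]
            return addr, addr
        if self.function_code in (1, 2, 3, 4, 15, 16):        # reads and multiple writes: address + quantity
            start, qty = struct.unpack_from(">HH", self.data)
            return start, start + qty - 1
        return None


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus TCP request frame, rejecting malformed headers."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:                              # length field covers unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a request frame; used here only to construct sample traffic."""
    return MBAP.pack(tid, 0, 2 + len(data), unit) + bytes([fc]) + data


@dataclass
class DangerPolicy:
    """Constructed stand-in for the patent's dangerous instruction library and control policy service."""
    denied_functions: frozenset      # blacklist of function codes
    protected_writes: dict           # unit id -> [(first, last)] address ranges that must never be written
    forbidden_sequences: frozenset   # (previous fc, next fc) pairs that must not occur back to back
    max_requests: int                # per-source request cap within window_seconds (flow control)
    window_seconds: float
    _history: dict = field(default_factory=dict)   # source -> deque of (timestamp, fc): the recent record

    def check(self, source: str, req: ModbusRequest, now: float = None) -> str:
        """Return 'ok' or a 'danger: ...' reason; the gateway forwards only on 'ok'."""
        now = time.monotonic() if now is None else now
        hist = self._history.setdefault(source, deque())
        while hist and now - hist[0][0] > self.window_seconds:
            hist.popleft()
        verdict = "ok"
        if len(hist) >= self.max_requests:
            verdict = "danger: request rate exceeds slave capacity"
        elif req.function_code in self.denied_functions:
            verdict = f"danger: function {req.function_code} is blacklisted"
        elif req.function_code in WRITE_FUNCTIONS:
            first, last = req.address_range()
            for lo, hi in self.protected_writes.get(req.unit_id, ()):
                if first <= hi and last >= lo:
                    verdict = f"danger: write to protected addresses {lo}-{hi}"
                    break
        if verdict == "ok" and hist and (hist[-1][1], req.function_code) in self.forbidden_sequences:
            verdict = f"danger: function {req.function_code} must not follow function {hist[-1][1]}"
        hist.append((now, req.function_code))               # every instruction is recorded, allowed or not
        return verdict


def demo() -> list:
    policy = DangerPolicy(
        denied_functions=frozenset({8}),            # constructed: diagnostics never pass
        protected_writes={1: [(100, 199)]},         # constructed: registers 100-199 on unit 1 are read-only
        forbidden_sequences=frozenset({(15, 5)}),   # constructed: no single-coil write right after a multi-coil write
        max_requests=3, window_seconds=1.0,
    )
    frames = [
        build_frame(1, 1, 3, struct.pack(">HH", 0, 10)),    # read 10 holding registers: ok
        build_frame(2, 1, 6, struct.pack(">HH", 150, 1)),   # write register 150: protected range
        build_frame(3, 1, 8, struct.pack(">HH", 0, 0)),     # diagnostics: blacklisted
        build_frame(4, 1, 1, struct.pack(">HH", 0, 8)),     # fourth request inside the window: rate cap
    ]
    return [policy.check("master-01", parse_modbus_tcp(f), now=10.0) for f in frames]
```

Every instruction is appended to the per-source history whether or not it was allowed; that is what lets the ordering rule and the rate cap see intercepted traffic as well as forwarded traffic, matching the "record the recent instructions" behaviour described for the service. A gateway built on this would forward only on "ok" and hand every other verdict to the alarm path.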

基于上述保护机制,如图3所示,本发明提供了一种ModbusTcp指令的保护方法,包括以下步骤:Based on the above protection mechanism, as shown in FIG. 3 , the present invention provides a method for protecting a ModbusTcp instruction, including the following steps:

步骤S301:零信任网关客户端接收主设备传输的初始ModbusTcp指令,对初始ModbusTcp指令进行加密,并采用Tcp通讯隧道将加密后的初始ModbusTcp指令发送至零信任网关;Step S301: the zero-trust gateway client receives the initial ModbusTcp command transmitted by the master device, encrypts the initial ModbusTcp command, and uses a Tcp communication tunnel to send the encrypted initial ModbusTcp command to the zero-trust gateway;

步骤S302:零信任网关对加密后的初始ModbusTcp指令依次进行身份认证、解密和危险监控,若初始ModbusTcp指令为非危险指令,依据预设策略将初始ModbusTcp指令转发至从设备。Step S302: The zero-trust gateway sequentially performs identity authentication, decryption and risk monitoring on the encrypted initial ModbusTcp command. If the initial ModbusTcp command is a non-hazardous command, it forwards the initial ModbusTcp command to the slave device according to a preset policy.

具体的,加密是通过mTLS对初始ModbusTcp指令进行加密处理,得到加密后的初始ModbusTcp指令,即mTLS指令。解密是将mTLS指令进行还原的过程,即将mTLS指令还原为初始ModbusTcp指令。Specifically, the encryption is to perform encryption processing on the initial ModbusTcp command through mTLS to obtain the encrypted initial ModbusTcp command, that is, the mTLS command. Decryption is the process of restoring the mTLS command, that is, restoring the mTLS command to the original ModbusTcp command.

本发明实施例提供了一种ModbusTcp指令的保护方法,包括:零信任网关客户端接收主设备传输的初始ModbusTcp指令,对初始ModbusTcp指令进行加密,并采用Tcp通讯隧道将加密后的初始ModbusTcp指令发送至零信任网关,然后零信任网关对加密后的初始ModbusTcp指令依次进行身份认证、解密和危险监控,若初始ModbusTcp指令为非危险指令,依据预设策略将初始ModbusTcp指令转发至从设备。本发明通过对初始ModbusTcp指令进行加密以及身份认证、授权、危险监控,从ModbusTcp的通讯链路安全、访问行为认证、访问授权、数据包持续认证、ModbusTcp指令控制等多个角度,对初始ModbusTcp指令进行保护,更使基于ModbusTcp的IoT系统得到全方位保护,有效防止了第三者从物理网络、IoT应用系统、网络身份、流量攻击等多个角度对IoT系统进行的攻击。An embodiment of the present invention provides a method for protecting a ModbusTcp instruction, including: a zero-trust gateway client receives an initial ModbusTcp instruction transmitted by a master device, encrypts the initial ModbusTcp instruction, and uses a Tcp communication tunnel to send the encrypted initial ModbusTcp instruction to the zero-trust gateway, and then the zero-trust gateway performs identity authentication, decryption, and danger monitoring on the encrypted initial ModbusTcp command in turn. If the initial ModbusTcp command is a non-hazardous command, it forwards the initial ModbusTcp command to the slave device according to the preset strategy. The present invention encrypts the initial ModbusTcp command, performs identity authentication, authorization, and danger monitoring, from the aspects of ModbusTcp communication link security, access behavior authentication, access authorization, data packet continuous authentication, and ModbusTcp command control. For protection, the ModbusTcp-based IoT system is fully protected, effectively preventing third parties from attacking the IoT system from multiple perspectives such as physical network, IoT application system, network identity, and traffic attacks.

在一实施例中,步骤S302包括:In one embodiment, step S302 includes:

步骤S401:识别加密后的初始ModbusTcp指令对应的第一身份标识;Step S401: Identify the first identity identifier corresponding to the encrypted initial ModbusTcp instruction;

Step S402: if the first identity identifier satisfies a first preset condition, decrypt the encrypted initial ModbusTcp command to obtain the initial ModbusTcp command;

Step S403: compare the initial ModbusTcp command with all dangerous commands in a preset dangerous command library to determine whether the initial ModbusTcp command is a dangerous command.

Specifically, identity verification of the encrypted initial ModbusTcp command proceeds as follows: the first identity identifier corresponding to the encrypted initial ModbusTcp command is identified, and it is then judged whether the first identity identifier satisfies the first preset condition; if it does, the encrypted initial ModbusTcp command is decrypted, and if it does not, the encrypted initial ModbusTcp command is discarded. When the first identity identifier satisfies the first preset condition, the encrypted initial ModbusTcp command is additionally authorized.

In one embodiment, after judging whether the initial ModbusTcp command is a dangerous command: if it is a dangerous command, the initial ModbusTcp command is sent to an alarm server for processing; if it is a non-dangerous command, the initial ModbusTcp command is forwarded to the slave device according to the preset policy.
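The following added example (hypothetical code, not the patent's or the applicant's implementation) models steps S401 to S403 on the gateway side in Python. It assumes the peer identity has already been extracted from the mTLS client certificate, that decryption is done by the TLS layer so the frame arrives as plaintext, and that the "preset dangerous command library" is a constructed set of Modbus function codes that write state or change device configuration; the sample ADUs are constructed, not captured traffic.

```python
"""Added example: the zero-trust gateway's identity gate and dangerous-command
check (steps S401 to S403) applied to Modbus TCP frames. Hypothetical code,
not the patent's implementation."""
import struct
from dataclasses import dataclass

MBAP_HEADER_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_adu(adu: bytes) -> ModbusRequest:
    """Parse a Modbus TCP ADU (MBAP header + PDU); raise ValueError when malformed."""
    if len(adu) < MBAP_HEADER_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:MBAP_HEADER_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The MBAP length field counts the unit id byte plus the whole PDU.
    if length != len(adu) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusRequest(tid, uid, adu[MBAP_HEADER_LEN], adu[MBAP_HEADER_LEN + 1:])


# Constructed "preset dangerous command library" (an assumption for this example):
# function codes that change coils/registers or device configuration.
DANGEROUS_FUNCTION_CODES = {
    0x05: "write single coil",
    0x06: "write single register",
    0x08: "diagnostics",
    0x0F: "write multiple coils",
    0x10: "write multiple registers",
    0x2B: "encapsulated interface transport",
}

# Constructed allow-list standing in for the "first preset condition": identities
# the gateway accepts, as they would be read from the mTLS client certificate.
ALLOWED_MASTERS = frozenset({"master-plc-01"})


def matches_danger_library(req: ModbusRequest, library=DANGEROUS_FUNCTION_CODES):
    """Step S403: look the request up in the dangerous command library."""
    return library.get(req.function_code)


def gateway_decision(peer_identity: str, adu: bytes, allowed=ALLOWED_MASTERS):
    """Steps S401-S403 for one frame.

    Returns ("drop"|"alarm"|"forward", reason). Decryption is assumed to have
    happened in the TLS layer, so `adu` is already plaintext."""
    if peer_identity not in allowed:          # S401/S402: identity gate, discard on failure
        return "drop", f"identity {peer_identity!r} not accepted"
    try:
        req = parse_adu(adu)
    except ValueError as exc:                  # unparsable frames are treated as dangerous (assumption)
        return "alarm", f"malformed frame: {exc}"
    hit = matches_danger_library(req)
    if hit is not None:                        # S403: route to the alarm server, not the slave
        return "alarm", f"fc 0x{req.function_code:02X} ({hit}) for unit {req.unit_id}"
    return "forward", f"fc 0x{req.function_code:02X} for unit {req.unit_id}"


# Constructed sample ADUs (not captured traffic).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A")      # read 10 holding registers
WRITE_SINGLE_REG = bytes.fromhex("0002 0000 0006 01 06 0010 00FF")  # write register 0x0010
TRUNCATED = bytes.fromhex("0003 0000 0006 01 03")                   # length field says 6, only 3 follow

if __name__ == "__main__":
    for ident, frame in [("master-plc-01", READ_HOLDING),
                         ("master-plc-01", WRITE_SINGLE_REG),
                         ("rogue-host", READ_HOLDING),
                         ("master-plc-01", TRUNCATED)]:
        print(ident, *gateway_decision(ident, frame))
```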

After the slave device receives the initial ModbusTcp command, it performs the corresponding action according to that command. Once execution is complete, it returns an execution receipt to the zero-trust gateway. The zero-trust gateway then encrypts the execution receipt with TLS and sends the encrypted execution receipt to the zero-trust gateway client through the Tcp communication tunnel. The zero-trust gateway client performs identity verification on the encrypted execution receipt; if verification passes, it decrypts the encrypted execution receipt and sends the execution receipt to the master device. Identity verification of the encrypted execution receipt by the zero-trust gateway client means that the client identifies the second identity identifier corresponding to the encrypted execution receipt; if the second identity identifier satisfies a second preset condition, verification passes, and if verification fails, the encrypted execution receipt is discarded.

It should be understood that the numbering of the steps in the above embodiments does not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and does not limit the implementation of the embodiments of the present invention in any way.

The following are apparatus embodiments of the present invention; for details not described in full, reference may be made to the corresponding method embodiments above.

FIG. 4 is a schematic structural diagram of a protection apparatus for a ModbusTcp command provided by an embodiment of the present invention. For ease of description, only the parts relevant to this embodiment are shown. The protection apparatus for a ModbusTcp command includes a command encryption module 41 and a command control module 42, as follows:

Command encryption module 41, used by the zero-trust gateway client to receive the initial ModbusTcp command transmitted by the master device, encrypt the initial ModbusTcp command, and send the encrypted initial ModbusTcp command to the zero-trust gateway through the Tcp communication tunnel;

Command control module 42, used by the zero-trust gateway to perform identity authentication, decryption and danger monitoring on the encrypted initial ModbusTcp command in sequence and, if the initial ModbusTcp command is a non-dangerous command, forward it to the slave device according to the preset policy.

In one possible implementation, the command control module 42 includes:

a command identity verification submodule, used to identify the first identity identifier corresponding to the encrypted initial ModbusTcp command;

a command decryption submodule, used to decrypt the encrypted initial ModbusTcp command to obtain the initial ModbusTcp command if the first identity identifier satisfies the first preset condition;

a command discrimination submodule, used to compare the initial ModbusTcp command with all dangerous commands in the preset dangerous command library and judge whether the initial ModbusTcp command is a dangerous command.

In one possible implementation, following the command decryption submodule, the apparatus further includes:

a command authorization submodule, used to authorize the encrypted initial ModbusTcp command.

In one possible implementation, following the command discrimination submodule, the apparatus further includes:

an alarm processing submodule, used to send the initial ModbusTcp command to the alarm server for processing if the initial ModbusTcp command is a dangerous command.

In one possible implementation, following the command control module 42, the apparatus further includes:

a receipt receiving submodule, used by the zero-trust gateway to receive the execution receipt transmitted by the slave device;

an encryption submodule, used to encrypt the execution receipt and send the encrypted execution receipt to the zero-trust gateway client through the Tcp communication tunnel.

In one possible implementation, following the encryption submodule, the apparatus further includes:

a receipt verification submodule, used by the zero-trust gateway client to perform identity verification on the encrypted execution receipt;

a receipt decryption submodule, used to decrypt the encrypted execution receipt if identity verification passes, and send the execution receipt to the master device.

In one possible implementation, the receipt verification submodule includes:

an identifier recognition unit, used by the zero-trust gateway client to identify the second identity identifier corresponding to the encrypted execution receipt.

FIG. 5 is a schematic diagram of a terminal provided by an embodiment of the present invention. As shown in FIG. 5, the terminal 5 of this embodiment includes a processor 50, a memory 51, and a computer program 52 stored in the memory 51 and executable on the processor 50. When the processor 50 executes the computer program 52, it implements the steps of the above embodiments of the protection method for a ModbusTcp command, for example steps 301 to 302 shown in FIG. 3. Alternatively, when the processor 50 executes the computer program 52, it implements the functions of the modules/units in the above embodiments of the protection apparatus for a ModbusTcp command, for example the functions of modules/units 41 to 42 shown in FIG. 4.

The present invention further provides a readable storage medium storing a computer program which, when executed by a processor, implements the methods provided by the various embodiments above.

The readable storage medium may be a computer storage medium or a communication medium. Communication media include any medium that facilitates transfer of a computer program from one place to another. Computer storage media may be any available media accessible by a general-purpose or special-purpose computer. For example, the readable storage medium is coupled to the processor so that the processor can read information from, and write information to, the readable storage medium. The readable storage medium may also be an integral part of the processor. The processor and the readable storage medium may be located in an application-specific integrated circuit (ASIC). In addition, the ASIC may be located in user equipment. The processor and the readable storage medium may also exist as discrete components in a communication device. The readable storage medium may be a read-only memory (ROM), random-access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, or the like.

The present invention also provides a program product comprising execution instructions stored in a readable storage medium. At least one processor of a device can read the execution instructions from the readable storage medium, and execution of those instructions by the at least one processor causes the device to implement the methods provided by the various embodiments above.

In the above device embodiments, it should be understood that the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or the like. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the present invention may be carried out directly by a hardware processor, or by a combination of hardware and software modules in the processor.

The above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and all fall within the scope of protection of the present invention.

Claims (10)

1. A protection method for a ModbusTcp command, characterized by comprising: a zero-trust gateway client receiving an initial ModbusTcp command transmitted by a master device, encrypting the initial ModbusTcp command, and sending the encrypted initial ModbusTcp command to a zero-trust gateway through a Tcp communication tunnel; and the zero-trust gateway performing identity authentication, decryption and danger monitoring on the encrypted initial ModbusTcp command in sequence and, if the initial ModbusTcp command is a non-dangerous command, forwarding the initial ModbusTcp command to a slave device according to a preset policy.

2. The protection method for a ModbusTcp command according to claim 1, characterized in that the zero-trust gateway performing identity authentication, decryption and danger monitoring on the encrypted initial ModbusTcp command in sequence comprises: identifying a first identity identifier corresponding to the encrypted initial ModbusTcp command; if the first identity identifier satisfies a first preset condition, decrypting the encrypted initial ModbusTcp command to obtain the initial ModbusTcp command; and comparing the initial ModbusTcp command with all dangerous commands in a preset dangerous command library to judge whether the initial ModbusTcp command is a dangerous command.

3. The protection method for a ModbusTcp command according to claim 2, characterized in that, after the first identity identifier satisfies the first preset condition, the method further comprises: authorizing the encrypted initial ModbusTcp command.

4. The protection method for a ModbusTcp command according to claim 2, characterized in that, after judging whether the initial ModbusTcp command is a dangerous command, the method further comprises: if the initial ModbusTcp command is a dangerous command, sending the initial ModbusTcp command to an alarm server for processing.

5. The protection method for a ModbusTcp command according to any one of claims 1 to 4, characterized in that, after forwarding the initial ModbusTcp command to the slave device according to the preset policy, the method further comprises: the zero-trust gateway receiving an execution receipt transmitted by the slave device; and encrypting the execution receipt and sending the encrypted execution receipt to the zero-trust gateway client through the Tcp communication tunnel.

6. The protection method for a ModbusTcp command according to claim 5, characterized in that, after encrypting the execution receipt and sending the encrypted execution receipt to the zero-trust gateway client through the Tcp communication tunnel, the method further comprises: the zero-trust gateway client performing identity verification on the encrypted execution receipt; and if the identity verification passes, decrypting the encrypted execution receipt and sending the execution receipt to the master device.

7. The protection method for a ModbusTcp command according to claim 6, characterized in that the zero-trust gateway client performing identity verification on the encrypted execution receipt comprises: the zero-trust gateway client identifying a second identity identifier corresponding to the encrypted execution receipt.

8. A protection apparatus for a ModbusTcp command, characterized by comprising: a command encryption module, used by a zero-trust gateway client to receive an initial ModbusTcp command transmitted by a master device, encrypt the initial ModbusTcp command, and send the encrypted initial ModbusTcp command to a zero-trust gateway through a Tcp communication tunnel; and a command control module, used by the zero-trust gateway to perform identity authentication, decryption and danger monitoring on the encrypted initial ModbusTcp command in sequence and, if the initial ModbusTcp command is a non-dangerous command, forward the initial ModbusTcp command to a slave device according to a preset policy.

9. A terminal, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the protection method for a ModbusTcp command according to any one of claims 1 to 7.

10. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the protection method for a ModbusTcp command according to any one of claims 1 to 7.
CN202210007569.5A 2022-01-05 2022-01-05 ModbusTcp instruction protection method, device, terminal and storage medium Active CN114500005B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210007569.5A CN114500005B (en) 2022-01-05 2022-01-05 ModbusTcp instruction protection method, device, terminal and storage medium

Publications (2)

Publication Number Publication Date
CN114500005A true CN114500005A (en) 2022-05-13
CN114500005B CN114500005B (en) 2025-01-14

Family

ID=81510453

Country Status (1)

Country Link
CN (1) CN114500005B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119583171A (en) * 2024-11-29 2025-03-07 天翼云科技有限公司 Distributed cloud monitoring system and data monitoring method

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030226017A1 (en) * 2002-05-30 2003-12-04 Microsoft Corporation TLS tunneling
CN106100836A (en) * 2016-08-09 2016-11-09 中京天裕科技(北京)有限公司 A kind of industrial user's authentication and the method and system of encryption
CN107438071A (en) * 2017-07-28 2017-12-05 北京信安世纪科技有限公司 cloud storage security gateway and access method
CN109951479A (en) * 2019-03-19 2019-06-28 中国联合网络通信集团有限公司 A communication method, device and communication system
CN110086822A (en) * 2019-05-07 2019-08-02 北京智芯微电子科技有限公司 The realization method and system of unified identity authentication strategy towards micro services framework
US10581865B1 (en) * 2019-02-20 2020-03-03 Xage Security, Inc. Inline filtering to secure access and data between user and application to device and between device to device
CN111510453A (en) * 2020-04-15 2020-08-07 深信服科技股份有限公司 Business system access method, device, system and medium
CN112887282A (en) * 2021-01-13 2021-06-01 国网新疆电力有限公司电力科学研究院 Identity authentication method, device and system and electronic equipment
CN113839958A (en) * 2021-09-29 2021-12-24 广州河东科技有限公司 Communication encryption method and device for smart home, control system and storage medium
CN113852681A (en) * 2021-09-22 2021-12-28 深信服科技股份有限公司 Gateway authentication method and device and security gateway equipment

Also Published As

Publication number Publication date
CN114500005B (en) 2025-01-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant