CN111385249B - A Vulnerability Detection Method - Google Patents
- Publication number: CN111385249B (application CN201811622270.0A)
- Authority: CN (China)
- Prior art keywords: script, test, task, protocol, vulnerability
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1433: Vulnerability analysis (under H04L63/14, detecting or protecting against malicious traffic; H04L63/00, network architectures or network communication protocols for network security)
- H04L63/1441: Countermeasures against malicious traffic
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00, reducing energy consumption in communication networks)
Abstract
The present invention relates to a vulnerability detection method. The method comprises: step S1, verifying whether messages are authenticated; and step S2, verifying whether messages are encrypted. The invention has a powerful proprietary industrial control vulnerability library and can detect a large number of undisclosed "0-day" vulnerabilities in distribution automation equipment and software. At the same time, by configuring the corresponding scanning policy, "non-destructive vulnerability detection" can be achieved; the method can check whether the commonly used distribution 101/104 protocols employ authentication and encryption measures, so as to ensure stable operation of the system.
Description
【Technical field】
The invention belongs to the technical field of distribution automation and in particular relates to a vulnerability detection method.
【Background】
Vulnerabilities of a distribution automation system mainly include system vulnerabilities and the security risks of the 101/104 protocols. In distribution automation systems built in the early period, distribution terminals connect to the master station without any identity authentication mechanism, and exchanged data such as remote signaling and telemetry are mostly transmitted in plaintext, which readily leads to data leakage and tampering. If equipment in the distribution automation system has application vulnerabilities, operating system vulnerabilities, web application vulnerabilities, database vulnerabilities and so on, attackers can exploit them to attack the distribution automation system and affect its stable operation. The security protection scheme of early distribution automation systems was formulated mainly with reference to the company's "Notice on Strengthening the Security Protection of Distribution Network Automation Systems" (State Grid Dispatch [2011] No. 168), which requires that a distribution network automation system support one-way (master station to terminal) authentication based on asymmetric-key technology: remote control commands issued by the master station should carry a digital signature based on the dispatching certificate, and the substation or terminal side should be able to verify the master station's digital signature, thereby achieving security authentication and data integrity verification of the master station's control commands and parameter setting instructions. However, when a terminal comes online, the master station has no mechanism to authenticate it, so the master station cannot tell a genuine terminal from a forged one. Moreover, telemetry and remote signaling data exchanged between the master station and terminals are transmitted in plaintext, which readily leads to data leakage and tampering. A new vulnerability detection method is therefore urgently needed. The present invention has a powerful proprietary industrial control vulnerability library and can detect a large number of undisclosed "0-day" vulnerabilities in distribution automation equipment and software. At the same time, by configuring the corresponding scanning policy, "non-destructive vulnerability detection" can be achieved; the method can check whether the commonly used distribution 101/104 protocols employ authentication and encryption measures, so as to ensure stable operation of the system.
【Summary of the invention】
To solve the above problems in the prior art, the present invention proposes a vulnerability detection method comprising:
Step S1: verify whether messages are authenticated;
Step S2: verify whether messages are encrypted.
Further, step S1 specifically comprises: verification by actively sending messages to a terminal whose running protocol has already been determined.
Further, the verification by actively sending messages to a terminal whose running protocol has been determined specifically comprises:
Step S11: determine whether the terminal to be verified is a terminal running the specific protocol; if so, proceed to the next step; otherwise, go to step S1X;
Step S12: determine whether a connection can be established with the terminal; if so, proceed to the next step; otherwise, go to step S16;
Step S13: send a protocol link request test message; if the terminal returns a link test success message, go to step S14; otherwise, go to step S17;
Step S14: send a protocol general interrogation (总召) test message; if the terminal returns a general interrogation success message, go to step S15; otherwise, go to step S18;
Step S15: determine that the protocol is not authenticated;
Step S16: the connection is abnormal and the protocol authentication status cannot be tested; go to step S1X;
Step S17: determine that the link request test failed; go to step S14 (a failed link test does not settle the question by itself; the general interrogation is still attempted);
Step S18: determine that the general interrogation test failed; go to step S19;
Step S19: determine that the protocol is authenticated;
Step S1X: end.
Further, step S2 specifically comprises: actively capturing and analyzing packets on the port of the terminal running the protocol, to determine whether messages are encrypted.
Further, actively capturing and analyzing packets on the port of the terminal running the protocol to determine whether messages are encrypted specifically comprises:
Step S21: determine whether the terminal is a terminal running the specific protocol; if so, proceed to the next step; otherwise, go to step S2X;
Step S22: capture packets on the port in real time;
Step S23: determine whether the packets contain data of the specific type; if so, go to step S24; otherwise, go to step S25;
Step S24: determine that the protocol is not encrypted; go to step S2X;
Step S25: determine that the protocol is encrypted;
Step S2X: end.
Further, packets on port 2404 are captured with tshark.
Further, the specific type is 60870-5-104-Asdu data.
Further, the protocol is the 104 protocol (IEC 60870-5-104).
The beneficial effects of the invention include: a powerful proprietary industrial control vulnerability library that can detect a large number of undisclosed "0-day" vulnerabilities in distribution automation equipment and software. At the same time, by configuring the corresponding scanning policy, "non-destructive vulnerability detection" can be achieved; the method can check whether the commonly used distribution 101/104 protocols employ authentication and encryption measures, so as to ensure stable operation of the system.
【Description of the drawings】
The drawings described here are provided for further understanding of the invention and form part of this application, but do not unduly limit the invention. In the drawings:
Figure 1 is a schematic structural diagram of the vulnerability detection system of the invention.
Figure 2 is a schematic structural diagram of the script execution module of the invention.
Figure 3 is a schematic diagram of the vulnerability scanning policies of the invention.
Figure 4 is a schematic diagram of the protocol authentication test method of the invention.
Figure 5 is a schematic diagram of the protocol encryption test method of the invention.
Figure 6 is a schematic diagram of the vulnerability detection results of the invention.
【Detailed description】
The invention is described in detail below with reference to the drawings and specific embodiments; the illustrative embodiments and descriptions serve only to explain the invention and do not limit it.
As shown in Figure 1, a vulnerability detection system to which the invention is applied is described in detail. The vulnerability detection system comprises a vulnerability scanning system and a configuration management module.
The vulnerability scanning system and the configuration management module are communicatively connected for task dispatch and result return.
The vulnerability scanning system comprises a task analyzer, a script engine and a vulnerability scanning test script library. The task analyzer analyzes the tasks dispatched by the configuration management module; the script engine loads the test scripts that must be executed to complete a dispatched task, parses and executes them, and returns the execution results to the configuration management module.
The task analyzer analyzes the tasks dispatched by the configuration management module. Specifically, tasks are dispatched as instructions; an instruction contains the task name, task details, task data address and so on. When task data is received, the task details are parsed, and based on the parsing result the task data is obtained and a new test process is created to handle the task.
The configuration management module dispatches test tasks and receives the test results returned by the vulnerability scanning system. A test task contains the names and parameters of the scripts required for the test, as well as the task name, task details and task data address; when task data is received, the task details are parsed. The module also configures a scheduling policy for each required test script; the scheduling policy may be an initial default policy.
Obtaining the task data and creating a new test process based on the parsing result specifically means: parse the task details to obtain the task type; when the task type is script execution, obtain the task data address, obtain the script name and parameter information from that address, create a new test process based on them, and copy the script name and parameter information into the new test process's own memory. Data is thus passed through the process body itself; there is no shared memory between the task analyzer and the script engine, which avoids the possibility of data contamination.
The task details include the task type. Tasks fall into several types, the main ones being:
CREQ_ATTACHED_FILE: the received content is a file; the received file is stored;
CREQ_LONG_ATTACK: a script execution command was received; the specified script (selected by the policy configuration) is invoked to send packets to the configured target for detection;
CREQ_PAUSE_WHOLE_TEST: send SIGUSR1 to all test processes to pause all tests;
CREQ_PLUGIN_INFO: get the test script information for the specified OID;
CREQ_PREFERENCES: get the scan engine parameters;
CREQ_RESUME_WHOLE_TEST: send SIGUSR2 to all test processes to resume the paused tests;
CREQ_STOP_ATTACK: send SIGTERM to the test process for the specified host to end that scanning process;
CREQ_STOP_WHOLE_TEST: send SIGTERM to the test processes of all hosts to end all scanning processes;
CREQ_NVT_INFO: get NVT script library information;
CREQ_UNKNOWN: the default type; the received task is non-compliant or cannot be parsed, and the request is not processed.
The script engine comprises a script scheduling module, a script execution module and a knowledge base. The script scheduling module selects the test scripts to be executed, and the script execution module executes the selected test scripts.
The script scheduling module reads test scripts and completes the initialization and sequencing of script invocation; it comprises a script loading module and a script organization module.
The loading module loads and initializes the corresponding test scripts according to the names and parameters of the scripts to be executed. Specifically, all test scripts are loaded and stored in a global variable linked list containing all the information the script engine uses during startup, running and shutdown. Preferably, the global variable linked list is kept in the memory of the test process; when control is handed from the task analyzer to the script engine, data is exchanged and preserved through the process.
The organization module determines the execution order of the scripts according to each script's scheduling policy and the relevant scheduling information already stored in the knowledge base, and interprets and executes the test scripts in that order. Specifically, the organization module obtains a preliminary execution order from the scripts' scheduling policies, adjusts it using the scheduling information stored in the knowledge base to obtain the final execution order, and interprets and executes the test scripts in that order.
Preferably, each test script has its own scheduling policy, set by the configuration management module. The scheduling policy contains the script's running state, policy code, priority, timeout, TCP port, UDP port, the node identifiers it requires in the global variable linked list, the node identifiers it mandatorily requires in the global variable linked list, and so on.
Obtaining the preliminary execution order from the scripts' scheduling policies specifically means: the organization module obtains all test scripts, obtains the policy type of each script's scheduling policy, obtains the priority corresponding to that policy type, and determines the preliminary execution order from the priority and the policy code. Table 1 maps policy types to their priorities.
Table 1: policy types and their priorities
Determining the preliminary execution order from the priority and the policy code specifically means: sort the script policies by priority, with higher priority executing earlier; if two test scripts have the same priority, sort them by policy code, with the smaller policy code executing earlier.
Adjusting the preliminary execution order using the scheduling information stored in the knowledge base to obtain the execution order specifically means adjusting the preliminary order according to the dependencies between test scripts.
Adjusting the preliminary execution order according to the dependencies between test scripts specifically means: when the relative order of two test scripts in the preliminary execution order violates the ordering requirement between them, reorder the two scripts so that the requirement is satisfied; the order that satisfies all ordering requirements is taken as the execution order.
Interpreting and executing the test scripts in the execution order specifically means: before running a test script, predict from the execution environment whether the script's run-time requirements can be satisfied by the script engine's execution environment; if so, execute the script; otherwise, defer it in the execution order. The most direct and effective way to optimize script scheduling is to establish the engine's situation without starting the script. For example, if a script needs to connect to port 123/TCP on the remote host and that port is already known to be closed, there is no need to run the script. The scheduling policy of a script is determined by operating on the relevant information in the knowledge base.
Deferring a script in the execution order specifically means: place the script in a waiting queue separate from the execution-order queue and check the execution environment periodically; when the environment can satisfy the script's run-time requirements, wake the script and place it at the head of the execution order.
Preferably, a test script's run-time requirements are obtained by querying the knowledge base and the script's scheduling policy, and execution environment information is obtained by querying the global variable linked list.
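The ordering rules described above (priority first, policy code as tie-breaker, knowledge-base dependencies, and a wait queue for scripts whose environment is not ready), as an added Python example that is not the patent's own code. The policy-type priorities and the sample scripts are constructed for illustration, since Table 1 is not reproduced on this page; the knowledge base is reduced to the set of TCP ports known to be open.

```python
"""Script organization as described on this page: priority, policy code, dependency fix-up, wait queue."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Policy type -> priority. Constructed for this example (Table 1 of the patent gives the real mapping).
PRIORITY_BY_TYPE: Dict[str, int] = {
    "host_discovery": 90, "port_scan": 80, "service_detect": 70, "vuln_check": 50,
}


@dataclass(frozen=True)
class Script:
    name: str
    policy_type: str
    policy_code: int                          # tie-breaker: smaller code runs earlier
    requires_tcp_port: Optional[int] = None   # the "tcp port" field of the scheduling policy
    depends_on: Tuple[str, ...] = ()          # ordering requirements recorded in the knowledge base


def preliminary_order(scripts: List[Script]) -> List[Script]:
    """Higher priority first; equal priority ordered by ascending policy code."""
    return sorted(scripts, key=lambda s: (-PRIORITY_BY_TYPE[s.policy_type], s.policy_code))


def apply_dependencies(order: List[Script]) -> List[Script]:
    """Move each script behind its dependencies, otherwise keeping the preliminary order (stable Kahn)."""
    result: List[Script] = []
    placed: Set[str] = set()
    pending = list(order)
    while pending:
        for i, s in enumerate(pending):
            if all(d in placed for d in s.depends_on):
                result.append(pending.pop(i))
                placed.add(s.name)
                break
        else:
            raise ValueError("dependency cycle among: " + ", ".join(s.name for s in pending))
    return result


def environment_satisfied(s: Script, kb: Dict[str, Set[int]]) -> bool:
    """Run-time requirement check against the knowledge base: the required TCP port is known to be open."""
    return s.requires_tcp_port is None or s.requires_tcp_port in kb.get("open_ports", set())


def schedule(scripts: List[Script], kb: Dict[str, Set[int]]) -> Tuple[List[Script], List[Script]]:
    """Return (execution queue, wait queue); scripts whose environment is not ready are deferred, not run."""
    run: List[Script] = []
    wait: List[Script] = []
    for s in apply_dependencies(preliminary_order(scripts)):
        (run if environment_satisfied(s, kb) else wait).append(s)
    return run, wait


def wake_waiting(run: List[Script], wait: List[Script],
                 kb: Dict[str, Set[int]]) -> Tuple[List[Script], List[Script]]:
    """Periodic re-check of the wait queue: scripts whose requirements are now met go to the head of the run queue."""
    woken = [s for s in wait if environment_satisfied(s, kb)]
    still = [s for s in wait if not environment_satisfied(s, kb)]
    return woken + run, still


def names(scripts: List[Script]) -> List[str]:
    return [s.name for s in scripts]


SAMPLE = [  # constructed scripts; iec104_auth_probe sorts before the script it depends on
    Script("ping_sweep", "host_discovery", 10),
    Script("tcp_scan", "port_scan", 20),
    Script("http_banner", "service_detect", 30, requires_tcp_port=80, depends_on=("tcp_scan",)),
    Script("iec104_auth_probe", "vuln_check", 40, requires_tcp_port=2404, depends_on=("iec104_identify",)),
    Script("iec104_identify", "vuln_check", 45, requires_tcp_port=2404, depends_on=("tcp_scan",)),
]

if __name__ == "__main__":
    kb: Dict[str, Set[int]] = {"open_ports": set()}           # nothing known yet
    run, wait = schedule(SAMPLE, kb)
    print(names(run), names(wait))
    kb["open_ports"] = {80, 2404}                              # tcp_scan has run and filled the knowledge base
    run, wait = wake_waiting([], wait, kb)
    print(names(run), names(wait))
```

With an empty knowledge base only the two scripts without a port requirement are queued; the others sit in the wait queue in dependency-respecting order and are pulled to the head of the run queue once the port scan has recorded the ports as open. A dependency cycle is reported rather than silently dropping a script.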
Preferably, the script engine obtains the test scripts and parameter information required by the test task from the process memory.
The system loads all scripts and stores them in an arglist structure, a global variable linked list that holds all information about the engine during startup, running and shutdown, including startup configuration, script interpretation and execution, and return information. Each node's data structure contains the node name, node type (the type of the stored information), node value (the content of the stored information), node length, the address of the next node, the node number (computed with a hash algorithm), and so on. Each kind of information the script engine needs, such as script information or target host information, is held in a corresponding linked list, and these lists hang off the global variable linked list. When the script engine starts it initializes an empty global variable linked list and fills it in during operation; during operation it searches the list for the information it needs, and the information on each node is modified in real time as the engine runs.
The script engine searching the global variable linked list for the information it needs specifically means: the script engine keeps a digest table for the global variable linked list and searches the list through that table. The digest table stores the mapping from a node's digest value to the node's type and position; the digest value is the node's key information, i.e. commonly searched content, key values and so on. After modifying the global variable linked list, the script engine must update the digest table in real time.
The knowledge base stores test scripts and mediates the exchange of test script information. During the script engine's work, the information collected by script execution is stored in the knowledge base, which effectively avoids repeated scanning, reduces wasted resources and improves efficiency.
The script knowledge base maintained by the script engine records useful information obtained after scripts run, such as the operating system type, open ports, services offered, logged-in accounts and so on. The knowledge base lets scripts exchange information, provides a basis for running some scripts, and also simplifies script coding: for example, a test script need not spell out the system environment, port states and other information it depends on at run time; during actual execution, the script queries the knowledge base for the system environment, port states and so on and acts accordingly, for example by querying script-related information based on the script type. During engine maintenance the knowledge base is populated automatically from what the scripts have in common, and after the script engine has executed a script, the knowledge base is populated from the execution information.
As shown in Figure 2, the script execution module interprets and executes specific test scripts. It contains a script interpreter, which analyzes and interprets the test script statement by statement in the dynamic order of its statements and, through lexical analysis, syntax analysis and semantic analysis combined with a symbol table and an error handling mechanism, converts the script into internal functions and variables and executes them.
Preferably, after script loading and organization are complete, the script engine calls the script execution module to execute the specific test scripts.
Preferably, lexical analysis mainly splits the NASL script into (type, value) pairs, separating out individual tokens and entering them into the symbol table; syntax analysis analyzes the token list produced by lexical analysis, recognizes complete statements and verifies their syntactic completeness; during script execution, the variables defined are recognized and entered into the symbol table; semantic analysis, in the syntax analysis stage, parses each statement of the resulting syntax tree and performs the corresponding semantic action.
The vulnerability scanning test script library stores the vulnerability scanning test scripts. They are written in the NASL language, and each test script consists of a vulnerability-and-script description part and a vulnerability test procedure part.
The vulnerability-and-script description part describes the test script itself and the vulnerability, including the vulnerability name, description, id, CVE number, BID number, CNVD number, CNNVD number, affected versions, solution, threat level, family, related link addresses, the knowledge-base (KB) keys the test requires, the KB keys it mandatorily requires, the KB keys that exclude the test, the script's scanning parameters, and so on.
The vulnerability test procedure part is the logic for vulnerability verification, i.e. how packets are sent, including string parsing, socket-related functions, file-operation-related functions and so on.
A vulnerability scan can select the appropriate scanning policy for vulnerability detection according to the operating state of the device under test and the scanning schedule; Figure 3 shows several scanning policies.
As for the test strategy of the specific test scripts: the security protection scheme of early distribution automation systems supports one-way authentication based on asymmetric-key technology; remote control commands issued by the master station should carry a digital signature based on the dispatching certificate, and the substation or terminal side should be able to verify the master station's digital signature, thereby achieving security authentication and data integrity verification of the master station's control commands and parameter setting instructions. However, when a terminal comes online the master station has no mechanism to authenticate it, so the master station cannot tell a genuine terminal from a forged one. Moreover, telemetry and remote signaling data exchanged between the master station and terminals are transmitted in plaintext, which readily leads to data leakage and tampering. For this situation, the detection system tests the security authentication and encryption functions of the distribution protocol by actively sending packets and by passively intercepting and analyzing packets. Distribution master stations and terminals currently communicate mostly over the 101/104 protocols. Therefore, by analyzing the 101/104 protocol specification, connection-establishment and communication packets are constructed and actively sent to the target system under test, and the target's responses are used to test whether it performs effective authentication: if a connection can be established and communication carried out with unauthenticated packets, the target system does not employ an authentication mechanism. In addition, 101/104 communication packets are intercepted and subjected to deep packet inspection: tshark filters the packets for the specified target device IP and the specified port (2404), and tshark's built-in 60870-5-104-Asdu dissector is used to determine whether the packets conform to the 101/104 specification; if they do, the TypeID and function code are extracted from the packet, and if the extracted information conforms to the 101/104 standard, the protocol is deemed unencrypted.
Below, taking the 104 protocol as the basis, its protocol security test method is analysed in detail. For example, the 104 protocol security test checks the protocol security of a distribution network system running the 104 protocol and consists of two parts: verifying whether 104 messages are authenticated, and verifying whether 104 messages are encrypted.
The vulnerability detection method of the present invention comprises the following steps:
Step S1: verify whether messages are authenticated; specifically, by actively sending messages to a terminal that has been determined to run the protocol (as shown in Figure 4);
Step S11: determine whether the terminal to be verified, which has been determined to run the protocol, is a terminal running the specific protocol; if so, proceed to the next step; otherwise, go to step S1X;
Step S12: determine whether a connection can be established with the terminal; if so, proceed to the next step; otherwise, go to step S16;
Step S13: send a protocol link request test message; if the terminal returns a link test success message, go to step S14; otherwise, go to step S17;
Step S14: send a protocol general call (general interrogation) test message; if the terminal returns a general call test success message, go to step S15; otherwise, go to step S18;
Step S15: determine that the protocol is not authenticated;
Step S16: the connection is abnormal and the protocol authentication status cannot be tested; go to step S1X;
Step S17: determine that the link request test failed; go to step S14;
Step S18: determine that the general call test failed; go to step S19;
Step S19: determine that the protocol is authenticated;
Step S1X: end;
Step S2: verify whether messages are encrypted; specifically, by actively capturing the port packets of the terminal running the protocol and analysing them to determine whether the messages are encrypted (as shown in Figure 5);
Step S21: determine whether the terminal is a terminal running the specific protocol; if so, proceed to the next step; otherwise, go to step S2X;
Step S22: capture port packets in real time;
Preferably: capture port 2404 packets with tshark;
Step S23: determine whether the packets contain data of a specific type;
Preferably: the specific type is 60870-5-104-Asdu data;
Step S24: determine that the protocol is not encrypted; go to step S2X;
Step S25: determine that the protocol is encrypted;
Step S2X: end;
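Added example, not code from the patent: a minimal IEC 60870-5-104 APDU parser in Python together with the decision logic of steps S13 to S19 (authentication) and S23 to S25 (encryption), run over constructed sample frames. It only decodes replies and captured payloads and sends nothing; the frame bytes, the set of Type IDs and the function names are assumptions of this example.

```python
import struct

START_BYTE = 0x68
STARTDT_CON = 0x0B                  # U-frame control octet: STARTDT confirm (link test reply)
C_IC_NA_1 = 100                     # ASDU Type ID 100: general interrogation (general call)
COT_ACTCON = 7                      # cause of transmission: activation confirmation
# A few standard IEC 104 Type IDs; a decodable Type ID from this set means plaintext
KNOWN_TYPE_IDS = {1, 3, 9, 11, 13, 30, 31, 36, 45, 46, 100, 103}

def parse_apdu(data: bytes):
    """Parse one IEC 104 APDU; return its fields, or None if it does not decode as 104."""
    if len(data) < 6 or data[0] != START_BYTE or data[1] != len(data) - 2:
        return None
    ctrl1 = data[2]
    if ctrl1 & 0x03 == 0x03:                    # U-format: STARTDT / STOPDT / TESTFR
        return {"format": "U", "func": ctrl1}
    if ctrl1 & 0x03 == 0x01:                    # S-format: supervisory acknowledgement
        return {"format": "S"}
    if len(data) < 15:                          # I-format needs a full ASDU header
        return None
    asdu = data[6:]                             # Type ID, VSQ, COT(2), CA(2), IOA(3), ...
    return {"format": "I",
            "send_seq": struct.unpack_from("<H", data, 2)[0] >> 1,
            "recv_seq": struct.unpack_from("<H", data, 4)[0] >> 1,
            "type_id": asdu[0], "cot": asdu[2] & 0x3F,
            "common_addr": asdu[4] | (asdu[5] << 8)}

def authentication_verdict(link_reply, gi_reply):
    """Steps S13-S19: a successful general call (S14) gives 'not authenticated' (S15), a
    failed one gives 'authenticated' (S18 -> S19); a failed link test (S17) still goes on to S14."""
    link = parse_apdu(link_reply) if link_reply else None
    link_ok = link is not None and link["format"] == "U" and link["func"] == STARTDT_CON
    if not link_ok:
        print("S17: link request test failed, continuing to S14")
    gi = parse_apdu(gi_reply) if gi_reply else None
    gi_ok = (gi is not None and gi["format"] == "I"
             and gi["type_id"] == C_IC_NA_1 and gi["cot"] == COT_ACTCON)
    return "not authenticated" if gi_ok else "authenticated"

def encryption_verdict(captured_payloads):
    """Steps S23-S25: any TCP/2404 payload that decodes as a 104 ASDU with a standard
    Type ID shows the channel is plaintext; otherwise it is judged encrypted."""
    for payload in captured_payloads:
        apdu = parse_apdu(payload)
        if apdu and apdu["format"] == "I" and apdu["type_id"] in KNOWN_TYPE_IDS:
            return "not encrypted"
    return "encrypted"

# Constructed sample frames (not captured from any real device)
STARTDT_CON_FRAME = bytes.fromhex("68040b000000")                         # U-frame, STARTDT con
GI_ACTCON_FRAME = bytes.fromhex("680e00000200640107000100" "00000014")    # C_IC_NA_1, COT=7
TLS_LIKE_RECORD = bytes.fromhex("1703030020") + bytes(32)                  # opaque, not 104
```

With these samples, authentication_verdict(STARTDT_CON_FRAME, GI_ACTCON_FRAME) returns "not authenticated" and encryption_verdict([TLS_LIKE_RECORD]) returns "encrypted", while a captured GI_ACTCON_FRAME flips the second verdict to "not encrypted".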
As shown in Figure 6, the vulnerability detection method of the present invention can find vulnerabilities quickly; Figure 6 shows the vulnerability detection results of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed method and terminal may be implemented in other ways. For example, the device embodiments described above are merely illustrative; for instance, the division into modules is only a division by logical function, and other divisions are possible in actual implementation.
In addition, provided no contradiction arises, the technical solutions of the above embodiments may be combined with and substituted for one another.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated units may be implemented in hardware, or in hardware combined with software functional modules.
It will be apparent to those skilled in the art that the present invention is not limited to the details of the above exemplary embodiments and may be embodied in other specific forms without departing from its spirit or essential characteristics. The embodiments are therefore to be regarded in every respect as exemplary and not restrictive, the scope of the invention being defined by the appended claims rather than by the foregoing description, and all changes falling within the meaning and range of equivalents of the claims are intended to be embraced in the present invention. Any reference sign in a claim shall not be construed as limiting the claim concerned. Furthermore, the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Several modules or devices recited in a system claim may also be implemented by a single module or device through software or hardware. The words first, second, and so on are used to denote names and do not indicate any particular order.
Finally, it should be noted that the above embodiments are intended only to illustrate, and not to limit, the technical solutions of the present invention. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solutions of the present invention may be modified or replaced with equivalents without departing from the spirit and scope of those technical solutions.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811622270.0A CN111385249B (en) | 2018-12-28 | 2018-12-28 | A Vulnerability Detection Method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811622270.0A CN111385249B (en) | 2018-12-28 | 2018-12-28 | A Vulnerability Detection Method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111385249A CN111385249A (en) | 2020-07-07 |
CN111385249B true CN111385249B (en) | 2023-07-18 |
Family
ID=71217993
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811622270.0A Active CN111385249B (en) | 2018-12-28 | 2018-12-28 | A Vulnerability Detection Method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111385249B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118449750B (en) * | 2024-05-08 | 2025-03-04 | 李炜 | Vulnerability assessment verification method and system for IEC 104 protocol |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7450514B2 (en) * | 2003-09-03 | 2008-11-11 | University-Industry Cooperation Group Of Kyunghee University | Method and device for delivering multimedia data using IETF QoS protocols |
CN102082659A (en) * | 2009-12-01 | 2011-06-01 | 厦门市美亚柏科信息股份有限公司 | Vulnerability scanning system oriented to safety assessment and processing method thereof |
CN103106368A (en) * | 2013-02-26 | 2013-05-15 | 南京理工大学常熟研究院有限公司 | Vulnerability scanning method for grade protection |
CN104200166A (en) * | 2014-08-05 | 2014-12-10 | 杭州安恒信息技术有限公司 | Script-based website vulnerability scanning method and system |
CN104363236A (en) * | 2014-11-21 | 2015-02-18 | 西安邮电大学 | Automatic vulnerability validation method |
CN104583949A (en) * | 2012-08-16 | 2015-04-29 | 高通股份有限公司 | Pre-processing of scripts in web browsers |
CN106227668A (en) * | 2016-07-29 | 2016-12-14 | 腾讯科技(深圳)有限公司 | Data processing method and device |
CN107094158A (en) * | 2017-06-27 | 2017-08-25 | 四维创智(北京)科技发展有限公司 | The fragile analysis system of one kind automation intranet security |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102377571A (en) * | 2011-11-15 | 2012-03-14 | 航天科工深圳(集团)有限公司 | Method and system for implementing IEC104 message transmission |
US9203811B2 (en) * | 2012-10-09 | 2015-12-01 | Futurewei Technologies, Inc. | Authenticated encryption support in ISO/IEC 23009-4 |
CN103888444B (en) * | 2014-02-24 | 2018-07-10 | 国家电网公司 | A kind of safe distribution of electric power authentication device and its method |
CN104168288A (en) * | 2014-08-27 | 2014-11-26 | 中国科学院软件研究所 | Automatic vulnerability discovery system and method based on protocol reverse parsing |
CN105721255A (en) * | 2016-04-14 | 2016-06-29 | 北京工业大学 | Industrial control protocol vulnerability mining system based on fuzzy test |
CN106302535A (en) * | 2016-09-30 | 2017-01-04 | 中国南方电网有限责任公司电网技术研究中心 | Attack simulation method and device for power system and attack simulation equipment |
CN107070893A (en) * | 2016-12-09 | 2017-08-18 | 中国电子科技网络信息安全有限公司 | A kind of power distribution network terminal IEC101 protocol massages certification method of discrimination |
CN106911514A (en) * | 2017-03-15 | 2017-06-30 | 江苏省电力试验研究院有限公司 | SCADA network inbreak detection methods and system based on the agreements of IEC60870 5 104 |
- 2018-12-28: CN CN201811622270.0A, patent CN111385249B, active
Non-Patent Citations (1)
Title |
---|
Implementation of memory-structure simulation in the CPU emulator MCS; 李锋, 王雷, 刘又诚, 周伯生; Journal of Beijing University of Aeronautics and Astronautics (No. 4); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN111385249A (en) | 2020-07-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8433811B2 (en) | Test driven deployment and monitoring of heterogeneous network systems | |
CN115701019B (en) | Zero-trust network access request processing method and device and electronic equipment | |
CN114679292B (en) | Honeypot identification method, device, equipment and medium based on network space mapping | |
CN111092910B (en) | Database security access method, device, equipment, system and readable storage medium | |
CN111385253B (en) | Vulnerability detection system for network security of power distribution automation system | |
US20150156202A1 (en) | Privilege Separation | |
EP4407954A1 (en) | Data exchange method, system and apparatus, and device | |
CN109726531A (en) | A marketing terminal security control method based on blockchain smart contract | |
Yuan et al. | MQTTactic: Security analysis and verification for logic flaws in MQTT implementations | |
Tabrizi et al. | Formal security analysis of smart embedded systems | |
Mladenov et al. | Formal verification of the implementation of the MQTT protocol in IoT devices | |
Khandker et al. | ASTRA-5G: automated over-the-air security testing and research architecture for 5G SA devices | |
CN111385249B (en) | A Vulnerability Detection Method | |
Tang et al. | Ssldetecter: detecting SSL security vulnerabilities of android applications based on a novel automatic traversal method | |
CN113194088B (en) | Access interception method, device, log server and computer readable storage medium | |
Anantharaman et al. | Phasorsec: Protocol security filters for wide area measurement systems | |
CN110110524A (en) | Vulnerability scanning and maintaining method for computing equipment system | |
CN112214769A (en) | Active measurement system of Windows system based on SGX architecture | |
Dong et al. | {CoreCrisis}:{Threat-Guided} and {Context-Aware} Iterative Learning and Fuzzing of 5G Core Networks | |
CN112437070A (en) | Operation-based spanning tree state machine integrity verification calculation method and system | |
CN100440892C (en) | Grid security communication system and grid security communication method | |
Cheng et al. | PDFuzzerGen: Policy‐Driven Black‐Box Fuzzer Generation for Smart Devices | |
Chen et al. | Research on Mobile Application Local Denial of Service Vulnerability Detection Technology Based on Rule Matching | |
CN112953969A (en) | Network request response method and device, computer equipment and storage medium | |
CN116032798B (en) | Automatic testing method and device for zero-trust identity authorization |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||