CN111786832A - A method and device for interconnecting an attack-defense platform with a variety of industrial control scenarios - Google Patents
- Publication number: CN111786832A (application CN202010618524.2A)
- Authority: CN (China)
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L41/0803: Configuration setting (under H04L41/08 Configuration management of networks or network elements; H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
- H04L41/02: Standardisation; Integration (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks)
- Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)
Description
Technical field
The present invention relates to a method and device for interconnecting an attack-defense platform with multiple industrial control scenarios, and belongs to the technical field of computer security.
Background
With the continued development of cyber ranges and the maturing of industrial control system technology, connecting a network attack-defense platform with a variety of real or simulated scenarios to form a complete internet range has become an urgent problem to solve. Interconnecting the attack-defense platform with diverse scenarios also supports research into deeper and broader network security problems.
Existing interconnection methods are mainly virtual private networks (VPN), Virtual eXtensible LAN (VXLAN) and dedicated network lines. A VPN uses encryption and authentication protocols to protect data from snooping, achieves efficient and secure interconnection, and scales well, often providing substantial capacity and application support without additional infrastructure. However, VPN configuration is complex: it requires a high level of understanding of networking and security, careful planning and configuration, and point-to-point deployment, configuration and management, and any solution relying on advanced encryption technology can potentially be broken. VXLAN supports more virtual network devices, decouples the physical network from the virtual network and improves device performance; however, it is harder to manage, permissions are difficult to centralize, and because it relies on tunneling, a tunnel header must be encapsulated and decapsulated for every packet, which lowers forwarding efficiency. A dedicated network line is fast and stable: users have 24-hour access, can obtain information at any time without large network fluctuations, and transmission quality is relatively high with low latency; however, deployment cost is very high and the price is expensive.
A search found that Chinese patent document CN110290045A discloses a method for building a combined software-hardware model of a cyber range under a cloud architecture. The method builds a VXLAN subnet on the OpenStack cloud platform to isolate the virtual device network from the physical device network. By establishing a central network node, physical devices and virtual devices exchange information through that node using software-defined networking, achieving a software-hardware combination so that the cyber range can communicate efficiently with external physical devices, which improves the practicality of the cyber range. The method relies on VXLAN to extend a layer-2 network across a layer-3 network and builds subnets on VXLAN to isolate data flooding between the external and internal networks, thereby reducing traffic flooding and improving network transmission efficiency and the security of the cyber range.
Chinese patent document CN109743293A discloses a method for accessing a cyber range, a cyber range system and a computer storage medium, comprising: receiving a virtual machine access request sent by a browser client, where a cyber range running on the SPICE protocol is built on the virtual machine; requesting a spiceHTML5 client through the SPICE AGENT component, where the spiceHTML5 client performs conversion between the HTTP protocol and the SPICE protocol; connecting to the spiceHTML5 client through the websockify library; requesting the virtual machine's token from the SPICE AGENT component; and accessing the virtual machine based on the token, completing the interaction between the virtual machine and the browser client through the spiceHTML5 client. Users can interact with the virtual machine in the browser and thereby operate or attack the simulated industrial control devices in the cyber range, without pre-installing multiple environments on their terminal for adaptation; operation is carried out directly through the browser page, which improves convenience.
However, most existing techniques concern a cyber range in which the attack-defense platform is interconnected with a single industrial control scenario, using the platform and that one scenario for simulated attack-defense drills; no technique has been found that connects the attack-defense platform with diverse scenarios to achieve interconnection inside the cyber range.
Summary of the invention
To address the shortcomings of the prior art, the present invention provides a method and device for interconnecting an attack-defense platform with multiple industrial control scenarios. The interconnection device of the invention achieves interconnection and data exchange between the attack-defense platform and multiple industrial control scenarios, forming a complete cyber range. The interconnection device can deploy equipment in multiple industrial control scenarios by distributing configuration files.
The technical scheme of the present invention is as follows:
A method for interconnecting an attack-defense platform with multiple industrial control scenarios, comprising the following steps:
(1) The user sends scenario configuration information to the interconnection device; the configuration information includes the IP address and port number of the attack-defense platform entrance and the IP address and port number of the industrial control scenario;
(2) The configuration module sends the configuration information to the storage module for storage and submits it to the management module. With multiple industrial control scenarios, the user needs to import the configuration information of each industrial control scenario into the interconnection device on the attack-defense platform side, and the configuration information of the attack-defense platform needs to be configured in advance in the interconnection device of each industrial control scenario;
(3) The management module in each interconnection device distributes the configuration information to each module;
(4) Each interconnection device configures its communication module and gateway module according to the configuration information, completing the communication connections between the interconnection device and the attack-defense platform and the industrial control scenarios;
(5) The object component module of the attack-defense platform's interconnection device collects the key information of each industrial control scenario, and the object component module of each industrial control scenario collects the key information of the attack-defense platform object; the data is standardized in a unified format, the attack-defense platform object and the industrial control scenario objects are constructed, and the object data is stored in the database;
(6) A mapping is constructed between the attack-defense platform and the industrial control scenario through the communication module and the gateway module, establishing a logical connection between the two; after the connection succeeds, the mapping information is stored;
(7) The management module coordinates the modules and executes the instructions.
Preferably, the data generated while steps (1)-(7) run is recorded by the logging module and the log information is stored in the data storage module.
Preferably, in step (1), the user sends the configuration file to the interconnection device by means of an instruction.
Preferably, in step (2), the configuration module submits the configuration information to the management module for setting its own parameters.
Preferably, in step (4), the interconnection device and the attack-defense platform communicate using HTTP as the application-layer protocol and TCP/IP as the transport-layer protocol; the interconnection device and the industrial control scenario likewise communicate using HTTP as the application-layer protocol and TCP/IP as the transport-layer protocol.
Preferably, in step (5), to achieve efficient data exchange between the attack-defense platform and the industrial control scenario, a unified-format object definition language is used during modeling to describe the scenario objects in a standardized way, including the definitions of multiple sub-objects and the key information of the scenario.
A device for interconnecting an attack-defense platform with multiple industrial control scenarios, comprising:
a configuration module, which obtains the configuration information sent by the user, sends it to the management module, and places it in the data storage module for storage;
a management module, which schedules and manages the other modules in a unified way and allocates and manages all physical and virtual resources involved in the interconnection between the attack-defense platform and the industrial control scenarios;
a communication module, which performs data transmission between the interconnection device and the attack-defense platform and between the interconnection device and the industrial control scenarios;
a gateway module, used for data conversion between the attack-defense platform and the industrial control scenarios, translating and converting data according to the different protocols;
a data storage module, used to store various data, writing the data to a database for persistence;
an object component module, which constructs the object for each kind of industrial control scenario;
a logging module, which records various data during the operation of the interconnection device;
a program controller, responsible for converting operation control signals into instructions stored in memory and, while the interconnection device is running, reading out the instructions to form control signals that are distributed to each module for execution.
Preferably, the data storage module is connected to the other modules through a unified interface, and the data storage module contains multiple different databases.
A server, comprising:
one or more processors;
a storage device on which one or more programs are stored,
such that when the one or more programs are executed by the one or more processors, the one or more processors implement the above method for interconnecting an attack-defense platform with multiple industrial control scenarios.
A computer-readable medium having a computer program stored thereon, wherein when the computer program is executed by a processor, the above method for interconnecting an attack-defense platform with multiple industrial control scenarios is implemented.
The beneficial effects of the present invention are:
1. With the device and method proposed by the present invention for interconnecting an attack-defense platform with multiple industrial control scenarios, scenario-level interconnection of the two is achieved simply by distributing a configuration file, and the connection is efficient, fast and secure, meeting the requirements of interconnection. The interconnection device itself is programmable, and users can carry out secondary development against the given function interfaces according to their own requirements.
2. The device and method proposed by the present invention for interconnecting an attack-defense platform with multiple industrial control scenarios can be used by security companies and research institutes that need to interconnect an attack-defense platform with industrial control scenarios, for network interconnection at any time and in any place. The application prospects are very broad.
Description of the drawings
Figure 1 is a schematic diagram of the connection relationships when the attack-defense platform of the present invention is interconnected with multiple industrial control scenarios;
Figure 2 is a block diagram of the device of the present invention for interconnecting an attack-defense platform with multiple industrial control scenarios;
Figure 3 is a flowchart of the method of the present invention for interconnecting an attack-defense platform with multiple industrial control scenarios.
Detailed description
The present invention is further described below through embodiments with reference to the accompanying drawings, but is not limited to them.
Embodiment 1:
As shown in Figure 3, this embodiment provides a method for interconnecting an attack-defense platform with multiple industrial control scenarios, comprising the following steps:
(1) The user sends scenario configuration information to the interconnection device through an instruction of the program controller; the configuration information includes the IP address and port number of the attack-defense platform entrance and the IP address and port number of the industrial control scenario;
(2) The configuration module sends the configuration information to the storage module for storage and submits it to the management module, which sets its own parameters. With multiple industrial control scenarios, the user needs to import the configuration information of each industrial control scenario into the interconnection device on the attack-defense platform side, and the configuration information of the attack-defense platform needs to be configured in advance in the interconnection device of each industrial control scenario;
(3) The management module in each interconnection device distributes the configuration information to each module;
(4) The communication module and the gateway module are configured according to the configuration information, completing the communication connections between the interconnection device and the attack-defense platform and the industrial control scenarios;
The interconnection device and the attack-defense platform communicate using HTTP as the application-layer protocol and TCP/IP as the transport-layer protocol; the interconnection device and the industrial control scenario likewise communicate using HTTP as the application-layer protocol and TCP/IP as the transport-layer protocol.
(5) The object component module of the attack-defense platform's interconnection device collects the key information of each industrial control scenario, and the object component module of each industrial control scenario collects the key information of the attack-defense platform object; the data is standardized in a unified format, the attack-defense platform object and the industrial control scenario objects are constructed, and the object data is stored in the database;
To achieve efficient data exchange between the attack-defense platform and the industrial control scenario, a unified-format object definition language is used during modeling to describe the scenario objects in a standardized way, including the definitions of multiple sub-objects and the key information of the scenario.
(6) A mapping is constructed between the attack-defense platform and the industrial control scenario through the communication module and the gateway module, establishing a logical connection between the two; after the connection succeeds, the mapping information is stored;
(7) The management module coordinates the modules and executes the instructions.
The data generated while steps (1)-(7) run is recorded by the logging module, and the log information is stored in the data storage module.
Working principle of the interconnection between the attack-defense platform of the present invention and multiple industrial control scenarios:
The interconnection between the attack-defense platform and multiple industrial control scenarios is shown in Figure 1. To interconnect the attack-defense platform with multiple industrial control scenarios, an interconnection device A is deployed at the edge of the attack-defense platform, and interconnection devices B1, B2 and so on are deployed at the edge of each industrial control scenario (two scenarios are used as the example here). First, the user configures the IP address and port number of each scenario on interconnection device A, and configures the IP address and port number of the attack-defense platform on interconnection devices B1 and B2. Once the devices are connected, interconnection device A obtains the key information of each scenario object, such as the number of devices, device names, serial numbers, device types and versions, and constructs the scenario object. Interconnection devices B1, B2 and so on obtain the key information of the attack-defense platform, such as its IP address and port number, and construct the attack-defense platform object, completing the interconnection between the attack-defense platform and the multiple industrial control scenarios. If a connection request still fails after a certain number of attempts, the logging module records the connection failure.
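Steps (1)-(6) and the failure rule above, as an added example that is not the patent's own code: a platform-side device A loads a constructed configuration file (the JSON key names `platform`, `scenarios`, `ip`, `port`, `name` are assumptions), validates each IP address and port before any module acts on it, attempts each scenario connection a bounded number of times, logs the failure when the limit is reached, and stores the standardized scenario object together with the platform-to-scenario mapping. The `attempt` and `collect` callables stand in for the communication module and the object component module; the patent does not specify their interfaces.

```python
import ipaddress
import json
import logging
from dataclasses import asdict, dataclass, field
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("interconnect")

# Constructed configuration file in the shape step (1) describes: the platform
# entrance and each industrial control scenario as an IP address and port.
# The JSON key names are assumptions; the patent only says what the file holds.
SAMPLE_CONFIG = json.dumps({
    "platform": {"ip": "10.0.0.10", "port": 8080},
    "scenarios": [
        {"name": "substation", "ip": "192.168.10.5", "port": 8080},
        {"name": "water-plant", "ip": "192.168.20.5", "port": 8080},
    ],
})


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class ScenarioObject:
    """Scenario object in the unified format of step (5), carrying the key
    fields named in the working-principle section (device count, name, serial
    number, type, version)."""
    name: str
    endpoint: Endpoint
    devices: List[Dict[str, str]] = field(default_factory=list)

    def to_record(self) -> Dict:
        return {"name": self.name, "ip": self.endpoint.ip, "port": self.endpoint.port,
                "device_count": len(self.devices), "devices": self.devices}


def parse_endpoint(raw: Dict) -> Endpoint:
    """Validate one IP/port pair before any module acts on it (step 2);
    ipaddress.ip_address raises ValueError on anything that is not an address,
    so a malformed entry never reaches the communication or gateway module."""
    ip = ipaddress.ip_address(str(raw["ip"]))
    port = int(raw["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return Endpoint(str(ip), port)


def load_config(text: str) -> Tuple[Endpoint, Dict[str, Endpoint]]:
    cfg = json.loads(text)
    platform = parse_endpoint(cfg["platform"])
    scenarios = {s["name"]: parse_endpoint(s) for s in cfg["scenarios"]}
    return platform, scenarios


def connect_with_retry(ep: Endpoint, attempt: Callable[[Endpoint], bool],
                       max_attempts: int = 3) -> bool:
    """Step (6) with the rule from the working-principle section: after a fixed
    number of failed requests the logging module records the failure.
    `attempt` stands in for the communication module's connection request."""
    for n in range(1, max_attempts + 1):
        if attempt(ep):
            log.info("connected to %s:%d on attempt %d", ep.ip, ep.port, n)
            return True
    log.error("connection to %s:%d failed after %d attempts", ep.ip, ep.port, max_attempts)
    return False


def build_mappings(config_text: str, attempt: Callable[[Endpoint], bool],
                   collect: Callable[[Endpoint], List[Dict[str, str]]]) -> Dict[str, Dict]:
    """Steps (1)-(6) on the platform-side device A: load the config, connect to
    each scenario, collect its key information, standardize it and store the
    platform-to-scenario mapping (a dict stands in for the data storage module)."""
    platform, scenarios = load_config(config_text)
    store: Dict[str, Dict] = {}
    for name, ep in scenarios.items():
        if not connect_with_retry(ep, attempt):
            continue  # failure already logged; no mapping is stored for it
        obj = ScenarioObject(name, ep, devices=collect(ep))
        store[name] = {"platform": asdict(platform), "scenario": obj.to_record()}
    return store


def demo() -> Dict[str, Dict]:
    """Constructed run: the substation scenario answers, the water plant does
    not, so one mapping is stored and one failure is logged."""
    def attempt(ep: Endpoint) -> bool:
        return ep.ip.startswith("192.168.10.")

    def collect(ep: Endpoint) -> List[Dict[str, str]]:
        # Constructed key information a scenario-side device would report.
        return [{"name": "PLC-1", "serial": "SN-0001", "type": "plc", "version": "1.2"},
                {"name": "HMI-1", "serial": "SN-0002", "type": "hmi", "version": "3.0"}]

    return build_mappings(SAMPLE_CONFIG, attempt, collect)
```

Calling `demo()` returns the stored mapping for the reachable scenario only; the unreachable one appears solely as an error entry from the logging module.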
Embodiment 2:
As shown in Figure 2, this embodiment provides a device for interconnecting an attack-defense platform with multiple industrial control scenarios, comprising the following modules connected through a bus structure:
a configuration module, which obtains the configuration information sent by the user, sends it to the management module, and places it in the data storage module for storage;
a management module, which schedules and manages the other modules in a unified way and allocates and manages all physical and virtual resources involved in the interconnection between the attack-defense platform and the industrial control scenarios;
a communication module, which performs data transmission between the interconnection device and the attack-defense platform and between the interconnection device and the industrial control scenarios;
a gateway module, used for data conversion between the attack-defense platform and the industrial control scenarios, translating and converting data according to the different protocols;
Each industrial control scenario is interconnected with the attack-defense platform's interconnection device through its own interconnection device. Since there are many kinds of industrial control scenarios and the communication protocols they use differ, the gateway module of the attack-defense platform can convert between the different protocols, and the gateway module of an industrial control scenario can receive data from the attack-defense platform and convert it to the protocol type used by that scenario;
a data storage module, used to store various data, writing the data to a database for persistence;
an object component module, which constructs the object for each kind of industrial control scenario;
a logging module, which records various data during the operation of the interconnection device;
a program controller, responsible for converting operation control signals into instructions stored in memory and, while the interconnection device is running, reading out the instructions to form control signals that are distributed to each module for execution.
To achieve efficient data exchange between the attack-defense platform and the industrial control scenario, a unified-format object definition language is used during modeling to describe the scenario objects in a standardized way, including the definitions of multiple sub-objects and the key information of the scenario.
The data storage module is connected to the other modules through a unified interface and contains multiple different databases. The hardware system of the device consists of a central processing unit (CPU), memory and a network communication module. The CPU, as the computing and control core of the device, is the final execution unit for information processing and program execution; a processor such as the Broadcom BCM4709A can be used. The memory includes random access memory (RAM), read-only memory (ROM) and flash memory, and the storage supports expansion; the specific configuration is 512MB DDR3 RAM, 1G ROM and 256MB flash memory.
The network communication module includes multiple network interfaces for reaching other devices, including wired network interfaces, Bluetooth, Universal Serial Bus (USB) and wireless interfaces. Specifically, the USB interfaces are USB 2.0 and USB 3.0, and the wireless transmission rate is 1000Mbps.
The interconnection device also includes a software system comprising the software modules described above: the configuration module, management module, object component module, communication module, gateway module, data storage module and logging module. These are logical software modules whose code is stored in the memory.
To enable communication and operation between the platform and the various scenarios, a unified message format, data format and scenario object are defined. Messages carry control information between the platform and a scenario; data represents the large-scale data flows between the network platform and the industrial control scenario, such as the states of various devices and video information. The object component module constructs the scenario objects. A scenario object models a scenario; to achieve efficient data exchange between the platform and the scenario, a unified-format object definition language is used during modeling to describe scenario objects in a standardized way, including the definitions of multiple sub-objects and the key information of the scenario.
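The gateway module's protocol translation between the unified message format and a scenario protocol, as an added example that is not the patent's own code. The patent names no specific industrial protocol, so this assumes the scenario side speaks Modbus/TCP and that a unified message is a dict with the assumed keys `op`, `unit`, `address` and `count`. The gateway translates only read requests and checks the register range, the MBAP header and the byte count in both directions, so a malformed message from the platform or a truncated reply from the scenario is rejected at the range boundary rather than forwarded.

```python
import struct
from typing import Dict

READ_HOLDING_REGISTERS = 0x03
MAX_REGISTERS = 125  # per-request limit for function code 3 in the Modbus spec
MBAP_LEN = 7         # transaction id (2), protocol id (2), length (2), unit id (1)


def unified_to_modbus(msg: Dict, transaction_id: int) -> bytes:
    """Unified platform message -> Modbus/TCP ADU (MBAP header + PDU).
    Only read requests are translated and the register range is bounds-checked,
    so an out-of-scope message is rejected here instead of reaching the
    scenario's devices."""
    if msg.get("op") != "read_registers":
        raise ValueError(f"unsupported op: {msg.get('op')!r}")
    unit, addr, count = int(msg["unit"]), int(msg["address"]), int(msg["count"])
    if not 0 <= unit <= 247:
        raise ValueError(f"unit id out of range: {unit}")
    if not (0 <= addr <= 0xFFFF and 1 <= count <= MAX_REGISTERS and addr + count <= 0x10000):
        raise ValueError("register range out of bounds")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, addr, count)
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit)
    return mbap + pdu


def modbus_to_unified(frame: bytes, expected_tid: int) -> Dict:
    """Modbus/TCP response -> unified data record. Header fields, transaction id
    and byte count are checked so a truncated, mismatched or oversized reply is
    not passed back to the platform as if it were valid data."""
    if len(frame) < MBAP_LEN + 2:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0 or tid != expected_tid:
        raise ValueError("MBAP header mismatch")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc & 0x80:  # exception response: function code with the high bit set
        return {"unit": unit, "op": "read_registers", "error": frame[8]}
    if fc != READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code: {fc}")
    byte_count = frame[8]
    if byte_count != len(frame) - 9 or byte_count % 2:
        raise ValueError("byte count does not match payload")
    values = list(struct.unpack(f">{byte_count // 2}H", frame[9:]))
    return {"unit": unit, "op": "read_registers", "values": values}


# Constructed exchange: the platform asks for two holding registers from unit 1
# and the scenario device answers with the register values 0x0102 and 0x0304.
SAMPLE_REQUEST = {"op": "read_registers", "unit": 1, "address": 0, "count": 2}
SAMPLE_REPLY = bytes.fromhex("0001 0000 0007 01 03 04 0102 0304")


def demo() -> Dict:
    """Translate the constructed request out and the constructed reply back."""
    request = unified_to_modbus(SAMPLE_REQUEST, transaction_id=1)
    reply = modbus_to_unified(SAMPLE_REPLY, expected_tid=1)
    return {"request_hex": request.hex(), "reply": reply}
```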
Embodiment 3:
This embodiment provides a server, comprising:
one or more processors;
a storage device on which one or more programs are stored,
such that when the one or more programs are executed by the one or more processors, the one or more processors implement the method for interconnecting an attack-defense platform with multiple industrial control scenarios described in Embodiment 1.
Embodiment 4:
This embodiment provides a computer-readable medium having a computer program stored thereon, wherein when the computer program is executed by a processor, the method for interconnecting an attack-defense platform with multiple industrial control scenarios described in Embodiment 1 is implemented.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010618524.2A CN111786832B (en) | 2020-07-01 | 2020-07-01 | A method and device for interconnecting an attack-defense platform with a variety of industrial control scenarios |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111786832A true CN111786832A (en) | 2020-10-16 |
| CN111786832B CN111786832B (en) | 2022-06-07 |
Family ID: 72759962
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | CB03 | Change of inventor or designer information | Inventor after: Liu Hongri; Sun Yunxiao; Wang Bailing; He Qinggang; Xin Guodong; Yang Xu. Inventor before: Yang Xu; Sun Yunxiao; Wang Bailing; He Qinggang; Liu Hongri; Xin Guodong. |
| | GR01 | Patent grant | |