
CN111988289B - EPA Industrial Control Network Security Testing System and Method - Google Patents


Info

Publication number
CN111988289B
Authority
CN
China
Prior art keywords
message
communication
module
epa
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010774356.6A
Other languages
Chinese (zh)
Other versions
CN111988289A (en)
Inventor
林瑞金
叶瑞哲
隋涛
洪炜林
林豪臻
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen University of Technology
Original Assignee
Xiamen University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen University of Technology
Priority to CN202010774356.6A
Publication of CN111988289A
Application granted
Publication of CN111988289B
Legal status: Active (current)
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the field of network security technology, and specifically to an EPA industrial control network security testing system and method. The system comprises a security management unit, which manages the security measures applied to messages at the application layer and in the data link of the EPA control network; a message control unit, which controls the EPA messages in the data link; and an information base unit, which stores the information required by the security management unit and processes it. In the invention, after receiving a message the receiver extracts the original message, generates a new check code from the original message and the corresponding check key using the designed check algorithm, and compares this new check code with the check code carried in the received message; if the two are identical the message is judged legitimate and the packet is accepted, otherwise the packet is discarded, which effectively prevents intruding packets from threatening or damaging the network.

Figure 202010774356

Description

EPA industrial control network security test system and method
Technical Field
The invention relates to the technical field of network security, in particular to a system and a method for testing the security of an EPA industrial control network.
Background
At present, with the development of information technologies such as computers, communications and networks, information exchange has extended into factories. With the further development of automation control technology it becomes necessary to build a comprehensive automation network platform covering every layer from the industrial field device layer through the control layer to the management layer, and to build enterprise information systems on industrial network technology.
In such network systems, intrusion is usually prevented by encrypting messages, with the key either distributed temporarily or stored in advance; both forms have drawbacks:
if the key is pre-stored, the encryption key loses its purpose as soon as it is obtained in advance, and the information becomes easy to crack once an external intruder has obtained the key. The prior art therefore uses dynamic keys, that is, the key is issued on site when the connection is made; but the site itself is also easy to attack, so the dynamic-key approach likewise permits data intrusion and affects the security of the equipment.
An industrial control network is critical to industrial production, so a network technology that guarantees network security against intrusion is desirable, and no effective solution is currently available.
Disclosure of Invention
The invention aims to provide an EPA industrial control network security testing system and method that solve the problems described in the background.
To this end, one object of the invention is an EPA industrial control network security testing system comprising an industrial control verification platform for verifying the security of an EPA industrial control network, the industrial control verification platform comprising:
a security management unit, which manages the security measures applied to messages at the application layer and in the data link of the EPA control network;
a message control unit, which controls the EPA messages in the data link;
a communication session contact unit, which contains a communication directory recording the IDs of the communication devices concerned; the communication between the communication session contact unit and all message senders and receivers uses a physical communication path different from the one used between the senders and receivers themselves, so that intercepting one physical path alone yields neither the message content nor the communication key data, which raises the difficulty of intercepting the communication;
the communication session contact unit communicates with all message senders and receivers; the session contact between a sender and a receiver is confirmed by the communication session contact unit, which provides the physical addresses for the connection;
an information base unit, which stores the information required by the security management unit and processes it;
the security management unit comprises a message encryption module, an integrity check module, a device authentication module and an access control module: the message encryption module encrypts messages in the data link; the integrity check module ensures the integrity of the encrypted message during transmission; the device authentication module sends an authentication request message to the trusted center; the access control module handles the requests received by the trusted center and establishes communication with the trusted device through the network bridge;
the message sender constructs an original message, generates a check code from the check key and the original message using the designed check algorithm, and appends the check code to the original message as a message field, so that the original message and the check code together form an integrity check message, which is sent to the receiver.
After receiving the message, the receiver extracts the original message, generates a new check code from the original message and the corresponding check key using the same check algorithm, and compares the new check code with the check code carried in the received message; if the two are identical the message is judged legitimate and the packet is accepted; otherwise the packet is discarded, and whether a negative response is returned is decided according to the serviceID. In this way it is determined whether the user data has been illegally tampered with or damaged.
The message control unit comprises a message control module and a message filtering module; the message control module controls the message protocol in transmission and the message filtering module filters messages in transmission;
the information base unit comprises an information detection module, a vulnerability detection module, a protocol module and a storage module; the information detection module scans the open ports of devices, identifies services, identifies trojans and detects the operating system; the vulnerability detection module scans and tests using the feature messages held in the storage module; the protocol module handles information exchange between the information base unit, the security management unit and the message control unit; the storage module stores the messages and the data exchanged.
In the information detection module, non-EPA devices are checked for liveness by sending PING or ARP messages, ARP probes reaching hosts whose firewall filters PING; for EPA devices, a capture thread parses the EPA device declaration messages to obtain liveness and device information such as MAC address, IP address and redundancy number, and to find illegal EPA devices. The discovered devices are then probed on their UDP and TCP ports with several port-scanning techniques (full-open scanning, half-open scanning and UDP scanning) to determine the port states, and a first service identification is made from an open-port-to-service mapping table; this step can reveal trojans listening on some ports. In a second identification, once a connection to the target system is established the returned banner information is collected and, by querying a service feature library, the service type and often the software name and version can be roughly identified; finally the target operating system is identified by measures such as TTL and flag values. For devices running a general-purpose operating system, operating-system vulnerabilities must be tested during vulnerability detection; for real-time operating systems such as uC/OS, and for EPA network devices and field devices without an operating system, the operating-system vulnerability test can be skipped.
As a further improvement, the message encryption module uses a periodically updated key, which is initialized by the trusted center.
The key is stored in an Octet String of 128 bytes; the device obtains the key actually used from this cipher table according to the key's offset within the table and the length of the table actually used, and the offset and length are determined by the application scenario and by the session-key lifetime requirement requested from the trusted center before communication begins.
As a further improvement, the periodically updated key encryption produces the ciphertext with a keyed algorithm:
M = E(m, k);
where M is the ciphertext, E() the encryption function, m the original message and k the key.
As a further improvement, decryption uses the corresponding decryption function:
m = D(M, k);
where m is the original message, D() the decryption function, M the ciphertext and k the key.
As a further improvement, the authentication request message consists mainly of a device ID, a device authentication code and a random number; the device authentication code is generated from the device ID, the security ID and the random number by a random algorithm:
Maut = { A(IDdev, IDsec, C) | IDdev | C };
where Maut is the device authentication request message, A() the authentication algorithm, IDdev the device ID, IDsec the security ID, C the random number and | field concatenation.
As a further improvement, on receiving the authentication request message the trusted center generates a comparison authentication code by the same random algorithm:
MAC = { A(IDdev, IDsec, C) };
where MAC is the comparison authentication code, A() the authentication algorithm, IDdev the device ID, IDsec the security ID and C the random number.
As a further improvement, the message filtering module (122) is an acceptance filter register.
As a further improvement, the protocol module (133) uses the TCP/IP protocol suite, comprising an application layer, a transport layer, a network layer and a data link layer.
As a further improvement, the application layer receives data from the transport layer and hands data down to the transport layer according to the requirements and manner of each application; the transport layer provides the channel between the application platform and the internal data of the computer information network; the network layer forwards packets through the network; the data link layer provides link management and error detection and handles the details of the different communication media.
Another object of the invention is an EPA industrial control network security testing method using any of the above EPA industrial control network security testing systems, comprising the following steps:
S1, the communication initiator sends an authentication request message to the trusted center to apply for a session key;
S2, after the trusted center receives the authentication request, if the request is allowed it issues a session key to both communicating parties;
S3, the message sender sends the virtual name of the message receiver it needs to communicate with to the communication session contact unit; the contact unit distributes a communication key and the physical address of the receiver to the sender, and at the same time a communication key and the physical address of the sender to the receiver, thereby establishing communication permission between the sender and the receiver;
S4, after obtaining communication permission, the message sender encrypts the original message with the session key;
after encryption, the ciphertext is attached as the message body to the security message header and sent to the EPA application entity, over a physical communication path distinct from the one used between the message sender, the message receiver and the communication session contact unit;
S5, the device authentication module is requested to send an authentication request message;
S6, the network device receives the authentication request message;
S7, after the authentication request message is received, it is checked whether the request frequency has been exceeded;
S8, the trusted center receives the authentication request message and compares the device authentication code it generates with the device authentication code in the message;
S9, before sending a message, the message sender first produces a ciphertext from the plaintext with the session key using the designed algorithm; the ciphertext, the source IP, the destination IP and the operation form the message body, which is sent to the network device;
S10, after receiving the message, the network device first checks the message sending frequency;
and S11, after receiving the message, the message receiver decrypts it to obtain the plaintext information.
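The following Python sketch is an added illustration of steps S1 to S11 and of the key-table, E()/D() and A() formulas given above; it is not part of the patent and not the applicant's code. The patent names E(), D() and A() without specifying them, so the HMAC-SHA256 based stream cipher and authentication code, the field sizes (8-byte device ID, 16-byte random number, 128-byte key table indexed by offset and length), the request-frequency limit, the freshness window and the device registry are all assumptions, and the devices, IDs and addresses are constructed for the example:

```python
# Added example (not the patent's own code): the S1-S11 exchange run in one process.
# E(), D() and A() are named in the patent but not specified: the HMAC-SHA256
# constructions, field sizes and request-frequency limits below are assumptions.
import hashlib
import hmac
import os
import socket
import struct
import time

TAG_LEN, NONCE_LEN, ID_LEN = 16, 12, 8

def _keystream(k, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(m, k):                      # M = E(m, k): fresh nonce + (m XOR keystream)
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(k, nonce, len(m))))

def D(M, k):                      # m = D(M, k)
    nonce, body = M[:NONCE_LEN], M[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k, nonce, len(body))))

def A(id_dev, id_sec, C):         # device authentication code; IDsec is the shared secret
    return hmac.new(id_sec, id_dev + C, hashlib.sha256).digest()[:TAG_LEN]

def random_number(now):           # C: timestamp (the anti-replay random factor) + 8 random bytes
    return int(now).to_bytes(8, "big") + os.urandom(8)

def build_maut(id_dev, id_sec, C):   # Maut = A(IDdev, IDsec, C) | IDdev | C
    return A(id_dev, id_sec, C) + id_dev + C


class TrustedCenter:
    """Knows IDdev -> IDsec, owns the 128-byte key table, counts requests per device."""

    def __init__(self, registry, max_requests=3, window_s=10.0, freshness_s=30.0):
        self.registry, self.key_table = registry, os.urandom(128)   # Octet String of 128 bytes
        self.max_requests, self.window_s, self.freshness_s = max_requests, window_s, freshness_s
        self._seen = {}

    def authenticate(self, maut, now):
        tag, id_dev, C = maut[:TAG_LEN], maut[TAG_LEN:TAG_LEN + ID_LEN], maut[TAG_LEN + ID_LEN:]
        recent = [t for t in self._seen.get(id_dev, []) if now - t < self.window_s]
        self._seen[id_dev] = recent + [now]
        if len(recent) >= self.max_requests:        # S7: request frequency exceeded
            return False
        id_sec = self.registry.get(id_dev)           # look up IDsec by IDdev
        if id_sec is None or abs(now - int.from_bytes(C[:8], "big")) > self.freshness_s:
            return False                             # unknown device, or stale C (replay)
        return hmac.compare_digest(A(id_dev, id_sec, C), tag)   # S8: MAC == code in message?

    def session_key_slot(self, lifetime_s):
        """(offset, length) into the key table chosen by the requested lifetime (assumed rule)."""
        length = 32 if lifetime_s > 60 else 16
        return os.urandom(1)[0] % (128 - length), length


def key_from_table(table, offset, length):   # device side: the key actually used
    return table[offset:offset + length]

def session_contact(directory, sender_vname, receiver_vname):
    """S3: directory maps virtual name -> (device ID, physical address); returns the
    grant to the sender and the grant to the receiver (communication key, peer address)."""
    comm_key = os.urandom(16)
    return (comm_key, directory[receiver_vname][1]), (comm_key, directory[sender_vname][1])

def build_secure_message(k, src_ip, dst_ip, op, plaintext):
    """S4/S9: security header (source IP, destination IP, operation) + ciphertext body."""
    header = struct.pack("!4s4sB", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), op)
    return header + E(plaintext, k)

def open_secure_message(k, message):
    """S11: split the header and decrypt. Returns (src_ip, dst_ip, op, plaintext)."""
    src, dst, op = struct.unpack("!4s4sB", message[:9])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), op, D(message[9:], k)

def run_exchange(now=None):
    """One full run with constructed devices; returns what the receiver decrypts."""
    now = time.time() if now is None else now
    registry = {b"PLC-0001": b"sec-plc-0001", b"HMI-0007": b"sec-hmi-0007"}     # constructed
    directory = {"plc1": (b"PLC-0001", "01:02:03:04:05:06"), "hmi7": (b"HMI-0007", "0a:0b:0c:0d:0e:0f")}
    tc = TrustedCenter(registry)
    maut = build_maut(b"PLC-0001", registry[b"PLC-0001"], random_number(now))    # S1/S5/S6
    if not tc.authenticate(maut, now):                                            # S2/S7/S8
        raise PermissionError("authentication refused")
    offset, length = tc.session_key_slot(lifetime_s=300)     # same slot issued to both parties
    k = key_from_table(tc.key_table, offset, length)           # table initialized by the center
    (comm_key, peer_addr), _ = session_contact(directory, "plc1", "hmi7")          # S3
    msg = build_secure_message(k, "10.0.0.1", "10.0.0.7", 0x03, b"AO1=42.0")     # S4/S9
    return open_secure_message(k, msg)[3]                                         # S10/S11
```

The timestamp inside C is what makes a captured Maut useless once the freshness window has passed (beneficial effect 2 above), and the per-device request count is the step S7 check; both are applied before the authentication code is recomputed, so a flood of stale or forged requests costs the trusted center no HMAC work. The stand-in E() provides confidentiality only; protection of the ciphertext against modification is the job of the integrity check message of the security management unit, and a deployment would substitute the cipher actually chosen for the EPA stack.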
Compared with the prior art, the invention has the following beneficial effects:
1. In the EPA industrial control network security testing system and method, the message receiver extracts the original message after receiving it, generates a new check code from the original message and the corresponding check key with the designed check algorithm, and compares it with the check code in the received message; if the two are identical the message is judged legitimate and the packet is accepted, otherwise the packet is discarded, which effectively prevents intruding packets from threatening or damaging the network.
2. In the EPA industrial control network security testing system and method, the random factor added in the random algorithm is the timestamp used in the computation; the timestamp prevents replay attacks and provides semantic security.
3. In the EPA industrial control network security testing system and method, the offset of the key within the table and the length of the key table actually used are determined by the application scenario and by the session-key lifetime requirement requested from the trusted center before communication begins, which improves the security of the key in use;
4. In the EPA industrial control network security testing system and method, the physical addresses of the message sender and receiver are assigned temporarily, so the messages are hard to crack; even if a message is cracked the information cannot be intercepted, and an intercepted message cannot be used to spoof the receiver, which secures the communicated information;
5. In the EPA industrial control network security testing system and method, the channel used to establish communication and the channel used for the communication itself are different physical communication paths, so that connection establishment and communication use different channels and the communication is safer.
Drawings
FIG. 1 is a schematic view of the overall structure of embodiment 1;
FIG. 2 is a block diagram of the security management unit of embodiment 1;
FIG. 3 is a block diagram of the message control unit of embodiment 1;
FIG. 4 is a block diagram of the information base unit of embodiment 1;
FIG. 5 is a schematic view of the acceptance filtering process of embodiment 1.
The various reference numbers in the figures mean:
100. an industrial control verification platform;
110. a security management unit; 111. a message encryption module; 112. an integrity check module; 113. a device authentication module; 114. an access control module;
120. a message control unit; 121. a message control module; 122. a message filtering module;
130. information base unit; 131. information detection module; 132. vulnerability detection module; 133. protocol module; 134. storage module.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
Referring to FIGS. 1 to 5, the object of this embodiment is an EPA industrial control network security testing system comprising an industrial control verification platform 100 for verifying the security of an EPA industrial control network, the industrial control verification platform 100 comprising:
a security management unit 110, which manages the security measures applied to messages at the application layer and in the data link of the EPA control network;
a message control unit 120, which controls the EPA messages in the data link;
a communication session contact unit, which contains a communication directory recording the IDs of the communication devices concerned; the communication between the communication session contact unit and all message senders and receivers uses a physical communication path different from the one used between the senders and receivers themselves, so that intercepting one physical path alone yields neither the message content nor the communication key data, which raises the difficulty of intercepting the communication;
the communication session contact unit communicates with all message senders and receivers; the session contact between a sender and a receiver is confirmed by the communication session contact unit, which provides the physical addresses for the connection;
an information base unit 130, which stores the information required by the security management unit 110 and processes it, so that the user can easily customize further security measures.
The security management unit 110 comprises a message encryption module 111, an integrity check module 112, a device authentication module 113 and an access control module 114: the message encryption module 111 encrypts messages in the data link; the integrity check module 112 ensures the integrity of the encrypted message during transmission; the device authentication module 113 sends an authentication request message to the trusted center; the access control module 114 handles the requests received by the trusted center and establishes communication with the trusted device through the network bridge;
the message sender constructs an original message, generates a check code from the check key and the original message using the designed check algorithm, and appends the check code to the original message as a message field, so that the original message and the check code together form an integrity check message, which is sent to the receiver.
After receiving the message, the receiver extracts the original message, generates a new check code from the original message and the corresponding check key using the same check algorithm, and compares the new check code with the check code carried in the received message; if the two are identical the message is judged legitimate and the packet is accepted; otherwise the packet is discarded, and whether a negative response is returned is decided according to the serviceID. In this way it is determined whether the user data has been illegally tampered with or damaged.
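As an added illustration, not part of the patent and not the applicant's code, the sender and receiver procedure just described (and its identical statement in the summary above) can be written as follows in Python. HMAC-SHA256 is assumed for the "designed check algorithm"; the message layout (1-byte serviceID, 2-byte length, payload, 16-byte check code), the negative-response encoding and the set of serviceIDs that receive a negative response are assumptions, and the check key in the test is a constructed value:

```python
# Added example (not the patent's own code): the integrity check message of the
# patent's sender/receiver procedure, with HMAC-SHA256 standing in for the
# "designed check algorithm" (an assumption; the patent names no algorithm).
import hashlib
import hmac
import struct

CHECK_CODE_LEN = 16                 # truncated tag length (assumption)
HEADER = struct.Struct("!BH")       # serviceID (1 byte) + payload length (2 bytes); assumed layout

# Assumed serviceIDs that get a negative response when the check fails;
# other services (e.g. cyclic process data) are dropped silently.
NEGATIVE_RESPONSE_SERVICE_IDS = {0x01, 0x02}


def check_code(check_key: bytes, original: bytes) -> bytes:
    """Check code over the original message with the check key."""
    return hmac.new(check_key, original, hashlib.sha256).digest()[:CHECK_CODE_LEN]


def build_integrity_message(check_key: bytes, service_id: int, payload: bytes) -> bytes:
    """Sender: original message (header + payload) with the check code appended as a field."""
    original = HEADER.pack(service_id, len(payload)) + payload
    return original + check_code(check_key, original)


def verify_integrity_message(check_key: bytes, message: bytes) -> tuple:
    """Receiver: recompute the check code over the original message and compare.

    Returns (accepted, payload, negative_response); payload is None when the
    packet is discarded, negative_response is None when no reply is sent."""
    if len(message) < HEADER.size + CHECK_CODE_LEN:
        return False, None, None                   # too short to carry a check code: discard
    original, received = message[:-CHECK_CODE_LEN], message[-CHECK_CODE_LEN:]
    service_id, length = HEADER.unpack(original[:HEADER.size])
    payload = original[HEADER.size:]
    # Constant-time comparison: a byte-by-byte "==" would leak how many leading
    # bytes of a forged check code were right.
    if not hmac.compare_digest(check_code(check_key, original), received):
        negative = None
        if service_id in NEGATIVE_RESPONSE_SERVICE_IDS:
            negative = HEADER.pack(service_id | 0x80, 0)   # assumed negative-response encoding
        return False, None, negative
    if len(payload) != length:
        return False, None, None                   # authenticated but malformed: still discard
    return True, payload, None
```

The comparison uses hmac.compare_digest rather than ==, so the time taken does not depend on how many leading bytes of a forged check code happen to be right. A packet that fails the check is discarded before its payload is interpreted, and the receiver only answers for the serviceIDs that expect a response, so forged packets aimed at a cyclic service cost the receiver one HMAC each and generate no reply traffic. What the check code does not provide is replay protection; the patent addresses that separately with the timestamp in the random factor of the authentication algorithm.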
The message control unit 120 comprises a message control module 121 and a message filtering module 122; the message control module 121 controls the message protocol in transmission and the message filtering module 122 filters messages in transmission;
a message is the unit of network transmission; as it passes down the stack it is successively encapsulated into segments, packets and frames, each encapsulation adding some header information.
The information base unit 130 comprises an information detection module 131, a vulnerability detection module 132, a protocol module 133 and a storage module 134; the information detection module 131 scans the open ports of devices, identifies services, identifies trojans and detects the operating system; the vulnerability detection module 132 scans and tests using the feature messages held in the storage module 134; the protocol module 133 handles information exchange between the information base unit 130, the security management unit 110 and the message control unit 120; the storage module 134 stores the messages and the data exchanged.
In the information detection module, non-EPA devices are checked for liveness by sending PING or ARP messages, ARP probes reaching hosts whose firewall filters PING; for EPA devices, a capture thread parses the EPA device declaration messages to obtain liveness and device information such as MAC address, IP address and redundancy number, and to find illegal EPA devices. The discovered devices are then probed on their UDP and TCP ports with several port-scanning techniques (full-open scanning, half-open scanning and UDP scanning) to determine the port states, and a first service identification is made from an open-port-to-service mapping table; this step can reveal trojans listening on some ports. In a second identification, once a connection to the target system is established the returned banner information is collected and, by querying a service feature library, the service type and often the software name and version can be roughly identified; finally the target operating system is identified by measures such as TTL and flag values. For devices running a general-purpose operating system, operating-system vulnerabilities must be tested during vulnerability detection; for real-time operating systems such as uC/OS, and for EPA network devices and field devices without an operating system, the operating-system vulnerability test can be skipped.
The vulnerability detection module scans and tests by extracting feature messages from the storage module: the test unit extracts a test feature fingerprint from the vulnerability feature library to form a test message, sends it to the test object, monitors the target's response, collects the information and, together with the vulnerability feature library, judges whether the security vulnerability exists in the EPA network. In practice each feature matching pair is packaged in a test plug-in; the plug-in extracts the features to form the test message, receives the returned information and decides whether the vulnerability exists.
In this embodiment, the message encryption module 111 uses a periodically updated key, initialized by the trusted center; encrypting the EPA messages guarantees data confidentiality and prevents information from being obtained illegally.
The key is stored in an Octet String of 128 bytes; the device obtains the key actually used from this cipher table according to the key's offset within the table and the length of the table actually used, both of which are determined by the application scenario and by the session-key lifetime requirement requested from the trusted center before communication begins.
Further, the periodically updated key encryption produces the ciphertext with a keyed algorithm:
M = E(m, k);
where M is the ciphertext, E() the encryption function, m the original message and k the key.
Specifically, decryption uses the corresponding decryption function:
m = D(M, k);
where m is the original message, D() the decryption function, M the ciphertext and k the key.
In addition, the authentication request message consists mainly of a device ID, a device authentication code and a random number; the device authentication code is generated from the device ID, the security ID and the random number by a random algorithm:
Maut = { A(IDdev, IDsec, C) | IDdev | C };
where Maut is the device authentication request message, A() the authentication algorithm, IDdev the device ID, IDsec the security ID, C the random number and | field concatenation.
In addition, on receiving the authentication request message the trusted center looks up the device's security ID from the device ID and generates a comparison authentication code from the device ID, the security ID and the random number by the same random algorithm, which is compared with the authentication code in the message (step S8):
MAC = { A(IDdev, IDsec, C) };
where MAC is the comparison authentication code, A() the authentication algorithm, IDdev the device ID, IDsec the security ID and C the random number.
Further, the message filtering module 122 is an acceptance filter register.
The acceptance filter register is preferably the acceptance filter register of a CAN message, whose operation is well known in the field. The CAN controller monitors all messages from the CAN bus; when a message arrives, the controller executes a fast hardware search algorithm that matches the identifier of the received CAN message against the identifiers stored in the acceptance filter RAM. If no identifier matches, the message is discarded; this process generates no interrupt to the CAN controller and the application code continues to execute normally. If a matching identifier exists, the CAN controller generates an interrupt by setting the corresponding bit in the receive status register, the interrupt service routine copies the message from the CAN controller's register into RAM, and it then releases the CAN controller's receive register by setting the corresponding bit in the CAN command register.
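The identifier matching that the acceptance filter performs, modelled in software as an added example (this is not code from the patent). It assumes the common code/mask register form, in which a frame is accepted when its identifier agrees with an entry's code on every bit the mask marks as significant; the filter entries and the frames fed through it are constructed sample data.

```python
"""Software model of a CAN acceptance filter (added illustration, not the
patent's code). Assumption: code/mask entries, a frame being accepted when
(frame_id & mask) == (code & mask) for some entry, with a 0 mask bit meaning
'don't care'. All entries and frames used below are constructed samples."""


class AcceptanceFilter:
    """entries stand in for the acceptance filter RAM; rx_buffer is the RAM the
    interrupt service routine copies accepted frames into."""

    def __init__(self, entries, extended: bool = False):
        id_bits = 0x1FFFFFFF if extended else 0x7FF     # 29-bit or 11-bit IDs
        self.entries = [(code & id_bits, mask & id_bits) for code, mask in entries]
        self.interrupts = 0
        self.rx_buffer = []

    def match(self, can_id: int) -> bool:
        """The hardware search: any entry whose masked code equals the masked ID."""
        return any((can_id & mask) == (code & mask) for code, mask in self.entries)

    def on_frame(self, can_id: int, data: bytes) -> bool:
        """Controller receive path: a non-matching frame is dropped with no
        interrupt and no CPU work; a matching frame raises an interrupt and is
        copied out of the controller's receive register."""
        if not self.match(can_id):
            return False
        self.interrupts += 1                    # bit set in the receive status register
        self.rx_buffer.append((can_id, bytes(data)))
        return True                             # ISR copied it and released the register


def run_bus(filt: AcceptanceFilter, frames) -> dict:
    """Feed a list of (id, payload) frames through the filter and summarise."""
    accepted = [fid for fid, data in frames if filt.on_frame(fid, data)]
    return {"accepted": accepted,
            "dropped": len(frames) - len(accepted),
            "interrupts": filt.interrupts}


if __name__ == "__main__":
    # Accept the whole 0x100-0x10F block and exactly 0x200; everything else is dropped.
    f = AcceptanceFilter([(0x100, 0x7F0), (0x200, 0x7FF)])
    frames = [(0x105, b"\x01\x02"), (0x110, b"\xff"), (0x200, b"\x00"),
              (0x201, b"\x00"), (0x10F, b"\x7f")]      # constructed traffic
    print(run_bus(f, frames))
```

The filter decides on the identifier alone: a forged frame that carries an allowed identifier is accepted and interrupts the CPU exactly like a legitimate one, so on its own it limits which traffic reaches the application but does not authenticate the sender. Authenticity has to come from the message encryption and integrity check modules described above.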
Specifically, the protocol module 133 adopts a TCP/IP protocol, which includes an application layer, a transport layer, a network layer, and a data link layer.
In addition, the application layer receives data from the transport layer and passes data down to the transport layer according to the requirements and mode of each application; the transport layer provides the channel through which the user platform and the data inside the computer information network are joined, and realizes data transmission and data sharing; the network layer is responsible for transmitting data packets across the network; the data link layer provides link management and error detection and handles the details specific to the different communication media.
Another object of this embodiment is to provide an EPA industrial control network security testing method, using any one of the EPA industrial control network security testing systems described above and comprising the following steps:
(I) message encryption:
S1. The communication initiator sends an authentication request message to the trusted center to apply for a session key;
S2. After receiving the authentication request, the trusted center, if the request is allowed, issues a session key to both communicating parties;
S3. The message sender sends the virtual name of the message receiver it needs to communicate with to the communication session contact unit; the communication session contact unit assigns a communication key and the physical address of the message receiver to the message sender, and at the same time sends a communication key and the physical address of the message sender to the message receiver, thereby establishing communication permission between the message sender and the message receiver;
S4. After obtaining the communication permission, the message sender encrypts the original message with the session key;
where the encryption formula is M = {E(m, k)};
after encryption, the ciphertext is appended as the message body after the security message header and handed to the EPA application entity for sending; at this point the physical communication path is the same as the physical communication path used for communication among the message sender, the message receiver and the communication session contact unit;
(II) equipment authentication:
S5. The device authentication module 113 is requested to send an authentication request message, which mainly consists of the device ID, the device authentication code and a random number; the device authentication code is generated from the device ID, the security ID and the random number by the designed algorithm, and the random factor added is a timestamp, used to prevent replay attacks and to provide semantic security;
S6. The network device receives the authentication request message;
S7. After receiving the authentication request message, the network device judges whether it exceeds the request frequency; if so, the message is discarded, otherwise it is forwarded to the trusted center;
S8. The trusted center receives the authentication request message, finds the corresponding device security ID according to the device ID, generates a device authentication code from it together with the device ID and the random number using the designed algorithm, and compares the generated code with the device authentication code carried in the message; if they differ, the message is discarded; if they are the same, the trusted center sends an authentication-pass message (including the initial access control list) to the network device, allows the device to communicate, and issues the device its initial session key;
(III) access control:
S9. Before sending a message, the message sender first turns the plaintext into ciphertext with the session key using the designed algorithm; the ciphertext, the source IP, the destination IP and the operation form the message body and are sent to the network device together;
S10. After receiving the message, the network device first checks the message sending frequency; if it exceeds the highest rate, the message is discarded; if it is normal, the source IP, destination IP and operation are compared with the information in the access control list, and the message is forwarded only if they match;
S11. After receiving the message, the message receiver decrypts it to obtain the plaintext;
where the decryption formula is m = {D(M, k)}.
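The formulas M = {E(m, k)}, m = {D(M, k)}, Maut = {A(IDdev, IDsec, C) ∣ IDdev ∣ C} and MAC = {A(IDdev, IDsec, C)} given above, and the method steps S1 to S11, carried through as one runnable model. This is an added example, not the patent's own code, and it fixes choices the patent leaves open: A() is instantiated as HMAC-SHA256 keyed with the device's security ID; E()/D() are an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag standing in for the integrity check module (an illustration only; a deployment would use AES-GCM or another vetted authenticated cipher); the random factor C is a Unix timestamp, as step S5 says; device IDs are taken to be 8 bytes; and the 128-byte key table, IDs, addresses and access control list are constructed sample data.

```python
"""Model of the EPA message-protection flow described above (added example,
not the patent's code). Assumptions: A() = HMAC-SHA256 keyed with IDsec;
E()/D() = HMAC-SHA256 counter-mode keystream plus encrypt-then-MAC tag
(illustrative; use AES-GCM or similar in practice); C = Unix timestamp;
8-byte device IDs; all keys, IDs, addresses and ACL entries are constructed."""
import hashlib, hmac, os, struct, time

NONCE_LEN, TAG_LEN, ID_LEN = 12, 16, 8


def key_from_table(table: bytes, offset: int, length: int) -> bytes:
    """k = table[offset:offset+length]; offset/length are fixed per session by the
    trusted center, so a periodic key update is just a new selector."""
    if len(table) != 128 or offset < 0 or length <= 0 or offset + length > 128:
        raise ValueError("key selector outside the 128-byte octet string")
    return table[offset:offset + length]


def _keystream(k: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(k, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def E(m: bytes, k: bytes) -> bytes:
    """M = E(m, k) laid out as nonce || ciphertext || tag; the tag binds both."""
    nonce = os.urandom(NONCE_LEN)
    c = bytes(a ^ b for a, b in zip(m, _keystream(k, nonce, len(m))))
    tag = hmac.new(k, nonce + c, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + c + tag


def D(M: bytes, k: bytes) -> bytes:
    """m = D(M, k); raises ValueError on a truncated or tampered ciphertext."""
    if len(M) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, c, tag = M[:NONCE_LEN], M[NONCE_LEN:-TAG_LEN], M[-TAG_LEN:]
    expect = hmac.new(k, nonce + c, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(c, _keystream(k, nonce, len(c))))


def try_decrypt(M: bytes, k: bytes):
    """Receiver side (S11): plaintext, or None when the message must be dropped."""
    try:
        return D(M, k)
    except ValueError:
        return None


def A(id_dev: bytes, id_sec: bytes, c: int) -> bytes:
    """Authentication algorithm A(IDdev, IDsec, C); IDsec is the shared secret."""
    return hmac.new(id_sec, id_dev + struct.pack(">Q", c), hashlib.sha256).digest()


def build_auth_request(id_dev: bytes, id_sec: bytes, c=None) -> bytes:
    """Maut = A(IDdev, IDsec, C) | IDdev | C as fixed-width fields (step S5)."""
    c = int(time.time()) if c is None else c
    return A(id_dev, id_sec, c) + id_dev + struct.pack(">Q", c)


class TrustedCenter:
    """Step S8: look up IDsec by IDdev, recompute MAC, compare in constant time.
    The freshness window and seen-set give the replay protection C exists for."""

    def __init__(self, registry: dict, window: int = 30):
        self.registry, self.window, self.seen = registry, window, set()

    def verify(self, maut: bytes, now: int) -> bool:
        if len(maut) != 32 + ID_LEN + 8:
            return False
        code, id_dev = maut[:32], maut[32:32 + ID_LEN]
        c = struct.unpack(">Q", maut[32 + ID_LEN:])[0]
        id_sec = self.registry.get(id_dev)
        if id_sec is None or abs(now - c) > self.window or (id_dev, c) in self.seen:
            return False
        if not hmac.compare_digest(code, A(id_dev, id_sec, c)):
            return False
        self.seen.add((id_dev, c))
        return True


class NetworkDevice:
    """Bridge checks of steps S7 and S10: per-source rate limit first, then the
    (source IP, destination IP, operation) triple must appear in the ACL."""

    def __init__(self, acl, max_per_window: int = 5, window: float = 1.0):
        self.acl, self.max, self.window, self.hits = set(acl), max_per_window, window, {}

    def forward(self, msg: dict, now: float) -> bool:
        recent = [t for t in self.hits.get(msg["src"], []) if now - t < self.window]
        recent.append(now)
        self.hits[msg["src"]] = recent
        if len(recent) > self.max:
            return False                        # over the highest rate: discard
        return (msg["src"], msg["dst"], msg["op"]) in self.acl


if __name__ == "__main__":
    k = key_from_table(bytes(range(128)), 16, 32)           # constructed key table
    tc = TrustedCenter({b"DEV00001": b"constructed-security-id"})
    print("auth:", tc.verify(build_auth_request(b"DEV00001", b"constructed-security-id"), int(time.time())))
    bridge = NetworkDevice([("10.0.0.1", "10.0.0.2", "read")])
    msg = {"src": "10.0.0.1", "dst": "10.0.0.2", "op": "read", "body": E(b"read reg 7", k)}
    print("forwarded:", bridge.forward(msg, 0.0), "plaintext:", try_decrypt(msg["body"], k))
```

Two points the text leaves implicit are made explicit here. First, the comparison in S8 must be constant-time and the random factor must actually be checked for freshness, otherwise a captured Maut can be replayed through the bridge's rate limiter at will. Second, the source IP and destination IP that the network device matches against the access control list in S10 travel outside the ciphertext, so that check only restrains a well-behaved sender; the tag that D() verifies is what stops a forged or modified body from reaching the receiver.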
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and the preferred embodiments of the present invention are described in the above embodiments and the description, and are not intended to limit the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (2)

1. An EPA industrial control network security testing method, comprising an EPA industrial control network security testing system, the EPA industrial control network security testing system comprising an industrial control verification platform (100) for verifying the security of the EPA industrial control network, characterized in that the industrial control verification platform (100) comprises:

a security management unit (110), used to manage the security measures for messages in the EPA control network application layer and data link;

a message control unit (120), used to control the EPA messages in the data link;

a communication session contact unit, comprising a communication directory that records the IDs of all devices that need to communicate, wherein the communication between the communication session contact unit and all message senders and message receivers uses a physical communication path different from the physical communication path used for communication between the message sender and the message receiver, so that even if one physical communication path is intercepted, the message information or the communication key data can still escape interception, increasing the difficulty of intercepting the communication; the communication session contact unit communicates with all message senders and message receivers, and the communication link between a message sender and a message receiver is confirmed by the communication session contact unit, which provides the physical address for the connection;

an information base unit (130), which stores the information required by the security management unit (110) and performs operational processing on it;

the security management unit (110) comprises a message encryption module (111), an integrity check module (112), a device authentication module (113) and an access control module (114); the message encryption module (111) is used to encrypt messages in the data link; the integrity check module (112) is used to ensure the integrity of the encrypted message during transmission; the device authentication module (113) is used to send an authentication request message to the trusted center; the access control module (114) is used to control the reception of requests received by the trusted center and to establish communication with trusted devices through a bridge;

the message control unit (120) comprises a message control module (121) and a message filtering module (122); the message control module (121) is used to control the message protocol in transmission; the message filtering module (122) is used to filter messages in transmission;

wherein the message filtering module (122) is an acceptance filter register; the acceptance filter register adopts the acceptance filter register of CAN messages: the CAN controller monitors all messages from the CAN bus, and when a message arrives the CAN controller executes a fast hardware search algorithm that matches the identifier of the received CAN message against the identifiers stored in the acceptance filter RAM; if there is no match, the message is discarded, this process generates no interrupt to the CAN controller and the application code continues to execute normally; if there is a matching identifier, the CAN controller generates an interrupt by setting the corresponding bit in the centralized receive status register, and the interrupt service routine copies the message from the CAN controller's register into RAM and releases the CAN controller's receive register by setting the corresponding bit of the CAN command register;

the information base unit (130) comprises an information detection module (131), a vulnerability detection module (132), a protocol module (133) and a storage module (134); the information detection module (131) is used for scanning the open ports of a device, service identification, Trojan identification and operating system detection; the vulnerability detection module (132) is used for scanning and detecting the characteristic messages in the storage module (134); the protocol module (133) is used for the information exchange among the information base unit (130), the security management unit (110) and the message control unit (120); the storage module (134) is used to store messages and the data of the information exchange;

the information detection module (131), for non-EPA devices, detects whether a device is alive by sending PING or ARP messages, ARP bypassing a firewall's filtering of PING; for EPA devices, it opens a capture thread to parse EPA device declaration messages, thereby identifying device information including liveness, MAC, IP and redundancy number and discovering illegal EPA devices; it then applies port scanning techniques including full-open scanning, half-open scanning and UDP scanning to the UDP ports and TCP ports of the discovered target systems, identifies the state of each port, and performs a first service identification according to the open-port-to-service mapping table; it identifies Trojan threats on some ports; the second identification, after establishing a connection with the target system, collects the returned banner information and queries the service signature database to identify the service type and the software name and version, and finally uses the TTL flag to identify the operating system of the target system; devices that depend on a general-purpose operating system require testing of system vulnerabilities during vulnerability detection, whereas EPA network devices and field devices running a real-time operating system such as UC/OS, or no operating system, can skip system vulnerability testing;

the vulnerability detection module (132) scans and detects by extracting characteristic messages from the storage module: the test unit extracts a test characteristic fingerprint from the vulnerability characteristic library to form a test message, sends the test message to the test object, then listens for the response of the detection target and collects the information, and then judges, with reference to the vulnerability characteristic library, whether a security vulnerability exists in the EPA network; in practice this is a feature matching pair packaged in a test plug-in, the test plug-in completing the feature extraction, forming the test message, receiving the returned information and judging whether a vulnerability exists;

the message encryption module (111) adopts a periodically updated key encryption method;

the periodically updated key encryption method uses a key algorithm to produce the ciphertext, with the formula:

M={E(m,k)};

where M is the ciphertext, E(*) is the encryption function, m is the original message and k is the key;

the method comprises the following steps:

S1. The communication initiator sends an authentication request message to the trusted center to apply for a session key;

S2. After receiving the authentication request, the trusted center, if the request is allowed, issues a session key to both communicating parties;

S3. The message sender sends the virtual name of the message receiver it needs to communicate with to the communication session contact unit; the communication session contact unit assigns a communication key and the physical address of the message receiver to the message sender, and at the same time sends a communication key and the physical address of the message sender to the message receiver, thereby establishing communication permission between the message sender and the message receiver;

S4. After obtaining the communication permission, the message sender encrypts the original message with the session key;

after encryption, the ciphertext is appended as the message body after the security message header and handed to the EPA application entity for sending; at this point the physical communication path is the same as the physical communication path used for communication among the message sender, the message receiver and the communication session contact unit;

S5. The device authentication module (113) is requested to send an authentication request message;

S6. The network device receives the authentication request message;

S7. After receiving the authentication request message, the network device judges whether it exceeds the request frequency;

S8. The trusted center receives the authentication request message and compares the device authentication code it generates with the device authentication code in the message;

S9. Before a message is sent, the message sender first turns the plaintext into ciphertext with the session key using the designed algorithm; the ciphertext, the source IP, the destination IP and the operation form the message body and are sent to the network device together;

S10. After receiving the message, the network device first checks the frequency at which messages are being sent;

S11. After receiving the message, the message receiver decrypts it to obtain the plaintext information;

the periodically updated key encryption method decrypts with a decryption function, with the formula:

m={D(M,k)};

where m is the original message, D(*) is the decryption function, M is the ciphertext and k is the key;

the authentication request message mainly consists of a device ID, a device authentication code and a random number, the device authentication code being generated from the device ID, the security ID and the random number by a random algorithm, with the formula:

Maut={A(IDdev,IDsec,C)∣IDdev∣C};

where Maut is the device authentication request message, A(*) is the authentication algorithm, IDdev is the device ID and IDsec is the security ID;

the protocol module (133) adopts the TCP/IP protocol, the TCP/IP protocol comprising an application layer, a transport layer, a network layer and a data link layer;

the application layer is used to receive data from the transport layer and to pass data to the transport layer according to the requirements and mode of each application; the transport layer is used to provide the channel joining the user platform and the data inside the computer information network; the network layer is responsible for transmitting data packets in the network; the data link layer is used to provide link management and error detection.

2. The EPA industrial control network security testing method according to claim 1, characterized in that the trusted center, on receiving the authentication request message, generates a comparison authentication code by a random algorithm, with the formula:

MAC={A(IDdev,IDsec,C)};

where MAC is the comparison authentication code, A(*) is the authentication algorithm, IDdev is the device ID and IDsec is the security ID.
CN202010774356.6A 2020-08-04 2020-08-04 EPA Industrial Control Network Security Testing System and Method Active CN111988289B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010774356.6A CN111988289B (en) 2020-08-04 2020-08-04 EPA Industrial Control Network Security Testing System and Method

Publications (2)

Publication Number Publication Date
CN111988289A CN111988289A (en) 2020-11-24
CN111988289B true CN111988289B (en) 2021-07-23

Family

ID=73446017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010774356.6A Active CN111988289B (en) 2020-08-04 2020-08-04 EPA Industrial Control Network Security Testing System and Method

Country Status (1)

Country Link
CN (1) CN111988289B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112583662A (en) * 2020-12-04 2021-03-30 恒安嘉新(北京)科技股份公司 Host survival detection method, device, equipment and storage medium
CN113313216B (en) * 2021-07-30 2021-11-30 深圳市永达电子信息股份有限公司 Method and device for extracting main body of network data, electronic equipment and storage medium
CN115834090A (en) * 2021-09-15 2023-03-21 华为技术有限公司 Communication method and device
CN116881108B (en) * 2023-09-01 2023-11-28 安徽高灯微行科技有限公司 Vehicle ETC function monitoring method and device, vehicle, storage medium and product
CN119906572A (en) * 2025-01-17 2025-04-29 烽火通信科技股份有限公司 Device protection method and computer readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017129089A1 (en) * 2016-01-29 2017-08-03 腾讯科技(深圳)有限公司 Wireless network connecting method and apparatus, and storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710605A (en) * 2012-05-08 2012-10-03 重庆大学 Information security management and control method under cloud manufacturing environment
CN105429962A (en) * 2015-11-03 2016-03-23 清华大学 A general encryption data-oriented intermediate network service construction method and system
CN110381035A (en) * 2019-06-25 2019-10-25 北京威努特技术有限公司 Network security test method, device, computer equipment and readable storage medium storing program for executing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and Implementation of an EPA Network Security Scheme; Wang Hao; Bus and Network (总线与网络); 2011-03-15 (No. 3); section 3 of the main text, Figure 2 *

Also Published As

Publication number Publication date
CN111988289A (en) 2020-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Lin Ruijin; Ye Ruizhe; Sui Tao; Hong Weilin; Lin Haozhen
Inventor before: Lin Ruijin; Ye Ruizhe; Sui Tao
GR01 Patent grant