CN102624587A - A detection system and method for implementation defects of IEC60870-5-101/104 communication protocol - Google Patents


Info

Publication number: CN102624587A
Authority: CN (China)
Prior art keywords: test, variation, message, tested, device under
Legal status: Granted
Application number: CN2012100813065A
Other languages: Chinese (zh)
Other versions: CN102624587B (en)
Inventors: 李焕, 张波, 树娟
Current assignees: State Grid Corp of China SGCC; China Electric Power Research Institute Co Ltd CEPRI; Global Energy Interconnection Research Institute
Original assignee: China Electric Power Research Institute Co Ltd CEPRI
History: application filed by China Electric Power Research Institute Co Ltd CEPRI; priority to CN201210081306.5A; published as CN102624587A; application granted and published as CN102624587B; current legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a system and method for detecting implementation defects in the IEC60870-5-101/104 communication protocol. The system comprises a tester and a device under test connected to it; the tester consists of a function point traversal unit and a protocol message mutation test unit that receives the traversal result. The method comprises the following steps: (1) performing a consistency test on the messages under test sent by the device under test; (2) performing a mutation test on the messages under test; and (3) generating a test log and a statistical report. With the system and method of the invention, automated detection of attacks on the distribution network automation system and terminals under test is achieved, so that protocol implementation defects of the device under test are discovered, missed and misjudged test problems are reduced, and interruption of the test process is effectively prevented.

Description

A detection system and method for implementation defects of the IEC60870-5-101/104 communication protocol

Technical field

The invention belongs to the field of communication security for distribution network automation systems, and in particular relates to a system and method for detecting implementation defects of the IEC60870-5-101/104 communication protocol.

Background

The growing intelligence and interconnection of distribution network automation systems and terminals increase the security risk of their communications. Traditional communication security protection can only mitigate the risk to power industrial control systems and terminals from a defensive standpoint; it does not fundamentally remove the hazard of malicious Internet attacks during the data communication of distribution network automation systems. Detecting implementation defects in the 101/104 protocols used by distribution network automation systems has therefore become an urgent need for proactively eliminating such hazards.

At present, the main test method for detecting defects and discovering vulnerabilities in the network protocol implementations of communication equipment is protocol robustness testing based on the principle of fuzz testing, and mature protocol robustness testing tools already exist. The working principle of fuzz testing is shown in Figure 1: the fuzzer uses some method to drive the object under test into a target state, sends it carefully pre-designed hostile inputs, and monitors whether the returned results are abnormal, thereby discovering security vulnerabilities in the object under test.

A fuzzer based on a protocol state machine usually consists of a protocol template of the object under test, abnormal test case generation, state machine negotiation, abnormal test case sending, and monitoring of the object under test. The protocol template is implemented as a parameter script that describes the basic hierarchical structure and the fields of the protocol messages of the object under test; it is the foundation of all the other parts. Abnormal test case generation uses a variety of algorithms to produce the final attack cases and is the core of fuzz testing. State machine negotiation exchanges normal messages with the object under test in order to drive it into the target state, so that the conditions for sending abnormal cases are met. Abnormal test case sending correctly encapsulates and sends the abnormal cases according to the position of the protocol under test in the protocol stack. The monitoring module of the fuzzer collects and analyses the abnormal states of the object under test and finally locates the vulnerability. By this method, security vulnerabilities in the network protocol processing of the object under test can be found.

At present there is no defect detection method specific to IEC60870-5-101/104 protocol implementations. General-purpose protocol robustness test methods rely on protocol state machine analysis of captured messages, so the test scope depends on the quality of the messages the tester captured, and deep exploration of 101/104 implementation defects is difficult. Furthermore, when generating abnormal test cases, existing protocol robustness test methods rely mainly on the parsing results (message format, field types, etc.) produced by general-purpose protocol analysis software; because such software cannot parse IEC60870-5-101/104 protocol messages in depth, the generated abnormal test cases are poorly applicable and the depth and efficiency of robustness testing are hard to guarantee. Moreover, existing protocol robustness testing tools cannot correctly handle situations such as changes of the 104 protocol send and receive sequence numbers, which leads to interruption of the test process or to missed and misjudged test problems.

Summary of the invention

To overcome the above defects, the invention provides a detection system and method for implementation defects of the IEC60870-5-101/104 communication protocol that automatically detects attacks on the distribution network automation system and terminals under test, thereby discovering protocol implementation defects of the device under test, reducing missed and misjudged test problems, and effectively solving the problem of test process interruption.

To achieve this object, the invention provides a detection system for implementation defects of the IEC60870-5-101/104 communication protocol, comprising a tester and a device under test connected to it; the improvement is that the tester comprises a function point traversal unit and a protocol message mutation test unit that receives its traversal result.

In a preferred technical solution of the invention, the function point traversal unit is provided with a function point traversal test sequence module; the function point traversal unit traverses the communication function points of the device under test, records the mutually corresponding exchanged messages, and generates a function point traversal test sequence that is stored in the function point traversal test sequence module.

In a second preferred technical solution, the function point traversal unit sends the received messages under test Qj to the device under test in sequence; after receiving a message under test Qj, the device under test sends a response message An to the tester; the function point traversal unit records the communication function points for which a response message was obtained into the function point traversal test sequence.

In a third preferred technical solution, the protocol message mutation test unit comprises a test case design module, a mutation test sample generation and grouping module and a mutation sample group test module connected in sequence, as well as a mutation algorithm module and a manually edited message test module, each connected to the test case design module.

In a fourth preferred technical solution, the test case design module selects the fields in the message under test and selects the test type to be applied to the field under test.

In a fifth preferred technical solution, the mutation algorithm module comprises a basic mutation component, a buffer overflow component, a field omission component and a combined mutation component, arranged in sequence.

In a sixth preferred technical solution, the mutation test sample generation and grouping module calls the basic mutation component to generate mutation test samples corresponding to the field under test; for user-defined fields in the message, it calls the buffer overflow component to construct mutation test samples with over-long fields; it calls the field omission component to zero-fill the field under test, omitting the field's content; and it calls the combined mutation component to transform the field, according to the field mutation situation, with a combination of basic mutation, buffer overflow and field omission.

In a seventh preferred technical solution, when the field under test is the control field or the type identifier, the basic mutation component performs a full mutation test, in which the number of mutation test samples is 2^m, where m is the number of bits of the mutated field.

In an eighth preferred technical solution, the message length field of the mutation test samples produced by the buffer overflow component may either be left unchanged or be increased by the length of the over-long field.

In a ninth preferred technical solution, the message length field of the mutation test samples produced by the field omission component may either be left unchanged or be decreased by the length of the omitted field.

In a tenth preferred technical solution, the mutation test sample generation and grouping module calls the manually edited message test module, in which test messages are entered manually and the number of times and the order in which they are sent are set.

In a further preferred technical solution, the mutation test sample generation and grouping module groups every 16 mutation test samples into one test sample group and transmits the generated test sample groups in sequence to the mutation test module.

In a second further preferred technical solution, the mutation test module performs a mutation test on each received test sample group.

In a third further preferred technical solution, a detection method for the detection system for implementation defects of the IEC60870-5-101/104 communication protocol is provided; the improvement is that the detection method comprises the following steps:

(1) Perform a consistency test on the messages under test sent by the device under test;

(2) Perform a mutation test on the messages under test;

(3) Generate a test log and a statistical report.

In a fourth further preferred technical solution, in step 1 the function point traversal unit of the tester traverses the communication function points of the device under test, records the mutually corresponding exchanged messages, and generates a function point traversal test sequence that is stored in the function point traversal test sequence module.

In a fifth further preferred technical solution, step 1 comprises the following steps:

(1-1) The function point traversal unit sends the received messages under test Qj to the device under test in sequence;

(1-2) After receiving a message under test Qj, the device under test sends a response message An to the tester;

(1-3) The function point traversal unit records the communication function points for which a response message was obtained into the function point traversal test sequence.

In a sixth further preferred technical solution, in step 2 the test case design module selects the fields in the message under test and the test type to be applied to the field under test; the mutation test sample generation and grouping module calls the mutation algorithm module and the manually edited message test module respectively to generate test sample groups; and the mutation test module performs a mutation test on each received test sample group.

In a seventh further preferred technical solution, step 2 comprises the following steps:

(2-1) Select the field to mutate and the test type;

(2-2) Generate n mutation test samples and divide them into test sample groups of 16 samples each, giving i test sample groups in total; perform the mutation test on the i generated test sample groups in sequence;

(2-3) The tester sends the mutation test samples of the i-th test sample group to the device under test in order and checks whether a response message is received from the device under test; if one is received, the mutation test sample is examined, otherwise proceed to step 2-4;

(2-4) The tester continues to send the mutation test samples of this test sample group to the device under test;

(2-5) The tester checks whether all mutation test samples of the i-th test sample group have been transmitted to the device under test; if so, it sends detection messages to the device under test at intervals, otherwise it returns to step 2-3;

(2-6) The tester checks whether a response message is received; if so, it reports "device under test state normal", sets i = i + 1 and returns to step 2-3; otherwise it records the problem sample, reports "device under test has a problem", initialises the device under test, sets i = i + 1 and returns to step 2-3;

where the initial value of i is 1.

In an eighth further preferred technical solution, in step 2-3 the mutation test sample is examined as follows:

(2-3-1) The tester sends detection messages to the device under test at intervals;

(2-3-2) The tester checks whether a response message is received; if so, it records the problem sample and reports "device under test abnormal"; otherwise it records the problem sample, reports "device under test has a problem" and initialises the device under test;

where the maximum number of detection messages sent at intervals by the tester to the device under test is 10.

In a ninth further preferred technical solution, in step 2-5 the maximum number of detection messages sent at intervals by the tester to the device under test is 4.

In a tenth further preferred technical solution, the test log and statistical report generated in step 3 record the actual message exchanges and the problem statistics of the test process. During the test the following are recorded in real time: the message under test, the field under test, the original and mutated message contents, the exchanged test messages, the results of return message detection and device state detection, and prompts about initialisation of the device under test. After the test, the statistics placed in the statistical report include: the total number of test cases, the total number of test samples, the number of tested cases, the number of tested samples, the failed test function points, the number of times the device under test was abnormal together with the test samples concerned, and the number of times the device under test had a problem together with the test samples concerned.

Compared with the prior art, the detection system and method for implementation defects of the IEC60870-5-101/104 communication protocol provided by the invention have the following advantages. The use of test sample groups greatly improves test efficiency, because a detection message no longer has to be sent and waited for after every single sample. The device state detection step takes into account that some distribution automation devices have a certain exception handling mechanism; lengthening device state detection lowers the probability of misjudging a problem. The function point traversal test sequence provides a test template for traversing the communication function points and ensures full protocol coverage of 101/104 implementation defect detection as well as the validity of the protocol message mutation test. The system and method describe test case design and test execution in an automated scripting language, achieving automated 101/104 implementation defect detection. The proposed protocol message mutation test flow combines the 101/104 message structure and request-response interaction pattern with the principle of fuzz testing to design mutation test cases and construct mutated messages, thereby attacking the distribution network automation system and terminals under test and discovering protocol implementation defects of the device under test. Finally, the device state detection and initialisation steps designed for distribution automation system testing reduce missed and misjudged test problems and effectively solve the problem of test process interruption.

Description of the drawings

Figure 1 is a schematic diagram of existing network protocol fuzz testing.

Figure 2 is a schematic diagram of the function point traversal test sequence.

Figure 3 is a schematic diagram of the detection method for implementation defects of the IEC60870-5-101/104 communication protocol.

Detailed description

A detection system for implementation defects of the IEC60870-5-101/104 communication protocol comprises a tester and a device under test connected to it; the tester comprises a function point traversal unit and a protocol message mutation test unit that receives its traversal result.

The function point traversal unit is provided with a function point traversal test sequence module; the function point traversal unit traverses the communication function points of the device under test, records the mutually corresponding exchanged messages, and generates a function point traversal test sequence that is stored in the function point traversal test sequence module.

The function point traversal unit sends the received messages under test Qj to the device under test in sequence; after receiving a message under test Qj, the device under test sends a response message An to the tester; the function point traversal unit records the communication function points for which a response message was obtained into the function point traversal test sequence.

The protocol message mutation test unit comprises a test case design module, a mutation test sample generation and grouping module and a mutation sample group test module connected in sequence, as well as a mutation algorithm module and a manually edited message test module, each connected to the test case design module.

The test case design module selects the fields in the message under test and selects the test type to be applied to the field under test.

The mutation algorithm module comprises a basic mutation component, a buffer overflow component, a field omission component and a combined mutation component, arranged in sequence.

The mutation test sample generation and grouping module calls the basic mutation component to generate mutation test samples corresponding to the field under test; for user-defined fields in the message, it calls the buffer overflow component to construct mutation test samples with over-long fields; it calls the field omission component to zero-fill the field under test, omitting the field's content; and it calls the combined mutation component to transform the field, according to the field mutation situation, with a combination of basic mutation, buffer overflow and field omission.

When the field under test is the control field or the type identifier, the basic mutation component performs a full mutation test, in which the number of mutation test samples is 2^m, where m is the number of bits of the mutated field.

The message length field of the mutation test samples produced by the buffer overflow component may either be left unchanged or be increased by the length of the over-long field.

The message length field of the mutation test samples produced by the field omission component may either be left unchanged or be decreased by the length of the omitted field.

The mutation test sample generation and grouping module calls the manually edited message test module, in which test messages are entered manually and the number of times and the order in which they are sent are set.

The mutation test sample generation and grouping module groups every 16 mutation test samples into one test sample group and transmits the generated test sample groups in sequence to the mutation test module.

The mutation test module performs a mutation test on each received test sample group.
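As an added illustration (example code written for this page, not the patent's own implementation), the four mutation components and the grouping into 16-sample groups applied to a hand-built IEC 60870-5-104 I-format APDU. The field offset table, the 0x41 filler octet and the general interrogation baseline frame are this example's assumptions; the APCI/ASDU layout follows the public 104 specification.

```python
from typing import Dict, List, Tuple

# (offset, size) of each field in the constructed baseline I-format APDU below.
# Start octet = offset 0, length octet = 1, four control octets, then the ASDU.
FIELDS: Dict[str, Tuple[int, int]] = {
    "length": (1, 1),
    "control": (2, 4),
    "type_id": (6, 1),
    "vsq": (7, 1),
    "cot": (8, 2),
    "ca": (10, 2),
    "ioa": (12, 3),
    "qoi": (15, 1),
}
GROUP_SIZE = 16  # mutation samples per test sample group, as in the description


def build_i_frame(ns: int, nr: int, asdu: bytes) -> bytes:
    """Wrap an ASDU in an I-format APCI carrying send/receive sequence numbers."""
    ctrl = bytes([(ns << 1) & 0xFF, (ns >> 7) & 0xFF, (nr << 1) & 0xFF, (nr >> 7) & 0xFF])
    body = ctrl + asdu
    return bytes([0x68, len(body)]) + body


# Constructed baseline: C_IC_NA_1 general interrogation (type 100), VSQ 1,
# COT 6 (activation) with originator 0, common address 1, IOA 0, QOI 20.
GI_ASDU = bytes([100, 0x01, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x14])
BASE = build_i_frame(0, 0, GI_ASDU)


def _set_length(msg: bytes, value: int) -> bytes:
    """Overwrite the single-octet APDU length field (wraps at 255)."""
    return msg[:1] + bytes([value & 0xFF]) + msg[2:]


def full_mutation(msg: bytes, field: str) -> List[bytes]:
    """Basic mutation component: enumerate all 2**m values of an m-bit field.
    Only fields up to 16 bits are enumerated; wider ones would need sampling."""
    off, size = FIELDS[field]
    if size > 2:
        raise ValueError(f"{field}: full enumeration of {8 * size} bits is impractical")
    return [msg[:off] + v.to_bytes(size, "little") + msg[off + size:]
            for v in range(2 ** (8 * size))]


def buffer_overflow(msg: bytes, field: str, extra: int, adjust_length: bool) -> bytes:
    """Buffer overflow component: extend a field with `extra` filler octets (0x41).
    The length octet is either left unchanged or increased by `extra`."""
    off, size = FIELDS[field]
    end = off + size
    mutated = msg[:end] + b"A" * extra + msg[end:]
    return _set_length(mutated, msg[1] + extra) if adjust_length else mutated


def field_omission(msg: bytes, field: str, zero_fill: bool, adjust_length: bool) -> bytes:
    """Field omission component: zero-fill the field in place, or drop it and
    optionally decrease the length octet by the field size."""
    off, size = FIELDS[field]
    if zero_fill:
        return msg[:off] + bytes(size) + msg[off + size:]
    mutated = msg[:off] + msg[off + size:]
    return _set_length(mutated, msg[1] - size) if adjust_length else mutated


def combined_mutation(msg: bytes, enum_field: str, overflow_field: str,
                      omit_field: str, extra: int) -> List[bytes]:
    """Combined mutation component: every value of `enum_field`, each paired with
    a zero-filled `omit_field` and an over-long `overflow_field` (length adjusted).
    Offsets refer to the baseline, so the zero-fill is applied before the overflow
    shifts the fields that follow it."""
    out = []
    for sample in full_mutation(msg, enum_field):
        sample = field_omission(sample, omit_field, zero_fill=True, adjust_length=False)
        out.append(buffer_overflow(sample, overflow_field, extra, adjust_length=True))
    return out


def group_samples(samples: List[bytes]) -> List[List[bytes]]:
    """Split the generated samples into test sample groups of 16."""
    return [samples[k:k + GROUP_SIZE] for k in range(0, len(samples), GROUP_SIZE)]
```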

As shown in Figure 3, a detection method for the detection system for implementation defects of the IEC60870-5-101/104 communication protocol is provided, comprising the following steps:

(1) Perform a consistency test on the messages under test sent by the device under test;

(2) Perform a mutation test on the messages under test;

(3) Generate a test log and a statistical report.

As shown in Figure 2, in step 1 the function point traversal unit of the tester traverses the communication function points of the device under test, records the mutually corresponding exchanged messages, and generates a function point traversal test sequence that is stored in the function point traversal test sequence module.

Step 1 comprises the following steps:

(1-1) The function point traversal unit sends the received messages under test Qj to the device under test in sequence;

(1-2) After receiving a message under test Qj, the device under test sends a response message An to the tester;

(1-3) The function point traversal unit records the communication function points for which a response message was obtained into the function point traversal test sequence.

As shown in Figure 3, in step 2 the test case design module selects the fields in the message under test and the test type to be applied to the field under test; the mutation test sample generation and grouping module calls the mutation algorithm module and the manually edited message test module respectively to generate test sample groups; and the mutation test module performs a mutation test on each received test sample group.

Step 2 comprises the following steps:

(2-1) Select the field to mutate and the test type;

(2-2) Generate n mutation test samples and divide them into test sample groups of 16 samples each, giving i test sample groups in total; perform the mutation test on the i generated test sample groups in sequence;

(2-3) The tester sends the mutation test samples of the i-th test sample group to the device under test in order and checks whether a response message is received from the device under test; if one is received, the mutation test sample is examined, otherwise proceed to step 2-4;

(2-4) The tester continues to send the mutation test samples of this test sample group to the device under test;

(2-5) The tester checks whether all mutation test samples of the i-th test sample group have been transmitted to the device under test; if so, it sends detection messages to the device under test at intervals, otherwise it returns to step 2-3;

(2-6) The tester checks whether a response message is received; if so, it reports "device under test state normal", sets i = i + 1 and returns to step 2-3; otherwise it records the problem sample, reports "device under test has a problem", initialises the device under test, sets i = i + 1 and returns to step 2-3;

where the initial value of i is 1.

In step 2-3, the mutation test sample is examined as follows:

(2-3-1) The tester sends detection messages to the device under test at intervals;

(2-3-2) The tester checks whether a response message is received; if so, it records the problem sample and reports "device under test abnormal"; otherwise it records the problem sample, reports "device under test has a problem" and initialises the device under test;

where the maximum number of detection messages sent at intervals by the tester to the device under test is 10.

In step 2-5, the maximum number of detection messages sent at intervals by the tester to the device under test is 4.

在所述步骤3中生成的测试日志及统计报告用于记录测试过程的实际报文交互情况和问题统计信息;测试过程实时记录被测报文、被测字段、原始报文和变异报文信息,测试交互报文,返回报文检测和设备状态检测结果,以及被测设备初始化的提示;测试结束后生成放入统计报告中的统计信息包括:总测试用例数、总测试样本数、已测试用例数、已测试样本数、未通过的测试功能点、被测设备出现异常次数及测试样本、被测设备出现问题次数及测试样本。The test log and statistical report generated in the step 3 are used to record the actual message interaction and problem statistics of the test process; the test process records the tested message, the measured field, the original message and the variation message information in real time , test interactive messages, return message detection and device status detection results, and prompts for the initialization of the device under test; the statistical information generated and put into the statistical report after the test includes: the total number of test cases, the total number of test samples, the number of tested The number of use cases, the number of tested samples, the failed test function points, the number of abnormalities in the tested equipment and test samples, the number of problems in the tested equipment and the test samples.

The present invention addresses the applicability problems of existing protocol robustness test methods when applied to IEC60870-5-101/104 robustness testing: test coverage is limited by the tester's experience, test problems are missed or misjudged, and test depth and efficiency are low, so that no defect detection method for 101/104 protocol implementations suitable for distribution network automation systems has been available. Building on IEC60870-5-101/104 conformance testing, which achieves full coverage of the protocol messages and function points of a distribution network automation system, the present invention introduces the technical principle of fuzz testing and provides a communication-security-oriented defect detection method for 101/104 protocol implementations in distribution network automation systems.

The test process comprises the following steps:

Test environment setup:

Connect the object under test to the 101/104 protocol parsing and message construction tool, and configure protocol selection and channel establishment on both the object under test and the test tool.

Device function point message traversal:

After the test channel is established, the device under test is subjected to IEC60870-5-101/104 conformance testing; passing the conformance test traverses the communication function points of the object under test, and the corresponding normal exchanged messages are recorded. Taking into account the pre-state requirements of each function point, the function points are sorted and optimized, then described in an automated scripting language to generate the "function point traversal test sequence" (Figure 2). The "function point traversal test sequence" provides a template for communication function point traversal, allowing testers with little protocol testing experience to run the tests automatically and to design the test cases for the subsequent protocol variation test.

The device function point message traversal test ensures that the device's protocol message implementation conforms to the 101 and 104 protocols, which is the prerequisite for the subsequent protocol message variation test.

Protocol message variation test

This part is the core of the 101/104 protocol implementation defect detection method proposed in this patent. Using the 101 and 104 protocol messages with which the distribution automation device passed the conformance test during "communication function point traversal", a message variation test is executed to detect defects in the device under test's implementation of the 101/104 protocol. The test flow is shown in Figure 3 below: the variation test is broadly divided into three stages, test case design, variation test sample generation and grouping, and variation sample group testing.

Test case design: select a field of the message under test and, relying on the tester's understanding of the protocol, choose the test type to apply to that field. The main test types and methods are:

(a) Basic variation: call the variation algorithm to generate the variation test samples for the field under test. Fields such as the control field and type identification should use full variation (number of variation samples = 2^m, where m is the number of bits in the variation field); for fields larger than 1 byte, the fuzzing algorithm called by the message variation can be adjusted according to test requirements to control the test granularity.

(b) Buffer overflow: mainly aimed at user-defined fields in the message; the variation algorithm constructs variation test samples containing an overlong field. The message length field of a buffer overflow variation test sample may be left unchanged or adjusted to match the overlong field.

(c) Field omission: the field is zero-filled, that is, its content is deliberately left out. The message length field of a field omission variation test sample may be left unchanged or adjusted to reflect the length of the omitted field.

(d) Combined variation: for the case where several fields are varied simultaneously; the specific transformation combines basic variation, buffer overflow and field omission according to the types of the selected fields.
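The four test types above, worked on a constructed IEC 104 frame as an added example (not the patent's own variation algorithm): the field map, the sample interrogation frame, the filler byte and the function names are assumptions made here, and the length-field handling follows the "unchanged or adjusted" choice of types (b) and (c).

```python
from typing import Dict, List, Tuple

Field = Tuple[int, int]  # (offset, width in bytes) inside the APDU

# Constructed IEC 104 I-frame: APCI (start 0x68, length 0x0E, four control
# bytes) followed by a C_IC_NA_1 station interrogation ASDU (type 100, VSQ 1,
# COT 6 activation, common address 1, IOA 0, QOI 20).
BASE_APDU = bytes.fromhex("68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14")
FIELDS: Dict[str, Field] = {
    "length": (1, 1), "control": (2, 4), "type_id": (6, 1), "vsq": (7, 1),
    "cot": (8, 2), "ca": (10, 2), "ioa": (12, 3), "qoi": (15, 1),
}
LENGTH_OFFSET = 1  # the APDU length byte counts every byte after itself


def _patch_length(apdu: bytes, delta: int) -> bytes:
    """Move the APDU length byte by delta, clamped to one byte."""
    new_len = max(0, min(0xFF, apdu[LENGTH_OFFSET] + delta))
    return apdu[:LENGTH_OFFSET] + bytes([new_len]) + apdu[LENGTH_OFFSET + 1:]


def basic_variation(apdu: bytes, field: str, stride: int = 1) -> List[bytes]:
    """(a) Basic variation. stride=1 is the full variation of the field
    (2**m samples, m = width in bits); a larger stride coarsens the test
    granularity for fields wider than one byte."""
    off, n = FIELDS[field]
    return [apdu[:off] + v.to_bytes(n, "little") + apdu[off + n:]
            for v in range(0, 2 ** (8 * n), stride)]


def buffer_overflow(apdu: bytes, field: str, extra: int,
                    adjust_length: bool, fill: int = 0x41) -> bytes:
    """(b) Buffer overflow: extend the field by `extra` filler bytes. The
    length byte stays unchanged or grows by the same amount."""
    off, n = FIELDS[field]
    mutated = apdu[:off + n] + bytes([fill]) * extra + apdu[off + n:]
    return _patch_length(mutated, extra) if adjust_length else mutated


def field_omission(apdu: bytes, field: str, adjust_length: bool) -> bytes:
    """(c) Field omission: leave the field's bytes out entirely. The length
    byte stays unchanged or shrinks by the omitted width."""
    off, n = FIELDS[field]
    mutated = apdu[:off] + apdu[off + n:]
    return _patch_length(mutated, -n) if adjust_length else mutated


def combined_variation(apdu: bytes, ops: List[Tuple[str, str, int]],
                       adjust_length: bool) -> bytes:
    """(d) Combined variation: several fields changed in one frame. Each op is
    (field, kind, arg) with kind "set" (a basic-variation value), "overflow"
    (extra bytes) or "omit" (arg ignored). Ops are applied from the highest
    offset down so earlier offsets stay valid; the length byte is patched
    once with the accumulated delta."""
    delta = 0
    for field, kind, arg in sorted(ops, key=lambda o: FIELDS[o[0]][0], reverse=True):
        off, n = FIELDS[field]
        if kind == "set":
            apdu = apdu[:off] + arg.to_bytes(n, "little") + apdu[off + n:]
        elif kind == "overflow":
            apdu = apdu[:off + n] + b"\x41" * arg + apdu[off + n:]
            delta += arg
        elif kind == "omit":
            apdu = apdu[:off] + apdu[off + n:]
            delta -= n
        else:
            raise ValueError(f"unknown variation kind {kind!r}")
    return _patch_length(apdu, delta) if adjust_length else apdu


def group_samples(samples: List[bytes], size: int = 16) -> List[List[bytes]]:
    """Divide the generated samples into test sample groups of 16 (step 2-2)."""
    return [samples[k:k + size] for k in range(0, len(samples), size)]


if __name__ == "__main__":
    full = basic_variation(BASE_APDU, "type_id")  # 2**8 = 256 samples
    print(len(full), "samples in", len(group_samples(full)), "groups of 16")
    print(buffer_overflow(BASE_APDU, "qoi", 200, adjust_length=True)[:8].hex())
    print(field_omission(BASE_APDU, "ioa", adjust_length=True).hex())
```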

Variation test sample generation and grouping: the test cases call the variation algorithm to generate a large number of variation test samples, which are divided into test sample groups of 16. This stage greatly improves test efficiency, because it removes the detection time that sending a detection message after every single sample would cost.

Variation sample group test: the variation test is executed group by group, and each sample group sends its 16 abnormal messages in sequence. While a group of abnormal messages is being sent, if the device under test does not reply with a response message (the correct handling of an abnormal message is to discard it without replying), device state detection is executed after all 16 abnormal messages have been sent; if the device under test does reply with a response message, the sending of abnormal messages is interrupted, device state detection is executed, and then the remaining abnormal messages are sent.

In the device state detection stage, the tester sends the detection message at intervals up to 10 times, stopping as soon as a response message is received; this setting takes into account that some distribution automation devices have an exception handling mechanism of their own, and extending the duration of device state detection reduces the chance of misjudging a problem.

The device state detection message is used to check the running state of the device under test after it has received a series of abnormal messages; a message that does not require the device to enter a pre-state is usually chosen. When testing the 101 protocol, device state detection can use the U-format test frame; when testing the 104 protocol, it can use the request for class 2 data frame (alternating the two avoids the send/receive sequence number problem). If the device does not respond correctly to the state detection message, it may have crashed, and the device under test needs to be initialized (for example by re-establishing the channel) so that subsequent tests can proceed.
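A simulation of steps 2-2 to 2-6 and of the group test and state detection just described, added here as an example that is not the patent's code: the SimulatedDevice, the sample frames, the probe limits taken from the text (10 after a reply, 4 after a group) and the choice of the IEC 104 TESTFR U-frame as the detection message are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

GROUP_SIZE = 16               # step 2-2: 16 variation samples per group
MAX_PROBES_AFTER_REPLY = 10   # steps 2-3-1/2-3-2: at most 10 spaced detection messages
MAX_PROBES_AFTER_GROUP = 4    # step 2-5: at most 4 spaced detection messages

# IEC 104 U-format TESTFR act / con frames, used here as the detection message
# (assumption: the simulation probes with TESTFR, which needs no pre-state).
TESTFR_ACT = bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])
TESTFR_CON = bytes([0x68, 0x04, 0x83, 0x00, 0x00, 0x00])


def sample(type_id: int) -> bytes:
    """Constructed variation sample: an I-frame carrying an interrogation-like
    ASDU whose type identification byte is replaced by type_id."""
    return bytes([0x68, 0x0E, 0x00, 0x00, 0x00, 0x00, type_id & 0xFF,
                  0x01, 0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x14])


class SimulatedDevice:
    """Hypothetical stand-in for the device under test, not a real RTU.
    It stops responding after a frame whose type identification is in
    crash_on, wrongly answers frames whose type identification is in
    reply_on, and silently discards every other abnormal frame."""

    def __init__(self, crash_on: Set[int], reply_on: Set[int]) -> None:
        self.crash_on, self.reply_on = crash_on, reply_on
        self.alive = True

    def send(self, frame: bytes) -> Optional[bytes]:
        if not self.alive:
            return None
        if frame == TESTFR_ACT:
            return TESTFR_CON
        type_id = frame[6] if len(frame) > 6 else -1
        if type_id in self.crash_on:
            self.alive = False                    # hung: no reply from now on
            return None
        if type_id in self.reply_on:
            return bytes([0x68, 0x04, 0x01, 0x00, 0x00, 0x00])  # bogus S-frame
        return None                               # correct: discard, no reply

    def initialize(self) -> None:
        """The text's initialization setting, e.g. re-establishing the channel."""
        self.alive = True


@dataclass
class ProblemRecord:
    group: int                  # group number i, starting at 1
    sample_indices: List[int]   # global indices of the suspect samples
    verdict: str                # "abnormal" (device answered) or "problem" (device down)


def state_ok(device: SimulatedDevice, max_probes: int) -> bool:
    """Device state detection: send the detection message at intervals (the
    delay is omitted in the simulation) until a response arrives or the
    maximum number of probes is exhausted."""
    for _ in range(max_probes):
        if device.send(TESTFR_ACT) == TESTFR_CON:
            return True
    return False


def run_variation_test(samples: List[bytes], device: SimulatedDevice
                       ) -> Tuple[List[ProblemRecord], Dict[str, int]]:
    """Steps 2-2 to 2-6: group the samples by 16, send each group in order,
    check the device whenever it answers an abnormal frame, and check it
    again after the whole group has been delivered."""
    groups = [samples[k:k + GROUP_SIZE] for k in range(0, len(samples), GROUP_SIZE)]
    records: List[ProblemRecord] = []
    stats = {"samples": len(samples), "groups": len(groups),
             "abnormal": 0, "problem": 0, "normal_groups": 0}
    for i, group in enumerate(groups, start=1):
        base = (i - 1) * GROUP_SIZE
        for j, frame in enumerate(group):
            if device.send(frame) is not None:                # step 2-3: device replied
                if state_ok(device, MAX_PROBES_AFTER_REPLY):  # step 2-3-2
                    records.append(ProblemRecord(i, [base + j], "abnormal"))
                    stats["abnormal"] += 1
                else:
                    records.append(ProblemRecord(i, [base + j], "problem"))
                    stats["problem"] += 1
                    device.initialize()
            # step 2-4: the rest of the group is sent either way
        if state_ok(device, MAX_PROBES_AFTER_GROUP):          # steps 2-5 / 2-6
            stats["normal_groups"] += 1
        else:
            # the device went down somewhere in this group; every sample of the
            # group is kept for reproduction in the manually edited message test
            records.append(ProblemRecord(i, list(range(base, base + len(group))), "problem"))
            stats["problem"] += 1
            device.initialize()
    return records, stats


if __name__ == "__main__":
    dut = SimulatedDevice(crash_on={5}, reply_on={20})
    recs, st = run_variation_test([sample(k) for k in range(40)], dut)
    for r in recs:
        print(f"group {r.group}: {r.verdict}, suspect samples {r.sample_indices[:3]}...")
    print(st)
```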

The test case design and test execution process are described in an automated scripting language and formed into a test suite that can be saved or loaded, automating the protocol message variation test.

Test log and statistical report

The test log and statistical report record the actual message exchanges of the test process and the problem statistics, helping testers find and locate problems quickly and conveniently. During the test, information such as the message under test, the field under test, the original message and the variation message, the exchanged test messages, the results of response message checking and device state detection, and prompts such as initialization of the device under test are recorded in real time. At the end of the test a statistical report is generated; its statistics may include the total number of test cases, the total number of test samples, the number of test cases executed, the number of test samples executed, the failed test function points, the number of abnormal occurrences of the device under test with the corresponding test samples, and the number of problem occurrences of the device under test with the corresponding test samples.

Manually edited message test

The manually edited message test is mainly used for message variation tests that the protocol message variation test stage cannot cover, and for reproducing and verifying problems found in that stage. Testers can edit messages by hand, set the number of times and the order in which they are sent, describe this in the automated scripting language and run the test automatically. This stage lets testers make full use of their testing skills and find deeper protocol implementation vulnerabilities.

It should be stated that the content and specific embodiments of the present invention are intended to demonstrate the practical application of the technical solution it provides and should not be construed as limiting its scope of protection. Those skilled in the art, guided by the spirit and principles of the invention, may make various modifications, equivalent replacements or improvements, all of which fall within the scope of protection of the pending application.

Claims (21)

1. A detection system for defects in IEC60870-5-101/104 communication protocol implementations, comprising a tester and a device under test connected to it, characterized in that the tester comprises a function point traversal unit and a protocol message variation test unit that receives its traversal results.

2. The detection system according to claim 1, characterized in that the function point traversal unit is provided with a function point traversal test sequence module; the function point traversal unit traverses the communication function points of the device under test, records the mutually corresponding exchanged messages, and generates the function point traversal test sequence stored in the function point traversal test sequence module.

3. The detection system according to claim 2, characterized in that the function point traversal unit sends the received messages under test Qj to the device under test in sequence; after receiving a message under test Qj, the device under test sends a response message An to the tester; and the function point traversal unit records the communication function points for which a response message was obtained into the function point traversal test sequence.

4. The detection system according to claim 1, characterized in that the protocol message variation test unit comprises a test case design module, a variation test sample generation and grouping module and a variation sample group test module connected in sequence, and a variation algorithm module and a manually edited message test module each connected to the test case design module.

5. The detection system according to claim 4, characterized in that the test case design module selects a field of the message under test and the test type to apply to that field.

6. The detection system according to claim 5, characterized in that the variation algorithm module comprises a basic variation component, a buffer overflow component, a field omission component and a combined variation component arranged in sequence.

7. The detection system according to claim 6, characterized in that the variation test sample generation and grouping module calls the basic variation component to generate the variation test samples corresponding to the field under test; for user-defined fields in the message, it calls the buffer overflow component to construct variation test samples containing an overlong field; it calls the field omission component to zero-fill the field under test, omitting its content; and it calls the combined variation component to transform the fields, according to the variation situation, by a combination of basic variation, buffer overflow and field omission.

8. The detection system according to claim 7, characterized in that, when the field under test is the control field or the type identification, the basic variation component applies a full variation test in which the number of variation test samples = 2^m, where m is the number of bits in the variation field.

9. The detection system according to claim 7, characterized in that the message length field of a variation test sample in the buffer overflow component test is either left unchanged or increased by the length of the overlong field.

10. The detection system according to claim 7, characterized in that the message length field of a variation test sample in the field omission component test is either left unchanged or decreased by the length of the omitted field.

11. The detection system according to claim 4, characterized in that the variation test sample generation and grouping module calls the manually edited message test module, into which test messages are entered by hand together with the number of times and the order in which they are sent.

12. The detection system according to claim 4, characterized in that the variation test sample generation and grouping module divides every 16 variation test samples into one test sample group and transmits the generated test sample groups in sequence to the variation test module.

13. The detection system according to claim 4, characterized in that the variation test module performs the variation test on each received test sample group.

14. A detection method for the detection system for defects in IEC60870-5-101/104 communication protocol implementations according to any one of claims 1 to 13, characterized in that the detection method comprises the following steps: (1) performing a conformance test on the messages under test sent by the device under test; (2) performing a variation test on the messages under test; (3) generating a test log and a statistical report.

15. The detection method according to claim 14, characterized in that, in step 1, the function point traversal unit of the tester traverses the communication function points of the device under test, records the mutually corresponding exchanged messages, and generates the function point traversal test sequence stored in the function point traversal test sequence module.

16. The detection method according to claim 15, characterized in that step 1 comprises the following steps: (1-1) the function point traversal unit sends the received messages under test Qj to the device under test in sequence; (1-2) after receiving a message under test Qj, the device under test sends a response message An to the tester; (1-3) the function point traversal unit records the communication function points for which a response message was obtained into the function point traversal test sequence.

17. The detection method according to claim 14, characterized in that, in step 2, the test case design module selects a field of the message under test and the test type to apply to that field; the variation test sample generation and grouping module calls the variation algorithm module and the manually edited message test module respectively to generate test sample groups; and the variation test module performs the variation test on each received test sample group.

18. The detection method according to claim 17, characterized in that step 2 comprises the following steps: (2-1) select the variation field and the test type; (2-2) generate n variation test samples, divide every 16 variation test samples into one test sample group, giving i test sample groups in total, and perform the variation test on the i generated test sample groups in sequence; (2-3) the tester sends the variation test samples of the i-th test sample group to the device under test in sequence and judges whether a response message from the device under test is received; if one is received, the variation test sample is checked, otherwise proceed to step 2-4; (2-4) the tester continues to send the variation test samples of this test sample group to the device under test; (2-5) the tester judges whether all variation test samples of the i-th test sample group have been transmitted to the device under test; if so, it sends detection messages to the device under test at intervals, otherwise it returns to step 2-3; (2-6) the tester judges whether a response message is received; if so, it reports "device under test state normal", sets i=i+1 and returns to step 2-3; otherwise it records the problem sample, reports "device under test has a problem", initializes the device under test, sets i=i+1 and returns to step 2-3; where the initial value of i is 1.

19. The detection method according to claim 18, characterized in that, in step 2-3, the variation test sample is checked as follows: (2-3-1) the tester sends detection messages to the device under test at intervals; (2-3-2) the tester judges whether a response message is received; if so, it records the problem sample and reports "device under test is abnormal"; otherwise it records the problem sample, reports "device under test has a problem" and initializes the device under test; where the maximum number of spaced detection messages the tester sends to the device under test is 10.

20. The detection method according to claim 18, characterized in that, in step 2-5, the maximum number of spaced detection messages the tester sends to the device under test is 4.

21. The detection method according to claim 14, characterized in that the test log and statistical report generated in step 3 record the actual message exchanges of the test process and the problem statistics; during the test, the message under test, the field under test, the original message and the variation message, the exchanged test messages, the results of response message checking and device state detection, and prompts about initialization of the device under test are recorded in real time; after the test, the statistics placed in the statistical report include: total number of test cases, total number of test samples, number of test cases executed, number of test samples executed, failed test function points, number of abnormal occurrences of the device under test with the corresponding test samples, and number of problem occurrences of the device under test with the corresponding test samples.
CN201210081306.5A 2012-03-26 2012-03-26 System and method capable of achieving defect detection for IEC60870-5-101/104 communication protocol Active CN102624587B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210081306.5A CN102624587B (en) 2012-03-26 2012-03-26 System and method capable of achieving defect detection for IEC60870-5-101/104 communication protocol

Publications (2)

Publication Number Publication Date
CN102624587A true CN102624587A (en) 2012-08-01
CN102624587B CN102624587B (en) 2015-04-29

Family

ID=46564278

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210081306.5A Active CN102624587B (en) 2012-03-26 2012-03-26 System and method capable of achieving defect detection for IEC60870-5-101/104 communication protocol

Country Status (1)

Country Link
CN (1) CN102624587B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572440A (en) * 2009-02-27 2009-11-04 国电南瑞科技股份有限公司 Power grid protocol analysis and test method
CN101604870A (en) * 2009-07-14 2009-12-16 攀枝花电业局 The extended method of power system IEC 60870-5-101/104 standards
CN102331534A (en) * 2011-06-09 2012-01-25 航天科工深圳(集团)有限公司 Power distribution terminal detecting system and method

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015007161A1 (en) * 2013-07-18 2015-01-22 江苏省电力公司淮安供电公司 Detection method for communication states of iec104 protocol of dispatching automation system
CN103795146A (en) * 2014-01-26 2014-05-14 国家电网公司 Power distribution terminal conformance testing method
CN103795146B (en) * 2014-01-26 2016-02-10 国家电网公司 Distribution terminal conformance test method
CN105827469A (en) * 2014-12-29 2016-08-03 国家电网公司 MODBUS TCP implementation defect tester and detection method thereof
CN104601406A (en) * 2015-01-14 2015-05-06 国家电网公司 Method and detection device for automatically generating IEC 101 and IEC 104 protocol point tables
CN111726264A (en) * 2020-06-18 2020-09-29 中国电子科技集团公司第三十六研究所 Network protocol variation detection method, device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN102624587B (en) 2015-04-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: STATE ELECTRIC NET CROP.

Effective date: 20130715

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20130715

Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15

Applicant after: China Electric Power Research Institute

Applicant after: State Grid Corporation of China

Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15

Applicant before: China Electric Power Research Institute

C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160425

Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15

Patentee after: China Electric Power Research Institute

Patentee after: State Grid Smart Grid Institute

Patentee after: State Grid Corporation of China

Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15

Patentee before: China Electric Power Research Institute

Patentee before: State Grid Corporation of China

C56 Change in the name or address of the patentee
CP01 Change in the name or title of a patent holder

Address after: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15

Patentee after: China Electric Power Research Institute

Patentee after: GLOBAL ENERGY INTERCONNECTION RESEARCH INSTITUTE

Patentee after: State Grid Corporation of China

Address before: 100192 Beijing city Haidian District Qinghe small Camp Road No. 15

Patentee before: China Electric Power Research Institute

Patentee before: State Grid Smart Grid Institute

Patentee before: State Grid Corporation of China