
CN110058565A - Industrial control PLC system fingerprint simulation method based on the Linux operating system


Info

Publication number: CN110058565A
Authority: CN (China)
Prior art keywords: linux, fingerprint, industry control, control plc, protocol stack
Legal status: Granted
Application number: CN201910154291.2A
Other languages: Chinese (zh)
Other versions: CN110058565B (en)
Inventors: 冯毓, 刘赟, 陈思, 张位, 毛得明
Current Assignee: China Electronic Technology Cyber Security Co Ltd
Original Assignee: China Electronic Technology Cyber Security Co Ltd

Classifications

    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00: Programme-control systems
    • G05B19/02: Programme-control systems electric
    • G05B19/04: Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/05: Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
    • G05B19/054: Input/output
    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00: Program-control systems
    • G05B2219/10: Plc systems
    • G05B2219/15: Plc structure of the system
    • G05B2219/15028: Controller and device have several formats and protocols, select common one


Abstract

The invention discloses an industrial control PLC system fingerprint simulation method based on the Linux operating system, comprising a step of obtaining and analyzing the industrial control PLC system fingerprint and a step of modifying the fingerprint information of the Linux operating system. It realizes a technique that returns industrial control system PLC fingerprint information in response to OS detection while the operating system runs normally on a terminal or server. This solves the problem that current industrial control system honeypots return the real system fingerprint to OS detection and thereby expose their identity as honeypots, and it improves the deceptiveness of the industrial control system.

Description

Industrial control PLC system fingerprint simulation method based on the Linux operating system
Technical field
The present invention relates to the field of information security technology, and more particularly to an industrial control PLC system fingerprint simulation method based on the Linux operating system.
Background art
OS (operating system) detection is a family of techniques that send a series of specially constructed network protocol packets to a target system, then collect and analyze the characteristics of the response messages in order to determine the target's OS version. The sum of the characteristic information returned in response to the probes is the system fingerprint. It identifies the implementation characteristics of the TCP/IP protocol stack under each operating system. Because every operating system implements the TCP/IP protocol stack in a different way, and the OS-layer implementation of the protocol stack cannot be changed from the user layer, the system fingerprint is unique and invariant. Because of this property, the system fingerprint is commonly used as the identifier of a system, just like a human fingerprint, and network scanners and hackers use it to obtain the OS version information of a target host.
System fingerprint simulation is a technique that protects a target operating system from being detected by an attacker. It can also simulate the response messages of another operating system and return them to the attacker, so that the attacker obtains a wrong system detection result. This protects the host's own operating system information and, at the same time, deceives the attacker.
Research on industrial control PLC (programmable logic controller) system fingerprint simulation based on the Linux operating system focuses mainly on two points: first, proposing a technique that changes the Linux system fingerprint and simulates an industrial control PLC system fingerprint; second, proposing a technique that does so without affecting the normal network communication functions of the target host.
At present, no technique has been found that simulates an industrial control PLC system fingerprint on a terminal or server. Industrial control PLC system fingerprint simulation based on the Linux operating system can change the system fingerprint of a terminal or server and make it simulate an industrial control PLC system fingerprint. This effectively improves the fidelity of industrial control system honeypots running on terminals and servers, prevents attackers from identifying the honeypot system from the information of the underlying operating system, and makes the industrial control honeypot more deceptive, so that more, and more valuable, information can be collected.
Summary of the invention
The technical problem to be solved by the present invention is as follows. In view of the problems in the prior art, the present invention proposes an industrial control PLC system fingerprint simulation technique based on the Linux operating system, which mainly considers the following:
1. Collecting and analyzing the industrial control PLC system fingerprint. To make the Linux operating system simulate an industrial control PLC system fingerprint, the first step is to obtain the system fingerprint of the industrial control PLC; otherwise the target characteristics that are ultimately to be simulated cannot be set. The second step, after the industrial control PLC system fingerprint has been obtained, is to analyze the fingerprint, convert the fingerprint information into TCP/IP protocol stack implementation characteristics, and compare them with the TCP/IP protocol stack implementation of the terminal or server OS.
2. Modifying the Linux system fingerprint. Modifying the Linux system fingerprint essentially means changing the TCP/IP protocol stack implementation for the information that the probes detect. The work must therefore be based on an operating system whose kernel source code is available: the implementation logic of the TCP/IP module in the kernel source code is modified and the kernel is recompiled, which changes how the system responds to the various network protocols. Otherwise the fingerprint information of the system cannot be changed, because modifications in the user layer have no effect on it.
The industrial control PLC system fingerprint simulation method based on the Linux operating system provided by the present invention comprises:
A step of obtaining and analyzing the industrial control PLC system fingerprint: scanning the industrial control system PLC with system detection probes to obtain the industrial control PLC system fingerprint; analyzing the industrial control PLC system fingerprint to obtain information that includes the main characteristics of the PLC's TCP/IP protocol stack implementation;
A step of modifying the fingerprint information of the Linux operating system: analyzing the main fingerprint attributes used in OS detection to distinguish different operating systems, and obtaining the implementation characteristics of the TCP/IP protocol stack in the industrial control PLC; studying and comparing the PLC system's TCP/IP protocol stack characteristics with those of the Linux system; finding the parts where the Linux system's TCP/IP protocol stack characteristics differ from those of the PLC system; changing the logic and algorithms of those parts in the Linux TCP/IP protocol stack implementation; and recompiling the Linux kernel, so that the Linux system fingerprint finally becomes almost the same as the industrial control PLC system fingerprint.
Further, the industrial control system PLC is scanned with 5 classes of specially constructed system detection probes: sequence generation algorithm probes, TCP protocol probes, UDP protocol probes, ICMP echo probes and ECN probes.
Further, the information obtained by analyzing the industrial control PLC system fingerprint includes: the sequence generation algorithm of the TCP/IP protocol stack; the greatest common divisor, rate of increase and SP of the TCP ISN; the TCP timestamp selection algorithm; the TCP initial window size; the TCP explicit congestion handling mechanism; the reserved UDP header bits; and other more detailed flag-bit information and IP packet attributes.
Further, the main fingerprint attributes used in OS detection to distinguish different operating systems include: GCD, SP, TI, TS, W, DF and DFI.
The present invention innovatively proposes and realizes a technique that returns industrial control PLC system fingerprint information in response to OS detection while the operating system runs normally on a terminal or server. It solves the problem that current industrial control system honeypots return the real system fingerprint to OS detection and thereby expose their identity as honeypots, and it improves the deceptiveness of the industrial control system.
Detailed description
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Unless specifically stated otherwise, any feature disclosed in this specification may be replaced by another alternative feature that is equivalent or has a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
The industrial control PLC system fingerprint simulation technique based on the Linux operating system provided by the present invention mainly comprises the following aspects:
1. Obtaining and analyzing the industrial control PLC system fingerprint
The industrial control system PLC is scanned with 5 classes of specially constructed system detection sequence probes:
(1) sequence generation algorithm probes;
(2) TCP protocol probes;
(3) UDP protocol probes;
(4) ICMP echo probes;
(5) ECN probes.
These probes are designed specifically around the various ambiguous parts of the RFC standard protocols. After scanning with these probes, a fixed-length character string is obtained as the system fingerprint. Analyzing the fingerprint yields: the sequence generation algorithm of the TCP/IP protocol stack; the greatest common divisor and rate of increase of the TCP ISN (the TCP initial sequence number) and its SP (the TCP ISN sequence predictability index; a higher value indicates that the TCP ISN generation algorithm is more predictable, meaning the generation algorithm may have more defects); the TCP timestamp selection algorithm; the TCP initial window size; the TCP explicit congestion handling mechanism; the reserved UDP header bits; and other more detailed flag-bit information and IP packet attributes. This information includes the main characteristics of the PLC's TCP/IP protocol stack implementation and can be used to distinguish different operating systems.
2. Modifying the fingerprint information of the Linux operating system
The main fingerprint attributes used in OS detection to distinguish different operating systems are analyzed. They mainly include GCD (Greatest Common Divisor), SP, TI (the TCP response to the sequence probes), TS (Timestamp), W (the TCP window size), DF (the IP don't-fragment flag bit) and DFI (the DF of the IP response to the ICMP probe). From these, the implementation characteristics of the TCP/IP protocol stack in the industrial control PLC are obtained. The PLC system's TCP/IP protocol stack characteristics are studied and compared with those of the Linux system, and the parts where the Linux system's TCP/IP protocol stack characteristics differ from those of the PLC system are identified. The logic and algorithms of those parts in the Linux TCP/IP protocol stack implementation are changed and the Linux kernel is recompiled, so that the Linux system fingerprint finally becomes almost the same as the industrial control PLC system fingerprint. In this way the system fingerprint of the industrial control PLC is simulated.
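As an added illustration of the comparison step above (not part of the patent text), a honeypot operator can check the listed attributes on a candidate host against a reference PLC fingerprint to see which stack behaviours still give the host away. It assumes fingerprints are written in the Nmap-style `TEST(ATTR=value%...)` text form, which the patent does not name; the three sample fingerprints are constructed and the function names are hypothetical.

```python
import re

# Attributes the text lists as the main OS discriminators.
PAGE_ATTRS = ("GCD", "SP", "TI", "TS", "W", "DF", "DFI")

# Constructed sample fingerprints (not measured from any real device).
PLC_REFERENCE = """
SEQ(SP=0-5%GCD=FA00%TI=I%TS=U)
T1(R=Y%DF=N%W=2000)
ECN(R=Y%DF=N%W=2000%CC=N)
IE(R=Y%DFI=S)
"""
LINUX_STOCK = """
SEQ(SP=105%GCD=1%TI=Z%TS=A)
T1(R=Y%DF=Y%W=7210)
ECN(R=Y%DF=Y%W=7210%CC=Y)
IE(R=Y%DFI=N)
"""
LINUX_PATCHED = """
SEQ(SP=3%GCD=FA00%TI=I%TS=U)
T1(R=Y%DF=N%W=2000)
ECN(R=Y%DF=N%W=2000%CC=Y)
IE(R=Y%DFI=S)
"""

def parse_fingerprint(text):
    """Return {(test, attr): value} from lines such as 'SEQ(SP=0-5%GCD=1)'."""
    out = {}
    for line in text.strip().splitlines():
        m = re.fullmatch(r"\s*(\w+)\((.*)\)\s*", line)
        if not m:
            continue  # skip anything that is not a TEST(...) line
        test, body = m.groups()
        for pair in filter(None, body.split("%")):
            attr, _, value = pair.partition("=")
            out[(test, attr)] = value
    return out

def _as_hex(s):
    """Numeric fingerprint values are hexadecimal; return None for symbols."""
    try:
        return int(s, 16)
    except ValueError:
        return None

def value_matches(expected, observed):
    """A reference value may hold alternatives ('A|B') and hex ranges ('0-5')."""
    for alt in expected.split("|"):
        if alt == observed:
            return True
        lo, sep, hi = alt.partition("-")
        nums = (_as_hex(lo), _as_hex(hi), _as_hex(observed))
        if sep and None not in nums and nums[0] <= nums[2] <= nums[1]:
            return True
    return False

def fingerprint_gaps(reference, observed, attrs=PAGE_ATTRS):
    """List (test, attr, expected, got) where the host still differs from the PLC."""
    ref, obs = parse_fingerprint(reference), parse_fingerprint(observed)
    gaps = []
    for (test, attr), expected in sorted(ref.items()):
        if attr not in attrs:
            continue  # only the attributes the text names are compared
        got = obs.get((test, attr))
        if got is None or not value_matches(expected, got):
            gaps.append((test, attr, expected, got))
    return gaps

if __name__ == "__main__":
    for test, attr, expected, got in fingerprint_gaps(PLC_REFERENCE, LINUX_STOCK):
        print(f"{test}.{attr}: PLC expects {expected}, host returned {got}")
    print("patched host gaps:", fingerprint_gaps(PLC_REFERENCE, LINUX_PATCHED))
```

An empty result for the patched host means only that the seven listed attributes agree; attributes outside that list (CC in the constructed ECN line, for example) are not compared and can still differ.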
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be completed by hardware under the direction of program instructions. The program may be stored in a computer-readable storage medium, and the storage medium may include: read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, and so on.
The invention is not limited to the foregoing specific embodiments. The invention extends to any new feature or any new combination of features disclosed in this specification, and to the steps of any new method or process or any new combination of steps disclosed.

Claims (4)

1. An industrial control PLC system fingerprint simulation method based on the Linux operating system, characterized by comprising:
A step of obtaining and analyzing the industrial control PLC system fingerprint: scanning the industrial control system PLC with system detection probes to obtain the industrial control PLC system fingerprint; analyzing the industrial control PLC system fingerprint to obtain information that includes the main characteristics of the PLC's TCP/IP protocol stack implementation;
A step of modifying the fingerprint information of the Linux operating system: analyzing the main fingerprint attributes used in OS detection to distinguish different operating systems, and obtaining the implementation characteristics of the TCP/IP protocol stack in the industrial control PLC; studying and comparing the PLC system's TCP/IP protocol stack characteristics with those of the Linux system; finding the parts where the Linux system's TCP/IP protocol stack characteristics differ from those of the PLC system; changing the logic and algorithms of those parts in the Linux TCP/IP protocol stack implementation; and recompiling the Linux kernel, so that the Linux system fingerprint finally becomes almost the same as the industrial control PLC system fingerprint.
2. The industrial control PLC system fingerprint simulation method based on the Linux operating system according to claim 1, characterized in that the industrial control system PLC is scanned with 5 classes of specially constructed system detection probes, the 5 classes of probes being: sequence generation algorithm probes, TCP protocol probes, UDP protocol probes, ICMP echo probes and ECN probes.
3. The industrial control PLC system fingerprint simulation method based on the Linux operating system according to claim 1, characterized in that the information obtained by analyzing the industrial control PLC system fingerprint includes: the sequence generation algorithm of the TCP/IP protocol stack; the greatest common divisor, rate of increase and SP of the TCP ISN; the TCP timestamp selection algorithm; the TCP initial window size; the TCP explicit congestion handling mechanism; the reserved UDP header bits; and other more detailed flag-bit information and IP packet attributes.
4. The industrial control PLC system fingerprint simulation method based on the Linux operating system according to claim 1, characterized in that the main fingerprint attributes used in OS detection to distinguish different operating systems include: GCD, SP, TI, TS, W, DF and DFI.
CN201910154291.2A 2019-03-01 2019-03-01 Industrial control PLC system fingerprint simulation method based on Linux operating system Active CN110058565B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910154291.2A CN110058565B (en) 2019-03-01 2019-03-01 Industrial control PLC system fingerprint simulation method based on Linux operating system

Publications (2)

Publication Number Publication Date
CN110058565A (en) 2019-07-26
CN110058565B (en) 2021-07-09

Family

ID=67316521

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910154291.2A Active CN110058565B (en) 2019-03-01 2019-03-01 Industrial control PLC system fingerprint simulation method based on Linux operating system

Country Status (1)

Country Link
CN (1) CN110058565B (en)

Also Published As

Publication number Publication date
CN110058565B (en) 2021-07-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant