
CN112087462A - Vulnerability detection method and device of industrial control system - Google Patents


Info

Publication number: CN112087462A
Authority: CN (China)
Prior art keywords: industrial control; vulnerability; control equipment; network; equipment corresponding
Legal status: Pending
Application number: CN202010958036.6A
Other languages: Chinese (zh)
Inventors: 王锐畅, 董阳, 陈树华
Current assignee: Beijing Dingxiang Technology Co ltd
Original assignee: Beijing Dingxiang Technology Co ltd
Application filed by Beijing Dingxiang Technology Co ltd
Priority to CN202010958036.6A
Publication of CN112087462A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a vulnerability detection method and a vulnerability detection device of an industrial control system, which relate to the technical field of equipment security and comprise the following steps: acquiring an IP network segment and a network protocol list of an industrial control network to be detected; based on the network protocol list, sending a compliance detection packet to the industrial control equipment corresponding to each IP in the IP network segment, and acquiring a compliance data packet fed back by the industrial control equipment corresponding to each IP based on the compliance detection packet; extracting the identity information of the industrial control equipment corresponding to each IP by utilizing the industrial control equipment fingerprint library and the compliance data packet; and determining the vulnerability information of the industrial control equipment corresponding to each IP based on the identity information of the industrial control equipment corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database. This solves the technical problem in the prior art that the normal operation of the industrial control equipment is affected when vulnerability detection is carried out on an industrial control system.

Description

Vulnerability detection method and device of industrial control system
Technical Field
The invention relates to the technical field of equipment safety, in particular to a vulnerability detection method and device of an industrial control system.
Background
The new infrastructure is an accelerator for further deepening the digital operation of government and enterprise business, and as informatization and industrialization gradually converge, the degree of informatization of industrial control systems keeps rising. The wide use of general-purpose software, hardware and network facilities has broken the original isolation that protected traditional industrial control systems, so that while the industrial internet keeps developing, the security problems of traditional IT networks gradually spread into it. However, compared with a traditional IT network, the industrial internet is more complex: the variety and complexity of the devices involved have increased, more public and proprietary protocols are used, and the production environment of the whole industrial system has higher requirements on stability and real-time performance, so the factors that pose security threats to the industrial internet are increasingly complex.
However, in the prior art, detecting vulnerabilities of an industrial control system interferes with the normal operation of the industrial control production environment.
No effective solution has been proposed to the above problems.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for detecting a vulnerability of an industrial control system, so as to alleviate the technical problem that the normal operation of industrial control equipment is affected when the vulnerability of the industrial control system is detected in the prior art.
In a first aspect, an embodiment of the present invention provides a vulnerability detection method for an industrial control system, including: acquiring an IP network segment and a network protocol list of an industrial control network to be detected; based on the network protocol list, sending a compliance detection packet to the industrial control equipment corresponding to each IP in the IP network segment, and acquiring a compliance data packet fed back by the industrial control equipment corresponding to each IP based on the compliance detection packet; extracting the identity information of the industrial control equipment corresponding to each IP by using an industrial control equipment fingerprint library and the compliance data packet; and determining the vulnerability information of the industrial control equipment corresponding to each IP based on the identity information of the industrial control equipment corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database.
Further, the identity information includes at least one of: equipment manufacturer, equipment model, equipment version number.
Further, the vulnerability information includes at least one of: the CVE number, CNNVD number and CNVD number corresponding to the vulnerability, the vulnerability grade, the vulnerability type, the description of the vulnerability, and the vulnerability solution.
Further, before the IP network segment and the network protocol list of the industrial control network to be detected are obtained, the method further includes: acquiring a product catalog of an industrial control equipment manufacturer; determining a classification rule of the industrial control equipment by using a product catalog of the industrial control equipment manufacturer; and constructing a vulnerability detection rule matching database based on the classification rules and the vulnerability checking mode of the industrial control equipment manufacturer.
Further, based on the identity information of the industrial control device corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database, determining the vulnerability information of the industrial control device corresponding to each IP includes: determining a vulnerability matching rule corresponding to the industrial control equipment corresponding to each IP by using the identity information of the industrial control equipment corresponding to each IP and the vulnerability detection rule matching database; determining the vulnerability of the industrial control equipment corresponding to each IP by using the vulnerability matching rule corresponding to the industrial control equipment corresponding to each IP; and determining vulnerability information corresponding to the industrial control equipment corresponding to each IP based on the vulnerability of the industrial control equipment corresponding to each IP and the vulnerability database.
Further, the method includes displaying the vulnerability information corresponding to the industrial control equipment corresponding to each IP by using a dashboard.
In a second aspect, an embodiment of the present invention provides a vulnerability detection apparatus for an industrial control system, including: the system comprises an acquisition unit, an execution unit, an extraction unit and a determination unit, wherein the acquisition unit is used for acquiring an IP network segment and a network protocol list of the industrial control network to be detected; the execution unit is configured to send a compliance detection packet to the industrial control device corresponding to each IP in the IP network segment based on the network protocol list, and obtain a compliance data packet fed back by the industrial control device corresponding to each IP based on the compliance detection packet; the extraction unit is used for extracting the identity information of the industrial control equipment corresponding to each IP by utilizing an industrial control equipment fingerprint library and the compliance data packet; and the determining unit is used for determining the vulnerability information of the industrial control equipment corresponding to each IP based on the identity information of the industrial control equipment corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database.
Further, the apparatus further comprises: a building unit to: acquiring a product catalog of an industrial control equipment manufacturer; determining a classification rule of the industrial control equipment by using a product catalog of the industrial control equipment manufacturer; and constructing a vulnerability detection rule matching database based on the classification rules and the vulnerability checking mode of the industrial control equipment manufacturer.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory and a processor, where the memory is used to store a program that supports the processor to execute the method in the first aspect, and the processor is configured to execute the program stored in the memory.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the steps of the method in the first aspect.
In the embodiment of the invention, an IP network segment and a network protocol list of an industrial control network to be detected are obtained; based on the network protocol list, sending a compliance detection packet to the industrial control equipment corresponding to each IP in the IP network segment, and acquiring a compliance data packet fed back by the industrial control equipment corresponding to each IP based on the compliance detection packet; extracting the identity information of the industrial control equipment corresponding to each IP by utilizing the industrial control equipment fingerprint library and the compliance data packet; and determining the vulnerability information of the industrial control equipment corresponding to each IP based on the identity information of the industrial control equipment corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database.
In the embodiment of the invention, active probing is implemented on the basis of compliance data packets of the industrial control system network protocols, rather than by scanning device ports at scale and then detecting vulnerabilities of the devices in the industrial control system through the active approach of port-identification scanning and system-identification scanning.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a vulnerability detection method of an industrial control system according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for constructing a vulnerability detection rule matching database according to an embodiment of the present invention;
fig. 3 is a flowchart of a method for determining vulnerability information of industrial control equipment according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a vulnerability detection apparatus of an industrial control system according to an embodiment of the present invention;
fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, the following two methods are generally adopted for detecting the vulnerability of the industrial control system:
Passive risk detection: a network device sniffs all network traffic and parses it to obtain data usable for asset discovery and identification. However, the traffic metadata needed for asset discovery is scattered and hidden among heavily interactive network traffic. Finding, in a large volume of traffic, the key information that identifies the equipment manufacturer, product model, firmware version and so on is like looking for a needle in the ocean, and accurate results are not always obtained. Such passive monitoring has technical limitations: idle and inactive devices cannot be detected, the amount of data collected is limited, and the device data identified is therefore also extremely limited, so passive network traffic monitoring is not suitable for OT (Operational Technology) asset management.
Active probing based on scanners such as masscan and nmap: because an industrial control network environment has high requirements on stability and real-time performance, related traditional scanners such as nmap are only suitable for IT networks with stronger robustness and are not suitable for scanning and probing in an OT network environment.
In view of the technical problems of the above two methods, the following embodiments are proposed in the present application.
The first embodiment is as follows:
according to an embodiment of the present invention, an embodiment of a vulnerability detection method of an industrial control system is provided, it should be noted that the steps illustrated in the flowchart of the drawings may be executed in a computer system such as a set of computer executable instructions, and although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be executed in an order different from that here.
Fig. 1 is a flowchart of a vulnerability detection method of an industrial control system according to an embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
step S102, obtaining an IP network segment and a network protocol list of an industrial control network to be detected;
it should be noted that the IP network segment may include one IP, multiple IPs, or a whole IP network segment in the industrial control system.
As for the network protocol list of the industrial control system: if the industrial control devices in the production environment communicate mainly over the Modbus and SNMP protocols, the network protocol list only needs to include Modbus, SNMP and other common protocols; if they communicate over the S7 and SNMP protocols, the list can include S7, SNMP and other common protocols; if they communicate over EtherNet/IP, the list can include EtherNet/IP and other common protocols; and if the communication protocols in the environment are not known, all industrial control communication protocols can be selected by default.
Step S104, based on the network protocol list, sending a compliance detection packet to the industrial control equipment corresponding to each IP in the IP network segment, and acquiring a compliance data packet fed back by the industrial control equipment corresponding to each IP based on the compliance detection packet;
It should be noted that, in the OT space, the network protocol used by each industrial control device supports querying product-identification metadata ranging from device location and vendor to firmware version, and this includes proprietary protocols such as Modbus, EtherNet/IP, Profinet and S7.
Metadata attributes apply equally to IT protocols used in OT, such as SNMP. Industrial control protocols essentially provide a specific function for querying metadata: the network protocols of industrial control systems are designed so that equipment manufacturers can conveniently discover and obtain the configuration details of each device in the system from a workstation or HMI (human machine interface). For example, the device discovery products of suppliers such as Siemens, Rockwell and Schneider Electric also use these protocols for device configuration management, so using the compliance detection packets of the industrial control system network protocols to acquire the identity information of the industrial control equipment preserves its normal operation.
Instead of capturing all network traffic in the industrial control system or sending a large number of port probe packets to the scanned equipment, the method and device send, in a single pass, compliance detection packets of the appropriate, matching compliance protocols to discover and collect the equipment. The compliance data packets obtained by active probing therefore contain only the equipment information that needs to be detected, and the impact of the device detection process on the industrial control production environment is greatly reduced.
Each industrial control protocol is bound to a specific protocol port, and the protocol detection packet matching that port is looked up and issued to probe the industrial control equipment information. Active probing with compliance detection packets is therefore highly targeted and consumes little processor time and memory.
Step S106, extracting the identity information of the industrial control equipment corresponding to each IP by using the industrial control equipment fingerprint library and the compliance data packet;
it should be noted that the identity information includes at least one of the following: equipment manufacturer, equipment model, equipment version number.
And S108, determining the vulnerability information of the industrial control equipment corresponding to each IP based on the identity information of the industrial control equipment corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database.
It should be noted that the vulnerability information includes at least one of the following: the CVE number, CNNVD number and CNVD number corresponding to the vulnerability, the vulnerability grade, the vulnerability type, the description of the vulnerability, and the vulnerability solution.
In the embodiment of the invention, active probing is implemented on the basis of compliance data packets of the industrial control system network protocols, rather than by scanning device ports at scale and then detecting vulnerabilities of the devices in the industrial control system through the active approach of port-identification scanning and system-identification scanning.
In the embodiment of the present invention, as shown in fig. 2, before acquiring an IP network segment and a network protocol list of an industrial control network to be detected, the method further includes the following steps:
step S11, acquiring a product catalog of an industrial control equipment manufacturer;
step S12, determining the classification rule of the industrial control equipment by using the product catalog of the industrial control equipment manufacturer;
and step S13, constructing the vulnerability detection rule matching database based on the classification rules and the vulnerability checking mode of the industrial control equipment manufacturer.
The vulnerability detection rule matching library is built from the product catalog of each industrial control manufacturer: an accurate product classification covering the manufacturer's whole range is designed and, combined with a vulnerability checking mode of manually reviewing the manufacturers' vulnerability security bulletins, a detailed vulnerability detection rule matching library is established. This achieves accurate detection rule matching for finely subdivided industrial control products, so that vulnerabilities present in equipment can be detected accurately, the false alarm rate of static vulnerability detection is greatly reduced, and the risk of missing potential vulnerabilities is avoided.
In the embodiment of the present invention, as shown in fig. 3, step S108 includes the following steps:
step S21, determining vulnerability matching rules corresponding to the industrial control equipment corresponding to each IP by using the identity information of the industrial control equipment corresponding to each IP and the vulnerability detection rule matching database;
step S22, determining the vulnerability of the industrial control equipment corresponding to each IP by using the vulnerability matching rule corresponding to the industrial control equipment corresponding to each IP;
and step S23, determining vulnerability information corresponding to the industrial control equipment corresponding to each IP based on the vulnerability of the industrial control equipment corresponding to each IP and the vulnerability database.
In the embodiment of the invention, product identification metadata such as equipment manufacturers, product models, version numbers and the like can be acquired by utilizing each network protocol, the manufacturers and the products are classified, rules matched with the equipment are quickly inquired in an equipment vulnerability detection rule base of a target manufacturer, and known vulnerability association is further completed based on the inquired vulnerability detection rules.
Therefore, the identity information of the industrial control equipment corresponding to each IP and the vulnerability detection rule matching database can be used for determining the vulnerability matching rule corresponding to the industrial control equipment corresponding to each IP, and then the vulnerability of the industrial control equipment corresponding to each IP is determined by using the vulnerability matching rule corresponding to the industrial control equipment corresponding to each IP.
Finally, according to the vulnerability of the industrial control equipment corresponding to each IP and the vulnerability database, the vulnerability information corresponding to that equipment is determined, such as the CVE number, CNNVD number, CNVD number, vulnerability grade, vulnerability type, vulnerability description and solution corresponding to the vulnerability.
It should be noted that, based on the vulnerability list associated with each device together with the vulnerability database and the vulnerability information, a visual report can be generated, and the details of each vulnerability of the industrial control device are displayed through a Web interface.
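As an added illustration (not code from the patent or its assignee), the following Python models steps S104 to S108 and S21 to S23 offline: it decodes a constructed Modbus/TCP Read Device Identification response, which is the kind of compliance data packet the method relies on, extracts manufacturer, model and version through a small fingerprint library, and matches them against a rule matching database and a vulnerability database. The vendor names, product families, version ranges and every vulnerability identifier are hypothetical placeholders, and malformed frames are rejected rather than guessed at.

```python
import re
import struct

# Object ids returned by Modbus "Read Device Identification" (function 0x2B, MEI type 0x0E).
OBJ_VENDOR_NAME, OBJ_PRODUCT_CODE, OBJ_REVISION = 0x00, 0x01, 0x02

def parse_device_identification(frame: bytes) -> dict:
    """Decode a Modbus/TCP Read Device Identification response; ValueError if malformed."""
    if len(frame) < 7:
        raise ValueError("frame shorter than the MBAP header")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP protocol id or length field is inconsistent")
    pdu = frame[7:]
    # PDU: fc, MEI type, read-id code, conformity, more-follows, next-id, object count.
    if len(pdu) < 7 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response (or an exception reply)")
    objects, pos = {}, 7
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu) or pos + 2 + pdu[pos + 1] > len(pdu):
            raise ValueError("truncated identification object")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        objects[obj_id] = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        pos += 2 + obj_len
    return objects

# Constructed fingerprint library: raw VendorName strings mapped to canonical
# manufacturer names (hypothetical vendors, not a real table).
FINGERPRINT_LIBRARY = [
    (re.compile(r"^example\s*automation", re.I), "ExampleAutomation"),
    (re.compile(r"^acme\s*controls", re.I), "AcmeControls"),
]

def extract_identity(objects: dict):
    """Step S106: map the raw vendor string to a manufacturer, keep model and version."""
    raw_vendor = objects.get(OBJ_VENDOR_NAME, "")
    for pattern, canonical in FINGERPRINT_LIBRARY:
        if pattern.search(raw_vendor):
            return {"manufacturer": canonical, "model": objects.get(OBJ_PRODUCT_CODE, ""),
                    "version": objects.get(OBJ_REVISION, "")}
    return None  # unknown vendor: no rule can apply, report the device as unidentified

def version_tuple(version: str) -> tuple:
    return tuple(int(p) for p in re.findall(r"\d+", version))

# Constructed rule matching database: one rule per product family (classification
# from the vendor catalog) and inclusive affected version range (from a vendor
# bulletin). All vulnerability identifiers below are placeholders.
RULE_DB = [
    {"manufacturer": "ExampleAutomation", "family": re.compile(r"^EA-PLC-1\d{2}$"),
     "affected": ("1.0", "2.3"), "vulns": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"manufacturer": "ExampleAutomation", "family": re.compile(r"^EA-PLC-1\d{2}$"),
     "affected": ("2.0", "2.1"), "vulns": ["CVE-0000-0003"]},
]

# Constructed vulnerability database keyed by placeholder CVE id.
VULN_DB = {
    "CVE-0000-0001": {"cnnvd": "CNNVD-PLACEHOLDER-1", "cnvd": "CNVD-PLACEHOLDER-1", "grade": "high",
                      "type": "improper authentication", "solution": "upgrade firmware to 2.4"},
    "CVE-0000-0002": {"cnnvd": "CNNVD-PLACEHOLDER-2", "cnvd": "CNVD-PLACEHOLDER-2", "grade": "medium",
                      "type": "denial of service", "solution": "upgrade firmware to 2.4"},
    "CVE-0000-0003": {"cnnvd": "CNNVD-PLACEHOLDER-3", "cnvd": "CNVD-PLACEHOLDER-3", "grade": "critical",
                      "type": "buffer overflow", "solution": "upgrade firmware to 2.2"},
}

def match_rules(identity: dict) -> list:
    """Steps S21 and S22: select rules for this manufacturer and family, then test the version."""
    version, found = version_tuple(identity["version"]), set()
    for rule in RULE_DB:
        if rule["manufacturer"] != identity["manufacturer"] or not rule["family"].match(identity["model"]):
            continue
        low, high = (version_tuple(v) for v in rule["affected"])
        if low <= version <= high:
            found.update(rule["vulns"])
    return sorted(found)

def detect(frame: bytes) -> dict:
    """Steps S106 to S108 for one response: identity plus vulnerability info (step S23)."""
    identity = extract_identity(parse_device_identification(frame))
    if identity is None:
        return {"identity": None, "vulnerabilities": []}
    return {"identity": identity,
            "vulnerabilities": [dict(id=v, **VULN_DB[v]) for v in match_rules(identity)]}

def build_response(vendor: str, product: str, revision: str, tid: int = 1) -> bytes:
    """Build a constructed Read Device Identification response to use as sample input."""
    objs = b""
    for obj_id, val in ((OBJ_VENDOR_NAME, vendor), (OBJ_PRODUCT_CODE, product), (OBJ_REVISION, revision)):
        data = val.encode("ascii")
        objs += bytes([obj_id, len(data)]) + data
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 3]) + objs
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu

if __name__ == "__main__":
    result = detect(build_response("Example Automation Co.", "EA-PLC-120", "2.1"))
    print(result["identity"])
    for vuln in result["vulnerabilities"]:
        print(vuln["id"], vuln["grade"], vuln["type"], "->", vuln["solution"])
```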
In an embodiment of the present invention, the method further includes the steps of:
and step S110, displaying the vulnerability information corresponding to the industrial control equipment corresponding to each IP by using a dashboard.
In the embodiment of the invention, the industrial control equipment in the whole industrial control system and the vulnerability information corresponding to it are subjected to data analysis such as industrial control equipment classification, risk threat level and vulnerability type statistics, and the vulnerability information corresponding to each industrial control device in the industrial control network is visually presented in a dashboard.
The second embodiment is as follows:
the embodiment of the invention also provides a vulnerability detection device of the industrial control system, which is used for executing the vulnerability detection method of the industrial control system provided by the embodiment of the invention.
As shown in fig. 4, fig. 4 is a schematic view of the vulnerability detection apparatus of the industrial control system, and the vulnerability detection apparatus of the industrial control system includes: an acquisition unit 10, an execution unit 20, an extraction unit 30 and a determination unit 40.
The acquiring unit 10 is configured to acquire an IP network segment and a network protocol list of an industrial control network to be detected;
the execution unit 20 is configured to send a compliance detection packet to the industrial control device corresponding to each IP in the IP network segment based on the network protocol list, and obtain a compliance data packet fed back by the industrial control device corresponding to each IP based on the compliance detection packet;
the extracting unit 30 is configured to extract, by using an industrial control device fingerprint library and the compliance data packet, the identity information of the industrial control device corresponding to each IP;
the determining unit 40 is configured to determine vulnerability information of the industrial control device corresponding to each IP based on the identity information of the industrial control device corresponding to each IP, the vulnerability detection rule matching database, and the vulnerability database.
In the embodiment of the invention, active probing is implemented on the basis of compliance data packets of the industrial control system network protocols, rather than by scanning device ports at scale and then detecting vulnerabilities of the devices in the industrial control system through the active approach of port-identification scanning and system-identification scanning.
Preferably, the identity information comprises at least one of: equipment manufacturer, equipment model, equipment version number.
Preferably, the vulnerability information includes at least one of: the CVE number, CNNVD number and CNVD number corresponding to the vulnerability, the vulnerability grade, the vulnerability type, the description of the vulnerability, and the vulnerability solution.
Preferably, the apparatus further comprises: a building unit to: acquiring a product catalog of an industrial control equipment manufacturer; determining a classification rule of the industrial control equipment by using a product catalog of the industrial control equipment manufacturer; and constructing a vulnerability detection rule matching database based on the classification rules and the vulnerability checking mode of the industrial control equipment manufacturer.
Preferably, the determining unit is configured to determine the vulnerability matching rule corresponding to the industrial control device corresponding to each IP by using the identity information of the industrial control device corresponding to each IP and the vulnerability detection rule matching database; determine the vulnerability of the industrial control equipment corresponding to each IP by using the vulnerability matching rule corresponding to the industrial control equipment corresponding to each IP; and determine vulnerability information corresponding to the industrial control equipment corresponding to each IP based on the vulnerability of the industrial control equipment corresponding to each IP and the vulnerability database.
Preferably, the apparatus further comprises: a display unit, used for displaying the vulnerability information corresponding to the industrial control equipment corresponding to each IP by using a dashboard.
The third embodiment is as follows:
an embodiment of the present invention further provides an electronic device, including a memory and a processor, where the memory is used to store a program that supports the processor to execute the method described in the first embodiment, and the processor is configured to execute the program stored in the memory.
Referring to fig. 5, an embodiment of the present invention further provides an electronic device 100, including: the device comprises a processor 50, a memory 51, a bus 52 and a communication interface 53, wherein the processor 50, the communication interface 53 and the memory 51 are connected through the bus 52; the processor 50 is arranged to execute executable modules, such as computer programs, stored in the memory 51.
The memory 51 may include high-speed Random Access Memory (RAM) and may also include non-volatile memory, such as at least one disk memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 53 (wired or wireless), and the Internet, a wide area network, a local network, a metropolitan area network and the like can be used.
The bus 52 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 5, but this does not indicate only one bus or one type of bus.
The memory 51 is used for storing a program, the processor 50 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 50, or implemented by the processor 50.
The processor 50 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 50. The processor 50 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which can implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or registers. The storage medium is located in the memory 51, and the processor 50 reads the information in the memory 51 and completes the steps of the method in combination with its hardware.
Example four:
An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it performs the steps of the method in the first embodiment.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "coupled" are to be construed broadly, e.g., as meaning a fixed connection, a removable connection, or an integral connection; a mechanical or electrical connection; a direct connection or an indirect connection through an intervening medium; or an internal connection between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases by those skilled in the art.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A vulnerability detection method of an industrial control system is characterized by comprising the following steps:
acquiring an IP network segment and a network protocol list of an industrial control network to be detected;
based on the network protocol list, sending a compliance detection packet to the industrial control equipment corresponding to each IP in the IP network segment, and acquiring a compliance data packet fed back by the industrial control equipment corresponding to each IP based on the compliance detection packet;
extracting the identity information of the industrial control equipment corresponding to each IP by using an industrial control equipment fingerprint library and the compliance data packet;
and determining the vulnerability information of the industrial control equipment corresponding to each IP based on the identity information of the industrial control equipment corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database.
2. The method of claim 1, wherein the identity information comprises at least one of: equipment manufacturer, equipment model, equipment version number.
3. The method of claim 1, wherein the vulnerability information comprises at least one of: a CVE number corresponding to the vulnerability, a CNNVD number corresponding to the vulnerability, a CNVD number corresponding to the vulnerability, a vulnerability grade, a vulnerability type, description information of the vulnerability, and a vulnerability solution.
4. The method of claim 1, wherein before obtaining the IP network segment and the network protocol list of the industrial control network to be detected, the method further comprises:
acquiring a product catalog of an industrial control equipment manufacturer;
determining a classification rule of the industrial control equipment by using a product catalog of the industrial control equipment manufacturer;
and constructing a vulnerability detection rule matching database based on the classification rules and the vulnerability checking mode of the industrial control equipment manufacturer.
5. The method according to claim 4, wherein determining vulnerability information of the industrial control device corresponding to each IP based on the identity information of the industrial control device corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database comprises:
determining a vulnerability matching rule corresponding to the industrial control equipment corresponding to each IP by using the identity information of the industrial control equipment corresponding to each IP and the vulnerability detection rule matching database;
determining the vulnerability of the industrial control equipment corresponding to each IP by using the vulnerability matching rule corresponding to the industrial control equipment corresponding to each IP;
and determining vulnerability information corresponding to the industrial control equipment corresponding to each IP based on the vulnerability of the industrial control equipment corresponding to each IP and the vulnerability database.
6. The method of claim 1, further comprising:
and displaying the vulnerability information corresponding to the industrial control equipment corresponding to each IP by using a dashboard.
7. A vulnerability detection device of an industrial control system, characterized by comprising: an acquisition unit, an execution unit, an extraction unit and a determination unit, wherein
the acquisition unit is used for acquiring an IP network segment and a network protocol list of the industrial control network to be detected;
the execution unit is configured to send a compliance detection packet to the industrial control device corresponding to each IP in the IP network segment based on the network protocol list, and obtain a compliance data packet fed back by the industrial control device corresponding to each IP based on the compliance detection packet;
the extraction unit is used for extracting the identity information of the industrial control equipment corresponding to each IP by utilizing an industrial control equipment fingerprint library and the compliance data packet;
and the determining unit is used for determining the vulnerability information of the industrial control equipment corresponding to each IP based on the identity information of the industrial control equipment corresponding to each IP, the vulnerability detection rule matching database and the vulnerability database.
8. The apparatus of claim 7, further comprising: a building unit to:
acquiring a product catalog of an industrial control equipment manufacturer;
determining a classification rule of the industrial control equipment by using a product catalog of the industrial control equipment manufacturer;
and constructing a vulnerability detection rule matching database based on the classification rules and the vulnerability checking mode of the industrial control equipment manufacturer.
9. An electronic device comprising a memory for storing a program that enables a processor to perform the method of any of claims 1 to 6 and a processor configured to execute the program stored in the memory.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of the claims 1 to 6.
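As an added illustration of the identity extraction and rule matching steps of claims 1 and 3 to 5 (and of the determining unit described above), not code from the patent or its applicant: the fingerprint library, the vulnerability detection rule matching database, the vulnerability database, the device responses and every protocol, vendor, model and vulnerability identifier below are constructed placeholders, and the responses are assumed to have already been decoded from the compliance data packets.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed fingerprint library (claim 1): one pattern per protocol mapping a decoded compliance response
# to the identity fields of claim 2 (vendor, model, version). Protocol and field names are assumptions.
FINGERPRINT_LIBRARY = {
    "modbus": re.compile(r"VendorName=(?P<vendor>[^;]+);ProductCode=(?P<model>[^;]+);Revision=(?P<version>[\d.]+)"),
    "s7comm": re.compile(r"Module: (?P<model>[\w-]+).*?Firmware: V(?P<version>[\d.]+)"),
}
PROTOCOL_VENDOR = {"s7comm": "ExampleVendorB"}  # classification rule (claim 4): this protocol implies the vendor
# Constructed vulnerability detection rule matching database (claims 4 and 5): a rule matches when the
# vendor/model classification agrees and the firmware version lies in the range [introduced, fixed).
RULE_DB = [
    {"vendor": "ExampleVendorA", "model_prefix": "PLC-1", "introduced": "1.0.0", "fixed": "2.3.0", "vuln_id": "V-0001"},
    {"vendor": "ExampleVendorB", "model_prefix": "CPU-3", "introduced": "4.0.0", "fixed": "4.2.0", "vuln_id": "V-0002"},
]
# Constructed vulnerability database carrying the fields of claim 3; every identifier is a placeholder.
VULN_DB = {
    "V-0001": {"cve": "CVE-XXXX-XXXXX", "cnnvd": "CNNVD-XXXXXX-XXX", "cnvd": "CNVD-XXXX-XXXXX", "grade": "high",
               "type": "authentication bypass", "description": "placeholder", "solution": "upgrade to 2.3.0 or later"},
    "V-0002": {"cve": "CVE-XXXX-XXXXX", "cnnvd": "CNNVD-XXXXXX-XXX", "cnvd": "CNVD-XXXX-XXXXX", "grade": "medium",
               "type": "denial of service", "description": "placeholder", "solution": "upgrade to 4.2.0 or later"},
}

def parse_version(version: str) -> Tuple[int, ...]:
    # numeric tuple, so that 2.10.0 sorts after 2.9.9 where a string comparison would not
    return tuple(int(part) for part in version.split("."))

def extract_identity(protocol: str, payload: str) -> Optional[Dict[str, str]]:
    # identity extraction of claim 1: the fingerprint library applied to the decoded compliance data packet
    pattern = FINGERPRINT_LIBRARY.get(protocol)
    match = pattern.search(payload) if pattern else None
    if match is None:
        return None  # unknown protocol or unrecognised device: no identity, hence no rule lookup
    identity = match.groupdict()
    identity.setdefault("vendor", PROTOCOL_VENDOR.get(protocol, "unknown"))
    return identity

def match_vulnerabilities(identity: Dict[str, str]) -> List[Dict[str, str]]:
    # claim 5: select the rules matching this identity, then resolve each hit in the vulnerability database
    version = parse_version(identity["version"])
    hits = []
    for rule in RULE_DB:
        if identity["vendor"] != rule["vendor"] or not identity["model"].startswith(rule["model_prefix"]):
            continue
        if parse_version(rule["introduced"]) <= version < parse_version(rule["fixed"]):
            hits.append({"vuln_id": rule["vuln_id"], **VULN_DB[rule["vuln_id"]]})
    return hits

def assess(responses: Dict[str, Tuple[str, str]]) -> Dict[str, dict]:
    # responses: IP -> (protocol, decoded compliance response) for each IP in the scanned network segment
    report = {}
    for ip, (protocol, payload) in responses.items():
        identity = extract_identity(protocol, payload)
        report[ip] = {"identity": identity, "vulnerabilities": match_vulnerabilities(identity) if identity else []}
    return report

# Constructed responses standing in for the decoded compliance data packets of claim 1.
SAMPLE_RESPONSES = {
    "10.0.0.11": ("modbus", "VendorName=ExampleVendorA;ProductCode=PLC-100;Revision=2.1.0"),
    "10.0.0.12": ("modbus", "VendorName=ExampleVendorA;ProductCode=PLC-100;Revision=2.3.1"),
    "10.0.0.13": ("s7comm", "Module: CPU-315 Order: placeholder Firmware: V4.1.7"),
    "10.0.0.14": ("modbus", "no response"),
}
```

Calling assess(SAMPLE_RESPONSES) gives one record per IP: 10.0.0.11 and 10.0.0.13 resolve to V-0001 and V-0002, 10.0.0.12 runs fixed firmware and matches nothing, and 10.0.0.14 yields no identity and therefore no rule lookup.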
CN202010958036.6A 2020-09-11 2020-09-11 Vulnerability detection method and device of industrial control system Pending CN112087462A (en)

Publications (1)

Publication Number Publication Date
CN112087462A true CN112087462A (en) 2020-12-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201215