CN-122027224-A - Communication method and device
Abstract
The application provides a communication method and a communication device, applied to a network device that is in an industrial control security network. The method comprises: receiving a service message; if the service message matches a locally configured security policy and the security policy comprises an industrial control sub-policy, identifying a first industrial control function code included in the service message; and if the first industrial control function code matches a locally configured second industrial control function code, processing the service message according to the security policy.
Inventors
- GUO LINGLING
Assignees
- 新华三技术有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260112
Claims (10)
- 1. A communication method, applied to a network device, where the network device is in an industrial control security network, the method comprising: receiving a service message; if the service message matches a locally configured security policy and the security policy comprises an industrial control sub-policy, identifying a first industrial control function code included in the service message; and if the first industrial control function code matches a locally configured second industrial control function code, processing the service message according to the security policy.
- 2. The method of claim 1, wherein before receiving the service message, the method further comprises: receiving an operation instruction input by a user; and locally configuring an application identification feature library according to the operation instruction; wherein the application identification feature library is configured through an industrial control function code identification file, the industrial control function code identification file comprises an industrial control application description sub-file, an industrial control application group description sub-file, an industrial control port identification rule sub-file and an industrial control content identification rule sub-file, and the industrial control content identification rule sub-file comprises the second industrial control function code.
- 3. The method of claim 2, wherein the service message comprises a message feature, and identifying the first industrial control function code included in the service message if the service message matches a locally configured security policy and the security policy comprises an industrial control sub-policy specifically comprises: locally searching, according to the message feature, for a security policy matching the message feature; if the security policy exists locally, judging whether the security policy comprises the industrial control sub-policy; if the industrial control sub-policy is included, determining the industrial control protocol to which the service message belongs, and acquiring the first industrial control function code from the service message; obtaining, according to the industrial control protocol, a target industrial control function code identification file corresponding to the industrial control protocol from the application identification feature library, and obtaining the second industrial control function code from a target industrial control content identification rule sub-file included in the target industrial control function code identification file; and judging whether the first industrial control function code matches the second industrial control function code.
- 4. The method of claim 3, wherein determining the industrial control protocol to which the service message belongs specifically comprises: obtaining a port number from the service message; and determining, according to the port number, the industrial control protocol to which the service message belongs.
- 5. The method of claim 3, wherein the service message comprises a load carrying the first industrial control function code.
- 6. A communication apparatus, applied to a network device, where the network device is in an industrial control security network, the apparatus comprising: a receiving unit, configured to receive a service message; an identification unit, configured to identify a first industrial control function code included in the service message if the service message matches a locally configured security policy and the security policy comprises an industrial control sub-policy; and a processing unit, configured to process the service message according to the security policy if the first industrial control function code matches a locally configured second industrial control function code.
- 7. The apparatus of claim 6, wherein the receiving unit is further configured to receive an operation instruction input by a user; the apparatus further comprises a configuration unit, configured to locally configure an application identification feature library according to the operation instruction; the application identification feature library comprises an industrial control function code identification file, the industrial control function code identification file comprises an industrial control application description sub-file, an industrial control application group description sub-file, an industrial control port identification rule sub-file and an industrial control content identification rule sub-file, and the industrial control content identification rule sub-file comprises the second industrial control function code.
- 8. The apparatus of claim 7, wherein the service message comprises a message feature, and the identification unit is specifically configured to: locally search, according to the message feature, for a security policy matching the message feature; if the security policy exists locally, judge whether the security policy comprises the industrial control sub-policy; if the industrial control sub-policy is included, determine the industrial control protocol to which the service message belongs, and acquire the first industrial control function code from the service message; obtain, according to the industrial control protocol, a target industrial control function code identification file corresponding to the industrial control protocol from the application identification feature library, and obtain the second industrial control function code from a target industrial control content identification rule sub-file included in the target industrial control function code identification file; and judge whether the first industrial control function code matches the second industrial control function code.
- 9. The apparatus of claim 8, wherein the identification unit is further specifically configured to obtain a port number from the service message, and determine, according to the port number, the industrial control protocol to which the service message belongs.
- 10. The apparatus of claim 8, wherein the service message comprises a load carrying the first industrial control function code.
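The procedure of claims 1 to 5 (look up the policy by message feature, derive the protocol from the port number, read the first function code from the load and compare it with the configured second function code, then apply the policy), as an added Python example that is not part of the patent or of the assignee's product. The feature library, the policy, the Modbus/TCP frames and the "deny" default when no configured code matches are constructed assumptions; the only protocol fact used is that a Modbus/TCP function code follows the 7-byte MBAP header.

```python
# Constructed application identification feature library (not the patent's own files).
# Each entry stands in for one function code identification file: a port identification
# rule (port -> protocol) and a content identification rule (load offset of the function
# code plus the configured "second" codes). Modbus/TCP: the code follows the 7-byte MBAP header.
FEATURE_LIBRARY = {
    "modbus": {
        "ports": {502},
        "content_rule": {"fc_offset": 7, "function_codes": {1, 2, 3, 4}},  # read-only codes
    },
}

# Constructed security policy, matched on destination port (the "message feature").
# "default_action" is an assumption: what happens when no configured function code matches.
POLICIES = [{"dst_ports": {502}, "ics_subpolicy": {"action": "permit"}, "default_action": "deny"}]

# Constructed Modbus/TCP frames: Read Holding Registers (fc 3) and Write Single Register (fc 6).
READ_FRAME = bytes.fromhex("000100000006" "01" "03" "0000000a")
WRITE_FRAME = bytes.fromhex("000200000006" "01" "06" "00100001")

def find_policy(policies, dst_port):
    """Look up the locally configured security policy matching the message feature."""
    for policy in policies:
        if dst_port in policy["dst_ports"]:
            return policy
    return None

def protocol_for_port(dst_port):
    """Claim 4: determine the industrial control protocol from the port number."""
    for name, entry in FEATURE_LIBRARY.items():
        if dst_port in entry["ports"]:
            return name
    return None

def process_message(policies, dst_port, payload):
    """Claims 1-5: policy lookup, protocol lookup, function code match, then action."""
    policy = find_policy(policies, dst_port)
    if policy is None:
        return "no-policy"
    if policy["ics_subpolicy"] is None:
        return policy["default_action"]
    proto = protocol_for_port(dst_port)
    if proto is None:
        return policy["default_action"]
    rule = FEATURE_LIBRARY[proto]["content_rule"]
    if len(payload) <= rule["fc_offset"]:
        return policy["default_action"]  # too short to carry a function code
    first_fc = payload[rule["fc_offset"]]  # the "first" function code, taken from the load
    if first_fc in rule["function_codes"]:  # matches a configured "second" function code
        return policy["ics_subpolicy"]["action"]
    return policy["default_action"]
```

Adding a protocol or a function code is a change to FEATURE_LIBRARY only, which is the configuration-over-hard-coding point the patent makes.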
Description
Communication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular to a communication method and apparatus.
Background
As shown in fig. 1, fig. 1 is a schematic diagram of an existing industrial control security network. In fig. 1, L3 serves as the management network, and L2, L1 and L0 serve as production networks. In practice, a communication channel between the management network and the production network is established over TCP/IP, and service content is exchanged using an industrial control protocol. Hundreds of industrial control protocols are in use today (for example Modbus, S7, OPC UA and CIP), each with hundreds of function codes. After receiving a protocol message from the peer, a network device in the management network or the production network uses the function code value to identify the service content to be executed. However, this identification method depends on hand-written coding logic; for the hundreds of function codes in hundreds of industrial control protocols, that coding logic is a large workload and hinders subsequent updating and extension.
Disclosure of Invention
In view of this, the present application provides a communication method and apparatus to solve the problems that, in the existing industrial control protocol identification method, the coding logic is a large workload and subsequent updating and extension are difficult.
In a first aspect, the present application provides a communication method applied to a network device, where the network device is in an industrial control security network, the method comprising: receiving a service message; if the service message matches a locally configured security policy and the security policy comprises an industrial control sub-policy, identifying a first industrial control function code included in the service message; and if the first industrial control function code matches a locally configured second industrial control function code, processing the service message according to the security policy.
In a second aspect, the present application provides a communication apparatus applied to a network device, where the network device is in an industrial control security network, the apparatus comprising: a receiving unit, configured to receive a service message; an identification unit, configured to identify a first industrial control function code included in the service message if the service message matches a locally configured security policy and the security policy comprises an industrial control sub-policy; and a processing unit, configured to process the service message according to the security policy if the first industrial control function code matches a locally configured second industrial control function code.
In a third aspect, the application provides a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions that, when executed by the processor, cause the processor to perform the method provided in the first aspect of the application.
In the communication method and device provided by the application, the network device receives a service message; if the service message matches a locally configured security policy and the security policy comprises an industrial control sub-policy, the network device identifies the first industrial control function code included in the service message; and if the first industrial control function code matches a locally configured second industrial control function code, the network device processes the service message according to the security policy. The method and device suit industrial control security scenarios that require high real-time performance and a low false-alarm rate. Because the industrial control function codes are configured locally, the industrial control protocol is described by normalized rules and each function code no longer needs to be hard-coded individually, which reduces development and maintenance cost; newly added function codes can be configured locally through a version upgrade without modifying plug-in code. After a service message is received, the locally configured function codes are compared with the function code in the service message, and when they are the same the service message is managed and controlled according to the security policy. The method solves the problems that the existing industrial control protocol identification mode has large coding logic workload and i