CN-122027716-A - Industrial control message deep parsing method and system
Abstract
The application relates to the technical field of information, in particular to a method and a system for deeply analyzing an industrial control message. The method comprises the steps of reading a pre-configured point location configuration file, generating a point location analysis rule according to that configuration file, collecting an original message transmitted in an industrial control network, matching the original message against an industrial control protocol standard coding format to obtain an industrial control protocol type number, a communication mode and an industrial control data load, reading the point location analysis rule according to the industrial control protocol type number, and analyzing the industrial control data load according to the communication mode and the point location analysis rule. The beneficial effect is that point location information is extracted automatically by combining the industrial control protocol standard coding format with intelligent analysis of the point location configuration file, so that deployment efficiency is improved, human error is avoided, and the accuracy and reliability of point location identification are improved.
Inventors
- FENG XU
- Ye Longyan
- LI GUANNAN
Assignees
- 浙江腾珑网安科技有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260414
Claims (10)
- 1. An industrial control message deep parsing method, characterized by comprising the following steps: reading a pre-configured point location configuration file and generating a point location analysis rule according to the point location configuration file; collecting an original message transmitted in an industrial control network; matching the original message according to an industrial control protocol standard coding format to obtain an industrial control protocol type number, a communication mode and an industrial control data load; reading the point location analysis rule according to the industrial control protocol type number; and analyzing the industrial control data load according to the communication mode and the point location analysis rule, wherein analyzing the industrial control data load comprises: when the communication mode is a request/response mode, extracting point location identifiers from the request message and the corresponding point location data from the matched response message, based on the point location analysis rules corresponding to the request message and the response message respectively, and associating physical variable names and dimensions; when the communication mode is a broadcast or multicast mode, extracting all point location data from the industrial control data load according to the point location analysis rule and marking the physical variable names and dimensions of the point location data; and when the communication mode is a unicast alarm mode, extracting alarm confirmation or alarm disposal data from the industrial control data load, matching the corresponding alarm events based on a predefined association relation, updating the state of the alarm events, and associating the alarm confirmation or alarm disposal data with them.
- 2. The method for deep parsing an industrial control message according to claim 1, wherein obtaining the industrial control protocol type number, the communication mode and the industrial control data load comprises: presetting a corresponding protocol specification coding format template for each supported industrial control protocol, the template recording a protocol identifier, the position of the function code or transmission instruction field, the data unit boundary and the load offset rule; sequentially performing structural matching of the byte sequence of the original message against each protocol specification coding format template, and, if the initial bytes, field lengths and key control fields of the message conform to the definition of any template, judging that the message belongs to the corresponding industrial control protocol type and outputting its industrial control protocol type number; based on the identified industrial control protocol type, analyzing the function code, the request/response identification or message type field and the alarm characteristic information in the message, and determining, in combination with the destination MAC or IP address of the message, whether the communication mode is a request/response mode, a broadcast or multicast mode, or a unicast alarm mode; and intercepting the industrial control data load from the message according to the data load initial offset and length rule defined in the protocol specification coding format template.
- 3. The method for deep parsing an industrial control message according to claim 1, wherein configuring the point location analysis rule configuration file comprises: acquiring a point location configuration file of the industrial control system; when the point location configuration file is a structured data file, parsing it and extracting the point location identification, protocol type, function code or transmission instruction, data logic address, data offset, data length, data type and dimension information; when the point location configuration file is an unstructured document, converting it into configuration text by optical character recognition and then performing semantic analysis on the configuration text with a pre-configured natural language processing model to extract the point location identification, protocol type, function code or transmission instruction, data offset position, data length, data type and dimension; and generating, according to the point location configuration file, a point location analysis rule associated with the industrial control protocol type number and the point location identifier, and storing it as a point location analysis rule configuration file.
- 4. The method for deep parsing an industrial control message according to claim 3, wherein generating the point location analysis rule according to the point location configuration file comprises: mapping the extracted point location identification onto the configured address space and determining the addressing mode of the point location identification in the data load; constructing a structured point location analysis rule based on the function code or transmission instruction, the point location identifier, the data offset position, the data length and the data type; performing semantic verification on the point location analysis rule, the semantic verification comprising checking whether the data length matches the data type, whether the offset position exceeds the maximum load boundary and whether the dimension unit is correct; and storing the point location analysis rule that passes the verification as a point location analysis rule configuration file; wherein storing the point location analysis rule that passes the verification comprises: persistently storing the point location analysis rule in a nonvolatile storage medium using a layered storage structure and loading it into high-speed memory during operation; before storing the point location analysis rule, determining its priority; grouping the point location analysis rules by priority and ordering the rules within each group by the mapping values of their feature field combinations; and, when a message is analyzed, searching for the matching point location analysis rule by generating a mapping value of the feature field combination from the feature fields identified in the message according to a preset rule, generating a retrieval identifier from the mapping value, and searching the group for a rule matching the retrieval identifier; and after a matching item is found, further checking whether the record in the rule is completely consistent with the actual fields of the message, and if so judging that the match is successful and stopping the search, otherwise continuing the search until completion.
- 5. The method for deep parsing an industrial control message according to claim 1, wherein collecting the original message transmitted in the industrial control network comprises: acquiring the original message transmitted in the industrial control network through an in-line link connection or a switch mirror port; verifying those messages preset as requiring verification by means of the hash verification value or digital signature of the original message, and discarding any original message that fails verification; wherein judging the communication mode to be the request/response mode comprises: determining, according to the industrial control protocol type number, whether the corresponding industrial control protocol uses request/response transmission; if the original message uses request/response transmission, identifying from the application layer of the original message, according to the industrial control protocol standard coding format, the field that marks the message as a request type or a response type, and marking the original message as the request type or the response type; if the original message is not transmitted in a request/response mode, marking it as a non-request/response type; and wherein obtaining the response message matched to the request message comprises: after identifying a request type message, extracting a session association field comprising at least one of a transaction identifier, a serial number, or a transmission serial number in the control domain; comparing the session association field with the corresponding field of each response type message received subsequently; when the session association fields of the response message and the request message match, judging that the response message is the matched response message of the request message; and if no matched response message is received within a preset timeout, marking the request message as a no-response abnormal event.
- 6. The method for deep parsing an industrial control message according to claim 1, wherein, when the industrial control data load is ciphertext, it is decrypted according to a pre-configured decryption algorithm and the corresponding key to obtain the plaintext industrial control data load; and extracting the point location data from the industrial control data load comprises: extracting a byte sequence of the data length from the initial byte of the industrial control data load, or from the position offset from the initial byte, according to the point location analysis rule; converting the byte sequence into the corresponding numerical value or character string according to the data type defined in the point location analysis rule; when the data type is numerical, converting the obtained numerical value into an engineering value with a physical unit according to the scaling factor contained in the dimension information of the point location analysis rule; and performing range verification on the engineering value, marking the point location data as suspicious and generating an alarm record if the engineering value exceeds the preset range.
- 7. The method for deep parsing an industrial control message according to claim 1, wherein an alarm disposal control is configured, and when an operator triggers the alarm disposal control a unicast message containing a confirmation identifier is sent to the alarm source device, the data load of the unicast message containing the alarm event ID, point location address and confirmation value corresponding to the alarm event to be confirmed; the point location identification, data type and dimension information of the confirmation variable, and the association relation between the confirmation variable and the point location of the original alarm event, are predefined in the point location analysis rule; when the unicast message is analyzed, the alarm event ID and the confirmation variable value are extracted according to the point location analysis rule and the corresponding original alarm event is matched based on the association relation; the association relation is uniquely bound through the alarm event ID and the device address; and after a successful match, the state of the original alarm event is updated.
- 8. An industrial control message deep parsing system, characterized by comprising: a rule generation module that reads a pre-configured point location configuration file and generates a point location analysis rule according to the point location configuration file; an acquisition module that acquires an original message transmitted in the industrial control network; an identification module that matches the original message according to the industrial control protocol standard coding format to obtain an industrial control protocol type number, a communication mode and an industrial control data load; a reading module that reads the generated point location analysis rule according to the industrial control protocol type number; and an analysis module that analyzes the industrial control data load according to the communication mode and the point location analysis rule, wherein analyzing the industrial control data load comprises: when the communication mode is a request/response mode, extracting point location identifiers from the request message and the corresponding point location data from the matched response message, based on the point location analysis rules corresponding to the request message and the response message respectively, and associating physical variable names and dimensions; when the communication mode is a broadcast or multicast mode, extracting all point location data from the industrial control data load according to the point location analysis rule and marking the physical variable names and dimensions of the point location data; and when the communication mode is a unicast alarm mode, extracting alarm confirmation or alarm disposal data from the industrial control data load, matching the corresponding alarm events based on a predefined association relation, updating the state of the alarm events, and associating the alarm confirmation or alarm disposal data with them.
- 9. An electronic device comprising a processor and a memory, the processor being connected to the memory; the memory is used for storing executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code so as to perform the method according to any one of claims 1-7.
- 10. A computer readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the method according to any one of claims 1-7.
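As an added worked example (not code from the patent or its assignee), the following Python models the pipeline of claims 2, 4, 5 and 6: a structural match of the byte sequence against a protocol template, pairing of a request and its response on a transaction identifier, and extraction of point location data into range-checked engineering values. It assumes a Modbus/TCP-style framing (MBAP header plus function code 3, Read Holding Registers) as the protocol template, since the patent names no specific protocol; the rules, frames and point names are constructed.

```python
import struct
from dataclasses import dataclass

@dataclass
class PointRule:
    """One point location analysis rule (constructed after claims 3, 4 and 6)."""
    point_id: str    # point location identifier
    func_code: int   # function code the rule applies to
    address: int     # data logic address (register number)
    length: int      # data length in bytes
    dtype: str       # data type as a struct format, e.g. ">H" = big-endian uint16
    scale: float     # scaling factor from the dimension information
    unit: str        # physical unit of the engineering value
    lo: float        # preset engineering range used for range verification
    hi: float

def verify_rule(rule, max_load):
    """Claim 4 semantic verification: length matches type, offset inside load, unit present."""
    return (struct.calcsize(rule.dtype) == rule.length
            and rule.address * 2 + rule.length <= max_load
            and bool(rule.unit))

# Assumed protocol template (the patent names none): Modbus/TCP MBAP header, i.e. transaction
# id, protocol id (always 0), length and unit id, followed by the function code.
MBAP = struct.Struct(">HHHB")

def match_template(frame):
    """Claim 2: structural match of the byte sequence; returns fields and load, or None."""
    if len(frame) < MBAP.size + 1:
        return None
    tid, pid, length, _uid = MBAP.unpack_from(frame)
    if pid != 0 or length != len(frame) - 6:   # key control fields must agree with the template
        return None
    return {"tid": tid, "fc": frame[7], "load": frame[8:]}

def parse_pair(req, rsp, rules):
    """Claims 5 and 6: pair request/response on the transaction id, then extract point data."""
    q, s = match_template(req), match_template(rsp)
    if not q or not s or q["tid"] != s["tid"] or q["fc"] != s["fc"]:
        return None                            # no matched response for this request
    if q["fc"] != 3 or len(q["load"]) != 4:    # only Read Holding Registers is modelled here
        return None
    start, qty = struct.unpack(">HH", q["load"])
    data = s["load"][1:]                       # skip the byte-count field of the response
    if len(data) != s["load"][0] or len(data) != qty * 2:
        return None
    result = {}
    for r in rules:
        if r.func_code != q["fc"] or not (start <= r.address < start + qty):
            continue
        offset = (r.address - start) * 2       # addressing mode: one register = 2 bytes
        raw = struct.unpack_from(r.dtype, data, offset)[0]
        value = round(raw * r.scale, 6)        # numeric value -> engineering value with unit
        suspicious = not (r.lo <= value <= r.hi)   # range verification marks suspicious data
        result[r.point_id] = (value, r.unit, suspicious)
    return result

RULES = [PointRule("TT-101", 3, 0, 2, ">H", 0.1, "degC", -50.0, 150.0),
         PointRule("PT-102", 3, 1, 2, ">H", 0.01, "bar", 0.0, 10.0)]
# Constructed frames, transaction id 1: read 2 holding registers starting at address 0.
REQ = bytes.fromhex("000100000006" "0103" "0000" "0002")
RSP = bytes.fromhex("000100000007" "0103" "04" "0301" "ffff")
```

Running `parse_pair(REQ, RSP, RULES)` yields TT-101 at 76.9 degC within range and PT-102 at 655.35 bar flagged as suspicious; a response whose transaction id does not match the request is rejected as unmatched.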
Description
Industrial control message deep parsing method and system
Technical Field
The application relates to the technical field of information, in particular to a method and a system for deeply analyzing an industrial control message.
Background
With the rapid development of industrial internet technology, industrial automation control systems have gradually evolved from traditional closed and isolated information islands into open, interconnected key nodes of industrial networks. This transformation significantly improves productivity and system coordination, but also exposes industrial control systems to increasingly severe cyber-security threats. At present, industrial firewalls, log audit systems, host security protection, intrusion detection and other traditional network security products are commonly deployed at industrial sites. These products mainly follow general IT security concepts, focus on protecting the network and transport layers, and can effectively identify and process the MAC address, IP address, protocol type, port number and other basic five-tuple information in an industrial control message, thereby resisting conventional network attacks such as port scanning and denial of service. However, such conventional schemes have a fundamental limitation: they cannot deeply analyze the application layer data load of the industrial control message, and it is difficult for them to accurately identify the specific physical point location semantics carried in it. Existing protection systems therefore tend to fail in the face of advanced persistent threat attacks.
Such an attack is characterized by carefully constructed, legitimate control instructions that conform to the protocol specification: at the network layer it appears as normal five-tuple communication, while hidden tampering or destruction is carried out at the physical layer, and traditional security equipment cannot perceive the malicious intent because it lacks an understanding of point-level service semantics. The key to breaking through this bottleneck is deep analysis and accurate point location identification of industrial control protocol messages. In the prior art, however, analysis rules for specific equipment and protocols are written manually by domain experts, which is a complex, lengthy and costly process that adapts poorly to industrial field environments with multiple manufacturers, multiple protocols and frequent change, so that the flexibility and extensibility of the system are seriously deficient. Therefore, a technical solution capable of automatically and intelligently extracting point location information from industrial control configuration data and dynamically generating high-precision analysis rules is needed.
Disclosure of Invention
Various embodiments of the present disclosure describe a method and system for deep parsing an industrial control message.
In a first aspect, an embodiment of the present disclosure provides a method for deep parsing an industrial control message, including the steps of: reading a pre-configured point location configuration file and generating a point location analysis rule according to the point location configuration file; collecting an original message transmitted in an industrial control network; matching the original message according to an industrial control protocol standard coding format to obtain an industrial control protocol type number, a communication mode and an industrial control data load; reading the point location analysis rule according to the industrial control protocol type number; and analyzing the industrial control data load according to the communication mode and the point location analysis rule, wherein analyzing the industrial control data load comprises: when the communication mode is a request/response mode, extracting point location identifiers from the request message and the corresponding point location data from the matched response message, based on the point location analysis rules corresponding to the request message and the response message respectively, and associating physical variable names and dimensions; when the communication mode is a broadcast or multicast mode, extracting all point location data from the industrial control data load according to the point location analysis rule and marking the physical variable names and dimensions of the point location data; and when the communication mode is a unicast alarm mode, extracting alarm confirmation or alarm disposal data from the industrial control data load, matching the corresponding alarm events based on a predefined association relation, updating the state of the alarm events, and associating the alarm confirmation or alarm disposal data with them.
In a second aspect, an embodiment of the present disclosure provides an industrial control message deep parsing system, including: The rule generation module reads a pre-configured point location config