
CN119316222B - Modbus TCP replay attack detection control method based on industrial control network gate - Google Patents


Info

Publication number
CN119316222B
Authority
CN
China
Prior art keywords
packet
data packet
address
response
client
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411682823.7A
Other languages
Chinese (zh)
Other versions
CN119316222A (en)
Inventor
李鹏
马涌
李博
冯鹏飞
袁乃军
蔡淑敏
滕可心
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongwang Yun'an Xinchuang Cloud Computing Shandong Co ltd
Original Assignee
Zhongwang Yun'an Xinchuang Cloud Computing Shandong Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present disclosure provide a Modbus TCP replay attack detection control method based on an industrial control network gate, in the field of network security. When the time at which the client sends a data packet is within a preset valid time range, the packet is released or discarded by comparing its source IP address with the cached legal addresses. When the sending time is not within the preset valid time range, the packet type is judged: a TCP handshake packet is released; for a request packet, a first response packet corresponding to the packet is constructed and sent to the client, and the client generates a second response packet from it. Depending on the type of the second response packet, either communication is blocked with a corresponding blocking packet and the preset valid time range is reset, so that the next packet sent by the client is detected again, or the packet is released. Replay attacks are thereby identified precisely, the false detection rate is lowered, and the security of devices communicating over Modbus TCP and the stability of the industrial intranet are improved.

Description

Modbus TCP replay attack detection control method based on industrial control network gate
Technical Field
The disclosure relates to the field of network security, in particular to a Modbus TCP replay attack detection control method based on an industrial control network gate.
Background
The Modbus TCP protocol was designed from the outset for the industrial intranet, an environment without mixed traffic, so the protocol omits check information and has no authentication or authorization. It is therefore highly exposed to attacks such as data replay and illegal tampering, which cause device anomalies. Detecting and controlling these attacks is required to keep devices from malfunctioning.
Common replay detection methods include function code verification, MAC/IP binding verification, rough verification based on time differences, communication encryption control, and verification based on sequence numbers and responses. All of them still have a high false detection rate. When terminal traffic passes through a switching device such as a router, the terminal MAC address is replaced by that of the switching device, so MAC/IP binding fails. Rough verification that only records the average time difference between requests shows obvious anomalies when the network fluctuates. Adding a timestamp or a random value to the protocol requires very costly retrofitting and is not suited to large-scale field environments. Communication encryption is not suited to the field either, because the protocol itself does not support encryption and the retrofit cost is too high. And when a compliant data packet is replayed, the server answers the replayed traffic stably, so verification based on sequence numbers and responses fails.
Disclosure of Invention
The disclosure provides a Modbus TCP replay attack detection control method, device and equipment based on an industrial control network gate and a storage medium.
According to a first aspect of the present disclosure, a Modbus TCP replay attack detection control method based on an industrial control network gate is provided. The method comprises the following steps:
When the time at which the client sends a data packet is within the preset valid time range, the data packet is released or discarded by comparing its source IP address with the cached legal addresses.
When the time at which the client sends the data packet is not within the preset valid time range, the type of the data packet is judged: if it is a TCP handshake packet, it is released; if it is a request packet, a first response packet corresponding to the data packet is constructed and sent to the client so that the client generates a second response packet according to the first response packet.
According to the type of the second response packet, either communication is blocked with a blocking packet corresponding to the data packet and the preset valid time range is reset, so that the next data packet sent by the client is detected again, or the data packet is released.
In some implementations of the first aspect, releasing or discarding the data packet by comparing its source IP address with the cached legal addresses includes:
If the source IP address of the data packet is a legal address, releasing the data packet.
If the source IP address of the data packet is an illegal address, discarding the data packet.
In some implementations of the first aspect, if the data packet is a request packet, before, after or while sending the constructed first response packet corresponding to the data packet to the client, the method includes:
Extracting the transaction ID from the data packet.
Setting the transaction ID of the first response packet according to the transaction ID in the data packet.
In some implementations of the first aspect, according to the type of the second response packet, either blocking communication with a blocking packet corresponding to the data packet and resetting the preset valid time range so that the next data packet sent by the client is detected again, or releasing the data packet, includes:
If the transaction ID of the second response packet is equal to the transaction ID of the first response packet, blocking communication with the blocking packet corresponding to the data packet and resetting the preset valid time range.
If the second response packet is an error prompt packet or a connection termination packet, likewise blocking communication with the blocking packet corresponding to the data packet and resetting the preset valid time range.
Otherwise, releasing the data packet.
In some implementations of the first aspect, blocking communication with a blocking packet corresponding to the data packet includes:
Recording the source IP address of the data packet as an illegal address, and sending the blocking packet corresponding to the data packet to the client to block communication.
In some implementations of the first aspect, the method further includes:
Recording the source IP address of a released data packet as a legal address.
According to a second aspect of the present disclosure, a Modbus TCP replay attack detection control device based on an industrial control network gate is provided. The device comprises:
A traffic diversion module, a replay attack detection module and a packet construction module connected in sequence, the replay attack detection module also being connected to a control module.
The traffic diversion module receives the data packet sent by the client and forwards it to the replay attack detection module.
The replay attack detection module receives the data packet and, when the time at which the client sent it is within the preset valid time range, releases or discards it according to the result of comparing its source IP address with the cached legal addresses.
The replay attack detection module is also used to judge the type of the data packet when the sending time is not within the preset valid time range: a TCP handshake packet is released, and for a request packet the constructed first response packet corresponding to it is sent to the client so that the client generates a second response packet according to the first response packet.
It is further used to, according to the type of the second response packet, either block communication with the blocking packet corresponding to the data packet and reset the preset valid time range, so that the next data packet sent by the client is detected again, or release the data packet.
The control module compares the source IP address of the data packet with the cached legal addresses.
The packet construction module constructs the first response packet corresponding to the data packet, and also constructs the blocking packet.
In some implementations of the second aspect, the control module is further configured to cache the source IP address of the data packet.
The packet construction module is further configured to extract the transaction ID from the data packet and set the transaction ID of the first response packet according to it.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device comprises at least one processor and a memory communicatively coupled to the at least one processor, the memory storing instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
According to a fourth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method as described above.
In the method, when the time at which the client sends a data packet is within the preset valid time range, the packet is released or discarded by comparing its source IP address with the cached legal addresses; when the sending time is not within the preset valid time range, the packet type is judged: a TCP handshake packet is released, and for a request packet a first response packet corresponding to it is constructed and sent to the client so that the client generates a second response packet. According to the type of the second response packet, either communication is blocked with the blocking packet corresponding to the data packet and the preset valid time range is reset, so that the next packet from the client is detected again, or the packet is released. In this way zero-trust replay attack detection is realized: replay attacks that follow the replay rules are identified precisely, the false detection rate is reduced, the security of devices communicating over Modbus TCP in the industrial control environment is improved, and the stability of the industrial intranet is easier to maintain.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. For a better understanding of the present disclosure, and without limiting the disclosure thereto, the same or similar reference numerals denote the same or similar elements, wherein:
fig. 1 shows a flowchart of a Modbus TCP replay attack detection control method based on an industrial control network gate according to an embodiment of the disclosure.
Fig. 2 shows a block diagram of a Modbus TCP replay attack detection control device based on an industrial control network gate according to an embodiment of the present disclosure.
Fig. 3 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments in this disclosure without inventive faculty, are intended to be within the scope of this disclosure.
In addition, the term "and/or" merely describes an association between objects and means that three relations may exist: for example, A and/or B may mean that A exists alone, that A and B exist together, or that B exists alone. The character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
Aiming at the problems in the background art, the embodiments of the disclosure provide a Modbus TCP replay attack detection control method based on an industrial control network gate. When the time at which the client sends a data packet is within the preset valid time range, the packet's source IP address is compared with the cached legal addresses and the packet is released or discarded; when the sending time is not within the preset valid time range, the packet type is judged: a TCP handshake packet is released, and for a request packet a first response packet corresponding to it is constructed and sent to the client so that the client generates a second response packet. According to the type of the second response packet, either communication is blocked with the blocking packet corresponding to the data packet and the preset valid time range is reset, so that the next packet from the client is detected again, or the packet is released. In this way zero-trust replay attack detection is realized: replay attacks that follow the replay rules are identified precisely, the false detection rate is reduced, the security of devices communicating over Modbus TCP in the industrial control environment is improved, and the stability of the industrial intranet is easier to maintain.
The Modbus TCP replay attack detection control method based on the industrial control network gate provided by the embodiment of the disclosure is described in detail by a specific embodiment with reference to the accompanying drawings.
Fig. 1 shows a flowchart of a Modbus TCP replay attack detection control method based on an industrial control network gate according to an embodiment of the disclosure, where the method 100 includes the following steps:
S110, when the time at which the client sends a data packet is within the preset valid time range, the data packet is released or discarded by comparing its source IP address with the cached legal addresses.
In some embodiments, releasing or discarding the data packet by comparing its source IP address with the cached legal addresses includes:
If the source IP address of the data packet is a legal address, releasing the data packet.
If the source IP address of the data packet is an illegal address, discarding the data packet.
S120, when the time at which the client sends the data packet is not within the preset valid time range, the type of the data packet is judged: if it is a TCP handshake packet, it is released; if it is a request packet, a first response packet corresponding to the data packet is constructed and sent to the client so that the client generates a second response packet according to the first response packet.
In some embodiments, if the data packet is a request packet, before, after or while sending the constructed first response packet corresponding to the data packet to the client, the method includes:
Extracting the transaction ID from the data packet.
Setting the transaction ID of the first response packet according to the transaction ID in the data packet.
In some embodiments, setting the transaction ID of the first response packet according to the transaction ID in the data packet includes:
Denoting the transaction ID in the data packet as X, and setting the transaction ID of the first response packet to X+1.
S130, according to the type of the second response packet, either communication is blocked with a blocking packet corresponding to the data packet and the preset valid time range is reset, so that the next data packet sent by the client is detected again, or the data packet is released.
In some embodiments, this step includes:
If the transaction ID of the second response packet is equal to the transaction ID of the first response packet, the data packet is replay attack data: communication is blocked with the blocking packet corresponding to the data packet and the preset valid time range is reset.
If the second response packet is an error prompt packet or a connection termination packet, the data packet is treated as replay attack data that follows the replay rule, so communication is likewise blocked with the blocking packet corresponding to the data packet and the preset valid time range is reset.
Otherwise, the data packet is released.
In some embodiments, blocking communication with a blocking packet corresponding to the data packet includes:
Recording the source IP address of the data packet as an illegal address, and sending the blocking packet corresponding to the data packet to the client to block communication.
In some embodiments, the method 100 further comprises:
Recording the source IP address of a released data packet as a legal address.
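The following Python is an added worked example, not code from the patent or its assignee. It models the gate-side decision flow of steps S110 to S130 (the same procedure as the first aspect above) on constructed packets: a Modbus/TCP MBAP parser that extracts the transaction ID X, construction of the first response packet carrying transaction ID X+1, the legal and illegal address caches governed by the preset valid time range, and classification of the client's second response. Everything the patent leaves open is an assumption made here and marked in the code: the `Packet` model, TCP SYN as the test for a handshake packet and FIN/RST as a connection termination packet, a Modbus exception frame (function code with bit 0x80 set) as the error prompt packet, a TCP RST as the blocking packet, the dummy register bytes in the probe, and probing an address found in neither cache while the window is active.

```python
# Added illustration of the S110-S130 decision flow; not the patent's own code.
# Assumptions (the patent does not fix them): the Packet model, TCP flags as the
# handshake/termination test, the dummy probe PDU, a TCP RST as blocking packet,
# and probing addresses that are in neither cache while the window is active.
import struct
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits used for classification


@dataclass
class Packet:
    src_ip: str
    tcp_flags: int
    payload: bytes = b""        # Modbus/TCP ADU; empty for a bare TCP segment


def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header and return (tid, unit, fc, data), or None
    if the frame is malformed (protocol id must be 0, length must cover unit+PDU)."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    return tid, unit, payload[7], payload[8:]


def build_mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid & 0xFFFF, 0, len(pdu) + 1, unit) + pdu


def build_first_response(request: bytes) -> bytes:
    """The 'first response packet': a Modbus response for the request's function
    code carrying transaction ID X+1, where X is the request's transaction ID.
    The register bytes are dummies; the gate never asks the real server."""
    tid, unit, fc, _ = parse_mbap(request)
    return build_mbap(tid + 1, unit, bytes([fc, 2, 0, 0]))


@dataclass
class ReplayGate:
    valid_window: float = 60.0                   # preset valid time range, seconds
    now: Callable[[], float] = time.monotonic    # injectable clock
    legal: set = field(default_factory=set)      # cached legal source addresses
    illegal: set = field(default_factory=set)    # cached illegal source addresses
    pending: dict = field(default_factory=dict)  # src_ip -> TID of the outstanding probe
    window_start: Optional[float] = None         # None until the first reset

    def in_window(self) -> bool:
        return (self.window_start is not None
                and self.now() - self.window_start <= self.valid_window)

    def _block(self, pkt: Packet):
        """Blocking packet: mark the source illegal, restart the window, answer RST."""
        self.illegal.add(pkt.src_ip)
        self.pending.pop(pkt.src_ip, None)
        self.window_start = self.now()
        return "BLOCK", Packet("gate", RST)

    def handle_request(self, pkt: Packet):
        """S110/S120: verdict for a packet the client sends towards the server."""
        if self.in_window():
            if pkt.src_ip in self.legal:
                return "RELEASE", None
            if pkt.src_ip in self.illegal:
                return "DROP", None
            # address in neither cache: fall through and probe it (assumption)
        if pkt.tcp_flags & SYN:
            return "RELEASE", None               # TCP handshake packets pass
        hdr = parse_mbap(pkt.payload)
        if hdr is None:
            return "DROP", None                  # not a Modbus/TCP request (assumption)
        self.pending[pkt.src_ip] = (hdr[0] + 1) & 0xFFFF   # the probe's TID, X+1
        return "PROBE", Packet("gate", ACK, build_first_response(pkt.payload))

    def handle_second_response(self, pkt: Packet):
        """S130: classify the client's reaction to the probe."""
        probe_tid = self.pending.get(pkt.src_ip)
        if probe_tid is None:
            return "RELEASE", None               # no probe outstanding for this source
        if pkt.tcp_flags & (FIN | RST):
            return self._block(pkt)              # connection termination packet
        hdr = parse_mbap(pkt.payload)
        if hdr is None:
            return "DROP", None
        if hdr[2] & 0x80 or hdr[0] == probe_tid:  # error prompt, or client went on to X+1
            return self._block(pkt)
        self.pending.pop(pkt.src_ip, None)
        self.legal.add(pkt.src_ip)               # released source becomes a legal address
        return "RELEASE", None


if __name__ == "__main__":
    gate, read = ReplayGate(), bytes([3, 0, 0, 0, 2])   # FC3: read 2 holding registers
    print(gate.handle_request(Packet("10.0.0.5", ACK, build_mbap(7, 1, read))))
    # a replay tool walks the captured TID sequence, so it continues at 8 == probe TID
    print(gate.handle_second_response(Packet("10.0.0.5", ACK, build_mbap(8, 1, read))))
```

Run stand-alone, it probes a constructed request with transaction ID 7 and then sees the same source continue at 8, the probe's own transaction ID, which the rule in S130 classifies as a replay: the address is cached as illegal, the window restarts, and further packets from it are dropped until the window expires. A source that instead answers the probe with a frame carrying any other transaction ID falls under "otherwise" and is released, with its address cached as legal. The original request is held while the probe is outstanding; whether it is forwarded or re-sent after a release is left open by the patent and not modelled here.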
According to the embodiment of the disclosure, when the time at which the client sends a data packet is within the preset valid time range, the packet is released or discarded by comparing its source IP address with the cached legal addresses; when the sending time is not within the preset valid time range, the packet type is judged: a TCP handshake packet is released, and for a request packet a first response packet corresponding to it is constructed and sent to the client so that the client generates a second response packet. According to the type of the second response packet, either communication is blocked with the blocking packet corresponding to the data packet and the preset valid time range is reset, so that the next packet from the client is detected again, or the packet is released. In this way zero-trust replay attack detection is realized: replay attacks that follow the replay rules are identified precisely, the false detection rate is reduced, the security of devices communicating over Modbus TCP in the industrial control environment is improved, and the stability of the industrial intranet is easier to maintain.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present disclosure is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present disclosure. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
The foregoing is a description of embodiments of the method, and the following further describes embodiments of the present disclosure through examples of apparatus.
Fig. 2 shows a block diagram of a Modbus TCP replay attack detection control device based on an industrial control network gate according to an embodiment of the present disclosure. The device 200 includes:
A traffic diversion module 210, a replay attack detection module 220 and a packet construction module 240 connected in sequence; the replay attack detection module 220 is also connected to a control module 230.
The traffic diversion module 210 is configured to receive the data packet sent by the client and forward it to the replay attack detection module 220.
In some embodiments, the traffic diversion module 210 is specifically configured to:
Forward the data packets that clients send on the Modbus TCP communication port to the replay attack detection module 220.
The replay attack detection module 220 is configured to receive the data packet and, when the time at which the client sent it is within the preset valid time range, release or discard it according to the result of comparing its source IP address with the cached legal addresses.
It is also configured to judge the type of the data packet when the sending time is not within the preset valid time range: a TCP handshake packet is released, and for a request packet the constructed first response packet corresponding to it is sent to the client so that the client generates a second response packet according to the first response packet.
It is further configured to, according to the type of the second response packet, either block communication with the blocking packet corresponding to the data packet and reset the preset valid time range, so that the next data packet sent by the client is detected again, or release the data packet.
In some embodiments, the replay attack detection module 220 is specifically configured to carry out that last step as follows:
If the transaction ID of the second response packet is equal to the transaction ID of the first response packet, block communication with the blocking packet corresponding to the data packet and reset the preset valid time range.
If the second response packet is an error prompt packet or a connection termination packet, likewise block communication with the blocking packet corresponding to the data packet and reset the preset valid time range.
Otherwise, release the data packet.
Further, blocking communication with the blocking packet corresponding to the data packet includes recording the source IP address of the data packet as an illegal address, caching the recorded illegal address in the packet construction module, and sending the blocking packet corresponding to the data packet to the client to block communication.
The control module 230 is configured to compare the source IP address of the data packet with the cached legal addresses.
In some embodiments, the control module 230 is further configured to cache the source IP address of the data packet.
Specifically, the control module 230 is further configured to cache the source IP address of a data packet that has been recorded as a legal address and/or an illegal address.
The packet construction module 240 is configured to construct the first response packet corresponding to the data packet, and also to construct the blocking packet.
In some embodiments, the packet construction module 240 is further configured to:
Extract the transaction ID from the data packet, and set the transaction ID of the first response packet according to it.
Specifically, if the data packet is a request packet, before, after or while the constructed first response packet is sent to the client:
The transaction ID is extracted from the data packet.
The transaction ID of the first response packet is set according to the transaction ID in the data packet.
It can be appreciated that each module/unit in the module 200 shown in fig. 2 has a function of implementing each step in the method 100 provided in the embodiment of the disclosure, and can achieve a corresponding technical effect, which is not described herein for brevity.
Fig. 3 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure. Electronic device 300 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic device 300 may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 3, the electronic device 300 includes a computing unit 301 that can perform various suitable actions and processes according to a computer program stored in a read-only memory (ROM) 302 or a computer program loaded from a storage unit 308 into a random-access memory (RAM) 303. The RAM 303 may also store the various programs and data required for the operation of the electronic device 300. The computing unit 301, the ROM 302 and the RAM 303 are connected to each other by a bus 304. An I/O interface 305 is also connected to the bus 304.
Various components in the electronic device 300 are connected to the I/O interface 305, including an input unit 306, such as a keyboard, mouse, etc., an output unit 307, such as various types of displays, speakers, etc., a storage unit 308, such as a magnetic disk, optical disk, etc., and a communication unit 309, such as a network card, modem, wireless communication transceiver, etc. The communication unit 309 allows the electronic device 300 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The computing unit 301 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of the computing unit 301 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 301 performs the various methods and processes described above, such as method 100. For example, in some embodiments, the method 100 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 308. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 300 via the ROM 302 and/or the communication unit 309. One or more of the steps of the method 100 described above may be performed when the computer program is loaded into the RAM 303 and executed by the computing unit 301. Alternatively, in other embodiments, the computing unit 301 may be configured to perform the method 100 by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems-on-Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special or general purpose programmable processor, operable to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out the methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that the present disclosure further provides a non-transitory computer readable storage medium storing computer instructions, where the computer instructions are configured to cause a computer to perform the method 100 and achieve corresponding technical effects achieved by performing the method according to the embodiments of the present disclosure, which are not described herein for brevity.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with implementations of the systems and techniques described here), or in a computing system that includes any combination of such background components, middleware components, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a Local Area Network (LAN), a Wide Area Network (WAN), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (7)

1. A Modbus TCP replay attack detection and control method based on an industrial control network gate, characterized in that it comprises:
when the time at which the client sends a data packet is within the preset valid time range, comparing the source IP address of the data packet with the cached legal addresses and passing or discarding the data packet;
when the time at which the client sends a data packet is not within the preset valid time range, determining the type of the data packet; if the data packet is a TCP handshake packet, passing the data packet; if the data packet is a request packet, sending a constructed first response packet corresponding to the data packet to the client, so that the client generates a second response packet according to the first response packet; wherein, before, after or at the same time as sending the constructed first response packet corresponding to the data packet to the client when the data packet is a request packet, the method comprises: extracting the transaction ID from the data packet; and setting the transaction ID of the first response packet according to the transaction ID in the data packet;
if the second response packet is a request packet, comparing the transaction ID of the second response packet with the transaction ID of the first response packet; if the transaction ID of the second response packet is equal to the transaction ID of the first response packet, blocking the communication with the blocking packet corresponding to the data packet and resetting the preset valid time range;
if the second response packet is an error prompt packet or a connection termination packet, blocking the communication with the blocking packet corresponding to the data packet and resetting the preset valid time range;
otherwise, passing the data packet.

2. The method according to claim 1, characterized in that passing or discarding the data packet by comparing the source IP address of the data packet with the cached legal addresses comprises:
if the source IP address of the data packet is a legal address, passing the data packet;
if the source IP address of the data packet is an illegal address, discarding the data packet.

3. The method according to claim 1, characterized in that blocking the communication with the blocking packet corresponding to the data packet comprises:
recording the source IP address of the data packet as an illegal address, and sending the blocking packet corresponding to the data packet to the client to block the communication.

4. The method according to claim 1, characterized in that the method further comprises:
recording the source IP address of a passed data packet as a legal address.

5. A Modbus TCP replay attack detection and control device based on an industrial control network gate, characterized in that it comprises:
a traffic diversion module, a replay attack detection module and a packetization module connected in sequence; wherein the replay attack detection module is further connected to a control module;
the traffic diversion module is configured to receive the data packet sent by the client and send the data packet to the replay detection module;
the replay attack detection module is configured to receive the data packet and, when the time at which the client sends the data packet is within the preset valid time range, pass or discard the data packet according to the result of comparing the source IP address of the data packet with the cached legal addresses;
and is further configured, when the time at which the client sends the data packet is not within the preset valid time range, to determine the type of the data packet; if the data packet is a TCP handshake packet, to pass the data packet; if the data packet is a request packet, to send a constructed first response packet corresponding to the data packet to the client, so that the client generates a second response packet according to the first response packet;
and is further configured, if the second response packet is a request packet, to compare the transaction ID of the second response packet with the transaction ID of the first response packet; if the transaction ID of the second response packet is equal to the transaction ID of the first response packet, to block the communication with the blocking packet corresponding to the data packet and reset the preset valid time range; if the second response packet is an error prompt packet or a connection termination packet, to block the communication with the blocking packet corresponding to the data packet and reset the preset valid time range; otherwise, to pass the data packet;
the control module is configured to compare the source IP address of the data packet with the cached legal addresses;
the packetization module is configured to construct the first response packet corresponding to the data packet; is further configured to construct the blocking packet; and is further configured to extract the transaction ID from the data packet and set the transaction ID of the first response packet according to the transaction ID in the data packet.

6. The device according to claim 5, characterized in that
the control module is further configured to cache the source IP address of the data packet.

7. An electronic device, characterized in that it comprises:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so as to enable the at least one processor to perform the method according to any one of claims 1 to 4.
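The decision flow of claims 1 to 4, written out as a runnable model so the challenge-and-compare logic can be exercised against constructed Modbus TCP frames (an added example, not the patent's or the applicant's code). It parses the MBAP header, answers an out-of-window request with a constructed first response that carries the request's transaction ID, and classifies the client's second packet; the response body, the injectable clock, treating unknown addresses inside the window as illegal, and returning only a verdict for the blocking packet (whose format the page does not give) are assumptions, and the sample frames are constructed.

```python
import struct
import time

# Modbus TCP MBAP header: transaction id, protocol id (0), length (unit id + PDU), unit id.
MBAP = struct.Struct(">HHHB")
SAMPLE_REQUEST = bytes.fromhex("000100000006010300000002")  # constructed: read 2 holding registers, tid 1

def parse_frame(frame):
    """Return (transaction_id, unit_id, function_code), or None if the frame is malformed."""
    if len(frame) < MBAP.size + 1:
        return None
    tid, pid, length, uid = MBAP.unpack_from(frame)
    if pid != 0 or length != len(frame) - 6:
        return None
    return tid, uid, frame[MBAP.size]

def build_first_response(frame):
    """Constructed first response carrying the request's transaction id (claim 1)."""
    tid, uid, fc = parse_frame(frame)
    pdu = bytes([fc, 0])  # assumed body: function code and a zero byte count (empty reply)
    return MBAP.pack(tid, 0, 1 + len(pdu), uid) + pdu

class ReplayGate:
    """Decision logic of the gate's replay-attack detection module (claims 1 to 4)."""
    def __init__(self, window_s, clock=time.monotonic):
        self.window_s, self.clock = window_s, clock
        self.window_start = clock()               # the valid window is open when the gate starts
        self.legal, self.illegal = set(), set()   # cached address classification (claim 6)
        self.pending = {}                         # src_ip -> transaction id of the challenge sent

    def in_window(self):
        return self.clock() - self.window_start <= self.window_s

    def block(self, src_ip):
        """Claim 3: record the source as illegal, send the blocking packet (its format is not
        given in the page, so only the verdict is returned) and restart the valid window."""
        self.illegal.add(src_ip)
        self.legal.discard(src_ip)
        self.window_start = self.clock()
        return "block"

    def handle(self, src_ip, kind, frame=b""):
        """kind: 'handshake', 'request', 'response', 'error' or 'fin' (connection termination).
        Returns 'pass', 'drop', 'block' or ('challenge', first_response_bytes)."""
        if src_ip in self.pending:                # the client's second packet after a challenge
            expected = self.pending.pop(src_ip)
            if kind == "request":
                parsed = parse_frame(frame)
                if parsed is None:
                    return "drop"
                if parsed[0] == expected:         # same transaction id again: a replayed frame
                    return self.block(src_ip)
            elif kind in ("error", "fin"):
                return self.block(src_ip)
            self.legal.add(src_ip)                # claim 4: a passed packet marks its source legal
            self.illegal.discard(src_ip)
            return "pass"
        if self.in_window():                      # inside the window only the cache decides
            return "pass" if src_ip in self.legal else "drop"  # unknown == illegal (assumption)
        if kind == "handshake":
            return "pass"
        if kind == "request" and parse_frame(frame) is not None:
            self.pending[src_ip] = parse_frame(frame)[0]
            return "challenge", build_first_response(frame)
        return "drop"
```

A real Modbus master that accepts the constructed reply moves on to a fresh transaction ID and is cached as legal; a sender that resends the captured frame, errors out or tears the connection down is blocked and the window restarts.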
CN202411682823.7A 2024-11-22 2024-11-22 Modbus TCP replay attack detection control method based on industrial control network gate Active CN119316222B (en)


Publications (2)

Publication Number Publication Date
CN119316222A CN119316222A (en) 2025-01-14
CN119316222B true CN119316222B (en) 2025-07-08


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant