Journal of Xidian University (西安电子科技大学学报) ›› 2023, Vol. 50 ›› Issue (4): 22-33. doi: 10.19665/j.issn1001-2400.2023.04.003

• Cyberspace Security Column •

Industrial control protocol reverse analysis based on active interactive learning (基于主动交互式学习的工控协议逆向分析)

FU Anmin (付安民)1, MAO An (毛安)1, HUANG Tao (黄涛)1, HU Chao (胡超)2, LIU Ying (刘莹)2, ZHANG Xiaoming (张晓明)3, WANG Zhanfeng (王占丰)4

  1. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, Jiangsu, China
    2. College of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210007, Jiangsu, China
    3. National Computer Network and Information Security Management Center, Beijing 100029, China
    4. Nanjing Lexbell Information Technology Co., Ltd., Nanjing 210014, Jiangsu, China
  • Received: 2023-01-15  Online: 2023-08-20  Published: 2023-10-17
  • About the authors: FU Anmin (born 1981), male, professor, E-mail: fuam@njust.edu.cn; MAO An (born 1998), male, master's student at Nanjing University of Science and Technology, E-mail: 120106022665@njust.edu.cn; HUANG Tao (born 1988), male, PhD student at Nanjing University of Science and Technology, E-mail: nuisthuangtao@163.com; HU Chao (born 1984), male, associate professor, E-mail: huchao@aeu.edu.cn; LIU Ying (born 1987), female, lecturer, E-mail: liuying_seven@163.com; ZHANG Xiaoming (born 1980), male, senior engineer, E-mail: zhangxiaoming@cert.org.cn; WANG Zhanfeng (born 1982), male, postdoctoral researcher, E-mail: hehengw@hotmail.com
  • Funding:
    National Key R&D Program of China (2022YFB3104002); National Natural Science Foundation of China (62072239); Key R&D Program of Jiangsu Province (BE2022081); Future Network Scientific Research Fund (FNSRFP-2021-ZD-05)

Industrial control protocol reverse analysis based on active interactive learning

FU Anmin1, MAO An1, HUANG Tao1, HU Chao2, LIU Ying2, ZHANG Xiaoming3, WANG Zhanfeng4

  1. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China
    2. College of Command Control Engineering, Army Engineering University of PLA, Nanjing 210007, China
    3. National Computer Network and Information Security Management Center, Beijing 100029, China
    4. Nanjing Lexbell Information Technology Company Limited, Nanjing 210014, China
  • Received: 2023-01-15  Online: 2023-08-20  Published: 2023-10-17

Abstract (translated from the Chinese):

As the essential basis for information exchange in industrial control systems, the standardization and completeness of an industrial control protocol's design and implementation bear directly on the secure operation of the whole industrial control system. For the reverse engineering of unknown industrial control protocols, methods based on traffic samples have attracted growing attention because, among other advantages, they require no analysis of system firmware. Such methods, however, also have drawbacks such as over-reliance on sample diversity; in particular, insufficient sample diversity easily leads to incorrect field division, incorrect state identification, and analysis results that capture only a subset of the protocol specification. This paper therefore proposes an industrial control protocol reverse analysis method based on active interactive learning: starting from the reverse results obtained from traffic samples, a set of packets is constructed according to the initial reverse results and used to learn interactively with real devices, probing unknown protocol fields and the protocol state machine. Simulation experiments of interactive learning with industrial control simulation software show that the method effectively verifies field semantics, expands field value sets, expands the types of abnormal samples, and resolves the pseudo-long static field problem caused by insufficient sample diversity, while also effectively detecting new states and state transitions, greatly improving the accuracy of unknown protocol reverse engineering.

Keywords: industrial control protocol, protocol reverse engineering, interactive learning, protocol state machine

Abstract:

As an important basis for information exchange in industrial control systems, the standardization and completeness of the design and implementation of industrial control protocols bear directly on the security of the entire industrial control system. For the reverse engineering of unknown industrial control protocols, the protocol reverse method based on traffic samples has attracted more and more attention because it does not need to analyze the system firmware, among other advantages; this type of method, however, also has the disadvantage of relying too much on sample diversity. In particular, insufficient sample diversity can easily lead to problems such as field division errors, state identification errors, and analysis yielding only a subset of the protocol specification. For this reason, this paper proposes an industrial control protocol reverse analysis method based on active interactive learning. On the basis of the reverse results from traffic samples, a packet set is constructed according to the initial reverse results, and interactive learning is carried out with real devices to detect unknown protocol fields and state machines. Simulation experimental results of interactive learning with industrial control simulation software show that this method can effectively verify field semantics, expand field values, expand abnormal sample types, and solve the problem of pseudo-long static fields caused by insufficient sample diversity, and that it can detect new states and state transitions, greatly improving the accuracy of unknown protocol reverse engineering.

Key words: industrial control protocol, protocol reverse, interactive learning, protocol state machine
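The abstract describes the field-level half of the method: a passive pass over captured samples marks bytes that never change as one "static" field, and an active pass then mutates those bytes one at a time against a device (or simulator) so that its accept/reject verdicts split the pseudo-long static field into its real constituents, enlarge the set of known field values, and collect new abnormal (error) responses. The script below is an added illustration of that loop and is not the paper's code; the toy frame format, the simulated device, the probe value list and the low-diversity capture are all constructed assumptions. State-machine exploration, the other half of the method, is not shown.

```python
"""
Added illustration (not the paper's code): passive static-field inference
followed by active per-byte probing against a constructed device model.
"""
from dataclasses import dataclass, field

# ---- constructed device model: stands in for the real device / simulator ----
MAGIC = b"\xa5\x5a"                 # fixed 2-byte header (assumption)
VERSIONS = {1, 2, 3}                # versions the toy device accepts
FUNCS = {0x01, 0x02}                # read / write function codes
FRAME_LEN = 7                       # magic(2) version(1) func(1) unit(1) data(2)

def device_respond(pkt: bytes):
    """Toy device: success echo, error reply on a bad field, silent drop on bad magic."""
    if len(pkt) != FRAME_LEN or pkt[:2] != MAGIC:
        return None                                  # silently dropped
    version, func, unit = pkt[2], pkt[3], pkt[4]
    if version not in VERSIONS:
        return b"\xff\x01"                           # error: unsupported version
    if func not in FUNCS:
        return b"\xff\x02"                           # error: unknown function
    return b"\x00" + bytes([func, unit]) + pkt[5:]   # success echo

# ---- constructed low-diversity capture: version, func and unit never vary ----
SAMPLES = [
    MAGIC + bytes([1, 0x01, 0x07]) + b"\x00\x10",
    MAGIC + bytes([1, 0x01, 0x07]) + b"\x00\x20",
    MAGIC + bytes([1, 0x01, 0x07]) + b"\x01\x00",
]

def infer_static_runs(samples):
    """Passive step: maximal runs of offsets whose byte is identical in every sample.
    With the capture above this yields one 5-byte run, the pseudo-long static field."""
    n = min(len(s) for s in samples)
    const = [all(s[i] == samples[0][i] for s in samples) for i in range(n)]
    runs, start = [], None
    for i, c in enumerate(const + [False]):          # sentinel closes the last run
        if c and start is None:
            start = i
        elif not c and start is not None:
            runs.append((start, i))
            start = None
    return runs

@dataclass
class ProbedField:
    start: int
    end: int
    kind: str                                   # "constant" or "variable"
    accepted: set = field(default_factory=set)  # values the device accepted
    errors: set = field(default_factory=set)    # distinct error replies observed

# probe values (assumption): small codes plus a few boundary bytes
PROBE_VALUES = list(range(0, 8)) + [0x10, 0x7F, 0x80, 0xFF]

def probe_static_run(base, start, end, send=device_respond, values=PROBE_VALUES):
    """Active step: mutate one byte at a time inside a static run; the device's
    verdict splits the run into real fields and records accepted values and errors."""
    fields = []
    for i in range(start, end):
        accepted, errors = {base[i]}, set()
        for v in values:
            if v == base[i]:
                continue
            pkt = bytearray(base)
            pkt[i] = v
            resp = send(bytes(pkt))
            if resp is not None and resp[0] == 0x00:
                accepted.add(v)                      # expands the field's value set
            elif resp is not None:
                errors.add(resp)                     # new abnormal sample type
        if len(accepted) == 1:
            # constant byte: merge with an adjacent preceding constant byte
            if fields and fields[-1].kind == "constant" and fields[-1].end == i:
                fields[-1].end = i + 1
                fields[-1].errors |= errors
            else:
                fields.append(ProbedField(i, i + 1, "constant", accepted, errors))
        else:
            # variable byte kept as its own field: single-byte probing cannot prove
            # that two adjacent variable bytes belong to the same field
            fields.append(ProbedField(i, i + 1, "variable", accepted, errors))
    return fields

def analyse(samples=SAMPLES, send=device_respond):
    """Passive inference followed by active probing of every static run."""
    result = []
    for start, end in infer_static_runs(samples):
        result.extend(probe_static_run(samples[0], start, end, send))
    return result

if __name__ == "__main__":
    for f in analyse():
        print(f"[{f.start}:{f.end}] {f.kind:8} accepted={sorted(f.accepted)} errors={sorted(f.errors)}")
```

Run against the constructed capture, the 5-byte static run splits into a 2-byte constant (the magic), a version byte whose accepted set grows from {1} to {1, 2, 3}, a function byte accepting {1, 2}, and an unconstrained unit byte, with the two distinct error replies recorded as new abnormal samples. A byte that the device silently drops on every mutation is reported as constant with an empty error set; a byte that answers with an error on every mutation would look constant too, which is exactly the case (length or checksum fields) where a single-byte probe is insufficient and a dependent-field probe is needed.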

CLC number:

  • TP393.0