Journal of Xidian University, 2023, Vol. 50, Issue (4): 22-33. doi: 10.19665/j.issn1001-2400.2023.04.003

Special Issue on Cyberspace Security

Industrial control protocol reverse analysis based on active interactive learning

FU Anmin1, MAO An1, HUANG Tao1, HU Chao2, LIU Ying2, ZHANG Xiaoming3, WANG Zhanfeng4

  1. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China
  2. College of Command Control Engineering, Army Engineering University of PLA, Nanjing 210007, China
  3. National Computer Network and Information Security Management Center, Beijing 100029, China
  4. Nanjing Lexbell Information Technology Company Limited, Nanjing 210014, China
  • Received: 2023-01-15 Online: 2023-08-20 Published: 2023-10-17


As the basis for information exchange in industrial control systems, the standardization and completeness of industrial control protocol design and implementation bear on the security of the entire industrial control system. For reverse engineering unknown industrial control protocols, methods based on traffic samples have attracted growing attention because, among other advantages, they need no analysis of the system firmware; however, such methods also depend too heavily on sample diversity. In particular, insufficient sample diversity easily leads to field division errors and state identification errors, and to analysis results that cover only a subset of the protocol specification. This paper therefore proposes an industrial control protocol reverse analysis method based on active interactive learning. Starting from the reverse results obtained from traffic samples, a set of data packets is constructed from these initial results and used for interactive learning with real devices in order to detect unknown protocol fields and protocol state machines. Simulation experiments using interactive learning with industrial control simulation software show that the method effectively verifies field semantics, expands field values, expands the types of abnormal samples, and solves the problem of pseudo-long static fields caused by insufficient sample diversity; it also detects new states and state transitions, greatly improving the accuracy of unknown protocol reverse engineering.
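The pseudo-long static field problem named in the abstract, and the active step that exposes it, can be illustrated on a small constructed protocol. The following is an added example for this abstract, not code from the paper: the 6-byte frame layout, the low-diversity captures and the rules of the device simulator are all constructed assumptions, and the simulator stands in for the industrial control simulation software the authors interact with.

```python
"""Pseudo-long static fields caused by low sample diversity, and how active
probing against a device simulator splits them. Added example for this
abstract; the frame layout and device rules are constructed, not the paper's."""

# Constructed 6-byte request: func | unit | addr_hi addr_lo | cnt_hi cnt_lo.
# In these captured frames only addr_lo and cnt_lo ever change.
LOW_DIVERSITY = [bytes([0x03, 0x01, 0x00, a, 0x00, n])
                 for a, n in [(0x10, 2), (0x20, 4), (0x30, 8), (0x40, 1)]]

def group_runs(kinds):
    """Merge consecutive bytes of the same kind into (start, end, kind)."""
    fields, start = [], 0
    for i in range(1, len(kinds) + 1):
        if i == len(kinds) or kinds[i] != kinds[start]:
            fields.append((start, i, kinds[start]))
            start = i
    return fields

def passive_fields(frames):
    """Traffic-only step: a byte that never changes is 'static'. Adjacent
    static bytes merge, so func|unit|addr_hi collapse into one pseudo field."""
    return group_runs(["static" if len({f[i] for f in frames}) == 1 else "variable"
                       for i in range(len(frames[0]))])

def simulated_device(frame):
    """Stand-in for the simulation software the paper interacts with
    (constructed rules): function 0x03 only, unit 1..247, count 1..125."""
    cnt = int.from_bytes(frame[4:6], "big")
    return frame[0] == 0x03 and 1 <= frame[1] <= 247 and 1 <= cnt <= 125

def interactive_fields(frames, device):
    """Active step: for each byte of a passive static field, resend the first
    frame with only that byte changed. If the device accepts other values the
    byte was merely pseudo-static; otherwise it is a genuine constant."""
    base, kinds = frames[0], []
    for start, end, kind in passive_fields(frames):
        for i in range(start, end):
            if kind == "variable":
                kinds.append("variable")
                continue
            accepted = {v for v in range(256)
                        if device(base[:i] + bytes([v]) + base[i + 1:])}
            kinds.append("constant" if accepted == {base[i]} else "variable")
    return group_runs(kinds)

if __name__ == "__main__":
    print("passive    :", passive_fields(LOW_DIVERSITY))
    print("interactive:", interactive_fields(LOW_DIVERSITY, simulated_device))
```

The passive pass reports one static field over bytes 0-2; the interactive pass keeps only byte 0 (and byte 4) as constants and reclassifies unit and addr_hi as variable, which is the field split the abstract describes.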

Key words: industrial control protocol, protocol reverse, interactive learning, protocol state machine

CLC Number: TP393.0