Computer Science (计算机科学) ›› 2015, Vol. 42 ›› Issue (11): 212-216. doi: 10.11896/j.issn.1002-137X.2015.11.044

• Information Security •

Design of Modbus TCP Industrial Control Network Protocol Abnormal Data Detection Rules Based on Snort
(基于Snort的Modbus TCP工控协议异常数据检测规则设计)

JIANG Wei-wei, LIU Guang-jie, DAI Yue-wei

  1. School of Automation, Nanjing University of Science and Technology, Nanjing 210094; Jiangsu University of Science and Technology, Zhenjiang 212003
  • Online: 2018-11-14  Published: 2018-11-14
  • Funding: Supported by the National Natural Science Foundation of China (61472188, 61103301, 61170250)

Abstract: The vulnerability of industrial control network communication protocols is the main factor that leaves industrial control networks open to attack. Modbus TCP is a typical industrial control network protocol. Starting from a vulnerability analysis of Modbus TCP, typical abnormal behaviours of the protocol are analysed and categorised according to the detection mechanisms Snort provides, and a Snort rule template for detecting abnormal Modbus TCP data flows is proposed. The Modbus TCP analysis and the rule-template design method can also be extended to networks built on other industrial control protocols, so the approach has a degree of generality.

Key words: Industrial control network security, Modbus TCP protocol, Vulnerability analysis, Snort rule template
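As an added illustration (not the paper's rule template, which the abstract only describes), the block below implements in Python the kind of per-frame checks such a Snort template encodes for Modbus TCP: MBAP header sanity, a request function-code allowlist, a write-target policy and flagging of exception responses. The frame layout follows the public Modbus Application Protocol specification and the Modbus TCP implementation guide; the policy constants (`ALLOWED_FUNCS`, `EXPECTED_UNITS`, `PROTECTED_REGS`), the helper names and the sample frames are constructed for this example, and the Snort 2.9 rule options mentioned in comments are given only as approximate equivalents.

```python
"""Modbus TCP anomaly checks of the kind a Snort rule template encodes.

Constructed example, not the paper's rule template. Frame layout follows the
public Modbus Application Protocol spec and the TCP/IP implementation guide;
the policy constants below are assumptions made up for this illustration.
"""
import struct
from dataclasses import dataclass
from typing import List

MAX_ADU_LEN = 260                   # Modbus TCP ADU upper bound (implementation guide)
MAX_LENGTH_FIELD = MAX_ADU_LEN - 6  # MBAP length counts unit id + PDU, so at most 254

# Assumed site policy (not from the paper): what counts as "normal" on this network.
ALLOWED_FUNCS = {1, 2, 3, 4, 5, 6, 15, 16}   # routine coil/register reads and writes
EXPECTED_UNITS = {1}                        # only unit 1 is expected behind this gateway
PROTECTED_REGS = range(0x1000, 0x1100)      # holding registers that must never be written


@dataclass
class Frame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes
    actual_len: int   # bytes actually present after the 6-byte MBAP prefix


def parse_adu(raw: bytes) -> Frame:
    """Split a Modbus TCP ADU into MBAP fields and PDU without trusting the length field."""
    if len(raw) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    return Frame(tid, pid, length, uid, raw[7], raw[8:], len(raw) - 6)


def write_targets(fr: Frame) -> range:
    """Address range a write request touches (empty range for non-writes)."""
    if fr.function in (5, 6) and len(fr.data) >= 2:          # single coil / single register
        start = struct.unpack(">H", fr.data[:2])[0]
        return range(start, start + 1)
    if fr.function in (15, 16) and len(fr.data) >= 4:        # multiple coils / registers
        start, qty = struct.unpack(">HH", fr.data[:4])
        return range(start, start + qty)
    return range(0)


def check(raw: bytes, to_server: bool = True) -> List[str]:
    """Apply the rule set to one ADU and return the messages of the rules that fire."""
    alerts = []
    try:
        fr = parse_adu(raw)
    except ValueError as exc:
        return [f"MALFORMED: {exc}"]

    # Header rules (Snort analogues: content:!"|00 00|"; offset:2; depth:2;  byte_test:2,>,254,4;)
    if fr.protocol_id != 0:
        alerts.append("MBAP protocol identifier is not 0")
    if not 2 <= fr.length <= MAX_LENGTH_FIELD:
        alerts.append(f"MBAP length field {fr.length} out of range")
    if fr.length != fr.actual_len:
        alerts.append(f"MBAP length {fr.length} does not match {fr.actual_len} bytes on the wire")
    if fr.unit_id not in EXPECTED_UNITS:
        alerts.append(f"unexpected unit identifier {fr.unit_id}")

    if to_server:
        # Request rules (Snort analogue with the modbus preprocessor: modbus_func:8; for diagnostics)
        if fr.function not in ALLOWED_FUNCS:
            alerts.append(f"function code {fr.function} not in allowlist")
        if fr.function == 16 and len(fr.data) >= 5:
            qty, byte_count = struct.unpack(">HB", fr.data[2:5])
            if not 1 <= qty <= 123 or byte_count != 2 * qty:
                alerts.append("write multiple registers: quantity/byte count inconsistent")
        hit = set(write_targets(fr)) & set(PROTECTED_REGS)
        if hit:
            alerts.append(f"write to protected register(s) {min(hit):#06x}-{max(hit):#06x}")
    else:
        # Response rules: exception responses (function | 0x80) reveal probing of unsupported
        # functions or addresses from the server's side of the conversation.
        if fr.function & 0x80 and fr.data:
            alerts.append(f"exception response: function {fr.function & 0x7F}, code {fr.data[0]}")
    return alerts


# Constructed sample frames (not captured traffic). Layout: tid pid len uid fc data...
SAMPLES = {
    "read_holding_ok":  bytes.fromhex("0001 0000 0006 01 03 0000 000A"),
    "bad_protocol_id":  bytes.fromhex("0002 0001 0006 01 03 0000 000A"),
    "length_overclaim": bytes.fromhex("0003 0000 00FF 01 03 0000 000A"),
    "diagnostics_req":  bytes.fromhex("0004 0000 0006 01 08 0004 0000"),  # sub-function 4: Force Listen Only Mode
    "write_protected":  bytes.fromhex("0005 0000 0006 01 06 1010 FFFF"),
    "exception_resp":   bytes.fromhex("0006 0000 0003 01 83 02"),
}

if __name__ == "__main__":
    for name, adu in SAMPLES.items():
        print(name, check(adu, to_server=not name.endswith("resp")))
```

Running the block prints which rules fire for each constructed frame. In a Snort deployment each `alerts.append` line would become one rule, with `flow:to_server,established` on the request rules and `flow:to_client,established` on the response rule so that a server's exception response is not mistaken for a client's function code 0x83.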

