Traditional industrial control networks are physically isolated and do not have to worry about security issues. However, in recent years, as the concept of industrial informatization has been proposed, industrial technology and Internet technology have gradually been integrated. More and more industrial control networks are breaking physical isolation and connecting to traditional computer networks. This change has brought efficiency improvements to industrial production, but also a series of security problems. Because traditional network security protection methods depend heavily on protocol specifications, they face a large number of private industrial control protocols that are difficult to parse when these methods are introduced into the industrial control field. Therefore, to make network security protection technology and industrial control protocols more compatible and to protect industrial control network security, this thesis puts forward a new reverse analysis method that infers the specific protocol specifications by analyzing industrial control protocol messages. The specific contents and innovations of this thesis are as follows:

(1) An unknown industrial control protocol message classification method based on key fields. In this thesis, the format of industrial control protocol messages is analyzed in detail, and it is found that the messages in a dialogue of an industrial control protocol are related in structure. To solve the problem that the category characteristics of a single industrial control protocol message are not obvious, a classification method for unknown industrial control protocol messages based on key fields is proposed. This method first extracts the association features in the message structure of a dialogue through sequence alignment and generates a state sequence that reflects these association features. Second, a voting method is used to identify key field locations from conversation messages with similar state sequences. Then a feature matrix is constructed based on the key fields. Finally, a suitable dimensionality reduction and clustering algorithm is selected to complete message classification. Compared with the binary protocol message sorting method, this method improves the classification efficiency by 3% to 15%; the specific improvement depends on the selection of parameters.

(2) An unknown industrial control protocol message segmentation method based on field redundancy. Because innovation (1) only achieves classification and does not segment messages, and because other traditional message segmentation methods do not handle the high repetition rate of different field values in industrial control protocol messages, this thesis presents a segmentation method for unknown industrial control protocol messages based on field redundancy. This method makes use of the redundant bits that are prevalent before the message section of the industrial control protocol. First, the redundant bits of the elements at different positions of each message within the same message type are counted, and the redundancy of the different positions of the message is calculated. Second, segment eigenvalues are calculated based on the redundancy. Then the field rules are found from the segment eigenvalues and the demarcation locations are determined. Finally, incorrect segments are identified and corrected according to the field characteristics of industrial control protocol messages. Compared with the NEMESYS method, this method improves the segmentation effect by more than 10% when the parameters are selected appropriately, and it also guarantees higher segmentation efficiency.