Industrial protocol protection method based on iptables u32

A network-security technique for protecting industrial protocols. It addresses the problem that stock iptables cannot recognise protocols or fields above the transport layer and therefore cannot process industrial SCADA messages carried over TCP; the method provides flexible parsing and filtering of such messages and blocks abnormal requests.

Pending Publication Date: 2021-10-19
山东云天安全技术有限公司

AI Technical Summary

Problems solved by technology

Open source firewalls are mainly used in IT networks because stock iptables matches only on network- and transport-layer fields (IP addresses, protocol number, TCP and UDP ports) and has no awareness of application-layer protocols, so it cannot process industrial SCADA messages carried over TCP.



Examples


Embodiment 1

[0056] Embodiment 1: An untrusted network node attempts to read the device identification, and the request is refused. The rule matches and filters Modbus function 43 (0x2B), MEI type 14 (0x0E), Read Device ID code 2, Object ID 0.

[0057] 1. The system receives the Modbus bytes: 00 04 00 00 00 05 01 2b 0e 02 00. According to the rules, the content is parsed as follows: transaction identifier 4 (0x0004), protocol identifier 0 (0x0000), length field 5 (0x0005), unit identifier 1 (0x01), function code 43 (0x2b), and the remaining content 0x0e0200 (0x0e is the MEI type for Read Device Identification, 0x02 is the Read Device ID code for regular device identification, and 0x00 is the Object ID).

[0058] 2. The IP protocol identification module generates the message search pointer string S1="0>>22&0x3c" (the 32-bit word at offset 0, shifted right by 22 and masked with 0x3c, yields IHL×4, the IP header length in bytes).

[0059] 3. The TCP protocol identification module generates the message search pointer string S2="@12>>26&0x3c" (the '@' moves the base to the start of the TCP header; the word at offset 12, shifted right by 26 and masked with 0x3c, yields the data offset×4, the TCP header length in bytes).

[0060] 4. The SCADA protocol reading module generates a message search pointer string. When searching for fu...

Embodiment 2

[0063] Embodiment 2: For the Modbus protocol, restarting the communications service is prohibited. The command passes through the protocol protector, which inspects the application-layer content of the Modbus packet precisely and blocks it. Two requests are filtered: the Modbus Restart Communications request (function 8, sub-function 0x01) and the request that clears the Modbus diagnostic register (function 8, sub-function 10, 0x0A):

[0064] 1. The system receives the Modbus bytes: 00 04 00 00 00 06 01 08 00 01 00 00. According to the rules, the content is parsed as follows: transaction identifier 4 (0x0004), protocol identifier 0, length field 6 (0x0006), unit identifier 1 (0x01), function code 8 (0x08), sub-function 1 (0x0001), and data 0x0000.

[0065] 2. The IP protocol identification module generates a message search pointer string S1="0>>22&0x3c".

[0066] 3. The TCP protocol identification module generates a message sear...

Embodiment 3

[0070] Embodiment 3: block clearing of the PLC diagnostic register, function 8, sub-function 10 (0x0A).

[0071] 1. The protocol protection system receives an instruction from a given address (supplementary instruction example). The Modbus bytes received by the system are: 00 04 00 00 00 06 01 08 00 01 00 00, parsed as transaction identifier 4 (0x0004), protocol identifier 0, length field 6 (0x0006), unit identifier 1 (0x01), function code 8 (0x08) and sub-function 1 (0x0001). Note that these are the Embodiment 2 bytes (Restart Communications); a request that clears the diagnostic register carries sub-function 0x000A, i.e. 00 04 00 00 00 06 01 08 00 0A 00 00, and only that byte sequence matches the pointer string S3 generated in step 4.

[0072] 2. The IP protocol identification module generates a message search pointer string S1="0>>22&0x3c".

[0073] 3. The TCP protocol identification module generates a message search pointer string S2="@12>>26&0x3c".

[0074] 4. The SCADA protocol reading module generates the message search pointer string S3="@7>>8&0xffffff=0x08000A" (after the second '@' the base is the start of the Modbus ADU; the 32-bit word at offset 7 holds the function code, the two sub-function bytes and the first data byte, and shifting the data byte out leaves 0x08000A, i.e. function 8, sub-function 0x000A).

[0075] 5. The protocol protection module generates the action string S4="-j DROP" (the text notes this can be changed to an instruction that modifies the source address)...
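All three embodiments build a single u32 expression from the same fragments: S1 hops over the IP header, S2 over the TCP header, and S3 tests the Modbus PDU at a fixed offset into the ADU. The following Python is an added example, not code from the patent or its applicant: it implements the subset of the iptables u32 grammar the embodiments use and replays the pointer strings over Modbus/TCP packets constructed inline from the bytes quoted above. The S3 fragments for Embodiments 1 and 2 (the page truncates them), the packet builder, and its addresses and ports are assumptions.

```python
"""Replay the page's iptables u32 pointer strings over constructed Modbus/TCP packets.
Added example, not the patent's code. Covers the u32 subset the embodiments use: a byte
offset, the >> << & operators, '@' re-basing, '=' with value lists or lo:hi ranges, '&&'.
"""
import re
import struct

_TOKEN = re.compile(r"@|>>|<<|&|0x[0-9a-fA-F]+|\d+")


class _NoMatch(Exception):
    """A 4-byte load ran past the end of the packet: u32 fails the whole match."""


def _load32(pkt, offset):
    if offset < 0 or offset + 4 > len(pkt):
        raise _NoMatch
    return struct.unpack_from("!I", pkt, offset)[0]


def _eval_location(pkt, location):
    """Load 4 bytes at the leading offset, then apply &, <<, >>, @ left to right."""
    tokens = _TOKEN.findall(location)
    base = 0
    value = _load32(pkt, int(tokens[0], 0))
    for op, arg in zip(tokens[1::2], tokens[2::2]):
        n = int(arg, 0)
        if op == "&":
            value &= n
        elif op == ">>":
            value >>= n
        elif op == "<<":
            value = (value << n) & 0xFFFFFFFF
        else:  # '@': the current value moves the base, then reload at base + n.
            # S1 leaves IHL*4 in value and S2 leaves data-offset*4, so the two
            # hops land on the Modbus ADU whatever options the headers carry.
            base += value
            value = _load32(pkt, base + n)
    return value


def _in_values(value, spec):
    """Right-hand side of '=': comma-separated numbers or lo:hi ranges."""
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo, 0) <= value <= (int(hi, 0) if hi else int(lo, 0)):
            return True
    return False


def u32_match(pkt, expr):
    """True iff every '&&'-joined 'location=values' test holds for the packet."""
    try:
        for test in expr.split("&&"):
            location, _, values = test.partition("=")
            if not _in_values(_eval_location(pkt, location.strip()), values.strip()):
                return False
        return True
    except _NoMatch:
        return False


def ipv4_tcp_packet(adu, ip_options=b"", tcp_options=b""):
    """Constructed IPv4/TCP frame around a Modbus ADU (assumed addresses, zero checksums,
    which u32 never reads). Options must be padded to a multiple of 4 bytes."""
    ihl, doff = 5 + len(ip_options) // 4, 5 + len(tcp_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + doff * 4 + len(adu),
                     4, 0, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 502, 1, 1, doff << 4, 0x18, 8192, 0, 0)
    return ip + ip_options + tcp + tcp_options + adu


# Pointer strings quoted in the embodiments (Abstract steps S1-S5).
S1 = "0>>22&0x3c"                          # IHL*4: hop to the TCP header
S2 = "@12>>26&0x3c"                        # data offset*4: hop to the Modbus ADU
S3_CLEAR_DIAG = "@7>>8&0xffffff=0x08000A"  # Embodiment 3: fn 8, sub-fn 0x000A
# Assumed S3 fragments for Embodiments 1 and 2, which the page truncates.
S3_READ_DEVICE_ID = "@7=0x2b0e0200"           # fn 43, MEI 0x0e, read code 2, object 0
S3_RESTART_COMMS = "@7>>8&0xffffff=0x080001"  # fn 8, sub-fn 0x0001


def rule(s3):
    """The complete --u32 argument: the three fragments are concatenated."""
    return S1 + S2 + s3


# Constructed ADUs: the bytes quoted in the embodiments plus one benign read.
ADU_READ_DEVICE_ID = bytes.fromhex("000400000005012b0e0200")   # Embodiment 1
ADU_RESTART_COMMS = bytes.fromhex("000400000006010800010000")  # Embodiments 2/3 as printed
ADU_CLEAR_DIAG = bytes.fromhex("0004000000060108000a0000")     # what S3_CLEAR_DIAG matches
ADU_READ_HOLDING = bytes.fromhex("000400000006010300000001")   # fn 3: must pass

if __name__ == "__main__":
    for name, adu in [("read device id", ADU_READ_DEVICE_ID), ("restart comms", ADU_RESTART_COMMS),
                      ("clear diag", ADU_CLEAR_DIAG), ("read holding", ADU_READ_HOLDING)]:
        verdict = "DROP" if u32_match(ipv4_tcp_packet(adu), rule(S3_CLEAR_DIAG)) else "pass"
        print(f"{name:15s} {verdict}")
```

On a Linux bridge or router the Embodiment 3 rule is `iptables -A FORWARD -p tcp --dport 502 -m u32 --u32 "0>>22&0x3C@12>>26&0x3C@7>>8&0xFFFFFF=0x08000A" -j DROP`; the script shows that only the sub-function 0x0A request is dropped, while the bytes printed in Embodiment 3 (sub-function 0x01) pass it. Two properties of the u32 match matter in practice: it is stateless and per packet, so a PDU that starts in the middle of a segment (several ADUs coalesced into one segment) or is split across segments is not seen by a fixed-offset test, and a load that runs past the end of a short packet simply fails the match. Because of the first property, an allow-list of permitted function codes with a default drop, e.g. `-m u32 ! --u32 "0>>22&0x3C@12>>26&0x3C@7>>24=1:4" -j DROP`, is stronger than deny-listing individual dangerous sub-functions.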



Abstract

The invention relates to the technical field of network security, in particular to an industrial protocol protection method based on iptables u32, comprising the following steps: S1, an IP protocol identification module extracts the header length field (IHL) from the IP header and multiplies it by 4 to obtain the header length in bytes; S2, the message retrieval pointer uses this value to jump to the beginning of the TCP header; S3, a TCP protocol identification module extracts the header length field (data offset) from the TCP header and multiplies it by 4 to obtain the header length in bytes; S4, the message retrieval pointer uses this value to jump to the beginning of the SCADA message; and S5, the MODBUS protocol reading module specifies an offset from the beginning of the SCADA message and matches the bytes at that offset against the required value. The beneficial effect of the method is that the iptables u32 module can parse and filter the industrial protocol directly and flexibly without programming.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to an industrial protocol protection method based on iptables u32.

Background technique

[0002] At present, the main technical solution for protecting industrial protocols is the industrial firewall, one of the most widely used security devices for protecting industrial network communications. Industrial firewalls secure the whole industrial control system by preventing illegal or abnormal traffic from entering the industrial control network and reaching the protected industrial assets. Implementing industrial firewall software requires programming on top of the Linux kernel.

[0003] Common industrial firewalls support in-depth analysis of ICS-related protocols, but they are very expensive; sometimes the price of the industrial firewall equipment exceeds that of the asset being protected. Open source firewalls are mainly used in IT net...


Application Information

IPC(8): H04L29/06
CPC: H04L69/22, H04L63/0236
Inventors: 孙晓鹏张雨和希文曹璐李峰王绍密孙瑞勇候绪森李艳虎水沝
Owner: 山东云天安全技术有限公司