基于Snort的Modbus TCP工控协议异常数据检测规则设计.pdfVIP

第 42 卷第11 期 计算机科学 Vo l. 42 No. 11 2015 年 11 月 Computer Science Nov 2015 基于 Snort 的 Modbus TCP 工控协议异常数据检测规则设计 姜伟伟l 刘光杰l 戴跃伟1.2 (南京理工大学自动化学院 南京 210094)1 (江苏科技大学 镇江 212003)2 摘 要 工业控制网络通信协议的脆弱性是导致工控网络遭受攻击的主要因素。 Modbus TCP 是工控网络的典型通 信协议。在对 Modbus TCP 协议进行脆弱性分析的基础上，结合Snort 检测机制对典型的异常行为进行归类，提出了 一种用于 Snort 的 Modbus TCP 协议异常数据流检测模板。 Modbus TCP 的分析和规则模板的设计方法也可推广至 其他基于工业控制协议的网络，具有一定的普适性。 关键词 工控网络安全，Modbus TCP 协议，脆弱性分析，Snort 规则模板 中图法分类号 TP393.08 文献标识码 A 001 10. 11896/j. is皿 1002-137X 2015. 11. 044 D四i伊 of Modbus TCP Industr刨Control Network Prot悦。I Abnonnal Data Detection Rul臼 Based on Snort JIANG Wei-weF LIU Guang-jiel DAI Yue-wei 1.2 (Sch∞1 of Automation ,Nanjing University of Science and Technology ,Nanjing 210094 ,China) 1 (]iangsu University of Science and Technology ,Zhenjiang 212003 ,China)2 Abstract The vulnerability of industrial control network communication protocol is the main reason on industrial con- trol network suffering from attacks. The vulnerability of Modbus TCP which is the typical industrial control network communication protocol was analyzed and synthesized. The abnormal behaviors of Modbus TCP were analyzed and cate- gorized according to the detection mechanisms exploited by Snort ,and the detection rule template defined in Snort for anomaly Modbus TCP data was constructed. According to the corresponding 缸咀lysis ， the rule template designing method can be generally extended to other network-based industrial control protocols. Keywords lndustrial control network security ,Modbus TCP protocol ,Vulnerability analysis , Snort rule template