Protocol security is an important part of industrial control system (ICS) information security, and correct recognition of non-standard protocol formats is the foundation of protocol security analysis. Based on the current state of the ICS industry and on the characteristics of ICS protocols (fixed structure, repetitive transmission, limited semantics), a reverse recognition method for non-standard ICS protocols based on network traffic is proposed. Single-message processing performs preliminary tokenization and clustering, multi-message processing performs message sequence alignment, and semantics are inferred for key fields, finally yielding the protocol format. Verification results show that the method recognizes non-standard ICS protocol formats well.
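The multi-message comparison and key-field inference steps can be illustrated with a simplified sketch; this is an added example, not the paper's algorithm or code. It assumes messages are already aligned by byte offset (standing in for sequence alignment), and the sample protocol, the `build` helper and the role names are all constructed for illustration.

```python
# Constructed sample traffic for a made-up protocol (not from the paper):
# magic A5 5A | total length | sequence counter | function code | payload
def build(seq, func, payload):
    return bytes([0xA5, 0x5A, 5 + len(payload), seq, func]) + bytes(payload)

SAMPLES = [
    build(0xFE, 0x03, [0x11, 0x80]),
    build(0xFF, 0x10, [0x47, 0x13, 0x22]),
    build(0x00, 0x03, [0x9C, 0x55]),
    build(0x01, 0x03, [0x02, 0xAA, 0x01, 0x7F]),
    build(0x02, 0x10, [0xE0, 0x07, 0x33]),
    build(0x03, 0x03, [0x35, 0xC1]),
]

def classify_offsets(messages):
    """Label each byte offset present in every message with an inferred role."""
    width = min(len(m) for m in messages)
    roles = {}
    for off in range(width):
        col = [m[off] for m in messages]
        if len(set(col)) == 1:
            roles[off] = "constant"   # fixed structure: magic or padding
        elif all(v == len(m) for v, m in zip(col, messages)):
            roles[off] = "length"     # value tracks the message size
        elif all((b - a) % 256 == 1 for a, b in zip(col, col[1:])):
            roles[off] = "counter"    # increments per message, wraps at 0xFF
        elif len(set(col)) <= max(2, len(messages) // 3):
            roles[off] = "enum"       # limited semantics: few distinct codes
        else:
            roles[off] = "data"
    return roles

def infer_format(messages):
    """Merge adjacent offsets with the same role into (start, end, role) fields."""
    fields = []
    for off, role in sorted(classify_offsets(messages).items()):
        if fields and fields[-1][2] == role:
            fields[-1] = (fields[-1][0], off, role)
        else:
            fields.append((off, off, role))
    return fields

if __name__ == "__main__":
    for start, end, role in infer_format(SAMPLES):
        print(f"bytes {start}-{end}: {role}")
```

Only offsets present in every captured message are classified, so payload bytes past the shortest message are left out of the inferred format.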