基于组合扫描的无状态工控设备资产探测方法

Stateless Industrial Control Equipment Asset Detection Method Based on Combined Scanning

全面探测工控设备资产信息、了解资产状态是确保工业控制系统安全的重要前提。端口探活是进行资产探测的第一步,端口探活的准确率和效率将直接影响资产探测的性能。为提升端口探活的速度和准确性,提出了一种基于组合扫描的异步无状态端口扫描方法。通过构造组合扫描数据包,解决工控设备因禁ping导致主机探活准确率降低的问题,同时建立发送数据包线程和接收数据包线程,实现组合扫描数据包的异步处理,消除了传统无状态扫描的回复等待时间,缩短了端口探活时间。最后以Modbus协议为例,构造了资产请求数据包,并分析了数据包中主要字段和功能。测试结果表明,提出的资产探测方法在端口探活阶段单位时间内可以探测到更多的设备,同时能在较短的时间内完成完整资产信息的探测,在探测准确度和探测时间方面都得到了提升。

Comprehensive detection of the asset information of industrial control equipment and understanding the asset status is an important prerequisite to ensure the safety of industrial control system.Port detection is the first step of asset detection.The accuracy and efficiency of port detection will directly affect the performance of asset detection.In order to improve the speed and accuracy of port detection,an asynchronous stateless port scanning method based on combined scanning is proposed.By constructing combined scanning data packets,the problem that the accuracy rate of host detection is reduced due to the prohibition of Ping in industrial control equipment is solved.At the same time,a sending packet thread and a receiving packet thread are established to realize asynchronous processing of combined scanning packets,which eliminates the reply waiting time of traditional stateless scanning and shortens the port detection time.Finally,taking Modbus protocol as an example,the asset request data packet is constructed,and the main fields and functions in the data packet are analyzed.The test results show that the proposed asset detection method can detect more equipment per unit time in the port detection stage,and complete the detection of complete asset information in a shorter time,which improves the detection accuracy and detection time.