
A Vulnerability Mining Method For Industrial Control Network Protocol Based On Fuzz Testing

Posted on: 2019-01-21
Degree: Master
Type: Thesis
Country: China
Candidate: K X Yang
Full Text: PDF
GTID: 2428330593450314
Subject: Computer Science and Technology
Abstract/Summary:
With the deep integration of informatization and industrialization, Industrial Control Systems (ICS) have progressively adopted information and Internet technologies. This has improved enterprise efficiency, but it has also increased the security risk to ICS, and in recent years cyberattacks on ICS have become increasingly frequent. ICS form part of national critical infrastructure, so the network security of ICS bears directly on national security and has become a key research topic in the security field. Analysis of the ICS attacks of recent years shows that security vulnerabilities are the main cause of ICS security hazards: attackers exploit these vulnerabilities to attack ICS. To overcome the difficulties of applying traditional vulnerability mining methods to ICS, this thesis adopts a fuzz testing method based on industrial control network protocols, organized in three parts.

First, to generate targeted test cases, ICS vulnerabilities were classified and the key features of each category were extracted from publicly available ICS vulnerability information. Test-case variation (mutation) factors for industrial control network protocols, together with a method for executing them, were proposed. The data values of the variation factors are mapped by a roulette-wheel selection strategy and interval normalization, which simplifies the random selection process.

Second, to fuzz public industrial control protocols effectively, Modbus TCP was taken as the representative public protocol. On the basis of the protocol specification, the features of a single packet and the relation between request and response were analysed. Using the dependencies among Modbus TCP protocol features, a Modbus TCP test-case generation strategy combining the variation factors was proposed. Whether the response data is normal is detected from the request/response feature relation together with a bypass monitoring method, and an attribute reduction algorithm based on the discernibility matrix is used to determine the key protocol features that lead to an abnormality.

Third, to fuzz private (proprietary) industrial control protocols effectively, the byte carrying the function-identifier feature was used as the dividing byte: the private protocol data set was classified by it and a tree was built. Fuzz testing and abnormality monitoring were then carried out using a probability-statistics method over variable byte values, a length-field learning method, the Apriori algorithm and the Needleman-Wunsch algorithm.

An industrial control network protocol fuzz testing system was designed and implemented, and real industrial control equipment was fuzzed with it. The experimental results of the Modbus TCP fuzz testing method were compared with those of a traditional fuzzer. Detecting and analysing the abnormalities of the Modbus TCP protocol stack, learning the protocol features of the private protocol data set, and analysing both the feature learning results and the fuzz testing results showed that the method performs well at learning the features of private industrial control protocols and at detecting vulnerabilities in industrial control network protocols.
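The following is an added worked example, not code from the thesis or its fuzz testing system. It illustrates the Modbus TCP part of the method described above in one pass: roulette-wheel selection of a variation factor, test-case generation for the Read Holding Registers function (0x03), response checking against the request/response relations fixed by the Modbus TCP specification (transaction id and unit id echoed, protocol id 0, MBAP length equal to the byte count that follows, function code echoed or echoed with bit 7 set plus a one-byte exception code), and a discernibility-matrix attribute reduction over the recorded cases. The factor weights, the four-feature attribute set and the `toy_responder` (a constructed stand-in for a device protocol stack with one planted defect: it stops answering when the MBAP length exceeds the 260-byte frame limit) are assumptions made for this example; the thesis fuzzed real equipment.

```python
import itertools
import random
import struct

# Variation (mutation) factors with selection weights. The weights are an
# assumption for illustration; the thesis derives them from its vulnerability classification.
FACTORS = {
    "oversize_length": 5,   # MBAP length field far larger than the real PDU
    "undersize_length": 3,  # MBAP length field smaller than the real PDU
    "bad_function": 4,      # unsupported function code
    "huge_quantity": 6,     # register count above the spec limit of 125
    "boundary_address": 2,  # start address 0xFFFF, so address + count overflows
}

def roulette_select(weights, rnd=random.random):
    """Roulette-wheel selection: the weights are normalized into adjacent
    intervals of [0, total) and one uniform draw picks the factor whose
    interval it lands in."""
    total = sum(weights.values())
    r, acc = rnd() * total, 0.0
    for name, w in weights.items():
        acc += w
        if r < acc:
            return name
    return name  # guard against floating-point rounding at the top edge

def build_read_holding(tid, unit, addr, qty, factor=None):
    """Build a Read Holding Registers (0x03) request with one factor applied.
    Returns the raw frame plus the feature values used for reduction later."""
    func = 0x7F if factor == "bad_function" else 0x03
    qty = 0xFFFF if factor == "huge_quantity" else qty
    addr = 0xFFFF if factor == "boundary_address" else addr
    pdu = struct.pack(">BHH", func, addr, qty)
    length = {"oversize_length": 0xFFFF, "undersize_length": 1}.get(factor, 1 + len(pdu))
    frame = struct.pack(">HHHB", tid, 0, length, unit) + pdu
    return frame, {"func": func, "addr": addr, "qty": qty, "length": length}

def check_response(request, response):
    """Classify a response by the spec-fixed request/response relations:
    ids echoed, protocol id 0, length consistent, function code echoed or
    echoed with bit 7 set followed by a one-byte exception code."""
    if response is None:
        return "no_response"                  # hang or crash
    if len(response) < 9:
        return "truncated"
    tid, pid, length, unit = struct.unpack(">HHHB", response[:7])
    rtid, _, _, runit = struct.unpack(">HHHB", request[:7])
    if (tid, pid, unit) != (rtid, 0, runit):
        return "header_mismatch"
    if length != len(response) - 6:
        return "length_mismatch"
    if response[7] == request[7]:
        return "normal"
    if response[7] == (request[7] | 0x80) and len(response) == 9:
        return "exception"                    # spec-conformant refusal, not a bug
    return "malformed"

def toy_responder(request):
    """Constructed stand-in for a device stack (assumption, no real equipment).
    Follows the spec except for one planted defect: MBAP length > 260 hangs it."""
    tid, _, length, unit = struct.unpack(">HHHB", request[:7])
    if length > 260:
        return None                           # planted defect
    func, addr, qty = struct.unpack(">BHH", request[7:12])
    head = lambda n: struct.pack(">HHHB", tid, 0, n, unit)
    if func != 0x03:
        return head(3) + bytes([func | 0x80, 0x01])   # illegal function
    if addr + qty > 0x10000:
        return head(3) + bytes([func | 0x80, 0x02])   # illegal data address
    if not 1 <= qty <= 125:
        return head(3) + bytes([func | 0x80, 0x03])   # illegal data value
    data = b"\x00\x00" * qty
    return head(3 + len(data)) + bytes([func, len(data)]) + data

def fuzz(responder, rounds, seed=0):
    """Roulette-driven fuzz loop; returns (factor, features, verdict) per case."""
    rng = random.Random(seed)
    records = []
    for tid in range(rounds):
        factor = roulette_select(FACTORS, rng.random)
        frame, feats = build_read_holding(tid, 1, 0, 10, factor)
        records.append((factor, feats, check_response(frame, responder(frame))))
    return records

def attribute_reduct(records):
    """Discernibility-matrix attribute reduction: for every pair of cases in
    different outcome classes, record the features on which they differ; a
    reduct is a smallest feature set hitting every entry, i.e. the key
    features that separate abnormal cases from normal ones."""
    attrs = ["func", "addr", "qty", "length"]
    abnormal = lambda v: v not in ("normal", "exception")
    entries = {frozenset(k for k in attrs if a[k] != b[k])
               for (_, a, va), (_, b, vb) in itertools.combinations(records, 2)
               if abnormal(va) != abnormal(vb)}
    for size in range(len(attrs) + 1):
        for subset in itertools.combinations(attrs, size):
            if all(e & set(subset) for e in entries):
                return set(subset)
    return set(attrs)
```

Running `fuzz(toy_responder, 200)` against the planted defect yields "no_response" verdicts only for the oversize-length factor, and `attribute_reduct` over those records returns `{"length"}`: the MBAP length field is the single feature that separates the abnormal cases from the normal ones. Against a real device the responder is a TCP socket plus a timeout, and the bypass monitoring the thesis describes (checking device liveness out of band) would complement the in-band `no_response` verdict, since a crashed stack and a dropped connection look the same from the fuzzer's socket.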
Keywords/Search Tags: Industrial Control System, Industrial Control Network Protocol, Fuzz Testing, Vulnerability Mining, Modbus TCP Protocol