
A Vulnerability Mining Method For Industrial Control Network Protocol Based On Anti-sample

Posted on: 2021-07-11  Degree: Master  Type: Thesis
Country: China  Candidate: H J Gao  Full Text: PDF
GTID: 2518306470468834  Subject: Computer technology
Abstract/Summary:
With the rapid development of computer networking, the deep integration of industrialization and informatization, and the rapid advance of Internet of Things technology, the Industrial Control System (ICS) has become the core control system of national critical infrastructure. At present the vast majority of ICS deployments in China have no protective measures at all and face serious security risks, so building an efficient vulnerability mining (fuzzing) technique for ICS is a pressing task. Modbus TCP is widely used in ICS, and traditional vulnerability mining methods for Modbus TCP suffer from weak vulnerability discovery ability and a low reception rate (the share of generated test cases that the device accepts as valid frames). This thesis takes the Modbus TCP protocol as the vulnerability mining target and, combining the strong field dependencies within Modbus TCP with the sequential modelling ability of a Recurrent Neural Network (RNN), proposes a vulnerability mining method based on an anti-sample algorithm. The work has three parts:

(1) A probability distribution based on an RNN is proposed to represent the regularity of the data values of each register. In Modbus TCP, the protocol data unit (PDU) carries the register address field used to access the industrial control device, and the data value of that field represents the specific operation the device is to perform on that register. The RNN is therefore trained to learn the semantics of the PDU, and a Softmax layer outputs a probability distribution matrix over data values. This lets the RNN distinguish the data values that occur frequently from those that occur infrequently in each register, which is what the anti-sample algorithm uses to generate test cases.

(2) A generation strategy based on the anti-sample algorithm is proposed to increase the chance of discovering unknown vulnerabilities. Different register addresses carry different meanings, and each register has its own data values. A data value that appears frequently has already been exercised many times, so the chance of finding a new vulnerability with it is very low, whereas a data value that appears infrequently has a better chance of exposing one. In the probability distribution matrix, the data value with the maximum probability is the frequent one and the data value with the minimum probability is the infrequent one. For each probability matrix a random threshold is drawn, the threshold is compared with the maximum probability, and the outcome of that comparison decides whether the test case uses the frequent data value or an infrequent one. Each time a test case is sent, the state of the industrial control device is observed to see whether the test case causes an abnormal response, which is how protocol vulnerabilities are found.

(3) A test case generation model for Modbus TCP is proposed to produce efficient test cases. First the RNN is built and iteratively trained, fixing the weight parameters of each layer and learning the data value rules of the different registers. Then the probability matrix and the anti-sample algorithm are used to generate test cases that raise the chance of discovering unknown vulnerabilities.

The vulnerability mining method implemented from these three parts is called Anti-sample Fuzzer. Experiments on industrial control devices with Anti-sample Fuzzer show that it improves both the reception rate of test cases and the vulnerability discovery ability, and also detects vulnerabilities in industrial control protocols more quickly, thereby overcoming the low reception rate and weak vulnerability discovery ability of traditional methods.
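The three steps above (learn a per-register value distribution, pick a frequent or infrequent value by comparing a random threshold with the maximum probability, send the frame and classify the device's reaction) as one runnable sketch. This is an added example, not the thesis's Anti-sample Fuzzer code: the RNN with Softmax output is replaced by a count-based estimator over constructed traffic so the block runs offline, the direction of the threshold comparison (deviate to the rare value when the threshold is below the maximum probability) is an assumption because the abstract does not state it, and the PLC is a constructed stand-in that echoes writes to known holding registers and returns Modbus exception 0x02 for unknown ones. The frame layout (MBAP header followed by a Write Single Register PDU, function code 0x06) is standard Modbus TCP.

```python
"""Anti-sample-style Modbus TCP test-case generation (added example, not the thesis's code)."""
import random
import struct
from collections import Counter, defaultdict

# Constructed training traffic (not captured from a real PLC): (register, value) pairs.
# Register 0x0001 is dominated by 0x0001; 0x00FF is the rare value the fuzzer should favour.
TRAFFIC = ([(0x0001, 0x0001)] * 40 + [(0x0001, 0x0000)] * 8 + [(0x0001, 0x00FF)] * 2
           + [(0x0002, 0x1234)] * 30 + [(0x0002, 0x0000)] * 5)


def learn_distribution(traffic):
    """{register: {value: probability}}; count-based stand-in for the RNN's Softmax matrix."""
    counts = defaultdict(Counter)
    for reg, val in traffic:
        counts[reg][val] += 1
    return {reg: {v: n / sum(c.values()) for v, n in c.items()}
            for reg, c in counts.items()}


def choose_value(dist, t):
    """Anti-sample choice for one register given a drawn threshold t in [0, 1).

    Assumed rule: when t < p_max deviate to the least probable value (the more dominant
    the frequent value, the more often we leave it); otherwise keep the frequent value
    so the frame stays plausible and the device accepts it (the 'reception rate').
    """
    p_max = max(dist.values())
    frequent = max(dist, key=dist.get)
    rare = min(dist, key=dist.get)
    return rare if t < p_max else frequent


def build_write_single_register(tid, unit, reg, val):
    """Modbus TCP frame: MBAP header + Write Single Register (FC 0x06) PDU."""
    pdu = struct.pack(">BHH", 0x06, reg, val)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # length covers unit id + PDU
    return mbap + pdu


def classify_response(request, response):
    """Label the device state after a test case, as the thesis observes it."""
    if response is None:
        return "no_response"                  # timeout or hang: the interesting case
    if len(response) < 8 or response[:2] != request[:2]:
        return "malformed"                    # too short or transaction id mismatch
    fc = response[7]
    if fc & 0x80:
        return "exception:%d" % response[8]   # Modbus exception code follows fc|0x80
    return "normal" if response == request else "unexpected"   # FC06 echoes the request


class SimulatedDevice:
    """Constructed stand-in for a PLC (assumption): echoes writes to known holding
    registers and returns exception 0x02 (illegal data address) for unknown ones."""

    def __init__(self, registers):
        self.registers = dict(registers)

    def handle(self, frame):
        tid, _, _, unit, fc, reg, val = struct.unpack(">HHHBBHH", frame)
        if reg not in self.registers:
            return struct.pack(">HHHBBB", tid, 0, 3, unit, fc | 0x80, 0x02)
        self.registers[reg] = val
        return frame


def fuzz(device, dist_by_reg, rounds, seed=0):
    """Send `rounds` test cases per register and tally the observed device states."""
    rng = random.Random(seed)
    tally = Counter()
    tid = 0
    for reg, dist in dist_by_reg.items():
        for _ in range(rounds):
            tid = (tid + 1) & 0xFFFF
            frame = build_write_single_register(tid, 1, reg, choose_value(dist, rng.random()))
            tally[classify_response(frame, device.handle(frame))] += 1
    return tally


if __name__ == "__main__":
    model = learn_distribution(TRAFFIC)
    print(fuzz(SimulatedDevice({0x0001: 0, 0x0002: 0}), model, rounds=20))
```

Against a real target, `SimulatedDevice.handle` would be replaced by a socket send/receive with a timeout so that `classify_response` can see `None` for a hung device; "no_response" and "unexpected" are the states to triage first, while "exception:2" is the device correctly rejecting an address it does not expose.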
Keywords/Search Tags:Industrial control system, Modbus TCP protocol, Recurrent Neural Network, Probability distribution, Vulnerability mining