Abstract:
In recent years, the security incidents of the industrial Internet have become more frequent, especially the industrial control systems (ICS), which reveals that there are already many hidden security risks in ICS. Meanwhile, most of the attack and defense methods against those ICS security risks need to analyze the industrial control protocol. However, most of the private industrial control protocols in ICS have typical characteristics that are completely different from ordinary Internet protocols, such as structure, field accuracy and periodicity, and as a result, those reverse analysis techniques for Internet protocols are generally not directly applicable to industrial control protocols. Therefore, the reverse analysis technology for industrial control protocols has become a research hotspot in academia and industry recently. In the paper, firstly, the structural characteristics of industrial control protocols are illustrated and summarized with two typical industrial control protocols. Secondly, we introduce the frameworks for reverse analysis of industrial control protocols, and deeply analyze the characteristics of frameworks based on program execution and packet sequence respectively. Then the industrial control protocols reverse methods based on packet sequence are analyzed and compared in detail from multiple perspectives, such as the degree of human-computer participation and the extraction method of protocol format. Finally, we discuss the characteristics and shortcomings of the existing reverse analysis methods, and prospect and analyze the future research directions of industrial control protocol reverse analysis technology.