A Modbus/TCP communication method is proposed, benefit both from the shared memory ferry based isolation and deep protocol data filtering.Xen virtualization technologybased Shared memory ferry wasproposed to providenon-routable isolation between industrial control system (ICS) management network and field network against the attacks on TCP or lower layers,while application layer's behavior and connection features oriented deep packet filtering strategies were proposed against Modbus/TCP application layer threats.The experiment showed the threats can be dealt successfully with read and write bandwidth of 56.54 MB/sand 57.1 MB/s, which meets ICS network security and performance requirements.To our knowledge, there is as yet no paper in the open literature to combine the virtualization based shared memory ferrywith feature filtering strategies for ICS secure communication.%结合物理摆渡隔离和逻辑协议过滤技术的优点,提出了1种基于共享内存摆渡的Modbus/TCP网络安全通信方法.采用基于共享内存的Xen虚拟机间通信方式实现ICS控制网和现场网的隔离.针对Modbus/TCP通信栈面临的安全威胁,采用无路由的内存摆渡隔离机制过滤底层协议攻击,针对应用层行为和连接特征提出了较为完善的深度包过滤策略.实验实现的隔离过滤平台表明,所提方法能针对Modbus/TCP协议数据进行有效的安全过滤,数据交换读写带宽分别为56.54 MB/s和57.1 MB/s,通信效率较高.所提方法能满足工业控制网络性能和安全的双重需求.据本文作者了解,目前还没有其它公共文献使用基于虚拟化技术的共享内存摆渡方法和流量特征过滤策略提出工控环境安全通信方法.
展开▼
