Journal of Information Security Reserach ›› 2022, Vol. 8 ›› Issue (12): 1198-.

Previous Articles     Next Articles

Research and Implementation of Scalable Web Vulnerability Scanning Tool in Smart Microgrid

  

  • Online:2022-12-03 Published:2022-12-01

智能微电网中具有可扩展性的Web漏洞扫描工具研究与实现

廖微   

  1. (军事科学院系统工程研究院军事新能源技术研究所北京102300)
  • 通讯作者: 廖微 硕士,副研究员.主要研究方向为新能源与微电网. 1063000160@qq.com
  • 作者简介:廖微 硕士,副研究员.主要研究方向为新能源与微电网. 1063000160@qq.com

Abstract: As a new type of distributed power system, smart microgrid integrates traditional power transmission and distribution technology with intelligent integrated energy management system. As the control center, the microgrid energy management system (MGEMS) needs to use internet technology to collect and process a large amount of realtime data for dispatching decisionmaking and management control. Once there are vulnerabilities in the Web application, the attacker can attack the system server, steal power data and even disrupt the normal transmission and distribution of power. Aiming at the Web security involved in the smart microgrid system, this paper designs and implements a more comprehensive vulnerability detection framework. Users can freely select a scanning engine or perform automated vulnerability scanning to assist security personnel in vulnerability detection. The functions inside the framework are encapsulated as independent API interfaces for users to subsequently extend functions or write plugins. Considering the system overhead and resource occupancy, we use coroutine technology to avoid meaningless scheduling and improve detection performance. Finally, we conduct an attack test on an actual website. The experimental results show that the framework can realize functions such as password blasting and fuzzing, which can effectively detect vulnerabilities in the Web system.

Key words: smart microgrid, Web security, vulnerability scan, vulnerability detection, coroutine

摘要: 智能微电网作为一种新型的分布式电力系统,整合了传统的输配电技术和智能化的集成能源管理系统.作为控制中枢,微电网能量管理系统(MGEMS)需要借助互联网技术收集和处理大量的实时数据,进行调度决策和管理控制.一旦其中的Web应用存在漏洞,攻击者就能够攻击系统服务器,窃取电力数据甚至扰乱电能的正常传输与配送.针对智能微电网系统中涉及到的Web安全,设计并实现了一个较为全面的漏洞检测框架,可以由用户自由选择扫描引擎或进行自动化的漏洞扫描,以辅助安全人员进行漏洞检测.框架内部的功能封装为独立的API接口,供使用者后续扩展功能或编写插件.考虑到系统开销和资源占用,使用协程技术避免无意义的调度,提升检测性能.最后,对实际网站进行了攻击测试,实验结果显示该框架能实现密码爆破、模糊测试等功能,并能有效地检测Web系统中存在的漏洞.关键词


关键词: 智能微电网, Web安全, 漏洞扫描, 漏洞检测, 协程