Thesis information

Title (Chinese, translated): Research on Fuzzing-Based Vulnerability Mining Methods for Industrial Control Protocols

Author: 王浩芦

Student ID: 19308208016

Confidentiality level: Public

Thesis language: chi

Discipline code: 085212

Discipline: Engineering (工学) - Engineering (工程) - Software Engineering

Student type: Master's

Degree level: Master of Engineering

Degree year: 2022

Degree-granting institution: Xi'an University of Science and Technology

School: School of Computer Science and Technology

Major: Software Engineering

Research direction: Vulnerability mining

First supervisor: 于振华

First supervisor's institution: Xi'an University of Science and Technology

Submission date: 2022-06-22

Defense date: 2022-06-07

Title (English): Vulnerability Mining of Industrial Control Protocol Based on Fuzzing

Keywords (Chinese, translated): industrial control protocol ; generative adversarial network ; vulnerability mining ; fuzzing ; mutation strategy

Keywords (English): Industrial Network Protocol ; Generative Adversarial Network ; Vulnerability Mining ; Fuzzing ; Mutation Strategy

Abstract (Chinese, translated):

As industrial control systems (ICS) have become more widely deployed, industrial production efficiency has improved markedly. Industrial control protocols serve as the bridge for communication between the different devices and components of an ICS, but latent vulnerabilities and defects in these protocols leave them exposed to attack. To reduce the threat of network attacks, effective vulnerability mining techniques are urgently needed to discover potential vulnerabilities in industrial control protocols in time, which is of great significance for ICS security.

Fuzzing is a commonly used vulnerability mining method and has already been applied to industrial control protocols, but existing approaches still have several problems: (1) most existing fuzzing methods for industrial control protocols are built on traditional fuzzing frameworks, and the test cases they feed into the target system achieve low pass rates and low coverage; (2) the mutation methods used in fuzzing are to some extent blind, lacking the support of efficient and diverse mutation strategies; (3) the methods demand a high level of expertise from testers, and there is no highly automated vulnerability mining framework to reduce manual effort and raise the efficiency of vulnerability mining.

To address these problems, this thesis carries out the following research:

(1) To address the low pass rate and low coverage of generated test cases in industrial control protocol fuzzing, a coverage-guided generative adversarial network (GAN) method for test case generation is proposed. To raise the coverage of test cases, a coverage-guided sequence GAN is designed, which generates test cases with a high pass rate; a filtering algorithm that uses test case similarity as its metric reduces redundancy among test cases; and a random mutation strategy is introduced to mutate test cases, increasing their diversity and the probability of discovering vulnerabilities. Comparative experiments show that this method effectively improves both the coverage and the pass rate of test cases.

(2) After analysing the shortcomings of existing test case mutation strategies, a Multi-Arm Bandit based mutation strategy for industrial control protocol fuzzing is proposed. The test case mutation process is modelled as a Multi-Arm Bandit problem, which steers the strategy toward mutation operations with a high value return and so reduces the blindness of mutation; combining multiple mutation operations raises the diversity of test cases. The strategy was evaluated in DNP3 and Modbus simulation environments, and the results show that it effectively improves the efficiency of test case mutation.

(3) On the basis of the proposed methods, a fuzzing framework for industrial control protocols is designed and a corresponding prototype system is developed, implementing data collection, test case generation, system logging, vulnerability exploitability analysis and other functions. The prototype lowers the expertise barrier for industrial control protocol fuzzing and raises the efficiency of vulnerability mining.

Abstract (English):

With the extensive application of industrial control systems, the efficiency of industry has been significantly improved. However, industrial control protocols, as the bridge between the different parts of an industrial control system, are vulnerable to attack because of their vulnerabilities. Therefore, it is important for the security of national and public facilities to find potential vulnerabilities in industrial control protocols by using efficient vulnerability mining methods.

Fuzzing is a common vulnerability mining method. However, when traditional fuzzing methods are applied to mine vulnerabilities in industrial control protocols, the following problems remain: (1) most available studies use traditional fuzzing methods, and the few that combine deep learning rarely provide effective metrics to guide the models, which causes a low pass rate and low code coverage after the test cases are input into the system; (2) random mutation strategies in fuzzing are blind, and lack effective and diversified mutation strategy support; (3) fuzzing of industrial control protocols places high demands on testers and lacks a highly automated vulnerability mining framework to improve fuzzing efficiency.

To address the above problems, the following studies are carried out in this thesis:

(1) To address the low pass rate and low code coverage in fuzzing industrial control protocols, a coverage-guided generative adversarial network test case generation method is proposed. The method applies a sequence generative adversarial network to generate test cases with a high pass rate. Test case redundancy is reduced by a diversity filter algorithm based on test case similarity. A random mutation strategy is introduced to mutate test cases, improving their diversity and the probability of finding vulnerabilities. Experiments show that this method effectively improves the code coverage and pass rate of test cases.

(2) After analyzing the defects of existing mutation strategies, we propose a Multi-Arm Bandit based mutation strategy for fuzzing industrial control protocols. By modeling the test case mutation process as a Multi-Arm Bandit problem, the strategy is guided to select mutation operations with high reward, reducing its blindness. The diversity of test cases is improved by combining the individual mutation operations. Experimental analysis shows that this strategy improves the efficiency of test case mutation when fuzzing DNP3 and Modbus, respectively.

(3) Based on the proposed methods, we design a fuzzing framework for industrial control protocols and build its prototype system, which includes a data collection module, a test case generation module, a system log recording module, a vulnerability analysis module and so on. Through the prototype system, the demands that industrial control protocol fuzzing places on testers are reduced and the efficiency of vulnerability mining is improved.
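Contribution (2) of both abstracts models the choice of mutation operation as a Multi-Arm Bandit problem. The sketch below is an added illustration, not the thesis's code: a UCB1 bandit chooses among four mutation operators applied to a constructed Modbus/TCP frame, the reward is "reached a parser path not seen before" from a toy stand-in for the device under test (the thesis's real coverage signal and operator set are not on this page and are assumed here), and accepted frames are kept so later rounds chain operators.

```python
import math
import random
import struct

# Constructed Modbus/TCP seed: MBAP (tid=1, proto=0, len=6, unit=1) + FC 0x03, start 0, count 10
SEED = struct.pack(">HHHB", 1, 0, 6, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x0A])

def flip_byte(f, rng):            # mutation operators are the bandit's arms: (frame, rng) -> frame
    i = rng.randrange(len(f))
    return f[:i] + bytes([f[i] ^ 0xFF]) + f[i + 1:]
def set_length(f, rng):           # corrupt the MBAP length field
    return f[:4] + struct.pack(">H", rng.choice([0, 1, 0xFFFF])) + f[6:]
def swap_fc(f, rng):              # replace the function code
    return f[:7] + bytes([rng.choice([1, 3, 5, 16, 0x7F])]) + f[8:]
def truncate(f, rng):             # cut the PDU, keeping the length field consistent
    k = rng.randrange(7, len(f) + 1)
    return f[:4] + struct.pack(">H", k - 6) + f[6:k]
OPERATORS = {"flip_byte": flip_byte, "set_length": set_length, "swap_fc": swap_fc, "truncate": truncate}

def toy_target(frame):
    """Constructed stand-in for the device under test: the parser path reached (coverage signal), or None if rejected."""
    if len(frame) < 7: return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6: return None    # MBAP sanity check fails
    if len(frame) == 7: return "mbap_only"
    fc = frame[7]
    if fc in (1, 3, 5, 16): return f"fc{fc}_" + ("short" if len(frame) < 12 else "full")
    return "illegal_fc"

class UCB1:   # Multi-Arm Bandit: the arm with the best mean reward plus an exploration bonus wins
    def __init__(self, arms):
        self.arms, self.t = list(arms), 0
        self.n, self.total = {a: 0 for a in arms}, {a: 0.0 for a in arms}
    def select(self):
        self.t += 1                   # an untried arm gets an infinite index, so every arm is pulled once first
        return max(self.arms, key=lambda a: math.inf if self.n[a] == 0 else
                   self.total[a] / self.n[a] + math.sqrt(2 * math.log(self.t) / self.n[a]))
    def update(self, arm, reward):
        self.n[arm] += 1; self.total[arm] += reward

def fuzz(rounds=500, seed=1):
    """Reward 1 when the mutated frame reaches a new path; accepted frames join the corpus so operators chain."""
    rng, bandit = random.Random(seed), UCB1(OPERATORS)
    corpus, seen = [SEED], {toy_target(SEED)}
    for _ in range(rounds):
        op = bandit.select()
        frame = OPERATORS[op](rng.choice(corpus), rng)
        path = toy_target(frame)
        reward = 1.0 if path is not None and path not in seen else 0.0
        if reward: seen.add(path); corpus.append(frame)
        bandit.update(op, reward)
    return seen, bandit.n       # paths reached, and how often each operator was chosen
```

The length-corrupting operator never earns a reward here, so the bandit pulls it less than the function-code operator, while the truncate-then-swap chain reaches the short-PDU paths that no single operator finds on its own.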

Chinese Library Classification (CLC) number: TP311.5

Open-access date: 2022-06-24
