Journal of Computer Applications
何戡,马洪峰,宗学军,史洪岩,连莲,宁博伟
Abstract: To address the deficiencies of existing fuzz testing techniques in deep semantic modeling and feature representation of industrial control protocols, which lead to high test case redundancy and low acceptance rates, a fuzz testing method based on dual-channel semantic feature fusion was proposed. A dual-channel parallel architecture was adopted to perform multi-level semantic modeling, and a generative adversarial network (GAN) was used to generate diverse test cases. Global semantic features were extracted by capturing global dependencies in protocol sequences with a Transformer encoder; local field features were extracted by capturing relationships among adjacent bytes or fields with a multi-scale one-dimensional convolutional neural network encoder. The extracted multi-level semantic features were adaptively fused by a gated recurrent unit (GRU) to strengthen the representation of key semantic features and raise the test case acceptance rate. A "relative discrimination" training strategy was introduced into the GAN, which compares the relative authenticity of real and generated samples to alleviate mode collapse and thereby enhance test case diversity. Based on this method, the fuzz testing framework DCSFFuzzer was designed, and experiments were conducted on three industrial control protocols: Modbus/TCP, S7comm, and Ethernet/IP. Experimental results showed that, compared with TDRFuzzer, MLFRFuzzer, WGANFuzzer, GANFuzzer, and PeachFuzzer, DCSFFuzzer's TCAR and DGD metrics were significantly improved, and its target test abnormal rate (TTAR) increased by 0.015, 0.024, 0.068, 0.130, and 0.172 percentage points respectively. These results show that DCSFFuzzer, by fusing multi-level semantic features, covers more industrial control protocol vulnerabilities, which validates the method's effectiveness and improves industrial control system security testing.
Key words: fuzz testing, Transformer, multi-scale one-dimensional convolutional neural network, dual-channel, feature fusion, industrial control protocols, vulnerability mining
Abstract (Chinese version, translated): To address the shortcomings of existing fuzz testing techniques in deep semantic modeling and feature representation of industrial control protocols, which lead to problems such as a high test case repetition rate and a low acceptance rate, an industrial control protocol fuzz testing method fusing dual-channel semantic features is proposed. The method adopts a dual-channel parallel architecture to perform multi-level semantic modeling of industrial control protocols, and uses a generative adversarial network (GAN) to generate diverse test cases. First, a Transformer encoder captures the global dependencies in protocol sequences to extract global semantic features, while a multi-scale one-dimensional convolutional neural network encoder captures the relationships between locally adjacent bytes or fields to extract local field features. Then, a gated recurrent unit (GRU) performs adaptive feature fusion on the extracted multi-level semantic features, strengthening the representation of key semantic features so as to raise the acceptance rate of test cases. Finally, a "relative discrimination" training strategy is introduced into the generative adversarial network, which alleviates mode collapse by comparing the relative authenticity of real and generated samples so as to increase test case diversity. Based on the above method, the fuzz testing framework DCSFFuzzer is designed and evaluated experimentally on three industrial control protocols: Modbus/TCP, S7comm and Ethernet/IP. Experimental results show that, compared with the five models WGANFuzzer, TDRFuzzer, MLFRFuzzer, GANFuzzer and PeachFuzzer, DCSFFuzzer performs better on the TCAR and DGD metrics, and its target test abnormal rate (TTAR) is improved by 0.015, 0.024, 0.068, 0.130 and 0.172 percentage points respectively. This shows that DCSFFuzzer, by fusing multi-level semantic features, achieves wider coverage in discovering industrial control protocol vulnerabilities, validating the effectiveness of the method and improving the security detection capability of industrial control systems.
Key words (Chinese version, translated): fuzz testing, Transformer, multi-scale one-dimensional convolutional neural network, dual-channel, feature fusion, industrial control protocols, vulnerability mining
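The abstract frames the problem as high test case redundancy and low acceptance rates on protocols such as Modbus/TCP. The following Python example is added here and is not code from the paper or from DCSFFuzzer; it shows how an evaluator would measure those two properties over a batch of fuzzer-generated frames using a structural Modbus/TCP acceptance check (MBAP header with protocol identifier 0, a length field consistent with the frame, and a public function code). The metric definitions (acceptance rate = accepted / total, redundancy rate = 1 - unique / total) and the sample frames are assumptions constructed for this example, not the paper's TCAR, DGD or TTAR definitions.

```python
"""Measure acceptance rate and redundancy of fuzzer-generated Modbus/TCP frames.

Added example: the acceptance check and the metric definitions below are
assumptions for illustration, not the paper's TCAR/DGD/TTAR definitions.
"""
import struct
from collections import Counter

# Modbus/TCP MBAP header layout (big-endian): transaction id (2 bytes),
# protocol id (2 bytes, always 0 for Modbus), length (2 bytes, counts the
# unit id plus the PDU that follow it), unit id (1 byte). The PDU starts
# with a 1-byte function code.
MBAP_LEN = 7
MAX_ADU = 260  # largest Modbus/TCP ADU: 7-byte MBAP + 253-byte PDU
# Public function codes from the Modbus application protocol specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17,
                         20, 21, 22, 23, 24, 43}


def validate_modbus_tcp(frame):
    """Structural check a Modbus/TCP endpoint applies before parsing the PDU.
    Returns (accepted, reason); a frame failing here never reaches the
    function-code handler, which is why such test cases count as wasted."""
    if len(frame) < MBAP_LEN + 1:
        return False, "short frame"
    if len(frame) > MAX_ADU:
        return False, "oversized ADU"
    _tid, proto, length, _uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return False, "protocol id != 0"
    if length != len(frame) - 6:  # bytes that follow the length field
        return False, "length field mismatch"
    if frame[MBAP_LEN] not in PUBLIC_FUNCTION_CODES:
        return False, "unknown function code"
    return True, "ok"


def build_frame(tid, uid, pdu):
    """Assemble a well-formed ADU with a consistent MBAP length field."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def evaluate_cases(cases):
    """Acceptance rate, redundancy rate and rejection reasons for a case list.
    acceptance_rate = accepted / total; redundancy_rate = 1 - unique / total
    (both are assumed definitions for this example)."""
    verdicts = [validate_modbus_tcp(c) for c in cases]
    accepted = sum(1 for ok, _ in verdicts if ok)
    return {
        "acceptance_rate": accepted / len(cases),
        "redundancy_rate": 1 - len(set(cases)) / len(cases),
        "rejections": Counter(reason for ok, reason in verdicts if not ok),
    }


def sample_cases():
    """Constructed stand-in for a batch of generated test cases."""
    read_regs = bytes([3, 0x00, 0x00, 0x00, 0x0A])  # FC3, start 0, 10 regs
    return [
        build_frame(1, 1, read_regs),                   # accepted
        build_frame(1, 1, read_regs),                   # exact duplicate
        struct.pack(">HHHB", 2, 1, 6, 1) + read_regs,   # protocol id 1
        struct.pack(">HHHB", 3, 0, 99, 1) + read_regs,  # wrong length field
        build_frame(4, 1, bytes([0x63, 0x00, 0x00])),   # FC 0x63 is not public
        b"\x00\x05\x00\x00",                            # truncated frame
    ]


if __name__ == "__main__":
    for name, value in evaluate_cases(sample_cases()).items():
        print(f"{name}: {value}")
```

On the constructed batch, two of six frames pass the structural check (acceptance rate 1/3) and one is an exact duplicate (redundancy rate 1/6); the rejection counter shows which header constraint each wasted case violated, which is the kind of breakdown that tells an evaluator whether a generator has learned the protocol's field semantics or only its byte statistics.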
CLC Number: TP393
何戡, 马洪峰, 宗学军, 史洪岩, 连莲, 宁博伟. DCSFFuzzer: a fuzz testing method for industrial control protocols fusing dual-channel semantic features [J]. Journal of Computer Applications, DOI: 10.11772/j.issn.1001-9081.2025081026.
URL: https://www.joca.cn/EN/10.11772/j.issn.1001-9081.2025081026