Computer Science, 2018, Vol. 45, Issue (1): 233-239. doi: 10.11896/j.issn.1002-137X.2018.01.041


Anomaly Detection Method of ICS Based on Behavior Model

SONG Zhan-wei, ZHOU Rui-kang, LAI Ying-xu, FAN Ke-feng, YAO Xiang-zhen, LI Lin and LI Wei   

Online: 2018-01-15. Published: 2018-11-13.

Abstract: At present, ICS network security has become a key problem in the field of information security. Detecting attacks such as behavior-data tampering and control-program tampering is a difficult problem in ICS network security. This paper therefore proposes an anomaly detection method based on a behavior model. The method extracts the behavior data sequence from industrial control network traffic, then constructs a normal behavior model according to the control process and the controlled process of the ICS. Finally, it determines whether an anomaly has occurred by comparing the behavior data extracted in real time with the behavior data predicted by the model. Experimental analysis shows that the method can effectively detect behavior-data tampering attacks, control-program tampering attacks and similar attacks.

Key words: ICS, Network security, Anomaly detection, Behavior model, RLS, AIC, Modbus TCP
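The abstract describes the detection loop only in outline: learn a normal behavior model from the command/measurement sequence, predict the next behavior value, and flag a deviation between the predicted and the extracted value. The following is an added worked example of that loop; it is not the authors' code and the abstract does not give their model. It assumes a linear ARX model relating a command u (a setpoint written to a register) to the measured response y (a value read back), identifies the parameters with recursive least squares (RLS, one of the paper's key words), picks the model order with AIC (another key word), and reports an anomaly when |observed - predicted| exceeds a multiple of the spread of the training residuals. The plant, the noise and the altered reported value are all constructed for the example.

```python
"""Behavior-model anomaly detection for one ICS process variable.

Added example, not the paper's code. Assumed (the abstract does not state it):
the normal behavior model is a linear ARX model
    y[t] = a_1*y[t-1] + ... + a_p*y[t-p] + b*u[t-1]
identified by RLS; p is chosen by AIC; an anomaly is reported when the
residual |observed - predicted| exceeds k_sigma times the training spread.
"""
import math
import random
import statistics


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


class RLS:
    """Recursive least squares estimator for theta in y = phi . theta."""

    def __init__(self, n, forgetting=1.0, p0=1000.0):
        self.theta = [0.0] * n
        # Large initial covariance: no prior confidence in theta.
        self.P = [[p0 if i == j else 0.0 for j in range(n)] for i in range(n)]
        self.lam = forgetting

    def predict(self, phi):
        return dot(phi, self.theta)

    def update(self, phi, y):
        """Fold one observation in; return the a-priori residual."""
        p_phi = [dot(row, phi) for row in self.P]                   # P * phi
        gain = [x / (self.lam + dot(phi, p_phi)) for x in p_phi]  # K
        err = y - self.predict(phi)
        self.theta = [t + g * err for t, g in zip(self.theta, gain)]
        # P <- (P - K phi^T P) / lam; phi^T P == (P phi)^T since P is symmetric
        n = len(phi)
        self.P = [[(self.P[i][j] - gain[i] * p_phi[j]) / self.lam
                   for j in range(n)] for i in range(n)]
        return err


def regressor(y, u, t, p):
    """phi(t) = [y[t-1], ..., y[t-p], u[t-1]]."""
    return [y[t - i] for i in range(1, p + 1)] + [u[t - 1]]


def fit(y, u, p):
    """Identify an order-p ARX model over (y, u); return model and residuals."""
    model = RLS(p + 1)
    residuals = [model.update(regressor(y, u, t, p), y[t]) for t in range(p, len(y))]
    return model, residuals


def aic(residuals, n_params, warmup=40):
    """Akaike information criterion, ignoring the RLS warm-up transient."""
    tail = residuals[warmup:]
    rss = sum(e * e for e in tail)
    return len(tail) * math.log(rss / len(tail)) + 2 * n_params


def select_order(y, u, orders=(1, 2, 3)):
    return min(orders, key=lambda p: aic(fit(y, u, p)[1], p + 1))


def build_detector(y_train, u_train, k_sigma=6.0, warmup=40):
    """Learn the normal behavior model and a residual threshold from clean traffic."""
    p = select_order(y_train, u_train)
    model, residuals = fit(y_train, u_train, p)
    threshold = k_sigma * statistics.pstdev(residuals[warmup:])
    return p, model, threshold


def detect(model, p, threshold, y_obs, u_obs):
    """Indices at which the reported value deviates from the model's prediction."""
    return [t for t in range(p, len(y_obs))
            if abs(y_obs[t] - model.predict(regressor(y_obs, u_obs, t, p))) > threshold]


def simulate(n, seed=7):
    """Constructed data: plant y[t] = 0.8*y[t-1] + 0.2*u[t-1] + noise,
    driven by a setpoint u that changes every 20 samples."""
    rng = random.Random(seed)
    u, y, level = [], [20.0], 20.0
    for t in range(n):
        if t % 20 == 0:
            level = float(rng.choice([10, 20, 30, 40]))
        u.append(level)
        if t > 0:
            y.append(0.8 * y[t - 1] + 0.2 * u[t - 1] + rng.uniform(-0.1, 0.1))
    return y, u


def demo(tamper_at=50, tamper_delta=15.0):
    y, u = simulate(400)
    y_train, u_train, y_mon, u_mon = y[:300], u[:300], y[300:], u[300:]
    p, model, threshold = build_detector(y_train, u_train)
    # Constructed tampering case: one reported measurement is altered while
    # the plant is unaffected, so the prediction from real commands exposes it.
    y_reported = list(y_mon)
    y_reported[tamper_at] += tamper_delta
    flags = detect(model, p, threshold, y_reported, u_mon)
    return p, model.theta, threshold, flags


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the abstract leaves implicit: the threshold is learned from residuals after the estimator has converged (the warm-up is excluded, otherwise the initial large errors inflate it), and the sample immediately after a tampered value is usually flagged as well, because the altered value enters the regressor for the next prediction. A practitioner should treat a run of consecutive flags as one event rather than several.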

