Computer Science (计算机科学), 2022, Vol. 49, Issue 3: 301-307. doi: 10.11896/jsjkx.210200078
LIU Kai-xiang (刘凯祥) 1, XIE Yong-fang (谢永芳) 1, CHEN Xin (陈新) 2, LYU Fei (吕飞) 2, LIU Jun-jiao (刘俊矫) 2
Abstract: Existing research on industrial information security concentrates on industrial Ethernet and leaves the protection of serial-link protocols largely unaddressed. To fill this gap, a state detection algorithm for industrial serial protocols based on a discrete time Markov chain (DTMC) is proposed. The algorithm exploits the fact that an industrial control system (ICS) has a finite set of behaviours and a finite set of states: from historical serial-link traffic it automatically builds a DTMC that models normal ICS behaviour. The model records state events, state transitions, state transition probabilities and state transition time intervals, and the state information it contains is used as the state detection rule set. In the detection phase, when the state information generated from live traffic is absent from the rule set, or deviates from it by more than a threshold, the algorithm raises an alert or rejects the traffic. Comprehensive packet inspection (CPI) is combined with the model to widen the range of protocol payload data that can be checked. Experimental results show that the algorithm effectively detects semantic attacks and protects the serial link, with a false positive rate of 5.3% and a false negative rate of 0.6%.
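The abstract describes the learned model (state events, transitions, transition probabilities, transition time intervals) and the three detection outcomes, but not how such a model is built from serial traffic. The Python below is an added example written for this page, not code from the paper or its authors. It assumes Modbus RTU as the serial protocol, defines a state event as the (slave address, function code, starting register) triple of a request frame, estimates transition probabilities by maximum likelihood as P(s_i -> s_j) = n_ij / sum_k n_ik, and checks the inter-event time with a k-sigma rule; the thresholds p_min, k_sigma and std_floor, the state definition, and the sample traffic are all assumptions of the example, and the paper's CPI payload checks are not reproduced.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Assumed state definition for this example (not the paper's): the
# (slave address, function code, starting register) of a Modbus RTU request.
State = Tuple[int, int, int]
Event = Tuple[float, bytes]  # (timestamp in seconds, raw RTU frame)


def crc16_modbus(data: bytes) -> bytes:
    """Modbus RTU CRC-16 (poly 0xA001, init 0xFFFF), transmitted low byte first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc.to_bytes(2, "little")


def rtu_request(addr: int, fc: int, start: int, qty_or_value: int) -> bytes:
    """Build an 8-byte RTU request (FC 1/3 read or FC 6 write) with its CRC."""
    pdu = bytes([addr, fc]) + start.to_bytes(2, "big") + qty_or_value.to_bytes(2, "big")
    return pdu + crc16_modbus(pdu)


def parse_rtu_request(frame: bytes) -> State:
    """Verify the CRC and extract the state event from an RTU request frame."""
    if len(frame) < 6 or crc16_modbus(frame[:-2]) != frame[-2:]:
        raise ValueError("malformed Modbus RTU frame or bad CRC")
    return (frame[0], frame[1], int.from_bytes(frame[2:4], "big"))


def train_dtmc(events: List[Event]) -> Dict:
    """Learn the normal-behaviour DTMC from a historical request stream.

    probs[(s_i, s_j)]     = n_ij / sum_k n_ik  (transition probability)
    intervals[(s_i, s_j)] = (mean, population std) of the time from s_i to s_j
    """
    counts: Dict[Tuple[State, State], int] = defaultdict(int)
    dts: Dict[Tuple[State, State], List[float]] = defaultdict(list)
    prev = None
    for ts, frame in events:
        s = parse_rtu_request(frame)
        if prev is not None:
            pt, ps = prev
            counts[(ps, s)] += 1
            dts[(ps, s)].append(ts - pt)
        prev = (ts, s)
    row_total: Dict[State, int] = defaultdict(int)
    for (si, _), n in counts.items():
        row_total[si] += n
    return {
        "states": {s for pair in counts for s in pair},
        "probs": {pair: n / row_total[pair[0]] for pair, n in counts.items()},
        "intervals": {pair: (mean(v), pstdev(v)) for pair, v in dts.items()},
    }


def detect(model: Dict, events: List[Event], p_min: float = 0.05,
           k_sigma: float = 3.0, std_floor: float = 0.01) -> List[Tuple]:
    """Check a live stream against the rule set; return (index, reason, detail) alerts.

    p_min, k_sigma and std_floor are example thresholds, not values from the paper.
    """
    alerts = []
    prev = None
    for i, (ts, frame) in enumerate(events):
        s = parse_rtu_request(frame)
        if s not in model["states"]:
            alerts.append((i, "unknown_state", s))  # state never seen in training
        elif prev is not None:
            pt, ps = prev
            key = (ps, s)
            if model["probs"].get(key, 0.0) < p_min:
                alerts.append((i, "unexpected_transition", key))  # order violates the chain
            else:
                mu, sd = model["intervals"][key]
                dt = ts - pt
                if abs(dt - mu) > k_sigma * max(sd, std_floor):
                    alerts.append((i, "interval_deviation", round(dt, 3)))  # timing is off
        prev = (ts, s)
    return alerts


def sample_training_events(n_cycles: int = 20) -> List[Event]:
    """Constructed normal traffic: a 1 s polling cycle of three reads."""
    ev = []
    for c in range(n_cycles):
        t = float(c)
        ev += [(t, rtu_request(1, 3, 0, 2)),          # slave 1, FC3, regs 0..1
               (t + 0.3, rtu_request(1, 3, 100, 4)),  # slave 1, FC3, regs 100..103
               (t + 0.6, rtu_request(2, 1, 0, 8))]    # slave 2, FC1, coils 0..7
    return ev


def sample_test_events() -> List[Event]:
    """Constructed live traffic with an injected write and a delayed poll."""
    t = 100.0
    return [(t, rtu_request(1, 3, 0, 2)),
            (t + 0.3, rtu_request(1, 3, 100, 4)),
            (t + 0.6, rtu_request(2, 1, 0, 8)),
            (t + 1.0, rtu_request(1, 3, 0, 2)),
            (t + 1.15, rtu_request(1, 6, 0, 0x1234)),  # FC6 write never seen in training
            (t + 1.3, rtu_request(1, 3, 100, 4)),
            (t + 1.6, rtu_request(2, 1, 0, 8)),
            (t + 2.5, rtu_request(1, 3, 0, 2)),        # poll 0.5 s late
            (t + 2.8, rtu_request(1, 3, 100, 4))]


if __name__ == "__main__":
    for alert in detect(train_dtmc(sample_training_events()), sample_test_events()):
        print(alert)
```

Run stand-alone, the script reports the injected FC 6 write as an unknown state, the following read as an unexpected transition (the chain has no edge out of the unknown state), and the late poll as an interval deviation, while a replay of the training stream raises nothing. Two practical points follow from the design: every state and transition present in the learning window becomes "normal", so the historical traffic must come from a period of verified-normal operation; and the example only inspects the first four bytes of each frame, so a payload-level check in the CPI sense (register counts, written values) would have to be added on top of the state rule set.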