Computer Science ›› 2022, Vol. 49 ›› Issue (3): 301-307. doi: 10.11896/jsjkx.210200078

• Information Security •

Industrial Serial Protocol State Detection Algorithm Based on DTMC

LIU Kai-xiang1, XIE Yong-fang1, CHEN Xin2, LYU Fei2, LIU Jun-jiao2

  1 School of Automation, Central South University, Changsha 410083, China
  2 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  • Received: 2021-02-07  Revised: 2021-05-26  Online: 2022-03-15  Published: 2022-03-15
  • Corresponding author: CHEN Xin (chenxin1990@iie.ac.cn)
  • About author: LIU Kai-xiang (kaixiangliu@csu.edu.cn), born in 1995, postgraduate. His main research interests include the security of industrial control systems.
    CHEN Xin, born in 1990, master, intermediate engineer. His main research interests include ICS security and ICS intrusion detection.
  • Supported by:
    Young Scientists Fund of the National Natural Science Foundation of China (61702506) and National Science Fund for Distinguished Young Scholars of China (61725306).

Abstract: Existing research on industrial security mainly focuses on industrial Ethernet and lacks work on the protection of serial link protocols. To address this, an industrial serial protocol state detection algorithm based on a discrete time Markov chain (DTMC) is proposed. The method exploits the limited behavior and limited state space of an industrial control system (ICS) and automatically constructs the normal behavior model of the ICS, a DTMC, from the historical traffic of the serial link protocol. The model contains behavior information such as state events, state transitions, state transition probabilities and state transition time intervals; this information is then used as the state detection rule set. When the state information generated in the detection phase differs from the rule set, or the deviation exceeds a threshold, actions such as an alarm or rejection are triggered. At the same time, comprehensive packet inspection (CPI) is combined with the model to widen the detectable range of protocol payload data. Experimental results show that the proposed algorithm can effectively detect semantic attacks and protect the security of serial links, with a false positive rate of 5.3% and a false negative rate of 0.6%.

Key words: Serial link protocol, Industrial control system (ICS), Industrial security, Discrete time Markov chain (DTMC), State detection, Comprehensive packet inspection (CPI)
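As an added illustration of the DTMC construction and detection steps described in the abstract (example code, not the paper's implementation; the CPI payload-inspection part is not covered), the sketch below learns state events, transition probabilities and mean transition intervals from a constructed Modbus-RTU-style request trace and then flags frames that fall outside that rule set. The state-event tuple (slave id, function code, start address), the trace values and both thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed training trace (assumed format): (time_s, slave_id, function_code, start_addr).
# A "state event" is assumed to be the tuple (slave_id, function_code, start_addr).
TRAIN = [(0.0, 1, 3, 0), (0.5, 1, 3, 100), (1.0, 1, 16, 200),
         (1.5, 1, 3, 0), (2.0, 1, 3, 100), (2.5, 1, 16, 200),
         (3.0, 1, 3, 0), (3.5, 1, 3, 100), (4.0, 1, 16, 200), (4.5, 1, 3, 0)]

def learn_dtmc(trace):
    """Learn the state set, transition probabilities and mean inter-arrival time per transition."""
    states, trans, gaps = set(), Counter(), defaultdict(list)
    prev = None                        # (state, timestamp) of the previous frame
    for ts, sid, fc, addr in trace:
        s = (sid, fc, addr)
        states.add(s)
        if prev is not None:
            trans[(prev[0], s)] += 1
            gaps[(prev[0], s)].append(ts - prev[1])
        prev = (s, ts)
    outdeg = Counter()                 # number of observed transitions leaving each state
    for (a, _), n in trans.items():
        outdeg[a] += n
    return {"states": states,
            "prob": {k: n / outdeg[k[0]] for k, n in trans.items()},
            "gap": {k: sum(v) / len(v) for k, v in gaps.items()}}

def detect(model, trace, p_min=0.05, gap_tol=0.5):
    """Return (frame_index, reason) alerts: unknown state, unknown transition, transition
    rarer than p_min, or inter-arrival time off the learned mean by more than gap_tol (relative)."""
    alerts, prev = [], None
    for i, (ts, sid, fc, addr) in enumerate(trace):
        s = (sid, fc, addr)
        if s not in model["states"]:
            alerts.append((i, "unknown state"))
        elif prev is not None:
            k = (prev[0], s)
            if k not in model["prob"]:
                alerts.append((i, "unknown transition"))
            elif model["prob"][k] < p_min:
                alerts.append((i, "rare transition"))
            elif abs((ts - prev[1]) - model["gap"][k]) > gap_tol * model["gap"][k]:
                alerts.append((i, "timing deviation"))
        prev = (s, ts)
    return alerts

# Constructed test trace: one poll arrives too early, then an unseen write to register 500.
TEST = [(0.0, 1, 3, 0), (0.5, 1, 3, 100), (1.0, 1, 16, 200),
        (1.2, 1, 3, 0), (1.7, 1, 6, 500), (2.2, 1, 3, 100)]
```

Running `detect(learn_dtmc(TRAIN), TEST)` reports the early poll as a timing deviation, the write as an unknown state, and the frame after it as an unknown transition, while the training trace itself produces no alerts.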

CLC number: TP393.08