Computer Science ›› 2018, Vol. 45 ›› Issue (1): 233-239. doi: 10.11896/j.issn.1002-137X.2018.01.041

• Information Security •

Research on an Anomaly Detection Method for Industrial Control Systems Based on a Behavior Model

宋站威,周睿康,赖英旭,范科峰,姚相振,李琳,李巍   

  1. College of Computer Science, Beijing University of Technology, Beijing 100124; China Electronics Standardization Institute, Beijing 100007; College of Computer Science, Beijing University of Technology, Beijing 100124; China Electronics Standardization Institute, Beijing 100007; China Electronics Standardization Institute, Beijing 100007; China Electronics Standardization Institute, Beijing 100007; China Electronics Standardization Institute, Beijing 100007
  • Publication date: 2018-01-15 Release date: 2018-11-13
  • Funding:
    This work was supported by the National Intelligent Manufacturing Special Project "Development of Key Industrial Information Security Standards for Intelligent Manufacturing and Construction of a Verification Platform" (京财经一指[2015]1170号).

Anomaly Detection Method of ICS Based on Behavior Model

SONG Zhan-wei, ZHOU Rui-kang, LAI Ying-xu, FAN Ke-feng, YAO Xiang-zhen, LI Lin and LI Wei   

  • Online: 2018-01-15 Published: 2018-11-13

Abstract: At present, the network security of industrial control systems (ICS) has become a key issue in the field of information security, and detecting attacks such as tampering with behavior data and control programs is a difficult problem in ICS network security. Accordingly, this paper proposes an anomaly detection method for industrial control systems based on a behavior model. The method extracts behavior data sequences from industrial control network traffic, constructs a normal behavior model according to the control and controlled processes of the ICS, and determines whether an anomaly occurs by comparing the behavior data extracted in real time with the behavior data predicted by the model. Experimental analysis verifies that the proposed method can effectively detect attacks such as tampering with behavior data and control programs.

Keywords: industrial control system, network security, anomaly detection, behavior model, recursive least squares, AIC, Modbus TCP

Abstract: At present, ICS network security has become a key problem in the field of information security. Detecting attacks such as behavior data tampering and control program tampering is a difficult problem in ICS network security. Therefore, this paper proposes an anomaly detection method based on a behavior model. The method extracts the behavior data sequence from industrial control network traffic, then constructs the normal behavior model according to the control process and the controlled process of the ICS. Finally, it determines whether an anomaly has occurred by comparing the behavior data extracted in real time with the behavior data predicted by the model. The experimental analysis shows that the method can effectively detect behavior data tampering attacks, control program tampering attacks and similar attacks.

Key words: ICS, Network security, Anomaly detection, Behavior model, RLS, AIC, Modbus TCP
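As an added illustration of the predict-and-compare scheme the abstract describes (this is not the paper's own code): an autoregressive behavior model is fitted by recursive least squares (RLS), the model order is chosen by AIC, and a live reading whose deviation from the model prediction exceeds a residual threshold is flagged. The first-order process, noise level, 5-sigma threshold and tamper offset are all constructed assumptions.

```python
# Added illustration (not the paper's code): RLS-fitted AR(p) behavior model,
# AIC order selection and residual thresholding over a constructed sequence
# (e.g. a process value polled over Modbus TCP).
import numpy as np

def constructed_sequence(n, seed, tamper_at=None, tamper_delta=15.0):
    """Constructed process x[t] = 0.9*x[t-1] + 5 + N(0, 0.5), steady state 50;
    optionally one reading is overwritten to mimic tampered behavior data."""
    rng = np.random.default_rng(seed)
    x = [50.0]
    for _ in range(n - 1):
        x.append(0.9 * x[-1] + 5.0 + rng.normal(0.0, 0.5))
    if tamper_at is not None:
        x[tamper_at] += tamper_delta
    return x

def regressor(seq, t, p):
    # last p readings, most recent first, plus a constant term
    return np.array(seq[t - p:t][::-1] + [1.0])

def rls_fit(seq, p, lam=1.0, delta=100.0):
    """Recursive least squares for x[t] = theta . [x[t-1..t-p], 1].
    Returns final coefficients and the a-priori prediction errors."""
    theta = np.zeros(p + 1)
    P = delta * np.eye(p + 1)                   # inverse correlation matrix
    errors = []
    for t in range(p, len(seq)):
        phi = regressor(seq, t, p)
        err = seq[t] - phi @ theta              # error before the update
        k = P @ phi / (lam + phi @ P @ phi)     # gain vector
        theta = theta + k * err
        P = (P - np.outer(k, phi @ P)) / lam
        errors.append(err)
    return theta, np.array(errors)

def aic(errors, n_params):
    n = len(errors)
    return n * np.log(float(np.sum(errors ** 2)) / n) + 2 * n_params

def select_order(seq, max_p=4):
    """Model order with the lowest AIC on the converged half of the errors."""
    return min(range(1, max_p + 1),
               key=lambda p: aic(rls_fit(seq, p)[1][len(seq) // 2:], p + 1))

def detect(train, live, p, k_sigma=5.0):
    """Indices of live readings deviating from the model prediction by more
    than k_sigma times the residual spread seen in training."""
    theta, errors = rls_fit(train, p)
    sigma = errors[len(errors) // 2:].std()    # skip the RLS warm-up half
    return [t for t in range(p, len(live))
            if abs(live[t] - regressor(live, t, p) @ theta) > k_sigma * sigma]
```

A tampered reading triggers an alarm both at its own index and at the next step, because the tampered value is then used as the regressor for the following prediction.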

