|关键词: 工业控制系统 网络流量 异常检测 语义攻击
|Industrial Control Flow Anomaly Detection Method Based on Fusion Markov Model
|MA Biao,HU Mengna,ZHANG Zhonghao,ZHOU Zhengyin,JIA Juncheng,YANG Rongju
|School of Computer Science and Technology, Soochow University, Suzhou 215006, China;Siemens, Ltd., Beijing 100102, China
|Although the Industrial Internet has injected new vitality into modern industries and greatly improved the efficiency of industrial production, networking has also brought more threats to industrial control systems. In recent years, there have been many industrial control intrusion incidents at home and abroad, which have seriously affected the safety of industrial production, and the problem of industrial control security has become more and more prominent. In order to ensure the stable development of modern industry towards digitalization and automation, effective intrusion detection methods for industrial control systems have become the focus of research. Aiming at the situation that the existing methods in the industrial control system cannot effectively separate the multi-period mixed traffic, and it is difficult to detect and defend against more complex semantic attacks, making full use of the characteristics of high periodicity and high correlation of industrial traffic, this paper proposes a new method based on Anomaly detection method of industrial control network traffic by integrating Markov model. Firstly, the semantics of the packets are deeply analyzed and the original traffic sequence is mapped to the hash string sequence, and then the state transition diagram is generated according to the correlation between the string sequences. Next, according to the in-out relationship and frequency of each state in the state transition diagram, the sub-period symbols are classified and the DFA model is constructed in turn. In order to detect more semantic attacks, the method fuses the long-period patterns that are wrongly decomposed according to the in-out relationship between subperiods and the model false positive rate, and adds time interval information to the nodes of each DFA model.The experiment was carried out on a real SCADA test platform. The results show that this method can detect more types of attacks and has a higher detection rate for complex semantic attacks.
|Key words: Industrial Control System(ICS) netflow anomaly detection semantic attacks