Cite this article
  • MA Biao, HU Mengna, ZHANG Zhonghao, ZHOU Zhengyin, JIA Juncheng, YANG Rongju. Industrial Control Flow Anomaly Detection Method Based on Fusion Markov Model [J]. Journal of Cyber Security (信息安全学报), 2022, 7(3): 17-32
Industrial Control Flow Anomaly Detection Method Based on Fusion Markov Model
MA Biao1, HU Mengna1, ZHANG Zhonghao1, ZHOU Zhengyin1, JIA Juncheng1, YANG Rongju2
(1. School of Computer Science and Technology, Soochow University, Suzhou 215006, China; 2. Siemens Ltd., China, Beijing 100102, China)
Abstract:
Although the Industrial Internet has injected new vitality into modern industry and greatly improved production efficiency, networking has also exposed industrial control systems (ICS) to more threats. In recent years there have been many ICS intrusion incidents in China and abroad that have seriously affected the safety of industrial production, and ICS security has become an increasingly prominent problem. To ensure that modern industry develops steadily towards digitalization and automation, effective intrusion detection methods for ICS have become a research focus. Existing methods cannot effectively separate traffic in which several polling periods are mixed, and they struggle to detect and defend against more complex semantic attacks. Making full use of the high periodicity and high correlation of industrial traffic, this paper proposes an anomaly detection method for ICS network traffic based on a fusion Markov model. First, packet semantics are parsed in depth and the raw traffic sequence is mapped to a sequence of hash strings; a state transition graph is then generated from the correlations between these strings. Next, the sub-period symbols are classified according to the in/out relationships and frequencies of the states in the transition graph, and a DFA model is built for each class in turn. To detect more semantic attacks, the method fuses long-period patterns that were wrongly decomposed, using the in/out relationships between sub-periods and the model's false positive rate, and adds time-interval information to the nodes of each DFA model. Experiments on a real SCADA test platform show that the method detects more types of attacks and achieves a higher detection rate for complex semantic attacks.
Key words: industrial control system (ICS); network traffic; anomaly detection; semantic attacks
DOI: 10.19363/J.cnki.cn10-1380/tn.2022.05.02
Received: 2021-03-06; Revised: 2021-06-29
Funding: This work was supported by the China Postdoctoral Science Foundation (No. 2017M611905), the Suzhou Industrial Technology Innovation Special (People's Livelihood Technology) Project (No. SS201701), and the Priority Academic Program Development of Jiangsu Higher Education Institutions (PAPD).
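The core of the pipeline the abstract describes (hash packet semantics into symbols, learn a DFA over the symbol sequence, attach timing to it, flag unseen transitions and timing deviations), as an added illustration that is not the paper's code. It uses constructed Modbus-style polling traffic, stores timing per transition rather than per node, and omits the sub-period separation and fusion steps of the paper; the tolerance value is an assumption.

```python
import hashlib

# Constructed sample traffic (not from the paper): (timestamp_s, function_code, register_address)
# of a 3-packet polling cycle repeating every second; codes are Modbus-style but purely illustrative.
NORMAL_CYCLE = [(0.0, 1, 0), (0.3, 3, 100), (0.6, 6, 200)]

def make_traffic(cycles):
    return [(k + off, fc, addr) for k in range(cycles) for off, fc, addr in NORMAL_CYCLE]

def symbol(fc, addr):
    """Map the semantic fields of one packet to a short hash string (the hash-string sequence)."""
    return hashlib.sha256(f"{fc}:{addr}".encode()).hexdigest()[:8]

def train(packets):
    """Learn the DFA as allowed transitions plus the min/max inter-arrival time seen on each."""
    dfa = {}  # (prev_symbol, next_symbol) -> (min_dt, max_dt)
    prev = None
    for t, fc, addr in packets:
        s = symbol(fc, addr)
        if prev is not None:
            key, dt = (prev[0], s), t - prev[1]
            lo, hi = dfa.get(key, (dt, dt))
            dfa[key] = (min(lo, dt), max(hi, dt))
        prev = (s, t)
    return dfa

def detect(dfa, packets, tolerance=0.2):
    """Replay a stream; report packets whose transition was never learned or arrived off-schedule."""
    alerts, prev = [], None
    for i, (t, fc, addr) in enumerate(packets):
        s = symbol(fc, addr)
        if prev is not None:
            key, dt = (prev[0], s), t - prev[1]
            if key not in dfa:
                alerts.append((i, "unseen transition"))
            else:
                lo, hi = dfa[key]
                if dt < lo * (1 - tolerance) or dt > hi * (1 + tolerance):
                    alerts.append((i, "timing deviation"))
        prev = (s, t)
    return alerts

TRAIN = make_traffic(5)
# Constructed test stream: one normal cycle, then a cycle where the write (fc 6) directly follows
# the coil read, skipping the holding-register read, so the next cycle start is also late after it.
TEST = make_traffic(1) + [(1.0, 1, 0), (1.3, 6, 200)] + [(2.0, 1, 0), (2.3, 3, 100), (2.6, 6, 200)]

if __name__ == "__main__":
    model = train(TRAIN)
    print(detect(model, TEST))  # [(4, 'unseen transition'), (5, 'timing deviation')]
```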